BSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
Download as PPTX, PDF0 likes1,003 views
This document discusses different types of layer 7 denial of service (DOS) attacks, including HTTP GET, HTTP POST, Slowloris, and R-U-Dead-Yet attacks. It also covers layer 4 DDOS attacks and link-local DOS attacks using IPv6 router advertisements. Layer 7 DOS attacks can be more difficult to detect than layer 4 attacks because they operate at the application layer and can be routed through proxies with low bandwidth. Examples provided show how incomplete requests can tie up server resources and bring down sites with a single attacker.
BSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
- 1. Layer 7 DOS attack By :Oussama Elhamer Abdelkhalek.
- 2. Summary • The History of Dos attack . • Layer 4 Ddos : Overview. • Layer 7 Dos One attacker Brings Down one site . • Link-Local Dos : RA ip6 attack.
- 5. Layer 4 Ddos Attack : • Primitive DDOS attack controlled via IRC. • Sends Thousands of packets per second from the attacker directly to the target. • Needs Thousands of participants to bring down a large site. • Take down master card for more than a day (3.000 to 30.000) • Nothing More Than Pressing F5. (The Low Orbit lon Cannon Do That For u /:p)
- 6. Layer 7 DOS • Operates at the application protocol level (OSI Layer 7). • Can Be routed through proxies . • More Dangerous. • Low Bandwidth . • Can Be Very Difficult To Distinguish From normal trafic. Eg. HTTP(S), SMTP, FTP and etc.
- 7. Some Example Of Layer 7 Dos Attacks We will focus on The weaknesses of The Http Protocol .
- 8. HTTP GET
- 9. HTTP GET attack : -Dont Send A Complete Request To The WebServer (Incomplete Headers ) Send SomeThing That Will hold The Web Server Continues To Send Headers at Regular intervals to keep the Sockets active ! -So If You Open One Thousand Connection On A server That can Only Handle Five Hundred It Will be Rejecting Requests . Example Message syntax : GET /indexPage.html HTTP/1.1 CRLF <- Request Line Host : www.host.com:8080 CRLF Content-Length :25 CRLF CRLF <Optional Messaga Body > - The Server Stop Reading When See Two CRLF and Start generating the response and sending feed back .
- 10. • Example • The Server Will Drop The Connection If There Are No Data In 60 Seconds ! • Get/http/1.1 rn • Host :Server rn • X-skdvbk :sdjvjrn • ----59 Sec later • X-skdvbk :sdjvjrn • ----59 Sec later • X-skdvbk :sdjvjrn • ----59 Sec later • X-skdvbk :sdjvjrn • ----59 Sec later Client Server • This Attack Don’t Works With IIS because it Use a time out . • No Realible Configurartion Universal To Protect your Web Server • But there Are some Recommandation THAT minimize the damage
- 11. SlowLoris • Send Incomplete GET requests • And Freezes Apache With One Packet Per Second . • keeps sessions at halt • using neverending GET transmissions
- 12. HTTP post • Similar To http gET. • The Connections Whith The Server Stay Opened. • instead of prolongating The Header Section Of The http Request It Prolongate The Message Body Section
- 13. R-U-Dead-Yet : • Incomplete HTTP POSTs • implements the generic HTTP DoS attack via long form field submissions. • Stops IIS, But Requires Thousands Of packets per second.
- 14. More Variation • Keep-Alive Dos: A variation of The incomplete http get requests But Less Powerful . • XerXes A Tool Developped By Th3j35t3r • • -Can be Imported To a 3G cell phone • -Can be run throught VPN.
- 15. Link-Local Dos • IPv6 Router Advertisments • In ip v4 : • The Client Request An Ip • The Router Provides One • In ipv6 • The Router announces its presence • Every client on the Lan Creates an adress and joins the network
- 16. • The problem That you can Send A lot Of Router advertisement • The Lan Machines Will Join All Those Networks • And Windows Is inefficient in doing That • You can take Down all The Lan .
- 17. Demo : • Slowloris . • R-u-dead yet . • RA ip6 attack .
- 18. Thanks