DDoS handlering
8 likes1,109 views
This document discusses DDoS (Distributed Denial of Service) attacks and methods for mitigating them. It defines DDoS as simultaneous attacks from multiple sources aimed at overwhelming the bandwidth or resources of the targeted system. The document outlines different types of DDoS attacks like amplification attacks using NTP and DNS. It provides statistics on the rising scale and commercialization of DDoS attacks. Finally, it recommends mitigation approaches for servers like using mod_evasion with Apache, rate limiting with Nginx, and firewall configurations.
DDoS handlering
- 1. DDoS Handlering By Sumedt Jitpukdebodin
- 2. whoami • Name: Sumedt Jitpukdebodin • Website: www.r00tsec.com, www.techsuii.com • Jobs: Senior Security Researcher@I-SECURE, Writer of “Network Security - ก้าวแรกสู่นักทดสอบและป้องกันการเจาะระบบ” • Hobby: Hacking, Forensic, Linux, Android, Writing • Social Network & Another story of me: Please Google
- 3. CIA • Confidentiality • Integrity • Availability
- 4. DoS vs DDoS • Old day hacking - Modern day hacking • Vulnerability of system - Flood of traffic • one by one - one by many
- 5. Example of DoS • ICMP Attack • Ping of death • Smurf Attack • Ping Flood • SYN flood attack • Half Connection Attack • Unending knock knock • Application Layer • Low and slow attack • Etc.
- 6. DDoS • Simultaneous attack from multiple sources
- 7. New Era of DDoS • Amplification
- 8. Amplification • Response = 5-6 xRequest • NTP • DNS
- 9. Statistic of DDoS Source:: Verisign’s Distributed Denial of Service Trends Report 2014
- 10. DDoS as a Service Source:: Verisign’s Distributed Denial of Service Trends Report 2014
- 11. Show Time
- 12. Migration • IDS/IPS • Incident Response • SIEM • Log Management • Rate Limit • Firewall • Firewall @Company • Firewall @ISP • Firewall @your server • Web Application Firewall
- 13. Protect your server to be a tool of hacker • NTP • DNS
- 14. Web Server X DDoS • Apache (with mod_evasion) • DOSHashTableSize 2048 • DOSPageCount 20 # maximum number of requests for the same page • DOSSiteCount 300 # total number of requests for any object by the same client IP on the same listener • DOSPageInterval 1.0 # interval for the page count threshold • DOSSiteInterval 1.0 # interval for the site count threshold • DOSBlockingPeriod 10.0 # time that a client IP will be blocked for • DOSLogDir “/var/log/apache2/evasive” • DOSEmailNotify admin@domain.com
- 15. Web Server X DDoS(2) • Nginx • client_body_buffer_size 128k; • large_client_header_buffers 4 256k; • limit_req_zone $binary_remote_addr zone=name:16m rate=1r/s; • limit_req_zone $http_x_forwarded_for zone=name:16m rate=1r/s;
- 16. –Anonymous “Security can’t be 100% for sure.”
- 18. Reference • https://labs.opendns.com/2014/03/17/dns-amplification-attacks/ • https://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack/ • https://community.qualys.com/blogs/securitylabs/2014/01/21/how-qualysguard-detects-vulnerability- to-ntp-amplification-attacks • http://www.slideshare.net/JerodBrennenCISSP/ddos-attack-preparation-and-mitigation-27027980 • http://www.i-secure.co.th/2014/07/%E0%B8%A3%E0%B8%B0%E0%B8%9A%E0%B8%9A %E0%B8%82%E0%B8%AD %E0%B8%87%E0%B8%84%E0%B8%B8%E0%B8%93%E0%B9%80%E0%B8%95%E0%B8%A3%E0 %B8%B5%E0%B8%A2%E0%B8%A1-ddos/ • http://securityaffairs.co/wordpress/33916/cyber-crime/verisign-ddos-attacks-as-a-service.html • http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html • http://www.techrepublic.com/blog/smb-technologist/secure-your-apache-server-from-ddos-slowloris- and-dns-injection-attacks/ • http://www.helicontech.com/ape/doc/mod_evasive.htm