DDoS mitigation EPIC FAIL collection - 32C3
2 likes1,147 views
This document discusses strategies for conducting distributed denial-of-service (DDoS) attacks and bypassing mitigation tactics. It presents 10 attack strategies, including targeting backend systems like databases to cause amplification, using reflection techniques, and spoofing large ranges of IP addresses to overwhelm blocklisting defenses. The document also critiques common misconceptions that can leave systems vulnerable, such as not protecting HTTPS traffic or enabling dynamic cloud distribution without origin protection. The overall message is that comprehensive testing and planning is needed to effectively mitigate DDoS attacks.
DDoS mitigation EPIC FAIL collection - 32C3
- 1. DDoS Mitigation collection TL;DR: LEARN HOW TO DO (EFFICIENT) DDOS AND (EASILY) BYPASS MITIGATION TACTICS 1
- 2. Agenda Intro to D/DoS Methodology of work DDoS tactics in-the-wild and how to improve 10 ‘from-the-books’ strategies & how to leverage your attack to fit them Q&A 2
- 3. ~$ whoami Hi! Moshe Zioni, I do security stuff 3 years of designing & providing a full-blown on-demand DDoS attack service. Mainly exp. in Ethical Hacking & Penetration Testing 1st time speaker @ CCC, grateful to have this honor. .///. END OF SHAMELESS PROMOTION SLIDE .///. 3
- 4. DDoS for Everyone! 4
- 5. Method 5
- 6. Run-of-the-Mill DDoS attacks in-the-wild Rely heavily on bandwidth consumption 53% of attacks are < 2Gbps (SANS) Reflection combined with Amplification relies on 3rd party domains (DNS, NTP etc.) Most attacks does not require brains 6
- 7. Strike Harder! (!=Larger botnet) There is more to a web site then a front-end (!!) Overload the backend by making the system work for you Keep it stealthy, they might be using the ‘magic of sniffing’ Think of amplification in a general way 7
- 8. Generalized Amplification - “4 Pillars” Amplification factors Network – The usual suspect CPU – Very limited on some mediators and web application servers, Memory – Volatile, everything uses it, multi-step operations is prime target. Storage – Can be filled up or exhausting I/O buffer 8
- 11. W
- 12. Ready? Set. 12
- 13. FACEPALM 13
- 14. 14
- 15. “Limit the rate of incoming packets” 15
- 16. The customer has been hit by a DDoS attack that consumed ALL BANDWIDTH To rectify the situation the ISP suggested limiting incoming packet rate to ensure availability And so he did… believing that now he upped the game significantly for us 16
- 17. Reflection to the rescue! Consumption by reflection Send in 1Kb Consume according to file-length 17
- 19. 19
- 20. “It’s OK now, monitoring shows everything is back to normal” 20
- 21. MegaCommonPractive now went on to buy a Anti-DDoS solution A known Anti-DDoS cloud-based protection solution approached the client and offered a very solid looking solution including 24/7 third party monitoring 21
- 22. DID YOU ACTUALLY TRY TO ACCESS THE WEB SITE!!!! 22
- 23. 23
- 24. 24
- 25. “Backend servers are not important to protect against DDoS” 25
- 26. Mapping the backend for DDoS Databases are very susceptible to DDoS attacks and provide good grounds for intra-amplification How can we find DBs? You can always guess, pentersters do that all the time… Takes more time == more elaborate operation, may involve BE !!! PROFIT!!! 26
- 27. 27
- 28. 28
- 29. 29
- 30. Really??!?! ALL OF THE DOMAINS?!? What is the strategy of mitigation? Do you understand it? “Doesn’t matter, let’s do it!” 30
- 31. So, remember the booklet that you didn’t read? Interesting strategy – the system is devising some unknown algorithm to detect probable attacks. Defense mechanism is ‘draining’ out all traffic first and do some magic. Mitigation is kicked in 20 seconds after detection (supposedly to allow of building a model, dunno) 31
- 32. 32
- 33. 33
- 34. “We don’t trust the vendor, we don’t give them certificates” 34
- 35. Talk to me in layer 7… Defense have chosen not to monitor layer 7 – HTTPS attacks.. SSL re/negotiation Plus –transmitting via HTTPS GET/POST/… the vendor product can’t learn and analyze traffic 35
- 36. 36
- 37. 37
- 38. “We need Big Data, collect all the logs” 38
- 39. Logs need to be handled Storage Boom Result in a complete lock-down, including not be able to manage the overflowed device It was the IPS, so no traffic allowed to go anywhere, no traffic in/out the system SILO NEEDED! 39
- 40. 40
- 41. 41
- 42. “We are under attack – enforce the on-demand Scrubbing Service” 42
- 43. Learning mode – did you do it? All is learned Attack considered legitimate traffic RTFM And… Vendor response was epic by itself 43
- 44. 44
- 45. 45
- 46. “So what CDN is not dynamic? Let’s enable it” 46
- 47. NOT IN CACHE? ASK THE ORIGIN! 47
- 48. 48
- 49. 49
- 50. 50
- 51. 51
- 52. How to find an ‘invisible’ origin? Find other known subdomain -> translate to IP -> scan the /24 or /16 -> good chance it’s there. AND….. WHOIS never forgets http://viewdns.info FTW! 52
- 53. 53
- 54. 54
- 55. “Block ‘em!, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them. “ 55
- 56. Total IPs (DE): ~116 M 56 * http://www.nirsoft.net/countryip/de.html
- 57. Roughly -1,800 class B ranges 57
- 58. We spoofed IPs from those classes and deliver a very detectable TCP SYN flood attack from each source 58
- 59. Now think of a monkey blocking every incoming alert. 15 MINUTES TO SELF INFLICTED DDOS 59
- 60. 60
- 61. Collected misconceptions There is no magic pill or best cocktail mix of technologies/appliances/services, never was – prepare a plan, not just a mitigation. You can have all the toys and money in the world – best mitigation – don’t do drugs TEST your infrastructure regularly. If you won’t do that – you can be evaluated for this presentation in the future 61
- 62. Questions? 62
- 63. Thank you! Moshe Zioni zimoshe@gmail.com, @dalmoz_ 63