SlideShare a Scribd company logo

DDoS: practical survival

Download as PPTX, PDF
Positive Hack Days, profile picture
Positive Hack Days

This document discusses DDoS attacks and various techniques for mitigating them. It provides statistics on DDoS attacks from 2012, including the number of incidents and average/maximum botnet sizes. It then evaluates several approaches for detecting and blocking DDoS traffic, such as mod_evasive, iptables, Nginx testcookie module, and neural networks. The key message is that while many solutions can help, none are perfect, and maintaining system uptime requires a layered defense-in-depth approach along with protecting the underlying TCP stack. The homework suggested is to configure Nginx with ipset, harden the TCP stack, use dedicated IPs, and test blackholing capabilities.

Technology
1 of 38
Downloaded 55 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
DDoS: practical survival guide Alexander Lyamin <la@highloadlab.com>
Q1 2012 • Incidents: 365 • Daily max: 12 • Avg. botnet size: 2637 • Max botnet size: 37834
2012: 1 Jan – 30 May • Incidents: 728 • Daily max: 51 • Avg. botnet size: 3288 • Max botnet size: 116265
Daily 55 Jan 50 Feb 45 Mar 40 Apr 35 May 30 25 20 15 10 5 0
Weekday distribution 20% 18.82% 18% 15.93% 15.52% 16% 13.60% 14% 12.77% 12.50% 12% 10.85% 10% 8% 6% 4% 2% 0% Monday Tuesday Wednesday Thursday Friday Saturday Sunday
High speed attacks 3.16% >=1Gbps 96.84% <1Gbps
Spoofed source attacks 29.67% Spoofed Full connect 70.33%
Scary stuff • DNS: NIC, Masterhost, FastVPS. • DataCenters: CROC, WAhome. • “Invisible” russian elections botnets. • Minerbot.
New reality • 1k botnet - 100-160 USD. • Readily available botnet toolkits. • Fall of prices - 20 USD/day.
New competition
Apache mod_evasive
Apache mod_evasive <IfModule mod_evasive20.c> DOSHashTableSize 3097 DOSPageCount 8 DOSSiteCount 100 DOSPageInterval 2 DOSSiteInterval 2 DOSBlockingPeriod 600 DOSEmailNotify secure@adminmail.com </IfModule>
Apache mod_evasive Positive Negative It works! Apache
Iptables --string
Iptables --string iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "GET / HTTP" --algo kmp --to 1024 -m recent --set --name httpddos --rsource iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "GET / HTTP" --algo kmp --to 1024 -m recent --update --seconds 10 --hitcount 2 --name httpddos --rsource -j DROP
Iptables --string Positive Negative It works. Not always works. (fragmentet packets) Its fast. Not always fast. (kmp matched packets) Orphaned sockets + retransmit. Requires conntrack(statefull is bad).
NGINX testcookie_module
JS
Cookie/Redirect
NGINX testcookie_module testcookie_name BPC; testcookie_secret keepmescret; testcookie_session $remote_addr; testcookie_arg attempt; testcookie_max_attempts 3; testcookie_fallback /cookies.html?backurl=http://$host$request_uri; testcookie_get_only on; location / { testcookie on; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_pass http://127.0.0.1:8080; } Further reading: http://habrahabr.ru/post/139931/
NGINX testcookie_module Positive Negative It works. Doesn’t block traffic.* NGINX. Alternates UX. Its fast. Is not effective on FBS. Predictable. Expandable (Flash, QT checks). * That’s what ipset is for.
Neuron network PyBrain
Neuron network PyBrain Request: 0.0.0.0 - - [20/Dec/2011:15:00:03 +0400] "GET /forum/rss.php?topic=347425 HTTP/1.0" 200 1685 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.9) Gecko/2008052906 Firefox/3.0» Dictionary: ['__UA___OS_U', '__UA_EMPTY', '__REQ___METHOD_POST', '__REQ___HTTP_VER_HTTP/1.0', '__REQ___URL_ __NETLOC_', '__REQ___URL___PATH_/forum/rss.php', '__REQ___URL___PATH_/forum/index.php', '__REQ___URL ___SCHEME_', '__REQ___HTTP_VER_HTTP/1.1', '__UA___VER_Firefox/3.0', '__REFER___NETLOC_www.mozilla- europe.org', '__UA___OS_Windows', '__UA___BASE_Mozilla/5.0', '__CODE_503', '__UA___OS_pl', '__REFER___PA TH_/', '__REFER___SCHEME_http', '__NO_REFER__', '__REQ___METHOD_GET', '__UA___OS_Windows NT 5.1', '__UA___OS_rv:1.9', '__REQ___URL___QS_topic', '__UA___VER_Gecko/2008052906’ Further reading: http://habrahabr.ru/post/136237/
Neuron network PyBrain Positive Negative It works. May not work. Nerd award! No historical analysis.
tcpdump
tcpdump tcpdump -v -n -w attack.log dst port 80 -c 250 tcpdump -nr attack.log |awk '{print $3}' |grep -oE '[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0- 9]{1,}' |sort |uniq -c |sort -rn
tcpdump Positive Negative It works. why tcpdump? Ask kernel (nicely)!
Cisco ASA
Cisco ASA
Cisco ASA Positive Negative It works. Performance is theoretical. Expen$ive High Performance $olution. Fun is real.
More recipes
Recipes VS LOIC/HOIC • HTTP1.0 + Host header • Header order signatures • Leading space character signature • Mod_security • Snort More reading: http://blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html
Results? • Every solution works. • Not always. • Not for everyone. • UPTIME > DOWNTIME.
Definition of happiness • Minimal FALSE POSITIVES. • No vulnerabilities on lower levels. • Up to challenge.
NGINX testcookie_module
One last thing… (protect your TCP stack) 29.67% 3.16% >=1Gbps Spoofed 96.84% <1Gbps Full connect 70.33%
Have a fun ride!
Homework. 1. NGINX/ipset pre-installed. 2. No stateful firewalls. 3. Fortified TCP stack. 4. Dedicated IP per critical published service. 5. Blackhole communities present and tested.

More Related Content

PPTX
lightning talk proposal
Alexander Lyamin
 
PDF
DDoS: Practical Survival Guide
HLL
 
PDF
Owning the bad guys
Santhosh Kumar
 
PDF
HTTP For the Good or the Bad
Xavier Mertens
 
PPT
Zombilizing The Web Browser Via Flash Player 9
thaidn
 
PDF
Integrity protection for third-party JavaScript
Francois Marier
 
PDF
Active Https Cookie Stealing
SecurityTube.Net
 
PDF
Comet: Making The Web a 2-Way Medium
Joe Walker
 
lightning talk proposal
Alexander Lyamin
 
DDoS: Practical Survival Guide
HLL
 
Owning the bad guys
Santhosh Kumar
 
HTTP For the Good or the Bad
Xavier Mertens
 
Zombilizing The Web Browser Via Flash Player 9
thaidn
 
Integrity protection for third-party JavaScript
Francois Marier
 
Active Https Cookie Stealing
SecurityTube.Net
 
Comet: Making The Web a 2-Way Medium
Joe Walker
 

What's hot (20)

PDF
Be Mean to your Code with Gauntlt #txlf 2013
James Wickett
 
PDF
URL to HTML
Francois Marier
 
PDF
Integrity protection for third-party JavaScript
Francois Marier
 
PPTX
TLS - 2016 Velocity Training
Patrick Meenan
 
KEY
Genkidama:実装と課題
Takuya ASADA
 
PDF
mod_perl 2.0 For Speed Freaks!
Philippe M. Chiasson
 
PDF
Security and Privacy on the Web in 2015
Francois Marier
 
PPT
5 things MySql
sarahnovotny
 
PPTX
Altitude San Francisco 2018: Programming the Edge
Fastly
 
PDF
FastNetMonを試してみた
Yutaka Ishizaki
 
PDF
HTTP For the Good or the Bad - FSEC Edition
Xavier Mertens
 
PDF
Velocity 2011 - Our first DDoS attack
Cosimo Streppone
 
PDF
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Fastly
 
PDF
Protect your edge BGP security made simple
Pavel Odintsov
 
PDF
Ripe71 FastNetMon open source DoS / DDoS mitigation
Pavel Odintsov
 
PDF
20190516 web security-basic
MksYi
 
PDF
FastNetMon - ENOG9 speech about DDoS mitigation
Pavel Odintsov
 
PDF
Security and Privacy on the Web in 2016
Francois Marier
 
PDF
Distributed Denial of Service Attack - Detection And Mitigation
Pavel Odintsov
 
PPT
Dos threats and countermeasures
n|u - The Open Security Community
 
Be Mean to your Code with Gauntlt #txlf 2013
James Wickett
 
URL to HTML
Francois Marier
 
Integrity protection for third-party JavaScript
Francois Marier
 
TLS - 2016 Velocity Training
Patrick Meenan
 
Genkidama:実装と課題
Takuya ASADA
 
mod_perl 2.0 For Speed Freaks!
Philippe M. Chiasson
 
Security and Privacy on the Web in 2015
Francois Marier
 
5 things MySql
sarahnovotny
 
Altitude San Francisco 2018: Programming the Edge
Fastly
 
FastNetMonを試してみた
Yutaka Ishizaki
 
HTTP For the Good or the Bad - FSEC Edition
Xavier Mertens
 
Velocity 2011 - Our first DDoS attack
Cosimo Streppone
 
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Fastly
 
Protect your edge BGP security made simple
Pavel Odintsov
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Pavel Odintsov
 
20190516 web security-basic
MksYi
 
FastNetMon - ENOG9 speech about DDoS mitigation
Pavel Odintsov
 
Security and Privacy on the Web in 2016
Francois Marier
 
Distributed Denial of Service Attack - Detection And Mitigation
Pavel Odintsov
 
Dos threats and countermeasures
n|u - The Open Security Community
 
Ad

Similar to DDoS: practical survival (20)

PDF
Adversary Pattern Analysis - A Journey with APNIC Honeypot
A. S. M. Shamim Reza
 
PDF
IX 2020 - Internet Security & Mitigation of Risk Webinar: Linux Malware and D...
APNIC
 
PPTX
Helen Tabunshchyk "Handling large amounts of traffic on the Edge"
Fwdays
 
PDF
Layer one 2011-gh0stwood-d-dos-attacks
fangjiafu
 
PDF
How to secure your web applications with NGINX
Wallarm
 
PPTX
Hunting Botnets with Zmap
HeadlessZeke
 
PDF
EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
allanjude
 
PDF
Secured Internet Gateway for ISP with pfsense & FRR
Bangladesh Network Operators Group
 
PDF
12 Years in DNS Security As a Defender
Bangladesh Network Operators Group
 
PPTX
Attacks and their mitigations
Mukesh Chaudhari
 
PPTX
Tcpdump hunter
Andrew McNicol
 
PDF
Network Threat Hunting Training - 202308.pdf
Ari Setiawan
 
PPT
Hacking Cisco
guestd05b31
 
PDF
OpenDNS Whitepaper: DNS's Role in Botnet C&C
Courtland Smith
 
PDF
Robots against robots: How a Machine Learning IDS detected a novel Linux Botn...
Security Session
 
PDF
Having Honeypot for Better Network Security Analysis
Bangladesh Network Operators Group
 
PPTX
Multi-Layer DDoS Mitigation Strategies
Logan Best
 
PDF
Network and DNS Vulnerabilities
n|u - The Open Security Community
 
PPT
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
masoodnt10
 
PDF
Multi-Layer DDoS Mitigation Strategies
Sagi Brody
 
Adversary Pattern Analysis - A Journey with APNIC Honeypot
A. S. M. Shamim Reza
 
IX 2020 - Internet Security & Mitigation of Risk Webinar: Linux Malware and D...
APNIC
 
Helen Tabunshchyk "Handling large amounts of traffic on the Edge"
Fwdays
 
Layer one 2011-gh0stwood-d-dos-attacks
fangjiafu
 
How to secure your web applications with NGINX
Wallarm
 
Hunting Botnets with Zmap
HeadlessZeke
 
EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
allanjude
 
Secured Internet Gateway for ISP with pfsense & FRR
Bangladesh Network Operators Group
 
12 Years in DNS Security As a Defender
Bangladesh Network Operators Group
 
Attacks and their mitigations
Mukesh Chaudhari
 
Tcpdump hunter
Andrew McNicol
 
Network Threat Hunting Training - 202308.pdf
Ari Setiawan
 
Hacking Cisco
guestd05b31
 
OpenDNS Whitepaper: DNS's Role in Botnet C&C
Courtland Smith
 
Robots against robots: How a Machine Learning IDS detected a novel Linux Botn...
Security Session
 
Having Honeypot for Better Network Security Analysis
Bangladesh Network Operators Group
 
Multi-Layer DDoS Mitigation Strategies
Logan Best
 
Network and DNS Vulnerabilities
n|u - The Open Security Community
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
masoodnt10
 
Multi-Layer DDoS Mitigation Strategies
Sagi Brody
 
Ad

More from Positive Hack Days (20)

PPTX
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Positive Hack Days
 
PPTX
Как мы собираем проекты в выделенном окружении в Windows Docker
Positive Hack Days
 
PPTX
Типовая сборка и деплой продуктов в Positive Technologies
Positive Hack Days
 
PPTX
Аналитика в проектах: TFS + Qlik
Positive Hack Days
 
PPTX
Использование анализатора кода SonarQube
Positive Hack Days
 
PPTX
Развитие сообщества Open DevOps Community
Positive Hack Days
 
PPTX
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Positive Hack Days
 
PPTX
Автоматизация построения правил для Approof
Positive Hack Days
 
PDF
Мастер-класс «Трущобы Application Security»
Positive Hack Days
 
PDF
Формальные методы защиты приложений
Positive Hack Days
 
PDF
Эвристические методы защиты приложений
Positive Hack Days
 
PDF
Теоретические основы Application Security
Positive Hack Days
 
PPTX
От экспериментального программирования к промышленному: путь длиной в 10 лет
Positive Hack Days
 
PDF
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Positive Hack Days
 
PPTX
Требования по безопасности в архитектуре ПО
Positive Hack Days
 
PDF
Формальная верификация кода на языке Си
Positive Hack Days
 
PPTX
Механизмы предотвращения атак в ASP.NET Core
Positive Hack Days
 
PDF
SOC для КИИ: израильский опыт
Positive Hack Days
 
PDF
Honeywell Industrial Cyber Security Lab & Services Center
Positive Hack Days
 
PDF
Credential stuffing и брутфорс-атаки
Positive Hack Days
 
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Positive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Positive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Positive Hack Days
 
Аналитика в проектах: TFS + Qlik
Positive Hack Days
 
Использование анализатора кода SonarQube
Positive Hack Days
 
Развитие сообщества Open DevOps Community
Positive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Positive Hack Days
 
Автоматизация построения правил для Approof
Positive Hack Days
 
Мастер-класс «Трущобы Application Security»
Positive Hack Days
 
Формальные методы защиты приложений
Positive Hack Days
 
Эвристические методы защиты приложений
Positive Hack Days
 
Теоретические основы Application Security
Positive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
Positive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Positive Hack Days
 
Требования по безопасности в архитектуре ПО
Positive Hack Days
 
Формальная верификация кода на языке Си
Positive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Positive Hack Days
 
SOC для КИИ: израильский опыт
Positive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Positive Hack Days
 
Credential stuffing и брутфорс-атаки
Positive Hack Days
 

Recently uploaded (20)

PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Approach and Philosophy of On baking technology
30anthuong17
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 

DDoS: practical survival

  • 1. DDoS: practical survival guide Alexander Lyamin <la@highloadlab.com>
  • 2. Q1 2012 • Incidents: 365 • Daily max: 12 • Avg. botnet size: 2637 • Max botnet size: 37834
  • 3. 2012: 1 Jan – 30 May • Incidents: 728 • Daily max: 51 • Avg. botnet size: 3288 • Max botnet size: 116265
  • 4. Daily 55 Jan 50 Feb 45 Mar 40 Apr 35 May 30 25 20 15 10 5 0
  • 5. Weekday distribution 20% 18.82% 18% 15.93% 15.52% 16% 13.60% 14% 12.77% 12.50% 12% 10.85% 10% 8% 6% 4% 2% 0% Monday Tuesday Wednesday Thursday Friday Saturday Sunday
  • 6. High speed attacks 3.16% >=1Gbps 96.84% <1Gbps
  • 7. Spoofed source attacks 29.67% Spoofed Full connect 70.33%
  • 8. Scary stuff • DNS: NIC, Masterhost, FastVPS. • DataCenters: CROC, WAhome. • “Invisible” russian elections botnets. • Minerbot.
  • 9. New reality • 1k botnet - 100-160 USD. • Readily available botnet toolkits. • Fall of prices - 20 USD/day.
  • 12. Apache mod_evasive <IfModule mod_evasive20.c> DOSHashTableSize 3097 DOSPageCount 8 DOSSiteCount 100 DOSPageInterval 2 DOSSiteInterval 2 DOSBlockingPeriod 600 DOSEmailNotify secure@adminmail.com </IfModule>
  • 13. Apache mod_evasive Positive Negative It works! Apache
  • 15. Iptables --string iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "GET / HTTP" --algo kmp --to 1024 -m recent --set --name httpddos --rsource iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "GET / HTTP" --algo kmp --to 1024 -m recent --update --seconds 10 --hitcount 2 --name httpddos --rsource -j DROP
  • 16. Iptables --string Positive Negative It works. Not always works. (fragmentet packets) Its fast. Not always fast. (kmp matched packets) Orphaned sockets + retransmit. Requires conntrack(statefull is bad).
  • 18. JS
  • 20. NGINX testcookie_module testcookie_name BPC; testcookie_secret keepmescret; testcookie_session $remote_addr; testcookie_arg attempt; testcookie_max_attempts 3; testcookie_fallback /cookies.html?backurl=http://$host$request_uri; testcookie_get_only on; location / { testcookie on; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_pass http://127.0.0.1:8080; } Further reading: http://habrahabr.ru/post/139931/
  • 21. NGINX testcookie_module Positive Negative It works. Doesn’t block traffic.* NGINX. Alternates UX. Its fast. Is not effective on FBS. Predictable. Expandable (Flash, QT checks). * That’s what ipset is for.
  • 23. Neuron network PyBrain Request: 0.0.0.0 - - [20/Dec/2011:15:00:03 +0400] "GET /forum/rss.php?topic=347425 HTTP/1.0" 200 1685 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.9) Gecko/2008052906 Firefox/3.0» Dictionary: ['__UA___OS_U', '__UA_EMPTY', '__REQ___METHOD_POST', '__REQ___HTTP_VER_HTTP/1.0', '__REQ___URL_ __NETLOC_', '__REQ___URL___PATH_/forum/rss.php', '__REQ___URL___PATH_/forum/index.php', '__REQ___URL ___SCHEME_', '__REQ___HTTP_VER_HTTP/1.1', '__UA___VER_Firefox/3.0', '__REFER___NETLOC_www.mozilla- europe.org', '__UA___OS_Windows', '__UA___BASE_Mozilla/5.0', '__CODE_503', '__UA___OS_pl', '__REFER___PA TH_/', '__REFER___SCHEME_http', '__NO_REFER__', '__REQ___METHOD_GET', '__UA___OS_Windows NT 5.1', '__UA___OS_rv:1.9', '__REQ___URL___QS_topic', '__UA___VER_Gecko/2008052906’ Further reading: http://habrahabr.ru/post/136237/
  • 24. Neuron network PyBrain Positive Negative It works. May not work. Nerd award! No historical analysis.
  • 26. tcpdump tcpdump -v -n -w attack.log dst port 80 -c 250 tcpdump -nr attack.log |awk '{print $3}' |grep -oE '[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0- 9]{1,}' |sort |uniq -c |sort -rn
  • 27. tcpdump Positive Negative It works. why tcpdump? Ask kernel (nicely)!
  • 30. Cisco ASA Positive Negative It works. Performance is theoretical. Expen$ive High Performance $olution. Fun is real.
  • 32. Recipes VS LOIC/HOIC • HTTP1.0 + Host header • Header order signatures • Leading space character signature • Mod_security • Snort More reading: http://blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html
  • 33. Results? • Every solution works. • Not always. • Not for everyone. • UPTIME > DOWNTIME.
  • 34. Definition of happiness • Minimal FALSE POSITIVES. • No vulnerabilities on lower levels. • Up to challenge.
  • 36. One last thing… (protect your TCP stack) 29.67% 3.16% >=1Gbps Spoofed 96.84% <1Gbps Full connect 70.33%
  • 37. Have a fun ride!
  • 38. Homework. 1. NGINX/ipset pre-installed. 2. No stateful firewalls. 3. Fortified TCP stack. 4. Dedicated IP per critical published service. 5. Blackhole communities present and tested.