SlideShare a Scribd company logo

Layer one 2011-sam-bowne-layer-7-dos

F
fangjiafu

The document discusses various types of denial of service (DoS) attacks including layer 4 distributed denial of service (DDoS) attacks using botnets, layer 7 attacks that can be carried out by a single attacker, and link local attacks using fraudulent IPv6 router advertisements. It also profiles various hacktivist groups that have carried out such attacks and outlines defenses against DoS attacks like ModSecurity, load balancing, and router advertisement guard.

Technology
1 of 54
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
Layer 7 DoS Attacks and Defenses LayerOne, 2011
Bio
Summary • The DoS Circus • Layer 4 DDoS: Thousands of attackers bring down one site • Layer 7 DoS: One attacker brings down one site • Link-Local DoS: IPv6 RA Attack: One attacker brings down a whole network
The DoS Circus Characters
Wikileaks • Published <1000 US Gov't diplomatic cables from a leak of 250,000 • Distributed an encrypted "Insurance" file by BitTorrent • Widely assumed to contain the complete, uncensored leaked data • Encrypted with AES-256--no one is ever getting in there without the key • Key to be released if Assange is jailed or killed, but he is in UK now resisting extradition to Sweden and the key has not been released
Anonymous
Operation Payback • 4chan's Anonymous group • Attacked Scientology websites in 2008 • Attacked the RIAA and other copyright defenders • Using the Low Orbit Ion Cannon with HiveMind (DDoS) • "Opt-in Botnet"
HB Gary Federal • Aaron Barr • Developed a questionable way to track people down online • By correlating Twitter, Facebook, and other postings • Announced in Financial Times that he had located the “leaders” of Anonymous and would reveal them in a few days
Layer one 2011-sam-bowne-layer-7-dos
Social Engineering & SQLi • http://tinyurl.com/4gesrcj
Leaked HB Gary Emails • For Bank of America • Discredit Wikileaks • Intimidate Journalist Glenn Greenwald • For the Chamber of Commerce • Discredit the watchdog group US Chamber Watch • Using fake social media accounts • For the US Air Force • Spread propaganda with fake accounts • http://tinyurl.com/4anofw8
Drupal Exploit
Th3j35t3r • "Hacktivist for Good" • Claims to be ex-military • Originally performed DoS attacks on Jihadist sites • Bringing them down for brief periods, such as 30 minutes • Announces his attacks on Twitter, discusses them on a blog and live on irc.2600.net
Jester's Tweets from Dec 2010
Th3j35t3r v. Wikileaks • He brought down Wikileaks single-handed for more than a day – I was chatting with him in IRC while he did it, and he proved it was him by briefly pausing the attack
Wikileaks Outage • One attacker, no botnet
Th3j35t3r • After his Wikileaks attack • He battled Anonymous • He claims to have trojaned a tool the Anons downloaded • He claims to pwn Anon insiders now
Jester's Tweets
Westboro Baptist Outage • 4 sites held down for 8 weeks • From a single 3G cell phone – http://tinyurl.com/4vggluu
Layer 4 DDoS Many Attackers – One Target Bandwidth Consumption
Companies that Refused Service to Wikileaks • Amazon • Paypal • Mastercard • Visa • Many others
Low Orbit Ion Cannon • Primitive DDoS Attack, controlled via IRC • Sends thousands of packets per second from the attacker directly to the target • Like throwing a brick through a window • Takes thousands of participants to bring down a large site • They tried but failed to bring down Amazon
Low Orbit Ion Cannon
Operation Payback v. Mastercard • Brought down Visa, Mastercard, and many other sites – Easily tracked, and easily blocked – High bandwidth, cannot be run through anonymizer – Dutch police have already arrested two participants
Mastercard Outage 3,000 to 30,000 attackers working together
Layer one 2011-sam-bowne-layer-7-dos
Layer 7 DoS One Attacker – One Target Exhausts Server Resources
Layer 7 DoS • Subtle, concealable attack • Can be routed through proxies • Low bandwidth • Can be very difficult to distinguish from normal traffic
HTTP GET
SlowLoris • Send incomplete GET requests • Freezes Apache with one packet per second
R-U-Dead-Yet • Incomplete HTTP POSTs • Stops IIS, but requires thousands of packets per second
Keep-Alive DoS • HTTP Keep-Alive allows 100 requests in a single connection • HEAD method saves resources on the attacker • Target a page that is expensive for the server to create, like a search – http://www.esrun.co.uk/blog/keep-alive-dos-script/ • A php script – pkp keep-dead.php
keep-dead
XerXes • Th3j35t3r's DoS Tool • Routed through proxies like Tor to hide the attacker's origin • No one knows exactly what it does • Layer 7 DoS?
XerXes
Link-Local DoS IPv6 Router Advertisements
IPv4: DHCP PULL process  Client requests an IP  Router provides one I need an IP Use this IP Host Router
IPv6: Router Advertisements PUSH process  Router announces its presence  Every client on the LAN creates an address and joins the network JOIN MY NETWORK Yes, SIR Host Router
Router Advertisement Packet
RA Flood
Windows Vulnerability • It takes a LOT of CPU for Windows to process those Router Advertisements • 5 packets per second drives the CPU to 100% • And they are sent to every machine in the LAN (ff02::1 is Link-Local All Nodes Multicast) • One attacker kills all the Windows machines on a LAN
Responsible Disclosure • Microsoft was alerted by Marc Heuse on July 10, 2010 • Microsoft does not plan to patch this • Juniper and Cisco devices are also vulnerable • Cisco has released a patch, Juniper has not
Defenses from RA Floods • Disable IPv6 • Turn off Router Discovery • Block rogue RAs with a firewall • Get a switch with RA Guard
RA Guard Evasion • Add "Fragmentation Headers" to the RA Packets – http://samsclass.info/ipv6/proj/RA-evasion.html
Fragmentation Headers
Defending Websites
Attack > Defense • Right now, your website is only up because – Not even one person hates you, or – All the people that hate you are ignorant about network security
Defense • Mod Security--free open-source defense tool • Latest version has some protections against Layer 7 DoS • Akamai has good defense solutions • Caching • DNS Redirection • Javascript second-request trick
Load Balancer
Counterattacks • Reflecting attacks back to the command & control server • Effective against dumb attackers like Anonymous' LOIC – Will lose effect if they ever learn about Layer 7 DoS, which is happening now
References
References Anonymous Takes Down U.S. Chamber Of Commerce And Supporter Websites http://goo.gl/Mue9k Slowloris HTTP DoS http://ha.ckers.org/slowloris/ OWASP HTTP DoS Tool http://code.google.com/p/owasp-dos-http-post/ Mitigating Slow HTTP DoS Attacks http://blog.spiderlabs.com/2010/11/advanced-topic-of-the- week-mitigating-slow-http-dos-attacks.html ‘Tis the Season of DDoS – WikiLeaks Edition (Outage charts) http://goo.gl/V5jZc
References ModSecurity http://goo.gl/56hbl Akamai DDoS Report http://baythreat.org/MichaelSmith_DDoS.pdf How Secure Is Julian Assange's "Thermonuclear" Insurance File? http://goo.gl/sY6Nn Overview of Anonymous and their attack on MasterCard: http://goo.gl/lVsCD Operation Payback Toolkit: LOIC and HiveMind http://pastehtml.com/view/1c8i33u.html
References r-u-dead-yet http://code.google.com/p/r-u-dead-yet/ Keep-Alive DoS Script http://www.esrun.co.uk/blog/keep-alive-dos-script/ Router Advertisement DoS in Windows http://samsclass.info/ipv6/proj/flood-router6a.htm RA Guard Evasion http://samsclass.info/ipv6/proj/RA-evasion.html XerXes Attack Video http://goo.gl/j8NQE

More Related Content

PDF
Fear, Uncertainty and Doubt
Manuel Schmalstieg
 
PDF
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Priyanka Aash
 
PDF
Defcon 22-metacortex-grifter-darkside-of-the-internet
Priyanka Aash
 
PDF
AtlSecCon 2016
Earl Carter
 
PPTX
The Ransomware Threat: Tracking the Digitial Footprints
k3vb0t
 
PDF
Fade from Whitehat... to Black
Beau Bullock
 
PDF
Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly ...
OWASP Delhi
 
PPTX
Dark web
Safwan Hashmi
 
Fear, Uncertainty and Doubt
Manuel Schmalstieg
 
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Priyanka Aash
 
Defcon 22-metacortex-grifter-darkside-of-the-internet
Priyanka Aash
 
AtlSecCon 2016
Earl Carter
 
The Ransomware Threat: Tracking the Digitial Footprints
k3vb0t
 
Fade from Whitehat... to Black
Beau Bullock
 
Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly ...
OWASP Delhi
 
Dark web
Safwan Hashmi
 

What's hot (16)

PPTX
Assessing a pen tester: Making the right choice when choosing a third party P...
Jason Broz, CIPP/US
 
PPTX
Mo and Tao 魔与道
Austin Chou
 
PPTX
Defcon Crypto Village - OPSEC Concerns in Using Crypto
John Bambenek
 
PPTX
There's always money in the banana stand: A BLUE TEAMER’S GUIDE TO COBALT STRIKE
Jeff Beley
 
PPT
[ENG] IPv6 shipworm + My little Windows domain pwnie
Zoltan Balazs
 
PPTX
Ransomware the clock is ticking
Manoj Kumar Mishra
 
PDF
Bitcoin and Ransomware Analysis
inder_barara
 
PDF
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
EC-Council
 
PPTX
In the Line of Fire-the Morphology of Cyber Attacks
Radware
 
PDF
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
John Bambenek
 
PDF
Survival in an Evolving Threat Landscape
Radware
 
PPTX
SecureWorld St. Louis: Survival in an Evolving Threat Landscape
Radware
 
PPTX
Threat hunting in_windows
Chung Wee Jing
 
PPSX
โครงงานการพัฒนาเว็บไซต์เรื่อง Hacking ชลธิชา.อรวดี.อรอุมา
Onwadee18
 
PPSX
โครงงานการพัฒนาเว็บไซต์เรื่อง Hacking ชลธิชา.อรวดี.อรอุมา1
Onwadee18
 
PDF
Governments As Malware Authors - Mikko Hypponen at Black Hat 2014
Mikko Hypponen
 
Assessing a pen tester: Making the right choice when choosing a third party P...
Jason Broz, CIPP/US
 
Mo and Tao 魔与道
Austin Chou
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
John Bambenek
 
There's always money in the banana stand: A BLUE TEAMER’S GUIDE TO COBALT STRIKE
Jeff Beley
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
Zoltan Balazs
 
Ransomware the clock is ticking
Manoj Kumar Mishra
 
Bitcoin and Ransomware Analysis
inder_barara
 
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
EC-Council
 
In the Line of Fire-the Morphology of Cyber Attacks
Radware
 
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
John Bambenek
 
Survival in an Evolving Threat Landscape
Radware
 
SecureWorld St. Louis: Survival in an Evolving Threat Landscape
Radware
 
Threat hunting in_windows
Chung Wee Jing
 
โครงงานการพัฒนาเว็บไซต์เรื่อง Hacking ชลธิชา.อรวดี.อรอุมา
Onwadee18
 
โครงงานการพัฒนาเว็บไซต์เรื่อง Hacking ชลธิชา.อรวดี.อรอุมา1
Onwadee18
 
Governments As Malware Authors - Mikko Hypponen at Black Hat 2014
Mikko Hypponen
 
Ad

Viewers also liked (16)

PPTX
piel y anexos h
karen sanchez
 
DOCX
Shooting schedule overview BlueSkyStudios day 1
rhsmediastudies
 
PDF
Unidad2.procesos políticos.
Joselin Gómez
 
PDF
Organigrama de empresa forestal
Beatriz Juarez jimenez
 
PDF
Sistemas de certificacion forestal
Beatriz Juarez jimenez
 
PDF
Planeación de Caminos Forestales
Eliana Molar
 
DOCX
Maquinaria y equipo
Eliana Molar
 
PPTX
Algorithm Design & Implementation
Gaditek
 
PPTX
hiperkolesterolemia (hypercolesterolemia)
Mela Roviani
 
PDF
2 programa curricular-de-educacion-primaria-2017
Victor Misael Rivera Guerrero
 
PDF
Programa Nacional de Saúde Escolar
Gonçalo Silva
 
PPT
"O espantalho enamorado" de Guido Visconti
isigoncalves
 
PPT
Atención a la diversidad1516
S MD
 
PPT
Programación didáctica parte 2
S MD
 
DOCX
FYS Partner Photo 5
pauley237
 
DOC
Deepak new resume 2016
Deepak Itim
 
piel y anexos h
karen sanchez
 
Shooting schedule overview BlueSkyStudios day 1
rhsmediastudies
 
Unidad2.procesos políticos.
Joselin Gómez
 
Organigrama de empresa forestal
Beatriz Juarez jimenez
 
Sistemas de certificacion forestal
Beatriz Juarez jimenez
 
Planeación de Caminos Forestales
Eliana Molar
 
Maquinaria y equipo
Eliana Molar
 
Algorithm Design & Implementation
Gaditek
 
hiperkolesterolemia (hypercolesterolemia)
Mela Roviani
 
2 programa curricular-de-educacion-primaria-2017
Victor Misael Rivera Guerrero
 
Programa Nacional de Saúde Escolar
Gonçalo Silva
 
"O espantalho enamorado" de Guido Visconti
isigoncalves
 
Atención a la diversidad1516
S MD
 
Programación didáctica parte 2
S MD
 
FYS Partner Photo 5
pauley237
 
Deepak new resume 2016
Deepak Itim
 
Ad

Similar to Layer one 2011-sam-bowne-layer-7-dos (20)

PPT
Dos threats and countermeasures
n|u - The Open Security Community
 
PDF
Cyber espionage - Tinker, taylor, soldier, spy
b coatesworth
 
PPTX
Security News Bytes (Aug Sept 2017)
Apurv Singh Gautam
 
PPTX
Crypto Miners in the Cloud
2nd Sight Lab
 
PPTX
BSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
Shellmates
 
PPT
DDos
rohit verma
 
PPTX
Pichman privacy, the dark web, &amp; hacker devices i school (1)
Stephen Abram
 
PDF
Security events in 2014
Chong-Kuan Chen
 
PDF
Cyber-crime and attacks in the dark side of the web - Marco Balduzzi - Codemo...
Codemotion
 
PDF
Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemo...
Codemotion
 
PDF
Virus Bulletin 2012
Cloudflare
 
PPTX
DoS or DDoS attack
stollen_fusion
 
PPTX
Session for InfoSecGirls - New age threat management vol 1
InfoSec Girls
 
PPTX
Information about malwares and Attacks.pptx
malikmuzammil2326
 
PPTX
Dark Web and Privacy
Brian Pichman
 
PPTX
Attacks on the cyber world
Nikhil Tripathi
 
PPTX
Bh europe 2013_wilhoit
Kyle Wilhoit
 
PPTX
News Bytes - May 2015
n|u - The Open Security Community
 
PPT
All about Hacking
Madhusudhan G
 
PDF
Top 10 Threats to Cloud Security
SBWebinars
 
Dos threats and countermeasures
n|u - The Open Security Community
 
Cyber espionage - Tinker, taylor, soldier, spy
b coatesworth
 
Security News Bytes (Aug Sept 2017)
Apurv Singh Gautam
 
Crypto Miners in the Cloud
2nd Sight Lab
 
BSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
Shellmates
 
DDos
rohit verma
 
Pichman privacy, the dark web, &amp; hacker devices i school (1)
Stephen Abram
 
Security events in 2014
Chong-Kuan Chen
 
Cyber-crime and attacks in the dark side of the web - Marco Balduzzi - Codemo...
Codemotion
 
Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemo...
Codemotion
 
Virus Bulletin 2012
Cloudflare
 
DoS or DDoS attack
stollen_fusion
 
Session for InfoSecGirls - New age threat management vol 1
InfoSec Girls
 
Information about malwares and Attacks.pptx
malikmuzammil2326
 
Dark Web and Privacy
Brian Pichman
 
Attacks on the cyber world
Nikhil Tripathi
 
Bh europe 2013_wilhoit
Kyle Wilhoit
 
News Bytes - May 2015
n|u - The Open Security Community
 
All about Hacking
Madhusudhan G
 
Top 10 Threats to Cloud Security
SBWebinars
 

More from fangjiafu (20)

PDF
Wce internals rooted_con2011_ampliasecurity
fangjiafu
 
PDF
Oracle forensics 101
fangjiafu
 
PDF
Understanding and selecting_dsp_final
fangjiafu
 
PDF
Wce12 uba ampliasecurity_eng
fangjiafu
 
PDF
Ddos analizi
fangjiafu
 
PDF
Bypass dbms assert
fangjiafu
 
PDF
Cursor injection
fangjiafu
 
PDF
Create user to_sysdba
fangjiafu
 
PPT
Presentation nix
fangjiafu
 
PDF
Layer 7 ddos
fangjiafu
 
PDF
Tlsoptimizationprint 120224194603-phpapp02
fangjiafu
 
PDF
Crypto hlug
fangjiafu
 
PDF
Fp
fangjiafu
 
PPT
Presentation nix
fangjiafu
 
PDF
Rr 7944
fangjiafu
 
PDF
Proper passwordhashing
fangjiafu
 
PDF
Burp suite injection中的应用by小冰
fangjiafu
 
PDF
Oech03
fangjiafu
 
PDF
2008 07-24 kwpm-threads_and_synchronization
fangjiafu
 
PDF
Unit07
fangjiafu
 
Wce internals rooted_con2011_ampliasecurity
fangjiafu
 
Oracle forensics 101
fangjiafu
 
Understanding and selecting_dsp_final
fangjiafu
 
Wce12 uba ampliasecurity_eng
fangjiafu
 
Ddos analizi
fangjiafu
 
Bypass dbms assert
fangjiafu
 
Cursor injection
fangjiafu
 
Create user to_sysdba
fangjiafu
 
Presentation nix
fangjiafu
 
Layer 7 ddos
fangjiafu
 
Tlsoptimizationprint 120224194603-phpapp02
fangjiafu
 
Crypto hlug
fangjiafu
 
Fp
fangjiafu
 
Presentation nix
fangjiafu
 
Rr 7944
fangjiafu
 
Proper passwordhashing
fangjiafu
 
Burp suite injection中的应用by小冰
fangjiafu
 
Oech03
fangjiafu
 
2008 07-24 kwpm-threads_and_synchronization
fangjiafu
 
Unit07
fangjiafu
 

Recently uploaded (20)

PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Cloud computing and distributed systems.
kkkkkhan
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 

Layer one 2011-sam-bowne-layer-7-dos

  • 1. Layer 7 DoS Attacks and Defenses LayerOne, 2011
  • 2. Bio
  • 3. Summary • The DoS Circus • Layer 4 DDoS: Thousands of attackers bring down one site • Layer 7 DoS: One attacker brings down one site • Link-Local DoS: IPv6 RA Attack: One attacker brings down a whole network
  • 4. The DoS Circus Characters
  • 5. Wikileaks • Published <1000 US Gov't diplomatic cables from a leak of 250,000 • Distributed an encrypted "Insurance" file by BitTorrent • Widely assumed to contain the complete, uncensored leaked data • Encrypted with AES-256--no one is ever getting in there without the key • Key to be released if Assange is jailed or killed, but he is in UK now resisting extradition to Sweden and the key has not been released
  • 7. Operation Payback • 4chan's Anonymous group • Attacked Scientology websites in 2008 • Attacked the RIAA and other copyright defenders • Using the Low Orbit Ion Cannon with HiveMind (DDoS) • "Opt-in Botnet"
  • 8. HB Gary Federal • Aaron Barr • Developed a questionable way to track people down online • By correlating Twitter, Facebook, and other postings • Announced in Financial Times that he had located the “leaders” of Anonymous and would reveal them in a few days
  • 10. Social Engineering & SQLi • http://tinyurl.com/4gesrcj
  • 11. Leaked HB Gary Emails • For Bank of America • Discredit Wikileaks • Intimidate Journalist Glenn Greenwald • For the Chamber of Commerce • Discredit the watchdog group US Chamber Watch • Using fake social media accounts • For the US Air Force • Spread propaganda with fake accounts • http://tinyurl.com/4anofw8
  • 13. Th3j35t3r • "Hacktivist for Good" • Claims to be ex-military • Originally performed DoS attacks on Jihadist sites • Bringing them down for brief periods, such as 30 minutes • Announces his attacks on Twitter, discusses them on a blog and live on irc.2600.net
  • 15. Th3j35t3r v. Wikileaks • He brought down Wikileaks single-handed for more than a day – I was chatting with him in IRC while he did it, and he proved it was him by briefly pausing the attack
  • 16. Wikileaks Outage • One attacker, no botnet
  • 17. Th3j35t3r • After his Wikileaks attack • He battled Anonymous • He claims to have trojaned a tool the Anons downloaded • He claims to pwn Anon insiders now
  • 19. Westboro Baptist Outage • 4 sites held down for 8 weeks • From a single 3G cell phone – http://tinyurl.com/4vggluu
  • 20. Layer 4 DDoS Many Attackers – One Target Bandwidth Consumption
  • 21. Companies that Refused Service to Wikileaks • Amazon • Paypal • Mastercard • Visa • Many others
  • 22. Low Orbit Ion Cannon • Primitive DDoS Attack, controlled via IRC • Sends thousands of packets per second from the attacker directly to the target • Like throwing a brick through a window • Takes thousands of participants to bring down a large site • They tried but failed to bring down Amazon
  • 23. Low Orbit Ion Cannon
  • 24. Operation Payback v. Mastercard • Brought down Visa, Mastercard, and many other sites – Easily tracked, and easily blocked – High bandwidth, cannot be run through anonymizer – Dutch police have already arrested two participants
  • 25. Mastercard Outage 3,000 to 30,000 attackers working together
  • 27. Layer 7 DoS One Attacker – One Target Exhausts Server Resources
  • 28. Layer 7 DoS • Subtle, concealable attack • Can be routed through proxies • Low bandwidth • Can be very difficult to distinguish from normal traffic
  • 30. SlowLoris • Send incomplete GET requests • Freezes Apache with one packet per second
  • 31. R-U-Dead-Yet • Incomplete HTTP POSTs • Stops IIS, but requires thousands of packets per second
  • 32. Keep-Alive DoS • HTTP Keep-Alive allows 100 requests in a single connection • HEAD method saves resources on the attacker • Target a page that is expensive for the server to create, like a search – http://www.esrun.co.uk/blog/keep-alive-dos-script/ • A php script – pkp keep-dead.php
  • 34. XerXes • Th3j35t3r's DoS Tool • Routed through proxies like Tor to hide the attacker's origin • No one knows exactly what it does • Layer 7 DoS?
  • 36. Link-Local DoS IPv6 Router Advertisements
  • 37. IPv4: DHCP PULL process  Client requests an IP  Router provides one I need an IP Use this IP Host Router
  • 38. IPv6: Router Advertisements PUSH process  Router announces its presence  Every client on the LAN creates an address and joins the network JOIN MY NETWORK Yes, SIR Host Router
  • 41. Windows Vulnerability • It takes a LOT of CPU for Windows to process those Router Advertisements • 5 packets per second drives the CPU to 100% • And they are sent to every machine in the LAN (ff02::1 is Link-Local All Nodes Multicast) • One attacker kills all the Windows machines on a LAN
  • 42. Responsible Disclosure • Microsoft was alerted by Marc Heuse on July 10, 2010 • Microsoft does not plan to patch this • Juniper and Cisco devices are also vulnerable • Cisco has released a patch, Juniper has not
  • 43. Defenses from RA Floods • Disable IPv6 • Turn off Router Discovery • Block rogue RAs with a firewall • Get a switch with RA Guard
  • 44. RA Guard Evasion • Add "Fragmentation Headers" to the RA Packets – http://samsclass.info/ipv6/proj/RA-evasion.html
  • 47. Attack > Defense • Right now, your website is only up because – Not even one person hates you, or – All the people that hate you are ignorant about network security
  • 48. Defense • Mod Security--free open-source defense tool • Latest version has some protections against Layer 7 DoS • Akamai has good defense solutions • Caching • DNS Redirection • Javascript second-request trick
  • 50. Counterattacks • Reflecting attacks back to the command & control server • Effective against dumb attackers like Anonymous' LOIC – Will lose effect if they ever learn about Layer 7 DoS, which is happening now
  • 52. References Anonymous Takes Down U.S. Chamber Of Commerce And Supporter Websites http://goo.gl/Mue9k Slowloris HTTP DoS http://ha.ckers.org/slowloris/ OWASP HTTP DoS Tool http://code.google.com/p/owasp-dos-http-post/ Mitigating Slow HTTP DoS Attacks http://blog.spiderlabs.com/2010/11/advanced-topic-of-the- week-mitigating-slow-http-dos-attacks.html ‘Tis the Season of DDoS – WikiLeaks Edition (Outage charts) http://goo.gl/V5jZc
  • 53. References ModSecurity http://goo.gl/56hbl Akamai DDoS Report http://baythreat.org/MichaelSmith_DDoS.pdf How Secure Is Julian Assange's "Thermonuclear" Insurance File? http://goo.gl/sY6Nn Overview of Anonymous and their attack on MasterCard: http://goo.gl/lVsCD Operation Payback Toolkit: LOIC and HiveMind http://pastehtml.com/view/1c8i33u.html
  • 54. References r-u-dead-yet http://code.google.com/p/r-u-dead-yet/ Keep-Alive DoS Script http://www.esrun.co.uk/blog/keep-alive-dos-script/ Router Advertisement DoS in Windows http://samsclass.info/ipv6/proj/flood-router6a.htm RA Guard Evasion http://samsclass.info/ipv6/proj/RA-evasion.html XerXes Attack Video http://goo.gl/j8NQE