Abstract image of a woman sitting on books and studying on a laptop

TADSummit 2022 - How to bring your own RTC platform down

Sandro Gauci, profile picture
Sandro Gauci

The document discusses performing DDoS simulations specifically for RTC services to evaluate their resilience against such attacks. It emphasizes the importance of testing existing security solutions to understand their effectiveness and highlights various strategies for launching attacks and monitoring system responses. The document also covers best practices for executing these tests, collaboration with engineers, and the necessity of documenting findings for future improvements.

Technology
1 of 62
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
Most read
22
Most read
23
Most read
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
TADSummit 2022 - How to bring your own RTC platform down Running DDoS simulations on your own Sandro Gauci 2022-11-08
Introduction
What is this about? provide a quick walk-through of performing DDoS attacks speci c to RTC services not complete but should help you get started Distributed Denial of Service: distributed attacks that block legitimate usage of your service
What makes me quali ed to talk about this? author of SIPVicious OSS - security testing toolset for SIP in Infosec / Cyber security since > 20 years last 14 years doing offensive security and leading Enable Security
What we do we focus on RTC security testing various cyber-security services we do DDoS simulation for our clients
Why would you do such a thing?
Pinky and the Brain, pondering why
obviously, to have some dangerous fun!
Serious answers only to nd out how your critical services are going to react to a DDoS attack What if we got attacked? the purpose is to create a system that can reasonably withstand most DDoS attacks
What if we have some form of protection mechanism? most organisations operating in RTC have security solutions or use technology that is known to be robust often a hybrid approach, some things are better protected than others
security protection is often implemented but rarely properly tested until you test, you should not make any assumptions because …
what often happens is that service providers nd out that they don’t work during an actual attack this is not ideal!
What if we’re trying to evaluate an anti-DDoS solution? how well does it work? comparing two or more solutions which one works better given your situation?
Our experience almost all DoS protection mechanisms fail at some point maybe network tra c bursts are not handled well maybe slow attacks lead to bypass but still trigger DoS maybe the security solution looks for particular patterns which can be bypassed
every organisation has limitations bandwidth system resources application bugs / e ciency the point is to understand if your current protection-level is su cient against real life attacks
Part of Threat modelling what are your most critical services? how are they exposed to DDoS attacks? what do we need to do to protect against these attacks?
once you have understood Why, you should move on to What and How
Preparing for destruction!
Decide on what your want to attack and how bandwidth saturation generic protocol attacks speci c app attacks
Bandwidth or generic protocol attacks often require generic or simple tools e.g. targeting APIs or SIP servers ( ooding with GET or REGISTER messages)
Attacking speci c application functionality needs some homework Initial tests to determine which parts should be attacked Look for: errors, especially if generated during fuzzing slow responses increase in memory consumption (even a slight increase) potential exhaustion of resources
Attack tools for bandwidth saturation and generic protocol attacks, standard or simple tools are enough attack tools need to be more e cient than the target application normally, they generate tra c - replaying messages
func flood() { payload := "OPTIONS sip:demo.sipvicious.pro SIP/2.0rn" + "Content-Length: 0rnrn" b := make([]byte, 1024) for { c, err := net.Dial("udp", "demo.sipvicious.pro:5060") if err != nil { log.Fatal(err) } go func() { // Read loop for { c.Read(b) } }() go func() { // Write loop for { c.Write([]byte(payload)) } }() } } func main() { flood() }
func flood() { payload := "OPTIONS sip:demo.sipvicious.pro SIP/2.0rn" + "Content-Length: 0rnrn" b := make([]byte, 1024) for { c, err := net.Dial("udp", "demo.sipvicious.pro:5060") if err != nil { log.Fatal(err) } go func() { // Read loop for { c.Read(b) } }() go func() { // Write loop for { c.Write([]byte(payload)) } }() } } func main() { for i:=0;i<100;i++ { go flood() } select{} }
Useful features for such tools rate limiting concurrency (e.g. connection count)
You need control tools distribute the attack tools (e.g. use Terraform) ability to start the attack and stop the attack
#!/bin/bash IPS=$(linode-cli linodes list --format ipv4 --json | jq -r '[.[][][]] | join(" ")') for ip in $IPS; do ssh root@${ip} sipvicious sip dos flood udp://demo.sipvicious.pro:5060 & done
#!/bin/bash IPS=$(linode-cli linodes list --format ipv4 --json | jq -r '[.[][][]] | join(" ")') for ip in $IPS; do ssh root@${ip} killall sipvicious & done
The killswitch emphasis on stopping the attack if attacker machine is no longer reachable but still attacking may lead to a real security incident!
#!/bin/bash IDS=$(linode-cli linodes list --format id --json | jq -r '[.[][]] | join(" ")') for id in $IDS; do linode-cli linodes shutdown ${id} done
You need attack nodes these are systems from where to launch your distributed attacks
Options VPS: easy to get started and distributing attacks at low price VMs: very useful for internal tests in lab environment Bare metal servers: great for attacks that consume bandwidth/require decent resources but more expensive
Caution when using third- parties you will want to make sure that the activity is allowed that you are not affecting other customers especially watch out for bandwidth saturation
Monitor your bandwidth usage even if not testing for bandwidth saturation might give a false positives (incorrect results) see our blog post: Why volumetric DDoS cripples VoIP providers and what we see during pentesting
Monitor your bandwidth usage at the target at the attack nodes
Monitor your application and system resources having the ability to switch pro ling on is very useful ability to debug
Don’t forget the people! the engineers who need to be involved/monitor systems: they need to be booked testing on live systems usually means doing tests during off-peak hours
Finally the test environment: you need a place to test make sure it is as close to production as possible sometimes, it is production
One more thing
i love it when a plan comes together
gure out what tests to do start with the simpler tests rst you will encounter problems that should be solved before moving to more complex tests
Fun time!
a beverage
Start monitoring bandwidth application system resources dependencies (e.g. databases)
External monitoring use a pinger simulates legitimate tra c periodically (e.g. every 1s) will indicate major problems but will miss more subtle issues
Demo time we show our Attack Platform that we use to do such tests Target server - a Kamailio/Asterisk server Have 3 parts in this demo Target server Monitoring system sending SIP ping Attack platform client (controlling the attacker nodes)
0:00 / 0:53
Next when things break, you should get noti ed through monitoring stop and assess: real work starts here some of it might be done during the exercise, some later understanding root cause
Best practices 1. Automate as much as possible (capturing of monitoring results, bandwidth stats) 2. Have a real-time communication channel with the engineers (e.g. Google Meet) 3. Work with the engineers not against them - collaborate don’t compete 4. Test your tests ahead of time! don’t do your own QA during the test 5. Document every step done and the results (can be semi- automated); otherwise you might forget what actually happened . Set a xed scope + timeframe; know your limits (we stick to 2hrs, very tiring)
What happens after the fact
accept the risk?
really, it depends on your ndings generally: root cause analysis might have started already during the actual exercise might need further exploration, dedicated time and effort
Once the root cause for each nding is determined solutions or mitigation techniques need to be discussed jumping to solutions without proper assessment undermines the whole effort solutions need to be: practical and make economic sense not introduce new problems that prevent legitimate usage actually address the problems that were identi ed implemented
Examples of solutions outdated logging library caused locks - updating that library (but dependency hell) changes in application con guration rate limiting solutions application code changes (result of pro ling and debugging)
Caveat real solutions rarely consist of buying more resources
Finally - documentation & retest update your documentation to include details about the solutions test the solution again does it work? where does it fail? feedback loop
Moving forward towards a more robust RTC
by doing your own DDoS simulations, you learn about your system no longer should have to guess if you will handle a real attack as an RTC provider, you have a duty to keep your RTC <real(-time)=
One more thing Security is often a cat and mouse game No security solution is perfect, incidence response is critical How will we handle the next time we get DDoSed?
This is the end
Thanks! Alan Quayle My colleague, Alfred Farrugia for the demos Our clients for allowing us to cause trouble on their applications and networks
Get in touch & References Email: Enable Security: sandro@enablesecurity.com https://www.enablesecurity.com Communication Breakdown blog @ rtcsec.com Subscribe to the RTCSec Newsletter

More Related Content

PDF
The worst of enemies – let’s talk about DDoS and RTC, Sandro Gauci
Alan Quayle
 
PDF
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
CODE BLUE
 
PDF
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Barry Greene
 
PDF
Are you ready for the next attack? Reviewing the SP Security Checklist
APNIC
 
PDF
RIoT (Raiding Internet of Things) by Jacob Holcomb
Priyanka Aash
 
PPTX
How To Start Your InfoSec Career
Andrew McNicol
 
PPTX
Attack Prevention Solution for RADWARE
Deivid Toledo
 
PDF
Sscp Systems Security Certified Practitioner Allinone Exam Guide Third Editio...
qhjmirl9960
 
The worst of enemies – let’s talk about DDoS and RTC, Sandro Gauci
Alan Quayle
 
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
CODE BLUE
 
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Barry Greene
 
Are you ready for the next attack? Reviewing the SP Security Checklist
APNIC
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
Priyanka Aash
 
How To Start Your InfoSec Career
Andrew McNicol
 
Attack Prevention Solution for RADWARE
Deivid Toledo
 
Sscp Systems Security Certified Practitioner Allinone Exam Guide Third Editio...
qhjmirl9960
 

Similar to TADSummit 2022 - How to bring your own RTC platform down (20)

PPTX
DoS Attack - Incident Handling
Marcelo Silva
 
PPTX
Software Security and IDS.pptx
Muhib Ahmad Sherwani
 
PDF
Aujas incident management webinar deck 08162016
Karl Kispert
 
PPT
Denial of services : limiting the threat
SensePost
 
PDF
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
Codemotion
 
PDF
Are you ready for the next attack? Reviewing the SP Security Checklist
MyNOG
 
PPTX
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Dharmalingam Ganesan
 
PPTX
Dncybersecurity
Anne Starr
 
PDF
Network Security - Luxury or Must Have?
Allot Communications
 
PDF
Securing the Future Safeguarding 5G Networks with Advanced Security Solutions...
SecurityGen1
 
PDF
Protecting Your Text Messages: SecurityGen's SMS Fraud Detection Solutions
SecurityGen1
 
PDF
Elevate Safety with Security Gen: Unraveling the Power of Signaling Security
SecurityGen1
 
PDF
SecurityGen's Pioneering Approach to 5G Security Services
SecurityGen1
 
PDF
Cisco Connect 2018 Thailand - Telco service provider network analytics
NetworkCollaborators
 
PDF
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
NetworkCollaborators
 
PPTX
FUEL_USERS_GROUP
Will Pearce
 
PDF
Security Operation Center : Le Centre des Opérations de Sécurité est une div...
Khaledboufnina
 
PPT
Cloud Computing & Security
Awais Mansoor Chohan
 
PPTX
BKNIX Peering Forum 2017 : DDoS Attack Trend and Defense Strategy
Nexusguard
 
PDF
Security Checkpoints in Agile SDLC
Rahul Raghavan
 
DoS Attack - Incident Handling
Marcelo Silva
 
Software Security and IDS.pptx
Muhib Ahmad Sherwani
 
Aujas incident management webinar deck 08162016
Karl Kispert
 
Denial of services : limiting the threat
SensePost
 
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
Codemotion
 
Are you ready for the next attack? Reviewing the SP Security Checklist
MyNOG
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Dharmalingam Ganesan
 
Dncybersecurity
Anne Starr
 
Network Security - Luxury or Must Have?
Allot Communications
 
Securing the Future Safeguarding 5G Networks with Advanced Security Solutions...
SecurityGen1
 
Protecting Your Text Messages: SecurityGen's SMS Fraud Detection Solutions
SecurityGen1
 
Elevate Safety with Security Gen: Unraveling the Power of Signaling Security
SecurityGen1
 
SecurityGen's Pioneering Approach to 5G Security Services
SecurityGen1
 
Cisco Connect 2018 Thailand - Telco service provider network analytics
NetworkCollaborators
 
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
NetworkCollaborators
 
FUEL_USERS_GROUP
Will Pearce
 
Security Operation Center : Le Centre des Opérations de Sécurité est une div...
Khaledboufnina
 
Cloud Computing & Security
Awais Mansoor Chohan
 
BKNIX Peering Forum 2017 : DDoS Attack Trend and Defense Strategy
Nexusguard
 
Security Checkpoints in Agile SDLC
Rahul Raghavan
 

More from Sandro Gauci (9)

PDF
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
Sandro Gauci
 
PDF
The OpenSIPS security audit - OpenSIPS Summit - Sandro Gauci
Sandro Gauci
 
PDF
Tools for offensive RTC Security: introducing SIPVicious PRO and the demo server
Sandro Gauci
 
PDF
Bounty bout 0x01 - WebRTC edition
Sandro Gauci
 
PDF
The various ways your RTC may be crushed
Sandro Gauci
 
PDF
A tale of two RTC fuzzing approaches
Sandro Gauci
 
PDF
Web Application Firewalls Detection, Bypassing And Exploitation
Sandro Gauci
 
PDF
Scanning The Intertubes For Voip
Sandro Gauci
 
PDF
Troopers09: The Truth about Web Application Firewalls: What the vendors do NO...
Sandro Gauci
 
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
Sandro Gauci
 
The OpenSIPS security audit - OpenSIPS Summit - Sandro Gauci
Sandro Gauci
 
Tools for offensive RTC Security: introducing SIPVicious PRO and the demo server
Sandro Gauci
 
Bounty bout 0x01 - WebRTC edition
Sandro Gauci
 
The various ways your RTC may be crushed
Sandro Gauci
 
A tale of two RTC fuzzing approaches
Sandro Gauci
 
Web Application Firewalls Detection, Bypassing And Exploitation
Sandro Gauci
 
Scanning The Intertubes For Voip
Sandro Gauci
 
Troopers09: The Truth about Web Application Firewalls: What the vendors do NO...
Sandro Gauci
 

Recently uploaded (20)

PPTX
The various Industrial Revolutions .pptx
bandileshozi3
 
PDF
sbt 2.0: go big (Scala Days 2025 edition)
Eugene Yokota
 
PDF
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Mindy Bohannon
 
PPTX
Custom Battery Pack Design Considerations for Performance and Safety
Epec Engineered Technologies
 
PDF
UiPath Agentic Automation session 1: RPA to Agents
suhanisingh58689
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
DOCX
search engine optimization ppt fir known well about this
StandardCodeLearning
 
PPTX
2018-HIPAA-Renewal-Training for executives
Mayank Mathur
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
A review of recent deep learning applications in wood surface defect identifi...
IAESIJAI
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PDF
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
PDF
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
PDF
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
PDF
Consumable AI The What, Why & How for Small Teams.pdf
Vivek Sai
 
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PDF
Flame analysis and combustion estimation using large language and vision assi...
IAESIJAI
 
PPT
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
PPTX
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
The various Industrial Revolutions .pptx
bandileshozi3
 
sbt 2.0: go big (Scala Days 2025 edition)
Eugene Yokota
 
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Mindy Bohannon
 
Custom Battery Pack Design Considerations for Performance and Safety
Epec Engineered Technologies
 
UiPath Agentic Automation session 1: RPA to Agents
suhanisingh58689
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
search engine optimization ppt fir known well about this
StandardCodeLearning
 
2018-HIPAA-Renewal-Training for executives
Mayank Mathur
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
A review of recent deep learning applications in wood surface defect identifi...
IAESIJAI
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
Consumable AI The What, Why & How for Small Teams.pdf
Vivek Sai
 
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
Flame analysis and combustion estimation using large language and vision assi...
IAESIJAI
 
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 

TADSummit 2022 - How to bring your own RTC platform down

  • 1. TADSummit 2022 - How to bring your own RTC platform down Running DDoS simulations on your own Sandro Gauci 2022-11-08
  • 3. What is this about? provide a quick walk-through of performing DDoS attacks speci c to RTC services not complete but should help you get started Distributed Denial of Service: distributed attacks that block legitimate usage of your service
  • 4. What makes me quali ed to talk about this? author of SIPVicious OSS - security testing toolset for SIP in Infosec / Cyber security since > 20 years last 14 years doing offensive security and leading Enable Security
  • 5. What we do we focus on RTC security testing various cyber-security services we do DDoS simulation for our clients
  • 6. Why would you do such a thing?
  • 7. Pinky and the Brain, pondering why
  • 8. obviously, to have some dangerous fun!
  • 9. Serious answers only to nd out how your critical services are going to react to a DDoS attack What if we got attacked? the purpose is to create a system that can reasonably withstand most DDoS attacks
  • 10. What if we have some form of protection mechanism? most organisations operating in RTC have security solutions or use technology that is known to be robust often a hybrid approach, some things are better protected than others
  • 11. security protection is often implemented but rarely properly tested until you test, you should not make any assumptions because …
  • 12. what often happens is that service providers nd out that they don’t work during an actual attack this is not ideal!
  • 13. What if we’re trying to evaluate an anti-DDoS solution? how well does it work? comparing two or more solutions which one works better given your situation?
  • 14. Our experience almost all DoS protection mechanisms fail at some point maybe network tra c bursts are not handled well maybe slow attacks lead to bypass but still trigger DoS maybe the security solution looks for particular patterns which can be bypassed
  • 15. every organisation has limitations bandwidth system resources application bugs / e ciency the point is to understand if your current protection-level is su cient against real life attacks
  • 16. Part of Threat modelling what are your most critical services? how are they exposed to DDoS attacks? what do we need to do to protect against these attacks?
  • 17. once you have understood Why, you should move on to What and How
  • 19. Decide on what your want to attack and how bandwidth saturation generic protocol attacks speci c app attacks
  • 20. Bandwidth or generic protocol attacks often require generic or simple tools e.g. targeting APIs or SIP servers ( ooding with GET or REGISTER messages)
  • 21. Attacking speci c application functionality needs some homework Initial tests to determine which parts should be attacked Look for: errors, especially if generated during fuzzing slow responses increase in memory consumption (even a slight increase) potential exhaustion of resources
  • 22. Attack tools for bandwidth saturation and generic protocol attacks, standard or simple tools are enough attack tools need to be more e cient than the target application normally, they generate tra c - replaying messages
  • 23. func flood() { payload := "OPTIONS sip:demo.sipvicious.pro SIP/2.0rn" + "Content-Length: 0rnrn" b := make([]byte, 1024) for { c, err := net.Dial("udp", "demo.sipvicious.pro:5060") if err != nil { log.Fatal(err) } go func() { // Read loop for { c.Read(b) } }() go func() { // Write loop for { c.Write([]byte(payload)) } }() } } func main() { flood() }
  • 24. func flood() { payload := "OPTIONS sip:demo.sipvicious.pro SIP/2.0rn" + "Content-Length: 0rnrn" b := make([]byte, 1024) for { c, err := net.Dial("udp", "demo.sipvicious.pro:5060") if err != nil { log.Fatal(err) } go func() { // Read loop for { c.Read(b) } }() go func() { // Write loop for { c.Write([]byte(payload)) } }() } } func main() { for i:=0;i<100;i++ { go flood() } select{} }
  • 25. Useful features for such tools rate limiting concurrency (e.g. connection count)
  • 26. You need control tools distribute the attack tools (e.g. use Terraform) ability to start the attack and stop the attack
  • 27. #!/bin/bash IPS=$(linode-cli linodes list --format ipv4 --json | jq -r '[.[][][]] | join(" ")') for ip in $IPS; do ssh root@${ip} sipvicious sip dos flood udp://demo.sipvicious.pro:5060 & done
  • 28. #!/bin/bash IPS=$(linode-cli linodes list --format ipv4 --json | jq -r '[.[][][]] | join(" ")') for ip in $IPS; do ssh root@${ip} killall sipvicious & done
  • 29. The killswitch emphasis on stopping the attack if attacker machine is no longer reachable but still attacking may lead to a real security incident!
  • 30. #!/bin/bash IDS=$(linode-cli linodes list --format id --json | jq -r '[.[][]] | join(" ")') for id in $IDS; do linode-cli linodes shutdown ${id} done
  • 31. You need attack nodes these are systems from where to launch your distributed attacks
  • 32. Options VPS: easy to get started and distributing attacks at low price VMs: very useful for internal tests in lab environment Bare metal servers: great for attacks that consume bandwidth/require decent resources but more expensive
  • 33. Caution when using third- parties you will want to make sure that the activity is allowed that you are not affecting other customers especially watch out for bandwidth saturation
  • 34. Monitor your bandwidth usage even if not testing for bandwidth saturation might give a false positives (incorrect results) see our blog post: Why volumetric DDoS cripples VoIP providers and what we see during pentesting
  • 35. Monitor your bandwidth usage at the target at the attack nodes
  • 36. Monitor your application and system resources having the ability to switch pro ling on is very useful ability to debug
  • 37. Don’t forget the people! the engineers who need to be involved/monitor systems: they need to be booked testing on live systems usually means doing tests during off-peak hours
  • 38. Finally the test environment: you need a place to test make sure it is as close to production as possible sometimes, it is production
  • 40. i love it when a plan comes together
  • 41. gure out what tests to do start with the simpler tests rst you will encounter problems that should be solved before moving to more complex tests
  • 45. External monitoring use a pinger simulates legitimate tra c periodically (e.g. every 1s) will indicate major problems but will miss more subtle issues
  • 46. Demo time we show our Attack Platform that we use to do such tests Target server - a Kamailio/Asterisk server Have 3 parts in this demo Target server Monitoring system sending SIP ping Attack platform client (controlling the attacker nodes)
  • 48. Next when things break, you should get noti ed through monitoring stop and assess: real work starts here some of it might be done during the exercise, some later understanding root cause
  • 49. Best practices 1. Automate as much as possible (capturing of monitoring results, bandwidth stats) 2. Have a real-time communication channel with the engineers (e.g. Google Meet) 3. Work with the engineers not against them - collaborate don’t compete 4. Test your tests ahead of time! don’t do your own QA during the test 5. Document every step done and the results (can be semi- automated); otherwise you might forget what actually happened . Set a xed scope + timeframe; know your limits (we stick to 2hrs, very tiring)
  • 50. What happens after the fact
  • 52. really, it depends on your ndings generally: root cause analysis might have started already during the actual exercise might need further exploration, dedicated time and effort
  • 53. Once the root cause for each nding is determined solutions or mitigation techniques need to be discussed jumping to solutions without proper assessment undermines the whole effort solutions need to be: practical and make economic sense not introduce new problems that prevent legitimate usage actually address the problems that were identi ed implemented
  • 54. Examples of solutions outdated logging library caused locks - updating that library (but dependency hell) changes in application con guration rate limiting solutions application code changes (result of pro ling and debugging)
  • 55. Caveat real solutions rarely consist of buying more resources
  • 56. Finally - documentation & retest update your documentation to include details about the solutions test the solution again does it work? where does it fail? feedback loop
  • 57. Moving forward towards a more robust RTC
  • 58. by doing your own DDoS simulations, you learn about your system no longer should have to guess if you will handle a real attack as an RTC provider, you have a duty to keep your RTC <real(-time)=
  • 59. One more thing Security is often a cat and mouse game No security solution is perfect, incidence response is critical How will we handle the next time we get DDoSed?
  • 60. This is the end
  • 61. Thanks! Alan Quayle My colleague, Alfred Farrugia for the demos Our clients for allowing us to cause trouble on their applications and networks
  • 62. Get in touch & References Email: Enable Security: sandro@enablesecurity.com https://www.enablesecurity.com Communication Breakdown blog @ rtcsec.com Subscribe to the RTCSec Newsletter