• No results found

Universal DDoS Mitigation Bypass. DDoS Mitigation Lab

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Universal DDoS Mitigation Bypass. DDoS Mitigation Lab"

Copied!
44
0
0

Loading.... (view fulltext now)

Download now ( 44 Page )

Full text

(1)

Universal DDoS Mitigation Bypass

(2)

About Us

DDoS Mitigation Lab

Independent academic R&D division of Nexusguard building next generation DDoS mitigation knowledge and collaborate with the defense community.

Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge.

(3)

• DDoS Attack Categories

• DDoS Detection and Mitigation Techniques

– How they work?

– How to bypass / take advantage?

• DDoS Mitigation Bypass

– How to use our PoC tool?

– PoC tool capability

• Next-Generation Mitigation

(4)

Financial Impact

Source: NTT Communications,

(5)

Volumetric Attacks

• Packet-Rate-Based

(6)

Semantic Attacks

API attacks Hash DoS

Apache Killer Teardrop

(old textbook example)

Slowloris / RUDY SYN Flood

(old textbook example)

Smurf

(7)
(8)

Attack Quadrant

Complexity Simple Sophisticated Vo lum e xxx Gbps+ xxx Mbps+

(9)

DDoS Mitigations

Traffic Policing Proactive Resource Release Black- / Whitelisting xxx Gbps+ xxx Mbps+ Complexity Simple Sophisticated Vo lum e

(10)

DDoS Mitigation:

Traffic Policing

(11)

DDoS Mitigation:

Proactive Resource Release

RST

1. Open lots of TCP connections

2. TCP connection pool starved 3. Detect idle / slow TCP connections

4. Close idle / slow TCP connections With RST

Example:

(12)

B Backend (dropped)

DDoS Mitigation:

Black- / Whitelisting

Black List White List 1.2.3.4 5.6.7.8 5.6.7.8 3.4.5.6 6.7.8.9 = free pass

(for awhile / for x amount of volume)

Src: 1.2.3.4

(13)

DDoS Mitigation:

Source Isolation

Source: http://www.cs.duke.edu/nds/ddos/ AS AS AS

(14)

DDoS Solution: Secure CDN

Backend End User 3: return 1: request 2: redirect to nearest server 4: bypass distribution, attack backend!

(15)

DDoS Detection

Rate Measurement (SNMP) Baselining (Netflow) Protocol Sanity (PCAP) Application (SYSLOG) Protocol Behavior (PCAP) Big Data Analysis

Complexity Simple Sophisticated Vo lum e xxx Gbps+ xxx Mbps+

(16)

Rate- / Flow-Based Countermeasures

Detection

(17)

Protocol-Based Countermeasures

Detection

(18)

Blanket Countermeasures

Traffic Statistics and Behavior Big Data Analysis

Detection

Mitigation

(19)

Source Host Verification

• TCP SYN Auth • HTTP Redirect Auth • HTTP Cookie Auth • JavaScript Auth • CAPTCHA Auth

(20)
(21)

• True TCP/IP behavior (RST, resend, etc.)

• Believable HTTP headers (User-Agent strings, etc.)

• Embedded JavaScript engine

• CAPTCHA solving capability

• Randomized payload

• Tunable post-authentication traffic model

(22)
(23)

TCP SYN Auth

(TCP Reset) SYN ACK SYN ACK RST SYN SYN ACK ACK

(24)

TCP SYN Auth

(TCP Out-of-Sequence) RST SYN SYN SYN ACK ACK

SYN ACK

(25)

HTTP Redirect Auth

GET /index.html HTTP 302 redir to /foo/index.html GET /foo/index.html HTTP 302 redir to /index.html GET /index.html

(26)

HTTP Cookie Auth

GET /index.html HTTP 302 redir to /index.html HTTP 302 redir to /index.html GET /index.html GET /index.html

(27)

HTTP Cookie Auth (Header Token)

GET /index.html HTTP 302 redir to /index.html [X-Header: foo=bar] GET /index.html [X-Header: foo=bar] GET /index.html [X-Header: foo=bar] HTTP 302 redir to /index.html [X-Header: foo=bar]

GET /index.html [X-Header: foo=bar]

(28)

JavaScript Auth

GET /index.html HTTP 302 redir to /index.html GET /index.html POST /auth.php ans=16 JS 7+nine=?

(29)

CAPTCHA Auth

GET /index.html HTTP 302 redir to /index.html GET /index.html POST /auth.php

(30)
(31)
(32)

TCP Traffic Model

Num be r of C onne cti on s

Connection Hold Time

Before 1st Request Connection Idle TimeoutAfter Last Request

Connections

Interval ConnectionsInterval

TCP Connection

TCP Connection

(33)
(34)

HTTP Traffic Model

Num be r of R eque sts per C onne cti on Requests

Interval RequestsInterval RequestsInterval

TCP Connection

HTTP Connection

HTTP Connection

HTTP Connection

(35)

• 3 tries per authentication attempt (in practice more likely to success)

• True TCP/IP behavior thru use of OS TCP/IP stack

• Auth cookies persist during subsequent dialogues

• JavaScript execution using embedded JS engine (lack

of complete DOM an obstacle to full emulation)

(36)

1. Converted to black-and-white for max contrast 2. 3x3 median filter applied for denoising

3. Word segmentation 4. Boundary recognition

5. Pixel difference computed against character map

(37)
(38)

Testing Environment

Against Devices Against Services

Measure Attack Traffic Measure Attack Traffic

(39)

Mitigation Bypass

(Protection Products)

Auth Bypass Post-Auth

Testing results under specific conditions, valid as of Jul 13, 2013

Proactive

(40)

Mitigation Bypass

(Protection Services)

Auth Bypass Post-Auth

Testing results under specific conditions, valid as of Jul 13, 2013

Proactive

(41)

• Client Puzzle – add cost to individual zombies.

(42)

• DDoS is expensive to business

• Existing DDoS protection insufficient

• Next-Generation solution should make attack

expensive

(43)

[email protected] [email protected] [email protected]

Thank You!

(44)

References

Download now ( PDF - 44 Page - 4.24 MB )

Related documents

Civil Bill Assessment Manual

"where, after detailed assessment or assessment, payments made under this regulation (100) are found to exceed the final costs of the case, the solicitor or counsel (if

Horse Property For Sale In Texas Panhandle

South of hall, horse property sale texas panhandle, including property is truly a few minutes to create the perfect for horses or retreat and with excellent recreational farm.. That

EST.491. Cost Estimation Challenges and Uncertainties Confronting Oil and Gas Companies

The estimate of this last category is carried out by a cost estimator as a project reserve cost, not as a contingency, this estimate is added to cover uncertainties

Defined Benefit Pension Annuity and Defined Contribution Pension Annuity

the rise of interest rate increases the expected rate of return on DC pension annuities, the expected rate of growth on DC pension annuity, the minimum coverage and the claim

15 Years of Pension Reform in Germany: Old Successes and New Threats

We point to new threats to sustainable public pension finances developing in the wake of the financial crisis: First, pressure to disconnect the annual adjustment of pensions

Reducing edible food waste in the UK food manufacturing supply chain through collaboration

The aim of this study is to examine the relationship between food manufacturing supply chain (FMSC) collaboration, collaborative effectiveness and edible food waste (EF)

Bee Keeping a Novices Guide Unlocked

You need to give the nucleus some food stores, so select a couple of frames of brood which have some capped stores and place in the nucleus as the first and fifth frame..

Antidote Use in the Critically Ill Poisoned Patient

The more commonly used antidotes that may be encountered in the intensive care unit (N-acetylcysteine, ethanol, fomepizole, physostigmine, naloxone, flumazenil, sodium