Cyber Security Current Trends & Emerging Threats in DDOS · DDoS attacks; typically requires an...

December 11, 2014. Cyber Security: Current Trends & Emerging Threats in DDoS

Transcript of Cyber Security: Current Trends & Emerging Threats in DDoS (57 slides)

Page 1:

December 11, 2014

Cyber Security: Current Trends & Emerging Threats in DDoS

Page 2:

DDoS attacks

Page 3:

What is a DoS Attack?

An attack designed to take a resource, application or service and deny access to legitimate users.

TERMINOLOGY
• DoS – Denial-of-Service
• DDoS – Distributed Denial-of-Service
• LDoS – Low-Rate Denial-of-Service
• PDoS – Permanent Denial-of-Service
• PPS – Packets Per Second

Page 4:

DoS – Denial of Service

• A denial-of-service attack (DoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.

Page 5:

DDoS – Distributed denial of service

• DDoS occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. This is the result of multiple compromised systems (for example a botnet) flooding the targeted system(s) with traffic. When a server is overloaded with connections, new connections can no longer be accepted.

Page 6:

Page 7:

LDoS – Low-Rate Denial of Service

• An LDoS attack exploits the slow-time-scale dynamics of TCP's retransmission time-out (RTO) mechanism to reduce TCP throughput. The attacker causes a TCP flow to repeatedly enter the RTO state by sending high-rate but short-duration bursts, repeated periodically at the (slower) RTO time-scale. Throughput at the attacked node is significantly reduced while the attacker's average rate stays low, which makes the attack difficult to detect.
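The RTO dynamics described above (the "shrew" attack) are easiest to see in a small model. The following is an added example written for this transcript, not code from the slides: it assumes a sender with a 1 s minimum RTO (the RFC 6298 recommendation), exponential backoff to 64 s, a 100 ms RTT, and an attacker whose burst always causes loss; all of these parameters are assumptions, and times are kept in integer milliseconds so the arithmetic is exact.

```python
"""Time-stepped model of a low-rate (shrew) DoS attack on TCP's RTO.

Constructed illustration, not code from the slide deck.  Assumptions: the
sender's minimum RTO is 1 s (RFC 6298 recommends 1 s), RTO doubles on each
consecutive loss up to 64 s, and a segment sent during an attacker burst is
always lost.  Times are integer milliseconds so the arithmetic is exact.
"""

MIN_RTO_MS = 1_000
MAX_RTO_MS = 64_000
RTT_MS = 100           # one sender round trip on an uncongested path


def in_burst(t_ms, period_ms, burst_ms):
    """True when t_ms falls inside an attacker burst of burst_ms every period_ms."""
    return (t_ms % period_ms) < burst_ms


def simulate(period_ms, burst_ms, start_ms=0, duration_ms=60_000):
    """Return (sender goodput fraction, attacker average link-rate fraction).

    The sender transmits one segment per RTT while it is not in timeout.  A
    segment that lands in a burst is lost, so the sender waits RTO ms and
    doubles RTO; a delivered segment resets RTO to the minimum.
    """
    t, rto, delivered = start_ms, MIN_RTO_MS, 0
    end = start_ms + duration_ms
    while t < end:
        if in_burst(t, period_ms, burst_ms):
            t += rto                      # retransmission timeout
            rto = min(rto * 2, MAX_RTO_MS)
        else:
            delivered += 1
            rto = MIN_RTO_MS
            t += RTT_MS
    return delivered / (duration_ms / RTT_MS), burst_ms / period_ms


if __name__ == "__main__":
    for period, burst in ((1_000, 150), (700, 150), (1_000, 0)):
        goodput, rate = simulate(period, burst)
        print(f"burst {burst} ms every {period} ms: attacker uses {rate:.0%} "
              f"of the link, victim goodput {goodput:.1%}")
```

With a 150 ms burst every 1000 ms the attacker occupies 15% of the link on average, yet every retransmission (at 1, 2, 4, 8 ... seconds after the first loss) lands in a burst and the victim's goodput collapses to zero; the same burst every 700 ms is far less effective because the retransmissions fall between bursts. That synchronisation with the minimum RTO is what a flow-based volumetric detector does not see.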

Page 8:

PDoS – Permanent Denial of Service

• A PDoS is an attack that damages a system so badly that it requires replacement or reinstallation of hardware.
• A PDoS attack exploits security flaws which allow remote administration on the management interfaces of the victim's hardware, such as routers, printers, or other networking hardware.
• The attacker uses these vulnerabilities to replace a device's firmware with a modified, corrupt, or defective firmware image; rewriting firmware this way is known as flashing (the attack itself is often called phlashing).
• The PDoS is a purely hardware-targeted attack which can be much faster and requires fewer resources than using a botnet in a DDoS attack.

Page 9:

Example of attack

[Figure: attack traffic on a scale of 1, 10, 100, 1000, 10000 (x) plotted against web server CPU/MEM on a scale of 1, 50, 100.]

Page 10:

Application Targeted DDoS – L7

• Target well-known, required services
» Email/SMTP, DNS, Web/HTTP, SQL, SSH
• Require sophisticated tools able to update and adapt
» These exist today
• Deliberately avoid high bandwidth usage: keep it low (...and slow)
• Application-based DDoS is on the increase, accounting for a quarter of all attacks
• Continuously evolving to evade detection of the attack and protect the identity of the attacker

Page 11:

Type of Attack

Volumetric Attack: Designed to consume available Internet bandwidth or overload server resources. Typical examples: SYN Flood, UDP Flood, ICMP Flood, SMURF attacks.

Application Layer Attacks: More sophisticated, and attractive to the attacker since they require less resource to carry out (botnet costs). Target vulnerabilities in applications to evade flood detection strategies.

Cloud Infrastructure Attacks: Cloud solutions can turn the Internet into the corporate WAN. Modern attackers target the full range of cloud infrastructure (firewall, mail & web servers). Mitigation can be complex, and any attack can impact multiple customers.

Page 12:

DDoS Attack Trends: Centralized Execution, Decentralized Chaos

Spoofed Attacks
• Fewer machines
• Limited power

Non-Spoofed Bot Clients
• More machines
• Higher power

Bot Servers
• More power
• More bandwidth
• Socially engineered
• More with less

Page 13:

Who's likely to be interested in DDoS protection?

• Companies that are or have been targeted by Denial of Service attacks
• Hosting or Cloud provider services
• Ecommerce
• Online Gaming & Gambling
• Medium and larger enterprises with an internet presence
• Any company that has recently been or is actively being attacked

Page 14:

Some Traditional Attacks

• SYN Flood
» Targets connection table resources: each SYN leaves a half-open entry waiting for the final ACK
» Layer 4 (TCP) attack
» Target flooded with TCP SYN packets, usually from spoofed sources so the SYN-ACKs are never answered

Page 15:

Some Traditional Attacks

• UDP Flood
» Targets CPU and network bandwidth
» Layer 4 (UDP) attack
» Floods the server with UDP datagrams to random ports; for every closed port the host answers with an ICMP Port Unreachable, which adds to the load

Page 16:

Some Traditional Attacks

• ICMP Flood (SMURF, Ping Flood)
» SMURF
• ICMP echo requests sent to a network's broadcast address with the source forged to the victim's IP
• Layer 3 attack
• Every host on that network replies to the victim, turning the network into an amplifier and consuming the victim's bandwidth and resources

Page 17:

Some Traditional Attacks

» Ping Flood
• Echo requests sent without waiting for a reply
• Layer 3 attack
• Consumes bandwidth
• One common method of combating a ping flood is to block ICMP traffic; rate-limiting echo requests is preferable, because dropping all ICMP also breaks Path MTU Discovery and ordinary diagnostics

Page 18:

The Slowloris Attack

• Targets HTTP from a single client machine
» Not new, dates from 2009
• Opens a connection to a web server
» Not all servers are vulnerable: thread-per-connection servers such as Apache httpd are; event-driven servers such as nginx are not
• Sends legitimate, but partial, never-ending requests
» Sends 'something' (another header line) before the server's idle timeout fires
• Sockets held open
» No more sockets... no more service

Request methods used: GET, HEAD or POST; the trickled header lines are junk such as X-a: b.
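The reason a vulnerable server loses is that each junk header line resets its idle timer. The following is an added example written for this transcript, not code from the slides or from any server project: a guard that bounds the total time and bytes a connection may spend in the header phase, replayed against one normal client and one Slowloris client. The timeout and size values, the connection ids and the request bytes are all constructed for the example.

```python
"""Header-phase guard against Slowloris-style partial requests.

Constructed example, not from the slide deck.  A vulnerable server resets
its idle timer every time a header line arrives, so a client that trickles
one junk header per keep-alive holds the socket forever.  The guard below
instead bounds the total time and bytes a connection may spend before the
blank line that ends the headers.  Timeout and size values are assumptions.
"""

HEADER_TIMEOUT_S = 30.0      # total time allowed to finish the request headers
MAX_HEADER_BYTES = 8192      # accumulated header bytes allowed before dropping


def slowloris_chunks(n_keepalives):
    """Constructed sample of what a Slowloris client sends: a valid request
    line and headers, then an endless trickle of 'X-a: b' lines and never
    the terminating blank line."""
    head = b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/4.0\r\n"
    return [head] + [b"X-a: b\r\n"] * n_keepalives


class HeaderGuard:
    """Tracks each connection's header phase and decides when to drop it."""

    def __init__(self, timeout=HEADER_TIMEOUT_S, max_bytes=MAX_HEADER_BYTES):
        self.timeout, self.max_bytes = timeout, max_bytes
        self.conns = {}   # conn_id -> {"opened": t, "buf": bytes, "done": bool}

    def on_open(self, conn_id, now):
        self.conns[conn_id] = {"opened": now, "buf": b"", "done": False}

    def on_data(self, conn_id, now, data):
        """Feed received bytes; returns the decision for this connection."""
        c = self.conns[conn_id]
        if c["done"]:
            return "body"                     # headers already complete
        if now - c["opened"] > self.timeout:  # clock since open, not since last byte
            del self.conns[conn_id]
            return "drop:header-timeout"
        c["buf"] += data
        if len(c["buf"]) > self.max_bytes:
            del self.conns[conn_id]
            return "drop:header-too-large"
        if b"\r\n\r\n" in c["buf"]:
            c["done"] = True
            return "headers-complete"
        return "waiting"                      # partial headers, timer still running

    def sweep(self, now):
        """Drop every connection still in the header phase past the timeout;
        called periodically so silent connections do not escape on_data."""
        dropped = [cid for cid, c in self.conns.items()
                   if not c["done"] and now - c["opened"] > self.timeout]
        for cid in dropped:
            del self.conns[cid]
        return dropped


def run_scenario():
    """Replay one legitimate client and one Slowloris client against the guard."""
    guard = HeaderGuard()
    guard.on_open("legit", 0.0)
    guard.on_open("slow", 0.0)
    legit = guard.on_data("legit", 0.2, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    slow = [guard.on_data("slow", t, chunk)
            for t, chunk in zip((0.1, 10.0, 20.0, 29.0), slowloris_chunks(3))]
    dropped = guard.sweep(35.0)
    return legit, slow, dropped


if __name__ == "__main__":
    print(run_scenario())
```

The Slowloris connection stays in "waiting" for as long as it keeps sending header lines, and it is the periodic sweep (keyed on time since the connection opened) that finally reclaims the socket. Production servers have the same control built in: Apache httpd's mod_reqtimeout (RequestReadTimeout) and nginx's client_header_timeout bound the header phase the same way.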

Page 19:

DDoS in action!...

Page 20:

Myths about DDoS attacks

• It happens to others
• Software fixes can solve DDoS attack issues
• iptables can stop DDoS attacks
• The web host will take care of DDoS attacks
• The ISPs of the world co-operate
• ACLs on switches/routers can stop DDoS attacks
• The pipes will fill anyway, so what's the point
• Law enforcement is easy to approach in case of DDoS attacks

Page 21:

Law enforcement is easy to approach in case of DDoS attacks??

Page 22:

DoS Protection Options

Scrubbing Service from Internet or Cloud Service Providers
Model: Managed service, subscription model. Usually separate detection and mitigation.
Pros: Easy sign-up and deployment.
Cons: Expensive, inflexible, costs can rise during an attack.

Firewall / IPS
Model: Integrated device for FW/IPS and DDoS prevention.
Pros: Single device, simplified architecture, fewer units to manage.
Cons: Not designed to detect/block sophisticated DDoS attacks; typically requires an update license.

Dedicated Device
Model: Inline detection, mitigation and reporting. Auto-detection of a wide range of DDoS attacks.
Pros: Cost effective, no unpredictable or hidden charges. Multi-layer, accurate, fast, scalable and easy to deploy.
Cons: Additional network element.

Page 23:

The OSI Model
DDoS attacks
BotNets

Page 24:

What about botnets....

• In its most basic form, a botnet is a group of computers that have been infected with malware that allows its controller (or 'master') to take some measure of control over the infected machine.
• It is used by its master to perform a range of unsavory activities without the knowledge of the victim. Once infected with botnet malware, the computer becomes a mindless zombie, ready to do the bidding of its master.

Page 25:

Cybercriminals use botnets to generate revenue in many different ways:

• DDoS attacks: Sites that are event-specific, such as online sportsbooks, are particularly vulnerable to the threat of being knocked offline during a major event like the Super Bowl or World Cup.
• Spamming: Infected machines will act as email relays for the bot master and can send out staggering numbers of unsolicited emails per day.
• Financial Fraud: With the ability to install additional malware onto an infected machine, bot masters can siphon off valuable information.

Page 26:

More ways to generate revenue...

• Search Engine Optimization (SEO) poisoning: Bot masters boost search engine rankings artificially to drive searchers to websites that inject malware into a victim's machine, or send the victim to sites that sell counterfeit goods or fake prescription drugs.
• Pay-per-Click (PPC) fraud: A bot master will set up a legitimate-looking website and recruit legitimate advertisers. The website owner's botnet, working in the background, will visit the site and click on ads. The advertiser then pays the owner of the botnet for the botnet-generated activity, as the clicks are coming from thousands of different machines in geographically distinct locations.

Page 27:

Two more ways...

• Bitcoin mining (http://bitcoin.org/en/): Bitcoin is a virtual currency that can be traded anonymously online for products and services. Bitcoins are "mined" by installing a program on a user's PC that performs complex calculations; the user is then rewarded with bitcoins for their effort. By installing bitcoin software on a victim's PC, a bot master can harness the processing power of that computer to mine coins and sell them on the grey or black market for real currency.
• Corporate and Industrial Espionage: some botnets have been used in combination with targeted email attacks against both corporations and governments in the attempt to steal valuable intellectual property and state secrets.

Page 28:

It really happens!!...

Page 29:

How could I be infected with a botnet?

• Drive-by download: Simply visiting a malicious site with a PC that hasn't been kept current with security patches and antivirus can download and execute malware on the user's PC, thus adding to that botnet's ranks.
• Email: A more traditional yet still popular method of botnet infection is through a user opening email with malicious content, often sent by someone the user knows and trusts (whose system is likely infected with a botnet).
• Pirated software: Malware developers often hide malicious code inside a software download, which then installs itself on a victim's machine when the user opens the executable.

Page 30:

What happens after infection?

• The malware typically installs what is known as a backdoor, a program that allows the bot master to communicate with, control and install software onto the infected computer. Once installed, it is extremely difficult to shut and lock the backdoor, even after the infected computer has downloaded the newest security or antimalware updates.

Page 31:

How a botnet avoids detection...

» IPS and antimalware are not enough.
» Techniques to evade existing methods of detecting and blocking traffic to a command & control (C&C) server:
• Hard-coded list of IP addresses
• Domain Generation Algorithms (DGA): a method whereby the malware generates the C&C server addresses itself.
• Conficker.C would generate 50,000 domain names every day, of which it would attempt to contact 500.
• Fast flux: a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.
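Both evasion techniques leave traces in the resolver log, which is where a defender can look for them. The following is an added example written for this transcript, not code from the slides: it scores query names with a length/entropy/vowel heuristic for DGA-style labels (random-looking names of the Conficker kind; word-list DGAs evade it), counts NXDOMAIN answers per client (most generated names are unregistered), and flags domains that resolve to many addresses with short TTLs as fast-flux candidates. The log format, every line of SAMPLE_LOG, the thresholds and the addresses (RFC 5737/1918 ranges) are constructed for the example.

```python
"""Detecting DGA-style names and fast-flux records in a DNS resolver log.

Constructed example, not from the slide deck.  The log format (timestamp,
client, qtype, qname, answer, ttl) and every line in SAMPLE_LOG are made up.
The DGA test is a heuristic (length, character entropy, vowel ratio) that
catches random-looking labels like Conficker's but not word-list DGAs, so
treat hits as leads to confirm, not verdicts.
"""
import math
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2014-12-11T10:00:01 10.0.0.15 A www.example.com 192.0.2.80 3600
2014-12-11T10:00:02 10.0.0.15 A xkqzbvlmpwtcfr.info 198.51.100.40 300
2014-12-11T10:00:03 10.0.0.22 A qwrtzpkvlxbngdsj.biz NXDOMAIN 0
2014-12-11T10:00:04 10.0.0.22 A zmvbxkqpwtrlcdgh.org NXDOMAIN 0
2014-12-11T10:00:05 10.0.0.22 A pkwzqxvbmtlrgncd.net NXDOMAIN 0
2014-12-11T10:00:06 10.0.0.15 A login-update.test 203.0.113.11 60
2014-12-11T10:00:11 10.0.0.15 A login-update.test 203.0.113.12 60
2014-12-11T10:00:16 10.0.0.15 A login-update.test 203.0.113.13 60
2014-12-11T10:00:21 10.0.0.15 A login-update.test 203.0.113.14 60
2014-12-11T10:00:26 10.0.0.15 A login-update.test 203.0.113.15 60
2014-12-11T10:00:30 10.0.0.22 A mail.example.com 192.0.2.25 3600
"""


def entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_dga(qname, min_len=10, min_entropy=3.5, max_vowel_ratio=0.25):
    """Heuristic on the registrable label (the part left of the TLD)."""
    label = qname.rstrip(".").split(".")[-2]
    letters = [ch for ch in label if ch.isalpha()]
    if len(label) < min_len or not letters:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in letters) / len(letters)
    return entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def analyse(log_text, flux_min_ips=5, flux_max_ttl=300, nx_threshold=3):
    """Return (DGA hits per client, fast-flux domains, clients with many NXDOMAINs)."""
    dga = defaultdict(set)
    nx = Counter()
    ips_by_domain = defaultdict(set)
    max_ttl = {}
    for line in log_text.splitlines():
        _ts, client, _qtype, qname, answer, ttl = line.split()
        if looks_dga(qname):
            dga[client].add(qname)
        if answer == "NXDOMAIN":          # unregistered generated names
            nx[client] += 1
            continue
        ips_by_domain[qname].add(answer)
        max_ttl[qname] = max(max_ttl.get(qname, 0), int(ttl))
    flux = sorted(d for d, ips in ips_by_domain.items()
                  if len(ips) >= flux_min_ips and max_ttl[d] <= flux_max_ttl)
    noisy = {c: n for c, n in nx.items() if n >= nx_threshold}
    return dict(dga), flux, noisy


if __name__ == "__main__":
    for part in analyse(SAMPLE_LOG):
        print(part)
```

The fast-flux rule is deliberately loose: a CDN also answers with many addresses and short TTLs, so in practice the known CDN and cloud front-end domains go on a non-tracked list, and the NXDOMAIN rate per client is usually the stronger Conficker-style signal.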

Page 32:

How to determine that an infection has occurred (1)

• System running slower than usual
• Hard drive LED is flashing wildly even though the machine is idle
• Files and folders have suddenly disappeared or have been changed in some fashion
• A friend or colleague has informed the user that they have received a spam email from the user's email account

Page 33:

How to determine that an infection has occurred (2)

• A firewall on the computer informs the user that a program on the PC is trying to connect to the Internet
• A launch icon from a program downloaded from the Internet suddenly disappears
• More error messages than usual are popping up
• An online bank is suddenly asking for personal information it has never required before

Page 34:

The OSI Model
DDoS attacks
BotNets
Anti DDoS Appliances

Page 35:

Anti DDoS appliances..

• Carrier DDoS mitigation solutions
» Useful for global networks, carriers and ISPs
» Based on IP flow-based and deep packet inspection technologies protecting the entire network
» Too expensive for individual IDCs (Internet Data Centers), web hosts or web properties
» Designed around the early 2000s; cannot mitigate the new generation of DDoS attacks, which use botnets that mimic legitimate clients

Page 36:

Anti DDoS appliances

• Custom logic (FPGA or ASIC) based Internet data center (IDC), web hosting and web property DDoS mitigation solutions
» They work to protect one or several Internet links.
» The behavioral solutions are implemented in custom hardware logic and provide line-rate performance for large attacks.
» These solutions are cost-effective and effective for IDCs, web hosts and web properties.

Page 37:

Anti DDoS appliances

• Software based web property DDoS mitigation solutions
» These solutions are useful for smaller web properties with very minimal traffic.
» The behavioral solutions are implemented on off-the-shelf CPUs and have trouble keeping up at large attack traffic volumes.
» Some appliances have IPS functionality implemented in hardware but have their DDoS mitigation logic in software, and suffer from the same issues.

Page 38:

The OSI Model
DDoS attacks
BotNets
Anti DDoS appliances
Hardening

Page 39:

Things to look for in Anti-DDoS equipment

• Latest technology
• Centralized monitoring
• Visibility into normal network traffic patterns
• Alerting mechanisms
• Filtering mechanisms to reduce false positives
• Low latency
• Hardware logic for Anti-DDoS
• Bypass and redundancy
• Extensible architecture

Page 40:

Hardening from a DDoS point of view in small scenarios (1)

• "Home remedies" for simple and small DDoS attacks
» Update the kernel to the latest release
» Install all security updates
» Disable unused and insecure services
» Remove unused packages

Page 41:

Hardening from a DDoS point of view in small scenarios (2)

» Better network cards mean better performance.
» Choose a recognized vendor whose drivers are already hardened.
» Use netfilter/iptables to deny packets.
» Use the hashlimit match to rate-limit per source and identify IPs that are consuming resources.
» LiteSpeed instead of Apache httpd: http://www.litespeedtech.com/

Page 42:

Hardening from a DDoS point of view in enterprise

• Firewalls, switches, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are not enough.
• Techniques
» SYN Proxy: a mechanism, usually implemented by an intermediate appliance that sits in front of the actual server, in which the appliance answers the SYN-ACK itself. Until the source (spoofed or not) responds with the final ACK, the connection request is not forwarded to the server, so a spoofed SYN flood never consumes server state.

Page 43:

More techniques

» Connection limiting: too many connections can cause a server to be overloaded. By limiting the number of new connection requests, you can temporarily give the server respite.

Page 44:

Just one more......

» Aggressive aging: some botnet attacks involve opening a legitimate connection and then doing nothing at all. Such idle connections fill up the connection tables in firewalls and servers. By aggressively aging such idle connections, you can provide some relief to them.

Page 45:

Hardening from a DDoS point of view in enterprise (1)

• More techniques
» Source rate limiting: when a limited number of sources are available to a bot-master, he/she can use them to send packets aggressively. These high-rate packets can burden the server. Multithreaded attacks cause such patterns of attack.
» Dynamic filtering: done by identifying undisciplined behavior and punishing that behavior for a short time by creating a short-span filtering rule, then removing that rule after the time-span.

Page 46:

Hardening from a DDoS point of view in enterprise (2)

» Active verification through legitimate IP address matching: if the appliance keeps sending SYN/ACK packets back, that adds too much outbound traffic. To avoid such a reverse flood, cache identified legitimate IPs in a memory table for a limited period and let them through without the SYN proxy check.
» Anomaly recognition: most DDoS attacks are written using scripts which continuously vary a few parameters in the network packets. By performing anomaly checks on headers, state and rate, an appliance can filter out most attack packets which would otherwise pass simple firewall rules.
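The SYN proxy of page 42 and the verified-source cache described above fit together in one small model. The following is an added example written for this transcript, not code from the slides or from any appliance: packets are plain dicts rather than real TCP segments, the proxy answers each SYN with a stateless cookie (an HMAC over source, port, client ISN and a time slot, so a spoofed flood leaves no state behind), forwards only handshakes whose ACK proves the cookie, and remembers verified sources for a limited time so they skip the round trip. The slot length, cache TTL, addresses and sequence numbers are assumptions.

```python
"""SYN proxy with stateless cookies plus a verified-source cache.

Constructed example, not from the slide deck.  Packets are plain dicts
(src, dport, flags, seq, ack) rather than real TCP segments, the cookie is an
HMAC over the 4-tuple and a time slot, and the timeout values are assumptions.
"""
import hashlib
import hmac
import os

SECRET = os.urandom(16)      # per-process cookie key; rotates on restart
COOKIE_SLOT_S = 60           # cookies from the current and previous slot are accepted
VERIFIED_TTL_S = 300         # how long a verified source bypasses the cookie check
MASK32 = 0xFFFFFFFF


def cookie(src, dport, client_isn, slot):
    """32-bit ISN the proxy uses in its SYN-ACK.  It encodes everything needed
    to validate the client's ACK later, so no per-SYN state is kept."""
    msg = f"{src}|{dport}|{client_isn}|{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


class SynProxy:
    def __init__(self):
        self.verified = {}      # src -> expiry time of the fast path
        self.forwarded = []     # (src, dport) handshakes handed to the real server

    def handle(self, pkt, now):
        src, dport, flags = pkt["src"], pkt["dport"], pkt["flags"]
        slot = int(now // COOKIE_SLOT_S)
        if self.verified.get(src, 0) > now:
            self.forwarded.append((src, dport))   # cached legitimate IP: no proxy check
            return "forward"
        if flags == "SYN":
            isn = cookie(src, dport, pkt["seq"], slot)
            return f"SYN-ACK seq={isn}"           # answered by the proxy, server untouched
        if flags == "ACK":
            # a real client's ACK carries seq = its ISN + 1 and ack = our cookie + 1
            for s in (slot, slot - 1):
                if (pkt["ack"] - 1) & MASK32 == cookie(src, dport, (pkt["seq"] - 1) & MASK32, s):
                    self.verified[src] = now + VERIFIED_TTL_S
                    self.forwarded.append((src, dport))
                    return "forward"
            return "drop:bad-cookie"
        return "drop:foreign"     # SYN-ACK / FIN-ACK floods that belong to no handshake


def demo():
    """One legitimate handshake, a spoofed SYN flood, a forged ACK, a stray
    SYN-ACK and a fast-path reconnect.  Addresses are RFC 5737 examples."""
    proxy, t = SynProxy(), 1000.0
    legit = {"src": "203.0.113.7", "dport": 80}
    reply = proxy.handle({**legit, "flags": "SYN", "seq": 5000}, t)
    isn = int(reply.split("seq=")[1])
    completed = proxy.handle({**legit, "flags": "ACK", "seq": 5001, "ack": isn + 1}, t + 0.05)
    # spoofed flood: SYN-ACKs go to hosts that never answer, so nothing reaches the server
    for i in range(1000):
        proxy.handle({"src": f"198.51.100.{i % 250 + 1}", "dport": 80, "flags": "SYN", "seq": i}, t + 1)
    forged = proxy.handle({"src": "198.51.100.9", "dport": 80, "flags": "ACK", "seq": 1, "ack": 424242}, t + 2)
    stray = proxy.handle({"src": "198.51.100.9", "dport": 80, "flags": "SYN-ACK", "seq": 1, "ack": 1}, t + 2)
    # the verified client returns inside the TTL and skips the cookie round trip
    fast = proxy.handle({**legit, "dport": 443, "flags": "SYN", "seq": 7000}, t + 10)
    return completed, forged, stray, fast, len(proxy.forwarded)


if __name__ == "__main__":
    print(demo())
```

Two things the model leaves out matter in a real deployment: the proxy must translate sequence numbers on the forwarded connection, because the server's own ISN differs from the cookie (the Linux netfilter SYNPROXY target does this), and the cache only removes the reverse flood for sources that have already completed a handshake; a spoofed SYN still costs one outbound SYN-ACK, which is why the slide pairs active verification with rate limiting.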

Page 47:

Hardening from a DDoS point of view in enterprise (3)

» Protocol analysis: similar to header, state and rate anomalies, further protocol analysis can bring out issues that would otherwise pass through a generic firewall.
» Granular rate limiting: granularity refers to the various parameters available in layer 3, layer 4 and layer 7 headers. These include packet rates per source, destination, protocol, fragment, port, and per HTTP method, URL, User-Agent, Cookie, Host, Referer, etc.

Page 48:

More hardening techniques

• White-list, black-list, non-tracked sources: since rate anomalies are behavioral, all behaviors are learned from the past. Therefore, if you do not want a behavior to be learned, you must not track it: create an exception. Such non-tracked sources include backup hosts that generate large amounts of I/O at specific times, or a Content Delivery Network (CDN).
» State anomaly recognition: since most bots are scripted, they often break TCP rules. A state anomaly recognition engine looks for illegal TCP state transitions, foreign packets (packets in connections that were never properly established) and TCP window violations.
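Source rate limiting, the short-span rule of dynamic filtering (page 45), granular keys on layer-7 fields (page 47) and non-tracked sources (above) are one mechanism seen from four sides, and it is also what the hashlimit suggestion on page 41 does in iptables. The following is an added example written for this transcript, not code from the slides or from netfilter: a per-key token bucket whose key is a configurable tuple of request fields, which installs an expiring block rule when a key exhausts its bucket and never learns or limits untracked sources. The request records, addresses, URLs and limit values are constructed for the example.

```python
"""Per-key token-bucket rate limiting with expiring block rules and untracked sources.

Constructed example, not from the slide deck.  Request records, addresses,
URLs and the limit values are all made up.
"""
from collections import Counter, defaultdict


class RateLimiter:
    def __init__(self, rate, burst, block_span, key_fields=("src",), untracked=()):
        self.rate, self.burst, self.block_span = rate, burst, block_span
        self.key_fields = key_fields          # granularity: which fields form the key
        self.untracked = set(untracked)       # CDN, backup hosts: never learned, never limited
        self.buckets = {}                     # key -> (tokens, last update time)
        self.blocked = {}                     # key -> expiry of a dynamic block rule

    def key(self, req):
        return tuple(req[f] for f in self.key_fields)

    def decide(self, req):
        now = req["t"]
        if req["src"] in self.untracked:
            return "pass:untracked"
        k = self.key(req)
        expiry = self.blocked.get(k)
        if expiry is not None:
            if now < expiry:
                return "drop:blocked"
            del self.blocked[k]               # short-span rule expired, forget the offence
        tokens, last = self.buckets.get(k, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[k] = (tokens - 1, now)
            return "pass"
        self.buckets[k] = (tokens, now)
        self.blocked[k] = now + self.block_span   # punish for a short span only
        return "drop:rate"


def run_sample():
    """Replay constructed requests; returns per-source decision counts.

    Limits 2 req/s sustained with a burst of 10 per (source, URL), blocks an
    offender for 60 s, and leaves the CDN address 192.0.2.1 untracked."""
    limiter = RateLimiter(rate=2, burst=10, block_span=60,
                          key_fields=("src", "url"), untracked={"192.0.2.1"})
    reqs = [{"t": 1.0 + 2 * i, "src": "203.0.113.7", "url": "/page%d" % i} for i in range(5)]
    reqs += [{"t": 5.0 + 0.02 * i, "src": "198.51.100.20", "url": "/login"} for i in range(50)]
    reqs += [{"t": 70.0, "src": "198.51.100.20", "url": "/login"}]    # after the block expires
    reqs += [{"t": 3.0 + 0.01 * i, "src": "192.0.2.1", "url": "/assets"} for i in range(20)]
    reqs.sort(key=lambda r: r["t"])
    out = defaultdict(Counter)
    for r in reqs:
        out[r["src"]][limiter.decide(r)] += 1
    return dict(out)


if __name__ == "__main__":
    for src, counts in run_sample().items():
        print(src, dict(counts))
```

The bot hammering /login gets its first ten requests through, trips the bucket on the eleventh, is dropped by the block rule for the rest of its burst, and is admitted again once the rule has expired. Keying on (source, URL) is the layer-7 granularity of page 47; on its own it lets a bot that rotates URLs escape, so a coarser per-source bucket is normally run alongside it.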

Page 49:

More techniques

» Dark address scan prevention: dark addresses are IP addresses that have not been allocated by IANA (or are reserved), also called bogon addresses. Any packets coming from or going to dark addresses are a sign of spoofing. Blocking them removes a substantial percentage of spoofed DDoS packets; the bogon list changes as address space is allocated, so it must be kept current.
» Stealth attack filtering: before an attack there are precursors, in the form of scans. Network scans to discover IP addresses in use are common, and so are port scans to discover TCP and UDP ports that respond to connections. By identifying such scans and the corresponding attackers, you can take some precautions against a future full-blown attack.
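Both checks above run on plain flow records. The following is an added example written for this transcript, not code from the slides: a bogon filter over an abbreviated, hard-coded list of reserved ranges, and a sliding-window detector that flags a source touching many ports on one host (port scan) or one port on many hosts (sweep). The flow records, the internal hosts, the window and threshold are constructed; the TEST-NET ranges 198.51.100.0/24 and 203.0.113.0/24 are left out of BOGONS on purpose so the sample traffic can use them as "external" sources, and a production list must come from a maintained feed because unallocated space changes.

```python
"""Bogon (dark address) filtering and scan-precursor detection over flow records.

Constructed example, not from the slide deck.  BOGONS is deliberately
abbreviated: the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 are
omitted so the sample flows can use them as external sources, and the real
unallocated list changes as IANA hands out space, so a production filter is
refreshed from a maintained feed rather than hard-coded.
"""
import ipaddress
from collections import defaultdict

BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4")]


def is_bogon(ip):
    """True if the source should never appear on the Internet-facing interface."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGONS)


class ScanDetector:
    """Flags a source that touches many ports on one host (port scan) or one
    port on many hosts (sweep) inside a sliding time window."""

    def __init__(self, window_s=60.0, threshold=10):
        self.window_s, self.threshold = window_s, threshold
        self.history = defaultdict(list)     # src -> [(t, dst, dport)]

    def observe(self, t, src, dst, dport):
        hist = [h for h in self.history[src] if t - h[0] <= self.window_s]
        hist.append((t, dst, dport))
        self.history[src] = hist
        ports_on_dst = {p for _, d, p in hist if d == dst}
        hosts_on_port = {d for _, d, p in hist if p == dport}
        if len(ports_on_dst) >= self.threshold:
            return "port-scan"
        if len(hosts_on_port) >= self.threshold:
            return "sweep"
        return None


def classify(flows):
    """Return (spoofed bogon sources, port-scanning sources, sweeping sources)."""
    det = ScanDetector()
    bogon, scans, sweeps = [], set(), set()
    for t, src, dst, dport in flows:
        if is_bogon(src):
            bogon.append(src)          # drop before it reaches any rate learning
            continue
        verdict = det.observe(t, src, dst, dport)
        if verdict == "port-scan":
            scans.add(src)
        elif verdict == "sweep":
            sweeps.add(src)
    return bogon, scans, sweeps


def sample_flows():
    """Constructed external-to-internal flows: two spoofed bogon sources, one
    port scan, one SSH sweep and one quiet host."""
    flows = [(0.0, "10.1.2.3", "172.16.5.5", 80), (0.5, "240.0.0.1", "172.16.5.5", 443)]
    flows += [(1.0 + i, "203.0.113.50", "172.16.5.5", 20 + i) for i in range(12)]
    flows += [(2.0 + i, "198.51.100.9", f"172.16.5.{10 + i}", 22) for i in range(12)]
    flows += [(3.0, "203.0.113.200", "172.16.5.5", 443), (4.0, "203.0.113.200", "172.16.5.5", 80)]
    return sorted(flows)


if __name__ == "__main__":
    print(classify(sample_flows()))
```

The bogon check is the cheap first stage: it needs no state and removes spoofed traffic from obviously impossible sources before the behavioral stages have to learn anything about it. The scan detector is only as good as its window; the usage in `sample_flows` shows both a vertical scan (ports 20 to 31 on one host) and a horizontal sweep (port 22 across twelve hosts) crossing the threshold.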

Page 50:

How to test a mitigation system?

• Most people purchasing DDoS mitigation systems do not know how to decide between one system and another.
• Since most DDoS mitigation systems are fewer than 5 years old today, there is a trust issue with them. Those that have been tested by third parties such as the Tolly Group (www.tolly.com) are few. Most people would rather test them in their own lab before deploying them.

Page 51:

DDoS tools for testing in a PoC

• SmartBits
» http://www.spirent.com/Products/Smartbits
• Avalanche
» http://www.spirentfederal.com/IP/Products/Avalanche/Overview/
• BreakingPoint
» http://www.breakingpointsystems.com/
• Example videos of BreakingPoint and Fortinet tests
» https://www.youtube.com/watch?v=5N7L3_V69X0
» http://youtu.be/JygWSBRdON4

Page 52:

Attack Tools

• Many and varied
» Configurable Perl scripts, executables, JavaScript
» Windows, OSX, Android
• Distributed as
» Stress tester utilities
» Development toolkits
» Malware
• Used to create
» Individual attacks
» Voluntary 'hacktivist' attacks
» Botnet-driven attacks and booster scripts

Page 53:

Most popular tool – LOIC (Low Orbit Ion Cannon)

• Low Orbit Ion Cannon (LOIC) is an open source network stress testing and denial-of-service attack application, written in C#.

Page 54:

Software packet generators

• Nemesis
• hping
• T50
• Rude and Crude
• Scapy
• D-ITG
• Pktgen
• Packet Generator
• Packet Excalibur
• Packgen
• and much more on this site: http://www.protocog.com/trgen.html

Page 55:

Type of testing attacks

• Over the Internet, one can launch Layer 3, 4 or 7 attacks.
• Examples of Layer 3 attacks are protocol floods such as ICMP floods and IP fragment floods.
• Examples of Layer 4 floods are TCP and UDP port floods (SYN floods among them).
• Examples of Layer 7 floods are URL floods. In this attack, a single URL is continuously requested from multiple sources.

Page 56:

Attacks to test functionality and performance

• Spoofed SYN flood attack
• Spoofed UDP attack
• Spoofed ICMP attack
• Spoofed TCP SYN-ACK attack
• Spoofed TCP FIN-ACK attack
• Spoofed IP attack
• Spoofed IP fragments attack
• IP-UDP fragments attack
• IP-ICMP fragments attack
• TCP/UDP destination port attack
• BackTrack will be your best friend!

Page 57:

Thank you!

Gracias!

Obrigado!