Post on 14-Apr-2017
DDOS Workshop
Research Accreditation
• Discuss current DDOS attacks
• DDOS Methods
• DDOS Prevention
• Demonstrate a live DDOS attack
Agenda
• DDOS is illegal
• This presentation is for educational purposes
• Misuse of this information will result in reporting you to local Federal authorities
Disclaimer
• 86% of all websites on the internet have an exploitable vulnerability
• DDOS attacks are on the rise
• Web-exploits are easy to execute
• Current prevention and infrastructure can’t handle coordinated attacks
Background
• Distributed Denial of Service: Intentional rapid generation of packets directed at a domain, IP, or IoT device.
• Most common cyber attack
• Memory consumption or maxed bandwidth
• Can be simulated with custom programs
• Easy to do
Concept
Graphic (labels: Server, Server)
10/21/2016: “Worst DDOS attack in history” @ 500+ GB/s per site
https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/
US – France – South Africa – Korea
DNS service provider Dyn was compromised
Direct directory to servers hosted
Netflix was down for hours
Twitter was down for hours
Paypal
Amazon
PSN Worldwide was down
XBOX Live
Blizzard
Yahoo
AOL
California School Districts (Assumed nation wide)
100s…..
Cases
KrebsOnSecurity – 20 September 665 GB/s
DNS Query flooding
Protected by Akamai
KrebsOnSecurity.com
https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
BangStresser – Push button DDOS tool
Cases
New World Hackers – 602 GB/s attacks
BBC networks and Donald Trump
http://thehackernews.com/2016/01/biggest-ddos-attack.html
BangStresser – Push button DDOS tool
Cases
• Service Unavailability
• Session Hijacking
• Physical Hardware Damage
• Loss in both Tangible and Intangible resources
DDOS Risk
• Deploy a Localhost (127.0.0.1) server
• Use Apache / Tomcat / Microsoft / XAMPP
• XAMPP is great (Server deploying for dummies)
• TURN YOUR FRICKING WIFI OFF / AIRPLANE MODE
Setting up DDOS Lab
Karter DDOS
• Exploiting legitimate connection requests
• Just like a ping command, web-servers allow HTTP, GET, POST, PUT, DELETE, etc.
• Web-servers have to allow certain requests
• Simple mitigation (BLOCK FOREIGN HTTP/S METHODS)
Flooding
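A defensive sketch of the mitigation bullet above, added here as an example and not part of the original slides: it reads Apache-style access log lines from the localhost lab server, flags clients that use HTTP methods outside an allowlist, and flags clients whose request rate exceeds a threshold. The allowlist, the threshold values and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed policy for this example: the only methods the site needs.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
# Assumed threshold: more than MAX_REQ requests per client within WINDOW_S seconds.
WINDOW_S, MAX_REQ = 10, 5

# Apache common/combined log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def analyze(lines):
    """Return (clients using disallowed methods, clients exceeding the rate limit)."""
    bad_method, flooding = set(), set()
    recent = defaultdict(deque)      # client -> request times inside the window
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                 # skip malformed lines instead of crashing
        client, ts, method, _path, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        if method.upper() not in ALLOWED_METHODS:
            bad_method.add(client)
        q = recent[client]
        q.append(when)
        while q and when - q[0] > WINDOW_S:
            q.popleft()              # drop requests older than the window
        if len(q) > MAX_REQ:
            flooding.add(client)
    return bad_method, flooding

def _line(ip, sec, method, path="/", status=200):
    return (f'{ip} - - [14/Apr/2017:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512')

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE = (
    [_line("192.0.2.10", s, "GET", "/index.php") for s in range(8)]  # 8 GETs in 8 s
    + [_line("198.51.100.7", 1, "PUT", "/upload", 405),
       _line("198.51.100.7", 30, "DELETE", "/index.php", 405)]
    + [_line("203.0.113.5", 0, "GET"), _line("203.0.113.5", 40, "POST", "/login.php")]
    + ["garbage line"]
)

if __name__ == "__main__":
    methods, rate = analyze(SAMPLE)
    print("disallowed methods:", sorted(methods))
    print("rate exceeded:", sorted(rate))
```

The flooding client in the sample uses only GET, which is why the method allowlist is paired with a rate check: a flood built from allowed requests passes a method filter untouched.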
• Passed on 10/31/2016
• Digital Millennium Copyright Act enacted an exemption that legalizes users hacking devices they own
Wait….
Ricky Bobby Approves
Statistics
Transport Layer: 70%
Information Leakage: 56%
Cross-Site Scripting: 47%
Brute Force: 29%
Content Spoofing: 26%
Cross-Site Forgery: 24%
URL Redirect: 16%
Location Leakage: 15%
Session Fixation: 14%
SQL Injection: 6%
DDOS Diagram
Picture (labels: Server, Server)
• Deploy any basic web-server on Localhost (127.0.0.1).
• Close down any network connections
• Verify your connections are disabled (DON’T BE STUPID)
• Tips:
• Use XAMPP to deploy servers
• Download DVWA to attack
DDOS Lab
• Did you know?
• PING command can send up to 65,500 bytes in 0.06 ms
• HTTP / GET / POST requests take up a lot of memory
• Slowloris
• Simple automation with C++ or Java
• Generate packet
• Loop through
• Send to IP
• Generate huge network loads (400 MB/s+)
• Launch attacks…..
Flooding
Packet Types
UDP / SYN / TCP
These packets are for specific devices
Much more difficult
Much more deadly
Simple automation with C++ or Java
Generate packet
Loop through
Send to IP / Mac address
Generate huge network loads (400 MB/s+)
Launch attacks…..
Network Flooding
HOIC
LOIC
Lizard Stresser
Karter DDOS
Shodan (Find your target)