BSides Algiers - Layer7 DoS Attacks - Oussama Elhamer


Transcript of BSides Algiers - Layer7 DoS Attacks - Oussama Elhamer

Page 1:

Layer 7 DoS attack. By: Oussama Elhamer Abdelkhalek.

Page 2:

Summary
• The history of DoS attacks.
• Layer 4 DDoS: overview.
• Layer 7 DoS: one attacker brings down one site.
• Link-local DoS: IPv6 RA attack.

Page 3:

The DoS History

Page 4:

The DoS History

Page 5:

Layer 4 DDoS attack:
• Primitive DDoS attack controlled via IRC.
• Sends thousands of packets per second from the attacker directly to the target.
• Needs thousands of participants to bring down a large site.
• Took down MasterCard for more than a day (3,000 to 30,000).
• Nothing more than pressing F5 (the Low Orbit Ion Cannon does that for you :p).

Page 6:

Layer 7 DoS
• Operates at the application protocol level (OSI Layer 7), e.g. HTTP(S), SMTP, FTP, etc.
• Can be routed through proxies.
• More dangerous.
• Low bandwidth.
• Can be very difficult to distinguish from normal traffic.

Page 7:

Some examples of Layer 7 DoS attacks

We will focus on the weaknesses of the HTTP protocol.

Page 8:

HTTP GET

Page 9:

- Don't send a complete request to the web server (incomplete headers). Send something that will hold the web server: keep sending headers at regular intervals to keep the sockets active!
- So if you open one thousand connections on a server that can only handle five hundred, it will be rejecting requests.
- Example message syntax:

    GET /indexPage.html HTTP/1.1 CRLF    <- Request line
    Host: www.host.com:8080 CRLF
    Content-Length: 25 CRLF
    CRLF
    <Optional message body>

- The server stops reading when it sees two CRLF, then starts generating the response and sending feedback.

HTTP GET attack:

Page 10:

• Example: the server will drop the connection if there is no data in 60 seconds!

Client -> Server:

    GET / HTTP/1.1 \r\n
    Host: Server \r\n
    X-skdvbk: sdjvj\r\n
    ---- 59 sec later
    X-skdvbk: sdjvj\r\n
    ---- 59 sec later
    X-skdvbk: sdjvj\r\n
    ---- 59 sec later
    X-skdvbk: sdjvj\r\n
    ---- 59 sec later

• This attack doesn't work with IIS because it uses a timeout.
• There is no reliable configuration that universally protects your web server, but there are some recommendations that minimize the damage.

Page 11:

Slowloris
• Sends incomplete GET requests.
• Freezes Apache with one packet per second.
• Keeps sessions at a halt.
• Uses never-ending GET transmissions.
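A server-side model of the "read headers until two CRLF" loop from the HTTP GET and Slowloris slides, added here as an illustration (not part of the talk): it replays the deck's 59-second header drip and a normal request against an idle-timeout-only policy (the 60 s rule above) and against a bounded header-read policy. The bounded values are assumed from Apache mod_reqtimeout's documented RequestReadTimeout example (header=20-40, MinRate=500); the rate check is a simplified average, and the client traces are constructed.

```python
# Constructed model (not from the slides): clients are traces of (arrival_second, bytes)
# exactly as the server's read loop would see them.
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    idle_timeout: float     # max silence between chunks (the deck's 60 s rule)
    header_deadline: float  # max total seconds to finish the whole header block
    min_rate: float         # min average bytes/s once data has started; 0 = off


def read_headers(chunks, policy):
    """Return ('complete', headers), ('rejected', reason) or ('pending', secs_held)."""
    buf, last = b"", 0.0  # socket accepted at t = 0
    for t, data in chunks:
        if t > policy.header_deadline:
            return "rejected", f"header block not finished within {policy.header_deadline:g}s"
        if t - last > policy.idle_timeout:
            return "rejected", f"idle for {t - last:g}s"
        buf += data
        last = t
        if policy.min_rate and t > 0 and len(buf) / t < policy.min_rate:
            return "rejected", f"receive rate below {policy.min_rate:g} B/s"
        if b"\r\n\r\n" in buf:  # the blank line: the server stops reading here
            return "complete", buf.split(b"\r\n\r\n", 1)[0]
    # trace ended without the blank line: the socket is still tied up
    return "pending", last


# Constructed traces: a normal request and the deck's 59-second header drip.
NORMAL = [(0.0, b"GET /indexPage.html HTTP/1.1\r\nHost: www.host.com:8080\r\n\r\n")]
DRIP = [(0.0, b"GET / HTTP/1.1\r\nHost: Server\r\n")] + [
    (59.0 * i, b"X-skdvbk: sdjvj\r\n") for i in range(1, 6)
]

# Idle-timeout-only server (the slide's 60 s rule) vs. a bounded read
# (assumed values from mod_reqtimeout's documented example: header=20-40, MinRate=500).
IDLE_ONLY = Policy(idle_timeout=60, header_deadline=float("inf"), min_rate=0)
BOUNDED = Policy(idle_timeout=20, header_deadline=40, min_rate=500)

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("drip", DRIP)):
        for pname, pol in (("idle-only", IDLE_ONLY), ("bounded", BOUNDED)):
            print(f"{name:6s} {pname:9s} -> {read_headers(trace, pol)}")
```

The idle-only server is still holding the drip's socket after 295 seconds because every gap stays just under its 60 s rule, while the bounded policy rejects it at the first late chunk without affecting the normal request.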

Page 12:

HTTP POST
• Similar to HTTP GET.
• The connections with the server stay open.
• Instead of prolonging the header section of the HTTP request, it prolongs the message body section.

Page 13:

R-U-Dead-Yet:
• Incomplete HTTP POSTs.
• Implements the generic HTTP DoS attack via long form field submissions.
• Stops IIS, but requires thousands of packets per second.

Page 14:

More variations
• Keep-Alive DoS: a variation of the incomplete HTTP GET request, but less powerful.
• XerXes: a tool developed by Th3j35t3r.
  - Can be ported to a 3G cell phone.
  - Can be run through a VPN.

Page 15:

Link-local DoS: IPv6 Router Advertisements
• In IPv4:
  - The client requests an IP.
  - The router provides one.
• In IPv6:
  - The router announces its presence.
  - Every client on the LAN creates an address and joins the network.

Page 16:

• The problem is that you can send a lot of router advertisements.
• The LAN machines will join all those networks.
• And Windows is inefficient in doing that.
• You can take down the whole LAN.

Page 17:

Demo:
• Slowloris.
• R-U-Dead-Yet.
• RA IPv6 attack.

Page 18:

Thanks