DDOS Dark Slides

DDOS Workshop DDOS Workshop

Transcript of DDOS Dark Slides

Page 1: DDOS Dark Slides

DDOS Workshop DDOS Workshop

Page 2: DDOS Dark Slides

Research Accreditation

Page 3: DDOS Dark Slides

• Discuss current DDOS attacks
• DDOS Methods
• DDOS Prevention
• Demonstrate a live DDOS attack

Agenda

Page 4: DDOS Dark Slides

• DDOS is illegal
• This presentation is for educational purposes
• Misuse of this information will result in reporting you to local Federal authorities

Disclaimer

Page 5: DDOS Dark Slides

• 86% of all websites on the internet have an exploitable vulnerability
• DDOS attacks are on the rise
• Web-exploits are easy to execute
• Current prevention and infrastructure can’t handle coordinated attacks

Background

Page 6: DDOS Dark Slides

• Distributed Denial of Service: Intentional rapid generation of packets directed at a domain, IP, or IoT device.
• Most common cyber attack
• Memory consumption or maxed bandwidth
• Can be simulated with custom programs
• Easy to do

Concept

Page 7: DDOS Dark Slides

Graphic

• Server

• Server

Page 8: DDOS Dark Slides

10/21/2016: “Worst DDOS attack in history” @ 500+ GB/s per site
https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/
US – France – South Africa – Korea

DNS service provider Dyn was compromised
Direct directory to servers hosted

Netflix was down for hours
Twitter was down for hours
PayPal
Amazon
PSN Worldwide was down
XBOX Live
Blizzard
Yahoo
AOL
California School Districts (Assumed nation wide)
100s…..

Cases

Page 9: DDOS Dark Slides

KrebsOnSecurity – 20 September, 665 GB/s
DNS query flooding
Protected by Akamai

KrebsOnSecurity.com
https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
BangStresser – Push button DDOS tool

Cases

Page 10: DDOS Dark Slides

New World Hackers – 602 GB/s attacks
BBC networks and Donald Trump
http://thehackernews.com/2016/01/biggest-ddos-attack.html

BangStresser – Push button DDOS tool

Cases

Page 11: DDOS Dark Slides

• Service Unavailability
• Session Hijacking
• Physical Hardware Damage
• Loss in both Tangible and Intangible resources

DDOS Risk

Page 12: DDOS Dark Slides

• Deploy a Localhost (127.0.0.1) server
• Use Apache / Tomcat / Microsoft / XAMPP
• XAMPP is great (Server deploying for dummies)
• TURN YOUR FRICKING WIFI OFF / AIRPLANE MODE

Setting up DDOS Lab

Page 13: DDOS Dark Slides

Karter DDOS

Page 14: DDOS Dark Slides

• Exploiting legitimate connection requests
• Just like a ping command, web-servers allow HTTP, GET, POST, PUT, DELETE, etc.
• Web-servers have to allow certain requests
• Simple mitigation (BLOCK FOREIGN HTTP/S METHODS)

Flooding
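
A defender-side view of the mitigation on this slide, as an added example that is not part of the original deck: it reads web-server access-log lines, reports requests whose method is outside an allow-list, and reports clients that exceed a request rate. The allow-list, window, threshold and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions for this example, not values from the slides:
ALLOWED_METHODS = {"GET", "HEAD", "POST"}  # methods the lab site needs
WINDOW = timedelta(seconds=1)              # sliding window per client
MAX_PER_WINDOW = 3                         # low threshold to suit the sample

# Apache common log format: client, timestamp, request line, status, size
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample log (loopback clients only, sorted by time)
SAMPLE_LOG = """\
127.0.0.1 - - [01/Nov/2016:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512
127.0.0.2 - - [01/Nov/2016:10:00:00 +0000] "GET /dvwa/login.php HTTP/1.1" 200 900
127.0.0.2 - - [01/Nov/2016:10:00:00 +0000] "GET /dvwa/login.php HTTP/1.1" 200 900
127.0.0.2 - - [01/Nov/2016:10:00:00 +0000] "GET /dvwa/login.php HTTP/1.1" 200 900
127.0.0.2 - - [01/Nov/2016:10:00:01 +0000] "GET /dvwa/login.php HTTP/1.1" 200 900
127.0.0.2 - - [01/Nov/2016:10:00:01 +0000] "GET /dvwa/login.php HTTP/1.1" 200 900
127.0.0.1 - - [01/Nov/2016:10:00:05 +0000] "DELETE /index.php HTTP/1.1" 405 0
127.0.0.1 - - [01/Nov/2016:10:00:09 +0000] "TRACE / HTTP/1.1" 405 0
"""

def analyse(log_text):
    """Return (requests with disallowed methods, clients over the rate limit)."""
    recent = defaultdict(deque)   # client -> timestamps inside the window
    bad_methods, flooders = [], set()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue              # skip lines that are not access-log entries
        client, ts, method, path, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method.upper() not in ALLOWED_METHODS:
            bad_methods.append((client, method, path))
        q = recent[client]
        q.append(when)
        while when - q[0] > WINDOW:   # drop timestamps older than the window
            q.popleft()
        if len(q) > MAX_PER_WINDOW:
            flooders.add(client)
    return bad_methods, sorted(flooders)

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The same two checks map onto server-side controls: reject methods the application does not use, and rate-limit per client before requests reach the application.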

Page 15: DDOS Dark Slides

• Passed on 10/31/2016
• Digital Millennium Copyright Act enacted an exemption that makes it legal for users to hack devices they own

Wait….

Page 16: DDOS Dark Slides

Ricky Bobby Approves

Page 17: DDOS Dark Slides

Statistics

• Transport Layer: 70%
• Information Leakage: 56%
• Cross-Site Scripting: 47%
• Brute Force: 29%
• Content Spoofing: 26%
• Cross-Site Forgery: 24%
• URL Redirect: 16%
• Location Leakage: 15%
• Session Fixation: 14%
• SQL Injection: 6%

Page 18: DDOS Dark Slides

DDOS Diagram

Page 19: DDOS Dark Slides

DDOS Diagram

Page 20: DDOS Dark Slides

DDOS Diagram

Page 21: DDOS Dark Slides

Picture

• Server

• Server

Page 22: DDOS Dark Slides

• Deploy any basic web-server on Localhost (127.0.0.1).
• Close down any network connections
• Verify your connections are disabled (DON’T BE STUPID)
• Tips:
• Use XAMPP to deploy servers
• Download DVWA to attack

DDOS Lab

Page 23: DDOS Dark Slides

• Did you know?
• PING command can send up to 65,500 bytes in 0.06 ms
• HTTP / GET / POST requests take up a lot of memory
• Slowloris

• Simple automation with C++ or Java
• Generate packet
• Loop through
• Send to IP
• Generate huge network loads (400 MB/s+)

• Launch attacks…..

Flooding

Page 24: DDOS Dark Slides

Packet Types
UDP / SYN / TCP

These packets are for specific devices
Much more difficult
Much more deadly

Simple automation with C++ or Java
Generate packet
Loop through
Send to IP / MAC address
Generate huge network loads (400 MB/s+)

Launch attacks…..

Network Flooding

Page 25: DDOS Dark Slides

HOIC

Page 26: DDOS Dark Slides

LOIC

Page 27: DDOS Dark Slides

Lizard Stresser

Page 28: DDOS Dark Slides

Karter DDOS

Page 29: DDOS Dark Slides
Page 30: DDOS Dark Slides

Karter DDOS

Page 31: DDOS Dark Slides

Karter DDOS

Page 32: DDOS Dark Slides

Karter DDOS

Page 33: DDOS Dark Slides

Karter DDOS

Page 34: DDOS Dark Slides

Shodan (Find your target)

Page 35: DDOS Dark Slides

DDOS Workshop DDOS Workshop