DDoS mitigation EPIC FAIL collection - 32C3
Uploaded by moshe-zioni
Transcript of DDoS mitigation EPIC FAIL collection - 32C3
![Page 1: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/1.jpg)
DDoS Mitigation EPIC FAIL collection
TL;DR: LEARN HOW TO DO (EFFICIENT) DDOS AND (EASILY) BYPASS MITIGATION TACTICS
1
![Page 2: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/2.jpg)
Agenda
Intro to D/DoS
Methodology of work
DDoS tactics in-the-wild and how to improve
10 ‘from-the-books’ strategies & how to leverage your attack to fit them
Q&A
2
![Page 3: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/3.jpg)
~$ whoami
Hi! Moshe Zioni, I do security stuff
3 years of designing & providing a full-blown on-demand DDoS attack service.
Mainly experienced in Ethical Hacking & Penetration Testing
1st time speaker @ CCC, grateful to have this honor.
.///. END OF SHAMELESS PROMOTION SLIDE .///.
3
![Page 4: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/4.jpg)
DDoS for Everyone! 4
![Page 5: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/5.jpg)
Method 5
![Page 6: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/6.jpg)
Run-of-the-Mill DDoS attacks in-the-wild
Rely heavily on bandwidth consumption
53% of attacks are < 2Gbps (SANS)
Reflection combined with Amplification relies on third-party services (DNS, NTP, etc.)
Most attacks do not require brains
6
![Page 7: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/7.jpg)
Strike Harder! (!= Larger botnet)
There is more to a web site than a front-end (!!)
Overload the backend by making the system work for you
Keep it stealthy, they might be using the ‘magic of sniffing’
Think of amplification in a general way
7
![Page 8: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/8.jpg)
Generalized Amplification - “4 Pillars”
Amplification factors:
Network – The usual suspect
CPU – Very limited on some mediators and web application servers
Memory – Volatile, everything uses it; multi-step operations are a prime target
Storage – Can be filled up, or its I/O buffers exhausted
8
![Page 12: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/12.jpg)
Ready?
Set.
12
![Page 13: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/13.jpg)
FACEPALM
13
![Page 15: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/15.jpg)
“Limit the rate of incoming packets”
15
![Page 16: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/16.jpg)
The customer had been hit by a DDoS attack that consumed ALL BANDWIDTH
To rectify the situation the ISP suggested limiting the incoming packet rate to ensure availability
And so he did… believing that he had now upped the game significantly for us
16
![Page 17: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/17.jpg)
Reflection to the rescue!
Consumption by reflection:
Send in 1Kb
Consume according to file-length
17
![Page 20: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/20.jpg)
“It’s OK now, monitoring shows everything is back to normal”
20
![Page 21: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/21.jpg)
MegaCommonPractice now went on to buy an Anti-DDoS solution
A known cloud-based Anti-DDoS protection vendor approached the client and offered a very solid-looking solution, including 24/7 third-party monitoring
21
![Page 22: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/22.jpg)
DID YOU ACTUALLY TRY TO ACCESS THE WEB SITE!!!!
22
![Page 25: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/25.jpg)
“Backend servers are not important to protect against DDoS”
25
![Page 26: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/26.jpg)
Mapping the backend for DDoS
Databases are very susceptible to DDoS attacks and provide good grounds for intra-amplification
How can we find DBs?
You can always guess, pentesters do that all the time…
Takes more time == more elaborate operation, may involve BE !!!
PROFIT!!!
26
![Page 30: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/30.jpg)
Really??!?! ALL OF THE DOMAINS?!?
What is the strategy of mitigation? Do you understand it?
“Doesn’t matter, let’s do it!”
30
![Page 31: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/31.jpg)
So, remember the booklet that you didn’t read?
Interesting strategy – the system devises some unknown algorithm to detect probable attacks.
The defense mechanism ‘drains’ all traffic first and then does some magic.
Mitigation kicks in 20 seconds after detection (supposedly to allow building a model, dunno)
31
![Page 34: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/34.jpg)
“We don’t trust the vendor, we don’t give them certificates”
34
![Page 35: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/35.jpg)
Talk to me in layer 7…
The defense had chosen not to monitor layer 7, so HTTPS attacks went unseen:
SSL (re)negotiation
Plus, when transmitting via HTTPS GET/POST/…, the vendor product can’t learn from and analyze the traffic
35
![Page 38: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/38.jpg)
“We need Big Data, collect all the logs”
38
![Page 39: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/39.jpg)
Logs need to be handled
Storage Boom
Results in a complete lock-down, including not being able to manage the overflowed device
It was the IPS, so no traffic was allowed to go anywhere: no traffic in or out of the system
SILO NEEDED!
39
![Page 42: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/42.jpg)
“We are under attack – enforce the on-demand Scrubbing Service”
42
![Page 43: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/43.jpg)
Learning mode – did you do it?
Everything is learned
So the attack was considered legitimate traffic
RTFM
And… the vendor response was epic by itself
43
![Page 46: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/46.jpg)
“So what CDN is not dynamic? Let’s enable it”
46
![Page 47: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/47.jpg)
NOT IN CACHE? ASK THE ORIGIN! 47
![Page 52: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/52.jpg)
How to find an ‘invisible’ origin?
Find another known subdomain -> translate to IP -> scan the /24 or /16 -> good chance it’s there.
AND….. WHOIS never forgets
http://viewdns.info FTW!
52
![Page 55: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/55.jpg)
“Block ‘em! Now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them.”
55
![Page 56: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/56.jpg)
Total IPs (DE): ~116 M *
56
* http://www.nirsoft.net/countryip/de.html
![Page 57: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/57.jpg)
Roughly ~1,800 class B ranges
57
![Page 58: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/58.jpg)
We spoofed IPs from those classes and delivered a very detectable TCP SYN flood attack from each source
58
![Page 59: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/59.jpg)
Now think of a monkey blocking every incoming alert.
15 MINUTES TO SELF-INFLICTED DDOS
59
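The self-inflicted DDoS of slides 55-59 comes from turning every SYN-flood alert into a block rule while the sources are spoofed across ~1,800 class B ranges. The following is an added example, not code from the talk: a guarded auto-blocker that watches how many distinct /16 prefixes the alerts span in a sliding window and stops issuing per-IP blocks once the spread looks like spoofing (where /32 blocks only ever hit innocent address space), plus a hard cap on blocklist size. The alert line format, the thresholds and the two constructed incidents are assumptions made for this example.

```python
import ipaddress
from collections import deque

# Assumed alert line format for this example: "<epoch-seconds> SYN_FLOOD <source-ip>"
def parse_alert(line):
    ts, kind, src = line.split()
    return int(ts), kind, ipaddress.ip_address(src)

class GuardedAutoBlocker:
    """Turns per-source alerts into /32 blocks, but refuses once the sources are
    scattered over too many /16s in one window (spoofing) or the list is full."""

    def __init__(self, window_s=60, max_prefixes_in_window=32, max_blocked_hosts=5000):
        self.window_s = window_s
        self.max_prefixes = max_prefixes_in_window
        self.max_hosts = max_blocked_hosts
        self.blocked = set()   # /32 addresses currently blocked
        self.recent = deque()  # (timestamp, /16 network) seen inside the sliding window

    def _distinct_prefixes(self, now):
        while self.recent and now - self.recent[0][0] > self.window_s:
            self.recent.popleft()
        return len({net for _, net in self.recent})

    def handle(self, line):
        ts, kind, src = parse_alert(line)
        if kind != "SYN_FLOOD":
            return "ignored"
        self.recent.append((ts, ipaddress.ip_network(f"{src}/16", strict=False)))
        if self._distinct_prefixes(ts) > self.max_prefixes:
            # Sources spread over many /16s within a minute are almost certainly spoofed:
            # per-IP blocking is futile here, so stop and escalate (SYN cookies, upstream filtering).
            return "refused:spoof-suspected"
        if src not in self.blocked and len(self.blocked) >= self.max_hosts:
            return "refused:budget"  # never let the blocklist grow without bound
        self.blocked.add(src)
        return "blocked"

def run(lines):
    """Feed one incident through a fresh blocker; returns (hosts blocked, per-alert decisions)."""
    blocker = GuardedAutoBlocker()
    decisions = [blocker.handle(line) for line in lines]
    return len(blocker.blocked), decisions

# Constructed incidents: a real flood from 3 hosts vs. a spoofed flood from 1,800 distinct /16s.
REAL_HOSTS = ["203.0.113.7", "203.0.113.9", "198.51.100.22"]
REAL = [f"{1451000000 + i} SYN_FLOOD {REAL_HOSTS[i % 3]}" for i in range(200)]
SPOOFED = [f"{1451000000 + i} SYN_FLOOD {ipaddress.IPv4Address('10.0.0.1') + (i << 16)}" for i in range(1800)]

if __name__ == "__main__":
    for name, incident in (("real", REAL), ("spoofed", SPOOFED)):
        hosts, decisions = run(incident)
        print(f"{name}: {hosts} hosts blocked, last decision: {decisions[-1]}")
```

With the real incident all three hosts end up blocked; with the spoofed one the blocker stops after 32 hosts instead of marching through the whole country's address space.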
![Page 61: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/61.jpg)
Collected misconceptions
There is no magic pill or best cocktail mix of technologies/appliances/services, and there never was – prepare a plan, not just a mitigation.
You can have all the toys and money in the world – best mitigation – don’t do drugs
TEST your infrastructure regularly.
If you won’t do that – you may be a candidate for this presentation in the future
61
![Page 62: DDoS mitigation EPIC FAIL collection - 32C3](https://reader033.fdocuments.in/reader033/viewer/2022052606/58edae971a28ab7a488b4695/html5/thumbnails/62.jpg)
Questions?
62