Transcript of "Hunting Slowloris and Friends" – Hacking-Lab
Swiss Cyberstorm 2011 – OWASP Track
Hunting Slowloris and Friends
On Practical Defense Against Application Layer DDoS Attacks that use Request Delaying Techniques
Dr. Christian Folini, netnea.com / Swiss Post
[email protected]
Hunting Slowloris and Friends – Swiss Cyberstorm 2011 – OWASP Track
Christian Folini CV
IT Consultant for Swiss Post, Swiss Federal IT, Swiss TV, one or two banks etc.
Specialised in Webserver Security and Web Application Security on Unix Servers and System Administration in general
Speaker at OWASP conferences
Developer of a ModSecurity Rule Editor named "REMO"
Studies in Fribourg (Switzerland), Berne, Bielefeld, Berlin
PhD in Medieval History at Fribourg University, Switzerland
The probability of an application level DDoS using Request Delaying Techniques hitting Swiss Post is very low - and the result would be a complete disaster.
Christian Folini, 2006
Internal Swiss Post Memo
ModSecurity ML in 2006
RSnake Announcing Slowloris
Writing about Slowloris in LWN.net
For Completeness: Matteo
Swiss Post Press Release
FIXME: Screenshot
http://lwn.net/Articles/338407/
Attack Waves Traffic Graph
Two weeks of TCP traffic on one of the links of Swiss Post
One week of TCP traffic on one of the links of Swiss Post
How to DDoS on the Application Level?
Attack Waves Traffic Graph
Two weeks of TCP traffic on one of the links of Swiss Post
One week of TCP traffic on one of the links of Swiss Post
Apache mod_status Example Output
Statements from IRC (1 of 2)
< machiavelli> again I think holding postfinance.ch down for several weeks would lead to cash in wikileaks' hands. Postfinance would be forced to actually release the wikileaks funds they've stolen or go out of business.
The Plan (here summarised after the attack was over)
Statements from IRC (2 of 2)
22:12 < biertrinker> paypal is wasting time. lets do postfinance.ch again to let them see that war is still not over
...
23:12 < pride2> what is the site of the bank that blocked assanges account?
...
23:12 < pride2> we can take that one out?
...
23:13 < OPBIG_7> postfinance pride2
...
23:14 < RemmiDemmi> postfinance.ch would be good
...
23:14 < pride2> i agree
23:14 < pride2> it would make a good statement
...
23:15 < OPBIG_7> pride2 and co: postfinance was complete down when we attacked them and they had to block all non CH ip's. They will do same if we attack again. Its not a long term target
Internal Swiss Post Memo
The probability of an application level DDoS using Request Delaying Techniques hitting Swiss Post is very low - and the result would be a complete disaster.
Christian Folini, 2006
Practical Defense
A Problem of Strict Differentiation:
It is about telling good traffic from bad traffic when the bad traffic mimics good traffic and you are blind to start with.
What You Can Do (1 of 3)
Know your architecture
Know your protocols
Know your application
Know your customers
Know your allies and their phone number
Know your tools
Know your defense plan
Know your enemies
What You Can Do (2 of 3)
Think about using an "event based" webserver (but they have other limits...)
Think about routing the traffic through an external specialist
Understand HTTP Keepalive and decide if you really need it
Lower your timeouts (3s sounds like a decent value in my eyes)
Use mod_reqtimeout
Look into mod_qos (by Pascal Buchbinder, Winterthur)
Use GeoIP
Use netstat
Use tcpdump
Use IP Blacklisting
Look into ModSecurity – there are a few useful directives
Look into mod_backdoor
Think about separating File Uploads from the rest of the application
Forget mod_evasive
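The keepalive, timeout and mod_reqtimeout items above, as an added example that is not part of the slides: an Apache httpd configuration fragment that shrinks the window a request-delaying client gets. The numeric values are illustrative starting points, not settings from the talk (the talk only suggests "3s" as a decent timeout), and the mod_qos lines assume that module is installed.

```apache
# Added example, not from the talk. Illustrative values: tune to your own
# application and measure the effect on slow but legitimate clients first.

# Seconds httpd waits for the next packet of a request (default 300 in 2.2, 60 in 2.4).
Timeout 10

# Decide whether you need keepalive at all; if you keep it, make the idle window short.
KeepAlive On
KeepAliveTimeout 3
MaxKeepAliveRequests 100

# mod_reqtimeout (Apache 2.2.15 and later): per-phase limits.
# header: the complete request header must arrive within 5s; the limit is extended
#         up to 10s as long as the client keeps sending at least 500 bytes/s.
# body:   the same scheme for the request body, which covers slow-POST style tools.
<IfModule reqtimeout_module>
    RequestReadTimeout header=5-10,MinRate=500 body=10,MinRate=500
</IfModule>

# mod_qos (assumed installed): cap connections per source IP and enforce a
# minimum data rate once the server is busy. Values are illustrative.
<IfModule qos_module>
    # At most 30 concurrent TCP connections from one client IP.
    QS_SrvMaxConnPerIP 30
    # Require at least 120 bytes/s (rising to 1500 under load) per connection.
    QS_SrvMinDataRate 120 1500
</IfModule>
```

Note that a Timeout of a few seconds on its own does not stop Slowloris: the tool sends a partial header line every few seconds, so the per-packet timer restarts. The RequestReadTimeout header limit is what bounds the total time a client may take to finish the header.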
What You Can Do (3 of 3)
Slowloris type DDoS tools don't ever finish a request -> comparing netstat output and the access log should be able to tell you more
Other DDoS tools do full requests, but they do not fetch follow-up css, javascript and image files -> the access log has the details
There is a typical median lifetime of a connection to your application -> observing netstat output should give you an idea
And now the really advanced stuff:
Run an agent that supervises the connections and observes the access log and the login log (if that exists in your application):
Look for clients accessing the wrong URLs
Look for clients using the wrong method on the wrong URLs (e.g. doing a POST on a page where POST is not expected)
Look for clients having an atypical order of requests
Look for clients with atypical request structure
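The netstat-versus-access-log comparison and the supervising agent described above, as an added example that is not code from the talk: a script that reads a netstat snapshot and a combined-format access log for the same window and flags clients that hold connections open without ever completing a request, clients that fetch pages but none of the css/js/images a browser would load, and clients that hit unknown URLs, use an unexpected method, or POST a form they never fetched. The netstat lines, the log lines and the URL model (PAGE_METHODS, ASSET_RE) are constructed for the example; in practice you replace the model with your own application's URLs and feed it live netstat output and a tail of the access log.

```python
"""Added example, not from the talk: cross-check a netstat snapshot against
the access log to spot request-delaying and request-flooding clients.
All input data below is constructed; the URL model is an assumption."""
import re
from collections import Counter, defaultdict

# --- application model (assumed for this example) --------------------------
# Which methods each known URL accepts; anything else is "the wrong URL".
PAGE_METHODS = {"/": {"GET"}, "/login": {"GET", "POST"}, "/account": {"GET"}}
# Follow-up resources a real browser requests after a page.
ASSET_RE = re.compile(r"\.(css|js|png|jpg|gif|ico)(\?|$)")

# Constructed `netstat -tn` style output; only ESTABLISHED lines matter here.
NETSTAT_SNAPSHOT = """\
tcp        0      0 10.0.0.5:80   198.51.100.10:40001  ESTABLISHED
tcp        0      0 10.0.0.5:80   198.51.100.10:40002  ESTABLISHED
tcp        0      0 10.0.0.5:80   198.51.100.10:40003  ESTABLISHED
tcp        0      0 10.0.0.5:80   203.0.113.7:51234    ESTABLISHED
tcp        0      0 10.0.0.5:80   192.0.2.44:33000     ESTABLISHED
tcp        0      0 10.0.0.5:80   192.0.2.44:33001     TIME_WAIT
"""

# Constructed Apache combined-format access log for the same window.
ACCESS_LOG = """\
203.0.113.7 - - [10/Dec/2010:22:12:01 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2010:22:12:01 +0100] "GET /static/site.css HTTP/1.1" 200 812 "http://example.ch/" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2010:22:12:02 +0100] "GET /login HTTP/1.1" 200 2048 "http://example.ch/" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2010:22:12:09 +0100] "POST /login HTTP/1.1" 302 0 "http://example.ch/login" "Mozilla/5.0"
192.0.2.44 - - [10/Dec/2010:22:12:03 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Dec/2010:22:12:03 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Dec/2010:22:12:03 +0100] "POST / HTTP/1.1" 405 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Dec/2010:22:12:04 +0100] "POST /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Dec/2010:22:12:04 +0100] "GET /wp-login.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# client IP, method, path and status from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def established_per_ip(netstat_text):
    """Count ESTABLISHED connections to the web server per client IP."""
    counts = Counter()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[5] == "ESTABLISHED":
            counts[parts[4].rsplit(":", 1)[0]] += 1   # strip the client port
    return counts


def parse_log(log_text):
    """Yield (ip, method, path, status) per access-log line, in log order."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def analyse(netstat_text, log_text):
    """Return {ip: [finding, ...]} for every client that looks suspicious."""
    findings = defaultdict(list)
    conns = established_per_ip(netstat_text)
    requests = defaultdict(list)
    for ip, method, path, status in parse_log(log_text):
        requests[ip].append((method, path, status))

    # 1. Slowloris-style: connections open, but nothing ever completed in the log.
    for ip, n in conns.items():
        if ip not in requests:
            findings[ip].append(f"{n} open connection(s), no completed request")

    for ip, reqs in requests.items():
        pages = [p for _, p, _ in reqs if not ASSET_RE.search(p)]
        assets = [p for _, p, _ in reqs if ASSET_RE.search(p)]
        # 2. Full-request flooders: pages, but never the css/js/images a browser loads.
        if pages and not assets:
            findings[ip].append("fetches pages but no css/js/images")
        seen_get = set()
        for method, path, status in reqs:
            if path in PAGE_METHODS:
                # 3. Wrong method on a known URL.
                if method not in PAGE_METHODS[path]:
                    findings[ip].append(f"{method} on {path} not expected")
                # 4. Atypical order: posting a form that was never fetched first.
                if method == "POST" and path not in seen_get:
                    findings[ip].append(f"POST {path} without prior GET")
                if method == "GET":
                    seen_get.add(path)
            elif not ASSET_RE.search(path):
                # 5. Wrong URL: not a page and not an asset the application serves.
                findings[ip].append(f"unknown URL {path} ({status})")
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in sorted(analyse(NETSTAT_SNAPSHOT, ACCESS_LOG).items()):
        print(ip, "->", "; ".join(reasons))
```

On the constructed data 198.51.100.10 holds three connections and never appears in the log (the Slowloris pattern), 192.0.2.44 completes requests but loads no assets, POSTs to the front page and to a login form it never fetched, and probes an unknown URL, while 203.0.113.7 behaves like a browser and is not reported. A real agent would take the netstat snapshot and the log tail repeatedly and only act on clients that stay suspicious across several samples, since one slow mobile client can look like the first pattern for a moment.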
What You Can Do (4 of 3: Bonus Exercises)
Browserrecon Project -> Marc Ruef, computec.ch
HTTP Client Fingerprinting Using SSL Handshake Analysis -> Ivan Ristić, SSL Labs