Security Bootcamp 2013 - Mitigate DDoS attack with effective cost - Nguyễn Chấn Việt
Transcript of Security Bootcamp 2013 - Mitigate DDoS attack with effective cost - Nguyễn Chấn Việt
Mitigate DDoS attack with effective cost
Nguyễn Chấn Việt
Organizer:
Sponsor:
The Growth of DDoS Attacks
• Malware
• Exploit
10/29/2013 11:16 AM www.securitybootcamp.vn
Classification
• Volume Based Attacks – The attacker tries to saturate the bandwidth of the target's website by flooding it with a huge quantity of data. This category includes ICMP floods, UDP floods and other spoofed-packet floods. The magnitude of Volume Based Attacks is measured in bits per second (bps).
• Protocol Attacks – The attacker's goal is to saturate the target's server resources or those of intermediate communication equipment (e.g., load balancers) by exploiting network protocol flaws. This category includes SYN floods, Ping of Death, fragmented packet attacks, Smurf DDoS and more. The magnitude of Protocol Attacks is measured in packets per second.
• Application Layer (Layer 7) Attacks – Designed to exhaust the resource limits of web services, application layer attacks target specific web applications, flooding them with a huge quantity of HTTP requests that saturate a target's resources. Examples of application layer DDoS attacks include Slowloris, as well as DDoS attacks that target Apache, Windows, or OpenBSD vulnerabilities. The magnitude of application layer attacks is measured in requests per second.
What do we care about?
• Exhausting resources like:
– CPU
– Memory/Buffers
– I/O operations
– Disk space
– Network bandwidth
Where to start?
• Go through all devices on the network, from L2 switches to backend servers, and identify possible leaks, bottlenecks, attack vectors, applicable DoS attacks, vulnerabilities ... and mitigate or (rate) limit them
Infrastructure
• Hosting and VMs are not a good idea
[1]
Architecture
• Rule: Defence in depth (multi-layer)
OS Tuning
• *nix is a good choice
• Rule: If not used, turn it off
/etc/sysctl.conf tuning

```
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 2
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.tcp_rmem = 4096 87380 1048576
net.ipv4.tcp_wmem = 4096 16384 1048576
net.ipv4.tcp_max_orphans = 2048
```
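As an added example (my code, not from the slides), a small Python audit that parses the tuning above in sysctl.conf syntax and compares it with what the running kernel reports under /proc/sys, so you can confirm the values actually took effect after a reboot or an image rebuild; it assumes a Linux host with /proc/sys mounted.

```python
from pathlib import Path
# The values from the slide, in /etc/sysctl.conf syntax (copied here so the audit is self-contained).
RECOMMENDED = """
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 2
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.tcp_rmem = 4096 87380 1048576
net.ipv4.tcp_wmem = 4096 16384 1048576
net.ipv4.tcp_max_orphans = 2048
"""

def parse_sysctl(text):
    """Parse 'key = value' lines; values become tuples of ints so tcp_mem compares field by field."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments; blank lines have no '='
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = tuple(int(v) for v in value.split())
    return settings

def snapshot(keys):
    """Read each key's running value from /proc/sys (a dot in the key is a path separator);
    keys the kernel does not expose (e.g. nf_conntrack not loaded) are left out."""
    live = {}
    for key in keys:
        path = Path("/proc/sys") / key.replace(".", "/")
        try:
            live[key] = tuple(int(v) for v in path.read_text().split())
        except (OSError, ValueError):
            pass
    return live

def audit(expected, live):
    """Return {key: (wanted, actual)} for every key whose live value differs;
    actual is None when the key is missing from the live snapshot."""
    return {key: (want, live.get(key))
            for key, want in expected.items() if live.get(key) != want}

if __name__ == "__main__":
    wanted = parse_sysctl(RECOMMENDED)
    for key, (want, got) in sorted(audit(wanted, snapshot(wanted)).items()):
        have = " ".join(map(str, got)) if got else "not present"
        print(f"{key}: want {' '.join(map(str, want))}, have {have}")
```

An empty report means every value on the slide is live; a "not present" entry for the nf_conntrack key usually means the conntrack module is not loaded yet, so set that one after iptables has loaded it.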
Layer 3-4
• Stateful firewall
– iptables
– Tuning connection tracking
• Rule: Deny all, allow selectively
Layer 7
• WAF: to filter what the firewall missed at the IP layer
– mod_security
• Why not Snort?
Layer 7
• Choosing a webserver
– Nginx is the best
• Tuning the webserver
– Improve Apache with mod_reqtimeout
• Caching is very important
– Static cache
– memcached
Patching
• Keep your system up to date
• Examples:
– Slowloris: based on missing CRLF
– Slow Read attack: based on TCP persist timer exploit
– Apache Range Header attack
Proactive with NSM
• Logs are very important
• My suggestion: Syslog-ng + Splunk
Proactive with NSM
• Alternative:
Logstash is a free tool for managing events and logs. It has three primary components, an Input module for collecting logs from various sources
ElasticSearch is this awesome distributable, RESTful, free Lucene powered search engine/server. Unlike SOLR, ES is very simple to use and maintain and similar to SOLR, indexing is near realtime.
Kibana is a presentation layer that sits on top of Elasticsearch to analyze and make sense of logs that logstash throws into Elasticsearch; Kibana is a highly scalable interface for Logstash and ElasticSearch that allows you to efficiently search, graph, analyze and otherwise make sense of a mountain of logs.
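An added example, not from the slides: the kind of Layer 7 flood detection one would run over the webserver logs shipped to Splunk or Elasticsearch, written here as stand-alone Python over constructed Apache combined-format lines. It flags source IPs whose request count inside a sliding time window exceeds a threshold and lists the request lines they repeat, which is what a mod_security or cache rule would key on; the sample IPs, timestamps and thresholds are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" access log; timestamp looks like 29/Oct/2013:11:16:01 +0700
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')

def parse_line(line):
    """Return (ip, timestamp, request line), or None for a line that does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"), m.group("req")

def find_flooders(lines, window_s=10, max_requests=20):
    """Sliding-window rate check: {ip: peak requests inside any window_s-second
    window} for every IP that exceeded max_requests in such a window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # malformed line: skip it, do not crash mid-incident
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def top_requests(lines, ips, n=3):
    """Per flagged IP, the n most repeated request lines: a flood usually hammers
    one URL, which is what a mod_security or cache rule should key on."""
    hits = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[0] in ips:
            hits[parsed[0]][parsed[2]] += 1
    return {ip: hits[ip].most_common(n) for ip in ips}

# Constructed sample: 10.0.0.5 sends one request per second for 30 s (normal);
# 203.0.113.9 sends ten per second for 6 s against the same page (flood-like).
FMT = '%s - - [29/Oct/2013:11:16:%02d +0700] "GET /index.php HTTP/1.1" 200 512'
SAMPLE_LOG = [FMT % ("10.0.0.5", s) for s in range(30)] + \
             [FMT % ("203.0.113.9", s // 10) for s in range(60)]

if __name__ == "__main__":
    flooders = find_flooders(SAMPLE_LOG)          # -> {'203.0.113.9': 60}
    print(flooders, top_requests(SAMPLE_LOG, flooders))
```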
[2] Case Study
Our suggestion
• Diagram
Our suggestion
• Router with high throughput
• Reverse proxy servers:
– 32Gb RAM, 10Gb NIC, Quad Core i7, SSD disk (for better internal I/O)
– Linux OS, running iptables + Apache (worker MPM) + mod_security
Our suggestion
• Cache servers:
– Using SSD disks
– Application cache (e.g. xcache/APC for PHP, …)
– Generic cache: Apache Traffic Server
Cloud-based Solutions
• For large DDoS attacks (e.g. Spamhaus was hit by 300Gb/s of DDoS traffic), we need a third party:
– Incapsula
– CloudFlare
Simple but effective
• If you can determine the C&C servers, just null route them
Testing
• Test your network and devices by simulating real DoS attacks (LOIC/HOIC, hping, slowhttptest, thc-ssl-dos, pktgen, ...)
Conclusion
• This approach is not a "silver bullet" for preventing DDoS attacks
• There isn't "a technique" for mitigating DDoS
– DDoS Mitigation = Hardened System + Money
Thank you !