A Cyberwarfare Weapon: SlowReq
Maurizio Aiello
Consiglio Nazionale delle Ricerche, Istituto di Elettronica e di Ingegneria dell’Informazione e delle Telecomunicazioni, via De Marini 6, 16149 Genova, Italy
Cpexpo meeting, Genoa, Italy, 30 October 2013
Cyberwarfare
“Politically motivated hacking to conduct military operations, such as sabotage or espionage, against an information system owned by the adversary”
Governments vs. Governments
¤ Titan Rain
¤ Moonlight Maze
Groups vs. Governments
¤ Hacktivist group operations
  ¤ Anonymous
  ¤ LulzSec
Attack Technologies
DENIAL OF SERVICE (DoS)
“An attempt to make a machine or network resource unavailable to its intended users”
DISTRIBUTED DENIAL OF SERVICE (DDoS)
Amplification of the attack resources through the enrollment of (willing or not) botnet agents
INTRUSIONS & MALWARE
¤ SQL injection
¤ Buffer overflow
¤ Trojan horses
¤ Backdoors
Denial of Service Attacks
¤ Attacks to the system
  ¤ ZIP bomb
  ¤ Fork bomb
¤ Attacks to the network
  ¤ Multipliers: DNS, Smurf attack, etc.
  ¤ Volumetric: flooding DoS attacks
¤ Application layer: Slow DoS attacks
“Old Style” Flooding DoS Attacks
¤ Flooding based attacks: level-4 denial of service
¤ Large bandwidth usage
¤ SYN flood, UDP flood, ICMP flood, …
The ISO/OSI Model
[Figure: the seven ISO/OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical); flooding DoS attacks are placed against the lower layers, slow DoS attacks against the application layer]
Hacktivist Groups: Anonymous and LulzSec
[Figure: timeline of hacktivist operations, 2008 to 2012: Project Chanology, Iranian election protests, Operation Payback (Visa, Mastercard, Paypal), Operation Sony, Interpol, Vatican]
Slow DoS Attack (SDA)
“An attack which exhausts the resources of a victim using low bandwidth”
SDAs’ Strategy
¤ They drive the victim into a saturation state
¤ Low bandwidth rate:
  ¤ Attack resources are minimized
  ¤ It’s easier to bypass security systems
¤ ON-OFF nature
¤ Almost all the packets contribute to the success of the attack
Slow DoS Attacks, An Example: Slowloris
¤ A script written in the Perl programming language
¤ Used during the protests against the Iranian presidential elections in 2009
¤ It sends a large number of never-completed requests: the header block is never terminated, and lines with the pattern below are appended over time:
    X-a: b\r\n
    X-a: b\r\n
    X-a: b\r\n
Example request:
    GET / HTTP/1.1\r\n
    Host: www.example.com\r\n
    User-Agent: Mozilla/4.0 [...]\r\n
    Content-Length: 42\r\n
    X-a: b\r\n
Source: http://ha.ckers.org/slowloris/
Making Order Into the Slow DoS Field
[Figure: a map of slow DoS attacks (Slowloris, R-U-Dead-Yet, Apache Range Header, #HashDoS, ReDoS, Quiet attack, Shrew, Induced Shrew, THC-SSL-DoS, LoRDAS, other unknown attacks) placed by the resource they exhaust (CPU/memory/disk vs. network), by the element involved (server timeout, client, request, response), and by the labels used in the figure: Delayed Responses, Slow Requests, Pending Requests, Resources Occupation, Planning, Server Behavior Alteration]
SlowReq Attack
¤ It opens a large number of endless connections with the victim
¤ It slowly sends data to the victim, paced by a specific timeout, preventing a server-side connection closure
Data sent to keep each connection alive:
    SLOWLORIS: X-a: b\r\n
    SLOWREQ:   [space]
Example request:
    GET / HTTP/1.1\r\n
    Host: www.example.com\r\n
    User-Agent: Mozilla/4.0 [...]\r\n
    Content-Length: 42\r\n
    [space]
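As an added example, covering the Slowloris slide and the SlowReq slide above (it is not code from the talk or from either tool), here is the server-side view of both patterns: constructed per-connection byte-arrival timelines are replayed against two read-timeout policies. The baseline policy is an idle timer that any received byte resets, which is exactly what a trickle of "X-a: b\r\n" lines or single spaces exploits; the second policy grants a fixed deadline for the whole header block and extends it only at a minimum data rate, the semantics of Apache's mod_reqtimeout RequestReadTimeout directive (header=20-40,MinRate=500). The class names, thresholds, sample timelines and the 15-second trickle interval are assumptions.

```python
"""Replay of constructed slow-HTTP connections against two server timeout policies.

Added example; not code from the talk, Slowloris or SlowReq. The HeaderReadPolicy
mirrors the semantics of Apache mod_reqtimeout's RequestReadTimeout directive;
the names, thresholds and sample timelines below are assumptions.
"""
from dataclasses import dataclass

HEADER_END = b"\r\n\r\n"  # a request header block is complete only when this arrives

# Constructed partial request: headers without the terminating blank line,
# which is what both attacks send first.
PARTIAL_REQUEST = (b"GET / HTTP/1.1\r\n"
                   b"Host: www.example.com\r\n"
                   b"User-Agent: Mozilla/4.0\r\n"
                   b"Content-Length: 42\r\n")


@dataclass
class IdleOnlyPolicy:
    """Baseline: every received byte resets a generous idle timer."""
    idle_timeout: float = 300.0


@dataclass
class HeaderReadPolicy:
    """Deadline for the whole header block, extendable only at a minimum rate."""
    initial_timeout: float = 20.0  # seconds granted up front
    max_timeout: float = 40.0      # absolute cap on the deadline
    min_rate: float = 500.0        # bytes/s the client must sustain to earn time


def replay(policy, opened_at, chunks):
    """Feed (timestamp, bytes) chunks of one connection to a policy.

    Returns ("complete", t) when the header block finishes at time t, or
    ("closed", t) when the server would drop the connection at time t.
    """
    buf = bytearray()
    if isinstance(policy, IdleOnlyPolicy):
        deadline = opened_at + policy.idle_timeout
    else:
        deadline = opened_at + policy.initial_timeout
    for ts, data in chunks:
        if ts > deadline:
            return ("closed", deadline)  # dropped before this chunk arrived
        buf += data
        if HEADER_END in buf:
            return ("complete", ts)
        if isinstance(policy, IdleOnlyPolicy):
            deadline = ts + policy.idle_timeout  # any byte keeps it alive
        else:
            earned = len(data) / policy.min_rate  # e.g. 8 bytes -> 0.016 s
            deadline = min(opened_at + policy.max_timeout, deadline + earned)
    return ("closed", deadline)  # client went quiet; server closes at deadline


def trickle(opened_at, filler, interval, count):
    """Constructed attacker timeline: partial request, then `filler` every `interval` s."""
    chunks = [(opened_at, PARTIAL_REQUEST)]
    chunks += [(opened_at + i * interval, filler) for i in range(1, count + 1)]
    return chunks


# Constructed sample connections (all opened at t=0).
SAMPLE = {
    # a normal client finishes its headers within 50 ms, in two segments
    "legit": [(0.0, PARTIAL_REQUEST[:40]), (0.05, PARTIAL_REQUEST[40:] + b"\r\n")],
    # Slowloris-style: one header-like line every 15 s
    "slowloris": trickle(0.0, b"X-a: b\r\n", 15.0, 20),
    # SlowReq-style: a single space every 15 s
    "slowreq": trickle(0.0, b" ", 15.0, 20),
}


def summarize(policy, conns):
    """Outcome of every connection in `conns` under `policy`."""
    return {name: replay(policy, 0.0, chunks) for name, chunks in conns.items()}


if __name__ == "__main__":
    for pol in (IdleOnlyPolicy(), HeaderReadPolicy()):
        print(type(pol).__name__)
        for name, (state, t) in summarize(pol, SAMPLE).items():
            print(f"  {name:10s} {state:9s} at t={t:.2f}s")
```

Under the idle-only policy the two trickling connections survive the whole 300-second window and would still be held open, which is the resource occupation the slides describe; under the header-read policy both are closed shortly after the 20-second grant, because 8 bytes or 1 byte every 15 seconds earns only a few milliseconds of extension, while the legitimate client is unaffected. The same reasoning applies to the request body (mod_reqtimeout's body= setting) and is why a low-bandwidth attack needs a rate-aware timeout rather than a larger idle timeout.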