DDOS Attacks and Mitigation Methods. Özkan Erdoğan (ozkan.erdogan@btpsec.com), Ms.C, CISA, CEH, ISO 27001 LA, BTPSec Corp. Office: +90 216 4647475, +44 203 6084760. Address: Turaboğlu Sk. Hamdiye Yazgan İş Merkezi, Kozyatağı Kadıköy İSTANBUL

Ddos and mitigation methods.pptx (1)

Apr 16, 2017



btpsec
Transcript
Page 1: Ddos and mitigation methods.pptx (1)

DDOS Attacks and Mitigation Methods

Özkan Erdoğan, ozkan.erdogan@btpsec.com

Ms.C, CISA, CEH, ISO 27001 LA

BTPSec Corp

Office: +90 216 4647475, +44 203 6084760

Address: Turaboğlu Sk. Hamdiye Yazgan İş Merkezi, Kozyatağı Kadıköy İSTANBUL

Page 2: Ddos and mitigation methods.pptx (1)

What is DOS & DDOS?

• D = Distributed
• DOS: focused on vulnerabilities, using a single source
• DDOS: overflow focused, using multiple sources
• The target of the attacks is to eliminate the availability of the resource

Page 3: Ddos and mitigation methods.pptx (1)

What is DDOS

Page 4: Ddos and mitigation methods.pptx (1)

Is it possible to mitigate DDOS attacks?

Our experience shows that it is quite possible to mitigate DDOS attacks. However, there are caveats:

• Most DDOS attacks come in large volumes that saturate your bandwidth: attack volume > target network bandwidth (Mbps). These attacks can be handled by obtaining service from global anti-DDOS providers, e.g. Cloudflare, Incapsula, Akamai etc.

• Other kinds of attacks are usually ineffective if we configure our network with the correct measures.

Page 5: Ddos and mitigation methods.pptx (1)

Botnets: Lethic, Cutwail, Grum (spam), Flashback (Mac), Zeus (bank), Spyeye (bank) etc.

Page 6: Ddos and mitigation methods.pptx (1)

Botnet Builder ($10)

Page 7: Ddos and mitigation methods.pptx (1)

Ddos Survey Results

61% loss of access to information

38% business stop

33% loss of job opportunities

29% reputation loss

26% insurance premium increases

65% Received security consultancy

49% More investments on IT

46% Started legal processes

43% Informed customers

36% Applied legal ways

26% Informed the media

● Spamhaus
● Chinese domain authority (.cn)
● Pohjola - Finland bank
● Nasdaq
● Bitcoin
● Bank of America

Page 8: Ddos and mitigation methods.pptx (1)

Ddos Costs

Page 9: Ddos and mitigation methods.pptx (1)

BOTNETs

• Controlled by botnet herders
• Commanded via: mIRC, HTTP(S), Tor (popular now)
• Injection methods: WordPress, Joomla etc.; old Windows systems are the easiest targets
• Attackers prefer to recruit data center systems as botnet members

Page 10: Ddos and mitigation methods.pptx (1)
Page 11: Ddos and mitigation methods.pptx (1)

DDOS events

1. Spamhaus (DNS amplification): 300 Gbps
   a. 11 Feb 2015: new NTP attack: 400 Gbps
2. Brobot (American financial companies)
3. Chinese attacks
4. Russia: DDOS gangs
5. SYN reflection attacks are on the rise

Page 12: Ddos and mitigation methods.pptx (1)

DDOS Detection Methods

• Honeypot
• Flow
• DPI

Page 13: Ddos and mitigation methods.pptx (1)

DDOS Mitigation Methods (General)

• ACL
• BGP routing (cloud service)
• Blackhole
• Mitigation devices (inline, offline)

Page 14: Ddos and mitigation methods.pptx (1)

Basic DDOS Attacks

• Signature-based attacks (Teardrop, Land, Smurf, Nuke, Fraggle etc.)
• Volumetric attacks (legal and illegal attacks)
• Reflection (DNS, SYN)
• Application-based attacks, e.g. slow attacks
• Connection attacks

Page 15: Ddos and mitigation methods.pptx (1)

Protocols used in DDOS

• TCP/IP: TCP, UDP, ICMP, other (GRE, ESP etc.)
• IPv4, IPv6
• Application layer: HTTP, DNS, VoIP etc.

Page 16: Ddos and mitigation methods.pptx (1)

IP Spoofing (&How to detect it)

• uRPF (Unicast Reverse Path Forwarding): the packet's source IP is looked up in the router's FIB, and the packet is dropped if the route back to that source does not point out the interface the packet arrived on.
• Authentication
• First packet drop: drop the first packet and let the following (retransmitted) packets through.
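The uRPF check above, as an added example that is not part of the deck: a longest-prefix lookup of the source address against a constructed FIB, with the packet dropped in strict mode when the best route does not leave via the ingress interface. It goes one step beyond the slide by also showing loose mode, where any route to the source suffices (the usual choice on multi-homed links where strict mode would drop legitimate asymmetric traffic). The prefixes, interface names and sample packets are all constructed for the illustration.

```python
import ipaddress

# Constructed FIB (prefix -> outgoing interface). A real router holds the
# full routing table; these entries only exist to illustrate the check.
FIB = {
    "10.0.0.0/8": "eth1",       # customer aggregate behind eth1
    "10.1.0.0/16": "eth2",      # more specific: this part of 10/8 sits behind eth2
    "192.0.2.0/24": "eth3",     # a peer network behind eth3
    "203.0.113.0/24": "eth0",   # stands in for "the rest of the Internet" via eth0
}

def lookup_route(src_ip, fib=FIB):
    """Longest-prefix match on the source address; None if no route exists."""
    addr = ipaddress.ip_address(src_ip)
    best_net, best_iface = None, None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface

def urpf_check(src_ip, ingress_iface, mode="strict", fib=FIB):
    """Return True if the packet passes uRPF.

    strict: the best route back to the source must leave via the ingress
            interface (the rule described on the slide).
    loose:  any route to the source suffices; catches unrouted/bogon sources
            only, but survives asymmetric routing on multi-homed links.
    """
    route_iface = lookup_route(src_ip, fib)
    if route_iface is None:
        return False                      # nobody routes this source: drop
    if mode == "loose":
        return True
    return route_iface == ingress_iface

def filter_batch(packets, mode="strict", fib=FIB):
    """Apply uRPF to (src_ip, ingress_iface) pairs; return (passed, dropped)."""
    passed, dropped = [], []
    for src_ip, iface in packets:
        (passed if urpf_check(src_ip, iface, mode, fib) else dropped).append((src_ip, iface))
    return passed, dropped

# Constructed sample: legitimate packets plus spoofed ones arriving on the
# wrong interface or from an address nobody routes.
SAMPLE = [
    ("10.1.5.5", "eth2"),        # genuine: 10.1/16 lives behind eth2
    ("10.2.0.9", "eth1"),        # genuine: covered by 10/8 behind eth1
    ("10.1.5.5", "eth1"),        # spoofed: claims 10.1/16 but arrived on eth1
    ("192.0.2.77", "eth0"),      # spoofed: peer address arriving from upstream
    ("198.51.100.1", "eth0"),    # no route at all: dropped in both modes
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        ok, bad = filter_batch(SAMPLE, mode)
        print(f"{mode}: passed={len(ok)} dropped={len(bad)} -> {bad}")
```

Strict mode catches the two packets that arrive on the wrong interface; loose mode lets them through and only stops the source that has no route at all, which is the trade-off to weigh when the link carries asymmetric traffic.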

Page 17: Ddos and mitigation methods.pptx (1)

Attack Tools

• Hping, nping, mz, isic
• Slowloris, httpflooder, Torshammer, jmeter, ab, httpDOS, R-U-D-Y, pyloris etc.
• Scripts (socket programming: Python, Perl etc.)

Page 18: Ddos and mitigation methods.pptx (1)

Volumetric Attacks

• Bandwidth-filling attacks
• Network attacks (SYN, SYN-ACK, ACK, UDP flood etc.)
• Application attacks (HTTP, HTTPS, DNS, VoIP etc.)
• Botnet, HOIC, LOIC

Page 19: Ddos and mitigation methods.pptx (1)

Application Layer DDOS

• Slow attack (Apache): Slowloris, PyLoris etc.
• Slow Read: TCP window size
• RUDY: HTTP POST
• XML DoS
• SIP INVITE: multiple UDP calls to overwhelm the server

Page 20: Ddos and mitigation methods.pptx (1)

How to mitigate DDOS attacks?

• WL/BL (all protocols)
• ACL (all protocols)
• Fingerprint (UDP, DNS)
• Authentication (TCP, HTTP, DNS)
• Session management (DNS, TCP)
• Statistical methods
• Rate limit

Page 21: Ddos and mitigation methods.pptx (1)

Syn Flood and Prevention

[Diagram: the Attacker sends a stream of Syn packets to the Server; the Server answers each with a Syn-Ack]

• The most popular DDOS attack is the SYN flood.
• Protection method: authentication and WL (whitelisting) (SYN cookie vs. SYN proxy)
• SYN reflection factor
• SYN flood from real IP addresses: TCP ratio mechanism
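The SYN cookie approach the slide names under "authentication", as an added example that is not from the deck: the server answers every SYN with a sequence number it can later verify (a time counter, an MSS index and a keyed MAC over the 4-tuple) and allocates no half-open state at all, so a flood of spoofed SYNs costs it nothing; state is created only when a client returns a valid ACK, which a spoofed source never does. The secret, MSS table, bit layout and addresses are constructed for the illustration and are simpler than a real kernel implementation.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"        # a real stack rotates this periodically
MSS_TABLE = [536, 1220, 1440, 1460]         # the MSS is compressed into 2 bits

def _mac24(saddr, daddr, sport, dport, counter, mss_idx):
    """24-bit keyed MAC over the 4-tuple, the time counter and the MSS index."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{counter}|{mss_idx}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(saddr, daddr, sport, dport, mss, now):
    """Build the SYN-ACK sequence number: 6-bit counter | 2-bit MSS | 24-bit MAC."""
    counter = (int(now) // 64) & 0x3F          # advances roughly every minute
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):          # largest table entry <= offered MSS
        if m <= mss:
            mss_idx = i
    return (counter << 26) | (mss_idx << 24) | _mac24(saddr, daddr, sport, dport, counter, mss_idx)

def check_cookie(saddr, daddr, sport, dport, ack, now, max_age=1):
    """Validate the final ACK. Returns the negotiated MSS, or None if invalid/stale."""
    cookie = (ack - 1) & 0xFFFFFFFF            # the client ACKs our ISN + 1
    counter, mss_idx, mac = cookie >> 26, (cookie >> 24) & 0x3, cookie & 0xFFFFFF
    current = (int(now) // 64) & 0x3F
    if (current - counter) % 64 > max_age:     # cookie from too long ago: reject
        return None
    expected = _mac24(saddr, daddr, sport, dport, counter, mss_idx)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]

class SynCookieServer:
    """Stateless handshake: nothing is stored until a valid ACK proves the client is real."""

    def __init__(self, ip="203.0.113.10", port=80):   # constructed server address
        self.ip, self.port = ip, port
        self.sessions = {}                      # (client_ip, client_port) -> mss

    def on_syn(self, src, sport, mss, now):
        # No half-open entry is allocated; the cookie is the only thing sent back.
        return make_cookie(src, self.ip, sport, self.port, mss, now)

    def on_ack(self, src, sport, ack, now):
        mss = check_cookie(src, self.ip, sport, self.port, ack, now)
        if mss is None:
            return False
        self.sessions[(src, sport)] = mss       # state is created only now
        return True

if __name__ == "__main__":
    srv = SynCookieServer()
    # Constructed spoofed flood: thousands of SYNs, none of them ever ACKed.
    for i in range(10000):
        srv.on_syn(f"198.51.100.{i % 250}", 1024 + i, 1460, now=1000)
    print("sessions after spoofed flood:", len(srv.sessions))
    # A genuine client completes the handshake and gets a session.
    isn = srv.on_syn("192.0.2.5", 40000, 1460, now=1000)
    print("real client accepted:", srv.on_ack("192.0.2.5", 40000, (isn + 1) & 0xFFFFFFFF, now=1001))
```

The trade-off against a SYN proxy is visible in the code: the cookie can only carry a few bits of the client's options (here just the MSS), which is why cookies are usually enabled only once the half-open queue fills rather than all the time.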

Page 22: Ddos and mitigation methods.pptx (1)

Syn-Ack Flood and Mitigation

[Diagram: the Attacker sends a stream of Syn-Ack packets to the Server]

• Protection: check the session table to see whether the Syn-Acks belong to a real session.

Page 23: Ddos and mitigation methods.pptx (1)

Ack Flood ve Mitigation

[Diagram: the Attacker sends a stream of Ack packets to the Server]

• Protection: check the session table to see whether the Acks belong to a real session.

Page 24: Ddos and mitigation methods.pptx (1)

FIN/RST Flood and Mitigation

[Diagram: the Attacker sends a stream of Fin/Rst packets to the Server]

• Protection: check the session table to see whether the packets belong to a real session.
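The session-table check that slides 22 to 24 prescribe for SYN-ACK, ACK and FIN/RST floods, as one added example that is not from the deck: an inline filter keeps one entry per flow, admits a SYN-ACK only after a SYN, an ACK only after a SYN-ACK, and a FIN or RST only for a flow it knows, and counts drops per source so the worst offenders can be handed to an ACL or blackhole. It also counts new connections per source per second, the rate that slide 27 says to watch. The packet layout, addresses and the assumption that SYNs were already vetted by SYN cookies or authentication are constructed for the illustration.

```python
from collections import defaultdict

SERVER = ("203.0.113.10", 80)          # constructed protected server

class TcpSessionFilter:
    """Inline filter that admits only TCP packets belonging to a known session."""

    def __init__(self):
        self.sessions = {}                 # canonical flow key -> state
        self.drops = defaultdict(int)      # src ip -> dropped packets
        self.new_conns = defaultdict(int)  # (src ip, second) -> SYNs seen

    @staticmethod
    def _key(pkt):
        # Both directions map to the same entry, like a real session table.
        return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))

    def _drop(self, pkt):
        self.drops[pkt["src"]] += 1
        return "drop"

    def process(self, pkt):
        key, flags = self._key(pkt), pkt["flags"]
        state = self.sessions.get(key)
        if flags == "S":
            # Assumed: SYNs already passed SYN-cookie/authentication (previous slide).
            self.new_conns[(pkt["src"], int(pkt["ts"]))] += 1
            self.sessions[key] = "SYN"
            return "pass"
        if flags == "SA":                  # only valid in reply to a seen SYN
            if state != "SYN":
                return self._drop(pkt)
            self.sessions[key] = "SYNACK"
            return "pass"
        if flags in ("A", "PA"):           # needs a handshake in progress or done
            if state not in ("SYNACK", "EST"):
                return self._drop(pkt)
            self.sessions[key] = "EST"
            return "pass"
        if flags in ("F", "FA", "R", "RA"):  # teardown only for sessions we know
            if state is None:
                return self._drop(pkt)
            self.sessions.pop(key, None)
            return "pass"
        return self._drop(pkt)

    def flood_sources(self, threshold):
        """Sources with more drops than threshold: candidates for ACL/blackhole."""
        return sorted(src for src, n in self.drops.items() if n > threshold)

    def new_conn_rate(self, src, second):
        return self.new_conns[(src, int(second))]

def _pkt(src, sport, dst, dport, flags, ts):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags, "ts": ts}

def build_sample():
    """Constructed traffic: one real client session followed by three spoofed floods."""
    client = ("192.0.2.5", 40000)
    pkts = [
        _pkt(*client, *SERVER, "S", 100.0),
        _pkt(*SERVER, *client, "SA", 100.01),
        _pkt(*client, *SERVER, "A", 100.02),
        _pkt(*client, *SERVER, "PA", 100.03),
        _pkt(*client, *SERVER, "FA", 100.5),
    ]
    for flags in ("SA", "A", "R"):         # SYN-ACK, ACK and RST floods, 50 spoofed sources
        for i in range(300):
            pkts.append(_pkt(f"198.51.100.{i % 50}", 1000 + i, *SERVER, flags, 101.0 + i / 1000))
    return pkts

def run_sample():
    f = TcpSessionFilter()
    for p in build_sample():
        f.process(p)
    return f

if __name__ == "__main__":
    f = run_sample()
    print("dropped:", sum(f.drops.values()), "flood sources:", len(f.flood_sources(10)))
```

Because the flood packets carry no SYN, none of them ever creates state, so the table stays small no matter how large the flood; the only cost is the lookup per packet.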

Page 25: Ddos and mitigation methods.pptx (1)

Udp Flood and Mitigation

[Diagram: the Attacker sends a stream of Udp packets to the Server]

• UDP is the most effective protocol for DDOS
• Protection method: payload and header (fingerprint); destination port, source port, TTL and source/destination IP are also checked
• ACL
• Traffic limiting

Page 26: Ddos and mitigation methods.pptx (1)

Icmp Flood and Mitigation

[Diagram: the Attacker sends a stream of Icmp packets to the Server]

• Protection method: payload and header (fingerprint)
• Session check (query, response)
• Rate limit
• ACL

Page 27: Ddos and mitigation methods.pptx (1)

TCP Connection Flood & Mitigation

• Low-rate attack (protection: the number of connections is analyzed; bot detection methods are used)
• TCP null connection attack (no packets after the handshake)
• Also check the rates of: new connections, total connections per second

Page 28: Ddos and mitigation methods.pptx (1)

TCP Retransmission Attack

Page 29: Ddos and mitigation methods.pptx (1)

SIP Flood

Page 30: Ddos and mitigation methods.pptx (1)

SIP Invite Flood

Page 31: Ddos and mitigation methods.pptx (1)

SIP Flood Prevention Methods

• Traffic limiting
• Source IP limiting
• Fingerprint

Page 32: Ddos and mitigation methods.pptx (1)

Http(s) Get/Post Flood

[Diagram: the Attacker completes the handshake (Syn, Syn-Ack, Ack) with the Server and then sends a stream of HTTP GET requests]

Page 33: Ddos and mitigation methods.pptx (1)

Http Ddos Detection & Mitigation Methods

• Authentication (HTTP redirection)
• SSL DDOS (crypto handshake messages increase abnormally)
• Captcha usage
• Fingerprint

Page 34: Ddos and mitigation methods.pptx (1)

Example: Http Get Attack

Page 35: Ddos and mitigation methods.pptx (1)

DNS Flood

Is the target DNS an authoritative DNS or a cache DNS?

Page 36: Ddos and mitigation methods.pptx (1)

DNS Attacks- Continued

Dns Cache poisoning attack

Dns reflection attack

DNS query/response attacks

Page 37: Ddos and mitigation methods.pptx (1)

DNS Query/Response Attacks

[Diagram: (1) a client asks the SP DNS "What is the IP for abc.google.com?"; (2) the SP DNS forwards the query; (3) the attacker answers with a forged reply "IP = XXX.XXX.XXX = news.google.com". A second attacker sends a DNS reply flood at the SP DNS.]

Page 38: Ddos and mitigation methods.pptx (1)

DNS Cache Poisoning

[Diagram: (1) a client asks the SP DNS "What is the IP for abc.google.com?"; (2) the SP DNS forwards the query; (3) the attacker sends a forged DNS reply "abc.google.com = x.x.x.x" to the SP DNS.]

• The domain information on cache DNS servers is replaced with a fake one.
• The attacker must guess the query ID correctly (which is very easy if query IDs are not random).
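A defender's check for the "query IDs are not random" condition above, as an added example that is not from the deck: given a sequence of 16-bit transaction IDs captured from a resolver's outbound queries, it measures how often the next ID equals the previous one plus a fixed step, which is exactly what a counting resolver does and a randomized one does not, and it quantifies the (txid, source port) space a forged reply has to cover. The two ID sequences are constructed; the capture itself is assumed.

```python
import random
from collections import Counter

def analyze_txids(ids):
    """Judge whether a sequence of 16-bit DNS query IDs is predictable.

    Looks at the step between consecutive IDs: a resolver that counts up (or
    uses any fixed increment) gives the same step almost every time, so an
    attacker who sees one ID knows the next. A random generator shows no
    dominant step.
    """
    diffs = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    step, hits = Counter(diffs).most_common(1)[0]
    guess_rate = hits / len(diffs)          # share of 'next id = prev + step' hits
    predictable = guess_rate >= 0.5
    return {
        "predictable": predictable,
        "step": step if predictable else None,
        "guess_rate": guess_rate,
        "distinct_ratio": len(set(ids)) / len(ids),
    }

def spoof_search_space(predictable_id, randomized_port):
    """Number of (txid, port) pairs a forged reply must cover to match a pending query."""
    ids = 1 if predictable_id else 1 << 16
    ports = (1 << 16) if randomized_port else 1
    return ids * ports

# Constructed samples: a counting resolver and a properly randomized one.
SEQUENTIAL_IDS = [(1000 + i) & 0xFFFF for i in range(200)]
_rng = random.Random(7)
RANDOM_IDS = [_rng.randrange(1 << 16) for _ in range(200)]

if __name__ == "__main__":
    for name, ids in (("sequential", SEQUENTIAL_IDS), ("random", RANDOM_IDS)):
        r = analyze_txids(ids)
        print(f"{name}: predictable={r['predictable']} guess_rate={r['guess_rate']:.2f}")
    print("search space, fixed port + counting id:", spoof_search_space(True, False))
    print("search space, random port + random id: ", spoof_search_space(False, True))
```

The numbers make the slide's point concrete: a counting resolver on a fixed port needs one forged packet, while randomizing both the ID and the source port multiplies the space to 2^32, which is why source-port randomization is part of every modern resolver's defence.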

Page 39: Ddos and mitigation methods.pptx (1)

DNS Reflection

[Diagram: the Attacker sends "What is the IP for abc.google.com?" queries (1, 2) to open DNS resolvers with the Victim's address as the source; the resolvers (and the DNS authority) send their DNS replies to the Victim.]

• The attacker uses the victim's IP address as his source and sends a DNS query to all known DNS servers.
• Thousands of resolvers return the answer to the victim and the victim is DDOS'ed.

Page 40: Ddos and mitigation methods.pptx (1)

DNS Attacks

Conclusion:

• DNS attacks are very dangerous and can be performed with the least effort and cost.
• DDOS attacks are on the rise every year and are likely to remain so in the future.
• UDP- and DNS-based attacks are the most effective protocols for DDOS.

Page 41: Ddos and mitigation methods.pptx (1)

Methods To Protect Against DNS Ddos Attacks

• Session control (two-way traffic)
• DNS proxy, caching
• DNS over TCP
• Authentication
• First packet drop
• Domain name limiting
• Traffic limiting
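The first and last items above, session control and traffic limiting, as one added example that is not from the deck: a gate in front of a DNS server records the queries the server sends upstream and admits an inbound response only if it matches a recorded query (same transaction ID, name, responder and port) within a short window, so reply floods and reflected answers that match nothing are dropped, while inbound client queries are held to a per-source token bucket. The addresses, names, limits and window are constructed for the illustration.

```python
from collections import defaultdict

class DnsGate:
    """Two-way session control plus per-source rate limiting for a DNS server.

    - Outbound queries the protected server sends upstream are recorded; an
      inbound response is admitted only if it matches a recorded query within
      reply_ttl seconds. Reply floods and reflected answers match nothing.
    - Inbound client queries are token-bucket limited per source IP.
    """

    def __init__(self, per_source_qps=20, reply_ttl=2.0):
        self.qps = per_source_qps
        self.reply_ttl = reply_ttl
        self.outstanding = {}             # (txid, qname, upstream, port) -> sent at
        self.buckets = {}                 # client ip -> (tokens, last refill)
        self.drops = defaultdict(int)     # reason -> count

    def _take_token(self, src, now):
        tokens, last = self.buckets.get(src, (float(self.qps), now))
        tokens = min(float(self.qps), tokens + (now - last) * self.qps)  # refill
        allowed = tokens >= 1.0
        self.buckets[src] = (tokens - 1.0 if allowed else tokens, now)
        return allowed

    def on_client_query(self, src, now):
        """A query from a client: pass unless the source exceeds its rate."""
        if self._take_token(src, now):
            return "pass"
        self.drops["rate-limited:" + src] += 1
        return "drop"

    def on_outbound_query(self, txid, qname, upstream, sport, now):
        """The protected server asked an upstream server: remember the session."""
        self.outstanding[(txid, qname, upstream, sport)] = now

    def on_inbound_response(self, txid, qname, responder, dport, now):
        """A response arriving from the outside: admit only if it answers a real query."""
        sent = self.outstanding.pop((txid, qname, responder, dport), None)
        if sent is None:
            self.drops["unsolicited"] += 1        # reply flood / reflection / replay
            return "drop"
        if now - sent > self.reply_ttl:
            self.drops["stale"] += 1
            return "drop"
        return "pass"

if __name__ == "__main__":
    g = DnsGate(per_source_qps=20)
    g.on_outbound_query(0x1234, "example.com.", "198.51.100.53", 40001, 10.0)
    print("real answer:", g.on_inbound_response(0x1234, "example.com.", "198.51.100.53", 40001, 10.1))
    print("forged answer:", g.on_inbound_response(0x9999, "example.com.", "198.51.100.53", 40002, 10.2))
    verdicts = [g.on_client_query("203.0.113.7", 30.0) for _ in range(100)]
    print("client burst: passed", verdicts.count("pass"), "dropped", verdicts.count("drop"))
```

Popping the entry on the first match also closes the replay case: a second copy of a genuine answer is treated as unsolicited, which is the behaviour you want when the flood consists of recorded real responses.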

Page 42: Ddos and mitigation methods.pptx (1)

An Effective Mitigation Technique: Fingerprinting

The packet header and payload are analyzed to determine a fingerprint of the attack.
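The fingerprinting technique above, which slides 25 and 26 also name for UDP and ICMP floods, as an added example that is not from the deck: each packet is reduced to its header fields (protocol, destination port, TTL, length) plus a hash of the first payload bytes, the histogram of these keys is built over a capture window, and any key that dominates the window becomes a drop rule. Tool-generated floods repeat the same few combinations even when the source addresses are spoofed, while genuine traffic spreads across many, so the rule hits the flood and spares the clients. The capture is constructed.

```python
import hashlib
from collections import Counter

def fp_key(pkt, prefix_len=8):
    """Header fields plus a hash of the payload prefix: the attack 'fingerprint'."""
    prefix = hashlib.sha256(pkt["payload"][:prefix_len]).hexdigest()[:12]
    return (pkt["proto"], pkt["dport"], pkt["ttl"], len(pkt["payload"]), prefix)

def learn_fingerprints(packets, min_share=0.5):
    """Return fingerprint keys that account for at least min_share of the traffic.

    Legitimate traffic spreads over many (ttl, length, payload) combinations;
    a flood generated by a tool repeats the same few, so it dominates the histogram.
    """
    counts = Counter(fp_key(p) for p in packets)
    total = len(packets)
    return [k for k, n in counts.most_common() if n / total >= min_share]

def apply_fingerprints(packets, fingerprints):
    """Split packets into (passed, dropped) using the learned fingerprints."""
    fps = set(fingerprints)
    passed, dropped = [], []
    for p in packets:
        (dropped if fp_key(p) in fps else passed).append(p)
    return passed, dropped

def build_capture():
    """Constructed capture: 200 flood packets with spoofed sources, 30 genuine queries."""
    flood_payload = b"\x13\x37\x01\x00\x00\x01" + b"\x00" * 54   # 60 identical bytes
    pkts = []
    for i in range(200):                      # same tool, same payload, rotating spoofed sources
        pkts.append({"proto": "udp", "src": f"198.51.100.{i % 250}", "dport": 53,
                     "ttl": 55, "payload": flood_payload})
    for i in range(30):                       # genuine clients: varied TTL, length and content
        pkts.append({"proto": "udp", "src": f"192.0.2.{i + 1}", "dport": 53,
                     "ttl": 64 - (i % 5), "payload": (b"q%d-" % i) * (3 + i % 7)})
    return pkts

if __name__ == "__main__":
    capture = build_capture()
    fps = learn_fingerprints(capture)
    ok, bad = apply_fingerprints(capture, fps)
    print("fingerprints learned:", fps)
    print("passed:", len(ok), "dropped:", len(bad))
```

Source addresses do not appear in the key on purpose: a spoofed flood rotates them freely, whereas the header and payload shape are what the attack tool cannot easily vary without reducing its effectiveness.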

Page 43: Ddos and mitigation methods.pptx (1)

Syn Reflection

Page 44: Ddos and mitigation methods.pptx (1)

DNS Reflection (attack multiplier 10x)

Page 45: Ddos and mitigation methods.pptx (1)

NTP Amplification (attack multiplier 300x)

SNMP can also be used for up to 600x; however, SNMP seldom allows unauthenticated clients.

11 February 2015: new NTP attack: 400 Gbps

Page 46: Ddos and mitigation methods.pptx (1)

Ddos Summary

• Extremely easy to attack (many free and user-friendly tools)
• Impossible to be detected (if the attacker hides correctly)
• Big effects on the victim
• Attack types and methods are broad; every application or service has its own DDOS vulnerabilities
• Spoofing is possible and mostly costless
• AGAIN: attack tools are free

Page 47: Ddos and mitigation methods.pptx (1)

THANKS

QUESTIONS???