Cyber Security Current Trends & Emerging Threats in DDOS · DDoS attacks; typically requires an...
December 11, 2014
Cyber Security
Current Trends & Emerging Threats in
DDOS
DDoS attacks
What is a DoS Attack?
An attack designed to take a resource, application or
service and deny access to legitimate users
DoS – Denial-of-Service
DDoS – Distributed Denial-of-Service
LDoS – Low-Rate Denial-of-Service
PDoS – Permanent Denial-of-Service
PPS – Packets Per Second
TERMINOLOGY
DoS – Denial of Service
• A denial-of-service attack (DoS attack) is an attempt to make a
machine or network resource unavailable to its intended users.
Although the means to carry out, motives for, and targets of a DoS
attack may vary, it generally consists of efforts to temporarily or
indefinitely interrupt or suspend the services of a host connected to the
Internet.
DDoS – Distributed denial of service
• DDoS occurs when multiple systems flood the bandwidth or resources of
a targeted system, usually one or more web servers. This is the result of
multiple compromised systems (for example a botnet) flooding the
targeted system(s) with traffic. When a server is overloaded with
connections, new connections can no longer be accepted.
LDoS – Low-Rate Denial of Service
• An LDoS attack exploits the slow-time-scale dynamics of TCP's
retransmission time-out (RTO) mechanism to reduce TCP throughput.
Basically, an attacker can cause a TCP flow to repeatedly enter an RTO
state by sending high-rate but short-duration bursts, repeated
periodically at the slower RTO time-scale. The TCP throughput at the
attacked node is significantly reduced, while the attacker's low
average rate makes the attack difficult to detect.
PDoS – Permanent Denial of service
• A PDoS is an attack that damages a system so badly that it requires
replacement or reinstallation of hardware.
• A PDoS attack exploits security flaws that allow remote
administration on the management interfaces of the victim's hardware,
such as routers, printers, or other networking hardware.
• The attacker uses these vulnerabilities to replace a device's firmware
with a modified, corrupt, or defective firmware image, which is known as flashing.
• PDoS is a purely hardware-targeted attack, which can be much
faster and requires fewer resources than using a botnet in a DDoS
attack.
[Chart from the slide: attack traffic (scale 1, 10, 100, 1000, 10000 X) plotted against web server CPU/MEM load (scale 1, 50, 100)]
Example of attack
• Target well known, and required services
»Email/SMTP, DNS, Web/HTTP, SQL, SSH
• Require sophisticated tools able to update and adapt
»These exist today
• Deliberately avoid high bandwidth usage to keep low (…and slow)
• Application based DDoS is on the increase accounting for a quarter of all
attacks
• Continuously evolving to evade detection of the attack and protect the
identity of the attacker
Application Targeted DDoS – L7
Volumetric Attack
Designed to consume
available Internet
bandwidth or overload
server resources.
Typical examples SYN
Flood, UDP Flood, ICMP
Flood, SMURF attacks.
Application Layer
Attacks
More sophisticated,
attractive to the attacker
since they require less
resource to carry out
(botnet costs)
Target vulnerabilities in
applications to evade
flood detection strategies
Cloud Infrastructure
Attacks
Cloud solutions can turn
the Internet into the
corporate WAN. Modern
attackers target the full
range of cloud
infrastructure (firewall,
mail & web servers)
Mitigation can be
complex and any attack
can impact multiple
customers
Type of Attack
DDoS Attack Trends: Centralized Execution, Decentralized
Chaos
Spoofed Attacks
• Fewer machines
• Limited Power
Non Spoofed Bot Clients
• More machines
• Higher Power
Bot Servers
• More Power
• More Bandwidth
• Socially Engineered
• More with less
Who’s likely to be interested in a DDoS?
• Companies that are/have been targets of Denial of Service attacks
• Hosting or Cloud provider services
• Ecommerce
• Online Gaming & Gambling
• Medium and larger Enterprises with an internet presence
• Any company that has recently been or is actively being attacked
•SYN Flood
»Targets connection table resources
»Layer 3 attack
»Target flooded with TCP SYN packets
Some Traditional Attacks
•UDP Flood
»Targets CPU and Network traffic resources
»Layer 3 attack
»Floods the server with random UDP packets
• ICMP Flood (SMURF, Ping Flood)
»SMURF
• Packets sent with source being a false IP
• Layer 3 Attack
• Turns server into an Attacker and consumes resources
Some Traditional Attacks
»Ping Flood
• Echo requests sent without waiting for reply
• Layer 3 Attack
• Consumes bandwidth
• One common method of combating a ping flood attack is to block ICMP traffic.
The Slowloris Attack
• Targets HTTP from a single client machine
»Not new, dates from 2009
• Opens a connection to a web server
»Not all servers are vulnerable
• Sends legitimate, but partial, never ending requests
»Send ‘something’ to prevent a timeout
• Sockets held open
»No more sockets… no more service
[Slide illustration: partial HTTP requests (GET, HEAD, POST) kept open by never-completed X-a header lines]
DDoS in action!...
Myths about DDoS attacks
• It happens to others
• Software fixes can solve DDoS attack issues
• IPTABLES can stop DDoS attacks
• Webhost will take care of DDoS attacks
• ISPs of the world co-operate
• ACL’s on switches/routers can stop DDoS attacks
• Pipes will fill any way – what’s the point
• Law enforcement is easy to approach in case of DDoS attacks
Law enforcement is easy to approach in case of DDoS attacks??
Scrubbing Service from
Internet or Cloud
Service Providers
Model: Managed service
subscription model.
Usually separate
detection and mitigation
Pros: Easy sign up and
deployment
Cons: Expensive,
inflexible, costs can rise
during an attack
Firewall / IPS
Model: Integrated device
for FW/IPS and DDoS
prevention
Pros: Single device,
simplified architecture,
less units to manage
Cons: Not designed to
detect/block sophisticated
DDoS attacks; typically
requires an update
license,
Dedicated Device
Model: Inline detection,
mitigation and reporting.
Auto detection of a wide
range of DDoS attacks
Pros: Cost effective, no
unpredictable or hidden
charges. Multi-layer,
accurate, fast, scalable
and easy to deploy
Cons: Additional network
element
DoS Protection Options
The OSI Model
DDoS attacks
BotNets
What about botnets....
• In its most basic form, a botnet is a group of computers that have been infected with
malware that allows its controller (or ‘master’) to take some measure of control over
the infected machine.
• Is used by its master to perform a range of unsavory activities without the knowledge
of the victim. Once infected with botnet malware, the computer becomes a mindless
zombie – ready to do the bidding of its master.
Cybercriminals use botnets to generate revenue in many
different ways:
• DDoS attacks: Sites that are event-specific, such as online
sportsbook, are particularly vulnerable to the threat of being knocked
offline during a major event like the Super Bowl or World Cup.
• Spamming: Infected machines will act as email relays for the bot
master and can send out staggering numbers of unsolicited emails per
day.
• Financial Fraud: With the ability to install additional malware onto an
infected machine, bot masters can siphon off valuable information
More ways to generate revenue...
• Search Engine Optimization (SEO) poisoning: Bot masters boost
search engine rankings artificially to drive searchers to Websites that
inject malware into a victim’s machine, or send the victim to sites that
sell counterfeit goods or fake prescription drugs.
• Pay-per-Click (PPC) fraud: A bot master will set up a legitimate-
looking website and recruit legitimate advertisers. The website owner’s
botnet, working in the background, will visit the site and click on ads.
The advertiser then pays the owner of the botnet for the botnet-
generated activity, as the clicks are coming from thousands of different
machines from geographically unique locations.
Two more ways...
• Bitcoin mining (http://bitcoin.org/en/): Bitcoin is a virtual currency that
can be traded anonymously online for products and services. Bitcoins
are “mined” by installing a program on a user’s PC that performs
complex calculations; the user is then rewarded with a bitcoin for their
efforts. By installing bitcoin software on a victim’s PC, a bot master can
harness the processing power of that computer to mine coins and sell
them on the grey or black market for real currency.
• Corporate and Industrial Espionage: some botnets have been used
in combination with targeted email attacks against both corporations
and governments in the attempt to steal valuable intellectual property
information and state secrets.
It really happens!!...
How could I be infected with a botnet?
• Drive-by download: Simply visiting a malicious site with a PC that
hasn’t been kept current with security patches and antivirus can
download and execute malware on the user’s PC, thus adding to that
botnet’s ranks.
• Email: A more traditional yet still popular method of botnet infection is
through a user opening email with malicious content, often sent by
someone the user knows and trusts (whose system is likely infected
with a botnet).
• Pirated software: Malware developers often hide malicious code
inside a software download, which then installs itself on a victim’s
machine when the user opens the executable.
What happens after infection?
• The malware typically installs what is known as a backdoor: a
program that allows the bot master to communicate with, control and install
software onto the infected computer. Once installed, it is extremely
difficult to shut and lock the backdoor, even after the infected computer
has downloaded the newest security or antimalware updates.
How a botnet Avoids detection...
» IPS and antimalware are not enough.
»Techniques to evade existing methods of detecting and blocking traffic to a command &
control server:
• A list of IP addresses
• Domain Generation Algorithms (DGA): a method whereby the malware itself generates
the C&C server addresses.
• The Conficker.C malware would generate 50,000 domain names every day, of which it
would attempt to contact 500
• Fast flux: a DNS technique used by botnets to hide phishing and malware delivery
sites behind an ever-changing network of compromised hosts acting as proxies
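The DGA point above is easiest to see from the defender's side: names produced by an algorithm rarely look like names a person registered. The following Python is an added example, not code from the slides; it scores the registrable label of each queried name on length, entropy, vowel share and digit share and flags the ones that look machine-generated. The sample query names, the thresholds and the single-label suffix handling are all constructed assumptions for the demonstration.

```python
import math
from collections import Counter

# Constructed DNS query names (not taken from the slides): a few ordinary
# hostnames mixed with labels that look algorithmically generated.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.google.com",
    "stackoverflow.com",
    "xk3jq9v2bnz7lq.info",
    "qwzpkvtrmnbxgl.org",
    "updates.ubuntu.com",
    "a8f2k1m9x0c4b7.net",
]

VOWELS = set("aeiou")


def registrable_label(fqdn):
    """Return the label left of the TLD ('example' for www.example.com).
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text):
    """Bits per character over the label's own symbol distribution."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def label_features(label):
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = (sum(ch in VOWELS for ch in letters) / len(letters)) if letters else 0.0
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowel_ratio,
        "digit_ratio": digit_ratio,
    }


def looks_generated(label, min_len=10, min_entropy=3.0,
                    max_vowel_ratio=0.2, max_digit_ratio=0.3):
    """Heuristic: long, high-entropy labels that are almost vowel-free or
    digit-heavy are unlike human-chosen names. Thresholds are assumptions."""
    f = label_features(label)
    if f["length"] < min_len or f["entropy"] < min_entropy:
        return False
    return f["vowel_ratio"] < max_vowel_ratio or f["digit_ratio"] > max_digit_ratio


def flag_suspicious(queries):
    """Return the query names whose registrable label trips the heuristic."""
    return [q for q in queries if looks_generated(registrable_label(q))]


if __name__ == "__main__":
    for name in flag_suspicious(SAMPLE_QUERIES):
        print("suspicious:", name, label_features(registrable_label(name)))
```

Lexical scoring alone produces false positives (CDN and tracking hostnames are often random-looking), so in practice the flag is one input among several; a host that also generates a burst of NXDOMAIN answers, as a Conficker-style client cycling through thousands of candidate names would, is a far stronger indicator than any single odd-looking query.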
How to determine that an infection has occurred (1)
•System running slower than usual
•Hard drive LED is flashing wildly even though it’s in idle mode
•Files and folders have suddenly disappeared or have been
changed in some fashion
•A friend or colleague has informed the user that they have
received a spam email from their email account
How to determine that an infection has occurred (2)
•A firewall on the computer informs the user that a program on
the PC is trying to connect to the Internet
•A launch icon from a program downloaded from the Internet
suddenly disappears
•More error messages than usual are popping up
•An online bank is suddenly asking for personal information it’s
never required before
The OSI Model
DDoS attacks
BotNets
Anti DDoS Appliances
Anti DDoS appliances..
• Carrier DDoS mitigation solutions
»Useful for global networks, carriers and ISPs
»Based on IP flow-based and deep packet inspection technologies
protecting the entire network
»Solutions too expensive for individual IDCs (Internet Data Centers),
webhosts or web properties.
»Solutions designed around the early 2000s cannot mitigate the new generation
of DDoS attacks, which involve botnets that mimic legitimate clients.
Anti DDoS appliances
•Custom logic (FPGA or ASIC) based internet data center
(IDC), web hosting and web property DDoS mitigation
solutions
»They work to protect one or several Internet links.
»The behavioral solutions are implemented in custom hardware logic
and provide line-rate performance for large attacks.
»These solutions are cost-effective and effective for IDCs, webhosts
and web properties.
Anti DDoS appliances
•Software based web property DDoS mitigation solutions
»These solutions are useful for smaller web properties with very
minimal traffic.
»The behavioral solutions are implemented in off-the-shelf CPUs and
have issues at large attack traffic volumes in terms of keeping up.
»Some appliances have IPS functionality implemented in hardware
but have their DDoS mitigation logic in software and suffer from the
same issues.
The OSI Model
DDoS attacks
BotNets
Anti DDoS appliances
Hardening
Things to look for in Anti-DDoS equipment
• Latest technology
•Centralized monitoring
• Visibility into normal network traffic patterns
•Alerting mechanisms
•Filtering mechanisms to reduce false positives
• Low latency
•Hardware logic for Anti-DDoS
•Bypass and redundancy
•Extensible architecture
Hardening from a DDoS point of view
in small scenarios (1)
•“home remedies” for simple and small DDoS attacks
»Update the kernel to the latest release
»Install all security updates
»Disable unused and insecure services
»Remove unused packages
Hardening from a DDoS point of view
in small scenarios (2)
»Better network cards mean better performance.
»Choose a recognized vendor whose drivers are already hardened.
»Use netfilter/iptables to deny packets
»Use the hashlimit module to identify IPs that are consuming resources
»LiteSpeed instead of apache http://www.litespeedtech.com/
Hardening from a DDoS point of view in enterprise
• Firewalls, switches, Intrusion Detection Systems (IDS), Intrusion
Prevention Systems (IPS) are not enough.
• Upcoming techniques
»SYN Proxy: a SYN proxy is a mechanism, usually implemented by intermediate appliances that
sit in front of the actual server, that answers the handshake on its behalf. Until the source IP
(spoofed or not) responds with the ACK, the connection request is not forwarded.
More techniques
»Connection limiting: Too many connections can cause a server to be
overloaded. By limiting the number of new connection requests, you can
temporarily give the server respite.
Just one more......
»Aggressive Aging: Some botnet attacks involve opening a
legitimate connection and not doing anything at all. Such idle
connections fill up the connection tables in firewall and servers. By
aggressively aging such idle connections, you can provide some
relief to them.
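The Slowloris slide earlier and the connection-limiting and aggressive-aging techniques just described are two sides of one defence: cap how many sockets a single source may hold, and evict sockets that never finish their request or go idle. The Python below is an added example (not the slides' code) of a front-end connection table doing both. The scenario, the addresses (203.0.113.7 as the scripted source, 198.51.100.4 as a normal client) and the timeouts are constructed assumptions; the key design choice is that the header deadline is measured from the moment the socket was opened, so drip-feeding one header line at a time does not reset it.

```python
from dataclasses import dataclass


@dataclass
class Conn:
    src_ip: str
    opened_at: float
    last_byte_at: float
    header_complete: bool = False


class ConnectionTable:
    """Hypothetical front-end connection table (not code from the slides).
    It caps open connections per source and ages out connections that never
    finish their request headers or that go idle."""

    def __init__(self, max_per_source=20, header_timeout=10.0, idle_timeout=60.0):
        self.max_per_source = max_per_source
        self.header_timeout = header_timeout
        self.idle_timeout = idle_timeout
        self.conns = {}
        self._next_id = 0

    def count_for(self, src_ip):
        return sum(1 for c in self.conns.values() if c.src_ip == src_ip)

    def open(self, src_ip, now):
        """Connection limiting: refuse the socket once a source holds its quota."""
        if self.count_for(src_ip) >= self.max_per_source:
            return None
        cid = self._next_id
        self._next_id += 1
        self.conns[cid] = Conn(src_ip, now, now)
        return cid

    def receive(self, cid, now, completes_header=False):
        c = self.conns[cid]
        c.last_byte_at = now
        if completes_header:
            c.header_complete = True

    def age(self, now):
        """Aggressive aging. The header deadline counts from open time, so
        trickling one header line at a time does not keep a socket alive."""
        evicted = []
        for cid, c in list(self.conns.items()):
            unfinished = not c.header_complete and now - c.opened_at > self.header_timeout
            idle = now - c.last_byte_at > self.idle_timeout
            if unfinished or idle:
                evicted.append(cid)
                del self.conns[cid]
        return evicted


def simulate_slowloris():
    """Constructed scenario: one source opens many sockets and drips partial
    headers; a normal client completes its request. Returns the outcome."""
    table = ConnectionTable(max_per_source=20, header_timeout=10.0, idle_timeout=60.0)
    attacker, client = "203.0.113.7", "198.51.100.4"

    attempts = [table.open(attacker, now=0.0) for _ in range(30)]
    held = [cid for cid in attempts if cid is not None]
    rejected = attempts.count(None)

    legit = table.open(client, now=0.0)
    table.receive(legit, now=0.2, completes_header=True)

    # Every 4 seconds the scripted source sends another partial header line,
    # which keeps last_byte_at fresh but never completes the request.
    for t in (4.0, 8.0, 12.0):
        for cid in held:
            table.receive(cid, now=t)

    evicted = table.age(now=12.5)
    return {
        "rejected": rejected,
        "evicted": len(evicted),
        "remaining": len(table.conns),
        "legit_survived": legit in table.conns,
    }


if __name__ == "__main__":
    print(simulate_slowloris())
```

Run stand-alone it reports that 10 of the 30 socket attempts were refused by the per-source cap, the 20 that were accepted were evicted at the first aging pass after the 10-second header deadline, and the client that finished its headers kept its connection. Apache's mod_reqtimeout and nginx's client_header_timeout implement the same idea on real servers.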
Hardening from a DDoS point of view in enterprise (1)
•More techniques
»Source rate limiting: When only a limited number of sources are
available to a bot-master, he/she can use them to send packets
aggressively. These high-rate packets can burden the server.
Multithreaded attacks cause such patterns of attack.
»Dynamic filtering: is done by identifying undisciplined behavior
and punishing that behavior for a short time by creating a shortspan
filtering rule and removing that rule after that time-span.
Hardening from a DDoS point of view in enterprise (2)
»Active verification through legitimate IP address matching: if the
appliance keeps sending SYN/ACK packets back, that adds too
much outbound traffic. To avoid such a reverse flood, it is necessary to
cache identified legitimate IPs in a memory table for a limited period
of time and then let them through without the SYN proxy check.
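The SYN proxy from the enterprise slide and the active-verification cache just described fit together naturally, so one added example covers both (this is illustrative Python, not the slides' or any vendor's code). The proxy answers every SYN itself with a keyed-hash sequence number, forwards a connection to the real server only once the client's ACK carries that number back, and remembers verified sources for a TTL so they are not challenged again. The client address 198.51.100.4, the spoofed 203.0.113.0/24 sources, the secret and the TTL are constructed assumptions.

```python
import hashlib
import hmac


class SynProxy:
    """Hypothetical SYN proxy (not the slides' product). It answers every SYN
    itself with a keyed-hash sequence number, forwards a connection to the
    real server only after the client's ACK proves the source is reachable,
    and remembers verified sources for a while to avoid re-challenging them."""

    def __init__(self, secret, verified_ttl=300.0):
        self.secret = secret
        self.verified_ttl = verified_ttl
        self.verified_until = {}   # src_ip -> time until which it is trusted
        self.sent_to_client = []   # SYN/ACK challenges sent back
        self.sent_to_server = []   # packets forwarded to the protected server

    def _cookie(self, src_ip, sport):
        # Sequence number the client must echo back (+1); unforgeable without the secret.
        mac = hmac.new(self.secret, f"{src_ip}:{sport}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def is_verified(self, src_ip, now):
        return self.verified_until.get(src_ip, 0.0) > now

    def handle(self, pkt, now):
        src, sport, flags = pkt["src"], pkt["sport"], pkt["flags"]
        if flags == "SYN":
            if self.is_verified(src, now):
                self.sent_to_server.append(pkt)      # cached as legitimate: no challenge
                return "forwarded"
            challenge = {"dst": src, "dport": sport, "flags": "SYN-ACK",
                         "seq": self._cookie(src, sport), "ack": (pkt["seq"] + 1) & 0xFFFFFFFF}
            self.sent_to_client.append(challenge)
            return "challenged"
        if flags == "ACK" and not self.is_verified(src, now):
            expected = (self._cookie(src, sport) + 1) & 0xFFFFFFFF
            if pkt["ack"] != expected:
                return "dropped"                     # wrong or forged ACK
            self.verified_until[src] = now + self.verified_ttl
            # Replay the handshake towards the server on the client's behalf.
            self.sent_to_server.append({"src": src, "sport": sport, "flags": "SYN",
                                        "seq": (pkt["seq"] - 1) & 0xFFFFFFFF})
            return "verified"
        if self.is_verified(src, now):
            self.sent_to_server.append(pkt)
            return "forwarded"
        return "dropped"


def run_exchange():
    """Constructed exchange: one real client completes the challenge, 100
    spoofed sources never answer, and the client returns within and after TTL."""
    proxy = SynProxy(secret=b"constructed-demo-secret", verified_ttl=300.0)
    client = "198.51.100.4"
    outcomes = []

    outcomes.append(proxy.handle({"src": client, "sport": 40000, "flags": "SYN", "seq": 1000}, now=0.0))
    challenge = proxy.sent_to_client[-1]
    outcomes.append(proxy.handle({"src": client, "sport": 40000, "flags": "ACK", "seq": 1001,
                                  "ack": (challenge["seq"] + 1) & 0xFFFFFFFF}, now=0.1))

    for i in range(1, 101):   # spoofed SYNs from 203.0.113.0/24 (constructed); no ACK ever comes
        outcomes.append(proxy.handle({"src": f"203.0.113.{i}", "sport": 5000 + i,
                                      "flags": "SYN", "seq": i}, now=1.0))

    outcomes.append(proxy.handle({"src": client, "sport": 40001, "flags": "SYN", "seq": 2000}, now=10.0))
    outcomes.append(proxy.handle({"src": client, "sport": 40002, "flags": "SYN", "seq": 3000}, now=400.0))

    return {
        "challenged": outcomes.count("challenged"),
        "verified": outcomes.count("verified"),
        "forwarded": outcomes.count("forwarded"),
        "server_saw": len(proxy.sent_to_server),
        "legit_trusted_at_t10": proxy.is_verified(client, 10.0),
        "legit_trusted_at_t400": proxy.is_verified(client, 400.0),
    }


if __name__ == "__main__":
    print(run_exchange())
```

The 100 spoofed SYNs cost the server nothing: each earns one SYN/ACK from the proxy and no table entry anywhere, because the proxy keeps no state until a valid ACK arrives. The verified cache is what keeps the reverse flood bounded for real clients: the second SYN from 198.51.100.4 goes straight through, while the one after the TTL is challenged again.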
»Anomaly recognition: Most DDoS attacks are written using scripts
which continuously vary a few parameters in the network packets. By
performing anomaly checks on headers, state and rate, an appliance
can filter out most attack packets which otherwise would pass simple
firewall rules.
Hardening from a DDoS point of view in enterprise (3)
»Protocol analysis: Similar to header, state and rate anomalies,
further protocol analysis can bring out issues that would otherwise
pass through a generic firewall
» Granular rate limiting: Granularity refers to various parameters
available in layer 3, layer 4 and layer 7 headers. These include
packet rates for source, destination, protocol, fragment, ports,
and HTTP methods, URLs, User-Agents, Cookie, Host, Referer
etc.
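Source rate limiting, dynamic filtering and granular rate limiting from the last three slides are one mechanism seen at three levels of detail: count events per key, where the key is whatever combination of source, port, method, URL, User-Agent and so on you choose, and when a key exceeds its budget install a short-lived block rule that expires by itself. The Python below is an added example (not the slides' appliance logic) that also implements the non-tracked-sources exception described on the next slide, so that a backup host's nightly burst is neither blocked nor learned. The request records, addresses, limit, window and penalty are constructed assumptions.

```python
from collections import defaultdict, deque


class GranularRateLimiter:
    """Hypothetical sliding-window limiter (not the slides' appliance).
    Events are counted per key, where the key is any tuple of packet or
    header fields; a key that exceeds the limit gets a short-lived block rule
    that expires on its own. Non-tracked sources are never counted."""

    def __init__(self, limit, window, penalty, untracked_sources=()):
        self.limit = limit
        self.window = window
        self.penalty = penalty
        self.untracked = set(untracked_sources)
        self.events = defaultdict(deque)   # key -> timestamps inside the window
        self.blocked_until = {}            # key -> expiry of its dynamic rule

    def check(self, src_ip, key, now):
        if src_ip in self.untracked:
            return "allowed"               # exception: not learned, not limited
        expiry = self.blocked_until.get(key)
        if expiry is not None:
            if now < expiry:
                return "blocked"
            del self.blocked_until[key]    # rule aged out: behaviour forgiven
        window_events = self.events[key]
        while window_events and now - window_events[0] >= self.window:
            window_events.popleft()
        window_events.append(now)
        if len(window_events) > self.limit:
            self.blocked_until[key] = now + self.penalty   # dynamic filter rule
            window_events.clear()
            return "blocked"
        return "allowed"


def constructed_requests():
    """Constructed request records: (time, source, method, path, user-agent)."""
    reqs = []
    for i in range(50):   # scripted client hammering one URL at 10 req/s
        reqs.append((i * 0.1, "203.0.113.9", "GET", "/login", "python-requests/2.0"))
    for i in range(5):    # ordinary browser, one request per second
        reqs.append((i * 1.0, "198.51.100.4", "GET", "/login", "Mozilla/5.0"))
    for i in range(100):  # backup host doing its scheduled transfer
        reqs.append((i * 0.05, "192.0.2.10", "POST", "/upload", "backup-agent"))
    reqs.append((40.0, "203.0.113.9", "GET", "/login", "python-requests/2.0"))  # after the penalty
    return sorted(reqs, key=lambda r: r[0])


def simulate():
    limiter = GranularRateLimiter(limit=20, window=10.0, penalty=30.0,
                                  untracked_sources={"192.0.2.10"})
    tally = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    last_attacker_verdict = None
    for t, src, method, path, ua in constructed_requests():
        key = (src, method, path, ua)   # granularity: per source + method + URL + User-Agent
        verdict = limiter.check(src, key, now=t)
        tally[src][verdict] += 1
        if src == "203.0.113.9":
            last_attacker_verdict = verdict
    return dict(tally), last_attacker_verdict


if __name__ == "__main__":
    print(simulate())
```

With these settings the scripted client gets 20 requests through, trips the limit on the 21st, is blocked for the rest of its burst, and is allowed again once the 30-second rule has expired; the browser and the non-tracked backup host are never touched. The same structure is what iptables' hashlimit module provides at layer 3/4 with its per-source buckets, the difference being that here the key can include layer 7 fields.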
More hardening techniques
• White-list, black-list, non-tracked sources: Since rate anomalies
are behavioral, all behaviors are learned from the past. Therefore, if you
don't want some behavior to be learned, you must not track
that behavior, by creating an exception. Such non-tracked sources
include backup machines that do large amounts of I/O at
specific times, or Content Delivery Networks (CDN).
»State anomaly recognition: Since most bots are scripted, they often
break TCP rules. A state anomaly recognition engine
looks for illegal TCP state transition anomalies, foreign packets
(packets in connections that are not properly established) and TCP
window-violations.
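The three anomaly classes just listed (illegal state transitions, foreign packets and window violations) can be checked with a small per-flow state machine. The Python below is an added example, not the slides' engine: it replays a constructed packet trace through a table of legal transitions and reports each packet that breaks a rule. The endpoints (198.51.100.4 client, 192.0.2.80 server, 203.0.113.7 stray source) and the trace are constructed; the engine also simplifies real TCP by tracking one state per flow rather than per direction and by checking only the upper edge of the peer's window.

```python
# Legal (state, flags) -> next state, tracked per flow regardless of direction.
# Simplification: a real engine tracks each direction, retransmissions and
# RST handling separately; this covers the common handshake, data and teardown.
TRANSITIONS = {
    "NONE":        {"SYN": "SYN_SENT"},
    "SYN_SENT":    {"SYN": "SYN_SENT", "SYN-ACK": "SYN_RECV"},
    "SYN_RECV":    {"SYN-ACK": "SYN_RECV", "ACK": "ESTABLISHED"},
    "ESTABLISHED": {"ACK": "ESTABLISHED", "PSH-ACK": "ESTABLISHED",
                    "FIN-ACK": "FIN_WAIT", "RST": "CLOSED"},
    "FIN_WAIT":    {"ACK": "FIN_WAIT", "FIN-ACK": "LAST_ACK", "RST": "CLOSED"},
    "LAST_ACK":    {"ACK": "CLOSED", "RST": "CLOSED"},
    "CLOSED":      {},
}


class Flow:
    def __init__(self):
        self.state = "NONE"
        self.next_seq = {}   # endpoint -> next byte we expect it to send
        self.window = {}     # endpoint -> last window it advertised


def flow_key(pkt):
    return frozenset((pkt["src"], pkt["dst"]))


def analyze(packets):
    """Return ([(packet index, anomaly)], [final state per flow]) for packet
    dicts with keys src, dst (ip, port tuples), flags, seq, win and len."""
    flows = {}
    findings = []
    for i, pkt in enumerate(packets):
        key = flow_key(pkt)
        flow = flows.get(key)
        if flow is None:
            if pkt["flags"] != "SYN":
                findings.append((i, "foreign-packet"))      # no handshake ever seen
                continue
            flow = flows[key] = Flow()
        nxt = TRANSITIONS[flow.state].get(pkt["flags"])
        if nxt is None:
            findings.append((i, "illegal-transition"))      # e.g. SYN on an open flow
            continue
        expected = flow.next_seq.get(pkt["src"])
        peer_win = flow.window.get(pkt["dst"])
        if expected is not None and peer_win is not None and pkt["seq"] > expected + peer_win:
            findings.append((i, "window-violation"))        # data the peer cannot accept
            continue
        flow.state = nxt
        flow.window[pkt["src"]] = pkt["win"]
        flow.next_seq[pkt["src"]] = pkt["seq"] + pkt["len"]
    return findings, [f.state for f in flows.values()]


# Constructed trace: a clean session with three bad packets spliced in.
C = ("198.51.100.4", 40000)
S = ("192.0.2.80", 80)
A = ("203.0.113.7", 5555)


def p(src, dst, flags, seq, win=8192, length=0):
    return {"src": src, "dst": dst, "flags": flags, "seq": seq, "win": win, "len": length}


CONSTRUCTED_TRACE = [
    p(C, S, "SYN", 100),                    # 0  handshake
    p(S, C, "SYN-ACK", 500, win=1000),      # 1
    p(C, S, "ACK", 101),                    # 2
    p(C, S, "PSH-ACK", 101, length=20),     # 3  20 bytes of request
    p(S, C, "ACK", 501, win=1000),          # 4
    p(A, S, "FIN-ACK", 7777),               # 5  stray FIN-ACK, no flow: foreign
    p(C, S, "SYN", 999),                    # 6  SYN on an established flow: illegal
    p(C, S, "PSH-ACK", 900000, length=10),  # 7  far outside server's window
    p(C, S, "FIN-ACK", 121),                # 8  orderly teardown
    p(S, C, "FIN-ACK", 501, win=1000),      # 9
    p(C, S, "ACK", 122),                    # 10
]

if __name__ == "__main__":
    for item in analyze(CONSTRUCTED_TRACE)[0]:
        print(item)
```

The foreign-packet check is the one that matters most for the spoofed SYN-ACK and FIN-ACK floods listed later under testing attacks: every such packet arrives for a flow the device never saw a SYN for, so it can be dropped without any per-source counting at all.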
More techniques
»Dark address scan prevention: Dark addresses are IP addresses
that are not yet assigned by IANA. These are also called bogon
addresses. Any packets coming from or going to dark addresses
are signs of spoofing. By blocking them, you can block a substantial
percentage of DDoS packets that are spoofed.
»Stealth attack filtering: Before an attack, there are precursors to
attacks, in the form of scans. Network scans to discover
IP addresses in use are common, as are port scans to
discover TCP and UDP ports that respond to connections. By
identifying such scans and the corresponding sources, you can take
some precautions against a future full-blown attack.
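Dark-address filtering and precursor detection are both cheap checks on flow records, so one added example covers the two techniques above (illustrative Python, not the slides' code). It drops flows whose source or destination falls in a bogon range and then watches, per source, how many distinct destination ports and hosts appear inside a sliding window. The flow records, the thresholds and the bogon table are constructed assumptions; the table is only a stand-in for the full, regularly updated bogon list a real filter would load, and it deliberately omits the IETF documentation ranges because the example uses them as public addresses.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed stand-in for a bogon list: private, loopback, link-local,
# multicast and reserved space. A production filter loads the full, current
# bogon list from a maintained source rather than a static table.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(ip_str):
    """True when the address lies in a range that should never appear on the Internet."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in BOGON_PREFIXES)


class ScanDetector:
    """Hypothetical precursor detector: counts distinct destination ports and
    hosts per source inside a sliding time window."""

    def __init__(self, window=10.0, port_threshold=15, host_threshold=10):
        self.window = window
        self.port_threshold = port_threshold
        self.host_threshold = host_threshold
        self.history = defaultdict(deque)   # src -> (ts, dst_ip, dst_port)

    def observe(self, ts, src, dst, dport):
        hist = self.history[src]
        hist.append((ts, dst, dport))
        while hist and ts - hist[0][0] > self.window:
            hist.popleft()
        ports = {port for _, _, port in hist}
        hosts = {host for _, host, _ in hist}
        labels = []
        if len(ports) > self.port_threshold:
            labels.append("port-scan")       # many ports on few hosts
        if len(hosts) > self.host_threshold:
            labels.append("network-scan")    # many hosts, typically one port
        return labels


def constructed_flows():
    """Constructed flow records: (time, src, dst, dst_port)."""
    flows = []
    for port in range(1, 31):        # one source probing 30 ports on one host
        flows.append((port * 0.1, "203.0.113.5", "192.0.2.1", port))
    for host in range(1, 21):        # one source sweeping 20 hosts on port 80
        flows.append((host * 0.1, "203.0.113.6", f"192.0.2.{host}", 80))
    for i in range(5):               # spoofed packets claiming a private source
        flows.append((i * 0.5, "10.0.0.9", "192.0.2.1", 80))
    flows.append((1.0, "198.51.100.4", "192.0.2.1", 443))   # ordinary client
    flows.append((1.5, "198.51.100.4", "192.0.2.1", 80))
    return sorted(flows, key=lambda f: f[0])


def triage(flows):
    detector = ScanDetector()
    bucket = {"port-scan": "port_scanners", "network-scan": "network_scanners"}
    report = {"bogon_dropped": 0, "port_scanners": set(), "network_scanners": set()}
    for ts, src, dst, dport in flows:
        if is_bogon(src) or is_bogon(dst):
            report["bogon_dropped"] += 1     # never legitimate on a public link
            continue
        for label in detector.observe(ts, src, dst, dport):
            report[bucket[label]].add(src)
    return report


if __name__ == "__main__":
    print(triage(constructed_flows()))
```

Sources flagged here are candidates for closer watching or a pre-emptive rate limit rather than automatic blocking: vulnerability scanners and monitoring systems you operate yourself produce exactly this pattern and belong on the non-tracked list.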
How to test a mitigation system?
• Most people purchasing DDoS mitigation systems do not know how to
tell one system from another.
• Since most DDoS mitigation systems are fewer than 5 years old today,
there is a trust issue with them. Those that have been tested by third
parties such as the Tolly Group (www.tolly.com) are few. Most people
would rather test them in their own lab before deploying them.
DDoS tools for testing in a PoC.
• Smartbits
» http://www.spirent.com/Products/Smartbits
• Avalanche
» http://www.spirentfederal.com/IP/Products/Avalanche/Overview/
• BreakingPoint
» http://www.breakingpointsystems.com/
• Example videos with BreakingPoint and Fortinet tests
» https://www.youtube.com/watch?v=5N7L3_V69X0
» http://youtu.be/JygWSBRdON4
Attack Tools
• Many and varied
»Configurable Perl scripts,
executables, JavaScript
»Windows, OSX, Android
• Distributed as
»Stress Tester Utilities
»Development Toolkits
»Malware
• Used to create
» Individual attacks
»Voluntary ‘hacktivist’ attacks
»Botnet driven attacks booster scripts
Most popular tool – LOIC (Low Orbit Ion Cannon)
• Low Orbit Ion Cannon (LOIC) is an open source network stress
testing and denial-of-service attack application, written in C#.
Software packet generators
• Nemesis
• Hping
• T50
• Rude and crude
• Scapy
• D-ITG
• Pktgen
• Packet generator
• Packet excalibur
• Packgen
• and much more in this site http://www.protocog.com/trgen.html
Type of testing attacks
• Over the Internet, one can launch Layer 3, 4 or 7 attacks.
• Examples of Layer 3 attacks are protocol floods such as ICMP floods,
TCP floods and fragment floods.
• Example of layer 4 floods are port floods (TCP or UDP).
• Example of layer 7 floods are URL floods. In this attack, a single URL
is continuously attacked from multiple sources.
Attacks to test functionality and performance
• Spoofed SYN flood attack
• Spoofed UDP attack
• Spoofed ICMP attack
• Spoofed TCP SYN-ACK attack
• Spoofed TCP FIN-ACK attack
• Spoofed IP attack
• Spoofed IP fragments attack
• IP-UDP fragments attack
• IP-ICMP fragments attack
• TCP/UDP destination port attack
• Backtrack will be your best friend!
Thank you!
Gracias!
Obrigado!