Kill 'em All: DDoS Protection Total Annihilation! - Def Con

DDoS Protection Total Annihilation

DDoS Mitigation Lab

Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge.


Independent academic R&D division of Nexusguard, building next-generation DDoS mitigation knowledge and collaborating with the defense community.


Agenda:
- DDoS Relevance, Attack Categories, Detection & Mitigation
- Source Host Verification: Authentication Methods
  - TCP SYN Auth
  - HTTP Redirect Auth
  - HTTP Cookie Auth
  - JavaScript Auth
  - CAPTCHA Auth
- PoC Tool
  - TCP Traffic Model
  - HTTP Traffic Model


Source: NTT Communications, “Successfully Combating DDoS Attacks”, Aug 2012


Attack categories:
- Volumetric
- Semantic
- Blended


[Chart: attack categories plotted by volume (xxx Mbps+ up to xxx Gbps+) against complexity (simple to sophisticated)]


[Chart: mitigation techniques on the same volume/complexity axes: black-/whitelisting, traffic policing, proactive resource release]


[Chart: detection techniques on the same volume/complexity axes, ordered roughly from high-volume/simple to sophisticated: rate measurement (SNMP), baselining (NetFlow), big data analysis, protocol sanity (PCAP), protocol behavior (PCAP), application (syslog)]


- Traffic pattern simulation, e.g. like traffic behind a proxy
- HTTP header simulation

Simulate normal traffic pattern and behavior!!!!!


[Diagram: attack traffic (e.g. connection B with User-Agent B) sent through a proxy]


- HTTP headers will change during the attack
- For example, the "Accept" header of the first and second HTTP requests:

First Request:   Accept: */*
Second Request:  Accept: image/gif, image/jpeg, imag,…..


- TCP options against detection
- Empower attack power


[Diagram: TCP flow with the attacker controlling every state]
SYN -> SYN ACK -> ACK -> (Connection Hold Time) -> Push ACK (HTTP request, e.g. GET, POST) -> ACK -> Push ACK -> ...

Full control of every TCP state!!!!

OLD-FASHIONED GET Flood:
SYN -> SYN ACK -> ACK -> Push ACK (HTTP GET) -> ACK -> FIN ACK -> conns closed…

High CPU and a constant no. of conns, but still ALIVE!!!

Kill ‘EM ALL!!!!!!:
SYN -> SYN ACK -> ACK -> Push ACK (HTTP Request) -> ACK -> Push ACK (HTTP Request) -> ACK -> …

High memory, high CPU and no. of conns increasing -> HTTP 503 Service Unavailable

Authentication methods:
- TCP SYN Auth
- HTTP Redirect Auth
- HTTP Cookie Auth
- JavaScript Auth
- CAPTCHA Auth

[Diagram: TCP SYN Auth, TCP RST variant]
SYN -> SYN ACK -> ACK -> RST -> SYN -> SYN ACK -> ACK

[Diagram: TCP SYN Auth, TCP out-of-sequence variant]
SYN -> SYN ACK -> RST -> SYN -> SYN ACK -> ACK


[Diagram: SYN with a spoofed source IP -> SYN ACK -> RST (may be from the real host)]

TCP RST and TCP out-of-seq are the SAME!!!!!!


Handling a real user access:

TCP RST                      | TCP out of seq
TCP Flag    Total Length     | TCP Flag    Total Length
SYN         60               | SYN         60
SYN ACK     40               | SYN ACK     40
ACK         40               | RST         40
RST         40               | Total       140 bytes
Total       180 bytes        |

P.S. TCP SYN packet size = header length + total length

[Diagram: spoofing a real host's IP as the source IP: SYN -> SYN ACK -> RST -> SYN]

33% of attack traffic bypassed




- The traditional SYN flood is 40 bytes, missing TCP options
- How to simulate real SYN traffic:
  - In the IP layer: randomize TTL
  - In the TCP layer: randomize window size, add the correct options, e.g. Maximum Segment Size, etc.

A 48-60 byte TCP SYN flood attack is a nightmare
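As an added defender-side example (not the authors' tool or any code from the deck), the check below parses a raw TCP header and flags a SYN that carries no options at all, the signature of the traditional 40-byte SYN flood that the slide contrasts with the option-carrying 48-60 byte variant. The two sample headers are constructed; a SYN with plausible options passes this protocol-sanity check, which is exactly why the slide calls the 48-60 byte flood a nightmare.

```python
import struct

# Constructed sample TCP headers (IP header omitted; a 20-byte IPv4 header is
# added back when computing the on-wire total length).
# Bare SYN: 20-byte TCP header, no options -> the classic 40-byte SYN flood packet.
BARE_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)

# SYN carrying the options a real OS stack sends: MSS 1460, SACK permitted,
# timestamps, NOP, window scale 7 (20 bytes of options -> 40-byte TCP header).
OPTS = (b"\x02\x04\x05\xb4"            # MSS 1460 (kind 2, len 4)
        + b"\x04\x02"                  # SACK permitted (kind 4, len 2)
        + b"\x08\x0a" + b"\x00" * 8    # timestamps (kind 8, len 10)
        + b"\x01"                      # NOP (kind 1)
        + b"\x03\x03\x07")             # window scale 7 (kind 3, len 3)
FULL_SYN = struct.pack("!HHIIBBHHH", 40001, 80, 1, 0,
                       (5 + len(OPTS) // 4) << 4, 0x02, 29200, 0, 0) + OPTS


def tcp_option_kinds(raw):
    """Return the list of TCP option kinds in a raw TCP header (NOPs included)."""
    data_offset = (raw[12] >> 4) * 4
    opts = raw[20:data_offset]
    kinds, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP is a single byte
            kinds.append(kind)
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                          # truncated or malformed option
        kinds.append(kind)
        i += opts[i + 1]
    return kinds


def classify_syn(raw, ip_header_len=20):
    """None if not a pure SYN; else the on-wire total length, the option kinds,
    and whether the packet looks like a bare-SYN flood packet."""
    flags = raw[13]
    if not (flags & 0x02) or (flags & 0x10):   # need SYN set and ACK clear
        return None
    kinds = tcp_option_kinds(raw)
    total_len = ip_header_len + (raw[12] >> 4) * 4
    # Real stacks always send at least an MSS option; a SYN with none is the
    # traditional 40-byte flood signature. A SYN with proper options passes.
    return {"total_len": total_len, "options": kinds, "bare_syn": 2 not in kinds}
```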


[Diagram: HTTP Redirect Auth]
GET /index.html -> HTTP 302 redir to /foo/index.html -> GET /foo/index.html -> HTTP 302 redir to /index.html -> GET /index.html


- HTTP/1.1 302 Found\r\n
- Location: http://a.c.com\r\n
- Loop the script until “HTTP/1.1 200 OK”


[Diagram: chained HTTP redirects]
GET /index.html -> HTTP 302 redir to /index.html -> GET /index.html -> HTTP 302 redir to /index.html -> GET /index.html


- Set-Cookie: AuthCode=d8e; expires=Mon, 23-Dec-2019 23:50:00 GMT; ……., etc.
- If the expiry date and time is within hours or minutes, it is our REAUTH threshold!!!!!!!!
- If you see this in the third HTTP redirect request, bad luck: Set-Cookie: AuthCode=deleted;…….


[Diagram: HTTP header token auth: each GET /index.html is answered with an HTTP 302 redirect to /index.html carrying X-Header: foo=bar, and the client repeats GET /index.html with X-Header: foo=bar until the plain GET /index.html is let through]


- API, AJAX or XHR2 is used to deploy the header token
- Not all browsers are compatible with those techniques
- Existing mitigation devices cannot fully use those techniques
- Simulating the traffic flow BYPASSES it!!!!


[Diagram: JavaScript Auth]
GET /index.html -> JS challenge (7+nine=?) -> POST /auth.php ans=16 -> HTTP 302 redir to /index.html -> GET /index.html


- JavaScript is a client-side program
- Find the path “http://a.b.com/auth.js”, download and analyze it.
- Challenge to embedded JavaScript in a botnet, guys using:
  - Simulate the traffic flow
  - Client Deployment Model
  - Server Deployment Model
- Kill ‘Em All is below 1M bytes!!!!!!


[Diagram: Client Deployment Model: the C&C server sends "Cmd: Attack!!!" to bots with an embedded JS engine, which attack the victim]


[Diagram: Server Deployment Model: the C&C server sends "Cmd: Attack!!!"; the bots ask the C&C server "Tell me the ANS, plz~"; the server resolves auth.js (e.g. an application bundle) and the bots attack the victim]


[Diagram: CAPTCHA Auth]
GET /index.html -> CAPTCHA -> POST /auth.php -> HTTP 302 redir to /index.html -> GET /index.html


- JavaScript is a client-side program
- Find the path “http://a.b.com/auth.bmp”, download and analyze it.
- Challenge to embedded CAPTCHA engine in a botnet, guys using:
  - Simulate the traffic flow
  - Client Deployment Model
  - Server Deployment Model

DEFCON has FXXKING many CAPTCHA engines!!!!


- 3 tries per authentication attempt (in practice more likely to succeed)
- True TCP/IP behavior through use of the OS TCP/IP stack
- Auth cookies persist during subsequent dialogues
- JavaScript execution using an embedded JS engine (lack of a complete DOM is an obstacle to full emulation)


CAPTCHA solving steps:
1. Converted to black-and-white for max contrast
2. 3x3 median filter applied for denoising
3. Word segmentation
4. Boundary recognition
5. Pixel difference computed against character map


[Diagram: TCP Traffic Model parameters]
- Number of connections
- Connection hold time before 1st request
- Connection idle timeout after last request
- Connections interval (between successive TCP connections)


[Diagram: HTTP Traffic Model parameters]
- Number of requests per connection
- Requests interval (between successive HTTP requests within one TCP connection)


- True TCP/IP behavior (RST, resend, etc.) through use of a true OS TCP/IP stack
- Believable HTTP headers (User-Agent strings, etc.)
- Embedded JavaScript engine
- CAPTCHA solving capability
- Randomized payload
- Tunable post-authentication traffic model


[Chart: 44 page views, 44 regular traffic]


Testing:
- Against devices: measure attack traffic
- Against services: measure attack traffic


[Results table against devices: Auth Bypass, Post-Auth, Proactive Resource Release]
Testing results under specific conditions, valid as of Jul 13, 2013


[Results table against services: Auth Bypass, Post-Auth, Proactive Resource Release]
Testing results under specific conditions, valid as of Jul 13, 2013

Contact: http://www.bloodspear.org