DDoS Protection Total Annihilation
DDoS Mitigation Lab
Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge.
Independent academic R&D division of Nexusguard, building next-generation DDoS mitigation knowledge and collaborating with the defense community.
Agenda:
DDoS relevance, attack categories, detection & mitigation
Source host verification, authentication methods: TCP SYN Auth, HTTP Redirect Auth, HTTP Cookie Auth, JavaScript Auth, CAPTCHA Auth
PoC tool: TCP traffic model, HTTP traffic model
Source: NTT Communications, “Successfully Combating DDoS Attacks”, Aug 2012
Attack categories: Volumetric, Semantic, Blended
Chart: attack volume (xxx Mbps+ up to xxx Gbps+) plotted against attack complexity (simple to sophisticated).
Chart: mitigation techniques placed on the same volume/complexity axes: black-/whitelisting, traffic policing, proactive resource release.
Chart: detection techniques placed on the same volume/complexity axes: rate measurement (SNMP), baselining (Netflow), big data analysis, protocol sanity (PCAP), protocol behavior (PCAP), application (SYSLOG).
Traffic pattern simulation, e.g. traffic that looks like it comes from behind a proxy; HTTP header simulation.
Simulate normal traffic pattern and behavior!!!!!
Diagram: attack traffic sent through a proxy, with a distinct User-Agent per connection (e.g. Conn B with User-Agent B).
HTTP headers will change during the attack. For example, the HTTP "Accept" header of the first and second request:
First request:  Accept: */*
Second request: Accept: image/gif, image/jpeg, imag,…..
TCP options against detection: empower attack power
Diagram: TCP handshake under the tool's control: SYN -> SYN ACK -> ACK -> (connection hold time) -> Push ACK (HTTP request, e.g. GET, POST) -> ACK -> Push ACK …
Full control of every TCP state!!!!
OLD-FASHIONED GET Flood: SYN -> SYN ACK -> ACK -> Push ACK (HTTP GET) -> ACK -> FIN ACK -> connections closed…
Server: high CPU and a constant number of connections, but still ALIVE!!!
Kill ‘EM ALL!!!!!!: SYN -> SYN ACK -> ACK -> Push ACK (HTTP request) -> ACK -> Push ACK (HTTP request) -> ACK … (connections are never closed)
Server: high memory, high CPU and number of connections increasing ------------------------ HTTP 503 Service Unavailable
Source host verification, authentication methods: TCP SYN Auth, HTTP Redirect Auth, HTTP Cookie Auth, JavaScript Auth, CAPTCHA Auth
TCP SYN Auth (TCP RST variant): SYN -> SYN ACK -> ACK -> RST, then SYN -> SYN ACK -> ACK passes through
TCP SYN Auth (TCP out-of-seq variant): SYN -> SYN ACK -> RST, then SYN -> SYN ACK -> ACK passes through
Spoofed source IP: SYN (spoofed src IP) -> SYN ACK -> RST (may come from the real host)
TCP RST and TCP out-of-seq are the SAME!!!!!!
Handling a real user access:

TCP RST                        TCP out of seq
TCP Flag    Total Length       TCP Flag    Total Length
SYN         60                 SYN         60
SYN ACK     40                 SYN ACK     40
ACK         40                 RST         40
RST         40
Total       180 Bytes          Total       140 Bytes

P.S. TCP SYN packet size = header length + Total Length
Same, but spoofing a real host's IP as src IP: SYN (spoofed) -> SYN ACK (reaches the real host) -> RST (from the real host), then the attacker's next SYN passes through
33% of attack traffic bypassed
The traditional SYN flood packet is 40 bytes and carries no TCP options.
How to simulate real SYN traffic: in the IP layer, randomize TTL; in the TCP layer, randomize the window size and add the correct options, e.g. Maximum Segment Size, etc.
A 48-60 byte TCP SYN flood attack is a nightmare
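The out-of-sequence SYN authentication exchange and the byte counts in the table above, modelled in Python as an added example (not the Lab's PoC tool and not any vendor's implementation); the gateway class, the source addresses and the packet traces are constructed. It also replays the spoofed-real-host case from the slide, which shows the limit of admitting sources by IP alone: the live host's own RST vouches for the attacker.

```python
from dataclasses import dataclass, field

# Segment sizes from the table above: a SYN with options is 60 bytes, the rest 40.
SIZE = {"SYN": 60, "SYN-ACK": 40, "ACK": 40, "RST": 40}

@dataclass
class SynAuthGateway:
    """Out-of-sequence SYN authentication keyed on source IP (constructed model)."""
    challenged: set = field(default_factory=set)  # sent our bogus SYN-ACK, no RST yet
    proven: set = field(default_factory=set)      # replied RST; waiting for the retry SYN
    verified: set = field(default_factory=set)    # admitted; traffic reaches the origin
    log: list = field(default_factory=list)       # (src, flags, decision, bytes on wire)

    def on_packet(self, src: str, flags: str) -> str:
        if src in self.verified:
            decision = "forward"
        elif flags == "SYN" and src in self.proven:
            self.proven.discard(src)
            self.verified.add(src)
            decision = "forward"
        elif flags == "SYN" and src not in self.challenged:
            self.challenged.add(src)
            decision = "challenge"  # answer with a SYN-ACK carrying a wrong ack number
        elif flags == "RST" and src in self.challenged:
            self.challenged.discard(src)
            self.proven.add(src)
            decision = "noted"
        else:
            decision = "drop"  # e.g. a retransmitted SYN with no RST in between
        wire = SIZE.get(flags, 40) + (SIZE["SYN-ACK"] if decision == "challenge" else 0)
        self.log.append((src, flags, decision, wire))
        return decision

def replay(events):
    """Feed a constructed (src, flags) trace through a fresh gateway."""
    gw = SynAuthGateway()
    return [gw.on_packet(src, flags) for src, flags in events], gw

def challenge_bytes(src, gw) -> int:
    """Bytes spent on the authentication exchange itself (SYN, SYN-ACK, RST)."""
    return sum(w for s, _, d, w in gw.log if s == src and d in ("challenge", "noted"))

# Constructed traces (addresses are private/documentation ranges, not real hosts).
REAL_CLIENT = [("10.0.0.5", "SYN"), ("10.0.0.5", "RST"), ("10.0.0.5", "SYN"),
               ("10.0.0.5", "ACK"), ("10.0.0.5", "PSH-ACK")]
# Unreachable spoofed source: it never sees the SYN-ACK, so no RST ever comes back.
SPOOFED_DEAD = [("203.0.113.9", "SYN"), ("203.0.113.9", "SYN"), ("203.0.113.9", "SYN")]
# The bypass shown above: the spoofed address belongs to a live host whose stack RSTs
# the unsolicited SYN-ACK, so the next spoofed SYN from that address is admitted.
SPOOFED_LIVE = [("198.51.100.7", "SYN"), ("198.51.100.7", "RST"), ("198.51.100.7", "SYN")]
```

The real client's exchange costs 140 bytes (60 + 40 + 40), matching the out-of-seq column of the table.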
HTTP Redirect Auth: GET /index.html -> HTTP 302 redirect to /foo/index.html -> GET /foo/index.html -> HTTP 302 redirect to /index.html -> GET /index.html
HTTP/1.1 302 Found\r\n
Location: http://a.c.com\r\n
Loop the script until “HTTP/1.1 200 OK”
HTTP Cookie Auth: GET /index.html -> HTTP 302 redirect to /index.html -> GET /index.html -> HTTP 302 redirect to /index.html -> GET /index.html
Set-Cookie: AuthCode=d8e; expires=Mon, 23-Dec-2019 23:50:00 GMT; ……., etc
If the expiry date and time is only hours or minutes away, that is our RE-AUTH threshold!!!!!!!!
If you see this in the third HTTP redirect request, Set-Cookie: AuthCode=deleted;……. bad luck
HTTP header token auth: GET /index.html -> HTTP 302 redirect to /index.html [X-Header: foo=bar] -> GET /index.html [X-Header: foo=bar] -> HTTP 302 redirect to /index.html [X-Header: foo=bar] -> GET /index.html [X-Header: foo=bar] -> GET /index.html
API, AJAX or XHR2 is used to deploy the header token. Not all browsers are compatible with those techniques, so existing mitigation devices cannot fully use them. Simulate the traffic flow and BYPASS it!!!!
JavaScript Auth: GET /index.html -> JS challenge (7+nine=?) -> POST /auth.php ans=16 -> HTTP 302 redirect to /index.html -> GET /index.html
JavaScript is a client-side program: find the path “http://a.b.com/auth.js”, download and analyze it.
Challenge: embedding JavaScript in a botnet. Guys are using: simulating the traffic flow; client deployment model; server deployment model.
Kill ‘Em All is below 1M bytes!!!!!!
Client deployment model: the C&C server sends “Cmd: Attack!!!”; each bot carries its own JS engine and attacks the victim directly.
Server deployment model: the C&C server sends “Cmd: Attack!!!”; the bots ask the server “Tell me the ANS, plz~”, the server resolves auth.js (e.g. as an application bundle), and the bots attack the victim.
CAPTCHA Auth: GET /index.html -> CAPTCHA challenge -> POST /auth.php -> HTTP 302 redirect to /index.html -> GET /index.html
JavaScript is a client-side program: find the path “http://a.b.com/auth.bmp”, download and analyze it.
Challenge: embedding a CAPTCHA engine in a botnet. Guys are using: simulating the traffic flow; client deployment model; server deployment model.
DEFCON has FXXKING many CAPTCHA engines!!!!
3 tries per authentication attempt (in practice more likely to succeed)
True TCP/IP behavior through use of the OS TCP/IP stack. Auth cookies persist during subsequent dialogues. JavaScript execution using an embedded JS engine (lack of a complete DOM is an obstacle to full emulation).
1. Converted to black-and-white for max contrast
2. 3x3 median filter applied for denoising
3. Word segmentation
4. Boundary recognition
5. Pixel difference computed against character map
TCP traffic model parameters: number of connections; connection hold time before 1st request; connection idle timeout after last request; interval between connections (diagram: several TCP connections separated by connection intervals).
HTTP traffic model parameters: number of requests per connection; interval between requests (diagram: one TCP connection carrying several HTTP requests separated by request intervals).
True TCP/IP behavior (RST, resend, etc.) through use of a true OS TCP/IP stack. Believable HTTP headers (User-Agent strings, etc.). Embedded JavaScript engine. CAPTCHA solving capability. Randomized payload. Tunable post-authentication traffic model.
Chart: regular traffic, 44 page views.
Test setup: against devices and against services; measure attack traffic in each case.
Results table: columns Post-Auth, Auth Bypass, Proactive Resource Release.
Testing results under specific conditions, valid as of Jul 13, 2013
Second results table: columns Auth Bypass, Post-Auth, Proactive Resource Release.
Testing results under specific conditions, valid as of Jul 13, 2013
[email protected] [email protected] http://www.bloodspear.org