Ddos and mitigation methods.pptx

October 27, 2017 | Author: Ozkan Erdogan | Category: Technology

1. DDOS Attacks and Mitigation Methods
Özkan Erdoğan [email protected]
M.Sc., CISA, CEH, ISO 27001 LA
BTPSec LTD [email protected]
Office: +44 203 2870040, +44 792 6112461
Address: 5 Milton Grove, London, UK

2. What is DOS & DDOS?
★ D = Distributed
○ DOS: focused on vulnerabilities, using a single source
○ DDOS: overflow (volume) focused, using multiple sources
○ The goal of the attacks is to eliminate the availability of the resource

3. What is DDOS

4. Is it possible to mitigate DDoS attacks?
Our experience shows that it is quite possible to mitigate DDoS attacks. However, there are caveats:
❏ Most DDoS attacks are large in volume and saturate your bandwidth: attack volume > target network bandwidth (Mbps). These attacks can be handled by obtaining service from global anti-DDoS providers, e.g. Cloudflare, Incapsula, Akamai.
❏ Other kinds of attacks are usually ineffective if we configure our network with the correct measures.

5. Botnets
Lethic, Cutwail, Grum (spam), Flashback (Mac), Zeus (bank), SpyEye (bank), etc.

6. Botnet Builder ($10)

7. DDoS Survey Results
61% loss of access to information
38% business stop
33% loss of job opportunities
29% reputation loss
26% insurance premium increases

65% received security consultancy
49% more investment in IT
46% started legal processes
43% informed customers
36% applied legal ways
26% informed the media

● Spamhaus
● Chinese domain authority (.cn)
● Pohjola - Finland bank
● Nasdaq
● Bitcoin
● Bank of America

8. DDoS Costs

9. BOTNETs
➔ Controlled by botnet herders
➔ Commanded via: mIRC, HTTP(S), Tor (popular now)
➔ Injection methods: WordPress, Joomla etc.; old Windows systems are the easiest targets.
➔ Botnet members are preferably recruited among data center systems.

10. DDOS events
1. Spamhaus (DNS amplification) 300 Gbps
   a. 11 Feb 2015: new NTP attack: 400 Gbps
2. Brobot (American financial companies)
3. Chinese attacks
4. Russia: DDoS gangs
5. SYN reflection attacks are on the rise.
11. DDOS Detection Methods
➔ Honeypot
➔ Flow
➔ DPI

12. DDOS Mitigation Methods (General)
★ ACL
★ BGP routing (cloud service)
★ Blackhole
★ Mitigation devices (inline, offline)

13. Basic DDOS Attacks
➔ Signature-based attacks (Teardrop, Land, Smurf, Nuke, Fraggle etc.)
➔ Volumetric attacks (legal and illegal attacks)
➔ Reflection (DNS, SYN)
➔ Application-based attacks: e.g. slow attacks
➔ Connection attacks

14. Protocols used in DDOS
➔ TCP/IP
◆ TCP, UDP, ICMP
◆ Other (GRE, ESP etc.)
➔ IPv4
➔ IPv6
➔ Application layer
◆ HTTP, DNS, VoIP etc.

15. IP Spoofing (& How to detect it)
➔ uRPF: Unicast Reverse Path Forwarding.
➔ The source IP of the packet is looked up in the router's FIB table, and the packet is dropped if the route back to that source does not match the interface the packet arrived on.
➔ Authentication
➔ First packet drop: drop the first packet and let the following packets through.

16. Attack Tools
➔ hping, nping, mz, isic
➔ Slowloris, httpflooder, Torshammer, JMeter, ab, httpDOS, R-U-D-Y, PyLoris etc.
➔ Scripts (socket programming: Python, Perl etc.)

17. Volumetric Attacks
Bandwidth-filling attacks
➔ Network attacks (SYN, SYN-ACK, ACK, UDP flood etc.)
➔ Application attacks (HTTP, HTTPS, DNS, VoIP etc.)
➔ Botnet, HOIC, LOIC

18. Application Layer DDOS
➔ Slow attack (Apache): Slowloris, PyLoris etc.
➔ Slow Read: TCP window size
➔ RUDY: HTTP POST
➔ XML DoS
➔ SIP INVITE: multiple UDP calls to overwhelm the server.

19. How to mitigate DDOS attacks?
● WL/BL, whitelist/blacklist (all protocols)
● ACL (all protocols)
● Fingerprint (UDP, DNS)
● Authentication (TCP, HTTP, DNS)
● Session management (DNS, TCP)
● Statistical methods
● Rate limit

20. Syn Flood and Prevention
[Diagram: Attacker → Server: SYN, SYN, SYN, SYN; Server → Attacker: SYN-ACK, SYN-ACK, SYN-ACK]
• The most popular DDoS attack is the SYN flood.
• Protection method: authentication and WL (whitelisting); SYN cookie vs. SYN proxy.
• SYN reflection factor
• SYN flood from real IP addresses: TCP ratio mechanism

21. Syn-Ack Flood and Mitigation
[Diagram: Attacker → Server: SYN-ACK, SYN-ACK, SYN-ACK, SYN-ACK]
• Protection: check the session table to see whether the SYN-ACKs belong to a real session.
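Slide 15 describes uRPF in one sentence; the following Python model, added here and not part of the deck, shows the check in working form: a toy FIB with longest-prefix match, the strict-mode comparison of the source's reverse route against the ingress interface, and the loose-mode variant used where routing is asymmetric. The FIB entries, interface names and packets are constructed for the illustration.

```python
"""Strict and loose uRPF (slide 15) over a constructed FIB. Added example,
not code from the deck. For each packet the *source* address is looked up
in the forwarding table; if a reply to that source would not leave through
the interface the packet arrived on, the source is treated as spoofed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str   # interface the packet arrived on


# Constructed FIB: two customer LANs behind eth1/eth2, default route upstream.
FIB = [
    Route(ipaddress.ip_network("10.1.0.0/16"), "eth1"),
    Route(ipaddress.ip_network("10.1.5.0/24"), "eth2"),   # more specific, other port
    Route(ipaddress.ip_network("192.0.2.0/24"), "eth2"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0"),     # default route to the upstream
]


def lookup(fib, address):
    """Longest-prefix match: the most specific route containing the address."""
    addr = ipaddress.ip_address(address)
    best = None
    for route in fib:
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def urpf_strict(fib, packet):
    """Strict mode: the route back to the source must point out of the very
    interface the packet came in on. Returns (accept, reason)."""
    route = lookup(fib, packet.src)
    if route is None:
        return False, "no route to source"
    if route.interface != packet.in_iface:
        return False, f"source routed via {route.interface}, arrived on {packet.in_iface}"
    return True, "reverse path matches"


def urpf_loose(fib, packet):
    """Loose mode for asymmetric routing: any real route to the source is
    enough; the default route alone does not count, it would accept anything."""
    route = lookup(fib, packet.src)
    if route is None or route.prefix.prefixlen == 0:
        return False, "source not in FIB"
    return True, "source is routable"


def filter_packets(fib, packets, mode="strict"):
    check = urpf_strict if mode == "strict" else urpf_loose
    return [(p, *check(fib, p)) for p in packets]


if __name__ == "__main__":
    sample = [  # constructed packets
        Packet("10.1.7.9", "203.0.113.10", "eth1"),      # genuine customer traffic
        Packet("10.1.5.3", "203.0.113.10", "eth1"),      # belongs to eth2's /24, wrong port
        Packet("198.51.100.4", "203.0.113.10", "eth0"),  # from upstream via default route
        Packet("10.1.7.9", "203.0.113.10", "eth0"),      # customer address arriving from upstream
    ]
    for packet, ok, why in filter_packets(FIB, sample):
        print(f"{packet.src:>14} on {packet.in_iface}: {'ACCEPT' if ok else 'DROP'} ({why})")
```

Strict mode is the one that actually stops spoofed sources at the customer edge; loose mode only rejects addresses that are unroutable altogether, which is why it is the usual choice on peering links where the return path may differ.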
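Slide 20 names SYN cookies as the stateless form of the "authentication" defence against SYN floods. The Python model below is an added example (not the deck's code and not a real TCP stack): it shows only the server-side arithmetic, encoding a time counter, an MSS index and a keyed 24-bit hash into the initial sequence number, then verifying the client's ACK without ever having stored a half-open connection. The secret, MSS table, counter period and all addresses are constructed values.

```python
"""SYN cookie generation and validation (slide 20), server side only.
Added example, not code from the deck. Under a SYN flood the server keeps no
backlog entry per SYN; instead the ISN in its SYN-ACK is a verifiable token.
Only a client that really received the SYN-ACK can send back ISN+1, so
spoofed SYNs cost the server one hash and no memory."""
import hashlib
import hmac
import socket
import struct
import time

SECRET = b"rotate-me-periodically"      # per-server secret (constructed)
MSS_TABLE = (536, 1300, 1440, 1460)     # MSS values the 2-bit index can encode
COUNTER_PERIOD = 64                     # seconds per counter tick
COUNTER_WINDOW = 2                      # accept current and previous tick


def pack_ip(dotted):
    """Dotted IPv4 string -> 4 packed bytes."""
    return socket.inet_aton(dotted)


def _counter(now):
    return int(now // COUNTER_PERIOD)


def _mac24(src, dst, sport, dport, counter):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time tick."""
    msg = struct.pack("!4s4sHHI", src, dst, sport, dport, counter & 0xFFFFFFFF)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, dst, sport, dport, client_mss, now=None):
    """ISN for the SYN-ACK: 6 bits of counter | 2 bits of MSS index | 24-bit MAC."""
    now = time.time() if now is None else now
    counter = _counter(now)
    # Largest table entry not exceeding what the client offered (index 0 if none fits).
    mss_index = max((i for i, mss in enumerate(MSS_TABLE) if mss <= client_mss), default=0)
    return ((counter & 0x3F) << 26) | (mss_index << 24) | _mac24(src, dst, sport, dport, counter)


def check_cookie(src, dst, sport, dport, ack_number, now=None):
    """Validate the handshake's final ACK. The client acknowledges ISN+1, so
    subtract one, split the fields and recompute the MAC for each tick in the
    window. Returns the negotiated MSS, or None if the cookie is invalid."""
    now = time.time() if now is None else now
    isn = (ack_number - 1) & 0xFFFFFFFF
    counter_bits = isn >> 26
    mss_index = (isn >> 24) & 0x3
    mac = (isn & 0xFFFFFF).to_bytes(3, "big")
    current = _counter(now)
    for age in range(COUNTER_WINDOW):
        candidate = current - age
        expected = _mac24(src, dst, sport, dport, candidate).to_bytes(3, "big")
        if (candidate & 0x3F) == counter_bits and hmac.compare_digest(mac, expected):
            return MSS_TABLE[mss_index]
    return None


if __name__ == "__main__":
    client, server = pack_ip("198.51.100.7"), pack_ip("203.0.113.10")
    t0 = 1_700_000_000.0
    isn = make_cookie(client, server, 40000, 443, 1460, now=t0)
    print("SYN-ACK ISN:", hex(isn))
    print("genuine ACK :", check_cookie(client, server, 40000, 443, isn + 1, now=t0 + 5))
    print("wrong port  :", check_cookie(client, server, 40001, 443, isn + 1, now=t0 + 5))
    print("stale ACK   :", check_cookie(client, server, 40000, 443, isn + 1, now=t0 + 3 * COUNTER_PERIOD))
```

The price of statelessness is visible in the layout: TCP options other than a coarse MSS are lost, and an ACK that arrives after the counter window is rejected, which is why real stacks only switch cookies on once the backlog overflows. The SYN proxy the same slide mentions does the equivalent check on a device in front of the server and forwards only completed handshakes.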
22. Ack Flood and Mitigation
[Diagram: Attacker → Server: ACK, ACK, ACK, ACK]
• Protection: check the session table to see whether the ACKs belong to a real session.

23. FIN/RST Flood and Mitigation
[Diagram: Attacker → Server: FIN/RST, FIN/RST, FIN/RST, FIN/RST]
• Protection: check the session table to see whether the packets belong to a real session.

24. Udp Flood and Mitigation
[Diagram: Attacker → Server: UDP, UDP, UDP, UDP]
• UDP is the most effective protocol for DDoS.
• Protection method: payload and header analysis (fingerprint).
• Destination port, source port, TTL and source/destination IP are also checked.
• ACL

25. Icmp Flood and Mitigation
[Diagram: Attacker → Server: ICMP, ICMP, ICMP, ICMP]
• Protection method: payload and header analysis (fingerprint).
• Session check (query, response)
• Rate limit
• ACL

26. TCP Connection Flood & Mitigation
❏ Low-rate attack (protection: the number of connections is analyzed; bot detection methods are used)
❏ TCP null connection attack (no packets after the handshake)
❏ Also check the rates of:
❏ New connections
❏ Total connections per second

27. TCP Retransmission Attack

28. SIP Flood

29. SIP Invite Flood

30. SIP Flood Prevention Methods
➢ Traffic limiting
➢ Source IP limiting
➢ Fingerprint

31. Http(s) Get/Post Flood
[Diagram: Attacker → Server: SYN; Server → Attacker: SYN-ACK; Attacker → Server: ACK, then HTTP GET, HTTP GET, HTTP GET, HTTP GET]

32. Http Ddos Detection & Mitigation Methods
● Authentication (HTTP redirection)
● SSL DDoS (the number of crypto handshake messages increases abnormally)
● Captcha usage
● Fingerprint

33. Example: Http Get Attack

34. DNS Flood
➔ Which DNS is the target: authoritative DNS or cache (resolver) DNS?

35. DNS Attacks - Continued
★ DNS cache poisoning attack
★ DNS reflection attack
★ DNS query/response attacks

36. DNS Query/Response Attacks
[Diagram: Attacker, SP DNS. 1. What is the IP for abc.google.com? 2. What is the IP for abc.google.com? 3. IP = XXX.XXX.XXX = news.google.com. DNS reply flood.]

37. DNS Cache Poisoning
[Diagram: Attacker, SP DNS. 1. What is the IP for abc.google.com? 2. What is the IP for abc.google.com? 3. abc.google.com = x.x.x.x. DNS reply.]
• The attacker attempts to replace the domain information on cache DNS servers with a fake one.
• The attacker has to guess the query ID correctly (which is very easy if query IDs are not random).

38. DNS Reflection
[Diagram: Attacker → open DNS resolvers: 1. What is the IP for abc.google.com? 2. What is the IP for abc.google.com? (resolvers → DNS authority). DNS replies → Victim.]
• The attacker uses the victim's IP address as the source and sends a DNS query to all known DNS servers.
• Thousands of resolvers return the answer to the victim, and the victim is DDoS'ed.

39. DNS Attacks Conclusion:
➔ DNS attacks are very dangerous and can be performed with the least effort and cost.
➔ DDoS attacks are on the rise every year and will quite possibly remain so in the future.
➔ UDP- and DNS-based DDoS attacks are the most effective.

40. Methods To Protect Against DNS Ddos Attacks
➔ Session control (two-way traffic)
➔ DNS proxy, caching
➔ DNS-TCP authentication
➔ First packet drop
➔ Domain name limiting
➔ Traffic limiting

41. An Effective Mitigation Technique: Fingerprinting
The packet header and payload are analyzed to determine a fingerprint of the attack.

42. Syn Reflection

43. DNS Reflection (attack multiplier 10x)

44. NTP Amplification (attack multiplier 300x)
SNMP can also be used for up to 600x; however, SNMP seldom allows unauthenticated clients.
11 February 2015: new NTP attack: 400 Gbps

45. Ddos Summary
● Extremely easy to attack (many free and user-friendly tools)
● Impossible to detect (if the attacker hides correctly)
● Big effects on the victim
● Attack types and methods are broad.
● Every application or service has its own DDoS vulnerabilities
● ...Spoofing is possible and mostly costless
● ...AGAIN... attack tools are free

46. THANKS
QUESTIONS???

