Cutting-Edge Denial of Service Mitigation
Yuri Gushin & Alex Behar
Agenda
- Introduction
- DoS attacks: overview & evolution
- DoS protection technology
  - Operational mode
  - Detection
  - Mitigation
  - Performance
- Wikileaks (LOIC) attack tool analysis
- Roboo release & live
Introduction - who we are
labs
Introduction - what we do
Newton's Third Law (of Denial of Service)
For every action, there is an equal and opposite reaction.
Research
Core
In
Common motives
- Hacktivism
- Extortion
- Rivalry
Most at risk
- On-line businesses, converting uptime to revenue
[Figure: DoS attack impact on the path Internet -> Access Router -> Firewall -> IPS -> Switch -> DMZ. Callouts: bandwidth utilization on the access link; "CPU overloaded" on the Firewall, on the IPS and on the DMZ servers.]
[Figure: Triggering responses ("I'm hit!"). Same path Internet -> Access Router -> Firewall -> IPS -> Switch -> DMZ. Labels: SYN+ACK, HTTP: GET /, HTTP: 200 OK, HTTP: 503 Service Unavailable.]
DoS Protection Technology
- Operational modes
- Detection
- Mitigation

DoS Protection Technology - Operational mode
- Static thresholds
- Adaptive thresholds

DoS Protection Technology - Detection
Rate-based Detection
Rate-based (single-dimensional)
Examples:
- SYNs / second
- HTTP requests / second
- HTTP requests / second / source IP
[Figure: current rate of HTTP requests/second plotted over time against a fixed threshold.]
Behavioral Detection
Behavioral (multi-dimensional)
E.g. PPS, BPS, HTTP requests per second, SIP messages per second, DNS queries per second
attack is ongoing
Behavioral Detection - L3 floods
Example: L3 flood
[Figure: decision space with X, Y and Z axes. Rate dimension: abnormal rate of packets. Ratio dimension: abnormal protocol distribution [%]. Regions: normal area, suspicious area, attack area. Decision = Attack!]
Behavioral Detection - L4 floods
Example: L4 flood
[Figure: decision space with X, Y and Z axes. Rate dimension: abnormal rate of SYN packets. Ratio dimension: abnormal TCP flag distribution [%]. Regions: normal area, suspicious area, attack area. Decision = Attack!]
Behavioral Detection - L7 floods
Example: L7 flood
[Figure: decision space with X, Y and Z axes. Rate dimension: abnormal rate of HTTP requests. Ratio dimension: abnormal content-type distribution [%]. Regions: normal area, suspicious area, attack area. Decision = Attack!]
[Figure: decision space with X, Y and Z axes. Rate dimension: abnormal rate of SYN packets. Ratio dimension: normal TCP flag distribution [%]. The point falls in the suspicious area rather than the attack area. Decision = not an attack!]
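The two detection approaches described in the Rate-based and Behavioral slides above, as an added example that is not from the original deck: a single-dimensional SYN/s threshold, and a two-dimensional rate + ratio decision that separates a SYN flood (abnormal rate and abnormal flag distribution) from a flash crowd (abnormal rate but normal flag distribution, the "not an attack" case). The packet trace, the threshold, the rate factor and the ratio tolerance are all constructed assumptions.

```python
from collections import Counter

def build_sample():
    """Constructed packet trace as (second, src_ip, tcp_flags) tuples (assumption).
    Seconds 0-4: baseline, 20 pkt/s, 20% SYN.
    Seconds 5-7: baseline plus a 200 SYN/s flood from one source.
    Seconds 8-9: flash crowd, 200 pkt/s from many sources with the baseline flag mix."""
    pkts = []
    for s in range(0, 5):
        for i in range(20):
            pkts.append((s, f"10.0.0.{i % 8}", "SYN" if i % 5 == 0 else "ACK"))
    for s in range(5, 8):
        for i in range(20):
            pkts.append((s, f"10.0.0.{i % 8}", "SYN" if i % 5 == 0 else "ACK"))
        for _ in range(200):
            pkts.append((s, "198.51.100.7", "SYN"))
    for s in range(8, 10):
        for i in range(200):
            pkts.append((s, f"203.0.113.{i % 200}", "SYN" if i % 5 == 0 else "ACK"))
    return pkts

# --- Rate-based (single-dimensional) -------------------------------------

def syn_rate_by_second(pkts):
    """SYNs / second."""
    return dict(Counter(s for s, _, f in pkts if f == "SYN"))

def syn_rate_by_second_and_source(pkts):
    """SYNs / second / source IP."""
    return dict(Counter((s, ip) for s, ip, f in pkts if f == "SYN"))

def rate_based_alerts(pkts, syn_threshold):
    """Seconds whose SYN/s exceeds a static threshold. Note that the flash-crowd
    seconds trip it too: a single dimension cannot tell the two apart."""
    return sorted(s for s, n in syn_rate_by_second(pkts).items() if n > syn_threshold)

# --- Behavioral (rate dimension + ratio dimension) -----------------------

def second_stats(pkts, second):
    """(packets per second, SYN share of the TCP flag distribution) for one second."""
    total = sum(1 for s, _, _ in pkts if s == second)
    syn = sum(1 for s, _, f in pkts if s == second and f == "SYN")
    return total, (syn / total if total else 0.0)

def learn_baseline(pkts, seconds):
    """Adaptive baseline: mean pps and mean SYN ratio over known-good seconds."""
    vals = [second_stats(pkts, s) for s in seconds]
    return (sum(t for t, _ in vals) / len(vals), sum(r for _, r in vals) / len(vals))

def behavioral_decision(pps, syn_ratio, base_pps, base_ratio,
                        rate_factor=5.0, ratio_delta=0.25):
    """Both dimensions abnormal -> attack area; one abnormal -> suspicious area;
    neither -> normal area. rate_factor and ratio_delta are assumed tunables."""
    rate_abnormal = pps > base_pps * rate_factor
    ratio_abnormal = abs(syn_ratio - base_ratio) > ratio_delta
    if rate_abnormal and ratio_abnormal:
        return "attack"
    if rate_abnormal or ratio_abnormal:
        return "suspicious"
    return "normal"

def behavioral_decisions(pkts, baseline_seconds):
    """Per-second decision for the whole trace, using a baseline learned from baseline_seconds."""
    base_pps, base_ratio = learn_baseline(pkts, baseline_seconds)
    return {s: behavioral_decision(*second_stats(pkts, s), base_pps, base_ratio)
            for s in sorted({s for s, _, _ in pkts})}

if __name__ == "__main__":
    trace = build_sample()
    print("rate-based alerts:", rate_based_alerts(trace, 30))      # flood and flash crowd
    print("behavioral:", behavioral_decisions(trace, range(5)))    # flood=attack, crowd=suspicious
```

The rate-based detector fires on seconds 5 through 9, the behavioral one classifies seconds 5 to 7 as an attack and 8 to 9 only as suspicious, which is the distinction the last decision-space figure makes.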
DoS Protection Technology - Mitigation
DoS Mitigation Techniques
[Figure: rate limiting. Current rate of HTTP requests/second against a threshold; requests above the threshold are dropped.]
Example: Juno2.c
Drop matches to: SYN
[Figure: path Internet -> Access Router -> Anti-DoS -> Firewall -> IPS -> Switch -> DMZ; the Anti-DoS device drops the matching packets.]
Example: HTTP JavaScript stack verification
[Figure: path Internet -> Access Router -> Anti-DoS -> Firewall -> IPS -> Switch -> DMZ. The client sends HTTP: GET /; the Anti-DoS device answers HTTP: 200 OK carrying HTML + JavaScript instructing the browser to set a cookie and reload.]
[Figure: same path. The client sends HTTP: GET /; the Anti-DoS device answers HTTP: 200 OK carrying an SWF that includes JavaScript code to set a cookie and reload.]
[Figure: same path. The client sends HTTP: GET /; the GET request packet is silently dropped and the client keeps retransmitting (RETRANSMIT, RETRANSMIT, RETRANSMIT). The backend connection is reset (TCP RESET) or avoided completely.]
[Figure: same path. Handshake SYN / SYN+ACK / ACK + Data; the Anti-DoS device replies ACK with window size = 0 and later with window size = 5, and answers the window probes. The attacker's TCP stack enters persist state, periodically sending window probes.]
DoS Protection Technology - Mitigation Performance
DoS Mitigation Performance
- Link
- Most
- Maintaining
- Resilient
Roboo
Open Source HTTP Robot Mitigator
Weeds out:
- Pro, Nessus
- Web exploits
- Automatic comment posters/comment spam, as a replacement for conventional CAPTCHA methods
- Spiders, crawlers and other robotic evil
Gzip compressed
A real browser with full HTTP, HTML, JavaScript and Flash player stacks will re-issue the original request after setting a special HTTP cookie that marks the host as verified.
Marks
Uses
The cookie is calculated as follows:
SHA1(client_IP, timebased_rand, secret) -> 160 bits
- timebased_rand changes every X seconds (cookie validity window)
- secret is a 512-bit randomly-generated value that is initialized when Roboo starts
Integrates
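The HTTP/JavaScript stack verification flow from the mitigation slides together with the Roboo cookie construction just described, as an added example that is not Roboo's code: the front end answers an unverified request with HTML + JavaScript that sets a cookie and reloads, and on the re-issued request checks the cookie against SHA1(client_IP, timebased_rand, secret) for the current validity window. The cookie name, the field separator, the hex encoding, deriving timebased_rand from a window counter and the secret, and accepting one previous window as grace are all assumptions of this example.

```python
import hashlib
import hmac
import os
import re

COOKIE_NAME = "roboo_verified"   # assumed cookie name, not Roboo's actual one

def timebased_rand(window_index, secret):
    """Value that changes every X seconds. Assumption: derived from the window
    counter and the secret so it is reproducible without shared state."""
    return hashlib.sha1(secret + window_index.to_bytes(8, "big")).digest()

def compute_cookie(client_ip, window_index, secret):
    """SHA1(client_IP, timebased_rand, secret) -> 160 bits, hex encoded.
    The '|' separator and hex output are assumptions."""
    tbr = timebased_rand(window_index, secret)
    return hashlib.sha1(b"|".join([client_ip.encode(), tbr, secret])).hexdigest()

def challenge_page(client_ip, now, window_seconds, secret):
    """HTML + JavaScript instructing a real browser to set the cookie and reload."""
    cookie = compute_cookie(client_ip, int(now // window_seconds), secret)
    return ("<html><body><script>\n"
            f'document.cookie = "{COOKIE_NAME}={cookie}; path=/";\n'
            "window.location.reload();\n"
            "</script></body></html>")

def is_verified(client_ip, cookie_value, now, window_seconds, secret, grace_windows=1):
    """Valid if it matches the current window or one of grace_windows previous ones,
    so a cookie set just before the window rolled over still verifies."""
    idx = int(now // window_seconds)
    for w in range(idx, idx - grace_windows - 1, -1):
        if hmac.compare_digest(cookie_value, compute_cookie(client_ip, w, secret)):
            return True
    return False

def handle_request(client_ip, cookies, now, window_seconds, secret):
    """('pass', None) forwards to the backend; ('challenge', html) answers with the challenge."""
    value = cookies.get(COOKIE_NAME)
    if value is not None and is_verified(client_ip, value, now, window_seconds, secret):
        return "pass", None
    return "challenge", challenge_page(client_ip, now, window_seconds, secret)

def cookie_from_challenge(html):
    """What a browser's JavaScript engine would do with the page: the cookie it sets."""
    m = re.search(r'document\.cookie = "([^=]+)=([^;"]+)', html)
    return {m.group(1): m.group(2)} if m else {}

if __name__ == "__main__":
    secret = os.urandom(64)            # 512-bit secret generated at start-up
    now = 1_700_000_000.0
    verdict, html = handle_request("192.0.2.10", {}, now, 60, secret)
    print(verdict)                     # challenge
    jar = cookie_from_challenge(html)  # the browser sets the cookie and reloads
    print(handle_request("192.0.2.10", jar, now + 1, 60, secret)[0])   # pass
```

A cookie is bound to the client IP and to the window in which it was issued, so presenting it from another address, or after the validity window (plus grace) has passed, yields a fresh challenge rather than a pass.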
Demo
Summary
Q&A
Thanks!