Professional Documents
Culture Documents
• Packet-Rate-Based
• Bit-Rate-Based
Semantic Attacks
API attacks
Hash DoS
Apache Killer
Teardrop
(old textbook example)
Slowloris / RUDY
SYN Flood
(old textbook example)
Smurf
(old textbook example)
Blended Attacks
Attack Quadrant
xxx Gbps+
Volume
xxx Mbps+
Simple Sophisticated
Complexity
DDoS Mitigations
xxx Gbps+
Volume
Black- /
Whitelisting
Proactive Resource
Traffic Release
Policing
xxx Mbps+
Simple Sophisticated
Complexity
DDoS Mitigation:
Traffic Policing
Source: Cisco
DDoS Mitigation:
Proactive Resource Release
3. Detect idle / slow TCP connections 2. TCP connection pool starved
RST
Example:
Slowloris Attack 1. Open lots of TCP connections
DDoS Mitigation:
Black- / Whitelisting
1.2.3.4
Src: 1.2.3.4 5.6.7.8
Black List
(dropped)
B
5.6.7.8
Src: 3.4.5.6
3.4.5.6
6.7.8.9
White List = free pass Backend
(for awhile / for x amount of volume)
DDoS Mitigation:
Source Isolation
AS
AS
AS
Source: http://www.cs.duke.edu/nds/ddos/
DDoS Solution: Secure CDN
Backend
2: redirect
3: return to nearest
server
1: request
4: bypass distribution,
attack backend!
End User
DDoS Detection
xxx Gbps+
Rate Measurement
(SNMP)
Baselining
(Netflow)
Volume
Application
(SYSLOG)
xxx Mbps+
Simple Sophisticated
Complexity
Rate- / Flow-Based Countermeasures
Detection
Mitigation
Protocol-Based Countermeasures
Detection
Mitigation
Blanket Countermeasures
Detection
Mitigation
Traffic Statistics and Behavior
Big Data Analysis
SYN
SYN ACK
ACK
RST
SYN
SYN ACK
ACK
TCP SYN Auth (TCP Out-of-Sequence)
SYN
SYN ACK
RST
SYN
SYN ACK
ACK
HTTP Redirect Auth
GET /index.html
GET /foo/index.html
GET /index.html
HTTP Cookie Auth
GET /index.html
GET /index.html
GET /index.html
HTTP Cookie Auth (Header Token)
GET /index.html
[X-Header: foo=bar]
HTTP 302 redir to /index.html
[X-Header: foo=bar]
GET /index.html
[X-Header: foo=bar]
HTTP 302 redir to /index.html
[X-Header: foo=bar]
GET /index.html
[X-Header: foo=bar]
GET /index.html
JavaScript Auth
GET /index.html
JS 7+nine=?
ans=16
POST /auth.php
GET /index.html
CAPTCHA Auth
GET /index.html
POST /auth.php
GET /index.html
CAPTCHA Pwnage
PoC Tool: TCP Traffic Model
TCP Traffic Model
Connection Hold Time Connection Idle Timeout
Before 1st Request After Last Request
Number of Connections
TCP Connection
TCP Connection
TCP Connection
Connections Connections
Interval Interval
PoC Tool: HTTP Traffic Model
HTTP Traffic Model
TCP Connection
Number of Requests
HTTP Connection
per Connection
HTTP Connection
HTTP Connection
HTTP Connection
Measure Measure
Attack Attack
Traffic Traffic
Mitigation Bypass
(Protection Products)
Auth Bypass Post-Auth
Proactive
Resource Release
Proactive
Resource Release