universal ddos mitigation bypass
play

Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us - PowerPoint PPT Presentation

Dec 07, 2023 •308 likes •764 views

Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge. Independent academic R&D division of Nexusguard building next

  1. Universal DDoS Mitigation Bypass DDoS Mitigation Lab

  2. About Us Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge. Independent academic R&D division of Nexusguard building next generation DDoS mitigation knowledge DDoS Mitigation Lab and collaborate with the defense community.

  3. Outline • DDoS Attack Categories • DDoS Detection and Mitigation Techniques – How they work? – How to bypass / take advantage? • DDoS Mitigation Bypass – How to use our PoC tool? – PoC tool capability • Next-Generation Mitigation

  4. Financial Impact Source: NTT Communications, “Successfully Combating DDoS Attacks”, Aug 2012

  5. Volumetric Attacks • Packet-Rate-Based • Bit-Rate-Based

  6. Semantic Attacks API attacks Hash DoS Apache Killer Teardrop (old textbook example) Slowloris / RUDY SYN Flood (old textbook example) Smurf (old textbook example)

  7. Blended Attacks

  8. Attack Quadrant xxx Gbps+ Volume xxx Mbps+ Simple Sophisticated Complexity

  9. DDoS Mitigations xxx Gbps+ Volume Black- / Whitelisting Proactive Resource Traffic Release Policing xxx Mbps+ Simple Sophisticated Complexity

  10. DDoS Mitigation: Traffic Policing Source: Cisco

  11. DDoS Mitigation: Proactive Resource Release 3. Detect idle / slow TCP connections 2. TCP connection pool starved RST 4. Close idle / slow TCP connections With RST Example: Slowloris Attack 1. Open lots of TCP connections

  12. DDoS Mitigation: Black- / Whitelisting 1.2.3.4 Src: 1.2.3.4 5.6.7.8 Black List (dropped) B 5.6.7.8 Src: 3.4.5.6 3.4.5.6 6.7.8.9 White List = free pass Backend (for awhile / for x amount of volume)

  13. DDoS Mitigation: Source Isolation AS AS AS Source: http://www.cs.duke.edu/nds/ddos/

  14. DDoS Solution: Secure CDN Backend 2: redirect to nearest 3: return server 1: request 4: bypass distribution, attack backend! End User

  15. DDoS Detection xxx Gbps+ Rate Measurement (SNMP) Baselining (Netflow) Volume Big Data Analysis Protocol Sanity (PCAP) Protocol Behavior (PCAP) Application (SYSLOG) xxx Mbps+ Simple Sophisticated Complexity

  16. Rate- / Flow-Based Countermeasures Detection Mitigation

  17. Protocol-Based Countermeasures Detection Mitigation

  18. Blanket Countermeasures Detection Mitigation Traffic Statistics and Behavior Big Data Analysis Source Host Verification

  19. Source Host Verification • TCP SYN Auth • HTTP Redirect Auth • HTTP Cookie Auth • JavaScript Auth • CAPTCHA Auth

  20. PoC Tool

  21. PoC Tool Strengths • True TCP/IP behavior (RST, resend, etc.) • Believable HTTP headers (User-Agent strings, etc.) • Embedded JavaScript engine • CAPTCHA solving capability • Randomized payload • Tunable post-authentication traffic model

  22. PoC Tool: Authentication Bypass

  23. TCP SYN Auth (TCP Reset) SYN SYN ACK ACK RST SYN SYN ACK  ACK

  24. TCP SYN Auth (TCP Out-of-Sequence) SYN SYN ACK RST SYN SYN ACK  ACK

  25. HTTP Redirect Auth GET /index.html HTTP 302 redir dir to to /foo/index.html GET /foo/index.html HTTP 302 redir dir to to /index.html  GET /index.html

  26. HTTP Cookie Auth GET /index.html HTTP 302 redir dir to to /index.html GET /index.html HTTP 302 redir dir to to /index.html  GET /index.html

  27. HTTP Cookie Auth (Header Token) GET /index.html [X-Header: foo=bar] HTTP 302 redir dir to to /index.html [X-Header: foo=bar] GET /index.html [X-Header: foo=bar] HTTP 302 redir dir to to /index.html  [X-Header: foo=bar] GET /index.html [X-Header: foo=bar] GET /index.html

  28. JavaScript Auth GET /index.html JS 7+nine=? ans=16 POST /auth.php HTTP 302 redir dir to to /index.html  GET /index.html

  29. CAPTCHA Auth GET /index.html POST /auth.php HTTP 302 redir dir to to /index.html  GET /index.html

  30. CAPTCHA Pwnage

  31. PoC Tool: TCP Traffic Model

  32. TCP Traffic Model Connection Hold Time Connection Idle Timeout Before 1 st Request After Last Request Number of Connections TCP Connection TCP Connection TCP Connection Connections Connections Interval Interval

  33. PoC Tool: HTTP Traffic Model

  34. HTTP Traffic Model TCP Connection Number of Requests HTTP Connection per Connection HTTP Connection HTTP Connection HTTP Connection Requests Requests Requests Interval Interval Interval

  35. PoC Tool Design • 3 tries per authentication attempt (in practice more likely to success) • True TCP/IP behavior thru use of OS TCP/IP stack • Auth cookies persist during subsequent dialogues • JavaScript execution using embedded JS engine (lack of complete DOM an obstacle to full emulation)

  36. CAPTCHA Bypass Design 1. Converted to black-and-white for max contrast 2. 3x3 median filter applied for denoising 3. Word segmentation 4. Boundary recognition 5. Pixel difference computed against character map

  37. PoC Tool in Action

  38. Testing Environment Against Devices Against Services Measure Measure Attack Attack Traffic Traffic

  39. Mitigation Bypass (Protection Products) Auth Bypass Post-Auth Proactive Resource Release Testing results under specific conditions, valid as of Jul 13, 2013

  40. Mitigation Bypass (Protection Services) Auth Bypass Post-Auth Proactive Resource Release Testing results under specific conditions, valid as of Jul 13, 2013

  41. Next-Generation Mitigation • Client Puzzle – add cost to individual zombies.

  42. Conclusion • DDoS is expensive to business • Existing DDoS protection insufficient • Next-Generation solution should make attack expensive

  43. Thank You! tony.miu@nexusguard.com albert.hui@ntisac.org waileng.lee@ntisac.org http://www.ntisac.org

Recommend

XDP in Practice DDoS Mitigation @Cloudflare Gilberto Bertin About me Systems Engineer at

XDP in Practice DDoS Mitigation @Cloudflare Gilberto Bertin About me Systems Engineer at

XDP in Practice DDoS Mitigation @Cloudflare Gilberto Bertin About me Systems Engineer at Cloudflare London DDoS Mitigation Team Enjoy messing with networking and Linux kernel Agenda Cloudflare DDoS mitigation pipeline Iptables and

802 views • 65 slides
DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology

DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology

1 DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology of work DDoS tactics in-the-wild and how to improve Ready, set, FACEPALM! Q&A ~$ whoami 3 Moshe Zioni, Head of Research,

656 views • 47 slides
Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim

Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim

Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim to DDoS mitigation service SOS "I am getting DoSd" 2 DDoS Transport Choice SOS : Requirements Emergency signal.

247 views • 5 slides
Founded in 1998, Staminus Communications provides revolutionary DDoS mitigation services to

Founded in 1998, Staminus Communications provides revolutionary DDoS mitigation services to

Founded in 1998, Staminus Communications provides revolutionary DDoS mitigation services to millions of users and thousands of companies around the globe. Powered by an ever-expanding global network dedicated to DDoS mitigation and multiple

576 views • 9 slides
Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Introduction: Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation Attacker signals slaves to launch an attack on a specific target address (victim). Slaves then respond by Comp290: Network

275 views • 9 slides
OpenFlow DDoS Mitigation C. Dillon, M. Berkelaar February 9, 2014 University of Amsterdam

OpenFlow DDoS Mitigation C. Dillon, M. Berkelaar February 9, 2014 University of Amsterdam

OpenFlow DDoS Mitigation C. Dillon, M. Berkelaar February 9, 2014 University of Amsterdam Quanza Engineering C. Dillon, M. Berkelaar OpenFlow DDoS Mitigation Introduction Distributed Denial of Service attacks Types of attacks Application

358 views • 18 slides
DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks DDoS Prevention Improving Performance Questions Glossary DDoS - Attempt to make a server or network resource unavailable to Internet

549 views • 30 slides
PennREN DDoS Mitigation Service Technical Overview Zach Bare Network Engineer Agenda Why

PennREN DDoS Mitigation Service Technical Overview Zach Bare Network Engineer Agenda Why

PennREN DDoS Mitigation Service Technical Overview Zach Bare Network Engineer Agenda Why use the DDoS Mitigation Service What the service does not do (currently) Understanding traffic flow PennREN member requirements Activating traffic

389 views • 18 slides
DDOS MITIGATION EXPERIENCE 01. About IP ServerOne Founded in 2003 About 52 Employees

DDOS MITIGATION EXPERIENCE 01. About IP ServerOne Founded in 2003 About 52 Employees

DDOS MITIGATION EXPERIENCE 01. About IP ServerOne Founded in 2003 About 52 Employees IP ServerOne Managing over 4500 physical servers Total 150 Racks in 5 data centers across Malaysia and Singapore Contributing 10% of

479 views • 35 slides
A proactive and collaborative DDoS mitigation strategy for the Dutch critical infrastructure

A proactive and collaborative DDoS mitigation strategy for the Dutch critical infrastructure

A proactive and collaborative DDoS mitigation strategy for the Dutch critical infrastructure Cristian Hesselman 1 , Jeroen van der Ham 2 , Roland van Rijswijk 3 , Jair Santanna 2 , Aiko Pras 2 1) SIDN Labs, 2) University of Twente, 3) SURFnet

463 views • 10 slides
.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary

.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary

.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS A)ack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos A)acks Few Qmes

150 views • 13 slides
Kernel HTTPS/TCP/IP stack for HTTP DDoS mitigation Alexander Krizhanovsky Tempesta Technologies,

Kernel HTTPS/TCP/IP stack for HTTP DDoS mitigation Alexander Krizhanovsky Tempesta Technologies,

Kernel HTTPS/TCP/IP stack for HTTP DDoS mitigation Alexander Krizhanovsky Tempesta Technologies, Inc. ak@tempesta-tech.com Who am I? CEO & CTO at Tempesta Technologies (Seattle, WA) Developing Tempesta FW open source Linux Application

740 views • 48 slides
Future of DDoS Attacks Mitigation in Software Defined Networks Martin Vizvry, Jan Vykopal AIMS

Future of DDoS Attacks Mitigation in Software Defined Networks Martin Vizvry, Jan Vykopal AIMS

Future of DDoS Attacks Mitigation in Software Defined Networks Martin Vizvry, Jan Vykopal AIMS 2014, Brno, July, 1st 2014 Current and Future Networking Traditional networking principles remain mostly unchanged over the past decades.

446 views • 18 slides
Westerham Bypass Presentation for town meeting on 25 th February Context to Bypass discussions

Westerham Bypass Presentation for town meeting on 25 th February Context to Bypass discussions

Westerham Bypass Presentation for town meeting on 25 th February Context to Bypass discussions Squerryes has been asked by WTC to review feasibility of bypass. It is at a very early stage. Bypass has been on the agenda for circa 40 plus

97 views • 8 slides
.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS Attack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos Attacks Few

606 views • 14 slides
DDoS Mitigation at NORDUnet Lars Fischer (w/ big thanks to Martin Aldrin) TF-MSP Meeting Malta,

DDoS Mitigation at NORDUnet Lars Fischer (w/ big thanks to Martin Aldrin) TF-MSP Meeting Malta,

NORDUnet Nordic Infrastructure for Research & Education DDoS Mitigation at NORDUnet Lars Fischer (w/ big thanks to Martin Aldrin) TF-MSP Meeting Malta, 27 November 2014 NORDUnet Basic Nordic infrastructure for Research & Education

307 views • 16 slides
Adaptive Distributed Distributed Traffic Traffic Adaptive Adaptive Distributed Traffic Control

Adaptive Distributed Distributed Traffic Traffic Adaptive Adaptive Distributed Traffic Control

Adaptive Distributed Distributed Traffic Traffic Adaptive Adaptive Distributed Traffic Control Service Service for for DDoS DDoS Attack Attack Control Control Service for DDoS Attack Mitigation Mitigation Mitigation Bernhard Plattner,

474 views • 24 slides
Ca Catch ch M Me If Ca e If Can: A Cl A Clou oud-En -Enabled ed DDoS DDoS De Defen ense

Ca Catch ch M Me If Ca e If Can: A Cl A Clou oud-En -Enabled ed DDoS DDoS De Defen ense

Ca Catch ch M Me If Ca e If Can: A Cl A Clou oud-En -Enabled ed DDoS DDoS De Defen ense e Quan Jia, Huangxin Wang, Dan Fleck, Fei Li, Angelos Stavrou, Walter Powell Presented by Surya Mani Content u Motivation u Related Work u

262 views • 23 slides
Mini-Gastric Bypass Whats in a Name? Mini gastric bypass (MGB) since 1997 Rutledge 2001

Mini-Gastric Bypass Whats in a Name? Mini gastric bypass (MGB) since 1997 Rutledge 2001

Mini-Gastric Bypass Whats in a Name? Mini gastric bypass (MGB) since 1997 Rutledge 2001 One-anastomosis gastric bypass (OAGB) Garcia-Caballero in 2004 Single-anastomosis gastric bypass (SAGB) Lee 2014 Omega loop

814 views • 48 slides
TLD-OPS ccTLD Security and Stability Together ccNSO ICANN 62 June 27, 2018 A first delivery

TLD-OPS ccTLD Security and Stability Together ccNSO ICANN 62 June 27, 2018 A first delivery

TLD-OPS ccTLD Security and Stability Together ccNSO ICANN 62 June 27, 2018 A first delivery : the DDOS Mitigation Playbook The goal of the first workshop was to explore how TLD-OPS members can collaborate to detect and mitigate DDOS

1.12k views • 13 slides
Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent the access to a computer system to it's legitimate users. DDoS: DoS attack on the network using a lot of different source IP Why:

327 views • 16 slides
2400 Baud of Technical Excitement Pretty Sure this begins to date me... DDoS Attacks on the

2400 Baud of Technical Excitement Pretty Sure this begins to date me... DDoS Attacks on the

Security Trends & Tactics AND Strategies of UETN The Quilt Winter Member Meeting 2018 Presented by Troy Jessup, UETN 2400 Baud of Technical Excitement Pretty Sure this begins to date me... DDoS Attacks on the Decline? Mitigation at

742 views • 26 slides
US 81 Bypass of Chickasha US 81 Bypass of Chickasha Environmental Assessment Environmental

US 81 Bypass of Chickasha US 81 Bypass of Chickasha Environmental Assessment Environmental

US 81 Bypass of Chickasha US 81 Bypass of Chickasha Environmental Assessment Environmental Assessment Public Meeting Public Meeting March 14, 2013 US 81 Bypass Environmental Assessment Introductions ODOT FHWA SAIC US 81 Bypass

964 views • 48 slides
DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How

DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How

DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How DDoS works UDP Data Client Server Response TCP DDoS Distributed denial-of-service attack Attacker targets a victim from a number of

356 views • 22 slides

More recommend