SlideShare une entreprise Scribd logo

Tweaking to get away from Application Layer DoS attacks

Sergey Shekyan
Sergey Shekyan

The document discusses denial of service (DoS) attacks, specifically the Slowloris and Slow POST attacks. Slowloris keeps HTTP connections open by sending partial or incomplete headers in requests, while Slow POST sends complete headers but sends the message body in incomplete chunks to keep connections open. Both attacks aim to exhaust the pool of available connections on a server. The document also provides details on how these attacks work and examples of the request syntax used to execute the attacks.

1  sur  72
Télécharger pour lire hors ligne
BSidesDetroit2012 Tweaking to get away from SlowDOS Sergey Shekyan, Senior Software Engineer June 2nd, 2012 Thursday, December 13, 12
BSIDES DETROIT 2012 22 Thursday, December 13, 12
Denial of Service Attacks BSIDES DETROIT 2012 22 Thursday, December 13, 12
Denial of Service Attacks BSIDES DETROIT 2012 22 Thursday, December 13, 12
Types of attack There is a variety of forms aiming at a variety of services: − Traffic consuming attacks (DNS, firewall, router, load balancer, OS, etc.) − Application Layer attacks (web server, media server, mail server) BSIDES DETROIT 2012 33 Thursday, December 13, 12
Network Layer attacks BSIDES DETROIT 2012 44 Thursday, December 13, 12
Network Layer attacks BSIDES DETROIT 2012 44 Thursday, December 13, 12
Application Layer attacks BSIDES DETROIT 2012 55 Thursday, December 13, 12
Application Layer attacks BSIDES DETROIT 2012 55 Thursday, December 13, 12
What is low-bandwidth attack? Slowloris GET Flood 400 300 Mbps/sec 200 100 0 0 10 20 30 40 Seconds BSIDES DETROIT 2012 66 Thursday, December 13, 12
DDoS economics § DDoS attacks are affordable (from $5/hour) § DDoS attack is a great way to promote your start-up (attacks on Russian travel agencies are 5 times as frequent in high season) § Longest attack detected by Kaspersky DDos Prevention System in the second half of 2011 targeted a travel agency website and lasted 80 days 19 hours 13 minutes 05 seconds § Akamai reports DDoS attack incidents soar 2,000 percent in the past three years BSIDES DETROIT 2012 77 Thursday, December 13, 12
Actual page from a forum offering DDoS services § We take projects with anti-DDoS § Wholesale discounts § We are clear against the law § Best quality-to-dollar ratio § $5/hour, $40/day, $260/week, $900/month BSIDES DETROIT 2012 88 Thursday, December 13, 12
Same botnet operator offering menu: § HTTP GET flood § HTTP POST flood § Download flood § UDP flood § SYN flood BSIDES DETROIT 2012 99 Thursday, December 13, 12
Application Layer DoS attacks § Slow HTTP headers attack (a.k.a. Slowloris) § Slow HTTP message body attack (a.k.a Slow Post) § Slow read HTTP attack (a.k.a. TCP Persist Timer exploit) BSIDES DETROIT 2012 10 Thursday, December 13, 12
Demo time BSIDES DETROIT 2012 11 Thursday, December 13, 12
What is common? § All mentioned attacks aim at draining the pool of concurrent connections (usually relatively small) BSIDES DETROIT 2012 12 Thursday, December 13, 12
HyperText Transfer Protocol (HTTP) Message syntax Per RFC 2616 generic-message = start-line *(message-header CRLF) CRLF [ message-body ] start-line = Request-Line | Status-Line BSIDES DETROIT 2012 13 Thursday, December 13, 12
HyperText Transfer Protocol (HTTP) Message example GET /page.htm HTTP/1.1CRLF Host: www.example.com:8080CRLF Content-Length: 25CRLF CRLF Optional Message Body BSIDES DETROIT 2012 14 Thursday, December 13, 12
Slowloris §Low bandwidth attack that sends HTTP requests with incomplete headers. Continues to send headers at regular intervals to keep the sockets active §First mentioned by Adrian Ilarion Ciobanu in 2007 and implemeted by Robert Hansen in 2009 BSIDES DETROIT 2012 15 Thursday, December 13, 12
How slowloris works Client Server BSIDES DETROIT 2012 16 Thursday, December 13, 12
How slowloris works GET  /  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rn X-­‐sadwqeq:  dfg4t3rn Client Server BSIDES DETROIT 2012 16 Thursday, December 13, 12
How slowloris works GET  /  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rn X-­‐sadwqeq:  dfg4t3rn 59  seconds  later Client Server BSIDES DETROIT 2012 16 Thursday, December 13, 12
How slowloris works GET  /  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rn X-­‐sadwqeq:  dfg4t3rn 59  seconds  later Client X-­‐4rete:  fdsgvryrn Server BSIDES DETROIT 2012 16 Thursday, December 13, 12
How slowloris works GET  /  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rn X-­‐sadwqeq:  dfg4t3rn 59  seconds  later Client X-­‐4rete:  fdsgvryrn Server 59  seconds  later BSIDES DETROIT 2012 16 Thursday, December 13, 12
How slowloris works GET  /  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rn X-­‐sadwqeq:  dfg4t3rn 59  seconds  later Client X-­‐4rete:  fdsgvryrn Server 59  seconds  later X-­‐4rete:  fdsgvryrn BSIDES DETROIT 2012 16 Thursday, December 13, 12
How slowloris works GET  /  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rn X-­‐sadwqeq:  dfg4t3rn 59  seconds  later Client X-­‐4rete:  fdsgvryrn Server 59  seconds  later X-­‐4rete:  fdsgvryrn 59  seconds  later BSIDES DETROIT 2012 16 Thursday, December 13, 12
How slowloris works GET  /  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rn X-­‐sadwqeq:  dfg4t3rn 59  seconds  later Client X-­‐4rete:  fdsgvryrn Server 59  seconds  later X-­‐4rete:  fdsgvryrn 59  seconds  later X-­‐egyr7j:  8ihrn BSIDES DETROIT 2012 16 Thursday, December 13, 12
How slowloris works GET  /  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rn X-­‐sadwqeq:  dfg4t3rn 59  seconds  later Client X-­‐4rete:  fdsgvryrn Server 59  seconds  later X-­‐4rete:  fdsgvryrn 59  seconds  later X-­‐egyr7j:  8ihrn ... BSIDES DETROIT 2012 16 Thursday, December 13, 12
Slow POST § Attack that sends HTTP requests with complete headers but incomplete message body. Continues to send data at regular intervals to keep the sockets active § Discovered by Wong Onn Chee and popularized by Tom Brennan in 2009 BSIDES DETROIT 2012 17 Thursday, December 13, 12
How Slow POST works Client Server BSIDES DETROIT 2012 18 Thursday, December 13, 12
How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn Client Server BSIDES DETROIT 2012 18 Thursday, December 13, 12
How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn rn Client Server BSIDES DETROIT 2012 18 Thursday, December 13, 12
How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn rn 59  seconds  later Client Server BSIDES DETROIT 2012 18 Thursday, December 13, 12
How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn rn 59  seconds  later Client Server foo=barrn BSIDES DETROIT 2012 18 Thursday, December 13, 12
How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn rn 59  seconds  later Client Server foo=barrn 59  seconds  later BSIDES DETROIT 2012 18 Thursday, December 13, 12
How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn rn 59  seconds  later Client Server foo=barrn 59  seconds  later &Owkuvj5=POaLLIrn BSIDES DETROIT 2012 18 Thursday, December 13, 12
How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn rn 59  seconds  later Client Server foo=barrn 59  seconds  later &Owkuvj5=POaLLIrn 59  seconds  later BSIDES DETROIT 2012 18 Thursday, December 13, 12
How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn rn 59  seconds  later Client Server foo=barrn 59  seconds  later &Owkuvj5=POaLLIrn 59  seconds  later &uWat9wGqrP4SxV=SN3qrn BSIDES DETROIT 2012 18 Thursday, December 13, 12
How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn rn 59  seconds  later Client Server foo=barrn 59  seconds  later &Owkuvj5=POaLLIrn 59  seconds  later &uWat9wGqrP4SxV=SN3qrn ... BSIDES DETROIT 2012 18 Thursday, December 13, 12
Slow Read § Attack that keeps server sockets busy by maliciously throttling down the receipt of large HTTP responses § Uses known Network Layer flaws to aim Application Layer § First mentioned by Outpost24 in sockstress. Implemented as part of nkiller2 by Fotis Hantzis, a.k.a. ithilgore in 2009 BSIDES DETROIT 2012 19 Thursday, December 13, 12
Related TCP details   §“Window size (16 bits) – the size of the receive window, which specifies the number of bytes (beyond the sequence number in the acknowledgment field) that the sender of this segment is currently willing to receive” – Wikipedia BSIDES DETROIT 2012 20 Thursday, December 13, 12
How Slow Read works Client Server Send  buffer Recv  buffer BSIDES DETROIT 2012 21 Thursday, December 13, 12
How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn Send  buffer Recv  buffer BSIDES DETROIT 2012 21 Thursday, December 13, 12
How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes Send  buffer Recv  buffer BSIDES DETROIT 2012 21 Thursday, December 13, 12
How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes bigpage.html Send  buffer Recv  buffer BSIDES DETROIT 2012 21 Thursday, December 13, 12
How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes HTTP/1.1  200  OKrn Content-­‐Length:  131072rn bigpage.html Content-­‐type:  text/htmlrnrn  message Send  buffer Recv  buffer BSIDES DETROIT 2012 21 Thursday, December 13, 12
How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes HTTP/1.1  200  OKrn Content-­‐Length:  131072rn bigpage.html Content-­‐type:  text/htmlrnrn  message Kernel  to  app:  I  can  send  only  32  bytes  now Send  buffer Recv  buffer BSIDES DETROIT 2012 21 Thursday, December 13, 12
How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes HTTP/1.1  200  OKrn Content-­‐Length:  131072rn bigpage.html Content-­‐type:  text/htmlrnrn  message Kernel  to  app:  I  can  send  only  32  bytes  now Send  buffer Recv  buffer m bi e. p h a g g t l BSIDES DETROIT 2012 21 Thursday, December 13, 12
How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes HTTP/1.1  200  OKrn Content-­‐Length:  131072rn bigpage.html Content-­‐type:  text/htmlrnrn  message Kernel  to  app:  I  can  send  only  32  bytes  now Got  it,  wait  for  now  (ACK  window  0) Send  buffer Recv  buffer m bi e. p h a g g t l BSIDES DETROIT 2012 21 Thursday, December 13, 12
How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes HTTP/1.1  200  OKrn Content-­‐Length:  131072rn bigpage.html Content-­‐type:  text/htmlrnrn  message Kernel  to  app:  I  can  send  only  32  bytes  now Got  it,  wait  for  now  (ACK  window  0) Send  buffer Recv  buffer 90 Are  you  ready  to  receive  more  bytes? m bi e. p h a g g t l BSIDES DETROIT 2012 21 Thursday, December 13, 12
How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes HTTP/1.1  200  OKrn Content-­‐Length:  131072rn bigpage.html Content-­‐type:  text/htmlrnrn  message Kernel  to  app:  I  can  send  only  32  bytes  now Got  it,  wait  for  now  (ACK  window  0) Send  buffer Recv  buffer 90 Are  you  ready  to  receive  more  bytes? m bi e. p h a g g t l OK,  give  me  another  32  bytes BSIDES DETROIT 2012 21 Thursday, December 13, 12
How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes HTTP/1.1  200  OKrn Content-­‐Length:  131072rn bigpage.html Content-­‐type:  text/htmlrnrn  message Kernel  to  app:  I  can  send  only  32  bytes  now Got  it,  wait  for  now  (ACK  window  0) Send  buffer Recv  buffer 90 Are  you  ready  to  receive  more  bytes? m bi e. p h a g g t l OK,  give  me  another  32  bytes ... BSIDES DETROIT 2012 21 Thursday, December 13, 12
Prerequisites for successful Slow Read attack The larger server response is - increasing the chances of prolonging the connection §make server generate a data stream that doesn't fully fit into socket's send buffer (65536 bytes is default on most Linux systems /proc/sys/net/ipv4/tcp_wmem, if server doesn't set its own value) §Request large resource by naturally finding it and/or amplifying the response size by using HTTP pipelining. Dynamic resources are welcome. BSIDES DETROIT 2012 22 Thursday, December 13, 12
Prerequisites for successful Slow Read attack The larger server response is - increasing the chances of prolonging the connection §make server generate a data stream that doesn't fully fit into socket's send buffer (65536 bytes is default on most Linux systems /proc/sys/net/ipv4/tcp_wmem, if server doesn't set its own value) §Request large resource by naturally finding it and/or amplifying the response size by using HTTP pipelining. Dynamic resources are welcome. Rme BSIDES DETROIT 2012 22 Thursday, December 13, 12
Why is Slow Read is different? Traditional (slowloris/slowpost) DoS § Customer stuck deciding what he wants § Makes an order § Pays § Takes the order § Next! BSIDES DETROIT 2012 23 Thursday, December 13, 12
Why is Slow Read is different? Traditional (slowloris/slowpost) DoS § Customer stuck deciding what he wants § Makes an order It  is  possible  to  idenRfy  and  isolate   slow  client  in  his  request  state § Pays § Takes the order § Next! BSIDES DETROIT 2012 23 Thursday, December 13, 12
Why Slow Read is different? Slow Read DoS § Makes an order for party of 50 § Pays § Cannot take the entire order with him, makes several trips to the car. § Next! BSIDES DETROIT 2012 24 Thursday, December 13, 12
Why Slow Read is different? Slow Read DoS § Makes an order for party it  is  quite  late  to  do  anything,  as   of 50 the  request  was  already  accepted   and  processed § Pays § Cannot take the entire order with him, makes several trips to the car. § Next! BSIDES DETROIT 2012 24 Thursday, December 13, 12
Why is Slow Read is different? § Customer stuck deciding § Makes an order for party what he wants Makes an of 50 orderPays Takes the order § Pays Next! § Cannot take the entire order with him, makes several trips to the car § Next! BSIDES DETROIT 2012 25 Thursday, December 13, 12
Why is Slow Read is different? (continued) § Defense mechanisms expect the crushing fist of malice to appear in the request § Instead, the entire transaction should be monitored BSIDES DETROIT 2012 26 Thursday, December 13, 12
Am I vulnerable? § There is a good chance that you are. Default configurations of nginx, lighttpd, IIS, Apache, Varnish cache proxy, Shoutcast streaming server - are vulnerable to at least one of the mentioned attacks BSIDES DETROIT 2012 27 Thursday, December 13, 12
What should I do? § Use available tools to simulate attacks. SlowHTTPTest covers all mentioned attacks and some more at http://slowhttptest.googlecode.com § Check out http://slowhammer.me soon to get access to your own whitehat botnet in the cloud § Use Qualys WAF or other firewalls that are supposed to protect, but test before you pay! BSIDES DETROIT 2012 28 Thursday, December 13, 12
Detection and Mitigation § Drop connections with abnormally small TCP advertised window(s) § Set an absolute connection timeout, if possible § Limit length, number of headers to accept § Limit max size of message body to accept § Drop connections with HTTP methods (verbs) not supported by the URL § Limit accepted header and message body to a minimal reasonable length § Define the minimum data rate, and drop connections that are slower than that rate BSIDES DETROIT 2012 29 Thursday, December 13, 12
Detection and Mitigation continued § Qualys Web Application Scanner passively detects the slow attack vulnerabilities § ModSecurity v2.6 introduced a directive called SecWriteStateLimit that places a time limit on the concurrent number of threads (per IP address) § Snort is working on detecting connections with small TCP advertised window(s) § Christian Folini introduced Flying Frog script at https://www.netnea.com BSIDES DETROIT 2012 30 Thursday, December 13, 12
Example of misconfiguration § Even if the server is configured to handle tens of thousands of concurrent connections, the OS might still create a bottleneck by limiting the server by the number of open file descriptors BSIDES DETROIT 2012 31 Thursday, December 13, 12
Are anti-DoS solutions going to help? § Have no idea, test yourself! BSIDES DETROIT 2012 32 Thursday, December 13, 12
Who reacted first? BSIDES DETROIT 2012 33 Thursday, December 13, 12
Who reacted first? BSIDES DETROIT 2012 33 Thursday, December 13, 12
Who reacted first? Those who really care - gamers! Open Transport Tycoon Deluxe found that by using a slow read type attack, it is possible to prevent anyone from joining a game server with virtually no resources. Patches for all affected version where released within a week! BSIDES DETROIT 2012 33 Thursday, December 13, 12
Summary § Even though the simpliest distributed DoS attacks are enough to knock down most web sites today, the nature of the attack will be sure to improve, and it’s better to be ready or, at least be aware of upcoming problems. BSIDES DETROIT 2012 34 Thursday, December 13, 12
References ModSecurity Advanced Topic of the Week: Mitigation of 'Slow Read" Denial of Service Attack http://blog.spiderlabs.com/2012/01/modsecurity-advanced-topic-of-the-week-mitigation-of- slow-read-denial-of-service-attack.html DDoS attacks in H2 2011 http://www.securelist.com/en/analysis/204792221/DDoS_attacks_in_H2_2011 The State of the Internet http://www.akamai.com/stateoftheinternet/ Evaluation of slowhttptest against servers protected by CloudFlare http://samsclass.info/123/proj10/slow-read.html Blog posts on hardening web servers https://community.qualys.com/blogs/securitylabs/ BSIDES DETROIT 2012 35 Thursday, December 13, 12
Thank you! sshekyan@qualys.com @sshekyan Thursday, December 13, 12

Recommandé

OpenSplice DDS v5.1
OpenSplice DDS v5.1OpenSplice DDS v5.1
OpenSplice DDS v5.1Angelo Corsaro
 
Harris Bdr
Harris BdrHarris Bdr
Harris Bdrwericsmith
 
Tweeting with OpenSplice DDS
Tweeting with OpenSplice DDSTweeting with OpenSplice DDS
Tweeting with OpenSplice DDSAngelo Corsaro
 
Ad disasters & how to prevent them
Ad disasters & how to prevent themAd disasters & how to prevent them
Ad disasters & how to prevent themConcentrated Technology
 
Buffer Size Matters, within Limits
Buffer Size Matters, within LimitsBuffer Size Matters, within Limits
Buffer Size Matters, within LimitsDavid Gray
 
The Impact of Disk Fragmentation On Servers
The Impact of Disk Fragmentation On ServersThe Impact of Disk Fragmentation On Servers
The Impact of Disk Fragmentation On ServersDiskeeper
 
Turning your surveillance camera against you
Turning your surveillance camera against youTurning your surveillance camera against you
Turning your surveillance camera against youSergey Shekyan
 
Detecting headless browsers
Detecting headless browsersDetecting headless browsers
Detecting headless browsersSergey Shekyan
 

Recommandé

OpenSplice DDS v5.1
OpenSplice DDS v5.1OpenSplice DDS v5.1
OpenSplice DDS v5.1Angelo Corsaro
 
Harris Bdr
Harris BdrHarris Bdr
Harris Bdrwericsmith
 
Tweeting with OpenSplice DDS
Tweeting with OpenSplice DDSTweeting with OpenSplice DDS
Tweeting with OpenSplice DDSAngelo Corsaro
 
Ad disasters & how to prevent them
Ad disasters & how to prevent themAd disasters & how to prevent them
Ad disasters & how to prevent themConcentrated Technology
 
Buffer Size Matters, within Limits
Buffer Size Matters, within LimitsBuffer Size Matters, within Limits
Buffer Size Matters, within LimitsDavid Gray
 
The Impact of Disk Fragmentation On Servers
The Impact of Disk Fragmentation On ServersThe Impact of Disk Fragmentation On Servers
The Impact of Disk Fragmentation On ServersDiskeeper
 
Turning your surveillance camera against you
Turning your surveillance camera against youTurning your surveillance camera against you
Turning your surveillance camera against youSergey Shekyan
 
Detecting headless browsers
Detecting headless browsersDetecting headless browsers
Detecting headless browsersSergey Shekyan
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and RiskSukbum Hong
 
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS Protection
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS ProtectionPLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS Protection
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS ProtectionPROIDEA
 
DDS QoS Unleashed
DDS QoS UnleashedDDS QoS Unleashed
DDS QoS UnleashedAngelo Corsaro
 
Getting Started with OpenSplice DDS Community Ed.
Getting Started with OpenSplice DDS Community Ed.Getting Started with OpenSplice DDS Community Ed.
Getting Started with OpenSplice DDS Community Ed.Angelo Corsaro
 
Open Cloud System Networking Vision
Open Cloud System Networking VisionOpen Cloud System Networking Vision
Open Cloud System Networking VisionRandy Bias
 
Why Speed Matters
Why Speed MattersWhy Speed Matters
Why Speed Mattersdarinrs
 
Remote mobile debugging
Remote mobile debuggingRemote mobile debugging
Remote mobile debuggingPatrick D'Souza
 
[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...
[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...
[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...Imperva Incapsula
 
Solving MySQL replication problems with Tungsten
Solving MySQL replication problems with TungstenSolving MySQL replication problems with Tungsten
Solving MySQL replication problems with TungstenGiuseppe Maxia
 
08 - IDNOG04 - Anton Purba (Amandata) - On-Premise, Cloud or Hybrid? DDoS Mit...
08 - IDNOG04 - Anton Purba (Amandata) - On-Premise, Cloud or Hybrid? DDoS Mit...08 - IDNOG04 - Anton Purba (Amandata) - On-Premise, Cloud or Hybrid? DDoS Mit...
08 - IDNOG04 - Anton Purba (Amandata) - On-Premise, Cloud or Hybrid? DDoS Mit...Indonesia Network Operators Group
 
M4 internet systems & applications I
M4 internet systems & applications IM4 internet systems & applications I
M4 internet systems & applications IJosep Bardallo
 
20140313_tu_delft
20140313_tu_delft20140313_tu_delft
20140313_tu_delftUniversity of Twente
 
Advanced DNS Protection
Advanced DNS ProtectionAdvanced DNS Protection
Advanced DNS ProtectionSrikrupa Srivatsan
 
Humans Are The Weakest Link – How DLP Can Help
Humans Are The Weakest Link – How DLP Can HelpHumans Are The Weakest Link – How DLP Can Help
Humans Are The Weakest Link – How DLP Can HelpValery Boronin
 
Infoblox Secure DNS Solution
Infoblox Secure DNS SolutionInfoblox Secure DNS Solution
Infoblox Secure DNS SolutionSrikrupa Srivatsan
 
MongoDB Hadoop and Humongous Data
MongoDB Hadoop and Humongous DataMongoDB Hadoop and Humongous Data
MongoDB Hadoop and Humongous DataMongoDB
 
Weapons of Mass Disruption by Roman Lara for OWASP San Antonio Chapter meetup
Weapons of Mass Disruption by Roman Lara for OWASP San Antonio Chapter meetupWeapons of Mass Disruption by Roman Lara for OWASP San Antonio Chapter meetup
Weapons of Mass Disruption by Roman Lara for OWASP San Antonio Chapter meetupmichaelxin2015
 
Cloudand Xchange
Cloudand XchangeCloudand Xchange
Cloudand XchangeSkills Matter
 
Running At 99%: Mitigating App DoS
Running At 99%: Mitigating App DoSRunning At 99%: Mitigating App DoS
Running At 99%: Mitigating App DoSryan_huber
 
M5 internet systems & applications ii
M5 internet systems & applications iiM5 internet systems & applications ii
M5 internet systems & applications iiJosep Bardallo
 

Contenu connexe

Similaire à Tweaking to get away from Application Layer DoS attacks

DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and RiskSukbum Hong
 
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS Protection
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS ProtectionPLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS Protection
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS ProtectionPROIDEA
 
Getting Started with OpenSplice DDS Community Ed.
Getting Started with OpenSplice DDS Community Ed.Getting Started with OpenSplice DDS Community Ed.
Getting Started with OpenSplice DDS Community Ed.Angelo Corsaro
 
Open Cloud System Networking Vision
Open Cloud System Networking VisionOpen Cloud System Networking Vision
Open Cloud System Networking VisionRandy Bias
 
Why Speed Matters
Why Speed MattersWhy Speed Matters
Why Speed Mattersdarinrs
 
[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...
[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...
[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...Imperva Incapsula
 
Solving MySQL replication problems with Tungsten
Solving MySQL replication problems with TungstenSolving MySQL replication problems with Tungsten
Solving MySQL replication problems with TungstenGiuseppe Maxia
 
08 - IDNOG04 - Anton Purba (Amandata) - On-Premise, Cloud or Hybrid? DDoS Mit...
08 - IDNOG04 - Anton Purba (Amandata) - On-Premise, Cloud or Hybrid? DDoS Mit...08 - IDNOG04 - Anton Purba (Amandata) - On-Premise, Cloud or Hybrid? DDoS Mit...
08 - IDNOG04 - Anton Purba (Amandata) - On-Premise, Cloud or Hybrid? DDoS Mit...Indonesia Network Operators Group
 
M4 internet systems & applications I
M4 internet systems & applications IM4 internet systems & applications I
M4 internet systems & applications IJosep Bardallo
 
Humans Are The Weakest Link – How DLP Can Help
Humans Are The Weakest Link – How DLP Can HelpHumans Are The Weakest Link – How DLP Can Help
Humans Are The Weakest Link – How DLP Can HelpValery Boronin
 
MongoDB Hadoop and Humongous Data
MongoDB Hadoop and Humongous DataMongoDB Hadoop and Humongous Data
MongoDB Hadoop and Humongous DataMongoDB
 
Weapons of Mass Disruption by Roman Lara for OWASP San Antonio Chapter meetup
Weapons of Mass Disruption by Roman Lara for OWASP San Antonio Chapter meetupWeapons of Mass Disruption by Roman Lara for OWASP San Antonio Chapter meetup
Weapons of Mass Disruption by Roman Lara for OWASP San Antonio Chapter meetupmichaelxin2015
 
Running At 99%: Mitigating App DoS
Running At 99%: Mitigating App DoSRunning At 99%: Mitigating App DoS
Running At 99%: Mitigating App DoSryan_huber
 
M5 internet systems & applications ii
M5 internet systems & applications iiM5 internet systems & applications ii
M5 internet systems & applications iiJosep Bardallo
 

Similaire à Tweaking to get away from Application Layer DoS attacks (20)

DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and Risk
 
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS Protection
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS ProtectionPLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS Protection
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS Protection
 
DDS QoS Unleashed
DDS QoS UnleashedDDS QoS Unleashed
DDS QoS Unleashed
 
Getting Started with OpenSplice DDS Community Ed.
Getting Started with OpenSplice DDS Community Ed.Getting Started with OpenSplice DDS Community Ed.
Getting Started with OpenSplice DDS Community Ed.
 
Open Cloud System Networking Vision
Open Cloud System Networking VisionOpen Cloud System Networking Vision
Open Cloud System Networking Vision
 
Why Speed Matters
Why Speed MattersWhy Speed Matters
Why Speed Matters
 
Remote mobile debugging
Remote mobile debuggingRemote mobile debugging
Remote mobile debugging
 
[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...
[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...
[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...
 
Solving MySQL replication problems with Tungsten
Solving MySQL replication problems with TungstenSolving MySQL replication problems with Tungsten
Solving MySQL replication problems with Tungsten
 
08 - IDNOG04 - Anton Purba (Amandata) - On-Premise, Cloud or Hybrid? DDoS Mit...
08 - IDNOG04 - Anton Purba (Amandata) - On-Premise, Cloud or Hybrid? DDoS Mit...08 - IDNOG04 - Anton Purba (Amandata) - On-Premise, Cloud or Hybrid? DDoS Mit...
08 - IDNOG04 - Anton Purba (Amandata) - On-Premise, Cloud or Hybrid? DDoS Mit...
 
M4 internet systems & applications I
M4 internet systems & applications IM4 internet systems & applications I
M4 internet systems & applications I
 
20140313_tu_delft
20140313_tu_delft20140313_tu_delft
20140313_tu_delft
 
Advanced DNS Protection
Advanced DNS ProtectionAdvanced DNS Protection
Advanced DNS Protection
 
Humans Are The Weakest Link – How DLP Can Help
Humans Are The Weakest Link – How DLP Can HelpHumans Are The Weakest Link – How DLP Can Help
Humans Are The Weakest Link – How DLP Can Help
 
Infoblox Secure DNS Solution
Infoblox Secure DNS SolutionInfoblox Secure DNS Solution
Infoblox Secure DNS Solution
 
MongoDB Hadoop and Humongous Data
MongoDB Hadoop and Humongous DataMongoDB Hadoop and Humongous Data
MongoDB Hadoop and Humongous Data
 
Weapons of Mass Disruption by Roman Lara for OWASP San Antonio Chapter meetup
Weapons of Mass Disruption by Roman Lara for OWASP San Antonio Chapter meetupWeapons of Mass Disruption by Roman Lara for OWASP San Antonio Chapter meetup
Weapons of Mass Disruption by Roman Lara for OWASP San Antonio Chapter meetup
 
Cloudand Xchange
Cloudand XchangeCloudand Xchange
Cloudand Xchange
 
Running At 99%: Mitigating App DoS
Running At 99%: Mitigating App DoSRunning At 99%: Mitigating App DoS
Running At 99%: Mitigating App DoS
 
M5 internet systems & applications ii
M5 internet systems & applications iiM5 internet systems & applications ii
M5 internet systems & applications ii
 

Tweaking to get away from Application Layer DoS attacks

  • 1. BSidesDetroit2012 Tweaking to get away from SlowDOS Sergey Shekyan, Senior Software Engineer June 2nd, 2012 Thursday, December 13, 12
  • 2. BSIDES DETROIT 2012 22 Thursday, December 13, 12
  • 3. Denial of Service Attacks BSIDES DETROIT 2012 22 Thursday, December 13, 12
  • 4. Denial of Service Attacks BSIDES DETROIT 2012 22 Thursday, December 13, 12
  • 5. Types of attack There is a variety of forms aiming at a variety of services: − Traffic consuming attacks (DNS, firewall, router, load balancer, OS, etc.) − Application Layer attacks (web server, media server, mail server) BSIDES DETROIT 2012 33 Thursday, December 13, 12
  • 6. Network Layer attacks BSIDES DETROIT 2012 44 Thursday, December 13, 12
  • 7. Network Layer attacks BSIDES DETROIT 2012 44 Thursday, December 13, 12
  • 8. Application Layer attacks BSIDES DETROIT 2012 55 Thursday, December 13, 12
  • 9. Application Layer attacks BSIDES DETROIT 2012 55 Thursday, December 13, 12
  • 10. What is low-bandwidth attack? Slowloris GET Flood 400 300 Mbps/sec 200 100 0 0 10 20 30 40 Seconds BSIDES DETROIT 2012 66 Thursday, December 13, 12
  • 11. DDoS economics § DDoS attacks are affordable (from $5/hour) § DDoS attack is a great way to promote your start-up (attacks on Russian travel agencies are 5 times as frequent in high season) § Longest attack detected by Kaspersky DDos Prevention System in the second half of 2011 targeted a travel agency website and lasted 80 days 19 hours 13 minutes 05 seconds § Akamai reports DDoS attack incidents soar 2,000 percent in the past three years BSIDES DETROIT 2012 77 Thursday, December 13, 12
  • 12. Actual page from a forum offering DDoS services § We take projects with anti-DDoS § Wholesale discounts § We are clear against the law § Best quality-to-dollar ratio § $5/hour, $40/day, $260/week, $900/month BSIDES DETROIT 2012 88 Thursday, December 13, 12
  • 13. Same botnet operator offering menu: § HTTP GET flood § HTTP POST flood § Download flood § UDP flood § SYN flood BSIDES DETROIT 2012 99 Thursday, December 13, 12
  • 14. Application Layer DoS attacks § Slow HTTP headers attack (a.k.a. Slowloris) § Slow HTTP message body attack (a.k.a Slow Post) § Slow read HTTP attack (a.k.a. TCP Persist Timer exploit) BSIDES DETROIT 2012 10 Thursday, December 13, 12
  • 15. Demo time BSIDES DETROIT 2012 11 Thursday, December 13, 12
  • 16. What is common? § All mentioned attacks aim at draining the pool of concurrent connections (usually relatively small) BSIDES DETROIT 2012 12 Thursday, December 13, 12
  • 17. HyperText Transfer Protocol (HTTP) Message syntax Per RFC 2616 generic-message = start-line *(message-header CRLF) CRLF [ message-body ] start-line = Request-Line | Status-Line BSIDES DETROIT 2012 13 Thursday, December 13, 12
  • 18. HyperText Transfer Protocol (HTTP) Message example GET /page.htm HTTP/1.1CRLF Host: www.example.com:8080CRLF Content-Length: 25CRLF CRLF Optional Message Body BSIDES DETROIT 2012 14 Thursday, December 13, 12
  • 19. Slowloris §Low bandwidth attack that sends HTTP requests with incomplete headers. Continues to send headers at regular intervals to keep the sockets active §First mentioned by Adrian Ilarion Ciobanu in 2007 and implemeted by Robert Hansen in 2009 BSIDES DETROIT 2012 15 Thursday, December 13, 12
  • 20. How slowloris works Client Server BSIDES DETROIT 2012 16 Thursday, December 13, 12
  • 21. How slowloris works GET  /  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rn X-­‐sadwqeq:  dfg4t3rn Client Server BSIDES DETROIT 2012 16 Thursday, December 13, 12
  • 22. How slowloris works GET  /  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rn X-­‐sadwqeq:  dfg4t3rn 59  seconds  later Client Server BSIDES DETROIT 2012 16 Thursday, December 13, 12
  • 23. How slowloris works GET  /  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rn X-­‐sadwqeq:  dfg4t3rn 59  seconds  later Client X-­‐4rete:  fdsgvryrn Server BSIDES DETROIT 2012 16 Thursday, December 13, 12
  • 24. How slowloris works GET  /  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rn X-­‐sadwqeq:  dfg4t3rn 59  seconds  later Client X-­‐4rete:  fdsgvryrn Server 59  seconds  later BSIDES DETROIT 2012 16 Thursday, December 13, 12
  • 25. How slowloris works GET  /  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rn X-­‐sadwqeq:  dfg4t3rn 59  seconds  later Client X-­‐4rete:  fdsgvryrn Server 59  seconds  later X-­‐4rete:  fdsgvryrn BSIDES DETROIT 2012 16 Thursday, December 13, 12
  • 26. How slowloris works GET  /  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rn X-­‐sadwqeq:  dfg4t3rn 59  seconds  later Client X-­‐4rete:  fdsgvryrn Server 59  seconds  later X-­‐4rete:  fdsgvryrn 59  seconds  later BSIDES DETROIT 2012 16 Thursday, December 13, 12
  • 27. How slowloris works GET  /  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rn X-­‐sadwqeq:  dfg4t3rn 59  seconds  later Client X-­‐4rete:  fdsgvryrn Server 59  seconds  later X-­‐4rete:  fdsgvryrn 59  seconds  later X-­‐egyr7j:  8ihrn BSIDES DETROIT 2012 16 Thursday, December 13, 12
  • 28. How slowloris works GET  /  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rn X-­‐sadwqeq:  dfg4t3rn 59  seconds  later Client X-­‐4rete:  fdsgvryrn Server 59  seconds  later X-­‐4rete:  fdsgvryrn 59  seconds  later X-­‐egyr7j:  8ihrn ... BSIDES DETROIT 2012 16 Thursday, December 13, 12
  • 29. Slow POST § Attack that sends HTTP requests with complete headers but incomplete message body. Continues to send data at regular intervals to keep the sockets active § Discovered by Wong Onn Chee and popularized by Tom Brennan in 2009 BSIDES DETROIT 2012 17 Thursday, December 13, 12
  • 30. How Slow POST works Client Server BSIDES DETROIT 2012 18 Thursday, December 13, 12
  • 31. How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn Client Server BSIDES DETROIT 2012 18 Thursday, December 13, 12
  • 32. How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn rn Client Server BSIDES DETROIT 2012 18 Thursday, December 13, 12
  • 33. How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn rn 59  seconds  later Client Server BSIDES DETROIT 2012 18 Thursday, December 13, 12
  • 34. How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn rn 59  seconds  later Client Server foo=barrn BSIDES DETROIT 2012 18 Thursday, December 13, 12
  • 35. How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn rn 59  seconds  later Client Server foo=barrn 59  seconds  later BSIDES DETROIT 2012 18 Thursday, December 13, 12
  • 36. How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn rn 59  seconds  later Client Server foo=barrn 59  seconds  later &Owkuvj5=POaLLIrn BSIDES DETROIT 2012 18 Thursday, December 13, 12
  • 37. How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn rn 59  seconds  later Client Server foo=barrn 59  seconds  later &Owkuvj5=POaLLIrn 59  seconds  later BSIDES DETROIT 2012 18 Thursday, December 13, 12
  • 38. How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn rn 59  seconds  later Client Server foo=barrn 59  seconds  later &Owkuvj5=POaLLIrn 59  seconds  later &uWat9wGqrP4SxV=SN3qrn BSIDES DETROIT 2012 18 Thursday, December 13, 12
  • 39. How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn rn 59  seconds  later Client Server foo=barrn 59  seconds  later &Owkuvj5=POaLLIrn 59  seconds  later &uWat9wGqrP4SxV=SN3qrn ... BSIDES DETROIT 2012 18 Thursday, December 13, 12
  • 40. Slow Read § Attack that keeps server sockets busy by maliciously throttling down the receipt of large HTTP responses § Uses known Network Layer flaws to aim Application Layer § First mentioned by Outpost24 in sockstress. Implemented as part of nkiller2 by Fotis Hantzis, a.k.a. ithilgore in 2009 BSIDES DETROIT 2012 19 Thursday, December 13, 12
  • 41. Related TCP details   §“Window size (16 bits) – the size of the receive window, which specifies the number of bytes (beyond the sequence number in the acknowledgment field) that the sender of this segment is currently willing to receive” – Wikipedia BSIDES DETROIT 2012 20 Thursday, December 13, 12
  • 42. How Slow Read works Client Server Send  buffer Recv  buffer BSIDES DETROIT 2012 21 Thursday, December 13, 12
  • 43. How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn Send  buffer Recv  buffer BSIDES DETROIT 2012 21 Thursday, December 13, 12
  • 44. How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes Send  buffer Recv  buffer BSIDES DETROIT 2012 21 Thursday, December 13, 12
  • 45. How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes bigpage.html Send  buffer Recv  buffer BSIDES DETROIT 2012 21 Thursday, December 13, 12
  • 46. How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes HTTP/1.1  200  OKrn Content-­‐Length:  131072rn bigpage.html Content-­‐type:  text/htmlrnrn  message Send  buffer Recv  buffer BSIDES DETROIT 2012 21 Thursday, December 13, 12
  • 47. How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes HTTP/1.1  200  OKrn Content-­‐Length:  131072rn bigpage.html Content-­‐type:  text/htmlrnrn  message Kernel  to  app:  I  can  send  only  32  bytes  now Send  buffer Recv  buffer BSIDES DETROIT 2012 21 Thursday, December 13, 12
  • 48. How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes HTTP/1.1  200  OKrn Content-­‐Length:  131072rn bigpage.html Content-­‐type:  text/htmlrnrn  message Kernel  to  app:  I  can  send  only  32  bytes  now Send  buffer Recv  buffer m bi e. p h a g g t l BSIDES DETROIT 2012 21 Thursday, December 13, 12
  • 49. How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes HTTP/1.1  200  OKrn Content-­‐Length:  131072rn bigpage.html Content-­‐type:  text/htmlrnrn  message Kernel  to  app:  I  can  send  only  32  bytes  now Got  it,  wait  for  now  (ACK  window  0) Send  buffer Recv  buffer m bi e. p h a g g t l BSIDES DETROIT 2012 21 Thursday, December 13, 12
  • 50. How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes HTTP/1.1  200  OKrn Content-­‐Length:  131072rn bigpage.html Content-­‐type:  text/htmlrnrn  message Kernel  to  app:  I  can  send  only  32  bytes  now Got  it,  wait  for  now  (ACK  window  0) Send  buffer Recv  buffer 90 Are  you  ready  to  receive  more  bytes? m bi e. p h a g g t l BSIDES DETROIT 2012 21 Thursday, December 13, 12
  • 51. How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes HTTP/1.1  200  OKrn Content-­‐Length:  131072rn bigpage.html Content-­‐type:  text/htmlrnrn  message Kernel  to  app:  I  can  send  only  32  bytes  now Got  it,  wait  for  now  (ACK  window  0) Send  buffer Recv  buffer 90 Are  you  ready  to  receive  more  bytes? m bi e. p h a g g t l OK,  give  me  another  32  bytes BSIDES DETROIT 2012 21 Thursday, December 13, 12
  • 52. How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes HTTP/1.1  200  OKrn Content-­‐Length:  131072rn bigpage.html Content-­‐type:  text/htmlrnrn  message Kernel  to  app:  I  can  send  only  32  bytes  now Got  it,  wait  for  now  (ACK  window  0) Send  buffer Recv  buffer 90 Are  you  ready  to  receive  more  bytes? m bi e. p h a g g t l OK,  give  me  another  32  bytes ... BSIDES DETROIT 2012 21 Thursday, December 13, 12
  • 53. Prerequisites for successful Slow Read attack The larger server response is - increasing the chances of prolonging the connection §make server generate a data stream that doesn't fully fit into socket's send buffer (65536 bytes is default on most Linux systems /proc/sys/net/ipv4/tcp_wmem, if server doesn't set its own value) §Request large resource by naturally finding it and/or amplifying the response size by using HTTP pipelining. Dynamic resources are welcome. BSIDES DETROIT 2012 22 Thursday, December 13, 12
  • 54. Prerequisites for successful Slow Read attack The larger server response is - increasing the chances of prolonging the connection §make server generate a data stream that doesn't fully fit into socket's send buffer (65536 bytes is default on most Linux systems /proc/sys/net/ipv4/tcp_wmem, if server doesn't set its own value) §Request large resource by naturally finding it and/or amplifying the response size by using HTTP pipelining. Dynamic resources are welcome. Rme BSIDES DETROIT 2012 22 Thursday, December 13, 12
  • 55. Why is Slow Read is different? Traditional (slowloris/slowpost) DoS § Customer stuck deciding what he wants § Makes an order § Pays § Takes the order § Next! BSIDES DETROIT 2012 23 Thursday, December 13, 12
  • 56. Why is Slow Read is different? Traditional (slowloris/slowpost) DoS § Customer stuck deciding what he wants § Makes an order It  is  possible  to  idenRfy  and  isolate   slow  client  in  his  request  state § Pays § Takes the order § Next! BSIDES DETROIT 2012 23 Thursday, December 13, 12
  • 57. Why Slow Read is different? Slow Read DoS § Makes an order for party of 50 § Pays § Cannot take the entire order with him, makes several trips to the car. § Next! BSIDES DETROIT 2012 24 Thursday, December 13, 12
  • 58. Why Slow Read is different? Slow Read DoS § Makes an order for party it  is  quite  late  to  do  anything,  as   of 50 the  request  was  already  accepted   and  processed § Pays § Cannot take the entire order with him, makes several trips to the car. § Next! BSIDES DETROIT 2012 24 Thursday, December 13, 12
  • 59. Why is Slow Read is different? § Customer stuck deciding § Makes an order for party what he wants Makes an of 50 orderPays Takes the order § Pays Next! § Cannot take the entire order with him, makes several trips to the car § Next! BSIDES DETROIT 2012 25 Thursday, December 13, 12
  • 60. Why is Slow Read is different? (continued) § Defense mechanisms expect the crushing fist of malice to appear in the request § Instead, the entire transaction should be monitored BSIDES DETROIT 2012 26 Thursday, December 13, 12
  • 61. Am I vulnerable? § There is a good chance that you are. Default configurations of nginx, lighttpd, IIS, Apache, Varnish cache proxy, Shoutcast streaming server - are vulnerable to at least one of the mentioned attacks BSIDES DETROIT 2012 27 Thursday, December 13, 12
  • 62. What should I do? § Use available tools to simulate attacks. SlowHTTPTest covers all mentioned attacks and some more at http://slowhttptest.googlecode.com § Check out http://slowhammer.me soon to get access to your own whitehat botnet in the cloud § Use Qualys WAF or other firewalls that are supposed to protect, but test before you pay! BSIDES DETROIT 2012 28 Thursday, December 13, 12
  • 63. Detection and Mitigation § Drop connections with abnormally small TCP advertised window(s) § Set an absolute connection timeout, if possible § Limit length, number of headers to accept § Limit max size of message body to accept § Drop connections with HTTP methods (verbs) not supported by the URL § Limit accepted header and message body to a minimal reasonable length § Define the minimum data rate, and drop connections that are slower than that rate BSIDES DETROIT 2012 29 Thursday, December 13, 12
  • 64. Detection and Mitigation continued § Qualys Web Application Scanner passively detects the slow attack vulnerabilities § ModSecurity v2.6 introduced a directive called SecWriteStateLimit that places a time limit on the concurrent number of threads (per IP address) § Snort is working on detecting connections with small TCP advertised window(s) § Christian Folini introduced Flying Frog script at https://www.netnea.com BSIDES DETROIT 2012 30 Thursday, December 13, 12
  • 65. Example of misconfiguration § Even if the server is configured to handle tens of thousands of concurrent connections, the OS might still create a bottleneck by limiting the server by the number of open file descriptors BSIDES DETROIT 2012 31 Thursday, December 13, 12
  • 66. Are anti-DoS solutions going to help? § Have no idea, test yourself! BSIDES DETROIT 2012 32 Thursday, December 13, 12
  • 67. Who reacted first? BSIDES DETROIT 2012 33 Thursday, December 13, 12
  • 68. Who reacted first? BSIDES DETROIT 2012 33 Thursday, December 13, 12
  • 69. Who reacted first? Those who really care - gamers! Open Transport Tycoon Deluxe found that by using a slow read type attack, it is possible to prevent anyone from joining a game server with virtually no resources. Patches for all affected version where released within a week! BSIDES DETROIT 2012 33 Thursday, December 13, 12
  • 70. Summary § Even though the simpliest distributed DoS attacks are enough to knock down most web sites today, the nature of the attack will be sure to improve, and it’s better to be ready or, at least be aware of upcoming problems. BSIDES DETROIT 2012 34 Thursday, December 13, 12
  • 71. References ModSecurity Advanced Topic of the Week: Mitigation of 'Slow Read" Denial of Service Attack http://blog.spiderlabs.com/2012/01/modsecurity-advanced-topic-of-the-week-mitigation-of- slow-read-denial-of-service-attack.html DDoS attacks in H2 2011 http://www.securelist.com/en/analysis/204792221/DDoS_attacks_in_H2_2011 The State of the Internet http://www.akamai.com/stateoftheinternet/ Evaluation of slowhttptest against servers protected by CloudFlare http://samsclass.info/123/proj10/slow-read.html Blog posts on hardening web servers https://community.qualys.com/blogs/securitylabs/ BSIDES DETROIT 2012 35 Thursday, December 13, 12
  • 72. Thank you! sshekyan@qualys.com @sshekyan Thursday, December 13, 12