BSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
1. Layer 7 DoS attack
By: Oussama Elhamer Abdelkhalek.
2. Summary
• The history of DoS attacks.
• Layer 4 DDoS: overview.
• Layer 7 DoS: one attacker brings down one site.
• Link-local DoS: IPv6 RA attack.
5. Layer 4 DDoS attack
• Primitive DDoS attack controlled via IRC.
• Sends thousands of packets per second from each attacker directly to the target.
• Needs thousands of participants to bring down a large site.
• Took down MasterCard for more than a day (3,000 to 30,000).
• Nothing more than pressing F5 (the Low Orbit Ion Cannon does that for you :p).
6. Layer 7 DoS
• Operates at the application protocol level (OSI Layer 7).
• Can be routed through proxies.
• More dangerous.
• Low bandwidth.
• Can be very difficult to distinguish from normal traffic.
E.g. HTTP(S), SMTP, FTP, etc.
7. Some examples of Layer 7 DoS attacks
We will focus on the weaknesses of the HTTP protocol.
9. HTTP GET attack
- Don't send a complete request to the web server (incomplete headers). Send something that makes the web server wait: keep sending headers at regular intervals so the socket stays active!
- So if you open one thousand connections on a server that can only handle five hundred, it will be rejecting requests.
Example message syntax:
GET /indexPage.html HTTP/1.1 CRLF <- Request line
Host: www.host.com:8080 CRLF
Content-Length: 25 CRLF
CRLF
<optional message body>
- The server stops reading headers when it sees two CRLFs in a row (an empty line) and starts generating and sending the response.
10. Example
• The server will drop the connection if no data arrives for 60 seconds!
• Client -> Server:
• GET / HTTP/1.1\r\n
• Host: server\r\n
• X-skdvbk: sdjvj\r\n
• ---- 59 sec later
• X-skdvbk: sdjvj\r\n
• ---- 59 sec later
• X-skdvbk: sdjvj\r\n
• ---- 59 sec later
• X-skdvbk: sdjvj\r\n
• ---- 59 sec later
• This attack doesn't work against IIS because it uses a timeout on receiving the complete headers, not only on idle time.
• There is no reliable universal configuration to protect your web server,
• but there are some recommendations that minimize the damage.
11. Slowloris
• Sends incomplete GET requests
• and freezes Apache with one packet per second.
• Keeps sessions at a halt
• using never-ending GET transmissions.
12. HTTP POST
• Similar to HTTP GET.
• The connections with the server stay open.
• Instead of prolonging the header section of the HTTP request, it prolongs the message body section.
13. R-U-Dead-Yet
• Incomplete HTTP POSTs.
• Implements the generic HTTP DoS attack via long form field submissions.
• Stops IIS, but requires thousands of packets per second.
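Both the slow-header attack (slides 9 to 11) and the slow-body attack (slides 12 and 13) only work while the server's timeout measures idle time between reads: a client that sends a few bytes just before the timer expires keeps its worker slot forever. A budget on how long the whole header phase or body phase may take defeats both. The simulation below is an added example, not code from the talk. It replays a constructed Slowloris-style trace and a constructed R-U-Dead-Yet-style trace against two server policies: the 60-second idle timer described on slide 10, and a per-phase budget modelled on Apache's mod_reqtimeout directive `RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500`. The traces, the header names and the simulated clock are constructed here; no sockets are opened.

```python
"""Added example (not from the talk): replay slow-header and slow-body traces against
two server timeout policies, using a simulated clock instead of real sockets."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Chunk:
    t: float      # simulated seconds since the connection was accepted
    data: bytes   # bytes arriving from the client at that instant

@dataclass(frozen=True)
class Budget:
    """Per-phase read budget modelled on Apache mod_reqtimeout: `initial` seconds to start
    with, one extra second per `min_rate` bytes received, never more than `maximum`."""
    initial: float
    maximum: float
    min_rate: int = 500

    def deadline(self, received: int) -> float:
        return min(self.maximum, self.initial + received / self.min_rate)

@dataclass(frozen=True)
class Outcome:
    status: str   # "complete", "dropped", or "open" (still holding a worker when the trace ends)
    t: float      # simulated time of that event
    phase: str    # "header" or "body"

def normal_request() -> List[Chunk]:
    """Constructed well-behaved client: the whole header block in one segment (slide 9 syntax)."""
    return [Chunk(0.1, b"GET /indexPage.html HTTP/1.1\r\nHost: www.host.com:8080\r\n\r\n")]

def slow_headers(interval: float = 59.0, n: int = 6) -> List[Chunk]:
    """Constructed Slowloris-style trace (slide 10): request line and Host, then one junk
    header every `interval` seconds and never the blank line that ends the headers."""
    trace = [Chunk(0.0, b"GET / HTTP/1.1\r\nHost: server\r\n")]
    return trace + [Chunk(i * interval, b"X-skdvbk: sdjvj\r\n") for i in range(1, n + 1)]

def slow_body(interval: float = 10.0, n: int = 30) -> List[Chunk]:
    """Constructed R-U-Dead-Yet-style trace (slide 13): complete headers announcing a
    1 MB form body, then a single body byte every `interval` seconds."""
    head = b"POST /form HTTP/1.1\r\nHost: server\r\nContent-Length: 1000000\r\n\r\n"
    return [Chunk(0.0, head)] + [Chunk(i * interval, b"a") for i in range(1, n + 1)]

def parse_content_length(head: bytes) -> int:
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip())
    return 0

def serve(trace: List[Chunk], *, idle_timeout: Optional[float] = None,
          header: Optional[Budget] = None, body: Optional[Budget] = None) -> Outcome:
    """Replay one connection. With `idle_timeout` the server only watches the gap since the
    last byte (the 60 s timer of slide 10); otherwise each phase gets its own Budget."""
    buf, phase, phase_start, phase_bytes, last_t, content_length = b"", "header", 0.0, 0, 0.0, 0
    for chunk in trace:
        # Would the server have given up before this chunk arrived?
        if idle_timeout is not None:
            if chunk.t - last_t > idle_timeout:
                return Outcome("dropped", last_t + idle_timeout, phase)
        else:
            budget = header if phase == "header" else body
            assert budget is not None, "a Budget is required for each phase"
            deadline = phase_start + budget.deadline(phase_bytes)
            if chunk.t > deadline:
                return Outcome("dropped", deadline, phase)
        buf += chunk.data
        phase_bytes += len(chunk.data)
        last_t = chunk.t
        # Headers end at the first empty line (CRLF CRLF), as slide 9 says.
        if phase == "header" and b"\r\n\r\n" in buf:
            head, buf = buf.split(b"\r\n\r\n", 1)
            content_length = parse_content_length(head)
            if content_length == 0:
                return Outcome("complete", chunk.t, "header")
            phase, phase_start, phase_bytes = "body", chunk.t, len(buf)
        if phase == "body" and phase_bytes >= content_length:
            return Outcome("complete", chunk.t, "body")
    return Outcome("open", last_t, phase)   # attacker still holds the worker slot

def demo() -> Dict[str, Outcome]:
    naive = dict(idle_timeout=60.0)
    # Equivalent of: RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
    tuned = dict(header=Budget(20, 40), body=Budget(20, 20))
    return {
        "normal/naive": serve(normal_request(), **naive),
        "normal/tuned": serve(normal_request(), **tuned),
        "slowloris/naive": serve(slow_headers(), **naive),
        "slowloris/tuned": serve(slow_headers(), **tuned),
        "rudy/naive": serve(slow_body(), **naive),
        "rudy/tuned": serve(slow_body(), **tuned),
    }

if __name__ == "__main__":
    for name, o in demo().items():
        print(f"{name:16} {o.status:8} at t={o.t:7.3f}s during {o.phase} phase")
```

Under the idle timer the Slowloris trace holds a worker for the whole 354 simulated seconds with six tiny packets and the body trace for 300 seconds, while the normal request completes either way; under the per-phase budget both slow traces are dropped at about 20 seconds because they never earn extra time at 500 bytes per second. The budget is what makes the difference, not the absolute value of the timeout.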
14. More variations
• Keep-Alive DoS: a variation of the incomplete HTTP GET request, but less powerful.
• XerXes: a tool developed by th3j35t3r
  - Can be ported to a 3G cell phone
  - Can be run through a VPN.
15. Link-local DoS
• IPv6 Router Advertisements
• In IPv4:
  - The client requests an IP address
  - The router (or DHCP server) provides one
• In IPv6:
  - The router announces its presence (Router Advertisement)
  - Every client on the LAN creates an address from the advertised prefix and joins the network
16. • The problem is that you can send a lot of Router Advertisements, each with a different prefix
• The LAN machines will join all those networks (creating an address for every prefix)
• and Windows is inefficient at doing that
• You can take down the whole LAN.
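The flood works because every advertised prefix whose autonomous (A) flag is set makes each host configure another address, so a detector has to parse Router Advertisements (ICMPv6 type 134), pull out the Prefix Information options and count how many distinct SLAAC prefixes a single sender is pushing. The code below is an added example, not from the talk. It builds constructed RA messages (the ICMPv6 message only, checksum left zero, no IPv6 header), parses the options according to RFC 4861, and flags a link-layer sender that advertises more than a handful of prefixes in a short window. The 10-second window, the threshold of 8 prefixes and the two MAC addresses are assumptions chosen for the demonstration.

```python
"""Added example (not from the talk): parse IPv6 Router Advertisements and flag a sender
that floods the LAN with distinct SLAAC prefixes. All messages are constructed inline."""
import ipaddress
import struct
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

ICMPV6_RA = 134          # Router Advertisement type (RFC 4861 section 4.2)
OPT_PREFIX_INFO = 3      # Prefix Information option (RFC 4861 section 4.6.2)
PIO_ONLINK = 0x80        # L flag
PIO_AUTONOMOUS = 0x40    # A flag: hosts may form an address from this prefix (SLAAC)

def build_ra(prefixes: List[str], router_lifetime: int = 1800) -> bytes:
    """Constructed RA (ICMPv6 message only; checksum left 0, no IPv6 header) carrying one
    Prefix Information option per prefix with L and A set, as a real router would."""
    msg = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, router_lifetime, 0, 0)
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        msg += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen,
                           PIO_ONLINK | PIO_AUTONOMOUS, 2592000, 604800, 0,
                           net.network_address.packed)
    return msg

def parse_ra_prefixes(msg: bytes) -> List[str]:
    """Return the autonomous prefixes an RA advertises; [] for anything that is not an RA."""
    if len(msg) < 16 or msg[0] != ICMPV6_RA:
        return []
    found, i = [], 16                    # options start after the 16-byte RA header
    while i + 2 <= len(msg):
        otype, olen = msg[i], msg[i + 1]
        if olen == 0:                    # RFC 4861: zero-length option, discard the packet
            break
        end = i + olen * 8               # option length is in units of 8 octets
        if end > len(msg):               # truncated option, stop parsing
            break
        if otype == OPT_PREFIX_INFO and olen == 4 and msg[i + 3] & PIO_AUTONOMOUS:
            prefix = ipaddress.IPv6Address(msg[i + 16:i + 32])
            found.append(f"{prefix}/{msg[i + 2]}")
        i = end
    return found

class RaFloodDetector:
    """Count distinct SLAAC prefixes per link-layer sender inside a sliding window.
    Window and threshold are assumptions; one router normally advertises a few prefixes."""

    def __init__(self, window_s: float = 10.0, max_prefixes: int = 8):
        self.window_s, self.max_prefixes = window_s, max_prefixes
        self.seen: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)

    def observe(self, t: float, sender: str, msg: bytes) -> bool:
        """Feed one frame (time, source MAC, ICMPv6 bytes); True if the sender is over threshold."""
        q = self.seen[sender]
        for p in parse_ra_prefixes(msg):
            q.append((t, p))
        while q and t - q[0][0] > self.window_s:
            q.popleft()
        return len({p for _, p in q}) > self.max_prefixes

def demo() -> Tuple[List[bool], List[bool]]:
    """Constructed traffic: a legitimate router re-advertising one prefix, then a flooder
    (assumed MAC) sending a fresh /64 every 10 ms. Returns the alert flag for each frame."""
    det = RaFloodDetector()
    legit = [det.observe(t, "00:11:22:33:44:55", build_ra(["2001:db8:1::/64"]))
             for t in (0.0, 3.0, 6.0, 9.0)]
    flood = [det.observe(10.0 + i * 0.01, "66:77:88:99:aa:bb",
                         build_ra([f"2001:db8:dead:{i:x}::/64"]))
             for i in range(20)]
    return legit, flood

if __name__ == "__main__":
    legit, flood = demo()
    print("legitimate router ever flagged:", any(legit))
    print("flooder first flagged at frame:", flood.index(True))
```

The legitimate router repeats the same prefix and never trips the threshold; the flooder is flagged on its ninth distinct prefix. Counting distinct prefixes rather than raw RA rate matters, because a real router re-sends identical RAs frequently and a rate-only rule would be noisy.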