Infrastructure fuzzing by Salo Shp, SRE Expert. In this session We will cover the reason and methods hackers use to DDOS our production, and learn how to mitigate that threat by doing it ourselves as part of an overall Chaos Engineering methodology.

1. FUZZING
INFRASTRUCTURE
Salo Shp

2. /whoami
2
https://www.linkedin.com/in/salo-shp/
tikalk.com
Salo Shp

3. 1
2
3 4
DISTRIBUTED
DENIAL
OF
https://www.yellowstonepark.com/news/wolves-hunt
SERVICE

4. STRESSERS
LOIC
http://sourceforge.net/projects/loic/files/loic/loic-1.0.8/LOIC-1.0.8-binary.zip/download

5. STRESSERS
HOIC
http://sourceforge.net/projects/highorbitioncannon/files/Hoic.rar/download

6. STRESSERS
XOIC

7. STRESSERS
MOAR WAREZ
▸ https://packetstormsecurity.com/distributed/trinoo.tgz
▸ https://packetstormsecurity.com/distributed/tfn2k.tgz
▸ https://packetstormsecurity.com/files/112856/HULK-Http-Unbearable-Load-King.html
▸ http://packetstormsecurity.com/files/98831/
▸ http://packetstormsecurity.com/files/123084/DAVOSET-1.1.3.html
▸ http://packetstormsecurity.com/files/120966/GoldenEye-HTTP-Denial-Of-Service-Tool.html
▸ http://sourceforge.net/projects/ddosim/
▸ http://sourceforge.net/projects/pyloris/
▸ https://code.google.com/p/owasp-dos-http-post/
▸ https://code.google.com/p/r-u-dead-yet/
Salo Shp

8. STRESSERS
DDOS AS A SERVICE
https://www.ipstresser.com

9. STRESSERS
MOAR LINKZ
▸ https://www.stressthem.to
▸ https://bullstresser.to
▸ https://freeipstress.com/
▸ https://fiberstresser.com/
▸ https://www.stresser.wtf/
▸ https://zodiac-stresser.com/
▸ https://www.booter.pw/
▸ https://vdos-s.co/
▸ https://booter.xyz/
▸ https://www.webstresser.biz/
▸ https://www.stresser.pw/
▸ https://bootstresser.com/
▸ https://networkstress.xyz/
▸ https://www.stressed.host/
▸ https://criticalsecurity.to/
▸ https://arkstresser.com/
▸ https://instant-stresser.com/
▸ http://stresser.io/
▸ https://meteor-stresser.to/

10. 未来
https://github.com/jgamblin/Mirai-Source-Code
https://www.fortinet.com/blog/threat-research/omg--mirai-based-bot-turns-iot-devices-into-proxy-servers.html

11. SYN flood

12. Amplification factor
TFTP: 60
CHARGEN: 358.8
NTP: 556.9
DNS: 28 TO 54
SNMP: 650
https://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet/
MEMCACHED: 10,000 TO 51,000
https://www.us-cert.gov/ncas/alerts/TA14-017A https://tools.ietf.org/html/rfc2827
https://tools.ietf.org/html/rfc3704

13. https://github.blog/2018-03-01-ddos-incident-report/
http://www.techrepublic.com/article/chinese-government-linked-to-largest-ddos-attack-in-github-history/

14. https://www.cnbc.com/2019/05/08/binance-bitcoin-hack-over-40-million-of-cryptocurrency-stolen.html

15. ATTACK CLASSIFICATION
VOLUMETRIC ATTACKS
PROTOCOL BASED ATTACKS
APPLICATION LAYER ATTACKS
UDP Amplification
SNMP Reflection
SYN flood
BWRaep
PING of death
HTTP GET flood
ICMP flood
HTTP POST flood
SSDP reflection
Slowloris
Smurf
Fraggle
Teardrop
R.U.D.Y
MIRAI
Salo Shp
ARME
:(){ :|:& };:

17. https://theconversation.com/abss-night-of-disaster-as-servers-crash-and-millions-fail-to-complete-the-census-63737

18. ATTACK CLASSIFICATION
Design Implementation Operation
Application
Presentation
Session
Transport
Network
Link
Physical
Spoofing
Tampering
Repudiation
Information disclosure
Degr. of service
Elevation of privilege
Damage
Reproducibility
Exploitability
Affected users
Discoverability
Salo Shp

19. https://www.bloomberg.com/news/articles/2019-04-11/sensors-linked-to-737-crashes-vulnerable-to-failure-data-show
Mar 10, 2019

20. “What’s in a name? That which we call a rose,
By any other name would smell as sweet.”
ÉMILE BOREL
1871 - 1956

21. https://en.wikipedia.org/wiki/Punched_card
A punch-card is a piece of stiff
paper that can be used to contain
digital data represented by the
presence or absence of holes in
predefined positions.
ArnoldReinhold, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=16041053
1950

22. https://ieeexplore.ieee.org/abstract/document/5010257
… results are presented which suggest that
random testing may often be more cost
effective than partition testing schemes.
1981 - Random Testing
https://dl.acm.org/citation.cfm?id=802530

23. http://www.folklore.org/StoryView.py?story=Monkey_Lives.txt
A small desk accessory that used the
journaling hooks to feed random events to
the current application, so the Macintosh
seemed to be operated by an incredibly fast,
somewhat angry monkey, banging away at the
mouse and keyboard, generating clicks and
drags at random positions with wild abandon
1983 - The monkey
STEVE CAPPS

24. https://books.google.co.il/books?isbn=1596932155
I needed to give
this kind of
testing a name that
would evoke the
feeling of random,
unstructured data.
After Trying out
several ideas, I
settled on the term
“fuzz”.
1988 - Barton Miller

25. ▸ CVE-2014-6271
▸ CVE-2014-6277
▸ CVE-2014-6278
▸ CVE-2014-7169
▸ CVE-2014-7186
▸ CVE-2014-7187
Sep 24, 2014
SHELLSHOCK (BASHDOOR)

26. FUZZERS
AMERICAN FUZZY LOP (AFL)
http://lcamtuf.coredump.cx/afl/
https://events.static.linuxfound.org/sites/events/files/slides/AFL%20filesystem%20fuzzing,%20Vault%202016_0.pdf

27. https://blog.mozilla.org/security/2007/08/02/javascript-fuzzer-available/
https://engineering.mongodb.com/post/mongodbs-javascript-fuzzer-creating-chaos/

28. https://google.github.io/clusterfuzz/
https://github.com/google/oss-fuzz

29. https://github.com/Netflix/SimianArmy/wiki/Chaos-Monkey

30. NUDNIK
MULTILAYER DISTRIBUTION
AB
C
Node A Node B

31. NUDNIK
MESSAGE TYPES - BASELINE
A
B
C
D
E
20ms
10ms
20ms
10ms
10ms
20ms
10ms
10ms
▸Tiny fingerprint
▸GRPC / REST
▸Multiplatform

32. NUDNIK
MESSAGE TYPES - LOAD
A
B
C
D
E
10ms
10ms
10ms
▸CPU
▸Memory
▸Disk
▸Network
▸Executable

33. NUDNIK
MESSAGE TYPES - CHAOS
A
B
C
D
E10%
10%
+? ms
? %
▸Set failure %
▸Set latency
▸.. Or randomise

34. NUDNIK
REPORTING
▸InfluxDB
▸ElasticSearch
▸Prometheus PG
▸Text csv / TTY
AB
TS
C

35. A
SCALE PLANNING / TESTING
B C
RuOK

36. SETUP
NUDNIK - INFRASTRUCTURE HEARTBEAT
▸ https://pypi.org/project/nudnik/
▸ pip install nudnik
▸ https://aur.archlinux.org/packages/
nudnik/
▸ pacman -S nudnik
▸ git clone
https://github.com/salosh/nudnik