Swiss Cyberstorm 2011 – OWASP Track

Hunting Slowloris and Friends
On Practical Defense Against Application Layer DDoS Attacks that use Request Delaying Techniques

Dr. Christian Folini
netnea.com / Swiss Post
[email protected]

Hunting Slowloris and Friends - Hacking-Lab · bad traffic mimics good traffic and you are blind to start with. Hunting Slowloris and Friends – Swiss Cyberstorm 2011 – OWASP Track


Page 1: Hunting Slowloris and Friends (title slide)

Page 2:

Christian Folini CV

IT Consultant for Swiss Post, Swiss Federal IT, Swiss TV, one or two banks etc.

Specialised in Webserver Security and Web Application Security on Unix Servers and System Administration in general

Speaker at OWASP conferences

Developer of a ModSecurity Rule Editor named "REMO"

Studies in Fribourg (Switzerland), Berne, Bielefeld, Berlin

PhD in Medieval History at Fribourg University, Switzerland

Page 3:

The probability of an application level DDoS using Request Delaying Techniques hitting Swiss Post is very low - and the result would be a complete disaster.

Christian Folini, 2006

Internal Swiss Post Memo

Page 4:

ModSecurity ML in 2006

Page 5:

RSnake Announcing Slowloris

Page 6:

Writing about Slowloris in LWN.net

Page 7:

For Completeness: Matteo

Page 8:

Swiss Post Press Release

FIXME: Screenshot

http://lwn.net/Articles/338407/

Page 9:

Attack Waves Traffic Graph

Two weeks of TCP traffic on one of the links of Swiss Post

One week of TCP traffic on one of the links of Swiss Post

Page 10:

How to DDoS on the Application Level?

Page 11:

Attack Waves Traffic Graph

Two weeks of TCP traffic on one of the links of Swiss Post

One week of TCP traffic on one of the links of Swiss Post

Page 12:

Apache ModStatus Example Output

Page 13:

Statements from IRC (1 of 2)

< machiavelli> again I think holding postfinance.ch down for several weeks would lead to cash in wikileaks' hands. Postfinance would be forced to actually release the wikileaks funds they've stolen or go out of business.

The Plan (here summarised after the attack was over)

Page 14:

Statements from IRC (2 of 2)

22:12 < biertrinker> paypal is wasting time. lets do postfinance.ch again to let them see that war is still not over

...

23:12 < pride2> what is the site of the bank that blocked assanges account?

...

23:12 < pride2> we can take that one out?

...

23:13 < OPBIG_7> postfinance pride2

...

23:14 < RemmiDemmi> postfinance.ch would be good

...

23:14 < pride2> i agree

23:14 < pride2> it would make a good statement

...

23:15 < OPBIG_7> pride2 and co: postfinance was complete down when we attacked them and they had to block all non CH ip's. They will do same if we attack again. Its not a long term target

Page 15:

Internal Swiss Post Memo

The probability of an application level DDoS using Request Delaying Techniques hitting Swiss Post is very low - and the result would be a complete disaster.

Christian Folini, 2006

Page 16:

Practical Defense

A Problem of Strict Differentiation:

It is about telling good traffic from bad traffic when the bad traffic mimics good traffic and you are blind to start with.

Page 17:

What You Can Do (1 of 3)

Know your architecture

Know your protocols

Know your application

Know your customers

Know your allies and their phone number

Know your tools

Know your defense plan

Know your enemies

Page 18:

What You Can Do (2 of 3)

Think about using an "event based" webserver (but they have other limits...)

Think about routing the traffic through an external specialist

Understand HTTP Keepalive and decide if you really need it

Lower your timeouts (3s sounds like a decent value in my eyes)

Use mod_reqtimeout

Look into mod_qos (by Pascal Buchbinder, Winterthur)

Use GeoIP

Use netstat

Use tcpdump

Use IP Blacklisting

Look into ModSecurity – there are a few useful directives

Look into mod_backdoor

Think about separating File Uploads from the rest of the application

Forget mod_evasive
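The timeout advice above (lower your timeouts, use mod_reqtimeout) is only worth something if you verify that the server really drops a stalled request. The following Python probe is an added example and not part of the original slides: it opens one connection, sends an incomplete request header, then trickles one bogus header line at a time without ever sending the blank line that would complete the request, which is exactly what Slowloris does, and measures how long the server tolerates this before closing the socket. The `start_stalled_header_server` peer is a constructed stand-in so the probe can be exercised offline; it is not Apache. Host, port, the 1 s timeout and the `X-a: b` filler header are assumptions for the demonstration.

```python
import socket
import threading
import time


def slow_header_probe(host, port, max_wait=10.0, step=0.5):
    """Open one connection, send an incomplete request header and then trickle
    one bogus header line every `step` seconds, never sending the blank line
    that would complete the request (the Slowloris pattern).

    Returns the seconds the server tolerated the stalled request before it
    closed the connection, or None if the connection was still open after
    `max_wait` seconds, i.e. no request-header timeout is being enforced."""
    s = socket.create_connection((host, port), timeout=step)
    start = time.monotonic()
    try:
        s.sendall(b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\n")
        while time.monotonic() - start < max_wait:
            try:
                s.sendall(b"X-a: b\r\n")          # keep the header "in progress"
                data = s.recv(4096)               # blocks at most `step` seconds
                if not data:                      # orderly close (FIN) by the server
                    return round(time.monotonic() - start, 1)
                # a 408 or similar without a close yet: keep trickling
            except socket.timeout:
                continue                          # server silent, still waiting
            except OSError:                       # reset or broken pipe
                return round(time.monotonic() - start, 1)
        return None
    finally:
        s.close()


def start_stalled_header_server(header_timeout, accept_count=1):
    """Constructed test peer, not Apache: accepts `accept_count` connections and
    closes each one `header_timeout` seconds after accept with a 408 unless a
    complete header (terminated by a blank line) arrived first.
    header_timeout=None models a server with no request-header timeout.
    Returns the listening port on 127.0.0.1."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        deadline = None if header_timeout is None else time.monotonic() + header_timeout
        buf = b""
        conn.settimeout(0.1)
        try:
            with conn:
                while deadline is None or time.monotonic() < deadline:
                    try:
                        chunk = conn.recv(4096)
                    except socket.timeout:
                        continue
                    if not chunk:                 # client gave up first
                        return
                    buf += chunk
                    if b"\r\n\r\n" in buf:        # a real request completed
                        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
                        return
                conn.sendall(b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n\r\n")
        except OSError:
            pass

    def serve():
        for _ in range(accept_count):
            conn, _addr = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Local demonstration: a peer with a 1 s header timeout versus one without.
    strict = start_stalled_header_server(header_timeout=1.0)
    print("strict peer closed after", slow_header_probe("127.0.0.1", strict, max_wait=5), "s")
    lax = start_stalled_header_server(header_timeout=None)
    print("lax peer still open after 3 s:", slow_header_probe("127.0.0.1", lax, max_wait=3) is None)
```

Point the probe at your own server (`slow_header_probe("www.example.org", 80, max_wait=60)`) rather than at the test peer: a result of None means any single client can park a worker indefinitely for the price of one packet every few seconds, which is the whole Slowloris business model. With mod_reqtimeout's `RequestReadTimeout header=` window set to a few seconds, the probe should report a close inside that window; remember that one probe only tells you about header reading, and a slow POST body is a separate timeout.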

Page 19:

What You Can Do (3 of 3)

Slowloris type DDoS tools don't ever finish a request -> comparing netstat output and the access log should be able to tell you more

Other DDoS tools do full requests, but they do not fetch follow up css, javascript and image files -> the access log has the details

There is a typical median lifetime of a connection to your application -> observing netstat output should give you an idea

And now the really advanced stuff:

Run an agent that supervises the connections and observes the access log and the login log (if that exists in your application):

Look for clients accessing the wrong URLs

Look for clients using the wrong method on the wrong URLs (i.e. doing a POST on a page where POST is not expected)

Look for clients having an atypical order of requests

Look for clients with atypical request structure
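The netstat-versus-access-log comparison suggested on this slide, worked through as an added example that is not from the original deck. It correlates three of the signals listed above: a client holding several ESTABLISHED connections to port 80 that never appears in the access log (Apache writes the log line only once a request is complete, and Slowloris never completes one); a client that fetched many pages but never any css, javascript or image, which a browser would have requested; and a client using POST on a URL where the application expects none. The netstat snapshot and the access log lines are constructed for the example and are not Swiss Post data; the IP addresses, the `/login` page and the thresholds (3 connections, 5 requests) are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input, not real Swiss Post data: a `netstat -tn` snapshot
# of a web server listening on port 80, and the matching Apache access log
# (combined format) for the same window.
NETSTAT_SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51012      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51013      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51014      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51015      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.44:33120        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.44:33121        TIME_WAIT
tcp        0      0 10.0.0.5:22             192.0.2.44:33200        ESTABLISHED
"""

ACCESS_LOG_SAMPLE = """\
203.0.113.9 - - [10/Dec/2010:23:14:01 +0100] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2010:23:14:01 +0100] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2010:23:14:02 +0100] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2010:23:14:02 +0100] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2010:23:14:03 +0100] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2010:23:14:03 +0100] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2010:23:14:04 +0100] "POST /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Dec/2010:23:14:05 +0100] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Dec/2010:23:14:05 +0100] "GET /css/main.css HTTP/1.1" 200 812 "http://www.example.ch/login" "Mozilla/5.0"
192.0.2.44 - - [10/Dec/2010:23:14:05 +0100] "GET /js/app.js?v=3 HTTP/1.1" 200 2210 "http://www.example.ch/login" "Mozilla/5.0"
192.0.2.44 - - [10/Dec/2010:23:14:05 +0100] "GET /img/logo.png HTTP/1.1" 200 1500 "http://www.example.ch/login" "Mozilla/5.0"
192.0.2.44 - - [10/Dec/2010:23:14:20 +0100] "POST /login HTTP/1.1" 302 0 "http://www.example.ch/login" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
ASSET_RE = re.compile(r"\.(css|js|png|gif|jpe?g|ico|woff2?)$", re.IGNORECASE)
POST_ALLOWED = {"/login"}   # assumption: the only page on which a POST is expected


def parse_netstat(text, local_port=80):
    """Count ESTABLISHED connections per remote IP on the given local port."""
    established = Counter()
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp"):
            continue                      # banner and column header lines
        local, remote, state = f[3], f[4], f[5]
        if state == "ESTABLISHED" and local.endswith(":%d" % local_port):
            established[remote.rsplit(":", 1)[0]] += 1
    return established


def parse_access_log(text):
    """Map client IP -> list of (method, path) for every logged request."""
    requests = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            path = m.group(3).split("?", 1)[0]   # drop the query string
            requests[m.group(1)].append((m.group(2), path))
    return requests


def find_suspects(netstat_text, access_log_text, local_port=80, min_conns=3, min_requests=5):
    """Three signals from the slide, each returned as a sorted list of IPs:
    silent     - holds >= min_conns established connections but never shows up
                 in the access log (Apache logs a request only once it is
                 complete, and Slowloris never completes one);
    no_assets  - fetched >= min_requests pages but never any css/js/image, which
                 a browser would have requested;
    bad_method - used POST on a URL where the application expects none."""
    conns = parse_netstat(netstat_text, local_port)
    reqs = parse_access_log(access_log_text)
    silent = sorted(ip for ip, n in conns.items() if n >= min_conns and ip not in reqs)
    no_assets = sorted(ip for ip, rs in reqs.items()
                       if len(rs) >= min_requests and not any(ASSET_RE.search(p) for _, p in rs))
    bad_method = sorted(ip for ip, rs in reqs.items()
                        if any(m == "POST" and p not in POST_ALLOWED for m, p in rs))
    return {"silent": silent, "no_assets": no_assets, "bad_method": bad_method}


if __name__ == "__main__":
    for signal, ips in find_suspects(NETSTAT_SAMPLE, ACCESS_LOG_SAMPLE).items():
        print("%-10s %s" % (signal, ", ".join(ips) or "-"))
```

On the sample, 198.51.100.7 is the Slowloris client (four open connections, not one logged request), 203.0.113.9 is the full-request flooder (seven hits on the login page, no stylesheet, no script, no image, plus a POST where none belongs), and 192.0.2.44 looks like a browser and is left alone. Feed the real thing from `netstat -tn` and the live access log on the same box; the silent-client check is the only one that sees Slowloris at all, because the access log is empty for it by construction.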

Page 20:

What You Can Do (4 of 3: Bonus Exercises)

Browserrecon Project

-> Marc Ruef, computec.ch

HTTP Client Fingerprinting Using SSL Handshake Analysis -> Ivan Ristić: SSL Labs