TOPERA v0.2 IPv6 and Slow HTTP Attacks Daniel Garcia a.k.a Cr0hn (twitter.com/ ggdaniel) Rafa Sánchez - (twitter.com/ r_a_ff_a_e_ll_o)

Topera: Evading Snort with IPv6

What we are going to cover

IDS --> SNORT --> Topera v0.1 -->

DEMO --> Topera v0.2 --> DEMO

IDS/IPS

Intrusion Detection/Prevention System

SNORT

Does not get along very well with IPv6

SNORT

Extension Headers

http://www.tcpipguide.com/

IETF

RFC 2460 (Dec. 1998) -> IPv6 nodes must accept and attempt to process extension headers in any order and occurring any number of times in the same packet […]

IETF

A Uniform Format for IPv6 Extension Headers (draft, April 2012)

[…] further work required in this area. Some issues that are left unresolved beyond this document include: There can be an arbitrary number of extension headers […]

IETF

Security Implications of the Use of IPv6 Extension Headers with IPv6 Neighbor Discovery

[…] this document proposes that hosts silently ignore Neighbor Discovery messages that use IPv6 Extension Headers […]

(F. Gont) - IPv6 maintenance Working Group (6man)
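
The RFC 2460 text quoted above means an inspection device has to walk an extension header chain of arbitrary length before it reaches the upper-layer protocol. The following Python code is an added example, not taken from the slides or from the Topera project: it walks that chain and flags packets whose chain is truncated or longer than a local policy limit. `MAX_EXT_HEADERS`, the function names and the sample packets are assumptions constructed for illustration.

```python
import struct

# RFC 2460 extension header types that carry a Next Header field we can follow.
HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS = 0, 43, 44, 51, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS}
MAX_EXT_HEADERS = 8  # assumed local policy threshold, not a value from the slides


def walk_ext_headers(packet: bytes):
    """Return (chain, upper_proto): extension header types in order, then the payload protocol."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, chain = packet[6], 40, []
    while next_hdr in EXT_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header chain")
        following, len_field = packet[offset], packet[offset + 1]
        if next_hdr == FRAGMENT:
            size = 8                      # Fragment header has a fixed size
        elif next_hdr == AUTH:
            size = (len_field + 2) * 4    # AH length is counted in 32-bit words
        else:
            size = (len_field + 1) * 8    # others are counted in 8-octet units
        chain.append(next_hdr)
        next_hdr, offset = following, offset + size
    return chain, next_hdr


def is_suspicious(packet: bytes, limit: int = MAX_EXT_HEADERS) -> bool:
    """Flag packets with a malformed chain or more extension headers than the policy allows."""
    try:
        chain, _ = walk_ext_headers(packet)
    except ValueError:
        return True
    return len(chain) > limit


def build_packet(n_dest_opts: int, upper: int = 6) -> bytes:
    """Constructed sample: IPv6 header, n padded Destination Options headers, 20 zero bytes."""
    ext = b""
    for i in range(n_dest_opts):
        nh = DEST_OPTS if i < n_dest_opts - 1 else upper
        ext += bytes([nh, 0, 1, 4, 0, 0, 0, 0])  # PadN option fills the 6 option bytes
    payload = ext + bytes(20)
    first = DEST_OPTS if n_dest_opts else upper
    return struct.pack("!IHBB", 6 << 28, len(payload), first, 64) + bytes(32) + payload
```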

Topera v0.1

SNORT is vulnerable to certain types of IPv6 packets

Presented at #NN2ED

TCP scans undetectable by SNORT

CONSEQUENCES of TOPERA...

DEMO

http://code.google.com/p/topera/

New Attacks

TOPERA evolves…

Slow HTTP Denial Of Service Attack

Slowloris

Denial Of Service Attack

CRLF

Content-Length

TOPERA v0.2

What if we mix it all together?

http://securityreactions.tumblr.com/

Topera v0.2

DEMO

https://github.com/toperaproject/topera/

Is it a real risk??

Thanks Ralli, Fran!!

Thanks!!