DDoS Attack Preparation and Mitigation
Presented by Jerod Brennen, CISSP, CTO & Principal Security Consultant, Jacadis
Overview
• What is a DDoS attack?
• Why are these attacks launched?
• How do we prepare?
• How do we respond?
• Resources
In the News…
http://money.cnn.com/2012/09/27/technology/bank-cyberattacks/
DoS Attacks
• Denial of Service
o Network resources
o Host resources
o Application resources
• Types
o ICMP Flood
• Smurf attack
• Ping flood
• Ping of death
o SYN Flood
• SYN – SYN/ACK… Wait. Where’s my ACK?
• Unending knock-knock joke
o Teardrop Attack
o Low and Slow
DDoS Attacks
• Distributed Denial of Service
o Simultaneous attacks from multiple sources
o Traditional single-source countermeasures (block the one offending IP) don’t work
• Examples
o Botnet downloads the entire site, repeats ad nauseam
o Abuse the SSL negotiation (handshake) phase, where the server’s cryptographic work per connection is far more expensive than the client’s
Why Launch a DDoS Attack?
• Motive
o Extortion
o Revenge
o Hacktivism
o Unintentional (@feliciaday)
• Means
o Botnet
• Infected machines
• Voluntary (mobile devices?)
o Availability of tools
• Low Orbit Ion Cannon (LOIC) – TCP/UDP
• slowhttptest – HTTP
• Slowloris – HTTP
• Opportunity
o We’re talking about the INTERNET…
Preparation
• Technical: Defense-in-Depth
o Network
o Operating System
o Web/Application Server
o Application
• Procedural: Security Incident Response
o Policy
o Procedures
o Tabletop Exercises
Preparation – Network Architecture
• Align with the Cisco SAFE security reference architecture
o Redundancy
• Deploy and tune tools
o Intrusion Prevention System (IPS)
o Security Information Event Management (SIEM)
o Bandwidth Monitoring and Management
o Anti-DDoS Hardware (*)
• Cisco Guard / PrevenTier (Rackspace)
• DOSarrest
• RioRey
• Evaluate IPv6 configurations
Preparation – Network Router
• Enable unicast Reverse Path Forwarding (uRPF) on the Internet-facing interface
o ip verify unicast reverse-path (legacy IOS syntax; the newer form is ip verify unicast source reachable-via rx)
• Filter RFC-1918 private address space (plus link-local) as a source
o 10.0.0.0 - 10.255.255.255 (10/8 prefix)
o 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
o 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
o 169.254.0.0 - 169.254.255.255 (169.254/16 prefix; this is link-local per RFC-3927, not RFC-1918, but equally bogus as an Internet source)
• Network Ingress Filtering, per RFC-2827 (BCP 38)
o Drop forged packets: sources that could not legitimately arrive on that interface
• Enforce rate limiting for ICMP and TCP SYN packets
Preparation – Network Firewall
• Deny private, illegal, and non-routable source IPs (none of these can legitimately arrive from the Internet)
o 0.0.0.0/8 (0.0.0.0)
o 10.0.0.0-10.255.255.255
o 127.0.0.0/8 (loopback)
o 172.16.0.0-172.31.255.255
o 192.168.0.0-192.168.255.255
o 240.0.0.0/4 (reserved)
o 255.255.255.255 (limited broadcast)
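Added example (Python, not from the slides or from Jacadis): the router and firewall rules on the two slides above, modelled as code so the filtering logic can be exercised offline. It assumes a constructed routing table with illustrative interface names (Gi0/0 upstream, Gi0/1 public servers, Gi0/2 internal LAN), strict-mode uRPF (a packet is accepted only if the best route back to its source leaves through the interface it arrived on), and documentation prefixes (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) for the sample packets; none of it describes a real site.

```python
import ipaddress

# Source addresses that must never arrive from the Internet: the firewall
# slide's list as prefixes.  255.255.255.255 falls inside 240.0.0.0/4.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",       # "this" network
    "10.0.0.0/8",      # RFC 1918
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # link-local (RFC 3927)
    "172.16.0.0/12",   # RFC 1918
    "192.168.0.0/16",  # RFC 1918
    "240.0.0.0/4",     # reserved; includes the limited broadcast address
)]

UPSTREAM = "Gi0/0"  # assumed: the only interface facing the ISP

# Constructed routing table for the edge router: prefix -> egress interface.
ROUTES = {
    ipaddress.ip_network("0.0.0.0/0"):      "Gi0/0",  # default route toward the ISP
    ipaddress.ip_network("203.0.113.0/24"): "Gi0/1",  # public server segment
    ipaddress.ip_network("10.0.0.0/8"):     "Gi0/2",  # internal LAN
}


def is_bogon(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGON_PREFIXES)


def best_route(src: str) -> str:
    """Longest-prefix match: the interface the router would use to reach src."""
    addr = ipaddress.ip_address(src)
    matches = [net for net in ROUTES if addr in net]
    return ROUTES[max(matches, key=lambda net: net.prefixlen)]


def urpf_strict_ok(src: str, ingress: str) -> bool:
    """Strict uRPF (ip verify unicast reverse-path): accept only if the best
    route back to the source points out the interface the packet came in on."""
    return best_route(src) == ingress


def ingress_verdict(src: str, ingress: str) -> str:
    """The bogon ACL is cheap and applies only on the upstream interface
    (RFC 1918 sources are expected on the inside); uRPF then catches
    spoofed-but-routable sources, e.g. our own public prefix arriving from the ISP."""
    if ingress == UPSTREAM and is_bogon(src):
        return "drop: bogon/private source"
    if not urpf_strict_ok(src, ingress):
        return "drop: uRPF failure (source not reachable via ingress interface)"
    return "accept"


def filter_packets(packets):
    """packets: iterable of (src_ip, ingress_interface); returns a verdict per packet."""
    return [(src, ingress, ingress_verdict(src, ingress)) for src, ingress in packets]


if __name__ == "__main__":
    SAMPLE = [  # constructed packets
        ("198.51.100.7", "Gi0/0"),      # ordinary Internet client
        ("10.1.2.3", "Gi0/0"),          # RFC 1918 source arriving from the Internet
        ("203.0.113.5", "Gi0/0"),       # our own server prefix, spoofed from upstream
        ("255.255.255.255", "Gi0/0"),   # limited broadcast as a source
        ("10.5.5.5", "Gi0/2"),          # internal host on the internal interface
        ("10.5.5.5", "Gi0/1"),          # internal address on the wrong interface
    ]
    for src, ingress, verdict in filter_packets(SAMPLE):
        print(f"{src:>16} via {ingress}: {verdict}")
```

Strict uRPF assumes symmetric routing; on a multihomed edge it drops legitimate packets, which is why IOS also offers loose mode (ip verify unicast source reachable-via any), which only checks that some route to the source exists.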
Preparation - Operating System
• Harden the Host
o Center for Internet Security (CIS) benchmarks
o DISA STIGs
• Defense Information Systems Agency Security Technical Implementation Guides
o Vendor guides
• Patch
o Automate the process
o Trust, but verify
• Host Vulnerability Scans
o DoS vulnerabilities
Preparation – Apache on Linux
• Advanced Policy Firewall (APF)
o Front end for iptables (netfilter)
• (D)DoS Deflate
o Counts connections per remote IP: netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
o Automatically blocks attacking IPs once they exceed a connection-count threshold
o Automatically unblocks IPs after x seconds
• Apache modules
o mod_evasive
o mod_security
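Added example (Python, not the (D)DoS Deflate script itself and not from the slides): the same connection-count policy as the netstat pipeline above, with the block/unblock-after-x-seconds timer, written so it can be tested against a constructed netstat -ntu snapshot. Note that cut -d: -f1 splits on the first colon and so mangles IPv6 remote addresses; splitting on the last colon handles both address families. The firewall commands are returned as strings rather than executed; the threshold (150) and ban time (600 s) are assumed defaults, and the clock is injectable for offline testing.

```python
import time
from collections import Counter


def parse_foreign_hosts(netstat_output: str) -> Counter:
    """Count connections per remote address from `netstat -ntu` output.
    rsplit on the last ':' strips the port without breaking IPv6 addresses."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner / column-header lines
        remote, _port = fields[4].rsplit(":", 1)
        counts[remote] += 1
    return counts


class ConnectionLimiter:
    """(D)DoS Deflate-style policy: block any source above max_connections
    concurrent connections and release it again after ban_seconds."""

    def __init__(self, max_connections=150, ban_seconds=600, clock=time.monotonic):
        self.max_connections = max_connections
        self.ban_seconds = ban_seconds
        self.clock = clock      # injectable so the timer logic can be tested offline
        self.banned = {}        # remote ip -> expiry (clock units)

    def evaluate(self, counts: Counter) -> list:
        """Ban new offenders; returns the firewall commands to run now."""
        now = self.clock()
        commands = []
        for ip, n in counts.items():
            if n > self.max_connections and ip not in self.banned:
                self.banned[ip] = now + self.ban_seconds
                commands.append(self.block_command(ip))
        return commands

    def expire(self) -> list:
        """Lift bans whose timer has run out; returns the unblock commands."""
        now = self.clock()
        released = [ip for ip, until in self.banned.items() if until <= now]
        for ip in released:
            del self.banned[ip]
        return [self.unblock_command(ip) for ip in released]

    @staticmethod
    def block_command(ip: str) -> str:
        tool = "ip6tables" if ":" in ip else "iptables"
        return f"{tool} -I INPUT -s {ip} -j DROP"

    @staticmethod
    def unblock_command(ip: str) -> str:
        tool = "ip6tables" if ":" in ip else "iptables"
        return f"{tool} -D INPUT -s {ip} -j DROP"


# Constructed `netstat -ntu` snapshot: a few normal clients plus one source
# holding 160 half-open connections (the SYN flood / Slowloris footprint).
_HEADER = ("Active Internet connections (w/o servers)\n"
           "Proto Recv-Q Send-Q Local Address           Foreign Address         State\n")
_ROWS = [
    "tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED",
    "tcp        0      0 203.0.113.10:443        198.51.100.9:40001      TIME_WAIT",
    "tcp6       0      0 2001:db8::10:80         2001:db8:bad::1:40000   ESTABLISHED",
] + [f"tcp        0      0 203.0.113.10:80         192.0.2.66:{50000 + i}        SYN_RECV"
     for i in range(160)]
SAMPLE_NETSTAT = _HEADER + "\n".join(_ROWS) + "\n"


if __name__ == "__main__":
    limiter = ConnectionLimiter()
    for cmd in limiter.evaluate(parse_foreign_hosts(SAMPLE_NETSTAT)):
        print(cmd)  # iptables -I INPUT -s 192.0.2.66 -j DROP
```

Run evaluate() on each polling cycle and expire() right after it; a legitimate NAT gateway or proxy can also exceed a connection threshold, so whitelist known customer egress addresses before wiring the block command to a real firewall.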
Preparation – IIS on Windows
• UrlScan
o Integrate with IIS
o Mitigate SQL injection attacks
o Restrict potentially malicious HTTP requests (web app firewall function)
• Dynamic IP Restrictions
o Requests over time
o Deny action
o Logging
Preparation - Application
• Third Party Services
o Akamai – Web Application Acceleration
o Prolexic – Pipe Cleaner (traffic scrubbing)
• Web App Firewall
o Hosted
o Cloud
• Load Balancers
o Take advantage of virtualization
• Baseline Your Performance
o Thresholds (Load Testing)
o Source IP reports
• Web Application Vulnerability Scan
o DoS vulnerabilities
o Vulnerable forms (CAPTCHA)
Mitigation - Network
• Log analysis
o Understand the attack
o netstat, awk, grep
• Contact your ISP
o Drop attacking traffic before it hits any of your resources
• Null route attackers
o Example: ip route 192.168.0.0 255.255.0.0 Null0
• Implement your geographic IP rules
o Deny all traffic from non-customer IP blocks
• Enable third party services/solutions
o Temporary
o Cost
Mitigation – Host and App
• Add additional servers
o Temporary (co$t)
o Again, take advantage of virtualization
• Tighten web app firewall rules
o Based on attack pattern
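Added example (Python, not from the slides): recognising the low-and-slow attack pattern (Slowloris, slowhttptest) from per-worker server state and turning it into the firewall/WAF tightening above. It assumes records shaped like Apache mod_status extended output (client, worker mode, seconds since the request began), constructed inline; the thresholds (5 slots held for 30 s or more, 75 % pool pressure) and the 20-worker pool are illustrative.

```python
from collections import defaultdict

# Worker modes as mod_status reports them: 'R' = reading the request,
# 'W' = sending the reply, '_' = idle.  A Slowloris client opens many
# connections and trickles headers so each worker sits in 'R' for minutes.


def slow_clients(workers, min_slots=5, min_seconds=30):
    """Clients holding >= min_slots workers in 'R' for at least min_seconds
    each.  workers: iterable of (client_ip, mode, seconds_in_request)."""
    held = defaultdict(int)
    for client, mode, seconds in workers:
        if mode == "R" and seconds >= min_seconds:
            held[client] += 1
    return {c: n for c, n in held.items() if n >= min_slots}


def pool_pressure(workers, max_clients):
    """Share of the worker pool (MaxClients) that is not idle."""
    busy = sum(1 for _, mode, _ in workers if mode != "_")
    return busy / max_clients


def mitigation_plan(workers, max_clients, pressure_alert=0.75):
    """Turn a snapshot into actions: block slot-hoarding clients at the
    firewall/WAF, and flag pool exhaustion so the request-read timeout is
    tightened (mod_reqtimeout on Apache) before the pool fills completely."""
    actions = [f"block {ip} (holding {n} workers in request-read state)"
               for ip, n in sorted(slow_clients(workers).items())]
    if pool_pressure(workers, max_clients) >= pressure_alert:
        actions.append("pool nearly exhausted: lower header/body read timeouts "
                       "(e.g. mod_reqtimeout) and raise MaxClients")
    return actions


# Constructed snapshot: 20-worker prefork pool, one attacker, two real users.
SNAPSHOT = (
    [("192.0.2.66", "R", 120 + i) for i in range(14)]        # 14 half-sent requests
    + [("198.51.100.7", "W", 0), ("198.51.100.9", "R", 1)]  # normal traffic
    + [("-", "_", 0)] * 4                                    # idle workers
)

if __name__ == "__main__":
    for action in mitigation_plan(SNAPSHOT, max_clients=20):
        print(action)
```

A normal client on a slow link can also sit in 'R' for a while, which is why the rule keys on many slots per client rather than on one slow request; the slot threshold should stay above the connection count a legitimate browser opens to the site.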
Contact Law Enforcement?
• Pros
o Prevent future attacks against your org
o Prevent future attacks against other orgs
• Cons
o Attack becomes public record
o Additional resources = time + money
• Decide in writing what action you will take before an incident occurs.
Resources
• Denial of Service Attacks Explained
o CERT
• http://www.cert.org/tech_tips/denial_of_service.html
o Wikipedia
• http://en.wikipedia.org/wiki/Denial-of-service_attack
• RFCs
o RFC-1918 – Address Allocation for Private Internets
• http://tools.ietf.org/html/rfc1918
o RFC-2827 (BCP 38) – Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
• http://www.ietf.org/rfc/rfc2827.txt
• Hardening Information
o Center for Internet Security
• http://www.cisecurity.org/
o Cisco SAFE
• http://www.cisco.com/en/US/netsol/ns954/index.html
o Country IP Blocks
• http://www.countryipblocks.net/
o DISA STIGs
• http://iase.disa.mil/stigs/
o How to Protect Against Slow HTTP Attacks (via @Qualys)
• https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks
Resources (cont’d)
• Tools
o Low Orbit Ion Cannon
• http://sourceforge.net/projects/loic/
• Installed on your iPhone: http://www.youtube.com/watch?v=9VxA_DSflG0
o slowhttptest
• http://code.google.com/p/slowhttptest/
o Slowloris
• http://ha.ckers.org/slowloris/
o Advanced Policy Firewall (APF)
• http://www.rfxn.com/projects/advanced-policy-firewall/
o (D)DoS Deflate
• http://deflate.medialayer.com/
o UrlScan
• http://technet.microsoft.com/en-us/security/cc242650
o Dynamic IP Restrictions
• http://www.iis.net/download/DynamicIPRestrictions
• Apache Modules
o mod_evasive
• http://www.topwebhosts.org/articles/mod_evasive.php
o mod_security
• http://www.topwebhosts.org/articles/mod_security.php
Questions / Contact Info
Jerod Brennen, CISSP
http://www.linkedin.com/in/slandail
http://twitter.com/#!/slandail
http://www.jacadis.com/