DDoS Attack Preparation and Mitigation


Layered controls to help you prepare for and defend yourself from a distributed denial of service (DDoS) attack.


1. DDoS Attack Preparation and Mitigation
   Presented by Jerod Brennen, CISSP
   CTO & Principal Security Consultant, Jacadis

2. Overview
   • What is a DDoS attack?
   • Why are these attacks launched?
   • How do we prepare?
   • How do we respond?
   • Resources

3. In the News
   • http://money.cnn.com/2012/09/27/technology/bank-cyberattacks/

4. DoS Attacks
   • Denial of Service
     o Network resources
     o Host resources
     o Application resources
   • Types
     o ICMP Flood: Smurf attack, Ping flood, Ping of death
     o SYN Flood: SYN, SYN/ACK, wait... where's my ACK? An unending knock-knock joke
     o Teardrop Attack
     o Low and Slow

5. DDoS Attacks
   • Distributed Denial of Service
     o Simultaneous attacks from multiple sources
     o Traditional countermeasures don't work
   • Examples
     o Botnet downloads entire site, repeats ad nauseam
     o Abuse SSL negotiation phase

6. Why Launch a DDoS Attack?
   • Motive
     o Extortion
     o Revenge
     o Hacktivism
     o Unintentional (@feliciaday)
   • Means
     o Botnet: infected machines, voluntary (mobile devices?)
     o Availability of tools: Low Orbit Ion Cannon (LOIC) (TCP/UDP), slowhttptest (HTTP), Slowloris (HTTP)
   • Opportunity
     o We're talking about the INTERNET

7. Preparation
   • Technical: Defense-in-Depth
     o Network
     o Operating System
     o Web/Application Server
     o Application
   • Procedural: Security Incident Response
     o Policy
     o Procedures
     o Tabletop Exercises

8. Preparation - Network Architecture
   • Align with Cisco SAFE security reference architecture
     o Redundancy
   • Deploy and tune tools
     o Intrusion Prevention System (IPS)
     o Security Information Event Management (SIEM)
     o Bandwidth Monitoring and Management
     o Anti-DDoS Hardware (*): Cisco Guard / PrevenTier (Rackspace), DOSarrest, RioRey
   • Evaluate IPv6 configurations

9. Preparation - Network Router
   • Enable Reverse Path Forwarding
     o ip verify unicast reverse-path
   • Filter all RFC-1918 address spaces
     o 10.0.0.0 - 10.255.255.255 (10/8 prefix)
     o 169.254.0.0 - 169.254.255.255 (169.254/16 prefix)
     o 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
     o 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
   • Network Ingress Filtering, per RFC-2827
     o Drop forged packets
   • Enforce rate limiting for ICMP and SYN packets

10. Preparation - Network Firewall
   • Deny private, illegal, and routable source IPs

11. Preparation - Operating System
   • Harden the Host
     o Center for Internet Security
     o DISA STIGs (Defense Information Systems Agency Security Technical Implementation Guides)
     o Vendor guides
   • Patch
     o Automate the process
     o Trust, but verify
   • Host Vulnerability Scans
     o DoS vulnerabilities

12. Preparation - Apache on Linux
   • Advanced Policy Firewall (APF)
     o iptables (netfilter)
   • (D)DoS Deflate
     o netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
     o Automatically block attacking IPs
     o Automatically unblock IPs after x seconds
   • Apache modules
     o mod_evasive
     o mod_security

13. Preparation - IIS on Windows
   • UrlScan
     o Integrate with IIS
     o Mitigate SQL injection attacks
     o Restrict potentially malicious HTTP requests (web app firewall function)
   • Dynamic IP Restrictions
     o Requests over time
     o Deny action
     o Logging

14. Preparation - Application
   • Third Party Services
     o Akamai Web Application Acceleration
     o Prolexic Pipe Cleaner
   • Web App Firewall
     o Hosted
     o Cloud
   • Load Balancers
     o Take advantage of virtualization
   • Baseline Your Performance
     o Thresholds (Load Testing)
     o Source IP reports
   • Web Application Vulnerability Scan
     o DoS vulnerabilities
     o Vulnerable forms (CAPTCHA)

15. Mitigation - Network
   • Log analysis
     o Understand the attack
     o netstat, awk, grep
   • Contact your ISP
     o Drop attacking traffic before it hits any of your resources
   • Null route attackers
     o Example: ip route <attacker-ip> <mask> Null0
   • Implement geographic IP rules
     o Deny all traffic from non-customer IP blocks
   • Enable third party services/solutions
     o Temporary
     o Cost

16. Mitigation - Host and App
   • Add additional servers
     o Temporary (co$t)
     o Again, take advantage of virtualization
   • Tighten web app firewall rules
     o Based on attack pattern

17. Contact Law Enforcement?
   • Pros
     o Prevent future attacks against your org
     o Prevent future attacks against other orgs
   • Cons
     o Attack becomes public record
     o Additional resources = time + money
   • Decide in writing what action you will take before an incident occurs.
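The per-source connection count from slide 12 and the netstat/awk log analysis from slide 15, worked out as an added shell example (this is not code from the deck or from the (D)DoS Deflate project): it counts open connections per remote address from `netstat -ntu` output, flags addresses at or above a threshold while honouring an allowlist, and prints the iptables rules instead of running them. The sample netstat output is constructed from RFC 5737 documentation addresses; the threshold, allowlist, and function names are my own assumptions.

```shell
# Constructed sample in the shape of `netstat -ntu` output (documentation
# addresses, not real traffic): one source has opened three connections,
# two of them still half-open in SYN_RECV.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address          State
tcp        0      0 192.0.2.10:80           203.0.113.5:51234        ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51235        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51236        SYN_RECV
tcp6       0      0 ::ffff:192.0.2.10:443   ::ffff:198.51.100.7:4433 ESTABLISHED
udp        0      0 192.0.2.10:53           198.51.100.9:40001       ESTABLISHED'

# Count connections per remote address from netstat -ntu output on stdin.
# Same idea as the slide's pipeline, but it ignores the header lines and
# strips only the trailing :port, so IPv6 and IPv4-mapped addresses such
# as ::ffff:198.51.100.7:4433 stay whole where `cut -d: -f1` would have
# reduced them to an empty string.
count_sources() {
  awk '$1 ~ /^(tcp|udp)/ { ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++ }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print remote addresses with at least $1 connections, skipping any that
# appear in the space-separated allowlist $2 (monitoring hosts, load
# balancers, your own NAT) so the automation never locks those out.
flag_sources() {
  threshold="$1"
  allowlist=" ${2:-} "
  count_sources | awk -v t="$threshold" -v a="$allowlist" \
    '$1 >= t && index(a, " " $2 " ") == 0 { print $2 }'
}

# Turn flagged addresses into iptables DROP rules. They are printed, not
# executed: review them (or pipe to sh) and schedule a matching
# iptables -D for each to get the "unblock after x seconds" behaviour.
block_rules() {
  while read -r ip; do
    printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
  done
}

# Example run: addresses with 3+ connections, never blocking 198.51.100.9.
printf '%s\n' "$SAMPLE" | flag_sources 3 198.51.100.9 | block_rules
```

On a live host replace the sample with `netstat -ntu | flag_sources 50 "$ALLOWLIST"` and tune the threshold from the source IP baseline the deck recommends on slide 14.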
18. Resources
   • Denial of Service Attacks Explained
     o CERT: http://www.cert.org/tech_tips/denial_of_service.html
     o Wikipedia: http://en.wikipedia.org/wiki/Denial-of-service_attack
   • RFCs
     o RFC-1918 Address Allocation for Private Internets: http://tools.ietf.org/html/rfc1918
     o RFC-2827 Network Ingress Filtering: http://www.ietf.org/rfc/rfc2827.txt
   • Hardening Information
     o Center for Internet Security: http://www.cisecurity.org/
     o Cisco SAFE: http://www.cisco.com/en/US/netsol/ns954/index.html
     o Country IP Blocks: http://www.countryipblocks.net/
     o DISA STIGs: http://iase.disa.mil/stigs/
     o How to Protect Against Slow HTTP Attacks (via @Qualys): https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks

19. Resources (cont'd)
   • Tools
     o Low Orbit Ion Cannon: http://sourceforge.net/projects/loic/ (installed on your iPhone: http://www.youtube.com/watch?v=9VxA_DSflG0)
     o slowhttptest: http://code.google.com/p/slowhttptest/
     o Slowloris: http://ha.ckers.org/slowloris/
     o Advanced Policy Firewall (APF): http://www.rfxn.com/projects/advanced-policy-firewall/
     o (D)DoS Deflate: http://deflate.medialayer.com/
     o UrlScan: http://technet.microsoft.com/en-us/security/cc242650
     o Dynamic IP Restrictions: http://www.iis.net/download/DynamicIPRestrictions
   • Apache Modules
     o mod_evasive: http://www.topwebhosts.org/articles/mod_evasive.php
     o mod_security: http://www.topwebhosts.org/articles/mod_security.php

20. Questions / Contact Info
   Jerod Brennen, CISSP
   http://www.linkedin.com/in/slandail
   http://twitter.com/#!/slandail
   http://www.jacadis.com/
   contact@jacadis.com