DDoS Attacks and Countermeasures

DDoS Attacks & Countermeasures

Duong Ngoc Thai<thaidn AT gmail DOT com>

http://vnhacker.blogspot.com

Hello!

OverviewOverview

DDoS Attacks What's new?

DDoS Countermeasures What NOT to do? What to do?

Q & A

Part IPart I

DDoS Attacks – What's new? Botnet Attacks

DRDoS Distributed Reflected DNS Attacks

xFlash Attacks HTTP-based applications Welcome to the brave new world of Flash 9 Socket

What is botnet?

DDoS Attacks through Botnet Traditional DDoS Attacks

DRDoS

DDoS Attacks through Botnet Distributed Reflected DNS Attacks

Okay, botnet is scary.

But wait, there's no botnet in VN,YET!

Bad news: building a botnet is easy!

bot source code is available for free! some even released under GPL!


Gái đẹp online đây bà con ơi!!!! Remember

gaixinh or xRobot?

Bad news: building a botnet is easy!I don't want to pay for software! ever wonder what those keygen.exe or crack.exe

actually do? no license --> no update --> hack me please!

(hint: use Linux)


can't build yourself? buy one online!

Vietnam Botnet Factbook

What's xFlash?

ActionScript in Flash can send HTTP requests to 3rd party sites through the browser which

invoked it.

What's xFlash?

The main DDoS attack mechanism used to attack many websites in VN: hvaonline.net, vietco.com, ddth.com, <insert your sites here>, etc...

xFlash to attack HTTP-based applications

<insert x-flash source code here>


forging HTTP request headersvar req:LoadVars=new LoadVars();

req.addRequestHeader("Foo","Bar");

req.send("http://www.site.com/index.php","_blank","GET");


forging HTTP request headersvar req:LoadVars=new LoadVars();

req.addRequestHeader("Foo","Bar");

req.decode("a=b&c=d");

req.send("http://www.site.com/index.php","_blank","POST");

Welcome to The Brave New World of Flash 9 Socket

Quote from Flash 9 documentation “The Socket class enables ActionScript code to make socket connections and

to read and write raw binary data. The Socket class is useful for working with servers that use binary protocols.”




Let's port nmap to ActionScript!




Let's port nmap to ActionScript!

Err wait, how about same origin policy?

Part IIPart II

DDoS Countermeasures DON'T

.htaccess referer checking PHP anti-DDoS script

DOs performance tuning - killing the bottlenecks

start small, think big defense in depth

First thing first:

SHOW ME THE MONEY

Security is always a trade-off

The Art Of Performance Tuning

What is performance?

The Art Of Performance Tuning

What is performance?

rps = requests per second

cu = concurrent users

Howto Find The Bottlenecks

code profiling – xdebugsystem profiling – oprofiledatabase query profiling

Caching's Your Good Friend, Always

opcode caching – APC, Zend Platformobject caching – memcachedhttp request caching - squid

Start Small Think BIG what is scalability?

Start Small Think BIG what is scalability?

readily enlarged what is scalable system?

able to accommodate increased usageable to accommodate an increased dataset

maintainable

Hello, world! Is Very Scalable

<?php

sleep(1);echo “Hello, world!”;

?>

Verizontal vs Horizontal Scaling

Share Nothing Architecture

Scaling The Database With SNA

Scaling The Storage

Amazon S3 anybody?

Wikipedia: a scalable system

The Blueprint of Defense In Depth

The case for the reverse proxy

Recommend ReadingRecommend Reading

Building scalable web sites

Kí sự các vụ DDoS vào HVAOnline.net

DDoS Attacks & Countermeasures

Thank you!

Questions/Comments?

Duong Ngoc Thai

Technology

DDoS Attacks and Countermeasures