Security & Risk Conference October 26th - 29th 2011 Lucerne, Switzerland Sniping Slowloris and Friends Taking out DDoS attackers with minimal harm to your users Dr. Christian Folini - netnea AG - [email protected]

hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal harm to your users


DESCRIPTION

Request delaying attacks like Slowloris or RUDY made it clear that killing a webserver via HTTP is trivial. No, it is not trivial. It's even easier than that. One netbook, probably a smartphone, is enough to consume all the threads a big iron server has to offer. In this age of super-smart AJAX services with fat backend application servers exposed on the internet, this is bad news. When the Anonymous network attacked, VISA, Mastercard and Swiss Post got a bloody nose out of it. This talk will teach you some basics and then fairly advanced defense methods. It is a hands-on guide to configuring the standard defense techniques on Apache, including ModSecurity recipes. Furthermore, a custom script will be presented that helps you monitor your server's incoming connections and throw out the attackers. Some of the information is useful for other server types as well. Along the line you will also pick up useful information on the defense of medieval castles, but that is not the main focus of the talk. Really.

Bio: Christian Folini studied History and Computer Science at the Universities of Fribourg, Switzerland, and Bern. His postgraduate studies took him to Bielefeld and Berlin. Christian Folini holds a PhD in Medieval History and has ten years of experience with Unix and with webservers in particular.

Christian Folini works as a security consultant and webserver engineer for netnea.com, a contracting company based in Berne, Switzerland. His customers include Swiss Post, the Federal Office of Information Technology (BIT), IBM, Novartis, Cornerbank and Swiss TV. He has several years of experience with ModSecurity installations and developed REMO, a graphical rule editor for ModSecurity. He gave ModSecurity classes at OWASP conferences and contributed to the latest editions of the Center for Internet Security (CIS) Apache Benchmark. Recently, he started to write a series of tutorials on secure enterprise-level Apache deployments with a purely Open Source approach. These tutorials are all in German. See http://www.netnea.com.

Christian Folini started to do research on request delaying or Slowloris-type DoS/DDoS in 2006, but never published his findings beyond the Apache/ModSecurity mailing lists until Slowloris was released by RSnake in June 2009. Christian Folini's analysis of Slowloris appeared in Linux Weekly News the day his first son was born (and I tell you, finishing the article in time was a tough race). http://lwn.net/Articles/338407/


Page 1: hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal harm to your users


Page 2

#days Security Conference – October 26th – 29th 2011 / Dr. Christian Folini: Sniping Slowloris and Friends 2

Christian Folini CV

● IT Consultant at netnea, Berne. Working for Swiss Post, one or two banks etc.

● Started to work on defense against Slowloris-type DDoS in 2006

● Specialised in webserver security and web application security on Unix servers, and in system administration in general

● Speaker at security conferences (OWASP, Swiss Cyberstorm etc.)

● Developer of a ModSecurity rule editor named “REMO“

● Studies in History and Computer Science in Fribourg, Berne, Bielefeld and Berlin

● PhD in Medieval History at Fribourg University, Switzerland

Page 3

ModSecurity Mailinglist 2006

Page 4

RSnake Announcing Slowloris

Page 5

Swiss Post Press Release Dec 06, 2010

Page 6

Being Attacked By Anonymous

„We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us.“

Page 7

Quotes from the Attacker's Chat-Room

< machiavelli> again I think holding postfinance.ch down for several weeks would lead to cash in wikileaks' hands. Postfinance would be forced to actually release the wikileaks funds they've stolen or go out of business.

< biertrinker> paypal is wasting time. lets do postfinance.ch [...] to let them see that war is still not over

< RemmiDemmi> postfinance.ch would be good

< pride2> it would make a good statement

Page 8

Incoming Internet IP Traffic During Attack

Two weeks of Internet traffic on one of the links of Swiss Post (above the line: outgoing, below the line: incoming; PPS = IP packets per second)

● The attacks started within minutes after the press release.

● The attacks were very chaotic and heterogeneous: literally dozens of attacks in parallel.

● The attackers were able to fill the complete network bandwidth for a certain time (even though 90% of the attack traffic was filtered by the ISP).

Page 9

Request Delaying / Slowloris DDoS Explained

Imagine somebody paying a big bill with small coins ... producing them ... slowly ... one ... by ... one ...

Page 10

Blindness / Apache mod_status screenshot

A standard webserver does not have a clue what is happening. The attack hits home before it has finished initializing the request, hence the “..reading..“ status shown for every worker.

Page 11

Defense: What Everybody Tells You

● Ivan Ristić: „With some exceptions, DoS are very difficult to defend against.“

● Official Response to bug report regarding Slowloris: „DoS attacks by tying up TCP connections are expected.“

● Apache documentation: „All network servers can be subject to denial of service attacks that attempt to prevent responses to clients by tying up the resources of the server. It is not possible to prevent such attacks entirely.“

Page 12

Defense Strategy

It boils down to a problem of strict differentiation:

The defense is about telling good traffic from bad traffic when the bad traffic mimics good traffic and you are blind to start with.

Page 13

What You Can Do : Build Up Knowledge

● Know your architecture, so you know your weak spots

● Know your protocols, so you know the options of the attackers

● Know your application, so you know its behaviour under normal load and under attack

● Know your customers, so you are aware of their habits and tolerance levels

● Know your allies and their phone number, so you are not alone when the attackers hit you

● Know your tools, because a combination of tools is your best defense

● Know your defense plan, so you are sure to react in a well-prepared manner

● Know your enemies, so you know their motivation, resources, location and knowledge level

Page 14

What You Can Do: The Basics

Think about using an "event based" webserver (but they have other limits...)

Think about routing the traffic through an external specialist

Understand HTTP Keepalive and decide if you really need it

Lower your timeouts (3s sounds like a decent value in my eyes)

Use mod_reqtimeout

Look into mod_qos (by Pascal Buchbinder, Winterthur)

Use GeoIP

Use netstat

Use tcpdump

Use IP Blacklisting

Look into ModSecurity – there are a few useful directives

Look into mod_backdoor

Think about separating Uploads / big POSTs from the rest of the application

Forget mod_evasive

Page 15

ModSecurity / mod_reqtimeout

You work with the following directives:

ModSecurity: limit the number of connections per client in the read and write state:

● SecReadStateLimit 5

● SecWriteStateLimit 5

mod_reqtimeout: limit the total timeout per request phase (the header and body stages are separated by a space, not a comma):

● RequestReadTimeout header=1 body=30

Ryan Barnett put all the details on the ModSecurity Blog:

http://blog.spiderlabs.com/2011/07/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html

Page 16

What You Can Do: Combining the Tools

Slowloris-type DDoS tools never finish a request

-> comparing the netstat output with the access log should tell you more

Other DDoS tools do full requests, but they do not fetch the follow-up CSS, JavaScript and image files

-> the access log has the details

There is a typical median lifetime of a connection to your application

-> observing the netstat output over time should give you an idea

And now the really advanced stuff:

Run an agent that supervises the connections and observes the access log and the login log (if that exists in your application):

Look for clients accessing the wrong URLs

Look for clients using the wrong method on the wrong URLs (e.g. doing a POST on a page where POST is not expected)

Look for clients having an atypical order of requests

Look for clients with atypical request structure
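As an added illustration of the netstat/access-log comparison above (example code written for this page, not the talk's flying-frog.rb), the following Ruby script reads a constructed netstat snapshot and a constructed access log and flags the two profiles: clients with several open connections but not one finished request, and clients that fetch pages but never the follow-up CSS, JavaScript or image files. The thresholds (3 connections, 3 requests) are assumptions.

```ruby
# Added example (not the talk's flying-frog.rb): correlate a netstat snapshot
# with the access log to spot the two attacker profiles described above.
# Both inputs are constructed; the IPs are documentation addresses.
NETSTAT = <<EOS
tcp 0 0 192.0.2.10:80 198.51.100.7:51001 ESTABLISHED
tcp 0 0 192.0.2.10:80 198.51.100.7:51002 ESTABLISHED
tcp 0 0 192.0.2.10:80 198.51.100.7:51003 ESTABLISHED
tcp 0 0 192.0.2.10:80 203.0.113.5:40001 ESTABLISHED
tcp 0 0 192.0.2.10:80 203.0.113.9:40002 ESTABLISHED
EOS
ACCESS_LOG = <<EOS
203.0.113.5 - - [26/Oct/2011:10:00:01 +0200] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [26/Oct/2011:10:00:01 +0200] "GET /style.css HTTP/1.1" 200 812
203.0.113.5 - - [26/Oct/2011:10:00:01 +0200] "GET /logo.png HTTP/1.1" 200 4096
203.0.113.9 - - [26/Oct/2011:10:00:02 +0200] "GET /index.html HTTP/1.1" 200 5120
203.0.113.9 - - [26/Oct/2011:10:00:02 +0200] "GET /index.html HTTP/1.1" 200 5120
203.0.113.9 - - [26/Oct/2011:10:00:03 +0200] "GET /index.html HTTP/1.1" 200 5120
EOS
ASSET_RE = /\.(css|js|png|gif|jpe?g|ico)(\?|\z)/i

# Count ESTABLISHED connections per client IP from `netstat -tn` style lines.
def connections_by_ip(netstat)
  counts = Hash.new(0)
  netstat.each_line do |line|
    f = line.split
    counts[f[4].sub(/:\d+\z/, "")] += 1 if f[5] == "ESTABLISHED"
  end
  counts
end

# Per client IP: finished requests, and how many of them were CSS/JS/image files.
def requests_by_ip(log)
  stats = Hash.new { |h, k| h[k] = { requests: 0, assets: 0 } }
  log.each_line do |line|
    m = line.match(/\A(\S+) .*"(?:GET|POST) (\S+) /) or next
    stats[m[1]][:requests] += 1
    stats[m[1]][:assets] += 1 if m[2] =~ ASSET_RE
  end
  stats
end

# Slowloris profile: open connections, no finished request; flooder: pages but no assets.
def classify(netstat, log, min_conns: 3, min_reqs: 3)
  conns = connections_by_ip(netstat)
  reqs = requests_by_ip(log)
  verdict = {}
  conns.each { |ip, n| verdict[ip] = :slowloris if n >= min_conns && reqs[ip][:requests].zero? }
  reqs.each { |ip, s| verdict[ip] = :flooder if s[:requests] >= min_reqs && s[:assets].zero? }
  verdict
end
```

On a live server the two inputs would come from `netstat -tn` and the Apache access log; the client that never finishes a request only ever shows up in the first of them.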

Page 17

Introducing: flying-frog.rb

Flying frog is a monitoring agent that hovers over the incoming traffic and the application log. It picks off individual attackers, the way a frog picks off a mosquito.

Features:

● Monitor SYN requests as they come in (and add the connections to its own connection table).

● Check the connections in the connection table and calculate their age.

● Monitor the authentication log and register the auth state of client IPs (their ability to authenticate their session with the server).

● Report the median connection lifetime of all connections (this is the key variable that tells you if you are under attack).

● Report client IPs with more connections than the limit allows.

● Report client IPs with a connection that is older than the limit allows.

● Limits can be configured based on the GeoIP country field, port and authentication state: e.g. the maximum lifetime of a connection should be 10s, but authenticated customers from Switzerland on port 443 are allowed 60 seconds (so they can upload their files to the server).

Page 18

Configuring flying-frog.rb

Limit the individual number of connections:

$params["basemaxconnection"] = 10
$params["maxconnectionconditions"] = <<EOF
country:CH 20
auth:auth 100
EOF

Limit the individual timeouts:

$params["basetimeout"] = 5
$params["timeoutconditions"] = <<EOF
port:443 10
country:CH 20
auth:auth 50
country:CH auth:auth 100
EOF
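To show how limits of this kind resolve for a given connection, here is an added Ruby sketch (not the real flying-frog.rb, whose source is not on these slides) that parses the condition tables above, picks the effective limit per connection and produces the median-lifetime, stale-connection and too-many-connections reports described on the previous slide. It assumes that a condition matches when all of its key:value tokens match and that the highest matching limit wins; the connection table is constructed.

```ruby
# Added example, not the talk's flying-frog.rb: a toy connection table that
# applies the conditional limits shown above. Assumption (the slides do not
# say): a condition applies when all its key:value tokens match the
# connection, and the highest matching limit wins over the base value.
BASE_TIMEOUT = 5
TIMEOUT_CONDITIONS = <<EOF
port:443 10
country:CH 20
auth:auth 50
country:CH auth:auth 100
EOF
BASE_MAXCONN = 10
MAXCONN_CONDITIONS = <<EOF
country:CH 20
auth:auth 100
EOF

# "key:value [key:value ...] limit" lines -> [[{key => value, ...}, limit], ...]
def parse_conditions(text)
  text.each_line.map do |line|
    *pairs, limit = line.split
    [pairs.map { |p| p.split(":", 2) }.to_h, limit.to_i]
  end
end

# conn is a hash such as {"ip"=>..., "port"=>"443", "country"=>"CH", "auth"=>"auth", "start"=>t}
def effective_limit(base, conditions, conn)
  hits = parse_conditions(conditions).select { |cond, _| cond.all? { |k, v| conn[k] == v } }
  ([base] + hits.map(&:last)).max
end

# One pass over the table: median lifetime (the attack indicator), clients
# holding a connection longer than allowed, clients with too many connections.
def report(conns, now)
  ages = conns.map { |c| now - c["start"] }.sort
  median = ages.empty? ? 0 : (ages[(ages.size - 1) / 2] + ages[ages.size / 2]) / 2.0
  too_old = conns.select { |c| now - c["start"] > effective_limit(BASE_TIMEOUT, TIMEOUT_CONDITIONS, c) }
  too_many = conns.group_by { |c| c["ip"] }.select do |_, cs|
    cs.size > effective_limit(BASE_MAXCONN, MAXCONN_CONDITIONS, cs.first)
  end
  { median: median, too_old: too_old.map { |c| c["ip"] }.uniq, too_many: too_many.keys }
end

# Constructed sample (now = 100): an anonymous client abroad holding 12 connections
# for 8 s each, and an authenticated Swiss customer uploading on port 443 for 40 s.
def sample_table
  abroad = Array.new(12) { { "ip" => "198.51.100.7", "port" => "80", "country" => "US", "auth" => "anon", "start" => 92 } }
  abroad << { "ip" => "203.0.113.5", "port" => "443", "country" => "CH", "auth" => "auth", "start" => 60 }
end
```

With the sample table the Swiss upload on port 443 is allowed 100 seconds and passes, while the anonymous client abroad is reported both for exceeding the 5 second base timeout and for holding more than the 10 base connections.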

Page 19

Downloading flying-frog.rb

CAVEAT: flying-frog.rb is provided as is with no warranty attached. It has been tested, but please consider it alpha code quality.

Download from https://www.netnea.com

Page 20

Defense of Medieval Castles

Just a thought which might be new to you:

Footpaths around castles and staircases within the towers are almost always in clockwise direction. Who knows why?