DDoS Mitigation collection - TL;DR: DDOS STRATEGISTS DO DRUGS - PowerPoint PPT Presentation



SLIDE 1

DDoS Mitigation collection

TL;DR: DDOS STRATEGISTS DO DRUGS

SLIDE 2

Agenda

• Intro
• Methodology of work
• DDoS tactics in-the-wild and how to improve
• Ready, set, FACEPALM!
• Q&A

SLIDE 3

~$ whoami

• Moshe Zioni, Head of Research, Comsec
• 3 years (and counting) of designing & providing a full-blown on-demand DDoS attack service.
• 2nd time at hack-in-paris, 1st time as speaker (thanks!)

.///. END OF SHAMELESS PROMOTION SLIDE .///.

SLIDE 4

Method

SLIDE 5

DDoS for Everyone!

SLIDE 6

Run-of-the-Mill DDoS attacks nowadays

• Rely heavily on bandwidth consumption
• 53% of attacks are < 2Gbps (SANS)
• Most attacks do not require brains
• Amplification and Reflection rely on 3rd party domains (DNS, NTP etc.)

SLIDE 7

Strike harder! (!= bigger)

• There is more to a web site than a front-end (!!)
• Overload the backend by making the system work for you
• Keep it stealthy, they are looking for you
• Generalized term for Amplification

SLIDE 8

Generalized Amplification - “4 Pillars”

Amplification factors:

• Network – The usual suspect
• CPU – Very limited on some mediators and web application servers
• Memory – Volatile, everything uses it
• Storage – Can be filled up, or exhausted through the I/O buffer

SLIDE 9

Just before we start

• NO SHAMING POLICY - Client identity will remain anonymous
• Meet - “SuperBank”
• 10 common practices and the appropriate bypass/attack

SLIDE 10

Ready? Set. FACEPALM!

SLIDE 11

SLIDE 12

“Limit the rate of incoming packets”

SLIDE 13

The bank has been hit by a DDoS attack that consumed ALL BANDWIDTH.

To rectify the situation the ISP suggested limiting the incoming packet rate to ensure availability.

SLIDE 14

Reflection to the rescue!

Consumption by reflection: send in 1Kb, consume according to file-length.

SLIDE 15

SLIDE 16

“It’s OK now, monitoring shows everything is back to normal”

SLIDE 17

MegaCommonPractice now went on to buy an Anti-DDoS solution.

A known cloud-based Anti-DDoS protection vendor approached the client and offered a very solid looking solution, including 24/7 third-party monitoring.

SLIDE 18

ACTUALLY TRY TO ACCESS THE WEB SITE!!!!

SLIDE 19

SLIDE 20

“Backend servers are not important to protect against DDoS”

SLIDE 21

Mapping the backend for DDoS

• Databases are very susceptible to DDoS attacks and provide good grounds for intra-amplification
• How can we find DBs? You can always guess, pentesters do that all the time…
• Takes more time == talk more with BE !!!
• PROFIT!!!

SLIDE 22

SLIDE 23

SLIDE 24

Really??!?! ALL OF THE DOMAINS?!?

What is the strategy of mitigation? Do you understand it?

SLIDE 25

SLIDE 26

“We don’t trust the vendor, we don’t give them certificates”

SLIDE 27

Talk to me in layer 7…

Defense has chosen not to monitor layer 7 – HTTPS attacks..

• SSL re/negotiation
• Full blown HTTPS GET/POST/…
• no one can see you now

SLIDE 28

SLIDE 29

“We need Big Data, collect all the logs”

SLIDE 30

Logs need to be handled

• Storage boom resulted in a complete lock-down, including not being able to manage the overflowed device
• It was the IPS, so no traffic was allowed to anything
• SILO NEEDED!

SLIDE 31

SLIDE 32

“We are under attack – enforce the on-demand Scrubbing Service”

SLIDE 33

Learning mode – did you do it?

• All is learned
• Attack considered legitimate traffic
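Added example (not from the talk) of what slide 33 warns about: a baseline learned while the attack is already running treats the attack rate as normal, whereas the same learner run on pre-attack traffic, or a median/MAD estimator, still flags it. The requests-per-minute series is constructed.

```python
import statistics

# Constructed requests-per-minute series for one web tier: ~100 rpm of normal
# traffic, then ~5,000 rpm once the attack starts.
NORMAL = [95, 102, 98, 110, 105, 99, 101, 97, 103, 100]
ATTACK = [4800, 5100, 4950, 5200, 5050]
# "Learning mode" switched on during the incident: the window holds both.
LEARNED_DURING_ATTACK = NORMAL + ATTACK


def naive_threshold(samples, k=3.0):
    """Mean + k standard deviations over everything seen in the learning
    window. Whatever sits in the window becomes 'legitimate', attack included."""
    return statistics.mean(samples) + k * statistics.pstdev(samples)


def robust_threshold(samples, k=3.0):
    """Median + k * MAD (scaled so it matches sigma on normal data): a burst
    that occupies a minority of the window cannot drag the baseline up."""
    med = statistics.median(samples)
    mad = statistics.median([abs(x - med) for x in samples])
    return med + k * 1.4826 * mad


def flagged(samples, threshold):
    """Minutes whose request rate exceeds the learned threshold."""
    return [x for x in samples if x > threshold]


if __name__ == "__main__":
    cases = (
        ("learned during attack", naive_threshold(LEARNED_DURING_ATTACK)),
        ("learned before attack", naive_threshold(NORMAL)),
        ("robust, learned during attack", robust_threshold(LEARNED_DURING_ATTACK)),
    )
    for name, thr in cases:
        hits = len(flagged(ATTACK, thr))
        print(f"{name}: threshold {thr:,.0f} rpm, attack minutes flagged {hits}/{len(ATTACK)}")
```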

SLIDE 34

SLIDE 35

“So what CDN is not dynamic? Let’s enable it”

SLIDE 36

NOT IN CACHE? ASK THE ORIGIN!

SLIDE 37

SLIDE 38

SLIDE 39

How to find an ‘invisible’ origin?

Find other known subdomain -> translate to IP -> scan the /24 or /16 -> good chance it’s there.

AND….. WHOIS never forgets. http://viewdns.info FTW!

SLIDE 40

SLIDE 41

“Block ‘em!, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them.“

SLIDE 42

Total IPs in FR: ~82 M

SLIDE 43

About 1,200 class B ranges

SLIDE 44

Now think of a monkey blocking every incoming alert. 10 MINUTES TO SELF-INFLICTED DDOS
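Added example (not from the deck) that turns the figures on slides 42 to 44 into a small model: an alert feed in which every source sits in a different French /16, the reflex that blocks the whole class B of each alert, and a guarded variant that caps how much of the country's address space a blocklist may ever cover. The address numbering of the ranges and the 120 alerts/min rate are constructed.

```python
import ipaddress
import math
import random

# Figures from the slides: ~82 M addresses in France over ~1,200 class B (/16) ranges.
FR_TOTAL_IPS = 82_000_000
FR_CLASS_B_RANGES = 1_200
IPS_PER_CLASS_B = 2 ** 16


def class_b(ip):
    """The /16 that a 'block them, now them, now them' rule blacklists for one host."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)


def constructed_alerts(n, seed=1):
    """Constructed alert feed: n source addresses, each in a different (hypothetical)
    French /16. Reflected or spoofed traffic looks like this: every alert names a new network."""
    rng = random.Random(seed)
    slots = rng.sample(range(FR_CLASS_B_RANGES), n)  # n <= 1,200 distinct /16 slots
    return [f"{100 + s // 256}.{s % 256}.{rng.randrange(256)}.{rng.randrange(1, 255)}"
            for s in slots]


def naive_block(alerts):
    """The monkey: block the whole /16 of every alert. Returns the share of FR ranges blocked."""
    return len({class_b(ip) for ip in alerts}) / FR_CLASS_B_RANGES


def guarded_block(alerts, max_range_share=0.02):
    """Same reflex with a guard rail: /16 blocks stop once max_range_share of the country's
    ranges is covered; after that only the single offending host is blocked.
    Returns (share of /16 ranges blocked, share of all FR addresses blocked)."""
    ranges, hosts = set(), set()
    for ip in alerts:
        if len(ranges) < max_range_share * FR_CLASS_B_RANGES:
            ranges.add(class_b(ip))
        else:
            hosts.add(ip)
    blocked_ips = len(ranges) * IPS_PER_CLASS_B + len(hosts)
    return len(ranges) / FR_CLASS_B_RANGES, blocked_ips / FR_TOTAL_IPS


def minutes_to_full_lockout(alerts_per_minute):
    """How long the naive rule needs before every French /16 is on the blocklist."""
    return math.ceil(FR_CLASS_B_RANGES / alerts_per_minute)


if __name__ == "__main__":
    feed = constructed_alerts(FR_CLASS_B_RANGES)
    print(f"naive: {naive_block(feed):.0%} of FR ranges blocked")
    print(f"guarded: {guarded_block(feed)[1]:.2%} of FR addresses blocked")
    print(f"at 120 alerts/min the naive rule locks out France in {minutes_to_full_lockout(120)} min")
```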

SLIDE 45

Collected misconceptions

• There is no magic pill or best cocktail mix of technologies/appliances/services, never was
• DDoS is a subset of DoS, not the other way around
• You can have all the toys and money in the world – you still have to be prepared and have trained people in mitigation, because of those reasons
• If you won’t do that – you may be evaluated for this presentation in the future

SLIDE 46

Questions?

SLIDE 47

Thank you!

Moshe Zioni

zimoshe@gmail.com, @dalmoz_

corp: moshez@comsecglobal.com