Real Life Application DOS Attacks
Ziv Gadot, Radware
Agenda
• Short Introduction to DOS Attacks
• Real Life DOS Attacks Review
• Q & A
DOS Typology (Cont)
[Chart: attacks placed along an axis from "Few Packets Attacks" to "Numerous Packets Attacks". On the few-packets side, annotated "Application Level Design Weakness" and rates around 20 RPS: Sockstress, Slowloris, ReDoS. On the numerous-packets side, annotated 100-500 K PPS: ICMP Flood, SYN Flood, HTTP Floods.]
Lecture Scope
Multi Packet DOS Attacks / Web Attacks
• Real life attacks (seen by us)
• SYN Flood
• 3-Way-Handshake Flood
• Connection Saturation Attack
• GET Slash Flood
• Image Fetching
• Caching Bypass
• Web Reflection Attack
• Blended Attacks
• Slowloris
• Sockstress
• ReDoS
• SIP Attacks
• SMTP Attacks
• DNS Attacks
Goals
• Knowing the enemy (as it actually is)
• Once an attack is fully identified and characterized, it becomes much easier to mitigate
SYN Attack
[Diagram: SYN sent, SYN+ACK returned.]
• Motivation
  • Simple yet effective
  • SRC IP is spoofed (the attacker's IP is not compromised, so the attack is difficult to block)
  • Botnet power challenges the capacity of existing protections
• Characterization
  • From 1K PPS up to 1M PPS and more
• Identification
  • TCP flag distribution
3-Way-Handshake Flood
[Diagram: SYN, SYN+ACK, ACK, FIN; 27K PPS.]
• Motivation
  • Evade SYN attack protections
  • Attacks a different resource (the application)
• Characterization
  • 27K PPS
• Identification
  • TCP flag distribution
  • SRC IP is not spoofed
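The two slides above both point to TCP flag distribution as the identifier and separate the attacks by whether the source IP is spoofed. The following is an added example, not code from the talk or from Radware: it buckets inbound packets by flag, computes each bucket's share, and measures how many SYN senders never follow up with an ACK-bearing packet (near 1 for a spoofed SYN flood, near 0 for real bots completing and closing handshakes). The packet windows are constructed, and the thresholds are assumptions to be tuned against a real baseline.

```python
"""TCP flag distribution as a SYN-flood / 3-way-handshake-flood indicator.

Added example, not from the Radware talk.  Input is a constructed list of
(source IP, tcpdump-style flag string) pairs for inbound packets seen in one
observation window; thresholds below are assumptions, not slide values.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# tcpdump flag letters: S = SYN, . = ACK, P = PSH, F = FIN, R = RST
Packet = Tuple[str, str]

# Assumed thresholds (not from the slides): tune against your own baseline.
SYN_FLOOD_SYN_SHARE = 0.5       # SYNs dominate the window
SYN_FLOOD_DANGLING = 0.8        # most SYN senders never follow up with an ACK
HANDSHAKE_FLOOD_SHARE = 0.25    # SYN and FIN each a quarter or more of packets
HANDSHAKE_FLOOD_DANGLING = 0.2  # but handshakes do complete (real source IPs)


def flag_bucket(flags: str) -> str:
    """Map a tcpdump flag string to one coarse bucket."""
    if "S" in flags and "." not in flags:
        return "SYN"
    if "S" in flags:
        return "SYN+ACK"
    if "F" in flags:
        return "FIN"
    if "R" in flags:
        return "RST"
    if "P" in flags:
        return "PSH+ACK"
    if "." in flags:
        return "ACK"
    return "OTHER"


def classify(packets: Iterable[Packet]) -> Dict[str, object]:
    """Return the flag shares, the dangling-SYN ratio and a verdict for one window."""
    counts: Counter = Counter()
    syn_sources, ack_sources = set(), set()
    for src, flags in packets:
        bucket = flag_bucket(flags)
        counts[bucket] += 1
        if bucket == "SYN":
            syn_sources.add(src)
        elif bucket in ("ACK", "PSH+ACK", "FIN"):
            ack_sources.add(src)
    total = sum(counts.values())
    if total == 0:
        return {"verdict": "empty window", "shares": {}, "dangling": 0.0}
    shares = {k: v / total for k, v in counts.items()}
    # Share of SYN senders that never sent an ACK-bearing packet: with spoofed
    # sources this approaches 1, with real bots it stays near 0.
    dangling = len(syn_sources - ack_sources) / len(syn_sources) if syn_sources else 0.0
    syn, fin = shares.get("SYN", 0.0), shares.get("FIN", 0.0)
    if syn > SYN_FLOOD_SYN_SHARE and dangling > SYN_FLOOD_DANGLING:
        verdict = "SYN flood (spoofed sources)"
    elif syn > HANDSHAKE_FLOOD_SHARE and fin > HANDSHAKE_FLOOD_SHARE and dangling < HANDSHAKE_FLOOD_DANGLING:
        verdict = "3-way-handshake flood (real sources)"
    else:
        verdict = "normal traffic"
    return {"verdict": verdict, "shares": shares, "dangling": dangling}


def normal_window() -> List[Packet]:
    """Constructed: five browsers each doing one short HTTP exchange."""
    pkts: List[Packet] = []
    for i in range(1, 6):
        ip = f"192.0.2.{i}"
        pkts += [(ip, "S"), (ip, "."), (ip, "P."), (ip, "."), (ip, "P."), (ip, "."), (ip, "F.")]
    return pkts


def syn_flood_window() -> List[Packet]:
    """Constructed: normal traffic plus 60 SYNs from 60 spoofed addresses, no follow-up."""
    return normal_window() + [(f"203.0.113.{i}", "S") for i in range(1, 61)]


def handshake_flood_window() -> List[Packet]:
    """Constructed: normal traffic plus ten bots each completing and closing six connections."""
    pkts = normal_window()
    for i in range(1, 11):
        ip = f"198.51.100.{i}"
        pkts += [(ip, "S"), (ip, "."), (ip, "F.")] * 6
    return pkts


if __name__ == "__main__":
    for name, win in [("normal", normal_window()),
                      ("syn flood", syn_flood_window()),
                      ("handshake flood", handshake_flood_window())]:
        r = classify(win)
        print(f"{name:16} -> {r['verdict']}  SYN share={r['shares'].get('SYN', 0):.2f}  dangling={r['dangling']:.2f}")
```

The dangling-SYN ratio is what separates the two verdicts: the flag shares alone would let a handshake flood with a high SYN share look like a SYN flood. Per-window PPS (the slides' 1K to 1M PPS and 27K PPS figures) is the other axis and needs a timed capture, which this constructed input does not carry.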
Slow Connection Saturation Flood
[Diagram: SYN, SYN+ACK, ACK, then repeated keep-alives.]
• Motivation
  • Exhausting the maximum number of sessions a system can hold
  • Evade classic protections
• Characterization
  • Very slow rate (of opening new connections)
• Identification
  • Numerous ongoing connections from a single IP
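Because this attack opens connections slowly and keeps them alive, rate-based SYN protections see nothing unusual; the slide's indicator is the count of ongoing connections per IP. The following is an added example, not from the talk or from Radware: it parses a socket table laid out like `ss -tn` output (IPv4 only is assumed), counts established connections per peer, and lists peers over a threshold. The socket table and the threshold are constructed.

```python
"""Per-source connection counts as a slow connection-saturation indicator.

Added example, not from the Radware talk.  The input is a constructed socket
table in the column layout of `ss -tn` (IPv4 only is assumed); the threshold
is an assumption.
"""
from collections import Counter
from typing import Iterator, List, Tuple

SATURATION_THRESHOLD = 50  # assumed: connections from one peer that warrant a look


def parse_socket_table(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (state, peer_ip) from ss-style lines; skips the header and blanks."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] == "State":
            continue
        state, peer = cols[0], cols[4]
        peer_ip, _port = peer.rsplit(":", 1)  # IPv4 'a.b.c.d:port' assumed
        yield state, peer_ip


def connections_per_peer(text: str, states=("ESTAB",)) -> Counter:
    """Count live connections per peer IP, restricted to the given socket states."""
    return Counter(ip for state, ip in parse_socket_table(text) if state in states)


def saturating_peers(text: str, threshold: int = SATURATION_THRESHOLD) -> List[Tuple[str, int]]:
    """Peers holding at least `threshold` established connections, busiest first."""
    counts = connections_per_peer(text)
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold), key=lambda t: -t[1])


def constructed_table() -> str:
    """Constructed ss -tn output: normal clients with 1-3 sockets each, one peer parked on 120."""
    rows = ["State  Recv-Q Send-Q Local Address:Port  Peer Address:Port"]
    for i, n in enumerate((1, 3, 2, 1), start=1):
        rows += [f"ESTAB 0 0 192.0.2.10:443 203.0.113.{i}:{50000 + k}" for k in range(n)]
    rows += [f"ESTAB 0 0 192.0.2.10:443 198.51.100.7:{40000 + k}" for k in range(120)]
    rows.append("TIME-WAIT 0 0 192.0.2.10:443 198.51.100.7:39999")  # closed, not counted
    return "\n".join(rows)


if __name__ == "__main__":
    for ip, n in saturating_peers(constructed_table()):
        print(f"{ip} holds {n} established connections")
```

Sampling the socket table on a schedule and tracking each peer's count over time catches the slow build-up that a per-second packet counter misses; the keep-alives in the slide's diagram are exactly what keeps those sockets in ESTAB.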
GET Slash Flood
• Motivation
  • Application level attack
  • Very simple
• Characterization
  • Lower rate than L3-L4 attacks
  • 2K RPS
• Identification
  • Increase in HTTP RPS
  • Increase in users or RPS-per-user
  • The "GET /" is very noticeable
Large Image/Data Fetching
[Diagram: request for /images/large-image.jpg, large reply.]
• Motivation
  • A small request generates a large reply (and a lot of server work)
• Characterization
  • Fetching a rich page that triggers the pulling of large data
• Identification
  • Change in inbound/outbound traffic rate (L2 bps): Normal 1:5, Attack 1:30
Caching Bypass
[Diagram: GET …. HTTP/1.1 …. Cache-Control: no-store, must-revalidate …. passes through the Cache to the Website.]
• Motivation
  • Force all impact onto the web server
• Characterization
  • Cache-Control directive used to override the cache
• Identification
  • Appropriate 'Cache-Control' values
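The three web slides above (GET Slash Flood, Large Image/Data Fetching, Caching Bypass) each name log-level indicators: HTTP RPS, user count and RPS-per-user with a conspicuous share of "GET /"; the outbound:inbound byte ratio moving from about 1:5 to about 1:30; and cache-bypassing Cache-Control values on requests. The following is an added example, not from the talk or from Radware, that computes those indicators over a request window and names the ones that moved against a baseline. The log format is a constructed pipe-delimited export (not a standard server log) assumed to carry request size, response size and the request's Cache-Control header; the 3x factor and the 50% shares are assumptions.

```python
"""Web-log indicators for the GET / flood, large-data fetching and caching bypass.

Added example, not from the Radware talk.  Log lines are a constructed
'ts|src|method|path|req_bytes|resp_bytes|cache_control' export; the 3x
factor and 50% share thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

WINDOW = 10.0  # seconds covered by each constructed window
BYPASS_DIRECTIVES = ("no-store", "must-revalidate", "no-cache")


@dataclass
class Request:
    ts: float
    src: str
    method: str
    path: str
    req_bytes: int
    resp_bytes: int
    cache_control: str


def parse_log(text: str) -> List[Request]:
    """Parse the constructed pipe-delimited export; blank and '#' lines are skipped."""
    recs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, method, path, rq, rs, cc = line.split("|")
        recs.append(Request(float(ts), src, method, path, int(rq), int(rs), cc))
    return recs


def window_report(recs: List[Request], window_seconds: float) -> Dict[str, float]:
    """Per-window metrics matching the identification bullets on the slides."""
    n = len(recs)
    users = len({r.src for r in recs})
    bytes_in = sum(r.req_bytes for r in recs)
    bytes_out = sum(r.resp_bytes for r in recs)
    bypass = sum(1 for r in recs if any(d in r.cache_control.lower() for d in BYPASS_DIRECTIVES))
    return {
        "rps": n / window_seconds,
        "users": users,
        "rps_per_user": n / window_seconds / users if users else 0.0,
        "get_slash_share": sum(1 for r in recs if r.method == "GET" and r.path == "/") / n if n else 0.0,
        "out_in_ratio": bytes_out / bytes_in if bytes_in else 0.0,
        "cache_bypass_share": bypass / n if n else 0.0,
    }


def indicators(report: Dict[str, float], baseline: Dict[str, float], factor: float = 3.0) -> List[str]:
    """Name the slide indicators that moved by more than `factor` against the baseline."""
    hits = []
    if report["rps"] > factor * baseline["rps"]:
        hits.append("HTTP RPS surge")
    if report["users"] > factor * baseline["users"]:
        hits.append("user count surge")
    if report["rps_per_user"] > factor * baseline["rps_per_user"]:
        hits.append("RPS-per-user surge")
    if report["get_slash_share"] > 0.5 and report["get_slash_share"] > factor * baseline["get_slash_share"]:
        hits.append("GET / dominates")
    if report["out_in_ratio"] > factor * baseline["out_in_ratio"]:
        hits.append("outbound:inbound byte ratio jump")
    if report["cache_bypass_share"] > 0.5 and report["cache_bypass_share"] > factor * baseline["cache_bypass_share"]:
        hits.append("cache-bypassing Cache-Control")
    return hits


def baseline_log() -> str:
    """Constructed: ten visitors, a page and its logo each; 400-byte requests, 2000-byte replies (1:5)."""
    lines = []
    for i in range(10):
        ip = f"192.0.2.{i + 1}"
        lines.append(f"{i}|{ip}|GET|/index.html|400|2000|")
        lines.append(f"{i}.5|{ip}|GET|/images/logo.png|400|2000|")
    return "\n".join(lines)


def get_slash_flood_log() -> str:
    """Constructed: baseline plus five bots each sending 40 'GET /' in the window."""
    lines = [baseline_log()]
    for b in range(5):
        lines += [f"{k / 4:.2f}|198.51.100.{b + 1}|GET|/|120|2000|" for k in range(40)]
    return "\n".join(lines)


def image_fetch_log() -> str:
    """Constructed: baseline plus three bots each pulling a 20 KB image ten times (ratio ~1:32)."""
    lines = [baseline_log()]
    for b in range(3):
        lines += [f"{k}|203.0.113.{b + 1}|GET|/images/large-image.jpg|400|20000|" for k in range(10)]
    return "\n".join(lines)


def cache_bypass_log() -> str:
    """Constructed: baseline plus four bots forcing the page past the cache ten times each."""
    lines = [baseline_log()]
    for b in range(4):
        lines += [f"{k}|198.51.100.{b + 11}|GET|/index.html|450|2000|no-store, must-revalidate" for k in range(10)]
    return "\n".join(lines)


if __name__ == "__main__":
    base = window_report(parse_log(baseline_log()), WINDOW)
    for name, log in [("GET / flood", get_slash_flood_log()),
                      ("large image fetch", image_fetch_log()),
                      ("caching bypass", cache_bypass_log())]:
        print(f"{name:18} -> {indicators(window_report(parse_log(log), WINDOW), base)}")
```

Each constructed attack window trips only its own indicator set: the GET / flood raises RPS and RPS-per-user and makes "GET /" dominate, the image fetch moves only the byte ratio (its request rate stays low, as the slide notes), and the cache bypass shows up only in the Cache-Control field. In production the baseline would come from a quiet period of the same site rather than a constructed window.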
Reflection Attack
[Diagram: the attacker plants a 1×1 iframe (width=1, height=1) loading search.php on Website A; browsers visiting Website A then issue HTTP GET requests to Website B, the victim.]
Blended Attacks
[Diagram: UDP Flood (18.4 Mbps), PSH+ACK Flood (14.6K PPS) and SYN Flood (16K PPS) running at once.]
• Motivation
  • "SHITAT MATSLIACH" (Hebrew idiom, roughly: try everything and keep whatever gets through)
  • Mitigation systems don't handle several simultaneous attacks well
• Characterization
  • Several attack vectors blended together
• Identification
  • Hard to identify; requires careful analysis
Summary
• DOS attacks are becoming more application oriented
• Attackers constantly raise the bar
• When handling a DOS attack, careful identification and characterization is the key to successful mitigation