Open Source DoS Testing and Defense
Christian Ternus
@ternus
OSCON
July 23rd, 2014
Who's This Guy?
▶ Christian Ternus
▶ @ternus
▶ https://cternus.net
▶ Sr. Security Researcher at Akamai
▶ I write and test DoS attacks
▶ among other things...

Who's This Talk For?
▶ Self-hosted sites
▶ Startups
▶ Stuff on VPSes
▶ Community pages
▶ Public APIs
▶ App APIs
▶ etc.

DoS Attacks are Making the News
Just Ask Akamai's CSO
- New York Times BITS
What is a DoS Attack?
A DoS (Denial of Service) attack is an action taken by an adversary against an availability goal.
▶ "My website stays accessible"
▶ "Admins can SSH to the prod server"
▶ "People can call customer support"
▶ "I have WiFi/cellphone access"
▶ "Employees can enter the building"
▶ etc.

Think Like an Attacker
ACME.ly
▶ Small web startup, two devs, two admin people, one sysadmin
▶ They sell widgets online through a fulfillment service
▶ They use a PHP-based ordering system with SSL on a VPS
▶ They have a Google Voice customer service hotline and a feedback form
▶ They work in a small office on the top floor of a warehouse
How would you DoS the average web startup?

Lots of DoS Vectors
Target               Attack
Website              GET flood attack
SSH on prod server   SSH connection flood
Customer hotline     Malicious robocalls
WiFi                 Disassociate spam
Cellphone signal     Radio jammer
Building entrances   Fill the locks with glue

Not All DoS Attacks are Created Equal
Internet Attacks are Easy and Effective
When You're Out of Luck
Sometimes Math is Not On Your Side
300 Gbps > 40 Gbps
▶ Block at the ISP/AS level (if you can…)
▶ Send the traffic somewhere else (CDN/scrubber/blackhole)
▶ Give up and go home
- New York Times BITS

So What Can You Do?
Most attacks don't make the news. You can make yourself safer against smaller attacks (far more common!)

Three Types of DoS
Type           Attacker:victim cost   Example
Symmetric      1:1                    GET flood
Asymmetric     1:N                    SSL Negotiation
Instant Death  1:∞                    SMB Bug

DoS Attack Playbook
▶ Adversarial Testing
▶ Filtering
▶ Rate-Limiting
▶ Upgrading
▶ Making Tradeoffs

Hold On a Second
Attack myself? Are you nuts?

Bite the (DoS) Bullet
The only way to know if you can take a punch… is to take it.
Unfortunately, adversaries don't make appointments.
If You Don't Do It Now, You'll Regret It Later
Prime Directive of Test Planning:
If you fear testing, your system needs it.
Where's the (Open Source) Beef?
Let's Talk Tools
Everything mentioned and more can be found at:
cternus.net/dos
Disclaimer
OBLIGATORY BUT REAL WARNING
These tools can take down sites. (That's the point.) Never use them against a
site you do not control -- you may be legally and financially liable.
I am not responsible for anything you do with these tools!
Tool Rundown
Boom!
URL: github.com/tarekziade/boom
License: Apache 2.0
Language: Python
TL;DR: ab (apache-bench) replacement for simple HTTP load generation
Use case: load-testing basic HTTP sites

Tool Rundown
FunkLoad
URL: funkload.nuxeo.org
License: GPL
Language: Python
TL;DR: a load tester that can emulate a real web browser
Use case: when DoSing your webapp takes complex actions

Tool Rundown
Siege
URL: joedog.org/siege-home/
License: GPL
Language: C
TL;DR: HTTP/S regression testing and benchmarker
Use case: good balance of features, performance, and ease-of-use

Tool Rundown
Bees with Machine Guns!
URL: github.com/newsapps/beeswithmachineguns
License: MIT
Language: Python
TL;DR: BEEES! Automatically spin up Amazon EC2 micro instances to attack your site
Use case: when one attack machine isn't enough but you don't have your own botnet handy

Tool Rundown
LOIC: Low Orbit Ion Cannon
URL: github.com/NewEraCracker/LOIC
License: Public Domain
Language: C#
TL;DR: One of Anonymous' favorites, a basic traffic flooder controllable over IRC, i.e. a voluntary-participation botnet
Use case: if you need to know if your site holds up against LOIC specifically

Tool Rundown
sockstress
URL: github.com/defuse/sockstress
License: Public Domain
Language: C
TL;DR: Using raw sockets, open up TCP connections and leave them open, exhausting server-side sockets (0-window attack)
Use case: a non-flood asymmetric tool, still may be effective

Tool Rundown
GoLoris
URL: github.com/valyala/goloris
License: MIT
Language: Go
TL;DR: Implements the slowloris (slow GET/POST) attack; makes partial HTTP requests and reads responses s l o w l y
Use case: like sockstress for HTTP, can consume lots of resources with little bandwidth/CPU

Tool Rundown
zarp
URL: github.com/hatRiot/zarp
License: GPL
Language: Python
TL;DR: Multi-purpose attack tool; includes modules for SYN flooding, fragmentation attacks, and DHCP starvation
Use case: in 2014 you should be safe against fragmentation; make sure you are

Tool Rundown
sslsqueeze
URL: github.com/mmgaggle/sslsqueeze
License: GPL
Language: C
TL;DR: Record SSL handshake packets, then spam them.
Use case: can take down badly-configured SSL servers easily

Mitigation Measures
So what can we do?
▶ Filter
▶ Rate-Limit
▶ Tarpit
▶ Upgrade

ufw
ufw enable
ufw limit https
ufw limit ssh
And you're done.
Default: 6 connections per 30 s from any one source address

iptables
Block IP 1.2.3.4:
iptables -A INPUT -s 1.2.3.4 -j DROP
iptables
# chain that drops new HTTPS connections from any one source above the rate
iptables -N LIMIT_SSL
iptables -A LIMIT_SSL \
  -p tcp --dport 443 \
  --syn -m state --state NEW \
  -m hashlimit \
  --hashlimit-above 120/second --hashlimit-burst 20 \
  --hashlimit-mode srcip --hashlimit-name ssl-conn \
  --hashlimit-htable-expire 3600 \
  -j DROP
# send inbound port-443 traffic through the chain
iptables -A INPUT -p tcp --dport 443 -j LIMIT_SSL

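Added example, not from the talk or from netfilter: a token-bucket model of the per-source rule above, treating --hashlimit-above 120 as 120 per second (hashlimit's unit when none is given) and --hashlimit-burst 20 as the bucket size, so you can see how many SYNs a given burst pattern would have dropped before loading the rule on a real box. The addresses and timing are constructed, and the bucket is a simplification of hashlimit's credit accounting.

```python
from collections import defaultdict

RATE_PER_SEC = 120.0   # --hashlimit-above 120: refill rate (per second when no unit is given)
BURST = 20             # --hashlimit-burst 20: tokens a fresh bucket starts with


class SrcIpLimiter:
    """One token bucket per source address, the key that --hashlimit-mode srcip uses."""

    def __init__(self, rate=RATE_PER_SEC, burst=BURST):
        self.rate = rate
        self.burst = burst
        self.tokens = defaultdict(lambda: float(burst))  # new sources start with a full bucket
        self.last = {}

    def accept(self, src, t):
        """True if a SYN from src at time t (seconds) passes; False if the rule DROPs it."""
        if src in self.last:  # refill for the elapsed time, capped at the burst size
            self.tokens[src] = min(self.burst,
                                   self.tokens[src] + (t - self.last[src]) * self.rate)
        self.last[src] = t
        if self.tokens[src] >= 1.0:
            self.tokens[src] -= 1.0
            return True
        return False  # empty bucket: this source is now "above" the configured rate


def simulate(events, rate=RATE_PER_SEC, burst=BURST):
    """events: iterable of (time_seconds, src_ip). Returns {src: (passed, dropped)}."""
    lim = SrcIpLimiter(rate, burst)
    counts = defaultdict(lambda: [0, 0])
    for t, src in sorted(events):
        counts[src][0 if lim.accept(src, t) else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}


if __name__ == "__main__":
    # Constructed traffic: 1000 SYNs in one instant from a flooder, then one more a
    # second later; a normal client opening one connection every half second.
    flooder = [(0.0, "198.51.100.7")] * 1000 + [(1.0, "198.51.100.7")]
    normal = [(i * 0.5, "203.0.113.9") for i in range(10)]
    print(simulate(flooder + normal))  # flooder: (21, 980), normal client: (10, 0)
```

The burst lets the first 20 SYNs through, the rest of the instant burst is dropped, and a second of quiet refills the bucket, which is exactly the trade-off the burst and rate parameters express.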
ipset
Use ipset for better performance when filtering many IPs:
ipset create blacklist hash:ip hashsize 4096
ipset -A blacklist 1.2.3.4
ipset -A blacklist 3.4.5.6
[...]
iptables -I INPUT -m set --match-set blacklist src -p TCP \
--destination-port 80 -j REJECT
ipset
Use ipset to geoblock an entire country (e.g. Vietnam):
ipset create geoblock_vn hash:net -exist
for NET in $(wget -O - \
  http://www.ipdeny.com/ipblocks/data/countries/vn.zone)
do
  ipset -A geoblock_vn $NET -exist   # set name first, then the prefix
done
# match the set against source addresses on inbound traffic
iptables -I INPUT -m set --match-set geoblock_vn src -j DROP

Easy Defensive Measure: Fail2Ban
fail2ban monitors log files (SSH, web server, FTP, etc.), using iptables to block repeat offenders.

Easy Defensive Measure: mod_evasive
mod_evasive is an Apache module that blocks HTTP visitors who (quote):
▶ Request the same page more than a few times per second
▶ Make more than 50 concurrent requests on the same child per second
▶ Make any requests while temporarily blacklisted (on a blocking list)

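Added example, not from the talk or from fail2ban/mod_evasive: the two mod_evasive counting rules applied to Apache combined-log lines in Python, in the log-watching spirit of fail2ban, emitting add commands for the blacklist set in the syntax of the ipset slide. The thresholds, set name and log lines are constructed for the demo; tune the counts to your site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

PAGE_COUNT = 2    # hits on one URI allowed per INTERVAL before a block (assumed threshold)
SITE_COUNT = 50   # hits on the whole site allowed per INTERVAL (assumed threshold)
INTERVAL = timedelta(seconds=1)
BLACKLIST = "blacklist"  # ipset name from the ipset slide
# Apache combined log: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Return (ip, timestamp, path) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path

def find_offenders(lines):
    """Return {ip: reason} for clients exceeding either limit within a sliding window."""
    page_hits = defaultdict(deque)   # (ip, path) -> timestamps inside the window
    site_hits = defaultdict(deque)   # ip -> timestamps inside the window
    offenders = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                 # skip lines that are not request records
        ip, t, path = rec
        for key, table, limit, why in (((ip, path), page_hits, PAGE_COUNT, "page flood"),
                                       (ip, site_hits, SITE_COUNT, "site flood")):
            q = table[key]
            while q and t - q[0] > INTERVAL:
                q.popleft()          # forget hits that fell out of the window
            q.append(t)
            if len(q) > limit:
                offenders.setdefault(ip, why)
    return offenders

def block_commands(offenders):
    """ipset commands, in the syntax of the ipset slide, that add each offender."""
    return [f"ipset -A {BLACKLIST} {ip}" for ip in sorted(offenders)]

# Constructed sample log: one client hammers /login.php, another browses normally.
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Jul/2014:10:00:01 +0000] "GET /login.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Jul/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 2048',
    '198.51.100.7 - - [23/Jul/2014:10:00:01 +0000] "GET /login.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [23/Jul/2014:10:00:01 +0000] "GET /login.php HTTP/1.1" 200 512',
]
```

Running `block_commands(find_offenders(SAMPLE_LOG))` yields the single add command for the flooder; feed the output to a shell (or to an iptables jail) the way fail2ban would.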
HAProxy
HAProxy is a multi-featured load balancer with some nice DDoS protection features.
Example: Tarpitting bad users:
# Ignore user-agents "Mozilla" or "MSIE", but block all others.
reqipass ^User-Agent:\.*(Mozilla|MSIE)
reqitarpit ^User-Agent:
# block bad guys
acl badguys src 10.1.0.3 172.16.13.20/28
reqitarpit . if badguys

Tarpitting with iptables
iptables -A INPUT -s x.x.x.x -p tcp -j TARPIT
django_banish
django_banish is Django middleware that makes rate-limiting and IP bans easy.

Upgrade Often
Widening your bottlenecks = better DoS resilience and better performance for your everyday users!

A Few Words on Tradeoffs
▶ No protection measure is 100% effective
▶ You may cut off legitimate users
▶ You may pay a performance cost

Thanks and Questions
Sources, links to tools, and more:
cternus.net/dos
@ternus