Application layer (D)DoS attack and defense






13116754G

Guo  Feng

www.leafonsword.org

leafonsword@gmail.com

Three Steps:


  1. Setup a website with CDN protected
  2. Launch (D)DOS attack
  3. Detect  (D)DOS attacks
  4. Defend (D)DOS attacks
Setup a website

www.leafonsword.org

Hardware

        CPU:1 core,2.3GHz

        Memory:512M

        DISK:4K random IOPS--5000 r/w

        Bandwith:80Mbps(Download),25Mbps(Upload)       


Protect by Cloudflare(or nexqcloud)

How:

Just change NS record to cloudflare(or nexqcloud)'s nameservers


Launch (D)DOS attack


With cloudflare(or nexqloud) protected

Attacks was absorbed by CDN,anything is as normal

So  must defeat CDN or bypass CDN's protection

bypass CDN's protection--Find real IP behind CDN(method 1)

Direct ping:
Ping fake subdomain:

bypass CDN's protection--Find real IP behind CDN(method 2)

 By default dns resolver

bypass CDN's protection--Find real IP behind CDN(method 2)

Specified dns resolver

Find addtional  information

By Whatweb



Something useful:
CMS:Ghost 0.4
Web Server:just node.js buildin webserver

Find Other website's information

By nmap


Something useful:
22 ssh
80 http

Consider attack purpose

Consuming something:

CPU

Mem

Disk

Bandwith


Consider 7 layer attack methods

  • HTTP(s) Flood
  • FTP
  • SMTP Error DDOS



I Choose HTTP Get Flood

Types of Layer 7 DDOS web attacks

  • HTTP GET
  • HTTP POST


HTTP GET Flood

time-delayed HTTP headers to hold on to HTTP connections and exhaust web server threads or resources

Consider tools

Loic(loiq)

Hoic

OWASP HTTP Post Tool

SlowHTTPTest

Slowloris

Goloris

R.U.DY (R U Dead Yet?)


Example--Using loiq

  • The  loic  clone  in  linux
  • Three attacking ways:HTTP、TCP、UDP
  • Self-define thread num and packet send speed

Before attack


CPU:          2~5% usage
Mem:        331M free
Network: <10kb/s
Disk:         <100k/s

After attack

Tcpdump's output

After attack


CPU:         100% usage
Mem:       12.7M free
Network: >400kb/s
Disk:         >2M/s

Detect (D)DOS attacks


Method one

Monitor resource consuming

CPU、Mem、Disk、Network......





Drawback:
DDOS => Resource consuming !
Resource consuming =>  DDOS ?

Method Two--Monitor connections



Defend (D)DOS attacks

Method One--timeout limits for HTTP headers

For Apache like web servers, waiting for the HTTP headers to complete sending is a basic and inherent behavior of web servers

So choose other web servers with timeout limits for HTTP headers,such as Nginx,IIS,lighttpd................

Apache could also use module(mod_antiloris)

Method Two--Limit Connections

Example--Nginx(ngx_http_limit_conn_module)

The ngx_http_limit_conn_module module is used to limit the number of connections per the defined key, in particular, the number of connections from a single IP address


http {
    limit_conn_zone $binary_remote_addr zone=addr:10m;

    ...

    server {

        ...

        location /download/ {
            limit_conn addr 1;
        }

Method Three--Block Attacker

(D)DOS Deflate

  • Iptables based
  • maximum connections specified
  • banning expiration time specified


When triggering definded connection limit: