Layer 7 denial of service attack mitigation
DESCRIPTION
RISTEK - IT lesehan, 12 Nov 2011
TRANSCRIPT
![Page 1: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/1.jpg)
Layer 7 Denial Of Service Attack Mitigation
IT LESEHAN - y3dips
Saturday, November 12, 11
![Page 2: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/2.jpg)
Agenda
• Introduction
• Denial Of Service
• Layer 7 Denial Of Service
• Case Stories
• Demo
• Discussion
![Page 3: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/3.jpg)
Introduction
• Freelance IT Security Consultant
• More than 9 years in IT Security
• Founder of “ECHO”, one of the Indonesian hacker communities, established in 2003
• Founder of IDSECCONF - Indonesia Security Conference, in cooperation with DEPKOMINFO
• More Info:
• @y3dips
![Page 4: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/4.jpg)
Denial of Service
An activity whose goal is to stop a system from working as much as possible, either partially or entirely.
![Page 5: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/5.jpg)
DoS
• A stupid act
• Exhausts your own resources too
• Old story:
• moby wrote a DDoS in 2003 *
• I wrote an Apache DoS in 2003 **
• Well handled by now
* http://ezine.echo.or.id/ezine2/ddos%7EMoby.txt
** http://ezine.echo.or.id/ezine2/dos_buat_apache%7Ey3dips.txt
![Page 6: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/6.jpg)
Type of Network DoS
• Layer 4
• Attacks a layer 4 protocol
• TCP
• SYN, FIN, ACK floods
• smurf, TRINOO, Stacheldraht, teardrop (smurf and teardrop actually abuse ICMP and IP fragmentation, i.e. layer 3, but they are usually grouped with the network-layer floods)
![Page 7: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/7.jpg)
Type of Network DoS
• Layer 7
• Attacks a layer 7 protocol
• HTTP, FTP, DNS
• HTTP slow POST, HTTP GET flood
![Page 8: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/8.jpg)
Real Life Stories: when this all began
![Page 9: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/9.jpg)
DoS against ECHO
• 7 - 8 November 2011
• Unknown motives
• Echo web access down
![Page 10: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/10.jpg)
Attack Detection
![Page 11: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/11.jpg)
See the TKP (the crime scene) :)
![Page 12: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/12.jpg)
Check that it really is a DoS
• Only you?
• Or down for everyone :D
• http://downforeveryoneorjustme.com/
![Page 13: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/13.jpg)
Analyze :|
![Page 14: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/14.jpg)
Analyze
• Is the whole server down?
• Or only a specific service?
![Page 15: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/15.jpg)
In this case only port 80 was down
![Page 16: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/16.jpg)
Layer 7 DoS: let's dig around on port 80!
![Page 17: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/17.jpg)
See Stats :)
![Page 18: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/18.jpg)
AWStats screenshot for echo.or.id (report period: November 2011; last updated 08 Nov 2011 14:20; first visit 01 Nov 2011 00:00, last visit 08 Nov 2011 11:35; printed from http://echo.or.id/index.cgi on 11/9/11 1:46 PM):

| | Unique visitors | Number of visits | Pages | Hits | Bandwidth |
|---|---|---|---|---|---|
| Traffic viewed * | 10021 | 14357 (1.43 visits/visitor) | 102822 (7.16 pages/visit) | 417078 (29.05 hits/visit) | 1.45 GB (105.69 KB/visit) |
| Traffic not viewed * | | | 88111 | 145915 | 395.12 MB |

* Not viewed traffic includes traffic generated by robots, worms, or replies with special HTTP status codes.

(The monthly history for Jan - Dec 2011 is only a chart in the screenshot.)

Seems all legit
![Page 19: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/19.jpg)
7, 8 November?
![Page 20: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/20.jpg)
7, 8 November?
![Page 21: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/21.jpg)
Ask the Logs :)
![Page 22: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/22.jpg)
Logs
• HTTP/S logs
• http-access
• http-error
![Page 23: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/23.jpg)
A valid one
![Page 24: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/24.jpg)
A valid one, but also an HTTP GET flood
![Page 25: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/25.jpg)
Conclusion
• It's an HTTP GET flood
• The TCP connection has to be fully established before the GET is sent
• So the source IP has to be valid (it cannot be spoofed)?
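The slides point at http-access to tell a GET flood apart from legitimate traffic, and the conclusion notes that the TCP handshake has to complete for the GET to arrive at all. The script below is an added example (not code from the talk) that puts both points together: it parses Apache combined-format lines, counts requests per source address per ten-second window and reports the addresses that exceed a threshold. Because every request rides on a completed handshake, the `%h` field is the attacker's real address, which is what makes per-IP counting (and later per-IP blocking) meaningful. The log lines, the attacker address `198.51.100.23` and the threshold are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

FLOOD_IP = "198.51.100.23"   # hypothetical attacker address (documentation range)

# Constructed sample of http-access: three ordinary requests from two visitors ...
SAMPLE_LINES = [
    '203.0.113.7 - - [07/Nov/2011:10:00:01 +0700] "GET /index.cgi HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Nov/2011:10:00:02 +0700] "GET /style.css HTTP/1.1" 200 812 "http://echo.or.id/index.cgi" "Mozilla/5.0"',
    '192.0.2.44 - - [07/Nov/2011:10:00:05 +0700] "GET /ezine/ HTTP/1.1" 200 2301 "-" "Mozilla/5.0"',
]
# ... plus 120 GETs of the same page inside ten seconds from one host. Each line is a
# well-formed, successful request: no single line looks wrong, only the rate does.
SAMPLE_LINES += [
    f'{FLOOD_IP} - - [07/Nov/2011:10:00:{i % 10:02d} +0700] '
    '"GET /index.cgi HTTP/1.1" 200 5123 "-" "Mozilla/5.0"'
    for i in range(120)
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def requests_per_window(lines, window_s=10):
    """Count requests per (source IP, time window); windows are aligned to window_s seconds."""
    buckets = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        window = int(rec["ts"].timestamp()) // window_s * window_s
        buckets[(rec["ip"], window)] += 1
    return buckets


def find_flooders(lines, window_s=10, threshold=50):
    """Map each source IP that exceeded `threshold` requests in any window to its peak count.

    A GET flood arrives over completed TCP handshakes, so %h is the real source
    address; these are the addresses worth blocking at the firewall.
    """
    peak = {}
    for (ip, _), n in requests_per_window(lines, window_s).items():
        if n > threshold:
            peak[ip] = max(peak.get(ip, 0), n)
    return peak


def paths_for(lines, ip):
    """URLs an address requested, most frequent first; a flood usually hammers one page."""
    return Counter(rec["path"] for rec in map(parse_line, lines) if rec and rec["ip"] == ip)


if __name__ == "__main__":
    for ip, n in find_flooders(SAMPLE_LINES).items():
        print(f"{ip}: {n} requests in 10 s, top paths {paths_for(SAMPLE_LINES, ip).most_common(3)}")
```

On a live box feed it the real file (`find_flooders(open("/var/log/apache2/access.log"))`) and tune `threshold` to the site's normal per-visitor rate from AWStats; a shared NAT or a crawler will legitimately exceed a threshold that is set too low.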
![Page 26: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/26.jpg)
Learn from Code :)
![Page 27: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/27.jpg)
* Credit to Google for the code; I just dug around and found it
![Page 28: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/28.jpg)
Attack Mitigation
![Page 29: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/29.jpg)
Mitigation
• Always have your backup
• No privileged access to the server? REPORT IT (LAPORKAN)
![Page 30: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/30.jpg)
Mitigation
• If you have privileged access:
• check: netstat -n | grep ':80 ' | wc -l (anchoring on ':80 ' avoids counting addresses that merely contain "80")
• block:
• iptables -A INPUT -s x.x.x.x -p tcp -j TARPIT (TARPIT is not in stock netfilter; it comes from xtables-addons)
• iptables -A INPUT -s x.x.x.x -p tcp -j DROP
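The slide counts port 80 connections with `netstat -n | grep 80 | wc -l` and then blocks the offender by hand. As an added example (not code from the talk), the script below does the same per peer address: it parses `netstat -n` output, counts connections whose local port is 80 for each remote address, and prints the `iptables` rules for every peer above a threshold. The rules are scoped with `--dport 80` rather than the slide's blanket `-p tcp`, so a blocked flooder can still be reached on other ports if it turns out to be a shared NAT. The netstat text, the attacker address `198.51.100.23`, the threshold and the allowlist are constructed for the example.

```python
from collections import Counter

FLOOD_IP = "198.51.100.23"   # hypothetical attacker address (documentation range)

# Constructed sample of `netstat -n` output (Linux layout): one host holds 40 connections to
# port 80, an ordinary visitor holds 3 (one in TIME_WAIT), an IPv4-mapped IPv6 peer holds 1,
# and an SSH session on local port 22 must be ignored.
SAMPLE_NETSTAT = "\n".join(
    [
        "Active Internet connections (w/o servers)",
        "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
        "tcp        0      0 10.0.0.5:22             203.0.113.7:40001       ESTABLISHED",
        "tcp        0      0 10.0.0.5:80             203.0.113.7:40002       ESTABLISHED",
        "tcp        0      0 10.0.0.5:80             203.0.113.7:40003       ESTABLISHED",
        "tcp        0      0 10.0.0.5:80             203.0.113.7:40004       TIME_WAIT",
        "tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:198.51.100.9:4444 ESTABLISHED",
    ]
    + [f"tcp        0      0 10.0.0.5:80             {FLOOD_IP}:{51000 + i}      ESTABLISHED"
       for i in range(40)]
)


def split_endpoint(addr):
    """'10.0.0.5:80' -> ('10.0.0.5', 80); strips the ::ffff: prefix of IPv4-mapped addresses."""
    host, port = addr.rsplit(":", 1)
    if host.startswith("::ffff:"):
        host = host[len("::ffff:"):]
    return host, int(port)


def connections_by_peer(netstat_text, port=80, states=None):
    """Count TCP connections per remote address whose local port is `port`.

    `states` restricts the count to the given netstat states (e.g. {"ESTABLISHED"});
    None counts every state, which also surfaces SYN_RECV pile-ups.
    """
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue                      # header lines, udp, unix sockets
        _, local_port = split_endpoint(fields[3])
        peer, _ = split_endpoint(fields[4])
        if local_port != port:
            continue
        if states is not None and fields[5] not in states:
            continue
        counts[peer] += 1
    return counts


def block_commands(counts, threshold=30, action="DROP", port=80, allowlist=frozenset()):
    """iptables rules for peers above `threshold`, scoped to the attacked port.

    `action` may be "TARPIT" instead of "DROP"; TARPIT is not part of stock netfilter and
    needs the xtables-addons module. Addresses in `allowlist` (monitoring hosts, your own
    office NAT) are never blocked.
    """
    rules = []
    for peer, n in sorted(counts.items()):
        if n > threshold and peer not in allowlist:
            rules.append(f"iptables -A INPUT -s {peer} -p tcp --dport {port} -j {action}")
    return rules


if __name__ == "__main__":
    counts = connections_by_peer(SAMPLE_NETSTAT)
    print("connections to :80 per peer:", dict(counts))
    print("\n".join(block_commands(counts)))
```

On a live server feed it `subprocess.run(["netstat", "-n"], capture_output=True, text=True).stdout` (or `ss -tn`, whose column layout differs), review the printed rules and only then run them; the script deliberately prints instead of executing so that an allowlist mistake does not lock you out.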
![Page 31: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/31.jpg)
TARPITTING
http://www.secureworks.com/research/threats/ddos/
Care to send, and have every packet doubled back at you :) ?
![Page 32: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/32.jpg)
Hardening Apache
• TimeOut = default 300 seconds, i.e. 5 minutes; 10 seconds is recommended
• TimeOut protects the server from a large number of requests that the attacker never closes: with TimeOut set, if no data is transferred within that period (10 seconds), Apache closes the connection
![Page 33: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/33.jpg)
Hardening Apache
• KeepAlive = On
• KeepAlive allows several HTTP requests to be made over a single connection.
• KeepAliveTimeout = 15 seconds
• This setting protects the server from keep-alive connections that sit idle without any requests
![Page 34: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/34.jpg)
Hardening Apache
• AcceptFilter http data / AcceptFilter https data
• Protects against the kind of attack where the attacker opens a socket and leaves it there without sending any data. Enabling the data filter for http and https minimizes this type of attack.
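The three slides above describe the directives one at a time; below they are shown together as an added example (not a configuration from the talk), with the shipped Apache 2.2-era defaults next to the hardened values the slides recommend. One caveat a practitioner should keep in mind: `Timeout`, `KeepAliveTimeout` and `AcceptFilter` only shorten the life of idle or slow connections (the slow POST and half-open cases). The attack in this talk was a GET flood over fully established connections sending complete requests, which these settings do not stop; for that you need per-IP rate limiting, for example the `iptables` blocking shown earlier or a module such as mod_evasive (mentioned here as a suggestion, not something the slides cover). `MaxKeepAliveRequests` is included as a related directive that the slides do not mention.

```apache
# --- Weak: Apache 2.2 defaults (2.4 already lowered Timeout to 60) ---
# Timeout 300
# KeepAlive On
# KeepAliveTimeout 5

# --- Hardened, per the slides ---
# Close a connection after 10 s without data in either direction
Timeout 10

# Keep persistent connections (cheaper for real visitors) but cap how long
# an idle one may hold a worker, and how many requests it may issue
KeepAlive On
KeepAliveTimeout 15
MaxKeepAliveRequests 100

# Do not hand a new connection to a worker until the client has sent data.
# On Linux this maps to TCP_DEFER_ACCEPT; on FreeBSD the accf_data kernel
# module must be loaded, otherwise Apache logs a warning and falls back.
AcceptFilter http data
AcceptFilter https data
```

Apache does not allow a comment on the same line as a directive, which is why every comment above sits on its own line; check the result with `apachectl configtest` before a graceful restart.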
![Page 35: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/35.jpg)
Demo
![Page 36: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/36.jpg)
![Page 37: Layer 7 denial of services attack mitigation](https://reader033.vdocument.in/reader033/viewer/2022052900/5559f658d8b42ad00a8b4853/html5/thumbnails/37.jpg)
Layer 7 Denial Of Service Attack Mitigation
IT LESEHAN - y3dips