Universal DDoS Mitigation Bypass

Tony T. N. Miu (1), Albert K. T. Hui (2), W. L. Lee (2), Daniel X. P. Luo (2), Alan K. L. Chung (2), and Judy W. S. Wong (2)

(1) Nexusguard Limited, tony.miu@nexusguard.com
(2) Network Threats Information Sharing and Analysis Center (NT-ISAC), Bloodspear Labs, {albert,leng,daniel,alan,judy}@bloodspear.org

Abstract.
Today's commercial distributed denial of service (DDoS) mitigation technologies employ many different techniques for identifying DDoS traffic and blocking these threats. Common techniques range from basic malformed traffic checks, to traffic profiling and rate limiting, to traffic source verification and so on, with captive redirection utilizing JavaScript- or CAPTCHA-based authentication being the most effective by far. However, in our research weaknesses were found in a majority of these sorts of techniques. We rolled all our exploits into a proof-of-concept attack tool, giving it near-perfect DDoS mitigation bypass capability against almost every existing commercial DDoS mitigation solution. The ramifications are huge. For the vast majority of websites, these mitigation solutions stand as the last line of defense. Breaching this defense can expose these websites' backends to devastating damage. We have extensively surveyed DDoS mitigation technologies available on the market today, uncovering the countermeasure techniques they employ, how they work, and how to defeat each of them. Essentially, bypass is achieved through emulating legitimate traffic characteristics. Afterwards, our attack tool is introduced to demonstrate how all these exploits can be brought together to execute a "combo attack" that bypasses all layers of protection in order to gain access to the backend. The effectiveness of this tool is illustrated via testing results against specific DDoS mitigation products and popular websites known to be protected by specific technologies. To conclude our research, a next-gen mitigation technique is also proposed as a countermeasure against our attack methodology.
Keywords: DDoS mitigation, DDoS, large-scale network attack

1 Introduction

DDoS attacks remain a major threat to internet security because they are relatively cheap yet highly effective in taking down otherwise well-protected networks. One need look no further than the attack on Spamhaus to realize the damage potential: the bandwidth clog peaked at 300 Gbps, all from a mere 750 Mbps of generated attack traffic [1]!

In the following sections, we first examine DDoS attacks observed in the wild and commercially available mitigation techniques against those attacks, with a brief discussion of each technique's inherent weaknesses. Next, we introduce bypass mechanisms that exploit these weaknesses and, by illustrating our proof-of-concept (PoC) tool "Kill 'em All", show how bypass mechanisms can be combined to achieve total bypass, thereby defeating the defense-in-depth design typically adopted in DDoS mitigation solutions. To conclude, we substantiate our claim with testing results against specific mitigation solutions, and propose a next-generation mitigation methodology capable of defending against "Kill 'em All"-type attacks.
2 DDoS Attack Categories

The crudest form of DDoS attack is the volumetric DDoS attack, whereby a huge volume of traffic pours into the victim in a brute-force manner, hogging all bandwidth otherwise available for legitimate purposes. Execution is expensive, as the attacker would have to send traffic whose volume is on par with the victim's spare capacity. This translates to a higher monetary cost associated with hiring botnets. The age-old ping flood is a prime example.

Semantic DDoS attacks work smarter, amplifying firepower by exploiting semantic contexts such as protocol and application weaknesses [2]. This effectively tips the balance in the attacker's favor, making attacks much cheaper. Examples of semantic attacks include Slowloris [3] and Smurf [4] attacks, as well as attacks that make excessive database lookups in web applications. The last one, effecting database lookups, exemplifies emerging application-level attacks, whereby attacks target weaknesses in specific applications. As of the time of this paper, API attacks are on the rise, paving the way to attack pivoting, with which attacks can be extended to other computing systems through the APIs of applications on the system being directly targeted.

A third category, blended DDoS attacks, aims to achieve stealthy attacks through blending into legitimate traffic, practically rendering ineffective most countermeasures designed to filter out abnormal, presumably malicious, traffic. HOIC [5] with "booster packs" (elements that add randomized headers and so on in order to make attack traffic look legitimate) is an example of an attack that employs blending techniques via randomized headers. Another flavor of blended DDoS attack [6] mixes weaponized exploits with high-volume DDoS attacks, in order to increase the exploit success rate and evade detection. This works because many security controls fail under DDoS, leaving affected systems wide open to exploits (see Figure 1 for an example). Moreover, DDoS can also overwhelm audit trail and logging mechanisms, making incident response and forensics much more difficult.

Note that these categories are by no means mutually exclusive. For instance, blended attacks that also exploit application weaknesses are not at all uncommon in the wild.

Figure 1. Example of security control failure under DDoS.
3 Commercial DDoS Mitigation Techniques and Their Weaknesses

Over the years, as DDoS attacks gain sophistication, so do countermeasures. DDoS countermeasures can be broadly classified into three elements: prevention, detection and mitigation. In this paper we shall limit our scope to DDoS mitigation, which concerns coping with ongoing attacks, reducing the impact and containing the damage. For immediate relevance we only consider currently available commercial solutions. With reference to Figure 2, common commercial detection and mitigation methods are discussed below.

Figure 2. DDoS Mitigation Techniques. The figure maps the techniques discussed in this section (Big Data Analysis, Baseline Enforcement, Traffic Policing, Rate Measurement, Source Host Authentication, Proactive Housekeeping, CDN/Clean Pipe, Protocol Behavior Checking, Protocol Sanity Checking, Traceback, Malicious Source Intelligence, Protocol Pattern Matching, Black-/Whitelisting) against the three attack categories (Volumetric, Semantic and Blended DDoS).

3.1 Techniques Primarily Dealing with Volumetric Attacks

A network system has multiple capacity limits, such as:
1. maximum inbound bandwidth (data link layer statistics),
2. maximum packet rate (network layer statistics),
3. maximum HTTP request rate (application layer protocol statistics),
4. maximum HTTP object return rate (server load statistics),
5. maximum concurrent TCP connections (system resource statistics),
and so on. Volumetric attacks attempt to exhaust these limits in order to render the system unavailable.

Rate Measurement, Baseline Enforcement and Traffic Policing

Against volumetric attacks, a direct mitigating tactic employs traffic policing to curb attack traffic. Common implementations typically involve baseline enforcement and rate limiting, whereby traffic that exceeds a capacity threshold or otherwise violates predetermined traffic conditions (the baseline profile) is forcibly suppressed to ensure conformance with capacity rules. This is usually achieved through selective packet dropping (traffic shaping), or outright blacklisting of infringing traffic sources.

An inherent weakness of this approach is that an attacker can probe the target with test traffic to determine the thresholds at which policing will take place. Upon this discovery, the attacker can fire an attack that stays just below the radar, and multiply the firepower by using multiple attack sources.

Indeed, rate metering and baseline enforcement can be applied to specific source IP addresses or to address ranges such as entire subnets. But a pure traffic policing approach cannot correlate across unrelated sources, because that would require visibility into traffic characteristics deeper than just capacity rule violations. Historically this inherent weakness has given rise to the proliferation of botnets, as they make possible the execution of coordinated attacks across massive numbers of unrelated sources, which are deadly against these first-generation DDoS mitigation techniques.
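To make the correlation gap concrete, the following added example (not code from the paper or from any product discussed in it) simulates a per-source token-bucket policer against constructed traffic. A single source sending at twice its limit is throttled to roughly half; a thousand hypothetical sources in 10.0.0.0/16 each staying just under the same per-source limit are passed in full, and their sum overwhelms a backend whose capacity is an assumed 5,000 requests per second. Time is kept in integer milliseconds so the token arithmetic is exact.

```python
"""Per-source token-bucket policing, and why it cannot see a coordinated flood.

Added example; not code from the paper. Time is in integer milliseconds so the
token arithmetic stays exact.
"""
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `rate` requests/second sustained, `burst` at most."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last_ms = 0

    def allow(self, now_ms):
        elapsed_ms = now_ms - self.last_ms
        self.tokens = min(self.burst, self.tokens + elapsed_ms * self.rate / 1000.0)
        self.last_ms = now_ms
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerSourcePolicer:
    """One bucket per source IP, the way a pure rate limiter keys its state."""

    def __init__(self, rate_per_source, burst):
        self.buckets = defaultdict(lambda: TokenBucket(rate_per_source, burst))

    def police(self, events):
        """events: iterable of (time_ms, src_ip) sorted by time. Returns (passed, dropped)."""
        passed = dropped = 0
        for t_ms, src in events:
            if self.buckets[src].allow(t_ms):
                passed += 1
            else:
                dropped += 1
        return passed, dropped


def coordinated_flood(n_sources, rate_each, duration_s):
    """Constructed traffic: n_sources hypothetical hosts in 10.0.0.0/16, each sending
    rate_each req/s for duration_s seconds, starts staggered so arrivals interleave."""
    events = []
    for i in range(n_sources):
        src = f"10.0.{i // 256}.{i % 256}"
        offset_ms = i * 1000 / (n_sources * rate_each)
        for k in range(int(rate_each * duration_s)):
            events.append((int(k * 1000 / rate_each + offset_ms), src))
    events.sort()
    return events


def simulate(n_sources, rate_each, duration_s, limit_per_source, backend_capacity_rps):
    """Run the flood through a per-source policer and report what reaches the backend."""
    policer = PerSourcePolicer(limit_per_source, burst=limit_per_source)
    passed, dropped = policer.police(coordinated_flood(n_sources, rate_each, duration_s))
    backend_rps = passed / duration_s
    return {
        "passed": passed,
        "dropped": dropped,
        "backend_rps": backend_rps,
        "backend_overloaded": backend_rps > backend_capacity_rps,
    }


if __name__ == "__main__":
    # One source at twice the per-source limit: the policer bites.
    print(simulate(1, 20, 10, limit_per_source=10, backend_capacity_rps=5000))
    # A thousand sources each just under the limit: nothing is dropped, yet the
    # backend (assumed to handle 5,000 req/s) receives 9,000 req/s.
    print(simulate(1000, 9, 10, limit_per_source=10, backend_capacity_rps=5000))
```

An aggregate bucket placed in front of the backend would catch the second case, but it can only drop indiscriminately once the total is exceeded, legitimate and attack traffic alike; telling the thousand sources apart needs the deeper traffic characteristics the paper turns to in Section 3.3.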
3.2 Techniques Primarily Dealing with Semantic Attacks

Semantic DDoS attacks exploit weaknesses in protocol, application or other design issues to cause resource starvation. Examples include:
1. Smurf Attack (exploits ICMP reply and IP broadcast behavior),
2. SYN Flood (exploits the TCP half-open connection's provision for waiting),
3. Slowloris Attack [3] (exploits the HTTP request's provision for waiting),
4. Teardrop Attack (crashes the OS with malformed IP packets),
5. Crash IIS Attack (crashes IIS with malformed HTTP GET requests),
6. Apache Killer (exploits a weakness in Apache's Range header implementation),
7. database amplification attack, i.e. making cheap HTTP requests that involve expensive database queries in rapid succession (exploits request-response cost asymmetry),
and so on.

Protocol Sanity and Behavior Checking

Semantic attacks usually follow specific patterns. For instance, the Teardrop Attack's tell-tale signature is its overlapping IP fragments. Checking for these signatures may not be trivial to implement but nevertheless provides definite criteria for filtering. It is for this reason that protocol sanity and behavior checking are mostly effective for catching known semantic attacks.

However, extending sanity checking to cover 0-day semantic attacks by checking for malformed protocol data units (packets, datagrams, segments, HTTP requests, etc.) in general is often met with mixed success. This is because RFCs are often ambiguous about less common conditions, and all networking stack implementations have their own interpretations of the standards and their own idiosyncrasies. There are also widespread usages that are actually non-compliant; this reality makes an aggressive filtering approach prone to breaking real-world applications.

Interplay among layers of networking protocols further complicates the issue, giving way to ample opportunities for exploitation. One such example is the TCP x HTTP Attack [7].
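The Teardrop check mentioned above, as an added example that is not part of the paper: a minimal IPv4 header parser groups fragments by (source, destination, identification, protocol) and flags any fragment train in which a fragment begins inside the byte range of the one before it. The packets are constructed with struct.pack; the addresses and identification values are arbitrary. Exact duplicate fragments (the same range seen twice, which a network can produce on its own) are deliberately not treated as overlaps, an instance of the caution above about aggressive filtering breaking legitimate traffic.

```python
"""Detecting overlapping IPv4 fragments (the Teardrop signature) from raw packets.

Added example, not from the paper. Packets are constructed with struct.pack;
addresses and identification values are arbitrary.
"""
import struct
from collections import defaultdict


def parse_ipv4(pkt):
    """Return the fields a fragment sanity check needs from a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "key": (src, dst, ident, proto),          # fragments of one datagram share these
        "more_fragments": bool(flags_frag & 0x2000),
        "dont_fragment": bool(flags_frag & 0x4000),
        "offset": (flags_frag & 0x1FFF) * 8,       # fragment offset is in 8-byte units
        "payload_len": total_len - ihl,
        "ttl": ttl,
    }


def find_overlapping_fragments(packets):
    """Group fragments by datagram and return the keys whose fragments overlap.

    A legitimate fragment train tiles the payload without overlap; a fragment
    that starts inside the previous one is the Teardrop tell-tale."""
    trains = defaultdict(list)
    for pkt in packets:
        f = parse_ipv4(pkt)
        if f["more_fragments"] or f["offset"] > 0:      # only fragments, not whole datagrams
            trains[f["key"]].append((f["offset"], f["offset"] + f["payload_len"]))
    suspicious = []
    for key, ranges in trains.items():
        ranges.sort()
        for (s1, e1), (s2, e2) in zip(ranges, ranges[1:]):
            if (s2, e2) == (s1, e1):
                continue                                  # exact duplicate: not an overlap
            if s2 < e1:                                   # starts inside the previous fragment
                suspicious.append(key)
                break
    return suspicious


def make_fragment(ident, offset, payload_len, more):
    """Build a minimal IPv4 fragment (protocol 17) with the given byte offset and length."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      64, 17, 0, bytes([10, 1, 1, 1]), bytes([10, 2, 2, 2]))
    return hdr + b"\x00" * payload_len


# Constructed traffic: a normal two-fragment datagram (id 1) and a Teardrop-style
# train (id 2) whose second fragment claims to start inside the first one.
NORMAL_TRAIN = [make_fragment(1, 0, 32, True), make_fragment(1, 32, 16, False)]
TEARDROP_TRAIN = [make_fragment(2, 0, 32, True), make_fragment(2, 24, 16, False)]

if __name__ == "__main__":
    print(find_overlapping_fragments(NORMAL_TRAIN))
    print(find_overlapping_fragments(TEARDROP_TRAIN))
```

The check is stateful per datagram, which is why it is not trivial on a high-rate inline device: the trains table must be bounded and aged out, or the checker itself becomes a resource-starvation target of the kind this section describes.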
Proactive Resource Release

Another approach that is most effective against resource starvation attacks is proactive resource release, whereby resources prone to starvation are forcibly freed up.

For compatibility and scalability reasons, commercial mitigation solutions are usually deployed externally to individual computer systems and networking devices, treating them as black boxes. This precludes resource release measures that require host-based mechanisms, such as enlarging the TCP concurrent connection pool. That said, resource freeing by means of TCP connection reset can be instrumented externally: a TCP RST packet that matches the connection's addresses, ports and an acceptable sequence number (all visible to an inline device) is sufficient to make the server host close and free up the connection. For TCP-based DDoS attacks, forceful TCP connection reset is a very practical control mechanism.

However, proactive resource release can inadvertently disrupt legitimate uses. As such, graceful recovery is a desirable compensatory feature to have.

Resource holding attacks like Slowloris [3] are best handled with proactive resource release. However, the detection of these attacks often requires matching predefined traffic behavior profiles. Even more troublesome are modified implementations, for which no predefined profile would work; detection would then have to resort to spotting deviations from normal traffic. Proactive resource release can by definition be circumvented by staying just below the release threshold.
3.3 Techniques Primarily Dealing with Blended Attacks

In response to mitigation techniques that excel at filtering out malformed traffic, blended attacks gained popularity. They strive to evade filtering by mimicking legitimate traffic, for instance by having HTTP requests bear believable real-world User-Agent strings and variable lengths.

Traffic Statistics and Behavior Big Data Analysis

Traffic statistics and behavior big data analysis aims at building a baseline profile of traffic such that significant deviation at runtime can trigger a red flag. Generally, data mining can work on the following three aspects:

Protocol Parameter Profiling: Historical implementations have given individual protocols certain common choices for parameter values in normal traffic. For instance, a normal TCP SYN packet (created via connect()) is 48 to 60 bytes long, has a TTL value of 64 and has the DF bit set, whereas SYN packets commonly found in DDoS attacks are usually much shorter and have different values for TTL and DF, mainly due to the use of raw packet crafting and for bandwidth economy. Another example is that a majority of legitimate ICMP pings leave the originating host with a TTL of 128 (Windows) or 64 (Linux). Note that a sensor sees these initial values decremented by the hop count, so profiling matches the observed TTL to the nearest common initial value (64, 128 or 255) rather than to the value itself. Likewise, frequency distributions of common values can be drawn for upper-layer attributes such as HTTP methods and User-Agent strings.

Traffic Behavior Profiling: Certain behavior features can be mined from traffic to individual sites. The most prominent aspect is that of temporal activity patterns. For instance, web games traffic generally picks up from 6 am in the morning, gradually ramping up until 9 am, at which point traffic plummets, only to pick up briefly again during lunch hours, with 7 pm to 3 am being the most heated gaming time period. Other useful features to be mined include proportions of individual protocols, average session lengths and the frequency distribution of TCP flags.

Demographic Profiling: Visitors to a website exhibit a certain demographic profile, such as where they come from and what browsers they use. Likewise, other network destinations tend to cater mainly to a specific group of similar clients. Detection of these correlations will facilitate red-flagging of abnormal traffic. For instance, a surge of visitor traffic from Russia to a website written only in German is almost always indicative of an ongoing DDoS attack.
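As an added illustration of the profiling described above (not the paper's or any vendor's code), the following compares the frequency distribution of request attributes in a traffic window against a baseline built from earlier traffic and flags values whose share of traffic has jumped. The access-log lines, the User-Agent string and the four-entry country lookup are constructed; a real deployment would consult a GeoIP database. The window models the German-site scenario: the country distribution flags the surge, while the User-Agent and method distributions stay quiet because the flood carries a believable browser string, which is exactly the blind spot blended attacks exploit.

```python
"""Baseline-versus-window profiling of categorical request attributes.

Added example, not from the paper. Log lines and the country lookup are constructed.
"""
import re
from collections import Counter

# Combined-log-format line; the named groups are what the profiler extracts.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) \S+ HTTP/\d\.\d" '
    r'\d{3} \d+ "[^"]*" "(?P<ua>[^"]*)"$')

# Constructed stand-in for a GeoIP database: first octet -> country code.
COUNTRY_BY_FIRST_OCTET = {"10": "DE", "192": "DE", "172": "AT", "203": "RU"}


def parse_line(line):
    """Return the attributes profiled below, or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    first_octet = m.group("ip").split(".")[0]
    return {
        "method": m.group("method"),
        "ua_family": m.group("ua").split("/")[0],       # e.g. "Mozilla"
        "country": COUNTRY_BY_FIRST_OCTET.get(first_octet, "??"),
    }


def distribution(records, attr):
    """Share of records per value of `attr` (sums to 1.0)."""
    counts = Counter(r[attr] for r in records)
    total = sum(counts.values())
    return {value: n / total for value, n in counts.items()}


def deviations(baseline, window, attr, max_increase=0.2):
    """Values whose share in the window exceeds their baseline share by more than
    max_increase, as (value, baseline_share, window_share), largest first."""
    base = distribution(baseline, attr)
    cur = distribution(window, attr)
    flagged = [(v, round(base.get(v, 0.0), 3), round(s, 3))
               for v, s in cur.items() if s - base.get(v, 0.0) > max_increase]
    return sorted(flagged, key=lambda t: -t[2])


def profile_window(baseline_lines, window_lines, attrs=("country", "ua_family", "method")):
    """Parse both sets of lines and report deviations per attribute."""
    base = [r for r in map(parse_line, baseline_lines) if r]
    cur = [r for r in map(parse_line, window_lines) if r]
    return {attr: deviations(base, cur, attr) for attr in attrs}


def log_line(ip, method, ua):
    """Constructed combined-log-format line."""
    return f'{ip} - - [13/Aug/2013:10:00:00 +0000] "{method} /index.html HTTP/1.1" 200 512 "-" "{ua}"'


FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0"
# Baseline: the usual German/Austrian audience of a German-language site (constructed).
BASELINE = ([log_line(f"10.0.0.{i}", "GET", FIREFOX) for i in range(1, 16)]
            + [log_line(f"172.16.0.{i}", "GET", FIREFOX) for i in range(1, 5)]
            + [log_line("192.168.0.1", "POST", FIREFOX)])
# Window: a flood from RU hosts carrying a believable browser User-Agent (constructed).
WINDOW = ([log_line(f"203.0.113.{i}", "GET", FIREFOX) for i in range(1, 9)]
          + [log_line("10.0.0.1", "GET", FIREFOX), log_line("10.0.0.2", "POST", FIREFOX)])

if __name__ == "__main__":
    for attr, flagged in profile_window(BASELINE, WINDOW).items():
        print(attr, flagged)
```

The threshold is an absolute increase in share, which is robust to rare values that go from zero to a handful of hits; a production profiler would also weigh the absolute request rate, since a share shift on a trickle of traffic is not an attack.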
Protocol Pattern Matching

The technology behind protocol pattern matching can be as simple as old-school attack signature matching, yet highly effective. This is because many widespread DDoS tools generate traffic with idiosyncratic packet patterns that can be easily identified. For instance, HOIC [5] version 2.1 makes an "HTTP/1.0" GET request with a "Host:" header which is also strangely listed last, and before header payloads telltale double spaces can be seen.

Whereas matching can be applied to payloads just as well as headers, implementations are not as common due to the high cost associated with payload matching. A high-confidence match would require multiple matching criteria to all be satisfied. For this reason, regular expression algorithms are usually employed for efficient execution. Due to the high cost associated with matching after request reassembly, a common implementation shortcoming is the inability to match across individual packets, making it possible to evade matching by fragmenting requests into multiple packets.
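An added example (not from the paper or from HOIC itself) of the implementation shortcoming just described. looks_like_hoic approximates the traits listed above (an HTTP/1.0 GET, the Host header listed last, double spaces in the headers) and requires all three; the request heads are constructed. The same suspicious head delivered as two TCP segments yields no match when each segment is inspected on its own, and a match once a per-connection buffer has reassembled the head.

```python
"""Signature matching on an HTTP request head: per TCP segment versus after reassembly.

Added example; the HOIC traits are approximated from the paper's description, and
the request heads are constructed.
"""
import re

REQUEST_LINE = re.compile(rb"^GET \S+ HTTP/1\.0$")


def looks_like_hoic(head):
    """head: bytes of one complete request head. All three criteria must hold:
    an HTTP/1.0 GET, the Host header listed last, a double space somewhere in the headers."""
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], [h for h in lines[1:] if h]
    if not REQUEST_LINE.match(request_line):
        return False
    if not headers or not headers[-1].lower().startswith(b"host:"):
        return False
    return any(b"  " in h for h in headers)


def match_per_segment(segments):
    """Verdicts of a matcher that inspects each TCP segment on its own."""
    return [looks_like_hoic(seg) for seg in segments]


class ReassemblingMatcher:
    """Buffers bytes per connection until a full head has arrived, then matches once."""

    def __init__(self):
        self.buffers = {}

    def feed(self, conn, segment):
        """Returns None while the head is incomplete, else the verdict for that head."""
        buf = self.buffers.get(conn, b"") + segment
        end = buf.find(b"\r\n\r\n")
        if end < 0:
            self.buffers[conn] = buf
            return None
        self.buffers[conn] = buf[end + 4:]          # keep any bytes of the next request
        return looks_like_hoic(buf[:end + 4])


# Constructed request heads: one with the three traits, one ordinary HTTP/1.1 request.
SUSPECT_HEAD = (b"GET /index.php?x=1 HTTP/1.0\r\n"
                b"Accept:  text/html\r\n"
                b"User-Agent: Mozilla/5.0  (Windows NT 6.1)\r\n"
                b"Host: victim.example\r\n\r\n")
NORMAL_HEAD = (b"GET /index.php?x=1 HTTP/1.1\r\n"
               b"Host: victim.example\r\n"
               b"User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
               b"Accept: text/html\r\n\r\n")


def split_at(head, n):
    """The same head delivered as two TCP segments."""
    return [head[:n], head[n:]]


if __name__ == "__main__":
    print(looks_like_hoic(SUSPECT_HEAD), looks_like_hoic(NORMAL_HEAD))
    segs = split_at(SUSPECT_HEAD, 40)
    print(match_per_segment(segs))
    m = ReassemblingMatcher()
    print(m.feed("conn-1", segs[0]), m.feed("conn-1", segs[1]))
```

The reassembling matcher needs a cap on how much it will buffer per connection before giving up; without one, a client that never sends the terminating blank line turns the matcher into the resource-holding target of Section 3.2.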
Source Host Verification

Source host verification aims at identifying illegitimate sources (mainly spoofed addresses and zombie computers running specialized DDoS traffic generators) and blocking them. A step up from passively inspecting traffic to look for red flags, this approach actively probes the sources for verification, usually via checking for features normally only found in full-fledged browsers and TCP/IP stacks.

TCP SYN Authentication: With this method, the authenticity of the client's TCP stack is validated through testing for the correct response to exceptional conditions. Common tactics include sending back a RST packet on the first SYN, expecting the client to retry (a RST received in the SYN-SENT state aborts the attempt at the TCP level, so the retry comes from the application reconnecting), as well as deliberately sending back a SYN-ACK with a wrong sequence number, expecting the client to send back a RST and then retry. The best approach to defeating this method is to have the OS networking stack handle such tests.

HTTP Redirect Authentication: The basic idea is that a legitimate browser will honor HTTP 302 redirects. As such, by inserting artificial redirects, it would be safe to block non-compliant clients. Clearly, it is not particularly difficult to implement just enough support for HTTP redirects to fool HTTP Redirect Authentication.

HTTP Cookie Authentication: This method works like, and is usually used together with, HTTP Redirect Authentication. Essentially, the browser's cookie handling is tested. Clients that do not carry cookies in subsequent HTTP requests are clearly suspect and can be safely blocked. As with adding support for HTTP Redirect Authentication, cookie support does add complexity and reduces raw firepower in DDoS attacks.

JavaScript Authentication: With JavaScript Authentication, a piece of JavaScript code embedded in the HTML is sent to clients as a challenge. Obviously, only clients equipped with a full-fledged JavaScript engine can perform the computation. It would not be economical for DDoS attack tools to hijack or otherwise make use of a real heavyweight browser to carry out attacks. An extended implementation would make use of UI elements such as JavaScript dialog boxes, or detect mouse movements, in order to solicit human input. Going this far would impede otherwise legitimate automated queries, making this mechanism only suitable for the subset of websites designed for human use, but not for web APIs such as REST web services. Attack tools, however, can incorporate standalone JavaScript engines such as SpiderMonkey (1) or V8 (2), which are relatively lightweight and would not bog down attacks too much. As of this writing, the major challenge with this bypass method lies with adequate DOM implementations.

CAPTCHA Authentication: A very heavy-handed approach that involves human intervention, whereby CAPTCHA challenges are inserted into suspicious traffic. If the client end is successful in solving the CAPTCHA, it will be whitelisted for a certain period of time or for a certain amount of subsequent traffic, after which it will need to authenticate itself again. This method is, in itself, rather intrusive and in practice used only sparingly. While far from easy, automated means to solve CAPTCHAs do exist and are a topic of ongoing research.

(1) https://developer.mozilla.org/en-US/docs/SpiderMonkey
(2) https://code.google.com/p/v8/
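An added example of the redirect and cookie checks above, together with the time-bounded whitelist that follows a successful check; it illustrates the mechanism and is not any vendor's implementation. The cookie is an HMAC over the client address and an expiry time, so the verifier keeps no per-client state and a cookie cannot be shared between sources; the key, the cookie name and the 300-second window are assumptions. browser_flow plays the three client behaviours the text distinguishes: a client that follows the redirect and returns the cookie is forwarded to the backend, one that ignores the redirect never progresses, and one that follows the redirect without the cookie is blocked.

```python
"""Server-side HTTP redirect and cookie authentication with a time-bounded whitelist.

Added example; illustrates the mechanism, not any vendor's implementation. Key,
cookie name and validity window are assumptions.
"""
import hashlib
import hmac
import time

SECRET = b"rotate-me-per-deployment"   # assumption: a key that never leaves the verifier
COOKIE = "__ddos_auth"                  # assumed cookie name
VALIDITY_S = 300                        # assumed whitelist window after a successful check


def _mac(client_ip, expires):
    msg = f"{client_ip}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def issue_cookie(client_ip, now=None):
    """Cookie value = expiry.mac, bound to the source address."""
    expires = int(time.time() if now is None else now) + VALIDITY_S
    return f"{expires}.{_mac(client_ip, expires)}"


def verify_cookie(client_ip, value, now=None):
    """Accept only an unexpired cookie minted for this source; compare in constant time."""
    now = int(time.time() if now is None else now)
    try:
        exp_s, mac = value.split(".", 1)
        expires = int(exp_s)
    except (ValueError, AttributeError):       # missing or malformed cookie
        return False
    if expires < now:
        return False
    return hmac.compare_digest(mac, _mac(client_ip, expires))


def handle_request(client_ip, path, cookies, redirected, now=None):
    """One request's verdict as (status, response_headers); 200 means forward to the backend.
    `redirected` is True when the request carries the marker the redirect added."""
    if verify_cookie(client_ip, cookies.get(COOKIE), now):
        return 200, {}
    if redirected:
        return 403, {}          # followed the redirect but returned no valid cookie
    return 302, {
        "Location": f"{path}?_chk=1",
        "Set-Cookie": f"{COOKIE}={issue_cookie(client_ip, now)}; Path=/; HttpOnly",
    }


def browser_flow(client_ip, honours_redirect=True, returns_cookie=True, now=0):
    """Drive handle_request as a client would and return the final status."""
    status, hdrs = handle_request(client_ip, "/index.html", {}, False, now)
    if status != 302 or not honours_redirect:
        return status
    jar = {}
    if returns_cookie:
        name, value = hdrs["Set-Cookie"].split(";", 1)[0].split("=", 1)
        jar[name] = value
    status, _ = handle_request(client_ip, "/index.html", jar, True, now + 1)
    return status


if __name__ == "__main__":
    print(browser_flow("198.51.100.7"))                          # forwarded
    print(browser_flow("198.51.100.7", honours_redirect=False))  # stuck at the redirect
    print(browser_flow("198.51.100.7", returns_cookie=False))    # blocked
```

Two caveats follow from the code. Binding the cookie to the source address breaks clients whose address changes mid-session (mobile networks, some proxy pools), so deployments usually bind to a coarser key or accept a small churn rate. And, as the paper argues, the check itself is cheap to satisfy: a client that stores one header and replays it passes, after which VALIDITY_S bounds how long that source enjoys the whitelisting described in Section 3.5.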
3.4 Generally Applicable Detection Methods

Source Isolation

Source isolation mechanisms aim to figure out where DDoS attack traffic comes from and stop it at the sources. If an attacker is able to bypass attack identification (and detection in general), such as with the detection techniques discussed in this paper, no mitigation, including source isolation, will be triggered. In practice, the effectiveness of source isolation is questionable due to the extensive use of botnets. An example of a source isolation implementation is given in [11], the Source Path Isolation Engine (SPIE).

Malicious Source Intelligence

Much like source isolation, blocking decisions can also be based on attack traffic identified elsewhere (in this case, primarily through third-party filter lists), saving identification burden and reducing delays in mitigation. Trust placed in third parties must be carefully managed, however.
3.5 Generally Applicable Mitigation Methods

Blacklisting

Blacklisting is essentially a short-circuit mechanism aimed at cutting down the tedious work of having to classify individual flows, by outright dropping traffic from entire IP addresses for a certain period of time or for a certain amount of traffic volume, immediately upon identification of one attack from those sources. Blacklisting cannot be permanent, as IP addresses can be dynamically assigned and zombied computers can be repaired. Mitigation bypass should strive to avoid triggering blacklisting.

Whitelisting

In contrast to blacklisting, whitelisting preapproves traffic from entire IP addresses for a certain period of time or for a certain amount of volume upon determining that those sources are well behaved. A common exploit against whitelisting mechanisms is to have traffic sources send legitimate traffic long enough, and pass authentication if required, for those sources to trigger whitelisting, and then start DDoS attacks under the protection of being whitelisted.
3.6 Other Mitigation Solutions and Tools

Clean Pipes

So-called clean pipes work by redirecting all incoming traffic to a scrubbing center, which applies DDoS defense mechanisms including all the other mitigation techniques documented in this paper, in order to scrub the traffic clean: taking out attack traffic and leaving only clean traffic for the backend. A significant drawback of this asymmetric approach is that only traffic inbound to the backends ever gets inspected by the scrubbing center (return traffic goes directly from the backends to the clients). This limited visibility precludes stateful inspection that requires looking at traffic in both directions. For instance, clean pipes can be oblivious to TCP half-open attacks that follow SYN packets with an appropriate-looking ACK, since the scrubbing center never sees the SYN-ACK it would need to validate that ACK against, unless information about return traffic is somehow fed back from peer networks to complete the picture.

Secure CDNs

While not initially designed as a DDoS mitigation mechanism, CDNs nevertheless are sometimes (mis)used as a preemptive defense to alleviate DDoS damage. The problem with this approach is that backends typically trust the CDN unconditionally, making them susceptible to attacks spoofing traffic as coming from the CDN; the usual counter is to accept origin traffic only from the CDN's published address ranges and to require a secret header that the CDN adds on the way through. Ironically, the presence of a CDN can inadvertently worsen a DDoS attack by adding its own headers, occupying even more bandwidth.

Firewalls and IPS Systems

Traditional protection devices such as firewalls and IPS systems [8] generally have many of the mitigation techniques dealing with volumetric and semantic attacks implemented. It is against blended attacks that they fall short.
4 Performance Testing

Through extensive testing we have developed a sure-fire methodology capable of bypassing most commercial mitigation solutions. The key idea is to satisfy source host verification (authentication) so as to be cleared of further scrutiny, and then send attack traffic that stays just below the traffic threshold. A proof-of-concept tool, "Kill 'em All", developed to demonstrate the effectiveness of this approach, is shown in Figure 3.

Figure 3. Proof-of-Concept Tool "Kill 'em All"

Tests were conducted against the products:
1. Arbor Peakflow SP Threat Management System (TMS) version 5.7, and
2. NSFocus Anti-DDoS System (ADS) version 4.5.88.2.026,
as well as the secure CDN services:
3. Cloudflare Business, and
4. Akamai.

We are convinced TMS and NSFocus ADS represent a majority of the market, with the former most prevalent among Fortune 500 enterprises and the latter deployed in almost every publicly listed company in mainland China.
4.1 Testing Methodology

Tests were conducted against products and cloud services. For product testing, an attack workstation was connected to a website through the DDoS mitigation device under test. For cloud service testing, a website was placed under the protection of the service under test, and then subjected to attacks from a workstation directing attacks towards it through the internet.

In order to simulate normal short-term browsing conditions, in all tests a single TCP connection was used to carry a multitude of HTTP requests and responses. Under this rigorous arrangement not a single attack identification mechanism can be triggered, lest the entire connection get blocked.

During testing, attack traffic was sent to the backend, at which point received traffic was compared against the original generated traffic. Bypass was considered successful if all attack traffic passed through intact.
4.2 Testing Results

Attacks with bypass capability were applied against individual detection techniques as implemented on the aforementioned products and services. During the attack, the effectiveness of the attacks was evaluated and observations were recorded as shown in Table 1 below. A "✓" means the bypass was successful with no mitigation activity observed; "not implemented" marks techniques the product does not offer; "N/A" marks techniques not applicable to that product or service.

Detection Technique | Arbor Peakflow SP TMS | NSFocus ADS | Cloudflare | Akamai
Rate Measurement / Baseline Enforcement (Zombie Removal, Baseline Enforcement, Traffic Shaping, Rate Limiting) | ✓ | ✓ | N/A | N/A
Protocol Sanity & Behavior Checking (HTTP Countermeasures) | ✓ | ✓ | N/A | N/A
Proactive Resource Release (TCP Connection Reset) | ✓ | ✓ | N/A | N/A
Big Data Analysis (GeoIP Policing) | ✓ | not implemented in ADS | N/A | N/A
Malicious Source Intelligence (Black/White List, IP Address Filter List, Global Exception List, GeoIP Filter List) | ✓ | not implemented in ADS | N/A | N/A
Protocol Pattern Matching (URL/DNS Filter List, Payload Regex) | ✓ | ✓ | N/A | N/A
Source Host Verification: TCP SYN Authentication | ✓ | ✓ | N/A | N/A
Source Host Verification: HTTP Redirect Authentication | ✓ | ✓ | ✓ | N/A
Source Host Verification: HTTP Cookie Authentication | ✓ | ✓ | ✓ | N/A
Source Host Verification: JavaScript Authentication | not implemented in TMS | ✓ | ✓ | N/A
Source Host Verification: CAPTCHA Authentication | not implemented in TMS | ✓ | ✓ | N/A

Table 1. Mitigation bypass testing results.

With reference to Arbor Networks' A Guide for Peakflow SP TMS Deployment (3), against TMS we were able to defeat all documented or otherwise active detection techniques relevant to HTTP DDoS attacks, passing through the TMS unscathed.

Attacks against NSFocus ADS (4) were met with remarkable success despite the presence of heavy-handed defenses including CAPTCHA Authentication: we were able to achieve a 50% success rate solving ADS's CAPTCHA implementation with our OCR algorithms. Given the shotgun approach to the attack, and since getting whitelisted is a big win for the attacker, a 50% success rate for solving CAPTCHAs is much more impressive than it may appear at first glance.

Cloudflare essentially employs JavaScript that implements all of JavaScript, Cookie and Redirect Authentication in one. We were successful in defeating them all and pushing attack traffic to the backend. Even though Cloudflare does support CAPTCHA Authentication, we observed that its use is not particularly prevalent in the wild, and for the purpose of our PoC, since we had already demonstrated a workable solution against the CAPTCHA of ADS, we opted not to repeat this for Cloudflare.

Akamai has implemented source host verification techniques in its security solutions for a few months now, with which, according to a marketing brochure [8], visitors will be redirected to a JavaScript confirmation page when traffic is identified as potentially malicious. However, despite our best efforts sending heavy traffic to our testing site bearing random HTTP query strings (in order to thwart caching), we were unable to trigger that feature. Whereas we cannot rule out the remote possibility that our test traffic was way below the detection threshold, a much more plausible reason might be that our traffic was indistinguishable from that generated by a real browser.
5 Discussions and Next-Gen Mitigation

In this era of blended attacks, detection methods designed to pick out bad traffic are rendered fundamentally ineffective. The reason why today, to a certain extent, they still work is mainly implementation immaturity (e.g. the lack of a ready-to-use JavaScript engine with a workable DOM). Obviously these hurdles can be easily overcome given a little more time and development resources, as our research demonstrated.

A notable exception is the use of CAPTCHA. Despite the fact that we have also demonstrated defeating certain CAPTCHA implementations in use on security products, and that there have been promising results from fellow researchers [9] as well, admittedly CAPTCHA still represents the pinnacle of source host verification techniques. However, CAPTCHA is necessarily a heavy-handed approach that materially diminishes the usability and accessibility of protected websites. Specifically, automated queries and Web 2.0 mashups are made impossible. This shortcoming significantly reduces the scope of its application. It is therefore not surprising that CAPTCHA is often default-off in security service offerings.

(3) http://www.arbornetworks.com/component/docman/doc_download/301-threat-management-system-a-technical-overview?Itemid=442
(4) http://www.nsfocus.com/jp/uploadfile/Product/ADS/White%20Paper/NSFOCUS%20ADS%20White%20Paper.pdf

5.1 Next-Generation Mitigation

Seeing as the underlying issue with a majority of DDoS attacks these days is their amplification property, which tips the cost-effectiveness balance in the attackers' favor, we are convinced that a control mechanism based on asymmetric client puzzles is the solution, as it presents a general approach that attacks this imbalance directly, making it a lot more expensive to execute DDoS attacks. Prior research includes the seminal Princeton-RSA paper [10] and [11].
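The asymmetry argued above in runnable form, as an added example: a hash-preimage client puzzle in the hashcash style, which is neither the outsourced-puzzle construction of [10] nor the difficulty notions of [11]. The server spends one HMAC check and one hash to verify a solution regardless of difficulty, while the client must evaluate about 2^difficulty hashes to find one, so the cost of every request is pushed back onto the requester. The server key is an assumption; the MAC over nonce, expiry and difficulty lets the server verify solutions without storing the puzzles it issued.

```python
"""A hash-preimage client puzzle: the server verifies in constant work what costs
the client roughly 2^difficulty hash evaluations to solve.

Added example, not the construction of [10] or [11]. The server key is an assumption.
"""
import hashlib
import hmac
import os
import struct

SERVER_KEY = b"server-side-puzzle-key"   # assumption: kept only on the verifier
_BODY_LEN = 8 + 4 + 1                     # nonce || expiry (u32) || difficulty (u8)
_TAG_LEN = 16


def new_puzzle(difficulty, expires, nonce=None):
    """Puzzle = nonce || expiry || difficulty || MAC. The MAC makes the puzzle
    self-authenticating, so the server keeps no table of issued puzzles."""
    nonce = os.urandom(8) if nonce is None else nonce
    body = nonce + struct.pack("!IB", expires, difficulty)
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()[:_TAG_LEN]
    return body + tag


def _leading_zero_bits(digest):
    return 256 - int.from_bytes(digest, "big").bit_length()


def solve(puzzle, max_tries=1 << 24):
    """Client side: brute-force a counter until sha256(puzzle || counter) has at least
    `difficulty` leading zero bits. Returns (solution, hashes_spent)."""
    difficulty = puzzle[12]
    for counter in range(max_tries):
        solution = struct.pack("!Q", counter)
        if _leading_zero_bits(hashlib.sha256(puzzle + solution).digest()) >= difficulty:
            return solution, counter + 1
    raise RuntimeError("no solution within max_tries")


def verify(puzzle, solution, now):
    """Server side: one MAC comparison and one hash, whatever the difficulty."""
    if len(puzzle) != _BODY_LEN + _TAG_LEN or len(solution) != 8:
        return False
    body, tag = puzzle[:_BODY_LEN], puzzle[_BODY_LEN:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()[:_TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return False                      # forged or altered puzzle (e.g. lowered difficulty)
    expires, difficulty = struct.unpack("!IB", body[8:])
    if now > expires:
        return False                      # stale puzzles cannot be stockpiled
    return _leading_zero_bits(hashlib.sha256(puzzle + solution).digest()) >= difficulty


if __name__ == "__main__":
    puzzle = new_puzzle(difficulty=16, expires=2_000_000_000)
    solution, hashes = solve(puzzle)
    print(f"client spent {hashes} hashes; server verdict: {verify(puzzle, solution, now=0)}")
```

Raising the difficulty by one bit doubles the client's expected work and leaves the server's unchanged; a deployment would scale the difficulty with observed load so that the puzzle costs nothing noticeable when idle and bites only under attack. The trade-off the paper notes for CAPTCHA applies in a weaker form here too: automated clients can still pass, but each request now carries a real cost.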
6 Acknowledgement

This research was made possible only with data and testing resources graciously sponsored by Nexusguard Limited (5) for the advancement of the art.

(5) http://www.nexusguard.com/
References

[1] M. Prince, "The DDoS that Knocked Spamhaus Offline (And How We Mitigated it)," 20 March 2013. [Online]. Available: http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho.
[2] C. Weinschenk, "Attacks Go Low and Slow," IT Business Edge, 3 August 2007. [Online]. Available: http://www.itbusinessedge.com/cm/community/features/interviews/blog/attacks-go-low-and-slow/?cs=22594.
[3] R. Hansen, "Slowloris HTTP DoS," 7 June 2009. [Online]. Available: http://ha.ckers.org/slowloris/.
[4] Carnegie Mellon University, "CERT Advisory CA-1998-01 Smurf IP Denial-of-Service Attacks," 5 January 1998. [Online]. Available: http://www.cert.org/advisories/CA-1998-01.html.
[5] J. Breeden II, "Hackers' New Super Weapon Adds Firepower to DDOS," GCN, 24 October 2012. [Online]. Available: http://gcn.com/articles/2012/10/24/hackers-new-super-weapon-adds-firepower-to-ddos.aspx.
[6] E. Chien and P. Szor, "Blended Attacks Exploits, Vulnerabilities and Buffer-Overflow Techniques in Computer Viruses," 2003. [Online]. Available: http://www.symantec.com/avcenter/reference/blended.attacks.pdf.
[7] T. Miu, A. Lai, A. Chung and K. Wong, "DDoS Black and White "Kungfu" Revealed," in DEF CON 20, Las Vegas, 2012.
[8] Akamai, "Akamai Raises the Bar for Web Security with Enhancements to Kona Site Defender," 25 February 2013. [Online]. Available: http://www.akamai.com/html/about/press/releases/2013/press_022513.html.
[9] DC949, "Stiltwalker: Nucaptcha, Paypal, SecurImage, Slashdot, Davids Summer Communication," 26 July 2012. [Online]. Available: http://www.dc949.org/projects/stiltwalker/.
[10] B. Waters, A. Juels, J. A. Halderman and E. W. Felten, "New Client Puzzle Outsourcing Techniques for DoS Resistance," in ACM Conference on Computer and Communications Security (CCS), 2004.
[11] D. Stebila, L. Kuppusamy, J. Rangasamy and C. Boyd, "Stronger Difficulty Notions for Client Puzzles and Denial-of-Service-Resistant Protocols," in RSA Conference, 2011.
[12] R. Kenig, "How Much Can a DDoS Attack Cost Your Business," 14 May 2013. [Online]. Available: http://blog.radware.com/security/2013/05/how-much-can-a-ddos-attack-cost-your-business/.
[13] H. Aljifri, "IP Traceback: A New Denial-of-Service Deterrent," 11 June 2003. [Online]. Available: http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=1203219.
[14] C. Gong and K. Sarac, "A More Practical Approach for Single-Packet IP Traceback using Packet Logging and Marking," 29 August 2008. [Online]. Available: http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=4408575.
[15] Y. Xiang, W. Zhou and M. Guo, "Flexible Deterministic Packet Marking: An IP Traceback System to Find the Real Source of Attacks," 1 August 2008. [Online]. Available: http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=4585371.
