A Cyberwarfare Weapon: SlowReq

A Cyberwarfare Weapon: SlowReq Maurizio Aiello [email protected] Consiglio Nazionale delle Ricerche Instituto di Elettronica e di Ingegneria dell’Informazione e delle Telecomunicazioni via De Marini, 6 16149 – Genova Italy Genoa, Cpexpo meeting, Italy 30 October 2013

Page 1: A Cyberwarfare Weapon: SlowReq

A Cyberwarfare Weapon: SlowReq

Maurizio Aiello [email protected]

Consiglio Nazionale delle Ricerche Instituto di Elettronica e di Ingegneria dell’Informazione e delle Telecomunicazioni via De Marini, 6 16149 – Genova Italy

Genoa, Cpexpo meeting, Italy 30 October 2013

Page 2: A Cyberwarfare Weapon: SlowReq

Cyberwarfare

“Politically motivated hacking to conduct military operations, such as sabotage or espionage, against an information system owned by the adversary”

Governments vs. Governments

¤  Titan Rain

¤  Moonlight Maze

Groups vs. Governments

¤  Hacktivist group operations

¤  Anonymous

¤  LulzSec

Page 3: A Cyberwarfare Weapon: SlowReq

Attack Technologies

DENIAL OF SERVICE (DoS): “An attempt to make a machine or network resource unavailable to its intended users”

DISTRIBUTED DENIAL OF SERVICE (DDoS): amplification of the attack resources through the enrollment of (willing or not) botnet agents

INTRUSIONS & MALWARE: SQL injection, buffer overflow, Trojan horses, backdoors

Page 4: A Cyberwarfare Weapon: SlowReq

Denial of Service Attacks

¤ Attacks to the system: ZIP bomb, fork bomb

¤ Attacks to the network: multipliers (DNS, Smurf attack, etc.) and volumetric flooding DoS attacks

¤ Application layer: Slow DoS attacks

Page 5: A Cyberwarfare Weapon: SlowReq

“Old Style” Flooding DoS Attacks

¤ Large bandwidth usage

¤ SYN flood, UDP flood, ICMP flood, …

Flooding-based attacks: denial of service at the network/transport layer (layer 3/4), not at the application layer

Page 6: A Cyberwarfare Weapon: SlowReq

The ISO/OSI Model

Figure: the seven layers (Application, Presentation, Session, Transport, Network, Data Link, Physical). Flooding DoS attacks act on the lower layers (network/transport); Slow DoS attacks act on the application layer.

Page 7: A Cyberwarfare Weapon: SlowReq

Hacktivist Groups: Anonymous and LulzSec

Page 8: A Cyberwarfare Weapon: SlowReq

Hacktivist Groups: Anonymous and LulzSec

Figure: timeline 2008-2012 of the groups' operations: Project Chanology (2008), Iranian election protests (2009), Operation Payback (2010, including the attacks on Visa, Mastercard and PayPal), Operation Sony (2011), Interpol and Vatican (2012).

Page 9: A Cyberwarfare Weapon: SlowReq

Slow DoS Attack (SDA)

“An attack which exhausts the resources of a victim using low bandwidth”

Page 10: A Cyberwarfare Weapon: SlowReq

SDAs’ Strategy

¤ They drive the victim into a saturation state

¤ Low bandwidth rate:

¤  attack resources are minimized

¤  it is easier to bypass security systems

¤ ON-OFF nature

¤ Almost all the packets sent contribute to the success of the attack

Page 11: A Cyberwarfare Weapon: SlowReq

Slow DoS Attacks, an example: Slowloris

¤  A script written in the Perl programming language

¤  Used during the protests against the Iranian presidential elections in 2009

¤  It opens many connections and sends requests that are never completed: the empty line that terminates the headers is never sent, and every few seconds one more header line with the pattern X-a: b\r\n keeps each connection alive:

GET / HTTP/1.1\r\n
Host: www.example.com\r\n
User-Agent: Mozilla/4.0 [...]\r\n
Content-Length: 42\r\n
X-a: b\r\n
X-a: b\r\n
X-a: b\r\n
...

Source: http://ha.ckers.org/slowloris/

Page 12: A Cyberwarfare Weapon: SlowReq

Making Order in the Slow DoS Field

Figure: taxonomy of known Slow DoS attacks (Slowloris, R-U-Dead-Yet, Apache Range Header, #HashDoS, ReDoS, Quiet attack, Shrew, Induced Shrew, THC-SSL-DoS, LoRDAS), arranged by the resource exhausted (CPU/memory/disk vs. network), by the side of the exchange exploited (server timeout vs. client, request vs. response) and by attack category: delayed responses, slow requests, pending requests, resource occupation, planning and server behaviour alteration, with room left for other, still unknown attacks.

Page 13: A Cyberwarfare Weapon: SlowReq

SlowReq Attack

¤  It opens a large number of endless connections with the victim

¤  It slowly sends data to the victim, within a specific timeout, preventing a server-side connection closure

SLOWLORIS vs. SLOWREQ: both send the same incomplete request head; Slowloris then keeps the connection alive with X-a: b\r\n header lines, SlowReq with single [space] characters and no line terminator at all:

GET / HTTP/1.1\r\n
Host: www.example.com\r\n
User-Agent: Mozilla/4.0 [...]\r\n
Content-Length: 42\r\n

Slowloris: X-a: b\r\n  X-a: b\r\n  X-a: b\r\n  ...

SlowReq:   [space]  [space]  [space]  ...

Page 14: A Cyberwarfare Weapon: SlowReq

SlowReq Attack

¤ No \r\n means the server never parses anything (stealthy and difficult to prevent: a signature on header lines has nothing to match)

¤ Very limited bandwidth

¤ Limited CPU and RAM required

¤ Tunable parameters (number of connections, wait timeout, time between characters, etc.)

Page 15: A Cyberwarfare Weapon: SlowReq

Protocol Independence

¤ Attacks like Slowloris are bound to a specific protocol (HTTP in this case)

¤ SlowReq naturally affects multiple protocols: the packet payload is just a sequence of white spaces

¤  Tested against FTP, SMTP and SSH servers

¤  Bound to TCP-based protocols
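To make the difference between the two payloads concrete, here is a simulation of what a server-side request reader sees from a Slowloris client (slide 11) and from a SlowReq client (slides 13-15). It is an added example written for this page, not the authors' SlowReq tool or any server's real code: the idle timeout, the inter-packet intervals and the partial request head are assumptions, time is simulated and no sockets are opened.

```python
"""Simulation (added example, not the SlowReq tool) of a server-side request
reader fed by a Slowloris-style and a SlowReq-style client. Time is simulated:
each client is a generator of (seconds, bytes) events."""
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

Event = Tuple[float, bytes]  # (time in seconds, bytes delivered)


@dataclass
class ReaderConnection:
    """One server-side connection reading request headers line by line.
    The server drops the connection if no bytes arrive for idle_timeout s
    (assumed server policy, chosen for illustration)."""
    idle_timeout: float
    buffer: bytes = b""
    last_rx: float = 0.0
    lines: List[str] = field(default_factory=list)  # what the parser actually saw
    closed_at: Optional[float] = None
    complete: bool = False  # empty line = end of headers, request can be served

    def receive(self, now: float, data: bytes) -> None:
        if self.closed_at is not None:
            return
        if now - self.last_rx > self.idle_timeout:
            # the server gave up before this chunk arrived
            self.closed_at = self.last_rx + self.idle_timeout
            return
        self.last_rx = now
        self.buffer += data
        # Parsing only happens at a CRLF: bytes without one just accumulate.
        while b"\r\n" in self.buffer:
            line, self.buffer = self.buffer.split(b"\r\n", 1)
            if line == b"":
                self.complete = True
            else:
                self.lines.append(line.decode("ascii", "replace"))


# Constructed request head shared by both clients; the empty line that would
# end the headers is never sent, so the request is never complete.
HEAD = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n"


def slowloris(interval: float, duration: float) -> Iterator[Event]:
    """Slowloris: one more bogus header line every `interval` seconds."""
    yield 0.0, HEAD + b"Content-Length: 42\r\n"
    t = interval
    while t <= duration:
        yield t, b"X-a: b\r\n"
        t += interval


def slowreq(interval: float, duration: float) -> Iterator[Event]:
    """SlowReq: a single space every `interval` seconds, never a CRLF."""
    yield 0.0, HEAD
    t = interval
    while t <= duration:
        yield t, b" "
        t += interval


def run(events: Iterator[Event], idle_timeout: float) -> dict:
    """Feed one client's events to a fresh connection and summarise the outcome."""
    conn = ReaderConnection(idle_timeout)
    bytes_sent = 0
    for now, data in events:
        conn.receive(now, data)
        if conn.closed_at is None:
            bytes_sent += len(data)
    return {
        "open": conn.closed_at is None,        # still holding a server slot?
        "closed_at": conn.closed_at,
        "lines_parsed": len(conn.lines),
        # a line-based signature (repeated "X-a: b") fires on Slowloris only
        "signature_hits": sum(1 for l in conn.lines if l == "X-a: b"),
        "unparsed_bytes": len(conn.buffer),   # SlowReq's spaces sit here forever
        "bytes_sent": bytes_sent,
    }


if __name__ == "__main__":
    for name, client in (("slowloris", slowloris), ("slowreq", slowreq)):
        print(name, "interval 5 s, timeout 10 s:", run(client(5, 60), 10))
        print(name, "interval 15 s, timeout 10 s:", run(client(15, 60), 10))
```

With an inter-packet interval below the idle timeout both clients keep their connection open for the whole minute, but only the Slowloris connection ever produces parsed header lines for a signature to match; the SlowReq connection accumulates unparsed bytes and nothing else. Raise the interval above the timeout and both are dropped, which is the knob the "wait timeout" parameter of slide 14 is tuned against.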

Page 16: A Cyberwarfare Weapon: SlowReq

Performance Results

DoS state reached after a few seconds

Page 17: A Cyberwarfare Weapon: SlowReq

Signature Based Countermeasures

Apache Web Server modules

¤ mod_security (ModSecurity) limits the number of simultaneous connections established from the same IP address

¤ mod_reqtimeout applies temporal limits to the reception of requests (RequestReadTimeout directive), refusing requests that take too long to arrive

Page 18: A Cyberwarfare Weapon: SlowReq

Performance Results – mod-security

A non-distributed attack (all connections from one IP address) is successfully mitigated

Page 19: A Cyberwarfare Weapon: SlowReq

Performance Results – reqtimeout

Unlike Slowloris, SlowReq is not mitigated

Page 20: A Cyberwarfare Weapon: SlowReq

Statistical Based Countermeasures

Figure: timing of one request/response cycle on a connection. The four timestamps tstart_request, tend_request, tstart_response and tend_response define the intervals Δrequest (request transmission), Δdelay (between end of request and start of response), Δresponse (response transmission) and Δnext (time to the next request).

Page 21: A Cyberwarfare Weapon: SlowReq

Statistical Signature Based SDAs Detection

Page 22: A Cyberwarfare Weapon: SlowReq

Statistical Signature Based SDAs Detection

Comparison with standard traffic conditions: for a reference distribution f and the distribution g under comparison, the minimum value over all shifts y is the NCV:

$n(y) = \int_{-\infty}^{+\infty} \big(f(x) - g(x+y)\big)^2 \, dx$

$NCV = \min_{y} n(y)$

Page 23: A Cyberwarfare Weapon: SlowReq

Statistical Signature Based SDAs Detection

Real traffic distribution (Δdelay example)

Page 24: A Cyberwarfare Weapon: SlowReq

Statistical Signature Based SDAs Detection

Procedure:

¤  n representations of standard traffic

¤  m pairwise comparisons, extracting m different NCV values

¤  Retrieval of μ and σ from the NCV values

¤  Baseline: μ + 3σ

¤  Comparison of the traffic under analysis with f, the average of the standard distributions

¤  NCV value retrieval for the analyzed traffic; a value above the baseline flags the traffic as anomalous
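The procedure on slides 20-24 carried through in code, as an added worked example for this page and not the authors' released detection framework: the four timing deltas, the NCV formula and the μ + 3σ baseline are taken from the slides; the histogram grid, the sample sizes and the synthetic traffic (a normal window and a window where half the connections are SlowReq connections that never finish their request) are assumptions made so that the example runs offline.

```python
"""Added reconstruction of the statistical-signature SDA detector of slides
20-24 (my own code, not the authors' framework). The deltas, the NCV and the
mu + 3 sigma baseline follow the slides; grid, sample sizes and the synthetic
traffic are assumptions."""
import random
from itertools import combinations
from statistics import mean, pstdev

# Histogram grid (assumption): 50 bins of 20 ms over [0, 1] s. Values beyond
# the range are clipped into the last bin, which is where a request that is
# still incomplete when the observation window ends lands.
BINS, X_MAX = 50, 1.0
DX = X_MAX / BINS


def deltas(record):
    """Per-connection timing features from the four timestamps of slide 20.
    delta_next needs the following request on the same connection (None if absent)."""
    d = {
        "request": record["tend_request"] - record["tstart_request"],
        "delay": record["tstart_response"] - record["tend_request"],
        "response": record["tend_response"] - record["tstart_response"],
    }
    nxt = record.get("tstart_next_request")
    d["next"] = None if nxt is None else nxt - record["tend_response"]
    return d


def density(values):
    """Normalised histogram f(x) on the grid, so that sum(f) * DX == 1."""
    counts = [0] * BINS
    for v in values:
        counts[min(int(v / DX), BINS - 1)] += 1  # clip into the last bin
    return [c / (len(values) * DX) for c in counts]


def ncv(f, g):
    """NCV = min_y n(y) with n(y) = integral (f(x) - g(x+y))^2 dx, discretised on
    the grid; g is taken as zero outside the grid, so shifts run -(BINS-1)..BINS-1."""
    best = None
    for k in range(-(BINS - 1), BINS):
        n = 0.0
        for i in range(BINS):
            j = i + k
            gj = g[j] if 0 <= j < BINS else 0.0
            n += (f[i] - gj) ** 2 * DX
        best = n if best is None else min(best, n)
    return best


def build_baseline(standard_samples):
    """n standard-traffic samples -> m pairwise NCV values -> mu, sigma and the
    baseline mu + 3 sigma, plus the average standard density f."""
    fs = [density(s) for s in standard_samples]
    pairwise = [ncv(a, b) for a, b in combinations(fs, 2)]
    mu, sigma = mean(pairwise), pstdev(pairwise)
    f_avg = [sum(col) / len(fs) for col in zip(*fs)]
    return {"f_avg": f_avg, "mu": mu, "sigma": sigma, "threshold": mu + 3 * sigma}


def classify(baseline, sample):
    """NCV of the analysed traffic against the average standard density."""
    value = ncv(baseline["f_avg"], density(sample))
    return {"ncv": value, "threshold": baseline["threshold"],
            "anomalous": value > baseline["threshold"]}


# ---- constructed traffic (assumption: synthetic, not measured data) --------
def standard_delta_request(rng, n=500):
    """Normal clients finish sending a request quickly: exponential, mean 100 ms."""
    return [rng.expovariate(1 / 0.1) for _ in range(n)]


def slowreq_mix(rng, n=500, attack_share=0.5):
    """Window under SlowReq: a share of the connections never finish their
    request, so delta_request spans the whole 30 s window (clipped to the last bin)."""
    k = int(n * attack_share)
    return [30.0] * k + standard_delta_request(rng, n - k)


def demo(seed=1234):
    rng = random.Random(seed)
    baseline = build_baseline([standard_delta_request(rng) for _ in range(8)])
    normal = classify(baseline, standard_delta_request(rng))
    attack = classify(baseline, slowreq_mix(rng))
    return baseline, normal, attack


if __name__ == "__main__":
    b, n, a = demo()
    print(f"baseline mu={b['mu']:.3f} sigma={b['sigma']:.3f} threshold={b['threshold']:.3f}")
    print(f"normal window:  NCV={n['ncv']:.3f} anomalous={n['anomalous']}")
    print(f"SlowReq window: NCV={a['ncv']:.3f} anomalous={a['anomalous']}")
```

The minimum over shifts y makes the NCV insensitive to a uniform slowdown of the whole server (the normal distribution just moves along the axis), while a SlowReq window adds a second mode at the end of the grid that no shift can align with the single-mode standard distribution, so its NCV lands far above μ + 3σ. Δrequest is used here because it is the feature SlowReq distorts most directly; the same pipeline applies to Δdelay, Δresponse and Δnext.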

Page 25: A Cyberwarfare Weapon: SlowReq

Conclusions and Future Work

¤ Extensions of the algorithm are possible: we are releasing a framework for SDA detection

¤ Given its low resource requirements, we are working on a mobile deployment of SlowReq

¤ Deployment of a (mobile and) distributed attack

Page 26: A Cyberwarfare Weapon: SlowReq

Acknowledgements

Enrico Cambiaso

Gianluca Papaleo

Silvia Scaglione

Page 27: A Cyberwarfare Weapon: SlowReq

The End

Thanks!!