A Cyberwarfare Weapon: SlowReq
Description: by Maurizio Aiello, CNR - Istituto di Elettronica e di Ingegneria dell’Informazione e delle Telecomunicazioni, mail: [email protected]
Transcript:
A Cyberwarfare Weapon: SlowReq
Maurizio Aiello [email protected]
Consiglio Nazionale delle Ricerche, Istituto di Elettronica e di Ingegneria dell’Informazione e delle Telecomunicazioni, via De Marini 6, 16149 Genova, Italy
Cpexpo meeting, Genoa, Italy, 30 October 2013
Maurizio Aiello
Cyberwarfare
“Politically motivated hacking to conduct military operations, such as sabotage or espionage, against an informative system owned by the adversary”
Governments vs. Governments
Groups vs. Governments
¤ Titan Rain
¤ Moonlight Maze
¤ Hacktivist Group Operations
¤ Anonymous
¤ LulzSec
Attack Technologies
DENIAL OF SERVICE (DoS): “An attempt to make a machine or network resource unavailable to its intended users”
DISTRIBUTED DENIAL OF SERVICE (DDoS): amplification of the attack resources through the enrollment of (willing or not) botnet agents
INTRUSIONS & MALWARE: SQL INJECTION, BUFFER OVERFLOW, TROJAN HORSES, BACKDOOR
Denial of Service Attacks
¤ Attacks to the system
  ¤ ZIP Bomb
  ¤ Fork Bomb
¤ Attacks to the network
  ¤ Multipliers: DNS, Smurf attack, etc.
  ¤ Volumetric: flooding DoS attacks
  ¤ Application Layer: Slow DoS Attacks
“Old Style” Flooding DoS Attacks
¤ Large bandwidth usage
  ¤ SYN flood, UDP flood, ICMP flood, …
[Figure: flooding-based attacks, LEVEL-4 Denial of Service]
The ISO/OSI Model
[Figure: the seven ISO/OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical), with Flooding DoS Attacks and Slow DoS Attacks placed on the stack]
Hacktivist Groups: Anonymous and LulzSec
[Figure: timeline from 2008 to 2012 of Anonymous and LulzSec operations: Project Chanology, Iranian election protests, Operation Payback (Visa, Mastercard, Paypal), Operation Sony, Interpol, Vatican]
Slow DoS Attack (SDA)
“An attack which exhausts the resources of a victim using low bandwidth”
SDAs’ Strategy
¤ They move the victim to the saturation state
¤ Low bandwidth rate:
  ¤ Attack resources are minimized
  ¤ It’s easier to bypass security systems
¤ ON-OFF nature
¤ Almost all the packets contribute to the success of the attack
Slow DoS Attacks, An Example: Slowloris
¤ A script written in the Perl programming language
¤ Used during the protests against the Iranian presidential elections in 2009
¤ It sends a lot of endless requests (the request head is never terminated) with the pattern:
  GET / HTTP/1.1\r\n
  Host: www.example.com\r\n
  User-Agent: Mozilla/4.0 [...]\r\n
  Content-Length: 42\r\n
  X-a: b\r\n
  X-a: b\r\n
  X-a: b\r\n
  ...
Source: http://ha.ckers.org/slowloris/
Making Order Into the Slow DoS Field
[Figure: taxonomy of Slow DoS Attacks. Attacks placed on the diagram: Slowloris, R-U-Dead-Yet, Apache Range Header, #HashDoS, ReDoS, Quiet Attack, Shrew, Induced Shrew, THC-SSL-DoS, LoRDAS, plus Other Unknown Attacks. Labels on the diagram: CPU/Memory/Disk, Network, Server, Timeout, Client, Request, Response. Categories: Delayed Responses, Slow Requests, Pending Requests, Resources Occupation, Planning, Server Behavior Alteration]
SlowReq Attack
¤ It opens a large amount of endless connections with the victim
¤ It slowly sends data to the victim, with a specific timeout between sends, preventing a server-side connection closure
SLOWLORIS vs. SLOWREQ: the figure shows the same request head followed by each tool’s endless tail; Slowloris keeps appending header lines, SlowReq keeps appending single spaces
  GET / HTTP/1.1\r\n
  Host: www.example.com\r\n
  User-Agent: Mozilla/4.0 [...]\r\n
  Content-Length: 42\r\n
  Slowloris: X-a: b\r\n X-a: b\r\n X-a: b\r\n ...
  SlowReq: [space] [space] [space] ...
SlowReq Attack
¤ No \r\n implies no parsing (stealthy and difficult to prevent)
¤ Very limited bandwidth
¤ Limited CPU and RAM requirements
¤ Tunable parameters (number of connections, wait timeout, time between characters, etc.)
Protocol Independence
¤ Attacks like Slowloris are bound to a specific protocol (HTTP in this case)
¤ SlowReq is able to naturally affect multiple protocols
  ¤ Packet payload is a sequence of white spaces
  ¤ Tested against FTP, SMTP, SSH servers
  ¤ Bound to TCP-based protocols
Performance Results
DoS state reached after a few seconds
Signature Based Countermeasures
Apache Web Server software modules
¤ The mod_security module limits the number of simultaneous connections established from the same IP address
¤ The mod_reqtimeout module applies time limits to the reception of requests, rejecting requests that take too long to arrive
Performance Results – mod-security
A non-distributed attack is successfully mitigated
Performance Results – reqtimeout
Unlike Slowloris, SlowReq is not mitigated
Statistical Based Countermeasures
[Figure: request/response timeline with the timestamps t_start_request, t_end_request, t_start_response, t_end_response and the intervals Δrequest, Δdelay, Δresponse, Δnext measured between them]
Statistical Signature Based SDAs Detection
Comparison with standard traffic conditions
MINIMUM VALUE (NCV)
$n(y) = \int_{-\infty}^{+\infty} \big( f(x) - g(x+y) \big)^2 \, dx$
$NCV = \min_{y} n(y)$
Statistical Signature Based SDAs Detection
[Figure: real traffic distribution (Δdelay example)]
Statistical Signature Based SDAs Detection
Protocol:
¤ n representations (distributions) of standard traffic
¤ m comparisons between them, extracting m different NCV values
¤ Retrieval of the μ and σ values of the NCV set
¤ Baseline: μ + 3σ
¤ Comparison of the anomalous traffic with f, the average of the standard distributions
¤ NCV value retrieval for the analyzed traffic and result (anomalous if above the baseline)
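The Δ metrics and the NCV protocol above, as an added Python example (not the speaker's code and not the released framework): it computes Δdelay from constructed flow timestamps, builds the n standard histograms, the m pairwise NCV values, their μ and σ and the μ + 3σ baseline, then scores a held-out normal sample and a constructed slow-DoS sample against the average standard distribution. The interval definition (Δdelay = t_start_response − t_end_request), the bin width, the shift range tried for min n(y) and all sample data are assumptions.

```python
import statistics
from itertools import combinations
from random import Random

# Constructed example: flow records are (t_start_request, t_end_request,
# t_start_response, t_end_response). The Δdelay definition, bin width,
# shift range and all sample data below are assumptions, not the speaker's.

BINS = 40              # histogram bins for Δdelay over [0, MAX_DELAY) seconds
MAX_DELAY = 20.0       # values at or above MAX_DELAY fall into the last bin
SHIFTS = range(-5, 6)  # shifts y (in bins) tried when minimizing n(y)


def delta_delay(flow):
    """Assumed definition: time between the end of the request and the start of the response."""
    _t_start_request, t_end_request, t_start_response, _t_end_response = flow
    return t_start_response - t_end_request


def histogram(values):
    """Normalized histogram: a discrete density f(x) indexed by bin."""
    width = MAX_DELAY / BINS
    counts = [0] * BINS
    for v in values:
        counts[min(int(v / width), BINS - 1)] += 1
    return [c / len(values) for c in counts]


def n_shift(f, g, y):
    """Discrete form of n(y) = integral of (f(x) - g(x + y))^2 dx; g is 0 outside its bins."""
    return sum((f[x] - (g[x + y] if 0 <= x + y < BINS else 0.0)) ** 2
               for x in range(BINS))


def ncv(f, g):
    """NCV = min over y of n(y): the comparison tolerates a small shift of the distribution."""
    return min(n_shift(f, g, y) for y in SHIFTS)


def build_baseline(standard_samples):
    """Steps 1-4: n standard histograms, m pairwise NCV values, their μ and σ, baseline μ + 3σ."""
    hists = [histogram(s) for s in standard_samples]
    ncvs = [ncv(a, b) for a, b in combinations(hists, 2)]  # m = n(n-1)/2 comparisons
    mu, sigma = statistics.mean(ncvs), statistics.pstdev(ncvs)
    reference = [sum(col) / len(hists) for col in zip(*hists)]  # f: average standard distribution
    return {"reference": reference, "mu": mu, "sigma": sigma, "threshold": mu + 3 * sigma}


def classify(baseline, sample):
    """Steps 5-6: NCV of the analyzed traffic against f; flagged when above the baseline."""
    value = ncv(baseline["reference"], histogram(sample))
    return value, value > baseline["threshold"]


def constructed_flows(rng, count, slow):
    """Constructed records. Normal: responses start about 0.2 s after the request ends.
    Slow DoS conditions: requests stay pending and responses start only near a 10-20 s server timeout."""
    flows, t = [], 0.0
    for _ in range(count):
        t_end_request = t + rng.uniform(0.01, 0.05)
        wait = rng.uniform(10.0, 19.9) if slow else rng.expovariate(1 / 0.2)
        t_start_response = t_end_request + wait
        t_end_response = t_start_response + rng.uniform(0.01, 0.1)
        flows.append((t, t_end_request, t_start_response, t_end_response))
        t = t_end_response + rng.uniform(0.0, 0.5)  # next request starts after this response
    return flows


def run_demo(seed=1, n=10, per_sample=2000):
    """Learn the baseline from n normal samples, then score one held-out normal and one slow sample."""
    rng = Random(seed)

    def sample(slow):
        return [delta_delay(f) for f in constructed_flows(rng, per_sample, slow)]

    baseline = build_baseline([sample(False) for _ in range(n)])
    normal_value, normal_flag = classify(baseline, sample(False))
    attack_value, attack_flag = classify(baseline, sample(True))
    return {"threshold": baseline["threshold"],
            "normal": (normal_value, normal_flag),
            "attack": (attack_value, attack_flag)}


if __name__ == "__main__":
    print(run_demo())
```

The minimum over shifts is what makes NCV a comparison of shape rather than position: two histograms that differ only by a translation of a few bins score close to zero, while a traffic sample whose Δdelay mass has moved from a fraction of a second to the server timeout region scores near the sum of the squared densities, far above the μ + 3σ baseline learned from standard traffic alone.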
Conclusions and Future Work
¤ Extensions of the algorithm are possible: we are releasing a framework for SDA detection
¤ Due to its limited resource requirements, we are working on a mobile deployment of SlowReq
¤ Deployment of a (mobile and) distributed attack
Acknowledgements
Enrico Cambiaso
Gianluca Papaleo
Silvia Scaglione
The End
Thanks!!