Three Generations of DoS Attacks

Video thumbnail (Frame 0) Video thumbnail (Frame 1600) Video thumbnail (Frame 3115) Video thumbnail (Frame 4226) Video thumbnail (Frame 5304) Video thumbnail (Frame 6408) Video thumbnail (Frame 7548) Video thumbnail (Frame 8839) Video thumbnail (Frame 9885) Video thumbnail (Frame 11297) Video thumbnail (Frame 12443) Video thumbnail (Frame 13681) Video thumbnail (Frame 14620) Video thumbnail (Frame 16228) Video thumbnail (Frame 17451) Video thumbnail (Frame 18526) Video thumbnail (Frame 20457) Video thumbnail (Frame 23100) Video thumbnail (Frame 24104) Video thumbnail (Frame 25221) Video thumbnail (Frame 26237) Video thumbnail (Frame 27346) Video thumbnail (Frame 28329) Video thumbnail (Frame 29268) Video thumbnail (Frame 30479) Video thumbnail (Frame 31614) Video thumbnail (Frame 32741) Video thumbnail (Frame 33677) Video thumbnail (Frame 34897) Video thumbnail (Frame 36145) Video thumbnail (Frame 38711) Video thumbnail (Frame 40553) Video thumbnail (Frame 41542) Video thumbnail (Frame 42529) Video thumbnail (Frame 43774) Video thumbnail (Frame 44907) Video thumbnail (Frame 46093) Video thumbnail (Frame 48023) Video thumbnail (Frame 49428) Video thumbnail (Frame 51579) Video thumbnail (Frame 52715) Video thumbnail (Frame 53704) Video thumbnail (Frame 55401) Video thumbnail (Frame 57349) Video thumbnail (Frame 62361) Video thumbnail (Frame 63836) Video thumbnail (Frame 65094) Video thumbnail (Frame 66208) Video thumbnail (Frame 67831) Video thumbnail (Frame 69355)
Video in TIB AV-Portal: Three Generations of DoS Attacks

Formal Metadata

Three Generations of DoS Attacks
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Denial-of-service (DoS) attacks are very common. They are used for extortion, political protest, revenge, or just LULz. Most of them use old, inefficient methods like UDP Floods, which require thousands of attackers to bring down a Web server. The newer Layer 7 attacks like Slowloris and Rudy are more powerful, and can stop a Web server from a single attacker with incomplete Http requests. The newest and most powerful attack uses IPv6 multicasts, and can bring down all the Windows machines on an entire network from a single attacker. I will explain and demonstrate these tools: Low Orbit Ion Cannon, OWASP Http DoS Tool, and flood router6 from the thc-ipv6 attack suite. This deadly IPv6 Router Advertisement Flood attack is a zero-day attack--Microsoft has known about it since June 2010 but has not patched it yet (as of May 4, 2011). Audience Participation: Bring a device to test for vulnerability to the Router Advertisement Flood! Some cell phones and game consoles have been reported to be vulnerable--let's find out! If your device crashes, please come to the Q&A room so we can video-record it and arrange disclosure to the vendor. Sam Bowne has been teaching computer networking and security classes at CCSF since 2000. He has given talks at DEFCON, Toorcon and BayThreat, and taught classes and seminars at many other schools and teaching conferences. Sam has a B.S. in Physics from Edinboro University of Pennsylvania and a Ph.D. in Physics from University of Illinois, Urbana-Champaign. His Industry Certifications are: Associate of (ISC)^2, Certified Ethical Hacker, Microsoft: MCP, MCDST, MCTS: Vista; Network+, Security+, Hurricane Electric IPv6 Guru, CCENT.
Execution unit Empennage Drag (physics) Cellular automaton Prisoner's dilemma Virtual machine Online help Bit Denial-of-service attack Arm Crash (computing) Software Software testing Drum memory Information security
User profile Presentation of a group Server (computing) Software PRINCE2 Letterpress printing Coma Berenices Twitter Vulnerability (computing)
Image warping Server (computing) Link (knot theory) Link (knot theory) Multiplication sign Virtual machine Denial-of-service attack Computer network Denial-of-service attack Revision control Software Data acquisition Computer network Website Router (computing) Local ring Information security Local ring Window
Advanced Encryption Standard Information management Key (cryptography) Computer file Military operation Denial-of-service attack Encryption Computer-assisted translation Orbit Leak Local Group
Multiplication sign Raw image format Group action Trail Maxima and minima Twitter Twitter Number Facebook Cross-correlation Facebook Computer cluster Order (biology) Information security
Injektivität Point (geometry) Email Execution unit Email Dependent and independent variables Server (computing) Social software Sequel Firewall (computing) Real number Exploit (computer security) Canonical ensemble Social engineering (security) Orbit Local Group Web 2.0 Password Convex hull Website Force
Frequency Blog Military operation Planning Website Login Bounded variation Information security Twitter Power (physics)
Wiki Game controller Variety (linguistics) Denial-of-service attack Game theory Mereology
Point (geometry) Hamiltonian (quantum mechanics) Cellular automaton Content (media) Database Student's t-test Line (geometry) Login Local Group Hash function Single-precision floating-point format Password Website Game theory Website Game theory Window
Dataflow Wechselseitige Information System call Dataflow Euler angles Electronic Government Uniformer Raum Radical (chemistry) Hacker (term) Hacker (term) Simulation Chi-squared distribution Capability Maturity Model
Band matrix Server (computing) Operator (mathematics) Denial-of-service attack Perturbation theory Denial-of-service attack Information security Twitter
Web page Wechselseitige Information Server (computing) Clique-width Tesselation Virtual machine Canonical ensemble Web browser Orbit Orbit Number Software Internetworking Military operation Band matrix Commodore VIC-20 Website Quicksort Website
Web page Server (computing) Information Server (computing) 1 (number) Line (geometry) Complete metric space Mereology Flow separation Revision control Web 2.0 Software Band matrix FAQ
Boss Corporation Graphical user interface Server (computing) Scripting language Server (computing) Web page Mereology Line (geometry) Bounded variation Disk read-and-write head Sanitary sewer 2 (number)
Server (computing) Game controller Link (knot theory) Ferry Corsten Firewall (computing) Source code Virtual machine Canonical ensemble Rule of inference Dressing (medical) Revision control Direct numerical simulation Different (Kate Ryan album) Operating system Software testing Series (mathematics) Local ring Address space Domain name Default (computer science) Email Link (knot theory) Cellular automaton Prisoner's dilemma Orbit Software Data acquisition Local ring Window Router (computing)
Point (geometry) Server (computing) Multiplication sign Virtual machine Client (computing) Computer network Local area network IP address Revision control Broadcasting (networking) Dynamic Host Configuration Protocol Process (computing) Software Natural number Different (Kate Ryan album) Computer network Process (computing) Game theory Router (computing) Booting Address space Router (computing) Address space
Web page Server (computing) View (database) Virtual machine Maxima and minima Student's t-test Backtracking Web 2.0 Root Virtual reality Software Computer network output Computer-assisted translation Window Social class
Web page Execution unit Server (computing) Online help View (database) Server (computing) View (database) Lemma (mathematics) Limit (category theory) Bookmark (World Wide Web) Connected space Whiteboard Revision control Direct numerical simulation Convex hull Right angle Drum memory Summierbarkeit Maß <Mathematik>
Execution unit Random number Online help Keyboard shortcut Virtual machine Login Menu (computing) Canonical ensemble IP address Hand fan Connected space Root Direct numerical simulation Right angle Summierbarkeit Window Directed graph Window
Web page Mathematics Root Link (knot theory) Touchscreen Online help View (database) Virtual machine ACID Neuroinformatik Condition number
Mathematics Data model File format Quicksort Number
Addition Touchscreen Prisoner's dilemma Computer file Canonical ensemble Virtual machine Orbit Number Window
Web page Polygon mesh Server (computing) Dataflow Multiplication sign File format Virtual machine Menu (computing) Complex number Thomas Kuhn Connected space 2 (number) Web 2.0 Root Whiteboard Direct numerical simulation
Revision control NP-hard Electronic meeting system Direct numerical simulation Control flow Login Window Address space Repeating decimal Modem
Web page Default (computer science) Polygon mesh Server (computing) View (database) Online help Multiplication sign Line (geometry) Connected space 2 (number) Backtracking Virtual reality Whiteboard Personal digital assistant Network topology Direct numerical simulation Normal (geometry) Maize
Wechselseitige Information Execution unit Online help Computer file Virtual machine Login Port scanner Revision control Data management Virtual reality Whiteboard Configuration space Maize Window Address space Task (computing)
Revision control Data management Root Befehlsprozessor Software Virtual machine Router (computing) Window Task (computing)
Root Bit rate Multiplication sign Computer network Projective plane Normal (geometry) Denial-of-service attack Student's t-test Router (computing) Event horizon Address space 2 (number)
Domain name Ocean current Web page Area Asynchronous Transfer Mode Game controller Email Server (computing) Dependent and independent variables Projective plane Virtual machine Electronic mailing list Bit Student's t-test Drop (liquid) Twitter Power (physics) Revision control Goodness of fit Computer network Information security Window Address space
Wechselseitige Information Multiplication sign Virtual machine 1 (number) Revision control Frequency Software Computer network Configuration space Atomic nucleus Hydraulic jump Fingerprint Window Chi-squared distribution
Software Password Demo (music) Computer network Electronic mailing list Password Window Chi-squared distribution
Computer icon Execution unit Key (cryptography) Multiplication sign Demo (music) Password Denial-of-service attack Voltmeter Predictability Connected space Moment of inertia Data mining Fingerprint
Web page Denial-of-service attack Quicksort Demoscene Information security Twitter
Web page Server (computing) Denial-of-service attack Website Denial-of-service attack Volume Information security Twitter
Message passing Server (computing) Personal digital assistant Different (Kate Ryan album) Website Information security Twitter
Dataflow Information Sound effect Information privacy Demoscene Sic Software Computer crime Point cloud Right angle Statement (computer science) Quicksort Information security Proxy server Physical system Reverse engineering
Web page Email Computer file Transport Layer Security View (database) Bit IP address 2 (number) String (computer science) Website Configuration space Right angle Maize Information security
Web page Noise (electronics) Slide rule 1 (number) Control flow Denial-of-service attack Coma Berenices Event horizon 2 (number) Website Quicksort Information security Information security
Point (geometry) Randomization Server (computing) Multiplication sign Denial-of-service attack Denial-of-service attack Limit (category theory) IP address Front and back ends Web 2.0 Revision control Frequency Googol Website Quicksort Information security Address space Asynchronous Transfer Mode Physical system
Cybersex Web 2.0 Server (computing) Frequency Software Hacker (term) Denial-of-service attack IP address Twitter
Web crawler Sine Hoax Multiplication sign Range (statistics) Virtual machine Reflection (mathematics) Online help Client (computing) Distance IP address Rule of inference Power (physics) Frequency Casting (performing arts) Different (Kate Ryan album) Natural number Band matrix Googol Router (computing) Information security Physical system Area Pairwise comparison Email Surface Interface (computing) Denial-of-service attack Band matrix Googol Software Order (biology) Interface (computing) Data center Quicksort Router (computing)
Noise (electronics) Software Server (computing) Real number Network topology Pattern language Drop (liquid) Office suite Quicksort Information security Sanitary sewer
Link (knot theory) Information Computer Website Information security
Presentation of a group Message passing View (database) Demo (music) File format Password Convex hull Hecke operator Game theory Permian Twitter
Email Group action Server (computing) Firewall (computing) Direction (geometry) Multiplication sign Firewall (computing) Source code Virtual machine Denial-of-service attack IP address Subset Revision control Goodness of fit Computer network Right angle Information Block (periodic table) Extension (kinesiology) Router (computing) Address space Window Router (computing) Vulnerability (computing)
Email Source code Server (computing) Scripting language Multiplication sign Java applet Computer network IP address Connected space Revision control Cache (computing) Software Case modding Computer network Revision control Direct numerical simulation Website Convex hull Software testing Information security Website Information security Metropolitan area network Condition number
Server (computing) Game controller Freeware Proxy server Structural load Multiplication sign Virtual machine Student's t-test Canonical ensemble Direct numerical simulation Logic Queue (abstract data type) Software testing Information security Address space Vulnerability (computing) Server (computing) Computer network Denial-of-service attack Control flow Orbit Shooting method Software Point cloud Website Lastteilung
so I'm Sam bound and i'm here to talk to you about Doss attacks and I've got some help in doing that it's very good so um
I'm going to talk a little bit about the
hacktivists have used dos attacks because I find them interesting and they have dramatized how much damage you can do with the various kinds of dos attacks at the peril of going to prison themselves for it which is a drag but anyway it helps the rest of us cell security appliances and it helps me entertain students and keep them interested in learning how these attacks and defenses work so I'm you will be participating as victims now how many people brought a device to get killed one two three yeah not very many for me over there okay it's got it what I thought okay because Ryan who's setting up a wireless network says he probably can't connect more than 40 or 50 before the crash and I didn't think there'd be that many volunteers to get their device killed however I was trying to speak her room and I believe this attack could be used to kill every machine at DEFCON from here I was going to demonstrate a version of that the not so lethal on stage but it wouldn't connect at all in the prep room so I decided to skip that
for the moment but if any of you were unscrupulous you could try it anyway we'll talk about that later so that's me i'm on twitter i teach at City College San Francisco and I've got two guests with me I've got Matthew prints here
who's going to talk about his inside dealings with all-sec which I was very pleased to have in fact I met him because both of us were deplored as immoral evil people helping lowsec because i retweeted some ole sect weeks the pointed to stolen data which i thought was important and he ran a service which they used to protect themselves from attacks and so they be interesting to hear about that and Ryan here no way over there he's going to set up the network and kill people who wish to volunteer to be dosed with this attack because we could learn some new vulnerabilities here now they're not zero days because this the attack i'm using here I didn't write it and it's not new it's been known for a year it's just an awful lot of people at manufacture devices don't care and have not patched it so if anybody has any exotic devices it would be interesting to see if they're vulnerable anyway
here's the summary of what I want to show you the DA circus is about the history of this stuff and the attackers that have been using it and then I'll talk about the freak on das layer for das where you use thousands of attacker to bring out one machine usually distributed denial of service layer seven disrobe one attacker can bring down one server or more and the link local ipv6 router advertisement attack I talked to you last year about IP version 6 and I said it was going to bring a lot of security problems and so it has it's given us a time warp when a bunch of things designed in 1993 are now back on our networks so the old tricks work again and this is not really an old trick but it's devastating and I'll show it to you you can kill all the windows machines on a network from one attacker and again you only need a few packets
per second to do it so Julian Assange
has stirred everybody up by leaking us secrets and he published this mysterious encrypted file as his insurance and if any he ever gets irritated enough at the fact that he's being held in house arrests and perhaps going to be deported and stuff he can release the secret key and reveal something terrible not yet specified but so this stirred up these
anonymous people that had gotten tired of just posting pictures of cats on 4chan and decided to save the world through denial of service which makes a lot of sense to them well not to me so
they started attacking if anybody they could all agree to hate they would blow them away so it started with Scientology because it's pretty easy to hate the Scientologists and then it went on to
other people and eventually HP Gary federal this guy couldn't he was supposed to be here but he was issued a court order about three days ago forcing him to not speak at the panel and tell what really happened for the inside story here but anyway in order to publicize his new government security contracting company aaron barr said that he could find the people running low sec and exposed them by doing a correlation of social networking so is what it appeared in twitter he would correlate with what appeared in facebook and elsewhere and so they decided to take him down and it was extremely easy they
got a team of anonymous members now anonymous was a low tech group usually using really primitive tools but a small number of them got together who were relatively skilled compared to the others and they decided to take these
guys down they found a sequel injection and took over the email server and then they sent emails pretending to come from the owner of the company asking him to please change the password change the username and off the firewall thanks that's working now and once they were in they took all their emails and dumped him on the web because the whole thing about these guys later became well sec the whole point about them was completely responsibility the fun thing is to take everything every sane person ever told you not to do and just do it and then you laugh haha so what would happen if I just dumped your whole email log out everything personal hurting who knows how many innocent people that just had something to say about their medical conditions that would be a lot of fun so that's what they did and they found a lot of real dirt in there it looked like the they were planning to do a lot of really nasty things from HP Gary and so
then anonymous decided to attack the Chamber of Commerce having found out that they were involved in this weather dubal exploit again showing more intelligence technically than they anonymous had which mostly just use that low orbit ion cannon which is pretty primitive so the gesture gets in here is
a demonstration of the power of a layer 7 attack although no one knows exactly what he does his Puli secret and I'm guessing what it does but from people who have been attacked and kept logs of his packets they've told me that I am correct that what he's doing is essentially using a slow loris attack with some variations his plan here is to be right wing essentially we're anonymous and Louis occur left wing he is pro-military he comes from a military and he tries to punch back at anybody in he regards as endangering soldiers like Julian Assange ax and Islamic jihadist recruiting websites and he brings him down with his tool and then tweets about
it he's prominent on social networking you can go chat with him i chat with him but he doesn't have any partners on my clothes sakky York's alone and therefore he hasn't been caught yet he understands military operational security nobody can retrain something that low sec forgot anyway so he brought down WikiLeaks
single-handedly and fell it down for more than a day and to prove it i was chatting with him in IRC and he said okay i'm going to turn off the attack and let it come back up and it came back up he said now i'm taking it down again and he went down again so I convinced me that he was really in control of the attack and here's the neck crafts map of
WikiLeaks going down for more than a day thanks to the gesture so that was his
game then he decided to fight with anonymous because anonymous didn't like him taking on wiki and he's been focusing on them for about last year anonymous and low sec blasting
each other part with a variety of tricks but among them um denial of service and then the gesture got mad at westborough
baptist now these guys are also pretty easy to hate I mean they have some ridiculous hatred of homosexuals and then they also picket funerals and they basically their profit method seems to be to be annoying until someone finally punches him in the face and then sue but the gesture decided to take him down so we took down for websites with his tool which he had poured it to a cell phone and from a single 3g cell phone he says he held down for websites for two months straight and I don't doubt that because I know I could do it and any of my students could do it and any you can do it if you just pay attention to this talk it's not hard the slow loris attack runs on Windows it's not hard to do at all and that's how it goes now lolz SEC
continued on a rampage hacking everybody in sight at one point they just opened up a telephone line and you could call in and hack anybody you wanted they hacked US government military NATO British government sites they dumped the contents of the booz allen hamilton database when they dumped out the arizona cops is when i got really mad because that was real important and dumped out their names and password hashes and the logins really emails and when they dumped out the booz allen hamilton password hashes that struck me is outrageous how do you 50,000 password hashes half of them are cracked by the next day so all the top military their names and passwords are now out there where anybody can use them I didn't think much of that however they also took down some games websites which seemed which I didn't even notice but it seemed to me what really caused trouble for them um and they put up a website to
announce all the stuff they took down and all their stolen data and then
hacked PBS and put up a silly thing and I was pretty irritated by that too I said why would you hack PBS come on guys and anyway now they've been caught
largely i'm ryan cleary was one guy kind of on the periphery of all sex they caught him in june and certainly after
that they caught chi flow who was much more important to low sec and just a
couple days ago they caught topiary so they really are just British teenagers very mad stop hard left their house and their attitude of just taking down everything just for fun is um a you know it comes from just childish immaturity you might wonder what makes them do this they are just young and foolish is why they think they can just take down every government website and just for fun anyway by the
way they're supposed to be both here they're both on Twitter claiming to be here they said they were at the pool yesterday the gesture said he was here in Cebu said he was here I kind of doubt it but maybe they are who knows subbu is the main lowsec person still at large and widely assumed to be on the way down because his friends have already been arrested and this is what always happens after they get the first one they will betray all the rest because they don't have much in the way of operational security anyway the technical part of
this is you have a layer for ddos is the simplest kind of attack and this is what was used to take down mastercard and visa they couldn't take down amazon this way anonymous tried this this is a
protest which involves many people so the reason it does is the tool they use is the low orbit ion cannon which is
just a network stressed Chester and it doesn't do much harm so it takes a lot of people to bring down a website this
way but with the participation of 3,000
or perhaps 30,000 attackers the number is not entirely clear they were able to hold down MasterCard for more than a day and many other sites and this is the
kind of attack that kaspersky was talking about when they I interviewed him a while ago and asked him how many infected machines would it take to bring South Africa off the internet completely or so i'm not sure south africa some nation and he said it would take hundreds of thousands of infected machines to do that and I know that's false I know it would take 1 3g cell phone however he's not thinking that kind of attack he's thinking of the lair for attacks where it takes thousands of machines to take down one target and it's really nothing more than just pressing f5 in your browser at 5i five at five if enough people do that you get sliced out affect the page goes down it is an allow service of a sort it's just a very weak primitive one the more
powerful ones one like the slow loris attack that arsenic came up with a couple years ago and there were many brow previous versions are the same thing here you do something smarter
instead of sending a complete request to the web server and just sending a lot of complete requests to the web server so it has to work too hard to serve them all up you send it something that will jam up the web server HTTP GET request to get a page
from a server looks like this you have the layer to information layer 3 information and down here you've got the guess which is several lines of information and if you just send part of the get and you never send the rest of it then the network assumes that you're on some kind of unreliable network and the packets have been fragmented and so I've got the first half of it and the other half is still coming so it waits for the other half and that ties up incoming lines and it's extremely powerful and I'll show it to you here in
a couple minutes that's the slow loris will freeze all available incoming lines and all you need is about one packet per second and it stops an apache server dead are you dead yet is another similar
one but it uses posts and it affects i is i is is not affected by the slow loris attack with incomplete get requests but it is affected by incomplete post requests there are other
variations of it now there's one using keep alive boss that works and tried
that and it's somewhat effective is not as powerful as the slow loris attack but it's another way to send requests that
make the server do a lot of work the gestures tool presumably uses one of these principles it's calls it jerk sees it is a graphical interface looks like
it runs on a bunch of Linux to me but who knows and then it has its attacker one important thing about the layer seven attacks is you can run them through an anonymizer so you don't go to prison the low orbit ion cannon does not enjoy this feature because it has to send a lot of traffic from you to the other end if you try to run it through the Tor network it'll just choke off your attack and it'll just bring down the Tor network because it's like a flame thrower it burns everything between you and the target of that the cell your seven attacks are like a guided missile it just send a few packets that you no harm to anything when they get to the server blam the server becomes unavailable so you can run it through an anonymizer which is what he does which means that not only can they not find out where it's coming from but they also can't protect from it by any kind of simple firewall rules that search by source address because all the packets come from different sources dresses although if you block all tor exit nodes which you should all do that will stop them from using tor and they'd have to use something else like a botnet of compromised machines to do it and that would make it a little harder but anyway his tool starts runs this thing through an anonymous a shin network and then brings down the target and it's independently as a series of tests to the target and when the target goes down then it sends out one of those tweets10 go down anyway that's where we are up to maybe two years ago these things are running the link local das is
much newer with IP version 6 you're using IP version 6 if you have any version of any modern operating system any modern version of Linux any Windows Vista or Windows 7 or I or windows XP if you turn on IP version 6 although it's not on by default and your server is your domain controller is your DNS servers your email servers are all using IP version 6 whether you like it or not unless you have gone out of your way to turn it off and like any other unwanted service if you're not using it it's opening you to tie tacks so an IP
version 4 whenever she enjoys the network unless you're weird enough to be using static IP addresses which most people aren't your machine boots up and it asks the router the DHCP server I need an IP it says okay use this IP then there's another back and forth to make sure nobody else is using that IP and it's the end of the game there will be no further DHCP traffic until restart that machine or until a long time passes like four days that's a pull process I need an IP I asked for an IP but IP version 6 is not normally done in that fashion ipv6 is generally addresses are distributed by router advertisement so the Browder pushes out a router advertisement and says i am the router everybody stop what you're doing and join my network now everybody has to stop make up an address and join the network it's a broadcast packet although the purists will tell me there is no broadcast in IP version 6 but there is something called multicast to all nodes so the difference the difference between these things is theological in nature and I don't need to tend to go into it but the point is the router sends out one packet that goes to every node and every note now has to join the network which doesn't seem that bad here's the router
advertisement packet going to a multicast all nodes address FFO to colon colon 1 and telling people what network to join the problem is you can send out a lot of router advertisements and when
you do the poor target joins all these networks and that would be all right except that Windows is extremely
inefficient at doing that so let me show
you a few of these attacks I should have some virtual machines set up now this is
how I do it in class with my students I use virtual machines on an isolated
network and I was when I first well I'll
tell you a little more when I get there so let's start with the old-fashioned attacks here I've got a backtrack 5
linux machine and it's running as a web server so if i go to localhost and
refresh i put up a web page here with a picture of cat all right so um it's handing out that glorious web page now in if you run this page you can see the
status of your server and let me see if I can figure out how to turn off some junk to save some room here can i right
click and see view toolbars all good the
creative tool bars come on you to Mars
bookmarks that's getting somewhere okay
now that's the server status and down here these are the current connections there's one in connection waiting here and all the rest are available of hundreds of connections available this server can handle hundreds of people viewing that webpage so if i go over
here and this guy have used that webpage um it should show up here as another
connection and so it does now i have a couple connections so now let's attack this poor linux machine from this
windows machine will start with the old-fashioned stuff the lower but ion
cannon just get these things out of my way all right Laura Dyan Cannon is here
the thing that anonymous people use as a
shortcut to go into prison and
I'll need an IP address here let me join
this there we are okay when I to 168 1
HTTP 192 168 1 98 173 hopefully I got that right yeah it looks pretty good my
98 173 ok so this attack goes here I
need a little more room on my screen come on come on hey this is lion and let
you drag the corner from the middle now
and it doesn't seem to refresh this page in any hurry that's irritating friend of
your computer well I don't like virtual machines much but are these conditions
I'm kind of forced to use them seems do
it well it won't even respond to anything I do right now this is fairly
common I might have to restart might
have to restart that one oh there I
finally responded i think there that's good i thought it's just a little slow i'm sort of getting used to right so i have to lock on until the number appears here yeah there we are number appears
there and now i can do different kinds
of attacks here and i would like to scroll down but I don't see a scroll bar because I'm being hosed here um
pardon me all right I'll have to go to
full screen that's the only thing i could do I make it big enough so I can
see what I'm doing all right because the low orbit ion cannon in addition to sending you to prison isn't very well written it doesn't let you see what you need to see too well alright so i'm going to send HTTP requests here and i need to get to the fire button there i'm
a charge in my laser who wrote there now it should be there are sending stuff numbers ok sending complete requests back to my poor target which is here so
my poor virtual machine here will now
show that people are using up the connections and there they are she is filling up with a bunch of C's now those seas are connections at the web server it is gradually filling up here so it's using up all the web server can do but what is doing is complete connections they form a connection they download that little web page and then they wait to timeout so this does fill up all the connections and make the web server unavailable but it does it in a very weak way because each connection terminates normally and then just ends its time normally so it's only ties it up for a couple seconds so that's what
this one does let me get back to my virtual machine which is here so alright
and let's stop that one and should have stopped it and get rid of that one let's do the slow loris one which is much more
powerful and a wasp brought a windows
version of it which is really nice and
it's also small enough that I don't need some you have such a big window for it
alright so now I have to put that address in here 192 me a break I can get it out of here couldn't I yeah that would be fun copy it from there put it in here okay now this is going to run that attack let me just get this back to
normal sense i'm no longer attacking it goes back to normal only one connection there's an extra one there i don't know
what it is but i'm not worried about it i run that attack there we go now if i
refresh this page you see it's filling up and it's filling up this time of ours those are pending requests each one of those will take 400 seconds to time out by default so you don't need to send very many of them and it uses up all available incoming lines and this server is toast so that's the slow loris attack
and the HTTP POST attack is similar so it's very powerful and very dangerous and now it's this easy and when you stop
it will recover it recovers pretty fast in this case I don't know why it's not taken four hundred seconds but maybe the default timing and apache on backtrack 5 is different than what i think it is i'm
not quite sure what causes that but anyway now that we've shown you how to kill linux or windows let's go the other way with the more powerful attack let me clear all this stuff up and set up my poor Windows machine to show you the evil that is about to happen to it so if
i go here and dry p config / more or pipe more you'll see this machine is an ordinary windows machine i put on a static address of 2 colon colon 2 an IP version 6 it's got a IP version 4 address and really not much else going on now let me bring up a task manager
window because that's the interesting way to see the damage that's going to
happen to this machine task manager
shows the CPU is now at zero percent so
let me show these things over near each other and shove it over sorry there's my Windows machine just sitting there now
if I send it some IP version 6 packets here i'm going to do fake router 6 first fake router 6 this is the tht ipv6 ipv6 attack sweet from Van Heusen injured in Europe someplace and I do that on eath one and i'll send it def con i can't get an end though i can get that far of DEFCON when you send that you know it's sending some packets advertising that network don't need to wait any longer all the devices
on that Network hipping commanded join it and there it is it's made an address starting def co now this is what's supposed to happen when you add a router in normal course of events i add a router it advertises its prefix everybody joins and the game's over but if i send a flood of unwanted packets at
the rate of hundreds per second eath 1 i'm going to stop it very soon there after each dot is 100 I said about a
thousand this is not a hundred percent
and it's just going to sit there at a hundred percent for a long long time and and and what's worse is it's well I got this far I was trying to make a project for my students sitting outside of coffee Allah says well this is fun but the problem is it's killed it so bad that
you can't see the addresses you've run ipconfig now if I stop it really fast this will actually respond without waiting forever and you can see what it's done and that's why hopefully I stopped area are you see it's joined all these networks page after page of networks that's what it's doing and it's still adding more to that list at the rate of about five per second so this is all right but when I first tried it I ran it for a while nothing seems to happen hey my Windows machine doesn't respond at all what happened here said well this is no fun students don't learn anything they can't look at the damage so I thought well this is a bad project what do I do and then I thought hey wait a minute this would kill the domain controller an email server and everything this is really bad this is so bad I can't tell my students all I better tell Microsoft quietly so so I sent out a tweet all right at first I did sound out tweet saying hey this attack works windows 7 not surprising and I said hey you know I need a security contact inside windows so ed bott and other people on my Twitter feed immediately gave me good people inside Microsoft and they sent me to the right people and within two days I had an official answer for Microsoft saying yeah van heusen told us about that a year ago and we don't care we're not going to do anything about it for current versions of windows we do not care that windows vista windows 7 windows server 2003 windows server 2008 XP are all going to die at the drop of a hat we make put in Windows 8 or Windows 9 or something if we have nothing better to do I said fine if you're going to be that way I'll tell the whole world about it and I gave it to my students for homework and I said use nice elated that works don't kill every machine at the college because you could kill every machine at the college including our servers and everything else and my students did not kill though college with it which is nice of them um therefore i'm still working there i'm not on the street with a tin cup and so uh anyway that's the power of that
attack and so let me talk a little bit about defenses but i think before i do that i'm going to hand it over to Matthew here the only thing I want you
to do is if you would like to try this now Windows machines are vulnerable to this and one version of bsd unix is vulnerable this attack windows mac OS is not if you look at my mac here
I have config it will show yeah you see them here and insolence here let's try a pipe more there we are see here the Mac got the attack to the mac is the host and as you can see it joined some of these others in two thousand ones will see it joins I think those are useless networks he joined some of those useless networks but it didn't join them all well I think those might be from Def Con but anyway what you see if you expose the mac to it he joins about the first ten and no more it has the sense to ignore over outdoor advertisements after the first ten for some period of time which is a pretty good defense and that's what I think Microsoft's you do in Windows but they are not interested in my opinion Cisco patched it juniper didn't but anyway um if you have any devices to test Ryan's going to set up a network there and kill anybody that wants to join it and if you want to participate miss here's how you do it
there you join a network called do not
use and it's a it's wpa2 encrypted in
the password is do not use so if you join that network he'll see how many people joins and then run this attack and kill you and if it kills you it's interesting because other devices are vulnerable besides windows and BSD and if you had some people said they were going to bring interesting devices here any device that networks may be vulnerable list and I would like to know and I'd like you to go to the question room afterwards and tell me so we can inform the vendor and get stuck patched because I think a bunch of people are volatile to this and they don't know but anyway let me hand it over to you you can tell them your story about low sec and then I'll come back and talk about
defenses if you have time left your
stuff should be on the desktop when you dig down to it yeah
is it do not use your do not care crying you're not today oh do not connect ok
thank you ok that's what's name is do not connect and the key is do not connect ok thanks Sam Sam is the only
person that I know who can make running DDoS attack seem charming so my name is
Matthew Prince and I know Sam we both live in San Francisco and we both got sort of dragged into the little security her father reluctantly and so I'm going to tell you the story of how I got dragged into it and talked to you about some of the DDoS attacks that we saw during the 23 days that they were active and and then what we did to stop them so
on jun 2nd at about 450 4 p.m. greenwich mean time the low-security twitter account announced that they had finally gotten around actually making a web page what was pretty amazing was that within
about 15 minutes that web page was knocked offline by a fairly significant denial of service attack i don't i don't know the details of this particular attack because we hadn't been involved yet about an hour after the web page was
first announced lolz announce that they had actually solved this problem on a Twitter account and the only thing that had changed as far as I've been told is that nine minutes earlier they signed up
for CloudFlare now CloudFlare doesn't we don't we we're a service we make websites faster and we protect them from some attacks but we don't really think of ourselves as if anti-ddos service so it was somewhat of a surprise for the lulz security people to do that it was even more of a surprise when an hour
later little security sent out a message to me saying hey we love your service much can we exchange rum for a free pro account I had no idea who lil security was at this point and so I tweeted back a tweet which my legal counsel has since told me to remove which said it depends on how many cases and how good the rum is they never sent the rum and we never gave them a pro account but CloudFlare is free and thousands of sites sign up for it every single day and we typically don't have problems with them these guys
we had some more issues with and so over the course of the next 23 days they wreaked mayhem in lots of different ways and you know finally on jun 25th they
called it quits and what was interesting
is that the way cloud flow works were a reverse proxy right so all of the traffic which goes to lowell security passes through our network first which has two significant effects the first is anyone who attacks little security was attacking us so that was that was amusing and then secondly it meant that low security was actually able to hide where their origin was where there where they were actually hosting from and that's it's a side effect of how our system is designed but it was one that they used to great effect Sam actually contacted me a little while ago he said he was going to do a talk on dee da sand would I and we sort of talked about the experience and he said what I'd be willing to to share some information about it and again we have legal counsel and we're a real company and we have a privacy policy and even if you're an internationally wanted cyber criminal we try to respect the privacy policy and so
I wrote the following email there's a little bit more to it to the email account that we had on file for lulz security on july second right after they had called it quits saying hey I've been invited to talk about this at Def Con would you mind and I didn't hear anything for quite some and then 11 days later someone by the name of Jack Sparrow so here I am so I can talk about some things I can't talk about anything everything I can talk about things writ large I can talk about how they affected us I don't want to get the host necessarily that they were using in trouble so I'm not going to be revealing their exact IP addresses but let me tell you a little bit more about what happened over those 23 days so this
is the actual traffic too little securities website over those 23 days they received little over 18 million page views as people went to that site you can see it peaked early and then it's trailed off since then the website is still actually on CloudFlare although the website behind it has been taken down so if you go to it today you'll see an Apache configuration page I don't know what they have planned next what's
interesting is that we can actually look at what is just the attack traffic and break that down and you know I'd say that this is attract traffic up until the spike kind of in the middle there was was almost just background noise it was not something that we were particularly concerned with and in fact what I say on a slide in a couple of seconds is that the three weeks that low security were on CloudFlare was actually three of the quietest weeks for denial of service attacks that we had seen which is strange because a lot of people were saying that they were attacking them there was this one spike in the center but that seems to have been caused by a couple of very distinct events that they that they engaged in and I'll talk about what that is and then i'll talk about exactly what the sort of attacks that we saw for lowell against lolz and what we did to defend ourselves and and then the ones that were sort of annoying to us so one thing
that was particularly interesting this is on jun 25th this is the the gesture I don't know who the gesture is Sam Sam's given me some background he publishes a webpage he spent a huge amount of trying trying to figure out what the backing where that where the Lowell Security site was was hacked and he proudly pronounced what has become gospel which was that WWL security com was at two of four dot 1972 4133 and Lowell security com was at 111 dot ninety dot 139 dot 55 I know where the site was on January and June fit 25th and I will tell you it wasn't there at all in fact they use seven different
hosts over the course of 23 days the original host was in Montreal Canada they were briefly in Malaysia but it was or in early June it was that's the 111 address that's accurate I don't know where the other address comes from most of the hosts that they used were actually us-based house including one large host that is specifically specializes in DDoS mitigation ultimately they're using German hosting and that's where they still are today one thing that was interesting was that a lot of people claimed that they had found some way to knock lulz security offline and they posted pictures online
this is actually a service that we offer at CloudFlare which is if your back-end origin server goes down then we'll actually show a cached version of this and we put an orange bar across the top that says you're viewing a cached version sort of like if you view as cash and Google what's interesting is that while a lot of the world was claiming that they had done this what I think actually must have happened is that the lowest security guys got kicked off their host because for a brief period of time for about a 36-hour period what they did was they actually pointed their IP address at 2222 which is an invalid there's no host there's no web server running there I think they just picked a random IP address and what that did was it caused our system to kick into the always-online mode that actually caused that cash version to exist for a limited period of time until that cash expired at that point they pointed it back to a host for a short amount of time then pointed it back to a fake address to get it up I am not aware of any person or any time when the lowest security site was actually knocked offline in spite of the fact that a lot of people were trying to do that on the
other hand they knocked a lot of people offline which was interesting to watch a lot of the attacks that we saw you know
again as I said we were really surprised we had everyone on high alert we were watching for big attacks to come in and the attacks that we saw were generally actually significantly less than we would have expected pissing off the hackers that populate twitter is not nearly as dangerous as picking off pissing off the Chinese cyber mafia or the Eastern European cyber mafia or people that run really big extortion attacks they run big d doses these guys they run you know they're clever but it's not it's not the same it's not the same league we saw some layer 7 attacks that we're relatively harmless while slow loris and some of those tools are are interesting to attack an individual web server CloudFlare was specifically designed not only to stop layer 7 attracts dead but we actually then record all the IP addresses that are committing those attacks which just makes it I mean it it's actually we actually are happy when people attack us over layer 7 the more annoying attacks for us or the layer 3 layer for das attacks that we see but you know we run this we run a network which is in any
casted network and what that means is that we have a bunch of machines hundreds and hundreds of hundreds machines running in 14 different data centers all around the world listening on the same IP address so that tends to take distributed denial-of-service attacks or high-volume attacks and spread them out over a very large surface area which makes it much more difficult to launch something like that against us what was more interesting
though what the annoying attacks that hurt us were a couple of different things the first was a someone had a really big network and a lot of traffic and they pointed almost all of it at us and it happened that they were geographically proximity or sort of network geographically proximate to our San Jose data center and so they were doing enough bandwidth to our San Jose data center that what we did was we took all of our clients other than little security and we moved them to other data centers no one ever noticed but the San Jose data center for that period of time was only serving little security kept him online though another another attack which was really interesting it's actually not a particularly big threat to most people was a threat to us was using google as a reflector so we have special rules that are in place for Google's IP addresses in order to make sure that we're never blocking legitimate crawler traffic from coming to us and so someone who is actually very clever found out that if they send a lot of sin requests with fake headers pointing back at our IP addresses to Google Google would act back to those and that actually created some issues for us internally it was a pretty easy solution we block the acts that that didn't have a sin attached to them and we called our friends at Google and said you'll never get origin traffic coming from this so just firewall it off and that was solved within a few minutes that was it that was actually a clever attack that looked at the nature of how our system worked and challenged us based on that I'm the last one which was the most annoying someone did a thorough scan of our IP address ranges and found some exposed router interfaces that were that were out there and figured out the routers that we were using or just dictionary attacked against the routers were not sure and they were able to launch attacks that actually shut down some of our routers and they were able to bypass any cast because those were specific to that the solution again was fairly straightforward we just blocked those IP addresses off to the outside network but it was the it was the attack that that actually caused us the biggest problem and knocked a couple of our routers offline for a couple of minutes but largely again you know when I compared the big attacks that we see when a client of ours gets a letter in the mail that says hi I'm the helpful Chinese government agency by the way we've detected on your network that someone is going to attack you if you send us ten thousand dollars you know can probably do something about it obviously not a real Chinese agency and you they they really can do something about it because they're launching it those are big attacks these were relatively small by comparison Sam I think I'm losing power so yeah you just make sure it's plugged in so so a couple
of a couple of things I think I got it
there so sorry about that so a couple of
things that were interesting the first was you know again when the gesture and all those guys were attacking that's that sort of background noise pattern what really started to it seems trigger pissing people off was when the lulz security guys went after minecraft and and that was the real spike in traffic and and then the drop back off in traffic was was caused when they stopped attacking minecraft in fact internally in our office the biggest debates were in terms of whether we should drop them off our network or not came from the Minecraft aficionados who said you're now causing me pain and that's not cool so I guess the lesson is that if if
you're if you're going to you know launch d doses against people to indiscriminately don't pick on minecraft um so you know we we've watched I have
very little information on who actually the lowest security folks are I will say that one of the user names that signed up for the CloudFlare account is very very similar to one of the usernames that's been arrested don't know if that means that it's just a coincidence or that they've actually been taken offline we haven't seen much activity to move their hosts around and again their website is down now but it was an interesting 23 days watching kind of the attacks and is all the world tried to take them down seeing how we could help it up for better or worse so if this is
a vinay interest to you I'm used to coda on Twitter and and we're cloudflare so thanks for having me
alright thank you matthew i really
appreciate you coming to do that because i am trying to improve my game you know
free I've been a breaker for quite a
while let me see if I can find my
presentation there we are you know I've
been giving a lot of talks and like heck
attack is easier to in defense so my
talk shawl is the name I have this new attack it blows everything away hahaha and if you don't like it tough you have like wait for Microsoft patch it or something basically you're hosed which is a common message you'll hear at tuffcon another conferences but I'm trying to move up so um I told you this
stuff by the way there are some defenses see I'm trying to move into defense which is tougher most of the time defense is difficult now if you want to block those router advertisement floods you could turn off IP version 6 that will protect you but IP version 6 is necessary and it does things you probably want like home groups and direct access you can turn off router discovery with a net SH command at the command line and that will mean that your machine does not listen so does not do anything when he gets our age and it will protect it from this attack it'll mean you have to put a static IP version 6 address on it which is probably the right thing to do on a server you can block it with the windows firewall and only accept router advertisements from the authorized router and that will protect your clients although it's pretty easy to defeat that by just making rogue router advertisements that appear to come from that source address but it will stop the attacks to some extent and Cisco makes a switch with our a guard Cisco patched their own vulnerabilities for this a as soon as they're told my mark hausa and they made a proprietary protection for your network so if you buy a Cisco switch with our a guard okay good right on time here anyway you can evade that pretty
easily by putting in fragmented router
advertisements will go right past Cisco's are a guard so for every defense there is another attack but anyway as
far as defending my conclusions been for a long time the only reason your website is up is because nobody hates you if even one person hated you you'd be down that's what the gesture proves that's why I think adjuster is so important for network security he proves that just one angry man can take down a lot of websites and you're helpless basically now it's not entirely true that you're helpless but the defense seems to be a little difficult to put in I I tried playing with some defenses you can use modsecurity now in a laboratory condition mod securities latest version has an anti layer 7 dose feature but all it does is stopped too many connections from the same IP address so it will save you from a test on your network with that Olaf's tool but it won't stop the gesture because he goes through tor or some similar network and all the attack packets come from different networks you can pay a service like Akamai to protect you and they'll use a few tricks to protect you you can
put in a load balancer the load balancers will protect your server by only letting complete requests make it to the server but the load balancer itself will go down with you go in enough traffic it's a defense but it's not a perfect defense it took something like four times as many packets to free the load balancer in my test so it's something you can also do things like
counter-attack HD Moore had a good one here somebody tried attacking him with a botnet so he pointed his DNS address back to their command and control server so they blew themselves away and and that's effective of course but it does mean your site is down while it's happening and it's questionably legal I mean now he's taken the flame just like if I had a shield never elected bullets back to shoot back at the bad guy shooting at me I don't know anyway there may be some legal issues there but it did work and it'll work against flood attacks like anonymous with the low orbit ion cannon but I was very pleased to observe CloudFlare here because I've got the same talk i give everywhere there's horrible attack there's not much you can do and now I'm contacting people out of the blue that I have vulnerabilities exposed on pastebin to try to get them to fix their stuff and they're typically small businesses that don't know much that don't have any security team I can't tell them to purchase and implement a extra server to protect your server but what I couldn't tell them to do is just use cloud player which is a free service and that's not too hard to do and it really will protect you and I was very pleased to observe that it really stopped the gesture the gesture really wants to take him down and he really can't it's the first thing I've seen that would do that that you could easily deploy without you know having an expensive network security team so I'm going to be playing with it when my students next semester we're going to be setting up all these defenses and trying to blast through them and try to make them good and strong defense is much harder than attack anyway I guess that's it did anybody actually get murdered here Ryan what's that yeah didn't anybody's machine actually go down from attacking his network anybody want to talk about it no volunteers well you know when you volunteer to ruin machines up here you don't get too many volunteers okay fair enough so I guess that's it I'll see you next year oh there's a queue a room