This document discusses universal DDoS mitigation bypass techniques. It provides an overview of common DDoS attack categories and detection/mitigation techniques. It then demonstrates how to bypass authentication methods using a proof-of-concept tool that can emulate true TCP/IP behavior, solve CAPTCHAs, and model HTTP traffic to bypass current DDoS protections. The document concludes that next-generation solutions are needed to address these bypass techniques and make attacks more expensive.

1. Universal DDoS Mitigation Bypass
DDoS Mitigation Lab

2. About Us
DDoS Mitigation Lab
Independent academic R&D division of Nexusguard
building next generation DDoS mitigation knowledge
and collaborate with the defense community.
Industry body formed to foster synergy among
stakeholders to promote advancement in DDoS
defense knowledge.

3. • DDoS Attack Categories
• DDoS Detection and Mitigation Techniques
– How they work?
– How to bypass / take advantage?
• DDoS Mitigation Bypass
– How to use our PoC tool?
– PoC tool capability
• Next-Generation Mitigation
Outline

4. Financial Impact
Source: NTT Communications,
“Successfully Combating DDoS Attacks”, Aug 2012

5. Volumetric Attacks
• Packet-Rate-Based
• Bit-Rate-Based

6. Semantic Attacks
API attacks
Hash DoS
Apache Killer
Teardrop
(old textbook example)
Slowloris / RUDY
SYN Flood
(old textbook example)
Smurf
(old textbook example)

7. Blended Attacks

8. Attack Quadrant
Complexity
Simple Sophisticated
Volume
xxx Gbps+
xxx Mbps+

9. DDoS Mitigations
Traffic
Policing
Proactive Resource
Release
Black- /
Whitelisting
xxx Gbps+
xxx Mbps+
Complexity
Simple Sophisticated
Volume

10. DDoS Mitigation:
Traffic Policing
Source: Cisco

11. DDoS Mitigation:
Proactive Resource Release
RST
1. Open lots of TCP connections
2. TCP connection pool starved3. Detect idle / slow TCP connections
4. Close idle / slow TCP connections
With RST
Example:
Slowloris Attack

12. B
Backend
(dropped)
DDoS Mitigation:
Black- / Whitelisting
Black List
White List
1.2.3.4
5.6.7.8
5.6.7.8
3.4.5.6
6.7.8.9
= free pass
(for awhile / for x amount of volume)
Src: 1.2.3.4
Src: 3.4.5.6

13. DDoS Mitigation:
Source Isolation
Source: http://www.cs.duke.edu/nds/ddos/
AS
AS
AS

14. DDoS Solution: Secure CDN
Backend
End User
3: return
1: request
2: redirect
to nearest
server
4: bypass distribution,
attack backend!

15. DDoS Detection
Rate Measurement
(SNMP)
Baselining
(Netflow)
Protocol Sanity
(PCAP)
Application
(SYSLOG)
Protocol Behavior
(PCAP)
Big Data Analysis
Complexity
Simple Sophisticated
Volume
xxx Gbps+
xxx Mbps+

16. Rate- / Flow-Based Countermeasures
Detection
Mitigation

17. Protocol-Based Countermeasures
Detection
Mitigation

18. Blanket Countermeasures
Traffic Statistics and Behavior
Big Data Analysis
Detection
Mitigation
Source Host Verification

19. Source Host Verification
• TCP SYN Auth
• HTTP Redirect Auth
• HTTP Cookie Auth
• JavaScript Auth
• CAPTCHA Auth

20. PoC Tool

21. • True TCP/IP behavior (RST, resend, etc.)
• Believable HTTP headers (User-Agent strings, etc.)
• Embedded JavaScript engine
• CAPTCHA solving capability
• Randomized payload
• Tunable post-authentication traffic model
PoC Tool Strengths

22. PoC Tool: Authentication Bypass

23. TCP SYN Auth (TCP Reset)
SYN ACK
SYN
ACK
RST
SYN
SYN ACK
ACK


24. TCP SYN Auth (TCP Out-of-Sequence)
RST
SYN
SYN
SYN ACK
ACK

SYN ACK

25. HTTP Redirect Auth
GET /index.html
HTTP 302 redir to /foo/index.html
GET /foo/index.html
HTTP 302 redir to /index.html
GET /index.html


26. HTTP Cookie Auth
GET /index.html
HTTP 302 redir to /index.html
HTTP 302 redir to /index.html
GET /index.html
GET /index.html


27. HTTP Cookie Auth (Header Token)
GET /index.html
HTTP 302 redir to /index.html
[X-Header: foo=bar]
GET /index.html
[X-Header: foo=bar]
GET /index.html
[X-Header: foo=bar]
HTTP 302 redir to /index.html
[X-Header: foo=bar]
GET /index.html
[X-Header: foo=bar]

28. JavaScript Auth
GET /index.html
HTTP 302 redir to /index.html
GET /index.html
POST /auth.phpans=16
JS 7+nine=?


29. CAPTCHA Auth
GET /index.html
HTTP 302 redir to /index.html
GET /index.html
POST /auth.php


30. CAPTCHA Pwnage

31. PoC Tool: TCP Traffic Model

32. TCP Traffic Model
NumberofConnections
Connection Hold Time
Before 1st Request
Connection Idle Timeout
After Last Request
Connections
Interval
Connections
Interval
TCP Connection
TCP Connection
TCP Connection

33. PoC Tool: HTTP Traffic Model

34. HTTP Traffic ModelNumberofRequests
perConnection
Requests
Interval
Requests
Interval
Requests
Interval
TCP Connection
HTTP Connection
HTTP Connection
HTTP Connection
HTTP Connection

35. • 3 tries per authentication attempt (in practice more
likely to success)
• True TCP/IP behavior thru use of OS TCP/IP stack
• Auth cookies persist during subsequent dialogues
• JavaScript execution using embedded JS engine (lack
of complete DOM an obstacle to full emulation)
PoC Tool Design

36. 1. Converted to black-and-white for max contrast
2. 3x3 median filter applied for denoising
3. Word segmentation
4. Boundary recognition
5. Pixel difference computed against character map
CAPTCHA Bypass Design

37. PoC Tool in Action

38. Testing Environment
Against Devices Against Services
Measure
Attack
Traffic
Measure
Attack
Traffic

39. Mitigation Bypass
(Protection Products)
Auth Bypass Post-Auth
Testing results under specific conditions,
valid as of Jul 13, 2013
Proactive
Resource Release

40. Mitigation Bypass
(Protection Services)
Auth Bypass Post-Auth
Testing results under specific conditions,
valid as of Jul 13, 2013
Proactive
Resource Release

41. • Client Puzzle – add cost to individual zombies.
Next-Generation Mitigation

42. • DDoS is expensive to business
• Existing DDoS protection insufficient
• Next-Generation solution should make attack
expensive
Conclusion

43. tony.miu@nexusguard.com
albert.hui@ntisac.org
waileng.lee@ntisac.org
Thank You!
http://www.ntisac.org