The presentation covers information about basic and advanced ddos attacks; the tools, techniques and methods to perform them and how to prevent them using the methods present in TCP/IP. Given the different network and application protocols for tcp/ip; we tried to describe where ddos attacks are made possible in the communication process . Each attack is seperately analyzed and described and defense technique is described using the same analogy. Our motto: If there is a ddos case, there was a way to defend it.

1. DDOS Attacks
and Mitigation Methods
Özkan Erdoğan
ozkan.erdogan@btpsec.com
Ms.C, CISA, CEH, ISO 27001 LA
BTPSec Corp
info@btpsec.com
Office:+90 216 4647475
+44 203 6084760
Address:Turaboğlu Sk. Hamdiye Yazgan İş Merkezi,
Kozyatağı Kadıköy İSTANBUL

2. What is DOS & DDOS?
D = Distributed
DOS : focused on vulnerabilities, using single source
DDOS : overflow focused, using multiple sources
Target of attacks is to eliminate availability of the resource

3. What is DDOS

4. Is it possible to mitigate Ddos attacks?
Our experience shows that its quite possible to mitigate ddos attacks. However, there are caveats such
that:
Most ddos attacks come big in volume where it saturates your bandwidth . Attack volume > Target
network bandwidth (mbps).
These attacks can be handled by obtaining service from global anti ddos providers: e.g. Cloudflare,
Incapsula, Akamai etc.
Other kinds of attacks are usually ineffective if we configure our network with correct measures.

5. Botnet
Lethic , Cutwail, Grum (spam), Flashback (Mac), Zeus (bank), Spyeye
(banka) etc..

6. Botnet Builder (10$)

7. Ddos Survey Results
61% loss of access to information
38% business stop
33% loss of job opportunities
29% reputation loss
26% insurance premium increases
65% Received security consultancy
49% More investments on IT
46% Started legal processes
43% Informed customers
36% Applied legal ways
26% Informed the media
● Spamhaus
● Chinese domain authority (.cn)
● Pohjola -Finland bank
● Nasdaq
● Bitcoin
● Bank of America

8. Ddos Costs

9. BOTNETs
Controlled by Botnet herders
Commanded via : Mirc, http(s), Tor (popular now)
Injection methods: Wordpress, Joomla etc. old Windows systems are easiest
targets.
Botnet members are targeted to be amongst data center systems.

11. DDOS events
1. Spamhaus (DNS Amplification) 300gbps.
a. 11 Feb 2015: New NTP attack: 400gbps
2. Brobot (American Financial companies)
3. Chinese attacks
4. Russia: DDOS gangs
5. Syn reflection attacks are gaining a rise.

12. DDOS Detection Methods
Honeypot
Flow
DPI

13. DDOS Mitigation Methods (General)
ACL
BGP Routing (Cloud service)
Blackhole
Mitigation devices (Inline, Offline)

14. Basic DDOS Attacks
Signature based attacks (Teardrop, Land, Smurf, Nuke,Fraggle vb)
Volumetric attacks (legal and illegal attacks)
Reflection (dns, syn)
Application based attacks: e.g. Slow attacks
Connection attacks

15. Protocols used in DDOS
TCP/IP
Tcp,udp, icmp,
Other (GRE, ESP etc)
IPv4
IPv6
Application layer
Http, dns, VOIP etc.

16. IP Spoofing (&How to detect it)
uRPF- Unicast reverse path forwarding.
Source IP of packet is compared to the FIB table in router and dropped if
routes are not the same.
Authentication
First packet drop, and let following packets go.

17. Attack Tools
Hping, nping, mz, isic
Slowloris, httpflooder, Torshammer, jmeter, ab, httpDOS, R-U-D-Y, pyloris
etc.
Scripts (socket programming: Python, Perl etc)

18. Volumetric Attacks
Band filling attacks
Network attacks (syn, syn-ack, ack, udp flood etc)
Application Attacks (http, https, dns, voip etc)
Botnet, HOIC, LOIC

19. Application Layer DDOS
Slow attack (Apache)- slowloris, pyloris etc
Slow Read- tcp window size
RUDY- HTTP post
XML dos
SIP invite- multiple udp calls to overwhelm server..

20. How to mitigate DDOS attacks?
WL/BL (ALL protocols)
ACL (All protocols)
Fingerprint (udp, dns)
Authentication (tcp, http, dns)
Session management (dns, tcp)
Statistical Methods
Rate Limit

21. Syn Flood and Prevention
Attacker
ServerSyn
Syn
Syn
Syn
• Most popular ddos attack is syn flood.
• Protection method: Authentication and WL. (Whitelisting) (Syn
cookie vs. syn proxy)
• Syn reflection factor
• Syn flood from real IP addresses: TCP ratio mechanism

22. Syn-Ack Flood and Mitigation
Attacker
ServerSyn-Ack
Syn-Ack
Syn-Ack
Syn-Ack
• Protection: Check session table if syn-ack’s are real.

23. Ack Flood ve Mitigation
Attacker
ServerAck
Ack
Ack
Ack
• Protection: Check session table if ack’s are real.

24. FIN/RST Flood and Mitigation
Attacker
ServerFin/Rst
Fin/Rst
Fin/Rst
Fin/Rst
• Protection: Check session table if packets are real.

25. Udp Flood and Mitigation
Attacker
ServerUdp
Udp
Udp
Udp
• Udp is the most effective for ddos
• Protect method: Payload and Header.
(Fingerprint)
• Dest.port, source port, ttl, source/dest IP also
checked
• ACL

26. Icmp Flood and Mitigation
Attacker
ServerIcmp
Icmp
Icmp
Icmp
• Protect method: Payload and Header.
(Fingerprint)
• Session check (query, response)
• Rate limit
• ACL

27. TCP Connection Flood & Mitigation
Low rate attack (Protection: Number of connections are analyzed- Bot detection methods are used)
TCP Null connection attack (No packets after handshake)
Also check for rates of:
New connections
Total connections per
second

28. TCP Retransmission Attack

29. SIP Flood

30. SIP Invite Flood

31. SIP Flood Prevention Methods
Traffic limiting
Source IP limiting
Fingerprint

32. Http(s) Get/Post Flood
Attacker
ServerSyn
HTTP get
Ack
HTTP get
HTTP get
HTTP get

33. Http Ddos Detection & Mitigation
Methods
Authentication (Http redirection)
SSL Ddos (Crypto handshake messages increase abnormally)
Captcha usage
Fingerprint

34. Example: Http Get Attack

35. DNS Flood
Is the target DNS: Authoritative DNS or cache DNS?

36. DNS Attacks- Continued
Dns Cache poisoning attack
Dns reflection attack
Dns query/repsonse attacks

37. DNS Query/Response Attacks
SP DNS
1. What is the IP for abc.google.com?
2. What is the IP for abc.google.com?
Attacker
3. IP= XXX.XXX.XXX =news.google.com
DNS Reply Flood
Attacker

38. DNS Cache Poisoning
SP DNS
1. What is the IP for abc.google.com?
2. What is the IP for abc.google.com?
Attacker
3. abc.google.com= x.x.x.x
DNS Reply
Attacker
• Domain info on Cache DNS servers are attempted
to be changed with the fake one.
• Attacker should guess the query id correctly.
(which is so easy if query id’s are not random)
DNS Reply

39. DNS Reflection
Open DNS
resolvers
1. What is the IP for abc.google.com?
2. What is the IP for abc.google.com?
Attacker
DNS Reply
• Attacker uses victim’s IP address as his source,
and sends a dns query to all known dns servers.
• Thousands of resolvers return the answer to the
victim and victim is Ddos’ed
DNS Reply
DNS authority
Victim

40. DNS Attacks
Conclusion:
DNS attacks are very dangerous and can be performed with the least effort
and cost .
Ddos attacks are on the rise every year and quite possible to be so in the
future.
Udp and Dns based ddos attacks are the most effective protocols for ddos.

41. Methods To Protect Against DNS Ddos
Attacks
Session control (Two way traffic)
DNS proxy, caching
DNS-Tcp Authentication
First packet drop
Domain name limiting
Traffic limiting

42. An Effective Mitigation Technique:
Fingerprinting
Packet header and payload is analyzed to determine a fingerprint of attack.

43. Syn Reflection

44. DNS Reflection (Attack multiplier 10x)

45. NTP Amplification ( Attack multiplier 300x)
Can also use snmp for upto 600x , however snmp seldom allows
nonauthenticated clients
11 February 2015: New NTP
attack: 400gbps

46. Ddos Summary
Extremely easy to attack ( Many free and user friendly tools)
Impossible to be detected (If correctly hides)
Big effects on the victim
Attack types and methods are broad.
Every application or service has its own ddos vulnerabilities
...Spoofing is possible and mostly costless
...AGAIN.. attack tools are free

47. THANKS
QUESTIONS???