whoami
• Name: Sumedt Jitpukdebodin
• Website: www.r00tsec.com, www.techsuii.com
• Jobs: Senior Security Researcher @ I-SECURE; author of "Network Security - ก้าวแรกสู่นักทดสอบและป้องกันการเจาะระบบ"
• Hobbies: hacking, forensics, Linux, Android, writing
• Social networks & the rest of my story: please Google
DoS vs DDoS
• DoS: old-day hacking / DDoS: modern-day hacking
• DoS: exploits a vulnerability of the system / DDoS: floods the system with traffic
• DoS: one attacker against one target / DDoS: many sources against one target
Example of DoS
• ICMP attacks
  • Ping of death
  • Smurf attack
  • Ping flood
• SYN flood attack
  • Half-open connection attack
  • Unending knock knock (the handshake is never completed)
• Application layer
  • Low and slow attack
• Etc.
Mitigation
• IDS/IPS
• Incident response
• SIEM
• Log management
• Rate limiting
• Firewall
  • Firewall @ company
  • Firewall @ ISP
  • Firewall @ your server
• Web Application Firewall
Web Server X DDoS
• Apache (with mod_evasive)
  • DOSHashTableSize 2048
  • DOSPageCount 20 # maximum number of requests for the same page from one client IP within DOSPageInterval
  • DOSSiteCount 300 # total number of requests for any object by the same client IP on the same listener within DOSSiteInterval
  • DOSPageInterval 1.0 # interval (seconds) for the page count threshold
  • DOSSiteInterval 1.0 # interval (seconds) for the site count threshold
  • DOSBlockingPeriod 10.0 # time (seconds) that a client IP will be blocked for (403); further hits during the block extend it
  • DOSLogDir "/var/log/apache2/evasive"
  • DOSEmailNotify [email protected]
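An added example, not from the slides: a small Python model of how mod_evasive applies the thresholds above (more than DOSPageCount hits on one page, or more than DOSSiteCount hits on the site, arriving closer together than the interval, earn the client IP DOSBlockingPeriod seconds of 403), replayed over a constructed request stream. The IP addresses and the `EvasiveModel`/`replay` names are my own, and whitelisting, DOSSystemCommand and mail notification are left out.

```python
from dataclasses import dataclass, field

# Thresholds taken from the Apache configuration on the slide.
DOS_PAGE_COUNT = 20          # same page from one IP ...
DOS_PAGE_INTERVAL = 1.0      # ... with hits less than this many seconds apart
DOS_SITE_COUNT = 300         # any object on the site from one IP ...
DOS_SITE_INTERVAL = 1.0      # ... with hits less than this many seconds apart
DOS_BLOCKING_PERIOD = 10.0   # seconds of 403 once a threshold is crossed


@dataclass
class EvasiveModel:
    page: dict = field(default_factory=dict)     # (ip, uri) -> (count, last_ts)
    site: dict = field(default_factory=dict)     # ip -> (count, last_ts)
    blocked: dict = field(default_factory=dict)  # ip -> ts of last hit while blocked

    @staticmethod
    def _over(table, key, ts, interval, limit):
        if key in table and ts - table[key][1] < interval:
            count = table[key][0] + 1   # still inside the interval: keep counting
        else:
            count = 1                   # first hit, or interval elapsed: restart
        table[key] = (count, ts)
        return count > limit

    def check(self, ip, uri, ts):
        """Return the status the request would get from mod_evasive: 200 or 403."""
        if ip in self.blocked:
            if ts - self.blocked[ip] < DOS_BLOCKING_PERIOD:
                self.blocked[ip] = ts   # every hit during the block extends it
                return 403
            del self.blocked[ip]
        # Evaluate both counters so neither stops updating when the other trips.
        page_hit = self._over(self.page, (ip, uri), ts, DOS_PAGE_INTERVAL, DOS_PAGE_COUNT)
        site_hit = self._over(self.site, ip, ts, DOS_SITE_INTERVAL, DOS_SITE_COUNT)
        if page_hit or site_hit:
            self.blocked[ip] = ts
            return 403
        return 200


def replay(requests):
    """requests: iterable of (ts, ip, uri); returns {ip: {200: n, 403: m}}."""
    model, tally = EvasiveModel(), {}
    for ts, ip, uri in sorted(requests):
        tally.setdefault(ip, {200: 0, 403: 0})[model.check(ip, uri, ts)] += 1
    return tally


def constructed_stream():
    """Constructed sample (not real traffic): one client hammers /login, one browses."""
    flood = [(0.02 * i, "198.51.100.7", "/login") for i in range(40)]    # 40 hits in 0.8 s
    normal = [(0.5 * i, "203.0.113.9", f"/page{i}") for i in range(40)]  # 40 hits in 20 s
    comeback = [(3.0, "198.51.100.7", "/")]  # returns inside DOSBlockingPeriod: still 403
    return flood + normal + comeback
```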
Web Server X DDoS (2)
• Nginx
  • client_body_buffer_size 128k;
  • large_client_header_buffers 4 256k;
  • limit_req_zone $binary_remote_addr zone=perip:16m rate=1r/s;
  • limit_req_zone $http_x_forwarded_for zone=perxff:16m rate=1r/s;
  • Each zone needs a distinct name, and a zone only takes effect once a server or location block applies it with limit_req zone=perip burst=...;
  • Keying on $http_x_forwarded_for is only meaningful behind a trusted proxy that sets the header, since a client can otherwise send any value it likes