DDoS Handling
By Sumedt Jitpukdebodin

whoami

• Name: Sumedt Jitpukdebodin

• Website: www.r00tsec.com, www.techsuii.com

• Job: Senior Security Researcher @ I-SECURE, author of “Network Security - ก้าวแรกสู่นักทดสอบและป้องกันการเจาะระบบ” (Network Security: first steps toward penetration testing and defence)

• Hobbies: Hacking, Forensics, Linux, Android, Writing

• Social networks and the rest of my story: please Google

CIA

• Confidentiality

• Integrity

• Availability

DoS vs DDoS

• Old-day hacking vs modern-day hacking

• Exploiting a vulnerability in the system vs flooding it with traffic

• One attacker against one target vs many sources against one target

Examples of DoS

• ICMP attacks

  • Ping of death

  • Smurf attack

  • Ping flood

• SYN flood attacks

  • Half-open connection attack (the handshake is never completed, so the server's connection table fills up)

  • Unending knock knock

• Application layer

  • Low and slow attacks (e.g. Slowloris: few connections, held open as long as possible)

• Etc.

DDoS

• Simultaneous attack from multiple sources

New era of DDoS

• Amplification

Amplification

• A small request with a spoofed source address (the victim's) draws a response many times larger, sent to the victim. The slide cites a response of 5-6x the request; with DNS ANY queries plus EDNS0 against open resolvers, or NTP monlist against unrestricted ntpd, the ratio reaches tens to hundreds of times.

• NTP (monlist)

• DNS (open recursive resolvers)

Statistics of DDoS (Source: Verisign’s Distributed Denial of Service Trends Report 2014)

DDoS as a Service (Source: Verisign’s Distributed Denial of Service Trends Report 2014)

Show Time

Mitigation

• IDS/IPS

• Incident response

• SIEM

• Log management

• Rate limiting

• Firewall

  • Firewall @ company

  • Firewall @ ISP (the only place a volumetric flood can be dropped before it saturates your uplink)

  • Firewall @ your server

• Web Application Firewall

Keep your server from becoming the attacker's tool

• NTP: disable the monlist query (`disable monitor`, or `restrict default noquery` in ntp.conf)

• DNS: do not run an open recursive resolver (`recursion no;` on authoritative servers, or `allow-recursion` scoped to your own networks)
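The two slides above (amplification, and not being a reflector yourself) come down to one measurable number: how many bytes a host returns per byte you send it. The following is an added example, not part of the original deck: it builds the two classic probe payloads (an EDNS0 `ANY` query per RFC 1035, and the 8-byte ntpd mode-7 `monlist` request), fires them at a host you own, and reports the bandwidth amplification factor. The target `127.0.0.1`, the query name `example.com` and the timeout are assumptions for illustration; a locked-down resolver answers `REFUSED` (rcode 5) or not at all, and a patched ntpd returns nothing to `monlist`.

```python
import socket
import struct

# Added example. Byte layouts follow RFC 1035 (DNS) and the ntpd mode-7
# private-request format abused by NTP amplification; hosts/names are assumptions.

def ntp_monlist_request():
    """8-byte NTP mode-7 request: implementation 3 (xntpd), request code 42 (MON_GETLIST_1)."""
    # byte 0: LI=0, VN=2, mode=7 -> 0x17; byte 1: auth/sequence; byte 2: impl; byte 3: req code
    return bytes([0x17, 0x00, 0x03, 0x2A]) + b"\x00" * 4

def encode_name(name):
    """Wire-format domain name: length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dns_any_query(name, edns_udp_size=4096, qid=0x1234):
    """Recursive QTYPE=ANY query with an EDNS0 OPT record advertising a large UDP payload."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)   # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack(">HH", 255, 1)  # QTYPE ANY, QCLASS IN
    opt = b"\x00" + struct.pack(">HHIH", 41, edns_udp_size, 0, 0)  # root name, OPT, payload size, TTL, RDLEN
    return header + question + opt

def dns_response_summary(resp):
    """Decode the 12-byte header so we know whether the reflector actually answered."""
    qid, flags, _qd, an, _ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": qid, "rcode": flags & 0x0F, "truncated": bool(flags & 0x0200),
            "answers": an, "additional": ar, "bytes": len(resp)}

def amplification_factor(request, responses):
    """Bandwidth amplification factor: total bytes returned per byte sent."""
    return sum(len(r) for r in responses) / len(request)

def probe(host, port, payload, timeout=2.0):
    """Send one UDP datagram and collect every reply until the line goes quiet.
    Only use against hosts you own or are authorised to test."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (host, port))
        try:
            while True:
                data, _ = s.recvfrom(65535)
                replies.append(data)
        except socket.timeout:
            pass
    return replies

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumption: your own server
    probes = (("DNS ANY", 53, dns_any_query("example.com")),
              ("NTP monlist", 123, ntp_monlist_request()))
    for label, port, payload in probes:
        replies = probe(target, port, payload)
        if not replies:
            print(f"{label}: no reply from {target} (good)")
            continue
        factor = amplification_factor(payload, replies)
        print(f"{label}: {len(replies)} packet(s), amplification x{factor:.1f}")
        if port == 53:
            print("  ", dns_response_summary(replies[0]))
```

The probe sends from your own address, so the replies come back to you; an attacker spoofs the victim's address in the UDP source field, which is why the ratio matters and why the fix is on the reflector, not the victim. For an authoritative DNS server, query a name you do not host: answering that is what makes it an open resolver.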

Web Server X DDoS

• Apache (with mod_evasive)

• DOSHashTableSize 2048

• DOSPageCount 20 # maximum number of requests for the same page per page interval

• DOSSiteCount 300 # total number of requests for any object by the same client IP on the same listener per site interval

• DOSPageInterval 1.0 # interval (seconds) for the page count threshold

• DOSSiteInterval 1.0 # interval (seconds) for the site count threshold

• DOSBlockingPeriod 10.0 # seconds a client IP stays blocked (requests during the block get a 403)

• DOSLogDir "/var/log/apache2/evasive"

• DOSEmailNotify [email protected] # address redacted in the source

Note: mod_evasive keys on the client IP, so clients behind one NAT or proxy share a counter (use DOSWhitelist for known ones), and it only sees requests that reach Apache; a flood that fills the uplink has to be dropped upstream.
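As an added example (not from the slides or from mod_evasive itself), the same page-count / site-count / blocking-period logic as the directives above, run offline over constructed Apache combined-format access-log lines. This is what you would use to build a block list from logs the module never saw (a reverse proxy, a load balancer) or to tune the thresholds before switching the module on. The IPs, timestamps, URIs and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example: offline re-implementation of the mod_evasive thresholds from the slide.
DOS_PAGE_COUNT = 20         # requests for the same URI per DOS_PAGE_INTERVAL
DOS_SITE_COUNT = 300        # requests for any URI per DOS_SITE_INTERVAL
DOS_PAGE_INTERVAL = 1.0     # seconds
DOS_SITE_INTERVAL = 1.0     # seconds
DOS_BLOCKING_PERIOD = 10.0  # seconds a client stays blocked

# Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (timestamp, client_ip, path_without_query) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (datetime.strptime(m["ts"], TS_FMT), m["ip"], m["uri"].split("?", 1)[0])

class FloodDetector:
    """Sliding-window counters per client IP, like mod_evasive's hash table."""
    def __init__(self):
        self.page_hits = defaultdict(deque)   # (ip, uri) -> timestamps
        self.site_hits = defaultdict(deque)   # ip -> timestamps
        self.blocked_until = {}               # ip -> datetime

    @staticmethod
    def _push(window, ts, interval):
        """Add one hit, drop hits older than the interval, return the window size."""
        window.append(ts)
        cutoff = ts - timedelta(seconds=interval)
        while window and window[0] < cutoff:
            window.popleft()
        return len(window)

    def observe(self, ts, ip, uri):
        """Return True if this request should be denied (mod_evasive would send a 403)."""
        until = self.blocked_until.get(ip)
        if until and ts < until:
            return True
        page = self._push(self.page_hits[(ip, uri)], ts, DOS_PAGE_INTERVAL)
        site = self._push(self.site_hits[ip], ts, DOS_SITE_INTERVAL)
        if page > DOS_PAGE_COUNT or site > DOS_SITE_COUNT:
            self.blocked_until[ip] = ts + timedelta(seconds=DOS_BLOCKING_PERIOD)
            return True
        return False

def scan(lines):
    """Replay log lines in order; return denied-request counts per IP and the block list."""
    det = FloodDetector()
    denied = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if det.observe(*rec):
            denied[rec[1]] += 1
    return dict(denied), det.blocked_until

def sample_log():
    """Constructed sample: one client hammering /login 25 times in one second, one normal client."""
    fmt = '{ip} - - [{ts}] "GET {uri} HTTP/1.1" 200 512 "-" "curl/7.68.0"'
    t0 = datetime.strptime("10/Mar/2015:12:00:00 +0700", TS_FMT)
    ts = t0.strftime(TS_FMT)
    lines = [fmt.format(ip="203.0.113.7", ts=ts, uri="/login") for _ in range(25)]
    lines += [fmt.format(ip="198.51.100.2", ts=ts, uri=f"/page{i}") for i in range(5)]
    return lines

if __name__ == "__main__":
    denied, blocked = scan(sample_log())
    for ip, n in denied.items():
        print(f"{ip}: {n} request(s) denied, blocked until {blocked[ip].isoformat()}")
```

The 21st request for the same page in one second trips `DOS_PAGE_COUNT`; the remaining four are denied by the block list, so the output reports five denials for the flooding IP and nothing for the normal client. Feed the resulting IPs to iptables, nftables or your WAF as you would from mod_evasive's `DOSSystemCommand`.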

Web Server X DDoS (2)

• Nginx

• client_body_buffer_size 128k; # buffer size, not a limit: bound requests with client_max_body_size and the client_header_timeout / client_body_timeout pair against slow attackers

• large_client_header_buffers 4 256k;

• limit_req_zone $binary_remote_addr zone=per_ip:16m rate=1r/s; # the slide named both zones "name"; nginx rejects a duplicate zone name, so each key gets its own zone

• limit_req_zone $http_x_forwarded_for zone=per_xff:16m rate=1r/s; # only meaningful behind a trusted proxy or CDN: the header is client-supplied, so a direct attacker can vary it to dodge the limit or set it to a legitimate user's address

• limit_req zone=per_ip burst=10 nodelay; # a zone does nothing until applied in a server or location block; excess requests get a 503 (limit_req_status changes it)

“Security can’t be 100% for sure.”

– Anonymous

Thank you for watching

References

• https://labs.opendns.com/2014/03/17/dns-amplification-attacks/

• https://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack/

• https://community.qualys.com/blogs/securitylabs/2014/01/21/how-qualysguard-detects-vulnerability-to-ntp-amplification-attacks

• http://www.slideshare.net/JerodBrennenCISSP/ddos-attack-preparation-and-mitigation-27027980

• http://www.i-secure.co.th/2014/07/%E0%B8%A3%E0%B8%B0%E0%B8%9A%E0%B8%9A%E0%B8%82%E0%B8%AD%E0%B8%87%E0%B8%84%E0%B8%B8%E0%B8%93%E0%B9%80%E0%B8%95%E0%B8%A3%E0%B8%B5%E0%B8%A2%E0%B8%A1-ddos/

• http://securityaffairs.co/wordpress/33916/cyber-crime/verisign-ddos-attacks-as-a-service.html

• http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html

• http://www.techrepublic.com/blog/smb-technologist/secure-your-apache-server-from-ddos-slowloris-and-dns-injection-attacks/

• http://www.helicontech.com/ape/doc/mod_evasive.htm