DDoS PacSec Tokyo 2013
Nexusguard R&D
Agenda: DDoS mitigation techniques (TCP SYN authentication, HTTP redirect authentication, HTTP Cookie authentication, JavaScript challenge, CAPTCHA); Proof Of Concept (TCP layer, HTTP layer); Proof Of Concept demo
DDoS statistics (figure residue; values 20 Gbps, 250, 30%, 600). Source: NTT, "Successfully Combating DDoS Attacks", 2012
Attack types: application-layer attacks (API abuse, application DoS), slow attacks (Slowloris / RUDY), protocol attacks (SYN flood), reflection/amplification attacks (Smurf)
Attack scale: network-layer floods reach xxx Gbps+; application-layer attacks are only xxx Mbps+ but far more complex to tell apart from legitimate traffic
Proactive Resource Release
Figure: DDoS mitigation overview. Source: Cisco
Figure: Slowloris mitigation by connection reset: 1. TCP connection opened; 2. TCP connection held idle; 3. TCP RST; 4. TCP RST
Figure: source-IP filtering with a black list (e.g. Src: 1.2.3.4, 5.6.7.8) and a white list (e.g. Src: 3.4.5.6, 6.7.8.9)
Figure: DDoS traffic traversing multiple ASes. Source: http://www.cs.duke.edu/nds/ddos/
Detection
Detection data sources: network-layer floods (xxx Gbps+) via SNMP, NetFlow and PCAP; application-layer attacks (xxx Mbps+) via PCAP and SYSLOG
Goal: bypass TCP SYN, HTTP redirect, HTTP Cookie, JavaScript and CAPTCHA authentication to gain a whitelist pass, then fire away freely!!
Proof Of Concept
Features: handles TCP/IP resets (RST), HTTP redirects, JavaScript challenges and CAPTCHA countermeasures
Proof Of Concept Demo Video
TCP SYN authentication, variant 1 (reset): client SYN; mitigator SYN/ACK; client ACK?! (first attempt is torn down); the client stack retries: RST, SYN; second handshake SYN, SYN/ACK, ACK completes and the source is whitelisted
TCP SYN authentication, variant 2 (bad sequence number): client SYN; mitigator SYN/ACK with a wrong seq/ack; a real stack answers RST and retries SYN; second handshake SYN, SYN/ACK, ACK completes and the source is whitelisted
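The two handshake diagrams above, as an added simulation that is not part of the original talk or of the Nexusguard PoC: a mitigator that refuses the first handshake from an unknown source (variant 1 resets it, variant 2 answers with a wrong acknowledgement number), a client that behaves like an OS TCP stack and therefore retries, and a stateless spoofed flood that never does. The whitelisting rules (one retried SYN, or one RST whose seq echoes the bogus ack) are assumptions about how such an appliance validates the peer; real products differ in detail. Segment objects stand in for packets, so this runs offline.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    flags: str        # "SYN", "SYN/ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0


class SynAuthMitigator:
    """Sits in front of the server and never completes the first handshake
    from a source it has not seen. Assumption: one proof of a real stack
    (a retried SYN, or a RST that echoes the bogus ack) is enough to whitelist."""
    BOGUS_ACK = 0x7FFFFFFF  # deliberately wrong acknowledgement number (variant 2)

    def __init__(self, mode):
        assert mode in ("rst", "bad_seq")
        self.mode = mode
        self.pending = set()       # sources that received a first-try refusal
        self.whitelist = set()
        self.server_log = []       # segments actually forwarded to the origin

    def on_segment(self, seg):
        if seg.src in self.whitelist:
            self.server_log.append(seg)
            if seg.flags == "SYN":  # the origin answers the handshake normally
                return Segment("server", "SYN/ACK", seq=1000, ack=seg.seq + 1)
            return None
        if seg.flags == "SYN" and seg.src not in self.pending:
            self.pending.add(seg.src)
            if self.mode == "rst":  # variant 1: reset the first SYN outright
                return Segment("mitigator", "RST", ack=seg.seq + 1)
            # variant 2: SYN/ACK whose ack number cannot match the client's ISN
            return Segment("mitigator", "SYN/ACK", seq=1, ack=self.BOGUS_ACK)
        if seg.src in self.pending:
            retried = self.mode == "rst" and seg.flags == "SYN"
            reset_ok = (self.mode == "bad_seq" and seg.flags == "RST"
                        and seg.seq == self.BOGUS_ACK)
            if retried or reset_ok:
                self.pending.discard(seg.src)
                self.whitelist.add(seg.src)
                if retried:         # forward the retried SYN to the origin
                    return self.on_segment(seg)
        return None                 # everything else is silently dropped


def real_tcp_stack(mitigator, src, isn=5000, max_retries=3):
    """Behaves like an OS stack (which the PoC simply reuses): retries after a
    RST, and resets a SYN/ACK whose ack number is not isn+1 (RFC 793).
    Returns (trace of flags seen on the wire, whether the handshake completed)."""
    trace = []
    for _ in range(max_retries):
        trace.append("SYN")
        reply = mitigator.on_segment(Segment(src, "SYN", seq=isn))
        if reply is None:           # dropped: wait for the retransmit timer
            continue
        trace.append(reply.flags)
        if reply.flags == "SYN/ACK" and reply.ack == isn + 1:
            trace.append("ACK")
            mitigator.on_segment(Segment(src, "ACK", seq=isn + 1, ack=reply.seq + 1))
            return trace, True
        if reply.flags == "SYN/ACK":  # bad ack: the RST carries that ack as its seq
            trace.append("RST")
            mitigator.on_segment(Segment(src, "RST", seq=reply.ack))
        # RST received (variant 1) or sent (variant 2): loop and retry the SYN
    return trace, False


def spoofed_flood(mitigator, count):
    """A stateless SYN flood from forged sources (constructed addresses):
    one SYN each, no retry, so nothing ever reaches the whitelist."""
    for i in range(count):
        mitigator.on_segment(Segment("10.0.%d.%d" % (i // 256, i % 256), "SYN", seq=i))
    return len(mitigator.whitelist)
```

The trace produced by `real_tcp_stack` against the "rst" mitigator is SYN, RST, SYN, SYN/ACK, ACK, and against the "bad_seq" one SYN, SYN/ACK, RST, SYN, SYN/ACK, ACK, which is exactly why a PoC built on the OS stack passes while a raw-socket flood does not.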
HTTP redirect authentication: GET /index.html; HTTP 302 redirect to /foo/index.html; GET /foo/index.html; HTTP 302 redirect to /index.html; GET /index.html is now served
HTTP Cookie authentication: GET /index.html; HTTP 302 redirect to /index.html with Set-Cookie: foo=bar; GET /index.html with Cookie: foo=bar; the mitigator checks the cookie on each redirected request and finally serves GET /index.html
HTTP Cookie authentication, custom-header variant: the token travels in a custom header ([X-Header: foo=bar]) on the 302 redirect to /index.html and the client must send [X-Header: foo=bar] back on the next GET /index.html before the page is served
JavaScript challenge: GET /index.html; the page contains a JS puzzle such as 7+nine=? ; the client computes ans=16 and POSTs it to /auth.php; HTTP 302 redirect to /index.html; GET /index.html is served
CAPTCHA: GET /index.html; a CAPTCHA is shown (e.g. the text "overlooks inquiry"); the client POSTs ans=... to /auth.php; HTTP 302 redirect to /index.html; GET /index.html is served
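The HTTP-layer exchanges above, as an added example that is not the talk's PoC code: a stateful front end that walks each source through the redirect, cookie and JavaScript challenges before whitelisting it, the minimal client logic a bypass tool needs (follow 302s, echo Set-Cookie, solve the arithmetic puzzle without eval, POST ans= to /auth.php), and a flood tool that ignores responses and therefore never reaches the origin. The stage machine, the per-source cookie token, the "ans=16" body format and the origin-side bookkeeping are assumptions for the simulation; the puzzle "7+nine=?" and the paths are the slide's own. The solver is more general than the slide's one case (digit or spelled-out operands, + or -).

```python
import re
import secrets

NUMBER_WORDS = {w: i for i, w in enumerate(
    "zero one two three four five six seven eight nine ten".split())}


def solve_js_challenge(expr):
    """Evaluate a '7+nine=?' style puzzle. Operands may be digits or number
    words, the operator + or -. Parsed by regex rather than eval(), because the
    challenge text is untrusted input to the tool that solves it."""
    m = re.fullmatch(r"\s*(\w+)\s*([+-])\s*(\w+)\s*=\?\s*", expr)
    if not m:
        raise ValueError("unrecognised challenge: %r" % expr)
    a, op, b = m.groups()

    def to_int(tok):
        return int(tok) if tok.isdigit() else NUMBER_WORDS[tok.lower()]
    return to_int(a) + to_int(b) if op == "+" else to_int(a) - to_int(b)


class ChallengeFrontEnd:
    """Simulated mitigator (assumed stage order): redirect -> cookie -> JS.
    Once a source is whitelisted every request is forwarded to the origin."""
    def __init__(self):
        self.state = {}        # src -> current stage
        self.token = {}        # src -> expected cookie value (random per source)
        self.answer = {}       # src -> expected JS answer
        self.whitelist = set()
        self.forwarded = []    # (src, method, path) that reached the origin

    def handle(self, src, method, path, headers=None, body=""):
        headers = headers or {}
        if src in self.whitelist:
            self.forwarded.append((src, method, path))
            return 200, {}, "<html>origin content</html>"
        stage = self.state.setdefault(src, "redirect")
        if stage == "redirect" and path == "/index.html":
            self.state[src] = "redirect_back"
            return 302, {"Location": "/foo/index.html"}, ""
        if stage == "redirect_back" and path == "/foo/index.html":
            self.state[src] = "cookie"
            return 302, {"Location": "/index.html"}, ""
        if stage == "cookie":
            token = self.token.setdefault(src, secrets.token_hex(4))
            if headers.get("Cookie") == "foo=" + token:
                self.state[src] = "js"       # cookie echoed: next challenge
            else:
                return 302, {"Location": "/index.html",
                             "Set-Cookie": "foo=" + token}, ""
        if self.state[src] == "js":
            if method == "GET" and path == "/index.html":
                self.answer[src] = 16        # the slide's puzzle 7+nine=?
                return 200, {}, "<html><script>challenge('7+nine=?')</script></html>"
            if method == "POST" and path == "/auth.php":
                if body == "ans=%d" % self.answer.get(src, -1):
                    self.whitelist.add(src)  # whitelist pass gained
                    return 302, {"Location": "/index.html"}, ""
                return 403, {}, "wrong answer"
        return 302, {"Location": "/index.html"}, ""  # anything else: back to the entry point


def minimal_bypass_client(front, src, target="/index.html", max_hops=10):
    """What a bypass tool needs beyond a raw GET: follow Location, keep
    Set-Cookie, extract and solve the puzzle, POST the answer. Returns
    (status of the first non-challenge response, number of requests used)."""
    cookies = {}
    method, path, body = "GET", target, ""
    for hop in range(1, max_hops + 1):
        headers = {"Accept": "text/html,image/gif,image/jpeg,*/*;q=0.8"}  # browser-like
        if cookies:
            headers["Cookie"] = "; ".join("%s=%s" % kv for kv in cookies.items())
        status, rhdrs, rbody = front.handle(src, method, path, headers, body)
        if "Set-Cookie" in rhdrs:
            name, value = rhdrs["Set-Cookie"].split("=", 1)
            cookies[name] = value
        if status == 302:
            method, path, body = "GET", rhdrs["Location"], ""
            continue
        puzzle = re.search(r"([\w\s+-]+=\?)", rbody)
        if status == 200 and puzzle:
            method, path = "POST", "/auth.php"
            body = "ans=%d" % solve_js_challenge(puzzle.group(1))
            continue
        return status, hop
    return None, max_hops


def dumb_flood(front, src, requests=100):
    """A flood tool that never reads responses: it is stuck at the first
    redirect forever. Returns (302 count, requests that reached the origin)."""
    statuses = [front.handle(src, "GET", "/index.html", {"Accept": "*/*"})[0]
                for _ in range(requests)]
    return statuses.count(302), sum(1 for f in front.forwarded if f[0] == src)
```

Six requests are enough for `minimal_bypass_client` to get whitelisted (two redirects, one cookie round trip, the puzzle page, the POST, the final GET); after that every further request from that source is forwarded untouched, which is the "fire away freely" step. Whitelisting is keyed on the source address alone, so nothing in this front end distinguishes the tool's 7th request from a browser's.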
CAPTCHA solving in the PoC: five steps (1. 2. 3. 4. 5.), one of which works on a 3x3 grid; the step details did not survive extraction
Proof Of Concept: implementation
TCP layer: the PoC reuses the OS TCP/IP stack, so SYN retries and RST handling behave exactly like a browser's
HTTP layer: redirects are followed, cookies are stored and replayed, and the JavaScript challenge is executed by a JavaScript engine with a DOM
HTTP headers must look like a browser's: a tool typically sends Accept: */* whereas a browser sends Accept: image/gif, image/jpeg, ...
Proactive Resource Release
Thank You!
tony.miu@nexusguard.com
leng@bloodspear.org
alan@bloodspear.org
albert@bloodspear.org
http://www.bloodspear.org
Twitter: @b100dsp34r