Universal DDoS Mitigation Bypass

Presented at Black Hat USA 2013, July 31, 2013, 2:15 p.m. (60 minutes)

Today's commercial DDoS mitigation technologies employ many different techniques for identifying DDoS traffic and blocking these threats. Common techniques range from basic malformed-traffic checks, to traffic profiling and rate limiting, to traffic source verification and so on, with captive redirection utilizing JavaScript- or CAPTCHA-based authentication being the most effective by far. However, in our research weaknesses were found in each and every such technique. We rolled all our exploits into a PoC attack tool, giving it near-perfect DDoS mitigation bypass capability against all existing commercial DDoS mitigation solutions. The ramifications are huge because, for the vast majority of web sites, these mitigation solutions stand as their last line of defense, and having this last line breached can expose these web sites' backends to devastating damage. We have surveyed extensively the entire range of DDoS mitigation technologies available on the market today, uncovering the countermeasure techniques they employ, how they work and how to defeat each of them. Essentially, bypass is achieved through emulating legitimate traffic characteristics. Afterwards our attack tool is introduced to demonstrate how all these exploits can be brought together to execute a "combo attack" to bypass all layers of protection in order to gain access to the backend. To coincide with the publication of this talk, our highly effective attack tool will be made freely available. The effectiveness of this tool is illustrated via testing results against specific DDoS mitigation products and popular web sites known to be protected by specific technologies. To conclude our research, a next-gen mitigation technique is also proposed as a countermeasure against our attack methodology.

Presenters:

  • Wai-leng Lee - Bloodspear Research
    Dr. Wai Leng Lee, VP of Engineering, Bloodspear Research. With "Impossible is Nothing" as his motto, Dr. Lee never fails to impress with his ingenious implementation prowess. With years of SOC experience behind him, systematic security engineering and process optimization are his specialties. As a testament to his versatility, Dr. Lee has previously presented at conferences across various disciplines including ACM VRCIA, ACM VRST, IEEE ICECS and IEEE ECCTD.
  • Albert Hui - Bloodspear Research
    Having spent years breaking and protecting IT systems for investment banks, government and national critical infrastructures, Albert is an established guru on high-sensitivity mission-critical systems security. As a natural-born Sherlock Holmes, he takes pride in having co-designed the original digital forensics curriculum for the Hong Kong Police Force. Recently, at the 5th Annual HTCIA Asia-Pacific Conference, Albert gave a talk on "Incident Response Triage". Albert is a SANS GIAC Advisory Board Member, a Digital PhishNet member, and a member of the Association of Certified Fraud Examiners. He is a current holder of GXPN, GPEN, GREM, GCFA, GCFE, GCIH, GCIA, GAWN, GSNA and CISA.
  • Tony Miu - BloodSpear Research Group
    As a battle-hardened veteran in the DDoS battlefield, Tony "MT" Miu has garnered invaluable experiences and secrets of the trade, making him a distinguished thought leader in DDoS mitigation technologies. At Nexusguard, day-in day-out he deals with high-profile mission-critical clients, architecting for them full-scale DDoS mitigation solutions where failure is not an option. He has presented at DEF CON 20 a talk titled "DDoS Black and White Kungfu Revealed", AVTokyo 2012 a talk titled "DDoS Black Kungfu Revealed, Japan edition" and at the 6th Annual HTCIA Asia-Pacific Conference a workshop titled "Network Attack Investigation".