
So let's start the next talk. Grab your seat, let's start the next talk. We have David Robinson, who will be talking about a hacker's view on DoS attacks. So let's welcome David to the stage.

Cool. Hello everyone, I'm Dave, or karit. I'm a hacker over at ZX Security in Wellington. I've talked at BSides Canberra before, back at number two, and helped run Kiwicon and done a bit of Kawaiicon as well.

So let's look at what we're going to look at today. We're going to go over what a denial of service attack is, why people are going to want to perform denial of service attacks, what they're going to target inside your organisations, how they're going to go about actually identifying these targets, and then we're going to look at how you can protect your systems and maybe prioritise and put together a little ordering of tasks into a plan, if you have to go back to work on Monday and actually think about some of this stuff.

Just up front, we'll get over some terminology. A denial of service attack is a class of vulnerabilities where it stops users being able to use a system as intended. I'm going to use "origin server" a lot. When I say origin server I mean the actual application server that's running a web application, something that's generally protected behind, say, a content distribution network, or CDN. When I say CDN, it's something that caches data near the users; it might have some web protections, some denial of service protections, and that's going to be your Cloudflare, your CloudFront, your Akamai, that type of thing. DoS versus distributed denial of service: DoS is the overall class of vulnerability, and a distributed denial of service attack, or DDoS, is a specific subset of DoS attacks where many nodes, AKA a botnet, are used to send the data or actually do the attack, hence it being distributed.

So what is a denial of service attack? As I said, it's when an attacker performs actions that make a system unavailable to users. These fall into two main categories: volumetric, and layer 7 / protocol attacks.

Volumetric is a bit like a traffic jam: you just send more traffic, more data, than the infrastructure can handle, it all clogs up, and nothing actually happens. And it's not necessarily always inbound traffic. For example, we were doing some DoS work with a customer a little while ago and it was actually the outbound we managed to saturate rather than the inbound. In this case they had a content distribution network in front of their system, but they had this big image, over a megabyte. If we just requested the image on its own it was fine, that was being cached. But if we added a GET parameter, a question mark and then some random string as a random GET parameter, the CDN was going "hey, I haven't seen this before, I'd better go and ask the origin server, get a copy of the image and pass that on". So what actually happened is we flooded the outbound pipe from the origin server out to the internet with these large images, because the GET requests going in can be quite small and the responses coming out were over a megabyte. So we actually really clogged things up that way.

Layer 7 / protocol attacks: this is when we exploit a weakness in the infrastructure or the application. These can be quite attractive to attackers because they're going to be low input for a high impact. For instance, one request ties up resources that stop other requests happening. And these are quite hard to block, because they're going to look like legitimate traffic, so it's going to be hard to filter out with sort of DoS scrubbing or other buzzwords, because it's going to look like normal users using the system as intended. If you've ever had a performance test report, you may see "hey, we found a couple of slow pages, it doesn't really matter, users don't really use these pages, don't worry about it; it's got an expensive database query, it's most probably not worth doing anything about it". From a performance testing perspective and a user perspective, yeah, that most probably makes sense. But as an attacker I'm going to see that and go "yep, that's what I want to hit over and over and over again", because that's chewing up CPU or RAM resources or something, so it's going to be a good attack potentially.

And these can also take the form of crashes and infinite loops. We have zip bombs, which is a large file that compresses down really small, so when some antivirus extracts it, say in your mail gateway or your file upload, it consumes all the disk or consumes all the RAM, because this zip file of hundreds of kilobytes suddenly becomes gigabytes or terabytes of data. Similarly there's the billion laughs recursive XML attack. A lot of frameworks now block it, but hey, we still find it from time to time. That little snippet of XML we've got there will expand out to be about 3 GB once all the recursion has been followed through.

So which one are attackers going to use, volumetric or layer 7? In a large attack they're most probably going to use both, because their attack has got a limited number of bots in their botnet, most likely, so they want to get their best value for money. They want to get the most impact on the target with the least amount of resources on their behalf, because they can make more money, if that's what they're doing, if they can attack more different targets.

So why would people perform a denial of service attack? You've sort of got to start thinking about the motives; the people attacking are going to have particular motives. There's the ransom / blackmail one. This is the one where you might get an email saying "hey, if you don't pay us so many Bitcoins by Wednesday we're going to perform a denial of service attack against you". This indicates there is a business behind this: they've got monthly KPIs to achieve, they've got to bring in so many Bitcoins, they've got to attack so many targets, they've got boards of directors and shareholders wanting dividends out of all the attacks they're
performing. So it's a business; it's full capitalism. Another thing: a group may just dislike your organisation. For instance, if you're a mining organisation, chances are there are some environmental groups who dislike what you're doing, so they're going to attack you because they just dislike you. And it can also be a distraction. If I'm an attacker and I want to actually exfiltrate some data or do a privilege escalation, and I want to get the security team looking somewhere else, I might launch a denial of service attack, because it's noisy, it's obvious, it's going to get the security team focused on the denial of service attack while I perform some other attacks in the organisation.

Back in August 2020 the New Zealand Stock Exchange, NZX, had a long series of denial of service attacks which went on for a few weeks. This was one of the blackmail type ones; there was a threat saying "hey, pay some Bitcoin or we keep DoSing you". Because of it the market was shut down and there was a lot of media coverage about it, and they sort of ended up in a bit of a Catch-22. NZX said "we're not going to pay the ransom", and normally the ransom crews, if you don't pay after a week or a couple of weeks, are going to move on somewhere else because they're not going to make any money. But because this was getting so much media coverage they had to keep on attacking, because otherwise they'd lose their credibility and lose their threat: if people know "oh, they'll just give up after a week, we don't need to worry about it", that ransom crew had to make sure that they kept going. So all the media coverage they could point at, the endless media coverage and the long ongoing denial of service attack, was a badge of honour, a certificate saying "hey, we actually know how to DoS, you'd better pay us money".

So how do you go about performing a denial of service attack? For volumetric, you're most probably going to need some sort of botnet to send all the data. There's lots of cheap devices, IP modems, routers, on the internet with default creds. You can have them send traffic: ICMP, UDP, TCP, HTTP. UDP can become quite interesting because it's reflective and it's also amplification. What I mean by that: it's reflective because UDP doesn't have a handshake like TCP, so you can spoof the source address. In this example the botnet does a DNS lookup, and instead of saying the source address is the botnet, it says the source address is the target. So when the DNS server responds, it responds to the target as opposed to the botnet. That's reflection. And then the botnet is going to be scaled out: it's going to do requests on a whole range of domains, there'll be a whole range of DNS servers in the middle, and then there's the target. Additionally there's amplification. A simple DNS lookup might be small, 20-odd bytes, and the responses can be up to 512 bytes, so if you find the right responses you can get like a 20 times amplification. If you've got one megabyte leaving your botnet, you've actually got 20 megabytes hitting the target.

And this can also be quite dangerous even if you're that reflective target in the middle. We had a customer a few years back who left an MS SQL port open to the internet, and this port was used in a reflective attack, and just over a weekend they received a multi-thousand-dollar Azure bill. And they weren't even the target of the attack; they just happened to be an innocent bystander and were just relaying as part of this attack. Luckily they talked to Microsoft, who wrote the bill off with a bit of a "hey, we won't do it again, please", because a multi-thousand-dollar bill can ruin a small business.

So how do you go about making botnets? Well, you look on the internet. There's a bunch of stuff that hasn't been patched and updated in years; it's 2013's stuff, people just put unpatched integrated lights-out management systems on the internet, so you can directly access the server online. These things have bugs that allow access to them. Some people just put creds on the front page of their websites. Some people put printers on the internet with no passwords. Or if that's all too complicated, it's 2023 of course, so there's an as-a-service for everything, including denial of service as a service.

Layer 7 attacks are going to be a little bit more difficult, because it's not just volume. The first thing is you're going to need to find a vulnerability in the application or the network that you want to target. Chances are you still might need a botnet, but the number of hosts is smaller. But in some cases you don't even need a botnet. We had an engagement where a customer had bought some denial of service protection and they wanted us to validate that it was all working correctly. We spent 12 cents an hour for an EC2 instance and took their system offline, because their system was designed for volumetric attacks but we came along with a layer 7 attack.

So what would an attacker actually target in an organisation? Like we had the motives before, these align also with the attacker's goals. If it's the blackmail ones, they want to disrupt business operations; they want to cause pain to the business so they pay up, because they just need to get business working again. If it's that issue-motivated group, they're going to do something that has public relations value; they want to do something public-facing in the hope that the media will cover it, and when the media says such-and-such a company had their site knocked offline with a denial of service attack, this issue-motivated group claims responsibility because they don't like the company doing X, Y and Z. And if it's distraction, you're most probably going to attack all the systems, because you want to spread that security team thin; you want that security team looking at everything but your actual data exfil, your privilege escalation, or whatever you're doing.

So target selection. If you're just a brochure website, a static website that just lists an about page and a contact us page, attacking that, what's really the point? Someone might need to use Google to look up your phone number. It's not really affecting any business income; there's no business impact. You want something that's going to affect business operations. So if you want to attack a website, you most probably want to get to the origin server. Even if they're using a content distribution network, you want to find a way to get past that and down to the origin server. There are many different ways that we can find what the origin server is. We've had customers who have put production behind a CDN, but CDNs cost money, so to save money they didn't put test behind the CDN. I don't know if anyone has sort of worked in the industry a bit, but what are the chances that the production server and the test server are behind the same firewall, running on the same host, or using the same database? Would people say it's fairly high? So even if I attacked the test system I'd actually be attacking the production system as well, because it's the same internet connection, the same CPU, the same firewall, the same RAM.

You can get origin servers in other ways as well. An attacker is going to be scanning the internet to find things that aren't just the public websites, the obvious things. I had those screenshots before; at ZX we've got a tool called Flaming P, a bit similar to Shodan with a bit of customisation for what we best need. It scans IP address space, it identifies what's there, it takes screenshots, it lists what ports are open. It's going to be fair to assume an attacker is going to be doing something similar to find all the non-obvious targets inside a business. One thing you can do is find branch sites and retail sites, because people will put their fuel tanks online, including how many litres are in every tank at a truck stop. Supermarket managers need to keep an eye on their supermarkets remotely, and people need to buy pizzas without a password and change all the prices without a password
either. And retail sites can be quite interesting, because you've got to assume that chances are it most probably only has one internet connection. So even if that sort of monitoring stuff is there, chances are that the point of sale, where you can swipe your card or do your payWave, is most probably using the same internet connection. If you take that out, what's the financial impact if a shop can't do sales for an hour, a day, a week? There's a lot of financial impact that's really going to affect business operations. So if you have retail sites or something, could an attacker easily identify these by what you've left online?

And this flows on to remote access as well, which has become more prevalent over the last few years. People will brand up their VPN login pages with a council's name and the fact that it's SCADA, so you know that's most probably some sensitive, important stuff if they're calling it SCADA. People, instead of using the default Outlook Web Access page, will brand it with their company name and their logo, so when you're scanning IP address space and you see this pop up, you know "hey, this is the company I want to target, I've found their OWA". And attacking remote access points is going to disrupt people working from home; it's going to make remote support more difficult: everything's down and the sysadmins can't log in to understand why stuff's down. You've also got to consider what traverses the same firewall as the VPN or the Outlook Web Access, because even if you don't take out a server directly, it's still most probably using the same firewall, the same internet connection, so there's going to be collateral damage with other business operations.

Another way to find hosts in a system is certificate transparency. Every time an HTTPS certificate is issued it gets added to a public ledger which you can look up. An attacker can use this to find hosts, or subdomains that could be hosts if they resolve in DNS. That can become interesting if these aren't behind a CDN; it can be useful for identifying origin servers, for instance. Here's an example from Google, this is the CT log for Google. It actually goes on much longer, but I had to trim it down so you actually had a chance of reading it on the screen. There's a whole bunch of different subdomains which you can then pump through a DNS lookup and find out where they are.

Also, spidering a site. We went back to earlier on and said "hey, do performance tests, you find slow queries". Even if you're on a CDN, the fact that one page is a lot slower than all the other pages will most probably indicate that it's not being cached. If it's not being cached, it's most probably having to go back to the origin server each time, because it's dynamic content or something like that, so if that's not cached that can be a good target. Sometimes spidering sites is just a good indication of whether someone has specced their servers correctly, because the number of times from my laptop I've accidentally taken sites down using Burp or DirBuster with the default 10 threads is more than I can actually count. And we've even had examples where we've typed our naughty strings into a search dialogue box, it's gone and broken the search in some way, and the whole site falls down. Again, some of this stuff can be real easy and you find it accidentally.

Emails. I'm not talking about email lists in this case, I'm talking about sign-up emails, password resets, ones that are emails actually coming out of the application itself. Email headers will list the IP addresses of every host involved in sending that email. Chances are some of the first IP addresses in those email headers are going to be the origin server of the web application, so you can use that to potentially find and attack that origin server, or some sort of bypass, or other servers to attack.

Another thing is historical DNS. DNS will generally only tell you the current DNS records, the IP addresses, for a host. What some places do is store historical DNS, so you can go back and look at what previous IP addresses were for a particular domain. This can be particularly interesting if a customer, or your target, has recently moved behind a CDN. If you go back one or two IP addresses before it was actually CDN IP addresses, that's most probably the origin server, because it's quite common that when someone moves to a CDN they don't actually change the IP address of the origin server. So if you use that old IP address you're actually hitting the origin server again.

Those have all sort of been technical requirements and technical attacks. There's also regulatory requirements, and how businesses interact with different systems, human-to-computer interfaces and things like that. If we go back to the New Zealand Stock Exchange example, it was only the website that was attacked. The actual trading platform, where people could trade and sell shares, was up all the time, but they still actually had to halt the market and stop trades, because there's a regulatory requirement that particular market documents need to be accessible to all market participants, and they were hosted on the website. So when the website went down these documents weren't available to the participants, and they had to actually halt the trading of shares.

And there's also collateral damage. If you use a service provider, a web host, to host some of your systems, what happens if one of the service provider's other customers gets attacked? Have they actually isolated each customer? Does each customer have dedicated internet connections? Do you have your own firewalls, your own web servers? What's the collateral damage if one of your service providers gets attacked? So a little story for collateral damage: we were doing another denial of service test for a customer. They had a site that was behind a CDN. We tested that site and it was all right; it was set up correctly, doing what
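The billion laughs snippet the speaker shows on his slide is the kind of input the following check is meant to catch. This is an added example, not the speaker's or ZX Security's code; it uses only the Python standard library, and both sample documents are constructed here. It reads the internal DTD, aborts parsing at the end of the DOCTYPE so the body (where the expansion would actually happen) is never parsed, and computes how big each entity would become without expanding it, so a document can be rejected before it costs any memory. Recent libexpat builds also enforce an amplification limit by default, but an explicit cap like this one is independent of which parser or version you ship with.

```python
"""Pre-parse check for entity-expansion (billion laughs) payloads.
Added example, not from the talk; standard library only."""
import re
import xml.parsers.expat

# Constructed sample: the classic billion laughs DTD. Each level references
# the previous one ten times, so &lol9; is 10**9 copies of "lol" (3 GB).
_DECLS = ['<!ENTITY lol "lol">'] + [
    '<!ENTITY lol%d "%s">' % (n, ("&lol%s;" % ("" if n == 1 else n - 1)) * 10)
    for n in range(1, 10)
]
BILLION_LAUGHS = (
    '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(_DECLS)
    + "\n]>\n<lolz>&lol9;</lolz>\n"
)
# Constructed benign document with one small entity, for contrast.
BENIGN = ('<?xml version="1.0"?>\n<!DOCTYPE doc [<!ENTITY co "ZX Security">]>\n'
          '<doc>&co; &amp; friends</doc>\n')

ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.\-:]*);")
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "apos": 1, "quot": 1}


class _DoctypeDone(Exception):
    """Raised from a handler to abandon parsing once the DTD has been read."""


def declared_entities(xml_text):
    """Return {name: replacement text} for internal general entities.
    expat hands over the literal replacement text, so nested references such
    as &lol8; stay unexpanded. Parsing is aborted at the end of the DOCTYPE,
    so the body is never touched and nothing is ever expanded."""
    entities = {}
    parser = xml.parsers.expat.ParserCreate()

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if not is_param and value is not None:
            entities[name] = value

    def doctype_end():
        raise _DoctypeDone

    parser.EntityDeclHandler = entity_decl
    parser.EndDoctypeDeclHandler = doctype_end
    try:
        parser.Parse(xml_text, True)
    except _DoctypeDone:
        pass
    except xml.parsers.expat.ExpatError:
        pass  # malformed input: report what was declared before the error
    return entities


def expansion_sizes(entities):
    """Expanded byte size of every entity, memoised so a deeply nested DTD
    costs O(number of entities) rather than the size of the expansion."""
    sizes = {}

    def size_of(name, stack):
        if name in sizes:
            return sizes[name]
        if name in PREDEFINED:
            return PREDEFINED[name]
        if name in stack:
            raise ValueError("entity reference cycle through %r" % name)
        value = entities.get(name)
        if value is None:
            return 0  # undeclared or external: nothing expands inline
        total, pos = 0, 0
        for m in ENTITY_REF.finditer(value):
            total += len(value[pos:m.start()].encode("utf-8"))
            total += size_of(m.group(1), stack | {name})
            pos = m.end()
        total += len(value[pos:].encode("utf-8"))
        sizes[name] = total
        return total

    for name in entities:
        size_of(name, frozenset())
    return sizes


def is_safe_to_parse(xml_text, max_entity_bytes=1_000_000):
    """Reject a document if any declared entity would expand past the cap."""
    sizes = expansion_sizes(declared_entities(xml_text))
    return all(size <= max_entity_bytes for size in sizes.values())


if __name__ == "__main__":
    worst = max(expansion_sizes(declared_entities(BILLION_LAUGHS)).values())
    print("largest entity expands to %.1f GB" % (worst / 1e9))
    print("billion laughs safe to parse:", is_safe_to_parse(BILLION_LAUGHS))
    print("benign document safe to parse:", is_safe_to_parse(BENIGN))
```

The cap is per entity rather than per document on purpose: a payload only needs one oversized entity, and sizing the entity graph catches it whether the body references it once or a thousand times. The same function also refuses cyclic entity declarations, which well-formed XML forbids but a parser that is not checking can still be made to chase.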
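The three origin-finding sources above (certificate transparency names, the Received: headers of mail the application sends, and historical DNS) are combined in the following added example, which is not the speaker's tooling. It runs offline on constructed data: the CT entries are shaped like crt.sh's JSON output (one name_value per certificate, newline-separated), DNS_ANSWERS stands in for live lookups (a real run would use socket.getaddrinfo), CDN_RANGES is a placeholder for the CDN's published edge prefixes, and all addresses are RFC 5737 documentation ranges. Anything that resolves to, or was historically at, an address outside the CDN ranges is reported as an origin candidate with the evidence for it.

```python
"""Origin-server candidates from CT names, e-mail Received: headers and
historical DNS. Added example; all input data is constructed."""
import email
import ipaddress
import re

# Placeholder: pretend 198.51.100.0/24 is our CDN's edge range.
CDN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed CT entries in the shape crt.sh's JSON uses.
CT_ENTRIES = [
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.example.com"},
    {"name_value": "test.example.com\nmail.example.com"},
]

# Constructed stand-in for live DNS answers (name -> A records).
DNS_ANSWERS = {
    "www.example.com": ["198.51.100.7"],    # behind the CDN
    "example.com": ["198.51.100.7"],
    "test.example.com": ["203.0.113.10"],   # test, not behind the CDN
    "mail.example.com": ["203.0.113.25"],
}

# Constructed password-reset mail. Each hop prepends its own Received:
# header, so the last one is the first hop: the box that generated the mail.
RESET_EMAIL = """\
Received: from mx.isp.example (mx.isp.example [192.0.2.40])
\tby inbox.example.org with ESMTP; Mon, 2 Oct 2023 10:00:02 +1300
Received: from app01.internal (app01.internal [203.0.113.10])
\tby mx.isp.example with ESMTP; Mon, 2 Oct 2023 10:00:01 +1300
From: noreply@example.com
To: user@example.org
Subject: Password reset

Click the link to reset your password.
"""

# Constructed historical DNS for www.example.com, oldest first.
DNS_HISTORY = [
    ("2021-03-01", "203.0.113.10"),
    ("2022-07-15", "203.0.113.10"),
    ("2023-01-10", "198.51.100.7"),  # moved behind the CDN here
]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_cdn(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def names_from_ct(entries):
    """Unique hostnames seen in CT entries; wildcards reduced to their base."""
    names = set()
    for entry in entries:
        for name in entry["name_value"].splitlines():
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name:
                names.add(name)
    return sorted(names)


def ips_from_received(raw_message):
    """IPs from Received: headers, earliest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        m = IPV4.search(header)
        if m:
            hops.append(m.group(1))
    return list(reversed(hops))


def pre_cdn_ips(history):
    """Addresses the name pointed at before it resolved into the CDN."""
    return sorted({ip for _, ip in history if not is_cdn(ip)})


def origin_candidates(ct_entries, dns_answers, raw_email, history):
    """Map non-CDN address -> list of reasons it may be the origin."""
    evidence = {}

    def add(ip, why):
        if not is_cdn(ip):
            evidence.setdefault(ip, []).append(why)

    for name in names_from_ct(ct_entries):
        for ip in dns_answers.get(name, []):
            add(ip, "CT name %s resolves to it" % name)
    hops = ips_from_received(raw_email)
    if hops:
        add(hops[0], "first hop in application e-mail")
    for ip in pre_cdn_ips(history):
        add(ip, "historical DNS before the CDN move")
    return evidence


if __name__ == "__main__":
    found = origin_candidates(CT_ENTRIES, DNS_ANSWERS, RESET_EMAIL, DNS_HISTORY)
    for ip, reasons in found.items():
        print(ip, "<-", "; ".join(reasons))
```

Run as a defender, the useful output is any address that shows up with more than one line of evidence: that is the host the talk says an attacker will aim at, and it belongs behind the same CDN and firewall rules as production, or at least on an address that is not reachable from the internet.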