
Thank you very much. So this is real me... oh, this isn't... um, basically I'm old. I remember Java 1.2; I actually used it. I started my sort of journey into appsec as a bog-standard software developer. I had several stints at several boring things, and a few years ago I moved into application security. Over the course of my career I've had lots of different hats, as you end up having to know everything in order to know something. I generally go off on tangents when I talk, so please stop me. I've never done a lightning talk before; I tend to ramble on quite a bit, and I'm going to try not to do that.

So in this talk I want to talk about... not the distributed ones that we're all so familiar with, where some bad actor throws terabytes of traffic against some unsuspecting server. I'd rather talk about precision strikes and how they perform, and I'm going to use an example from the Play framework and talk about how these kinds of attacks can be automatically amplified, and what we can do about it.

So to start off with, like I said, it's small targeted attacks. You want a precision strike; we don't want to have lots and lots and lots of packets that some sort of DDoS protection never lets through. So what it sort of looks at is: what does the infrastructure look like? When your typical user wants to talk to an application, they typically go through a content delivery network, then through a web application firewall, then it hits a number of proxies and load balancers, and at some point it's the application, which has got some database. Along the way, in any sort of infrastructure, you have got protections built in: the CDN will protect against DDoS, the WAF will protect against lots of different things, and then it all gets through to the application. So the analogy that I've sort of drawn here is the attack on the Death Star I showed previously: a fleet of Imperial Star Destroyers is not going to do much good. You need a small targeted mission to get there, so effectively you need to find the trench and use the Force.

So what I want to focus on here is a specific vulnerability that, blowing my own trumpet, I found, and it's in the Play framework. I'm not going to read out all this text, but essentially what we found is that you can send a payload of JSON, and this is valid JSON, which is just an array nested inside an array nested inside an array. If you continue that to somewhere else in the lecture theatre, you get something that, with Play, causes an out of memory exception. It basically blows up the application, and the application then quits with this error message, because you've not set a particular configuration. I'm just going to add that this is actually the thing that you want, because when things go wrong, maybe the best thing is to stop and have something else restart it. As we all know, in software engineering the only other thing that we ever do to fix things is to turn it off and on again.

So this then leads me to this idea of automatically amplifying an attack. If I submit this payload, the square brackets one, it dies and sends back, usually, an HTTP 503, which indicates something went wrong. Now, what typically happens in any infrastructure is the load balancer will look at that and go, oh, something went wrong, I'm going to send it on to another instance, which then dies again, because that's the nature of the three tries I've typically seen in instances. So one single request can kill three instances.

Now, the first sort of thought was: well, you know, we've got infrastructure, we've got self-healing stuff, we've got auto scaling groups, we automatically restart our things. We're no longer living in a place where applications are manually started, basically logging into the systems and booting up an application through a sequence of 10 steps. Well, I hope we're not there anymore, and in reality we probably all still deal with some legacy systems where that is exactly what happens. But anyway, let's assume that we're somewhere in the nice cloud and we've got self-healing and auto scaling groups and automatic restarts, and there's me sitting with a line of bash that just sends the same request every 10 seconds. Because typically our infrastructure does three tries, and it sort of self-heals and restarts all these things, but they're not back instantly; it takes a while for these things to come up. If I can just sit there with 50 requests, that's effectively killed 150 instances. I can sit there and bring down sites quite, quite easily.

And the beauty of this is, the web application firewall that you typically have in front of an infrastructure will not save us either, because they're good against abnormal requests. You know, somebody sends you a request with a Log4Shell payload and the WAF will catch that. The attack that I was describing here is different, not because it's different, but because typically the WAFs only inspect the first 8 or 16 kilobytes of a message, and if I put 60,000 spaces at the front of my payload then the WAF has got nothing to inspect and it will hit the load balancer. If you don't pay for this... this works because Play by default accepts payloads of that size, and the angle brackets that are going over to the lecture theatre, they don't need... so yeah, the maths works.

And look, surely a bit of dependency analysis, some vulnerability tool, will catch this, because, as I've said before, we identified this particular vulnerability and we've looked at it: it's got a CVE, it's in all the vulnerability databases, and software composition analysis tools will identify that we're using Play. But interestingly, the score of that is only a 7.5, and as it happens that is the maximum CVSS score that you can get for something that's just a denial of service. Unless it's something like a sexy remote code execution, you won't find more than 7.5. I've seen lots of vendor presentations where they go, "this tool is great, you can set your policies, and any score that is higher than 8 will automatically block you", and what that means is that when you only have a score of 7.5 you might think... actually, that's what you might think: yeah, I've gone and blocked all the vulnerabilities. So you really have to sort of check all the CVEs, especially... and this is just an example. There's a whole class of vulnerabilities where if you use regular expressions to validate some data, and it's very easy to do that in your own code, the developer says, all right, I just want to verify this pattern, but you can craft strings at that point, not long ones, that cause something to just keep the CPU and sit there for 10 minutes spinning, and that's effectively going to be the same as killing an instance. So there's lots of vulnerabilities that will not actually... anyway.

And so the lessons that I wanted to sort of take away from this are to take denial of service seriously, because if you imagine that you're running your website organization and somebody comes along and just starts sending 50 requests at a time over the course of, you know, over the course of... you're going to start dropping out every time a request hits it. And yeah, what can you do against that? I think the best thing is to sort of just be aware of any vulnerability that comes in through one of your libraries which might contain something that could be classed as a CVSS 5, and you sort of look at the CVSS score of 5 and look at it and say, ah, this might affect me. And really, in order to be able to find this, I need the right observability in the system to see what went on; if it's just a graph of instances, I'm not really sure what kind of payloads are being sent. As with anything, it's good... it's interesting. I'm not saying that the CDNs or WAFs or all these things are useless; they serve a purpose, but it's a Swiss cheese model, there are layers to everything, and I thought this was an interesting sort of topic and situation. So that's... I'm not sure how long I was on there. Any questions?

What's the kind of protection or the metrics that we can use in operations, I guess, to sort of highlight that this is occurring, but also to resolve it without necessarily having the underlying fix available?

Well, I think one of the things to look at is somebody needs an overall understanding of what things do. You know, if this Play service, for example, is used as a front-end service that just serves out form-based posts and HTML, does it have to be able to accept JSON content? One of the reasons why this is an interesting vulnerability is because even if you're just using form-based HTTP requests, you can actually send JSON to the same endpoint, and Play will try to convert it and fall over in the process. Or reduce... and we all patch everything to all the latest versions all the time, right? I think the thing really is to have some sort of program where you can look at the security of your systems and those little things, and that means probably somebody will have to evaluate every one of the CVEs. Is that all right? Yeah.

Do you have any particular resources to actually identify these vulnerabilities?

I mean, one of my favourites was... I'm going to... [inaudible]... just a box running a web proxy, Burp or something like that, to inspect what's going on, and just curl to sort of try hitting things and playing with them. This vulnerability we found, we were playing around with what happens if there's a nested thing, just create a huge amount of angle brackets, and something happens. I think this is the problem with sort of finding issues: a lot of it is a lot of good experience, and finding something involves, it looks a bit strange, and more sort of scratching that itch, pulling on that string, and running out of clichés. But that's why I think so many things... you don't know where to look at that scale. I think they can look back; can you look back, if you've logged the last two weeks of payloads, and that then allows you to do everything. But unfortunately I think ultimately it's a case where somebody will have to look at it. If you just put in a few automated alerts, "oh, my errors go over 5%", for the rest: not fine, fix it. Well, thank you very much. [Applause]
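A defender-side check for the padded, deeply nested JSON the talk describes, written here as an added example (not code from the talk or from the Play framework): it walks bracket depth over the whole request body rather than only a leading window, so tens of kilobytes of leading whitespace cannot hide the nested tail from inspection. MAX_DEPTH, the 16 KB window and the two sample payloads are assumptions.

```python
# Added example, not from the talk or the Play framework: a nesting-depth guard
# for JSON request bodies that scans the WHOLE body, not just a leading window,
# so leading whitespace padding cannot hide the deeply nested tail.
# MAX_DEPTH, WAF_WINDOW and the sample payloads below are assumptions.

MAX_DEPTH = 64          # assumed limit; set to what the application really needs
WAF_WINDOW = 16 * 1024  # assumed size of the prefix a naive inspector looks at


def max_nesting_depth(body: bytes) -> int:
    """Deepest []/{} nesting in body, ignoring brackets that appear inside strings."""
    depth = deepest = 0
    in_string = escaped = False
    for b in body:
        c = chr(b)
        if in_string:                 # skip string contents, honouring \" escapes
            if escaped:
                escaped = False
            elif c == "\\":
                escaped = True
            elif c == '"':
                in_string = False
            continue
        if c == '"':
            in_string = True
        elif c in "[{":
            depth += 1
            deepest = max(deepest, depth)
        elif c in "]}":
            depth -= 1
    return deepest


def prefix_only_check(body: bytes, window: int = WAF_WINDOW) -> bool:
    """Model of an inspector that only sees the first `window` bytes. True = accept."""
    return max_nesting_depth(body[:window]) <= MAX_DEPTH


def full_body_check(body: bytes) -> bool:
    """Guard that walks the entire body before it reaches the JSON parser. True = accept."""
    return max_nesting_depth(body) <= MAX_DEPTH


# Constructed payloads: an ordinary request body, and the padded nested-array one.
BENIGN = b'{"user": "alice", "tags": ["a", "b"], "note": "brackets [ ] in a string"}'
PADDED = b" " * 60_000 + b"[" * 5_000 + b"]" * 5_000

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("padded", PADDED)):
        print(f"{name}: prefix-only accepts={prefix_only_check(body)} "
              f"full-body accepts={full_body_check(body)}")
```

The prefix-only model accepts the padded body because its first 16 KB are all spaces, while the full-body guard rejects it; the same depth limit should also be enforced in the JSON parser itself, since a pre-filter can be bypassed by anything that reaches the application another way.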