
Good morning everyone, and welcome to our DDoS attack mitigation session. My name is Blim Rea. I will be chairing the presentation today and guiding you through it. Castot, maybe the slides? Yes, good. I'll be chairing the presentation today and guiding you through this hands-on experience on attack mitigation with my senior colleagues V Roa and Kri F and three excellent students, Al Di and Mal D.

Our presentation outline is as follows. I am supposed to stand here, but... We will start with a short introduction about the motivation for DoS attacks and the anatomy of DoS attacks: why we are using DoS attacks, and why DoS attacks are still among us. We will continue by explaining the infrastructure setup, how and what we have prepared for you today and what is needed to run these DoS attacks. We have prepared five scenarios, starting bottom-up from the simplest one, a DoS attack from a single IP, then complicating every step: a DDoS attack from a single country with multiple IPs, a very interesting one with a command and control attack, and the last one, advanced DDoS attacks. We will conclude our presentation with a few takeaways that I think everybody should take from our presentation.

Why are we using denial of service attacks, and what is a denial of service attack? There are many definitions of denial of service; I have gathered three of them from the three most important big players on the market, starting with Cloudflare. We will be referring to Cloudflare later on, as the example we have prepared today is based on Cloudflare. A DDoS attack, a denial of service attack, is a malicious attempt to overwhelm a web property. CISA, the United States computer information security agency, defines DoS attacks as when legitimate users are not able to access the web services. And the third definition is from ENISA; ENISA is the European Network Information Security Agency. They define a DoS attack as when legitimate users cannot access the web services and are totally denied this service. These are the three main players we will be referring to later on in our presentation.

Why are we still dealing with DoS attacks?
They are still among us. In fact, the first DoS attack happened in 1996. Yes, 1996 is the first recorded DoS attack incident, but still nowadays we have DoS attacks on many large companies like Microsoft, Google, Amazon and so on. Even last year Cloudflare reported the largest HTTP DDoS attack, with 71 million requests per second. In our presentation we will also be referring to HTTP DoS attacks, but in order to understand HTTP DoS attacks we will go down a layer, to our network layer, just to show what the anatomy of a DoS attack is. In fact, DoS attacks are still a constant concern for many institutions and for every organization. But we have evidence recently that DoS attacks are becoming easier: as you can see here, we have only three laptops, so it means it's very easy to conduct them. They are cheaper: a DoS attack requires only an internet connection and a laptop on which you can run your source code. And what concerns everyone very much is that DoS attacks are becoming very aggressive. ENISA just filed a report about DoS attacks from 2022 and 2023, and here I have just summarized the results of this report. It can be summarized in these statistics: 40% of the DoS attacks were targeting public administration, so if by any chance a public administration officer is among us, they should know that they are the main target. 50% of these attacks were motivated by the war in Ukraine, the aggression by Russia. 56% of these attacks totally caused the disruption of services; this is very, very important, so if you are under a DoS attack it means that with a probability of 56% you have a total disruption of your services. And two thirds of them are politically motivated. Having said this, it gives us the motivation still today to have a demo about DoS attacks and mitigation techniques, which are very important to protect our web services and web resources.

In order to understand DoS attacks we need to boil down to the TCP segment structure, just to recall from your computer network courses: when a
source and a destination are trying to communicate with each other, they establish a communication, and here comes the TCP segment structure, and especially this negotiation phase that we call the three-way handshake. During this three-way handshake, which is a negotiation between client and server, between two nodes, one particular bit is very important: the so-called SYN bit, which is here marked in red. If a client starts an initiation with a server, it sets the SYN bit to one, telling the server that it is starting a negotiation for all the parameters that are needed to have a reliable TCP connection, where for example the client sets the client's initial sequence number and the server allocates the server's initial sequence number, the acknowledgement number and other resources. But what happens here, and exactly at this point, is that the malicious user exploits this behavior of the TCP segment structure. The same analogy goes for HTTP at the application layer; our presentation today covers only the application layer, HTTP requests, which follow the same pattern. What happens in reality: the malicious user, present here, sends many SYN initiation bits and packets; we call this a SYN flood, flooding the server with many requests for which the server needs to allocate resources, buffers and so on, depleting all the server's resources. In the SYN flood the server answers with acknowledgements, but these acknowledgements are never accepted by the client, or in the worst case they go to spoofed IP addresses of clients that never initiated such a request. So the server is busy with these requests, and in this time the legitimate client will be denied its service. Furthermore, we can capture these packets with the Wireshark tool, as it's more familiar to you, and here you can see my packets on my client, my laptop at my home address, and the server on Cloudflare, and here you can see the SYN bit set to one. So these packets go at the beginning of every negotiation. The same analogy also holds for HTTP requests that are sent to the server and remain open until the client responds to them, but the malicious user exploits them. In order to
showcase the DoS attacks in these five scenarios, let me give you a small overview of our infrastructure setup. I will call Naan to continue.

Yes, thank you Professor Raaza. So now we are going to show the infrastructure that we have prepared for all scenarios. The infrastructure is very simple; nothing complicated, as you see in the slide. We have used Hetzner as cloud provider, so we have set up a server there. The server is set up on Ubuntu, and we have installed WordPress, which has a database. Since the focus is not to defend or protect the WordPress itself but to handle the DDoS that may come from attackers, we have used Cloudflare, where we have registered the domain. As you see in the slide, there is also a Hetzner firewall; we didn't configure this firewall, we left it with default parameters, because the aim is to handle all the requests from Cloudflare. It is also important to highlight that direct access from a user, who may be an attacker, to the server is not possible, because all the requests will go through Cloudflare: since they will type the DNS name, it will go through Cloudflare. So the only way would be if they knew the IP address of the server, but at the Cloudflare level we have used the proxy and the IP address will not be shown. We are going to explain how the infrastructure looks, but maybe you are interested in how the product looks. We have just published a simple free-template WordPress site, bide d.com, that everyone can access, just to show a real example of how this specific website hosted in this kind of environment works and looks.

Coming to the Cloudflare configuration and Cloudflare overall: most people think that if you want to protect your infrastructure, your web application, you just need to have Cloudflare, but it's not true,
because even when you configure Cloudflare you might make some mistakes. Cloudflare is a platform that has many features; one of them is that it can be used only as a DNS service provider, just to link the DNS records. And if you do that, like we are showing here in this presentation, with a record where we are pointing this domain to this IP that we have actually masked, and you leave this proxy toggle without enabling it, you will have only a DNS record, and this way you can expose your IP, and all the rules that you are applying in the Cloudflare firewall will not be applied. So everything is going to go through as if you hadn't implemented any firewall between the end users and your servers. So it's very important, when we do the Cloudflare configuration, if you want to have the full protection, to enable this proxy.

The other thing that you might see here: a lot of companies have the same domain serving different applications; they might be served on different servers or on the same server. If you see here in the slides, this subdomain of the University of Pristina is going through Cloudflare, the second one is going through Cloudflare too, but this one, the web subdomain of the University of Pristina education domain, is not going through Cloudflare. We don't know if this was the purpose, if it should be like this, or the administrator forgot it, but in this case the administrator has actually exposed the IP. A lot of small to medium companies use the same server to serve multiple applications, and if this is the case for the University of Pristina, what we can do as an attacker is just attack the IP directly, and this way we are going to bypass the Cloudflare configuration and Cloudflare
protection, because the traffic will not go through the Cloudflare firewall but will go directly to the IP, and in this case we can probably do more damage attacking the IP directly than going through the domain.

The third scenario is something called DNS history. A lot of companies for many years had the default configuration of simple DNS records, and after they were attacked they decided to go through Cloudflare. But what happened is that a lot of organizations and a lot of service providers used to cache DNS records as they used to be, like two or three years ago. We have analyzed the bze Pisa website and we have seen that in 2022 they switched from Amazon DNS to Cloudflare, but actually we can see here that the IP address from Amazon is still showing in the DNS history. If bze Pisa haven't changed the IP of the server, it means we can directly attack the IP without going through the Cloudflare protection. So these three examples are very common mistakes: a lot of people who just want to protect their application just buy Cloudflare and they think they are safe, but they make configuration mistakes on it. So always, if you have a legacy application that was running on your server without Cloudflare, first implement Cloudflare, and after that change the IP to point to another IP, and do not use the legacy IP that you have used before. Thank you.

Let's now dive into our five scenarios. We have prepared the first, very simple scenario. Let me show you here: Castot and Vgan will be on the server side; they will explain what happens in Cloudflare and what kind of configuration they are undergoing in order to protect against this massive attack, and here my three young colleagues, starting from Alar, Dea and Alba, will be playing attackers, one at a time individually and sometimes together. So the first scenario will be just an attack from a single IP. I will ask
Alba to continue and show us how simple it is to write the code and to execute a DoS attack.

Thank you Professor. So let's start with the first live demonstration. In this case we are going to do this attack from a single IP. Sometimes some things are really easy to do. We know that everyone here is familiar with ChatGPT; you don't have to have a ChatGPT premium account. Right now I'm using ChatGPT 3.1, which is not the latest version of ChatGPT. This attack will be really easy if I ask ChatGPT in this way. So my question for ChatGPT will be like: write a Python script that connects to a destination server, given...

This is just to showcase how easy it is to write the Python code that will run in parallel and will bring down a server, if this is exposed with an IP address or is put on Cloudflare without proper configuration. In the meantime, I think Alba is trying to put a proper question to ChatGPT. Take your time, Alba. We have tested this many times; the code runs perfectly. So you don't have to be a computer scientist in order to ask ChatGPT and to run the Python code. So we just give her some time, without stress.

Okay, and generate properly, given... okay. So my question for ChatGPT will be in this way. If I press enter, ChatGPT is going to generate me the code; ChatGPT doesn't generate the same code every time. To be transparent, I will copy this code and paste it in Visual Studio. After I paste this code, I create a file, like before, a test file, and I will save this file. After I save the file we go to the terminal and we execute it. So: cd Desktop, this is where my Python file is saved, and I'm going to run this code in this way: python test.py. So our code runs successfully. I have to go to the besides website and I will copy the URL. After I copy the URL we put it in our terminal, and we have to put in the number of parallel connections to generate, which we have at 500, and the rate of connections, that is the requests per second, which we also have at 500. So we should wait.
And now we switch to the administrator's view of how this kind of DoS attack looks when it kicks in. Probably we can see here we have something like 3.2; the CPU of the server is pretty low right now, but when the attack kicks off, what we're going to notice is that the resource usage is going to go pretty high, and depending on the internet connection and the attack power that Alba is able to generate, it might go up to 100% of the CPU and RAM usage. Is the script ready? Yes. Are you sure the domain is right? Because I'm not receiving... I will try again. Save the file here. Okay, let's wait a bit until Alba starts the script and the attack on our server. Meanwhile we're going to demonstrate that we have no security rules applied in Cloudflare. This is like a default configuration: no security rules, no rate limit, nothing. If you go and analyze the traffic in the last 30 minutes, when the traffic comes we're going to see a spike on this graph, but the traffic is pretty low. It might be because of the internet speed of the environment that we are using, but it's pretty low. Just to see this example, now you can see it's coming to 57%, and it depends on the power of the user, but this is how it comes, and if the power of the attacking user is pretty high it might go up to 100%. Maybe to most of you this kind of attack might look like a primitive attack, one user with just a simple computer attacking one server, but most of the small to medium applications that have no protection or have default configurations fail; they go down from this type of attack. And this kind of attack is pretty easy to block, because since the source of the attack is coming from a single IP it's very easy to block it. In Cloudflare you have many ways of analyzing it, but one way to analyze it is going through the analytics and logs, traffic here, and focusing on the range when you are receiving the attack; actually we are receiving it in the last 5 minutes. Here you can go and see the source IPs; what Cloudflare provides here is the top IPs that are attacking, and here you can see that this one is coming to first place and this other IP is
just kicking in recently. So it's very easy to block it, and how we can block this kind of IP, this kind of source, our colleague Vgan is going to explain: how you can apply a rule to block this.

Yes, so since we have logs, and we see clearly in the log that this is the IP which caused many of the requests, we are just going to copy this IP address and we'll go here to Security and we'll use the WAF, which is the web application firewall of Cloudflare. So I'm going back again to see if that is the IP address that causes the source IP addresses. So I'm going to block this one: Security, Web Application Firewall. Here we will need to create one rule, and based on this rule we block the requests that will come from this IP. So I'm going to create one rule; I'll name it, let's say, "single IP block". Since we know the source IP address from the log, I will paste it here, and now we need to take an action, so the action will be to block it. Because we want to show that this is blocked, we will call it the first scenario, since we are doing the first scenario. So I'm going to use the HTML response and I will name a response code; I will name it 410. So I'm going to deploy it. It shouldn't take more than 2 minutes to be applied, and then it should have effect.

Since this is a very easy technique to block, it's just by blocking the IPs, and this kind of rule most of the time takes two to three minutes to apply, we're going to move to the second demo, where we're going to show... To interrupt you, maybe we can just switch to Alba's screen and show the response on the attack client. So this is now the screen from Alba: she is trying to access the page DS besides dds.com and she now receives the message that Vgan previously configured, that this is blocked by the server. So this is the custom message that the attacker now receives. Having said this, we have finished with the first scenario: the attacker is very simple to write, even ChatGPT can do it for us and run it, and a very simple rule that Vgan created.

Let's move on to the second scenario. The second scenario is similar to the first scenario, but now we're going to simulate that multiple attackers from the same country with different tools are going to apply the attack. But before doing this, just to show that
all the rules that we are applying here kick in with the different scenarios, what we are going to do now is just delete the first blocking rule, which actually blocked Alba's attacks. You can see this rule has blocked, till now, 272 requests, all the requests that Alba was doing with her Python script. Now I'm deleting this, just to show that we are going to block the incoming attack from multiple devices, from multiple IPs, with another rule.

Okay, the scenario looks similar to the first one; now we just have many attackers. We have here three attackers in front of us; they are trying to connect with different internet service providers, like Vala, IPKO, Artmotion, whatever is possible here. So I'm giving the floor now to Dea.

Thank you Professor Rea. So what you saw from the previous demonstration from Alba was a denial of service, when she attacked and then later on tried to access the web page and it said that it has been blocked. That was done from a single IP, from Alba's IP, and what we're here for today is to mitigate the DDoS attacks. What will make a DoS into a DDoS is the distributed responsibility of attacking the website. So Alba, Malur and I will all be attacking the website at the same time, and we'll see how this will affect Cloudflare and how this will affect the responsiveness of our website. We will be running similar Python scripts, and I'm here today to describe the Python script that I will use to attack the targeted website. I will just be showing how easy it is; most of this could also be generated with ChatGPT, and we would just need to accommodate whatever it is that we need, for example the URL, the target website that we want to attack. So I will
be describing shortly what this code does. I will be running this code from the terminal, and it's important for me to visually see what the response status code of the website will be, so I can color-code it in green and red respectively. So I have used the colorama library and imported some of its specifics, as well as, since we're going to be making GET requests to our designated website, I have imported the requests library. It's also important, since we want to demonstrate that we want to have as many requests as possible, that we do this through a multiprocessing approach, so we want to import Pool so that different processes can run our main function simultaneously. What this will do, in our hopes, is block the website, and then we will go on to show how we can best mitigate this. So what I've done: firstly you can have a global variable that defines the number of attacks that you want to launch and the target URL, which was the website that we have created for demonstration purposes. The main part of this code is the attack function, where we have given the parameter, the x parameter. As I mentioned earlier, we're going to do this with processes, and it's important that we can track what process is doing what, is sending what requests, so that we can have this in order to debug or things of the sort. So what I've done is that we're going to be sending a GET request; we give the parameters of the URL, we have constructed some headers, which are just some sample headers, via a Python dictionary, and I've also set the timeout of this request to three, meaning that if the server does not respond within 3 seconds then the server will abort this request. And then, as I mentioned earlier, in our terminal we can see the pool to which the process launching the attack belongs, the request that is being made, as well as the status code of this request. If this is successful, the code within the try block will be executed; otherwise we'll have "the site is down" printed in our terminal, indicating that the site indeed is down. This will be the attack from my side, and I will pass it on to Milore to tell us about the attack that he will be launching on our website. Thank you.

Thank you Dea. We just have to switch the port; okay, just wait a few seconds for it to show up on the screen. So we are using an open source tool which is used for educational purposes, as usual, but we are demonstrating how this tool
named JMeter can be used also for denial of service attacks. So the first step that we're going to do is run the JMeter batch file, and it opens the interface of Apache JMeter. Now we're going to create a test plan and a thread group, and on it we're going to create an HTTP request. We go back to the thread group, and we have to talk a little about thread properties. We see there the number of threads, which in our case is going to be 500; this determines the total number of virtual users that concurrently execute the test plan and represents the simulated load on the server. We have here the ramp-up period in seconds, which specifies the time duration over which the defined number of threads will be started, and we also have the loop count, which we're going to set to infinite, and which defines the number of times each virtual user will execute the test plan. So we are going to go to the HTTP request and we're going to write the protocol, which is HTTPS, and the server name or IP, which is besides dasde do.com, and we're going to use the GET method, because it's typically used for retrieving data from the server and is suitable for requests that don't modify server-side data. Now we're going to run that, and after saving it the others are also going to run their scripts.

So now we have three concurrent attacks going on from three laptops here, from different ISPs. Let's check. Now we see the 100%. So Castri, maybe you take it from here? Yes.

Actually, now you can see that the attack is coming from multiple sources and now the power is pretty high, and what is happening with our small server is that the CPU is going up to 100%, as you can see in the slide, and the RAM is pretty high too, around 80 to 90%, though it's not showing the percentage. What we can do: since this kind of graph in Cloudflare is not real time and might take some time, you can see it has just started to have a spike, but this kind of attack is again pretty easy to block, because our attackers have something in common: they are using the same country and probably the same service provider in this case. How we can see from which source the traffic is coming: if you want to see it by country, we just need to go here, and it will list the traffic based on the country, and now you can see here
that the spike is coming up. We are not waiting until the requests go too high, because this is already throttling our application and our server. But what we can see here is that the majority of traffic is coming from Kosovo, and now Vgan is going to tell how you can block a specific region or country in Cloudflare. But this kind of rule applies only when the attacker is coming from a country where you are not giving services. So for example, if the attack is coming from our country and we are serving our services to our country, we cannot block Kosovo, because in this case we are going to block legitimate traffic, legitimate users, from accessing our website. But this scenario is very suitable in a case like, for example, a foreign country that you don't have any relation with; for example, if the attack is coming from Russia or China, and we don't serve any of our services to them, probably we just go and block the service to them and we're going to be safe and secure.

Yes, so based on the logs we see that the country is our country, Kosovo, since most of the requests are coming from this country, and we have some others, 51 from Albania, Serbia, but we are going to block this one. So, the same again: we are going to Security, and under the WAF we will need to create one rule, similar to the previous rule that we did. I type a name for the rule, "block country block". Now this time we will not select the IP source address, but we are going to select the country; there is also continent. Since we know the country, we'll find Kosovo. It's also very easy because Cloudflare lists the list of countries, so it will avoid any mistake that could be caused. Now we need to choose the action; the same again, we are going to block it, and we will provide the response type, because we need to show that when you try to open the website it will show "blocked from Scenario 2".
I'll also name the response code 420, and I'm going to deploy now. So we'll wait a bit and we'll check if the site is really blocked and if it shows "blocked by Scenario 2". Again, a rule might take some time to kick in, and how we can see if the rule has kicked in is: here Vgan has set a specific response code for blocking from our country, 420, and in the analytics here we can see, if we filter by the status code, which is the code that we respond with to the users that we have blocked; if you put 420 here and apply this filter... I made a mistake in applying the filter. Apply now. You can see that it has just started to block, and here you can see that the traffic is still at 100%, because a lot of requests are in the queue, but if you wait like 1 minute we're going to see the traffic go down and our service is going to be up again, but only for the users that are not in Kosovo, because we have blocked it as a country. And if you switch to the attackers' screen you can see that all the requests for them now, if the site is responding, are getting 420, the status code that is used to block. And one of the users who is showing the screen can see in the browser that it is saying "blocked by Scenario 2". So our applied rule of blocking by country has actually worked, and you can see here now 1,000 requests blocked, and even now it's 4,000 requests blocked, so it's blocking, but the graphs and analytics in Cloudflare are not immediate; they need some time to process. But now you can see it's going down. Always, when you apply some rules, the web server that we are using here, which is Apache, needs some time to process all the traffic that actually came before. But yeah, now it's going down, because it has processed all the queued requests. The rule is applied. Now I will ask the attackers to stop attacking, because we don't want to choke our server when we delete the rule in Cloudflare, and we're going to move on to scenario number three. Meanwhile I'm deleting; just to show this, I'm deleting it.

Yeah, and in the meantime: so we have shown the attackers coming from the same country with different IPs, and in the meantime Castri will delete all the rules applied to the server, the attackers will stop attacking, and now we are moving to our third
scenario: attacking from multiple IPs and multiple countries. Of course, for this we will need some collaboration from outside, so we are using another tool, and we go back now to Alba again. She will now try to simulate multiple users from multiple countries; therefore she is using loader.io, a software tool that simulates different countries with a specific load. So Alba, the floor is yours.

Thank you. So the third scenario will be an attack from multiple IPs, so I will use loader.io. loader.io is a cloud-based service that helps to test performance and scalability for web applications. To save time I created some drafts, so I'm using this draft and I will say what I edited in this file. Every test needs a name; right now I use "high traffic test". And of course the test type: we have different test types, but we use "clients per second", and then the number of clients that we want to use, which is 10,000, and the duration, which is the time that we want to run this attack, that is 5 minutes. After we put in these numbers we have advanced settings; in a regular file the error threshold is 50%, but we use 0% for errors. After doing this we have to change the protocol, because it was HTTP and we have to use HTTPS, and the host, which is our website. So after we put these in we have to run the test. I'm going to run the test; we should wait some seconds.

Meanwhile we will switch to our screen. Since loader.io is a cloud tool that is actually able to make a lot of requests per second, you saw the configuration that Alba did: it can go up to 10,000 requests per second. What we will see is that our CPU is again at 100%, and if you try to access the site now it's probably going to take a lot of time or it's not going to load. The reason why I'm doing this is because now we are not blocking our IPs, we're not blocking our country, Kosovo, so in this case, if we had some rules applied, we should be able to access the site, but what we are seeing here is just loading. And now if you go to the traffic, as I said before, this kind of traffic doesn't come immediately, but if you wait a couple more seconds you can see the spike is going up. Now we have a scenario where we cannot apply the rules that we used to apply before: we cannot block the IPs, because they are coming from different
IPS with different load we can we cannot block the country because they are coming from different countries in this case mostly from us but in other scenario they will come from a multi multiple countries multiple IPS and we cannot block because there is something in internet called net and a a lot of user might use the same IP from the same country and we don't want the user that want to access our site they are legitim user we don't want to block that and this scenario uh we cannot apply blocking IPS we cannot apply blocking countries but we need to know our application to apply different rules for example we know that our application is
a WordPress site that actually serve news and we know that every user will not look more than five to 10 News at most for a minute so what we can do we can apply a rate limit what we can do we can limit the IP of how many requests can make for specific minute and what we will do right now uh Professor vgan going to explain how you can Implement rate limit uh uh rules in a cloud flare that going to limit IPS to 100 requests per minute and if they ex extend this kind of rate limit we're going to block only the IPS who extend this kind of limit so since C explained that this kind of
attack is different and it's a bit tricky also to uh prevent it so we are going to add another rule but this time the rule is different so uh we'll need to create a rule under the rate limit rules so here I'm going to create a rule uh I'm naming it rate limit in the field now we need to select the host name the host name is the domain of or server so is this one bides dds.com and now we will uh select the when the rate exceeds we will provide the request 100 and the period required will be for 1 minute so of course we'll need to take an action for this and we are going to
block same again I'm using a HTML to show the message
and for duration I will leave for 1 hour we will deploy it wait a bit and we'll see the result so uh this kind of attack thata is doing please run run attack again if if it's if it's not running this kind of attack that ala is doing is doing from cloud services and is not going from or IP so if we if we try to or side after the uh rule kick in uh we cannot see the message that is blocked by scenario two or scenario 3 but the attacker is going to going to see that message and how we can see that our rule is applied successfully again we can go to the uh
analytics we can again we can serve with the rate limit and the rate limit that is applied for for the uh uh the CTIC code that we are cor responding for the uh rate limit is 430 what we can do here we can have a filter we can select the uh Edge code 430 and we going to need to apply again I make it mistake it's not happy okay yeah
uh the problem is that uh uh Cloud FL is not allowing me to select the the codes that is not like a known as a code but here we can see in the ads that status 431 has kick in and how we can do we can just see the filter like this and we can see that a lot of traffic is going going on from the is is blocking with this kind of rules but still we have 100% like in the previous previous scenario and we need some time to wait until the this rule have blocked all IPS and after that we going to be able to to open the side so is block myp2
probably because we have the same rate uh limit because probably the users have try many requests for the same time so if all bu is attacking from a cloud but a lot of you users are extending that 100 request with this IP that we are using in this network it going to block us too but yeah it's blocked and probably after some time you can see the CPU of our server is done and we can say in this way that attack is mitigated successfully castria thank you very much so with this we have wrapping this scenario 3 having for multiple IP addresses as we showed by the uh loader iio just to remind you loader iio is
meant for good, positive testing, but malicious users can use it also for such cases. Let's move now to a much more attractive attack scenario, when we use a botnet, or so-called command and control. For this we're using our special hardware of the Faculty of Electrical and Computer Engineering; we have a special server called Huna, and Dea now is going to showcase how we can exploit this. Dea, thank you.

So as you were here and were able to see firsthand how we are employing different attacking strategies to best try to block this website: so far we did try to do attacks from the same country, from different IP addresses and with high request rates, and a rate limit rule was able to block our attacks. So I'm going to try and make this situation more complicated: I will be distributing the attack across multiple geographic regions with low rate limits, in other words a low number of requests per second, so that this will not be flagged as suspicious activity, at least that's what we hope, and this will make the attack a little bit more complicated since the rate limit rule will not be applying. What I will be using to demonstrate this attack is the high performance computing cluster of the Faculty of Electrical and Computer Engineering at the University of Prishtina, which is used to facilitate research, and we're going to use its computing power to run a Python script that uses a proxy, so the proxy will be able to geographically distribute the attacks that we will be launching at our target website. Before we jump into the attack phase I would like to introduce you to the Hesa website a little bit more, so that you can see what it actually is. You can recognize the names, Illyrian female names holding historical significance for our culture, and you can see there are nine computing nodes named as follows. What I would like to show you are the technical details of this high performance computing node: it has for example 2 x 16 physical cores and 64 logical cores, as well as 128 GB of RAM, so you can see that it's quite a high performance computing node. So what I will be doing is connecting to this server via a remote desktop connection, where I have been granted credentials, and I will try to make the connection and access it remotely. For demonstration purposes we have created a special website called BSides Prishtina, and I will be entering the credentials to access it and hopefully present to you what it looks like and how we can initiate an attack from that. So in just a couple of seconds I will be going into the terminal where the Python script is saved, so we can just see that it's a Python script, as mentioned, and we can just run it using the python3 command and proxy.py. So this is the command used to run this Python script, which will initiate the attack, and right now we're going to be able to see that the request was successful, and after some time we're going to see what will happen in the back end of this, with Kastriot showing the Cloudflare aspect.

The scenario that Dea is showing is a scenario that is very likely to happen, when a specific group or a hacker has in fact a lot of PCs, and they have a command and control that manages a lot of them and directs all of them to attack against one target. The problem with this kind of attack is that it comes from many sources, many IPs, many countries, and what makes it even more difficult to block is that they go with a low number of requests per second: so instead of having 10 IPs that go with 100 requests per second, now they use a thousand IPs that go with 10 requests per second, so they kind of spread horizontally. And what did happen in our case? If you can see, our CPU is again at 100%. The reason why: even though you have a rate limit rule applied, they are going to go under our rate limit. In this case blocking IPs doesn't work because there are many IPs, you cannot block a thousand IPs one by one; blocking countries is not going to work because they are coming from countries that we serve; and rate limiting is not going to work because they are going under our rate limit, and we cannot set a rate limit of one request per second because no one is going to be able to access our service anymore. Now what we need to do is find what the attackers have in common, and most of the time when the attackers come from a botnet they have the same malware infection and they're going to have the same pattern of attack. How can we analyze where that attack is coming from and how it looks? You can analyze this in the events under Security, and if you go to the last 30 minutes there are many scenarios, many types of attacks that you might have experienced, to analyze them. But what do our scenarios have in common? If you go to the items you can see that these top IPs are making a lot of requests, but a lot of IPs that we cannot show for now are going with a low request rate. But what we can see is this: we can see that most of the headers are legitimate headers from legitimate users, but some of them are from python-requests, and we know that no one from Python should be accessing our service, because we are serving a web server and they should access it from a browser. So what we can do is list these kinds of headers right here. For example, this is not expected to come to our website, this is not expected to come to a website, and probably this is from JMeter, because JMeter is by Apache and they do HTTP requests; probably this is not a legitimate user. This header is not a user agent that we want, and loader.io is not a user that we want either, but we are leaving it out because we know that right now in this demonstration we are not attacking from loader.io. What we can do here is apply filters: we can go here and say, give me all the requests that are from these kinds of user agents that we actually detected as not normal traffic for our site, this is the first one, this is the second one and this is the third one. And if you apply this filter, what you can see here is that all the traffic coming from this kind of simulated botnet, with a lot of IPs as you can see but a very low number of requests per second, is coming from these kinds of user agents. And what we can do now, we are going to explain how we can apply a rule to block users that are coming from a specific user agent.

Yeah, since we used the filters, now it is very easy to create the rule. So now the rule will be created here: I put "block" as the action, so I'm going to block it; I will use the same custom block page with 404, so in this case the response code will be 404, and now we don't need to change anything, so it seems to be okay, and we are just going to deploy it and we'll wait for the results. When the rule gets applied, if you switch back to Dea's computer you will see that now, instead of having a 200 response code, she is receiving 404. The rule that we have applied to block the botnet is similar to the other scenarios: the load is coming down, so we can see that the rule has actually applied. In this case we mitigated the kind of scenario where we have a huge amount of IPs attacking from different countries but with a very low attack rate. This is scenario four. Vegan, please delete the rule, and you, please stop the attack; first you need to block it. Let's move on, since we are a little bit behind time; I think the next presenter is waiting eagerly to come to the floor. Let's move to the last scenario, the fifth scenario. We are concluding the fourth scenario with very complicated rules, attacking from multiple IPs with a low-level rate limit and also some
browsers that utilize our website. We're moving to the last one, advanced DoS attacks, something that you might happen to have to work on. So the last scenario: in that scenario we're using Malsor now to simulate the attacks through JMeter, and Kastriot and Vegan will show what happens on the server side. Malsor, the floor is yours; just show us what you are doing, and in the meantime maybe we can speed up the last presentation a little bit, what happens on the server side.

Let me, before Malsor's attack: on this we need to make some clarification, when this kind of rule can be applied. It's very important to know your application; if you don't know your application you are probably going to have a problem applying this, because now what we're going to do as a protecting rule is apply caching, and if our application has dynamic content we cannot do that. We can do this only on static pages that don't change often, and here we have this page that is just showing a simple page that is our abstract, our presentation, and we know that this page is not going to change, or is going to change very, very rarely. What we can do is grab this link and go to Cloudflare. Just to refresh here to see that this mitigation rule has been deleted: we can go under the rules and we're going to go to Page Rules, and we are going to delete this because it's already applied. We're going to create a rule. What is the rule? For this URL we are applying cache rules. So what we are doing: we are applying "Cache Level: Cache Everything", we want to cache POST, GET and headers, parameters, everything that is really in the HTTP request. We are applying "Browser Cache TTL", that is the time when the browser is going to clear the cache; in this case we are setting it to only 5 minutes. And we are applying "Edge Cache TTL", which we are setting to 1 hour, and we are deploying it. So in this scenario we have deployed, and if we run this we are going to see the delay because it's going to our server, but if you run this you're going to see that it's blinking very fast, because all the content is being served directly from Cloudflare and not going to our server. Now I'm asking all the attackers to attack our site and to see if they can bring it down, everyone with any tool you have, you can apply it, but it's very important to attack this link, because we have implemented in this case, in this scenario, the cache only for this link, not for the whole site. So please adjust your code and attack it.

Okay, so we go back again to the JMeter tool; we're going to do the same configurations as we did before, so we're just going to hurry up because we don't have so much time. We're going to write the HTTPS, bsides-ddos.com, GET method and the path ddos-attack-mitigation, so we're going to attack the static page that they have there. So we're going to start the attack; also I'm trying to get the help from the team. So we're going to save it and we're going to start it. Okay, others, please start attacking this link too.

Are you sure that we have put the right link, all of you, are all of you attacking that cache rule? Because I'm having a lot of traffic, but same thing, we can just add another cache rule, then we can put for example the whole site, so if you want to cache everything for one hour. And I'm adding another rule with a prefix, because some users might use www and some users might not, and I'm applying it again, I'm deploying. And now if you go to the caching under the rules you can see in the last 30 minutes, when we are applying that, most of the requests, even in this time, are coming from cache and only a few of them are coming to our server. And now if you go to our server, even though they are still attacking, all the resources are going very, very low. So this is the last demo for this presentation, and now we're going to move to some takeaways from this.

Okay, for the takeaways and wrapping up all five scenarios, I'm very happy about the fourth and the fifth one, which are real scenarios that you might experience in your company or work, etc. So let me wrap up the takeaways from our presentation. DoS attacks are very simple; we have showcased that for this you don't need an engineering background, even ChatGPT can help you and you can run the scripts, so it's very simple and very cheap to develop and execute a DoS attack. Cloud is not a magic word: just having a cloud without proper configuration won't help you. Third, you need to understand your application and infrastructure: if you have clients just in Kosovo you can block other countries, but if your target is different countries, then you cannot block just a specific country because you're blocking legitimate users. And last but not least, you need to analyze your attack and apply the smart mitigation technique, as we showcased, by rate limit, by spreading, by browser, etc. Having said this, we are coming to the Q&A session, and please, if you have any question, we are here to answer immediately, and also we are here after the presentation during the coffee break. Given that we are a little bit behind schedule I would ask you to keep the questions, you know, not so many questions, so we don't run behind with the schedule. Kastriot, Professor Rexha and the others are going to be around, and then maybe you can catch up with them in the hallway. Maybe for one or two questions I will give an extra point. Okay, any question? Let me just pass the mic.
Then, thank you for the demonstration. Say if someone or a group of people were to deliberately target the University of Prishtina during the exam period, say to attack their service so that the students are not able to register to take their exams, what's stopping them? How well prepared is the University to defend against this type of attack?

Thank you, thank you for the question. Yeah, that's a very legitimate scenario, it can happen. There is no magic way of blocking the attacks; you need to analyze them. So if there is someone, from the first or second scenario that we showed, that might use a simple script or a pre-built tool to attack the server, we might block the specific IP, or apply a rate limit to the registration page. And even though applying a rate limit sometimes can work, sometimes if all the users from the University want to register for the semester or exams and we apply a very aggressive rate limit, it might block them too. But this depends very much on the attack, and based on my experience a lot of people who do this kind of attack for malicious purposes use pre-built tools, like lower bit is one of the most famous for doing denial of service attacks, and they have specific patterns in how they do the attacks. So the idea is to analyze and filter the traffic that comes from that tool and block all the traffic that comes from that tool.

Okay, one more question, the last question, don't be afraid, going on the last one here, and we will be around for taking another question or another comment or suggestion as well.

Thank you, it was a very clear demonstration, thanks. If you do not want to use Cloudflare, do you have any alternatives? Thanks.

Yeah, do you want to take it? Okay, so that's a great question, for sure, because not all the users want to use Cloudflare. Most of the rules applied in this presentation don't have to be specific to Cloudflare; most of the firewalls and application firewalls provide a similar filtering and blocking mechanism. The reason why we explain Cloudflare is because Cloudflare is, just to give you an example, the plan that we were using to block this kind of attack in this is a Pro plan that costs $20 per month, and Cloudflare, since it is a cloud service provider that provides a firewall, is the cheapest and the easiest solution to apply. But if you have a specific firewall implemented in your network the same is going to apply, but you have some takeaways from that too: you need to have a strong network, because if the attacker is going to apply more attack than your network can handle they are going to block your switch before it comes to your firewall. And even though we have some, like the government of Kosovo, that apply blocking rules not in Cloudflare but in their own firewalls, what they have in firewalls can handle not more than 17,000 requests per second, and if the traffic is more than 70,000 requests per second they are going to shut down the firewall too. So it's very important, and it's highly recommended: you can use it for internal uses, like an internal firewall, but for external services it is highly recommended to use cloud services that might be able to handle more traffic and more attacks. Thank you.

Okay, thank you, thank you for your presentation. I have a question: if the attackers can bypass Cloudflare and they attack the IP of the server, which they found through the DNS history or whatever, how could you protect against that?

Yeah, there are some cases when there are some vulnerabilities in Cloudflare and the user can bypass the rules that are applied from Cloudflare, but actually in this case you need to trust someone. If you want to use Cloudflare you have to take that risk; if you don't, you might address your attacks manually by yourself, but probably you're going to have more problems than with bypassing Cloudflare. So someone can do it, so that is... Can I continue? So also, when we presented the infrastructure we showed that there is another firewall of Hetzner, so in this case we will just need to configure some parameters in Hetzner, and then we will block this kind of attack at the Hetzner level, not from Cloudflare.

Great. With that being said, we're going to wrap it up. Professor Rexha, Kastriot, Vegan and the rest, thanks so much for this great demonstration, we really appreciate it.