Notes from: Three Generations of DoS Attacks

Three main layers of DDoS attacks:

Layer 3 or 4 DDoS: the usual DDoS, thousands of attackers

Layer 7: one attacker brings down one site

(Layer refers to the OSI layer the attack focuses on)

Link-Local IPv6 RA Attack: one attacker brings down a network

Hacktivists

Assange distributed an encrypted file via BitTorrent; if he is ever harmed, the key will be released.

Anonymous was inspired by him, and is an example of an “Opt-in Botnet”: instead of enslaving other people’s computers, many volunteers agree to attack a target at a specific time. Many of them were unskilled (they mainly used the Low Orbit Ion Cannon), but a number of more experienced Anonymous members eventually became LulzSec; that name comes from the fact that they don’t care about the consequences of some data being made public.

Th3j35t3r is different, and usually uses the Slow Loris attack. He apparently comes from a military background, and takes down sites that threaten the military and other right-wing interests. He works alone, and thereby keeps his operational security, unlike LulzSec, where if one member gets caught, they could rat out the other members.

Supposedly he kept the Westboro Baptist Church sites down for 2 months from a 3G phone.

The layer 4 DDoS is the most common DDoS attack. Mastercard and Visa were taken down this way, but Amazon wasn’t taken down by a layer 4 DDoS attack. Attackers normally use the Low Orbit Ion Cannon, which is just a stress tester, but with enough people using it in unison the volume of requests can take most sites down. Layer 4 attacks usually require thousands of machines to produce a Slashdot effect, and they operate at the TCP layer.

Layer 4 attacks take advantage of the TCP handshake: a SYN packet is sent to the server to start a handshake, but the SYN-ACK from the server is ignored. The server is left waiting for the final ACK from the client to complete the 3-way handshake, and since servers limit the number of open TCP connections, legitimate traffic cannot complete its handshakes.

Layer 7 DoS attacks, like RUDY (R U Dead Yet) and Slow Loris, connect normally at layer 4 and have an established TCP connection with the target. Once connected, the client makes GET requests, especially for large objects or files. Slow Loris makes a request that will jam up the web server: if you send only part of a GET request instead of all of it, the server thinks you are a legitimate client on an unreliable network and will block, waiting for the rest of the request to come through. With this approach all you need is about 1 packet a second to stop an Apache server. RUDY is similar but uses POSTs. Keep-Alive DoS is another that makes requests that force the server to work harder, but it is not as effective as Slow Loris.
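A defender-side counterpart to the partial-request behaviour described above, as an added example that is not code from the talk or from Apache: a header-read guard in the spirit of Apache's mod_reqtimeout, which drops a connection whose headers never complete in time or arrive below a minimum rate. The thresholds and the traffic samples are assumptions constructed for the example.

```python
# Added example, not code from the talk or from Apache: a per-connection guard
# for reading HTTP request headers, in the spirit of Apache's mod_reqtimeout.
# Assumed policy: the header block must complete within HEADER_DEADLINE_SEC, and
# after GRACE_SEC the client must average at least MIN_BYTES_PER_SEC, otherwise
# the connection is dropped instead of being held open by a trickle of bytes.

HEADER_DEADLINE_SEC = 20.0     # hard limit for receiving the whole header block
GRACE_SEC = 5.0                # no rate check during the first seconds
MIN_BYTES_PER_SEC = 50.0       # minimum average delivery rate after the grace period
HEADER_END = b"\r\n\r\n"       # blank line that terminates HTTP/1.x headers

class HeaderReadGuard:
    def __init__(self, start_ts):
        self.start_ts = start_ts
        self.buf = b""
        self.complete = False

    def feed(self, ts, chunk):
        """Consume a chunk received at time ts; return 'ok', 'complete' or 'drop'."""
        if self.complete:
            return "complete"
        self.buf += chunk
        if HEADER_END in self.buf:
            self.complete = True
            return "complete"
        elapsed = ts - self.start_ts
        if elapsed > HEADER_DEADLINE_SEC:
            return "drop"                         # headers never finished in time
        if elapsed > GRACE_SEC and len(self.buf) / elapsed < MIN_BYTES_PER_SEC:
            return "drop"                         # a few bytes at a time: Slowloris-like
        return "ok"


def replay(events):
    """Replay (timestamp, chunk) pairs for one connection; return the final verdict."""
    guard = HeaderReadGuard(events[0][0])
    verdict = "ok"
    for ts, chunk in events:
        verdict = guard.feed(ts, chunk)
        if verdict != "ok":
            break
    return verdict


# Constructed traffic: a normal client sends its whole request at once; a slow
# client adds one bogus header line every three seconds and never ends the block.
NORMAL = [(0.0, b"GET /big.iso HTTP/1.1\r\nHost: example.test\r\n\r\n")]
SLOW = [(0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n")]
SLOW += [(float(t), b"X-a: b\r\n") for t in range(3, 60, 3)]
```

The slow client is dropped at the first rate check after the grace period rather than being held for the hundreds of seconds the notes mention.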

One benefit of Layer 7 attacks, from the attacker’s side, is that you can use anonymizers; the Low Orbit Ion Cannon doesn’t enjoy this feature. Layer 4 attacks require huge numbers of requests to overwhelm the host, so if you send a SYN flood through a chain of proxies, those proxies will be DoS’d themselves, leaving no way to get the huge volume of packets cleanly through to the target.

This makes defending against Layer 7 attacks much more difficult, since you can’t simply block an IP that has a high volume of requests. Every request is effectively untraceable, and it is harder to know whether a request is a legitimate use of resources or not. It does help to simply block all known Tor exit nodes, forcing attackers to find other proxies.

Link-Local DoS uses IPv6, which almost everything enables by default now. In IPv4, the machine asks the router for an IP address dynamically; after a number of days, or when you restart your machine, you get a new one. It’s a pull process. In IPv6, the router hands out IPs via a push process: the router announces its presence to every machine on the LAN, and the machine has to respond with an address. This is called a router advertisement.

If you send a lot of router advertisements to a machine, it will attempt to join every network it receives an advertisement for. Windows machines are very inefficient at joining these networks.

He spins up a server to demonstrate this, with a page that shows all the connections available. He starts by demonstrating the layer 4 SYN flood with the Low Orbit Ion Cannon, which attempts to take down a server by using up all available TCP connections. It only ties the server up for a couple of seconds.

He uses an OWASP tool to attack his server with Layer 7 attacks. Slow Loris uses up resources with pending requests; it takes about 400 seconds before the server stops waiting for the rest of the request to come in.

For the IPv6 attack, specifically against Windows servers, he uses an attack suite from van Hauser. It sends packets commanding devices to join their network, so the machine ends up having joined thousands of networks. Macs ignore advertisements after the first 10, so this attack doesn’t work on Macs, and only one version of BSD Linux is affected. Windows hadn’t patched yet.

Then CloudFlare spoke about the time LulzSec used their service. The majority of attacks they incurred, aimed at LulzSec’s website, were Layer 3 (network, e.g. a UDP flood) or Layer 4 (transport) DDoS attacks, plus a smaller amount of Layer 7 attacks that were mostly harmless.

Pissing off the hackers populating Twitter is not nearly as bad as pissing off the Chinese or Eastern European internet mafias that run incredibly large DDoS extortion operations.

They run an “Anycasted network”, which means they have hundreds of servers globally listening on the same IP address; this lets them absorb DDoS or volumetric attacks by spreading them out over a very large surface area.

San Jose Data Center

They mitigated a very large volumetric attack: one attacker had so much bandwidth and was so close to their San Jose data center that they moved all of their other clients to other data centers, and for a time the San Jose data center was serving only LulzSec.

Google ACK reflection

One attacker used Google as a reflector. Cloudflare whitelists Google’s addresses so as not to block legitimate crawler traffic. So if you send Google a lot of SYN packets with spoofed source IP addresses pointing back at Cloudflare sites, Google will ACK back to those Cloudflare addresses.

They mitigated this by blocking ACKs for which no matching SYN had been seen. It was a clever attack, though, one that studied how their system worked and targeted it on that basis.
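An added example, not code from the talk or from Cloudflare, that covers both the half-open handshake state behind the SYN flood description earlier and the ACK-without-SYN mitigation just described: a stateful filter run over constructed packet records. The record layout and the HALF_OPEN_LIMIT threshold are assumptions.

```python
from collections import defaultdict

# Added example, not code from the talk or from Cloudflare: a stateful filter over
# constructed packet records showing two defences from the notes. (1) SYN flood:
# track half-open handshakes (SYN seen, final ACK not seen), flag a source holding
# more than HALF_OPEN_LIMIT of them, and report the backlog size. (2) ACK reflection:
# drop an inbound SYN-ACK/ACK for a flow that no client SYN and no SYN of our own ever
# opened. Assumed record layout: (direction, peer, peer_port, flags), "in" or "out".

HALF_OPEN_LIMIT = 3

class FlowFilter:
    def __init__(self):
        self.pending = set()              # (peer, port): client handshake not finished
        self.per_src = defaultdict(int)   # half-open count per peer address
        self.sent_syn = set()             # (peer, port): flows we opened ourselves

    def process(self, direction, peer, port, flags):
        """Return 'accept', 'drop' or 'flag:<peer>' for one packet."""
        key = (peer, port)
        if direction == "out":
            if flags == {"SYN"}:
                self.sent_syn.add(key)
            return "accept"
        if flags == {"SYN"}:              # client starting a handshake
            if key not in self.pending:
                self.pending.add(key)
                self.per_src[peer] += 1
            return "flag:" + peer if self.per_src[peer] > HALF_OPEN_LIMIT else "accept"
        if "ACK" in flags:
            if key in self.pending:       # client finishing its handshake
                self.pending.discard(key)
                self.per_src[peer] -= 1
                return "accept"
            if key in self.sent_syn:      # SYN-ACK answering a SYN we sent
                return "accept"
            return "drop"                 # nobody asked for this ACK: reflected
        return "accept"

def run(packets):
    f = FlowFilter()                      # returns (verdicts, half-open backlog)
    return [f.process(*p) for p in packets], len(f.pending)

# Constructed trace: an honest client completes a handshake, a flooder opens five
# handshakes from different ports and never finishes them, and a SYN-ACK arrives
# from a host we never sent a SYN to (the reflection case).
TRACE = [("in", "10.0.0.5", 40001, {"SYN"}), ("in", "10.0.0.5", 40001, {"ACK"})]
TRACE += [("in", "203.0.113.9", 50000 + i, {"SYN"}) for i in range(5)]
TRACE += [("out", "192.0.2.1", 443, {"SYN"}), ("in", "192.0.2.1", 443, {"SYN", "ACK"}),
          ("in", "192.0.2.2", 443, {"SYN", "ACK"})]
```

Per-source counting only catches a flooder using its real address; a spoofed flood shows up instead as the growing backlog that run() returns.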

IP Scanning

One attacker scanned Cloudflare’s IP address ranges, found some exposed router interfaces, and targeted those specific routers, which were vulnerable because they sat outside Cloudflare’s “Anycast”.

They mitigated this by simply blocking the attacking IPs, though the attack did knock a couple of their routers offline for a few minutes.

After the discussion of Cloudflare, Sam comes back to talk about defending against and mitigating D/DoS attacks. For the router advertisement attack: you can turn off IPv6 (not preferred), turn off network discovery, block router advertisements with a firewall, or whitelist only known routers.
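An added example, not from the talk or from any operating system, tying the router advertisement mechanism described earlier to the whitelist mitigation just listed: a minimal ICMPv6 Router Advertisement parser with a trusted-router allowlist and a per-interface prefix cap like the ten-prefix limit the notes attribute to Macs. The RA bytes are constructed in memory; the cap and the allowlist values are assumptions.

```python
import struct
import ipaddress
# Added example, not code from the talk or from any OS: a minimal parser for ICMPv6
# Router Advertisements (type 134) with two defences from the notes, an allowlist of
# known router link-local addresses and a cap on distinct prefixes accepted per
# interface. RA bytes are constructed in memory; cap and allowlist are assumptions.

ICMPV6_RA, OPT_PREFIX_INFO, MAX_PREFIXES = 134, 3, 10

def parse_ra(payload):
    """Return [(prefix, prefix_len), ...] from one RA, or None if it is not an RA."""
    if len(payload) < 16 or payload[0] != ICMPV6_RA:
        return None
    prefixes, off = [], 16                    # skip the 16-byte fixed RA header
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1] * 8   # length in 8-octet units
        if olen == 0 or off + olen > len(payload):
            break                             # malformed or truncated option: stop
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen = payload[off + 2]
            prefix = ipaddress.IPv6Address(payload[off + 16:off + 32])
            prefixes.append((str(prefix), plen))
        off += olen
    return prefixes

class RaGuard:
    def __init__(self, trusted_routers):
        self.trusted = set(trusted_routers)   # link-local addresses of real routers
        self.accepted = set()                 # prefixes configured on this interface

    def handle(self, src, payload):
        """Process one RA from link-local src; return how many new prefixes were accepted."""
        prefixes = parse_ra(payload)
        if prefixes is None or src not in self.trusted:
            return 0                          # not an RA, or not from a known router
        added = 0
        for p in prefixes:
            if p in self.accepted:
                continue
            if len(self.accepted) >= MAX_PREFIXES:
                break                         # cap reached: ignore the rest
            self.accepted.add(p)
            added += 1
        return added

def build_ra(prefixes):
    # Construct an RA with one Prefix Information option per (prefix, len); checksum 0.
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)
    opts = [struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
            + ipaddress.IPv6Address(p).packed for p, plen in prefixes]
    return hdr + b"".join(opts)
```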

Just one angry person can take down your website. If your website is not down, it’s because nobody is trying to take it down at this moment. And for every defense, there is another attack.

There are some tools that can help with DoS protection. ModSecurity is a free, open source tool that supposedly helps defend by blocking high-volume IP addresses, but that won’t help against Layer 7 attacks coming through a proxy chain. Akamai is a paid service and uses a few tricks, like DNS redirection, JavaScript second requesting and caching, to protect you. Load balancers are important because they only let complete requests reach the server, but the load balancer itself will go down with enough traffic (around 4x the number of packets in his tests).

One clever counter-attack is pointing your DNS back at the command and control server attacking you, thereby redirecting the attack back onto the attacker. This works for Layer 3 or 4 attacks, but not so much for Layer 7. Cloudflare is a free service that defends against DDoS attacks; Th3j35t3r couldn’t take down Cloudflare, which uses a network of proxies to balance high volumes.