So, I'm Sam Bowne and I'm here to talk to you about DoS attacks, and I've got some help in doing that. It was very good. So I'm going to talk a little bit about the hacktivists that have used DoS attacks, because I find them interesting, and they have dramatized how much damage you can do with the various kinds of DoS attacks, at the peril of going to prison themselves for it, which is a drag. But anyway, it helps the rest of us sell security appliances, and it helps me entertain students and keep them interested in learning how these attacks and defenses work. So you will be participating as victims. Now, how many people brought a device to get killed? One, two, three, yeah, not very many, four of you over there. Okay, that's kind of what I thought, because Ryan, who's setting up a wireless network, says he probably can't connect more than 40 or 50 before it'll crash, and I didn't think there'd be that many volunteers to get their device killed. However, I was trying in the speaker room and I believe this attack could be used to kill every machine at DEF CON. I was going to demonstrate a version of that, not so lethal, on the stage, but it wouldn't connect at all in the prep room, so I decided to skip that for the moment. But if any of you were unscrupulous you could try it. Anyway, we'll talk about that later.

So that's me. I'm on Twitter, I teach at City College in San Francisco, and I've got two guests with me. I've got Matthew Prince here, who's going to talk about his inside dealings with LulzSec, which I was very pleased to have. In fact, I met him because both of us were deplored as immoral, evil people helping LulzSec: I retweeted some LulzSec tweets pointing to the stolen data, which I thought was important, and he ran a service which they used to protect themselves from attacks.
And so it'd be interesting to hear about that. And Ryan here, over there, he's going to set up the network and kill people who wish to volunteer to be doused with this attack, because we could learn some new vulnerabilities here. Now, they're not zero-days, because the attack I'm using here, I didn't write it and it's not new. It's been known for a year; it's just that an awful lot of people that manufacture devices don't care and have not patched it. So if anybody has any exotic devices, it would be interesting to see if they're vulnerable.

Anyway, here's the summary of what I want to show you. The DoS Circus is about the history of this stuff and the attackers that have been using it, and then I'll talk about the three kinds of DoS: layer 4 DoS, where you use thousands of attackers to bring down one machine, usually distributed denial of service; layer 7 DoS, where one attacker can bring down one server or more; and the link-local IPv6 router advertisement attack. I talked to you last year about IPv6 and I said it was going to bring a lot of security problems, and so it has. It's given us a time warp where a bunch of things designed in 1993 are now back on our networks. So the old tricks work again, and this is not really an old trick, but it's devastating, and I'll show it to you. You can kill all the Windows machines on a network from one attacker. And again, you only need a few packets per second to do it.

So Julian Assange stirred everybody up by leaking US secrets, and he published this mysterious encrypted file as his insurance, and if he gets irritated enough at the fact that he's being held in house arrest and perhaps going to be deported and stuff, he can release the secret key and reveal something terrible, not yet specified. So this stirred up these Anonymous people that had gotten tired of just posting pictures of cats on 4chan and decided to save the world through denial of service, which makes a lot of sense to them, although not to me.
So they started attacking: if there was anybody they could all agree to hate, they would blow them away. So it started with Scientology, because it's pretty easy to hate the Scientologists. And then it went on to other people, and eventually HBGary Federal. This guy couldn't... he was supposed to be here, but he was issued a court order about three days ago forcing him to not speak at the panel and tell what really happened, for the inside story here. But anyway, in order to publicize his new government security contracting company, Aaron Barr said that he could find the people running LulzSec and expose them by doing a correlation of social networking, so what appeared in Twitter he would correlate with what appeared in Facebook and elsewhere. And so they decided to take him down, and it was extremely easy. They got a team of Anonymous members. Now, Anonymous was a low-tech group, usually using really primitive tools, but a small number of them got together who were relatively skilled compared to the others, and they decided to take these guys down. They found a SQL injection and took over the email server, and then they sent emails pretending to come from the owner of the company asking him to please change the password, change the user name, and turn off the firewall: "Thanks, that's working now."
And once they were in, they took all their emails and dumped them on the web, because the whole thing about these guys, who later became LulzSec, the whole point about them was complete irresponsibility. The fun thing is to take everything every sane person ever told you not to do and just do it, and then you laugh, haha. So what would happen if I just dumped your whole email log out, everything personal, hurting who knows how many innocent people that just had something to say about their medical conditions? That would be a lot of fun. So that's what they did, and they found a lot of real dirt in there; it looked like they were planning to do a lot of really nasty things from HBGary. And so then Anonymous decided to attack the Chamber of Commerce, having found out that they were involved in this, with a Drupal exploit, again showing more technical intelligence than Anonymous had, which mostly just used that Low Orbit Ion Cannon, which is pretty primitive.

So The Jester gets in here as a demonstration of the power of a layer 7 attack, although no one knows exactly what he does; it's truly secret, and I'm guessing what it does, but people who have been attacked and kept logs of his packets have told me that I am correct, that what he is doing is essentially using a Slowloris attack with some variations. And his plan here is to be right-wing, essentially, where Anonymous and LulzSec are left-wing. He is pro-military, he comes from the military, and he tries to punch back at anybody that he regards as endangering soldiers, like Julian Assange and Islamic jihadist recruiting websites, and he brings them down with his tool and then tweets about it. He's prominent on social networking; you can go chat with him. I've chatted with him, but he doesn't have any partners. Unlike LulzSec, he works alone, and therefore he hasn't been caught yet. He understands military operational security; nobody can trace him, something that LulzSec forgot. Anyway, so he brought down WikiLeaks
single-handedly, and held it down for more than a day. And to prove it, I was chatting with him on IRC and he said, okay, I'm going to turn off the attack and let it come back up, and it came back up. He said, now I'm taking it down again, and it went down again. So that convinced me that he was really in control of the attack, and here's the Netcraft graph of WikiLeaks going down for more than a day thanks to The Jester. So that was his game. Then he decided to fight with Anonymous, because Anonymous didn't like him taking down WikiLeaks, and he's been focusing on them for about the last year, Anonymous and LulzSec blasting each other apart with a variety of tricks, but among them denial of service.

And then The Jester got mad at Westboro Baptist. Now, these guys are also pretty easy to hate. I mean, they have some ridiculous hatred of homosexuals, and then they also picket funerals, and basically their profit method seems to be to be annoying until someone finally punches them in the face and then sue. But The Jester decided to take them down, so he took down four websites with his tool, which he had ported to a cell phone, and from a single 3G cell phone he says he held down four websites for two months straight. And I don't doubt that, because I know I could do it, and any of my students could do it, and any of you can do it if you just pay attention to this talk. It's not hard; the Slowloris attack runs on Windows, it's not hard to do at all, and that's how it goes.

Now, LulzSec continued on a rampage, hacking everybody in sight. At one point they just opened up a telephone line and you could call in and they'd hack anybody you wanted. They hacked US government, military, NATO, British government sites; they dumped the contents of the Booz Allen Hamilton database. When they dumped out the Arizona cops is when I got really mad, because that was real important: they dumped out their names and their password hashes and the login for the emails. And when they dumped out the Booz Allen Hamilton password hashes,
that struck me as outrageous: 150,000 password hashes, half of them were cracked by the next day, so all the top military, their names and passwords are now out there where anybody can use them. I didn't think much of that. However, they also took down some games websites, which I didn't even notice, but it seemed to be what really caused trouble for them. And they put up a website to announce all the stuff they took down and all their stolen data, and then hacked PBS and put up a silly thing, and I was pretty irritated by that too. I said, why would you hack PBS? Come on, guys. And anyway, now they've been caught, largely. Ryan Cleary was one guy kind of on the periphery of LulzSec; they caught him in June, and shortly after that they caught Tflow, who was much more important to LulzSec, and just a couple of days ago they caught Topiary. So they really are just British teenagers, very messed up, hardly left their house, and their attitude of just taking down everything just for fun is, you know, it comes from just childish immaturity. You might wonder what makes them do this; they are just young and foolish. Why they think they can just take down every government website, and just for fun? Anyway, by the way, they're both supposed to be here. They're both on Twitter claiming to be here; they said they were at the pool yesterday. The Jester said he was here and Sabu said he was here. I kind of doubt it, but maybe they are, who knows. Sabu is the main LulzSec person still at large and widely assumed to be on the way down, because his friends have already been arrested, and this is what always happens: after they get the first one, they will betray all the rest, because they don't have much in the way of operational security.

Anyway, the technical part of this. You have layer 4 DDoS, which is the simplest kind of attack, and this is what was used to take down MasterCard and Visa. They couldn't take down Amazon this way. Anonymous tried this. This is a protest which involves many people, so the reason it
works is that the tool they use is the Low Orbit Ion Cannon, which is just a network stress tester, and it doesn't do much harm, so it takes a lot of people to bring down a website this way. But with the participation of three thousand, or perhaps thirty thousand, attackers (the number is not entirely clear), they were able to hold down MasterCard for more than a day, and many other sites. And this is the kind of attack that Kaspersky was talking about when they interviewed him a while ago and asked him how many infected machines it would take to bring South Africa off the internet completely, or, I'm not sure it was South Africa, some nation, and he said it would take hundreds of thousands of infected machines to do that. And I know that's false; I know it would take one 3G cell phone. However, he's not thinking of that kind of attack; he's thinking of the layer 4 attacks, where it takes thousands of machines to take down one target, and it's really nothing more than just pressing F5 in your browser: F5, F5, F5. If enough people do that, you get the Slashdot effect, the page goes down. It is a denial of service of a sort; it's just a very weak, primitive one.

The more powerful ones, like the Slowloris attack that RSnake came up with a couple of years ago, and there were many earlier versions of the same thing, here you do something smarter. Instead of sending a complete request to the web server, and just sending a lot of complete requests to the web server so it has to work too hard to serve them all up, you send it something that will jam up the web server. An HTTP GET request to get a page from a server looks like this: you have the layer 2 information, the layer 3 information, and down here you've got the GET, which is several lines of information. And if you just send part of the GET and you never send the rest of it, then the network assumes that you're on some kind of unreliable network and the packets have been fragmented, and so it's got the first half of it and the other half is still coming, so it waits
for the other half, and that ties up incoming lines, and it's extremely powerful. I'll show it to you here in a couple of minutes. That's Slowloris; it will freeze all available incoming lines, and all you need is about one packet per second, and it stops an Apache server dead. R-U-Dead-Yet is another similar one, but it uses POSTs and it affects IIS. IIS is not affected by the Slowloris attack with incomplete GET requests, but it is affected by incomplete POST requests. There are other variations of it; now there's one using Keep-Alive DoS that works. I tried that; it's somewhat effective, not as powerful as the Slowloris attack, but it's another way to send requests that make the server do a lot of work. The Jester's tool presumably uses one of these principles. He calls it XerXeS. It has a graphical interface; it looks like it runs on Ubuntu Linux to me, but who knows, and then he has his attacker.

One important thing about layer 7 attacks is you can run them through an anonymizer so you don't go to prison. The Low Orbit Ion Cannon does not enjoy this feature, because it has to send a lot of traffic from you to the other end. If you try to run it through the Tor network it'll just choke off your attack, and it'll just bring down the Tor network, because it's like a flamethrower; it burns everything between you and the target. Whereas the layer 7 attacks are like a guided missile: it just sends a few packets that don't harm anything until they get to the server, and blam, the server becomes unavailable. So you can run it through an anonymizer, which is what he does, which means that not only can they not find out where it's coming from, but they also can't protect from it by any kind of simple firewall rules that filter by source address, because all the packets come from different source addresses. Although if you block all Tor exit nodes, which you should all do, that will stop them from using Tor and they'd have to use something else, like a botnet of compromised machines, to do it, and
that would make it a little harder. But anyway, his tool runs this thing through an anonymization network and then brings down the target, and it independently runs a series of tests against the target; when the target goes down, that sends out one of those "TANGO DOWN" tweets. Anyway, that's where we were up to maybe two years ago; these things were running.

The link-local DoS is much newer, with IP version 6. You're using IP version 6 if you have any version of any modern operating system: any modern version of Linux, any Windows Vista or Windows 7, or Windows XP if you turn on IP version 6, although it's not on by default. And your servers, your domain controllers, your DNS servers, your email servers are all using IP version 6 whether you like it or not, unless you have gone out of your way to turn it off. And like any other unwanted service, if you're not using it, it's opening you to attacks. So in IP version 4, whenever a machine joins a network, unless you're weird enough to be using static IP addresses, which most people aren't, your machine boots up and it asks the router, the DHCP server, "I need an IP." It says, "Okay, use this IP." Then there's another back and forth to make sure nobody else is using that IP, and that's the end of the game. There will be no further DHCP traffic until you restart that machine or until a long time passes, like four days. That's a pull process: I need an IP, I ask for an IP. But IP version 6 is not normally done in that fashion. In IP version 6, generally, addresses are distributed by router advertisement, so the router pushes out a router advertisement that says, "I am the router, everybody stop what you're doing and join my network now." Everybody has to stop, make up an address, and join the network. It's a broadcast packet, although the purists will tell me there is no broadcast in IP version 6, but there is something called multicast to all nodes, so the difference between these things is theological in nature and I don't intend to go into it. But the point is, the router
sends out one packet that goes to every node, and every node now has to join the network, which doesn't seem that bad. Here's the router advertisement packet going to the multicast-to-all-nodes address, ff02::1, and telling people what network to join. The problem is, you can send out a lot of router advertisements, and when you do, the poor target joins all these networks, and that would be all right except that Windows is extremely inefficient at doing that.

So let me show you a few of these attacks. I should have some virtual machines set up now. This is how I do it in class with my students: I use virtual machines on an isolated network, and when I first... well, I'll tell you a little more when I get there. So let's start with the old-fashioned attacks. Here I've got a BackTrack 5 Linux machine and it's running as a web server, so if I go to localhost and refresh, I put up a web page here with a picture of a cat. All right, so it's handing out that glorious web page. Now, if you run this page you can see the status of your server, and let me see if I can figure out how to turn off some junk to save some room here. Can I right-click and see View, Toolbars? Good to get rid of toolbars. Come on. View, Toolbars, Bookmarks. There, that's getting somewhere. Okay, now that's the server status, and down here these are the current connections. There's one connection waiting here and all the rest are available, hundreds of connections available; this server can handle hundreds of people viewing that web page. So if I go over here and this guy views that web page, it should show up here as another connection, and so it does. Now I have a couple of connections. So now let's attack this poor Linux machine from this Windows machine. We'll start with the old-fashioned stuff, the Low Orbit Ion Cannon. Let's get these things out of my way. All right, Low Orbit Ion Cannon is here, the thing that Anonymous people use as a shortcut to go into prison, and I'll need an IP address here. Let me join this. There we are,
okay, 192.168.1... HTTP 192.168.198.173, hopefully I got that right. Yeah, it looks pretty good, 198.173. Okay, so this attack goes here. I need a little more room on my screen. Come on, come on. Hey, this is Lion; it lets you drag the corner from the middle now, but it doesn't seem to refresh this page in any hurry. Well, that's irritating. Turn to your computer... well, I don't like virtual machines much, but under these conditions I'm kind of forced to use them. Seems... do what? Well, it won't even respond to anything I do right now. This is fairly common. I might have to restart, might have to restart that one. Oh, there, it finally responded, I think. There, that's good, that's all right, it's just a little slow. I'm sort of getting used to this. All right, I have to click Lock On until the number appears here. Yeah, there we are, the number appears there, and now I can do different kinds of attacks here, and I would like to scroll down but I don't see a scroll bar, because I'm being hosed here. Pardon me. All right, I'll have to go to full screen, I see, the only thing I can do; I'll make it big enough so I can see what I'm doing. All right, because the Low Orbit Ion Cannon, in addition to sending you to prison, isn't very well written; it doesn't let you see what you need to see too well. All right, so I'm going to send HTTP requests here, and I need to get to the fire button there: IMMA CHARGIN MAH LAZER. There we go. Now it should be there, it's sending stuff, numbers, okay, sending complete requests back to my poor target, which is here. So my poor virtual machine here will now show that people are using up the connections, and there they are. See, it's filling up with a bunch of C's. Now, those C's are connections at the web server. It is gradually filling up here, so it's using up all that web server can do. But what it is doing is complete connections: they form a connection, they download that little web page, and then
they wait to time out. So this does fill up all the connections and make the web server unavailable, but it does it in a very weak way, because each connection terminates normally and then just ends its time normally, so it only ties it up for a couple of seconds. So that's what this one does. Let me get back to my virtual machine, which is here. All right, and let's stop that one; I should have stopped it, and get rid of that one. Let's do the Slowloris one, which is much more powerful. OWASP wrote a Windows version of it, which is really nice, and it's also small enough that I don't need such a big window for it. All right, so now I have to put that address in here, 192... I can get it out of here, couldn't I? Yeah, that'd be fun: copy it from there, put it in here. Okay, now this is going to run that attack. Let me just get this back to normal. Since I'm no longer attacking it, it goes back to normal, only one connection. There's an extra one there; I don't know what it is, but I'm not worried about it. Now run that attack. There we go. Now if I refresh this page, you see it's filling up, and it's filling up this time with R's. Those are pending requests; each one of those will take 400 seconds to time out by default, so you don't need to send very many of them, and it uses up all available incoming lines, and this server is toast. So that's the Slowloris attack, and the HTTP POST attack is similar. So it's very powerful and very dangerous, and now it's this easy. And when you stop it, it will recover; it recovers pretty fast in this case. I don't know why it's not taking 400 seconds, but maybe the default timing in Apache on BackTrack 5 is different than what I think it is. I'm not quite sure what causes that. But anyway, now that we've shown you how to kill Linux or Windows, let's go the other way with the more powerful attack. Let me clear all this stuff up and set up my poor Windows machine to show you the evil that is about to happen to it. So if I go here and type ipconfig
| more (pipe more), you'll see this machine is an ordinary Windows machine. I put on a static address of 2::2 in IP version 6; it's got an IP version 4 address and really not much else going on. Now let me bring up a Task Manager window, because that's the interesting way to see the damage that's going to happen to this machine. Task Manager shows the CPU is now at zero percent. So let me shove these things over near each other and shove it over to the side. There's my Windows machine, just sitting there. Now, if I send it some IP version 6 packets... here I'm going to do fake_router6 first. fake_router6, this is the THC-IPv6 attack suite from van Hauser in Europe someplace, and I'll do that on eth1, and I'll send it "defcon". I can't get an n, though, but I can get that far of defcon: "defco". I'm going to send that. Okay, now it's sending some packets advertising that network. Don't need to wait any longer; all the devices on that network have been commanded to join it, and there it is, it's made an address starting "defco". Now, this is what's supposed to happen when you add a router. In the normal course of events, I add a router, it advertises its prefix, everybody joins, and the game is over. But if I send a flood of unwanted packets at the rate of hundreds per second, on eth1, I'm going to stop it very soon thereafter; each dot is 100, I've sent about a thousand, this is now at 100%, and it's just going to sit there at 100% for a long, long time. And what's worse is, I got this far, I was trying to make a project for my students, sitting outside a coffee house, and I said, well, this is fun, but the problem is it's killed it so bad that you can't see the addresses if you run ipconfig. Now, if I stop it really fast, this will actually respond without waiting forever and you can see what it's done, and that's why hopefully I stopped. There it is. You see, it's joined all these networks, page after page of networks. That's what it's doing, and it's still adding more to that list at the rate of about five per second. So this is all
right, but when I first tried it, I ran it for a while, nothing seemed to happen, hey, my Windows machine doesn't respond at all, what happened here? So, well, this is no fun; students don't learn anything, they can't look at the damage. So I thought, well, this is a bad project, what do I do? And then I thought, hey, wait a minute, this would kill the domain controller and the email server and everything. This is really bad. This is so bad I can't tell my students at all; I better tell Microsoft quietly. So I sent out a tweet. I mean, at first I did this: I sent out a tweet saying, hey, this attack hurts Windows 7, not surprising, and then I said, hey, you know, I need a security contact inside Windows, so Ed Bott and other people on my Twitter feed immediately gave me good people inside Microsoft, and they sent me to the right people, and within two days I had an official answer from Microsoft saying, yeah, van Hauser told us about that a year ago and we don't care. We're not going to do anything about it for current versions of Windows; we do not care that Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, XP are all going to die at the drop of a hat; we may put it in Windows 8 or Windows 9 or something if we have nothing better to do. I said, fine, if you're going to be that way, I'll tell the whole world about it. And I gave it to my students for homework, and I said, use an isolated network, don't kill every machine at the college, because you could kill every machine at the college, including our servers and everything else. And my students did not kill the whole college with it, which is nice of them; therefore I'm still working there, I'm not out on the street with a tin cup.

And so anyway, that's the power of that attack. And so let me talk a little bit about defenses, but I think before I do that I'm going to hand it over to Matthew here. The only thing I want you to do is, if you would like to try this: now, Windows machines are vulnerable to this, and one version of BSD Unix is vulnerable to this
attack. Windows... Mac OS is not. If you look at my Mac here, ifconfig will show... yeah, you see them here. Let's try pipe more. There we are. See, the Mac got the attack too. The Mac is the host, and as you can see, it joined some of these; those are 2001s. Let's see, it joins, I think those are useless networks; it joined some of those useless networks, but it didn't join them all. Well, I think those might be from DEF CON, but anyway, what you see if you expose the Mac to it is it joins about the first 10 and no more. It has the sense to ignore all router advertisements after the first 10 for some period of time, which is a pretty good defense, and that's what I think Microsoft should do in Windows, but they are not interested, in my opinion. Cisco patched it; Juniper didn't. But anyway, if you have any devices to test, Ryan's going to set up a network there and kill anybody that wants to join it, and if you want to participate in this, here's how you do it: you join a network called "do not use", and it's WPA2 encrypted, and the password is "do not use". So if you join that network, he'll see how many people join and then run this attack and kill you. And if it kills you, it's interesting, because other devices are vulnerable besides Windows and BSD, and some people said they were going to bring interesting devices here. Any device that networks may be vulnerable to this, and I would like to know, and I'd like you to go to the question room afterwards and tell me so we can inform the vendor and get it patched, because I think a bunch of people are vulnerable to this and they don't know. But anyway, let me hand it over to you. You can tell them your story about LulzSec, and then I'll come back and talk about defenses if we have time left. Your stuff should be on the desktop; let me dig down to it. Yeah, "do not use" or "do not connect"? Right, "do not connect". Oh, "do not connect", okay, thank you. Okay, yes, so its name is "do not connect" and the key is "do not connect".

Okay, thanks, Sam. Sam is the only person that I
know who can make running DDoS attacks seem charming. So my name is Matthew Prince, and I know Sam; we both live in San Francisco, and we both got sort of dragged into the little security kerfuffle reluctantly. And so I'm going to tell you the story of how I got dragged into it and talk to you about some of the DDoS attacks that we saw during the 23 days that they were active, and then what we did to stop them. So on June 2nd at about 4:54 p.m. Greenwich Mean Time, the LulzSec Twitter account announced that they had finally gotten around to actually making a web page. What was pretty amazing was that within about 15 minutes that web page was knocked offline by a fairly significant denial of service attack. I don't know the details of this particular attack, because we hadn't been involved yet. About an hour after the web page was first announced, LulzSec announced on their Twitter account that they had actually solved this problem, and the only thing that had changed, as far as I've been told, is that nine minutes earlier they signed up for Cloudflare. Now, Cloudflare doesn't... we're a service, we make websites faster and we protect them from some attacks, but we don't really think of ourselves as an anti-DDoS service, so it was somewhat of a surprise for the LulzSec people to do that. It was even more of a surprise when, an hour later, LulzSec sent out a message to me saying, hey, we love your service so much, can we exchange rum for a free Pro account? I had no idea who LulzSec was at this point, and so I tweeted back a tweet, which my legal counsel has since told me to remove, which said, it depends on how many cases and how good the rum is. They never sent the rum and we never gave them a Pro account, but Cloudflare is free, and thousands of sites sign up for it every single day, and we typically don't have problems with them. These guys we had some more issues with, and so over the course of the next 23 days they wreaked mayhem in lots of different ways, and
finally, on June 25th, they called it quits. And what was interesting is the way Cloudflare works: we're a reverse proxy, so all of the traffic which goes to LulzSec passes through our network first, which has two significant effects. The first is, anyone who attacks LulzSec was attacking us, so that was amusing. And then secondly, it meant that LulzSec was actually able to hide where their origin was, where they were actually hosting from, and that's a side effect of how our system is designed, but it was one that they used to great effect. Sam actually contacted me a little while ago; he said he was going to do a talk on DDoS, and we sort of talked about the experience, and he said would I be willing to share some information about it. And again, we have legal counsel and we're a real company and we have a privacy policy, and even if you're an internationally wanted cyber criminal we try to respect the privacy policy. And so I wrote the following email (there's a little bit more to it) to the email account that we had on file for LulzSec on July 2nd, right after they had called it quits, saying, hey, I've been invited to talk about this at DEF CON, would you mind? And I didn't hear anything for quite some time, and then 11 days later someone by the name of Jack Sparrow... so here I am. So I can talk about some things; I can't talk about everything. I can talk about things writ large, I can talk about how they affected us. I don't want to get the hosts that they were using in trouble, necessarily, so I'm not going to be revealing their exact IP addresses. But let me tell you a little bit more about what happened over those 23 days. So this is the actual traffic to LulzSec's website over those 23 days: they received a little over 18 million page views as people went to that site. You can see it peaked early and then it's trailed off since then. The website is still actually on Cloudflare, although the website behind it has been taken down, so if you go to it
today you'll see an Apache configuration page I don't know what they have planned next what's interesting is that we can actually look at what is just the attack traffic and break that down and you know I'd say that this attack traffic up until the spike kind of in the middle there was almost just background noise it was not something that we were particularly concerned with and in fact what I say on a slide in a couple of seconds is that the three weeks that Lowell security were on Cloudflare was actually three of the quietest weeks for denial of service attacks that we had seen which is strange because a lot of people were saying that they were attacking them there was this one spike in the center but that seems to have been caused by a couple of very distinct events that they that they engaged in and and I'll talk about what that is and then I'll talk about exactly what the sort of attacks that we saw for Lowell against Lowell's and what we did to defend ourselves and and then the ones that were sort of annoying to us so one thing that was particularly interesting this is on June 25th this is the the gesture I don't know who the gesture is Sam Sam's given me some background he publishes a web page he spent a huge amount of time trying to figure out what the backing where the where the Lowell security site was was hacked and he proudly pronounced what has become gospel which was that www.LowellSecurity.com was at 204.197.240.133 and LowellSecurity.com was at 111.90.139.55 I know where the site was on January or on June 25th and I tell you it wasn't there at all in fact they use seven different hosts over the course of 23 days the original host was in Montreal, Canada they were briefly in Malaysia but it was in early June it was that's the 111 address that's accurate I don't know where the other address comes from most of the hosts that they used were actually U.S. 
based hosts including one large host that is specifically specializes in DDoS mitigation ultimately they're using German hosting and that's where they still are today one thing that was interesting was that a lot of people claimed that they had found some way to knock Lowell's security offline and they posted pictures online this is actually a service that we offer at Cloudflare which is if your back end origin server goes down then we'll actually show a cached version of this and we put an orange bar across the top that says you're viewing a cached version sort of like if you view as cached in Google what's interesting is that while a lot of the world was claiming that they had done this what I think actually must have happened is that the Lowell Security guys got kicked off their host because for a brief period of time for about a 36 hour period what they did was they actually pointed their IP address at 2.2.2.2 which is an invalid there's no host there's no web server running there I think they just picked a random IP address and what that did was it caused our system to kick into the always online mode that actually caused that cached version to exist for a limited period of time until that cache expired at that point they pointed it back to a host for a short amount of time then pointed it back to a fake address to get it up I am not aware of any person or any time when the Lowell Security site was actually knocked offline in spite of the fact that a lot of people were trying to do that on the other hand they knocked a lot of people offline which was interesting to watch a lot of the attacks that we saw again as I said we were really surprised we had everyone on high alert we were watching for big attacks to come in and the attacks that we saw were generally actually significantly less than we would have expected pissing off the hackers that populate Twitter is not nearly as dangerous as pissing off the Chinese cyber mafia or the Eastern European cyber mafia 
or people that run really big extortion attacks. They run big DDoSes. These guys, you know, they're clever, but it's not the same league. We saw some layer seven attacks that were relatively harmless. While Slowloris and some of those tools are interesting for attacking an individual web server, Cloudflare was specifically designed not only to stop layer seven attacks dead, but we actually then record all the IP addresses that are committing those attacks, which just makes it... I mean, we actually are happy when people attack us over layer seven. The more annoying attacks for us are the layer three and layer four DDoS attacks that we see. But, you know, we run a network which is an anycasted network, and what that means is that we have a bunch of machines, hundreds and hundreds and hundreds of machines, running in 14 different data centers all around the world, listening on the same IP address. So that tends to take distributed denial of service attacks, or high-volume attacks, and spread them out over a very large surface area, which makes it much more difficult to launch something like that against us.

What is more interesting, though, is the annoying attacks that hurt us, which were a couple of different things. The first was that someone had a really big network and a lot of traffic, and they pointed almost all of it at us, and it happened that they were geographically proximate, or sort of network-geographically proximate, to our San Jose data center. And so they were doing enough bandwidth to our San Jose data center that what we did was we took all of our clients other than Lulz Security and we moved them to other data centers. No one ever noticed, but the San Jose data center for that period of time was only serving Lulz Security. Kept them online, though. Another attack which was really interesting, which is actually not a particularly big threat to most people but was a threat to us, was using Google as a reflector. So we have special rules that are in place for Google's IP addresses in order to make sure that we're never blocking legitimate crawler traffic from coming to us. And so someone who is actually very clever found out that if they sent a lot of SYN requests with fake headers pointing back at our IP addresses to Google, Google would ACK back to those, and that actually created some issues for us internally. It was a pretty easy solution: we blocked the ACKs that didn't have a SYN attached to them, and we called our friends at Google and said you'll never get origin traffic coming from this, so just firewall it off. And that was solved within a few minutes, but that was actually a clever attack that looked at the nature of how our system worked and challenged us based on that.

The last one, which was the most annoying: someone did a thorough scan of our IP address ranges and found some exposed router interfaces that were out there, and figured out the routers that we were using, or just dictionary-attacked the routers, we're not sure, and they were able to launch attacks that actually shut down some of our routers. And they were able to bypass anycast, because those were specific to that. The solution again was fairly straightforward: we just blocked those IP addresses off from the outside network. But it was the attack that actually caused us the biggest problem and knocked a couple of our routers offline for a couple of minutes. But largely, again, when I compare the big attacks that we see, when a client of ours gets a letter in the mail that says, "Hi, I'm the helpful Chinese government agency, by the way we've detected on your network that someone is going to attack you, if you send us $10,000, you know, we can probably do something about it" (obviously not a real Chinese agency, and they really can do something about it, because they're launching it), those are big attacks. These were relatively small by comparison. Sam, I think I'm losing power. So, yeah, you can just make sure it's plugged in. I think I got it there, so sorry about that.

So a couple of things that were interesting. The first was, you know, again, when the Jester and all those guys were attacking, that's that sort of background noise pattern. What really started, it seems, to trigger pissing people off was when the Lulz Security guys went after Minecraft, and that was the real spike in traffic, and then the drop back off in traffic was caused when they stopped attacking Minecraft. In fact, internally in our office, the biggest debates in terms of whether we should drop them off our network or not came from the Minecraft aficionados, who said, "You're now causing me pain and that's not cool." So I guess the lesson is that if you're going to, you know, launch DDoSes against people indiscriminately, don't pick on Minecraft. So, you know, I have very little information on who the LulzSec folks actually are. I will say that one of the user names that signed up for the Cloudflare account is very, very similar to one of the user names that's been arrested. I don't know if that means that it's just a coincidence or that they've actually been taken offline. We haven't seen much activity that moved their host around, and again their website is down now, but it was an interesting 23 days, watching kind of the attacks and, as all the world tried to take them down, seeing how we could help keep it up, for better or worse. So if this is of any interest to you, I'm @eastdakota on Twitter and I work at Cloudflare. So thanks for having me.

All right, thank you, Matthew. I really appreciate you coming to do that, because I'm trying to improve my game. You know, I've been a breaker for quite a while. Let me see if I can find my presentation. There we are. You know, I've been giving a lot of talks, and, like, attack is easier than defense, so my talk show is the same: I have this new attack, it blows everything away, ha ha ha, and if you don't like it, tough, you have to, like, wait for Microsoft to patch it or something;
basically you're hosed, which is a common message you'll hear at DEF CON and other conferences. But I'm trying to move up, so I told you this stuff. By the way, there are some defenses. See, I'm trying to move into defense, which is tougher; most of the time defense is difficult. Now, if you want to block those router advertisement floods, you could turn off IPv6. That will protect you, but IPv6 is necessary and it does things you probably want, like HomeGroup and DirectAccess. You can turn off router discovery with a netsh command at the command line, and that will mean that your machine does not listen, so it does not do anything when it gets RAs, and it will protect it from this attack. It'll mean you have to put a static IPv6 address on it, which is probably the right thing to do on a server. You can block it with the Windows Firewall and only accept router advertisements from the authorized router, and that will protect your clients, although it's pretty easy to defeat that by just making rogue router advertisements that appear to come from that source address. But it will stop the attacks to some extent. And Cisco makes a switch with RA Guard. Cisco patched their own vulnerabilities for this as soon as they were told by Marc Heuse, and they made a proprietary protection for your network, so if you buy a Cisco switch with RA Guard... okay, good, right on time here. Anyway, you can evade that pretty easily by putting in fragmented router advertisements; they'll go right past Cisco's RA Guard. So for every defense there is another attack.

But anyway, as far as defending, my conclusion has been for a long time: the only reason your website is up is because nobody hates you. If even one person hated you, you'd be down. That's what the Jester proves. That's why I think the Jester is so important for network security: he proves that just one angry man can take down a lot of websites, and you're helpless, basically. Now, it's not entirely true that you're helpless, but the defense seems to be a little difficult to put in. I tried playing with some defenses. You can use mod_security. Now, in laboratory conditions, mod_security's latest version has an anti-layer-seven DoS feature, but all it does is stop too many connections from the same IP address. So it will save you from a test on your network with that old OWASP tool, but it won't stop the Jester, because he goes through Tor or some similar network and all the attack packets come from different networks. You can pay a service like Akamai to protect you, and they'll use a few tricks to protect you. You can put in a load balancer. Load balancers will protect your server by only letting complete requests make it to the server, but the load balancer itself will go down when you give it enough traffic. It's a defense, but it's not a perfect defense; it took something like four times as many packets to freeze the load balancer in my test, so it's something. You can also do things like counterattack. HD Moore had a good one here: somebody tried attacking him with a botnet, so he pointed his DNS address back to their command and control server, so they blew themselves away. And that's effective, of course, but it does mean your site is down while it's happening, and it's questionably legal. I mean, now he's taken the flame, just like if I had a shield and collected the bullets to shoot back at the bad guy shooting at me; I don't know. Anyway, there may be some legal issues there, but it did work, and it'll work against flood attacks like Anonymous with the Low Orbit Ion Cannon.

But I was very pleased to observe Cloudflare here, because I've got the same talk I give everywhere: there's this horrible attack, there's not much you can do. And now I'm contacting people out of the blue that have vulnerabilities exposed on Pastebin to try to get them to fix their stuff, and they're typically small businesses that don't know much, that don't have any security team, and I can't tell them to purchase and implement an extra server to protect their server. But what I could tell them to do is just use Cloudflare, which is a free service, and that's not too hard to do, and it really will protect you. And I was very pleased to observe that it really stopped the Jester. The Jester really wants to take him down and he really can't. It's the first thing I've seen that would do that, that you could easily deploy without, you know, having an expensive network security team. So I'm going to be playing with it with my students next semester. We're going to be setting up all these defenses and trying to blast through them and trying to make them good and strong. Defense is much harder than attack. Anyway, I guess that's it. Did anybody actually get murdered here, Ryan? Did anybody's machine actually go down from attacking his network? Anybody want to talk about it? No volunteers. Well, you know, when you volunteer to ruin machines up here, you don't get too many volunteers. Okay, fair enough. So I guess that's it. See you next year. Oh, there's a Q&A room.