HTTP Time Bandit

Explore an in-depth analysis of HTTP-based Denial of Service (DoS) attacks and their countermeasures in this conference talk from BruCON 0x05. Delve into various DoS classifications, including classic application layer attacks and Get Flooding techniques. Learn about a proposed method for normalizing data using statistical analysis, and witness a live demonstration of attack testing and service degradation measurement. Examine the role of load balancers and commercial protection services in mitigating these threats. Discover how to leverage the presented tools for identifying and fixing resource-intensive elements within web applications. Investigate Apache configurations and modules such as mod_security, mod_limitipconn, and mod_qos for enhancing protection against DoS attacks. Gain insights into the conflicts between certain modules and Slow* attacks, and explore future directions in HTTP-based DoS prevention.

Introduction
Who?
DOS Clasification
Classic Application Layer DOS/DDOS
Get Flooding With Spice
The Proposed Method
Lies, Dirty Lies and Statistics
Using Statistics to Normalize the Data Mean as the measure of central tendency • Calculate the mean of all resource download speeds • Calculate the means of each resource download
Speed Distribution
Demo
Attack Like Stage of Testing Measurement of service degradation while doing a hard test for narrowing down the choice of links
Load Balancers
Commercial Protection Services • Few players using limiters for
Using the Tool for Good Identify/Fix resource hogs o Use our tool for this
Playing with Apache Configs
mod_security
mod_limitipconn
mod_qos
mod_bwshare Accepts or rejects HTTP requests from each client IP address, based on thresholds set by past traffic from a particular IP address[8]
mod_evasive
Conflicts with Slow* Attacks
mod_httpbl
Back to the Future
References