Mitigating Nuclear DDoSer, R-U-Dead-Yet, Dirt Jumper, Keep-Dead, and Tor Hammer with F5

It’s an unofficial DDoS week, as attacks continue against major US financial institution web sites. F5 has people onsite helping to mitigate these attacks but due to non-disclosure agreements we can’t talk about specifics. The severity of these attacks is bringing attention to DDoS, specifically layer 7 DDoS, which is what F5 excels at identifying and mitigating.

Attack tools have been moving to layer 7 for some time. Five of these tools in particular have gained some cachet.

· The Dirt Jumper attack suite evolved from the RussKill crimeware bot and makes use of HTTP-flood and SYN-flood attacks.

· R-U-Dead-Yet (or RUDY for short) uses Slow POST and a generic HTTP DoS attack via long form field submissions.

· The Tor Hammer uses a more efficient Slow POST (written in Python).

· The acclaimed Nuclear DDoSer tool uses a multithreaded Slow POST / Slowloris attack with randomized POST data.

· The Keep-Dead tool, which is actually quite simple, sends rapid-fire HEAD requests designed specifically to tie up Apache servers.

In general, layer 4 attacks get mitigated automatically by the Local Traffic Manager (LTM), which leverages the full reverse proxy functionality to detect and mitigate every single connection. Up the stack, transport and session layer attacks get mitigated by LTM, iRules, and the Global Traffic Manager (GTM). The layer 7 attacks can be mitigated with the Application Security Module (ASM) or iRules.

Sometimes it’s not obvious which F5 technology to use during a DDoS attack, so we put together the following table to show what F5 tools work best for mitigating particular known attacks and their particular layers. The layer 7 attacks are at the bottom.

Attack Matrix

It’s not surprising to see that many of these tools have incorporated the Slowloris and Slow POST techniques. At least one bot has incorporated the Apache Range Killer as a vector as well. Don’t be surprised if we see the layer 7 HashDos technique incorporated into these tools as well (with IIS servers still 40% unpatched).

Here’s another way to look at the attacks and which technologies to use for the mitigations.

 

Published Sep 29, 2012
Version 1.0


1 Comment

  • David_Holmes_12
    Historic F5 Account
    Some versions of Dirt Jumper don't include // in their referrer field. Here's an easy iRule for mitigation:

    when HTTP_REQUEST {
        # Only evaluate requests that actually carry a Referer header
        if { [HTTP::header exists "Referer"] } {
            # "\x2F\x2F" is "//"; drop the request when the Referer lacks it
            if { not ([HTTP::header "Referer"] contains "\x2F\x2F") } {
                drop
            }
        }
    }
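
Before enabling a drop rule like the one in the comment above, it helps to see which clients it would hit. The following is an added example (not part of the original article or comment, and not F5 code) that applies the same Referer test to web server access logs. It assumes Combined Log Format with "-" logged for an absent Referer; the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Combined Log Format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def would_drop(referer):
    """Mirror the iRule: the header exists and its value lacks '//'.
    Assumption: the log writes '-' when no Referer header was sent."""
    return referer != "-" and "//" not in referer

def audit(lines):
    """Return (per-client count of requests the rule would drop,
    number of lines that did not parse)."""
    flagged = Counter()
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            unparsed += 1  # never silently skip: odd lines deserve a look
            continue
        if would_drop(m.group("referer")):
            flagged[m.group("ip")] += 1
    return flagged, unparsed

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '192.0.2.10 - - [29/Sep/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 512 '
    '"http://www.example.com/" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Sep/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 512 '
    '"www.example.com/index" "Mozilla/4.0"',
    '198.51.100.7 - - [29/Sep/2012:10:00:02 +0000] "GET /login HTTP/1.1" 200 512 '
    '"example.com" "Mozilla/4.0"',
    '203.0.113.5 - - [29/Sep/2012:10:00:03 +0000] "GET / HTTP/1.1" 200 512 '
    '"-" "curl/7.26.0"',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    flagged, unparsed = audit(SAMPLE)
    for ip, count in flagged.most_common():
        print(f"{ip}\t{count} request(s) would be dropped")
    print(f"unparsed lines: {unparsed}")
```

Running this over logs from a normal traffic period shows whether any legitimate clients send a Referer without "//" and would be caught by the rule.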