topic Re: Can the PAN device block HTTP Dos Attacks? in General Topics

Can the PAN device block HTTP Dos Attacks?

JTR — Wed, 19 Jun 2013 05:36:21 GMT

Hello Guys,

I'm going to do some service availability test in the near future. We can't get any information of the attack pattern. The only information we know is that the tester will conduct these attack.

HTTP CC(cache-control) attack
Slowloris attack
Http post attack
Http Hash dos attack

I'm afraid that those attack patterns seem to be normal for the PAN device (It's like brute force attack, working base on the threshold value)

I've heard that the best way to block these kinds of attacks is the setting server's timeout value or threshold value.

But I have to find out some way to do this job with PAN.

Can we block those attack with IPS Dos Signature or Custom Signature? If we can, does anyone know how set-up to the custom signature for those attacks?

Regards,

Re: Can the PAN device block HTTP Dos Attacks?

Gregoux — Wed, 19 Jun 2013 06:02:22 GMT

you can found explanation for DOS protection by paloalto with this doc https://live.paloaltonetworks.com/docs/DOC-5078

but there is no information in this doc about HTTP DDOS.

I'm interresting in hhtp ddos too

Re: Can the PAN device block HTTP Dos Attacks?

Gregoux — Wed, 19 Jun 2013 06:05:31 GMT

http ddos could be limited by rate limiting

Re: Can the PAN device block HTTP Dos Attacks?

UhMayYeah — Wed, 19 Jun 2013 06:29:30 GMT

Ref : Resources Protection Page : 38 and

Appendix 😧 Slow HTTP Test Output

Re: Can the PAN device block HTTP Dos Attacks?

JTR — Wed, 19 Jun 2013 06:59:51 GMT

I think these attacks can exhaust server resource with normal Http transaction, and before the the server reaches its max concurrent connection limits, its resource worn out ..

And PA's Dos Protection uses Layer 3~4 information, those attacks are based on Layer 7 information (Http get, post value etc...). In my opinion I should be able to set up Http get method threshold.

Re: Can the PAN device block HTTP Dos Attacks?

Gregoux — Wed, 19 Jun 2013 07:14:30 GMT

You right about get flood, but when a get request is sent you sent a tcp request and it 's why if you implement rate limiting you minimize the impact of this kind of attack

see how to implement QOS

Re: Can the PAN device block HTTP Dos Attacks?

JTR — Wed, 19 Jun 2013 07:34:41 GMT

I've found one IPS signatures which can block HTTP Slowloris attack.. :smileygrin:

Attack Name	HTTP: Apache Denial Of Service Attempt
Description	This event indicates that someone want to exhaust the apache resources, as described by slowloris.
Threat ID	40018
References	https://threatvault.paloaltonetworks.com/Home/ThreatDetail/40018
Severity	high
Category	brute-force

Re: Can the PAN device block HTTP Dos Attacks?

Gregoux — Wed, 19 Jun 2013 07:49:02 GMT

good to know!!

Re: Can the PAN device block HTTP Dos Attacks?

Retired Member — Fri, 21 Jun 2013 05:44:19 GMT

I think it's not exact for your case. HTTP: Apache DOS signature that triggered only 40 times in 60 second and only Apache related case. In my case I created a Custom Signature for HTTP post, CC that blocked in security rule while having BMT.

Re: Can the PAN device block HTTP Dos Attacks?

JTR — Fri, 21 Jun 2013 07:07:33 GMT

Dear My Lovely Roh..

Can you send me the custom signature information that you used for the BMT? :smileygrin:

Thanks ahead..

Re: Can the PAN device block HTTP Dos Attacks?

Retired Member — Thu, 27 Jun 2013 02:28:44 GMT

Hi hjlee.

You can make a custom signature easily using as below info

But It's not important thing in real world because 7.7 DDOS attack of Korea was not related certainly above and HTTP Get flooding and UDP flooding that made it.

Thanks.

Regards,

Roh

Re: Can the PAN device block HTTP Dos Attacks?

JTR — Fri, 28 Jun 2013 00:21:59 GMT

Thanks Roh,

I love You. :smileygrin:

Re: Can the PAN device block HTTP Dos Attacks?

rmonvon — Fri, 28 Jun 2013 14:07:20 GMT

FYI, if you want the threat signature to trigger by a threshold value (i.e 30 hits in 10 sec), you can use the signature type=combination and define its time attribute. Thanks.

Re: Can the PAN device block HTTP Dos Attacks?

JTR — Thu, 04 Jul 2013 02:52:38 GMT

CC Attack means Challenge Collapsar Response attack. In south Korea we call this 'Cache-control attack' .

To make combination signature we need basic signature.

This is my custom signature 41023 which block cache control message based on threshold value.

So far I couldn't find any signature for Challenge Collapsar.

So I made custom signature for this attack.

I used my custom signature 41111 to make custom signature 41023 (combination signature working on threshold value).

As you might know, the problem is signature 41111 work before 41023..

you guys have any solutions??

Regards

Re: Can the PAN device block HTTP Dos Attacks?

StevenYin — Fri, 29 Jul 2016 16:26:04 GMT

This is an old issue but we still don't have signature for CC right now. Actually you shoud set the action of 41111 to allow, then 41023 can be triggered when threshold been reached.