>>Cool. So, hi DefCon. Um, I’m Redezem. Uh, don’t ask about the name, it involves an, eh, incident with a Caesar cypher and a preschool. Um, welcome to PEIMA DefCon edition where we’re going to talk about how to break denial of service attacks and, uh, do anomolated action on the cheap. Um, this is mostly a defense talk, so no cool exploits. Sorry. Um, but, uh, there is a lot we can play around with here and if you like hacking, this is probably for you. Alright, so who am I? My real name is Stefan. I am, uh, by most accounts a PhD student. I live in the beach and sunshiney wastes of Perth, Western Australia which is about 28 hours worth of flying time from here. Um, the bonus is that the weather is basically the same over there in summer so I mean, the heat’s been kind of meh. Um, now I’m a network kind of guy. I love my networks and network security. I work in research with Curtin University. That’s the first logo in case you were confused. Um, I also work with a company called ES2 which lets me do my hacking stuff. They’re the second logo. They’re some great guys. If you’re in the Perth region, call them up. They’re lots of fun to hang with. Uh, cool. So what are we talking about today? We’re talking about how you can use power laws to protect your stuff basically. Um, in short this is anomaly detection without any sort of AI whatsoever. >>Woo! >>Um, it’s pretty great. So, um, we’re going to have a look at what they are. How they work. What I’ve been using them for, which is denial of service detect- um, defense. Uh, and, uh, we’re going to look at what the research shows is possible and consequentially where your hacking efforts would be really, really useful and probably get you some serious cred. Um, and then I’ll release a neat tool to get you on your way and a demo that can show you what you can actually do with it if you work with it. So power laws, or most honestly, power law probability distributions, which is a mouthful so nobody’s got time for that.
Um, basically there are natural processes out there in nature. Earthquakes, light from stars, mutation in DNA, y’know, language, that sort of thing. Um, the things that are descriptive of these things tend to follow these things called power law distributions which is the second graph over there. Uh, there kind- there are a couple of popular ones. The well known, relatively speaking, uh, Vsauce did a great video on Zipf’s Law that you should totally watch if you’re interested in this sort of thing. Um, but yes. So Zipf’s Law basically says if you’ve got, ‘cause language is a natural process, if you take a book and count all of the words in the book, the second most popular word will appear about half as much as the first most, and the third most popular word appears about a third as much as the first most, and so on and so forth. And it’s really weird because it works in every single language, in every single book, period. Which is bizarre. We have no idea why. Um, this also works for financial transactions. You can use this, uh, to detect fraud because funnily enough, when something should be following a power law and isn’t, something’s wrong and it’s very, very sensitive to that. So banks have been using this for ages and we’ve only started using this in, um, network security in the last year. So what does that mean for us? Well basically network traffic is somehow natural, which means that Skynet is real, the singularity is here, uh, Elon Musk was right, and we’re all gonna die. Seriously though, um, it just means we can apply power laws to it to do anomaly detection without any sort of AI to it because what we do know is, under normal circumstances, it should follow one of these power laws. Things should follow a power law in network detection and if they don’t, we already know that something is wrong. Cool.
The neat bit about this for pat- for denial of service attacks is, thanks to the nature of denial of service attacks wanting to, or specifically flood based denial of service attacks, wanting to overwhelm the network, you can’t actually do one without breaking a power law, so I will know you’re doing it. Cool, so, um, basically we don’t have to teach a computer what normal is anymore so no AI. Great stuff. Uh, the cool one is Benford’s Law which you hard code because it never changes. Uh, basically if you have a number that’s long enough, say the amount of time in milliseconds between any two packets arriving on a system, um, we know that the probability that the first digit is one is about thirty percent. We actually know what the probability for all digits in that number being any given number is, which is great and conveniently the whole thing never changes so you can just hard code it and away you go. What could we do with that? Well, I’ve been beating denial of service with it for the last six months. Um, basically flood based denial of service attacks. Amplification attacks are particularly good. Uh, y'know, the sort of things that the internet of things, uh, is likely to cause more of as more of these ridiculously insecure devices enter the internet. So, um, basically in this graph here you can see ten separate denial of service attacks. One after the other. It’s actually on a network where we’ve got a bunch of gamers playing Unreal Tournament 99 and someone’s trying to stop them from winning because, y'know, we like blasts from the past and whatnot. Um, so the higher that number, so the higher that line goes, the worse its error from Benford’s Law is and you can easily see when your denial of service happens. This is a single machine. You throw in more machines in there, you make it a larger attack, it becomes more ridiculous. Uh, it’s practically instantaneous too.
Uh, each data point in that graph represents about a- a thousand packets, a window about a thousand packets in length which takes, y'know, a couple milliseconds to appear. So we know about an attack starting and stopping within milliseconds of it happening. Uh, and I’ve seen it work in real time in gigabit scenarios and it’s likely it’s capable of going even faster so you can do some really cool stuff with this. Uh, again it detects this without any training whatsoever. I didn’t have to train anything, I just said “when the number is greater than zero point five, tell me a denial of service attack is happening” and it’s pretty much always accurate. So how do we do it? Well, it’s really, really cheap. We get ourselves a tcpdump, so really complex piece of software. Uh, we get it to dump in -nn so you just want to get the headers and none of that cool, y’know, resolving thing. We extract features, namely the length and what their timestamp is. Uh, we check how well those features fit power laws by our goodness of fit function. Uh, if you want to investigate more of these please look at the code in the dem- in the demo I’m gonna be- uh, in the tool I’m gonna be releasing. Uh, you print out the result to a CSV and throw an alarm or something. And, I mean, this works with any subset of traffic data so you can actually narrow this down by excluding- excluding the people you know are good until eventually you figure out exactly who the people are that are, y’know, denial of servicing you and you can probably, like, change your iptables at that point to drop their packets. So what can you do? Well, unless you're a really big company this probably won’t save your network because if someone wants to, uh, distribute a denial of service attack, y’know, we saw with Krebs, uh, 600 gigabits a second - I’m not entirely sure your router can deal with that. Um, but what you can do is you can look for attacks and you can tell where they’re coming from.
So you can report to your ISP and say “Hey. I’m being denial of serviced by these people” and that makes their life a lot easier. Um, you can actually invert this too and look at your own network. So you can turn around and say “hey, my laptop is sending out a denial of service attack. Who the heck has owned my laptop?” Um, which is great because that probably means you’re part of a botnet and you want to go ahead and flash that thing. Alright, so what else can you do? Well, research. We can see that, um, you can actually see more than just denial of service because obviously that’s not the only disturbance on a network. You can see some attacks. Now the attacks we have seen so far are nmap and some, uh, buffer overload style attacks specifically for NGINX. You can see them happening but that’s because I'm not doing anything smart with my detection. I’m literally drawing a line and saying “if it’s above that, there’s something wrong.” Um, you can actually probably train something to figure out the shapes of each of these attacks because each spike looks slightly different. That one there is an nmap port scan, um, so not using the, uh, nmap scripting engine. So um, yeah, you can tell that trained thing to make decisions for you and yeah, it’s- it’s- it’s pretty cool. We don’t know exactly what the limit of the threats is that you can detect and pretty much anything that happens will change how your network works and power laws are really good at picking up that. So, um, some disturbances aren’t attacks. Uh, power laws are really good at telling when that underlying process that’s creating your traffic changes. Uh, in this graph, uh, here there’s actually some kind of anomaly. Sure, there’s some spikes there but the one we’re actually looking at here is the big bump in the middle of it. That’s actually when everyone starts logging in at 6 AM in the morning.
We can actually tell when people start logging in just by looking at the Benford’s Law compliance of the data. It’s pretty cool. So basically if you see a change that isn’t regular and doesn’t match with any of your activities, you might see someone doing something to your network, doing something to one of your computers, or something is broken. And that’s pretty helpful too I guess. However, that’s not the only thing we can look for changes in. We can look for changes in your user. You see, uh, humans are pretty natural, right? Y'know, language is natural. Finances are natural. They’re both done by humans. Well, turns out users interacting with keyboards is also pretty natural in terms of process. Um, we’ve actually seen in research that you could turn around and take the time between each, well, between each key press you make and that actually conforms with Zipf’s Law, y’know, the law that actually, y'know, language conforms with. So, um, whenever you actually change user, the error slightly changes. If you, instead of looking at how well it conforms with Benford’s Law, you look at the difference between the actual law itself and what you do. So, what the errors are individually, and you save that as a profile. Whenever you're using the computer you’ll be around about that profile, and whenever someone else uses your computer, they’ll be completely different and you can immediately tell that someone is- is using your computer and you didn’t ask them to. So, keyboards are great and all but that’s not the only thing you can do because it’s entirely based on human interaction; you can probably extend this to all sorts of stuff. Command usage, network usage for that user, et cetera, et cetera. So when your computer determines that something is up here you can turn around and tell it to start doing stuff. You can say “oh, I’d better start a keylogger, or start sandboxing things, denying access to things.” Whatever. Be creative.
Speaking of being creative, we have no idea where this goes. This has been looked into for the last six months by research teams who are notoriously slow. So hacking input is great and that’s what I’ve been doing with the denial of service thing and that’s pretty much the furthest we’ve gotten. So the tool I’m handing out today is basically a “here’s basically where I’m up to.” This is how you can do some power law analysis. Start putting stuff in and see what you get. It’s everywhere. There’s a lot of stuff this can be applied to. We don’t even know the limits of the network detection capacity. And we think we can apply it to pretty much anything that has to do with a computer. So, this might be really, really cool if you’re an engineer wanting to play around with something. And it’s basically really fast and simple to play around with anyways, so why not? So now the tool. So bear with me here. Oh. Whoa. No. [laughter and noises from audience] Come back screen! [laughter] Hey, AV guys. I can’t do a demo when, uh, the screen’s blank. Can you help, please? Please? Well, while that’s happening I’ll set this up so we’ll just jump straight into it, right? I think that- I think that’s fair enough. >>Can you answer questions for a second? >>Yeah, sure. Sure. Um. >>So if I’m looking at data that doesn’t- isn’t really natural is this still, like, maybe an interesting metric to look at? >>Oh, yeah, sure. No. ‘Cause the human data right? With keyboard stuff. Um, question being, y'know, is this a good thing to look at with stuff that isn’t natural? Uh, human keyboard data. They figured out you can actually do profiling just based on the, um, the Benford’s Law. Which doesn’t conform with keyboards at all, right? So it’s completely erroneous, but the profile of error from the user was actually able to be used as a profile just as well as the Zipf’s Law stuff. So, even if something isn’t natural, yeah, there are things you can do with this.
It’s- it’s really, really good at telling when something has been changed. So. >>We lost your signal. >>Oh really? Well, that’s odd. It’s plugged in. >>[inaudible off mic from AV team] >>Well. Unplug, and we’ll plug it back in. >>[inaudible off mic from AV team] >>No. No. Same operating system. >>Second question. >>Yup. >>[inaudible question from audience] >>Taken out themselves? >>[more inaudible from audience] >>They probably... >>Repeat the question! >>Sorry! Um, has- is there a- is there a history of banks being taken offline for four or five hours by denial of service attacks? Maybe? I’m not exactly sure. I’m pretty sure that’s happened before. >>[inaudible off mic] >>Oh, well there you go. [laughter] I mean, you know. I mean, you know. Like, the important thing here is that, um, y'know distributed denial of service attacks, specifically ones that you would expect from, um, your, uh, your internet of things devices are going to get, like, significantly more common over the next ten to twenty years. >>Sorry, we’re just resetting. >>Yup. >>So what’s the on the overhead on running these calculations? Obviously, you said you can handle a lot of data really fast, but if you wanted to say, look at particular IP addresses inside the network to determine who’s actually sending the denial of service out… >>Yup. >>Like, what’s the O of N? >>Okay, so what’s the O of N on the actual, uh, detections... I am pretty sure it’s O N squared. So it’s not- it’s not slow, like super slow, but it’s not ultra, ultra fast. I mean, that’s mostly due to my tool being pretty d**n slow. You can probably make this a lot faster. I mean, I’ve written the tool in basically Python so. >>Perfect. >>Python 2 rules. Screw Python 3. [laughter] >>Another question. >>Yes. >>[inaudible off mic question] >>Showing drops in traffic. Oh. >>[off mic question continues] >>Different… Yeah, yeah, yeah. >>[inaudible off mic] >>No, it wasn’t on the presentation. >>Can you pull your presentation back up? 
>>Oh, sure. Sure, sure, sure. Okay, so if I put this back up. >>For some reason it doesn’t like this. >>Okay, so we can do the presentation bit but we can’t do the… okay, cool. Alright, let’s see. Uh, duplicate. Ah, thank God for that. Thank you guys. The AV team everyone! [applause] Alright, alright. So, the demo right? Uh, it’s sitting on Bitbucket because I’m a terrible person and I like Mercurial. Um, cool. The address is on the slides, y'know, take a shot when I switch back to the, um, to the slides. But basically, uh, y'know, here we’ve got, uh, your typical, y’know, nmap output. Um, you cat that into the preprocessor. It’ll strip out, uh, timestamps, uh, IP addresses, ports from and to, and a bunch of links and the IP flags. So if you’re interested in that sort of thing. Y’know. Obviously these aren’t all used for my, um, for the analysis and the tool itself but they basically give you some really, really quick extensibility options. Um, and if you then pipe that to the power, uh, law processor and give it say Benford’s full enter arrival time, y’know, with a nice little CSV of all of the, uh, goodness of fit values and their timestamps which if you then run against, uh, so we’ve got- we’ve got, uh, one that I’ve prepared earlier because, y'know, that’s- that’s nice of me. Um. Uh. Yup. Um, if you then go Python plot code plot, uh, output... dun duh duh dun duh duh duh. If we pop over to here. Hey. Presto! You can see when a denial of service attack is happening. Of course that’s me being human and looking but again if you draw a line above point zero five you’d be going “Hey. Something’s gone wrong” as a program. Um, so. Duh duh duh duh duh duh duh. Take a shot of, oh, shoot. That’s not what I wanted. D**n you Microsoft! Alright, cool. So there you go. Um, right there. Grab a shot of that. Whoa. Oh no. It ju-ju-just. It just crashed. Alright, alright, alright. Can you get- did everyone get that? [laughter] Okay, okay, okay. Okay.
Let’s- let’s try that again. Please Microsoft. Hey. I’m not- I’m not going to click it. Just, just take a shot, alright? Um, my email will be at the end slide, y'know, take a- take a shot of that too. Okay, so last things last. Last thing to do. Magic trick. We’re going to do some Unreal Tournament denial of service direct in line mitigation without knowing anything about the attacker. Um. We cool doing that or? >>You got one minute. >>Okay cool. One minute. Um, cool so. We got the server with a- with a, um, user in a server. We got a user. We got, um, Kali. I will jump to the fun part of this because I do not have much time. Thank you AV screwy things. Alright, cool. Okay, so here we got the guy up top here. This is the server. We’ve got- Oh s**t. It’s gone and done that thing where it’s, uh, stopped extending. Alright. Alright, alright, alright. Cool. There we go. Can we see it now? Alright, alright, alright. This guy is the server. This guy is the player. This guy is our really nice secret project, uh, filter in the middle and the gateway and this is Kali. If I jump ahead, uh, if I jump ahead here. Uh, we can see I’m doing hping to launch an attack. Alright. Uh, the filter detects it. Uh, wait for it. Alright, so the filter’s detected it and it’s currently actively mitigating the attack. It is looking at individual packets and determining whether or not they are denial of service packets. It is not determining whether or not the, uh, machine that is attacking it is actually a bad guy. As you can see, there’s no lag. If I jump a bit forward I can actu- I’ve actually turned it off. Uh, here we go. And as you can see, the, uh, player can no longer play. There’s a big jump in traffic on the server. Uh, if we jump over to here. Yeah. You can see up the top there that we are now seriously lagging because again there actually is a denial of service attack on. So that’s without the filter. And if we jump forward again, um, and we switch it back on. There you go.
Um, so you can see that the, uh, the traffic has dropped again. The thing can detect an attack. It is currently mitigating. And yeah. There’s no- there’s no lag. So we’ve successfully used this to directly inline mitigate a denial of service attack. So that is it. Thank you very much. [applause]
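The Benford's Law pipeline the talk describes (packet timestamps in, inter-arrival times per window, a goodness-of-fit error per window, alarm above a threshold), as an added example that is not the speaker's PEIMA tool. The goodness-of-fit measure (summed absolute deviation of first-digit frequencies from Benford's law) and the constructed capture are assumptions; the talk does not specify its function.

```python
"""Benford's Law check over packet inter-arrival times, window by window (added example)."""
import math
from collections import Counter

# Benford's Law: P(first digit = d) = log10(1 + 1/d). It never changes, so it is hard-coded.
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def first_digit(x):
    """Leading non-zero digit of a positive number; scientific notation makes this exact."""
    return int(f"{x:.12e}"[0])


def benford_error(values):
    """Assumed goodness-of-fit: summed absolute deviation of the observed first-digit
    frequencies from Benford's law. 0.0 is a perfect fit; one repeated digit scores ~1.65."""
    digits = [first_digit(v) for v in values if v > 0]
    if not digits:
        return None
    counts, n = Counter(digits), len(digits)
    return sum(abs(counts[d] / n - BENFORD[d]) for d in range(1, 10))


def inter_arrival_ms(timestamps_s):
    """Consecutive timestamp differences in milliseconds, rounded to tcpdump's
    microsecond resolution so float noise cannot shift a leading digit."""
    return [round((b - a) * 1000.0, 3) for a, b in zip(timestamps_s, timestamps_s[1:])]


def windowed_errors(timestamps_s, window=1000):
    """One Benford error per window of `window` packets (the talk's data points)."""
    gaps = inter_arrival_ms(timestamps_s)
    return [benford_error(gaps[i:i + window]) for i in range(0, len(gaps), window)]


def constructed_capture():
    """Constructed timestamps (seconds, as tcpdump reports them): 1000 'normal' gaps
    spread log-uniformly over 1-1000 ms (a Benford-compliant shape), then a 1000-packet
    flood arriving at a fixed 0.2 ms gap, then normal traffic again."""
    normal = [10 ** (3 * k / 1000) / 1000.0 for k in range(1000)]
    flood = [0.0002] * 1000
    t, timestamps = 0.0, [0.0]
    for g in normal + flood + normal:
        t += g
        timestamps.append(t)
    return timestamps


if __name__ == "__main__":
    # Threshold of 0.5 as the talk uses; the flood window alone should trip it.
    for i, err in enumerate(windowed_errors(constructed_capture())):
        print(f"window {i}: benford error {err:.3f} {'DoS?' if err > 0.5 else 'ok'}")
```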