DENYING SERVICE TO DDOS PROTECTION SERVICES

Black Hat USA 2013

Presented by: Allison Nixon
Date: Wednesday July 31, 2013
Time: 11:45 - 12:15
Location: Palace 2

In this age of cheap and easy DDOS attacks, DDOS protection services promise to go between your server and the Internet to protect you from attackers. Cloud based DDOS protection suffers from several fundamental flaws that will be demonstrated in this talk. This was originally discovered in the process of investigating malicious websites protected by Cloudflare- but the issue also affects a number of other cloud based services including other cloud based anti-DDOS and WAF providers. We have developed a tool – called No Cloud Allowed – that will exploit this new cloud security bypass method and unmask a properly configured DDOS protected website. This talk will also discuss other unmasking methods and provide you with an arsenal to audit your cloud based DDOS or WAF protection.

Allison Nixon

Allison Nixon does penetration testing and incident response at Integralis, either assisting companies in post-compromise situation, or compromising them. She gained an interest in security by cheating at video games, but quickly learned that the only way to make real gold is to work for a real company. She is intensely interested in all facets of security and continues to perform security research spanning any and all topics. Allison is a regular host on the Pauldotcom podcast, has spoken at B-Sides Boston 2013, local OWASP meetings, and sits on the executive board of MalShare. She also designed the electronics and software for the laser maze at the 2012 Braintank conference.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats