s26290
| Layer | Protocol |
|---|---|
| 7. Application | HTTP, DNS, FTP, SSH |
| 6. Presentation | |
| 5. Session | |
| 4. Transport | UDP, TCP |
| 3. Network | ICMP |
| 2. Data link | |
| 1. Physical | |
```
GET / HTTP/1.1
Host: localhost:8080
User-Agent: curl/8.5.0
Accept: */*
```

```
HEAD / HTTP/1.1
Host: localhost:8080
User-Agent: curl/8.5.0
Accept: */*
```

Network diagram
IF SRC_IP EQUALS 127.0.0.1 AND
USER_AGENT CONTAINS 'curl' AND
FILE_EXTENSION EQUALS 'JPEG'
THEN BLOCK
Signature-based threat detection
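
An added example (not part of the original slides): a minimal Python evaluator for the rule above, run against the `GET` request shown on the page and two constructed requests. The field extraction, the case-insensitive comparison and the names `Condition`, `extract_fields` and `decide` are assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit
import posixpath

@dataclass(frozen=True)
class Condition:
    field: str  # SRC_IP, USER_AGENT or FILE_EXTENSION
    op: str     # EQUALS or CONTAINS
    value: str

# The rule from the slide: every condition must hold for BLOCK to fire.
RULE = (
    Condition("SRC_IP", "EQUALS", "127.0.0.1"),
    Condition("USER_AGENT", "CONTAINS", "curl"),
    Condition("FILE_EXTENSION", "EQUALS", "JPEG"),
)

def extract_fields(src_ip, raw_request):
    """Turn a raw HTTP/1.1 request head into the fields the rule refers to."""
    lines = raw_request.replace("\r\n", "\n").split("\n")
    parts = lines[0].split(" ")
    target = parts[1] if len(parts) >= 2 else ""
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # a blank line ends the header section
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    # Take the extension from the path only, so a query string such as
    # "?f=a.jpeg" neither triggers nor hides the signature.
    ext = posixpath.splitext(urlsplit(target).path)[1].lstrip(".")
    return {"SRC_IP": src_ip,
            "USER_AGENT": headers.get("user-agent", ""),
            "FILE_EXTENSION": ext}

def matches(cond, fields):
    have, want = fields.get(cond.field, "").lower(), cond.value.lower()
    return have == want if cond.op == "EQUALS" else want in have

def decide(src_ip, raw_request, rule=RULE):
    fields = extract_fields(src_ip, raw_request)
    return "BLOCK" if all(matches(c, fields) for c in rule) else "ALLOW"

# The GET request from the page, then two constructed variants of it.
PAGE_GET = ("GET / HTTP/1.1\r\nHost: localhost:8080\r\n"
            "User-Agent: curl/8.5.0\r\nAccept: */*\r\n\r\n")
CONSTRUCTED_JPEG = PAGE_GET.replace("GET / ", "GET /img/cat.jpeg?size=1 ")
CONSTRUCTED_QUERY = PAGE_GET.replace("GET / ", "GET /index.html?f=a.jpeg ")
```

Because the signature compares the extension exactly, a request for `/img/cat.jpg` is allowed by this rule; covering such variants requires a separate condition.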

Offloading the server/link by serving static files
Routing of malicious traffic by the operator so that it does not reach the application
Building a tool that will make it possible to test, in an automated way
Four buttons and a choice of attack type

hosts.toml
```
[all]
192.168.42.1
192.168.42.2
```
playbook.yaml
```
---
- hosts: all
  tasks:
    - name: Install web server.
      apt:
        name: nginx
        state: present
```

Network traffic analysis tool

Web framework for Python

```
user@localhost$ tree
├── Containerfile
├── README.md
└── root
    ├── dashboards
    │   ├── dashboard01.json
    │   └── dashboard02.json
    ├── prometheus.yml
    ├── promtail.yaml
    ├── provisioning
    │   ├── dashboards
    │   │   └── node_exporter.yaml
    │   └── datasources
    │       ├── loki.yaml
    │       └── prometheus.yaml
    └── server
        ├── ansible.cfg
        ├── inventory
        │   └── inventory_aws_ec2.yml
        ├── main.py
        ├── playbooks
        │   ├── deploy.yaml
        │   ├── destroy.yaml
        │   └── templates
        │       └── node_exporter.service.j2
        ├── ssh_key.pem
        ├── static
        │   └── style.css
        └── templates
            └── index.html
```
```
user@localhost$ podman build -f Containerfile
--> 9820f7565a38
user@localhost$ podman run --rm -it \
    -p 127.0.0.1:3000:3000 \
    -p 127.0.0.1:5000:5000 \
    -p 127.0.0.1:9090:9090 \
    -e AWS_ACCESS_KEY_ID="XXX" \
    -e AWS_SECRET_ACCESS_KEY="XXX" 9820f7565a38
```
```
FROM docker.io/library/alpine:3.19.1

# Install packages
RUN \
  echo "**** install runtime packages ****" && \
  apk add --no-cache \
    ansible \
    jq \
    openssh \
    py3-flask \
    py3-boto3 \
    py3-botocore \
    grafana \
    loki \
    loki-promtail \
    prometheus && \
  ansible-galaxy collection install amazon.aws && \
  echo "**** cleanup ****" && \
  rm -rf \
    /tmp/*

# Copy local files
COPY root/ /

# Set path for grafana provisioning
ENV GF_PATHS_PROVISIONING="/provisioning"
#ENV GF_AUTH_ANONYMOUS_ENABLED="true"
#ENV GF_AUTH_ANONYMOUS_ORG_ROLE="Admin"
#ENV GF_AUTH_DISABLE_LOGIN_FORM="true"
ENV GF_PANELS_DISABLE_SANITIZE_HTML="true"

# Expose ports
EXPOSE 3000
EXPOSE 5000
EXPOSE 9090

# Command to run after launching image
CMD ["/bin/sh", "-c", "cd /server && flask --app main run --host 0.0.0.0 &> /var/log/flask.log & \
    cd / && prometheus &> /var/log/prometheus.log & \
    loki -config.file=/etc/loki/loki-local-config.yaml & \
    promtail -config.file=/promtail.yaml & \
    grafana-server --homepath='/usr/share/grafana' --config='/usr/share/grafana/conf/defaults.ini'"]
```




