DEFCON 20 (2012)

DEFCON 19 (2011)

Three Generations of DoS Attacks (with Audience Participation, as Victims)


Denial-of-service (DoS) attacks are very common. They are used for extortion, political protest, revenge, or just LULz. Most of them use old, inefficient methods like UDP Floods, which require thousands of attackers to bring down a Web server. The newer Layer 7 attacks like Slowloris and Rudy are more powerful, and can stop a Web server from a single attacker with incomplete Http requests. The newest and most powerful attack uses IPv6 multicasts, and can bring down all the Windows machines on an entire network from a single attacker.

I will explain and demonstrate these tools: Low Orbit Ion Cannon, OWASP Http DoS Tool, and flood_router6 from the thc-ipv6 attack suite. This deadly IPv6 Router Advertisement Flood attack is a zero-day attack--Microsoft has known about it since June 2010 but has not patched it yet (as of May 4, 2011).

Audience Participation: Bring a device to test for vulnerability to the Router Advertisement Flood! Some cell phones and game consoles have been reported to be vulnerable--let's find out! If your device crashes, please come to the Q&A room so we can video-record it and arrange disclosure to the vendor.

Sam Bowne has been teaching computer networking and security classes at CCSF since 2000. He has given talks at DEFCON, Toorcon and BayThreat, and taught classes and seminars at many other schools and teaching conferences.

Sam has a B.S. in Physics from Edinboro University of Pennsylvania and a Ph.D. in Physics from University of Illinois, Urbana-Champaign. His Industry Certifications are: Associate of (ISC)^2, Certified Ethical Hacker, Microsoft: MCP, MCDST, MCTS: Vista; Network+, Security+, Hurricane Electric IPv6 Guru, CCENT.

Twitter: @sambowne


Windows 7 DoS with IPv6 Router Advertisements

"Layer 7 Attacks and Defenses" video, from the LayerOne conference, May 28, 2011

DEFCON 18 (2010)

Who Cares About IPv6?

(Click image for video)


What is IPv6? Why should you care? If we ignore it, will it just go away?

The current Internet Protocol numbering scheme, IPv4, is nearing its end-of-life. Within two years, all the IPv4 numbers will be allocated, so that new devices will not be able to connect directly to the Internet. We all will be forced to adapt to the new IPv6 system soon. But how can we get started?

This talk explains why IPv6 is necessary, how it works, and how everyone can quickly and easily start using it now. I will explain and demonstrate how to set up a free tunnel to access the Internet via IPv6.

I will also explain the Hurricane Electric IPv6 certifications. The certifications are great because they guide a novice through the stages of IPv6 knowledge: connecting as a client, setting up an IPv6-enabled Web server, email server, DNS server, and glue records.

There are large security implications to IPv6 too. I will explain several important IPv6 vulnerabilities and countermeasures, including auto-configuration privacy risks, torrents over IPv6, bypassing VPNs with IPv6, Routing Header Zero packet amplification attacks, and the ping-pong IPv6 DoS vulnerability.

My goal is to convince the audience to pay attention to IPv6 and to guide them to an easy way to start learning about it and using it now. All my students at City College San Francisco will have IPv6 homework from now on--you need to get on board now or be left behind!

PowerPoint Slides


Defcon-talk-1: crowded-train.jpg
Defcon-talk 2: Essential Next Steps in the US Government Transition to Internet Protocol version 6 (IPv6) (pdf)
Defcon-talk 3: IPv4 Address Report
Defcon-talk 4: DoD IPv6 Timeline
Defcon-talk 5: gogo6 | IPv6 products, community and services
Defcon-talk 6: SixXS - IPv6 Deployment & Tunnel Broker
Defcon-talk 7: Hurricane Electric Free IPv6 Tunnel Broker
Defcon-talk 8: Scanning on IPv6 with THC-IPv6
Defcon-talk 9: utorrent app now supports IPv6/teredo directly
Decfon-talk 10: Routing Header Zero Packet Amplification Vulnerability
Defcon-talk 11: The ping-pong phenomenon with p2p links
Defcon-talk 12: Hurricane Electric Free IPv6 Certification

Exploiting the LNK Vulnerability with Metasploit

(link fixed on 9-10)

DEFCON 17 (2009) Materials

Hijacking Web 2.0 Sites with SSLstrip and Slowloris--Hands-on Training

defcon-2009-bowne-and-hansen (204K)

sslstrip PowerPoint    Slowloris PDF    SSLstrip Instructions    Wall of Stripped Sheep    Slowloris Instructions

Hijacking Web 2.0 Sites with SSLstrip and Slowloris

Sam Bowne Instructor, City College San Francisco, Computer Networking and Information Technology Department

Many Websites mix secure and insecure content on the same page, like Facebook. This makes it possible to steal all the data entered on such a page easily, using Moxie Marlinspike's SSLstrip tool. I will explain and demonstrate this attack.

Slowloris is a very new layer 7 denial-of-service attack created by RSnake that stops Apache web servers completely with very low bandwidth--one packet every 2 seconds. The Apache developers were notified of this vulnerability and decided it was unimportant and not worth patching. I will explain and demonstrate this attack, and discuss various ways to protect your Apache servers.

I will provide complete instructions so that anyone can easily set up both these attacks on their own machines.

DEFCON 15 (2007) Materials

Teaching Hacking at College

defcon-2007-bowne (109K)

Last modified: 8-12-13