
"A hacker’s view of DoS attacks" by David Robinson, BSides Canberra 2023

BSides Canberra · 2023 · 43:02 · 376 views · Published 2023-10
Category: Technical
Style: Talk
About this talk
This talk will go over the ways a hacker conducts reconnaissance against an organisation to select targets best suited for a DoS attack. Following that, we will provide methods for defending your organisation and web applications. DoS attacks are a topic at the front of a lot of people's minds at the moment. This talk will examine how a hacker selects targets within an organisation with a goal of causing the greatest business disruption. Attackers can find juicy targets in more ways than you would initially think. A range of discovery techniques will be presented. People watching this talk will not be left hanging, as it will finish with how you can protect your assets from DoS attacks (spoiler: a CDN, WAF or DoS scrubbing are not magical cures on their own).

Speaker: David Robinson. Dave/Karit, in his time working in various parts of the IT industry, has developed a skillset that encompasses various disciplines in the information security domain. Dave currently works as a Penetration Tester at ZX Security in Wellington and runs Kākācon. Since joining ZX Security Dave has presented at DefCon, Kiwicon, Aerospace Village @ DefCon, BSidesCBR, ChCon, Unrestcon and at numerous local meetups, along with running training at Kiwicon, Syscan, CrikeyCon, ChCon and TuskCon. He also has a keen interest in aerospace, lock-picking and all things wireless.
Transcript [en]

So let's start the next talk, so grab your seat. Let's start the next talk: we have David Robinson, who will be talking about a hacker's view on DoS attacks. So let's welcome David to the

stage. Cool. Hello everyone, I'm Dave, or Karit. I'm a hacker over at ZX Security in Wellington. I've talked at BSides Canberra before, back at number two, and helped run Kākācon and done a bit of Kiwicon as well. So let's look at what we're going to look at today. We're going to go over what a denial of service attack is, why people are going to want to perform denial of service attacks, what they're going to target inside your organisations, how they're going to go about actually identifying these targets, and then we're going to look at how you can protect your systems and maybe prioritise and put together a little ordering of tasks into a plan if

you have to go back to work on Monday and actually think about some of this stuff. So just up front we'll get over some terminology. A denial of service attack is a class of vulnerabilities where it stops users being able to use a system as intended. I'm going to use 'origin server' a lot: when I say origin server I mean the actual application server that's running a web application, something that's generally protected behind, say, a content distribution network or CDN. When I say CDN, it's something that caches data near the users; it might have some web protections, some denial of service protections, and that's going to be your

Cloudflare, your CloudFront, your Akamai, that type of thing. DoS versus distributed denial of service: DoS is the overall class of vulnerability, and a distributed denial of service attack, or DDoS, is a specific subset of DoS attacks where many nodes, AKA a botnet, are used to send the data or actually do the attack, hence it being distributed. So what is a denial of service attack? As I said, it's when an attacker performs actions that make a system unavailable to users. These fall into two main categories: volumetric and layer 7 protocol attacks. Volumetric is a bit like a traffic jam: you just send more traffic, more data, than the infrastructure can handle, it all clogs up, nothing actually

happens. And it's not necessarily always inbound traffic. We had an example where we were doing some DoS work with a customer a little while ago and it was actually the outbound we managed to saturate rather than the inbound. In this case they had a content distribution network in front of their system, but they had this big image, over a megabyte. If we just requested the image on its own it was fine, that was being cached, but if we added a GET parameter, so a question mark and then some random string as a random GET parameter, the CDN was going 'hey, I haven't seen this before, I'd better go and ask the origin server' and get the copy of

the image and pass that on. So what actually happened is we flooded the outbound pipe from the origin server out to the internet with these large images, because the GET requests going in can be quite small and the responses coming out were over a megabyte, so we actually really clogged things up that way. Layer 7 protocol attacks: this is when we exploit a weakness in the infrastructure or the application. These can be quite attractive to attackers because they're going to be low input for a high impact; for instance, one request ties up resources that stop other requests happening. And these are quite hard to block because they're going to look like

legitimate traffic, so it's going to be hard to filter out with DoS scrubbing or other buzzwords, because it's going to look like normal users using the system as intended. If you've ever had a performance test report, you may see 'hey, we found this couple of slow pages, it doesn't really matter, users don't really use these pages, don't worry about it, it's got an expensive database query, it's most probably not worth doing anything about'. From a performance testing perspective and a user perspective, that most probably makes sense, but as an attacker I'm going to see that and go 'yep, that's what I want to hit over and over and over again.'
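The 'slow page nobody uses' point above is one a defender can check from ordinary access logs, because a layer 7 attack on such a page looks like legitimate requests and only stands out when you weight requests by the server time they cost. The following is an added example, not code from the talk or from ZX Security: it parses constructed nginx-style log lines that carry the request time as a final field, strips query strings so cache-busting variants count as one endpoint, and ranks paths by their share of server time and the number of distinct clients producing it. The log format, the sample lines and the thresholds are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample log (nginx combined format plus $request_time in seconds as the
# last field). Twelve cheap requests from many clients and three expensive report
# exports from a single client.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Oct/2023:10:00:01 +1100] "GET / HTTP/1.1" 200 5120 0.012
203.0.113.6 - - [12/Oct/2023:10:00:01 +1100] "GET /about HTTP/1.1" 200 4096 0.010
203.0.113.7 - - [12/Oct/2023:10:00:02 +1100] "GET /products HTTP/1.1" 200 8192 0.030
203.0.113.5 - - [12/Oct/2023:10:00:02 +1100] "GET /products?page=2 HTTP/1.1" 200 8192 0.030
203.0.113.8 - - [12/Oct/2023:10:00:03 +1100] "GET / HTTP/1.1" 200 5120 0.012
203.0.113.9 - - [12/Oct/2023:10:00:03 +1100] "GET /about HTTP/1.1" 200 4096 0.010
198.51.100.9 - - [12/Oct/2023:10:00:04 +1100] "GET /reports/export?year=2019 HTTP/1.1" 200 90112 4.800
203.0.113.10 - - [12/Oct/2023:10:00:04 +1100] "GET /products HTTP/1.1" 200 8192 0.030
203.0.113.11 - - [12/Oct/2023:10:00:05 +1100] "GET /contact HTTP/1.1" 200 2048 0.008
198.51.100.9 - - [12/Oct/2023:10:00:05 +1100] "GET /reports/export?year=2018 HTTP/1.1" 200 90112 4.900
203.0.113.12 - - [12/Oct/2023:10:00:06 +1100] "GET / HTTP/1.1" 200 5120 0.012
203.0.113.13 - - [12/Oct/2023:10:00:06 +1100] "GET /products?page=3 HTTP/1.1" 200 8192 0.030
198.51.100.9 - - [12/Oct/2023:10:00:07 +1100] "GET /reports/export?year=2017 HTTP/1.1" 200 90112 5.100
203.0.113.14 - - [12/Oct/2023:10:00:07 +1100] "GET /about HTTP/1.1" 200 4096 0.010
203.0.113.15 - - [12/Oct/2023:10:00:08 +1100] "GET / HTTP/1.1" 200 5120 0.012
"""

# client - - [timestamp] "METHOD target PROTOCOL" status bytes request_time
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<rtime>\d+(?:\.\d+)?)\s*$'
)


def parse_line(line):
    """Return (client_ip, path, request_time) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Strip the query string so /reports/export?year=2019 and ?year=2018 are one endpoint.
    path = m.group("target").split("?", 1)[0]
    return m.group("ip"), path, float(m.group("rtime"))


def summarize(log_text):
    """Per-path request count, distinct clients and total server time."""
    stats = defaultdict(lambda: {"requests": 0, "clients": set(), "server_time": 0.0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, rtime = parsed
        entry = stats[path]
        entry["requests"] += 1
        entry["clients"].add(ip)
        entry["server_time"] += rtime
    return dict(stats)


def rank_by_cost(log_text):
    """Paths ordered by share of total server time: (path, share, requests, clients)."""
    stats = summarize(log_text)
    total = sum(e["server_time"] for e in stats.values()) or 1.0
    rows = [(p, e["server_time"] / total, e["requests"], len(e["clients"]))
            for p, e in stats.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def flag_hot_endpoints(log_text, min_time_share=0.5, max_clients=3):
    """Paths that soak up most of the server time while coming from only a few
    clients: the expensive page being hit over and over on purpose."""
    return [p for p, share, _, clients in rank_by_cost(log_text)
            if share >= min_time_share and clients <= max_clients]


if __name__ == "__main__":
    for path, share, reqs, clients in rank_by_cost(SAMPLE_LOG):
        print(f"{path:<20} {share:6.1%} of server time  {reqs:3d} requests  {clients:2d} clients")
    print("hot endpoints:", flag_hot_endpoints(SAMPLE_LOG))
```

In the constructed sample the export endpoint is 3 of 15 requests, which a request-count report would shrug at, yet it accounts for about 99% of server time and comes from a single address; that is the endpoint to put behind a login, a CAPTCHA or an edge rate limit, and the ratio to alert on.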

Because that's chewing up CPU or RAM resources or something, so it's going to be a good attack, potentially. And these can also take the form of crashes and infinite loops. We have zip bombs, which is a large file that compresses down really small, so when some antivirus extracts it, say in your mail gateway or your file upload, it consumes all the disk or consumes all the RAM, because this zip file of hundreds of kilobytes suddenly becomes gigabytes or terabytes of data. Similarly there's the billion laughs recursive XML attack; a lot of frameworks now block it, but hey, we still find it from time to time. So that little snippet of XML we've

got there will expand out to be about 3 GB once all the recursion has been followed through. So which one are attackers going to use, volumetric or layer 7? In a large attack they're most probably going to use both, because their attack has got a limited number of bots in their botnet, most likely, so they want to get their best value for money: they want the most impact on the target with the least amount of resources on their behalf, because they can make more money, if that's what they're doing, if they can attack more different targets. So why would people perform a denial of service attack? You've sort of got to start thinking

about the motives: the people attacking are going to have particular motives. If it's the ransom or blackmail type, this is the one where you might get an email saying 'hey, if you don't pay us so many Bitcoins by Wednesday we're going to perform a denial of service attack against you'. In this case it indicates there is a business behind this: they've got monthly KPIs to achieve, they've got to bring in so many Bitcoins, they've got to attack so many targets, they've got boards of directors and shareholders wanting dividends out of all the attacks they're performing. So it's a business, it's full capitalism. Another thing: a group may just

dislike your organisation. For instance, if you're a mining organisation, chances are there are some environmental groups who dislike what you're doing, so they're going to attack you because they just dislike you. And it can also be distraction: if I'm an attacker and I want to actually exfiltrate some data or do a privilege escalation, and I want to get the security team looking somewhere else, I might launch a denial of service attack because it's noisy, it's obvious, it's going to get the security team focused on the denial of service attack while I perform some other attacks in the organisation. Back in August 2020 the New Zealand Stock Exchange, NZX, had a long series of denial of service

attacks which went on for a few weeks. This was one of the blackmail type ones; there was a threat saying 'hey, pass over some Bitcoin or we'll keep DoSing you'. Because the market was shut down there was a lot of media coverage about it, and they sort of ended up in a bit of a catch-22, because NZX said 'we're not going to pay the ransom', and normally the ransom companies, if you don't pay after a week or a couple of weeks, are going to move on somewhere else because they're not going to make any money. But because this was getting so much media coverage they had to keep on attacking, because otherwise they'd lose their

credibility, and their threats would lose their weight if people knew 'oh, they'll just give up after a week, don't need to worry about it'. That ransom crew had to make sure that they kept going, so they could point at all the endless media coverage and the long ongoing denial of service attack as a badge of honour, as a certificate to say 'hey, we actually know how to DoS, you'd better pay us money'. So how do you go about performing a denial of service attack? Volumetric: you're most probably going to need some sort of botnet to send all the data. There's lots of cheap devices, IP modems, routers, on the internet with default

creds. You can have them send traffic: ICMP, UDP, TCP, HTTP. UDP can become quite interesting because it's reflective and it's also amplification. What I mean by that: reflective is because UDP doesn't have a handshake like TCP, so you could spoof the source address. In this example we've got the botnet doing a DNS lookup; instead of giving the source address of the botnet, it says the source address is the target, so when the DNS server responds it responds to the target as opposed to the botnet. That's reflection. And then the botnet is going to be scaled out; it's going to do requests on a whole range of domains,

there'll be a whole range of DNS servers in the middle, and then there's the target. Additionally there's amplification: a simple DNS lookup might be small, 20-odd bytes, and the responses can be up to 512 bytes, so if you find the right responses you can get like a 20 times amplification. If you've got one megabyte leaving your botnet you've actually got 20 megabytes hitting the target. And this can also be quite dangerous even if you're that reflective target in the middle. We had a customer a few years back who left an MS SQL port open to the internet, and this port was used in a reflective attack, and just over a weekend they received a multi-

thousand dollar Azure bill, and they weren't even the target of the attack, they just happened to be an innocent bystander; they were just relaying as part of this attack. Luckily they talked to Microsoft, who wrote the bill off with a bit of a 'hey, we won't do it again, please', because a multi-thousand dollar bill can ruin a small business. So how do you go about making botnets? Well, you look on the internet: there's a bunch of stuff that hasn't been patched and updated in years, 2013's. People just put unpatched integrated lights-out management systems on the internet, so you can directly access the server online; these things have bugs that allow access to them. Some

people just put creds on the front page of their websites. Some people put printers on the internet with no passwords. Or if that's all too complicated, it's 2023 of course, so there's an 'as a service' for everything, including denial of service as a service. Layer 7 attacks: these are going to be a little bit more difficult because it's not just volume. The first thing is you're going to need to find a vulnerability in the application or the network that you want to target. Chances are you still might need a botnet, but the number of hosts is smaller, and in some cases you don't even need a botnet. We had an engagement where a

customer had bought some denial of service protection and they wanted us to validate that it was all working correctly. We spent 12 cents an hour for an EC2 instance and took their system offline, because their system was designed for volumetric attacks but we came along with a layer 7 attack. So what would an attacker actually target in an organisation? Like we had the motives before, these align also with the attacker's goals. If it's the blackmail ones, they want to disrupt business operations; they want to cause pain to the business so they pay up, because they just need to get business working again. If it's that issue-motivated group, they're going to do something that has

public relations value; they want to do something public facing in the hope that the media will cover it, and when the media says 'such-and-such a company had their site knocked offline with a denial of service attack', this issue-motivated group claims responsibility because they don't like the company doing X, Y and Z. And if it's distraction, you're most probably going to attack all the systems, because you want to spread that security team thin and you want that security team looking at everything but your actual data exfil, your privilege escalation, or whatever you're doing. So, target selection: if you've just got a brochure website, a static website that just lists an about page and a contact us page, attacking that

what's really the point? Someone might need to use Google to look up your phone number; it's not really affecting any business income, any business impact. You want something that's going to affect business operations. So if you want to attack a website you most probably want to get to the origin server: even if they're using a content distribution network, you want to find a way to get past that and down to the origin server. There's many different ways that we can find what the origin server is. We've had customers who have put production behind a CDN, but CDNs cost money, so to save money they didn't put test behind the CDN. I don't know if

anyone has sort of worked in the industry a bit: what are the chances that the production server and the test server are behind the same firewall, running on the same host, or using the same database? Would people say it's fairly high? So even if I attacked the test system I'd actually be attacking the production system as well, because it's the same internet connection, the same CPU, the same firewall, the same RAM. You can get origin servers in other ways as well. An attacker is going to be scanning the internet to find things that aren't just the public websites, the obvious things. Those screenshots before: at ZX we've got a tool

called 'flaming p one', a bit similar to Shodan, with a bit of customisation for what we need. It scans IP address space, it identifies what's there, it takes screenshots, it lists what ports are open. It's fair to assume an attacker is going to be doing something similar to find all the non-obvious targets inside a business. One thing you can do is find branch sites and retail sites, because people will put their fuel tanks online, including how many litres are in every tank at a truck stop. Supermarket managers need to keep an eye on their supermarkets remotely, and people need to buy pizzas without a password and change

all the prices without a password either. Retail sites can be quite interesting because, chances are, they most probably only have one internet connection. So even if that monitoring stuff is there, chances are the point of sale, where you swipe your card or do your PayWave, most probably uses the same internet connection. If you take that out, what's the financial impact if a shop can't do sales for an hour, a day, a week? There's a lot of financial impact; that's really going to affect business operations. So if you have retail sites or something, could an attacker easily identify these by what

you've left online? And this flows on to remote access as well, which has become more prevalent over the last few years. People will brand up their VPN login pages with a council's name and the fact that it's SCADA, so that's most probably some sensitive, important stuff if they're calling it SCADA. Instead of using the default Outlook Web Access page, people will brand it with their company name and their logo, so when you're scanning IP address space and you see this pop up, you know 'hey, this is the company I want to target, I've found their OWA'. Attacking remote access points is going to disrupt people working from home; it's going to make

remote support more difficult: everything's down and the sysadmins can't log in to understand why stuff's down. You've also got to consider what traverses the same firewall as the VPN or the Outlook Web Access, because even if you don't take out a server directly, it's still most probably using the same firewall, the same internet connections, so there is going to be collateral damage to other business operations. Another way to find hosts in a system is certificate transparency. Every time an HTTPS certificate is issued it gets added to a public ledger which you can look up, so an attacker can use this to find hosts, or subdomains that could be hosts if they resolve in

DNS. That can become interesting if these aren't behind a CDN; it can be useful for identifying origin servers, for instance. Here's an example from Google, this is the CT log for Google. It actually goes on much longer but I had to trim it down so you actually had a chance of reading it on the screen, but there's a whole bunch of different subdomains which you can then plumb through DNS lookups to find out where they are. Also, spidering a site. Going back to earlier on, I said do performance tests and you'll find slow queries. Even if you're on a CDN, the fact that one page is a lot slower than all the other pages

will most probably indicate that it's not being cached. If it's not being cached it's most probably having to go back to the origin server each time, because it's dynamic content or something like that, so that's not cached and that can be a good target. Sometimes spidering sites is just a good indication of whether someone has specced their servers correctly, because the number of times from my laptop I've accidentally taken sites down using Burp or DirBuster with the default 10 threads is more than I can actually count. And we've even had examples where we've typed our naughty strings into a search dialogue box and it's gone and broken the search in

some way and the whole site falls down. Again, some of this stuff can be real easy and you find it accidentally. Emails: I'm not talking about email lists in this case, I'm talking about sign-up emails, password resets, emails that are actually coming out of the application itself. Email headers will list the IP addresses of every host involved in sending that email. Chances are some of the first IP addresses in those email headers are going to be the origin server of the web application, so you can use that to potentially find and attack that origin server, or some sort of bypass, or other servers to attack. Another thing is historical DNS.

DNS will generally only tell you the current DNS records, the IP addresses for a host, but some places store historical DNS, so you can go back and look at what the previous IP addresses were for a particular domain. This can be particularly interesting if a customer, or your target, has recently moved behind a CDN. If you go back one or two IP addresses before it was actually CDN IP addresses, that's most probably the origin server, because it's quite common that when someone moves to a CDN they don't actually change the IP address of the origin server. So if you use that old IP address you're actually hitting the origin server.
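Two of the defender's checks that follow from this, whether a pre-CDN address from DNS history is still a non-CDN address an attacker could go to directly, and whether the origin's firewall lets anything other than the CDN reach the web ports, can be made mechanical. The following is an added example, not code from the talk or from ZX Security. The CDN edge ranges, the DNS history entries and the firewall rule format are constructed placeholders for this example; a real CDN publishes its own address list and a real firewall exports its own policy format.

```python
import ipaddress

# Constructed placeholder for the CDN's published edge ranges (documentation
# prefixes). A real deployment loads the CDN's own published list here.
CDN_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed historical DNS answers for www.example.com, newest first.
DNS_HISTORY = [
    ("2023-09-01", "192.0.2.10"),    # current record: a CDN edge
    ("2022-03-15", "203.0.113.40"),  # before the CDN move: most probably the origin
    ("2020-01-10", "203.0.113.41"),
]

# Constructed origin firewall policy, evaluated first match wins.
ORIGIN_RULES = [
    {"action": "allow", "src": "192.0.2.0/24", "port": 443},
    {"action": "allow", "src": "198.51.100.0/25", "port": 443},
    {"action": "allow", "src": "0.0.0.0/0", "port": 80},   # a forgotten plain-HTTP rule
    {"action": "allow", "src": "10.0.0.0/8", "port": 22},  # admin access from inside
    {"action": "deny", "src": "0.0.0.0/0", "port": None},
]


def covered_by_cdn(src, cdn_ranges=CDN_RANGES):
    """True if every address in src lies inside one published CDN range."""
    net = ipaddress.ip_network(src, strict=False)
    return any(net.version == r.version and net.subnet_of(r) for r in cdn_ranges)


def stale_origin_candidates(history, cdn_ranges=CDN_RANGES):
    """Addresses from DNS history that are not CDN edges. If the origin still
    listens on one of these, the CDN can be bypassed: renumber or firewall it."""
    return sorted({ip for _, ip in history if not covered_by_cdn(ip, cdn_ranges)},
                  key=ipaddress.ip_address)


def web_exposure(rules, cdn_ranges=CDN_RANGES, web_ports=(80, 443)):
    """Allow rules on web ports whose source is wider than the CDN ranges,
    returned as (rule_index, source, port)."""
    findings = []
    for idx, rule in enumerate(rules):
        if rule["action"] != "allow" or rule["port"] not in web_ports:
            continue
        if not covered_by_cdn(rule["src"], cdn_ranges):
            findings.append((idx, rule["src"], rule["port"]))
    return findings


def origin_review(history=DNS_HISTORY, rules=ORIGIN_RULES, cdn_ranges=CDN_RANGES):
    """Both checks in one report. The firewall result decides 'ok'; stale
    addresses are listed so they can be renumbered, since even dropped packets
    still consume the origin's pipe."""
    open_rules = web_exposure(rules, cdn_ranges)
    return {
        "stale_ips": stale_origin_candidates(history, cdn_ranges),
        "open_web_rules": open_rules,
        "ok": not open_rules,
    }


if __name__ == "__main__":
    report = origin_review()
    print("DNS history addresses outside the CDN:", report["stale_ips"])
    print("rules letting non-CDN sources reach web ports:", report["open_web_rules"])
    print("origin locked to CDN:", report["ok"])
```

With the constructed inputs the review lists the two pre-CDN addresses and flags rule 2, the world-open port 80 rule that an administrator left behind when HTTPS was moved behind the CDN. Run the same functions against your CDN's real published ranges and your exported firewall policy; the address exclusion is exact, so a rule such as `198.51.100.0/24` that is wider than the published `/25` is reported rather than silently accepted.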

Again, those have all sort of been technical requirements and technical attacks. There's also regulatory requirements, and how businesses interact with different systems, human-to-computer interfaces and things like that. If we go back to the New Zealand Stock Exchange example, it was only the website that was attacked. The actual trading platform where people could trade and sell shares was up all the time, but they still actually had to halt the market and stop trades, because there's a regulatory requirement that particular market documents need to be accessible to all market participants, and they were hosted on the website. So when the website went down these documents weren't available to the participants, and they had to actually halt the trading of

shares. And there's also collateral damage. If you use a service provider, a web host, to host some of your systems, what happens if one of the service provider's other customers gets attacked? Have they actually isolated each customer? Does each customer have dedicated internet connections? Do you have your own firewalls, your own web servers? What's the collateral damage if one of your service providers gets attacked? A little story for collateral damage: we were doing another denial of service test for a customer. They had a site that was behind a CDN; we tested that site, it was all right, it was configured correctly,

doing what it should do. We wanted to have something to include in the report, so we said 'hey, you've got some other sites that aren't behind the CDN, can we just test those quickly and see what happens if we attack those?' Those sites weren't using a CDN, so when we attacked those we were going directly to the data centre, and we filled up that pipe. When we filled up that pipe between the internet and the data centre, it actually knocked off the site which was behind a CDN, because it was a shared internet connection: the traffic filled it up and other things fell over as well. So you've got to think about

protecting everything. And that wasn't just a shared link for that customer from the internet to the data centre: the service provider only had one internet link between the internet and the data centre, so when we actually attacked our customer we also took off all the service provider's other customers as well. That was an interesting one for the service provider to explain. So now you may be worrying about your systems, your organisations; we'll look at how you can actually go about protecting your systems. For a start, you need to know what you have. If you have shadow IT, there's a chance that the attacker is actually going to know more about your

infrastructure, your organisation, than you do, because you can't defend what you don't know about. And even if there are systems related to your organisation that you don't know about, they can still call systems: this system might still connect back to your central systems, or there might be a business process that requires this shadow IT, and it's still associated with your business, so there's still the reputational damage if it does get targeted. So everything's bad, everything's vulnerable. Web content: we just use a CDN, right? Problem solved. Hopefully from what we've discussed so far you realise a CDN isn't some magical cure-all, so putting a CDN, firewall and web server together isn't actually going to stop

everything. You actually need to start thinking about: is your content cacheable? We had that example of the big images going out because they hadn't configured it to ignore the GET parameters on images. How are you going to handle dynamic content and user sessions? Dynamic by nature means that the database or the web application is actually going to have to be doing some work; user sessions have to be authenticated. How are you going to handle that with the CDN? Have you ticked all the right tick boxes? Do your origin servers only allow requests from the CDN? Who can purge and expire documents cached in the CDN? We had an example of a customer who had

a CDN they hadn't actually locked down correctly, and the CDN had some bad defaults such that you could actually purge pages from anywhere on the internet. So we could make a request, which takes about 3 seconds coming from the CDN; we just issued a purge request from any old IP address, the CDN goes 'cool, I'll purge that for you, it's all good', and the subsequent request takes a lot longer, but it's cached again now so it's all nice and fast. This is going to be an interesting one to debug, because if you're the sysadmin and you look at the web server logs, you're going 'there's just a lot more requests coming in for the page or something, but it's coming from

our normal customers'. That's because that actual purge request has been handled just by the CDN itself and isn't coming back to the origin server, so they don't actually see the attack happening unless you're also monitoring your CDN logs. Can people still find your origin server? Did you move to a CDN and never change the IP address of your server, so you can just look at the DNS history and get that IP address out? Is it something that you can find in certificate transparency, like origin.dd.example.com? And even if you block all the traffic coming to your origin

server: is a firewall doing the denying of requests? That's still consuming CPU resources per packet, and the internet pipe's only so big. If that's getting too close to the actual origin server, where that filtering and work has to be done, it may take your server down regardless. And if your web server goes down even with the CDN, the CDN is really good at throwing you under the bus: they say the CDN's all right and they say it's the web server that has the issue. They'll throw you under the bus quite happily to keep their brand reputation hunky-dory. So you need to make sure that even

if you've got a CDN, you still need to think about how you protect your web server. DNS and domain registrations: a lot of mitigations and a lot of systems just require DNS these days; there's the proverbial 'it's broken, it's DNS'. So you've got to make sure that your public-facing DNS is scalable for denial of service attacks. We've sort of got past the days where you can just use your domain registrar's couple of name servers; you do need a DNS provider that has multiple points of presence worldwide, ideally in Australia and New Zealand so it stays nice and quick, and allows you to change things quickly. So we look at a denial of

service of DNS. Who do you think would win: a laptop running a DNS subdomain brute-force tool, or a top-level domain? You may guess by the fact that I'm talking about it that it most probably was the laptop that won in this case. One of my colleagues was trying to brute-force some subdomains for a particular organisation using one of the tools that uses a range of recursive DNS servers to do the work to speed it up. Problem was, in doing that we actually overloaded the top-level domain and those domain servers stopped responding for more than just our customer. Oops. The guy was doing good work, it was his first

week; we had to really look after him after doing that, but he's all good now. So make sure you do move DNS outside and make sure it's cloud scale these days, because everything should be cloud scale, right? And if you are working with DNS and domain registrations, make sure you actually consolidate everything in one place, instead of using dave@companyname to sign up: I use my credit card, I use my email account to sign up for the domain. Maybe it's better to go and use a group inbox, a shared inbox, because if I'm on leave or I leave the organisation you miss your domain renewal emails, and all of a

sudden you lose your domain. Or you need to update something and you go 'oh, it's registered by this person, we don't have the password for it'. Make sure that people aren't just going willy-nilly registering domains and setting up the DNS; make sure the whole team actually knows how to get into it if they need to. You've also got to start thinking about how you design your application, your architecture. You need to make sure that you're making the best use of caching technologies and DoS mitigation technologies, and anything that is not cacheable should ideally be behind a login, a CAPTCHA, or a rate limiting technique that's actually applied out at the CDN edge, so it's not coming all the way back to the

origin server. And if you do implement some multi-tier architecture, make sure you don't have layer 7 bottlenecks. We had a customer who was quite proud of themselves because they'd horizontally scaled their web tier, their databases were auto-scaled, that was all cool, except they had this Java application and they couldn't quite figure out how to horizontally scale it. It was handling the session management, the logons, some business logic, some state, so pretty much everything, but they said 'no, it's currently working fine, it should be fine, we're scaling everything else, that should help it along'. What happened was it actually made it worse, because previously the constrained web tier and the

constrained databases were all in equilibrium and sort of controlled the performance. Now, with all the scaling you've got on your other tiers, that just meant that more data could be pumped at the Java application faster, and it just went splat. So you've got to make sure everything's in balance when you do things. If you look at the layer 7 stuff, you need to make sure that you can conduct detailed performance tests against all your websites and your infrastructure, so make sure you actually test your networks, you're testing your firewalls, it's not just your websites. And it's important: there's the VPNs, there's the Outlook Web Access

if you're still using that. So you understand what your performance bottlenecks are, because it's hard for WAFs or DoS scrubbing to block and mitigate layer 7 attacks: it's going to look like legitimate requests, legitimate traffic, it's going to look like normal usage of your systems. This may all sound really hard. Can you actually do an app that's actually good? On a recent job we got called in to do some work for the denial of service aspect of it. It was all new infrastructure, so they had some benefits: there was no DNS history to worry about. In the design they went 'okay, we're going to make sure we use a CDN that's

got some WAF, some DoS scrubbing, we're going to have a load balancing tier, we're going to make sure we auto-scale all the web apps and the databases so they can scale up and scale down as required'. It was sort of all cloud; they'd actually thought about it all, they had the right limitations in place, they'd thought about the flow. Where there was non-cacheable content they had a CAPTCHA, so on the logon form, but they tuned it so the first time you used the logon form there was no CAPTCHA, but if you tried too many times it would show a CAPTCHA to try and slow things down. They were using JWTs for

their authentication, and they actually configured their CDN such that if there was a JWT on the request, the CDN would actually check that the JWT was still valid in time and also signed by the right thing, and only then pass it on. If it was out of date or wasn't signed, it would just redirect them to the logon page right at the CDN, so none of that validation of easily-known bad logons would actually go back to the origin server directly. And before we came in to do the DoS testing they'd already done full performance testing: they tested their scaling, they tested without scaling, they had all their monitoring in place, they

knew how their application worked and what was going on in the application. So we came along and did the DoS test. It was all good, we couldn't find anything, because they actually thought about it and they architected it, they designed it, they implemented it all well. So it can be done; it just requires some time and some thought ahead of time. So, other application dimensions to consider: 404 pages. It's a 404 page, it's just not found, that should not be a problem because there's no page, there's no code running for that, right? So we had that example way back at the start where I said we took a website off for 12 cents an

hour. We were just asking for 404 pages, because the CDNs are really good at caching all the pages that have been requested. Problem is, there are infinitely many 404 pages; those aren't going to be in the CDN, so it's going to have to go back to the origin server, and the origin server says, oh no, that's a 404, pass that on. Problem was, in this particular content management system (CMS) they had it set up such that before returning a 404 it had to check the pages table, it had to check the tags table, it had to check the redirections table, it had to check the sections table, it had to check the users

table, the news table, and I think it was going through 11 different tables before it could actually return a 404. So that just totally swamped the database when you actually request a 404 page. So you need to make sure that your CDN is 404 aware, so you tell it these are the valid endpoints, these are the valid URLs, anything else is going to be a 404, don't send it back to the origin server, just 404 on the first request. If you've got branch sites, why are they on the internet directly? You don't need to publish to the world how much fuel you've got in your fuel tank. Just set up a site-to-site

VPN to your head office so you can check it from your own network. And also, why isn't it just reporting it back centrally to your Splunk or your SIEM or something, all these statuses, so it's not actually publicly on the web where people can find these retail or branch sites? So we need to make sure we are protecting all the branch sites as well. Monitor all the things. Monitor and collect statistics on your systems today; know what normal looks like, because there's examples where an industry segment, market segment, has a couple of players who are attacked by a denial of service attack, and the other people in the same market segment look at their logs and start panicking because they think

they're under a denial of service attack as well, because the others are, and then they find out, after running around trying to figure out what's going on, that this is actually normal usage. But because they've never actually looked at their logs, looked at their systems, their loads ahead of time, they didn't actually know what normal would look like, so they jumped to the conclusion that it's a denial of service attack. And when you are monitoring you need to make sure you monitor externally. It's no good having a monitoring server one rack below the server you're monitoring, because that's only going most probably as far

as the switch. It's always going to be good because it's a switch; it's most probably got like a 10 gig link between them, it's all fine. You need to make sure that your monitoring path does include all the routers, the firewalls, your internet connections as well. So you've got to make sure you're doing some level of monitoring from outside your organization so you can actually check that the whole path that your data and your customers are using is actually being monitored as well, so you don't find any bottlenecks or attacks further up in your systems. And also make sure you monitor your disk space. You know, at the start of most

engagements we most probably run a little nmap scan, see what ports are open, see if there's anything interesting to target. Problem was, this customer had their firewall set up to log all the denies. You know, after a little bit this filled up all the disk. Problem was, their firewall was configured such that when the disk filled up it denied all requests, inbound, outbound, normally allowed. This resulted in an outage. The customer rang up, complained about what did we do. We said there's a high-risk finding that anyone who can download nmap and type in your IP address is going to knock your organization offline; you'd better go fix that. Make sure you test and do

simulations, do your tabletops. You know, it's not just the technical side; make sure you check your incident playbooks as well. So we were doing a denial of service test for another customer, and this was sort of a hybrid: actual technical, let's throw data at them, traffic at them, and also look at their processes, sort of a tabletop exercise as well. So we started off, sent them a few, you know, 5, 10 gig of traffic. Their thing was, their ISP was meant to detect this and then ring them up and say, hey, do you want us to turn on the DoS scrubbing for you? Problem was, a few years back our

customer had changed help desk providers. They thought they told all their ISPs, and told them, hey, we're now using this help desk provider, please make sure this is the new phone number, please make sure everything has it. Problem was, of course, the ISP hadn't actually updated some of their internal knowledge base, so when they detected it they were ringing up the old help desk. That help desk went, they're not a customer, why are you ringing up? and promptly hung up. So it took a lot longer than expected because the people at the ISP then had to try sales reps to find the current contact details for our customer and find everything

else out. So what this sort of story illustrates is it's not just the technical side; you also need to make sure that all your processes, your playbooks, are also up to date, tested, working, and some of your mitigations involve crossing party boundaries, and you need to make sure that the points of contact and the integration points, phone numbers, emails and such, are all up to date and working as you expect. So, starting to sort of wrap it up: maybe you've started to think what sort of systems in your business are critical, would really affect your business or your customers, and thinking you might need to think about some protection for those. So maybe you've also got some idea

of what your threats are. You may have a little bit of a plan to defend them, possibly, quite likely not, quite sure. You may be feeling a little bit overwhelmed and you're going, oh my, there's a lot of work to do on Monday. Deep breath, slow down. First thing you do is you need to make sure you do things in a sensible order. We've got on the ZX website a maturity model for denial of service preparation. It has a blog post which goes with it, it has a nice little infographic. Don't worry about reading it, you can get it from the website, or I'll point you in the right direction. It roughly distills down to

first step is you need to figure out what you have to defend, what attackers are going to attack in your organization. You need to plan how you're going to defend each one of these assets or each group of assets. You need to make sure you put the defenses in place, and you need to start monitoring and doing simulations around it all. So thank you all for coming. Thanks to the BSides crew for accepting my talk and putting on a great conference; hopefully it's going to be a great weekend. The ZX team for bouncing ideas off, giving me content for this talk. Yeah, so thank you all. I'm not sure if there's time for questions; if

not, I'm going to be around the con for the rest of the weekend, happy to chat about all the stuff, or hit me up online. Thank you all. [Applause]
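The two edge defences the speaker describes for the well-architected customer (a 404-aware CDN that only forwards known routes, and JWT expiry/signature checks done at the CDN so bad logons never reach origin), modelled as an added Python example. This is not ZX Security's or the customer's code; the route list, the HS256 shared secret and the request shape are assumptions made for the demonstration.

```python
"""Edge filter model: 404-aware routing plus JWT pre-validation at the CDN.
Constructed example; routes, secret and request shape are assumptions."""
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"constructed-demo-secret"                  # assumption: HS256 key shared with origin
VALID_ROUTES = {"/", "/login", "/news", "/account"}  # assumption: the app's real endpoints
PROTECTED_ROUTES = {"/account"}                      # routes that require a valid JWT

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Mint an HS256 JWT; used only to construct sample requests."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def jwt_is_valid(token: str, now: float, key: bytes = SECRET) -> bool:
    """True only if the token is signed by our key and exp is still in the future."""
    try:
        header, body, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return False                             # refuse alg confusion / "none"
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return False                             # wrong signer
        return float(json.loads(b64url_decode(body)).get("exp", 0)) > now
    except (ValueError, TypeError, AttributeError):
        return False                                 # malformed token counts as invalid

def edge_decision(path: str, token: Optional[str], now: Optional[float] = None) -> str:
    """What the edge does with a request: 'forward', '404' or 'redirect:/login'."""
    now = time.time() if now is None else now
    if path not in VALID_ROUTES:
        return "404"                                 # unknown URL: answer here, never hit origin
    if path in PROTECTED_ROUTES and not (token and jwt_is_valid(token, now)):
        return "redirect:/login"                     # expired or unsigned JWT bounced at the edge
    return "forward"                                 # only validated traffic reaches origin
```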