Briefing on Recent Attacks and Attack Trends
Dennis Usle, Security Solutions Architect
[email protected]
May 2013
Radware Confidential Jan 2012
AGENDA
• 2012 Availability-based threats
• Attacks on the US banks
• Other popular attack patterns & trends
Attacker's Change in Motivation & Techniques
[Figure: timeline chart, attack risk plotted against time from 2001 to 2011, with events grouped by motive]
Motive categories shown: Vandalism and Publicity; Financially Motivated; "Hacktivism"; Blending Motives ("Blend").
Events plotted, with the year as labelled in the chart:
• "Worms": CodeRed (2001), Nimda (installed Trojan, 2001), Slammer (attacking SQL sites, 2003), Blaster (2003)
• Botnets: Agobot (DoS botnet), Storm (2007), Rustock (2007), Kracken, Srizbi, IMDDOS (2010)
• DoS / DDoS: Republican website DoS (2004), Estonia's web sites (2007), Georgia web sites (2008), cyber attacks on US & Korea (July 2009), Google / Twitter, Codero DDoS / Twitter, Operation Payback (Dec 2010), Netbot (Peru, Chile), Operation Payback II (Mar 2011), Wordpress.com DDoS (Mar 2011)
• Blended motives: LulzSec (Sony, CIA, FBI)
© 2011, Radware, Ltd.
The Security Trinity
• Confidentiality, a mainstream adaptation of the military "need to know" principle, restricts access to information to those systems, processes and recipients to which the content was intended to be exposed.
• Integrity, in its broadest meaning, refers to the trustworthiness of information over its entire life cycle.
• Availability is the property that information, and the systems that serve it, are reachable and usable when needed. It is lost when those functions cease (an outage, an attack) or were never provided in the first place.
Availability-Based Attacks
Availability-based threats:
• Network floods (volumetric)
• Application floods
• Low-and-slow
• Single-packet DoS
2012 Attack Motivation - ERT Survey [chart]
Radware ERT Survey [chart]
2012 Target Trend - ERT Survey [chart]
Attack Campaigns Duration [chart]
Attack Duration Requires IT to Develop New Skills: War Room Skills Are Required
Main Bottlenecks During DoS Attacks - ERT Survey [chart]
Attacks Traverse CDNs (Dynamic Object Attacks) [diagram]
Attacks on the US banks
Overview
• What triggered the recent US attacks?
• Who was involved in implementing the attacks, and what was the name of the operation?
• How long did the attacks last, and how many attack vectors were involved?
• How the attacks work and their effects.
• How can we prepare ourselves for the future?
What triggered the attacks on the US banks?
• Nakoula Basseley Nakoula (alias "Sam Bacile"), an Egyptian-born US resident, created an anti-Islamic film.
• In early September 2012 the publication of the "Innocence of Muslims" film on YouTube provoked demonstrations throughout the Muslim world.
• The video posted was 14 minutes long, although a full-length movie was reportedly released.

Protests Generated by the Movie

The Cyber Response
Who is the group behind the cyber response?
• A hacker group calling itself the "Izz ad-Din al-Qassam Cyber Fighters".
• Izz ad-Din al-Qassam was a well-known Muslim preacher who led the fight against the French and British authorities and the Zionist movement in the 1920s and 1930s.
• The group claims not to be affiliated with any government, nor with Anonymous.
• The group claims to be independent; its stated goal is to defend Islam.

Operation Ababil launched!
• "Operation Ababil" is the codename of the operation launched on September 18th, 2012 by the Izz ad-Din al-Qassam Cyber Fighters.
• The attackers announced they would attack "American and Zionist targets".
• "Ababil" translates as "swallow" from Persian. To date the US still suspects that the Iranian government may be behind the operation.
• The stated goal of the operation is to have YouTube remove the anti-Islamic film from its site. To date the video has not been removed.
The Attack
Vectors and Tactics!

Initial attack campaign, announced in phases
• The campaign was run in phases, with a public announcement before each phase.
• The attacks lasted 10 days, from the 18th until the 28th of September.
• Phase 1 targets: NYSE, Bank of America, JP Morgan.
• Phase 2 targets: Wells Fargo, U.S. Bank, PNC.
• Phase 3 targets: PNC, Fifth Third Bancorp, JPMorgan Chase, U.S. Bank, Union Bank, Bank of America, Citibank, BB&T and Capital One.
Attack Vectors
The ERT team saw the following attack vectors during Operation Ababil:
1. UDP garbage flood.
2. TCP SYN flood.
3. Mobile LOIC (Apache killer version).
4. HTTP request flood.
5. ICMP reply flood (unconfirmed, but reported on).
6. Booters.
Note: data is gathered by Radware as well as its partners.

Booters
A booter is a tool used for taking down ("booting off") websites and servers.
Booters offer high-volume (server-based) attacks and slow-rate attack vectors as a one-stop shop.
UDP Garbage Flood
• Targeted the organizations' DNS servers, and also HTTP.
• 1 Gbps and more in volume.
• All attacks were identical in content and size (packet structure).
• UDP packets sent to ports 53 and 80.
• Customers were attacked on Sep 18th and 19th.

Tactics used in the UDP Garbage Flood
• Internal DNS servers were targeted at a high rate.
• Web servers were also targeted at a high rate.
• Spoofed source IPs (but kept to just a few, which is unusual).
• ~1 Gbps.
• Lasted more than 7 hours initially, and still continues at the time of writing.

Packet structure
  Parameter        Port 53                    Port 80
  Packet size      1358 bytes                 Unknown
  Garbage value    'A' (0x41) repeated        "/http1" (\x2f\x68\x74\x74\x70\x31) repeated
DNS Garbage Flood packet extract
• Reports that a DNS reflection attack was underway appear to be incorrect: the traffic was garbage sent to port 53, not responses reflected off resolvers.
• The packets are "malformed" DNS: there is no valid DNS header behind the UDP header.
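The distinction the two bullets above draw (garbage towards port 53 versus a genuine DNS reflection, which would arrive as well-formed responses from port 53) is easy to automate. The following is an added example written for this page, not Radware's code or a capture from the campaign: the DNS datagrams and garbage payloads are constructed inline to match the packet structure table (the 1358-byte 'A' run and the repeated "/http1"), and the classifier reads only the 12-byte DNS header and the first question name.

```python
import struct
from collections import Counter

# Constructed sample datagrams (not captures from the deck): a well-formed DNS
# query and response for example.com, and the two garbage payloads the slides
# describe ('A' repeated towards port 53, "/http1" repeated towards port 80).
DNS_QUERY = (
    b"\x12\x34"                            # transaction ID
    b"\x01\x00"                            # flags: QR=0 (query), opcode 0, RD=1
    b"\x00\x01\x00\x00\x00\x00\x00\x00"    # QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    b"\x07example\x03com\x00"              # QNAME example.com
    b"\x00\x01\x00\x01"                    # QTYPE=A, QCLASS=IN
)
DNS_RESPONSE = (
    b"\x12\x34"
    b"\x81\x80"                            # flags: QR=1 (response), RD, RA, rcode 0
    b"\x00\x01\x00\x01\x00\x00\x00\x00"    # QDCOUNT=1, ANCOUNT=1
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"  # one A record
)
GARBAGE_53 = b"A" * 1358                   # 'A' (0x41) repeated, 1358 bytes as in the table
GARBAGE_80 = b"/http1" * 226               # "/http1" repeated; size on port 80 was unknown

VALID_OPCODES = {0, 1, 2, 4, 5}            # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


def parse_dns_header(payload):
    """Unpack the 12-byte DNS header; None if the datagram is too short to carry one."""
    if len(payload) < 12:
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {"id": txid, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def qname_is_wellformed(payload):
    """Walk the first QNAME: labels of 1..63 bytes, terminated by a zero length inside the packet."""
    i = 12
    while i < len(payload):
        length = payload[i]
        if length == 0:
            return True
        if length > 63 or i + 1 + length > len(payload):
            return False
        i += 1 + length
    return False


def looks_like_dns(payload):
    """True if the header is plausible and the question name parses. The 'A'-filled
    garbage fails on every count: opcode 8, QDCOUNT 16705 and a 65-byte first label."""
    hdr = parse_dns_header(payload)
    return (hdr is not None and hdr["opcode"] in VALID_OPCODES
            and hdr["qdcount"] <= 1 and qname_is_wellformed(payload))


def classify(payload, src_port, dst_port):
    """Label one UDP datagram. A reflection attack would show up as well-formed
    responses *from* port 53; the Ababil traffic is garbage *to* ports 53 and 80."""
    if dst_port == 53 or src_port == 53:
        if not looks_like_dns(payload):
            return "udp_garbage"
        hdr = parse_dns_header(payload)
        if hdr["qr"] == 1 and src_port == 53:
            return "dns_response_from_53"
        return "dns_query" if hdr["qr"] == 0 else "dns_response"
    if dst_port == 80:
        token = payload.split(b" ", 1)[0]
        return "http_method_over_udp" if token in HTTP_METHODS else "udp_garbage"
    return "other_udp"


def tally(datagrams):
    """Count classes over an iterable of (payload, src_port, dst_port)."""
    return dict(Counter(classify(p, s, d) for p, s, d in datagrams))


if __name__ == "__main__":
    sample = [(DNS_QUERY, 40001, 53), (DNS_RESPONSE, 53, 40001),
              (GARBAGE_53, 40002, 53), (GARBAGE_53, 40003, 53), (GARBAGE_80, 40004, 80)]
    print(tally(sample))
```

Run against a capture, a high count of `udp_garbage` with a handful of source addresses (the few spoofed IPs noted above) is the garbage-flood signature; a high count of `dns_response_from_53` at hosts that never sent queries would be the reflection case the reports mistook this for.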
Attackers' objective of the UDP Garbage Flood
• Saturate bandwidth.
• The attack passes through the firewall, since the port is open.
• Saturate session tables and CPU on any stateful device: L4 routing rules on routers, firewall session tables, etc.
• The ICMP type 3 (destination unreachable) messages returned for the garbage further saturate upstream bandwidth.
• Combined, this leads to a DoS if the bandwidth and infrastructure cannot handle the volume or the packet processing.
TCP SYN Flood
• Targeted ports 53, 80 and 443.
• The rate was around 100 Mbps, around 135K PPS.
• Lasted for more than 3 days.

SYN Flood packet extract
• All sources are spoofed.
• Multiple SYN packets to port 443.

Attackers' objective of the TCP SYN Floods
• SYN floods are a well-known attack vector.
• Can be used to distract from more targeted attacks.
• A SYN flood that slips through can devastate stateful devices quickly by filling up the session table with half-open connections.
• Every stateful device takes some performance hit under such a flood.
• Easy to implement.
• An incorrectly designed network architecture will quickly run into issues.
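To make the "filling up the session table" point concrete, here is an added example (written for this page, not Radware's code) that simulates a stateful device's half-open table under spoofed SYNs that never complete, and beside it a simplified SYN-cookie scheme in which the listener keeps no state per SYN and instead verifies the third-leg ACK cryptographically. The cookie layout, the secret and the addresses are assumptions for the demonstration; the simplification follows the general idea of the Linux implementation rather than reproducing it.

```python
import hashlib
import hmac


class HalfOpenTable:
    """A stateful device's embryonic-connection table: one entry per SYN until the
    handshake completes or the entry times out. Capacity is what the flood exhausts."""

    def __init__(self, capacity, timeout=60.0):
        self.capacity, self.timeout = capacity, timeout
        self.entries = {}          # (src_ip, sport, dport) -> SYN arrival time
        self.dropped = 0

    def on_syn(self, src_ip, sport, dport, now):
        if len(self.entries) >= self.capacity:      # try to make room by expiring stale entries
            self.entries = {k: t for k, t in self.entries.items() if now - t < self.timeout}
        if len(self.entries) >= self.capacity:
            self.dropped += 1                        # table full: this SYN, legitimate or not, is lost
            return False
        self.entries[(src_ip, sport, dport)] = now
        return True

    def on_ack(self, src_ip, sport, dport):
        return self.entries.pop((src_ip, sport, dport), None) is not None


# SYN cookies: hold no state per SYN. Encode what is needed to rebuild the connection
# into the ISN and verify it when the ACK comes back. Layout assumed here:
# 5 bits of a slowly ticking counter, 3 bits MSS index, 24 bits of truncated HMAC.
COOKIE_SECRET = b"constructed-demo-secret"   # assumption: per-host secret


def syn_cookie(src_ip, dst_ip, sport, dport, counter, mss_index):
    msg = f"{src_ip}|{dst_ip}|{sport}|{dport}|{counter}".encode()
    mac = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return ((counter & 0x1F) << 27) | ((mss_index & 0x7) << 24) | int.from_bytes(mac[:3], "big")


def check_syn_cookie(ack_num, src_ip, dst_ip, sport, dport, counter):
    """Return the MSS index if ack_num-1 is a cookie issued in this or the previous
    counter tick for exactly this 4-tuple; None otherwise. No stored state consulted."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    mss_index = (cookie >> 24) & 0x7
    for c in (counter, counter - 1):
        if syn_cookie(src_ip, dst_ip, sport, dport, c, mss_index) == cookie:
            return mss_index
    return None


def simulate(spoofed_syns, capacity):
    """Replay spoofed SYNs that never complete, then check whether a legitimate client
    still gets through: via the stateful table, and via SYN cookies."""
    table = HalfOpenTable(capacity)
    for i in range(spoofed_syns):
        spoofed_src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"   # constructed spoofed sources
        table.on_syn(spoofed_src, 1024 + (i % 60000), 443, now=0.0)
    legit_src, legit_sport, server_ip, server_port = "203.0.113.7", 51515, "198.51.100.10", 443
    stateful_ok = table.on_syn(legit_src, legit_sport, server_port, now=1.0)

    counter = 7                                    # assumption: ticks once a minute
    isn = syn_cookie(legit_src, server_ip, legit_sport, server_port, counter, mss_index=3)
    cookie_ok = check_syn_cookie(isn + 1, legit_src, server_ip, legit_sport, server_port, counter) == 3
    # A spoofed source never answers the SYN-ACK, so nothing was ever stored for it;
    # an ACK forged from some other address does not verify either.
    forged_rejected = check_syn_cookie(isn + 1, "192.0.2.99", server_ip,
                                       legit_sport, server_port, counter) is None
    return {"stateful_accepts_legit": stateful_ok, "syns_dropped": table.dropped,
            "cookie_accepts_legit": cookie_ok, "forged_ack_rejected": forged_rejected}


if __name__ == "__main__":
    print(simulate(spoofed_syns=1500, capacity=1000))
```

The trade-off the simulation hides is real: cookies drop TCP options that do not fit in the ISN and only kick in once the backlog is full, so they are a last line of defence behind upstream rate limiting, not a replacement for it.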
Mobile LOIC (Apache killer version)
• Mobile LOIC (Low Orbit Ion Cannon) is a DDoS tool written in HTML and JavaScript, so it runs in a web browser.
• The tool performs an HTTP GET flood.
• We have no statistics on the exact traffic of Mobile LOIC; its use in this campaign is suspected rather than confirmed.

Mobile LOIC in a web browser [screenshot]
HTTP Request Flood
• Between 80K and 100K TPS (transactions per second).
• Port 80.
• All GET requests followed the same pattern, except for the input parameter.
• Dynamic User-Agent.

HTTP flood packet structure
• Sources worldwide (the true sources are most likely hidden).
• User-Agent header duplicated.
• Dynamic input parameters in the GET request.

Attackers' objective of the HTTP flood
• Bypass CDN caching by randomizing the input parameter and the User-Agent, so every request is a cache miss that reaches the origin.
• The duplicated User-Agent header points to a flaw in the attacking tool's code; it also makes a convenient signature.
• Saturate and exhaust web server resources by keeping session tables and web server connection limits occupied.
• The attack takes more resources to run than non-connection-oriented attacks such as TCP SYN floods and UDP garbage floods, because a full TCP connection must be established for each request.

Identified locations of attacking IPs
Worldwide! [map]
Other 2012 popular attack patterns & trends

Availability-based Threats Tree
Availability-based threats:
• Network floods (volumetric): ICMP flood, UDP flood, SYN flood
• Application floods: web flood, HTTPS, DNS, SMTP
• Low-and-slow
• Single-packet DoS

Asymmetric Attacks
HTTP Reflection Attack
[Diagram: the attacker plants content on Website A; the browsers of Website A's visitors then send HTTP GETs to Website B, the victim]

HTTP Reflection Attack Example
A hidden iframe (width=1, height=1) embedded in Website A points at search.php on the victim, so every visitor to Website A issues a GET to the victim's search page without noticing.
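Both the Ababil HTTP flood above (same path, a fresh input parameter on every hit, the User-Agent header sent twice) and the iframe reflection just described leave signatures in the request stream. The following is an added example for this page, not Radware's code: a small HTTP request-head parser that keeps duplicate headers visible, and an analyzer that groups requests by path and scores three indicators, cache-busting ratio, duplicated User-Agent, and Referer concentration on a single third-party host. The protected host name, the sample traffic and the thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

OUR_HOST = "bank.example"       # assumption: the protected origin's host name


def parse_request(raw):
    """Parse a raw HTTP/1.1 request head into (method, path, query, headers).
    Headers are kept as a list of (name, value) so a duplicated header stays visible."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers = []
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return method, parts.path, parts.query, headers


def analyze(requests, min_requests=20):
    """requests: iterable of (src_ip, raw_request). For every path with at least
    min_requests hits, return the indicators and a verdict."""
    by_path = defaultdict(list)
    for src_ip, raw in requests:
        _method, path, query, headers = parse_request(raw)
        by_path[path].append((src_ip, query, headers))
    findings = {}
    for path, items in by_path.items():
        n = len(items)
        if n < min_requests:
            continue
        dup_ua = sum(1 for _, _, h in items if sum(1 for k, _ in h if k == "user-agent") > 1)
        distinct_queries = len({q for _, q, _ in items})
        referer_hosts = Counter(urlsplit(dict(h).get("referer", "")).hostname for _, _, h in items)
        top_ref, top_count = referer_hosts.most_common(1)[0]
        f = {"requests": n, "sources": len({s for s, _, _ in items}),
             "cache_bust_ratio": distinct_queries / n,
             "duplicate_ua_ratio": dup_ua / n,
             "top_referer": top_ref, "top_referer_share": top_count / n}
        if top_ref not in (None, OUR_HOST) and f["top_referer_share"] >= 0.8:
            f["verdict"] = "http_reflection"        # one third-party site is sourcing the GETs
        elif f["cache_bust_ratio"] >= 0.9 and f["duplicate_ua_ratio"] >= 0.5:
            f["verdict"] = "http_flood_cdn_bypass"  # unique query per hit plus the tool's doubled UA
        elif f["cache_bust_ratio"] >= 0.9:
            f["verdict"] = "dynamic_object_flood"   # unique query per hit, no UA tell
        else:
            f["verdict"] = "normal"
        findings[path] = f
    return findings


def build_samples():
    """Constructed traffic (not from the deck): an Ababil-style flood, an iframe
    reflection campaign and ordinary logins."""
    reqs = []
    for i in range(200):                             # flood: same path, fresh token, UA sent twice
        ua = f"Mozilla/5.0 (agent {i % 7})"
        reqs.append((f"198.51.100.{i % 150}",
                     f"GET /index.php?id={i:06x} HTTP/1.1\r\nHost: {OUR_HOST}\r\n"
                     f"User-Agent: {ua}\r\nUser-Agent: {ua}\r\n\r\n"))
    for i in range(100):                             # reflection: visitors of site-a.example
        reqs.append((f"203.0.113.{i % 250}",
                     f"GET /search.php?q={i:05d} HTTP/1.1\r\nHost: {OUR_HOST}\r\n"
                     f"Referer: http://site-a.example/news.html\r\nUser-Agent: Mozilla/5.0\r\n\r\n"))
    for i in range(30):                              # legitimate logins
        reqs.append((f"192.0.2.{i}",
                     f"POST /login HTTP/1.1\r\nHost: {OUR_HOST}\r\nReferer: https://{OUR_HOST}/\r\n"
                     f"User-Agent: Mozilla/5.0\r\n\r\n"))
    return reqs


if __name__ == "__main__":
    for path, f in analyze(build_samples()).items():
        print(path, f["verdict"], f)
```

The Referer test will also fire on an ordinary site that hot-links heavily to one page of yours, so treat `http_reflection` as a lead to inspect the referring page for the 1x1 iframe, and answer it at the edge by refusing or rate-limiting requests to that path whose Referer is the offending host.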
HTTPS – SSL Renegotiation Attack
THC-SSL-DOS
THC-SSL-DOS was developed by the hacking group The Hacker's Choice (THC) as a proof of concept to push vendors to fix a serious SSL weakness. Like other "low and slow" attacks, it needs only a small number of packets to deny service to a fairly large server. It works by completing a regular SSL handshake and then immediately requesting renegotiation of the session keys, repeating this server-intensive renegotiation request until the server's resources are exhausted. The asymmetry is the point: the server does far more work per renegotiation than the client. Disabling client-initiated renegotiation on the server removes the vector.
Low & Slow
(The low-and-slow branch of the availability-based threats tree above.)
• Slowloris
• Sockstress
• R.U.D.Y.
• Simultaneous connection saturation
R.U.D.Y. (R-U-Dead-Yet?)
R.U.D.Y. (R-U-Dead-Yet?) is a slow-rate HTTP POST (Layer 7) denial-of-service tool created by Raviv Raz and named after the Children of Bodom album "Are You Dead Yet?". It achieves denial of service with long form-field submissions: it declares a large Content-Length, then injects one byte of the POST body at a time and waits. The application threads must wait for the end of the never-ending POST before they can process it (this behaviour is necessary so that web servers can support users on slow connections). Because R.U.D.Y. makes the target web server hang while waiting for the rest of each POST, an attacker opening many such connections in parallel can exhaust the server's connection table and create a denial-of-service condition.
Slowloris
Slowloris is a denial-of-service tool written by the grey-hat hacker "RSnake" that causes DoS with a very slow HTTP request. It sends the HTTP headers to the target in tiny chunks, as slowly as possible (waiting to send the next chunk until just before the server would time the request out), so the server keeps waiting for the headers to arrive. If enough connections are opened in this way, the server soon cannot serve legitimate requests. Slowloris is cross-platform in principle, but because of the ~130 simultaneous-socket limit on Windows it is only effective from UNIX-based systems, which allow many more parallel connections to a target (a GUI Python version of Slowloris, PyLoris, was able to work around this limit on Windows).
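Both R.U.D.Y. and Slowloris work because the server's request timeout is a fixed idle timer that each tiny chunk resets. The defence is a budget that does not reset: the request head must be complete within a fixed time, and the body must keep arriving at a minimum byte rate. The following is an added example (written for this page, not Radware's code) of such a guard, fed with three constructed connection timelines: a normal client, a Slowloris client that trickles one header line every 10 seconds, and a R.U.D.Y. client that declares a 1 MB body and delivers one byte every 10 seconds. The timeouts and minimum rate are assumed values; the "one extra second of budget per min_rate bytes" rule is the same idea Apache's mod_reqtimeout expresses with MinRate.

```python
def content_length(head):
    """Content-Length from a request head (bytes); 0 when absent."""
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip())
    return 0


class SlowRequestGuard:
    """Kill connections whose request head is not complete within header_timeout seconds,
    or whose body does not keep arriving at min_rate bytes/s. The budget grows by one
    second per min_rate bytes received, so a slow but honest client is still served."""

    def __init__(self, header_timeout=20.0, body_timeout=20.0, min_rate=500):
        self.header_timeout, self.body_timeout, self.min_rate = header_timeout, body_timeout, min_rate
        self.conns = {}

    def on_open(self, cid, now):
        self.conns[cid] = {"opened": now, "buf": b"", "head_done": None,
                           "body_len": 0, "body_got": 0, "status": "open"}

    def on_data(self, cid, now, data):
        c = self.conns[cid]
        if c["status"] != "open":
            return
        if c["head_done"] is None:
            c["buf"] += data
            if b"\r\n\r\n" in c["buf"]:
                head, _, rest = c["buf"].partition(b"\r\n\r\n")
                c["head_done"], c["body_len"], c["body_got"] = now, content_length(head), len(rest)
        else:
            c["body_got"] += len(data)
        if c["head_done"] is not None and c["body_got"] >= c["body_len"]:
            c["status"] = "completed"

    def sweep(self, now):
        """Called periodically; returns the ids killed on this pass."""
        killed = []
        for cid, c in self.conns.items():
            if c["status"] != "open":
                continue
            if c["head_done"] is None:
                budget = self.header_timeout + len(c["buf"]) / self.min_rate
                if now - c["opened"] > budget:
                    c["status"] = "killed:headers_incomplete"
                    killed.append(cid)
            else:
                budget = self.body_timeout + c["body_got"] / self.min_rate
                if now - c["head_done"] > budget:
                    c["status"] = "killed:body_too_slow"
                    killed.append(cid)
        return killed


def simulate(duration=60):
    """Constructed timelines (not captures): returns {conn: (final status, kill time or None)}."""
    events = [(0.1, "normal", b"GET / HTTP/1.1\r\nHost: bank.example\r\n\r\n"),
              (0.0, "slowloris", b"GET / HTTP/1.1\r\nHost: bank.example\r\n"),
              (0.1, "rudy", b"POST /login HTTP/1.1\r\nHost: bank.example\r\nContent-Length: 1000000\r\n\r\n")]
    events += [(10.0 * k, "slowloris", b"X-a: b\r\n") for k in range(1, duration // 10 + 1)]
    events += [(10.0 * k, "rudy", b"a") for k in range(1, duration // 10 + 1)]
    events.sort(key=lambda e: e[0])
    guard = SlowRequestGuard()
    for cid in ("normal", "slowloris", "rudy"):
        guard.on_open(cid, 0.0)
    killed_at = {}
    for tick in range(duration + 1):                 # one-second sweep
        now = float(tick)
        for t, cid, data in events:
            if tick - 1 < t <= now:
                guard.on_data(cid, t, data)
        for cid in guard.sweep(now):
            killed_at[cid] = now
    return {cid: (c["status"], killed_at.get(cid)) for cid, c in guard.conns.items()}


if __name__ == "__main__":
    print(simulate())
```

A per-connection guard like this caps how long one socket can be held, but it does nothing about the number of sockets an attacker opens; pair it with a per-source concurrent-connection limit so that a single host cannot reach the server's connection ceiling even with well-behaved requests.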
Black Hat 2013 - Universal DDoS Mitigation Bypass
The main idea behind this presentation was to demonstrate a new tool that combines a JavaScript engine with CAPTCHA solving.
They first covered the types of DDoS attack:
• Volumetric – packet-rate based and bit-rate based.
• Non-volumetric – protocol and application based (Apache killer, Slowloris, R.U.D.Y., Smurf).
• Blended – all of the above together; very common and effective.
After the attack vectors they covered the mitigation techniques currently known to them, vendor-neutral:
• Traffic policing (simple rate limiting)
• Proactive resource release (mostly for low-and-slow attacks)
• Black/white listing
• Resource isolation (across different AS)
• Secure CDN

Black Hat 2013 - Universal DDoS Mitigation Bypass
After the long prologue they gave the specifications of the new tool, Kill 'em All 1.0.
The tool will support the following features:
• Authentication bypass (including re-authentication every X seconds)
• HTTP redirect
• HTTP cookie
• JavaScript
• CAPTCHA
According to the presenters, the strengths of the tool are:
• True TCP behaviour
• Believable and random HTTP headers (including the GET request itself)
• JavaScript engine
• CAPTCHA solving
• Random payload
• Tunable post-authentication traffic model

Black Hat 2013 - Universal DDoS Mitigation Bypass
• The presenters claim the tool is technically indistinguishable from a human.
• They say it was tested successfully against both anti-DDoS devices and services; the only ones they named were CloudFlare and Akamai.
• They concluded the session by saying that DDoS is very expensive and that current solutions are falling behind.
Challenge & Response Escalations

  Challenge                   Script: Kamikaze   Kamina     Terminator
  302 Redirect Challenge      Pass               Pass       Pass
  JS Challenge                Not pass           Not pass   Pass
  Special Challenge (6.09)    Not pass           Not pass   Not pass

Here are the results:
Kamikaze and Kamina do not pass the DefensePro JS challenge. Terminator passes both the 302 and the JS challenge; however, we were prepared for this and have released a set of new challenges that it does not pass. To our knowledge DefensePro is currently the only product that can handle these tools.
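The first tier in the table above, the 302 redirect challenge, is worth seeing in code because it shows exactly what separates a script that "passes" from one that does not. The following is an added example for this page, not DefensePro's implementation: a gateway that answers an unknown client with a 302 back to the same URL plus an HMAC cookie bound to the client address and an issue time, and lets the request through to the origin only once the cookie comes back intact. Two constructed client behaviours are run against it: one that fires the same GET repeatedly and ignores redirects and cookies, and one that follows the redirect and replays the cookie. The secret, cookie name and TTL are assumptions.

```python
import hashlib
import hmac

CHALLENGE_SECRET = b"constructed-demo-secret"   # assumption: secret held by the mitigation device
COOKIE_NAME = "cr"
TOKEN_TTL = 300                                 # seconds a passed challenge stays valid


def make_token(client_ip, issued):
    """issued.mac, where mac binds the token to the client address and the issue time."""
    mac = hmac.new(CHALLENGE_SECRET, f"{client_ip}|{issued}".encode(), hashlib.sha256).hexdigest()[:32]
    return f"{issued}.{mac}"


def token_valid(token, client_ip, now):
    """Reject malformed, expired, or foreign-address tokens; compare in constant time."""
    try:
        issued_s, _mac = token.split(".", 1)
        issued = int(issued_s)
    except ValueError:
        return False
    if not 0 <= now - issued <= TOKEN_TTL:
        return False
    return hmac.compare_digest(make_token(client_ip, issued), token)


def challenge_gateway(request, now):
    """request: {'ip', 'path', 'cookies'}. Returns (status, headers) the way a device in
    front of the origin would: 302 to the same URL with Set-Cookie on first contact,
    200 (meaning: forwarded to the origin) once a valid cookie is presented."""
    token = request.get("cookies", {}).get(COOKIE_NAME)
    if token and token_valid(token, request["ip"], now):
        return 200, {}
    return 302, {"Location": request["path"],
                 "Set-Cookie": f"{COOKIE_NAME}={make_token(request['ip'], now)}; HttpOnly"}


def naive_flood_client(ip, path, now, rounds=3):
    """Fires the same GET repeatedly and ignores redirects and cookies: it never reaches
    the origin, every hit is answered cheaply by the gateway."""
    results = []
    for _ in range(rounds):
        status, _ = challenge_gateway({"ip": ip, "path": path, "cookies": {}}, now)
        results.append(status)
    return results


def redirect_aware_client(ip, path, now):
    """Follows the 302 and replays the cookie, so it passes this tier; that is what
    forces the escalation to a JavaScript challenge."""
    jar = {}
    status, hdrs = challenge_gateway({"ip": ip, "path": path, "cookies": jar}, now)
    if status == 302:
        name, _, rest = hdrs["Set-Cookie"].partition("=")
        jar[name] = rest.split(";", 1)[0]
        status, _ = challenge_gateway({"ip": ip, "path": hdrs["Location"], "cookies": jar}, now + 1)
    return status


if __name__ == "__main__":
    print(naive_flood_client("198.51.100.5", "/index.php", 1000))
    print(redirect_aware_client("198.51.100.6", "/index.php", 1000))
```

Binding the token to the source address is what stops one bot from solving the challenge and handing the cookie to the rest of the botnet; it also means clients behind a carrier-grade NAT share a token, which is acceptable for this tier but is one reason the JavaScript and CAPTCHA tiers exist.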
Radware Security Products Portfolio
• DefensePro: network & server attack prevention device
• AppWall: web application firewall (WAF)
• APSolute Vision: management, security reporting & compliance

Thank You
www.radware.com