
1 Briefing on Recent Attacks and Attack Trends. Dennis Usle, Security Solutions Architect, Radware. May 2013. (Slide footer throughout the deck: Radware Confidential Jan 2012.)

2 AGENDA: Availability-based threats; Attacks on the US banks; Other popular attack patterns and trends.

3 Attack Risk over Time (timeline figure, © 2011 Radware; only the labels survive). Worms, vandalism and publicity: CodeRed 2001, Nimda (installed Trojan) 2001, Slammer (attacking SQL sites) 2003, Blaster 2003. Financially motivated botnets: Storm 2007, Agobot (DoS botnet), Srizbi 2007, Rustock 2007, Kracken, IMDDOS. Blending motives: DDoS on Wordpress.com Mar 2011, Codero DDoS Mar 2011. Hacktivism: Republican website DoS 2004, Estonia web sites DoS 2007, Georgia web sites DoS 2008, Google/Twitter attacks 2009, July 2009 cyber attacks on the US and Korea, Operation Payback Dec 2010, Netbot DDoS Mar 2011, Operation Payback II Mar 2011, LulzSec (Sony, CIA, FBI, Peru, Chile). Caption: attackers' change in motivation and techniques, from worms to DDoS to blended attacks.

4 The Security Trinity: Confidentiality, Integrity, Availability. Confidentiality, a mainstream adaptation of the military need-to-know principle, restricts access to information to the systems, processes and recipients to which the content was intended to be exposed. Integrity, in its broadest meaning, refers to the trustworthiness of information over its entire life cycle. Availability means that information and the systems that serve it are reachable and usable by legitimate users when they need them; it is lost when those functions cease, whether through an outage or through an attack. The rest of this briefing concerns attacks on availability.

5 Availability-based Attacks (threat tree): availability-based threats split into network floods (volumetric), application floods, low-and-slow attacks, and single-packet DoS.

6 2012 Attack Motivation - ERT Survey (chart only)

7 Radware ERT Survey (chart only)

8 2012 Target Trend - ERT Survey (chart only)

9 Attack Campaign Duration (chart only)

10 Attack Duration Requires IT to Develop New Skills: War-Room Skills Are Required (chart only)

11 Main Bottlenecks During DoS Attacks - ERT Survey (chart only)

12 Attacks Traverse CDNs (Dynamic Object Attacks) (diagram only)

13 AGENDA: 2012 Availability-based threats; Attacks on the US banks; Other popular attack patterns and trends.

14 Overview. What triggered the recent US attacks? Who implemented the attacks, and what was the operation called? How long did the attacks last, and how many attack vectors were involved? How do the attacks work, and what are their effects? How can we prepare ourselves for the future?

15 What triggered the attacks on the US banks? Nakoula Basseley Nakoula (alias Sam Bacile), an Egyptian-born US resident, created an anti-Islamic film. In early September 2012 the publication of the Innocence of Muslims film on YouTube provoked demonstrations throughout the Muslim world. The posted video was 14 minutes long, although a full-length film was also released.

16 Protests Generated by the Movie (photo slide)

17 The Cyber Response (image slide)

18 Who is the group behind the cyber response? A hacker group calling itself the Izz ad-Din al-Qassam Cyber Fighters. Izz ad-Din al-Qassam was a well-known Muslim preacher who led armed resistance against the French and British mandates and against Zionist settlement in the 1920s and 1930s. The group claims not to be affiliated with any government or with Anonymous; it says it is independent and that its goal is to defend Islam.

19 Operation Ababil launched! Operation Ababil is the codename of the operation launched on 18 September 2012 by the Izz ad-Din al-Qassam Cyber Fighters. The attackers announced they would attack American and Zionist targets. Ababil translates as "swallow" from Persian. To this day the US suspects that the Iranian government may be behind the operation. The stated goal of the operation is to have YouTube remove the anti-Islamic film from its site; as of this briefing the video has not been removed.

20 The Attack Vectors and Tactics!

21 Initial attack campaign in phases. The campaign was split into announced phases, with a public announcement made for each. The initial attacks lasted 10 days, from the 18th to the 28th of September. Phase 1 targets: NYSE, Bank of America, JP Morgan. Phase 2 targets: Wells Fargo, U.S. Bank, PNC. Phase 3 targets: PNC, Fifth Third Bancorp, JPMorgan Chase, U.S. Bank, Union Bank, Bank of America, Citibank, BB&T and Capital One.

22 Attack Vectors. The ERT team saw five attack vectors during Operation Ababil, plus one reported but unconfirmed vector and the booter services used to launch them (data gathered by Radware and its partners):
1. UDP garbage flood.
2. TCP SYN flood.
3. Mobile LOIC (Apache Killer version).
4. HTTP request flood.
5. ICMP reply flood (unconfirmed, but reported on).
6. Booters.

23 Booters. A booter is a tool or service used for taking down ("booting off") websites and servers. Booters offer high-volume, server-based attacks and slow-rate attack vectors as a one-stop shop.

24 UDP Garbage Flood. Targeted the organizations' DNS servers and also their HTTP servers. Over 1 Gbps in volume. All attacks were identical in content and size (packet structure). UDP packets were sent to ports 53 and 80. Customers were attacked on 18 and 19 September.

25 Tactics used in the UDP Garbage Flood. Internal DNS servers were targeted at a high rate; web servers were also targeted at a high rate. Source IPs were spoofed, but kept to just a few addresses, which is unusual. Roughly 1 Gbps. The attack lasted more than 7 hours initially and still continues. Packet structure:

Parameter        | Port 53                    | Port 80
Packet size      | 1358 bytes                 | unknown
Garbage content  | 'A' (0x41) repeated        | "/http1" (\x2f\x68\x74\x74\x70\x31) repeated

26 DNS Garbage Flood packet extract. Some reports that a DNS reflection attack was under way appear to be incorrect: the packets are malformed DNS packets with no valid DNS header, not reflected responses.

27 Attacker's objective of the UDP Garbage Flood. Saturate bandwidth. The traffic passes through the firewall, since the port is open. Saturate session tables and CPU on any stateful device: L4 rules on routers, firewall session tables and so on. ICMP type 3 (destination unreachable) replies sent back further saturate upstream bandwidth. Combined, this leads to a DoS condition if the bandwidth and infrastructure cannot handle the volume or the packet-processing rate.
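The slides distinguish the garbage flood from a real DNS reflection attack by the fact that the payloads carry no usable DNS header. The following classifier is an added example, not Radware's code or the ERT's tooling: it parses a UDP payload as a DNS query (header plus one well-formed question) and otherwise checks for the two garbage signatures the slide reports. The minimum run length of 16 'A' bytes, the sample addresses and the packet mix in demo() are assumptions constructed for the example.

```python
import struct
from collections import Counter

# Payload signatures reported for the Ababil UDP garbage flood: a run of 'A' (0x41)
# bytes to port 53, the string "/http1" repeated to port 80. The 16-byte minimum
# run length is an assumption chosen to avoid matching ordinary data.
GARBAGE_PATTERNS = (b"A" * 16, b"/http1" * 2)


def looks_like_dns_query(payload: bytes) -> bool:
    """True if the bytes parse as a standard DNS query: 12-byte header, QR=0,
    opcode 0, exactly one question whose labels are well formed."""
    if len(payload) < 12:
        return False
    _txid, flags, qdcount, ancount, nscount, _arcount = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF:   # QR must be 0, opcode must be QUERY
        return False
    if qdcount != 1 or ancount != 0 or nscount != 0:
        return False
    pos = 12
    while True:  # walk the QNAME labels
        if pos >= len(payload):
            return False
        length = payload[pos]
        if length == 0:
            pos += 1
            break
        if length > 63:  # labels are at most 63 bytes; compression pointers are not valid here
            return False
        pos += 1 + length
    return pos + 4 <= len(payload)  # room for QTYPE and QCLASS


def classify_udp_payload(dport: int, payload: bytes) -> str:
    if dport == 53 and looks_like_dns_query(payload):
        return "dns-query"
    if any(pat in payload for pat in GARBAGE_PATTERNS):
        return "garbage"
    if dport == 53:
        return "malformed-dns"
    return "other"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed legitimate A query, used as the benign sample."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def summarize(packets):
    """packets: list of (src_ip, dport, payload). Returns counts per class and the
    number of distinct sources, the two figures the slide uses to describe the flood."""
    classes = Counter(classify_udp_payload(dport, payload) for _src, dport, payload in packets)
    sources = len({src for src, _dport, _payload in packets})
    return {"classes": dict(classes), "distinct_sources": sources}


def demo():
    # Constructed sample: a few spoofed sources (the slide notes the flood kept to
    # just a few spoofed IPs), 1358-byte 'A' payloads to port 53, "/http1" runs to
    # port 80, plus two real-looking queries from other addresses.
    spoofed = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
    packets = []
    for i in range(300):
        packets.append((spoofed[i % 3], 53, b"A" * 1358))
        packets.append((spoofed[i % 3], 80, b"/http1" * 226))
    packets.append(("203.0.113.5", 53, build_dns_query("www.example.com")))
    packets.append(("203.0.113.6", 53, build_dns_query("mail.example.net")))
    return summarize(packets)
```

A payload of repeated 0x41 bytes happens to decode to a non-zero opcode, and the "/http1" run to opcode 14, so both fail the header check before the signature match is even needed; the signature check is what separates the flood from a merely broken resolver. A handful of distinct sources behind a gigabit of traffic is itself a strong signal that the addresses are spoofed.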

28 TCP SYN Flood. Targeted ports 53, 80 and 443. The rate was around 100 Mbps at around 135K packets per second. This lasted for more than 3 days.

29 SYN Flood packet extract. All sources are spoofed. Multiple SYN packets to port 443.

30 Attacker's objective of the TCP SYN Floods. SYN floods are a well-known attack vector and can be used to distract from more targeted attacks. A SYN flood that slips through can devastate stateful devices quickly by filling up the session table; every stateful device suffers some performance impact under such a flood. Easy to implement. An incorrect network architecture will quickly run into trouble.
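The damage described above comes from allocating a half-open entry per spoofed SYN. SYN cookies avoid that by encoding the connection state in the SYN-ACK sequence number and recomputing it when the third-handshake ACK arrives, so nothing is stored until the handshake completes. The block below is an added example in the spirit of the Linux scheme, not Radware code and not the kernel's exact layout: a 5-bit time counter ticking every 64 seconds, a 3-bit MSS index and a 24-bit HMAC truncation, with a server-local secret, are all assumptions of the illustration.

```python
import hashlib
import hmac
import struct

# Assumptions for this illustration: a server-local secret, a 4-entry MSS table
# encoded in 3 bits, and a time counter that ticks every 64 seconds kept in 5 bits.
SECRET = b"per-host-random-secret-rotate-me"
MSS_TABLE = (536, 1220, 1440, 1460)
TICK = 64


def _hash24(saddr: bytes, daddr: bytes, sport: int, dport: int, client_isn: int, t: int) -> int:
    msg = struct.pack("!4s4sHHII", saddr, daddr, sport, dport, client_isn, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_isn, mss, now):
    """Initial sequence number for the SYN-ACK. Nothing is stored on the server."""
    t = (now // TICK) & 0x1F
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):   # largest table entry not above the offered MSS
        if m <= mss:
            mss_idx = i
    return ((t << 27) | (mss_idx << 24) | _hash24(saddr, daddr, sport, dport, client_isn, t)) & 0xFFFFFFFF


def check_syn_cookie(saddr, daddr, sport, dport, client_isn, ack_number, now):
    """Validate the third-handshake ACK. Returns the MSS to use, or None if the
    ACK does not carry a cookie this server minted in the current or previous tick."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    t = cookie >> 27
    current = (now // TICK) & 0x1F
    if t not in (current, (current - 1) & 0x1F):
        return None
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    if cookie & 0xFFFFFF != _hash24(saddr, daddr, sport, dport, client_isn, t):
        return None
    return MSS_TABLE[mss_idx]


class StatelessListener:
    """Handshake handling with no half-open table: a flood of SYNs costs one HMAC
    each but allocates nothing, so there is no session table to fill."""

    def __init__(self, addr: bytes, port: int):
        self.addr, self.port = addr, port
        self.established = []

    def on_syn(self, saddr, sport, client_isn, mss, now):
        return make_syn_cookie(saddr, self.addr, sport, self.port, client_isn, mss, now)

    def on_ack(self, saddr, sport, seq, ack, now):
        # The ACK's sequence number is the client's ISN + 1.
        mss = check_syn_cookie(saddr, self.addr, sport, self.port, seq - 1, ack, now)
        if mss is not None:
            self.established.append((saddr, sport, mss))
        return mss


def demo(now=1_700_000_000):
    # Constructed traffic: 100k spoofed SYNs that never complete, then one real client.
    srv = StatelessListener(bytes([192, 0, 2, 10]), 443)
    for i in range(100_000):
        srv.on_syn(struct.pack("!I", 0x0A000000 + i), 1024 + (i % 60000), i, 1460, now)
    client = bytes([203, 0, 113, 7])
    isn = 0x12345678
    synack_seq = srv.on_syn(client, 50_000, isn, 1460, now)
    srv.on_ack(client, 50_000, isn + 1, synack_seq + 1, now + 1)
    return len(srv.established)
```

The trade-off the slide's "devastate stateful devices" line implies is visible here: the cookie carries only a coarse MSS and no other TCP options, which is why production stacks enable cookies only once the backlog is under pressure rather than for every connection.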

31 Mobile LOIC (Apache Killer version; suspected vector). Mobile LOIC (Low Orbit Ion Cannon) is a DDoS tool written in HTML and JavaScript that runs in a browser and performs an HTTP GET flood. We have no statistics on the exact traffic generated by Mobile LOIC.

32 Mobile LOIC in a web browser (screenshot)

33 HTTP Request Flood. Between 80K and 100K TPS (transactions per second) on port 80. Requests followed the same pattern in the GET request, except for the input parameter. Dynamic user agent.

34 HTTP flood packet structure. Sources worldwide (true sources most likely hidden). User-Agent header duplicated. Dynamic input parameters in the GET request.

35 Attacker's objective of the HTTP flood. Bypass CDN services by randomizing the input parameter and user agent, so that every request looks like a new dynamic object. The doubled User-Agent header points to a flaw in the programming of the attack tool. Saturate and exhaust web-server resources by keeping the session table and web-server connection limits occupied. The attack takes more resources to implement than connectionless attacks such as TCP SYN floods and UDP garbage floods, because a TCP connection must be established first.
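The three observations on slides 33 to 35 (fixed request shape with a randomized parameter, a duplicated User-Agent header, sources spread worldwide) are all checkable from the request line and headers alone. The detector below is an added example, not Radware's or the ERT's code: it parses raw HTTP requests, records which sources send a header twice that should appear once, and flags a path whose query parameters are almost never repeated across many requests. The host name, addresses, thresholds and the request mix in demo() are constructed for the example; the md5 of a counter simply stands in for the tool's random parameter.

```python
import hashlib
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Headers that a sane client sends at most once per request.
SINGLE_VALUED = {"host", "user-agent", "content-length"}


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    method = parts[0]
    target = parts[1] if len(parts) > 1 else "/"
    headers = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return method, target, headers


class FloodDetector:
    def __init__(self):
        self.per_source = Counter()
        self.dup_header_sources = defaultdict(set)   # header name -> sources that repeated it
        self.path_requests = Counter()                # path -> requests seen
        self.path_param_values = defaultdict(set)     # path -> distinct (name, value) pairs seen

    def observe(self, src: str, raw: str):
        _method, target, headers = parse_request(raw)
        self.per_source[src] += 1
        names = Counter(name for name, _ in headers)
        for name in SINGLE_VALUED:
            if names[name] > 1:
                self.dup_header_sources[name].add(src)
        parts = urlsplit(target)
        self.path_requests[parts.path] += 1
        for pair in parse_qsl(parts.query, keep_blank_values=True):
            self.path_param_values[parts.path].add(pair)

    def report(self, min_requests: int = 20, randomness: float = 0.9) -> dict:
        # A path where nearly every request carries a never-before-seen parameter
        # value is being hit with cache-busting requests, the CDN bypass the slide describes.
        randomized = [path for path, n in self.path_requests.items()
                      if n >= min_requests and len(self.path_param_values[path]) / n >= randomness]
        return {
            "randomized_paths": sorted(randomized),
            "duplicate_user_agent_sources": sorted(self.dup_header_sources["user-agent"]),
            "top_sources": self.per_source.most_common(3),
        }


def demo() -> dict:
    det = FloodDetector()
    bots = ["198.51.100.%d" % i for i in range(1, 6)]
    for i in range(100):   # flood: same request shape, random parameter, doubled User-Agent
        token = hashlib.md5(str(i).encode()).hexdigest()[:12]
        raw = ("GET /search.php?q=%s HTTP/1.1\r\nHost: bank.example\r\n"
               "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
               "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n\r\n") % token
        det.observe(bots[i % len(bots)], raw)
    for i in range(20):    # ordinary visitors on a static page
        raw = "GET /index.html HTTP/1.1\r\nHost: bank.example\r\nUser-Agent: Mozilla/5.0 (X11; Linux)\r\n\r\n"
        det.observe("203.0.113.%d" % (i + 1), raw)
    for i, q in enumerate(["mortgage", "checking", "mortgage", "credit+card"] * 2):   # real searches
        raw = "GET /search.php?q=%s HTTP/1.1\r\nHost: bank.example\r\nUser-Agent: Mozilla/5.0 (X11; Linux)\r\n\r\n" % q
        det.observe("203.0.113.%d" % (50 + i), raw)
    return det.report()
```

The duplicated header is a tool fingerprint, cheap to match and worth a signature while it lasts; the parameter-randomness ratio survives a fix to the tool because the CDN bypass depends on it. Neither check says anything about the true source, which the slide notes is most likely hidden, so the per-source counts are only useful for rate limiting, not attribution.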

36 Identified locations of attacking IPs: worldwide (map)

37 AGENDA: 2012 Availability-based threats; Attacks on the US banks; Other 2012 popular attack patterns and trends.

38 Availability-based Threats Tree. Network floods (volumetric): UDP flood, ICMP flood, SYN flood. Application floods: web floods, DNS, SMTP, HTTPS. Low-and-slow. Single-packet DoS.

39 Asymmetric Attacks (diagram)

40 HTTP Reflection Attack (diagram): the attacker plants content on Website A; visitors to A then issue HTTP GET requests to Website B, the victim, without knowing it.

41 HTTP Reflection Attack Example: an iframe of width=1 and height=1 pointing at the victim's search.php, so every visitor to the hosting page silently issues a request to the victim's resource-intensive search page.

42 HTTPS - SSL Renegotiation Attack (THC-SSL-DOS). THC-SSL-DOS was developed by the hacking group The Hacker's Choice (THC) as a proof of concept to encourage vendors to patch a serious SSL vulnerability. As with other low-and-slow attacks, it requires only a small number of packets to deny service to a fairly large server. It works by initiating a regular SSL handshake and then immediately requesting renegotiation of the encryption key, repeating this server-intensive renegotiation request until the server's resources are exhausted.

43 Low & Slow (threat tree, Low-and-Slow branch highlighted)

44 Low & Slow: Slowloris, Sockstress, R.U.D.Y., simultaneous connection saturation.

45 R.U.D.Y. (R-U-Dead-Yet?) is a slow-rate HTTP POST (Layer 7) denial-of-service tool created by Raviv Raz and named after the Children of Bodom album Are You Dead Yet? It achieves denial of service with long form-field submissions: by sending one byte of an application POST field at a time and then waiting, R.U.D.Y. makes application threads wait for the end of never-ending POSTs before they can process the request (web servers have to tolerate this in order to support users with slow connections). Since R.U.D.Y. causes the target web server to hang while waiting for the rest of each HTTP POST, opening many such connections at once lets the attacker exhaust the server's connection table and create a denial-of-service condition.

46 Slowloris is a denial-of-service (DoS) tool developed by the grey-hat hacker RSnake that causes DoS with a very slow HTTP request. By sending the HTTP headers to the target site in tiny chunks as slowly as possible (waiting to send the next chunk until just before the server would time out the request), it forces the server to keep waiting for the headers to arrive. If enough connections are opened to the server in this fashion, it quickly becomes unable to handle legitimate requests. Slowloris is cross-platform, but because of Windows' limit of roughly 130 simultaneous sockets it is only effective from UNIX-based systems, which allow more connections to be opened in parallel to a target (a GUI Python version dubbed PyLoris was able to overcome this limitation on Windows).
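R.U.D.Y. and Slowloris (slides 45 and 46) exploit the same tolerance: the server keeps a connection open indefinitely while a request is still arriving. The defence is to bound how long each phase of a request may take and to require a minimum arrival rate, which is what Apache's mod_reqtimeout RequestReadTimeout directive does. The monitor below is an added example, not Radware code and not mod_reqtimeout itself: it tracks per-connection request progress and, when evaluated, flags connections whose headers have not completed within the header timeout, POST bodies arriving below the minimum rate, and sources holding more concurrent connections than allowed. The timeouts, rate, connection cap and the constructed connection histories in demo() are assumptions of the illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Conn:
    cid: int
    src: str
    opened_at: float
    headers_done_at: Optional[float] = None   # None while the request line/headers are still arriving
    body_expected: int = 0                    # Content-Length announced once headers are complete
    body_received: int = 0


class LowAndSlowMonitor:
    """Request-read timeouts in the style of mod_reqtimeout: headers must finish within
    header_timeout seconds; a body gets body_timeout seconds plus one extra second for
    every body_min_rate bytes already received; one source may hold at most
    max_conns_per_src connections at once. All four values are assumptions."""

    def __init__(self, header_timeout=20.0, body_timeout=20.0, body_min_rate=500.0, max_conns_per_src=50):
        self.header_timeout = header_timeout
        self.body_timeout = body_timeout
        self.body_min_rate = body_min_rate
        self.max_conns_per_src = max_conns_per_src
        self.conns = {}

    def opened(self, cid: int, src: str, now: float):
        self.conns[cid] = Conn(cid, src, now)

    def headers_complete(self, cid: int, now: float, content_length: int = 0):
        c = self.conns[cid]
        c.headers_done_at = now
        c.body_expected = content_length

    def body_bytes(self, cid: int, nbytes: int):
        self.conns[cid].body_received += nbytes

    def closed(self, cid: int):
        self.conns.pop(cid, None)

    def evaluate(self, now: float):
        """Return [(connection id or source, reason)] for everything that should be cut off now."""
        verdicts = []
        for c in self.conns.values():
            if c.headers_done_at is None:
                if now - c.opened_at > self.header_timeout:
                    verdicts.append((c.cid, "slowloris"))       # headers still incomplete
                continue
            if c.body_received < c.body_expected:
                allowed = self.body_timeout + c.body_received / self.body_min_rate
                if now - c.headers_done_at > allowed:
                    verdicts.append((c.cid, "rudy"))            # body trickling in below the minimum rate
        per_src = Counter(c.src for c in self.conns.values())
        for src, n in per_src.items():
            if n > self.max_conns_per_src:
                verdicts.append((src, "connection-saturation"))
        return verdicts


def demo(now: float = 45.0):
    m = LowAndSlowMonitor()
    # Constructed connection histories, all opened around t=0 and evaluated at `now`.
    m.opened(1, "203.0.113.7", 0.0)              # ordinary POST that finished quickly
    m.headers_complete(1, 0.1, content_length=1000)
    m.body_bytes(1, 1000)
    m.opened(2, "198.51.100.9", 0.0)             # Slowloris: header lines trickle in, request never completes
    m.opened(3, "198.51.100.10", 0.0)            # R.U.D.Y.: huge Content-Length, a byte at a time
    m.headers_complete(3, 0.2, content_length=1_000_000)
    m.body_bytes(3, 30)
    for i in range(60):                          # connection saturation from a single source
        m.opened(100 + i, "198.51.100.11", 1.0)
        m.headers_complete(100 + i, 1.5)
    return m.evaluate(now)
```

The minimum-rate rule is what keeps a real user on a slow link alive while still cutting off R.U.D.Y.: a genuine upload earns extra time for every byte it sends, whereas a connection that has delivered 30 bytes in 45 seconds has earned almost none. Per-source caps are the one check here that a distributed attack defeats, which is why the slides pair them with challenge-based mitigation later.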

47 Black Hat: Universal DDoS Mitigation Bypass. The main idea of this presentation was to demonstrate a new tool that combines CAPTCHA solving with a JavaScript engine. The speakers covered the types of DDoS attack: volumetric (packet-rate based and bit-rate based); non-volumetric (protocol and application based: Apache Killer, Slowloris, R.U.D.Y., Smurf); blended (all of the above together, very common and effective). After the attack vectors they covered the mitigation techniques currently known to them, vendor-neutral: traffic policing (simple rate limiting); proactive resource release (mostly for low-and-slow attacks); black/white listing; resource isolation (across different ASes); secure CDN.

48 Black Hat: Universal DDoS Mitigation Bypass (continued). After this long prologue they gave the specifications of the new tool, Killem All 1.0. The tool supports: auth bypass (including re-authentication every X seconds); HTTP redirect; HTTP cookie; JavaScript; CAPTCHA. According to the presenters its strengths are: true TCP behaviour; believable, random HTTP headers (including the GET request itself); a JavaScript engine; CAPTCHA solving; random payload; a tunable post-authentication traffic model.

49 Black Hat: Universal DDoS Mitigation Bypass (continued). The presenters claim the tool is technically indistinguishable from a human. They say it was tested successfully against both anti-DDoS devices and services, naming only CloudFlare and Akamai. They concluded by saying that DDoS is very expensive and that current solutions are falling behind.

50 Challenge & Response Escalations. Test results against the DefensePro challenges:

Script     | 302 Redirect Challenge | JS Challenge | Special Challenge (6.09)
Kamikaze   | Pass                   | Not pass     | -
Kamina     | Pass                   | Not pass     | -
Terminator | Pass                   | Pass         | Not pass

Kamikaze and Kamina do not pass the DefensePro JS challenge. Terminator passes both the 302 and the JS challenge; however, we were prepared for this and have released a set of new challenges that it does not pass. To our knowledge DefensePro is currently the only tool that can handle these attacks.
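The first rung of the escalation ladder in the table, the 302 redirect challenge, works because the flood tools on slides 31 to 35 fire requests without keeping cookies or following redirects. The block below is an added example of that mechanism, not DefensePro's implementation: the server answers an unverified request with a 302 to the same URL and a cookie bound to the source address and a time window, and serves content only when the cookie comes back. The secret, window length, cookie name and client behaviours are assumptions of the illustration.

```python
import hashlib
import hmac

# Assumptions for this illustration: a server secret, a five-minute validity window,
# and a token bound to the client's source address. The cookie name is hypothetical.
SECRET = b"challenge-secret-rotate-me"
WINDOW = 300
COOKIE = "rdwr_ch"


def _token(ip: str, window: int) -> str:
    return hmac.new(SECRET, f"{ip}|{window}".encode(), hashlib.sha256).hexdigest()[:32]


def token_valid(ip: str, token, now: float) -> bool:
    """Accept a token minted for this address in the current or previous window."""
    if not isinstance(token, str) or not token.isascii():
        return False
    current = int(now // WINDOW)
    return any(hmac.compare_digest(_token(ip, w), token) for w in (current, current - 1))


def handle(request: dict, now: float) -> dict:
    """Server side of the 302 challenge. request = {"ip", "path", "cookies"}."""
    if token_valid(request["ip"], request["cookies"].get(COOKIE), now):
        return {"status": 200, "body": f"content for {request['path']}"}
    return {"status": 302, "location": request["path"],
            "set_cookie": {COOKIE: _token(request["ip"], int(now // WINDOW))}}


def browser_like(ip: str, path: str, now: float, max_redirects: int = 3) -> dict:
    """A client with a cookie jar that follows redirects, i.e. a real browser."""
    jar = {}
    resp = None
    for _ in range(max_redirects + 1):
        resp = handle({"ip": ip, "path": path, "cookies": dict(jar)}, now)
        if resp["status"] != 302:
            break
        jar.update(resp["set_cookie"])
        path = resp["location"]
    return resp


def flood_tool(ip: str, path: str, now: float, count: int = 1000) -> int:
    """A simple HTTP flood tool: fires requests, keeps no cookies, follows nothing.
    Returns how many of its requests reached the content."""
    return sum(1 for _ in range(count)
               if handle({"ip": ip, "path": path, "cookies": {}}, now)["status"] == 200)
```

The table above shows the limit of this rung: a tool that stores cookies and follows redirects (Terminator in the table, or the Killem All HTTP redirect and cookie features on slide 48) passes it, which is why the escalation moves on to a JavaScript challenge. Binding the token to the source address stops it being shared between bots, but the same address can replay it for the whole window, so the redirect challenge is a filter in front of rate limits rather than a replacement for them.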

51 Radware Security Products Portfolio: AppWall, web application firewall (WAF); DefensePro, network and server attack prevention device; APSolute Vision, management, security reporting and compliance.

52 Thank You

