Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2015 Imperva, Inc. All rights reserved. Collateral DDoS Ido Leibovich, ADC.

Published byKurtis Atwood Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2015 Imperva, Inc. All rights reserved. Collateral DDoS Ido Leibovich, ADC."— Presentation transcript:

1 © 2015 Imperva, Inc. All rights reserved. Collateral DDoS Ido Leibovich, ADC

2 © 2015 Imperva, Inc. All rights reserved. About Imperva Founded in November 2002 by Shlomo Kramer, Amichai Shulman and Mickey Boodaei ~700 employees. R&D center in Tel-Aviv SecureSphere protects web applications, databases, file access, cloud applications Went public in 2011

3 © 2015 Imperva, Inc. All rights reserved. Outline BitTorrent Introduction BitTorrent DDoS Collateral DDoS For Conspiracy Lovers Conclusions 3

4 © 2015 Imperva, Inc. All rights reserved. Introduction The BitTorrent Protocol 1 4

5 © 2015 Imperva, Inc. All rights reserved. The BitTorrent Protocol Wikipedia: “BitTorrent is a protocol for the practice of peer-to-peer file sharing that is used to distribute large amounts of data over the Internet” Allows simultaneous download from multiple peers Orchestrated by a central ‘tracker’ server – Every download requires tracker communication (over HTTP) – Holds the file peer sources information Based on ‘.torrent’ files – Contain the data files names and the tracker servers – Available on the internet in popular web sites – Anyone can create/edit and upload a file

6 © 2015 Imperva, Inc. All rights reserved. The BitTorrent Protocol – Content Discovery WWW Torrent file

7 © 2015 Imperva, Inc. All rights reserved. WWW Tracker server Peers Torrent file BitTorrent SW The BitTorrent Protocol – Content Delivery

8 © 2015 Imperva, Inc. All rights reserved. The BitTorrent Protocol BitTorrent DDoS 2 8

9 © 2015 Imperva, Inc. All rights reserved. BitTorrent DDoS Target: the so-called ‘tracker’ servers Vulnerability: open source Torrent files Very effective distribution

10 © 2015 Imperva, Inc. All rights reserved. Attack method Create a popular torrent Add the targeted server as a ‘tracker’ Every user downloading the file will address the target server Requests to servers are continuous, with a default interval 10

11 © 2015 Imperva, Inc. All rights reserved. BitTorrent File

12 © 2015 Imperva, Inc. All rights reserved. Triggering the Research We use an attack data monitoring system We perform regular scans for anomalies Major abnormal activity to one of our customers

13 © 2015 Imperva, Inc. All rights reserved. The Traffic Attributes Unusually high number of requests User-Agent: mostly ‘BitTorrent’ URL: announce/announce.php IP: many different IP sources, most from China Host header: mostly variations of the Pirate Bay

14 © 2015 Imperva, Inc. All rights reserved. The Attack

15 © 2015 Imperva, Inc. All rights reserved. An Example Day Total number of requests that day: ~130,000. 90% with an HTTP host header of pirate bay. Almost 10% were with ‘appspot’ host 95% of the requests had ‘Bittorrent’ as their user agent. The other 5% also had different Torrent UA’s Very distributed (9000 source IPs)

16 © 2015 Imperva, Inc. All rights reserved. Host Header Distribution

17 © 2015 Imperva, Inc. All rights reserved. 17 Why does a standard web server, receive that many BitTorrent requests, intended for a whole other host?

18 © 2015 Imperva, Inc. All rights reserved. Collateral DDoS The Great Firewall of China 3 18

19 © 2015 Imperva, Inc. All rights reserved. The Great Firewall of China The cyber nickname for the Chinese government censorship program The program censors many western web applications –Facebook, Twitter etc. –And also: Pirate Bay, Appspot Blocking method: – DNS filtering and Redirection – Specifically: Returning random IP addresses for blocked hosts Result: Innocent web servers experiencing unexplained traffic from random Chinese clients

20 © 2015 Imperva, Inc. All rights reserved. The Chinese BitTorrent DDoS Scenario DNS server BlockedHost.com? Random IP of Innocent.com: 10.20.30.40 Great Firewall of China

21 © 2015 Imperva, Inc. All rights reserved. The Chinese BitTorrent DDoS Scenario DNS server BlockedHost.com? Random IP of Innocent.com: 10.20.30.40 Great Firewall of China

22 © 2015 Imperva, Inc. All rights reserved. The Chinese BitTorrent DDoS Scenario 22 BlockedHost.com Innocent.com

23 © 2015 Imperva, Inc. All rights reserved. Pirate Bay Not so much:

24 © 2015 Imperva, Inc. All rights reserved. Collateral DDoS The new Chinese policy, meant to block unwanted hosts, caused a very effective DDoS attack on innocent web applications

25 © 2015 Imperva, Inc. All rights reserved. For Conspiracy Lovers Really Collateral? 4 25

26 © 2015 Imperva, Inc. All rights reserved. For Conspiracy Lovers But wait! The pirate bay has stopped tracking torrents in 2009 (!) Why is it still so popular? The conspiracy theory: this is a Russian attack, originating in China, covered up as a BitTorrent DDoS attack

27 © 2015 Imperva, Inc. All rights reserved. Why Would You Say That? A web admin testifying that once he blocked Russia the attack stopped He also claims that returning a 404 response did not stop the requester Suspicious User Agent distribution and value (95% percent ‘BitTorrent’) Pirate Bay is long dead as a tracker Protocol discrepancies Attack target is a food conglomerate, prone to DDoS attacks

28 © 2015 Imperva, Inc. All rights reserved. Conclusions Server admins don’t care about the attack origins (BitTorrent DDoS, Chinese FW or Russian attack) They are experiencing an aggressive DDoS attack DDoS issues, unlike traditional web server vulnerabilities, cannot be prevented by smart coding and configuration Solution must be external! In this case: the WAF product identified the attack for several reasons, and prevented the damage Web server admins/developers didn’t need to do anything!

29

Download ppt "© 2015 Imperva, Inc. All rights reserved. Collateral DDoS Ido Leibovich, ADC."

Similar presentations

Denial of Service Attack History What is a Denial of Service Attack? Modes of Attack Performing a Denial of Service Attack Distributed Denial of Service.

Denial of Service Attack History What is a Denial of Service Attack? Modes of Attack Performing a Denial of Service Attack Distributed Denial of Service.
Web Content Control Application Providing Secure & Reliable Internet Access December 2010.

Web Content Control Application Providing Secure & Reliable Internet Access December 2010.
The BitTorrent Protocol

The BitTorrent Protocol
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
BitTorrent Join the swarm! BY: Joe Petruska. What is BitTorrent? a peer-to-peer file sharing protocol used for distributing large amounts of data.

BitTorrent Join the swarm! BY: Joe Petruska. What is BitTorrent? a peer-to-peer file sharing protocol used for distributing large amounts of data.
BotTorrent: Misusing BitTorrent to Launch DDoS Attacks Karim El Defrawy, Minas Gjoka, Athina Markopoulou UC Irvine.

BotTorrent: Misusing BitTorrent to Launch DDoS Attacks Karim El Defrawy, Minas Gjoka, Athina Markopoulou UC Irvine.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
DDoS Vulnerability Analysis of BitTorrent Protocol CS239 project Spring 2006.

DDoS Vulnerability Analysis of BitTorrent Protocol CS239 project Spring 2006.
Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?

Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?
Copyright 2011 Trend Micro Inc. Trend Micro Web Security- Overview.

Copyright 2011 Trend Micro Inc. Trend Micro Web Security- Overview.
Presented by Stephen Kozy. Presentation Outline Definition and explanation Comparison and Examples Advantages and Disadvantages Illegal and Legal uses.

Presented by Stephen Kozy. Presentation Outline Definition and explanation Comparison and Examples Advantages and Disadvantages Illegal and Legal uses.
Part 1: Overview of Web Systems Part 2: Peer-to-Peer Systems Internet Computing Workshop Tom Chothia.

Part 1: Overview of Web Systems Part 2: Peer-to-Peer Systems Internet Computing Workshop Tom Chothia.
SECURE CLOUD-READY DATA CENTERS AppSecure development IDC IT Security conference – 2011 Budapest.

SECURE CLOUD-READY DATA CENTERS AppSecure development IDC IT Security conference – 2011 Budapest.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Spring 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Spring 2006.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
COMPUTER TERMS PART 1. COOKIE A cookie is a small amount of data generated by a website and saved by your web browser. Its purpose is to remember information.

COMPUTER TERMS PART 1. COOKIE A cookie is a small amount of data generated by a website and saved by your web browser. Its purpose is to remember information.

Similar presentations

Ads by Google