DoS on Competitor Web Site (presentation transcript)
Phoenix has a “referral” from “Mr. Dobbs”
 ◦ Dobbs has threatened his girlfriend in the past
 ◦ Dobbs sent a “client” to Phoenix with a reminder about his girlfriend
Client
 ◦ Works for a computer parts company
 ◦ $9B annual revenues
 ◦ Asking that a whistleblower organization’s web site (www.thetruthusa.org) be down/inaccessible for a single day
   - The organization intends to splash damaging information on a specific day (the day before the earnings statement release)
   - The client does not wish to have the company’s stock price fall just prior to the earnings release
Recon
 ◦ Shows the site to be amateurish
 ◦ A Google search indicates that high-school students were allowed to gain experience by designing and putting up the website
Phoenix hopes for poor design, poor maintenance/security, and lower bandwidth
Find an unprotected wireless network from which to perform the hack
Use an anonymizer
Make a DDoS attack using the Freak88 DDoS tool
Test the DDoS tool in the lab
Infect unprotected hosts with the Server.exe Trojan horse
Take control of the infected hosts and launch the DDoS on the target site
Download contains
 ◦ Clienttrinno.exe
 ◦ Server.exe
 ◦ Msbvm50.dll
The client controls the boxes which have the Trojan server running on them
 ◦ The servers issue the pings
 ◦ These boxes are referred to as “zombies”
The more zombies in the field attacking the victim, the better for the attacker!
Shift from email phishing attacks to web-based attacks
 ◦ Email filters are becoming more effective
 ◦ Web-based attacks are more popular now because so much is being put into “business rich” web sites, and browsers fail to handle such content safely
   - Their primary function is to render web pages
   - SQL injection
   - Cross-site scripting
   - Inline frames
   - CSS
Ping attacks might be filtered
 ◦ Accomplish the same effect using a web-based attack
Attack #1: Test
Attack #2: The one that worked
 ◦ Gain access to the pawn web site
 ◦ Lab test the hack
 ◦ Modify the pawn site
Phoenix
 ◦ Sets up a victim machine
 ◦ Starts up Wireshark, filtering on ICMP traffic
 ◦ Fires up a server zombie on a machine
 ◦ Fires up the client software
   - A dialog box allows the attacker to “stack” the IPs and ports of the zombie machines
   - Indicates the IP of the victim
   - Buttons: Connect, Disconnect, and “Takemout”
 ◦ Wireshark confirms a ton of ICMP traffic
Just to be sure…
 ◦ Phoenix attempts to ping the web page at www.thetruthusa.org
   - Gets “Timed Out” results
It turns out that the students have set up a PIX firewall to prevent pings to the web server!
Inline frames
 ◦ If small but many, inline frames can be installed on a web page
   - Each frame can load a web page from a site
   - FORCE MULTIPLIER!
   - If you can constantly refresh each frame… better still
The trick is now to find a web site with lots of bandwidth and lots of traffic
Social engineer the web design company
 ◦ Phoenix needs write access to the server
Modify the home page
 ◦ Add inline frames calling the target’s home page
   - If 10 frames are added, every time a user brings up the unknowing accomplice’s page, 10 HTTP “GET” requests are issued against the victim
   - If you “refresh” the inline request every 5 seconds…
Phoenix poses as a potential client
 ◦ Speaks with developers and requests a demonstration
 ◦ A representative shows Phoenix how quickly a page can be added
   - In doing so, the rep refers to a 3-ring binder for the information on sites (credentials, etc.)
   - Phoenix notes the location of the binder
Phoenix bribes the cleaner to photocopy the contents of the 3-ring binder
Phoenix downloads the pawn’s web page
 ◦ Inserts the inline frames and the meta tag
 ◦ FTPs the altered page to the pawn’s server
DDoS against the victim
How long?
 ◦ Depends…
   - If traffic is examined, requests for the page are coming from all over
   - If the victim’s IP is changed, the requests are still made for the URL and not the IP… no effect!
 ◦ Someone would have to examine the HTML of the pawn’s page to spot the inline frames
   - If reported to the pawn site, they might not notify the target that they were the unwitting accomplice
 ◦ Once the pawn replaces the modified page with the original
   - Cached pages still might exist in browsers around the world…
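The slide notes that the only way to spot this is to examine the pawn’s own HTML. The following is an added example (not part of the presentation) of a small page-integrity check a site owner or hosting company could run over its published pages: it parses the HTML with the standard library, counts <iframe> elements whose src points at a host other than the site’s own, flags those that are hidden or 1px, and flags a <meta http-equiv="refresh"> with a short interval. The sample pages, the host names (www.pawn.example, victim.example) and the thresholds are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class FrameAuditor(HTMLParser):
    """Collect every <iframe> and every <meta http-equiv="refresh"> on a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []        # list of attribute dicts
        self.meta_refresh = []   # list of 'content' strings

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh.append(a.get("content", ""))


def _px(value):
    """Parse '1' or '1px' to an int; anything else (e.g. '100%') is None."""
    try:
        return int(value.strip().rstrip("px"))
    except ValueError:
        return None


def _is_hidden(attrs):
    """A frame the user cannot see: 1px (or smaller) or display:none."""
    w, h = _px(attrs.get("width", "")), _px(attrs.get("height", ""))
    style = attrs.get("style", "").replace(" ", "").lower()
    return (w is not None and w <= 1) or (h is not None and h <= 1) or "display:none" in style


def _refresh_seconds(content):
    """'5' or '5; url=...' -> 5; malformed -> None."""
    try:
        return int(content.split(";", 1)[0].strip())
    except ValueError:
        return None


def audit_page(html, own_host, max_foreign_frames=2, min_refresh=30):
    """Return counts and human-readable findings for one page.

    own_host: the host name the page is served from; frames loading anything
    from another host are 'foreign'. Thresholds are constructed defaults.
    """
    parser = FrameAuditor()
    parser.feed(html)
    foreign = []
    for fr in parser.iframes:
        host = urlparse(fr.get("src", "")).hostname
        if host and host.lower() != own_host.lower():
            foreign.append({"host": host, "hidden": _is_hidden(fr)})
    hidden = [f for f in foreign if f["hidden"]]
    refresh = [_refresh_seconds(c) for c in parser.meta_refresh]

    findings = []
    if len(foreign) > max_foreign_frames:
        findings.append(f"{len(foreign)} iframes load content from other hosts")
    if hidden:
        findings.append(f"{len(hidden)} foreign iframes are hidden or 1px")
    for secs in refresh:
        if secs is not None and secs < min_refresh:
            findings.append(f"meta refresh reloads the page every {secs}s")
    return {"foreign_frames": len(foreign), "hidden_frames": len(hidden),
            "refresh": refresh, "findings": findings}


# Constructed fixtures: the pawn's legitimate page, and the same page after the
# modification the slides describe (10 tiny frames, refresh every 5 seconds).
CLEAN_PAGE = ("<html><head><title>Pawn Co</title></head><body>"
              "<iframe src='http://www.pawn.example/map' width='400' height='300'></iframe>"
              "</body></html>")
DEFACED_PAGE = ("<html><head><title>Pawn Co</title>"
                "<meta http-equiv='refresh' content='5'></head><body>"
                + "".join("<iframe src='http://victim.example/' width='1' height='1'></iframe>"
                          for _ in range(10))
                + "</body></html>")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("defaced", DEFACED_PAGE)):
        print(name, audit_page(page, "www.pawn.example"))
```

Run it against a page fetched from your own site (or the copy stored in version control) on a schedule; any finding is a reason to diff the published page against the approved original, which also addresses the slide’s point that the pawn may never be told it was the accomplice.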
Phoenix could have inserted a source pointer to a Trojan instead of the target’s URL
 ◦ If the pointer is to a keylogger, the pawn site could be made to appear as if it is infecting computers around the world
What is the pawn company’s liability in this case?
Prevent disclosure of information via passive means
 ◦ Configure DNS not to reveal information (via the registrar)
 ◦ Configure web server settings
 ◦ Don’t “advertise” information about the site or developers that nobody requires
   - Even if removed from the web, historical pages might exist
   - Netcraft might reveal information regardless…
ICMP
 ◦ Disable entry of ping packets into the network from outside
   - If pings are required, then script a “block” of source IPs whenever pings from an IP exceed a given number in a time period
   - Might not be that effective in a DDoS attack…
Blocking DDoS attacks via web
 ◦ Create a customized stack
   - Costly (development and maintenance)
   - Reserved for highly secured environments
 ◦ Rate limiting
   - Bandwidth
   - Connection limits
 ◦ Black hole filtering
   - Send suspicious traffic to a nonexistent interface
These are all counter to the reason the company site is up in the first place…
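The ICMP slide suggests scripting a per-source block when pings exceed a count in a time period, and this slide lists rate limiting as the web-side equivalent; both slides add the caveat that per-source thresholds do not do much against a distributed attack. The following added example (not from the presentation) implements the per-source sliding-window block over a constructed log, then measures the aggregate rate of the traffic that still gets through, which is what a bandwidth or connection limit has to act on. The log format ("<epoch> <proto> <src_ip>"), the addresses (from the documentation ranges) and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Block a source once it exceeds `limit` events within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)   # src -> recent timestamps
        self.blocked = {}                  # src -> timestamp of the block decision

    def observe(self, src, ts):
        """Return True if the event is allowed, False if it is dropped."""
        if src in self.blocked:
            return False
        q = self.events[src]
        q.append(ts)
        while q and q[0] <= ts - self.window:   # forget events outside the window
            q.popleft()
        if len(q) > self.limit:
            self.blocked[src] = ts
            return False
        return True


LOG_RE = re.compile(r"^(\d+) (\S+) (\S+)$")   # constructed format: "<epoch> <proto> <src_ip>"


def process_log(lines, limit, window):
    """Replay log lines in time order through a per-source limiter."""
    parsed = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            parsed.append((int(m.group(1)), m.group(2), m.group(3)))
    limiter = SlidingWindowLimiter(limit, window)
    allowed_ts, dropped = [], 0
    for ts, _proto, src in sorted(parsed):
        if limiter.observe(src, ts):
            allowed_ts.append(ts)
        else:
            dropped += 1
    return {"allowed": len(allowed_ts), "dropped": dropped,
            "blocked": sorted(limiter.blocked), "allowed_ts": allowed_ts}


def peak_rate(timestamps, window):
    """Largest number of events falling in any `window`-second span (aggregate rate)."""
    ts = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ts):
        while ts[start] <= t - window:
            start += 1
        best = max(best, end - start + 1)
    return best


def constructed_log():
    """Constructed sample: one noisy host, one legitimate monitor, one distributed flood."""
    lines = []
    for i in range(30):                       # 30 pings in 10 s from a single zombie
        lines.append(f"{1000 + i // 3} icmp 203.0.113.7")
    for i in range(12):                       # a monitor pinging every 5 s for a minute
        lines.append(f"{1000 + 5 * i} icmp 198.51.100.5")
    for n in range(40):                       # 40 hosts, 3 pings each, same 10 s window
        for j in range(3):
            lines.append(f"{1000 + 3 * j} icmp 192.0.2.{n + 1}")
    return lines


if __name__ == "__main__":
    result = process_log(constructed_log(), limit=10, window=10)
    print("blocked sources:", result["blocked"])
    print("allowed/dropped:", result["allowed"], result["dropped"])
    print("peak aggregate per 10 s after per-source blocking:",
          peak_rate(result["allowed_ts"], 10))
```

With a per-source limit of 10 pings per 10 seconds, only the single noisy host is blocked; the 40 low-rate sources each stay under the threshold, so 132 of their 162 events still arrive in one 10-second window. That remaining aggregate is what the bandwidth and connection limits on this slide are for, and why the ICMP slide calls per-source blocking not that effective against a DDoS.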
Review the web site hosting company’s policies and security statements
Your company should authorize all changes
 ◦ One-time passwords, maintained by your company
   - Forces the developer to contact you for each modification
Physical access to information
 ◦ Paper format?
 ◦ Put onto encrypted electronic format, and then on a locked-down workstation which is physically protected
Separation of duty
Principle of least privilege