Beyond DDoS: Case Studies on Attack Mitigation for Financial Services Mike Kun and Patrick Laverty, Akamai CSIRT.

Slides:

Advertisements

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Advertisements

Nick Feamster CS 6262 Spring 2009

1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.

© 2015 Imperva, Inc. All rights reserved. Collateral DDoS Ido Leibovich, ADC.

Protecting Commercial and Government Web Sites: The Role of Content Delivery Networks Bruce Maggs VP for Research, Akamai Technologies.

1 MTvScan (Malware, Trojan, Viruses Scanner) Enterprise Class Security Scanner.

1 | © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2014 Infoblox Inc. All Rights Reserved. Domain Name System (DNS) Network Security Asset or Achilles.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Computer Security and Penetration Testing

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

Registrars and Security Greg Rattray Chief Internet Security Advisor.

Phishing – Read Behind The Lines Veljko Pejović

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

Jak zwiększyć bezpieczeństwo i wysoką dostępność aplikacji wg

Lecture 15 Denial of Service Attacks

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.

Norman SecureSurf Protect your users when surfing the Internet.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

Phishing and Intrusion Prevention Tod Beardsley, TippingPoint (a division of 3Com), 02/15/06 – IMP-201.

Attacks on Computer Systems

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Web Application Firewall (WAF) RSA ® Conference 2013.

Topics to be covered 1. What are bots,botnet ? 2.How does it work? 4.Prevention of botnet. 3.Types of botnets.

Akamai Technologies - Overview RSA ® Conference 2013.

APRICOT 2015 Security Day Cooperation between Security Teams and Network Operators: Actionable Intelligence on ShellShock Arnold S. Yoon Information Security.

DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.

Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.

Web Spoofing Steve Newell Mike Falcon Computer Security CIS 4360.

Network and Perimeter Security Paula Kiernan Senior Consultant Ward Solutions.

DNS as a Gatekeeper: Creating Lightweight Capabilities for Server Defense Curtis Taylor Craig Shue

Beyond negative security Signatures are not always enough Or Katz Trustwave ot.com/

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Self-Service Open Resolver Scanning Duane Wessels DNS-OARC Workshop Dublin May 12, 2013.

Drew Reinders | GSEC Principal Solutions Engineer Defending Your Castle.

What is risk online operation:  massive movement of operation to the internet has attracted hackers who try to interrupt such operation daily.  To unauthorized.

Denial of Service Datakom Ht08 Jesper Christensen, Patrick Johansson, Robert Kajic A short introduction to DoS.

Chapter 7 Denial-of-Service Attacks Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: “An action.

Evil Code and how to defend against it CSCI 4300

ACM Conference on Computer and Communications Security 2006 Puppetnet: Misusing web browsers as a distributed attack infrastructure Network Seminar Presenter:

Filtering Spoofed Packets Network Ingress Filtering (BCP 38) What are spoofed or forged packets? Why are they bad? How to keep them out.

Kona Security Solutions - Overview

DDoS Defense: Utilizing P2P architecture By Joshua Aslan Smith.

Copyright © The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP Denver February 2012.

Web Application (In)security Note: Unless noted differently, all scanned figures were from the textbook, Stuttard & Pinto, 2011.

Session Management Tyler Moore CS7403 University of Tulsa Slides adapted in part or whole from Dan Boneh, Stanford CS155 1.

Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.

Rapid Detection & Incident Response What, Why and How March 2016 Ft Gordon.

© A10 Networks, Inc. Distributed Prevention of DoS Collaboration is key.

Carrie Estes Collin Donaldson.  Zero day attacks  “zero day”  Web application attacks  Signing up for a class  Hardening the web server  Enhancing.

Security Log Visualization with a Correlation Engine: Chris Kubecka Security-evangelist.eu All are welcome in the House of Bytes English Language Presentation.

Fast Flux Hosting and DNS ICANN SSAC What is Fast Flux Hosting? An evasion technique Goal of all fast flux variants –Avoid detection and take down of.

Logging and Monitoring. Motivation Attacks are common (see David's talk) – Sophisticated – hard to reveal, (still) quite limited in our environment –

Denial-of-Service Attacks

SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.

DNS Security Risks Section 0x02. Joke/Cool thing traceroute traceroute c

Fortinet NSE8 Exam Do You Want To Pass In First Attempt.

Web Application Vulnerabilities, Detection Mechanisms, and Defenses

Real-time protection for web sites and web apps against ATTACKS

DNS Hijacking – KL Tech Meet-up - May 2015

ADVANCED PERSISTENT THREATS (APTs) - Simulation

AKAMAI INTELLIGENT PLATFORM™

Cross Site Request Forgery New Attacks and Defenses

Enterprise Class Security Scanner

Presentation transcript:

Beyond DDoS: Case Studies on Attack Mitigation for Financial Services Mike Kun and Patrick Laverty, Akamai CSIRT

©2013 AKAMAI | FASTER FORWARD TM Akamai CSIRT: What We Do Akamai Customer Security Incident Response Team: Incident Response for 30% of the web We only do web, DNS, and the infrastructure No: APT, endpoints, , Active Directory Lots of: Threat intelligence OSINT Coordination with peer CERT/CSIRT Discussions with policy-makers Customer outreach

©2013 AKAMAI | FASTER FORWARD TM Login Abuses

©2013 AKAMAI | FASTER FORWARD TM Login Abuses – TTPs and Defenses Rate controls to block fast moving scripts Attack relies on being able to check thousands of accounts quickly Blocking aggressive scripts prevents login exploitation Internal monitoring for changes to customer accounts address Shipping address Same on multiple accounts Geo blocklists for areas where there is no business Cuts down on the places attackers can launch from Do cloud server providers need to access your webpage? Custom rules to block User-Agent strings (or lack thereof) Attack scripts are often simple and will contain only “curl” or “wget” Sometimes none at all

©2013 AKAMAI | FASTER FORWARD TM Domain Hijacking Attackers gain credentials via phishing Attack can be against domain owner or registrar Domain maliciously redirected DNS settings updated at registrar Preventions include properly trained users against social engineering and domain locks

©2013 AKAMAI | FASTER FORWARD TM Domain Hijacking – TTPs and Countermeasures DNS Locking – Two Levels ClientUpdateProhibited ClientTransferProhibited ClientDeleteProhibited ServerUpdateProhibited ServerTransferProhibited ServerDeleteProhibited

©2013 AKAMAI | FASTER FORWARD TM Scrapers and Bots

©2013 AKAMAI | FASTER FORWARD TM Scrapers and Bots

©2013 AKAMAI | FASTER FORWARD TM Scrapers and Bots

©2013 AKAMAI | FASTER FORWARD TM Scrapers and Bots

©2013 AKAMAI | FASTER FORWARD TM Scrapers and Bots – TTPs and Countermeasures Reduce Efficiency Reduce Impact Client Validation Welcome Bots

©2013 AKAMAI | FASTER FORWARD TM Hacktivists - TTPs Attack types are all across the board: DDoS SQL Injection Defacement/Cross-Site Scriping (XSS) Local File Include (LFI) Social Engineering In-person protests

©2013 AKAMAI | FASTER FORWARD TM Hacktivists - Countermeasures DDoS – Rate Controls

©2013 AKAMAI | FASTER FORWARD TM Hacktivists - Countermeasures DDoS – Rate Controls

©2013 AKAMAI | FASTER FORWARD TM Hacktivists - Countermeasures SQL Injection – WAF Rules

©2013 AKAMAI | FASTER FORWARD TM Hacktivists - Countermeasures Defacement/Cross Site Scripting (XSS) – WAF Rules

©2013 AKAMAI | FASTER FORWARD TM Hacktivists - Countermeasures Local File Include (LFI) – WAF Rules

©2013 AKAMAI | FASTER FORWARD TM Reflection and Amplification Attacks

©2013 AKAMAI | FASTER FORWARD TM Reflection and Amplification Attacks - Analysis Reflection: Uses UDP packets with forged source headers Attacker targets in intermediate server: DNS, NTP, etc Server replies to the forged source, sending traffic to the victim Victim does not know the source of the attack Amplification Attacker makes a query to the intermediate server The query is small but the answer is large The difference allows a small botnet to send lots of small queries and still hit with a lot of traffic

©2013 AKAMAI | FASTER FORWARD TM Reflection and Amplification Attacks - Analysis Amplification Factors: BitTorrent: 3.8 SNMP: 6.3 DNS: QOTD: CharGEN: NTP: 556.9

©2013 AKAMAI | FASTER FORWARD TM Flash Crowds vs. DDoS Both have large number of requests Flash crowd has low requests per source IP address DDoS has high requests per source IP address Other differentiators Referrers URL pattern User demographics Blacklists DDoS bot signatures Session tokens Responses differ greatly Block a malicious DDoS Allow a flash crowd

©2013 AKAMAI | FASTER FORWARD TM Flash Crowds

©2013 AKAMAI | FASTER FORWARD TM Questions?