in the line of fire - the morphology of cyber-attacks
DESCRIPTION
Presentation from Dennis Usle during TakeDownCon in Huntsville, AL that discusses Availability-based threats; Attacks on U.S. banks and others popular attack patterns & trends.TRANSCRIPT
Slide 1
In the Line of Fire – the Morphology of Cyber-Attacks
Dennis UsleSecurity Solutions [email protected]
AGEN
DAAvailability-based threats
Attacks on the US banks
Other popular attack patterns & trends
2001 20102005
Attack Risk
Time
© 2011, Radware, Ltd.
Blaster2003
CodeRed2001
Nimda(Installed Trojan)
2001Slammer
(Attacking SQL sites)2003
Vandalism and Publicity
Storm(Botnet)
2007
Agobot(DoS Botnet)
Srizbi(Botnet)
2007Rustock(Botnet)
2007
Kracken(Botnet)
2009
2010IMDDOS(Botnet)
Financially Motivated
Mar 2011 DDoSWordpress.com
Blending Motives
Mar 2011Codero DDoS /
Google / Twitter Attacks2009
Republican website DoS
2004
Estonia’s Web SitesDoS2007
Georgia Web sitesDoS 2008
July 2009 Cyber Attacks
US & Korea
Dec 2010Operation Payback
Mar 2011Netbot DDoS
Mar 2011Operation Payback II
“Hacktivism”
LulzSecSony, CIA, FBI
Peru, Chile
Attacker’s Change in Motivation & Techniques
“Worms”
DDoS
“Blend”
3
The Security Trinity
Integrity
Availability
Confidentiality
Security Confidentiality,a mainstream adaptation of the “need to know” principle of the military ethic, restricts the access of information to those systems, processes and recipients from which the content was intended to be exposed.
Security Integrityin its broadest meaning refers to the trustworthiness of information over its entire life cycle.
Security Availabilityis a characteristic that distinguishes information objects that have signaling and self-sustaining processes from those that do not, either because such functions have ceased (outage, an attack), or else because they lack such functions .
Availability Based Attacks
Slide 5
Availability-based Threats
Network Floods (Volumetric)
Application Floods
Low-and-SlowSingle-packet
DoS
2012 Attack Motivation - ERT Survey
Slide 6Radware Confidential Jan 2012
Radware ERT Survey
Slide 7Radware Confidential Jan 2012
2012 Target Trend - ERT Survey
Slide 8Radware Confidential Jan 2012
Attacks Campaigns Duration
Slide 9Radware Confidential Jan 2012
Attack Duration Requires IT to Develop New Skills
War Room Skills Are Required
Slide 10Radware Confidential Jan 2012
Main Bottlenecks During DoS Attacks - ERT Survey
Slide 11Radware Confidential Jan 2012
Attacks Traverse CDNs (Dynamic Object Attacks)
Slide 12Radware Confidential Jan 2012
AGEN
DA2012 Availability-based threats
Attacks on the US banks
Other popular attack patterns & trends
Overview
• What triggered the recent US attacks?• Who was involved in implementing the attacks and name of the operation?• How long were the attacks and how many attack vectors were involved?• How the attacks work and their effects.• How can we prepare ourselves in the future?
Slide 14Radware Confidential Jan 2012
What triggered the attacks on the US banks?
• Nakoula Basseley Nakoula (Alias- “Sam Bacile”), an Egyptian born US resident created an anti-Islamic film.
• Early September the publication of the ‘Innocence of Muslims’ film on YouTube invokes demonstrations throughout the Muslim world.
• The video was 14 minutes though a full length movie was released.
Slide 15Radware Confidential Jan 2012
Protests Generated by the Movie
Slide 16Radware Confidential Jan 2012
The Cyber Response
Slide 17Radware Confidential Jan 2012
Who is the group behind the cyber response?
• A hacker group called “Izz as-Din al-Qassam Cyber fighters”.• Izz as-Din al-Qassam was a famous Muslim preacher who was a leader in the
fight against the French, US and Zionist in the 1920’s and 1930’s.• The group claims not to be affiliated to any government or Anonymous.• This group claims to be independent, and it’s goal is to defend Islam.
Slide 18Radware Confidential Jan 2012
Operation Ababil launched!
• “Operation Ababil” is the codename of the operation launched on September 18th 2012, by the group Izz as-Din al-Qassam Cyber fighters
• The attackers announced they would attack “American and Zionist targets.”• “Ababil” translates to “Swallow” from Persian. Until today the US thinks the
Iranian government may be behind the operation.• The goal of the operation is to have YouTube remove the anti-Islamic film from
its site. Until today the video has not been removed.
Slide 19Radware Confidential Jan 2012
The Attack
Vectors and Tactics!
Slide 20
Initial attack campaign in 2 phases
• The attack campaign was split into 2 phases, a pubic announcement was made in each phase.• The attacks lasted 10 days, from the 18th until the 28th of September.• Phase 1 - Targets > NYSE, BOA, JP Morgan.• Phase 2 – Targets > Wells Fargo, US Banks, PNC.• Phase 3 - Targets > PNC, Fifth Third Bancorp, J.M.Chase, U.S.Bank, UnionBank, Bank of
America, Citibank, BB&T and Capitalone.
Slide 21Radware Confidential Jan 2012
Attack Vectors
• 5 Attack vectors were seen by the ERT team during Operation Ababil.
1. UDP garbage flood.
2. TCP SYN flood.
3. Mobile LOIC (Apache killer version.)
4. HTTP Request flood.
5. ICMP Reply flood. (*Unconfirmed but reported on.)
6. Booters.
*Note: Data is gathered by Radware as well as it’s partners.
Radware Confidential Jan 2012
Booters
Slide 23
A Booter is a tool used for taking down/booting off websites and servers.
Booters introduce high volumetric (server based) attacks and slow-rate attack vectors as a one stop shop.
UDP Garbage Flood
• Targeted the DNS servers of the organizations, also HTTP.• 1Gb + in volume.• All attacks were identical in content and in size (Packet structure).• UDP packets sent to port 53 and 80.• Customers attacked Sep 18th and on the 19th.
Slide 24Radware Confidential Jan 2012
Tactics used in the UDP Garbage Flood
• Internal DNS servers were targeted , at a high rate.• Web servers were also targeted, at a high rate.• Spoofed IP’s (But kept to just a few, this is unusual.)• ~ 1Gbps.• Lasted more than 7 hours initially but still continues...
Packet structure
Slide 25
Parameter Value Port 53 Value Port 80
Packet size 1358 Bytes Unknown
Value in Garbage ‘A’ (0x41) characters repeated
“/http1”(\x2f\x68\x74\x74\x70\x31) - repetitive
Radware Confidential Jan 2012
DNS Garbage Flood packet extract
• Some reports of a DNS reflective attack was underway seem to be incorrect.• The packets are considered “Malformed” DNS packets, no relevant DNS
header.
Slide 26Radware Confidential Jan 2012
Attackers objective of the UDP Garbage Flood
• Saturate bandwidth.• Attack will pass through firewall, since port is open.• Saturate session tables/CPU resources on any state -full device, L4 routing
rules any router, FW session tables etc.• Returning ICMP type 3 further saturate upstream bandwidth.• All combined will lead to a DoS situation if bandwidth and infrastructure cannot
handle the volume or packet processing.
Slide 27Radware Confidential Jan 2012
TCP SYN Flood
• Targeted Port 53, 80 and 443.• The rate was around 100Mbps with around 135K PPS.• This lasted for more than 3 days.
Slide 28Radware Confidential Jan 2012
SYN Flood Packet extract
Slide 29
-All sources are spoofed.-Multiple SYN packets to port 443.
Radware Confidential Jan 2012
Attackers objective of the TCP SYN Floods
• SYN floods are a well known attack vector.• Can be used to distract from more targeted attacks.• The effect of the SYN flood if it slips through can devastate state-full devices
quickly. This is done by filling up the session table.• All state-full device has some performance impact under such a flood.• Easy to implement.• Incorrect network architecture will quickly have issues.
Slide 30Radware Confidential Jan 2012
Mobile LOIC (Apache killer version)
• Mobile LOIC (Low Orbit Iron Cannon) is a DDoS tool written in HTML and Javascript.
• This DDoS Tool does an HTTP GET flood.• The tool is designed to do HTTP floods.• We have no statistics on the exact traffic of mobile LOIC.
Slide 31
*Suspected*Suspected
Radware Confidential Jan 2012
Mobile LOIC in a web browser
Slide 32Radware Confidential Jan 2012
HTTP Request Flood
• Between 80K and 100K TPS (Transactions Per second.)• Port 80.• Followed the same patterns in the GET request (Except for the Input
parameter.)• Dynamic user agent.
Slide 33Radware Confidential Jan 2012
HTTP flood packet structure
• Sources worldwide (True sources most likely hidden.)• User agent duplicated.• Dynamic Input parameters.
GET Requests parameters
Slide 34Radware Confidential Jan 2012
Attackers objective of the HTTP flood
• Bypass CDN services by randomizing the input parameter and user agents.• Because of the double user agent there was an flaw in the programming behind
the attacking tool.• Saturating and exhausting web server resources by keeping session table and
web server connection limits occupied.• The attack takes more resources to implement than non connection orientated
attacks like TCP SYN floods and UDP garbage floods. This is because of the need to establish a connection.
Slide 35Radware Confidential Jan 2012
Identified locations of attacking IPs
Slide 36
Worldwide!
Radware Confidential Jan 2012
AGEN
DA2012 Availability-based threats
Attacks on the us banks
Others 2012 popular attack patterns & trends
Availability-based Threats Tree
Slide 38
Availability-based Threats
Network Floods (Volumetric)
Application Floods
Low-and-SlowSingle-packet
DoS
UPD Flood
ICMP Flood
SYN Flood
WebFlood
DNS SMTP
HTTPS
Radware Confidential Jan 2012
Asymmetric Attacks
Slide 39Radware Confidential Jan 2012
HTTP Reflection Attack
Slide 40
Website A Website B(Victim)
Attacker
HTTPGET
Radware Confidential Jan 2012
Slide 41
iframe, width=1, height=1
search.php
HTTP Reflection Attack Example
Radware Confidential Jan 2012
HTTPS – SSL Re Negotiation Attack
Slide 42
THC-SSL DoSTHC-SSL DOS was developed by a hacking group called The Hacker’s Choice (THC), as a proof-of-concept to encourage vendors to patch a serious SSL vulnerability. THC-SSL-DOS, as with other “low and slow” attacks, requires only a small number of packets to cause denial-of-service for a fairly large server. It works by initiating a regular SSL handshake and then immediately requesting for the renegotiation of the encryption key, constantly repeating this server resource-intensive renegotiation request until all server resources have been exhausted.
Radware Confidential Jan 2012
Low & Slow
Slide 43
Availability-based Threats
Network Floods (Volumetric)
Application Floods
Low-and-SlowSingle-packet
DoS
UPD Flood
ICMP Flood
SYN Flood
WebFlood
DNS SMTP
HTTPS
Low-and-Slow
Radware Confidential Jan 2012
Low & Slow
• Slowloris• Sockstress• R.U.D.Y.• Simultaneous Connection Saturation
Slide 44Radware Confidential Jan 2012
R.U.D.Y (R-U-Dead-Yet)
Slide 45
R.U.D.Y. (R-U-Dead-Yet?)R.U.D.Y. (R-U-Dead-Yet?) is a slow-rate HTTP POST (Layer 7) denial-of-service tool created by Raviv Raz and named after the Children of Bodom album “Are You Dead Yet?” It achieves denial-of-service by using long form field submissions. By injecting one byte of information into an application POST field at a time and then waiting, R.U.D.Y. causes application threads to await the end of never-ending posts in order to perform processing (this behavior is necessary in order to allow web servers to support users with slower connections). Since R.U.D.Y. causes the target webserver to hang while waiting for the rest of an HTTP POST request, by initiating simultaneous connections to the server the attacker is ultimately able to exhaust the server’s connection table and create a denial-of-service condition.
Radware Confidential Jan 2012
Slowloris
Slide 46
SlowlorisSlowloris is a denial-of-service (DoS) tool developed by the grey hat hacker “RSnake” that causes DoS by using a very slow HTTP request. By sending HTTP headers to the target site in tiny chunks as slow as possible (waiting to send the next tiny chunk until just before the server would time out the request), the server is forced to continue to wait for the headers to arrive. If enough connections are opened to the server in this fashion, it is quickly unable to handle legitimate requests.Slowloris is cross-platform, except due to Windows’ ~130 simultaneous socket use limit, it is only effective from UNIX-based systems which allow for more connections to be opened in parallel to a target server (although a GUI Python version of Slowloris dubbed PyLoris was able to overcome this limiting factor on Windows).
Radware Confidential Jan 2012
Radware Security Products Portfolio
Slide 47
AppWallWeb Application Firewall (WAF)
DefenseProNetwork & Server attack prevention device
APSolute VisionManagement and security reporting & compliance
Thank Youwww.radware.com
Radware Confidential Jan 2012