Deconstructing Application DoS Attacks

Denial of service (DoS) attacks continue to move up the stack from the network to the application level. Since many anti-DoS solutions focus on the lower layers, hackers are targeting specific Web servers, such as IIS or Apache, or applications, such as SharePoint, in order to reduce the likelihood of attack detection. This presentation highlights the latest trends, techniques, and technologies deployed by hackers and provides security professionals with specific steps to mitigate this threat.

Published in: Technology
Transcript

  • 1. Deconstructing Application DoS Attacks
    Tal Be’ery, Web Research TL, Imperva
  • 2. Agenda
    - Introduction to Imperva’s Hacker Intelligence Initiative
    - Denial of Service (DoS):
      + Definition and background
      + Attackers: hacktivists; business related
      + Tools: JS LOIC; Slow HTTP
      + Mitigation: non-mitigations; true mitigation
    - Summary of recommendations
    © 2012 Imperva, Inc. All rights reserved.
  • 3. Presenter: Tal Be’ery, CISSP
    - Web Security Research Team Leader at Imperva
    - Holds MSc and BSc degrees in CS/EE from TAU
    - 10+ years of experience in the information security domain
    - Facebook “white hat”
    - Speaker at RSA, BlackHat, AusCERT
    - Columnist for securityweek.com
  • 4. Imperva’s Hacker Intelligence Initiative
  • 5. Hacker Intelligence Initiative (HII)
    - The Hacker Intelligence Initiative is focused on understanding how attackers operate in practice
      + A different approach from vulnerability research
    - Data set composition
      + ~50 real-world applications
      + Anonymous proxies
    - More than 18 months of data
    - Powerful analysis system
      + Combines analytic tools with drill-down capabilities
  • 6. HII - Motivation
    - Focus on actual threats
      + Focus on what hackers want, helping the good guys prioritize
      + Technical insight into hacker activity
      + Business trends of hacker activity
      + Future directions of hacker activity
    - Eliminate uncertainties
      + Active attack sources
      + Explicit attack vectors
      + Spam content
    - Devise new defenses based on real data
      + Reduce guesswork
  • 7. HII Reports
    - Monthly reports based on data collection and analysis
    - Drill down into specific incidents or attack types
    - 2011 / 2012 reports
      + Remote File Inclusion
      + Search Engine Poisoning
      + The Convergence of Google and Bots
      + Anatomy of a SQLi Attack
      + Hacker Forums Statistics
      + Automated Hacking
      + Password Worst Practices
      + Dissecting Hacktivist Attacks
      + CAPTCHA Analysis
  • 8. WAAR - Web Application Attack Report
    - Semi-annual
    - Based on aggregated analysis of 6 / 12 months of data
    - Motivation
      + Pick up trends
      + High-level takeaways
      + Create comparative measurements over time
  • 9. Denial of Service: Definition and Background
  • 10. Denial of Service: Definition
    - Denial of Service attack
    - Wikipedia: “make a machine or network resource unavailable to its intended users”
    - Attacks data availability
  • 11. Data Drives Business
    - Customer details
    - Inventory
    - Trade secrets
    - Intellectual property
    - Financial analysis
  • 12. Protecting Data
    - Data must remain:
      + Protected against unauthorized changes (integrity)
      + Available (availability)
      + Confidential (confidentiality)
  • 13. Hackers Are After Your Data
    - Attacking confidentiality: leaking secret data
      + SQL injection
      + Careless employees
  • 14. Hackers Are After Your Data
    - Attacking integrity: changing sensitive data
      + SQL injection
      + Malicious insider
  • 15. Hackers Are After Your Data
    - Attacking data availability
      + DoS attacks
  • 16. DoS is Another Tool in the Hacker Toolbox
    [Pie chart: hacker forum discussion topics. Categories: spam, DoS/DDoS, SQL injection, zero-day, shell code, brute-force, HTML injection; shares shown: 22%, 19%, 16%, 12%, 12%, 10%, 9%. Which share belongs to which category is not recoverable from the transcript.]
    Source: Imperva. Covers July 2010 - July 2011 across 600,000 discussions.
  • 17. Denial of Service: Attackers
  • 18. Attackers - Who Are They?
    - Who wants to put you out of business?
    - Protesters
      + Hacktivists
    - Business related
      + Competitors
      + Racketeering
  • 19. Hacktivism: Definition
    - “Hacktivism (a portmanteau of hack and activism).”
  • 20-21. What/Who is Anonymous?
    - “…the first Internet-based superconsciousness.” —Chris Landers, Baltimore City Paper, April 2, 2008
    - “Anonymous is an umbrella for anyone to hack anything for any reason.” —New York Times, 27 Feb 2012
  • 22. What/Who is Anonymous?
    - One thing is for sure - they are hackers!
  • 23. Recruiting Over Social Media - 1 [no text in transcript]
  • 24. Recruiting Over Social Media - 2 [no text in transcript]
  • 25. Setting Up an Early Warning System [no text in transcript]
  • 26. Example [no text in transcript]
  • 27. Business Attackers - 1
    - DoS as a Service
  • 28-29. Business Attackers - 2
    - Where there is a demand, there will be supply…
  • 30. Denial of Service: Popular Tools
  • 31. Protecting True Identity
    - Hackers protect their identity
    - By using…
      + TOR
      + Other anonymity services: anonymous proxies, private VPN services, hacked servers
    [Pie chart of attack sources: TOR 15%, other anonymity services 57%, other IPs 28%]
    Source: https://www.torproject.org/about/overview.html.en
  • 32. Hacking Tools
    - Low Orbit Ion Cannon (LOIC)
    - Purpose: DDoS
    - Windows desktop application, coded in C#
    - UDP/TCP/HTTP flooding
  • 33. LOIC Facts
    - LOIC downloads
      + 2011: 380K
      + 2012 (through October 14): 616K
      + Jan 2012 (Megaupload takedown): 182K
    For more: http://blog.imperva.com/2012/05/loicversary.html
  • 34. DDoS is Moving Up the Stack
    - Decreasing costs
      + Application layer attacks are far more efficient
      + Fewer attackers are needed to take down a site
    - The DoS security gap
      + Traditionally, the defense against DDoS was based on dedicated devices operating at lower layers (TCP/IP). Inherent shortcomings:
        - Don’t decrypt SSL
        - Don’t understand the HTTP protocol
        - Unaware of the web application
    For more: http://blog.imperva.com/2011/12/top-cyber-security-trends-for-2012-7.html
  • 35. JavaScript/Mobile/VM/JS LOIC
    - DaaS - DoS as a Service
    - Application layer attacks
    - Easy to participate - no download
      + Just point your browser to the JS-LOIC page
    - Effective
      + Iterates up to 200 requests per second
    - Cross-platform
      + Mobile device
      + Linux/Mac/PC
  • 36. JS LOIC - Attack Characteristics
    - HTTP Referer header indicates the attack code’s source (the page hosting the JS LOIC)
    - Fixed target URL
      + Carefully selected to create load on the target server
    - A parameter with some arbitrary changing value
      + To avoid caches along the way
    - A parameter “msg” with some hacktivist slogan
    Example: www.target.com/search.php?q=a&id=61278641278&msg=we+are+legion!
  • 37-39. Hacktivists’ DoS in the Wild [no text in transcript]
  • 40-41. Some More JS LOIC [no text in transcript]
  • 42. Slow HTTP Tools
    - “Dripping” an HTTP POST parameter value byte by byte
    - Generating a never-ending request
    - Exhausting the attacked server’s concurrent request pool
    - Tools
      + RAILgun
      + SlowHTTPtest
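The server-side counterpart of slide 42, as an added example (not Imperva's code and not part of the original deck): a request reader that bounds the total time a header block and a Content-Length body may take to arrive, so a client that drips one byte per tick cannot hold a worker forever. The timeouts, the constructed dripping client and the use of a socketpair in place of a real listener are assumptions made for the example.

```python
"""
Bounding how long one request may take to arrive: the server-side defense
against the "dripping POST" behaviour described on the slide. Added example,
not Imperva's code; timeouts and the constructed client are assumptions.
"""
import socket
import threading
import time


class SlowRequest(Exception):
    """Raised when a request's headers or body do not arrive in time."""


def _recv_by(sock, deadline, what):
    """One recv() that may not wait past the absolute monotonic deadline."""
    remaining = deadline - time.monotonic()
    if remaining <= 0:
        raise SlowRequest(f"{what} did not complete in time")
    sock.settimeout(remaining)
    try:
        chunk = sock.recv(4096)
    except socket.timeout:
        raise SlowRequest(f"{what} did not complete in time") from None
    if not chunk:
        raise ConnectionError(f"peer closed before {what} completed")
    return chunk


def read_request(sock, header_timeout=0.5, body_timeout=0.5):
    """Return (header_bytes, body_bytes) or raise SlowRequest.

    header_timeout: seconds allowed for the complete header block.
    body_timeout:   seconds allowed for the complete Content-Length body,
                    however slowly the peer trickles it in. A per-recv() idle
                    timeout alone would not stop a client that sends one byte
                    just before each idle timeout expires.
    """
    deadline = time.monotonic() + header_timeout
    buf = b""
    while b"\r\n\r\n" not in buf:
        buf += _recv_by(sock, deadline, "headers")
    head, _, body = buf.partition(b"\r\n\r\n")

    length = 0
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())

    deadline = time.monotonic() + body_timeout
    while len(body) < length:
        body += _recv_by(sock, deadline, "body")
    return head, body[:length]


def _dripping_client(sock, head, body, delay_per_byte):
    """Constructed client: sends the headers at once, then the body one byte at a time."""
    try:
        sock.sendall(head)
        for i in range(len(body)):
            time.sleep(delay_per_byte)
            sock.send(body[i:i + 1])
    except OSError:
        pass  # the server closed the connection on us, which is the point
    finally:
        sock.close()


def simulate(delay_per_byte, body=b"msg=we+are+legion!" * 4):
    """Run one client against read_request(); return 'accepted' or 'rejected'."""
    head = (b"POST /search.php HTTP/1.1\r\n"
            b"Host: www.target.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body))
    server_side, client_side = socket.socketpair()
    client = threading.Thread(target=_dripping_client,
                              args=(client_side, head, body, delay_per_byte))
    client.start()
    try:
        _, got = read_request(server_side, header_timeout=0.5, body_timeout=0.5)
        result = "accepted" if got == body else "rejected"
    except SlowRequest:
        result = "rejected"
    finally:
        server_side.close()
    client.join()
    return result


if __name__ == "__main__":
    print("normal client:  ", simulate(0.0))   # accepted
    print("dripping client:", simulate(0.05))  # rejected after ~0.5 s
```

The important design point is the absolute deadline for the whole body rather than an idle timeout between reads: a 72-byte body at one byte every 50 ms is still "active" on every read, yet it is rejected because it cannot complete within the budget. Production servers expose the same knob (a body-read timeout or minimum data rate); the value has to leave room for legitimate slow uploads.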
  • 43. DDoS: Mitigation
  • 44. Anti-Virus is Irrelevant: Malware is NOT the MO
    - McAfee mea culpa: “The security industry may need to reconsider some of its fundamental assumptions, including ‘Are we really protecting users and companies?’” --McAfee, September 2011
    Source: http://www.nytimes.com/external/readwriteweb/2011/08/23/23readwriteweb-mcafee-to-security-industry-are-we-really-p-70470.html?partner=rss&emc=rss
  • 45. SDLC is Irrelevant: No Vulnerability
    - Traditionally, an attack is comprised of two elements
      + Vulnerability
      + Exploit
    - To mitigate, either (or even better, both)
      + Repair the vulnerability - with SDLC
      + Stop the exploit - with a security device
    - In DoS there’s no vulnerability!
  • 46. IPS/NGFW is Irrelevant
    - Statefulness
      + Inspecting each request by itself is futile, as each request is benign per se
      + Only when accumulated within the right context (IP / application session / application user) are the attack’s true colors exposed
    - True application awareness
      + Detecting unexpected parameters on a request
  • 47. Mitigation
    - WAF: stateful, decrypts SSL, understands HTTP, understands the application business logic to analyze the traffic, sifting out the DoS traffic.
  • 48. Mitigation: Stateful Rules
    - Customer was attacked with “large file” downloads from unauthenticated users
    - A specific rule was created: [rule screenshot; no text in transcript]
  • 49. Mitigation: Picking the Low-Hanging Fruit
    - Some tools have small deviations from normal browsers
      + User agent
      + Missing headers
      + Header order
      + Misspelled headers
      + Fixed values
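Per-request fingerprinting that serves both slide 36 (the JS LOIC request shape: attack-page Referer, arbitrary changing cache-busting value, "msg" slogan) and slide 49 (deviations from a real browser: user agent, missing headers, header order, misspelled headers), as an added example that is not Imperva's WAF logic. The known-header list, the regexes and the three sample requests are constructed assumptions; "fixed values" across many requests need per-source state and are outside this single-request check.

```python
"""
Per-request fingerprinting of DoS-tool traffic. Added example, not Imperva's
WAF logic: header lists, regexes and the sample requests are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Header names a real browser is expected to use; anything else is suspicious
KNOWN_HEADERS = {"host", "user-agent", "accept", "accept-language", "accept-encoding",
                 "referer", "connection", "cookie", "content-type", "content-length",
                 "cache-control", "pragma", "origin", "upgrade-insecure-requests", "dnt"}
# Headers every mainstream browser sends on a navigation request
EXPECTED_HEADERS = ("accept", "accept-language", "accept-encoding")
CACHE_BUSTER = re.compile(r"\d{8,}")  # long arbitrary number used to defeat caches


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, target, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, headers


def fingerprint(raw):
    """Return (score, reasons): one reason per tool-like trait found."""
    _method, target, headers = parse_request(raw)
    names = [n.lower() for n, _ in headers]
    values = {n.lower(): v for n, v in headers}
    reasons = []

    # slide 49: deviations from a normal browser
    for h in EXPECTED_HEADERS:
        if h not in names:
            reasons.append(f"missing header {h}")
    for n in names:
        if n not in KNOWN_HEADERS:
            reasons.append(f"unknown or misspelled header {n}")
    if names and names[0] != "host":
        reasons.append("host header not first")
    if not re.search(r"Mozilla/\d", values.get("user-agent", "")):
        reasons.append("non-browser user agent")

    # slide 36: request shape produced by the JS LOIC page
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "msg" in params:
        reasons.append("slogan parameter msg")
    for name, vals in params.items():
        if any(CACHE_BUSTER.fullmatch(v) for v in vals):
            reasons.append(f"cache-busting value in {name}")
    referer_host = urlsplit(values.get("referer", "")).hostname
    own_host = values.get("host", "").split(":")[0]
    if referer_host and referer_host != own_host:
        reasons.append(f"cross-site referer from {referer_host}")

    return len(reasons), reasons


# Constructed sample requests
BROWSER = ("GET /search.php?q=shoes HTTP/1.1\r\n"
           "Host: www.target.com\r\n"
           "User-Agent: Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/16.0\r\n"
           "Accept: text/html,application/xhtml+xml\r\n"
           "Accept-Language: en-US,en;q=0.5\r\n"
           "Accept-Encoding: gzip, deflate\r\n"
           "Connection: keep-alive\r\n\r\n")

JS_LOIC = ("GET /search.php?q=a&id=61278641278&msg=we+are+legion! HTTP/1.1\r\n"
           "Host: www.target.com\r\n"
           "User-Agent: Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/16.0\r\n"
           "Accept: */*\r\n"
           "Accept-Language: en-US,en;q=0.5\r\n"
           "Accept-Encoding: gzip, deflate\r\n"
           "Referer: http://hacktivist.example/js-loic.html\r\n"
           "Connection: keep-alive\r\n\r\n")

DESKTOP_TOOL = ("GET /search.php?q=a HTTP/1.1\r\n"
                "User-Agent: \r\n"
                "Host: www.target.com\r\n"
                "Referrer: http://www.target.com/\r\n\r\n")


if __name__ == "__main__":
    for label, raw in (("browser", BROWSER), ("JS LOIC", JS_LOIC), ("desktop tool", DESKTOP_TOOL)):
        score, reasons = fingerprint(raw)
        print(f"{label:13} score={score} {reasons}")
```

The two attack samples trip different checks, which is why both slides matter: the JS LOIC request comes from a real browser and looks normal header-wise, so only the URL shape and the cross-site Referer give it away, while a standalone flooding tool with a hand-built request misses the browser headers, misspells Referer and puts Host in the wrong place. A cross-site Referer on its own is ordinary link traffic, so in practice it should carry less weight than the other signals.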
  • 50. Mitigation: Reputation Services
    - Source intelligence
      + Malicious IPs
      + Anonymity service IPs
        - TOR
        - Anonymous proxies
  • 51-53. Blocking Traffic Based on Reputation
    - Real-time alerts and the ability to block based on IP reputation. [screenshots; no further text in transcript]
  • 54. Summary and Recommendations
  • 55. Summary
    - DoS is another tool in the hackers’ toolbox
    - DoS is going up the application stack
    - Mitigate application layer DoS attacks with a WAF
    - Use community-based anti-automation reputation services
  • 56. Imperva in 60 Seconds
    - Attack Protection
    - Usage Audit
    - Virtual Patching
    - Rights Management
    - Reputation Controls
    - Access Control
  • 57. Webinar Materials
  • 58. Webinar Materials
    - Join the Imperva LinkedIn Group, Imperva Data Security Direct, for:
      + Answers to attendee questions
      + Post-webinar discussions
      + Webinar recording link
  • 59. Questions?
  • 60. www.imperva.com
