0
Survival in an
Evolving Threat
Landscape
David Hobbs
Director of Security Solutions
Emergency Response Team
DavidH@Radware...
AGENDA
2012 Availability-based threats
Attacks on the us banks
Others 2012 popular attack patterns & trends
Radware ERT Survey
Slide 3Radware Confidential Jan 2012
2012 Attack Motivation - ERT Survey
Slide 4Radware Confidential Jan 2012
2012 Target Trend - ERT Survey
Slide 5Radware Confidential Jan 2012
Main Bottlenecks During DoS Attacks - ERT Survey
Slide 6Radware Confidential Jan 2012
Attacks Campaigns Duration
Slide 7Radware Confidential Jan 2012
Attack Duration Requires IT to Develop New Skills
War Room Skills Are Required
Slide 8Radware Confidential Jan 2012
Attacks Traverses CDNs (Dynamic Object Attacks)
Slide 9Radware Confidential Jan 2012
AGENDA
2012 Availability-based threats
Attacks on the us banks
Others 2012 popular attack patterns & trends
“Overview”
• What triggered the recent US attacks?
• Who was involved in implementing the attacks and name of the operatio...
“What triggered the attacks on the US banks?”
• Nakoula Basseley Nakoula (Alias- “Sam Bacile”), an Egyption born US reside...
“Protests generated by the movie”
Slide 13Radware Confidential Jan 2012
The Cyber Response
Slide 14Radware Confidential Jan 2012
“Who is the group behind the cyber response?”
• A hacker group called “Izz as-Din al-Qassam Cyber fighters”.
• Izz as-Din ...
“Operation Ababil launched!”
• “Operation Ababil” is the codename of the operation launched on
Septembetr18th 2012, by the...
“The attack campaign in 2 phases”
• The attack campaign was split into 2 phases, a pubic announcement was made
in each pha...
The Attack
Vectors and Tactics!
Slide 18
“Attack Vectors”
• 5 Attack vectors were seen by the ERT team during Operation Ababil.
1. UDP garbage flood.
2. TCP SYN fl...
“UDP Garbage Flood”
• Targeted the DNS servers of the organizations, also HTTP.
• Up to 1Gbps volume (Possibly higher).
• ...
“Tactics used in the UDP garbage flood”
• Internal DNS servers were targeted , at a high rate.
• Web servers were also tar...
“DNS Garbage flood packet extract”
• Some reports of a DNS reflective attack was underway seem to be incorrect.
• The pack...
“Attackers objective of the UDP Garbage flood”
• Saturate bandwidth.
• Attack will pass through firewall, since port is op...
“TCP SYN flood”
• Targeted Port 53, 80 and 443.
• The rate was around 100Mbps with around 135K PPS.
• This lasted from the...
“SYN flood Packet extract”
Slide 25
-All sources are spoofed.
-Multiple SYN packets to port 443.
Radware Confidential Jan ...
“Attackers objective of the TCP SYN floods”
• SYN floods are a well known attack vector.
• Can be used to distract from mo...
“Mobile LOIC (Apache killer version)”
• Mobile LOIC (Low Orbit Iron Cannon) is a DDoS tool written in HTML and
Javascript....
“Mobile LOIC in a web browser”
Slide 28Radware Confidential Jan 2012
“HTTP Request Flood”
• Between 80K and 100K TPS (Transactions Per second)
• Port 80
• Followed the same patterns in the GE...
“HTTP flood packet structure”
• Sources worldwide (True sources most likely hidden).
• User agent duplicated.
• Attack tim...
“HTTP flood packet parameters identified”
Slide 31
HTTP Request Samples
GET /financial-literacy/all-about-investing/etvs?2...
“Identified locations of attacking IP‟s”
Slide 32
Worldwide!
Radware Confidential Jan 2012
“Attackers objective of the HTTP flood”
• Bypass CDN services by randomizing the input parameter and user agents.
• Becaus...
Unconfirmed Vectors of attack
Slide 34
“Breach”
Slide 35Radware Confidential Jan 2012
“Unconfirmed attacks”
• The following 2 attack vectors were reported to us by our customers however
we have no data intern...
“ICMP Reply flood”
• This attack was gathered through Cisco logs at the customers site.
• We have no statistics on the att...
“ICMP Reply Flood explained”
• ICMP “Requests” (ICMP Type 8) are sent to the target in order to generate multiple ICMP
“Re...
“Dirt Jumper”
• Dirt Jumper is a BOT currently at version 5.
• Dirt jumper is used in various HTTP floods.
• POST, GET and...
“Dirt Jumper C&C”
Slide 40Radware Confidential Jan 2012
AGENDA
2012 Availability-based threats
Attacks on the us banks
Others 2012 popular attack patterns & trends
Availability-based Threats Tree
Slide 42
Availability-
based Threats
Network Floods
(Volumetric)
Application
Floods
Low-an...
Asymmetric Attacks
Slide 43Radware Confidential Jan 2012
HTTP Reflection Attack
Slide
Website A Website B
(Victim)
Attacker
HTTP
GET
Radware Confidential Jan 2012
Slide
iframe, width=1, height=1
search.php
HTTP Reflection Attack Example
Radware Confidential Jan 2012
HTTPS – SSL Re Negotiation Attack
Slide 46
THC-SSL DoS
THC-SSL DOS was developed by a hacking group called The Hacker‟s Ch...
Low & Slow
Slide 47
Availability-
based Threats
Network Floods
(Volumetric)
Application
Floods
Low-and-Slow
Single-packet
...
Low & Slow
• Slowloris
• Sockstress
• R.U.D.Y.
• Simultaneous Connection Saturation
Slide 48Radware Confidential Jan 2012
Slowloris
Slide 49
Slowloris
Slowloris is a denial-of-service (DoS) tool developed by the grey hat hacker “RSnake” that ca...
R.U.D.Y (R-U-Dead-Yet)
Slide 50
R.U.D.Y. (R-U-Dead-Yet?)
R.U.D.Y. (R-U-Dead-Yet?) is a slow-rate HTTP POST (Layer 7) denia...
Black hat 2013 - Universal DDoS Mitigation Bypass
The main idea behind this presentation was to demonstrate a new tool whi...
Black hat 2013 - Universal DDoS Mitigation Bypass
After complete w/ the long prolog they gave the specifications of the ne...
Black hat 2013 - Universal DDoS Mitigation Bypass
The perpetrators allege that the tool is technically indistinguishable f...
Challenge & Response Escalations
Slide
Radware Confidential Jan 2012
Script 302 Redirect
Challenge
JS Challenge Special Ch...
DefensePipe Operation Flow
Protected Online Services
DefensePro
AppWall
Protected Organization
DefensePipe
Scrubbing Cente...
Radware Security Products Portfolio
Slide 56
AppWall
Web Application Firewall (WAF)
DefensePro
Network & Server attack pre...
Thank You
www.radware.com
Radware Confidential Jan 2012
Upcoming SlideShare
Loading in...5
×

SecureWorld St. Louis: Survival in an Evolving Threat Landscape

626

Published on

David Hobbs’ presentation from SecureWorld Expo - St. Louis discusses availability-based threats; attacks on U.S. banks and other popular attack patterns & trends.

Published in: Technology, News & Politics
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
626
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
20
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • -This pic is from the very beginning of the video, stating “There is an angry mob in the middle of the street”*Notes -  On September 9, 2012, an excerpt of the YouTube video was broadcast on Al-Nas TV, an Egyptian Islamist television station.[11][12]Demonstrations and violent protests against the film broke out on September 11 in Egypt and spread to other Arab and Muslim nations and some western countries.
  • -Libyan riots top left - http://www.foreignpolicy.com/articles/2012/09/14/why_the_embassy_riots_wont_stop.-Lebonon riots bottom left - http://au.ibtimes.com/articles_slideshows/384606/20120915/lebanon-protesters-destroy-kentucky-fried-chicken-and-hardees-over-innocence-of-muslims-film-photos.htm
  • Links about Izz as-Din al-Quassam The preacher - http://en.wikipedia.org/wiki/Izz_ad-Din_al-Qassam *Notes - The Levant includes most of modern Lebanon, Syria, Jordan, State of Palestine, Israel, Cyprus, Hatay Province of Turkey, some regions of northwestern Iraq and theSinai Peninsula.Links about the Cyber hacker group - http://www.globalpost.com/dispatches/globalpost-blogs/the-grid/who-are-the-izz-ad-din-al-qassam-cyber-fightershttp://www.ehackingnews.com/2012/12/izz-ad-din-al-qassam-cyber-fighters.htmlPic from - http://www.standupamericaus.org/terror-jihad/cyber-fighters-of-izz-al-din-al-qassam-alert-to-banks-in-usa/
  • Links for translation of ababil - http://en.wikipedia.org/wiki/Ghods_AbabilThe pic from - http://en.wikipedia.org/wiki/File:Hirundo_abyssinica.jpgClaims of Iranian involvement -http://betabeat.com/2012/09/iran-possibly-behind-operation-ababil-cyber-attacks-against-financial-institutions/http://features.rr.com/article/0coOckreSy1vL?q=Bank+of+America
  • Data taken from internal doc.
  • Pic taken from - http://news.yahoo.com/americas-failing-grade-cyber-attack-readiness-153640058--abc-news-topstories.html
  • -Taken from internal report.
  • -Taken from internal report.
  • Reflective attack - Attackers send forged requests of some type to a very large number of computers that will reply to the requests. Using spoofed SRC IP’s of the victim, which means all the replies will go to (and flood) the target.
  • -Stateful inspection in the DNS area is limited. Was in smartdefense at CP, but how many people use it?-The server is forced to respond with ICMP packets “Destination Unreachable” (ICMP type3 Code 3) for port closed when udp packet arrives.-Returning ICMP type 3 further saturate (Packet size in return will be close to received packet).
  • -Internal data.
  • -The SYN flood attack simply sends a high rate of SYN’s with spoofed IP’s and the server is left waiting for the ACK.-This means the attacker needs much fewer hosts to exhaust target machine because no session is actually kept alive on the “Attackers” side.-You exhaust the Backlog of the TCP stack (Linux default is 3mins and Win2k is 45 sec. for half open timeouts, these can be changed). So the server can no longer accept a new connection.-
  • -Another reported attack technique that was allegedly used during this campaign is a custom version of the Mobile LOIC tool (aka Mobile LOIC - Apache Killer) which is designed to exploit a known vulnerability in Apache servers – corresponding to CVE-2011-3192.-This attack tool targets Apache servers using Apache HTTP server versions 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19.
  • Target URL- Specifies the URL of the attacked target. Must start with http://. Requests per second-Specifies the number of desired requests to be sent per second. Append message-Specifies the content for the “msg” parameter to be sent within the URL of HTTP requests
  • Resource internal.
  • -This value is unique since it seems to contain a typo which is caused by placing the “User Agent:” string inside the user agent value itself.Resource internal.
  • Resource internal.
  • Resource internal.
  • Internal resources.
  • -Taken from Radware internal resources.
  • The image above shows how the agent controls the Botnet: The „Today‟ and „Online‟ shows the number of computers under its control, the „URLs‟ specify the URLs to be attacked, the „Flows‟ specify the attack vector and attack intensity, and the „Start‟ and „Stop‟ allows the agent to inflict pain and voluntarily stop it.
  • Identification: referrer (ask the audience)
  • Transcript of "SecureWorld St. Louis: Survival in an Evolving Threat Landscape"

    1. 1. Survival in an Evolving Threat Landscape David Hobbs Director of Security Solutions Emergency Response Team DavidH@Radware.com August 2013 Radware Confidential August 2013
    2. 2. AGENDA 2012 Availability-based threats Attacks on the us banks Others 2012 popular attack patterns & trends
    3. 3. Radware ERT Survey Slide 3Radware Confidential Jan 2012
    4. 4. 2012 Attack Motivation - ERT Survey Slide 4Radware Confidential Jan 2012
    5. 5. 2012 Target Trend - ERT Survey Slide 5Radware Confidential Jan 2012
    6. 6. Main Bottlenecks During DoS Attacks - ERT Survey Slide 6Radware Confidential Jan 2012
    7. 7. Attacks Campaigns Duration Slide 7Radware Confidential Jan 2012
    8. 8. Attack Duration Requires IT to Develop New Skills War Room Skills Are Required Slide 8Radware Confidential Jan 2012
    9. 9. Attacks Traverses CDNs (Dynamic Object Attacks) Slide 9Radware Confidential Jan 2012
    10. 10. AGENDA 2012 Availability-based threats Attacks on the us banks Others 2012 popular attack patterns & trends
    11. 11. “Overview” • What triggered the recent US attacks? • Who was involved in implementing the attacks and name of the operation? • How long were the attacks and how many attack vectors were involved? • How the attacks work and their effects. • How can we prepare ourselves in the future? Slide 11Radware Confidential Jan 2012
    12. 12. “What triggered the attacks on the US banks?” • Nakoula Basseley Nakoula (Alias- “Sam Bacile”), an Egyption born US resident created an anti Islam film. • Early September the publication of the „Innocence of Muslims‟ film on YouTube invokes demonstrations throughout the Muslim world. • The video was 14 minutes though a full length movie was released. Slide 12Radware Confidential Jan 2012
    13. 13. “Protests generated by the movie” Slide 13Radware Confidential Jan 2012
    14. 14. The Cyber Response Slide 14Radware Confidential Jan 2012
    15. 15. “Who is the group behind the cyber response?” • A hacker group called “Izz as-Din al-Qassam Cyber fighters”. • Izz as-Din al-Qassam was a famous Muslim preacher who was a leader in the fight against the French, US and Zionist in the 1920‟s and 1930‟s. • The group claims not to be affiliated to any government or Anonymous. • This group claims to be independent, and it‟s goal is to defend Islam. Slide 15Radware Confidential Jan 2012
    16. 16. “Operation Ababil launched!” • “Operation Ababil” is the codename of the operation launched on Septembetr18th 2012, by the group “Izz as-Din al-Qassam Cyber fighters” • The attackers announced they would attack “American and Zionist targets”. • “Ababil” translates to “swallow” from Persian. Until today the US thinks the Iranian government may be behind the operation. • The operations goal is to have “Youtube” remove the anti-muslim film from it‟s site. Until today the video has not been removed. Slide 16Radware Confidential Jan 2012
    17. 17. “The attack campaign in 2 phases” • The attack campaign was split into 2 phases, a pubic announcement was made in each phase. • The attacks lasted 10 days, from the 18th until the 28th of September. • Phase 1 - Targets > NYSE, BOA, JP Morgan. • Phase 2 – Targets > Wells Fargo, US Banks, PNC. Slide 17Radware Confidential Jan 2012 New York Stock Exchange
    18. 18. The Attack Vectors and Tactics! Slide 18
    19. 19. “Attack Vectors” • 5 Attack vectors were seen by the ERT team during Operation Ababil. 1. UDP garbage flood. 2. TCP SYN flood. 3. Mobile LOIC (Apache killer version). 4. HTTP Request flood. 5. ICMP Reply flood. (*Unconfirmed but reported on). *Note: Data is gathered by Radware as well as it‟s partners. Radware Confidential Jan 2012
    20. 20. “UDP Garbage Flood” • Targeted the DNS servers of the organizations, also HTTP. • Up to 1Gbps volume (Possibly higher). • All attacks were identical in content and in size (Packet structure). • UDP packets sent to port 53 and 80. • Customer attacked Sep 18th and on the 19th. Slide 20Radware Confidential Jan 2012
    21. 21. “Tactics used in the UDP garbage flood” • Internal DNS servers were targeted , at a high rate. • Web servers were also targeted, at a high rate. • Spoofed IP‟s (But kept to just a few, this is unusual). • ~ 1Gbps. • Lasted more than 7 hours initially but still continues... Packet structure Slide 21 Parameter Value Port 53 Value Port 80 Packet size 1358 Bytes Unknown Value in Garbage ‘A’ (0x41) characters repeated “/http1” (x2fx68x74x74x70x 31) - repetitive Radware Confidential Jan 2012
    22. 22. “DNS Garbage flood packet extract” • Some reports of a DNS reflective attack was underway seem to be incorrect. • The packets are considered “Malformed” DNS packets, no relevant DNS header. Slide 22Radware Confidential Jan 2012
    23. 23. “Attackers objective of the UDP Garbage flood” • Saturate bandwidth. • Attack will pass through firewall, since port is open. • Saturate session tables/CPU resources on any state -full device, L4 routing rules any router, FW session tables etc.. • Returning ICMP type 3 further saturate upstream bandwidth. • All combined will lead to a DoS situation if bandwidth and infrastructure cannot handle the volume or packet processing. Slide 23Radware Confidential Jan 2012
    24. 24. “TCP SYN flood” • Targeted Port 53, 80 and 443. • The rate was around 100Mbps with around 135K PPS. • This lasted from the Sep 18th for more than 3 days. Slide 24Radware Confidential Jan 2012
    25. 25. “SYN flood Packet extract” Slide 25 -All sources are spoofed. -Multiple SYN packets to port 443. Radware Confidential Jan 2012
    26. 26. “Attackers objective of the TCP SYN floods” • SYN floods are a well known attack vector. • Can be used to distract from more targeted attacks. • The effect of the SYN flood if it slips through can devastate state-full devices quickly. This is done by filling up the session table. • All state-full device has some performance impact under such a flood. • Easy to implement. • Incorrect network architecture will quickly have issues. Slide 26Radware Confidential Jan 2012
    27. 27. “Mobile LOIC (Apache killer version)” • Mobile LOIC (Low Orbit Iron Cannon) is a DDoS tool written in HTML and Javascript. • This DDoS Tool does an HTTP GET flood. • The tool is designed to do HTTP floods. • We have no statistics on the exact traffic of mobile LOIC. Slide 27 *Suspected*Suspected Radware Confidential Jan 2012
    28. 28. “Mobile LOIC in a web browser” Slide 28Radware Confidential Jan 2012
    29. 29. “HTTP Request Flood” • Between 80K and 100K TPS (Transactions Per second) • Port 80 • Followed the same patterns in the GET request (Except for the Input parameter) • Dynamic user agent Slide 29Radware Confidential Jan 2012
    30. 30. “HTTP flood packet structure” • Sources worldwide (True sources most likely hidden). • User agent duplicated. • Attack time was short (No confirmed timeline) • Rates are unknown. • Dynamic Input parameters. GET Requests parameters Slide 30Radware Confidential Jan 2012
    31. 31. “HTTP flood packet parameters identified” Slide 31 HTTP Request Samples GET /financial-literacy/all-about-investing/etvs?2408b GET /financial-literacy/all-about-investing/bonds?4d094 GET /inside-the-exchange/visiting?aad95 GET / HTTP Request Samples DoCoMo/2.0 SH902i (compatible; Y!J-SRD/1.0; http://help.yahoo.co.jp/help/jp/search/indexing/indexing-27.html) Googlebot/2.1 ( http://www.googlebot.com/bot.html) IE/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322;) Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4b) Gecko/20030505 Mozilla Firebird/0.6 Opera/9.00 (Windows NT 5.1; U; en) User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;) msnbot-Products/1.0 (+http://search.msn.com/msnbot.htm) Radware Confidential Jan 2012
    32. 32. “Identified locations of attacking IP‟s” Slide 32 Worldwide! Radware Confidential Jan 2012
    33. 33. “Attackers objective of the HTTP flood” • Bypass CDN services by randomizing the input parameter and user agents. • Because of the double user agent there was an flaw in the programming behind the attacking tool. • Saturating and exhausting web server resources by keeping session table and web server connection limits occupied. • The attack takes more resources to implement than non connection orientated attacks like TCP SYN floods and UDP garbage floods. This is because of the need to establish a connection. Slide 33Radware Confidential Jan 2012
    34. 34. Unconfirmed Vectors of attack Slide 34
    35. 35. “Breach” Slide 35Radware Confidential Jan 2012
    36. 36. “Unconfirmed attacks” • The following 2 attack vectors were reported to us by our customers however we have no data internally to indicate these attacks took place. • The data was either gathered through intelligence the customer had (IRC chat, Forums etc..) or something they suspected and reported to Radware but never provided logs for. • The 2 other vectors suspected are: – ICMP Reply Flood. – Dirt Jumper. Radware Confidential Jan 2012
    37. 37. “ICMP Reply flood” • This attack was gathered through Cisco logs at the customers site. • We have no statistics on the attack. Slide 37Radware Confidential Jan 2012
    38. 38. “ICMP Reply Flood explained” • ICMP “Requests” (ICMP Type 8) are sent to the target in order to generate multiple ICMP “Reply” (ICMP Type 0) packets. • This can also be from spoofed IP‟s (Sent packets, ICMP Type 8). • This saturates bandwidth on the servers up/down stream as well as CPU processing to process the ICMP packets and respond. • To do a replay flood you just spoof the SRC IP of the ICMP request. Slide 38Radware Confidential Jan 2012
    39. 39. “Dirt Jumper” • Dirt Jumper is a BOT currently at version 5. • Dirt jumper is used in various HTTP floods. • POST, GET and download floods are supported by the latest version of Dirt Jumper. • User Agent and Referrer randomization are supported too. Slide 39Radware Confidential Jan 2012
    40. 40. “Dirt Jumper C&C” Slide 40Radware Confidential Jan 2012
    41. 41. AGENDA 2012 Availability-based threats Attacks on the us banks Others 2012 popular attack patterns & trends
    42. 42. Availability-based Threats Tree Slide 42 Availability- based Threats Network Floods (Volumetric) Application Floods Low-and-Slow Single-packet DoS UPD Flood ICMP Flood SYN Flood Web Flood DNS SMTP HTTPS Radware Confidential Jan 2012
    43. 43. Asymmetric Attacks Slide 43Radware Confidential Jan 2012
    44. 44. HTTP Reflection Attack Slide Website A Website B (Victim) Attacker HTTP GET Radware Confidential Jan 2012
    45. 45. Slide iframe, width=1, height=1 search.php HTTP Reflection Attack Example Radware Confidential Jan 2012
    46. 46. HTTPS – SSL Re Negotiation Attack Slide 46 THC-SSL DoS THC-SSL DOS was developed by a hacking group called The Hacker‟s Choice (THC), as a proof- of-concept to encourage vendors to patch a serious SSL vulnerability. THC-SSL-DOS, as with other “low and slow” attacks, requires only a small number of packets to cause denial-of-service for a fairly large server. It works by initiating a regular SSL handshake and then immediately requesting for the renegotiation of the encryption key, constantly repeating this server resource-intensive renegotiation request until all server resources have been exhausted. Radware Confidential Jan 2012
    47. 47. Low & Slow Slide 47 Availability- based Threats Network Floods (Volumetric) Application Floods Low-and-Slow Single-packet DoS UPD Flood ICMP Flood SYN Flood Web Flood DNS SMTP HTTPS Low-and-Slow Radware Confidential Jan 2012
    48. 48. Low & Slow • Slowloris • Sockstress • R.U.D.Y. • Simultaneous Connection Saturation Slide 48Radware Confidential Jan 2012
    49. 49. Slowloris Slide 49 Slowloris Slowloris is a denial-of-service (DoS) tool developed by the grey hat hacker “RSnake” that causes DoS by using a very slow HTTP request. By sending HTTP headers to the target site in tiny chunks as slow as possible (waiting to send the next tiny chunk until just before the server would time out the request), the server is forced to continue to wait for the headers to arrive. If enough connections are opened to the server in this fashion, it is quickly unable to handle legitimate requests. Slowloris is cross-platform, except due to Windows’ ~130 simultaneous socket use limit, it is only effective from UNIX-based systems which allow for more connections to be opened in parallel to a target server (although a GUI Python version of Slowloris dubbed PyLoris was able to overcome this limiting factor on Windows). Radware Confidential Jan 2012
    50. 50. R.U.D.Y (R-U-Dead-Yet) Slide 50 R.U.D.Y. (R-U-Dead-Yet?) R.U.D.Y. (R-U-Dead-Yet?) is a slow-rate HTTP POST (Layer 7) denial-of-service tool created by Raviv Raz and named after the Children of Bodom album “Are You Dead Yet?” It achieves denial-of-service by using long form field submissions. By injecting one byte of information into an application POST field at a time and then waiting, R.U.D.Y. causes application threads to await the end of never-ending posts in order to perform processing (this behavior is necessary in order to allow web servers to support users with slower connections). Since R.U.D.Y. causes the target webserver to hang while waiting for the rest of an HTTP POST request, by initiating simultaneous connections to the server the attacker is ultimately able to exhaust the server‟s connection table and create a denial-of-service condition. Radware Confidential Jan 2012
    51. 51. Black hat 2013 - Universal DDoS Mitigation Bypass The main idea behind this presentation was to demonstrate a new tool which is combined with Captcha solving and JavaScript engine. They covered the types and world of DDoS attack like - • Volumetric – Packet rate based and Bit-rate based. • Non Volumetric – Protocol and Application-based (Apache killer, Slowloris, Rudy, SMURF) • Blended – all of the above together – very common and effective. After showing the different attack vectors they have covered the current known (to them) mitigation techniques – non-vendor specific: • Traffic policing (simple rate limit) • Proactive resource release (Mostly for low&slow attacks) • B/W listing • Resource isolation (Across different AS) • Secure CDN Slide 51Radware Confidential Jan 2012
    52. 52. Black hat 2013 - Universal DDoS Mitigation Bypass After complete w/ the long prolog they gave the specifications of the new tool – Kill’em All 1.0 • The tool will support the following features - • Auth bypass (including re-authentication every X seconds capability) • HTTP redirect • HTTP cookie • JavaScript • Captcha According to the presenters the strengths of the tool are - • True TCP behavior • Believable and random HTTP headers (Including the GET request itself) • JavaScript engine • Captcha solving • Random payload • Tunable post authentication traffic model. Slide 52Radware Confidential Jan 2012
    53. 53. Black hat 2013 - Universal DDoS Mitigation Bypass The perpetrators allege that the tool is technically indistinguishable from human. • They say it was tested successfully against both anti-DDoS devices and Services, they mentioned by name only CloudFlare and Akamai. • They have concluded the session saying that DDoS is very expensive and that current solutions are falling behind. Slide 53Radware Confidential Jan 2012
    54. 54. Challenge & Response Escalations Slide Radware Confidential Jan 2012 Script 302 Redirect Challenge JS Challenge Special Challenge (6.09) Kamikaze Pass Not pass Not pass Kamina Pass Not pass Not pass Terminator Pass Pass Not pass Here are the results Kamikaze and Kamina will not pass DefensePro JS Challenge. Terminator will pass both 302 and JS, however, we have been prepared for this and have developed a set of new challenges which it will not pass. They are available at version 6.09.00 (current DP release). To our knowledge the only tool in the world who can currently handle Terminator.
    55. 55. DefensePipe Operation Flow Protected Online Services DefensePro AppWall Protected Organization DefensePipe Scrubbing Center DefensePros Defense Messaging ISP Volumetric DDoS attack that blocks the Internet pipe ERT with the customer decide to divert the traffic Clean traffic Sharing essential information for attack mitigation On-premise AMS mitigates the attack ©Radware2013
    56. 56. Radware Security Products Portfolio Slide 56 AppWall Web Application Firewall (WAF) DefensePro Network & Server attack prevention device APSolute Vision Management and security reporting & compliance
    57. 57. Thank You www.radware.com Radware Confidential Jan 2012
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.

    ×