Protest: 2012.7, caused by a film clip
Attack: 2012.9.18, Cyber Fighters launched DDoS attacks against banks of the U.S., named "Operation Ababil"
2 Phases
• Phase 1: 5 weeks (9.18-10.23)
• Phase 2: 7 weeks (12.10-1.28)
Pause/Resume
• 2013.1.29: attacks pause
• 2013.3.5: attacks resume
Characteristics of the DDoS attacks
Huge Volume
1. Web servers as zombies
2. Numerous zombies
3. Dozens of Gbps
Long Time
1. Several months
2. APT alike
Multiple Attack Methods
1. Network layer: TCP/UDP/ICMP flood
2. Application layer: HTTP/DNS flood
Multiple Targets
1. Dozens of finance institutes
2. ISPs
Zombies are Web Servers!!
• Vulnerable admin passwords
• Software vulnerabilities: TimThumb of WordPress, Joomla
[Diagram: Web Hosting, IDC1, IDC2, ISP1, ISP2, Internet; link capacities 1G / 10G / 40G / 100G / 400G]
1. Protocol Analysis
• Protocol validation by RFC check
2. Access Control List
• Layer 4 ACL
• Conn-exhaustion ACL
• URL ACL
3. Reputation List
• White/black list
• Dynamic prioritizing
4. Layer 4 Flood Mitigation
• Source/destination IP address check/verification
• Various mitigation algorithms
5. Layer 7 Flood Mitigation
• Various mitigation algorithms
• Pattern matching
6. Rate Limit
• Restricts traffic and ensures the critical business
The capability to stop DDoS is fundamental, usually implemented at the backbone and provided as part of infrastructure services.
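As an added illustration (not the vendor's code) of how stages 2, 3, 5 and 6 above combine on one request path, the toy pipeline below applies a reputation list, a URL ACL and a per-source sliding-window rate limit to constructed sample traffic; the IP ranges, thresholds and stage names are assumptions.

```python
from collections import defaultdict, deque

class MitigationPipeline:
    """Reputation list -> URL ACL -> Layer 7 per-source rate limit (toy model)."""
    def __init__(self, blacklist, whitelist, blocked_url_prefixes, max_requests, window_ms):
        self.blacklist, self.whitelist = set(blacklist), set(whitelist)
        self.blocked_url_prefixes = tuple(blocked_url_prefixes)
        self.max_requests, self.window_ms = max_requests, window_ms
        self.history = defaultdict(deque)  # src_ip -> timestamps (ms) of allowed requests

    def handle(self, ts_ms, src_ip, url):
        """Return (verdict, stage) for one request."""
        # Reputation list: known-bad sources drop first, trusted ones bypass flood checks.
        if src_ip in self.blacklist:
            return "drop", "reputation_blacklist"
        if src_ip in self.whitelist:
            return "allow", "reputation_whitelist"
        # URL ACL: paths the business never exposes to the Internet.
        if url.startswith(self.blocked_url_prefixes):
            return "drop", "url_acl"
        # Layer 7 flood mitigation: sliding-window rate limit per source.
        seen = self.history[src_ip]
        while seen and ts_ms - seen[0] >= self.window_ms:
            seen.popleft()  # expire timestamps that fell out of the window
        if len(seen) >= self.max_requests:
            return "drop", "l7_rate_limit"
        seen.append(ts_ms)
        return "allow", "pass"

def run(pipeline, requests):
    """Return per-stage counts and the set of sources the rate limiter caught."""
    counts, offenders = defaultdict(int), set()
    for ts_ms, src_ip, url in requests:
        _, stage = pipeline.handle(ts_ms, src_ip, url)
        counts[stage] += 1
        if stage == "l7_rate_limit":
            offenders.add(src_ip)
    return dict(counts), offenders

# Constructed sample traffic (documentation IP ranges, not real hosts): a normal
# client, one bot sending 200 requests in 2 s, one blacklisted host, one ACL hit.
SAMPLE = (
    [(t, "198.51.100.7", "/index.html") for t in range(0, 10000, 2000)]
    + [(10 * i, "203.0.113.9", "/login") for i in range(200)]
    + [(5000, "192.0.2.1", "/index.html")]
    + [(6000, "198.51.100.7", "/admin/config")]
)
PIPELINE = MitigationPipeline(blacklist=["192.0.2.1"], whitelist=[],
                              blocked_url_prefixes=["/admin/"], max_requests=20, window_ms=1000)
```

With a 20-requests-per-second limit the bot gets 40 requests through (two windows) and 160 dropped, while the normal client's paced requests all pass.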
[Diagram: Web Hosting, IDC1, IDC2, ISP1, ISP2, Internet; link capacities 1G / 10G / 40G / 100G / 400G]
1. Network Access Control
2. TCP Flood Protection
3. HTTP Termination
4. SSL Decryption
5. Data Normalization
6. HTTP Flood Protection
7. HTTP Validation
8. HTTP Access Control
9. Web Server and Plug-in Protection
10. Rule-Based Protection
• Crawler
• XSS
• SQL Injection
• LDAP Injection
• SSI Command Injection
• XPath Injection
• Command Line Injection
• Path Traversal
• Remote File Inclusion
11. Behavior-Based Protection
• Illegal File Upload
• Illegal Download
• Information Disclosure
• Leech
• CSRF
• Scanning
• Cookie Hijacking
12. Customized Protection Mechanism
• White List
• Smart Patch
• Custom Security
• Exception Policy
Web hacking protection, e.g. WAF, is usually implemented at the access layer and provided as a value-added service.
[Diagram: one WAF alongside many ADS units; Web Hosting, IDC1, IDC2, ISP1, ISP2, Internet; link capacities 1G / 10G / 40G / 100G / 400G; labelled "Security as a Service"]
• Dedicated Anti-DDoS System for large DDoS attacks
• Dedicated WAF for Web hacking and small-volume DDoS attacks
• Manual operations are needed to switch between them when attackers change the game
[Diagram: Web, App and DB servers behind a WAF; Clean Center with NTA, ADS-M and ADS; attack paths: (1) Web hacking, (2) small-volume DDoS attack, (3) large-volume DDoS attack; Network]
1. Web Security Engine
2. Anti-DDoS Module
3. DDoS Attack Mitigation System
Benefits
1. Mitigation of DDoS and Web hacking as a whole
2. Agility to respond when the attacker changes the way they attack
3. Cost-efficiency through collaboration and automation