Trends in Web Attacks Arthur Clune [email_address]

Talk Overview History of (web) attacks DDOS attacks and economics Botnets Phishing Why do we care about this anyway?

History of (web) attacks

DDOS attacks and economics

Botnets

Phishing

Why do we care about this anyway?

A Taxonomy Defacement Resource stealing Denial of Service/DDOS

Defacement

Resource stealing

Denial of Service/DDOS

History

Prehistory Before the web ftp (anonymous ftp uploads) gopher backdoors

Before the web

ftp (anonymous ftp uploads)

gopher

backdoors

Why? Curiosity Status ‘Fame’ Disk space was expensive!

Curiosity

Status

‘Fame’

Disk space was expensive!

Morris Worm 1988 Not web based! First self spreading worm

1988

Not web based!

First self spreading worm

Early Web Individual attacks Mainly motivated as before

Individual attacks

Mainly motivated as before

Trinoo/Stachledract 1999 First large scale DDOS tool University of York was among the victims!

1999

First large scale DDOS tool

University of York was among the victims!

Code Red/Nimbda 2001 Caused extensive problems (network traffic/instability) First really big worm

2001

Caused extensive problems (network traffic/instability)

First really big worm

SQLSlammer 2003 Attacked Microsoft SQL Server Fastest spreading worm ever How many of your web sites rely on a database?

2003

Attacked Microsoft SQL Server

Fastest spreading worm ever

How many of your web sites rely on a database?

Misc Stuff Also at this time: MS Frontpage extensions Edit your webpage remotely…oh, but so can other people.

Also at this time:

MS Frontpage extensions

Edit your webpage remotely…oh, but so can other people.

Digression Zone-h defacement archive demo

Zone-h defacement archive demo

Witty Worm 2003 First worm aimed directly at a web server MS IIS Followed by Sasser

2003

First worm aimed directly at a web server

MS IIS

Followed by Sasser

Moving to webapps First php worm - 2004 Attacked phpBB It’s now most common to attack applications not webservers themselves

First php worm - 2004

Attacked phpBB

It’s now most common to attack applications not webservers themselves

Pure web worms 2006 MySpace worm Spread only within MySpace profiles A ‘Web 2.0’ worm?

2006

MySpace worm

Spread only within MySpace profiles

A ‘Web 2.0’ worm?

Distributed Denial of Service ‘Nice website you’ve got there. Shame if anything happened to it’

DDOS - Why bother? It’s not about the frame Sometimes it’s about Money

It’s not about the frame

Sometimes it’s about Money

DDOS II How it works Targets Gambling Porn Anyone with money

How it works

Targets

Gambling

Porn

Anyone with money

Botnets 0wning the internet for fun and profit

Botnets Botnets are sets of machines, all controlled by a ‘bot herder’ Often machines are infected when visiting a website Largest botnet found so far had > 1,000,000 machines in it

Botnets are sets of machines, all controlled by a ‘bot herder’

Often machines are infected when visiting a website

Largest botnet found so far had > 1,000,000 machines in it

Botnet example Demo of botnet from UK Honeynet data

Demo of botnet from UK Honeynet data

Phishing There’s one born every minute

Phishing Different types: 401 scams Bank scams Some of these are very realistic Banks don’t always help themselves

Different types:

401 scams

Bank scams

Some of these are very realistic

Banks don’t always help themselves

Phishing 2 Example of a phishing attack from UK Honeynet data

Example of a phishing attack from UK Honeynet data

Am I bovered? Or, why this affects web managers

How have things changed? Attacks often less personal, but bigger DDOS attacks can be too big to resist Web servers valuable as a way of spreading exploit code It’s not about fame anymore, but money

Attacks often less personal, but bigger

DDOS attacks can be too big to resist

Web servers valuable as a way of spreading exploit code

It’s not about fame anymore, but money

How does this affect you? Reputational loss Potential for damages if you can’t show due care Copyright violations on your servers DDOS attacks against you

Reputational loss

Potential for damages if you can’t show due care

Copyright violations on your servers

DDOS attacks against you

What can we do? Follow best practice Occams razor - don’t multiply servers! Code audit/review/pen-testing Network design (DMZs, firewalls etc)

Follow best practice

Occams razor - don’t multiply servers!

Code audit/review/pen-testing

Network design (DMZs, firewalls etc)

Questions?