Shellshock and more: Case studies on DDoS attacks and mitigation strategies in Asia Pacific & Japan (APJ)

A comprehensive study on distributed denial of service (DDoS) attacks in Asia - from Prolexic/Akamai, the world’s largest and most trusted DDoS mitigation service provider. Get data and insights into the Asian security landscape, including the most common types of DDoS attacks, industries and protocols targeted, and attack origins. Case studies on the now infamous Shellshock attack and other notable botnets include analysis of attack patterns, PCAP samples, and successful mitigation strategies.

For more information, visit: www.akamai.com

1. Shellshock and more: Case studies on DDoS attacks and mitigation strategies in Asia Pacific & Japan (APJ)
Ashvini Singhal, Security Practice Manager
Clark Shishido, Security Researcher (CSIRT)
2. ©2014 AKAMAI | FASTER FORWARD™
Agenda
• Global Threat Landscape and Insights
• Security incidents in Q3
  • ShellShock
  • IptabLes/IptabLex
  • Large scale DDoS
• Case Studies
• APJ DDoS Trends Late 2014
• Q&A
3. Global View: Nature of DDoS Attacks
Types of DDoS attacks and their relative distribution.
• Infrastructure layer: 89.29% (SYN 25.73%, UDP fragment 13.41%, UDP floods 11.24%, DNS 8.11%, NTP 7.35%)
Source: PLXsert (Q2 2014)
4. Protocols Targeted
Top 5: WWW (HTTP), Microsoft DNS, Telnet, SSL (HTTPS), Microsoft SQL Server
Source: Akamai State of the Internet Report (Q2 2014)
5. DDoS Attacks by Geography and Sectors
By region: Americas 57%, Asia Pacific & Japan 25%, EMEA 18%
By industry: Enterprise 30%, Commerce 29%, High Tech 15%, Media & Entertainment 15%, Public sector 11%
Source: Akamai State of the Internet Report (Q2 2014)
6. Attack Sources
1. China, 2. Indonesia, 3. United States, 4. Taiwan, 5. India, 6. Russia, 7. Brazil, 8. South Korea, 9. Turkey, 10. Romania
Source: Akamai State of the Internet Report (Q2 2014)
7. Incidents observed in Q3
• ShellShock
• IptabLes/IptabLex
• Large scale DDoS
• Numerous application layer attacks on a daily basis (XSS, RFI, SQL injection etc.)
8. ShellShock
• A collection of vulnerabilities in Bash (the Bourne-again shell). Shellshock lives in the bash feature called "function importing": a function definition passed in an environment variable is parsed at startup, and pre-patch bash went on to execute whatever text followed the function body.
• Started with one CVE (CVE-2014-6271); grew to six related CVEs within a week.
• Attack payloads (as listed on the slide, truncated):
  () { :; }; /bin/ping
  () { :;} ; echo shellshock" `which bash`
  () { :;}; /bin/bash -c "cat /etc/shadow" NULL NULL
  () { :;}; /usr/bin/wget
• Attack tools became famous overnight:
  https://shellshock.detectify.com
  http://shellshock.brandonpotter.com
9. ShellShock
• Mitigations
  • WAFs can block '() {' – effective against the function import.
  • Stay up to date on patches.
  • Switch to an alternate shell.
  • For SSH servers: remove non-administrative users until the systems are patched.
  • For web applications: CGI functionality that calls a shell can be disabled entirely (short-term measure).
• Akamai customer mitigations
  • Custom WAF rule.
  • Customers using KRS (Kona Rule Set) are protected against some attacks by the Command Injection risk group.
  • SiteShield – against direct-to-origin attacks.
  • The Akamai platform blocks some of the attacks by default through HTTP normalization.
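The function-import check that the WAF mitigation above describes, as an added example (not code from the slides or from Akamai). It applies the strict rule bash itself used (a field value beginning with the exact four characters "() {") to the request fields a CGI handler exports into the environment, keeps a looser, URL-decoded pattern for alerting only, and runs the well-known local probe against the installed bash. The request dicts and header values are constructed for the demo; the strict/loose split and the names `inspect_request` and `bash_is_vulnerable` are this example's own.

```python
import re
import shutil
import subprocess
from urllib.parse import unquote

# Pre-patch bash imported any environment variable whose value starts with the
# exact four characters "() {" as a function definition, then kept parsing and
# executing whatever followed the closing brace. A CGI handler copies request
# fields into the environment verbatim (User-Agent -> HTTP_USER_AGENT,
# Cookie -> HTTP_COOKIE, raw query string -> QUERY_STRING), so those are the
# fields a WAF has to inspect.
STRICT_PREFIX = "() {"
# Loose form for alerting only: whitespace-tolerant, matched anywhere in the
# URL-decoded field. It also hits harmless text such as a JavaScript
# "function() {" inside a Referer, so it must not block on its own.
LOOSE_PATTERN = re.compile(r"\(\s*\)\s*\{")


def inspect_request(headers, query_string=""):
    """Return {'block': [...], 'suspect': [...]} naming the offending fields.

    headers: header name -> value, exactly as received (no decoding).
    query_string: the raw query string, as the CGI environment would carry it.
    """
    fields = {f"header:{name}": value for name, value in headers.items()}
    fields["query_string"] = query_string
    block, suspect = [], []
    for name, value in fields.items():
        if value.startswith(STRICT_PREFIX):
            block.append(name)                 # exactly what vulnerable bash imports
        elif LOOSE_PATTERN.search(unquote(value)):
            suspect.append(name)               # encoded variant or false positive
    return {"block": block, "suspect": suspect}


def bash_is_vulnerable(bash="bash"):
    """Run the canonical local probe against the installed bash.

    True if the text after the function body was executed, False if bash
    ignored it, None if no bash binary is available.
    """
    path = shutil.which(bash)
    if path is None:
        return None
    probe = subprocess.run(
        [path, "-c", "echo test"],
        env={"x": "() { :;}; echo vulnerable", "PATH": "/usr/bin:/bin"},
        capture_output=True, text=True, timeout=10,
    )
    return "vulnerable" in probe.stdout


if __name__ == "__main__":
    # Constructed requests; the payload shapes follow the ones listed on slide 8.
    attack = {"User-Agent": '() { :;}; /bin/bash -c "cat /etc/shadow"', "Accept": "*/*"}
    encoded_query = "%28%29%20%7B%20%3A%3B%7D%3B%20/usr/bin/wget"
    benign = {"User-Agent": "Mozilla/5.0",
              "Referer": "https://example.test/?cb=function() {"}
    print(inspect_request(attack))                          # block: header:User-Agent
    print(inspect_request({"User-Agent": "Mozilla/5.0"}, encoded_query))  # suspect: query_string
    print(inspect_request(benign))                          # suspect: header:Referer
    print("local bash vulnerable:", bash_is_vulnerable())
```

The split matters in practice: an encoded "() {" in the query string never reaches bash in importable form, so it is evidence of scanning rather than a working exploit, while the strict prefix on a header is what a CGI-backed server would actually execute.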
10. IptabLes/IptabLex
• A new botnet surfaced with command and control in Asia, linked to two hardcoded IP addresses in China.
• Causes volumetric DDoS attacks by executing DNS and SYN flood attacks.
• Spreads by compromising Linux-based web servers, using exploits for Apache Struts, Tomcat and Elasticsearch vulnerabilities.
• Indicators:
  • Slow network.
  • Presence of a Linux ELF binary that creates a copy of itself named .IptabLes or .IptabLex: /boot/.IptabLes and /boot/.IptabLex
• Infects popular Linux distributions such as Debian, Ubuntu, CentOS and Red Hat.
• Mitigation – server hardening, anti-virus, rate control.
• Akamai mitigation – Akamai PLXsert has created a YARA rule to detect the infection and a bash command to clean it.
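A host check for the filesystem indicators listed on this slide, as an added example; it is not the PLXsert YARA rule or cleanup command, neither of which is reproduced here. It looks under /boot for the two named dotfiles and, more generally, for any hidden file carrying the ELF magic, so a renamed copy is still reported. The throwaway sample root and the names `scan_boot` and `build_sample_root` are constructed for the demo.

```python
import stat
import tempfile
from pathlib import Path

# Filesystem indicators named on the slide: the bot drops a copy of its ELF
# binary as a dotfile under /boot. The two known names are matched exactly;
# any other hidden file under /boot that starts with the ELF magic is reported
# as well, so a renamed copy does not slip through.
KNOWN_NAMES = (".IptabLes", ".IptabLex")
ELF_MAGIC = b"\x7fELF"


def is_elf(path):
    try:
        with path.open("rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def scan_boot(root):
    """Return one record per suspicious hidden file under <root>/boot.

    root is the filesystem root to inspect: Path("/") for the live host, or the
    mount point of an offline image. Each record lists the indicators matched.
    """
    root = Path(root)
    boot = root / "boot"
    findings = []
    if not boot.is_dir():
        return findings
    for path in sorted(boot.rglob(".*")):          # hidden files only
        if not path.is_file():
            continue
        reasons = []
        if path.name in KNOWN_NAMES:
            reasons.append("known-name")
        if is_elf(path):
            reasons.append("hidden-elf")
        if reasons:
            findings.append({"path": path.relative_to(root).as_posix(),
                             "reasons": reasons,
                             "executable": bool(path.stat().st_mode & stat.S_IXUSR)})
    return findings


def build_sample_root(infected=True):
    """Construct a throwaway root directory for the demo (no real malware)."""
    root = Path(tempfile.mkdtemp(prefix="iptables-bot-demo-"))
    boot = root / "boot"
    boot.mkdir()
    (boot / "vmlinuz-3.13.0").write_bytes(ELF_MAGIC + b"kernel image, not hidden")
    (boot / ".config-backup").write_text("plain-text dotfile, not an ELF\n")
    if infected:
        dropper = boot / ".IptabLes"
        dropper.write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 64)
        dropper.chmod(0o755)
    return root


if __name__ == "__main__":
    print(scan_boot(build_sample_root()))                  # one hit: boot/.IptabLes
    print(scan_boot(build_sample_root(infected=False)))    # []
```

On a live host, pair this with the network indicator the slide gives (unexplained outbound DNS and SYN volume) rather than relying on file names alone, since the names are trivially changed by the operator.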
11. Large Scale DDoS
• APJ is becoming the biggest target for the largest-scale DDoS attacks.
• Volume
  • 2012 – a 25 Gbps attack was not very common.
  • 2014 – a 350 Gbps attack is common and absolutely fatal to any organization.
• Attacks are heavily distributed in nature; it is difficult to block a specific source.
• More than 40 percent of all Q2 2014 DDoS attacks were initiated from Asia-Pacific countries.
• Cloud platforms such as Akamai are effective at blocking such large-scale attacks.
12. Large Scale DDoS (Case Study 1 – Major Stock Exchange in APJ)
• Attack continued for 4 full days in August 2014.
• The stock exchange's main domain was targeted with 21 billion requests and a cumulative bandwidth of ~19 TB.
• Distributed, with attack traffic originating from over 50 countries.
13. Large Scale DDoS (Case Study 1 – Major Stock Exchange in APJ)
• Distributed, with attack traffic originating from over 50 countries.
• Full attack blocked by rate controls and a bot rule group blocking curl/wget requests.
14. Case Study 1 – Technical Details
Multiple attack vectors
• SYN flood against ports 80 & 443
• Cache busting: www.$CUST.com/$staticstring/search.jsp?q=a
• User-Agents:
  User-Agent: Wget/1.12 (linux-gnu)
  User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
15. Case Study 1 – Security Monitor (screenshot only)
16. Case Study 1 – Geographic Distribution
Attack origins: USA, Germany, France, Italy, Netherlands, United Kingdom, Canada, China, Poland, Romania, Spain, Brazil, Japan, Sweden, Turkey, Finland, Belgium, Czech Republic, Hungary, Portugal, Costa Rica, Russian Federation, Greece, India, Lithuania, Slovenia, Nicaragua, Austria, Azerbaijan, Thailand, Australia, Ghana, Hong Kong, Switzerland, Latvia, Norway, Serbia, Bulgaria, Croatia, Denmark, Iran, Ukraine, Kyrgyzstan, Argentina, Kenya, Trinidad and Tobago, Algeria, Ireland, Singapore
17. Case Study 1 – Attack Profile
• Attack spanning 4 days: between 18th and 22nd August 2014
• The domain was targeted with ~21 billion requests
• Edge bandwidth utilization during these 4 days reached ~17.5 TB
• This attack was highly distributed, with requests originating from over 50 countries
• Blocked by rate controls and an application layer rule to detect wget/curl requests
18. Large Scale DDoS (Case Study 2 – Gaming customer in APJ)
• Attack targeted a gaming website in China.
• Attackers persisted for over 2 weeks and attempted a DDoS every second day.
• Over 19 billion hits, with cumulative bandwidth utilization of ~20 TB.
19. Large Scale DDoS (Case Study 2 – Gaming customer in APJ)
• 99% of attack traffic originated from Asia.
• Attack patterns
  • Specific User-Agents (bots, older browsers)
  • Attacking base pages with randomized query string parameters
• Mitigation
  • Rate controls
  • IP blocks
  • Custom rules for specific signatures
  • WAF application layer rules
Source breakdown (pie chart): China 90%, Taiwan and Vietnam 2-3% each, South Korea 2%, Hong Kong 1%, Malaysia 1%, Morocco <1%
20. Case Study 2 – Gaming Microtransactions
Multiple attack vectors
• Flood of empty DNS requests
• SYN attacks to ports 80/443
• Cache busting: GET requests for / and /images/bg.gif?=<query>
• Spoofed User-Agents:
  User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
  User-Agent: Mozilla/4.0
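Detection logic for the application-layer patterns shared by case studies 1 and 2 (tool User-Agents such as Wget and curl, a spoofed Baiduspider User-Agent, cache busting of one path with randomized query strings, and a per-source rate threshold), as an added example run over constructed Apache combined-format log lines. It is not Akamai's rate control or bot rule implementation. The thresholds, the 60-second window, the sample IPs and the stand-in reverse-DNS table are assumptions; the crawler check follows the usual practice of confirming that a self-declared Baiduspider resolves back under baidu.com.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed access-log lines (Apache combined format). The User-Agents and
# cache-busting URL shapes copy the ones shown on slides 14 and 20.
SAMPLE_LOG = """\
198.51.100.10 - - [18/Aug/2014:09:15:01 +0800] "GET /x9k2/search.jsp?q=a HTTP/1.1" 200 4312 "-" "Wget/1.12 (linux-gnu)"
198.51.100.10 - - [18/Aug/2014:09:15:01 +0800] "GET /x9k2/search.jsp?q=b HTTP/1.1" 200 4312 "-" "Wget/1.12 (linux-gnu)"
198.51.100.10 - - [18/Aug/2014:09:15:02 +0800] "GET /x9k2/search.jsp?q=c HTTP/1.1" 200 4312 "-" "Wget/1.12 (linux-gnu)"
198.51.100.10 - - [18/Aug/2014:09:15:02 +0800] "GET /x9k2/search.jsp?q=d HTTP/1.1" 200 4312 "-" "Wget/1.12 (linux-gnu)"
198.51.100.10 - - [18/Aug/2014:09:15:03 +0800] "GET /x9k2/search.jsp?q=e HTTP/1.1" 200 4312 "-" "Wget/1.12 (linux-gnu)"
198.51.100.10 - - [18/Aug/2014:09:15:03 +0800] "GET /x9k2/search.jsp?q=f HTTP/1.1" 200 4312 "-" "Wget/1.12 (linux-gnu)"
203.0.113.7 - - [18/Aug/2014:09:15:04 +0800] "GET /images/bg.gif?=7f3a HTTP/1.1" 200 912 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
203.0.113.7 - - [18/Aug/2014:09:15:04 +0800] "GET /images/bg.gif?=c41d HTTP/1.1" 200 912 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
203.0.113.7 - - [18/Aug/2014:09:15:05 +0800] "GET /images/bg.gif?=0be2 HTTP/1.1" 200 912 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
192.0.2.33 - - [18/Aug/2014:09:15:05 +0800] "GET /index.html HTTP/1.1" 200 2201 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
192.0.2.50 - - [18/Aug/2014:09:15:06 +0800] "GET /index.html HTTP/1.1" 200 2201 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/37.0 Safari/537.36"
192.0.2.50 - - [18/Aug/2014:09:15:06 +0800] "GET /images/bg.gif HTTP/1.1" 200 912 "http://www.example.test/index.html" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/37.0 Safari/537.36"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TOOL_UA = re.compile(r"^(Wget|curl)/", re.I)       # the application-layer rule from case study 1
CRAWLER_UA = re.compile(r"Baiduspider", re.I)
RATE_LIMIT = 5          # requests per source per 60 s window (demo threshold, assumption)
CACHE_BUST_MIN = 3      # distinct query strings for one path from one source in a window

# Stand-in for reverse DNS (assumption for the demo): a genuine Baidu crawler
# resolves back under baidu.com; a spoofed one resolves elsewhere or not at all.
FAKE_RDNS = {"192.0.2.33": "baiduspider-1.crawl.baidu.com"}


def parse(log_text):
    """Yield one dict per well-formed line, with a 60 s window key attached."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            ts = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rec["window"] = ts.replace(second=0)
            yield rec


def classify(log_text, rdns=FAKE_RDNS.get):
    """Return {source_ip: sorted reasons} for every source that trips a rule."""
    per_window = defaultdict(int)      # (ip, window) -> request count
    queries = defaultdict(set)         # (ip, window, path) -> distinct query strings
    reasons = defaultdict(set)
    for rec in parse(log_text):
        ip, win = rec["ip"], rec["window"]
        per_window[(ip, win)] += 1
        url = urlsplit(rec["target"])
        if url.query:
            queries[(ip, win, url.path)].add(url.query)
        if TOOL_UA.search(rec["ua"]):
            reasons[ip].add("tool-ua")
        if CRAWLER_UA.search(rec["ua"]):
            host = rdns(ip) or ""
            if not host.endswith(".baidu.com"):
                reasons[ip].add("spoofed-crawler")
    for (ip, _win), count in per_window.items():
        if count > RATE_LIMIT:
            reasons[ip].add("rate-limit")
    for (ip, _win, path), qs in queries.items():
        if len(qs) >= CACHE_BUST_MIN:
            reasons[ip].add(f"cache-busting:{path}")
    return {ip: sorted(r) for ip, r in reasons.items()}


if __name__ == "__main__":
    for ip, why in classify(SAMPLE_LOG).items():
        print(ip, why)
```

The cache-busting rule keys on the path, not the full URL, which is the point of the attack pattern on both slides: every request is for the same base page or image, only the query differs, so a per-URL cache hit counter sees nothing unusual while a per-path distinct-query counter does.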
21. Case Study 2 – DNS Traffic Spike (chart only)
22. Case Study 2 – PCAP sample
14:42:24.220078 IP xx.xx.xx.xx.63266 > xxx.xxx.xx.xx.80: Flags [S], seq 1874991005:1874992216, win 61045, length 1211
0x0000:  0065 0800 4500 04e3 9d17 4000 f606 c5a6  .e..E.....@.....
0x0010:  175c 4b5d 728d 4810 f722 0050 6fc2 179d  .K]r.H..".Po...
0x0020:  0000 0000 5002 ee75 2089 0000 0000 0000  ....P..u........
0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x0060:  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x0070:  0000 0000 0000 0000 0000 0000 0000 0000  ................
23. Case Study 3 – DDoS in APJ
Attack profile
• Deny access to a political website with a DNS flood
• Brute force
• No spoofing
• Waves of attacks
24. Case Study 3 – Geographic Distribution
CN BEIJING, US ASHBURN, US CHICAGO, DE FRANKFURT, CN LHASA, CN GUANGZHOU, CN BEIJING, CN SHANGHAI, HK HONGKONG, CN HANGZHOU, CN GUANGZHOU, NL AMSTERDAM, CN GUANGZHOU, NL AMSTERDAM, FR TOULOUSE, NL AMSTERDAM, US SCOTTSDALE, RU MOSCOW, GB LONDON, CN SHANGHAI, CN SHANGHAI, US ASHBURN, DE FRANKFURT, US SANJOSE, US DALLAS, JP OSAKA, US MIAMI, DE FRANKFURT
25. Case Study 3 – PCAP Sample
15:46:43.702607 IP 67.xxx.xxx.xx8 > 184.yy.yyy.yy: ip-proto-255 1052
0x0000:  4500 0430 056d 0000 7aff 89f2 43c6 b812  E..0.m..z...C...
0x0010:  b855 f841 4500 041c 0000 0000 8011 0000  .U.AE...........
0x0020:  386b 2335 b855 f841 1fab 0050 0408 0000  8k#5.U.A...P....
0x0030:  4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0x0040:  4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0x0050:  4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
... (more of the same; 1052 bytes of IP payload)
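A decoder for the two tcpdump hex dumps on slides 22 and 25, as an added example that is not part of the original deck. It recovers the IPv4 header (searching for it, since the first sample carries four bytes of link-layer residue ahead of the header), verifies the header checksum, and reports what makes each packet anomalous: the first is a SYN segment carrying a 1211-byte payload, the second is an IP packet with the reserved protocol number 255 whose payload is itself an IPv4/UDP header addressed to port 80 with an invalid IP header checksum. Only the hex columns the slides show are embedded, so both samples are truncated prefixes of the packets tcpdump reports; the names `analyse` and `find_ipv4` are this example's own.

```python
import re
import struct

# Hex columns copied from the tcpdump samples on slides 22 and 25 (ASCII column
# dropped). Only the lines shown on the slides are embedded, so each dump is a
# truncated prefix of the packet length tcpdump reports.
SYN_DUMP = """
0x0000: 0065 0800 4500 04e3 9d17 4000 f606 c5a6
0x0010: 175c 4b5d 728d 4810 f722 0050 6fc2 179d
0x0020: 0000 0000 5002 ee75 2089 0000 0000 0000
0x0030: 0000 0000 0000 0000 0000 0000 0000 0000
"""
PROTO255_DUMP = """
0x0000: 4500 0430 056d 0000 7aff 89f2 43c6 b812
0x0010: b855 f841 4500 041c 0000 0000 8011 0000
0x0020: 386b 2335 b855 f841 1fab 0050 0408 0000
0x0030: 4141 4141 4141 4141 4141 4141 4141 4141
"""
TCP_FLAG_SYN = 0x002
HEX_WORD = re.compile(r"(?:[0-9a-fA-F]{2}){1,2}")


def hexdump_to_bytes(dump):
    """Turn tcpdump -x lines ("0xNNNN: hhhh hhhh ... [ascii]") into bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _offset, _, rest = line.partition(":")
        words = []
        for tok in rest.split():
            if len(words) == 8 or not HEX_WORD.fullmatch(tok):
                break                              # end of the 16-byte hex column
            words.append(tok)
        out += bytes.fromhex("".join(words))
    return bytes(out)


def ipv4_checksum_ok(data, off, ihl):
    """One's-complement sum over the header, checksum field included, folds to 0xFFFF."""
    total = sum((data[i] << 8) | data[i + 1] for i in range(off, off + ihl, 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_ipv4(data, off):
    if off + 20 > len(data):
        raise ValueError("truncated")
    vihl, _tos, total, _id, _frag, ttl, proto, _csum = struct.unpack_from("!BBHHHBBH", data, off)
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or off + ihl > len(data):
        raise ValueError("not an IPv4 header")
    return {"ihl": ihl, "total_length": total, "ttl": ttl, "protocol": proto,
            "checksum_ok": ipv4_checksum_ok(data, off, ihl)}


def find_ipv4(data):
    """Offset of the first bytes that parse as an IPv4 header with a valid checksum.

    Sample 1 has four bytes of link-layer residue ahead of the IP header, so the
    header is searched for rather than assumed at offset 0.
    """
    for off in range(max(0, len(data) - 19)):
        try:
            if parse_ipv4(data, off)["checksum_ok"]:
                return off
        except ValueError:
            continue
    raise ValueError("no IPv4 header found")


def analyse(dump):
    """Return a list of anomaly strings for one hex dump."""
    data = hexdump_to_bytes(dump)
    off = find_ipv4(data)
    ip = parse_ipv4(data, off)
    l4 = off + ip["ihl"]
    findings = []
    if ip["protocol"] == 6 and l4 + 14 <= len(data):           # TCP
        _sport, dport, _seq, _ack, off_flags = struct.unpack_from("!HHIIH", data, l4)
        tcp_hdr = (off_flags >> 12) * 4
        payload = ip["total_length"] - ip["ihl"] - tcp_hdr
        if off_flags & 0x1FF == TCP_FLAG_SYN and payload > 0:  # a normal client SYN carries no data
            findings.append(f"syn-with-payload:{payload}:dport={dport}")
    elif ip["protocol"] not in (1, 6, 17):                      # not ICMP/TCP/UDP
        findings.append(f"reserved-protocol:{ip['protocol']}")
        try:                                                    # slide 25's payload is itself IPv4/UDP
            inner = parse_ipv4(data, l4)
        except ValueError:
            return findings
        udp_off = l4 + inner["ihl"]
        if inner["protocol"] == 17 and udp_off + 8 <= len(data):
            _sp, dport, ulen, _csum = struct.unpack_from("!HHHH", data, udp_off)
            findings.append(f"encapsulated-udp:dport={dport}:len={ulen}")
        if not inner["checksum_ok"]:
            findings.append("encapsulated-ipv4-bad-checksum")
    return findings


if __name__ == "__main__":
    for name, dump in (("slide 22", SYN_DUMP), ("slide 25", PROTO255_DUMP)):
        print(name, analyse(dump))
```

Both findings are cheap to turn into filter rules at the edge: a SYN whose IP total length exceeds the header sizes has no legitimate client source on a 2014 network stack, and IP protocol 255 is reserved and can be dropped outright, which is why the slide's "no spoofing, brute force" traffic is simpler to mitigate than reflected floods.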
26. APJ DDoS Trends Late 2014
2014 Q1-Q2 to 2014 Q2-Q3
• Brute force attacks (more in APJ)
• Less spoofing
• Multiple attack vectors
• Managed botnets
• Multiple waves
• Changing tactics
27. Questions and Answers
sales-singapore@akamai.com
+65 6593 8717