Successfully reported this slideshow.

In the Line of Fire-the Morphology of Cyber Attacks


Published on

Dennis Ulse's Presentation from SecureWorld Expo Atlanta that discusses Availability-based threats; Attacks on U.S. banks and other popular attack patterns and trends.

Published in: Technology, News & Politics
  • Be the first to comment

  • Be the first to like this

In the Line of Fire-the Morphology of Cyber Attacks

  1. 1. Briefing on RecentAttacks and AttackTrendsDennis UsleSecurity Solutions ArchitectDennisU@Radware.comMay 2013Radware Confidential Jan 2012
  2. 2. AGENDAAvailability-based threatsAttacks on the US banksOther popular attack patterns & trends
  3. 3. 2001 20102005AttackRiskTime© 2011, Radware, Ltd.Blaster2003CodeRed2001Nimda(Installed Trojan)2001Slammer(Attacking SQL sites)2003Vandalism and PublicityStorm(Botnet)2007Agobot(DoS Botnet)Srizbi(Botnet)2007Rustock(Botnet)2007Kracken(Botnet)20092010IMDDOS(Botnet)Financially MotivatedMar 2011 DDoSWordpress.comBlending MotivesMar 2011Codero DDoS /TwitterGoogle / TwitterAttacks2009Republicanwebsite DoS2004Estonia’s Web SitesDoS2007Georgia Web sitesDoS 2008July 2009Cyber AttacksUS & KoreaDec 2010OperationPaybackMar 2011NetbotDDoSMar 2011OperationPayback II“Hacktivism”LulzSecSony, CIA, FBIPeru,ChileAttacker’s Change in Motivation & Techniques“Worms”DDoS“Blend”3
  4. 4. The Security TrinityIntegrityAvailabilityConfidentialitySecurity Confidentiality,a mainstream adaptation of the“need to know” principle of themilitary ethic, restricts theaccess of information to thosesystems, processes andrecipients from which thecontent was intended to beexposed.Security Integrityin its broadest meaning refersto the trustworthiness ofinformation over its entirelife cycle.Security Availabilityis a characteristic that distinguishes information objectsthat have signaling and self-sustaining processes fromthose that do not, either because such functions haveceased (outage, an attack), or else because they lack suchfunctions .
  5. 5. Availability Based AttacksSlide 5Availability-based ThreatsNetwork Floods(Volumetric)ApplicationFloodsLow-and-SlowSingle-packetDoS
  6. 6. 2012 Attack Motivation - ERT SurveySlide 6Radware Confidential Jan 2012
  7. 7. Radware ERT SurveySlide 7Radware Confidential Jan 2012
  8. 8. 2012 Target Trend - ERT SurveySlide 8Radware Confidential Jan 2012
  9. 9. Attacks Campaigns DurationSlide 9Radware Confidential Jan 2012
  10. 10. Attack Duration Requires IT to Develop New SkillsWar Room Skills Are RequiredSlide 10Radware Confidential Jan 2012
  11. 11. Main Bottlenecks During DoS Attacks - ERT SurveySlide 11Radware Confidential Jan 2012
  12. 12. Attacks Traverse CDNs (Dynamic Object Attacks)Slide 12Radware Confidential Jan 2012
  13. 13. AGENDA2012 Availability-based threatsAttacks on the US banksOther popular attack patterns & trends
  14. 14. Overview• What triggered the recent US attacks?• Who was involved in implementing the attacks and name of the operation?• How long were the attacks and how many attack vectors were involved?• How the attacks work and their effects.• How can we prepare ourselves in the future?Slide 14Radware Confidential Jan 2012
  15. 15. What triggered the attacks on the US banks?• Nakoula Basseley Nakoula (Alias- “Sam Bacile”), an Egyptian born US residentcreated an anti-Islamic film.• Early September the publication of the „Innocence of Muslims‟ film on YouTubeinvokes demonstrations throughout the Muslim world.• The video was 14 minutes though a full length movie was released.Slide 15Radware Confidential Jan 2012
  16. 16. Protests Generated by the MovieSlide 16Radware Confidential Jan 2012
  17. 17. The Cyber ResponseSlide 17Radware Confidential Jan 2012
  18. 18. Who is the group behind the cyber response?• A hacker group called “Izz as-Din al-Qassam Cyber fighters”.• Izz as-Din al-Qassam was a famous Muslim preacher who was a leader in thefight against the French, US and Zionist in the 1920‟s and 1930‟s.• The group claims not to be affiliated to any government or Anonymous.• This group claims to be independent, and it‟s goal is to defend Islam.Slide 18Radware Confidential Jan 2012
  19. 19. Operation Ababil launched!• “Operation Ababil” is the codename of the operation launched on September18th 2012, by the group Izz as-Din al-Qassam Cyber fighters• The attackers announced they would attack “American and Zionist targets.”• “Ababil” translates to “Swallow” from Persian. Until today the US thinks theIranian government may be behind the operation.• The goal of the operation is to have YouTube remove the anti-Islamic film fromits site. Until today the video has not been removed.Slide 19Radware Confidential Jan 2012
  20. 20. The AttackVectors and Tactics!Slide 20
  21. 21. Initial attack campaign in 2 phases• The attack campaign was split into 2 phases, a pubic announcement was made in each phase.• The attacks lasted 10 days, from the 18th until the 28th of September.• Phase 1 - Targets > NYSE, BOA, JP Morgan.• Phase 2 – Targets > Wells Fargo, US Banks, PNC.• Phase 3 - Targets > PNC, Fifth Third Bancorp, J.M.Chase, U.S.Bank, UnionBank, Bank ofAmerica, Citibank, BB&T and Capitalone.Slide 21Radware Confidential Jan 2012
  22. 22. Attack Vectors• 5 Attack vectors were seen by the ERT team during Operation Ababil.1. UDP garbage flood.2. TCP SYN flood.3. Mobile LOIC (Apache killer version.)4. HTTP Request flood.5. ICMP Reply flood. (*Unconfirmed but reported on.)6. Booters.*Note: Data is gathered by Radware as well as it‟s partners.Radware Confidential Jan 2012
  23. 23. BootersSlide 23A Booter is a tool used for taking down/booting offwebsites and servers.Booters introduce high volumetric (server based) attacksand slow-rate attack vectors as a one stop shop.
  24. 24. UDP Garbage Flood• Targeted the DNS servers of the organizations, also HTTP.• 1Gb + in volume.• All attacks were identical in content and in size (Packet structure).• UDP packets sent to port 53 and 80.• Customers attacked Sep 18th and on the 19th.Slide 24Radware Confidential Jan 2012
  25. 25. Tactics used in the UDP Garbage Flood• Internal DNS servers were targeted , at a high rate.• Web servers were also targeted, at a high rate.• Spoofed IP‟s (But kept to just a few, this is unusual.)• ~ 1Gbps.• Lasted more than 7 hours initially but still continues...Packet structureSlide 25Parameter Value Port 53 Value Port 80Packet size 1358 Bytes UnknownValue in Garbage ‘A’ (0x41) charactersrepeated“/http1”(x2fx68x74x74x70x31) - repetitiveRadware Confidential Jan 2012
  26. 26. DNS Garbage Flood packet extract• Some reports of a DNS reflective attack was underway seem to be incorrect.• The packets are considered “Malformed” DNS packets, no relevant DNSheader.Slide 26Radware Confidential Jan 2012
  27. 27. Attackers objective of the UDP Garbage Flood• Saturate bandwidth.• Attack will pass through firewall, since port is open.• Saturate session tables/CPU resources on any state -full device, L4 routingrules any router, FW session tables etc.• Returning ICMP type 3 further saturate upstream bandwidth.• All combined will lead to a DoS situation if bandwidth and infrastructure cannothandle the volume or packet processing.Slide 27Radware Confidential Jan 2012
  28. 28. TCP SYN Flood• Targeted Port 53, 80 and 443.• The rate was around 100Mbps with around 135K PPS.• This lasted for more than 3 days.Slide 28Radware Confidential Jan 2012
  29. 29. SYN Flood Packet extractSlide 29-All sources are spoofed.-Multiple SYN packets to port 443.Radware Confidential Jan 2012
  30. 30. Attackers objective of the TCP SYN Floods• SYN floods are a well known attack vector.• Can be used to distract from more targeted attacks.• The effect of the SYN flood if it slips through can devastate state-full devicesquickly. This is done by filling up the session table.• All state-full device has some performance impact under such a flood.• Easy to implement.• Incorrect network architecture will quickly have issues.Slide 30Radware Confidential Jan 2012
  31. 31. Mobile LOIC (Apache killer version)• Mobile LOIC (Low Orbit Iron Cannon) is a DDoS tool written in HTML andJavascript.• This DDoS Tool does an HTTP GET flood.• The tool is designed to do HTTP floods.• We have no statistics on the exact traffic of mobile LOIC.Slide 31*Suspected*SuspectedRadware Confidential Jan 2012
  32. 32. Mobile LOIC in a web browserSlide 32Radware Confidential Jan 2012
  33. 33. HTTP Request Flood• Between 80K and 100K TPS (Transactions Per second.)• Port 80.• Followed the same patterns in the GET request (Except for the Inputparameter.)• Dynamic user agent.Slide 33Radware Confidential Jan 2012
  34. 34. HTTP flood packet structure• Sources worldwide (True sources most likely hidden.)• User agent duplicated.• Dynamic Input parameters.GET Requests parametersSlide 34Radware Confidential Jan 2012
  35. 35. Attackers objective of the HTTP flood• Bypass CDN services by randomizing the input parameter and user agents.• Because of the double user agent there was an flaw in the programming behindthe attacking tool.• Saturating and exhausting web server resources by keeping session table andweb server connection limits occupied.• The attack takes more resources to implement than non connection orientatedattacks like TCP SYN floods and UDP garbage floods. This is because of theneed to establish a connection.Slide 35Radware Confidential Jan 2012
  36. 36. Identified locations of attacking IPsSlide 36Worldwide!Radware Confidential Jan 2012
  37. 37. AGENDA2012 Availability-based threatsAttacks on the us banksOthers 2012 popular attack patterns & trends
  38. 38. Availability-based Threats TreeSlide 38Availability-based ThreatsNetwork Floods(Volumetric)ApplicationFloodsLow-and-SlowSingle-packetDoSUPDFloodICMPFloodSYNFloodWebFloodDNS SMTPHTTPSRadware Confidential Jan 2012
  39. 39. Asymmetric AttacksSlide 39Radware Confidential Jan 2012
  40. 40. HTTP Reflection AttackSlideWebsite A Website B(Victim)AttackerHTTPGETRadware Confidential Jan 2012
  41. 41. Slideiframe, width=1, height=1search.phpHTTP Reflection Attack ExampleRadware Confidential Jan 2012
  42. 42. HTTPS – SSL Re Negotiation AttackSlide 42THC-SSL DoSTHC-SSL DOS was developed by a hacking group called The Hacker‟s Choice (THC), as a proof-of-concept to encourage vendors to patch a serious SSL vulnerability. THC-SSL-DOS, as with other“low and slow” attacks, requires only a small number of packets to cause denial-of-service for afairly large server. It works by initiating a regular SSL handshake and then immediately requestingfor the renegotiation of the encryption key, constantly repeating this server resource-intensiverenegotiation request until all server resources have been exhausted.Radware Confidential Jan 2012
  43. 43. Low & SlowSlide 43Availability-based ThreatsNetwork Floods(Volumetric)ApplicationFloodsLow-and-SlowSingle-packetDoSUPDFloodICMPFloodSYNFloodWebFloodDNS SMTPHTTPSLow-and-SlowRadware Confidential Jan 2012
  44. 44. Low & Slow• Slowloris• Sockstress• R.U.D.Y.• Simultaneous Connection SaturationSlide 44Radware Confidential Jan 2012
  45. 45. R.U.D.Y (R-U-Dead-Yet)Slide 45R.U.D.Y. (R-U-Dead-Yet?)R.U.D.Y. (R-U-Dead-Yet?) is a slow-rate HTTP POST (Layer 7) denial-of-service tool created by Raviv Raz andnamed after the Children of Bodom album “Are You Dead Yet?” It achieves denial-of-service by using long formfield submissions. By injecting one byte of information into an application POST field at a time and then waiting,R.U.D.Y. causes application threads to await the end of never-ending posts in order to perform processing (thisbehavior is necessary in order to allow web servers to support users with slower connections). Since R.U.D.Y.causes the target webserver to hang while waiting for the rest of an HTTP POST request, by initiatingsimultaneous connections to the server the attacker is ultimately able to exhaust the server‟s connection table andcreate a denial-of-service condition.Radware Confidential Jan 2012
  46. 46. SlowlorisSlide 46SlowlorisSlowloris is a denial-of-service (DoS) tool developed by the grey hat hacker “RSnake” that causes DoS by using a very slowHTTP request. By sending HTTP headers to the target site in tiny chunks as slow as possible (waiting to send the next tinychunk until just before the server would time out the request), the server is forced to continue to wait for the headers toarrive. If enough connections are opened to the server in this fashion, it is quickly unable to handle legitimate requests.Slowloris is cross-platform, except due to Windows’ ~130 simultaneous socket use limit, it is only effective from UNIX-basedsystems which allow for more connections to be opened in parallel to a target server (although a GUI Python version ofSlowloris dubbed PyLoris was able to overcome this limiting factor on Windows).Radware Confidential Jan 2012
  47. 47. Radware Security Products PortfolioSlide 47AppWallWeb Application Firewall (WAF)DefenseProNetwork & Server attack prevention deviceAPSolute VisionManagement and security reporting &compliance
  48. 48. Thank Youwww.radware.comRadware Confidential Jan 2012