
Robin Hoods And Criminals


Published April 2012 - DoS, DDoS, Cyber Crime and What can be done.


  1. Cyber Security: Robin Hoods and Criminals
     Ziv Ichilov, DefensePro Product Manager, Radware
     ICTExpo Helsinki, April 2012
  2. Breaking News
     Anonymous has taken down the following this week:
     • Central Intelligence Agency (CIA)
     • Department of Justice (DOJ)
     • Federal Bureau of Investigation (FBI)
     • National Aeronautics and Space Administration (NASA)
     • Secret Intelligence Service (MI6)
  3. Agenda
     • DoS – What is it about?
     • 2011 DoS Attacks
     • Robin Hoods or Criminals
     • Protect Yourself – What is Missing?
     • Radware Attack Mitigation System
  4. Agenda (section divider): DoS – What is it about?
  5. DoS – Originators and Goals
     • Hacktivism (protestors) – gain public attention
     • Cyber crime (criminals)
       – Extortion
       – Business affairs – attacking the competition
       – Data theft – DoS as cover for a surreptitious attack
     • Cyber war – country-level attacks
       – Business / military intelligence
       – "Real" critical infrastructure paralysis
  6. DoS – Digital Sit-in or Crime?
     • Protest – the digital sit-in
       "A sit-in or sit-down is a form of direct action that involves one or more persons nonviolently occupying an area for a protest, often to promote political, social, or economic change." (Wikipedia)
       "There's no such thing as a DDoS attack. A DDoS is a protest, it's a digital sit-in. It is no different than physically occupying a space. It's not a crime, it's speech. Nothing was malicious, there was no malware, no Trojans. This was merely a digital sit-in. It is no different from occupying the Woolworth's lunch counter in the civil rights era." – Jay Leiderman (Sept 2011, TPM)
  7. DoS – How Does It Look?
     • Simple view – excessive or specially crafted traffic that misuses network, server or application resources, preventing legitimate traffic from reaching its destination and limiting the service provided. Generated by tools, humans or both; can be based on volume, rate or vulnerability exploitation.
     • Detailed view
       – Layer 3 floods – target the network equipment and the actual pipe capacity
       – Layer 4 floods – target the servers (physical or virtual) and their TCP/IP stack resources (connection state)
       – Layer 7 floods – target the real applications and services
  8. DoS – Effects
     • Direct effects
       – Embarrassing nuisance and inconvenience
       – Revenue and reputation loss
     • Side effects
       – Immediate data loss
       – Penetration of the organization
     • Long-term effects
       – Infection
       – Being involuntarily harnessed for future attacks
  9. Agenda (section divider): 2011 DoS Attacks
  10. Size Does Not Matter!
     • Most organizations may never experience an intense (high-volume) attack
     • Less intensive application attacks can cause more damage than network attacks
     • The impact of application flood attacks is much more severe than that of network flood attacks
     • 76% of the attacks surveyed were below 1 Gbps
  11. Network Attacks and Application Attacks Coexist (chart)
  12. Which Elements Are Bottlenecks for DDoS? (chart)
     • Internet link is saturated – 27% of the attacks
     • Stateful devices (firewalls, IPS, load balancers and similar devices that hold per-connection state) are vulnerable to DDoS – 36% of the attacks
  13. More Organizations Are Threatened by DoS (chart)
  14. Anonymous Attacks Grow (chart)
  15. Agenda (section divider): Robin Hoods or Criminals
  16. Robin Hoods or Criminals? – The Sony Example
     • Massive DoS attack took down the PlayStation Network for hours
     • Initiated after Sony filed a lawsuit against the hacker who broke the PS3 protection mechanism
     • During the attack, credit card data of millions of users was stolen
     • Anonymous involvement was partially denied
  17. Robin Hoods or Criminals? – Sic Semper Tyrannis
     • Long campaign against the Vatican web infrastructure
     • Started with a failed attempt to hack Vatican systems and databases
     • Continued as a massive DoS attack lasting for days, in repeating waves
  18. Robin Hoods or Criminals? – Russian Presidential Elections
     • During election time in Russia, first for the Duma and then for the Presidency, DDoS attacks hit protestors' blogs, party websites, reporting websites, etc.
     • "It can't be long before we observe a DDoS attack between two political parties based on one and the same botnet." – Eugene Kaspersky (blog)
  19. Robin Hoods or Criminals? – The Israeli Case
     • January 3rd – Saudi hacker 0xOmar leaks tens of thousands of Israeli credit card numbers and other sensitive personal information.
     • January 16th – 0xOmar and the pro-Palestinian "Nightmare" hacker group send an email to the Jerusalem Post threatening to attack the EL-AL website. The EL-AL, Tel-Aviv Stock Exchange, First International Bank of Israel and Discount Bank websites are attacked and are unavailable for hours.
     • January 17th – Israeli hacker group "IDF-Team" retaliates by attacking the Saudi and UAE stock exchange websites.
     • January 18th – More Israeli websites targeted: the Bank of Israel website is under attack.
  20. Robin Hoods or Criminals? – The Israeli Case (continued)
     • In the following weeks, dozens of Israeli websites were attacked by pro-Palestinian hacker groups
     • A cyber war emerged
  21. Robin Hoods or Criminals?
     "One man's terrorist is another man's freedom fighter." ?
     • DoS activity is considered illegal today in most of the world
     • DoS attacks are used as cover for launching surreptitious attacks
     • There are well-known examples of criminal hacktivism
  22. Agenda (section divider): Protect Yourself – What is Missing?
  23. What is Missing? – What We Have
     • Most DDoS/DoS attack types are known – network floods, SYN floods, GET floods, INVITE floods, etc.
     • Protection methodologies are known – rate limiting, blacklisting / blackholing, authentication (challenge), behavioral analysis, etc.
     • High-performance mitigation devices exist
  24. What is Missing? – What is Missing
     • Intelligence
       – In detection – taking application data into consideration
       – In identification of attackers – smart algorithms and authentication methods
       – In mitigation – real-time dynamic filtering
     • Capabilities
       – Dealing with new challenges – further analysis, secured (encrypted) traffic, etc.
       – Experienced human touch – for visibility and expertise
     • Cooperation
       – On-premises, always-on immediate detection (including layer 7)
       – In-the-cloud detection and mitigation for high-rate attacks (link saturation)
       – More than anti-DoS protection devices – WAF / NG-FW / IPS / etc.
  25. What is Missing? – Example
     • Israel attacks example – attacker distribution (chart)
     • Use of bots reduces the importance of Geo-IP filtering
  26. DDoS Attack Tools Become Prevalent
     • Public attacks: LOIC, Mobile LOIC, webLOIC
     • Inner-circle attacks
       – Network floods: UDP floods, SYN floods, fragmented floods, FIN+ACK floods
       – Application floods: dynamic HTTP floods, HTTPS floods, XerXes
       – Low & slow: Slowloris, Pyloris, R.U.D.Y.
       – Vulnerability based: intrusion attempts, SQL injections, #RefRef
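Slides 10, 23, 24 and 26 together make the deck's central technical point: a pure rate-limit catches a GET flood but is blind to a low & slow tool such as Slowloris, which holds many connections open with incomplete request headers at a tiny packet rate, so detection must also look at per-source connection behaviour (the "intelligence in detection" of slide 24). The following Python is an added example written for this page, not Radware code or output from any of the tools named on slide 26. The traffic is constructed inline (two legitimate browsers, one GET-flood source, one Slowloris-style source on RFC 5737 documentation addresses); the thresholds (50 requests per second, 20 stale connections older than 30 s) are illustrative assumptions, not recommended production values.

```python
"""Added example: rate-based vs. behavioural detection of DoS traffic.

Constructed sample traffic, not a real capture. Thresholds are illustrative.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float   # seconds since start of the (constructed) capture
    src: str    # client IP address
    conn: int   # connection id, unique per source
    kind: str   # "request": a complete HTTP request arrived on this connection
                # "partial": another fragment of a still-incomplete request header


def build_sample_traffic():
    """Constructed traffic mix covering the cases the slides describe."""
    events = []
    # Two legitimate browsers: 2 complete requests per second for 60 s.
    for ip in ("203.0.113.10", "203.0.113.11"):
        for i in range(120):
            events.append(Event(ts=i * 0.5, src=ip, conn=i, kind="request"))
    # HTTP GET flood (LOIC-style) from one source: 200 complete requests per second.
    for i in range(60 * 200):
        events.append(Event(ts=i / 200, src="198.51.100.7", conn=i, kind="request"))
    # Low & slow (Slowloris-style): 50 connections, each sends one header fragment
    # every 10 s and never completes a request. Total rate: 5 packets per second.
    for c in range(50):
        for k in range(6):
            events.append(Event(ts=k * 10.0 + c * 0.01, src="198.51.100.99",
                                conn=c, kind="partial"))
    events.sort(key=lambda e: e.ts)
    return events


def rate_limit_detect(events, window=1.0, threshold=50):
    """Sliding-window rate limit: flag a source that completes more than
    `threshold` requests within any `window` seconds (slide 23, 'rate limit')."""
    flagged = set()
    recent = defaultdict(deque)          # src -> timestamps inside the window
    for e in events:
        if e.kind != "request":
            continue                     # header fragments are not requests
        q = recent[e.src]
        q.append(e.ts)
        while q and q[0] <= e.ts - window:
            q.popleft()
        if len(q) > threshold:
            flagged.add(e.src)
    return flagged


def slow_connection_detect(events, now, min_open=20, min_age=30.0):
    """Behavioural check for low & slow attacks: flag a source holding at least
    `min_open` connections whose request header is still incomplete `min_age`
    seconds after the first fragment (slide 24, 'intelligence in detection')."""
    first_seen = {}                      # (src, conn) -> ts of first fragment
    completed = set()                    # (src, conn) that produced a request
    for e in events:
        key = (e.src, e.conn)
        if e.kind == "partial":
            first_seen.setdefault(key, e.ts)
        else:
            completed.add(key)
    stale_per_src = defaultdict(int)
    for (src, conn), ts in first_seen.items():
        if (src, conn) not in completed and now - ts >= min_age:
            stale_per_src[src] += 1
    return {src for src, n in stale_per_src.items() if n >= min_open}


if __name__ == "__main__":
    traffic = build_sample_traffic()
    print("rate limit flags:", rate_limit_detect(traffic))          # flood only
    print("slow-conn flags: ", slow_connection_detect(traffic, 60))  # slowloris only
```

The rate limiter flags only 198.51.100.7: the Slowloris source never completes a request, so its 5 packets per second look quieter than a legitimate browser. The connection-age check flags only 198.51.100.99, which is the point of slide 10: damage is not a function of bandwidth. R.U.D.Y. (slow POST bodies) would be caught by the same logic applied to incomplete request bodies instead of headers.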
  27. Agenda (section divider): Radware Attack Mitigation System
  28. Radware Attack Mitigation System (AMS)
  29. Radware End-to-End Mitigation Solution (diagram)
     • On-premises Attack Mitigation System at the customer site (NBA, Anti-DoS, IPS), protecting against:
       – Application DDoS attacks
       – SSL-based attacks
       – Low & slow attacks
     • In-the-cloud Anti-DoS service at the ISP core network, protecting against:
       – Volumetric bandwidth attacks (Internet link saturation)
  30. Thank you
     Ziv Ichilov, zivi@radware.com
     DefensePro Product Manager, Radware