With cyber-attacks becoming a growing concern for organizations, availability-based attacks, also known as Denial of Service or Distributed Denial of Service attacks, have long moved from a form of cyber protest to a destructive weapon that is used by cyber criminals, hacktivists and even governments.
In 2013 we saw growing use of a new type of attack in which attackers used legitimate transactions to saturate application servers’ resources. In this presentation, security expert Werner Thalmeier demonstrates how such an advanced attack can be launched from a laptop on an anonymous public WiFi network. He also evaluates the attack landscape and its impact on organizations, and shares best practices for protecting against such cyber-attacks.
Understand the current availability-based threat landscape and learn about new types of cyber-attacks that are being used to saturate resources. For more information on the state of Application and Network Security, please visit: http://www.radware.com/ert-report-2013/
The Art of Cyber War: Sun Tzu's Tactics Applied to Modern Network Defense
1. The Art of Cyber War
Werner Thalmeier – Security Evangelist
2. The Art of War is an ancient Chinese military treatise attributed to Sun Tzu,
a high-ranking military general, strategist and tactician. It is commonly
known to be the definitive work on military strategy and tactics, and for the
last two thousand years has remained the most important military
dissertation in Asia. It has had an influence on Eastern and Western military
thinking, business tactics, legal strategy and beyond. Leaders as diverse as
Mao Zedong and General Douglas MacArthur have drawn inspiration from
the work.
Many of its conclusions remain valid today in the cyber warfare era.
孫子兵法 (The Art of War)
3. 知彼知己,百戰不殆
If you know the enemy and know yourself, you need not fear the result of a hundred battles.
Notable DDoS Attacks in the Last 12 Months
4. Variation of Tactics 九變
The Army on the March 行軍
Illusion & Reality 虛實
The Use of Intelligence 用間
Laying Plans 始計
5. Attackers Deploy Multi-vulnerability Attack Campaigns
Diagram: attack vectors placed along the path Internet Pipe, Firewall, IPS/IDS, ADC, Attacked Server, SQL Server, grouped by layer as drawn on the slide:
• Volumetric attacks (high bandwidth or PPS): network flood attacks, network scan
• Network & stateful attacks: SYN floods, SSL floods, “Low & Slow” DoS attacks (e.g. Sockstress)
• Application attacks: HTTP floods, brute force, app misuse, SQL injection, cross-site scripting, intrusions
More than 50% of 2013 attack campaigns had more than 5 attack vectors.
Source: Radware 2013 ERT Report
6. Hacktivism – Move To Campaign-APT Oriented
• Complex: More than seven different attack vectors at once
• Blending: Both network and application attacks
• Target-eering: Select the most appropriate target and attack tools
• Resourcing: Advertise, invite, coerce anyone capable
• Testing: Perform short “proof-firing” prior to the attack
• Timeline: Establish the most painful time period for the victim
7. Sophistication
Timeline as drawn on the slide:
• 2010 – Attack target: Visa, MasterCard – Duration: 3 days – 4 attack vectors
• 2011 – Attack target: HKEX – Duration: 3 days – 5 attack vectors
• 2012 – Attack target: Vatican – Duration: 20 days – More than 7 attack vectors
• 2013 – Attack target: US Banks – Duration: 7 months – Multiple attack vectors
故善战者,立于不败之地
The good fighters of old first put themselves beyond the possibility of defeat.
8. The Threat Landscape
• DDoS is the most common attack method.
• Attacks last longer.
• Government and Financial Services are the most attacked sectors.
• Multi-vector trend continues.
9. You don’t control all of your critical business systems.
Understand your vulnerabilities in the distributed, outsourced world.
没有战略,战术是之前失败的噪音
Without strategy, tactics are the noise before defeat.
漏洞
Vulnerability
10. Variation of Tactics 九變
The Army on the March 行軍
Illusion & Reality 虛實
The Use of Intelligence 用間
Laying Plans 始計
11. Individual Servers (1998 - 2002)
Malicious software installed on hosts and servers (mostly located at Russian and east European universities), controlled by a single entity by direct communication.
Examples: Trin00, TFN, Trinity
Botnets (1998 - Present)
Stealthy malicious software installed mostly on personal computers without the owner’s consent; controlled by a single entity through indirect channels (IRC, HTTP).
Examples: Agobot, DirtJumper, Zemra
Voluntary Botnets (2010 - Present)
Many users, at times part of a Hacktivist group, willingly share their personal computers, using predetermined and publicly available attack tools and methods, with an optional remote control channel.
Examples: LOIC, HOIC
New Server-based Botnets (2012)
Powerful, well orchestrated attacks, using a geographically spread server infrastructure. Few attacking servers generate the same impact as hundreds of clients.
不戰而屈人之兵,善之善者也
To subdue the enemy without fighting is the acme of skill.
12. R.U.D.Y.
• Exploits a design weakness that became public in Nov 2010
• A slow rate attack tool that can cause DoS with a relatively low amount of generated traffic
• Instead of sending the entire HTTP POST request at once, it sends one byte every 10 seconds, making the connection last forever. It does this in parallel, again and again, over numerous connections until the server’s resources are exhausted.
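The defensive counterpart to the slow-POST pattern described above is a limit on how a request body may arrive. The following Python model is an added example, not Radware’s code and not the tool itself: it replays constructed connection traces through a server that enforces a body idle timeout and a minimum body transfer rate, and shows that the trickling connections are released while a slow but steady legitimate upload completes. Connection names, timings and thresholds are assumptions.

```python
from dataclasses import dataclass


@dataclass
class BodyPolicy:
    """Limits on how an HTTP request body may arrive over one connection (assumed values)."""
    idle_timeout_s: float = 5.0   # longest allowed gap between two body chunks
    min_rate_bps: float = 100.0   # lowest allowed average body throughput (bytes/s)
    grace_s: float = 8.0          # connection age before the rate rule is applied


@dataclass
class Conn:
    conn_id: str
    content_length: int   # declared Content-Length of the POST body
    opened_at: float
    last_chunk_at: float
    received: int = 0
    status: str = "open"


def _enforce(conns, now, policy):
    """Close every open connection that violates the policy at time `now`."""
    for c in conns.values():
        if c.status != "open":
            continue
        age = now - c.opened_at
        if now - c.last_chunk_at > policy.idle_timeout_s:
            c.status = "closed: body idle timeout"
        elif age > policy.grace_s and c.received / age < policy.min_rate_bps:
            c.status = "closed: body rate below minimum"


def replay(events, policy, now):
    """Replay (time, kind, conn_id, n) events, kind 'open' (n = Content-Length)
    or 'data' (n = body bytes), and return each connection's final status.
    policy=None models a server that reads bodies with no limits at all."""
    conns = {}
    for t, kind, cid, n in sorted(events, key=lambda e: e[0]):
        if policy is not None:
            _enforce(conns, t, policy)
        if kind == "open":
            conns[cid] = Conn(cid, n, t, t)
        else:
            c = conns[cid]
            if c.status != "open":
                continue              # already dropped; later bytes are ignored
            c.received += n
            c.last_chunk_at = t
            if c.received >= c.content_length:
                c.status = "complete"
    if policy is not None:
        _enforce(conns, now, policy)  # final sweep at the observation time
    return {cid: c.status for cid, c in conns.items()}


def slots_held(statuses):
    """Connections still occupying a worker/socket slot."""
    return sum(1 for s in statuses.values() if s == "open")


def slow_post(cid, start, interval_s, chunks, content_length):
    """Constructed trace: a POST that declares a large body, then trickles
    one byte every `interval_s` seconds (the pattern described on the slide)."""
    ev = [(start, "open", cid, content_length)]
    ev += [(start + interval_s * i, "data", cid, 1) for i in range(1, chunks + 1)]
    return ev


# Constructed sample traffic (not captured data)
SAMPLE_EVENTS = (
    slow_post("rudy-1", 0.0, 10.0, 5, 1_000_000)      # 1 byte / 10 s
    + slow_post("rudy-2", 0.0, 4.0, 12, 1_000_000)    # 1 byte / 4 s: stays under the idle timer alone
    + [(0.0, "open", "legit-fast", 2000), (0.3, "data", "legit-fast", 2000)]
    + [(1.0, "open", "legit-mobile", 15000)]
    + [(1.0 + i, "data", "legit-mobile", 1500) for i in range(1, 11)]  # slow but steady upload
)

if __name__ == "__main__":
    for label, pol in (("no limits", None), ("with policy", BodyPolicy())):
        result = replay(SAMPLE_EVENTS, pol, now=60.0)
        print(label, result, "slots held:", slots_held(result))
```

The two rules are deliberately separate: the idle timer alone is beaten by a client that sends a byte just inside the timeout, which is why the minimum-rate rule (judged only after a short grace period, so a legitimate client that needs a moment before its first body byte is not cut off) is the one that frees the second trickling connection. These are the same controls that production servers expose for request bodies, for instance Apache’s mod_reqtimeout.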
13. 兵者 詭道也
All warfare is based on deception.
Tool: Kill ‘em All 1.0
• Harnesses techniques such as Authentication Bypass, HTTP redirect, HTTP cookie and JavaScript
• True TCP behavior, believable and random HTTP headers, JavaScript engine, random payload, tunable post authentication traffic model
• Defeats current anti-DDoS solutions that detect malformed traffic, traffic profiling, rate limiting, source verification, JavaScript and CAPTCHA-based authentication mechanisms
• Creators allege that the tool is technically indistinguishable from legitimate human traffic
Tested: Arbor PeakFlow TMS, Akamai, Cloudflare, NSFocus Anti-DDoS System
16. 行軍: Operation Ababil
Battlefield: U.S. Commercial Banks
Cause: Elimination of the film “Innocence of Muslims”
Battle: Phase 4 of a major multi-phase campaign – Operation Ababil – that commenced during the week of July 22nd. Primary targets included: Bank of America, Chase Bank, PNC, Union Bank, BB&T, US Bank, Fifth Third Bank, Citibank and others.
Attackers: Cyber Fighters of Izz ad-Din al-Qassam
Result: Major US financial institutions impacted by intensive and protracted Distributed Denial of Service attacks.
17. 行軍: Operation Ababil
Massive TCP and UDP flood attacks:
• Targeting both Web servers and DNS servers. Radware Emergency Response Team tracked and mitigated attacks of up to 25Gbps against one of its customers. Source appears to be the Brobot botnet.
DNS amplification attacks:
• Attacker sends queries to a DNS server with a spoofed source address that identifies the target under attack. Large replies from the DNS servers, usually so big that they need to be split over several packets, flood the target.
HTTP flood attacks:
• Cause web server resource starvation due to an overwhelming number of page downloads.
Encrypted attacks:
• SSL based HTTPS GET requests generate a major load on the HTTP server by consuming 15x more CPU in order to process the encrypted attack traffic.
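The DNS amplification description above has a simple detection signature from the victim’s side: a host receives large DNS responses it never asked for, from many resolvers at once. The following Python detector is an added example, not Radware’s code and not anything from the campaign: it summarises constructed UDP/53 flow records per local host and flags the reflection victim both in the clean case (responses with no queries at all) and in the general case (the victim also has a little real DNS traffic, so only the response-to-query byte ratio gives it away). Addresses, sizes and thresholds are assumptions.

```python
from collections import defaultdict


def dns_amplification_alerts(records, amp_ratio=10.0, min_resp_bytes=10_000,
                             frag_threshold=1_400):
    """Summarise UDP/53 traffic per local host and flag hosts that receive far
    more DNS response bytes than they ever sent as queries.
    Each record is (time, src_ip, src_port, dst_ip, dst_port, udp_payload_bytes)."""
    q_bytes = defaultdict(int)    # query bytes each local host sent out
    r_bytes = defaultdict(int)    # response bytes each local host received
    resolvers = defaultdict(set)  # distinct servers answering each local host
    large = defaultdict(int)      # responses too big for one frame (fragmented)
    for _t, src, sport, dst, dport, length in records:
        if dport == 53:                       # a query leaving our network
            q_bytes[src] += length
        elif sport == 53:                     # a response arriving at our host
            r_bytes[dst] += length
            resolvers[dst].add(src)
            if length > frag_threshold:
                large[dst] += 1
    alerts = []
    for host, rb in sorted(r_bytes.items()):
        if rb < min_resp_bytes:
            continue                          # too little to matter
        qb = q_bytes.get(host, 0)
        if qb == 0:
            reason, ratio = "responses without queries", float("inf")
        elif rb / qb >= amp_ratio:
            reason, ratio = "amplification ratio", rb / qb
        else:
            continue                          # ordinary lookup traffic
        alerts.append({"host": host, "reason": reason, "ratio": ratio,
                       "response_bytes": rb, "query_bytes": qb,
                       "resolvers": len(resolvers[host]),
                       "large_responses": large[host]})
    return alerts


def _build_sample():
    """Constructed flow records (not captured data); 203.0.113.0/24 is 'our' network."""
    recs = []
    # 203.0.113.10 never queried anything, yet 20 open resolvers each deliver
    # three 3000-byte responses to it: the spoofed-source reflection pattern.
    for i in range(1, 21):
        for k in range(3):
            recs.append((100.0 + i + k * 0.01, f"198.51.100.{i}", 53,
                         "203.0.113.10", 40000 + i, 3000))
    # 203.0.113.20 does ordinary lookups: 10 small queries, 10 small answers.
    for k in range(10):
        recs.append((100.0 + k, "203.0.113.20", 50000 + k, "198.51.100.53", 53, 60))
        recs.append((100.0 + k + 0.02, "198.51.100.53", 53, "203.0.113.20", 50000 + k, 180))
    # 203.0.113.30 has a little real DNS traffic and is also being reflected at.
    for k in range(5):
        recs.append((100.0 + k, "203.0.113.30", 51000 + k, "198.51.100.53", 53, 60))
        recs.append((100.0 + k + 0.02, "198.51.100.53", 53, "203.0.113.30", 51000 + k, 180))
    for i in range(1, 16):
        recs.append((110.0 + i, f"198.51.100.{i}", 53, "203.0.113.30", 45000 + i, 3000))
    return recs


SAMPLE_RECORDS = _build_sample()

if __name__ == "__main__":
    for alert in dns_amplification_alerts(SAMPLE_RECORDS):
        print(alert)
```

The ratio threshold rather than a plain byte count is what separates the reflected victim from a busy but legitimate resolver client, and the resolver and fragment counts in each alert are the corroborating details (many distinct answering servers, oversized replies) that the slide text describes. In practice the records would come from flow export or a packet capture on the edge; here they are constructed inline so the detector runs offline.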
18. 行軍: Operation Ababil
Event Correlation: Iranian Linked Cyber Attacks (Source: Analysis Intelligence)
Chart: timeline from July 2010 to July 2013 of events attributed to Parastoo, the Iranian Cyber Army and the al Qassam Cyber Fighters; the bars range from 1 event to 22 events per period.
19. Don’t assume that you’re not a target.
Draw up battle plans. Learn from the mistakes of others.
没有战略,战术是之前失败的噪音
Without strategy, tactics are the noise before defeat.
目标
Target
20. Variation of Tactics 九變
The Army on the March 行軍
Illusion & Reality 虛實
The Use of Intelligence 用間
Laying Plans 始計
21. Chart: share of attacks (0-35 scale) hitting each component on the path Internet Pipe, Firewall, IPS/IDS, ADC, Server, SQL Server, plotted for 2011, 2012 and 2013 and grouped as volumetric attacks, network & session attacks and application attacks.
不可胜在己
Being unconquerable lies within yourself.
不可胜在己
Being unconquerable lies within yourself.
22. 不可胜在己
Which DoS defense components address which attack class (as tabulated on the slide):
DoS Defense Component | Vulnerability Exploitation | Network Flood | Infrastructure Exhaustion | Target Exhaustion
Network Devices | No | No | Some | Some
Over-Provisioning | No | Yes, bandwidth | Yes, infrastructure | Yes, server & app.
Firewall & Network Equipment | No | No | Some | Some
NIPS or WAF Security Appliances | Yes | No | No, part of problem | No
Anti-DoS Box (Stand-Alone) | No | No | Yes | Yes
ISP-Side Tools | No | Yes | Rarely | Rarely
Anti-DoS Appliances (ISP Connected) | No | Yes | Yes | Yes
Anti-DoS Specialty Provider | No | Yes | Yes | Yes
Content Delivery Network | No | Yes | Yes | Limited
23. Analyst View
• With the prevalence and duration of attacks on the rise, organizations need to take steps to protect their infrastructure from the advanced methods being employed. Despite the fact that volumetric-based attacks will remain the most common, more advanced hybrid attacks that include application layer and encrypted traffic in addition to volumetric methods will also grow, spurring growth in the use of on-premise equipment.
IDC Technology Spotlight - Optimizing DDoS Mitigation Using Hybrid Approaches
• Gartner expects high-bandwidth DDoS attacks to continue and to increase in frequency in 2013. Gartner also expects that at least 25% of DDoS attacks will be application-based, in which attackers send targeted commands to applications to tax CPU and memory and make the application unavailable.
Gartner
27. Don’t believe the propaganda.
Understand the limitations of solutions.
Not all networking and security solutions are created equal.
没有战略,战术是之前失败的噪音
Without strategy, tactics are the noise before defeat.
宣传
Propaganda
28. Variation of Tactics 九變
The Army on the March 行軍
Illusion & Reality 虛實
The Use of Intelligence 用間
Laying Plans 始計
29. 兵之情主速
Speed is the essence of war.
Diagram: an attack-degree axis divided into a Normal area, a Suspicious area and an Attack area.
30. 兵之情主速
The Security Gap
Attacker has time to bypass automatic mitigation.
Target does not possess required defensive skills.
31. You can’t defend against attacks you can’t detect.
Know your limitations.
Enlist forces that have expertise to help you fight.
没有战略,战术是之前失败的噪音
Without strategy, tactics are the noise before defeat.
检测
Detection
32. Variation of Tactics 九變
The Army on the March 行軍
Illusion & Reality 虛實
The Use of Intelligence 用間
Laying Plans 始計
33. 故兵貴勝,不貴久
What is essential in war is victory, not prolonged operations.
Detection: Application Attacks
• Web Attacks
• Application Misuse
• Connection Floods
• Brute Force
• Directory Traversals
• Injections
• Scraping & API Misuse
34. Attack Mitigation Network: Low & Slow, SSL Encrypted
Diagram: botnet traffic aimed at the Enterprise, the Cloud Scrubbing center and the Hosted Data Center.
故兵貴勝,不貴久
35. 故兵貴勝,不貴久
What is essential in war is victory, not prolonged operations.
Detection: Encrypted / Non-Volumetric Attacks
• Envelope Attacks – Device Overload
• Directed Attacks – Exploits
• Intrusions – Mis-Configurations
• Localized Volume Attacks
• Low & Slow Attacks
• SSL Floods
36. Attack Mitigation Network: Application Exploits
Diagram: botnet traffic aimed at the Enterprise, the Cloud Scrubbing center and the Hosted Data Center, with “Attack signatures” shown between the mitigation points.
故兵貴勝,不貴久
38. Attack Mitigation Network: Volumetric Attacks
Diagram: botnet traffic aimed at the Enterprise, the Cloud Scrubbing center and the Hosted Data Center, with “Attack signatures” shown between the mitigation points.
故兵貴勝,不貴久
39. Layered Lines Of Defense
Diagram: the path Internet Pipe, Firewall, IPS/IDS, ADC, Attacked Server, SQL Server, grouped as volumetric attacks, network & stateful attacks and application attacks, with these attack vectors drawn against it: large volume network flood attacks, network scan, SYN floods, SSL floods, “Low & Slow” DoS attacks (e.g. Sockstress), HTTP floods, brute force, app misuse.
Defensive layers shown: DoS protection, behavioral analysis, SSL protection, IPS, WAF, Cloud DDoS protection.
41. Aligned forces will make the difference
Protecting your data is not the same as protecting your business.
True security necessitates data protection, system integrity and operational availability.
没有战略,战术是之前失败的噪音
Without strategy, tactics are the noise before defeat.
可用性 (availability)
Protection