WikiLeaks' Operation Payback and the Breakdown of Perimeter Defenses. Carl W. Herberger, Radware. Session ID: SPO2-304. Session Classification: Sponsor Case Studies
Agenda: DDoS/DoS Attacks Have Matured; Recap of the Operation Payback Timeline; Perimeter Defense Breakdowns; New Lessons Learned
Main Presentation Take-Aways: The denial of service attack category is a preferred weapon. It is broad, representing nearly every layer in the network stack; it is deep, representing nearly every protocol and service; and it is generally misunderstood and understudied. 2009-2010 have seen a dramatic rise in hacktivism. Operation Payback establishes numerous lessons. Perimeter security needs a next-generation "open air market" model, which requires the following: more alerting coverage, more deployed perimeter platforms, tighter integration, instantly normalized and correlated data, and prioritization of threats for mitigation.
DoS / DDoS Attacks Have Matured
Perimeter Security Attack Roundup. Source: ISC2 Common Body Of Knowledge & OWASP
DoS / DDoS Attack Roundup Examples: TCP SYN, TCP SYN+ACK, TCP FIN, TCP RESET, TCP ACK, TCP ACK+PSH, TCP Fragment, UDP, ICMP, IGMP, HTTP Flood, Brute Force, Connection Floods, Malware / Botnets. Source: ISC2 Common Body Of Knowledge & OWASP
Notable 2009-2010 DoS / DDoS Attacks: July 2009, Low & Slow attacks (Slowloris); July 2009, MyDoom, over 50,000 zombies; August 2009, Twitter/Cyxymu DDoS; Sept 2010, IMDDOS commercial botnet; Sept 2010, Operation Payback (nearly all DoS / DDoS was tried). Source: ISC2 Common Body Of Knowledge & OWASP
Attacker's Change in Motivation & Techniques. Timeline of attack risk across three eras (vandalism and publicity, then hacktivism, then financially motivated): 2001: CodeRed (defacing IIS web servers), Nimda (installed Trojan); 2003: Blaster (attacking Microsoft web site), Slammer (attacking SQL websites), Agobot (DoS botnet); 2004: Republican website DoS; 2007: Storm, Srizbi and Rustock botnets, Estonia's web sites DoS; 2008: Kracken botnet, Georgia web sites DoS; 2009: July 2009 cyber attacks on US & Korea, Google / Twitter attacks; 2010: IMDDOS botnet, Dec 2010 Operation Payback.
Recap: Operation Payback Timeline
Background: In December 2010, WikiLeaks came under intense pressure to stop publishing secret United States diplomatic cables. Corporations such as Amazon, PostFinance, MasterCard and Visa either stopped working with or froze donations to WikiLeaks, apparently bowing to political pressure.
November 30th (ish), 2010: The Jester (th3jest3r) vs. WikiLeaks. [Timeline: New Release; Arrest; WikiLeaks Attacked] Source: http://praetorianprefect.com/archives/2010
Early December (1st-5th), 2010: Amazon and DNS providers drop Wikileaks.org. [Timeline: New Release; Arrest; WikiLeaks Attacked; Service Providers Cutoffs]
December 4th-6th, 2010: Payment Firms Prevent Financial Donations. [Timeline: New Release; Arrest; WikiLeaks Attacked; Service Providers Cutoffs; Financial Firms Stonewall WikiLeaks]
December 7th, 2010: Anonymous launched Operation Payback. [Timeline: New Release; Arrest; WikiLeaks Attacked; Service Providers Cutoffs; Financial Firms Stonewall WikiLeaks; Operation Payback Launched via Twitter & Facebook]
Original Distributed Tool: LOIC v1.1.1.14, distributed by Praetox Tech for stress testing
Updated Version on Dec. 9th: No-Download Distributed Attack Tool, JS LOIC
December 11th, 2010: Payback Reached Peak Participation, ~7,000. [Timeline: New Release; Arrest; WikiLeaks Attacked; Service Providers Cutoffs; Financial Firms Stonewall WikiLeaks; Operation Payback Launched via Twitter & Facebook; 7,000 LOIC Tool Users] Source: http://praetorianprefect.com/archives/2010
Targets Were Defined & Coordinated. Source: http://praetorianprefect.com/archives/2010
Operation Payback Initial Target Set. Source: http://praetorianprefect.com/archives/2010
From the news
Throughout December 2010: The Jester Attacks LOIC Nodes, Thwarts Attack by December 14th. [Timeline: New Release; Arrest; WikiLeaks Attacked; Service Providers Cutoffs; Financial Firms Stonewall WikiLeaks; Operation Payback Launched via Twitter & Facebook; 7,000 LOIC Tool Users; The Jester Attacks LOIC Users]
New Anonymous Targets: The Jester. Source: http://praetorianprefect.com/archives/2010
February 2011: WikiLeaks remains up; Anonymous promises more attacks coming.
Breakdown of Perimeter Defenses
Introducing AMS
Radware Operation Payback ERT Post-Mortem Analysis.
Operation Payback network DDoS attacks:
High PPS attacks: extremely high SYN flood and UDP flood rates (up to 8M packets per second) hit victim sites.
Oversized UDP frames, intended to consume bandwidth.
Fragmented and corrupted UDP frames, intended to consume more resources on application delivery equipment.
Connection flood attacks: target the TCP stack resources; raw TCP data transmission (a long stream of ASCII data) to ports 443 (HTTPS) and 80 (HTTP).
Operation Payback application DDoS attacks:
HTTP page request floods targeting crafted URLs (GETs/PUTs).
Crafted Layer 7 TCP attacks such as Slowloris.
HTTP data floods.
Operation Payback: Major Perimeter Defense Breakdowns.
High-rate attacks: the security tools themselves crashed under the load and because of improper placement.
Low-and-slow DoS/DDoS attacks: these easily go under the radar of traditional security solutions (if you define low rate thresholds you raise the false-positive ratio; if you raise the thresholds, more attacks pass undetected).
Today's application DDoS attacks are well integrated into legitimate forms of business delivery models, wreaking havoc with distinguishing legitimate from illegitimate traffic.
Why were Operation Payback attacks so challenging?
Attacks: High PPS attacks; Oversized UDP frames; Fragmented and corrupted UDP frames; Connection flood attacks; HTTP page flood attacks; Slowloris.
Impacts: Equipment bottlenecks; Consume network bandwidth; Consume resources (memory / processing); Consume TCP stack resources (processing); Consume server resources (memory / processing).
Protection from Attack Campaigns (Multi-Vulnerability) Is Difficult. Attack type, and the protection needed:
High PPS attacks: Network-level anti-DoS
Oversized UDP frames: Anti-DoS / DDoS
Fragmented and corrupted UDP frames: Anti-DoS / DDoS
Connection flood attacks: IPS in front of the firewall
HTTP page flood attacks: NBA in front of the firewall
Slowloris: IPS in front of the firewall
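The threshold trade-off described on the "Major Perimeter Defense Breakdowns" slide is easiest to see in code. The following is an added example, not Radware's or the presentation's own code: it runs a pure packet-rate rule and a behavioural low-and-slow rule over a constructed connection table (addresses, packet counts and the server names are all invented), and shows that no single rate threshold catches the slow client without also flagging a busy legitimate server.

```python
"""Detection rules for the two attack classes contrasted on the slide: high-rate
floods and low-and-slow connection exhaustion. All records below are constructed
sample data for this added example; they are not Operation Payback captures."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One observed client connection, as a flow collector or load balancer might report it."""
    src: str                # client address
    dst: str                # protected server address
    start: float            # time the connection was opened (seconds)
    last_seen: float        # time the last bytes arrived (seconds)
    packets: int            # packets received on this connection
    payload_bytes: int      # payload bytes received
    request_complete: bool  # whether the HTTP request header was ever terminated


NOW = 60.0      # evaluation time (constructed clock, seconds)
WINDOW = 10.0   # the records below describe the last WINDOW seconds of traffic


def build_sample():
    """Constructed traffic mix: normal clients, a busy legitimate server, a flood, one slow client."""
    conns = []
    # Legitimate: 20 distinct clients of 10.0.0.5, each completing a normal request.
    for i in range(20):
        conns.append(Conn(f"198.51.100.{i}", "10.0.0.5", NOW - 1, NOW, 6, 500, True))
    # Busy but legitimate server 10.0.0.7: 100 clients, all requests complete (60 pps).
    for i in range(100):
        conns.append(Conn(f"198.51.100.{100 + i}", "10.0.0.7", NOW - 1, NOW, 6, 500, True))
    # Volumetric flood against 10.0.0.5: 2,000 short connections, 50 packets each.
    for i in range(2000):
        conns.append(Conn(f"203.0.113.{i % 250}", "10.0.0.5", NOW - 2, NOW, 50, 2000, False))
    # Low and slow against 10.0.0.6: one client holding 150 connections open for a
    # minute, each having sent only a few bytes of an unfinished request header.
    for _ in range(150):
        conns.append(Conn("192.0.2.10", "10.0.0.6", 0.0, NOW - 5, 3, 40, False))
    return conns


def detect_high_rate(conns, window=WINDOW, pps_threshold=5000):
    """Rate rule: flag destinations whose aggregate packet rate exceeds pps_threshold."""
    pkts = defaultdict(int)
    for c in conns:
        pkts[c.dst] += c.packets
    return {dst for dst, n in pkts.items() if n / window > pps_threshold}


def detect_low_and_slow(conns, now=NOW, min_age=30.0, max_bytes=200, min_conns=50):
    """Behavioural rule: flag sources holding many old, nearly empty, unfinished requests.
    It never looks at packet rate, so it is not subject to the threshold trade-off
    that defeats the rate rule on slow attacks."""
    per_src = defaultdict(int)
    for c in conns:
        if (not c.request_complete and now - c.start >= min_age
                and c.payload_bytes <= max_bytes):
            per_src[c.src] += 1
    return {src for src, n in per_src.items() if n >= min_conns}


def packet_rate(conns, dst, window=WINDOW):
    """Packets per second observed towards dst."""
    return sum(c.packets for c in conns if c.dst == dst) / window


def analyze(conns=None):
    """Run both rules and report the slow target's rate alongside the verdicts."""
    conns = build_sample() if conns is None else conns
    return {
        "flooded_targets": detect_high_rate(conns),
        "slow_sources": detect_low_and_slow(conns),
        "slow_target_pps": packet_rate(conns, "10.0.0.6"),
    }


if __name__ == "__main__":
    print(analyze())
    # Lowering the rate threshold far enough to see the slow attack (45 pps)
    # also flags the busy legitimate server at 60 pps: the false-positive trade-off.
    print(detect_high_rate(build_sample(), pps_threshold=40))
```

With the default 5,000 pps threshold only the flooded server is reported; the slow client sits at 45 pps and is invisible to the rate rule, while the behavioural rule names it. Dropping the threshold to 40 pps makes the rate rule report the slow target, but it also reports the busy legitimate server, which is exactly the false-positive cost the slide warns about.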
Modern Security Data Center Architecture Is Inadequate For Perimeter Protection. "The rising tide of distributed denial of service attacks (DDoS) is being made much worse by a tendency to mis-deploy firewalls and intrusion prevention systems (IPS) in front of servers." "During 2010, nearly half of all respondents had experienced a failure of their firewall or IPS due to DDoS, something that could have been avoided." Arbor Networks survey of 111 global service providers; comments published by John E. Dunn, Feb 01, 2010, Tech World
Current Architecture Has Led to Inadequate Security Solutions. Current deployment problems include:
Attack Campaigns Require Alerts, Correlation, Prioritization in All Perimeter Regimes!!!
Threat layers: Network & DoS/DDoS flood attacks; Application-based attacks; Zero-day malware propagation & scans; Intrusion activities; Clean environment.
Protection layers: NBA, network-based behavioral protections; NBA, application-based behavioral protections; NBA, source-based behavioral protections; IPS, signature-based protections; Reputation engine.
New Lessons Learned
New Lessons From Operation Payback:
Cyber retaliation: DDoS has become a new tool for angry mobs or overzealous activists.
Use of social media networks for quick distribution of malicious tools.
Previously unqualified attackers/profiles (no signature profiles available) volunteer in an attack campaign.
Bundled, multi-layered DDoS attack structure (UDP, TCP, HTTP, slow, fast, connection-oriented, malformed packets, etc.).
Multi-vector: unquantifiable scalability (any attacker from anywhere).
In addition, Multi-Vector Attacks Are On the Rise... Protection is Not. Attack vector, and the solution that covers it:
Bot malware spread: IPS or Network Behavior Analysis
Scanning or single-IP vulnerability attacks: IPS
Social engineering attacks (fraud, phishing, bot command and control messages, etc.): IPS or Reputational Engine
Application flooding (HTTP page flood attack): Network Behavior Analysis
Network flooding (SYN/UDP/ICMP flood attack): DoS Protection
No single protection tool can handle today's multi-vector threats.
How to Improve Perimeter Security? Next Generation Defense: deploy a series of perimeter security alerting and mitigating technologies designed to handle multi-vulnerability and multi-origin threats (e.g. attack campaigns) in real time. The idea is to accomplish the following:
Increase the overall quality of coverage of attack categories with best-in-breed perimeter alerting technologies (IPS, NBA, DoS, WAF, anti-fraud) at the perimeter's edge.
Unify and normalize alerting data for improved correlation.
Engineer agile solutions, e.g. limit human interactions and required decisions to only extreme situations.
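The three bullets above describe a pipeline: several alerting engines, one normalized record format, correlation across engines, and a prioritization step that leaves only the extreme cases to a human. The following is an added example of that pipeline, not Radware's AMS or any product's code: the three tool schemas (IPS, NBA, DoS engine), the alert contents, the target addresses and the scoring weights are all constructed for illustration.

```python
"""Normalize, correlate and prioritize perimeter alerts from several engines.
Added example with constructed data; the tool schemas below are hypothetical."""
from collections import defaultdict

# Constructed raw alerts, each in the native schema of a hypothetical tool.
IPS_ALERTS = [
    {"sig": "HTTP request flood", "victim": "10.0.0.5", "ts": 100, "sev": 3},
    {"sig": "Port scan", "victim": "10.0.0.9", "ts": 400, "sev": 1},
    {"sig": "HTTP request flood", "victim": "10.0.0.5", "ts": 700, "sev": 3},
]
NBA_ALERTS = [
    {"anomaly": "connection-rate", "target_ip": "10.0.0.5", "time": 104, "confidence": 0.9},
]
DOS_ALERTS = [
    {"type": "SYN flood", "dst": "10.0.0.5", "t": 101, "pps": 8_000_000},
    {"type": "UDP flood", "dst": "10.0.0.7", "t": 900, "pps": 900_000},
]


def normalize(ips=IPS_ALERTS, nba=NBA_ALERTS, dos=DOS_ALERTS):
    """Map each tool's schema onto one record: tool, target, ts, category, score in [0, 1]."""
    out = []
    for a in ips:   # IPS severity is 1..3 in this constructed schema
        out.append({"tool": "IPS", "target": a["victim"], "ts": a["ts"],
                    "category": a["sig"], "score": a["sev"] / 3})
    for a in nba:   # NBA already reports a confidence in [0, 1]
        out.append({"tool": "NBA", "target": a["target_ip"], "ts": a["time"],
                    "category": a["anomaly"], "score": a["confidence"]})
    for a in dos:   # DoS engine reports a rate; saturate the score at 1M pps
        out.append({"tool": "DoS", "target": a["dst"], "ts": a["t"],
                    "category": a["type"], "score": min(a["pps"] / 1_000_000, 1.0)})
    return sorted(out, key=lambda r: r["ts"])


def correlate(alerts, window=30):
    """Group alerts by target; alerts within `window` seconds of an incident's
    first alert join that incident, later ones open a new incident."""
    by_target = defaultdict(list)
    for a in alerts:
        by_target[a["target"]].append(a)
    incidents = []
    for target, items in by_target.items():
        current = None
        for a in sorted(items, key=lambda r: r["ts"]):
            if current is None or a["ts"] - current["start"] > window:
                current = {"target": target, "start": a["ts"], "tools": set(),
                           "categories": [], "max_score": 0.0}
                incidents.append(current)
            current["tools"].add(a["tool"])
            current["categories"].append(a["category"])
            current["max_score"] = max(current["max_score"], a["score"])
    return incidents


def prioritize(incidents, auto_threshold=0.8, escalate_threshold=1.5):
    """Rank incidents. Agreement between independent engines raises priority;
    only the top band needs a human, the middle band is mitigated automatically."""
    ranked = []
    for inc in incidents:
        priority = inc["max_score"] * (1 + 0.5 * (len(inc["tools"]) - 1))
        if priority >= escalate_threshold:
            action = "escalate"        # extreme situation: human decision required
        elif priority >= auto_threshold:
            action = "auto-mitigate"   # confident single-engine verdict: act without a human
        else:
            action = "monitor"
        ranked.append({"target": inc["target"], "start": inc["start"],
                       "priority": round(priority, 2),
                       "tools": sorted(inc["tools"]), "action": action})
    return sorted(ranked, key=lambda r: r["priority"], reverse=True)


def triage(window=30):
    """Full pipeline over the constructed alerts."""
    return prioritize(correlate(normalize(), window))


if __name__ == "__main__":
    for row in triage():
        print(row)
```

The campaign against 10.0.0.5 is seen by all three engines within a few seconds, so it is the only incident escalated to a person; the later single IPS alert against the same host falls outside the correlation window and becomes its own, auto-mitigated incident. Normalizing scores into one range is what makes the cross-engine comparison possible at all, which is the point of the "unify and normalize" bullet.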
Recap - Main Presentation Take-Aways: The denial of service attack category is broad, representing nearly every layer in the network stack; it is deep, representing nearly every protocol and service; and it is generally misunderstood and understudied. 2009-2010 have seen a dramatic rise in hacktivism. Operation Payback establishes numerous lessons. Perimeter security needs an "open air market" model, which requires the following: more alerting coverage, more deployed perimeter platforms, tighter integration, instantly normalized and correlated data, and prioritization of threats for mitigation.
Thank You. Carl W. Herberger, V.P., Security Solutions. 610.529.6229, Carl.Herberger@Radware.com