
WikiLeaks' Operation Payback and the Breakdown of Perimeter Defenses. Carl W. Herberger, Radware. Session ID: SPO2-304. Session Classification: Sponsor Case Studies

Agenda
- DDoS/DoS attacks have matured
- Recap of the Operation Payback timeline
- Perimeter defense breakdowns
- New lessons learned

Main Presentation Take-Aways
The Denial of Service attack category is a preferred weapon:
- It is broad, representing nearly every layer in the network stack
- It is deep, representing nearly every protocol and service
- It is generally misunderstood and understudied
2009-2010 have seen a dramatic rise in hacktivism.
Operation Payback established numerous lessons.
Perimeter security needs a next-generation "open air market" model, which requires the following:
- More alerting coverage
- More deployed perimeter platforms
- Tighter integration
- Instantly normalized and correlated data
- Prioritization of threats for mitigation

DoS / DDoS Attacks Have Matured

Perimeter Security Attack Roundup (Source: ISC2 Common Body of Knowledge & OWASP)

DoS / DDoS Attack Roundup Examples (Source: ISC2 Common Body of Knowledge & OWASP): TCP SYN, TCP SYN+ACK, TCP FIN, TCP RESET, TCP ACK, TCP ACK+PSH, TCP fragment, UDP, ICMP, IGMP, HTTP flood, brute force, connection floods, malware / botnets

Notable 2009-2010 DoS / DDoS Attacks (Source: ISC2 Common Body of Knowledge & OWASP)
- July 2009: low & slow attacks (Slowloris)
- July 2009: MyDoom, over 50,000 zombies
- August 2009: Twitter/Cyxymu DDoS
- Sept 2010: IMDDOS commercial botnet
- Sept 2010: Operation Payback (nearly all DoS / DDoS techniques were tried)

Attacker's Change in Motivation & Techniques (timeline 2001 to 2010; motivation shifts from vandalism and publicity, to hacktivism, to financially motivated attacks, with attack risk peaking at Operation Payback in Dec 2010)
- CodeRed 2001 (defacing IIS web servers)
- Blaster (attacking the Microsoft web site)
- Nimda (installed a Trojan)
- Agobot (DoS botnet)
- Slammer 2003 (attacking SQL websites)
- Republican website DoS 2004
- Storm (botnet) 2007
- Srizbi (botnet) 2007
- Rustock (botnet) 2007
- Estonia's web sites DoS 2007
- Kracken (botnet)
- Georgia web sites DoS 2008
- Cyber attacks on US & Korea, July 2009
- Google / Twitter attacks 2009
- IMDDOS (botnet) 2010
- Operation Payback, Dec 2010


Recap: Operation Payback Timeline

Background: In December 2010, WikiLeaks came under intense pressure to stop publishing secret United States diplomatic cables. Corporations such as Amazon, PostFinance, MasterCard and Visa either stopped working with WikiLeaks or froze donations to it, apparently bowing to political pressure.

November 30th (ish) 2010: The Jester (th3jest3r) vs. WikiLeaks. Timeline milestones so far: New Release, Arrest, WikiLeaks Attacked. Source: http://praetorianprefect.com/archives/2010

Early December (1st to 5th) 2010: Amazon and DNS providers drop Wikileaks.org. Timeline milestone: Service Providers Cutoffs

December 4th to 6th 2010: Payment firms prevent financial donations. Timeline milestone: Financial Firms Stonewall WikiLeaks

December 7th, 2010: Anonymous launched Operation Payback. Timeline milestone: Operation Payback Launched via Twitter & Facebook

Original distributed tool: LOIC v1.1.1.14, distributed by Praetox Tech for stress testing

Updated version on Dec. 9th: JS LOIC, a no-download distributed attack tool

December 11th, 2010: Payback reached peak participation, ~7,000 LOIC tool users. Timeline milestone: 7,000 LOIC Tool Users. Source: http://praetorianprefect.com/archives/2010

Targets were defined & coordinated. Source: http://praetorianprefect.com/archives/2010

Operation Payback initial target set. Source: http://praetorianprefect.com/archives/2010

From the news

Throughout December 2010: The Jester attacks LOIC nodes, thwarting the attack by December 14th. Timeline milestone: The Jester Attacks LOIC Users

New Anonymous targets: The Jester. Source: http://praetorianprefect.com/archives/2010

February 2011: WikiLeaks remains up; Anonymous promises more attacks are coming.

Breakdown of Perimeter Defenses

Introducing AMS 26

Radware ERT Post-Mortem Analysis of Operation Payback
Operation Payback network DDoS attacks:
- High PPS attacks: extremely high SYN flood and UDP flood rates (up to 8M packets per second) hit victim sites
- Oversized UDP frames, with the intent to consume bandwidth
- Fragmented and corrupted UDP frames, with the intent to consume more resources on application delivery equipment
- Connection flood attacks targeting TCP stack resources: TCP raw data transmission (a long stream of ASCII data) to ports 443 (HTTPS) and 80 (HTTP)
Operation Payback application DDoS attacks:
- HTTP page request floods targeting crafted URLs (GETs/PUTs)
- Crafted Layer 7 TCP attacks such as Slowloris
- HTTP data floods

Operation Payback: Major Perimeter Defense Breakdowns
- High-rate attacks: the security tools themselves crashed under the load, made worse by improper placement
- Low-and-slow DoS/DDoS attacks easily go under the radar of traditional security solutions (low rate thresholds raise the false-positive ratio, and high thresholds raise the miss rate)
- Today's application DDoS attacks are well integrated into legitimate business delivery models, wreaking havoc with any attempt to distinguish legitimate from illegitimate traffic
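As an added example (not code from the presentation), the following Python sketch shows the threshold trade-off described above on constructed connection records: a new-connection-rate threshold either misses the low-and-slow source or also flags a bursty but legitimate browser, while a behavioural check on connections held open without a completed request singles out the slow source without touching the rate threshold at all. The record shape, the client addresses and the thresholds are assumptions made for the example.

```python
"""Why rate thresholds alone miss low-and-slow DoS, and a behavioural check that does not.

Added example, not code from the presentation. Input is a constructed list of
connection records in the shape a reverse proxy or load balancer could log:
when a connection was accepted, from which client, how long it stayed open,
and whether a complete HTTP request was ever received on it.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float        # seconds since start of capture when the TCP connection was accepted
    src: str         # client IP (constructed addresses)
    open_for: float  # seconds the connection stayed open
    completed: bool  # True if a complete HTTP request header arrived on the connection


def constructed_sample():
    """Three clients: a bursty but legitimate browser, an ordinary client, and a low-and-slow source."""
    conns = []
    # Browser fetching a page with 40 assets: 40 short, complete connections inside two seconds
    conns += [Conn(20.0 + i * 0.05, "10.0.0.5", 0.2, True) for i in range(40)]
    # Ordinary client: one request roughly every 12 seconds
    conns += [Conn(5.0 + i * 12.0, "10.0.0.9", 0.3, True) for i in range(5)]
    # Low-and-slow source (Slowloris pattern): one new connection every 3 seconds, each held
    # open for minutes with partial headers and never completed, so the rate stays tiny
    conns += [Conn(i * 3.0, "198.51.100.7", 300.0, False) for i in range(20)]
    return conns


def peak_rate_per_source(conns, window):
    """Highest number of new connections each source opened within any one `window`-second bucket."""
    per_bucket = defaultdict(int)
    for c in conns:
        per_bucket[(c.src, int(c.ts // window))] += 1
    peak = defaultdict(int)
    for (src, _bucket), n in per_bucket.items():
        peak[src] = max(peak[src], n)
    return dict(peak)


def rate_alerts(conns, window, threshold):
    """Classic flood detection: flag sources whose peak new-connection rate reaches the threshold."""
    return {src for src, n in peak_rate_per_source(conns, window).items() if n >= threshold}


def slow_alerts(conns, min_open, min_conns):
    """Behavioural check: flag sources holding at least min_conns connections open for at least
    min_open seconds without ever completing a request. Independent of the connection rate."""
    held = defaultdict(int)
    for c in conns:
        if not c.completed and c.open_for >= min_open:
            held[c.src] += 1
    return {src for src, n in held.items() if n >= min_conns}


if __name__ == "__main__":
    sample = constructed_sample()
    print("peak new connections per 10 s:", peak_rate_per_source(sample, 10))
    print("rate threshold 30 per 10 s:", rate_alerts(sample, 10, 30))  # only the bursty browser
    print("rate threshold 4 per 10 s: ", rate_alerts(sample, 10, 4))   # the slow source, plus the browser
    print("held-open check:           ", slow_alerts(sample, 60, 10))  # the slow source only
```

With the sample, the slow source never exceeds four new connections per ten seconds, so a rate threshold low enough to catch it also catches the browser's asset burst; the held-open check keys on what the slow connections actually do to the server (occupy sockets without ever completing a request), which is the resource the slide says such attacks consume.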

Why were Operation Payback attacks so challenging? Attack and impact:
- High PPS attacks: equipment bottlenecks
- Oversized UDP frames: consume network bandwidth
- Fragmented and corrupted UDP frames: consume resources (memory / processing)
- Connection flood attacks: consume TCP stack resources (processing)
- HTTP page flood attacks and Slowloris: consume server resources (memory / processing)

Protection from Attack Campaigns (Multi-Vulnerability) Is Difficult. Attack type and protection needed:
- High PPS attacks: network-level anti-DoS
- Oversized UDP frames: anti-DoS / DDoS
- Fragmented and corrupted UDP frames: anti-DoS / DDoS
- Connection flood attacks: IPS in front of the firewall
- HTTP page flood attacks: NBA in front of the firewall
- Slowloris: IPS in front of the firewall

Modern Security Data Center Architecture Is Inadequate for Perimeter Protection
"The rising tide of distributed denial of service attacks (DDoS) is being made much worse by a tendency to mis-deploy firewalls and intrusion prevention systems (IPS) in front of servers. During 2010, nearly half of all respondents had experienced a failure of their firewall or IPS due to DDoS, something that could have been avoided." Arbor Networks survey of 111 global service providers; comments published by John E. Dunn, Feb 01, 2010, Tech World.

Current Architecture Has Led to Inadequate Security Solutions. Current deployment problems include: (diagram)

Attack Campaigns Require Alerts, Correlation and Prioritization in All Perimeter Regimes!!!
Threat regimes: network & DoS/DDoS flood attacks; application-based attacks; zero-day malware propagation & scans; intrusion activities; the goal being a clean environment.
Protections: NBA network-based behavioral protections; NBA application-based behavioral protections; NBA source-based behavioral protections; IPS signature-based protections; reputation engine.

New Lessons Learned

New Lessons From Operation Payback:
- Cyber retaliation: DDoS has become a new tool for angry mobs or overzealous activists
- Use of social media networks for quick distribution of malicious tools
- Previously unqualified attackers/profiles (no signature profiles available) volunteer in an attack campaign
- Bundled, multi-layered DDoS attack structure (UDP, TCP, HTTP, slow, fast, connection-oriented, malformed packets, etc.)
- Multi-vector: unquantifiable scalability (any attacker from anywhere)

In Addition, Multi-Vector Attacks Are on the Rise... Protection Is Not. Attack vector and solution:
- Bot malware spread: IPS or Network Behavior Analysis
- Scanning or single-IP vulnerability attacks; social engineering attacks (fraud, phishing, bot command and control messages, etc.): IPS or reputational engine
- Application flooding (HTTP page flood attack): Network Behavior Analysis
- Network flooding (SYN/UDP/ICMP flood attack): DoS protection
No single protection tool can handle today's multi-vector threats.

How to Improve Perimeter Security? Next-generation defense: deploy a series of perimeter security alerting and mitigating technologies designed to handle multi-vulnerability and multi-origin threats (e.g. attack campaigns) in real time. The idea is to accomplish the following:
- Increase the overall quality of coverage of attack categories with best-in-breed perimeter alerting technologies (IPS, NBA, DoS, WAF, anti-fraud) at the perimeter's edge
- Unify and normalize alerting data for improved correlation
- Engineer agile solutions, e.g. limit human interactions and required decisions to only extreme situations
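The unify-and-normalize step, as an added Python example that is not Radware's code and assumes three constructed alert formats (an IPS key=value line, an NBA JSON record and a DoS-protection CSV export): each is mapped onto one schema and one attack-vector taxonomy, alerts against the same target inside a time window are correlated into a campaign, and campaigns with more distinct vectors are ranked first for mitigation. All addresses, timestamps, signature names and the severity scaling are assumptions made for the example.

```python
"""Normalise alerts from different perimeter tools into one schema, correlate them per target,
and rank multi-vector campaigns first.

Added example, not Radware's code or any product's format. The three input formats
(a key=value IPS line, a JSON NBA record, a CSV DoS-protection export) and all addresses,
times and signature names are constructed for the example.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed raw alerts, one sample format per tool
RAW_IPS_LINES = [
    "2010-12-08T14:02:11Z sig=http-slow-headers src=198.51.100.7 dst=203.0.113.10 sev=3",
    "2010-12-08T14:40:00Z sig=tcp-port-scan src=192.0.2.44 dst=203.0.113.20 sev=2",
]
RAW_NBA_RECORDS = [
    {"time": "2010-12-08T14:03:05Z", "anomaly": "http_get_rate", "server": "203.0.113.10", "score": 0.91},
]
RAW_DOS_CSV = "epoch,attack,victim,pps,action\n1291816980,syn_flood,203.0.113.10,7800000,rate-limit\n"

# Each tool's own vocabulary mapped onto one attack-vector taxonomy (the slide's regimes)
VECTOR_OF = {
    "http-slow-headers": "low_and_slow",
    "tcp-port-scan": "scan",
    "http_get_rate": "application_flood",
    "syn_flood": "network_flood",
}

IPS_RE = re.compile(r"^(?P<ts>\S+) sig=(?P<sig>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) sev=(?P<sev>\d)$")


def _iso_to_epoch(text):
    return int(datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp())


def normalize_ips(line):
    m = IPS_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable IPS line: {line!r}")
    return {"ts": _iso_to_epoch(m["ts"]), "tool": "IPS", "vector": VECTOR_OF[m["sig"]],
            "target": m["dst"], "severity": int(m["sev"])}


def normalize_nba(rec):
    # The constructed NBA tool scores anomalies 0..1; scale onto the shared 1..5 severity range
    sev = max(1, min(5, round(rec["score"] * 5)))
    return {"ts": _iso_to_epoch(rec["time"]), "tool": "NBA", "vector": VECTOR_OF[rec["anomaly"]],
            "target": rec["server"], "severity": sev}


def normalize_dos(csv_text):
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        sev = 5 if int(row["pps"]) >= 1_000_000 else 3   # packet rate decides severity
        out.append({"ts": int(row["epoch"]), "tool": "DoS", "vector": VECTOR_OF[row["attack"]],
                    "target": row["victim"], "severity": sev})
    return out


def _summarize(target, group):
    vectors = sorted({a["vector"] for a in group})
    # Priority: the worst single severity, plus two for every additional distinct vector,
    # so a multi-vector campaign outranks an isolated alert of the same severity
    priority = max(a["severity"] for a in group) + 2 * (len(vectors) - 1)
    return {"target": target, "first_ts": group[0]["ts"], "vectors": vectors,
            "tools": sorted({a["tool"] for a in group}), "priority": priority}


def correlate(alerts, window_s=300):
    """Group alerts by target; alerts within window_s of a group's first alert belong to the
    same campaign. Returns campaign summaries, highest priority first."""
    by_target = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_target[a["target"]].append(a)
    campaigns = []
    for target, items in by_target.items():
        group = []
        for a in items:
            if group and a["ts"] - group[0]["ts"] > window_s:
                campaigns.append(_summarize(target, group))
                group = []
            group.append(a)
        campaigns.append(_summarize(target, group))
    return sorted(campaigns, key=lambda c: c["priority"], reverse=True)


def run_pipeline():
    alerts = [normalize_ips(line) for line in RAW_IPS_LINES]
    alerts += [normalize_nba(rec) for rec in RAW_NBA_RECORDS]
    alerts += normalize_dos(RAW_DOS_CSV)
    return correlate(alerts)


if __name__ == "__main__":
    for c in run_pipeline():
        print(c["priority"], c["target"], c["vectors"], c["tools"])
```

On the sample, the SYN flood, HTTP page flood and slow-header alerts against one target arrive from three different tools within three minutes and collapse into a single campaign that outranks the lone port-scan alert; that collapse is what makes the "only extreme situations need a human" goal reachable, since an operator sees one prioritised campaign rather than three unrelated consoles.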

Recap: Main Presentation Take-Aways
The Denial of Service attack category:
- Is broad, representing nearly every layer in the network stack
- Is deep, representing nearly every protocol and service
- Is generally misunderstood and understudied
2009-2010 have seen a dramatic rise in hacktivism.
Operation Payback established numerous lessons.
Perimeter security needs an "open air market" model, which requires the following:
- More alerting coverage
- More deployed perimeter platforms
- Tighter integration
- Instantly normalized and correlated data
- Prioritization of threats for mitigation

Thank You. Carl W. Herberger, V.P., Security Solutions, 610.529.6229, Carl.Herberger@Radware.com