War Stories from the Cloud: Rise of the Machines. Matt Mosher Director Security Sales Strategy

Similar documents
DDoS attack patterns across the APJ cloud market. Samuel Chen CCIE#9607 Enterprise Security Architect, Manager - APJ

The Presence and Future of Web Attacks

akamai s [state of the internet] / security

Cybersecurity. Anna Chan, Marketing Director, Akamai Technologies

State of the Internet Security Q Mihnea-Costin Grigore Security Technical Project Manager

War Stories from the Cloud Going Behind the Web Security Headlines. Emmanuel Mace Security Expert

Multi-vector DDOS Attacks

Intelligent and Secure Network

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Global DDoS Threat Landscape

Secure your Web Applications with AWS WAF & AWS Shield. James Chiang ( 蔣宗恩 ) AWS Solution Architect

INTRODUCTION: DDOS ATTACKS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

2nd SIG-NOC meeting and DDoS Mitigation Workshop Scrubbing Away DDOS Attacks. 9 th November 2015

A custom excerpt from Frost & Sullivan s Global DDoS Mitigation Market Research Report (NDD2-72) July, 2014 NDD2-74

AKAMAI CLOUD SECURITY SOLUTIONS

AKAMAI SOLUTION BROCHURE CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE.

Prolexic Attack Report Q4 2011

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

Security Whitepaper. DNS Resource Exhaustion

ADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY

Cloudflare Advanced DDoS Protection

haltdos - Web Application Firewall

Additional Security Services on AWS

Imperva Incapsula Website Security

Radware Attack Mitigation Solution (AMS) Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

( ) 2016 NSFOCUS

Enterprise Overview. Benefits and features of Cloudflare s Enterprise plan FLARE

Cyber War Chronicles Stories from the Virtual Trenches

Opportunities for Exploiting Social Awareness in Overlay Networks. Bruce Maggs Duke University Akamai Technologies

An Introduction to DDoS attacks trends and protection Alessandro Bulletti Consulting Engineer, Arbor Networks

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Beyond Blind Defense: Gaining Insights from Proactive App Sec

THE STATE OF MEDIA SECURITY HOW MEDIA COMPANIES ARE SECURING THEIR ONLINE PROPERTIES

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

COPYRIGHT 2018 NETSCOUT SYSTEMS, INC. 1

Comprehensive datacenter protection

SUPERCHARGE YOUR DDoS PROTECTION STRATEGY

Cisco Cloud Security. How to Protect Business to Support Digital Transformation

HOW TO HANDLE A RANSOM- DRIVEN DDOS ATTACK

IBM Next Generation Intrusion Prevention System

Protect your apps and your customers against application layer attacks

The Bots Are Coming The Bots Are Coming Scott Taylor Director, Solutions Engineering

Govern every identity, Inspect every packet. Transform IT to the Department of YES

Advanced Techniques for DDoS Mitigation and Web Application Defense

WHITE PAPER. DDoS of Things SURVIVAL GUIDE. Proven DDoS Defense in the New Era of 1 Tbps Attacks

DDoS MITIGATION BEST PRACTICES

Business Strategy Theatre

We b Ap p A t ac ks. U ser / Iden tity. P hysi ca l 11% Other (VPN, PoS,infra.)

Comprehensive DDoS Attack Protection: Cloud-based, Enterprise Grade Mitigation F5 Silverline

Endpoint Protection : Last line of defense?

Imperva Incapsula Product Overview

The Interactive Guide to Protecting Your Election Website

DDoS Managed Security Services Playbook

Evidence-based protection of web resources a must under the GDPR. How the Akamai Intelligent Platform helps customers to mitigate risks

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

Analisi degli attacchi DDOS e delle contromisure

Enterprise D/DoS Mitigation Solution offering

The DNS of Things. A. 2001:19b8:10 1:2::f5f5:1d Q. WHERE IS Peter Silva Sr. Technical Marketing

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS

WHITE PAPER. Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale

snoc Snoc DDoS Protection Fast Secure Cost effective Introduction Snoc 3.0 Global Scrubbing Centers Web Application DNS Protection

Memcached amplification: lessons learned. Artyom Gavrichenkov

NETWORK FORENSIC ANALYSIS IN THE AGE OF CLOUD COMPUTING.

NINE MYTHS ABOUT. DDo S PROTECTION

Global DDoS Measurements. Jose Nazario, Ph.D. NSF CyberTrust Workshop

Smart Attacks require Smart Defence Moving Target Defence

Security analytics: From data to action Visual and analytical approaches to detecting modern adversaries

RSA NetWitness Suite Respond in Minutes, Not Months

Building Resilience in a Digital Enterprise

RSA Web Threat Detection

Network Security Fundamentals

Vincent van Kooten, EMEA North Fraud & Risk Intelligence Specialist RSA, The Security Division of EMC

Why IPS Devices and Firewalls Fail to Stop DDoS Threats

Automating Security Response based on Internet Reputation

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Application Security. Rafal Chrusciel Senior Security Operations Analyst, F5 Networks

Sucuri Technical Overview

86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013

DNS SECURITY BENEFITS OF OUTSOURCING YOUR DNS TO AN IP ANYCAST+ PROVIDER

IoT - Next Wave of DDoS? IoT Sourced DDoS Attacks A Focus on Mirai Botnet and Best Practices in DDoS Defense

An Aflac Case Study: Moving a Security Program from Defense to Offense

PROTECTING INFORMATION ASSETS NETWORK SECURITY

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

Sam Pickles, F5 Networks A DAY IN THE LIFE OF A WAF

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

WEBSCALE CONVERGED APPLICATION DELIVERY PLATFORM

Internet2 DDoS Mitigation Update

CABLE MSO AND TELCO USE CASE HANDBOOK

2015 DDoS Attack Trends and 2016 Outlook

Service Provider View of Cyber Security. July 2017

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Q WEB APPLICATION ATTACK STATISTICS

ENDPOINT SECURITY AND THE CLOUD: HOW TO APPLY PREDICTIVE ANALYTICS AND BIG DATA

Technical White Paper June 2016

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

Global DDoS Threat Landscape

Radware s Attack Mitigation Solution Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

Memcached amplification: lessons learned. Artyom Gavrichenkov

Cisco Cyber Range. Paul Qiu Senior Solutions Architect

Transcription:

War Stories from the Cloud: Rise of the Machines Matt Mosher Director Security Sales Strategy

The Akamai Intelligent Platform The Platform 175,000+ Servers 2,300+ Locations 750+ Cities 92 Countries 1,227+ Networks The Data 2 trillion hits per day 1 Billion unique IPv4 addresses seen quarterly 13+ trillion log lines per day 260+ terabytes of compressed daily logs 15-30% of all web traffic

In Q2 2015, DDoS attacks were less powerful, but longer and more frequent 350 300 250 Traditional DDoS attacks harness the scale of global botnets Newer attacks target protocol vulnerabilities to amplify size 320 270 240 SNMP (6x) 214 200 DNS (28x-54x) 190 CHARGEN (358x) 171 Gbps 150 NTP (556x) 144 Mpps 100 SSDP (125x) 68 79 82 69 89 50 0 48 45 39 38 29 18 22 11 8 11 15 2 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 Q1 2015 Q2 2015

DDoS Mega Attacks > 100 Gbps in Q2 2015 Twelve megaattacks in Q2 2015 vs. six in Q2 2014. Most targeted Internet/Telecom. Two targeted Gaming.

DDoS Mega Attacks > 50 Mpps in Q2 2015 A 214 million packets per second (Mpps) DDoS attack was among the highest ever recorded. Such attacks can take out tier 1 routers, such as used by Internet service providers (ISPs).

Most Commonly DDoS ed Verticals Q1 2015 Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks.

Top 10 Source Countries for DDoS Attacks in Q2 2015 Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. ****Non-spoofed attacking IP addresses by source country

Web Application Attack Vectors, Q2 2015 SQLi and LFI were the most prevalent attack vectors over HTTP.

Attacks Over HTTPS, Q2 2015 Shellshock accounted for 49% of web application attacks in Q2, largely due to a persistent, multi-week campaign against a single customer. Shellshock attacks shifted the balance of attacks to HTTPS (56%). Last quarter, only 9% of attacks were over HTTPS.

Top 10 Source Countries for Web Application Attacks, Q2 2015

Top 10 Target Countries for Web Application Attacks, Q2 2015

Web Application Attacks by Industry, Q2 2015 Data excludes Shellshock, which primarily targeted a single financial services organization. 95% of the Shellshock attacks were directed at the one company.

Leveraging Big Data to Understand Attacks The following slides are based on a real events on January 5 th 2014. Akamai, we are under attack!...

Ad-Hoc Attack Analysis An attempt to exploit an old (2007) WordPress Remote File Inclusion vulnerability. The victim application was running ASP.NET GET /wp-content/wordtube-button.php?wppath=http://www.google.com/humans.txt? HTTP/1.1 Host: www.vulnerable.site User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) Attacked parameter : Malicious payload: wppath http://www.google.com/humans.txt

What Else Did This Attacker Do On This Site? Same attacker Sent 2122 different RFI exploit attempts

34 different sites were attacked by the same attacker with a total of 24,301 attacks

Was There Similar Activity Going On At The Same Time? Attacks originated from a botnet containing 272 attacking machines 1696 victim applications were targeted 1,358,980 attacks were launched during the campaign The campaign lasted for 2 weeks

Security Big Data at Akamai: Cloud Security Intelligence 20 Terabytes of daily attack data 2 Petabytes of security data stored Up to 90 days retention 600K log lines/sec. indexed by 30 dimensions 8000 queries daily scanning terabytes of Benefits Unrivaled Web Security visibility Perform WAF accuracy analysis on any customer at any time Detect new attacks, including 0-day and quickly issue new protections A powerful web security research tool Improve WAF Accuracy Behavioral analytics platform data

Behavioral Analytics & The Akamai Intelligent Platform Cloud Security Intelligence www.customer.site

Proactive Security using Behavioral Analytics DATA SOURCES Kona WAF Triggers HEURISTICS Attack Patterns Client Behavior Akamai Logs WAF Light CSI Platform Application Profiling NAT Detection Akamai Logs Behavioral IPs False Positive Reduction

Grow revenue opportunities with fast, personalized web experiences and manage complexity from peak demand, mobile devices and data collection.

Grow revenue opportunities with fast, personalized web experiences and manage complexity from peak demand, mobile devices and data collection. Risk score decay

Grow revenue opportunities with fast, personalized web experiences and manage complexity from peak demand, mobile devices and data collection. 1549 SQL injection attempts w/37 unique payloads

Grow revenue opportunities with fast, personalized web experiences and manage complexity from peak demand, mobile devices and data collection. 691 SQL injection attempts w/18 unique payloads

Grow revenue opportunities with fast, personalized web experiences and manage complexity from peak demand, mobile devices and data collection. 232 SQL injection attempts w/9 unique payloads

Grow revenue opportunities with fast, personalized web experiences and manage complexity from peak demand, mobile devices and data collection.

Risk Score Update ever hour Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks.

A Year in the Life of a Botnet In January 2014 we published a blog on a global botnet: https://blogs.akamai.com/2014/01/analyzing-a-malicious-botnet-attack-campaign-through-thesecurity-big-data-prism.html Exploiting Joomla Content Editor vulnerability to install backdoors Began as a single event analysis of the exploit Zoomed out and discovered an entire botnet mining the web for vulnerable Joomla servers

A Truly Global Botnet Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks.

And a Very Active Botnet 43,000 malicious HTTP requests seen over the month 2008 different web applications were targeted

10 months later, the Botnet lives on In Nov. 2014, the team began a 3 month follow on analysis The botnet now contains 1037 members. All members are compromised public Web servers, mostly running Joomla and WordPress CMS The Botnet has targeted more than 7800 applications over the period Note the data is only based on Akamai customers probably targeted many more applications

Active Members Over Time

New Botnet Members Over Time

Activity Duration of Botnet Members and Evolution On average, Joomla botnet members spurted malicious traffic over 29 days. To compare, compromised web servers running other Web platforms, were maliciously active for 10 days on average. The reason for the difference between Joomla and the rest of the servers is unclear Likely related to the massive exploitation of the Joomla vulnerability The Botnet evolved over time to attempt to also exploit other vulnerabilities: Remote File Inclusion (RFI) on the TimThumb image resizer WordPress module Remote Code Execution (RCE) on the Open Flash Chart library

Longevity of Members Comparing the active Botnet members from 9 months ago to now 43 of the botnet members were also maliciously active 9 months ago. 4% of botnet members have not been cleaned up for 9 months Surprising, given that: The botnet targets a 3-year old vulnerability. Vulnerable web servers should have been upgraded with newer software ages ago The awareness for the usage of this vulnerability in the wild. This is not the first publication of a JCE vulnerability exploitation The botnet activity is visible and loud, targeting many applications across the Internet, making it easy to be detected.

Bots on the Akamai Platform How many bots does Akamai see IN ONE DAY? 8.01 BILLION Bot requests in 24-hours Avoid data theft and downtime by extending the security perimeter outside Data the Collected data-center and protect from increasing frequency, scale and sophistication of web attacks. April 1-2, 2015 Total Requests: 85,475,034,620 Bots were 9.4% of all requests

Bots on the Akamai Platform 24% Other Bots 42% 8.01 Crawlers, Spiders & Scrapers Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, 6% scale and sophistication of web attacks. Billion requests API Engines 26% Search engines & site indexers 1% Security scanning

Bots on the Akamai Platform 42% 8.01 Crawlers, Spiders & Scrapers 24% Other Bots Avoid data theft and downtime by extending the 24% Content Scrapers security perimeter outside the data-center and 7% Advertising protect from increasing frequency, 6% scale and 3% Data Aggregators sophistication of web attacks. Billion requests Crawlers, Spiders & Scrapers: API Engines 2% Web Archivers 2% Website Monitors 1% SEO Analyzers 26% 1% Social Media Search engines & site indexers 1% Security scanning

Bots The Akamai Viewpoint 24% Other Bots 42% 8.01 Crawlers, Spiders & Scrapers Common bot challenges Avoid data theft and downtime by extending the security perimeter outside the data-center and Stolen intellectual property protect from increasing frequency, 6% scale and Increased sophistication price of competition web attacks. API Engines Billion Additional requests bandwidth costs IT infrastructure overhead 26% DDoS and application downtime Search engines & site indexers 1% Security scanning

Bots The Akamai Viewpoint 8.01 Billion requests Avoid data theft and downtime by extending the Bot security management perimeter outside needs the data-center and Bot protect detection from and increasing identification frequency, scale and sophistication of web attacks. Advanced bot responses Report on bot activity and mitigations applied Policies to enab le business-level protection

Summary Bot Behavior Looking at botnets behavior over time we see a clear trend of increase in the number of attacked application per day and HTTP transactions per day. These botnets are not static in size, and tend to grow over time. Most of the bot machines in this attack came from the US and Europe While Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. geographic-based protections are futile, the fact that the majority of malicious bots were Internet facing web servers means that their IP address is static. The ability to identify globally distributed malicious botnets based on behavioral analysis of multi-site security data can become a game changer in the battle for web application security Correlating cross-domain attack information can help in the prediction of the next targets and therefore reduce risk to other applications that are still not under attack Akamai's threat research team sees an increase in botnet-based attacks, which makes use of application-layer vulnerabilities as their primary weapon (as opposed to DDoS botnets)

Bot Manager Product Concept Allow customers to manage the load on their infrastructure from Bots and protect their Web content from being scraped Human Bot Slow Down Detect if human or not Avoid data theft and downtime by extending the security perimeter Manage Good outside and the Bad data-center Bot Traffic and protect from increasing frequency, scale and Business Oriented Policies Apply sophistication of web attacks. actions based on importance of the traffic to business: o Slow it down o Feed fake / stale data o Challenge it o Deny it o Etc.

Closing Thoughts Bots and automation are an increasing problem for the web Simply exposing a botnet and it s tactics has little impact Shutting down members of a Botnet only causes it to breed faster Effective detection requires many techniques, but especially behavioral analytics Effective mitigation requires a variety of responses that keep the bot unaware that they have been detected

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback