Survival in an Evolving Threat Landscape David Hobbs Director of Security Solutions Emergency Response Team DavidH@Radware.com May 2013 Radware Confidential May 2013 Attacks on the us banks Others 2012 popular attack patterns & trends AGENDA 2012 Availability-based threats Radware ERT Survey Radware Confidential Jan 2012 Slide 3 2012 Attack Motivation - ERT Survey Radware Confidential Jan 2012 Slide 4 2012 Target Trend - ERT Survey Radware Confidential Jan 2012 Slide 5 Main Bottlenecks During DoS Attacks - ERT Survey Radware Confidential Jan 2012 Slide 6 Attacks Campaigns Duration Radware Confidential Jan 2012 Slide 7 Attack Duration Requires IT to Develop New Skills War Room Skills Are Required Radware Confidential Jan 2012 Slide 8 Attacks Traverses CDNs (Dynamic Object Attacks) Radware Confidential Jan 2012 Slide 9 Attacks on the us banks Others 2012 popular attack patterns & trends AGENDA 2012 Availability-based threats “Overview” • • • • • What triggered the recent US attacks? Who was involved in implementing the attacks and name of the operation? How long were the attacks and how many attack vectors were involved? How the attacks work and their effects. How can we prepare ourselves in the future? Radware Confidential Jan 2012 Slide 11 “What triggered the attacks on the US banks?” • • • Nakoula Basseley Nakoula (Alias- “Sam Bacile”), an Egyption born US resident created an anti Islam film. Early September the publication of the ‘Innocence of Muslims’ film on YouTube invokes demonstrations throughout the Muslim world. The video was 14 minutes though a full length movie was released. Radware Confidential Jan 2012 Slide 12 “Protests generated by the movie” Radware Confidential Jan 2012 Slide 13 The Cyber Response Radware Confidential Jan 2012 Slide 14 “Who is the group behind the cyber response?” • • • • A hacker group called “Izz as-Din al-Qassam Cyber fighters”. Izz as-Din al-Qassam was a famous Muslim preacher who was a leader in the fight against the French, US and Zionist in the 1920’s and 1930’s. The group claims not to be affiliated to any government or Anonymous. This group claims to be independent, and it’s goal is to defend Islam. Radware Confidential Jan 2012 Slide 15 “Operation Ababil launched!” • • • • “Operation Ababil” is the codename of the operation launched on Septembetr18th 2012, by the group “Izz as-Din al-Qassam Cyber fighters” The attackers announced they would attack “American and Zionist targets”. “Ababil” translates to “swallow” from Persian. Until today the US thinks the Iranian government may be behind the operation. The operations goal is to have “Youtube” remove the anti-muslim film from it’s site. Until today the video has not been removed. Radware Confidential Jan 2012 Slide 16 “The attack campaign in 2 phases” • • • • The attack campaign was split into 2 phases, a pubic announcement was made in each phase. The attacks lasted 10 days, from the 18th until the 28th of September. Phase 1 - Targets > NYSE, BOA, JP Morgan. Phase 2 – Targets > Wells Fargo, US Banks, PNC. New York Stock Exchange Radware Confidential Jan 2012 Slide 17 The Attack Vectors and Tactics! Slide 18 “Attack Vectors” • 1. 2. 3. 4. 5. 5 Attack vectors were seen by the ERT team during Operation Ababil. UDP garbage flood. TCP SYN flood. Mobile LOIC (Apache killer version). HTTP Request flood. ICMP Reply flood. (*Unconfirmed but reported on). *Note: Data is gathered by Radware as well as it’s partners. Radware Confidential Jan 2012 “UDP Garbage Flood” • • • • • Targeted the DNS servers of the organizations, also HTTP. Up to 1Gbps volume (Possibly higher). All attacks were identical in content and in size (Packet structure). UDP packets sent to port 53 and 80. Customer attacked Sep 18th and on the 19th. Radware Confidential Jan 2012 Slide 20 “Tactics used in the UDP garbage flood” • • • • • Internal DNS servers were targeted , at a high rate. Web servers were also targeted, at a high rate. Spoofed IP’s (But kept to just a few, this is unusual). ~ 1Gbps. Lasted more than 7 hours initially but still continues... Packet structure Parameter Value Port 53 Value Port 80 Packet size 1358 Bytes Unknown Value in Garbage ‘A’ (0x41) characters repeated “/http1” (\x2f\x68\x74\x74\x70\x 31) - repetitive Radware Confidential Jan 2012 Slide 21 “DNS Garbage flood packet extract” • • Some reports of a DNS reflective attack was underway seem to be incorrect. The packets are considered “Malformed” DNS packets, no relevant DNS header. Radware Confidential Jan 2012 Slide 22 “Attackers objective of the UDP Garbage flood” • • • • • Saturate bandwidth. Attack will pass through firewall, since port is open. Saturate session tables/CPU resources on any state -full device, L4 routing rules any router, FW session tables etc.. Returning ICMP type 3 further saturate upstream bandwidth. All combined will lead to a DoS situation if bandwidth and infrastructure cannot handle the volume or packet processing. Radware Confidential Jan 2012 Slide 23 “TCP SYN flood” • • • Targeted Port 53, 80 and 443. The rate was around 100Mbps with around 135K PPS. This lasted from the Sep 18th for more than 3 days. Radware Confidential Jan 2012 Slide 24 “SYN flood Packet extract” -All sources are spoofed. -Multiple SYN packets to port 443. Radware Confidential Jan 2012 Slide 25 “Attackers objective of the TCP SYN floods” • • • • • • SYN floods are a well known attack vector. Can be used to distract from more targeted attacks. The effect of the SYN flood if it slips through can devastate state-full devices quickly. This is done by filling up the session table. All state-full device has some performance impact under such a flood. Easy to implement. Incorrect network architecture will quickly have issues. Radware Confidential Jan 2012 Slide 26 “Mobile LOIC (Apache killer version)” • • • • Mobile LOIC (Low Orbit Iron Cannon) is a DDoS tool written in HTML and Javascript. This DDoS Tool does an HTTP GET flood. The tool is designed to do HTTP floods. We have no statistics on the exact traffic of mobile LOIC. *Suspected *Suspected Radware Confidential Jan 2012 Slide 27 “Mobile LOIC in a web browser” Radware Confidential Jan 2012 Slide 28 “HTTP Request Flood” • • • • Between 80K and 100K TPS (Transactions Per second) Port 80 Followed the same patterns in the GET request (Except for the Input parameter) Dynamic user agent Radware Confidential Jan 2012 Slide 29 “HTTP flood packet structure” • • • • • Sources worldwide (True sources most likely hidden). User agent duplicated. Attack time was short (No confirmed timeline) Rates are unknown. Dynamic Input parameters. GET Requests parameters Radware Confidential Jan 2012 Slide 30 “HTTP flood packet parameters identified” HTTP Request Samples GET /financial-literacy/all-about-investing/etvs?2408b GET /financial-literacy/all-about-investing/bonds?4d094 GET /inside-the-exchange/visiting?aad95 GET / HTTP Request Samples DoCoMo/2.0 SH902i (compatible; Y!J-SRD/1.0; http://help.yahoo.co.jp/help/jp/search/indexing/indexing-27.html) Googlebot/2.1 ( http://www.googlebot.com/bot.html) IE/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322;) Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4b) Gecko/20030505 Mozilla Firebird/0.6 Opera/9.00 (Windows NT 5.1; U; en) User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;) msnbot-Products/1.0 (+http://search.msn.com/msnbot.htm) Radware Confidential Jan 2012 Slide 31 “Identified locations of attacking IP’s” Worldwide! Radware Confidential Jan 2012 Slide 32 “Attackers objective of the HTTP flood” • • • • Bypass CDN services by randomizing the input parameter and user agents. Because of the double user agent there was an flaw in the programming behind the attacking tool. Saturating and exhausting web server resources by keeping session table and web server connection limits occupied. The attack takes more resources to implement than non connection orientated attacks like TCP SYN floods and UDP garbage floods. This is because of the need to establish a connection. Radware Confidential Jan 2012 Slide 33 Unconfirmed Vectors of attack Slide 34 “Unconfirmed attacks” • • • The following 2 attack vectors were reported to us by our customers however we have no data internally to indicate these attacks took place. The data was either gathered through intelligence the customer had (IRC chat, Forums etc..) or something they suspected and reported to Radware but never provided logs for. The 2 other vectors suspected are: – ICMP Reply Flood. – Dirt Jumper. Radware Confidential Jan 2012 “ICMP Reply flood” • • This attack was gathered through Cisco logs at the customers site. We have no statistics on the attack. Radware Confidential Jan 2012 Slide 36 “ICMP Reply Flood explained” • • • • ICMP “Requests” (ICMP Type 8) are sent to the target in order to generate multiple ICMP “Reply” (ICMP Type 0) packets. This can also be from spoofed IP’s (Sent packets, ICMP Type 8). This saturates bandwidth on the servers up/down stream as well as CPU processing to process the ICMP packets and respond. To do a replay flood you just spoof the SRC IP of the ICMP request. Radware Confidential Jan 2012 Slide 37 “Dirt Jumper” • • • • Dirt Jumper is a BOT currently at version 5. Dirt jumper is used in various HTTP floods. POST, GET and download floods are supported by the latest version of Dirt Jumper. User Agent and Referrer randomization are supported too. Radware Confidential Jan 2012 Slide 38 “Dirt Jumper C&C” Radware Confidential Jan 2012 Slide 39 Attacks on the us banks Others 2012 popular attack patterns & trends AGENDA 2012 Availability-based threats Availability-based Threats Tree Availabilitybased Threats Network Floods (Volumetric) Application Floods ICMP Flood Web Flood UPD Flood HTTPS DNS Low-and-Slow Single-packet DoS SMTP SYN Flood Radware Confidential Jan 2012 Slide 41 Asymmetric Attacks Radware Confidential Jan 2012 Slide 42 HTTP Reflection Attack Attacker Website A Website B (Victim) HTTP GET Radware Confidential Jan 2012 Slide 43 HTTP Reflection Attack Example iframe, width=1, height=1 search.php Radware Confidential Jan 2012 Slide 44 HTTPS – SSL Re Negotiation Attack THC-SSL DoS THC-SSL DOS was developed by a hacking group called The Hacker’s Choice (THC), as a proofof-concept to encourage vendors to patch a serious SSL vulnerability. THC-SSL-DOS, as with other “low and slow” attacks, requires only a small number of packets to cause denial-of-service for a fairly large server. It works by initiating a regular SSL handshake and then immediately requesting for the renegotiation of the encryption key, constantly repeating this server resource-intensive renegotiation request until all server resources have been exhausted. Radware Confidential Jan 2012 Slide 45 Low & Slow Availabilitybased Threats Network Floods (Volumetric) Application Floods ICMP Flood Web Flood UPD Flood HTTPS DNS Low-and-Slow Single-packet DoS SMTP SYN Flood Radware Confidential Jan 2012 Slide 46 Low & Slow • • • • Slowloris Sockstress R.U.D.Y. Simultaneous Connection Saturation Radware Confidential Jan 2012 Slide 47 R.U.D.Y (R-U-Dead-Yet) R.U.D.Y. (R-U-Dead-Yet?) R.U.D.Y. (R-U-Dead-Yet?) is a slow-rate HTTP POST (Layer 7) denial-of-service tool created by Raviv Raz and named after the Children of Bodom album “Are You Dead Yet?” It achieves denial-of-service by using long form field submissions. By injecting one byte of information into an application POST field at a time and then waiting, R.U.D.Y. causes application threads to await the end of never-ending posts in order to perform processing (this behavior is necessary in order to allow web servers to support users with slower connections). Since R.U.D.Y. causes the target webserver to hang while waiting for the rest of an HTTP POST request, by initiating simultaneous connections to the server the attacker is ultimately able to exhaust the server’s connection table and create a denial-of-service condition. Radware Confidential Jan 2012 Slide 48 Slowloris Slowloris Slowloris is a denial-of-service (DoS) tool developed by the grey hat hacker “RSnake” that causes DoS by using a very slow HTTP request. By sending HTTP headers to the target site in tiny chunks as slow as possible (waiting to send the next tiny chunk until just before the server would time out the request), the server is forced to continue to wait for the headers to arrive. If enough connections are opened to the server in this fashion, it is quickly unable to handle legitimate requests. Slowloris is cross-platform, except due to Windows’ ~130 simultaneous socket use limit, it is only effective from UNIX-based systems which allow for more connections to be opened in parallel to a target server (although a GUI Python version of Slowloris dubbed PyLoris was able to overcome this limiting factor on Windows). Radware Confidential Jan 2012 Slide 49 DefensePipe Operation Flow ISP ERT with the customer decide to divert the traffic Volumetric DDoS attack On-premise AMS that blocks the mitigates the Internet attack pipe Clean traffic Defense Messaging DefensePros DefensePro © Radware 2013 AppWall Protected Online Services Protected Organization Sharing essential information for attack mitigation DefensePipe Scrubbing Center Radware Security Products Portfolio DefensePro Network & Server attack prevention device AppWall Web Application Firewall (WAF) APSolute Vision Management and security reporting & compliance Slide 51 Thank You www.radware.com Radware Confidential Jan 2012