SlideShare una empresa de Scribd logo

In the Line of Fire-the Morphology of Cyber Attacks

Descargar como PPTX, PDF
Radware
Radware

David Hobbs’ Presentation from his series of presentations during SecureWorld that discusses Availability-based threats; Attacks on U.S. banks and others popular attack patterns & trends.

TecnologíaNoticias y política
1 de 51
In the Line of Fire - The Morphology of Cyber-Attacks David Hobbs Director of Security Solutions Emergency Response Team DavidH@Radware.com April 2013 Radware Confidential Jan 2012
AGENDA 2012 Availability-based threats Attacks on the us banks Others 2012 popular attack patterns & trends
Radware ERT Survey Slide 3Radware Confidential Jan 2012
2012 Attack Motivation - ERT Survey Slide 4Radware Confidential Jan 2012
2012 Target Trend - ERT Survey Slide 5Radware Confidential Jan 2012
Main Bottlenecks During DoS Attacks - ERT Survey Slide 6Radware Confidential Jan 2012
Attacks Campaigns Duration Slide 7Radware Confidential Jan 2012
Attack Duration Requires IT to Develop New Skills War Room Skills Are Required Slide 8Radware Confidential Jan 2012
Attacks Traverses CDNs (Dynamic Object Attacks) Slide 9Radware Confidential Jan 2012
AGENDA 2012 Availability-based threats Attacks on the us banks Others 2012 popular attack patterns & trends
“Overview” • What triggered the recent US attacks? • Who was involved in implementing the attacks and name of the operation? • How long were the attacks and how many attack vectors were involved? • How the attacks work and their effects. • How can we prepare ourselves in the future? Slide 11Radware Confidential Jan 2012
“What triggered the attacks on the US banks?” • Nakoula Basseley Nakoula (Alias- “Sam Bacile”), an Egyption born US resident created an anti Islam film. • Early September the publication of the „Innocence of Muslims‟ film on YouTube invokes demonstrations throughout the Muslim world. • The video was 14 minutes though a full length movie was released. Slide 12Radware Confidential Jan 2012
“Protests generated by the movie” Slide 13Radware Confidential Jan 2012
The Cyber Response Slide 14Radware Confidential Jan 2012
“Who is the group behind the cyber response?” • A hacker group called “Izz as-Din al-Qassam Cyber fighters”. • Izz as-Din al-Qassam was a famous Muslim preacher who was a leader in the fight against the French, US and Zionist in the 1920‟s and 1930‟s. • The group claims not to be affiliated to any government or Anonymous. • This group claims to be independent, and it‟s goal is to defend Islam. Slide 15Radware Confidential Jan 2012
“Operation Ababil launched!” • “Operation Ababil” is the codename of the operation launched on Septembetr18th 2012, by the group “Izz as-Din al-Qassam Cyber fighters” • The attackers announced they would attack “American and Zionist targets”. • “Ababil” translates to “swallow” from Persian. Until today the US thinks the Iranian government may be behind the operation. • The operations goal is to have “Youtube” remove the anti-muslim film from it‟s site. Until today the video has not been removed. Slide 16Radware Confidential Jan 2012
“The attack campaign in 2 phases” • The attack campaign was split into 2 phases, a pubic announcement was made in each phase. • The attacks lasted 10 days, from the 18th until the 28th of September. • Phase 1 - Targets > NYSE, BOA, JP Morgan. • Phase 2 – Targets > Wells Fargo, US Banks, PNC. Slide 17Radware Confidential Jan 2012 New York Stock Exchange
The Attack Vectors and Tactics! Slide 18
“Attack Vectors” • 5 Attack vectors were seen by the ERT team during Operation Ababil. 1. UDP garbage flood. 2. TCP SYN flood. 3. Mobile LOIC (Apache killer version). 4. HTTP Request flood. 5. ICMP Reply flood. (*Unconfirmed but reported on). *Note: Data is gathered by Radware as well as it‟s partners. Radware Confidential Jan 2012
“UDP Garbage Flood” • Targeted the DNS servers of the organizations, also HTTP. • Up to 1Gbps volume (Possibly higher). • All attacks were identical in content and in size (Packet structure). • UDP packets sent to port 53 and 80. • Customer attacked Sep 18th and on the 19th. Slide 20Radware Confidential Jan 2012
“Tactics used in the UDP garbage flood” • Internal DNS servers were targeted , at a high rate. • Web servers were also targeted, at a high rate. • Spoofed IP‟s (But kept to just a few, this is unusual). • ~ 1Gbps. • Lasted more than 7 hours initially but still continues... Packet structure Slide 21 Parameter Value Port 53 Value Port 80 Packet size 1358 Bytes Unknown Value in Garbage ‘A’ (0x41) characters repeated “/http1” (x2fx68x74x74x70x 31) - repetitive Radware Confidential Jan 2012
“DNS Garbage flood packet extract” • Some reports of a DNS reflective attack was underway seem to be incorrect. • The packets are considered “Malformed” DNS packets, no relevant DNS header. Slide 22Radware Confidential Jan 2012
“Attackers objective of the UDP Garbage flood” • Saturate bandwidth. • Attack will pass through firewall, since port is open. • Saturate session tables/CPU resources on any state -full device, L4 routing rules any router, FW session tables etc.. • Returning ICMP type 3 further saturate upstream bandwidth. • All combined will lead to a DoS situation if bandwidth and infrastructure cannot handle the volume or packet processing. Slide 23Radware Confidential Jan 2012
“TCP SYN flood” • Targeted Port 53, 80 and 443. • The rate was around 100Mbps with around 135K PPS. • This lasted from the Sep 18th for more than 3 days. Slide 24Radware Confidential Jan 2012
“SYN flood Packet extract” Slide 25 -All sources are spoofed. -Multiple SYN packets to port 443. Radware Confidential Jan 2012
“Attackers objective of the TCP SYN floods” • SYN floods are a well known attack vector. • Can be used to distract from more targeted attacks. • The effect of the SYN flood if it slips through can devastate state-full devices quickly. This is done by filling up the session table. • All state-full device has some performance impact under such a flood. • Easy to implement. • Incorrect network architecture will quickly have issues. Slide 26Radware Confidential Jan 2012
“Mobile LOIC (Apache killer version)” • Mobile LOIC (Low Orbit Iron Cannon) is a DDoS tool written in HTML and Javascript. • This DDoS Tool does an HTTP GET flood. • The tool is designed to do HTTP floods. • We have no statistics on the exact traffic of mobile LOIC. Slide 27 *Suspected*Suspected Radware Confidential Jan 2012
“Mobile LOIC in a web browser” Slide 28Radware Confidential Jan 2012
“HTTP Request Flood” • Between 80K and 100K TPS (Transactions Per second) • Port 80 • Followed the same patterns in the GET request (Except for the Input parameter) • Dynamic user agent Slide 29Radware Confidential Jan 2012
“HTTP flood packet structure” • Sources worldwide (True sources most likely hidden). • User agent duplicated. • Attack time was short (No confirmed timeline) • Rates are unknown. • Dynamic Input parameters. GET Requests parameters Slide 30Radware Confidential Jan 2012
“HTTP flood packet parameters identified” Slide 31 HTTP Request Samples GET /financial-literacy/all-about-investing/etvs?2408b GET /financial-literacy/all-about-investing/bonds?4d094 GET /inside-the-exchange/visiting?aad95 GET / HTTP Request Samples DoCoMo/2.0 SH902i (compatible; Y!J-SRD/1.0; http://help.yahoo.co.jp/help/jp/search/indexing/indexing-27.html) Googlebot/2.1 ( http://www.googlebot.com/bot.html) IE/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322;) Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4b) Gecko/20030505 Mozilla Firebird/0.6 Opera/9.00 (Windows NT 5.1; U; en) User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;) msnbot-Products/1.0 (+http://search.msn.com/msnbot.htm) Radware Confidential Jan 2012
“Identified locations of attacking IP‟s” Slide 32 Worldwide! Radware Confidential Jan 2012
“Attackers objective of the HTTP flood” • Bypass CDN services by randomizing the input parameter and user agents. • Because of the double user agent there was an flaw in the programming behind the attacking tool. • Saturating and exhausting web server resources by keeping session table and web server connection limits occupied. • The attack takes more resources to implement than non connection orientated attacks like TCP SYN floods and UDP garbage floods. This is because of the need to establish a connection. Slide 33Radware Confidential Jan 2012
Unconfirmed Vectors of attack Slide 34
“Unconfirmed attacks” • The following 2 attack vectors were reported to us by our customers however we have no data internally to indicate these attacks took place. • The data was either gathered through intelligence the customer had (IRC chat, Forums etc..) or something they suspected and reported to Radware but never provided logs for. • The 2 other vectors suspected are: – ICMP Reply Flood. – Dirt Jumper. Radware Confidential Jan 2012
“ICMP Reply flood” • This attack was gathered through Cisco logs at the customers site. • We have no statistics on the attack. Slide 36Radware Confidential Jan 2012
“ICMP Reply Flood explained” • ICMP “Requests” (ICMP Type 8) are sent to the target in order to generate multiple ICMP “Reply” (ICMP Type 0) packets. • This can also be from spoofed IP‟s (Sent packets, ICMP Type 8). • This saturates bandwidth on the servers up/down stream as well as CPU processing to process the ICMP packets and respond. • To do a replay flood you just spoof the SRC IP of the ICMP request. Slide 37Radware Confidential Jan 2012
“Dirt Jumper” • Dirt Jumper is a BOT currently at version 5. • Dirt jumper is used in various HTTP floods. • POST, GET and download floods are supported by the latest version of Dirt Jumper. • User Agent and Referrer randomization are supported too. Slide 38Radware Confidential Jan 2012
“Dirt Jumper C&C” Slide 39Radware Confidential Jan 2012
AGENDA 2012 Availability-based threats Attacks on the us banks Others 2012 popular attack patterns & trends
Availability-based Threats Tree Slide 41 Availability- based Threats Network Floods (Volumetric) Application Floods Low-and-Slow Single-packet DoS UPD Flood ICMP Flood SYN Flood Web Flood DNS SMTP HTTPS Radware Confidential Jan 2012
Asymmetric Attacks Slide 42Radware Confidential Jan 2012
HTTP Reflection Attack Slide Website A Website B (Victim) Attacker HTTP GET Radware Confidential Jan 2012
Slide iframe, width=1, height=1 search.php HTTP Reflection Attack Example Radware Confidential Jan 2012
HTTPS – SSL Re Negotiation Attack Slide 45 THC-SSL DoS THC-SSL DOS was developed by a hacking group called The Hacker‟s Choice (THC), as a proof- of-concept to encourage vendors to patch a serious SSL vulnerability. THC-SSL-DOS, as with other “low and slow” attacks, requires only a small number of packets to cause denial-of-service for a fairly large server. It works by initiating a regular SSL handshake and then immediately requesting for the renegotiation of the encryption key, constantly repeating this server resource-intensive renegotiation request until all server resources have been exhausted. Radware Confidential Jan 2012
Low & Slow Slide 46 Availability- based Threats Network Floods (Volumetric) Application Floods Low-and-Slow Single-packet DoS UPD Flood ICMP Flood SYN Flood Web Flood DNS SMTP HTTPS Low-and-Slow Radware Confidential Jan 2012
Low & Slow • Slowloris • Sockstress • R.U.D.Y. • Simultaneous Connection Saturation Slide 47Radware Confidential Jan 2012
R.U.D.Y (R-U-Dead-Yet) Slide 48 R.U.D.Y. (R-U-Dead-Yet?) R.U.D.Y. (R-U-Dead-Yet?) is a slow-rate HTTP POST (Layer 7) denial-of-service tool created by Raviv Raz and named after the Children of Bodom album “Are You Dead Yet?” It achieves denial-of-service by using long form field submissions. By injecting one byte of information into an application POST field at a time and then waiting, R.U.D.Y. causes application threads to await the end of never-ending posts in order to perform processing (this behavior is necessary in order to allow web servers to support users with slower connections). Since R.U.D.Y. causes the target webserver to hang while waiting for the rest of an HTTP POST request, by initiating simultaneous connections to the server the attacker is ultimately able to exhaust the server‟s connection table and create a denial-of-service condition. Radware Confidential Jan 2012
Slowloris Slide 49 Slowloris Slowloris is a denial-of-service (DoS) tool developed by the grey hat hacker “RSnake” that causes DoS by using a very slow HTTP request. By sending HTTP headers to the target site in tiny chunks as slow as possible (waiting to send the next tiny chunk until just before the server would time out the request), the server is forced to continue to wait for the headers to arrive. If enough connections are opened to the server in this fashion, it is quickly unable to handle legitimate requests. Slowloris is cross-platform, except due to Windows’ ~130 simultaneous socket use limit, it is only effective from UNIX-based systems which allow for more connections to be opened in parallel to a target server (although a GUI Python version of Slowloris dubbed PyLoris was able to overcome this limiting factor on Windows). Radware Confidential Jan 2012
Radware Security Products Portfolio Slide 50 AppWall Web Application Firewall (WAF) DefensePro Network & Server attack prevention device APSolute Vision Management and security reporting & compliance
Thank You www.radware.com Radware Confidential Jan 2012

Recomendados

SecureWorld St. Louis: Survival in an Evolving Threat Landscape
SecureWorld St. Louis: Survival in an Evolving Threat LandscapeSecureWorld St. Louis: Survival in an Evolving Threat Landscape
SecureWorld St. Louis: Survival in an Evolving Threat LandscapeRadware
 
Survival in an Evolving Threat Landscape
Survival in an Evolving Threat LandscapeSurvival in an Evolving Threat Landscape
Survival in an Evolving Threat LandscapeRadware
 
In the Line of Fire-the Morphology of Cyber Attacks
In the Line of Fire-the Morphology of Cyber AttacksIn the Line of Fire-the Morphology of Cyber Attacks
In the Line of Fire-the Morphology of Cyber AttacksRadware
 
Briefing on Recent US Bank Attacks and 2012 Attack Trends
Briefing on Recent US Bank Attacks and 2012 Attack TrendsBriefing on Recent US Bank Attacks and 2012 Attack Trends
Briefing on Recent US Bank Attacks and 2012 Attack TrendsRadware
 
In the Line of Fire - The Morphology of Cyber-Attacks
In the Line of Fire - The Morphology of Cyber-AttacksIn the Line of Fire - The Morphology of Cyber-Attacks
In the Line of Fire - The Morphology of Cyber-AttacksRadware
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCanSecWest
 
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...CODE BLUE
 
Does a Bear Leak in the Woods?
Does a Bear Leak in the Woods?Does a Bear Leak in the Woods?
Does a Bear Leak in the Woods?ThreatConnect
 

Recomendados

SecureWorld St. Louis: Survival in an Evolving Threat Landscape
SecureWorld St. Louis: Survival in an Evolving Threat LandscapeSecureWorld St. Louis: Survival in an Evolving Threat Landscape
SecureWorld St. Louis: Survival in an Evolving Threat LandscapeRadware
 
Survival in an Evolving Threat Landscape
Survival in an Evolving Threat LandscapeSurvival in an Evolving Threat Landscape
Survival in an Evolving Threat LandscapeRadware
 
In the Line of Fire-the Morphology of Cyber Attacks
In the Line of Fire-the Morphology of Cyber AttacksIn the Line of Fire-the Morphology of Cyber Attacks
In the Line of Fire-the Morphology of Cyber AttacksRadware
 
Briefing on Recent US Bank Attacks and 2012 Attack Trends
Briefing on Recent US Bank Attacks and 2012 Attack TrendsBriefing on Recent US Bank Attacks and 2012 Attack Trends
Briefing on Recent US Bank Attacks and 2012 Attack TrendsRadware
 
In the Line of Fire - The Morphology of Cyber-Attacks
In the Line of Fire - The Morphology of Cyber-AttacksIn the Line of Fire - The Morphology of Cyber-Attacks
In the Line of Fire - The Morphology of Cyber-AttacksRadware
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCanSecWest
 
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...CODE BLUE
 
Does a Bear Leak in the Woods?
Does a Bear Leak in the Woods?Does a Bear Leak in the Woods?
Does a Bear Leak in the Woods?ThreatConnect
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleGuardicore
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryTim Mackey
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Tim Mackey
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureShakacon
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014Chong-Kuan Chen
 
Advanced DNS Protection
Advanced DNS ProtectionAdvanced DNS Protection
Advanced DNS ProtectionSrikrupa Srivatsan
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementTim Mackey
 
Dns security threats and solutions
Dns security threats and solutionsDns security threats and solutions
Dns security threats and solutionsFrank Victory
 
Secure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackSecure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackTim Mackey
 
Security in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsSecurity in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsTim Mackey
 
DNS Security Threats and Solutions
DNS Security Threats and SolutionsDNS Security Threats and Solutions
DNS Security Threats and SolutionsInnoTech
 
Philippines Cybersecurity Conference 2021: The role of CERTs
Philippines Cybersecurity Conference 2021: The role of CERTsPhilippines Cybersecurity Conference 2021: The role of CERTs
Philippines Cybersecurity Conference 2021: The role of CERTsAPNIC
 
Investigating Cooridinated Data Exfiltration
Investigating Cooridinated Data ExfiltrationInvestigating Cooridinated Data Exfiltration
Investigating Cooridinated Data ExfiltrationAndrew Case
 
Infoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid Them
Infoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid ThemInfoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid Them
Infoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid ThemJennifer Nichols
 
Incident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceIncident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceChristopher Gerritz
 
Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016John Bambenek
 
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...PROIDEA
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistMyNOG
 
David Bianco - Enterprise Security Monitoring
David Bianco - Enterprise Security MonitoringDavid Bianco - Enterprise Security Monitoring
David Bianco - Enterprise Security Monitoringbsidesaugusta
 
Issa jason dablow
Issa jason dablowIssa jason dablow
Issa jason dablowISSA LA
 
What’s the Cost of a Cyber Attack (Infographic)
What’s the Cost of a Cyber Attack (Infographic)What’s the Cost of a Cyber Attack (Infographic)
What’s the Cost of a Cyber Attack (Infographic)Radware
 
Radware 2016 State of the Union: Multi Industry Web Performance (Desktop)
Radware 2016 State of the Union: Multi Industry Web Performance (Desktop)Radware 2016 State of the Union: Multi Industry Web Performance (Desktop)
Radware 2016 State of the Union: Multi Industry Web Performance (Desktop)Radware
 

Más contenido relacionado

La actualidad más candente

Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleGuardicore
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryTim Mackey
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Tim Mackey
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureShakacon
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementTim Mackey
 
Dns security threats and solutions
Dns security threats and solutionsDns security threats and solutions
Dns security threats and solutionsFrank Victory
 
Secure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackSecure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackTim Mackey
 
Security in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsSecurity in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsTim Mackey
 
DNS Security Threats and Solutions
DNS Security Threats and SolutionsDNS Security Threats and Solutions
DNS Security Threats and SolutionsInnoTech
 
Philippines Cybersecurity Conference 2021: The role of CERTs
Philippines Cybersecurity Conference 2021: The role of CERTsPhilippines Cybersecurity Conference 2021: The role of CERTs
Philippines Cybersecurity Conference 2021: The role of CERTsAPNIC
 
Investigating Cooridinated Data Exfiltration
Investigating Cooridinated Data ExfiltrationInvestigating Cooridinated Data Exfiltration
Investigating Cooridinated Data ExfiltrationAndrew Case
 
Infoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid Them
Infoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid ThemInfoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid Them
Infoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid ThemJennifer Nichols
 
Incident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceIncident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceChristopher Gerritz
 
Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016John Bambenek
 
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...PROIDEA
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistMyNOG
 
David Bianco - Enterprise Security Monitoring
David Bianco - Enterprise Security MonitoringDavid Bianco - Enterprise Security Monitoring
David Bianco - Enterprise Security Monitoringbsidesaugusta
 
Issa jason dablow
Issa jason dablowIssa jason dablow
Issa jason dablowISSA LA
 

La actualidad más candente (20)

Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at Scale
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014
 
Advanced DNS Protection
Advanced DNS ProtectionAdvanced DNS Protection
Advanced DNS Protection
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
 
Dns security threats and solutions
Dns security threats and solutionsDns security threats and solutions
Dns security threats and solutions
 
Secure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackSecure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStack
 
Security in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsSecurity in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptions
 
DNS Security Threats and Solutions
DNS Security Threats and SolutionsDNS Security Threats and Solutions
DNS Security Threats and Solutions
 
Philippines Cybersecurity Conference 2021: The role of CERTs
Philippines Cybersecurity Conference 2021: The role of CERTsPhilippines Cybersecurity Conference 2021: The role of CERTs
Philippines Cybersecurity Conference 2021: The role of CERTs
 
Investigating Cooridinated Data Exfiltration
Investigating Cooridinated Data ExfiltrationInvestigating Cooridinated Data Exfiltration
Investigating Cooridinated Data Exfiltration
 
Infoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid Them
Infoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid ThemInfoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid Them
Infoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid Them
 
Incident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceIncident Response for the Work-from-home Workforce
Incident Response for the Work-from-home Workforce
 
Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016
 
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security Checklist
 
David Bianco - Enterprise Security Monitoring
David Bianco - Enterprise Security MonitoringDavid Bianco - Enterprise Security Monitoring
David Bianco - Enterprise Security Monitoring
 
Issa jason dablow
Issa jason dablowIssa jason dablow
Issa jason dablow
 

Destacado

What’s the Cost of a Cyber Attack (Infographic)
What’s the Cost of a Cyber Attack (Infographic)What’s the Cost of a Cyber Attack (Infographic)
What’s the Cost of a Cyber Attack (Infographic)Radware
 
Radware 2016 State of the Union: Multi Industry Web Performance (Desktop)
Radware 2016 State of the Union: Multi Industry Web Performance (Desktop)Radware 2016 State of the Union: Multi Industry Web Performance (Desktop)
Radware 2016 State of the Union: Multi Industry Web Performance (Desktop)Radware
 
DDoS Threat Landscape - Ron Winward CHINOG16
DDoS Threat Landscape - Ron Winward CHINOG16DDoS Threat Landscape - Ron Winward CHINOG16
DDoS Threat Landscape - Ron Winward CHINOG16Radware
 
Radware Cloud Security Services
Radware Cloud Security ServicesRadware Cloud Security Services
Radware Cloud Security ServicesRadware
 
Cyber Security Through the Eyes of the C-Suite (Infographic)
Cyber Security Through the Eyes of the C-Suite (Infographic)Cyber Security Through the Eyes of the C-Suite (Infographic)
Cyber Security Through the Eyes of the C-Suite (Infographic)Radware
 
Nursing case study Appendectomy
Nursing case study AppendectomyNursing case study Appendectomy
Nursing case study Appendectomypinoy nurze
 

Destacado (6)

What’s the Cost of a Cyber Attack (Infographic)
What’s the Cost of a Cyber Attack (Infographic)What’s the Cost of a Cyber Attack (Infographic)
What’s the Cost of a Cyber Attack (Infographic)
 
Radware 2016 State of the Union: Multi Industry Web Performance (Desktop)
Radware 2016 State of the Union: Multi Industry Web Performance (Desktop)Radware 2016 State of the Union: Multi Industry Web Performance (Desktop)
Radware 2016 State of the Union: Multi Industry Web Performance (Desktop)
 
DDoS Threat Landscape - Ron Winward CHINOG16
DDoS Threat Landscape - Ron Winward CHINOG16DDoS Threat Landscape - Ron Winward CHINOG16
DDoS Threat Landscape - Ron Winward CHINOG16
 
Radware Cloud Security Services
Radware Cloud Security ServicesRadware Cloud Security Services
Radware Cloud Security Services
 
Cyber Security Through the Eyes of the C-Suite (Infographic)
Cyber Security Through the Eyes of the C-Suite (Infographic)Cyber Security Through the Eyes of the C-Suite (Infographic)
Cyber Security Through the Eyes of the C-Suite (Infographic)
 
Nursing case study Appendectomy
Nursing case study AppendectomyNursing case study Appendectomy
Nursing case study Appendectomy
 

Similar a In the Line of Fire-the Morphology of Cyber Attacks

Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eradicate the Bots in the Belfry - Information Security Summit - Eric VanderburgEradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eradicate the Bots in the Belfry - Information Security Summit - Eric VanderburgEric Vanderburg
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar Santhosh Kumar
 
HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
HITCON 2017: Building a Public RPZ Service to Protect the World's ConsumersHITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
HITCON 2017: Building a Public RPZ Service to Protect the World's ConsumersJohn Bambenek
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDebra Baker, CISSP CSSP
 
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...TI Safe
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCanSecWest
 
6 security130123
6 security1301236 security130123
6 security130123ARCFIRE ICT
 
The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce...
The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce... The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce...
The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce...SignalSEC Ltd.
 
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme... هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...M Mehdi Ahmadian
 
Using NetFlow to Streamline Security Analysis and Response to Cyber Threats
Using NetFlow to Streamline Security Analysis and Response to Cyber ThreatsUsing NetFlow to Streamline Security Analysis and Response to Cyber Threats
Using NetFlow to Streamline Security Analysis and Response to Cyber ThreatsEmulex Corporation
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeLancope, Inc.
 
HITCON 2015 - DGAs, DNS and Threat Intelligence
HITCON 2015 - DGAs, DNS and Threat IntelligenceHITCON 2015 - DGAs, DNS and Threat Intelligence
HITCON 2015 - DGAs, DNS and Threat IntelligenceJohn Bambenek
 
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovDetecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovEric Vanderburg
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primeramiable_indian
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinPhillip Maddux
 

Similar a In the Line of Fire-the Morphology of Cyber Attacks (20)

Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eradicate the Bots in the Belfry - Information Security Summit - Eric VanderburgEradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
OMG Data-Distribution Service Security
OMG Data-Distribution Service SecurityOMG Data-Distribution Service Security
OMG Data-Distribution Service Security
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
 
HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
HITCON 2017: Building a Public RPZ Service to Protect the World's ConsumersHITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptx
 
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
 
6 security130123
6 security1301236 security130123
6 security130123
 
6 security130123
6 security1301236 security130123
6 security130123
 
The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce...
The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce... The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce...
The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce...
 
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme... هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
 
Become a Cloud Security Ninja
Become a Cloud Security NinjaBecome a Cloud Security Ninja
Become a Cloud Security Ninja
 
Using NetFlow to Streamline Security Analysis and Response to Cyber Threats
Using NetFlow to Streamline Security Analysis and Response to Cyber ThreatsUsing NetFlow to Streamline Security Analysis and Response to Cyber Threats
Using NetFlow to Streamline Security Analysis and Response to Cyber Threats
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
 
HITCON 2015 - DGAs, DNS and Threat Intelligence
HITCON 2015 - DGAs, DNS and Threat IntelligenceHITCON 2015 - DGAs, DNS and Threat Intelligence
HITCON 2015 - DGAs, DNS and Threat Intelligence
 
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovDetecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
 
Atelier Technique ARBOR NETWORKS ACSS 2018
Atelier Technique ARBOR NETWORKS ACSS 2018Atelier Technique ARBOR NETWORKS ACSS 2018
Atelier Technique ARBOR NETWORKS ACSS 2018
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primer
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and Frankenstein
 

Más de Radware

Radware Hybrid Cloud WAF Service
Radware Hybrid Cloud WAF ServiceRadware Hybrid Cloud WAF Service
Radware Hybrid Cloud WAF ServiceRadware
 
The Expanding Role and Importance of Application Delivery Controllers [Resear...
The Expanding Role and Importance of Application Delivery Controllers [Resear...The Expanding Role and Importance of Application Delivery Controllers [Resear...
The Expanding Role and Importance of Application Delivery Controllers [Resear...Radware
 
The Art of Cyber War [From Black Hat Brazil 2014]
The Art of Cyber War [From Black Hat Brazil 2014]The Art of Cyber War [From Black Hat Brazil 2014]
The Art of Cyber War [From Black Hat Brazil 2014]Radware
 
The Real Cost of Slow Time vs Downtime
The Real Cost of Slow Time vs DowntimeThe Real Cost of Slow Time vs Downtime
The Real Cost of Slow Time vs DowntimeRadware
 
Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?Radware
 
Radware ERT Threat Alert: Shellshock Bash
Radware ERT Threat Alert: Shellshock BashRadware ERT Threat Alert: Shellshock Bash
Radware ERT Threat Alert: Shellshock BashRadware
 
The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre
The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving TheatreThe Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre
The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving TheatreRadware
 
Mobile Web Stress: Understanding the Neurological Impact of Poor Performance
Mobile Web Stress: Understanding the Neurological Impact of Poor PerformanceMobile Web Stress: Understanding the Neurological Impact of Poor Performance
Mobile Web Stress: Understanding the Neurological Impact of Poor PerformanceRadware
 
Emotional Engagement and Brand Perception
Emotional Engagement and Brand PerceptionEmotional Engagement and Brand Perception
Emotional Engagement and Brand PerceptionRadware
 
InfoSecurity Europe 2014: The Art Of Cyber War
InfoSecurity Europe 2014: The Art Of Cyber WarInfoSecurity Europe 2014: The Art Of Cyber War
InfoSecurity Europe 2014: The Art Of Cyber WarRadware
 
OpenStack Networking: Developing and Delivering a Commercial Solution for Lo...
OpenStack Networking: Developing and Delivering a Commercial Solution for Lo...OpenStack Networking: Developing and Delivering a Commercial Solution for Lo...
OpenStack Networking: Developing and Delivering a Commercial Solution for Lo...Radware
 
Radware DefenseFlow-The SDN Application That Programs Networks for DoS Security
Radware DefenseFlow-The SDN Application That Programs Networks for DoS Security Radware DefenseFlow-The SDN Application That Programs Networks for DoS Security
Radware DefenseFlow-The SDN Application That Programs Networks for DoS Security Radware
 
In the Line of Fire-the Morphology of Cyber Attacks
In the Line of Fire-the Morphology of Cyber AttacksIn the Line of Fire-the Morphology of Cyber Attacks
In the Line of Fire-the Morphology of Cyber AttacksRadware
 
SecureWorld: Information Security Adaption: Survival In An Evolving Threat L...
SecureWorld: Information Security Adaption: Survival In An Evolving Threat L...SecureWorld: Information Security Adaption: Survival In An Evolving Threat L...
SecureWorld: Information Security Adaption: Survival In An Evolving Threat L...Radware
 
Providing best response times, tightest security and highest availability for...
Providing best response times, tightest security and highest availability for...Providing best response times, tightest security and highest availability for...
Providing best response times, tightest security and highest availability for...Radware
 
Stock Exchanges in the Line of Fire-Morphology of Cyber Attacks
Stock Exchanges in the Line of Fire-Morphology of Cyber AttacksStock Exchanges in the Line of Fire-Morphology of Cyber Attacks
Stock Exchanges in the Line of Fire-Morphology of Cyber AttacksRadware
 
Attackers Vs. Defenders: Restoring the Equilibrium
Attackers Vs. Defenders: Restoring the EquilibriumAttackers Vs. Defenders: Restoring the Equilibrium
Attackers Vs. Defenders: Restoring the EquilibriumRadware
 
Radware DefensePipe: Cloud-Based Attack Mitigation Solution
Radware DefensePipe: Cloud-Based Attack Mitigation SolutionRadware DefensePipe: Cloud-Based Attack Mitigation Solution
Radware DefensePipe: Cloud-Based Attack Mitigation SolutionRadware
 
2012 Global Application and Network Security Report
2012 Global Application and Network Security Report2012 Global Application and Network Security Report
2012 Global Application and Network Security ReportRadware
 
2011 Global Application and Network Security Report
2011 Global Application and Network Security Report2011 Global Application and Network Security Report
2011 Global Application and Network Security ReportRadware
 

Más de Radware (20)

Radware Hybrid Cloud WAF Service
Radware Hybrid Cloud WAF ServiceRadware Hybrid Cloud WAF Service
Radware Hybrid Cloud WAF Service
 
The Expanding Role and Importance of Application Delivery Controllers [Resear...
The Expanding Role and Importance of Application Delivery Controllers [Resear...The Expanding Role and Importance of Application Delivery Controllers [Resear...
The Expanding Role and Importance of Application Delivery Controllers [Resear...
 
The Art of Cyber War [From Black Hat Brazil 2014]
The Art of Cyber War [From Black Hat Brazil 2014]The Art of Cyber War [From Black Hat Brazil 2014]
The Art of Cyber War [From Black Hat Brazil 2014]
 
The Real Cost of Slow Time vs Downtime
The Real Cost of Slow Time vs DowntimeThe Real Cost of Slow Time vs Downtime
The Real Cost of Slow Time vs Downtime
 
Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?
 
Radware ERT Threat Alert: Shellshock Bash
Radware ERT Threat Alert: Shellshock BashRadware ERT Threat Alert: Shellshock Bash
Radware ERT Threat Alert: Shellshock Bash
 
The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre
The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving TheatreThe Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre
The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre
 
Mobile Web Stress: Understanding the Neurological Impact of Poor Performance
Mobile Web Stress: Understanding the Neurological Impact of Poor PerformanceMobile Web Stress: Understanding the Neurological Impact of Poor Performance
Mobile Web Stress: Understanding the Neurological Impact of Poor Performance
 
Emotional Engagement and Brand Perception
Emotional Engagement and Brand PerceptionEmotional Engagement and Brand Perception
Emotional Engagement and Brand Perception
 
InfoSecurity Europe 2014: The Art Of Cyber War
InfoSecurity Europe 2014: The Art Of Cyber WarInfoSecurity Europe 2014: The Art Of Cyber War
InfoSecurity Europe 2014: The Art Of Cyber War
 
OpenStack Networking: Developing and Delivering a Commercial Solution for Lo...
OpenStack Networking: Developing and Delivering a Commercial Solution for Lo...OpenStack Networking: Developing and Delivering a Commercial Solution for Lo...
OpenStack Networking: Developing and Delivering a Commercial Solution for Lo...
 
Radware DefenseFlow-The SDN Application That Programs Networks for DoS Security
Radware DefenseFlow-The SDN Application That Programs Networks for DoS Security Radware DefenseFlow-The SDN Application That Programs Networks for DoS Security
Radware DefenseFlow-The SDN Application That Programs Networks for DoS Security
 
In the Line of Fire-the Morphology of Cyber Attacks
In the Line of Fire-the Morphology of Cyber AttacksIn the Line of Fire-the Morphology of Cyber Attacks
In the Line of Fire-the Morphology of Cyber Attacks
 
SecureWorld: Information Security Adaption: Survival In An Evolving Threat L...
SecureWorld: Information Security Adaption: Survival In An Evolving Threat L...SecureWorld: Information Security Adaption: Survival In An Evolving Threat L...
SecureWorld: Information Security Adaption: Survival In An Evolving Threat L...
 
Providing best response times, tightest security and highest availability for...
Providing best response times, tightest security and highest availability for...Providing best response times, tightest security and highest availability for...
Providing best response times, tightest security and highest availability for...
 
Stock Exchanges in the Line of Fire-Morphology of Cyber Attacks
Stock Exchanges in the Line of Fire-Morphology of Cyber AttacksStock Exchanges in the Line of Fire-Morphology of Cyber Attacks
Stock Exchanges in the Line of Fire-Morphology of Cyber Attacks
 
Attackers Vs. Defenders: Restoring the Equilibrium
Attackers Vs. Defenders: Restoring the EquilibriumAttackers Vs. Defenders: Restoring the Equilibrium
Attackers Vs. Defenders: Restoring the Equilibrium
 
Radware DefensePipe: Cloud-Based Attack Mitigation Solution
Radware DefensePipe: Cloud-Based Attack Mitigation SolutionRadware DefensePipe: Cloud-Based Attack Mitigation Solution
Radware DefensePipe: Cloud-Based Attack Mitigation Solution
 
2012 Global Application and Network Security Report
2012 Global Application and Network Security Report2012 Global Application and Network Security Report
2012 Global Application and Network Security Report
 
2011 Global Application and Network Security Report
2011 Global Application and Network Security Report2011 Global Application and Network Security Report
2011 Global Application and Network Security Report
 

Último

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Último (20)

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

In the Line of Fire-the Morphology of Cyber Attacks

  • 1. In the Line of Fire - The Morphology of Cyber-Attacks David Hobbs Director of Security Solutions Emergency Response Team DavidH@Radware.com April 2013 Radware Confidential Jan 2012
  • 2. AGENDA 2012 Availability-based threats Attacks on the us banks Others 2012 popular attack patterns & trends
  • 3. Radware ERT Survey Slide 3Radware Confidential Jan 2012
  • 4. 2012 Attack Motivation - ERT Survey Slide 4Radware Confidential Jan 2012
  • 5. 2012 Target Trend - ERT Survey Slide 5Radware Confidential Jan 2012
  • 6. Main Bottlenecks During DoS Attacks - ERT Survey Slide 6Radware Confidential Jan 2012
  • 7. Attacks Campaigns Duration Slide 7Radware Confidential Jan 2012
  • 8. Attack Duration Requires IT to Develop New Skills War Room Skills Are Required Slide 8Radware Confidential Jan 2012
  • 9. Attacks Traverses CDNs (Dynamic Object Attacks) Slide 9Radware Confidential Jan 2012
  • 10. AGENDA 2012 Availability-based threats Attacks on the us banks Others 2012 popular attack patterns & trends
  • 11. “Overview” • What triggered the recent US attacks? • Who was involved in implementing the attacks and name of the operation? • How long were the attacks and how many attack vectors were involved? • How the attacks work and their effects. • How can we prepare ourselves in the future? Slide 11Radware Confidential Jan 2012
  • 12. “What triggered the attacks on the US banks?” • Nakoula Basseley Nakoula (Alias- “Sam Bacile”), an Egyption born US resident created an anti Islam film. • Early September the publication of the „Innocence of Muslims‟ film on YouTube invokes demonstrations throughout the Muslim world. • The video was 14 minutes though a full length movie was released. Slide 12Radware Confidential Jan 2012
  • 13. “Protests generated by the movie” Slide 13Radware Confidential Jan 2012
  • 14. The Cyber Response Slide 14Radware Confidential Jan 2012
  • 15. “Who is the group behind the cyber response?” • A hacker group called “Izz as-Din al-Qassam Cyber fighters”. • Izz as-Din al-Qassam was a famous Muslim preacher who was a leader in the fight against the French, US and Zionist in the 1920‟s and 1930‟s. • The group claims not to be affiliated to any government or Anonymous. • This group claims to be independent, and it‟s goal is to defend Islam. Slide 15Radware Confidential Jan 2012
  • 16. “Operation Ababil launched!” • “Operation Ababil” is the codename of the operation launched on Septembetr18th 2012, by the group “Izz as-Din al-Qassam Cyber fighters” • The attackers announced they would attack “American and Zionist targets”. • “Ababil” translates to “swallow” from Persian. Until today the US thinks the Iranian government may be behind the operation. • The operations goal is to have “Youtube” remove the anti-muslim film from it‟s site. Until today the video has not been removed. Slide 16Radware Confidential Jan 2012
  • 17. “The attack campaign in 2 phases” • The attack campaign was split into 2 phases, a pubic announcement was made in each phase. • The attacks lasted 10 days, from the 18th until the 28th of September. • Phase 1 - Targets > NYSE, BOA, JP Morgan. • Phase 2 – Targets > Wells Fargo, US Banks, PNC. Slide 17Radware Confidential Jan 2012 New York Stock Exchange
  • 18. The Attack Vectors and Tactics! Slide 18
  • 19. “Attack Vectors” • 5 Attack vectors were seen by the ERT team during Operation Ababil. 1. UDP garbage flood. 2. TCP SYN flood. 3. Mobile LOIC (Apache killer version). 4. HTTP Request flood. 5. ICMP Reply flood. (*Unconfirmed but reported on). *Note: Data is gathered by Radware as well as it‟s partners. Radware Confidential Jan 2012
  • 20. “UDP Garbage Flood” • Targeted the DNS servers of the organizations, also HTTP. • Up to 1Gbps volume (Possibly higher). • All attacks were identical in content and in size (Packet structure). • UDP packets sent to port 53 and 80. • Customer attacked Sep 18th and on the 19th. Slide 20Radware Confidential Jan 2012
  • 21. “Tactics used in the UDP garbage flood” • Internal DNS servers were targeted , at a high rate. • Web servers were also targeted, at a high rate. • Spoofed IP‟s (But kept to just a few, this is unusual). • ~ 1Gbps. • Lasted more than 7 hours initially but still continues... Packet structure Slide 21 Parameter Value Port 53 Value Port 80 Packet size 1358 Bytes Unknown Value in Garbage ‘A’ (0x41) characters repeated “/http1” (x2fx68x74x74x70x 31) - repetitive Radware Confidential Jan 2012
  • 22. “DNS Garbage flood packet extract” • Some reports of a DNS reflective attack was underway seem to be incorrect. • The packets are considered “Malformed” DNS packets, no relevant DNS header. Slide 22Radware Confidential Jan 2012
  • 23. “Attackers objective of the UDP Garbage flood” • Saturate bandwidth. • Attack will pass through firewall, since port is open. • Saturate session tables/CPU resources on any state -full device, L4 routing rules any router, FW session tables etc.. • Returning ICMP type 3 further saturate upstream bandwidth. • All combined will lead to a DoS situation if bandwidth and infrastructure cannot handle the volume or packet processing. Slide 23Radware Confidential Jan 2012
  • 24. “TCP SYN flood” • Targeted Port 53, 80 and 443. • The rate was around 100Mbps with around 135K PPS. • This lasted from the Sep 18th for more than 3 days. Slide 24Radware Confidential Jan 2012
  • 25. “SYN flood Packet extract” Slide 25 -All sources are spoofed. -Multiple SYN packets to port 443. Radware Confidential Jan 2012
  • 26. “Attackers objective of the TCP SYN floods” • SYN floods are a well known attack vector. • Can be used to distract from more targeted attacks. • The effect of the SYN flood if it slips through can devastate state-full devices quickly. This is done by filling up the session table. • All state-full device has some performance impact under such a flood. • Easy to implement. • Incorrect network architecture will quickly have issues. Slide 26Radware Confidential Jan 2012
  • 27. “Mobile LOIC (Apache killer version)” • Mobile LOIC (Low Orbit Iron Cannon) is a DDoS tool written in HTML and Javascript. • This DDoS Tool does an HTTP GET flood. • The tool is designed to do HTTP floods. • We have no statistics on the exact traffic of mobile LOIC. Slide 27 *Suspected*Suspected Radware Confidential Jan 2012
  • 28. “Mobile LOIC in a web browser” Slide 28Radware Confidential Jan 2012
  • 29. “HTTP Request Flood” • Between 80K and 100K TPS (Transactions Per second) • Port 80 • Followed the same patterns in the GET request (Except for the Input parameter) • Dynamic user agent Slide 29Radware Confidential Jan 2012
  • 30. “HTTP flood packet structure” • Sources worldwide (True sources most likely hidden). • User agent duplicated. • Attack time was short (No confirmed timeline) • Rates are unknown. • Dynamic Input parameters. GET Requests parameters Slide 30Radware Confidential Jan 2012
  • 31. “HTTP flood packet parameters identified” Slide 31 HTTP Request Samples GET /financial-literacy/all-about-investing/etvs?2408b GET /financial-literacy/all-about-investing/bonds?4d094 GET /inside-the-exchange/visiting?aad95 GET / HTTP Request Samples DoCoMo/2.0 SH902i (compatible; Y!J-SRD/1.0; http://help.yahoo.co.jp/help/jp/search/indexing/indexing-27.html) Googlebot/2.1 ( http://www.googlebot.com/bot.html) IE/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322;) Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4b) Gecko/20030505 Mozilla Firebird/0.6 Opera/9.00 (Windows NT 5.1; U; en) User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;) msnbot-Products/1.0 (+http://search.msn.com/msnbot.htm) Radware Confidential Jan 2012
  • 32. “Identified locations of attacking IP‟s” Slide 32 Worldwide! Radware Confidential Jan 2012
  • 33. “Attackers objective of the HTTP flood” • Bypass CDN services by randomizing the input parameter and user agents. • Because of the double user agent there was an flaw in the programming behind the attacking tool. • Saturating and exhausting web server resources by keeping session table and web server connection limits occupied. • The attack takes more resources to implement than non connection orientated attacks like TCP SYN floods and UDP garbage floods. This is because of the need to establish a connection. Slide 33Radware Confidential Jan 2012
  • 34. Unconfirmed Vectors of attack Slide 34
  • 35. “Unconfirmed attacks” • The following 2 attack vectors were reported to us by our customers however we have no data internally to indicate these attacks took place. • The data was either gathered through intelligence the customer had (IRC chat, Forums etc..) or something they suspected and reported to Radware but never provided logs for. • The 2 other vectors suspected are: – ICMP Reply Flood. – Dirt Jumper. Radware Confidential Jan 2012
  • 36. “ICMP Reply flood” • This attack was gathered through Cisco logs at the customers site. • We have no statistics on the attack. Slide 36Radware Confidential Jan 2012
  • 37. “ICMP Reply Flood explained” • ICMP “Requests” (ICMP Type 8) are sent to the target in order to generate multiple ICMP “Reply” (ICMP Type 0) packets. • This can also be from spoofed IP‟s (Sent packets, ICMP Type 8). • This saturates bandwidth on the servers up/down stream as well as CPU processing to process the ICMP packets and respond. • To do a replay flood you just spoof the SRC IP of the ICMP request. Slide 37Radware Confidential Jan 2012
  • 38. “Dirt Jumper” • Dirt Jumper is a BOT currently at version 5. • Dirt jumper is used in various HTTP floods. • POST, GET and download floods are supported by the latest version of Dirt Jumper. • User Agent and Referrer randomization are supported too. Slide 38Radware Confidential Jan 2012
  • 39. “Dirt Jumper C&C” Slide 39Radware Confidential Jan 2012
  • 40. AGENDA 2012 Availability-based threats Attacks on the us banks Others 2012 popular attack patterns & trends
  • 41. Availability-based Threats Tree Slide 41 Availability- based Threats Network Floods (Volumetric) Application Floods Low-and-Slow Single-packet DoS UPD Flood ICMP Flood SYN Flood Web Flood DNS SMTP HTTPS Radware Confidential Jan 2012
  • 42. Asymmetric Attacks Slide 42Radware Confidential Jan 2012
  • 43. HTTP Reflection Attack Slide Website A Website B (Victim) Attacker HTTP GET Radware Confidential Jan 2012
  • 44. Slide iframe, width=1, height=1 search.php HTTP Reflection Attack Example Radware Confidential Jan 2012
  • 45. HTTPS – SSL Re Negotiation Attack Slide 45 THC-SSL DoS THC-SSL DOS was developed by a hacking group called The Hacker‟s Choice (THC), as a proof- of-concept to encourage vendors to patch a serious SSL vulnerability. THC-SSL-DOS, as with other “low and slow” attacks, requires only a small number of packets to cause denial-of-service for a fairly large server. It works by initiating a regular SSL handshake and then immediately requesting for the renegotiation of the encryption key, constantly repeating this server resource-intensive renegotiation request until all server resources have been exhausted. Radware Confidential Jan 2012
  • 46. Low & Slow Slide 46 Availability- based Threats Network Floods (Volumetric) Application Floods Low-and-Slow Single-packet DoS UPD Flood ICMP Flood SYN Flood Web Flood DNS SMTP HTTPS Low-and-Slow Radware Confidential Jan 2012
  • 47. Low & Slow • Slowloris • Sockstress • R.U.D.Y. • Simultaneous Connection Saturation Slide 47Radware Confidential Jan 2012
  • 48. R.U.D.Y (R-U-Dead-Yet) Slide 48 R.U.D.Y. (R-U-Dead-Yet?) R.U.D.Y. (R-U-Dead-Yet?) is a slow-rate HTTP POST (Layer 7) denial-of-service tool created by Raviv Raz and named after the Children of Bodom album “Are You Dead Yet?” It achieves denial-of-service by using long form field submissions. By injecting one byte of information into an application POST field at a time and then waiting, R.U.D.Y. causes application threads to await the end of never-ending posts in order to perform processing (this behavior is necessary in order to allow web servers to support users with slower connections). Since R.U.D.Y. causes the target webserver to hang while waiting for the rest of an HTTP POST request, by initiating simultaneous connections to the server the attacker is ultimately able to exhaust the server‟s connection table and create a denial-of-service condition. Radware Confidential Jan 2012
  • 49. Slowloris Slide 49 Slowloris Slowloris is a denial-of-service (DoS) tool developed by the grey hat hacker “RSnake” that causes DoS by using a very slow HTTP request. By sending HTTP headers to the target site in tiny chunks as slow as possible (waiting to send the next tiny chunk until just before the server would time out the request), the server is forced to continue to wait for the headers to arrive. If enough connections are opened to the server in this fashion, it is quickly unable to handle legitimate requests. Slowloris is cross-platform, except due to Windows’ ~130 simultaneous socket use limit, it is only effective from UNIX-based systems which allow for more connections to be opened in parallel to a target server (although a GUI Python version of Slowloris dubbed PyLoris was able to overcome this limiting factor on Windows). Radware Confidential Jan 2012
  • 50. Radware Security Products Portfolio Slide 50 AppWall Web Application Firewall (WAF) DefensePro Network & Server attack prevention device APSolute Vision Management and security reporting & compliance

Notas del editor

  1. -This pic is from the very beginning of the video, stating “There is an angry mob in the middle of the street”*Notes -  On September 9, 2012, an excerpt of the YouTube video was broadcast on Al-Nas TV, an Egyptian Islamist television station.[11][12]Demonstrations and violent protests against the film broke out on September 11 in Egypt and spread to other Arab and Muslim nations and some western countries.
  2. -Libyan riots top left - http://www.foreignpolicy.com/articles/2012/09/14/why_the_embassy_riots_wont_stop.-Lebonon riots bottom left - http://au.ibtimes.com/articles_slideshows/384606/20120915/lebanon-protesters-destroy-kentucky-fried-chicken-and-hardees-over-innocence-of-muslims-film-photos.htm
  3. Links about Izz as-Din al-Quassam The preacher - http://en.wikipedia.org/wiki/Izz_ad-Din_al-Qassam *Notes - The Levant includes most of modern Lebanon, Syria, Jordan, State of Palestine, Israel, Cyprus, Hatay Province of Turkey, some regions of northwestern Iraq and theSinai Peninsula.Links about the Cyber hacker group - http://www.globalpost.com/dispatches/globalpost-blogs/the-grid/who-are-the-izz-ad-din-al-qassam-cyber-fightershttp://www.ehackingnews.com/2012/12/izz-ad-din-al-qassam-cyber-fighters.htmlPic from - http://www.standupamericaus.org/terror-jihad/cyber-fighters-of-izz-al-din-al-qassam-alert-to-banks-in-usa/
  4. Links for translation of ababil - http://en.wikipedia.org/wiki/Ghods_AbabilThe pic from - http://en.wikipedia.org/wiki/File:Hirundo_abyssinica.jpgClaims of Iranian involvement -http://betabeat.com/2012/09/iran-possibly-behind-operation-ababil-cyber-attacks-against-financial-institutions/http://features.rr.com/article/0coOckreSy1vL?q=Bank+of+America
  5. Data taken from internal doc.
  6. Pic taken from - http://news.yahoo.com/americas-failing-grade-cyber-attack-readiness-153640058--abc-news-topstories.html
  7. -Taken from internal report.
  8. -Taken from internal report.
  9. Reflective attack - Attackers send forged requests of some type to a very large number of computers that will reply to the requests. Using spoofed SRC IP’s of the victim, which means all the replies will go to (and flood) the target.
  10. -Stateful inspection in the DNS area is limited. Was in smartdefense at CP, but how many people use it?-The server is forced to respond with ICMP packets “Destination Unreachable” (ICMP type3 Code 3) for port closed when udp packet arrives.-Returning ICMP type 3 further saturate (Packet size in return will be close to received packet).
  11. -Internal data.
  12. -The SYN flood attack simply sends a high rate of SYN’s with spoofed IP’s and the server is left waiting for the ACK.-This means the attacker needs much fewer hosts to exhaust target machine because no session is actually kept alive on the “Attackers” side.-You exhaust the Backlog of the TCP stack (Linux default is 3mins and Win2k is 45 sec. for half open timeouts, these can be changed). So the server can no longer accept a new connection.-
  13. -Another reported attack technique that was allegedly used during this campaign is a custom version of the Mobile LOIC tool (aka Mobile LOIC - Apache Killer) which is designed to exploit a known vulnerability in Apache servers – corresponding to CVE-2011-3192.-This attack tool targets Apache servers using Apache HTTP server versions 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19.
  14. Target URL- Specifies the URL of the attacked target. Must start with http://. Requests per second-Specifies the number of desired requests to be sent per second. Append message-Specifies the content for the “msg” parameter to be sent within the URL of HTTP requests
  15. Resource internal.
  16. -This value is unique since it seems to contain a typo which is caused by placing the “User Agent:” string inside the user agent value itself.Resource internal.
  17. Resource internal.
  18. Resource internal.
  19. Internal resources.
  20. -Taken from Radware internal resources.
  21. The image above shows how the agent controls the Botnet: The „Today‟ and „Online‟ shows the number of computers under its control, the „URLs‟ specify the URLs to be attacked, the „Flows‟ specify the attack vector and attack intensity, and the „Start‟ and „Stop‟ allows the agent to inflict pain and voluntarily stop it.
  22. Identification: referrer (ask the audience)