6. DDoS Events
• 2014-1-5: DDoS against EA, Blizzard
• 2014-6-20: DDoS against Hong Kong PopVote, an online voting system
7. Hong Kong DDoS Attack
• Before the voting, a small DDoS attack had already occurred
• The attack traffic was the 2nd largest in history
  • About 300 Gbps
• Some big internet companies cooperated to defend against this DDoS attack
  • Amazon
  • Google
  • CloudFlare
8. Hong Kong DDoS Attack
• Amazon's AWS terminated its cloud service to Hong Kong due to the massive network flow
• Google tried to employ Project Shield to handle the DDoS, but finally failed
  • Because the attack flow already affected other Google services
• The voting deadline was extended from 3 days to 10 days
• CloudFlare successfully protected the voting system from the DDoS; the attack stopped immediately after the voting result was announced
• But how?
9. NTP Reflection Attack
• NTP as a new attack vector of DDoS
• Similar to the traditional DNS amplification attack
• Started in 2014
10. Attack Technique
• The CEO of CloudFlare said it was a "Kitchen Sink Attack"
  • DNS Amplification Attack -> 100 Gbps
  • NTP Amplification Attack -> 300 Gbps
  • Botnet
  • SYN Flood -> hundred million connections per second
  • Application layer attack, HTTP/HTTPS flood attack
  • DNS Flood Attack -> 250 million connections per second
• How did CloudFlare handle such massive attack flow?
11. How CloudFlare Defends against the DDoS
• Global Anycast Network
  • Unicast: one machine, one IP
  • Anycast: many machines, one IP
  • Spreads the attack flow across many locations
• Hide the origin IP of the real service
• Separate IPs by protocol
  • NTP requests cannot reach the HTTP server
• Filter the flow early, at the edge of your infrastructure
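The three edge rules on this slide (one protocol per public IP, an origin that is never published, and dropping at the edge anything that does not match) can be modelled as a small packet filter. The following is an added example written for this summary, not CloudFlare's code; the addresses come from the RFC 5737 documentation ranges, the service map and the packet stream are constructed, and the NTP reflection packets are modelled simply as UDP datagrams with source port 123 aimed at the web IP, which is exactly the traffic the slide says "cannot reach the HTTP server":

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


# Constructed addresses (RFC 5737 documentation ranges).
# Each published anycast IP serves exactly one protocol family:
# the "separate IP by protocol" rule from the slide.
PUBLIC_SERVICES = {
    "203.0.113.10": {("tcp", 80), ("tcp", 443)},  # web front end
    "203.0.113.20": {("udp", 53), ("tcp", 53)},   # authoritative DNS
    "203.0.113.30": {("udp", 123)},               # NTP
}
# The real web origin (constructed as 203.0.113.99) is deliberately absent
# from the map, so the edge drops anything addressed to it: "hidden origin IP".


def edge_decision(pkt: Packet, services=PUBLIC_SERVICES) -> str:
    """Decide at the edge, before any server sees the packet."""
    allowed = services.get(pkt.dst)
    if allowed is None:
        return "drop: destination is not a published service"
    if (pkt.proto, pkt.dport) not in allowed:
        return f"drop: {pkt.proto}/{pkt.dport} is not served at {pkt.dst}"
    return "accept"


def filter_stream(packets, services=PUBLIC_SERVICES):
    """Return the packets that pass plus accept/drop counts and drop reasons."""
    stats = Counter()
    reasons = Counter()
    accepted = []
    for pkt in packets:
        verdict = edge_decision(pkt, services)
        if verdict == "accept":
            stats["accept"] += 1
            accepted.append(pkt)
        else:
            stats["drop"] += 1
            reasons[verdict] += 1
    return accepted, stats, reasons


# Constructed traffic sample: two legitimate packets and four that the edge should drop.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "203.0.113.10", "tcp", 51000, 443),   # real HTTPS client
    Packet("198.51.100.8", "203.0.113.20", "udp", 40000, 53),    # real DNS query
    Packet("192.0.2.50", "203.0.113.10", "udp", 123, 33001),     # NTP reflection at web IP
    Packet("192.0.2.51", "203.0.113.10", "udp", 123, 33002),     # NTP reflection at web IP
    Packet("192.0.2.52", "203.0.113.30", "tcp", 52000, 80),      # HTTP aimed at the NTP IP
    Packet("192.0.2.53", "203.0.113.99", "tcp", 52001, 80),      # direct hit on the origin
]

if __name__ == "__main__":
    accepted, stats, reasons = filter_stream(SAMPLE_PACKETS)
    print(dict(stats))
    for reason, count in reasons.items():
        print(f"{count:>3}  {reason}")
```

Because the decision depends only on destination IP, protocol and port, it can be evaluated statelessly at every anycast site, which is what lets the edge absorb reflected traffic without it ever touching the HTTP servers.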
12. Some Interesting Topics
• Testing whether certain protocols (applications) may suffer from DoS attack
  • Services that allocate more resources on the server than on the client
  • Services that do not check the identity/origin of the request, especially over UDP
  • Services that respond with more data than the request
• How can we defend against DDoS?
  • Can SDN help?
• Does DNSSEC also suffer from DoS attack?
  • DNSSEC responds with more data than DNS
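The three conditions on this slide can be turned into a checklist that scores a protocol from one observed request/response exchange. The code below is an added example for this summary, not from the talk: the probe sizes and cost weights are constructed sample values (the NTP "monlist" and DNS/DNSSEC "ANY" entries are labelled by their well-known amplification behaviour but the byte counts are illustrative), and the bandwidth amplification factor is simply response bytes divided by request bytes.

```python
from dataclasses import dataclass, field


@dataclass
class ProtocolProbe:
    """One request/response exchange against a service, plus the relative
    work each side does.  All values are constructed sample inputs."""
    name: str
    transport: str               # "udp" or "tcp"
    request_bytes: int           # bytes the client must send
    response_bytes: int          # bytes the server sends back
    server_cost: int = 1         # relative server work per request
    client_cost: int = 1         # relative client work per request
    checks_origin: bool = False  # server verifies the requester before answering?


@dataclass
class Assessment:
    name: str
    amplification: float         # response_bytes / request_bytes
    flags: list = field(default_factory=list)

    @property
    def risky(self) -> bool:
        # Any two of the slide's three conditions together make a usable DoS vector.
        return len(self.flags) >= 2


def assess(probe: ProtocolProbe, amp_threshold: float = 2.0) -> Assessment:
    """Apply the slide's three tests to one probe."""
    amp = probe.response_bytes / probe.request_bytes
    result = Assessment(probe.name, round(amp, 1))
    if probe.server_cost > probe.client_cost:
        result.flags.append("server allocates more than the client")
    # A completed TCP handshake proves the client owns its source address;
    # a bare UDP datagram does not, so the answer can be aimed at anyone.
    if probe.transport == "udp" and not probe.checks_origin:
        result.flags.append("no origin check (source spoofable)")
    if amp >= amp_threshold:
        result.flags.append(f"response {amp:.1f}x larger than request")
    return result


# Constructed probes: illustrative sizes, not measurements from the talk.
SAMPLE_PROBES = [
    ProtocolProbe("ntp-monlist", "udp", 234, 48_000, server_cost=3),
    ProtocolProbe("ntp-monlist-disabled", "udp", 48, 48),
    ProtocolProbe("dns-any", "udp", 64, 3_000),
    ProtocolProbe("dnssec-any", "udp", 64, 4_000),
    ProtocolProbe("http-get", "tcp", 200, 5_000, checks_origin=True),
]


def assess_all(probes=SAMPLE_PROBES) -> dict:
    """Map probe name -> Assessment for every probe."""
    return {p.name: assess(p) for p in probes}


if __name__ == "__main__":
    for a in assess_all().values():
        mark = "RISKY" if a.risky else "ok   "
        print(f"{mark} {a.name:<22} x{a.amplification:<7} {'; '.join(a.flags)}")
```

The DNSSEC entry is scored risky for the same reason the slide gives: it keeps UDP's lack of an origin check while returning even more data than plain DNS. The HTTP probe has a large response too, but the TCP handshake removes the spoofing condition, so a single large response alone does not make it a reflection vector.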
14. IoT Security
• What is IoT?
  • Every device that is not a PC is a "thing"
• Currently, attacks on IoT are starting from routers
  • Widely deployed, less protection
15. Router Backdoor
• First router backdoor discovered in 2013
  • D-Link routers can be remotely accessed by a magic string "xmlset_roodkcableoj28840ybtide"
  • Reversed, the string reads "edit by 04882 joel backdoor"
• TP-Link IP cameras have several vulnerabilities which allow remote access
• Netgear, Linksys and Cisco routers all contain backdoors
16. PoS RAM Scraper Malware
• PoS (point-of-sale system)
• Steals users' credit card information
• On December 19, 2013, Target announced a data breach affecting 40 million in-store customers whose credit and debit card information was stolen
17. Botnet in IoT
• Bad guys are launching denial-of-service attacks from Windows and Linux boxes and, in a sign of desperation, even fridges, freezers and Raspberry Pis
  • 215 gigabits per second and 150 million packets per second
18. Ransomware in IoT
• Ransomware is a type of malware which restricts access to the computer system that it infects
• It demands a ransom paid to the creator of the malware in order for the restriction to be removed
• SynoLocker is one famous ransomware
19. Hacking into Internet Connected Light Bulbs
• The LIFX light bulb is a "WiFi enabled multi-color, energy efficient LED light bulb" that can be controlled from a smartphone
• The bulbs are connected in the form of a mesh network
  • Only one bulb connects to the WiFi network
  • This "master" bulb receives commands from the smartphone and broadcasts them to all other bulbs over an 802.15.4 6LoWPAN wireless mesh network
20. Hacking into Internet Connected Light Bulbs
• How attackers hacked the bulbs
  • Protocol analysis
  • Obtaining the firmware
  • Reversing the firmware (to find the key)
  • Re-implementing the communication protocols
• As a result, an attacker can control the bulbs within range of the 6LoWPAN wireless network
21. First IoT Security Conference
• Successfully hacked:
  • Smart phone
  • Door lock
  • Smart band
  • Smart plug
22. Research Issues of IoT
• Explosion of Android/Linux malware
• Security must be considered when designing APIs/protocols
• Backdoor analysis and software vulnerability will be important topics for IoT
  • Firmware analysis
  • Different instruction sets (ARM/MIPS)
24. PLEAD Attack Targets TW Government
• Trend Micro discovered the attack on TW
• Named PLEAD
• Uses phishing email as the first step of the attack
25. RTLO Obfuscation
• The malicious file is zipped with 7z
• RTLO is "Right-to-Left Override"
  • xxx.[RTLO]fdp.scr -> displayed as xxx.rcs.pdf
• After the executable triggers, a fake PPT file is dropped and displayed
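A mail gateway or file-scanning script can catch the trick on this slide by comparing the extension a user would see with the extension the operating system actually uses. The following is an added example for this summary, not part of the talk or of any product: `rendered()` approximates how a file manager draws a name containing U+202E (every character after the override is shown reversed until a U+202C pop or the end of the string), and `inspect()` flags any name whose displayed extension differs from its real one. The sample names are constructed; the first one is the slide's own `xxx.[RTLO]fdp.scr` pattern.

```python
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING, ends an override
# Unicode bidi control characters that never belong in a file name.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069", "\u200e", "\u200f"}


def rendered(name: str) -> str:
    """Approximate the on-screen rendering: text after an RLO is drawn
    reversed until the next PDF (or the end of the name)."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            segment = name[i + 1:] if end == -1 else name[i + 1:end]
            out.append(segment[::-1])
            i = len(name) if end == -1 else end + 1
        elif ch in BIDI_CONTROLS:
            i += 1  # other controls are invisible; their effect is ignored here
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def extension(name: str) -> str:
    """Extension as text after the last dot, lower-cased; '' if none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def inspect(name: str) -> dict:
    """Compare what the user sees with what the OS will execute.
    The raw name keeps the control characters, so its last-dot extension
    ('scr' in the slide's example) is the one the OS uses to pick a handler."""
    shown = rendered(name)
    return {
        "has_bidi_control": any(ch in BIDI_CONTROLS for ch in name),
        "displayed": shown,
        "displayed_ext": extension(shown),
        "actual_ext": extension(name),
        "spoofed": extension(shown) != extension(name),
    }


def scan(names) -> list:
    """Return the names that carry a bidi control or a spoofed extension."""
    return [n for n in names
            if inspect(n)["has_bidi_control"] or inspect(n)["spoofed"]]


# Constructed sample attachment names.
SAMPLE_NAMES = [
    "xxx." + RLO + "fdp.scr",          # the slide's pattern: shown as xxx.rcs.pdf
    "Agenda" + RLO + "tpp.exe",        # shown as Agendaexe.ppt
    "report.pdf",                      # benign
    "notes" + "\u200f" + ".txt",       # benign extension, but a stray bidi mark
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        info = inspect(n)
        flag = "FLAG" if info["spoofed"] or info["has_bidi_control"] else "ok  "
        print(f"{flag} shown={info['displayed']!r:<24} "
              f"displayed_ext={info['displayed_ext']:<4} actual_ext={info['actual_ext']}")
```

Rejecting any attachment name that contains a bidi control character is the simpler and stricter policy; the displayed-versus-actual comparison is useful when you also want to explain to the recipient what the name would have looked like.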
26. APT with Social Network
• An APT targeting Tibetan organizations
• Uses Twitter to send malicious links to victims
• The link contains an exploit for Adobe Flash SWF
  • CVE-2013-0634
27. Use Legal Website for C&C
• Uses a legitimate website as the C&C channel
  • http://blog.sina.com[.]cn/rss/2050950612.xml
28. Other Example Using Social Network
• Decode the content of a blog post to retrieve updated malware
29. Regin Malware
• Designed by NSA and GCHQ (UK Government Communications Headquarters)
• The attack procedure is divided into several stages
  • To ensure every situation is suitable for attack
• Highly modular
• Clears the traces of the previous stage
30. Invisible Malicious File
• Most malicious files do not land on disk as ordinary files
  • NTFS Extended Attributes
  • Hidden in the Registry (the configuration database of Windows)
  • Stored in the un-partitioned part of the hard disk
  • Customized file system (VFSes)
32. Sony Hack
• Sony Pictures was hacked on 11/24
• The information infrastructure crashed
• 15,232 users' private information was leaked (SSNs)
• Much internal private data leaked
• The hackers called themselves the "Guardians of Peace" or "GOP"
• Demanded the cancellation of the planned release of the film The Interview
33. Kill Antivirus First
• One of the backdoors, BKDR64_WIPALL.F, is used to kill McAfee
  • Uses KProcessHacker to wipe out the antivirus process in memory
35. KHNP (Korea Hydro and Nuclear Power) Hacked
• KHNP is responsible for maintaining 23 nuclear power plants in Korea
• Technical documents on nuclear power and staff personal information were leaked
• The attacker asked the Korean government to close 3 nuclear power plants
• Malicious e-mails were sent to KHNP staff
  • 3000+ users
  • 5000+ emails
• The malware was triggered on 12/10
• The hacker exposed the information on Facebook and Twitter
36. Customized 0-day Attack
• Uses the special file format used in Korea (HWP)
  • Just like .doc or .r
37. Use Online Free Service
• To avoid being traced, free online services are used
38. Destructive Activity
• The attacker wipes out all the disks
  • To avoid investigation
  • To make data unavailable
• Rewrites the MBR
39. Research Issues of APT
• Most APTs may not leave the malware on the hard disk
• Some backdoors mix in the code of legitimate applications
  • Similarity-based detection may not be efficient
• Current IDS/IPS is not sufficient to address the problem of social networks
• How to trace the original compromise point