White Paper


Botnets at the Gate:
Stopping Botnets and Distributed Denial of Service Attacks

Over the past several years, botnets like BlackEnergy, Illusion, Pushdo, and Zeus have dominated news headlines. They have infiltrated millions of users’ computers and wreaked incalculable damage – unleashing powerful Denial of Service attacks, exposing national security secrets, and compromising individual victims’ credit card numbers and bank account credentials. Virtually all online users have been affected by botnets, either as hapless recipients of spam email or as frustrated users attempting to visit an unavailable Website. However, millions of users have suffered a much worse fate, recruited unknowingly into a botnet army. The numbers are staggering. The Bredolab botnet alone had infected over 30 million computers and sent an estimated 3.6 billion virus-laden emails every day in late 2009.[1] As of early December 2010, over 5,400 botnet command and control servers were identified and active.[2]

This paper attempts to lift the veil on botnets and the cyber-criminals behind them. It analyzes the history, growth, and economics behind botnets. It then investigates one of the most common attacks executed by botnets: the Distributed Denial of Service (DDoS) attack.

To help combat automated attacks, this paper proposes a number of security measures that include processes, technologies, and services. While organizations must heed the growing specter of botnets, there are a number of tools at their disposal that can mitigate botnet security threats.




[1] “Dutch National Crime Squad announces takedown of dangerous botnet,” October 25, 2010, Openbaar Ministerie
[2] Shadowserver Foundation




Introduction

Millions of computers around the world are controlled by cybercriminals. These computers have been infected with software robots, or “bots”, that automatically connect to command and control servers. The command and control servers then instruct the bots to carry out illicit activity, such as performing denial of service attacks or harvesting application content. Building these networks of bots, or botnets, has become a lucrative business for botnet operators, who rent out their bots to the highest bidder. But before examining the botnet business model, we will investigate how they are formed.
Botnet Propagation

Botnet operators, also known as “bot farmers,” use a variety of different methods to build their networks of bots. Common methods include email viruses, Internet worms, drive-by downloads of malware, Trojans distributed on portable storage devices, and more. As a case in point, a sweeping report about the Koobface botnet[3] reveals how its architects infected more than 2.9 million computers. The Koobface operators used social networking tactics on the world’s leading social network platforms – Facebook, Twitter, and MySpace – to spread the botnet malware.[4]

Koobface primarily targeted Facebook. Its main means of propagation was through fraudulent Facebook messages that enticed recipients to watch a video, such as an embarrassing video captured by a hidden camera. Once users clicked on an embedded link in the message, they would be taken to a compromised site hosting the malware. Then, when users tried to view the video, they would be instructed to update their Adobe Flash Player or download a new codec.




Figure 1: A Christmas variant of a Koobface malware-hosted Web page[5]



[3] “Koobface: Inside a Crimeware Network,” November 2010, Information Warfare Monitor
[4] Affected sites also included Bebo, Friendster, Fubar, Hi5, LiveJournal, Netlog, Tagged, and Yearbook
[5] “Koobface botnet enters the Xmas season,” Zero Day blog




Imperva White Paper




If users agreed to install the fake update, they would unwittingly download the Koobface malware. Then, when these users logged into their Facebook accounts, the Koobface malware would send malicious messages to a new host of victims.

In contrast, Bredolab, the largest known botnet to date, relied on email messages with malware attachments to compromise computers. When these attachments were opened by users, the malware would infect the users’ computers, turning them into zombies. While email was the main form of distribution, Bredolab’s operators also used drive-by downloads, downloading malware to users’ computers without the users’ knowledge. The techniques used to propagate Koobface and Bredolab are typical of the entire botnet industry: viruses, worms, and Trojans spread through application and system vulnerabilities or social engineering tactics.
Botnet Communications

After computers have been compromised with a botnet agent, the agents will automatically connect to botnet command and control servers. Bots have traditionally communicated with these servers using Internet Relay Chat (IRC), a real-time chat and instant messaging protocol. While botnets are synonymous with IRC, botnet operators are increasingly turning to Web-based communications because they are easier to set up and harder to detect. Web-based botnet kits often include user-friendly Web user interfaces, simplifying management. Today, botnet operators are even turning social networking sites into command and control channels, disseminating attack instructions through Twitter or Facebook accounts. In fact, recent research indicates that Web-based botnets now outnumber traditional IRC botnets by a factor of five.[6] While IRC botnets are by no means dead, this shift illustrates the rapid evolution of botnet architectures as botnet operators attempt to stay ahead of authorities and ahead of one another.
Botnet Development

Botnet development also has evolved; instead of lone hackers laboring to develop botnet command and control servers, botnet operators increasingly rely on off-the-shelf botnet toolkits. Criminals with little to no programming experience can obtain kits such as BlackEnergy or Butterfly for as little as $700, make a few minor modifications, and then distribute their bot agents through online forums and BitTorrent. Many of these botnet toolkits today even include graphical user interfaces, dashboards, and report statistics.




Figure 2: A command and control interface for the Zeus botnet


[6] “The Death of the IRC Botnet,” eSecurity Planet, November 18, 2010








The Imperva Application Defense Center (ADC) discovered an off-the-shelf hacking toolkit that exemplifies today’s crimeware trends.[7] While it was a phishing toolkit, it shares many similarities with current botnet toolkits. The toolkit offers a simple GUI dashboard and provides “cloud storage” for stolen credentials – completely automating all aspects of the criminal campaign. The credentials are ostensibly stored in a location that can only be accessed by the individual toolkit user. However, unbeknownst to toolkit users, the toolkit creator created a backdoor that provided full access to all of the stolen credentials. The toolkit has purportedly been downloaded over 200,000 times, providing the creator with countless user names and passwords. This toolkit illustrates today’s trends to automate cybercrime. And although this toolkit was distributed for free, it shows the profits that hackers can reap by developing off-the-shelf hacking tools.

Botnet toolkits help build the botnet infrastructure – the botnet command and control servers. In addition, botnet development also includes the malware that infects computers and transforms them into zombies. And like botnet toolkits, a slew of malware toolkits have emerged to service the needs of botnet operators.

To increase infection rates, malware developers must check that their malware won’t be detected by computer anti-virus software. Many malware scanning portals have sprung up to simplify this process. Malware scanning portals allow malware developers to test their malware against anti-virus software. For example, one commercial malware QA service, Virtest.com, allows malware developers to test their malware against 26 anti-virus engines. Sites like Virtest.com exemplify the “Industrialization of Hacking” that has transformed hacking into an efficient, scalable, and profitable enterprise.




Figure 3: Malware scanning portal Virtest.com




[7] For more information, see “An Inside Look at Hacker Business Models,” Noa Bar-Yosef, Security Week, October 19, 2010.








The Economics of Botnets

Botnet ownership can be even more lucrative than botnet development. Botnets are a key component of the overall hacking “industry,” an industry estimated to garner $1 trillion per year.[8] Botnet operators have multiple ways to capitalize on their botnet armies; perpetrating pay-per-click fraud and renting out botnets for distributed attacks are just two examples. The Koobface botnet owners netted over $2 million in less than twelve months using pay-per-click and pay-per-install schemes.[9]

For operators renting out their botnets, the primary value of a botnet is its size. However, other factors can impact the money-making capabilities of a botnet, including the type of attack to be carried out, the target, and its geographic location. According to Imperva research, renting a botnet to spam one million emails ranges in cost from $150 to $200. A 24-hour DDoS attack can range from $50 to several thousand dollars for larger attacks. With so much money to be made, it is not surprising that botnets are increasing in size, number, and sophistication every year.
Botnets as Weapons

So far, this paper has profiled the spread, communications, development, and financial business model of botnets. However, the major concern for most organizations is the damage that can be wrought by botnets. Botnets can be used as instruments to carry out any number of malicious activities: sending spam email, logging keystrokes to capture online user credentials, scanning computer files for sensitive data, pay-per-click fraud, and distributed password cracking are just a few examples.

One of the most dangerous botnet threats is the DDoS attack. Harnessing the aggregate power of thousands or tens of thousands of bots, DDoS attacks can inflict tremendous damage on Websites, slowing down or even completely disabling them. And DDoS attacks are not isolated, but a regular issue for many organizations. According to a recent survey of IT decision makers, 74% reported suffering one or more DDoS attacks in the past 12 months. Of these, 31% said that the attacks disrupted service.[10] Whether the motivation is political, financial or just random, DDoS attacks can be extraordinarily costly for the targeted organizations.

The Imperva ADC has tracked numerous application DDoS attacks conducted through botnets. They have also investigated underground forums and hacker sites to uncover new DDoS attack methods. Based on this research, this paper will examine application DDoS attacks and recommend mitigation techniques.




[8] “Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet,” Joseph Menn, 2010
[9] “Koobface: Inside a Crimeware Network,” November 2010, Information Warfare Monitor
[10] “The Trends and Changing Landscape of DDoS Threats and Protection,” Forrester








Application DDoS

A Distributed Denial of Service (DDoS) attack is an attack initiated from multiple machines that is designed to disrupt normal operations. Traditional Denial of Service (DoS) attacks attempt to exploit server or application weaknesses to cause the target to stop responding. DDoS attacks amplify the effects of DoS attacks by using thousands of machines to launch their assaults. These new attacks do not necessarily exploit vulnerabilities; they may simply unleash a flood of requests, overwhelming the bandwidth and server processing power of the targeted site.
The End Game for DDoS

DDoS attacks have targeted a diverse range of organizations, from government institutions and banks, to social networking companies and even root name server operators. The motivations for DDoS attacks vary: financial, political, religious, entertainment, or even personal notoriety. Many organized cyber criminals use DDoS to extort money from online sites. Authorities convicted a Russian gang of blackmailing over 50 organizations, extracting over $4 million from British companies, typically online gambling sites.[11] In 2008, a wave of DDoS attacks brought down 10 online gambling sites, also purportedly targets of extortion schemes.

Hacktivism is another key motivation for DDoS attacks. Whether driven by national patriotism or the desire to squelch the opinions of an ideological foe, DDoS is the weapon of choice. Examples of hacktivism in action include DDoS attacks targeting Georgian Websites before the Ossetia War in 2008 and the Iranian government’s Website during the 2009 Iranian election protests. Government Websites representing the US, Korea, Myanmar, Estonia, and many others have been targeted. In fact, a persistent DDoS attack on Burmese Websites during Burma’s 2010 national elections actually caused the entire country’s Internet connectivity to go down. More recently, WikiLeaks has found itself in the center of a DDoS hacktivism war. Hacktivists attacked the MasterCard, Visa and PayPal Websites in retaliation after these companies stopped processing donations to WikiLeaks.
DDoS Botnets-for-Hire

While the WikiLeaks-inspired “Operation Payback” attack used a combination of voluntary hackers and bots, almost all DDoS attacks are executed by criminal botnet services. DDoS rental fees typically start at $50 for small attacks, but some researchers have seen DDoS prices as low as $9. To attract customers, botnet owners advertise their services, continually seeking to outclass their botnet brethren. Owners promote their services in underground forums and mailing lists. In the case of the powerful IMDDOS botnet, the owners actually set up a public Website to showcase their offering.[12] On a message board, one botnet operator touted that his botnet offered “the best combination of quality and service” and special pricing for regular customers. Options included HTTP attacks, downloading flood, POST flood, and ping commands “tuned to perfection.”[13] Like slick advertising executives, botnet operators and even bot malware creators promote their offerings with carefully fine-tuned messaging.
DDoS 2.0

DDoS attacks traditionally are carried out by computer-based bots. The Imperva ADC uncovered a new breed of DDoS attacks in May 2010 that uses Web servers as payload-carrying bots. Imperva discovered a 300-server strong botnet that set a new standard for power, efficiency and stealth. Using a basic software program equipped with a dashboard and control panel, hackers could configure the IP, port, and duration of the attack. Hackers simply need to type the Website URL they wish to attack and then they can instantly disable targeted sites.




[11] “Online Russian blackmail gang jailed for extorting $4m from gambling websites,” http://www.sophos.com/pressoffice/news/articles/2006/10/extort-ddos-blackmail.html
[12] “Damballa Discovers New Wide-Spread Global Botnet Offering Commercial DDoS Services,” Damballa, September 2010
[13] “BlackEnergy competitor – The ‘Darkness’ DDoS Bot,” Shadowserver calendar entry for December 5, 2010






Figure 4: The user interface for managing DDoS attacks from Web servers.

A single Web server could unleash the same damage as fifty or more PCs. With such powerful attack weapons at their command, it is not surprising that DDoS rental services keep increasing the strength of their attacks. The largest observed DDoS attack reached an all-time high of 49 Gbps in 2009.[14]
Advanced Application DDoS Attacks

Many organizations witnessed an increase in application-based attacks in 2009 compared to previous years. While application-based attacks still only account for 26% of all DDoS attacks,[14] they are more sophisticated and much more challenging to stop. There are several reasons why application-based attacks are the most dangerous type of DDoS. Network firewalls today can detect the majority of flood and network DoS attacks. Many ICMP and UDP flood attacks can also be identified using intelligent packet filtering and source and destination access control lists. However, application DDoS attacks usually bypass most traditional network security devices.

Application DDoS attacks exploit vulnerabilities in application servers or application business logic. For example, application DDoS attacks may simply flood a Web application server with seemingly legitimate requests designed to overwhelm Web application servers. An attacker may also attempt to exploit an application vulnerability, such as sending Web requests with extremely long URLs. More sophisticated attacks exploit business logic flaws. For example, if an application’s Website search mechanism is poorly written, it could require excessive processing by a back end database server. An application DDoS attack could exploit this vulnerability by performing thousands of search requests using wildcard search terms to overwhelm the back end application database.

“Slowloris” emerged as a perilous application DDoS attack in 2009. This attack disrupts application service by exhausting Web server connections. In the Slowloris attack, the attacker sends an incomplete HTTP header and then periodically sends header lines to keep the connection alive, but never sends the full header. Without requiring much bandwidth, an attacker can open numerous connections and overwhelm the targeted Web server. While multiple patches have been created for Apache to mitigate this vulnerability, it nonetheless demonstrates the power of more sophisticated DDoS attacks.
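The following added example (not from the white paper or from Apache) models the server-side header-read deadline that Apache's mod_reqtimeout enforces against this attack, as its documented setting RequestReadTimeout header=20-40,MinRate=500 describes it: request headers must complete within 20 seconds, each byte received earns a further 1/500 of a second, and the phase never exceeds 40 seconds. The two traffic samples are constructed, and the accounting is a simplification of the module's behaviour.

```python
"""Header-read deadline for one server connection, the defence a Web server
applies against slow-header attacks such as Slowloris.

Added example; it is not part of the white paper and not Apache code. It is
modelled on the policy that mod_reqtimeout's
`RequestReadTimeout header=20-40,MinRate=500` setting documents (the exact
accounting below is an assumption): headers must finish within 20 seconds,
every byte received extends the deadline by 1/500 s, and the deadline never
passes 40 seconds after the connection opened.
"""
from dataclasses import dataclass, field


@dataclass
class HeaderReadPolicy:
    initial_timeout: float = 20.0   # seconds granted when the connection opens
    max_timeout: float = 40.0       # hard cap on the whole header phase
    min_rate: int = 500             # bytes per second a client must sustain to earn time


@dataclass
class Connection:
    opened_at: float
    policy: HeaderReadPolicy = field(default_factory=HeaderReadPolicy)
    buf: bytes = b""
    deadline: float = field(init=False)
    closed_reason: str = ""

    def __post_init__(self):
        self.deadline = self.opened_at + self.policy.initial_timeout

    def headers_complete(self):
        # A complete header block ends with an empty line.
        return b"\r\n\r\n" in self.buf

    def on_data(self, now, chunk):
        """Feed bytes that arrived at time `now`; returns True while the connection stays open."""
        if not self.check(now):
            return False
        self.buf += chunk
        # Each byte buys 1/min_rate seconds, but never beyond the absolute cap.
        earned = len(chunk) / self.policy.min_rate
        self.deadline = min(self.deadline + earned, self.opened_at + self.policy.max_timeout)
        return True

    def check(self, now):
        """Run by a periodic reaper: close the connection if its headers are overdue."""
        if self.closed_reason:
            return False
        if not self.headers_complete() and now > self.deadline:
            self.closed_reason = "header read timeout"
            return False
        return True


def slow_header_client(connection, period, count):
    """Constructed traffic mimicking a slow-header client: one bogus header line
    every `period` seconds and never the terminating empty line. Returns how
    many lines the server accepted before closing the connection."""
    accepted = 0
    for i in range(count):
        if not connection.on_data(connection.opened_at + i * period, b"X-a: b\r\n"):
            break
        accepted += 1
    return accepted


def normal_client(connection):
    """Constructed traffic from a browser: the whole header block in one read."""
    request = b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
    return connection.on_data(connection.opened_at + 0.05, request)


if __name__ == "__main__":
    c = Connection(opened_at=0.0)
    print("normal client still open after 60 s:", normal_client(c) and c.check(60.0))
    s = Connection(opened_at=0.0)
    n = slow_header_client(s, period=10.0, count=100)
    print("slow client lines accepted:", n, "->", s.closed_reason)
```

With the defaults, a client drip-feeding one 8-byte header line every 10 seconds gets three lines through before the reaper closes it, while a normal request that completes its headers in one read stays open regardless of later idle time.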




[14] “Worldwide Infrastructure Security Report,” Arbor Networks, Volume V.







Application DDoS Mitigation Techniques

There are a number of measures that organizations can undertake to mitigate the risks of a DDoS attack. Organizations with mission-critical Web applications can:

» Over-provision bandwidth to absorb DDoS bandwidth peaks – Although this is one of the most common measures to alleviate DDoS attacks, it is also probably the most expensive. Allocating extra bandwidth can be an effective way to manage small-scale DDoS attacks, but it won’t solve advanced application attacks that target application vulnerabilities and flaws.

» Implement black hole routing – When an attack occurs, the victim can work in conjunction with its ISP(s) to re-route DDoS traffic. There are two types of black hole routing: source-based and destination-based. With source-based black hole routing, a null route is created to discard traffic from known malicious sources. This is effective if the DDoS attack is coming from a limited number of users. With destination-based black hole routing, the attack target is null routed, basically taking the Website offline. Obviously, this is a solution for ISPs and not for DDoS victims.

» Secure application and server management – If organizations’ development teams follow secure application coding best practices, they can prevent many buffer overflow attacks. In addition, system administrators should harden systems, apply the latest patches, and configure the Web server to close idle connections.

» Apply application-level controls – Because application DDoS attacks mimic regular Web application traffic, they can be difficult to detect through typical network DDoS techniques. However, using a combination of application-level controls and anomaly detection, organizations can identify and stop malicious traffic. Measures include:

  • Detecting an excessive number of requests from a single source or user session – Automated attack sources almost always request Web pages more rapidly than standard users.

  • Recognizing known attack sources, such as malicious IP addresses, anonymous proxies and Tor networks – Known attack sources account for a large percentage of all DDoS attacks. Because malicious sources constantly change, organizations should have an up-to-date list of active attack sources.

  • Identifying known bot agents – DDoS attacks are almost always performed by an automated client. Many of these client or bot agents have unique characteristics that differentiate them from regular Web browser agents. Tools that recognize bot agents can immediately stop many types of DDoS sources.

  • Implementing CAPTCHAs to block automated clients – CAPTCHAs can hinder automated DDoS attacks. However, bots are increasingly finding ways to circumvent CAPTCHAs. Up to 60 percent of bots can crash through CAPTCHAs, according to recent security research.[15] Nevertheless, CAPTCHAs are still an effective defense against application DDoS attacks.

  • Distinguishing attributes, and aftermath, of a malicious request – Some DDoS attacks can be detected through known attack patterns or signatures. In addition, many malicious Web requests do not conform to HTTP protocol standards. For instance, the Slowloris DDoS attack included redundant HTTP headers. In addition, DDoS clients may request Web pages that do not exist. Attacks may also generate Web server errors or slow Web server response time.

The aforementioned techniques are just a few of the measures that organizations can undertake to combat DDoS attacks. They should be combined with processes, such as developing an internal rapid response team that can quickly and adeptly analyze and address DDoS attacks. If organizations undertake effective security measures, they will be well equipped to fight application DDoS attacks.
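As an added example (not from the white paper), the following Python script applies four of the application-level controls listed above to Web server access log lines: an excessive request rate from one source, requests from a known attack source, a known automated client agent, and a high share of requests for pages that do not exist or that produce server errors. The log lines, the source blocklist and the agent markers are constructed for the example, and the thresholds are illustrative.

```python
"""Application-level DDoS indicators computed from Web server access logs.

Added example, not from the white paper. It checks Combined Log Format lines
for four of the controls listed above: an excessive request rate from a single
source, requests from a known attack source, a known automated client agent,
and a high share of 404 or 5xx responses. The log lines, the blocklist and the
agent markers are constructed here.
"""
import re
from collections import defaultdict
from datetime import datetime

# ip - - [timestamp] "METHOD path PROTOCOL" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed lists; a real deployment feeds these from threat intelligence
# and bot signature sources that are refreshed continuously.
KNOWN_BAD_SOURCES = {"198.51.100.7"}
BOT_AGENT_MARKERS = ("python-requests", "curl/", "libwww-perl", "Wget/")


def parse_line(line):
    """Return a dict for one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def looks_automated(agent):
    # An empty user agent ("-") or a known scripting client is treated as a bot.
    return agent == "-" or any(marker in agent for marker in BOT_AGENT_MARKERS)


def max_requests_in_window(timestamps, window_seconds):
    """Largest number of requests that fall inside any window of the given length."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines, window_seconds=10, rate_threshold=20, error_share=0.5, min_requests=5):
    """Map each source IP that trips at least one indicator to its list of reasons."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        reasons = []
        peak = max_requests_in_window([r["ts"] for r in recs], window_seconds)
        if peak >= rate_threshold:
            reasons.append(f"rate: {peak} requests within {window_seconds}s")
        if ip in KNOWN_BAD_SOURCES:
            reasons.append("known attack source")
        agents = sorted({r["agent"] for r in recs if looks_automated(r["agent"])})
        if agents:
            reasons.append("bot agent: " + ", ".join(agents))
        errors = sum(1 for r in recs if r["status"] == 404 or r["status"] >= 500)
        if len(recs) >= min_requests and errors / len(recs) >= error_share:
            reasons.append(f"error share: {errors}/{len(recs)} requests were 404 or 5xx")
        if reasons:
            findings[ip] = reasons
    return findings


def _line(ip, second, path, status, agent):
    return (f'{ip} - - [05/Dec/2010:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{agent}"')


# Constructed log: a browsing user, a scripted client flooding the search page
# with a wildcard term, and a scanner requesting pages that do not exist.
SAMPLE_LOG = (
    [_line("203.0.113.5", s, "/index.html", 200, "Mozilla/5.0 (Windows NT 6.1)") for s in (0, 12, 25, 41, 58)]
    + [_line("198.51.100.7", i // 3, "/search?q=%25", 200, "python-requests/2.4") for i in range(30)]
    + [_line("192.0.2.9", s, f"/admin{s}.php", 404, "Mozilla/5.0 (X11; Linux x86_64)") for s in range(8)]
)

if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Only the scripted client and the scanner are reported; the browsing user at 203.0.113.5 never exceeds the rate, agent or error-share thresholds.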

[15] “Botnets Target Websites with ‘Posers’,” Dark Reading, June 1, 2010.







A Practical Approach to Mitigate Botnet and DDoS Threats

Botnets have become enemy number one for most IT security departments. They are responsible for virtually every large-scale, distributed attack today, including spam email, phishing attacks, and screen scraping. Botnets also carry out automated Distributed Denial of Service (DDoS) attacks so powerful that they have brought down Twitter, Facebook, Yahoo, and Google. And almost three quarters of all organizations have suffered from a DDoS attack in the past twelve months.

Detecting and mitigating botnet threats requires multiple tools and processes. One layer of defense is a Web Application Firewall (WAF). A WAF can monitor application activity for unusual activity, detect unexpected spikes in bandwidth, and block offending packets. With advanced Web application intelligence, a WAF can detect botnet activity and distinguish between legitimate Web traffic and attacks.

The Imperva SecureSphere Web Application Firewall provides organizations with an ironclad defense against botnet threats and application DDoS attacks. SecureSphere offers unique detection techniques that can identify and stop automated attacks like DDoS. In addition, SecureSphere offers flexible customization, allowing organizations to fine tune security rules based on application-specific requirements.


                           SecureSphere Protection against Application DDoS
Imperva SecureSphere offers multiple layers of protection to identify botnet threats like application DDoS attacks. SecureSphere fortifies Web applications using:
» Automatic learning of applications and user behavior – Imperva’s patented Dynamic Profiling technology learns the structure and elements of protected Web applications. In addition, it profiles user interaction with the application. This allows SecureSphere to detect unusually long form field values, parameter tampering, and session abuse. It also allows SecureSphere to identify requests to Web pages that do not exist, abnormal traffic flows, and other atypical behavior. Most application DDoS attacks will generate profile violations that can be used alone or in conjunction with other identifiers to stop the attacks.
» Protection against automated attacks through ThreatRadar – Imperva’s industry-first reputation-based security service recognizes known attack sources, such as malicious IPs, anonymous proxies, and Tor networks. ThreatRadar receives near real-time feeds of known bad users from global defense research organizations. These feeds are not just lists of known bots, but of bots that are currently active and perpetrating attacks. With ThreatRadar, SecureSphere can stop a large percentage of malicious users even before they can execute an attack.
» Bot agent detection – Bots are automated clients. They typically do not access Web sites using a standard Web user agent, like Firefox or Internet Explorer. Instead, they use scripts or unique botnet browser agents. SecureSphere can identify and stop hundreds of the most common bot agents. In addition, SecureSphere can recognize characteristics of traffic activity indicative of botnet zombies.
» HTTP protocol validation – SecureSphere detects traffic that does not conform to the HTTP RFC standard. This protocol validation quickly uncovers a significant portion of application DDoS attacks, buffer overflow attempts, and evasion techniques.
» Up-to-date Web attack signatures – SecureSphere identifies many known application DDoS attacks, including attacks against IIS, Apache, PHP, and ColdFusion, through attack signatures. Driven by research from the Imperva ADC, SecureSphere’s attack signatures offer comprehensive protection against the latest threats.








» Application error and response analysis – One of the main indicators of DDoS attacks is Web application errors and slow response times. SecureSphere can inspect outbound Web responses for error codes or code leakage. It can also monitor Web page response times, pinpointing requests that required excessive application processing.
» Custom security rules – SecureSphere offers flexible policy configuration, enabling organizations to build security rules based on over two dozen match criteria. Security administrators can, for instance, block an attack if SecureSphere observes many requests from a single IP address over a period of time and the requests generate application errors. SecureSphere can block the individual request or block the IP address, session, or user for a period of time.




                                    Figure 5: Configuring a custom security policy in SecureSphere

» Real-time monitoring and analytics – For current analysis of attack trends, SecureSphere offers detailed security alerts. The alerts identify the source address, time of day, type and severity of the alert, the entire Web request, and a quick link to the policy that triggered the violation. In addition, SecureSphere tracks the Web server response code and, optionally, the entire response for forensic investigations. Clear, comprehensive alerts give IT security administrators instant visibility into DDoS attack sources.
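The detection logic described in the bullets above (bot agent detection, error and response-time analysis, and the custom rule that blocks an IP address for a period of time after many requests that generate application errors) as a small worked example over constructed access log lines. This is added example code, not Imperva's or SecureSphere's implementation; the log layout, thresholds, bot-agent signatures and IP addresses are assumptions.

```python
# Toy application-DDoS detector over Web access log lines: bot agent detection, error and
# response-time analysis, and a rate-plus-errors rule that blocks an IP for a period of time.
# Added example only; thresholds, log layout and bot-agent list are assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout: combined log format plus a trailing response time in milliseconds:
#   ip - - [time zone] "METHOD path HTTP/x" status bytes "referer" "agent" ms
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^ \]]+)[^\]]*\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)" (?P<ms>\d+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"

# Hypothetical bot-agent signatures, constructed for this example (a real WAF ships hundreds).
KNOWN_BOT_AGENTS = ("python-urllib", "curl/", "wget/", "libwww-perl", "masscan")


def parse_line(line):
    """Parse one access log line into a dict; return None for a line that does not fit the layout."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    return {"ip": d["ip"], "ts": datetime.strptime(d["ts"], TS_FMT), "path": d["path"],
            "status": int(d["status"]), "agent": d["agent"], "ms": int(d["ms"])}


def is_bot_agent(agent):
    """Bot agent detection: no user agent at all, or a known scripted-client signature."""
    a = agent.lower()
    return a == "" or any(sig in a for sig in KNOWN_BOT_AGENTS)


class DdosRuleEngine:
    """Custom rule: at least max_requests from one IP inside the window, of which at least
    min_errors produced an application error or an excessively slow response -> block the IP."""

    def __init__(self, window_s=10, max_requests=20, min_errors=5, slow_ms=2000, block_s=300):
        self.window = timedelta(seconds=window_s)
        self.max_requests = max_requests
        self.min_errors = min_errors
        self.slow_ms = slow_ms
        self.block_for = timedelta(seconds=block_s)
        self.history = defaultdict(deque)   # ip -> deque of (timestamp, is_error)
        self.blocked_until = {}             # ip -> time at which its block expires

    def process(self, rec):
        """Return the verdict for one parsed request: allow, bot-agent, block-ip or blocked."""
        ip, ts = rec["ip"], rec["ts"]
        until = self.blocked_until.get(ip)
        if until is not None and ts < until:
            return "blocked"            # the IP is inside its block period: drop the request
        if is_bot_agent(rec["agent"]):
            return "bot-agent"          # stopped before the rate rule is even consulted
        # Error and response analysis: 4xx (e.g. pages that do not exist), 5xx, or slow processing.
        is_error = rec["status"] >= 400 or rec["ms"] >= self.slow_ms
        q = self.history[ip]
        q.append((ts, is_error))
        while q and ts - q[0][0] > self.window:   # slide the window forward
            q.popleft()
        errors = sum(1 for _, e in q if e)
        if len(q) >= self.max_requests and errors >= self.min_errors:
            self.blocked_until[ip] = ts + self.block_for
            q.clear()
            return "block-ip"
        return "allow"


def analyze(lines, engine=None):
    """Run every log line through the engine; return per-IP verdict lists and the block table."""
    engine = engine or DdosRuleEngine()
    verdicts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            verdicts["<unparsed>"].append("invalid")   # malformed lines are flagged, not dropped
            continue
        verdicts[rec["ip"]].append(engine.process(rec))
    return dict(verdicts), dict(engine.blocked_until)


# Constructed sample traffic (documentation IP addresses, not real hosts).
def _line(ip, ts, path, status, agent, ms):
    return (f'{ip} - - [{ts.strftime(TS_FMT)} +0000] "GET {path} HTTP/1.1" {status} 512 '
            f'"-" "{agent}" {ms}')

_T0 = datetime(2010, 6, 1, 12, 0, 0)
BROWSER_AGENT = "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
SAMPLE_LOG = [
    _line("203.0.113.5", _T0, "/index.html", 200, BROWSER_AGENT, 45),               # normal user
    _line("203.0.113.5", _T0 + timedelta(seconds=3), "/login", 200, BROWSER_AGENT, 120),
    _line("198.51.100.7", _T0 + timedelta(seconds=1), "/index.html", 200, "curl/7.19.7", 40),
] + [  # zombie hammering pages that do not exist: 25 requests in under ten seconds, all 404s
    _line("192.0.2.9", _T0 + timedelta(milliseconds=400 * i), f"/p{i}.html", 404, BROWSER_AGENT, 30)
    for i in range(25)
]
```

Running `analyze(SAMPLE_LOG)` lets the browser user through, stops the curl client on its agent string alone, and blocks the zombie's IP on its 20th 404 inside the window, after which its remaining requests are dropped without further analysis.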





Developing a Defensive Strategy to Fight Botnets and Application DDoS Attacks
Over the past several years, application attacks have become industrialized. Using off-the-shelf toolkits, automation techniques, and search engines, non-technical cyber criminals can build botnets of thousands or even millions of computers. Botnets can be a lucrative business for malware creators and botnet operators. Using botnets, depraved individuals can unleash destructive DDoS attacks on virtually any victim.

To protect against botnets and application DDoS attacks, organizations can rely on Imperva SecureSphere. The market-leading SecureSphere Web Application Firewall offers protection against a myriad of Web application threats, including SQL injection, XSS, CSRF, directory traversal, site reconnaissance, sensitive data leakage, and more. Imperva SecureSphere is trusted by organizations around the world to stop automated threats like botnet and application DDoS attacks.


                           About Imperva
Imperva is the global leader in data security. Our customers include leading enterprises, government organizations, and managed service providers who rely on Imperva to prevent sensitive data theft by hackers and insiders. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring for databases, Web applications, and file systems.
To learn more about Imperva’s solution, visit http://www.imperva.com.




  Imperva
  Headquarters
  3400 Bridge Parkway, Suite 200
  Redwood Shores, CA 94065
  Tel: +1-650-345-9000
  Fax: +1-650-345-9004

  Toll Free (U.S. only): +1-866-926-4678
  www.imperva.com

  © Copyright 2011, Imperva
  All rights reserved. Imperva, SecureSphere, and "Protecting the Data That Drives Business" are registered trademarks of Imperva.
  All other brand or product names are trademarks or registered trademarks of their respective holders. #WP-BOTNETS-AT-THE-GATE-0111rev2

Mais conteúdo relacionado

Mais de Imperva

How We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchHow We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchImperva
 
Survey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecuritySurvey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecurityImperva
 
Companies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRCompanies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRImperva
 
Rise of Ransomware
Rise of Ransomware Rise of Ransomware
Rise of Ransomware Imperva
 
7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged VendorsImperva
 
SEO Botnet Sophistication
SEO Botnet SophisticationSEO Botnet Sophistication
SEO Botnet SophisticationImperva
 
Phishing Made Easy
Phishing Made EasyPhishing Made Easy
Phishing Made EasyImperva
 
Imperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva
 
Combat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceCombat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceImperva
 
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyHTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyImperva
 
Get Going With Your GDPR Plan
Get Going With Your GDPR PlanGet Going With Your GDPR Plan
Get Going With Your GDPR PlanImperva
 
Cyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataCyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataImperva
 
Combat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityCombat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityImperva
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2: New attacks on the Internet’s Next Generation FoundationHacking HTTP/2: New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation FoundationImperva
 
Gartner MQ for Web App Firewall Webinar
Gartner MQ for Web App Firewall WebinarGartner MQ for Web App Firewall Webinar
Gartner MQ for Web App Firewall WebinarImperva
 
More Databases. More Hackers. More Audits.
More Databases. More Hackers. More Audits.More Databases. More Hackers. More Audits.
More Databases. More Hackers. More Audits.Imperva
 
Protect Your Data and Apps in the Public Cloud
Protect Your Data and Apps in the Public CloudProtect Your Data and Apps in the Public Cloud
Protect Your Data and Apps in the Public CloudImperva
 
Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Imperva
 
Hackers, Cyber Crime and Espionage
Hackers, Cyber Crime and EspionageHackers, Cyber Crime and Espionage
Hackers, Cyber Crime and EspionageImperva
 
The State of Application Security: Hackers On Steroids
The State of Application Security: Hackers On SteroidsThe State of Application Security: Hackers On Steroids
The State of Application Security: Hackers On SteroidsImperva
 

Mais de Imperva (20)

How We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchHow We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over Lunch
 
Survey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecuritySurvey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber Security
 
Companies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRCompanies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPR
 
Rise of Ransomware
Rise of Ransomware Rise of Ransomware
Rise of Ransomware
 
7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors
 
SEO Botnet Sophistication
SEO Botnet SophisticationSEO Botnet Sophistication
SEO Botnet Sophistication
 
Phishing Made Easy
Phishing Made EasyPhishing Made Easy
Phishing Made Easy
 
Imperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense Report
 
Combat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceCombat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat Intelligence
 
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyHTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
 
Get Going With Your GDPR Plan
Get Going With Your GDPR PlanGet Going With Your GDPR Plan
Get Going With Your GDPR Plan
 
Cyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataCyber Criminal's Path To Your Data
Cyber Criminal's Path To Your Data
 
Combat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityCombat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data Security
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2: New attacks on the Internet’s Next Generation FoundationHacking HTTP/2: New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
 
Gartner MQ for Web App Firewall Webinar
Gartner MQ for Web App Firewall WebinarGartner MQ for Web App Firewall Webinar
Gartner MQ for Web App Firewall Webinar
 
More Databases. More Hackers. More Audits.
More Databases. More Hackers. More Audits.More Databases. More Hackers. More Audits.
More Databases. More Hackers. More Audits.
 
Protect Your Data and Apps in the Public Cloud
Protect Your Data and Apps in the Public CloudProtect Your Data and Apps in the Public Cloud
Protect Your Data and Apps in the Public Cloud
 
Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016
 
Hackers, Cyber Crime and Espionage
Hackers, Cyber Crime and EspionageHackers, Cyber Crime and Espionage
Hackers, Cyber Crime and Espionage
 
The State of Application Security: Hackers On Steroids
The State of Application Security: Hackers On SteroidsThe State of Application Security: Hackers On Steroids
The State of Application Security: Hackers On Steroids
 

Último

Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 

Último (20)

Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 

Botnets at the Gate: Stopping Botnets and DDoS Attacks

  • 1. White Paper Botnets at the Gate: Stopping Botnets and Distributed Denial of Service Attacks Over the past several years, botnets like BlackEnergy, Illusion, Pushdo, and Zeus have dominated news headlines. They have infiltrated millions of users’ computers and wrecked incalculable damage – unleashing powerful Denial of Service attacks, exposing national security secrets, and compromising individual victims’ credit card numbers and bank account credentials. Virtually all online users have been affected by botnets, either as hapless recipients of spam email or as frustrated users attempting to visit an unavailable Website. However, millions of users have suffered a much worse fate, recruited unknowingly into a botnet army. The numbers are staggering. The Bredolab botnet alone had infected over 30 million computers and sent an estimated 3.6 billion virus-laden emails every day in late 2009.1 As of early December 2010, over 5,400 botnet command and control servers were identified and active.2 This paper attempts to lift the veil on botnets and the cyber-criminals behind them. It analyzes the history, growth, and economics behind botnets. It then investigates one of the most common attacks executed by botnets: the Distributed Denial of Service (DDoS) attack. To help combat automated attacks, this paper proposes a number of security measures that include processes, technologies, and services. While organizations must heed the growing specter of botnets, there are a number of tools at their disposal that can mitigate botnet security threats. 1 “Dutch National Crime Squad announces takedown of dangerous botnet,” October 25, 2010, OpenBaar Ministerie 2 Shadowserver Foundation
  • 2. Botnets at the Gate Introduction DatabaseFileWeb Millions of computers around the world are controlled by cybercriminals. These computers have been infected with software robots, or “bots”, that automatically connect to command and control servers. The command and control servers then instruct the bots to carry out illicit activity, such as performing denial of service attacks or harvesting application content. Building these networks of bots, or botnets, has become a lucrative business for botnet operators, who rent out their bots to the highest bidder. But before examining the botnet business model, we will investigate how they are formed. Botnet Propagation Botnet operators, also known as “bot farmers,” use a variety of different methods to build their networks of bots. Common methods include email viruses, Internet worms, drive-by downloads of malware, Trojans distributed on portable storage devices, and more. As a case in point, a sweeping report about the Koobface botnet3 reveals how its architects infected more than 2.9 million computers. The Koobface operators used social networking tactics on the world’s leading social network platforms – Facebook, Twitter, and MySpace – to spread the botnet malware.4 Koobface primarily targeted Facebook. Its main means of propagation was through fraudulent Facebook messages that enticed recipients to watch a video, such as an embarrassing video captured by a hidden camera. Once users clicked on an embedded link in the message, they would be taken to a compromised site hosting the malware. Then, when users tried to view the video, they would be instructed to update their Adobe Flash Player or download a new codec. 
Figure 1: A Christmas variant of a Koobface malware-hosted Web page5 3 “Koobface: Inside a Crimeware Network,” November 2010, Information Warfare Monitor 4 Affected sites also included Bebo, Friendster, Fubar, Hi5, Live Journal Netlog, Tagged, and Yearbook 5 “Koobface botnet enters the Xmas season,” Zero Day blog Imperva White Paper < 2 >
  • 3. Botnets at the Gate If users agreed to install the fake update, they would unwittingly download the Koobface malware. Then when DatabaseFileWeb these users logged into their Facebook accounts, the Koobface malware would send malicious messages to a new host of victims. In contrast, BredoLab, the largest known botnet to date, relied on email messages with malware attachments to compromise computers. When these attachments were opened by users, the malware would infect the users’ computers, turning them into zombies. While email was the main form of distribution, BredoLab’s operators also used drive-by downloads, downloading malware to users’ computers without the users’ knowledge. The techniques used to propagate Koobface and BredoLab are typical of the entire botnet industry: viruses, worms, and Trojans spread through application and system vulnerabilities or social engineering tactics. Botnet Communications After computers have been compromised with a botnet agent, the agents will automatically connect to botnet command and control servers. Bots have traditionally communicated with these servers using Internet Relay Chat (IRC), a real-time chat and instant messaging protocol. While botnets are synonymous with IRC, botnet operators are increasingly turning to Web-based communications because they are easier to set up and harder to detect. Web-based botnet kits often include user-friendly Web user interfaces, simplifying management. Today, botnet operators are even turning social networking sites into command and control channels, disseminating attack instructions through Twitter or Facebook accounts. In fact, recent research indicates that Web-based botnets now outnumber traditional IRC botnets by a factor of five.6 While IRC botnets are by no means dead, this shift illustrates the rapid evolution of botnet architectures as botnet operators attempt to stay ahead of authorities and ahead of one another. 
Botnet Development Botnet development also has evolved; instead of lone hackers laboring to develop botnet command and control servers, botnet operators increasingly rely on off-the-shelf botnet toolkits. Criminals with little to no programming experience can obtain kits such as BlackEnergy or Butterfly for as little as $700, make a few minor modifications, and then distribute their bot agents through online forums and Bit Torrents. Many of these botnet toolkits today even include graphical user interfaces, dashboards, and report statistics. Figure 2: A command and control interface for the Zeus botnet 6 “The Death of the IRC Botnet,” eSecurity Planet, November 18, 2010 Imperva White Paper < 3 >
The Imperva Application Defense Center (ADC) discovered an off-the-shelf hacking toolkit that exemplifies today’s crimeware trends.7 While it was a phishing toolkit, it shares many similarities with current botnet toolkits. The toolkit offers a simple GUI dashboard and provides “cloud storage” for stolen credentials, completely automating all aspects of the criminal campaign. The credentials are ostensibly stored in a location that can only be accessed by the individual toolkit user. However, unbeknownst to toolkit users, the toolkit creator built in a backdoor that provided full access to all of the stolen credentials. The toolkit has purportedly been downloaded over 200,000 times, providing the creator with countless user names and passwords. This toolkit illustrates today’s trend to automate cybercrime. And although this toolkit was distributed for free, it shows the profits that hackers can reap by developing off-the-shelf hacking tools.

Botnet toolkits help build the botnet infrastructure: the botnet command and control servers. In addition, botnet development also includes the malware that infects computers and transforms them into zombies. And like botnet toolkits, a slew of malware toolkits have emerged to service the needs of botnet operators.

To increase infection rates, malware developers must check that their malware won’t be detected by computer anti-virus software. Many malware scanning portals have sprung up to simplify this process. Malware scanning portals allow malware developers to test their malware against anti-virus software. For example, one commercial malware QA service, Virtest.com, allows malware developers to test their malware against 26 anti-virus engines. Sites like Virtest.com exemplify the “Industrialization of Hacking” that has transformed hacking into an efficient, scalable, and profitable enterprise.

Figure 3: Malware scanning portal Virtest.com

7 For more information, see “An Inside Look at Hacker Business Models,” Noa Bar-Yosef, Security Week, October 19, 2010.
The Economics of Botnets

Botnet ownership can be even more lucrative than botnet development. Botnets are a key component of the overall hacking “industry,” an industry estimated to garner $1 trillion per year.8 Botnet operators have multiple ways to capitalize on their botnet armies; perpetrating pay-per-click fraud and renting out botnets for distributed attacks are just two examples. The Koobface botnet owners netted over $2 million in less than twelve months using pay-per-click and pay-per-install schemes.9

For operators renting out their botnets, the primary value of a botnet is its size. However, other factors can impact the money-making capabilities of a botnet, including the type of attack to be carried out, the target, and its geographic location. According to Imperva research, renting a botnet to spam one million emails ranges in cost from $150 to $200. A 24-hour DDoS attack can range from $50 to several thousand dollars for larger attacks. With so much money to be made, it is not surprising that botnets are increasing in size, number, and sophistication every year.

Botnets as Weapons

So far, this paper has profiled the spread, communications, development, and financial business model of botnets. However, the major concern for most organizations is the damage that can be wrought by botnets. Botnets can be used as instruments to carry out any number of malicious activities; sending spam email, logging keystrokes to capture online user credentials, scanning computer files for sensitive data, pay-per-click fraud, and distributed password cracking are just a few examples.

One of the most dangerous botnet threats is the DDoS attack. Harnessing the aggregate power of thousands or tens of thousands of bots, DDoS attacks can inflict tremendous damage on Websites, slowing down or even completely disabling them. And DDoS attacks are not isolated, but a regular issue for many organizations. According to a recent survey of IT decision makers, 74% reported suffering one or more DDoS attacks in the past 12 months. Of these, 31% said that the attacks disrupted service.10 Whether the motivation is political, financial or just random, DDoS attacks can be extraordinarily costly for the targeted organizations.

The Imperva ADC has tracked numerous application DDoS attacks conducted through botnets. It has also investigated underground forums and hacker sites to uncover new DDoS attack methods. Based on this research, this paper will examine application DDoS attacks and recommend mitigation techniques.

8 “Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet,” Joseph Menn, 2010
9 “Koobface: Inside a Crimeware Network,” November 2010, Information Warfare Monitor
10 “The Trends and Changing Landscape of DDoS Threats and Protection,” Forrester
Application DDoS

A Distributed Denial of Service (DDoS) attack is an attack initiated from multiple machines that is designed to disrupt normal operations. Traditional Denial of Service (DoS) attacks attempt to exploit server or application weaknesses to cause the target to stop responding. DDoS attacks amplify the effects of DoS attacks by using thousands of machines to launch their assaults. These newer attacks do not necessarily exploit vulnerabilities; they may simply unleash a flood of requests, overwhelming the bandwidth and server processing power of the targeted site.

The End Game for DDoS

DDoS attacks have targeted a diverse range of organizations, from government institutions and banks, to social networking companies and even root name server operators. The motivations for DDoS attacks vary: financial, political, religious, entertainment, or even personal notoriety. Many organized cyber criminals use DDoS to extort money from online sites. Authorities convicted a Russian gang of blackmailing over 50 organizations, extracting over $4 million from British companies, typically online gambling sites.11 In 2008, a wave of DDoS attacks brought down 10 online gambling sites, also purportedly targets of extortion schemes.

Hacktivism is another key motivation for DDoS attacks. Whether driven by national patriotism or the desire to squelch the opinions of an ideological foe, DDoS is the weapon of choice. Examples of hacktivism in action include DDoS attacks targeting Georgian Websites before the Ossetia War in 2008 and the Iranian government’s Website during the 2009 Iranian election protests. Government Websites representing the US, Korea, Myanmar, Estonia, and many others have been targeted. In fact, a persistent DDoS attack on Burmese Websites during Burma’s 2010 national elections actually caused the entire country’s Internet connectivity to go down. More recently, WikiLeaks has found itself at the center of a DDoS hacktivism war. Hacktivists attacked the MasterCard, Visa and PayPal Websites in retaliation after these companies stopped processing donations to WikiLeaks.

DDoS Botnets-for-Hire

While the WikiLeaks-inspired “Operation Payback” attack used a combination of voluntary hackers and bots, almost all DDoS attacks are executed by criminal botnet services. DDoS rental fees typically start at $50 for small attacks, but some researchers have seen DDoS prices as low as $9. To attract customers, botnet owners advertise their services, continually seeking to outclass their botnet brethren. Owners promote their services in underground forums and mailing lists. In the case of the powerful IMDDOS botnet, the owners actually set up a public Website to showcase their offering.12 On a message board, one botnet operator touted that his botnet offered “the best combination of quality and service” and special pricing for regular customers. Options included HTTP attacks, downloading flood, POST flood, and ping commands “tuned to perfection.”13 Like slick advertising executives, botnet operators and even bot malware creators promote their offerings with carefully fine-tuned messaging.

DDoS 2.0

DDoS attacks traditionally are carried out by computer-based bots. The Imperva ADC uncovered a new breed of DDoS attacks in May 2010 that uses Web servers as payload-carrying bots. Imperva discovered a 300-server-strong botnet that set a new standard for power, efficiency and stealth. Using a basic software program equipped with a dashboard and control panel, hackers could configure the IP, port, and duration of the attack. Hackers simply need to type the Website URL they wish to attack and then they can instantly disable targeted sites.

11 “Online Russian blackmail gang jailed for extorting $4m from gambling websites,” http://www.sophos.com/pressoffice/news/articles/2006/10/extort-ddos-blackmail.html
12 “Damballa Discovers New Wide-Spread Global Botnet Offering Commercial DDoS Services,” Damballa, September 2010
13 “BlackEnergy competitor – The ‘Darkness’ DDoS Bot,” Shadowserver calendar entry for December 5, 2010
Figure 4: The user interface for managing DDoS attacks from Web servers.

A single Web server could unleash the same damage as fifty or more PCs. With such powerful attack weapons at their command, it is not surprising that DDoS rental services keep increasing the strength of their attacks. The largest observed DDoS attack reached an all-time high of 49 Gbps in 2009.14

Advanced Application DDoS Attacks

Many organizations witnessed an increase in application-based attacks in 2009 compared to previous years. While application-based attacks still only account for 26% of all DDoS attacks,14 they are more sophisticated and much more challenging to stop. There are several reasons why application-based attacks are the most dangerous type of DDoS. Network firewalls today can detect the majority of flood and network DoS attacks. Many ICMP and UDP flood attacks can also be identified using intelligent packet filtering and source and destination access control lists. However, application DDoS attacks usually bypass most traditional network security devices.

Application DDoS attacks exploit vulnerabilities in application servers or application business logic. For example, application DDoS attacks may simply flood a Web application server with seemingly legitimate requests designed to overwhelm it. An attacker may also attempt to exploit an application vulnerability, such as sending Web requests with extremely long URLs. More sophisticated attacks exploit business logic flaws. For example, if an application’s Website search mechanism is poorly written, it could require excessive processing by a back end database server. An application DDoS attack could exploit this flaw by performing thousands of search requests using wildcard search terms to overwhelm the back end application database.

“Slowloris” emerged as a perilous application DDoS attack in 2009. This attack disrupts application service by exhausting Web server connections. In the Slowloris attack, the attacker sends an incomplete HTTP header and then periodically sends further header lines to keep the connection alive, but never sends the complete header. Without requiring much bandwidth, an attacker can open numerous connections and overwhelm the targeted Web server. While multiple patches have been created for Apache to mitigate this vulnerability, it nonetheless demonstrates the power of more sophisticated DDoS attacks.

14 “Worldwide Infrastructure Security Report,” Arbor Networks, Volume V.
Application DDoS Mitigation Techniques

There are a number of measures that organizations can undertake to mitigate the risks of a DDoS attack. Organizations with mission-critical Web applications can:

» Over-provision bandwidth to absorb DDoS bandwidth peaks – Although this is one of the most common measures to alleviate DDoS attacks, it is also probably the most expensive. Allocating extra bandwidth can be an effective way to manage small-scale DDoS attacks, but it won’t solve advanced application attacks that target application vulnerabilities and flaws.

» Implement black hole routing – When an attack occurs, the victim can work in conjunction with its ISP(s) to re-route DDoS traffic. There are two types of black hole routing: source-based and destination-based. With source-based black hole routing, a null route is created to discard traffic from known malicious sources. This is effective if the DDoS attack is coming from a limited number of sources. With destination-based black hole routing, the attack target is null routed, basically taking the Website offline. Obviously, this is a solution for ISPs and not for DDoS victims.

» Secure Application and Server Management – If organizations’ development teams follow secure application coding best practices, they can prevent many buffer overflow attacks. In addition, system administrators should harden systems, apply the latest patches, and configure the Web server to close idle connections.

» Apply application-level controls – Because application DDoS attacks mimic regular Web application traffic, they can be difficult to detect through typical network DDoS techniques. However, using a combination of application-level controls and anomaly detection, organizations can identify and stop malicious traffic. Measures include:

  • Detecting an excessive number of requests from a single source or user session – Automated attack sources almost always request Web pages more rapidly than standard users.

  • Recognizing known attack sources, such as malicious IP addresses, anonymous proxies and TOR networks – Known attack sources account for a large percentage of all DDoS attacks. Because malicious sources constantly change, organizations should have an up-to-date list of active attack sources.

  • Identifying known bot agents – DDoS attacks are almost always performed by an automated client. Many of these client or bot agents have unique characteristics that differentiate them from regular Web browser agents. Tools that recognize bot agents can immediately stop many types of DDoS sources.

  • Implementing CAPTCHAs to block automated clients – CAPTCHAs can hinder automated DDoS attacks. However, bots are increasingly finding ways to circumvent CAPTCHAs. Up to 60 percent of bots can crash through CAPTCHAs, according to recent security research.15 Nevertheless, CAPTCHAs are still an effective defense against application DDoS attacks.

  • Distinguishing attributes, and aftermath, of a malicious request – Some DDoS attacks can be detected through known attack patterns or signatures. In addition, many malicious Web requests do not conform to HTTP protocol standards. For instance, the Slowloris DDoS attack included redundant HTTP headers. In addition, DDoS clients may request Web pages that do not exist. Attacks may also generate Web server errors or slow Web server response time.

The aforementioned techniques are just a few of the measures that organizations can undertake to combat DDoS attacks. They should be combined with processes, such as developing an internal rapid response team that can quickly and adeptly analyze and address DDoS attacks. If organizations undertake effective security measures, they will be well equipped to fight application DDoS attacks.

15 “Botnets Target Websites with ‘Posers’,” Dark Reading, June 1, 2010.
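As an added example (not code from the white paper or from Imperva), the following Python script applies four of the application-level checks listed above to a Web server access log: an excessive request rate from a single source, a known attack source, a non-browser client agent, and requests that mostly produce server errors or hit pages that do not exist. The log lines, the thresholds and the known-bad address list are all constructed for the example; a real deployment would tune the thresholds per application and feed the bad-source list from a live reputation service.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Thresholds and the bad-source list are assumptions made for this example.
WINDOW = timedelta(seconds=10)
MAX_REQUESTS_PER_WINDOW = 20
MAX_ERROR_RATIO = 0.5
KNOWN_BAD_SOURCES = {"203.0.113.9"}          # constructed, RFC 5737 TEST-NET-3
BROWSER_MARKERS = ("Mozilla/", "Opera/")     # prefixes used by mainstream browsers

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def triage(lines):
    """Return {source_ip: set_of_reasons} for every source that trips a check."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    flagged = defaultdict(set)
    for ip, recs in per_ip.items():
        # 1. reputation: the source is on the known-bad list
        if ip in KNOWN_BAD_SOURCES:
            flagged[ip].add("known-bad-source")
        # 2. rate: more than MAX_REQUESTS_PER_WINDOW inside any WINDOW-long span
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > WINDOW:
                start += 1
            if end - start + 1 > MAX_REQUESTS_PER_WINDOW:
                flagged[ip].add("rate")
                break
        # 3. agent: any request from a client that does not look like a browser
        if any(not r["ua"].startswith(BROWSER_MARKERS) for r in recs):
            flagged[ip].add("non-browser-agent")
        # 4. aftermath: most requests ended in 4xx/5xx (missing pages, app errors)
        errors = sum(1 for r in recs if r["status"] >= 400)
        if len(recs) >= 5 and errors / len(recs) > MAX_ERROR_RATIO:
            flagged[ip].add("error-ratio")
    return dict(flagged)

def _line(ip, ts, req, status, ua):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" {status} 512 "-" "{ua}"'

T0 = datetime(2010, 12, 5, 12, 0, 0, tzinfo=timezone.utc)
FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6"
SAMPLE_LOG = (  # constructed sample log; addresses are RFC 5737 documentation ranges
    [_line("198.51.100.7", T0 + timedelta(seconds=10 * i), "GET /index.html HTTP/1.1", 200, FIREFOX) for i in range(3)]
    + [_line("192.0.2.44", T0 + timedelta(milliseconds=200 * i), "GET /search?q=%25 HTTP/1.1", 200, "python-requests/2.25.1") for i in range(25)]
    + [_line("192.0.2.45", T0 + timedelta(seconds=7 * i), f"GET /page{i}.html HTTP/1.1", 404 if i < 6 else 200, FIREFOX) for i in range(8)]
    + [_line("203.0.113.9", T0 + timedelta(seconds=30 * i), "GET / HTTP/1.1", 200, FIREFOX) for i in range(2)]
)
```

Calling `triage(SAMPLE_LOG)` flags the scripted wildcard-search client for rate and agent, the client hitting non-existent pages for its error ratio, and the listed source for reputation, while the ordinary Firefox visitor is left alone.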
A Practical Approach to Mitigate Botnet and DDoS Threats

Botnets have become enemy number one for most IT security departments. They are responsible for virtually every large-scale, distributed attack today, including spam email, phishing attacks, and screen scraping. Botnets also carry out automated Distributed Denial of Service (DDoS) attacks so powerful that they have brought down Twitter, Facebook, Yahoo, and Google. And almost three quarters of all organizations have suffered from a DDoS attack in the past twelve months.

Detecting and mitigating botnet threats requires multiple tools and processes. One layer of defense is a Web Application Firewall (WAF). A WAF can monitor application activity for unusual behavior, detect unexpected spikes in bandwidth, and block offending packets. With advanced Web application intelligence, a WAF can detect botnet activity and distinguish between legitimate Web traffic and attacks.

The Imperva SecureSphere Web Application Firewall provides organizations with an ironclad defense against botnet threats and application DDoS attacks. SecureSphere offers unique detection techniques that can identify and stop automated attacks like DDoS. In addition, SecureSphere offers flexible customization, allowing organizations to fine tune security rules based on application-specific requirements.

SecureSphere Protection against Application DDoS

Imperva SecureSphere offers multiple layers of protection to identify botnet threats like application DDoS attacks. SecureSphere fortifies Web applications using:

» Automatic learning of applications and user behavior – Imperva’s patented Dynamic Profiling technology learns the structure and elements of protected Web applications. In addition, it profiles user interaction with the application. This allows SecureSphere to detect unusually long form field values, parameter tampering and session abuse. It also allows SecureSphere to identify requests to Web pages that do not exist, abnormal traffic flows and other atypical behavior. Most application DDoS attacks will generate profile violations that can be used alone or in conjunction with other identifiers to stop the attacks.

» Protection against automated attacks through ThreatRadar – Imperva’s industry-first reputation-based security service recognizes known attack sources, such as malicious IPs, anonymous proxies, and TOR networks. ThreatRadar receives near real-time feeds of known bad users from global defense research organizations. These feeds are not just lists of known bots, but of bots that are currently active and perpetrating attacks. With ThreatRadar, SecureSphere can stop a large percentage of malicious users even before they can execute an attack.

» Bot agent detection – Bots are automated clients. They typically do not access Web sites using a standard Web agent, like Firefox or Internet Explorer. Instead, they use scripts or unique botnet browser agents. SecureSphere can identify and stop hundreds of the most common bot agents. In addition, SecureSphere can recognize unique characteristics of traffic activity indicative of botnet zombies.

» HTTP protocol validation – SecureSphere detects traffic that does not conform to the HTTP RFC standard. This protocol validation quickly uncovers a significant portion of application DDoS attacks, buffer overflow attempts and evasion techniques.

» Up-to-date Web attack signatures – SecureSphere identifies many known application DDoS attacks, including attacks on IIS, Apache, PHP, and ColdFusion, through attack signatures. Driven by research from the Imperva ADC, SecureSphere’s attack signatures offer comprehensive protection against the latest threats.

» Application error and response analysis – One of the main indicators of DDoS attacks is Web application errors and slow response times. SecureSphere can inspect outbound Web responses for error codes or code leakage. It can also monitor Web page response times, pinpointing requests that required excessive application processing.

» Custom security rules – SecureSphere offers flexible policy configuration, enabling organizations to build security rules based on over two dozen match criteria. Security administrators can, for instance, block an attack if SecureSphere observes many requests from a single IP address over a period of time and the requests generate application errors. SecureSphere can block the individual request or block the IP address, session, or user for a period of time.

Figure 5: Configuring a custom security policy in SecureSphere

» Real-time monitoring and analytics – For current analysis of attack trends, SecureSphere offers detailed security alerts. The alerts identify the source address, time of day, type and severity of the alert, the entire Web request, and a quick link to the policy that triggered the violation. In addition, SecureSphere tracks the Web server response code and optionally the entire response for forensics investigations. Clear, comprehensive alerts provide IT security administrators instant visibility into DDoS attack sources.
Developing a Defensive Strategy to Fight Botnets and Application DDoS Attacks

Over the past several years, application attacks have become industrialized. Using off-the-shelf toolkits, automation techniques, and search engines, non-technical cyber criminals can build botnets of thousands or even millions of computers. Botnets can be a lucrative business for malware creators and botnet operators. Using botnets, depraved individuals can unleash destructive DDoS attacks on virtually any victim.

To protect against botnets and application DDoS attacks, organizations can rely on Imperva SecureSphere. The market-leading SecureSphere Web Application Firewall offers protection against a myriad of Web application threats, including SQL injection, XSS, CSRF, directory traversal, site reconnaissance, sensitive data leakage, and more. Imperva SecureSphere is trusted by organizations around the world to stop automated threats like botnet and application DDoS attacks.

About Imperva

Imperva is the global leader in data security. Our customers include leading enterprises, government organizations, and managed service providers who rely on Imperva to prevent sensitive data theft by hackers and insiders. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring for databases, Web applications and file systems. To learn more about Imperva’s solution visit http://www.imperva.com.

Imperva Headquarters
3400 Bridge Parkway, Suite 200
Redwood Shores, CA 94065
Tel: +1-650-345-9000
Fax: +1-650-345-9004
Toll Free (U.S. only): +1-866-926-4678
www.imperva.com

© Copyright 2011, Imperva. All rights reserved. Imperva, SecureSphere, and "Protecting the Data That Drives Business" are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #WP-BOTNETS-AT-THE-GATE-0111rev2