1. Cyber Security
Robin Hoods and Criminals
Ziv Ichilov
DefensePro Product Manager, Radware
ICTExpo Helsinki, April 2012
2. Breaking News
Anonymous has taken down the following this week
• Central Intelligence Agency (CIA)
• Department of Justice (DOJ)
• Federal Bureau of Investigation (FBI)
• National Aeronautics and Space Administration (NASA)
• Secret Intelligence Service (MI6)
3. AGENDA
DoS – What is it about?
2011 DoS Attacks
Robin Hoods or Criminals
Protect Yourself – What is Missing?
Radware Attack Mitigation System
5. DoS – Originators and Goals
• Hacktivism
– Gain Public Attention
• Protestors
• Cyber Crime
– Extortion
• Criminals
– Business Affairs
• Competition
– Data Theft
• DoS for Covering Surreptitious Attacks (criminals)
• Cyber War
– Country Level Attacks
– Business / Military Intelligence
– “Real” Critical Infrastructure Paralysis
6. DoS – Digital Sit-in or Crime
• Protest – Digital Sit-in
“A sit-in or sit-down is a form of direct action that involves one or more persons
nonviolently occupying an area for a protest, often to promote political, social, or
economic change.” Wikipedia
“There’s no such thing as a DDoS attack. A DDoS is a protest, it’s a digital sit-in. It is
no different than physically occupying a space. It’s not a crime, it’s speech.
Nothing was malicious, there was no malware, no Trojans. This was merely a
digital sit-in. It is no different from occupying the Woolworth’s lunch counter in the
civil rights era” Jay Leiderman (Sept 2011, TPM)
7. DoS – How Does it Look
• Simple Way
– Excessive or specially crafted traffic that exhausts network, server or application
resources, so that legitimate traffic cannot reach its destination and the service is
degraded or denied; generated by tools, humans or both.
Can be based on Volume / Rate / Vulnerability Exploitation
• Detailed
– Layer 3 Floods –
targeting the network equipment, and the actual pipe capacity
– Layer 4 Floods –
targeting the servers (physical or virtual), their stack resources
– Layer 7 Floods –
targeting real applications and services
8. DoS – Effects
• Direct Effects
– Embarrassing nuisance and inconvenience
– Revenue and reputation loss
• Side Effect
– Immediate Data Loss
– Penetration to the Organization
• Long Term Effect
– Infection – the victim is involuntarily harnessed (as a bot) into future attacks
9. AGENDA
DoS – What is it about?
2011 DoS Attacks
Robin Hoods or Criminals
Protect Yourself – What is Missing?
Radware Attack Mitigation System
10. Size Does Not Matter!
– Most organizations may never experience an intense attack
– Less intensive application attacks can cause more damage than network
attacks
– The impact of application flood attacks is much more severe than that of network
flood attacks
– 76% of the attacks surveyed were below 1Gbps
12. Which Elements Are Bottlenecks For DDoS?
• Internet link is saturated (27% of the attacks)
• Stateful devices are vulnerable to DDoS (36% of the attacks)
15. AGENDA
DoS – What is it about?
2011 DoS Attacks
Robin Hoods or Criminals
Protect Yourself – What is Missing?
Radware Attack Mitigation System
16. Robin Hoods or Criminals?
• SONY Example
– Massive DoS attack taking down the PlayStation
network for hours
– Initiated after Sony filed a lawsuit against the hacker who broke the
PS3 protection mechanism
– During the attack, credit card data of millions of users was stolen
– Anonymous involvement was partially denied
17. Robin Hoods or Criminals?
• Sic Semper Tyrannis
– Long campaign against the Vatican web infrastructure
– Started with a failed attempt to hack Vatican systems and databases
– Continued as a massive DoS attack lasting for days, in repeating waves
18. Robin Hoods or Criminals?
• Russian Presidential Elections
– During election time in Russia, first the Duma elections and then the presidential election ...
– DDoS attacks on protestors’ blogs, party websites, news reporting websites, etc.
“It can’t be long before we observe a DDoS attack between two political parties based
on one and the same botnet.” Eugene Kaspersky (blog)
19. Robin Hoods or Criminals?
• The Israeli Case
January 3rd
Saudi hacker 0xOmar leaks tens of thousands of Israeli credit card numbers
and other sensitive personal information.
January 16th
0xOmar and the Pro-Palestinian “Nightmare” hacker group send an email
to the Jerusalem Post, threatening to attack the EL-AL website.
The EL-AL, Tel-Aviv Stock Exchange, First International Bank of Israel and
Discount Bank websites are attacked and are unavailable for hours.
January 17th
Israeli hacker group “IDF-Team” retaliates by attacking the Saudi and UAE
Stock Exchange websites
January 18th
More Israeli websites targeted: Bank of Israel website under attack
20. Robin Hoods or Criminals?
• The Israeli Case
In the following weeks, dozens of Israeli web sites were attacked by
Pro-Palestinian hacker groups
A Cyber War emerged
21. Robin Hoods or Criminals?
"One man's terrorist is another man's freedom fighter." ?
• DoS activity is today considered illegal in most of the world
• DoS attacks are used as cover for launching surreptitious attacks (data theft, penetration)
• There are well-known examples of criminal hacktivism
22. AGENDA
DoS – What is it about?
2011 DoS Attacks
Robin Hoods or Criminals
Protect Yourself – What is Missing?
Radware Attack Mitigation System
23. What is Missing
What Do We Have?
• Most DDoS/DoS Attack Types are Known
– Network floods, SYN floods, GET floods, INVITE floods, etc.
• Protection Methodologies are Known
– Rate limiting, Blacklisting/blackholing, Authentication (Challenge), Behavioral Analysis, etc.
• High Performance Mitigation Devices Exist
24. What is Missing
What is Missing?
• Intelligence
– In detection – application data consideration
– In identification of attackers – smart algorithms and authentication methods
– In mitigation – real-time dynamic filtering
• Capabilities
– Dealing with new challenges – further analysis, secured traffic, etc.
– Experienced Human Touch – for visibility and expertise
• Cooperation
– On premises always-on immediate detection (including layer 7)
– In-the-Cloud detection & mitigation for high rate attacks (link saturation)
– More than Anti-DoS protection devices – WAF/NG-FW/IPS/Etc.
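To make slides 23 and 24 concrete, the following added example (written for this page, not Radware code) runs the listed methodologies over a constructed HTTP request log: a static per-source rate limit, a behavioral baseline, a challenge step, and the "missing" real-time dynamic filter that derives a signature from the anomalous traffic. The bot user agent "BadBot/1.0", the documentation IP ranges and the traffic shape are all assumptions made for the demonstration; the point it shows is that a distributed flood with a modest per-source rate slips past the rate limit but is caught by the behavioral trigger plus a dynamically learned filter.

```python
"""Behavioral DoS detection with a real-time dynamic filter.

Added example (not Radware code). Models the methodologies listed on the
slide: a static per-source rate limit, a behavioral baseline, a challenge
step, and a real-time signature derived from the anomalous traffic.
Log records are constructed tuples: (second, src_ip, method, path, user_agent).
"""
from collections import Counter

# Constructed sample data (RFC 5737 documentation ranges, hypothetical user agents).
LEGIT_IPS = [f"198.51.100.{i}" for i in range(1, 6)]
BOT_IPS = [f"203.0.113.{i}" for i in range(1, 21)]
LEGIT_UAS = ["Mozilla/5.0 (Windows NT 6.1)", "Mozilla/5.0 (Macintosh)", "Opera/9.80"]
PATHS = ["/", "/news", "/login", "/search?q=ddos"]
FIELDS = {4: "user_agent", 3: "path", 2: "method"}  # tuple index -> attribute name


def make_baseline():
    """Ten seconds of normal browsing: about 2.5 requests/s from five users."""
    return [(t, ip, "GET", PATHS[(t + i) % len(PATHS)], LEGIT_UAS[i % 3])
            for t in range(10) for i, ip in enumerate(LEGIT_IPS) if (t + i) % 2 == 0]


def make_attack():
    """Same legitimate users plus 20 bots, each sending 5 GETs/s with changing
    query strings (a 'dynamic HTTP flood'); per source that is a modest rate."""
    log = make_baseline()
    log += [(t, ip, "GET", f"/search?q={t}{k}", "BadBot/1.0")
            for t in range(10) for ip in BOT_IPS for k in range(5)]
    return log


def per_second(log):
    """Requests observed in each one-second window."""
    return Counter(rec[0] for rec in log)


def learn_baseline(log):
    """Average request rate (requests/s) of known-good traffic."""
    windows = max(rec[0] for rec in log) + 1
    return len(log) / windows


def behavioral_anomaly(log, baseline_rps, factor=5.0):
    """Seconds whose rate exceeds factor x baseline: the trigger for mitigation."""
    return sorted(s for s, n in per_second(log).items() if n > factor * baseline_rps)


def rate_limit(log, max_per_source_per_second=10):
    """Static rate limit: sources exceeding the cap in any one second."""
    counts = Counter((rec[0], rec[1]) for rec in log)
    return {ip for (_, ip), n in counts.items() if n > max_per_source_per_second}


def dynamic_filter(log, baseline_log, anomalous_seconds,
                   min_attack_share=0.8, max_baseline_share=0.05):
    """Derive a real-time signature: the first attribute value that dominates the
    anomalous traffic but is rare in the baseline, so blocking it spares real users."""
    def shares(records, idx):
        counts = Counter(rec[idx] for rec in records)
        return {v: n / len(records) for v, n in counts.items()}

    anomalous = set(anomalous_seconds)
    suspicious = [rec for rec in log if rec[0] in anomalous]
    if not suspicious:
        return None
    for idx, name in FIELDS.items():
        base = shares(baseline_log, idx)
        for value, share in shares(suspicious, idx).items():
            if share >= min_attack_share and base.get(value, 0.0) <= max_baseline_share:
                return (name, value)
    return None


def apply_filters(log, signature, challenge_responders):
    """Drop requests matching the signature; of the rest, pass only sources that
    answered a challenge (e.g. a redirect/cookie test that bots do not complete)."""
    idx = {name: i for i, name in FIELDS.items()}[signature[0]]
    return [rec for rec in log
            if rec[idx] != signature[1] and rec[1] in challenge_responders]


if __name__ == "__main__":
    base, attack = make_baseline(), make_attack()
    rps = learn_baseline(base)
    bad_seconds = behavioral_anomaly(attack, rps)
    print("baseline rps:", rps, "anomalous seconds:", bad_seconds)
    print("per-source rate limit caught:", rate_limit(attack) or "nothing")
    sig = dynamic_filter(attack, base, bad_seconds)
    print("dynamic filter:", sig)
    print("passed:", len(apply_filters(attack, sig, set(LEGIT_IPS))), "of", len(attack))
```

The path attribute is deliberately not selected as a signature: every bot request carries a different query string, so no single path dominates, which is exactly why static URL blacklists fail against dynamic HTTP floods. The method attribute is rejected for the opposite reason: GET dominates the baseline too, so filtering on it would block legitimate users.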
25. What is Missing? – Example
Israel Attacks Example – Attackers’ Geographic Distribution (chart)
• Usage of bots reduces the importance of Geo-IP filtering
26. DDoS Attack Tools Become Prevalent
Public Attacks
• LOIC, Mobile LOIC, webLOIC
Inner Circle Attacks
• Network Flood: UDP floods, SYN floods, Fragmented floods, FIN+ACK floods
• Application: Dynamic HTTP floods, HTTPS floods, XerXes
• Low & Slow: Slowloris, Pyloris, R.U.D.Y
• Vulnerability based: Intrusion attempts, SQL Injections, #RefRef
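The "Low & Slow" column above (Slowloris, Pyloris, R.U.D.Y) is the case a volumetric detector never sees, so here is an added example (written for this page, not from the deck or any product) that detects the pattern from connection state instead of traffic rate. The connection table, the source addresses and the thresholds (10 s to finish headers, 10 B/s minimum body rate, more than 5 slow connections per source) are constructed assumptions for the demonstration.

```python
"""Low-and-slow detection from connection state (Slowloris / R.U.D.Y. pattern).

Added example, not from the deck or any vendor product. Volumetric thresholds
never fire on these tools: the attacker's goal is to tie up the server's
connection table with many long-lived connections that each send almost nothing.
Connection records below are constructed for the demonstration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Conn:
    src: str                 # client address (documentation ranges, constructed)
    opened: float            # time the TCP connection was accepted (s)
    bytes_in: int            # bytes received from the client so far
    headers_done: bool       # has the server seen the blank line ending the HTTP headers?
    content_length: int = 0  # Content-Length the client declared, 0 if none


def connection_snapshot():
    """Constructed server connection table, observed at now = 100.0 s."""
    conns = []
    # Normal browser: two short-lived connections with complete requests.
    conns += [Conn("198.51.100.7", 95.0, 600, True), Conn("198.51.100.7", 98.0, 600, True)]
    # One genuinely slow client (poor mobile link) still sending headers after 40 s.
    conns += [Conn("198.51.100.8", 60.0, 300, False)]
    # Slowloris pattern: 150 connections from one source, headers never completed,
    # one bogus header line every few seconds so the server keeps them open.
    conns += [Conn("203.0.113.50", 20.0, 40, False) for _ in range(150)]
    # R.U.D.Y. pattern: 40 POSTs declaring a huge body, fed one byte at a time.
    conns += [Conn("203.0.113.51", 30.0, 207, True, 1_000_000) for _ in range(40)]
    return conns


def is_slow(conn, now, header_timeout=10.0, min_bytes_per_s=10.0):
    """A connection is 'slow' if its headers are still incomplete after header_timeout,
    or it declared a body that it is delivering below min_bytes_per_s."""
    age = now - conn.opened
    if age < header_timeout:
        return False
    if not conn.headers_done:
        return True
    body_pending = conn.content_length and conn.bytes_in < conn.content_length
    return bool(body_pending) and conn.bytes_in / age < min_bytes_per_s


def classify_sources(conns, now, max_slow_conns=5):
    """Verdict per source: a few slow connections is a slow user; dozens is a tool."""
    slow = Counter(c.src for c in conns if is_slow(c, now))
    return {src: ("low-and-slow" if slow[src] > max_slow_conns else "ok")
            for src in {c.src for c in conns}}


def total_bytes_per_second(conns, now):
    """Aggregate inbound rate: what a volumetric (link-saturation) detector would see."""
    oldest = min(c.opened for c in conns)
    return sum(c.bytes_in for c in conns) / (now - oldest)


if __name__ == "__main__":
    NOW = 100.0
    snap = connection_snapshot()
    print("inbound B/s:", round(total_bytes_per_second(snap, NOW), 1))
    for src, verdict in sorted(classify_sources(snap, NOW).items()):
        print(src, verdict)
```

The per-source connection count is what separates the tool from the slow user: a single connection stuck on incomplete headers is a bad link, 150 of them from one address is Slowloris. A detector that keyed only on the "slow" property would blacklist legitimate mobile users.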
Orchestrated by a Brazilian known as Havittaja, these attacks were for the lulz, but also to draw public attention to arrested Anonymous supporters who had participated in attacks over the last 24 months, mainly in the UK and the US.
What happens after the backend server clogs depends on the type of CDN service provided; there are two options here:
1. Static content is still served by the CDN, dynamic content is unavailable
2. Service is not provided at all when the backend server is not responsive