Deconstructing Application DoS Attacks
2. Agenda
Introduction to Imperva’s Hacker Intelligence Initiative
Denial of Service (DoS):
+ Definition and background
+ Attackers
– Hacktivists
– Business related
+ Tools
– JS LOIC
– Slow HTTP
+ Mitigation
– Non-mitigations
– True mitigation
Summary of recommendations
© 2012 Imperva, Inc. All rights reserved.
3. Presenter: Tal Be’ery, CISSP
Web Security Research Team Leader at Imperva
Holds MSc & BSc degrees in CS/EE from TAU
10+ years of experience in IS domain
Facebook “white hat”
Speaker at RSA, BlackHat, AusCERT
Columnist for securityweek.com
5. Hacker Intelligence Initiative (HII)
The Hacker Intelligence Initiative is focused on understanding how attackers operate in practice
+ A different approach from vulnerability research
Data set composition
+ ~50 real world applications
+ Anonymous Proxies
More than 18 months of data
Powerful analysis system
+ Combines analytic tools with drill down capabilities
6. HII - Motivation
Focus on actual threats
+ Focus on what hackers want, helping good guys prioritize
+ Technical insight into hacker activity
+ Business trends of hacker activity
+ Future directions of hacker activity
Eliminate uncertainties
+ Active attack sources
+ Explicit attack vectors
+ Spam content
Devise new defenses based on real data
+ Reduce guess work
7. HII Reports
Monthly reports based on data collection and analysis
Drill down into specific incidents or attack types
2011 / 2012 reports
+ Remote File Inclusion
+ Search Engine Poisoning
+ The Convergence of Google and Bots
+ Anatomy of a SQLi Attack
+ Hacker Forums Statistics
+ Automated Hacking
+ Password Worst Practices
+ Dissecting Hacktivist Attacks
+ CAPTCHA Analysis
8. WAAR – Web Application Attack Report
Semi-annual
Based on aggregated analysis of 6 / 12 months of data
Motivation
+ Pick up trends
+ High-level takeaways
+ Create comparative measurements over time
10. Denial of Service: Definition
Denial of Service attack
Wikipedia - “make a machine or network resource unavailable to its intended users”
Attacks data availability
11. Data Drives Business
Customers details
Inventory
Trade secrets
Intellectual property
Financial analysis
12. Protecting Data
Data must remain:
+ Protected against unauthorized changes (Integrity)
+ Available (Availability)
+ Confidential (Confidentiality)
13. Hackers Are After Your Data
Attacking confidentiality – leaking secret data
+ SQL injection
+ Careless employees
Confidentiality
14. Hackers Are After Your Data
Attacking integrity – changing sensitive data
+ SQL injection
+ Malicious insider
Integrity
15. Hackers Are After Your Data
Attacking data availability
+ DoS attacks
Availability
16. DoS is Another Tool in the Hacker Toolbox
[Pie chart: Hacker Forum Discussion Topics. Categories: spam, dos/ddos, SQL Injection, zero-day, shell code, brute-force, HTML Injection; segments of 9%, 16%, 12%, 12%, 22%, 10% and 19%]
Source: Imperva. Covers July 2010 - July 2011 across 600,000 discussions
18. Attackers – Who Are They?
Who wants to put you out of business?
Protesters
+ Hacktivists
Business related
+ Competitors
+ Racketeering
19. Hacktivism: Definition
“Hacktivism (a portmanteau of hack and activism).”
21. What/Who is Anonymous?
“…the first Internet-based superconsciousness.”
—Chris Landers. Baltimore City Paper, April 2, 2008
“Anonymous is an umbrella for anyone to hack anything for
any reason.”
—New York Times, 27 Feb 2012
22. What/Who is Anonymous?
One thing is for sure - they are hackers!
25. Setting Up an Early Warning System
26. Example
28. Business Attackers - 2
Where there is a demand, there will be supply…
31. Protecting True Identity
Hackers protect their identity by using:
+ TOR
+ Other anonymity services
– Anonymous proxies
– Private VPN services
– Hacked servers
[Pie chart of attack source IPs: TOR, Anonymity Services, Other IPs; segments of 15%, 28% and 57%]
Source:
https://www.torproject.org/about/overview.html.en
32. Hacking Tools
Low Orbit Ion Cannon (LOIC)
Purpose - DDoS
Windows desktop application, coded in C#
UDP/TCP/HTTP flooding
33. LOIC Facts
LOIC downloads
+ 2011: 380K
+ 2012 (through October 14): 616K
+ Jan 2012 (megaupload takedown): 182K
For more:
http://blog.imperva.com/2012/05/loicversary.html
34. DDoS is Moving Up the Stack
Decreasing costs
+ Application layer attacks are far more efficient
+ Fewer attackers are needed to take down a site
The DoS security gap
+ Traditionally, the defense against DDoS was based on dedicated devices operating at lower layers (TCP/IP). Inherent shortcomings:
– Don't decrypt SSL
– Don't understand the HTTP protocol
– Unaware of the web application
For more:
http://blog.imperva.com/2011/12/top-cyber-security-trends-for-2012-7.html
35. JavaScript/Mobile/VM/JS LOIC
DaaS – DoS as a Service
Application layer attacks
Easy to participate – no download
+ Just point your browser to the JS-Loic page
Effective
+ Iterates up to 200 requests per second
Cross platform
+ Mobile device
+ Linux/Mac/PC
36. JS LOIC - Attack Characteristics
HTTP Referer header – indicates attack code source
Fixed target URL
+ Carefully selected to create load on target server
A Parameter with some arbitrary changing value
+ To avoid caches along the way
A Parameter value "msg" with some hacktivist’s slogan
www.target.com/search.php?q=a&id=61278641278&msg=we+are+legion!
40. Some More JS LOIC
42. Slow HTTP tools
“Dripping” HTTP POST parameter value byte by byte
Generating a never ending request
Exhausting the attacked server’s concurrent requests pool
Tools
+ RAILgun
+ SlowHTTPtest
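A minimum body data-rate rule as the server-side defence against dripped POST bodies, added here as an example (not Imperva's code, nor anything from RAILgun or SlowHTTPtest); it follows the MinRate idea of Apache's mod_reqtimeout RequestReadTimeout directive, and the connection names, thresholds and pool snapshot values are all constructed.

```python
from dataclasses import dataclass

@dataclass
class InflightRequest:
    conn_id: str
    content_length: int   # declared Content-Length of the POST body
    body_bytes: int       # body bytes received so far
    started_at: float     # seconds (monotonic clock) when the headers were complete
    last_byte_at: float   # seconds when the most recent body byte arrived

def should_drop(req, now, min_rate=500.0, grace=5.0, idle_limit=10.0):
    """True if this upload should be evicted to free its slot in the request pool.

    min_rate    minimum average body rate (bytes/second) once the grace period is over
    grace       seconds during which a slow start is tolerated
    idle_limit  seconds without any body byte before the request counts as stalled
    """
    if req.body_bytes >= req.content_length:
        return False                          # body complete: nothing to judge
    if now - req.last_byte_at > idle_limit:
        return True                           # stalled: the client stopped dripping entirely
    elapsed = now - req.started_at
    if elapsed < grace:
        return False                          # too early to judge the average rate
    return req.body_bytes / elapsed < min_rate  # dripping below the minimum rate

def triage_pool(pool, now, **limits):
    """Split the concurrent-request pool into (drop, keep) lists of connection ids."""
    drop = [r.conn_id for r in pool if should_drop(r, now, **limits)]
    keep = [r.conn_id for r in pool if r.conn_id not in drop]
    return drop, keep

# Constructed snapshot of a server's pool, taken at now = 40.0 seconds.
SAMPLE_POOL = [
    InflightRequest("normal-upload", 2048, 2048, 39.0, 39.8),    # complete
    InflightRequest("drip-attacker", 100000, 30, 0.0, 38.0),     # 30 bytes in 40 s
    InflightRequest("stalled", 4096, 2000, 20.0, 24.0),          # no byte for 16 s
    InflightRequest("just-started", 50000, 100, 38.5, 39.5),     # still inside grace period
    InflightRequest("slow-but-ok", 1000000, 60000, 0.0, 39.9),   # 1500 B/s, above minimum
]

if __name__ == "__main__":
    print(triage_pool(SAMPLE_POOL, now=40.0))
```

The grace period matters: judging the rate from the first few bytes would evict legitimate clients on slow links before they have sent anything meaningful.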
44. Anti-Virus is Irrelevant: Malware is NOT the MO
McAfee mea culpa
“The security industry may need to reconsider some of its fundamental assumptions, including 'Are we really protecting users and companies?’”
--McAfee, September 2011
Source:
http://www.nytimes.com/external/readwriteweb/2011/08/23/23readwriteweb-mcafee-to-security-industry-are-we-really-p-70470.html?partner=rss&emc=rss
45. SDLC is Irrelevant: No Vulnerability
Traditionally, an attack comprises two elements
+ Vulnerability
+ Exploit
To mitigate, either (or even better both)
+ Repair the vulnerability – with SDLC
+ Stop the exploit – with a security device
In DoS – there’s no vulnerability!
46. IPS/NGFW is Irrelevant
Statefulness
+ Inspecting each request by itself is futile, as each request is benign per se
+ Only when requests are accumulated within the right context (IP / application session / application user) are the attack’s true colors exposed
True application awareness
+ Detecting unexpected parameters on request
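The JS LOIC request signature from slide 36 (fixed target URL, changing cache-buster parameter, hacktivist "msg" parameter, off-site Referer) and the statefulness point above, combined in one detector; this is an added example, not Imperva's or any product's code, and the protected host name, the parameter whitelist and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qsl
# Combined log format: ip ident user [time] "METHOD URL PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+) [^"]*" \d+ \S+ "([^"]*)" "[^"]*"$')
SITE_HOST = "www.target.com"                        # protected site, as in the slide's URL
EXPECTED_PARAMS = {"/search.php": {"q", "page"}}     # constructed: parameters the app actually defines

def analyze_window(lines, min_hits=5):
    """Return {ip: evidence} for sources matching the JS LOIC pattern within one log window.

    A source is flagged only when it repeats one target URL at least min_hits times,
    carries a parameter the application never defined, and some parameter takes a
    different value on every request (the cache-buster). No single request is judged.
    """
    hits = defaultdict(int)                            # (ip, path) -> request count
    unexpected = defaultdict(set)                      # (ip, path) -> undefined parameter names
    values = defaultdict(lambda: defaultdict(set))     # (ip, path) -> param -> distinct values
    referers = defaultdict(set)                        # (ip, path) -> off-site Referer hosts
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                   # malformed line: skip, never crash
        ip, target, referer = m.groups()
        url = urlparse(target)
        key = (ip, url.path)
        hits[key] += 1
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            values[key][name].add(value)
            if name not in EXPECTED_PARAMS.get(url.path, set()):
                unexpected[key].add(name)
        ref_host = urlparse(referer).hostname
        if ref_host and ref_host != SITE_HOST:
            referers[key].add(ref_host)                # the attack page lives elsewhere
    flagged = {}
    for key, n in hits.items():
        busters = [p for p, vals in values[key].items() if len(vals) == n]
        if n >= min_hits and unexpected[key] and busters:
            flagged[key[0]] = {"path": key[1], "hits": n, "cache_busters": busters,
                               "unexpected_params": sorted(unexpected[key]),
                               "offsite_referers": sorted(referers[key])}
    return flagged

# Constructed log window: one JS LOIC participant (6 hits) and one ordinary visitor (3 searches).
ATTACK = [f'203.0.113.5 - - [21/Oct/2012:10:00:{s:02d} +0000] "GET /search.php?q=a&id={61278641278 + s}'
          f'&msg=we+are+legion! HTTP/1.1" 200 512 "http://hacktivist-page.example/jsloic.html" "Mozilla/5.0"'
          for s in range(6)]
NORMAL = [f'198.51.100.7 - - [21/Oct/2012:10:00:{s:02d} +0000] "GET /search.php?q={q} HTTP/1.1" 200 2048 '
          f'"http://www.target.com/" "Mozilla/5.0"' for s, q in enumerate(["shoes", "boots", "socks"])]
```

A visitor who runs many different searches also produces a parameter whose value never repeats, but is not flagged because "q" is a parameter the application defines; in production the window would be bucketed by time rather than passed as a list.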
47. Mitigation
WAF: stateful; decrypts SSL; understands HTTP and the application’s business logic, so it can analyze the traffic and sift out the DoS traffic.
48. Mitigation: Stateful Rules
Customer was attacked with “large files” downloads from unauthenticated users
A specific rule was created:
49. Mitigation: Picking the Low Hanging Fruits
Some tools have small deviations from normal browsers
+ User agent
+ Missing headers
+ Headers order
+ Misspelled headers
+ Fixed value
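One way to score the browser deviations listed above, added as an example that is not Imperva's code: the browser baseline, the known-header set and both sample requests are constructed assumptions, and the "fixed value" signal, which needs accumulation across many requests from one source, is left out.

```python
import difflib

# Constructed browser baseline: headers a mainstream browser sends on a plain GET, in wire order.
REQUIRED = ["Host", "User-Agent", "Accept", "Accept-Language", "Accept-Encoding"]
ORDER = ["Host", "User-Agent", "Accept", "Accept-Language", "Accept-Encoding", "Connection"]
KNOWN = set(ORDER) | {"Referer", "Cookie", "Cache-Control", "Pragma", "Upgrade-Insecure-Requests"}
KNOWN_LOWER = {h.lower(): h for h in KNOWN}

def score_headers(headers):
    """headers: list of (name, value) in wire order. Returns (score, reasons)."""
    reasons = []
    names = [n for n, _ in headers]
    present = {n.lower() for n in names}
    # 1. headers every browser sends but this request lacks
    for h in REQUIRED:
        if h.lower() not in present:
            reasons.append(f"missing {h}")
    # 2. misspelled headers: an unknown name that is close to a known one ("Referrer", "User_Agent")
    for n in names:
        if n.lower() not in KNOWN_LOWER:
            close = difflib.get_close_matches(n, KNOWN, n=1, cutoff=0.75)
            if close:
                reasons.append(f"misspelled {n} (expected {close[0]})")
    # 3. header order: baseline headers that are present must keep the baseline's relative order
    seen = [KNOWN_LOWER[n.lower()] for n in names if KNOWN_LOWER.get(n.lower()) in ORDER]
    if seen != sorted(seen, key=ORDER.index):
        reasons.append("header order differs from browser baseline")
    # 4. a User-Agent that does not even claim to be a browser
    ua = next((v for n, v in headers if n.lower() == "user-agent"), "")
    if ua and not ua.startswith("Mozilla/"):
        reasons.append(f"non-browser User-Agent {ua!r}")
    return len(reasons), reasons

# Constructed requests: a browser GET and a script that mimics one poorly.
BROWSER_REQUEST = [("Host", "www.target.com"), ("User-Agent", "Mozilla/5.0 (X11; Linux x86_64)"),
                   ("Accept", "text/html"), ("Accept-Language", "en-US,en"),
                   ("Accept-Encoding", "gzip, deflate"), ("Connection", "keep-alive"),
                   ("Referer", "http://www.target.com/")]
TOOL_REQUEST = [("Host", "www.target.com"), ("Referrer", "http://hacktivist-page.example/jsloic.html"),
                ("Accept", "*/*"), ("User-Agent", "python-urllib/2.7")]

if __name__ == "__main__":
    for req in (BROWSER_REQUEST, TOOL_REQUEST):
        print(score_headers(req))
```

Each reason is a weak signal on its own; the score is meant to feed a stateful rule (per IP or session) rather than to block a single request.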
50. Mitigation: Reputation Services
Source intelligence
+ Malicious IPs
+ Anonymity services IPs
– TOR
– Anonymous proxies
51. Blocking Traffic Based on Reputation
Real-time alerts and ability to block based on IP Reputation.
55. Summary
DoS is another tool in the hacker’s toolbox
DoS is going up the application stack
Mitigate application layer DoS attacks with WAF
Use community-based anti-automation reputation services
56. Imperva in 60 Seconds
Attack Protection
Usage Audit
Virtual Patching
Rights Management
Reputation Controls
Access Control
58. Webinar Materials
Join Imperva LinkedIn Group,
Imperva Data Security Direct, for…
Answers to Attendee Questions
Post-Webinar Discussions
Webinar Recording Link
Join Group