Presentation from Dennis Usle during TakeDownCon in Huntsville, AL that discusses Availability-based threats; Attacks on U.S. banks and others popular attack patterns & trends.
4. The Security Trinity
Integrity
Availability
Confidentiality
Security Confidentiality,
a mainstream adaptation of the
“need to know” principle of the
military ethic, restricts the
access of information to those
systems, processes and
recipients from which the
content was intended to be
exposed.
Security Integrity
in its broadest meaning refers
to the trustworthiness of
information over its entire
life cycle.
Security Availability
is a characteristic that distinguishes information objects
that have signaling and self-sustaining processes from
those that do not, either because such functions have
ceased (outage, an attack), or else because they lack such
functions .
5. Availability Based Attacks
Slide 5
Availability-
based Threats
Network Floods
(Volumetric)
Application
Floods
Low-and-Slow
Single-packet
DoS
14. Overview
• What triggered the recent US attacks?
• Who was involved in implementing the attacks and name of the operation?
• How long were the attacks and how many attack vectors were involved?
• How the attacks work and their effects.
• How can we prepare ourselves in the future?
Slide 14Radware Confidential Jan 2012
15. What triggered the attacks on the US banks?
• Nakoula Basseley Nakoula (Alias- “Sam Bacile”), an Egyptian born US resident
created an anti-Islamic film.
• Early September the publication of the „Innocence of Muslims‟ film on YouTube
invokes demonstrations throughout the Muslim world.
• The video was 14 minutes though a full length movie was released.
Slide 15Radware Confidential Jan 2012
18. Who is the group behind the cyber response?
• A hacker group called “Izz as-Din al-Qassam Cyber fighters”.
• Izz as-Din al-Qassam was a famous Muslim preacher who was a leader in the
fight against the French, US and Zionist in the 1920‟s and 1930‟s.
• The group claims not to be affiliated to any government or Anonymous.
• This group claims to be independent, and it‟s goal is to defend Islam.
Slide 18Radware Confidential Jan 2012
19. Operation Ababil launched!
• “Operation Ababil” is the codename of the operation launched on September
18th 2012, by the group Izz as-Din al-Qassam Cyber fighters
• The attackers announced they would attack “American and Zionist targets.”
• “Ababil” translates to “Swallow” from Persian. Until today the US thinks the
Iranian government may be behind the operation.
• The goal of the operation is to have YouTube remove the anti-Islamic film from
its site. Until today the video has not been removed.
Slide 19Radware Confidential Jan 2012
21. Initial attack campaign in 2 phases
• The attack campaign was split into 2 phases, a pubic announcement was made in each phase.
• The attacks lasted 10 days, from the 18th until the 28th of September.
• Phase 1 - Targets > NYSE, BOA, JP Morgan.
• Phase 2 – Targets > Wells Fargo, US Banks, PNC.
• Phase 3 - Targets > PNC, Fifth Third Bancorp, J.M.Chase, U.S.Bank, UnionBank, Bank of
America, Citibank, BB&T and Capitalone.
Slide 21Radware Confidential Jan 2012
22. Attack Vectors
• 5 Attack vectors were seen by the ERT team during Operation Ababil.
1. UDP garbage flood.
2. TCP SYN flood.
3. Mobile LOIC (Apache killer version.)
4. HTTP Request flood.
5. ICMP Reply flood. (*Unconfirmed but reported on.)
6. Booters.
*Note: Data is gathered by Radware as well as it‟s partners.
Radware Confidential Jan 2012
23. Booters
Slide 23
A Booter is a tool used for taking down/booting off
websites and servers.
Booters introduce high volumetric (server based) attacks
and slow-rate attack vectors as a one stop shop.
24. UDP Garbage Flood
• Targeted the DNS servers of the organizations, also HTTP.
• 1Gb + in volume.
• All attacks were identical in content and in size (Packet structure).
• UDP packets sent to port 53 and 80.
• Customers attacked Sep 18th and on the 19th.
Slide 24Radware Confidential Jan 2012
25. Tactics used in the UDP Garbage Flood
• Internal DNS servers were targeted , at a high rate.
• Web servers were also targeted, at a high rate.
• Spoofed IP‟s (But kept to just a few, this is unusual.)
• ~ 1Gbps.
• Lasted more than 7 hours initially but still continues...
Packet structure
Slide 25
Parameter Value Port 53 Value Port 80
Packet size 1358 Bytes Unknown
Value in Garbage ‘A’ (0x41) characters
repeated
“/http1”
(x2fx68x74x74x70x
31) - repetitive
Radware Confidential Jan 2012
26. DNS Garbage Flood packet extract
• Some reports of a DNS reflective attack was underway seem to be incorrect.
• The packets are considered “Malformed” DNS packets, no relevant DNS
header.
Slide 26Radware Confidential Jan 2012
27. Attackers objective of the UDP Garbage Flood
• Saturate bandwidth.
• Attack will pass through firewall, since port is open.
• Saturate session tables/CPU resources on any state -full device, L4 routing
rules any router, FW session tables etc.
• Returning ICMP type 3 further saturate upstream bandwidth.
• All combined will lead to a DoS situation if bandwidth and infrastructure cannot
handle the volume or packet processing.
Slide 27Radware Confidential Jan 2012
28. TCP SYN Flood
• Targeted Port 53, 80 and 443.
• The rate was around 100Mbps with around 135K PPS.
• This lasted for more than 3 days.
Slide 28Radware Confidential Jan 2012
29. SYN Flood Packet extract
Slide 29
-All sources are spoofed.
-Multiple SYN packets to port 443.
Radware Confidential Jan 2012
30. Attackers objective of the TCP SYN Floods
• SYN floods are a well known attack vector.
• Can be used to distract from more targeted attacks.
• The effect of the SYN flood if it slips through can devastate state-full devices
quickly. This is done by filling up the session table.
• All state-full device has some performance impact under such a flood.
• Easy to implement.
• Incorrect network architecture will quickly have issues.
Slide 30Radware Confidential Jan 2012
31. Mobile LOIC (Apache killer version)
• Mobile LOIC (Low Orbit Iron Cannon) is a DDoS tool written in HTML and
Javascript.
• This DDoS Tool does an HTTP GET flood.
• The tool is designed to do HTTP floods.
• We have no statistics on the exact traffic of mobile LOIC.
Slide 31
*Suspected*Suspected
Radware Confidential Jan 2012
32. Mobile LOIC in a web browser
Slide 32Radware Confidential Jan 2012
33. HTTP Request Flood
• Between 80K and 100K TPS (Transactions Per second.)
• Port 80.
• Followed the same patterns in the GET request (Except for the Input
parameter.)
• Dynamic user agent.
Slide 33Radware Confidential Jan 2012
34. HTTP flood packet structure
• Sources worldwide (True sources most likely hidden.)
• User agent duplicated.
• Dynamic Input parameters.
GET Requests parameters
Slide 34Radware Confidential Jan 2012
35. Attackers objective of the HTTP flood
• Bypass CDN services by randomizing the input parameter and user agents.
• Because of the double user agent there was an flaw in the programming behind
the attacking tool.
• Saturating and exhausting web server resources by keeping session table and
web server connection limits occupied.
• The attack takes more resources to implement than non connection orientated
attacks like TCP SYN floods and UDP garbage floods. This is because of the
need to establish a connection.
Slide 35Radware Confidential Jan 2012
38. Availability-based Threats Tree
Slide 38
Availability-
based Threats
Network Floods
(Volumetric)
Application
Floods
Low-and-Slow
Single-packet
DoS
UPD
Flood
ICMP
Flood
SYN
Flood
Web
Flood
DNS SMTP
HTTPS
Radware Confidential Jan 2012
42. HTTPS – SSL Re Negotiation Attack
Slide 42
THC-SSL DoS
THC-SSL DOS was developed by a hacking group called The Hacker‟s Choice (THC), as a proof-
of-concept to encourage vendors to patch a serious SSL vulnerability. THC-SSL-DOS, as with other
“low and slow” attacks, requires only a small number of packets to cause denial-of-service for a
fairly large server. It works by initiating a regular SSL handshake and then immediately requesting
for the renegotiation of the encryption key, constantly repeating this server resource-intensive
renegotiation request until all server resources have been exhausted.
Radware Confidential Jan 2012
43. Low & Slow
Slide 43
Availability-
based Threats
Network Floods
(Volumetric)
Application
Floods
Low-and-Slow
Single-packet
DoS
UPD
Flood
ICMP
Flood
SYN
Flood
Web
Flood
DNS SMTP
HTTPS
Low-and-Slow
Radware Confidential Jan 2012
45. R.U.D.Y (R-U-Dead-Yet)
Slide 45
R.U.D.Y. (R-U-Dead-Yet?)
R.U.D.Y. (R-U-Dead-Yet?) is a slow-rate HTTP POST (Layer 7) denial-of-service tool created by Raviv Raz and
named after the Children of Bodom album “Are You Dead Yet?” It achieves denial-of-service by using long form
field submissions. By injecting one byte of information into an application POST field at a time and then
waiting, R.U.D.Y. causes application threads to await the end of never-ending posts in order to perform processing
(this behavior is necessary in order to allow web servers to support users with slower connections). Since
R.U.D.Y. causes the target webserver to hang while waiting for the rest of an HTTP POST request, by initiating
simultaneous connections to the server the attacker is ultimately able to exhaust the server‟s connection table and
create a denial-of-service condition.
Radware Confidential Jan 2012
46. Slowloris
Slide 46
Slowloris
Slowloris is a denial-of-service (DoS) tool developed by the grey hat hacker “RSnake” that causes DoS by using a very slow
HTTP request. By sending HTTP headers to the target site in tiny chunks as slow as possible (waiting to send the next tiny
chunk until just before the server would time out the request), the server is forced to continue to wait for the headers to
arrive. If enough connections are opened to the server in this fashion, it is quickly unable to handle legitimate requests.
Slowloris is cross-platform, except due to Windows’ ~130 simultaneous socket use limit, it is only effective from UNIX-based
systems which allow for more connections to be opened in parallel to a target server (although a GUI Python version of
Slowloris dubbed PyLoris was able to overcome this limiting factor on Windows).
Radware Confidential Jan 2012
47. Radware Security Products Portfolio
Slide 47
AppWall
Web Application Firewall (WAF)
DefensePro
Network & Server attack prevention device
APSolute Vision
Management and security reporting &
compliance
Radware breaks down the security model into three categories: Confidentiality, Integrity and Availability.Think of it as follows:Confidentiality: A compromise here results in the theft or destruction of business-critical information or customer dataIntegrity: Often linked to confidentiality but damage to a businesses systems obviously can have a major impact. An extreme example that you might have heard of would be the Stuxnet virus that was designed to damage the centrifuge machines used in Iran to purify nuclear material.Availability: The ability for your business to operate. Denial of Service attacks target this dimension – designed purely to disrutp business operation.
Here we have the 4 Primary Categories of Availability Based Threats, Network & Application Floods, Low & Slow and Single Packet DOS. The pie charts below illustrate actual use of these attack vectors based on ERT Case history. Over the past few years Application layer attacks have become a significant threat, with Web/SSL and DNS being the fast growing vectors.
Based on the Radware Global Security Survey of the industry 57% of attacks have unknown motive. 22% of attacks have an ideological/hacktivist motive.
80% of respondents believe they are not protected and businesses will be impacted by DDOS attacks.
While Gaming, Ecommerce maintain risk. Government,Financial Institutions take the biggest shift toward bullseye! These are VERY Likely targets for 2013.
Attack Campaigns are becoming more and more persistent, with 23% of attacks lasting more than one week!
Shift from 2 Security Phases to 3Pre Attack – audit, vuln scanning, pen tests, etc.Post Attack - forensics, process adjustments, preparation, etc.NEW Phase Cyber War Room24/7Trained under fire (war games, etc)Coverage
SIZE
We are going to take a look at the attacks on the US Banks. We’ll review the attack source, motivation, duration, attack vectors and preparation.
-This pic is from the very beginning of the video, stating “There is an angry mob in the middle of the street”*Notes - On September 9, 2012, an excerpt of the YouTube video was broadcast on Al-Nas TV, an Egyptian Islamist television station.[11][12]Demonstrations and violent protests against the film broke out on September 11 in Egypt and spread to other Arab and Muslim nations and some western countries.
-Libyan riots top left - http://www.foreignpolicy.com/articles/2012/09/14/why_the_embassy_riots_wont_stop.-Lebonon riots bottom left - http://au.ibtimes.com/articles_slideshows/384606/20120915/lebanon-protesters-destroy-kentucky-fried-chicken-and-hardees-over-innocence-of-muslims-film-photos.htm
Links about Izz as-Din al-Quassam The preacher - http://en.wikipedia.org/wiki/Izz_ad-Din_al-Qassam *Notes - The Levant includes most of modern Lebanon, Syria, Jordan, State of Palestine, Israel, Cyprus, Hatay Province of Turkey, some regions of northwestern Iraq and theSinai Peninsula.Links about the Cyber hacker group - http://www.globalpost.com/dispatches/globalpost-blogs/the-grid/who-are-the-izz-ad-din-al-qassam-cyber-fightershttp://www.ehackingnews.com/2012/12/izz-ad-din-al-qassam-cyber-fighters.htmlPic from - http://www.standupamericaus.org/terror-jihad/cyber-fighters-of-izz-al-din-al-qassam-alert-to-banks-in-usa/
Claim to have no current ties to Anonymous Collective nor any Nation State.Goal is to have the Anti-Muslim Video taken off of YouTubeAbabil (Persian) translates to Swallow Links for translation of ababil - http://en.wikipedia.org/wiki/Ghods_AbabilThe pic from - http://en.wikipedia.org/wiki/File:Hirundo_abyssinica.jpgClaims of Iranian involvement -http://betabeat.com/2012/09/iran-possibly-behind-operation-ababil-cyber-attacks-against-financial-institutions/http://features.rr.com/article/0coOckreSy1vL?q=Bank+of+America
Pic taken from - http://news.yahoo.com/americas-failing-grade-cyber-attack-readiness-153640058--abc-news-topstories.html
Data taken from internal doc.Phase 3 OpAbabil – Announced March 5th (ongoing) and expected to last 11 weeks. While Phase 3 is not in my presentation today . Encrypted Attacks are a BIG problem for the current protection in place.
-Taken from internal report.
-Taken from internal report.
Reflective attack - Attackers send forged requests of some type to a very large number of computers that will reply to the requests. Using spoofed SRC IP’s of the victim, which means all the replies will go to (and flood) the target.
-Stateful inspection in the DNS area is limited. Was in smartdefense at CP, but how many people use it?-The server is forced to respond with ICMP packets “Destination Unreachable” (ICMP type3 Code 3) for port closed when udp packet arrives.-Returning ICMP type 3 further saturate (Packet size in return will be close to received packet).
-Internal data.
-The SYN flood attack simply sends a high rate of SYN’s with spoofed IP’s and the server is left waiting for the ACK.-This means the attacker needs much fewer hosts to exhaust target machine because no session is actually kept alive on the “Attackers” side.-You exhaust the Backlog of the TCP stack (Linux default is 3mins and Win2k is 45 sec. for half open timeouts, these can be changed). So the server can no longer accept a new connection.-
-Another reported attack technique that was allegedly used during this campaign is a custom version of the Mobile LOIC tool (aka Mobile LOIC - Apache Killer) which is designed to exploit a known vulnerability in Apache servers – corresponding to CVE-2011-3192.-This attack tool targets Apache servers using Apache HTTP server versions 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19.
Target URL- Specifies the URL of the attacked target. Must start with http://. Requests per second-Specifies the number of desired requests to be sent per second. Append message-Specifies the content for the “msg” parameter to be sent within the URL of HTTP requests
Resource internal.
-This value is unique since it seems to contain a typo which is caused by placing the “User Agent:” string inside the user agent value itself.Resource internal.
Internal resources.
Resource internal.
Trend toward assymetricatacks with obvious reason. The attacker is required to utilize few resources while exhausting the target by sending small requests which result in large and or cpu intensive replies.
Identification: referrer (ask the audience)Iframe attack can be used to amplify a DDoS any site. For example, using the attack LOIC iframe (JavaScript) to amplify the attack.
RUDY or ARE YOU DEAD YET exploits the HTTP POST method by sending POST with long form field submission. It injects one byte of data then waiting causes application threads to await for never ending posts to perform processing.
Slowloris sends very slow HTTP Requests. The HTTP headers ares sent in tiny chunks as slowly as possible while the server si forced to wait for the headers to arrive. This causes many connections to be built up on the target server. Slowloris is cross platform, except for Windows due to a socket limitation (~130). Pyloris was developed to enable running on windows with a Python GUI).