Transcript Document

It’s Not Just You! Your Site Looks Down From Here
Latest Trends in Cyber Security
Santo Hartono, ANZ Country Manager
March 2014
Radware Global Network and
Application Security Report
Radware’s ERT 2013 Cases
• Unique visibility into attack behavior
• Attacks monitored in real time on a daily basis
• More than 300 cases analyzed
  – Customers’ identities remain undisclosed
Slide 3
The Threat Landscape
DDoS is the most common attack method!
Attacks last longer
Government and Financial Services are the most attacked sectors
Multi-vector trend continues
Slide 4
DDoS Attack Results
Public attention
Results of a one-second delay in Web page loading:
• 3.5% decrease in conversion rate
• 2.1% decrease in shopping cart size
• 9.4% decrease in page views
• 8.3% increase in bounce rate
Source: Strangeloop Networks, Case Study: The impact of HTML delay on mobile business metrics, November 2011
Slide 5
DDoS Attack Vectors
(Diagram: attack vectors mapped onto the path Internet Pipe → Firewall → IPS/IDS → ADC → Attacked Server → SQL Server)
Vectors shown: large volume network flood attacks, SYN floods, connection floods, SSL floods, HTTP floods, “Low & Slow” DoS attacks (e.g. Sockstress), app misuse, brute force, network scan
Slide 6
2013 Attack Tools Trends
Attack Vectors Used
Slide 8
Reflective Amplification Attacks on the Rise
• Easier to create
• Based on UDP protocol
  – Targeted protocols: DNS, NTP, SNMP
  – UDP’s connectionless nature makes it possible to spoof the source IP address
• Key feature in creating a reflective attack
• Obfuscates the attacker’s real identity (IP address)
• Amplification effect: 8 – 650 times larger than the originating message
Slide 9
DNS Based Attacks
• Most frequently used attack vector
• Amplification effect
  – Regular DNS replies: a normal reply is 3-4 times larger than the request
  – Researched replies: can reach up to 10 times the original request
  – Crafted replies: the attacker compromises a DNS server and ensures requests are answered with the maximum DNS reply message (4096 bytes), an amplification factor of up to 100 times
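As an added example (not from the Radware deck), a small Python check that applies the amplification factors above to constructed DNS exchange records and flags clients whose replies are far larger than their queries, which is what a spoofed reflection victim looks like from the resolver side. The record layout, the category boundaries and the 8x flagging threshold (the low end of the deck’s 8 – 650x range) are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class DnsExchange:
    client: str        # source address of the query (the spoofed victim in a reflection attack)
    qname: str
    qtype: str
    request_len: int   # UDP payload bytes of the query
    response_len: int  # UDP payload bytes of the reply (4096 is the maximum the deck cites)

def amplification_factor(request_len: int, response_len: int) -> float:
    """Reply size divided by query size: the deck's 'amplification effect'."""
    if request_len <= 0:
        raise ValueError("request length must be positive")
    return response_len / request_len

def classify(factor: float) -> str:
    """Map a factor onto the deck's three reply categories (boundaries are assumptions)."""
    if factor <= 4:
        return "regular"
    if factor <= 10:
        return "researched"
    return "crafted"

def find_reflection_victims(exchanges, min_factor=8.0, min_queries=3):
    """Aggregate per client and flag clients drawing many heavily amplified replies.
    A spoofed victim 'sends' repeated small queries that all return near-maximum
    answers; an ordinary client's reply sizes stay in the regular 3-4x band."""
    per_client = defaultdict(list)
    for ex in exchanges:
        per_client[ex.client].append(ex)
    flagged = {}
    for client, exs in per_client.items():
        req_bytes = sum(e.request_len for e in exs)
        resp_bytes = sum(e.response_len for e in exs)
        factor = amplification_factor(req_bytes, resp_bytes)
        if len(exs) >= min_queries and factor >= min_factor:
            flagged[client] = {"queries": len(exs), "factor": factor,
                               "category": classify(factor), "bytes_out": resp_bytes}
    return flagged

# Constructed sample: one spoofed victim drawing maximum-size replies, one ordinary client.
SAMPLE = [DnsExchange("203.0.113.10", "example.net", "ANY", 40, 4000) for _ in range(4)] + [
    DnsExchange("198.51.100.5", "example.org", "A", 40, 140),
    DnsExchange("198.51.100.5", "example.org", "MX", 40, 160),
]

if __name__ == "__main__":
    print(find_reflection_victims(SAMPLE))
```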
Slide 10
Notable Amplification Attack: Spamhaus
• Nine-day volumetric attack
• First to break the ceiling of 100 Gbps
  – Attack reached bandwidth of 300 Gbps
• Target: Anti-spam organization providing Internet service (diagram label: Internet Service Provider)
• Attacker: CyberBunker and Sven Olaf Kamphuis
Slide 11
Harder to Detect: Web Stealth Attacks
• More than HTTP floods
• Dynamic IP addresses
  – Highly distributed attack
  – Attacks using anonymizers / proxies
  – Attacks passing through CDNs
• Attacks obfuscated by SSL
• Attacks with the ability to pass C/R (challenge/response)
• Attacks that use low traffic volume but saturate servers’ resources
Slide 12
Web Stealth Attacks
Attacks on the Login Page are Destructive
• Cause a DB search
• Based on SSL
• No load-balancing yet
Slide 13
Implications of Login Page Attacks
Slide 14
Login Page Attacks
Over 40% of organizations have experienced a Login Page Attack in 2013
Slide 15
Behind the Scenes of Notable Attacks: Operation Ababil
“Innocence of Muslims” Movie
• July 12, 2012: “Innocence of Muslims” trailer released on YouTube
• September 11, 2012: World-wide protests against the movie, resulting in the deaths of 50 people
• September 18, 2012: Operation Ababil begins
Slide 17
Operation Ababil
• The cyber attack is an act to stop the movie
• Group name is “Izz ad-Din al-Qassam Cyber Fighters”
• First targets: Bank of America, NYSE
Slide 19
Operation Ababil Timeline
Slide 20
Operation Ababil Target Organizations
Financial Service Providers
Slide 21
Operation Ababil Attack Vectors
Slide 22
Overcoming HTTP Challenges
Tool              | 302 Redirect Challenge | JS Challenge | Special Challenge
Kamikaze          | Pass                   | Not pass     | Not pass
Kamina            | Pass                   | Not pass     | Not pass
Terminator        | Pass                   | Pass         | Not pass
Kill’emAll Script | Pass                   | Pass         | Not pass
Slide 23
Attackers Shorten Time to Bypass Mitigation Tools
(Timeline diagram: a “Peace” period followed by repeated Pre-attack Phase / Post-attack Phase cycles)
Slide 24
Fighting Cyber Attacks:
Best Practices
Building the Strategy
• DON’T assume that you’re not a target
• BUILD your protection strategy and tactics
• LEARN from the mistakes of others
Slide 26
Adding Tactics
• Don’t believe the DDoS protection propaganda – Test instead
• Understand the limitations of cloud-based scrubbing solutions
• Not all networking and security appliance solutions were created equal
Slide 27
You Can’t Defend Against Attacks You Can’t Detect
• Encrypted Low & Slow
• Encrypted DoS Vulnerability
• CDN/Proxy/Anonymizer attacks
• Dynamic IP
• Directed Attacks – Exploits
• Scraping and Data Theft
• Ajax and API attacks
Slide 28
You Can’t Defend Against Attacks You Can’t Detect
• Network DDoS
• SYN Floods
• HTTP Floods
Slide 29
Thank You