Deconstructing Application DoS Attacks Tal Be’ery, Web Research TL, Imperva



Page 2: Deconstructing Application DoS Attacks

© 2012 Imperva, Inc. All rights reserved.


Agenda

Introduction to Imperva’s Hacker Intelligence Initiative

Denial of Service (DoS):
+ Definition and background
+ Attackers
  – Hacktivists
  – Business related
+ Tools
  – JS LOIC
  – Slow HTTP
+ Mitigation
  – Non-mitigations
  – True mitigation

Summary of recommendations

Page 3: Deconstructing Application DoS Attacks


Presenter: Tal Be’ery, CISSP

Web Security Research Team Leader at Imperva
Holds MSc & BSc degrees in CS/EE from TAU
10+ years of experience in the IS domain
Facebook “white hat”
Speaker at RSA, BlackHat, AusCERT
Columnist for securityweek.com

Page 4: Deconstructing Application DoS Attacks


Imperva’s Hacker Intelligence Initiative

Page 5: Deconstructing Application DoS Attacks


Hacker Intelligence Initiative (HII)

The Hacker Intelligence Initiative is focused on understanding how attackers operate in practice
+ A different approach from vulnerability research

Data set composition
+ ~50 real world applications
+ Anonymous proxies

More than 18 months of data

Powerful analysis system
+ Combines analytic tools with drill-down capabilities

Page 6: Deconstructing Application DoS Attacks


HII - Motivation

Focus on actual threats
+ Focus on what hackers want, helping good guys prioritize
+ Technical insight into hacker activity
+ Business trends of hacker activity
+ Future directions of hacker activity

Eliminate uncertainties
+ Active attack sources
+ Explicit attack vectors
+ Spam content

Devise new defenses based on real data
+ Reduce guess work

Page 7: Deconstructing Application DoS Attacks


HII Reports

Monthly reports based on data collection and analysis
Drill down into specific incidents or attack types
2011 / 2012 reports
+ Remote File Inclusion
+ Search Engine Poisoning
+ The Convergence of Google and Bots
+ Anatomy of a SQLi Attack
+ Hacker Forums Statistics
+ Automated Hacking
+ Password Worst Practices
+ Dissecting Hacktivist Attacks
+ CAPTCHA Analysis

Page 8: Deconstructing Application DoS Attacks


WAAR – Web Application Attack Report

Semi-annual
Based on aggregated analysis of 6 / 12 months of data
Motivation
+ Pick up trends
+ High-level take-outs
+ Create comparative measurements over time

Page 9: Deconstructing Application DoS Attacks


Denial of Service: Definition and Background

Page 10: Deconstructing Application DoS Attacks


Denial of Service: Definition

Denial of Service attack, Wikipedia: “make a machine or network resource unavailable to its intended users”
Attacks data availability

Page 11: Deconstructing Application DoS Attacks


Data Drives Business

Customer details
Inventory
Trade secrets
Intellectual property
Financial analysis

Page 12: Deconstructing Application DoS Attacks


Protecting Data

Confidentiality / Integrity / Availability

Data must remain:
+ Protected against unauthorized changes
+ Available
+ Confidential

Page 13: Deconstructing Application DoS Attacks


Hackers Are After Your Data

Confidentiality
Attacking confidentiality – leaking secret data
+ SQL injection
+ Careless employees

Page 14: Deconstructing Application DoS Attacks


Hackers Are After Your Data

Integrity
Attacking integrity – changing sensitive data
+ SQL injection
+ Malicious insider

Page 15: Deconstructing Application DoS Attacks


Hackers Are After Your Data

Availability
Attacking data availability
+ DoS attacks

Page 16: Deconstructing Application DoS Attacks


DoS is Another Tool in the Hacker Toolbox

Pie chart: Hacker Forum Discussion Topics. Slice labels: spam, dos/ddos, SQL Injection, zero-day, shell code, brute-force, HTML Injection. Slice values as extracted: 16%, 22%, 19%, 10%, 12%, 12%, 9% (the label-to-slice mapping was not preserved by extraction).

Source: Imperva. Covers July 2010 - July 2011 across 600,000 discussions

Page 17: Deconstructing Application DoS Attacks


Denial of Service: Attackers

Page 18: Deconstructing Application DoS Attacks


Attackers – Who Are They?

Who wants to put you out of business?

Protesters
+ Hacktivists

Business related
+ Competitors
+ Racketeering

Page 19: Deconstructing Application DoS Attacks


Hacktivism: Definition

“Hacktivism (a portmanteau of hack and activism).”

Page 20: Deconstructing Application DoS Attacks


What/Who is Anonymous?

“…the first Internet-based superconsciousness.” —Chris Landers. Baltimore City Paper, April 2, 2008

Page 21: Deconstructing Application DoS Attacks



“Anonymous is an umbrella for anyone to hack anything for any reason.”

—New York Times, 27 Feb 2012

Page 22: Deconstructing Application DoS Attacks


What/Who is Anonymous?

One thing is for sure - they are hackers!

Page 23: Deconstructing Application DoS Attacks


Recruiting Over Social Media - 1

Page 24: Deconstructing Application DoS Attacks


Recruiting Over Social Media - 2

Page 25: Deconstructing Application DoS Attacks


Setting Up an Early Warning System

Page 26: Deconstructing Application DoS Attacks


Example

Page 27: Deconstructing Application DoS Attacks


Business Attackers - 1

DoS as a Service

Page 28: Deconstructing Application DoS Attacks


Business Attackers - 2

Where there is a demand, there will be supply…


Page 30: Deconstructing Application DoS Attacks


Denial of Service: Popular Tools

Page 31: Deconstructing Application DoS Attacks


Protecting True Identity

Hackers protect their identity by using…
+ TOR
+ Other anonymity services
  – Anonymous proxies
  – Private VPN services
  – Hacked servers

Chart: attack sources by origin: TOR 15%, Anonymity Services 57%, Other IPs 28%

Source: https://www.torproject.org/about/overview.html.en

Page 32: Deconstructing Application DoS Attacks


Hacking Tools

Low-Orbit Ion Canon (LOIC)
Purpose - DDoS
Windows desktop application, coded in C#
UDP/TCP/HTTP flooding

Page 33: Deconstructing Application DoS Attacks


LOIC Facts

LOIC downloads
+ 2011: 380K
+ 2012 (through October 14): 616K
+ Jan 2012 (megaupload takedown): 182K

For more: http://blog.imperva.com/2012/05/loicversary.html

Page 34: Deconstructing Application DoS Attacks


DDoS is Moving Up the Stack

Decreasing costs
+ Application layer attacks are far more efficient
+ Fewer attackers are needed to take down a site

The DoS security gap
+ Traditionally, the defense against DDoS was based on dedicated devices operating at lower layers (TCP/IP). Inherent shortcomings:
  – Don't decrypt SSL
  – Don’t understand the HTTP protocol
  – Unaware of the web application

For more: http://blog.imperva.com/2011/12/top-cyber-security-trends-for-2012-7.html

Page 35: Deconstructing Application DoS Attacks


Javascript/Mobile/VM/JS LOIC

DaaS – DoS as a Service
Application layer attacks
Easy to participate – no download
+ Just point your browser to the JS-Loic page

Effective
+ Iterates up to 200 requests per second

Cross platform
+ Mobile device
+ Linux/Mac/PC

Page 36: Deconstructing Application DoS Attacks


JS LOIC - Attack Characteristics

HTTP Referer header – indicates attack code source
Fixed target URL
+ Carefully selected to create load on target server
A parameter with some arbitrary changing value
+ To avoid caches along the way
A parameter "msg" with some hacktivist’s slogan

www.target.com/search.php?q=a&id=61278641278&msg=we+are+legion!

Page 37: Deconstructing Application DoS Attacks


Hacktivists’ DoS in the Wild


Page 40: Deconstructing Application DoS Attacks


Some More JS LOIC


Page 42: Deconstructing Application DoS Attacks


Slow HTTP tools

“Dripping” an HTTP POST parameter value byte by byte
Generating a never-ending request
Exhausting the attacked server’s concurrent requests pool
Tools
+ RAILgun
+ SlowHTTPtest
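As an added example (not the presentation's code and not taken from any tool), the Python below shows the server-side counter to a dripping POST body: a minimum-data-rate read policy that drops the connection, so the request stops holding a slot in the concurrent requests pool, when the body arrives too slowly or misses a hard deadline. The timeout values and the arrival schedules are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class BodyReadPolicy:
    """Constructed server-side guard against a 'dripping' POST body. The body
    must keep arriving at or above min_bytes_per_sec once a short grace period
    has passed, and must be complete within max_seconds; otherwise the server
    closes the connection and frees the worker slot it was occupying."""
    max_seconds: float = 20.0         # hard deadline for reading the whole body
    min_bytes_per_sec: float = 500.0  # minimum average rate after the grace period
    grace_seconds: float = 2.0        # rate is not enforced during the first seconds

    def verdict(self, chunks, content_length):
        """chunks: list of (seconds_since_request_start, nbytes) in arrival order.
        Returns ('complete', t) once content_length bytes arrived in time, else
        ('abort', t) with the moment the server should close the connection."""
        received = 0
        for t, n in chunks:
            if t > self.max_seconds:
                return ("abort", self.max_seconds)
            received += n
            # Average-rate check (received / t < min rate), written without division
            if t > self.grace_seconds and received < self.min_bytes_per_sec * t:
                return ("abort", t)
            if received >= content_length:
                return ("complete", t)
        # Body never completed: the idle connection is dropped at the deadline
        return ("abort", self.max_seconds)


def drip_schedule(nbytes, interval):
    """Constructed arrival pattern of a dripping request: one byte every
    `interval` seconds, the never-ending request shape the slide describes."""
    return [((i + 1) * interval, 1) for i in range(nbytes)]


def normal_schedule(content_length, chunk, interval):
    """Constructed well-behaved client: full chunks at a steady interval."""
    chunks, sent, t = [], 0, 0.0
    while sent < content_length:
        t += interval
        n = min(chunk, content_length - sent)
        chunks.append((t, n))
        sent += n
    return chunks
```

A slow but steady client (for example a mobile device sending 1,000 bytes per second) still completes, because the rate floor is an average rather than a per-chunk requirement.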

Page 43: Deconstructing Application DoS Attacks

© 2012 Imperva, Inc. All rights reserved.

DDoS: Mitigation

Page 44: Deconstructing Application DoS Attacks


Anti-Virus is Irrelevant: Malware is NOT the MO

McAfee mea culpa

“The security industry may need to reconsider some of its fundamental assumptions, including 'Are we really protecting users and companies?’”

--McAfee, September 2011

Source: http://www.nytimes.com/external/readwriteweb/2011/08/23/23readwriteweb-mcafee-to-security-industry-are-we-really-p-70470.html?partner=rss&emc=rss

Page 45: Deconstructing Application DoS Attacks


SDLC is Irrelevant: No Vulnerability

Traditionally, an attack is comprised of two elements
+ Vulnerability
+ Exploit

To mitigate, either (or even better both)
+ Repair the vulnerability – with SDLC
+ Stop the exploit – with a security device

In DoS – there’s no vulnerability!

Page 46: Deconstructing Application DoS Attacks


IPS/NGFW is Irrelevant

Statefulness
+ Inspecting each request by itself is futile, as each request is benign per se
+ Only when accumulated within the right context (IP / Application Session / Application user) are the attack’s true colors exposed

True application awareness
+ Detecting unexpected parameters on request
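As an added example (not code from the presentation), the Python below applies this statefulness point to the request shape described on the "JS LOIC - Attack Characteristics" slide: every request carries the fixed search URL, a changing cache-busting value and the "msg" slogan, yet each one is benign by itself, so the verdict comes only from accumulating matches per client IP over a sliding window. The log lines, the attack-page Referer host, the choice of "id" as the changing parameter and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from urllib.parse import parse_qs, urlsplit

# Constructed access-log excerpt; fields: seconds client_ip method path referer
SAMPLE_LOG = """\
0.00 203.0.113.7 GET /search.php?q=a&id=61278641278&msg=we+are+legion! http://attack-page.example/loic.html
0.01 203.0.113.7 GET /search.php?q=a&id=61278641279&msg=we+are+legion! http://attack-page.example/loic.html
0.02 203.0.113.7 GET /search.php?q=a&id=61278641280&msg=we+are+legion! http://attack-page.example/loic.html
0.03 203.0.113.7 GET /search.php?q=a&id=61278641281&msg=we+are+legion! http://attack-page.example/loic.html
0.04 203.0.113.7 GET /search.php?q=a&id=61278641282&msg=we+are+legion! http://attack-page.example/loic.html
0.10 198.51.100.9 GET /search.php?q=shoes http://www.target.com/
0.90 198.51.100.9 GET /search.php?q=boots&page=2 http://www.target.com/search.php?q=shoes
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def loic_signature(path_with_query):
    """Per-request shape from the slide: the fixed search URL, a changing
    cache-busting parameter (assumed here to be 'id') and a slogan parameter
    'msg'. Returns the cache-busting value, or None when the request differs."""
    parts = urlsplit(path_with_query)
    q = parse_qs(parts.query)
    if parts.path == "/search.php" and "msg" in q and "id" in q:
        return q["id"][0]
    return None


def detect_js_loic(log_text, window=1.0, threshold=5):
    """Stateful check: one matching request is benign on its own, so matches are
    accumulated per client IP over a sliding `window` (seconds). An IP is flagged
    once `threshold` matches fall inside the window with all-different cache-busting
    values. Returns {ip: referer}; the Referer shows which page served the script."""
    recent = defaultdict(deque)  # ip -> deque of (time, cache-busting value)
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, ip, _method, path, referer = m.groups()
        value = loic_signature(path)
        if value is None:
            continue
        t = float(t)
        q = recent[ip]
        q.append((t, value))
        while t - q[0][0] > window:  # drop matches that left the window
            q.popleft()
        if len(q) >= threshold and len({v for _, v in q}) == len(q):
            flagged[ip] = referer
    return flagged
```

The legitimate searcher in the sample never matches the per-request signature, and even the matching client is only flagged on its fifth request within the window, which is the context an IPS judging requests one at a time lacks.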

Page 47: Deconstructing Application DoS Attacks


Mitigation

WAF: stateful, decrypts SSL, understands HTTP, understands the application business logic to analyze the traffic, sifting out the DoS traffic.

Page 48: Deconstructing Application DoS Attacks


Mitigation: Stateful Rules

A customer was attacked with “large file” downloads from unauthenticated users

A specific rule was created:

Page 49: Deconstructing Application DoS Attacks


Mitigation: Picking the Low Hanging Fruits

Some tools have small deviations from normal browsers
+ User agent
+ Missing headers
+ Headers order
+ Misspelled headers
+ Fixed value

Page 50: Deconstructing Application DoS Attacks


Mitigation: Reputation Services

Sources of intelligence
+ Malicious IPs
+ Anonymity services IPs
  – TOR
  – Anonymous proxies

Page 51: Deconstructing Application DoS Attacks



Blocking Traffic Based on Reputation

Real-time alerts and ability to block based on IP Reputation.


Page 54: Deconstructing Application DoS Attacks


Summary and Recommendations

Page 55: Deconstructing Application DoS Attacks


Summary

DoS is another tool in the hackers’ toolbox
DoS is going up the application stack
Mitigate application layer DoS attacks with WAF
Use community-based anti-automation reputation services

Page 56: Deconstructing Application DoS Attacks


Imperva in 60 Seconds

Usage Audit
Access Control
Rights Management
Attack Protection
Reputation Controls
Virtual Patching

Page 57: Deconstructing Application DoS Attacks


Webinar Materials


Post-Webinar Discussions
Answers to Attendee Questions
Webinar Recording Link

Join Imperva LinkedIn Group, Imperva Data Security Direct, for…

Page 59: Deconstructing Application DoS Attacks


Questions?


Page 60: Deconstructing Application DoS Attacks

www.imperva.com

- CONFIDENTIAL -