Deconstructing Application DoS Attacks
Tal Be’ery, Web Research TL, Imperva
© 2012 Imperva, Inc. All rights reserved.
Agenda
+ Introduction to Imperva’s Hacker Intelligence Initiative
+ Denial of Service (DoS):
  – Definition and background
  – Attackers: hacktivists, business related
  – Tools: JS LOIC, Slow HTTP
  – Mitigation: non-mitigations, true mitigation
+ Summary of recommendations
Presenter: Tal Be’ery, CISSP
+ Web Security Research Team Leader at Imperva
+ Holds MSc & BSc degrees in CS/EE from TAU
+ 10+ years of experience in the IS domain
+ Facebook “white hat”
+ Speaker at RSA, BlackHat, AusCERT
+ Columnist for securityweek.com
Imperva’s Hacker Intelligence Initiative
Hacker Intelligence Initiative (HII)
The Hacker Intelligence Initiative is focused on understanding how attackers operate in practice
+ A different approach from vulnerability research
Data set composition
+ ~50 real world applications
+ Anonymous proxies
More than 18 months of data
Powerful analysis system
+ Combines analytic tools with drill-down capabilities
HII - Motivation
Focus on actual threats
+ Focus on what hackers want, helping the good guys prioritize
+ Technical insight into hacker activity
+ Business trends of hacker activity
+ Future directions of hacker activity
Eliminate uncertainties
+ Active attack sources
+ Explicit attack vectors
+ Spam content
Devise new defenses based on real data
+ Reduce guesswork
HII Reports
Monthly reports based on data collection and analysis
Drill down into specific incidents or attack types
2011 / 2012 reports
+ Remote File Inclusion
+ Search Engine Poisoning
+ The Convergence of Google and Bots
+ Anatomy of a SQLi Attack
+ Hacker Forums Statistics
+ Automated Hacking
+ Password Worst Practices
+ Dissecting Hacktivist Attacks
+ CAPTCHA Analysis
WAAR – Web Application Attack Report
Semi-annual, based on aggregated analysis of 6 / 12 months of data
Motivation
+ Pick up trends
+ High-level takeaways
+ Create comparative measurements over time
Denial of Service: Definition and Background
Denial of Service: Definition
Denial of Service attack, per Wikipedia: “make a machine or network resource unavailable to its intended users”
DoS attacks data availability
Data Drives Business
+ Customer details
+ Inventory
+ Trade secrets
+ Intellectual property
+ Financial analysis
Protecting Data
Data must remain:
+ Confidential
+ Protected against unauthorized changes (integrity)
+ Available
Hackers Are After Your Data
Confidentiality – attacking confidentiality means leaking secret data
+ SQL injection
+ Careless employees
Integrity – attacking integrity means changing sensitive data
+ SQL injection
+ Malicious insider
Availability – attacking data availability
+ DoS attacks
DoS is Another Tool in the Hacker Toolbox
Hacker Forum Discussion Topics
[Pie chart: share of forum discussions by topic – spam, DoS/DDoS, SQL injection, zero-day, shell code, brute-force, HTML injection; slices range from 9% to 22%]
Source: Imperva. Covers July 2010 - July 2011 across 600,000 discussions
Denial of Service: Attackers
Attackers – Who Are They?
Who wants to put you out of business?
Protesters
+ Hacktivists
Business related
+ Competitors
+ Racketeering
Hacktivism: Definition
“Hacktivism (a portmanteau of hack and activism).”
What/Who is Anonymous?
“…the first Internet-based superconsciousness.” —Chris Landers, Baltimore City Paper, April 2, 2008
“Anonymous is an umbrella for anyone to hack anything for any reason.” —New York Times, 27 Feb 2012
One thing is for sure - they are hackers!
Recruiting Over Social Media - 1
Recruiting Over Social Media - 2
Setting Up an Early Warning System
Example
Business Attackers - 1
DoS as a Service
Business Attackers - 2
Where there is a demand, there will be supply…
Denial of Service: Popular Tools
Protecting True Identity
Hackers protect their identity by using…
+ TOR
+ Other anonymity services
  – Anonymous proxies
  – Private VPN services
  – Hacked servers
[Pie chart: attack traffic by source – TOR 15%, anonymity services 57%, other IPs 28%]
Source: https://www.torproject.org/about/overview.html.en
Hacking Tools
Low Orbit Ion Cannon (LOIC)
+ Purpose - DDoS
+ Windows desktop application, coded in C#
+ UDP/TCP/HTTP flooding
LOIC Facts
LOIC downloads
+ 2011: 380K
+ 2012 (through October 14): 616K
+ Jan 2012 (Megaupload takedown): 182K
For more: http://blog.imperva.com/2012/05/loicversary.html
DDoS is Moving Up the Stack
Decreasing costs
+ Application layer attacks are far more efficient
+ Fewer attackers are needed to take down a site
The DoS security gap
+ Traditionally, the defense against DDoS was based on dedicated devices operating at the lower layers (TCP/IP). Inherent shortcomings:
  – Don't decrypt SSL
  – Don’t understand the HTTP protocol
  – Unaware of the web application
For more: http://blog.imperva.com/2011/12/top-cyber-security-trends-for-2012-7.html
JavaScript/Mobile/VM/JS LOIC
DaaS – DoS as a Service
+ Application layer attacks
+ Easy to participate – no download; just point your browser to the JS LOIC page
+ Effective – iterates up to 200 requests per second
+ Cross platform – mobile devices, Linux/Mac/PC
JS LOIC - Attack Characteristics
+ HTTP Referer header – indicates the attack code source (the page hosting the JS LOIC script)
+ Fixed target URL – carefully selected to create load on the target server
+ A parameter with an arbitrary, changing value – to avoid caches along the way
+ A parameter "msg" carrying the hacktivists’ slogan
Example request: www.target.com/search.php?q=a&id=61278641278&msg=we+are+legion!
Hacktivists’ DoS in the Wild
Some More JS LOIC
Slow HTTP tools
+ “Dripping” an HTTP POST parameter value byte by byte
+ Generating a never-ending request
+ Exhausting the attacked server’s concurrent requests pool
Tools
+ RAILgun
+ SlowHTTPtest
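The slow-POST behaviour described above, as an added example that is not part of the original deck and is not code from RAILgun or SlowHTTPtest: two server-side body readers are fed the same constructed "dripping" client. The first keeps a per-chunk idle timeout (the behaviour a slow POST exploits: every byte resets the clock, so the request never ends), the second enforces a minimum body rate the way Apache's mod_reqtimeout does. The client timings, the pool arithmetic and the limits are assumptions.

```python
"""Why a slow POST holds a worker, and how a minimum body rate stops it.

Added example for the deck's Slow HTTP slide; not Imperva code and not the
RAILgun or SlowHTTPtest code.  Client timings, pool sizes and limits are
constructed assumptions.  Events are (arrival_seconds, chunk) pairs, which
lets the two server models be compared without opening a socket.
"""
from dataclasses import dataclass
from typing import List, Tuple

Events = List[Tuple[float, bytes]]


@dataclass
class Outcome:
    complete: bool
    reason: str
    held_seconds: float   # how long the worker slot stayed occupied


def naive_read(events: Events, content_length: int, idle_timeout: float) -> Outcome:
    """Vulnerable model: the worker waits up to idle_timeout for *each* chunk,
    the way a plain per-read socket timeout behaves.  A client that sends one
    byte every (idle_timeout - epsilon) seconds is never dropped."""
    last, received = 0.0, 0
    for t, chunk in events:
        if t - last > idle_timeout:
            return Outcome(False, "idle timeout", last + idle_timeout)
        last, received = t, received + len(chunk)
        if received >= content_length:
            return Outcome(True, "complete", t)
    return Outcome(False, "client gone", last)   # never finished the declared body


def min_rate_read(events: Events, content_length: int,
                  initial_budget: float, min_rate: float) -> Outcome:
    """Hardened model (mod_reqtimeout style): start with initial_budget seconds
    and credit len(chunk)/min_rate seconds per byte received.  A dripper that
    stays under min_rate bytes/second exhausts its budget and is dropped."""
    deadline, received = initial_budget, 0
    for t, chunk in events:
        if t > deadline:
            return Outcome(False, "below minimum rate", deadline)
        received += len(chunk)
        deadline += len(chunk) / min_rate
        if received >= content_length:
            return Outcome(True, "complete", t)
    return Outcome(False, "client gone", deadline)  # worker waits until the deadline


def dripping_client(bytes_sent: int, interval: float) -> Events:
    """Constructed slow-POST client: one body byte every `interval` seconds,
    against a declared Content-Length it never intends to reach."""
    return [(i * interval, b"A") for i in range(bytes_sent)]


def normal_client(body: bytes, chunk_size: int, gap: float) -> Events:
    """Constructed well-behaved client uploading `body` in chunks `gap` seconds apart."""
    chunks = [body[i:i + chunk_size] for i in range(0, len(body), chunk_size)]
    return [(n * gap, c) for n, c in enumerate(chunks)]


def slots_held(connections_per_second: float, hold_seconds: float) -> int:
    """Little's law: concurrent slots an attacker occupies = arrival rate x hold time."""
    return int(connections_per_second * hold_seconds)


if __name__ == "__main__":
    drip = dripping_client(bytes_sent=400, interval=9.0)
    naive = naive_read(drip, content_length=100_000, idle_timeout=10.0)
    hard = min_rate_read(drip, content_length=100_000, initial_budget=20.0, min_rate=500.0)
    print(f"idle-timeout server: {naive.reason}, worker held {naive.held_seconds:.0f}s")
    print(f"min-rate server:     {hard.reason}, worker held {hard.held_seconds:.1f}s")
    print(f"10 dripping conn/s against the idle-timeout server occupy "
          f"{slots_held(10, naive.held_seconds)} slots")
    ok = min_rate_read(normal_client(b"x" * 2000, 512, 0.05), 2000, 20.0, 500.0)
    print(f"normal 2 KB upload under min-rate: {ok.reason} after {ok.held_seconds:.2f}s")
```

With one byte every 9 s, the idle-timeout reader keeps its worker for the whole hour the client stays connected, while the min-rate reader drops it after about 20 s; a normal 2 KB upload is unaffected. slots_held is Little's law: ten such connections per second, each held for an hour, occupy roughly 36,000 slots, far beyond any thread or process pool, which is the "concurrent requests pool" exhaustion the slide describes. On Apache the corresponding setting is mod_reqtimeout's RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500.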
DDoS: Mitigation
Anti-Virus is Irrelevant: Malware is NOT the MO
McAfee mea culpa: “The security industry may need to reconsider some of its fundamental assumptions, including 'Are we really protecting users and companies?’” --McAfee, September 2011
Source: http://www.nytimes.com/external/readwriteweb/2011/08/23/23readwriteweb-mcafee-to-security-industry-are-we-really-p-70470.html?partner=rss&emc=rss
SDLC is Irrelevant: No Vulnerability
Traditionally, an attack is comprised of two elements
+ Vulnerability
+ Exploit
To mitigate, fix either (or, better, both)
+ Repair the vulnerability – with SDLC
+ Stop the exploit – with a security device
In DoS there is no vulnerability to repair: the attack uses the application exactly as designed, only far too much of it.
IPS/NGFW is Irrelevant
Statefulness
+ Inspecting each request by itself is futile, as each request is benign per se
+ Only when requests are accumulated within the right context (IP / application session / application user) do the attack’s true colors show
True application awareness
+ Detecting unexpected parameters on a request (parameters the targeted page never defined)
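To make the statefulness point concrete, an added example that is not Imperva code and not a description of any WAF's internal logic: a detector that applies the JS LOIC signature from the attack-characteristics slide (off-site Referer, a changing cache-buster parameter, a "msg" slogan parameter the page never defined) to constructed access-log lines, and only blocks a source once enough flagged requests accumulate per IP inside a sliding window. The log layout, the hostnames www.target.example and pastehtml.example, the per-endpoint parameter whitelist and the thresholds are assumptions.

```python
"""Stateful detection of JS LOIC-style floods over web access logs.

Added example for the deck's JS LOIC characteristics and statefulness slides;
not Imperva code.  The log format, the hostnames, the per-endpoint parameter
whitelist and the thresholds are assumptions made for illustration.
"""
import re
from collections import defaultdict, deque
from urllib.parse import parse_qs, urlsplit

# Assumed log layout:  ip  epoch-seconds  "request line"  status  "referer"
LOG_RE = re.compile(r'^(\S+) (\d+) "(\S+) (\S+) HTTP/[\d.]+" (\d{3}) "([^"]*)"$')

# Application awareness (assumed): the parameters each endpoint really defines.
KNOWN_PARAMS = {"/search.php": {"q", "page"}}
OWN_HOSTS = {"www.target.example"}  # hypothetical victim site


def request_flags(path_qs, referer):
    """Per-request signals from the JS LOIC signature.

    Each signal is benign on its own; the attack only shows when they are
    accumulated per source (see StatefulDetector).  Returns the flag set and
    the values of parameters the endpoint does not define.
    """
    url = urlsplit(path_qs)
    params = parse_qs(url.query, keep_blank_values=True)
    flags = set()
    known = KNOWN_PARAMS.get(url.path)
    unexpected = set(params) - known if known is not None else set()
    if unexpected:
        flags.add("unexpected_param")      # e.g. id=<changing>&msg=<slogan>
    if "msg" in params:
        flags.add("slogan_param")          # the hacktivists' slogan parameter
    ref_host = urlsplit(referer).hostname if referer else None
    if ref_host and ref_host not in OWN_HOSTS:
        flags.add("offsite_referer")       # Referer names the attack page
    return flags, {k: v[0] for k, v in params.items() if k in unexpected}


class StatefulDetector:
    """Accumulates per-IP evidence; a single request never triggers a block."""

    def __init__(self, window=1, threshold=20):
        self.window = window               # seconds of history per source IP
        self.threshold = threshold         # flagged requests within the window
        self.recent = defaultdict(deque)   # ip -> timestamps of flagged requests
        self.values = defaultdict(set)     # (ip, path, param) -> distinct values
        self.blocked = {}                  # ip -> (first block time, reasons)

    def feed(self, line):
        m = LOG_RE.match(line)
        if not m:
            return None
        ip, ts, _method, path_qs, _status, referer = m.groups()
        ts = int(ts)
        flags, unexpected = request_flags(path_qs, referer)
        path = urlsplit(path_qs).path
        for name, value in unexpected.items():
            seen = self.values[(ip, path, name)]
            seen.add(value)
            if len(seen) >= self.threshold:
                flags.add("cache_buster_churn")   # same param, never the same value
        if not flags:
            return None
        q = self.recent[ip]
        q.append(ts)
        while q and ts - q[0] >= self.window:    # slide the window forward
            q.popleft()
        if len(q) >= self.threshold and ip not in self.blocked:
            self.blocked[ip] = (ts, sorted(flags))
        return flags


def constructed_log():
    """Constructed sample: one JS LOIC browser at 203.0.113.5 (30 req/s for 2 s)
    plus an ordinary visitor at 198.51.100.7."""
    lines = [
        f'203.0.113.5 {1350000000 + i // 30} "GET /search.php?q=a&id={61278641278 + i}'
        f'&msg=we+are+legion! HTTP/1.1" 200 "http://pastehtml.example/jsloic.html"'
        for i in range(60)
    ]
    lines.append('198.51.100.7 1350000000 "GET /search.php?q=shoes HTTP/1.1" 200 '
                 '"http://www.target.example/"')
    lines.append('198.51.100.7 1350000002 "GET /search.php?q=shoes&page=2 HTTP/1.1" 200 '
                 '"http://www.target.example/search.php?q=shoes"')
    return lines


def detect(lines, window=1, threshold=20):
    """Run the detector over a log and return the IPs it would block."""
    det = StatefulDetector(window, threshold)
    for line in lines:
        det.feed(line)
    return det.blocked


if __name__ == "__main__":
    for ip, (ts, reasons) in detect(constructed_log()).items():
        print(f"block {ip} at {ts}: {', '.join(reasons)}")
```

The ordinary visitor never produces a flag, so no amount of browsing gets it blocked, while the JS LOIC source is blocked on its 20th request in the same second with all four reasons attached. The window and threshold interact the way the "right context" point on the slide implies: with a 1 s window and a threshold of 40 the same 30 req/s source is never blocked, with a 2 s window it is.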
Mitigation
WAF: stateful, decrypts SSL, understands HTTP and the application’s business logic, so it can analyze the traffic and sift out the DoS traffic.
Mitigation: Stateful Rules
Customer was attacked with “large files” downloads from unauthenticated users
A specific rule was created:
Mitigation: Picking the Low-Hanging Fruit
Some tools have small deviations from normal browsers:
+ User agent
+ Missing headers
+ Header order
+ Misspelled headers
+ Fixed values
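The deviations listed above, as an added example that is not Imperva code: a fingerprint that parses a raw request head and reports missing headers, header order, near-miss header names and a non-browser User-Agent. The browser baseline (which headers a browser always sends, Host coming first, User-Agent starting with "Mozilla/"), the tool User-Agent string and both sample requests are constructed assumptions; a fixed header value that never varies is only visible across many requests from one source and is not a per-request check.

```python
"""Fingerprinting DoS-tool requests by how they deviate from a browser.

Added example for the deck's "low hanging fruit" slide; not Imperva code.
The browser baseline (which headers a browser always sends and that Host
comes first), the tool User-Agent and both sample requests are constructed
assumptions for illustration.
"""
from typing import List, Tuple

KNOWN_HEADERS = [
    "Host", "User-Agent", "Accept", "Accept-Language", "Accept-Encoding",
    "Connection", "Referer", "Cookie", "Content-Length", "Content-Type",
    "Cache-Control", "Pragma",
]
# Assumed baseline: headers every mainstream browser of the period sends on a page load.
BROWSER_ALWAYS = {"Host", "User-Agent", "Accept", "Accept-Language", "Accept-Encoding"}


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot near-miss header names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_request(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 request head into request line and ordered headers."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def fingerprint(raw: str) -> List[str]:
    """Return the deviations from the browser baseline found in one request."""
    _, headers = parse_request(raw)
    names = [n for n, _ in headers]
    lower = {n.lower() for n in names}
    findings = []

    # 1. Missing headers a browser always sends.
    for h in sorted(BROWSER_ALWAYS):
        if h.lower() not in lower:
            findings.append(f"missing:{h}")

    # 2. Header order: browsers put Host first; hand-rolled clients often do not.
    if names and names[0].lower() != "host":
        findings.append(f"order:first-header={names[0]}")

    # 3. Misspelled headers: close to a known name but not equal (e.g. Referrer).
    known_lower = {k.lower() for k in KNOWN_HEADERS}
    for n in names:
        if n.lower() in known_lower:
            continue
        near = [k for k in KNOWN_HEADERS if edit_distance(n.lower(), k.lower()) <= 2]
        if near:
            findings.append(f"misspelled:{n}~{near[0]}")

    # 4. User-Agent: every mainstream browser string starts with "Mozilla/".
    ua = next((v for n, v in headers if n.lower() == "user-agent"), "")
    if ua and not ua.startswith("Mozilla/"):
        findings.append(f"user-agent:{ua}")

    return findings


# Constructed samples: a Firefox-style page request and a hand-rolled flooder's request.
BROWSER_REQUEST = """GET /search.php?q=shoes HTTP/1.1
Host: www.target.example
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://www.target.example/
"""

TOOL_REQUEST = """GET /search.php?q=a&id=61278641278 HTTP/1.1
User-Agent: HTTPFlood/0.1
Host: www.target.example
Referrer: http://pastehtml.example/jsloic.html
Connection: keep-alive
"""

if __name__ == "__main__":
    print("browser:", fingerprint(BROWSER_REQUEST) or "no deviations")
    print("tool:   ", fingerprint(TOOL_REQUEST))
```

The browser request produces no findings; the tool request produces six (three missing Accept-* headers, Host not first, Referrer misspelled against Referer, a non-Mozilla User-Agent). Each finding alone is weak evidence, since proxies and unusual clients also deviate, which is why such checks are a cheap first filter rather than a block decision on their own.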
Mitigation: Reputation Services
Sources of intelligence
+ Malicious IPs
+ Anonymity service IPs
  – TOR
  – Anonymous proxies
Blocking Traffic Based on Reputation
Real-time alerts and ability to block based on IP reputation.
Summary and Recommendations
Summary
+ DoS is another tool in the hacker’s toolbox
+ DoS is moving up the stack to the application layer
+ Mitigate application layer DoS attacks with a WAF
+ Use community-based anti-automation reputation services
Imperva in 60 Seconds
+ Usage Audit
+ Access Control
+ Rights Management
+ Attack Protection
+ Reputation Controls
+ Virtual Patching
Webinar Materials
Join the Imperva LinkedIn Group, Imperva Data Security Direct, for…
+ Answers to attendee questions
+ Post-webinar discussions
+ Webinar recording link
Questions?
www.imperva.com
- CONFIDENTIAL -