Trends in Web Attacks

Copyright Arthur Clune 2007All rights reserved

UK Honeynet Projectt UK Honeynet Projectt

Trends in Web Attacks

Arthur [email protected]



Talk Overview

• History of (web) attacks• DDOS attacks and economics• Botnets• Phishing• Why do we care about this anyway?



A Taxonomy

• Defacement• Resource stealing• Denial of Service/DDOS



History



Prehistory

• Before the web• ftp (anonymous ftp uploads)• gopher• backdoors



Why?

• Curiosity• Status• ‘Fame’

• Disk space was expensive!



Morris Worm

• 1988• Not web based!• First self spreading worm



Early Web

• Individual attacks

• Mainly motivated as before



Trinoo/Stachledract

• 1999• First large scale DDOS tool• University of York was among the victims!



Code Red/Nimbda

• 2001• Caused extensive problems (network

traffic/instability)• First really big worm



SQLSlammer

• 2003• Attacked Microsoft SQL Server• Fastest spreading worm ever• How many of your web sites rely on a

database?



Misc Stuff

• Also at this time:• MS Frontpage extensions

• Edit your webpage remotely…oh, but so can other people.



Digression

• Zone-h defacement archive demo



Witty Worm

• 2003• First worm aimed directly at a web server

• MS IIS• Followed by Sasser



Moving to webapps

• First php worm - 2004• Attacked phpBB

• It’s now most common to attack applications not webservers themselves



Pure web worms

• 2006• MySpace worm

• Spread only within MySpace profiles• A ‘Web 2.0’ worm?



Distributed Denial of Service

‘Nice website you’ve got there. Shame if anything happened to it’



DDOS - Why bother?

• It’s not about the frame• Sometimes it’s about Money



DDOS II

• How it works

• Targets• Gambling• Porn• Anyone with money



Botnets

0wning the internet for fun and profit



Botnets

• Botnets are sets of machines, all controlled by a ‘bot herder’

• Often machines are infected when visiting a website

• Largest botnet found so far had > 1,000,000 machines in it



Botnet example

• Demo of botnet from UK Honeynet data



Phishing

There’s one born every minute



Phishing

• Different types:• 401 scams• Bank scams

• Some of these are very realistic• Banks don’t always help themselves



Phishing 2

• Example of a phishing attack from UK Honeynet data



Am I bovered?

Or, why this affects web managers



How have things changed?

• Attacks often less personal, but bigger• DDOS attacks can be too big to resist• Web servers valuable as a way of

spreading exploit code• It’s not about fame anymore, but money



How does this affect you?

• Reputational loss• Potential for damages if you can’t show

due care• Copyright violations on your servers• DDOS attacks against you



What can we do?

• Follow best practice• Occams razor - don’t multiply servers!• Code audit/review/pen-testing• Network design (DMZs, firewalls etc)



Questions?

Technology

Trends in Web Attacks