It’s Not Just You! Your Site Looks Down From Here Santo Hartono, ANZ Country Manager March 2014 Latest Trends in Cyber Security


It’s Not Just You! Your Site Looks Down From Here

Santo Hartono, ANZ Country Manager

March 2014

Latest Trends in Cyber Security


Radware Global Network and Application Security Report


Radware’s ERT 2013 Cases

• Unique visibility into attack behavior

• Attacks monitored in real-time on a daily basis

• More than 300 cases analyzed

– Customers’ identity remains undisclosed


The Threat Landscape

DDoS is the most common attack method!

Attacks last longer

Government and Financial Services are the most attacked sectors

Multi-vector trend continues


DDoS Attacks Results

Public attention

Results of one-second delay in Web page loading:

• 3.5% decrease in conversion rate

• 2.1% decrease in shopping cart size

• 9.4% decrease in page views

• 8.3% increase in bounce rate

Source: Strangeloop Networks, Case Study: The impact of HTML delay on mobile business metrics, November 2011


DDoS Attack Vectors

[Diagram: attack vectors shown along the path Internet Pipe, Firewall, IPS/IDS, ADC, Attacked Server, SQL Server]

• Large volume network flood attacks

• Network Scan

• SYN Floods

• Connection Floods

• SSL Floods

• “Low & Slow” DoS attacks (e.g. Sockstress)

• HTTP Floods

• App Misuse

• Brute Force


2013 Attack Tools Trends


Attack Vectors Used


Reflective Amplification Attacks on the Rise


• Easier to create

• Based on the UDP protocol

– Targeted protocols: DNS, NTP, SNMP

– UDP’s connectionless nature makes it possible to spoof the IP address

• Key feature in creating a reflective attack

• Obfuscates the attacker’s real identity (IP address)

• Amplification effect: 8 – 650 times larger than the originating message


DNS Based Attacks

• Most frequently used attack vector

• Amplification effect

– Regular DNS replies - a normal reply is 3-4 times larger than the request

– Researched replies – can reach up to 10 times the original request

– Crafted replies – attacker compromises a DNS server and ensures requests are answered with the maximum DNS reply message (4096 bytes) - amplification factor of up to 100 times
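The following added example is not from the original presentation. It shows one way a defender can spot the reflected traffic described on the Reflective Amplification and DNS Based Attacks slides: UDP replies arriving from DNS, NTP or SNMP source ports that the protected host never solicited. The flow tuple layout, the thresholds and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict

# UDP services the slides name as reflection targets (source port of the reply).
REFLECTABLE = {53: "DNS", 123: "NTP", 161: "SNMP"}

def find_reflection(flows, protected, window=5.0, min_reflectors=3, min_bytes=8000):
    """Flag protected hosts that receive UDP replies they never asked for.

    flows: time-ordered UDP datagrams as
           (ts, src_ip, src_port, dst_ip, dst_port, nbytes)  -- assumed layout.
    A reply counts as solicited only if the protected host sent a datagram to
    the same server and service port, from the same local port, within `window` s.
    """
    pending = {}  # (client, client_port, server, service_port) -> time of last query
    stats = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "max_reply": 0})
    for ts, src, sport, dst, dport, nbytes in flows:
        if src in protected and dport in REFLECTABLE:
            pending[(src, sport, dst, dport)] = ts           # outbound query
        elif dst in protected and sport in REFLECTABLE:
            asked = pending.get((dst, dport, src, sport))
            if asked is not None and ts - asked <= window:
                continue                                     # legitimate answer
            s = stats[(dst, REFLECTABLE[sport])]
            s["reflectors"].add(src)
            s["bytes"] += nbytes
            s["max_reply"] = max(s["max_reply"], nbytes)
    # Report only victims hit by several distinct reflectors with real volume.
    return {
        key: {"reflectors": len(s["reflectors"]), "bytes": s["bytes"],
              "max_reply": s["max_reply"]}
        for key, s in stats.items()
        if len(s["reflectors"]) >= min_reflectors and s["bytes"] >= min_bytes
    }

# Constructed sample flows (documentation address ranges), not captured traffic.
SAMPLE_FLOWS = [
    (0.0, "192.0.2.10", 40000, "198.51.100.53", 53, 60),     # genuine query
    (0.1, "198.51.100.53", 53, "192.0.2.10", 40000, 220),    # its answer
    (1.0, "203.0.113.1", 53, "192.0.2.10", 31337, 4096),     # unsolicited, max-size
    (1.0, "203.0.113.2", 53, "192.0.2.10", 31337, 4096),
    (1.1, "203.0.113.3", 53, "192.0.2.10", 31337, 4096),
    (1.2, "203.0.113.4", 123, "192.0.2.10", 31337, 440),     # lone NTP reply
]

if __name__ == "__main__":
    for (victim, service), info in find_reflection(SAMPLE_FLOWS, {"192.0.2.10"}).items():
        print(victim, service, info)
```

The `max_reply` field makes the 4096-byte maximum DNS reply from the slide visible in the alert, which helps separate crafted replies from ordinary 3-4x answers.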


Notable Amplification Attack: Spamhaus

• Nine-day volumetric attack

• First to break the ceiling of 100 Gbps

– Attack reached bandwidth of 300 Gbps

• Target: Anti-spam organization providing Internet service

• Attacker: CyberBunker and Sven Olaf Kamphuis

Internet Service Provider


Harder to Detect: Web Stealth Attacks


• More than HTTP floods

• Dynamic IP addresses

– Highly distributed attacks

– Attacks using Anonymizers / Proxy

– Attacks passing CDNs

• Attacks that are being obfuscated by SSL

• Attacks with the ability to pass C/R

• Attacks that use low traffic volume but saturate servers’ resources


Web Stealth Attacks

Attacks on Login Page are Destructive

• Cause a DB search

• Based on SSL

• No load-balancing yet


Implications of Login Page Attacks


Login Page Attacks

Over 40% of organizations experienced a login page attack in 2013


Behind the Scenes of Notable Attacks:

Operation Ababil


“Innocence of Muslims” Movie

July 12, 2012: “Innocence of Muslims” trailer released on YouTube

September 11, 2012: World-wide protest against the movie resulting in the deaths of 50 people

September 18, 2012: Operation Ababil begins


Operation Ababil Background

July 12, 2012: “Innocence of Muslims” trailer released on YouTube

September 11, 2012: World-wide protest against the movie resulting in the deaths of 50 people


Operation Ababil

The cyber attack is an act to stop the movie

First targets: Bank of America, NYSE

Group name is “Izz ad-din Al Qassam cyber fighters”


Operation Ababil Timeline


Operation Ababil Target Organizations

Financial Service Providers


Operation Ababil Attack Vectors


Overcoming HTTP Challenges

Script        302 Redirect Challenge    JS Challenge    Special Challenge
Kamikaze      Pass                      Not pass        Not pass
Kamina        Pass                      Not pass        Not pass
Terminator    Pass                      Pass            Not pass
Kill’emAll    Pass                      Pass            Not pass


Attackers Shorten Time to Bypass Mitigation Tools

[Figure: attack timeline labeled “Peace” Period, Pre-attack Phase, Post-attack Phase]


Fighting Cyber Attacks:

Best Practices


Building the Strategy


• DON’T assume that you’re not a target

• BUILD your protection strategy and tactics

• LEARN from the mistakes of others


Adding Tactics


• Don’t believe the DDoS protection propaganda – Test instead

• Understand the limitations of cloud-based scrubbing solutions

• Not all networking and security appliance solutions were created equal


You Can’t Defend Against Attacks You Can’t Detect

• Encrypted Low & Slow

• Encrypted DoS Vulnerability

• CDN/Proxy/Anonymizer attacks

• Dynamic IP

• Directed Attacks – Exploits

• Scraping and Data Theft

• Ajax and API attacks

[Diagram layers: Application, Server, Front End, Data Center, Perimeter]


You Can’t Defend Against Attacks You Can’t Detect

• Network DDoS

• SYN Floods

• HTTP Floods

[Diagram layers: Application, Server, Front End, Data Center, Perimeter, Cloud Scrubbing]


Thank You