It’s Not Just You! Your Site Looks Down From Here
Santo Hartono, ANZ Country ManagerMarch 2014
Latest Trends in Cyber Security
Radware Global Network and Application Security Report
Slide 3
Radware’s ERT 2013 Cases
• Unique visibility into attacks behavior
• Attacks monitored in real-time on a daily basis
• More than 300 cases analyzed– Customers identity remains
undisclosed
The Threat Landscape
DDoS is the most common attack method!
Attacks last longer
Government and Financial Services are the most attacked vectors
Multi-vector trend continues
Slide 4
DDoS Attacks Results
Public attention
3.5%
Results of one-second delay in Web page loading:
decrease in conversion rate
2.1% decrease in shopping cart size
9.4% decrease in page views
8.3% increase in bounce rate
Source: Strangeloop Networks, Case Study:The impact of HTML delay on mobile business metrics, November 2011
Slide 5
App Misuse
DDoS Attack Vectors
Large volume network flood attacks
Network Scan
Syn Floods
SSL Floods
“Low & Slow” DoS attacks
(e.g.Sockstress)
HTTP Floods
Brute Force
Slide 6
Internet Pipe Firewall IPS/IDS ADC Attacked Server SQL Server
Connection Floods
2013 Attack Tools Trends
Attack Vectors Used
Slide 8
Reflective Amplification Attacks on the Rise
Slide 9
• Easier to create
• Based on UDP protocol– Targeted protocols: DNS, NTP, SNMP
– UDP connectionless nature enables to spoof the IP Address
• Key feature in creating reflective attack
• Obfuscates attacker real identity (IP address)
• Amplification affect: 8 – 650 times larger than originated message
DNS Based Attacks
• Most frequently used attack vector• Amplification affect
– Regular DNS replies - a normal reply is 3-4 times larger than the request
– Researched replies – can reach up to 10 times the original request
– Crafted replies – attacker compromises a DNS server and ensures requests are answered with the maximum DNS reply message (4096 bytes) - amplification factor of up to 100 times
Slide 10
• Nine day volumetric attack• First to break the ceiling of 100 Gbps
– Attack reached bandwidth of 300 Gbps
• Target: Anti-spam organization providing Internet service• Attacker: CyberBunker and Sven Olaf Kamphuis
Internet Service Provider
Notable Amplification Attack: Spamhaus
Slide 11
Harder to Detect: Web Stealth Attacks
Slide 12
• More than HTTP floods• Dynamic IP addresses
– High distributed attack– Attacks using Anonymizers / Proxy– Attacks passing CDNs
• Attacks that are being obfuscated by SSL• Attacks with the ability to pass C/R• Attacks that use low-traffic volume but saturate
servers’ resources
Attacks on Login Page are DestructiveCause a DB searchBased on SSLNo load-balancing yet
Web Stealth Attacks
Slide 13
Implications of Login Page Attacks
Slide 14
Login Page Attacks
Over 40% of organizations have experienced Login Page Attack in 2013
Slide 15
Behind the Scenes of Notable Attacks:
Operation Ababil
“Innocence of Muslims” Movie
July 12, 2012“Innocence of Muslims” trailer released on YouTube
September 11, 2012World-wide protest against the movie resulting in the deaths of 50 people
September 18, 2012Operation Ababil begins
Slide 17
Operation Ababil Background
July 12, 2012“Innocence of Muslims” trailer released on YouTube
September 11, 2012World-wide protest against the movie resulting in the deaths of 50 people
Slide 18
Operation Ababil
The cyber attack is an act to stop the
movie
First targetsBank of America
NYSE
Group name is “Izz ad-din Al Qassam cyber fighters”
Slide 19
Operation Ababil Timeline
Slide 20
Operation Ababil Target Organizations
Financial Service Providers
Slide 21
Operation Ababil Attack Vectors
Slide 22
Overcoming HTTP Challenges
Script 302 Redirect Challenge JS Challenge Special Challenge
Kamikaze Pass Not pass Not pass
Kamina Pass Not pass Not pass
Terminator Pass Pass Not pass
Kill’emAll Pass Pass Not pass
Slide 23
Attackers Shorten Time to Bypass Mitigation Tools
“Peace” Period
Pre-attackPhase
Post-attackPhase
Pre-attackPhase
Post-attackPhase
Slide 24
Fighting Cyber Attacks:
Best Practices
Building the Strategy
Slide 26
• DON’T assume that you’re not a target
• BUILD your protection strategy and tactics
• LEARN from the mistakes of others
Adding Tactics
Slide 27
• Don’t believe the DDoS protection propaganda – Test instead
• Understand the limitations of cloud-based scrubbing solutions
• Not all networking and security appliance solutions were created equal
You Can’t Defend Against Attacks You Can’t Detect
• Encrypted Low & Slow• Encrypted DoS Vulnerability• CDN/Proxy/Anonymizer attacks• Dynamic IP• Directed Attacks – Exploits• Scraping and Data Theft• Ajax and API attacks
Application
Server
Front End
Data Center
Perimeter
Slide 28
You Can’t Defend Against Attacks You Can’t Detect
• Network DDoS• SYN Floods• HTTP Floods
Application
Server
Front End
Data Center
Perimeter
Cloud
Scrubbing
Slide 29
Thank You