DDoS Attacks & Defenses

Size: px

Start display at page:

Download "DDoS Attacks & Defenses"

Marjory Richard
8 years ago
Views:

1 DDoS Attacks & Defenses DDOS(1/2) Distributed Denial of Service (DDoS) attacks form a significant security threat making networked systems unavailable by flooding with useless traffic using large numbers of zombies growing g sophistication of attacks defense technologies struggling to cope 1

2 DDoS(2/2) 2

3 I. Overview of July 7 th DDoS Attack Introduction DDoS attack against Korea and US government and biz web sites caused system failure and connection delay Attack Overview Target Korea and US government and biz sites(bank, e-commerce and portal) Motivation : political propaganda, social disorder (still unknown and under LE investigation) Mechanism Propagate malware through online storage site Embed the predefined target and schedule in malware Typical IRC botnet : real-time connection with C&C servers

4 I. Overview of July 7 th DDoS Attack Attacker Replace download SW with Malware Intermediary Host Block IP Update target site Zombie Army Target list Botnet Size: (over 150,000) Attack target TIME ZONE : GMT+9 (KST) 1 st Attack Phase 7 th Jul 18:00 26 targets Target list Online Storage 6 th July ~ 7 th July Self Destruction Code Malicious code infected Self destruction Self destruction Target list Target list 2 nd Attack Phase 8th Jul 18:00 16 targets IPs Blocked 8 th Jul DDoS 7 th Jul ~ 10 th Jul HDD Destruction 10 th Jul 00:00 ~ DDoS Attack 3 rd Attack Phase 9 th Jul 18:00 7 targets II. Details of July 7 th DDoS Attack Intermediary Hosts Zombie PC Online Storage Infection Initial Infection Code Attack Target Create DDOS Attack Code (+Target List) DDoS Attack Additional Codes flash.gif request Create Code Update Malicious Code hosting flash.gif download wversion.exe update Self Destruction HDD Destruction 4

5 II. Details of July 7 th DDoS Attack 해커 Attacker Online Storage Service Recruiting Zombie Malicious code upload (Replacing dedicate SW) Dedicated SW Recovered(normal) Distribution Server UpdatingMalware Service enlist Dedicated download SW install (Normal) Dedicated SW Mal-code install install (Normal) (tampered dedicate SW) Target list updated HDD destruction code Code update PC Users Dedicated download SW(normal) Malicious code infected (perfvwr.dll, wversion.exe, etc.) Target list update (uregvs.nls) flash.gif (wversion.exe) <NAME>XXXX UPDATE</NAME> <VERSION> </VERSION> <URL> </URL> <NAME>XXXX UPDATE</NAME> <VERSION>1.0.0.l</VERSION> <URL> </URL> II. Details of July 7 th DDoS Attack Online Storage Dupdate3.exe DDoS code -> C:\WINDOWS\system32\ntdll.exe exe -> c:\windows\system32\wmiconf.dll -> c:\windows\system32\pxdrv.nls -> c:\windows\lastgood\system32\npptools.dll -> c:\windows\system32\packet.dll -> c:\windows\system32\wanpacket.dll -> c:\windows\system32\wpcap.dll -> c:\windows\system32\dllcache\npptools.dll -> c:\windows\system32\drivers\npf.sys y Additional -> c:\windows\system32\wmcfg.exe Code Dropper -> c:\windows\system32\wversion.exe -> c:\windows\system32\mstimer.dll HDD Destruction Code update 5

6 II. Details of July 7 th DDoS Attack HDDs in certain Zombie PCs destroyed Destroy all kind of document file and program source file (overwrite and encryption) Overwrite fixed disks MBR with specific value 008F1850 4D 65 6D 6F F E Memory of the In 008F E E dependence Day.. 008F F F F18A F18B UUUUUUUUUUUU 008F18C UUUUUUUUUUUUUUUU 008F18D UUUUUUUUUUUUUUUU 008F18E UUUUUUUUUUUUUUUU 008F18F UUUUUUUUUUUUUUUU 008F UUUUUUUUUUUUUUUU IV. Characteristics of July 7 th Attack Difficulties to respond Small amount of attack traffic generated from zombie Less than 50Kbps of network traffic per PC observed Various attack methods Small amount of UDP/ICMP flooding (about 4% of total attack traffic) Small amount of HTTP request (only 1 ~ 25Kbps of traffic measured) http get flooding varying agent information in the HTTP request header made difficult to filter at victim sites 6

7 IV. Characteristics of July 7 th Attack Exploits Online Storage Service S/W Replace the download S/W with Malware Suspicious situation has monitored but could not analyze abused host Became zombie regardless of security patch installed All PCs installed file download software are infected by malware through software update procedure DDos Monitoring System using Cloud AV AhnLab, Inc. SiHaeng Cho, Director of R & D Center 7

8 Malicious Code Evolution Aggravating into crime Financial motives/organized Targeted attacks Quick & easy to produce variation Zero-Day attack Financial motive Quick infection Curiosity, self-display Slow infection Curiosity, self-display Files Virus Boot Virus LAN Macro Virus Script Virus Internet Worm Spyware Spam Phishing BotNet Rootkit Internet Trojans Social engineering technique Complicated & sophisticated Diversifying y g distribution methods WEB, P2P, USB Multimedia service 15 ~ ~ ~ ~ 7.7 DDoS Attack Flow msiexec1.exe (main) Win-Trojan/Downloader Create A certain IP address pxdrv.nls(encrypted File) Service Provider Create _S3.tmp (wmiconf.dll) Malware Win-Trojan/Agent DL _S4.tmp (wpcap.dll) File Download (Update Target Host) msiexec1.exe msiexec9.exe Win-Trojan/Agent.xxxx _S5.tmp (packet.dll) Create DDoS Attack!!! (30 Threads/Sites) _S6.tmp (wanpacket.dll) _S7.tmp (npf.sys) _S8.tmp (npptools.dll) uregvs.nls BinImage/Host Attack URL/Time/Type If msvcr90.dll exists, _S9.tmp (wmcfg.exe) Malware Win-Trojan/Mydoom wversion.exe (1st) Win32/Mydoom.worm Download flash.gif BinImage/Destroyer Create wversion.exe (Dropper) Win-Trojan/Destroyer Create wversion.exe (2nd) Win-Trojan/Destroyer AM Disk Data Damage mstimer.dll Win32/Mydoom.worm D SPAM Mail Sending 16 8

9 DDoS Attack Evolution 17 Recent DDoS Attack Highlights Criticality of Client Security Anti-DDoS protection alone cannot defeat DDoS attack attempts. A new form of compound attack Compound attack, unlike conventional type of attack, frustrates simple anti-ddos protection arrangement DDoS attack is no longer distinguishable from normal traffic Intelligent attack Scheduler built in malicious codes renders defense ineffective, unless malicious codes are fully analyzed DDoS codes wait in complete ambush even after infection before launching attack at once Damage HW in addition to turning PC into Zombie Defense is not possible unless malicious code designed to damage HW is fixed or prevented from being downloaded in advance Early action intended to keep PC from being turned into Zombie in advance is essential 18 9

10 DDoS Monitoring System 1 Detect abnormal network traffic from a specific file DDoS Monitoring Center 3 Analyze in real time Analyze program information Analyze reputation system 2 Monitor identical events Analyze file activity trend Analyze behavior-based activity Analyze inter-file relation Analyze malicious code Risk information collector distribution path 4 Apply analysis results in real time Early DDoS propagation warning Preemptive DDoS defense Prevent propagation of Zombie PCs Authorities/ ISPs Businesses 19 DDoS Monitoring System Capabilities Detect malicious codes - Analyze program information - Analyze reputation system - Analyze file activity trend - Analyze behavior-based activity - Analyze inter-file relation Statistics-based processing - If network traffic exceeds predefined DDoS threshold, but, whether a file contains malicious codes or not cannot be determined, statistics-base processing is utilized (Ex.: network traffic generated in multiple clients for the same destination exceeds Predefined threshold) File path tracking - Analyze traffic statistics including entity causing network traffic, destination and traffic volume - Trace file distribution path 20 10

11 DDoS Monitoring System Advantages Respond to unknown malicious codes - Employ a variety of diagnostic technologies - Enable real time response prior to vaccine engine update Reduce diagnostic error rate - Reduce diagnostic error rate by determining existence of malicious code in reference to AhnLab Smart Defense Database - Reduce error rate by analyzing on the basis of behavior & statistics Real time update benefits - Update information on new malicious code real time to keep Zombie PCs from multiplying 21 11

12 12

13 13

14 14

15 15

16 16

17 17

18 18

19 19

20 20

21 21

DDos Monitoring System using Cloud AV. 2009.09.30 AhnLab, Inc. SiHaeng Cho, Director of R & D Center

DDos Monitoring System using Cloud AV 2009.09.30 AhnLab, Inc. SiHaeng Cho, Director of R & D Center Table of Contents I. Recent Security Threat Trend II. III. Security Industry Response & Issues AhnLab