Customer Cases Andreas Nordenadler, Sales Manager
CERT-XX Attacks, May 19th and onward
Agenda: Motivation; Attack Campaign Timeline; Attack Vectors; Summary
Motivation
Operation OpXX. May 3rd 2012: the Department of Telecom XX publicly orders all ISPs to block access to file sharing sites like Vimeo, The Pirate Bay, Torrentz etc. Anonymous XX and other hacktivists, being against any internet censorship, react immediately: multiple DoS/DDoS attacks against XX Government sites (Supreme Court, All XX Congress Committee and more).
CERT-XX is targeted. Newspaper XX publishes that CERT-XX is mandated to write reports on the attacks. On May 19th, Anonymous targets CERT-XX and starts a three-day attack campaign. CERT-XX, Computer Emergency Response Team XX, is the national nodal agency for responding to computer security incidents as and when they occur.
Attack Timeline
Thursday May 17th - before the attacks (Day 0)
12:00 Department of Telecom orders ISPs to block file sharing. Supreme Court, All XX Congress Committee and others were hit by a DDoS attack.
16:00 Preliminary contact is made by Radware XX engineers with CERT-XX with respect to this threat (Radware XX initiates contact with CERT-XX).
Attack begins and causes outage. Saturday May 19th - Day I
10:00 CERT-XX website is taken down by Anonymous. The site is down for 4 ½ hours.
14:30 CERT-XX contacts Radware XX personnel.
16:15 Radware XX engineers arrive on site. ERT receives first heads-up. The existing DefensePro AS4 4.X on the CERT-XX site mitigates the HTTP flood and TCP-REST attack successfully (ERT invoked, DP mitigates the attack).
20:00 A new DefensePro ODS2 device is installed at the ISP to protect the pipe, the main reason for the downtime (Radware XX installs new DP-ODS2 device at ISP).
22:00 ERT connects to the device, configures it and mitigates the attack.
Sunday May 20th - Day II
10:00-17:00 Attacks intensify: higher rate of HTTP floods and PSH+ACK garbage floods. ERT continuously monitors and optimizes protections on DefensePro per new attack vectors. Attack mitigated by DefensePro and ERT.
Monday May 21st - Day III
10:00-17:00 Attacks continue. DefensePro automatically mitigates the attacks. Attacks mitigated by DefensePro.
Attack continues; mitigation is automatic, no ERT invocation. The end (so far).
Attack Vectors
Attack Vector I: TCP Garbage Flood
Attack Vector: PSH+ACK Garbage Flood, port 80
Description: TCP PSH+ACK packets that contain garbage data; no initiation of a proper TCP handshake; ~120 PPS from a single attacker
Impact: Bandwidth saturation of the pipe, and the IPS crashes; port 80 traverses the security devices along the way
Mitigation: Out-of-state (OOS) protection; IPS signatures (garbage data)
Attack Vector II: HOIC HTTP Flood
Attack Vector: HOIC HTTP Flood
Description: HTTP requests (including references) loop every ~30-60 secs; HTTP header values change between sources (use of a booster)
Impact: Exhausts web server resources as well as bandwidth
Mitigation: JS web cookies; blacklist
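The "JS web cookies" and "Blacklist" mitigations listed for the HOIC flood work together: the device answers an uncookied request with a tiny script that sets a cookie and reloads, a real browser executes it and passes on the retry, and a source that keeps leaving challenges unanswered is blacklisted. The following is an added example of that logic, not code from the deck or from any Radware product; the secret, cookie name, time bucket, thresholds and the two simulated clients are assumptions.

```python
"""JavaScript cookie challenge with a fall-through blacklist (added example).

Assumptions: SECRET is a per-deployment secret, tokens are bound to the client
IP and a 600-second time bucket, and 20 unanswered challenges get an IP blacklisted.
"""
import hashlib
import hmac
import re
from collections import defaultdict

SECRET = b"replace-with-a-per-deployment-secret"   # assumption
COOKIE = "__chal"
BUCKET = 600            # seconds a token stays valid (current and previous bucket accepted)
MAX_UNANSWERED = 20     # challenges one IP may leave unanswered before it is blacklisted


def make_token(ip, bucket):
    """HMAC over client IP and time bucket; a client cannot forge it without SECRET."""
    msg = f"{ip}|{bucket}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def token_is_valid(ip, token, now):
    """Accept the current bucket and the previous one so a cookie survives a bucket rollover."""
    b = int(now // BUCKET)
    return any(hmac.compare_digest(token, make_token(ip, x)) for x in (b, b - 1))


class ChallengeGate:
    def __init__(self):
        self.unanswered = defaultdict(int)   # ip -> challenges served without a valid reply
        self.blacklist = set()

    def handle(self, ip, cookies, now):
        """Return (status, body). Requests pass to the origin once the cookie is presented."""
        if ip in self.blacklist:
            return 403, b"blocked"
        if token_is_valid(ip, cookies.get(COOKIE, ""), now):
            self.unanswered[ip] = 0
            return 200, b"<h1>origin content</h1>"
        self.unanswered[ip] += 1
        if self.unanswered[ip] > MAX_UNANSWERED:
            self.blacklist.add(ip)
            return 403, b"blocked"
        tok = make_token(ip, int(now // BUCKET))
        # A browser runs this, stores the cookie and retries; HOIC-style tools do not execute JS.
        # 503 (not 200) so caches and crawlers never treat the challenge page as content.
        body = (f'<script>document.cookie="{COOKIE}={tok}; path=/";'
                'location.reload();</script>')
        return 503, body.encode()


def browser_session(gate, ip, now=1_000_000.0):
    """Simulated JS-capable client: runs the challenge script, then retries with the cookie."""
    status, body = gate.handle(ip, {}, now)
    m = re.search(COOKIE.encode() + rb"=([0-9a-f]+)", body)
    cookies = {COOKIE: m.group(1).decode()} if m else {}
    return status, gate.handle(ip, cookies, now + 1)[0]


def bot_session(gate, ip, requests, now=1_000_000.0):
    """Simulated flooder: repeats the request and never stores the cookie."""
    return [gate.handle(ip, {}, now + i)[0] for i in range(requests)]


if __name__ == "__main__":
    g = ChallengeGate()
    print("browser:", browser_session(g, "192.0.2.5"))          # (503, 200)
    print("bot:", bot_session(g, "203.0.113.7", 25)[-1], "after", len(g.blacklist), "blacklisted")
```

Two caveats a deployment has to carry: binding the token to the source IP means clients behind one NAT share a challenge budget, so MAX_UNANSWERED must be sized for that, and the check only filters clients that cannot run JavaScript; a headless browser passes it and has to be caught by rate limits or behavioral analysis instead.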
Attack Vector III: Slowloris
Attack Vector: Slowloris attack
Description: Slow HTTP DoS tool sending incomplete HTTP requests; sends one CRLF at the end of the HTTP request headers (instead of two); very little computing resources required on the attacker's side
Impact: Web server time out
Mitigation: IPS signatures
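The detail that matters for defending against Slowloris is the missing second CRLF: the header block never terminates, so a server that resets its timeout on every received byte keeps the worker occupied indefinitely. The check below is an added example, not the deck's or any product's code; it measures the deadline from connection open rather than from the last byte, closes requests whose headers have not completed in time, and flags a source that holds many such half-open requests at once. The deadline, per-source limit and the sample connections are assumptions.

```python
"""Slow-header (Slowloris-style) connection monitor over constructed events (added example).

Assumptions: a 10-second deadline for the full header block counted from connection
open, 20 concurrent incomplete requests per source as the block threshold, and an
8 KiB header cap.
"""
from collections import defaultdict

HEADER_END = b"\r\n\r\n"   # the empty line that terminates an HTTP header block


class SlowHeaderMonitor:
    def __init__(self, header_deadline=10.0, per_source_limit=20, max_header_bytes=8192):
        self.header_deadline = header_deadline
        self.per_source_limit = per_source_limit
        self.max_header_bytes = max_header_bytes
        self.conns = {}   # conn_id -> {"src", "opened", "buf", "complete"}

    def opened(self, conn_id, src, now):
        self.conns[conn_id] = {"src": src, "opened": now, "buf": b"", "complete": False}

    def received(self, conn_id, chunk, now):
        """Feed bytes read from the socket; return True once the header block is complete."""
        c = self.conns[conn_id]
        if c["complete"]:
            return True
        c["buf"] += chunk
        # Deliberately no "last activity" timestamp: trickled junk headers must not extend the deadline.
        if HEADER_END in c["buf"]:
            c["complete"] = True
        return c["complete"]

    def sweep(self, now):
        """Periodic check. Return (conn_ids to close, sources to block)."""
        to_close = set()
        pending = defaultdict(int)
        for cid, c in self.conns.items():
            if c["complete"]:
                continue
            pending[c["src"]] += 1
            if now - c["opened"] > self.header_deadline or len(c["buf"]) > self.max_header_bytes:
                to_close.add(cid)
        to_block = {src for src, n in pending.items() if n >= self.per_source_limit}
        for cid in to_close:
            del self.conns[cid]
        return to_close, to_block


def sample_scenario():
    """Constructed scenario: one legitimate request and 25 slow connections from one source."""
    m = SlowHeaderMonitor()
    m.opened("legit", "192.0.2.5", 0.0)
    m.received("legit", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", 0.1)
    for i in range(25):
        cid = f"slow{i}"
        m.opened(cid, "203.0.113.7", 0.0)
        m.received(cid, b"GET / HTTP/1.1\r\nHost: example.test\r\n", 0.2)
        for k in range(1, 3):
            # keep-alive junk header every 5 s, still one CRLF short of terminating the block
            m.received(cid, b"X-a: b\r\n", 0.2 + 5 * k)
    return m


if __name__ == "__main__":
    mon = sample_scenario()
    closed, blocked = mon.sweep(12.0)
    print(f"closed {len(closed)} half-open requests, block sources {sorted(blocked)}")
```

A real server applies the same rule per worker (Apache's RequestReadTimeout or nginx's client_header_timeout express the deadline half of it); the per-source count is what turns a timeout into a block decision rather than an endless churn of reopened sockets.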
Attack Vector IV: Network Scans
Attack Vector: TCP, UDP, ICMP network scans
Description: Network scans intended to identify hosts and services
Impact: Exhausts web server resources as well as bandwidth
Mitigation: Anti-Scanning Protection (ICMP, UDP and TCP scans detected by DP)
Attacks seen in Vision Sonar. Green: intrusion attack (Slowloris); Pink: DDoS attacks (SYN floods); White: packet anomalies (non-RFC-compliant or out-of-state packets).
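Both the out-of-state protection named against the PSH+ACK garbage flood (Attack Vector I) and the anti-scanning protection named here rest on the same stateful view of traffic, so one added example covers both. It is not the deck's or Radware's code: a small classifier over a constructed packet trace that tracks the three-way handshake per 4-tuple, reports PSH+ACK segments on connections that never completed one when their rate from a source is high, and reports a source that touches many distinct destination ports in a short window. Record fields, thresholds and the sample trace are assumptions.

```python
"""Out-of-state PSH+ACK and port-scan detection over a constructed packet trace (added example).

Assumptions: 50 out-of-state PSH+ACK per second from one source counts as a flood,
20 distinct (host, port) targets from one source within 10 s counts as a scan.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float          # seconds
    proto: str         # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""    # TCP flags as letters: "S", "SA", "A", "PA", ...
    payload: bytes = b""


def _peak_count(stamps, width):
    """Largest number of events falling inside any interval of `width` seconds."""
    stamps = sorted(stamps)
    best = lo = 0
    for hi, t in enumerate(stamps):
        while t - stamps[lo] > width:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def _peak_distinct(events, width):
    """Largest number of distinct keys among (ts, key) events inside any `width`-second window."""
    events = sorted(events)
    counts = Counter()
    best = lo = 0
    for hi, (t, key) in enumerate(events):
        counts[key] += 1
        while t - events[lo][0] > width:
            old = events[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def detect(packets, oos_rate_pps=50, scan_targets=20, scan_window=10.0):
    """Return {src: findings}; a source absent from the result raised nothing."""
    syn_seen, synack_seen, established = set(), set(), set()
    oos = defaultdict(list)        # src -> timestamps of PSH+ACK outside an established connection
    touched = defaultdict(list)    # src -> [(ts, (dst, dport))]
    findings = defaultdict(dict)

    for p in sorted(packets, key=lambda x: x.ts):
        if p.proto == "tcp":
            fwd = (p.src, p.sport, p.dst, p.dport)
            rev = (p.dst, p.dport, p.src, p.sport)
            if p.flags == "S":
                syn_seen.add(fwd)
            elif p.flags == "SA" and rev in syn_seen:
                synack_seen.add(rev)
            elif p.flags == "A" and fwd in synack_seen:
                established.update((fwd, rev))
            elif "P" in p.flags and "A" in p.flags and fwd not in established:
                oos[p.src].append(p.ts)       # data segment with no handshake behind it
        touched[p.src].append((p.ts, (p.dst, p.dport)))

    for src, stamps in oos.items():
        peak = _peak_count(stamps, 1.0)
        if peak >= oos_rate_pps:
            findings[src]["oos_psh_ack_pps"] = peak
    for src, ev in touched.items():
        peak = _peak_distinct(ev, scan_window)
        if peak >= scan_targets:
            findings[src]["scan_targets"] = peak
    return dict(findings)


def sample_trace():
    """Constructed trace: a legitimate client, a PSH+ACK flooder and a port scanner."""
    srv = "198.51.100.10"
    pk = [Pkt(0.00, "tcp", "192.0.2.5", srv, 40000, 80, "S"),
          Pkt(0.01, "tcp", srv, "192.0.2.5", 80, 40000, "SA"),
          Pkt(0.02, "tcp", "192.0.2.5", srv, 40000, 80, "A"),
          Pkt(0.03, "tcp", "192.0.2.5", srv, 40000, 80, "PA", b"GET / HTTP/1.1\r\n")]
    # flooder: 120 PSH+ACK garbage segments in one second, no handshake (the ~120 PPS of the slide)
    pk += [Pkt(1.0 + i / 120, "tcp", "203.0.113.7", srv, 50000 + i, 80, "PA", b"\x00" * 64)
           for i in range(120)]
    # scanner: SYN probes to 30 different ports on the same host
    pk += [Pkt(2.0 + i * 0.05, "tcp", "203.0.113.9", srv, 41000, 1 + i, "S") for i in range(30)]
    return pk


if __name__ == "__main__":
    for src, f in detect(sample_trace()).items():
        print(src, f)
```

The handshake table is what keeps the legitimate client out of the findings: its PSH+ACK follows a SYN, SYN-ACK and ACK on the same 4-tuple, while every flooder segment arrives on a tuple the device has never seen complete, which is exactly the out-of-state condition the slide names.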
Summary
Full Spectrum Technology to mitigate multi-vector attacks: BODS; Out-of-State; SYN Protection; IPS Signatures; DME (DoS Mitigation Engine) blocks 2M PPS. ERT: quick security deployment; detects new attack vectors; detects new weak points (router, DefensePro sizing).
Business Impact. CERT-XX original budget: 1 DP AS4. Budget change after the attack: 2 DP ODS3, 1 Vision.
Public Conclusions from CERT-XX, Countermeasures
Scandinavian Hosting Company
WikiLeaks Revenge Attacks
Background. In December 2010, WikiLeaks came under intense pressure to stop publishing secret United States diplomatic cables. Corporations such as Amazon, PostFinance, MasterCard and Visa either stopped working with or froze donations to WikiLeaks, apparently bowing to political pressure.
Operation Payback. In response, members of the Anonymous group (the people behind Operation Payback) made available a relatively simple-to-use tool to quickly direct a Distributed Denial-of-Service (DDoS) attack against any company that was perceived to be conspiring against WikiLeaks. Most of the targeted sites experienced major service disruptions resulting in multi-hour business outages.
Operation Payback Initial Target Set
From the news
Distributing attack tools and coordination (diagram): the coordinator sends updates over Twitter; hacktivists obtain the LOIC attack tool over the Internet.
Coordinated attacks (diagram): coordinator; several LOIC attack tools; Internet; public web servers; legitimate user.
Multi-vector attacks. Network DDoS attacks: high PPS SYN flood and UDP flood attacks (up to 8M packets per second); oversized UDP frames; connection flood attacks. Application DDoS attacks: HTTP page request floods; HTTP data floods; Slowloris. (Diagram: several LOIC attack tools, Internet, public web servers, legitimate user.)
Why are the attacks so challenging? Attacks: high PPS attacks; oversized UDP frames; fragmented and corrupted UDP frames; connection flood attacks; HTTP page flood attacks; Slowloris. Impact (equipment bottlenecks): consume network bandwidth; consume equipment resources; consume TCP stack resources; consume server resources.
Mapping protection measures. High PPS attacks: DoS protection. Oversized UDP frames: DoS protection. Fragmented and corrupted UDP frames: DoS protection. Connection flood attacks: IPS. HTTP page flood attacks: NBA. Slowloris: IPS. No single protection tool can handle today's emerging network threats.
Anti-DoS for MSSPs
Deployment: Scrubbing Center. Unique capabilities for Scrubbing Center deployments: full coverage against all types of DoS attacks (packet and bandwidth attacks, application DDoS attacks, directed DoS attacks); best SLA: time to protect is immediate (in seconds); multi-tenant reporting engine; management and SEM; Attack Mitigation System.
MSSP Customer Case. Business requirements: offer value-added DDoS protection for their hosted data center customers. Why AMS? Best and proven coverage against all types of DDoS attacks; most accurate attack detection and mitigation; advanced reporting per customer. About the customer: a major telecommunications provider in North America, over $15 billion revenue (2010).
Managed Security Service Providers (MSSP) Solutions
MSSP Landscape
The Service Provider Angle:
- Many new and sophisticated attacks (application and network) impact famous companies. Business impact is very clear!
- Customer awareness: no need to educate, risks understood.
- Customers (even large enterprises) can't afford and/or don't understand how to cope.
- Business opportunity for the service providers! Network-based service. How to guarantee SLA?
The Customer Angle:
- Require portal-based access, dedicated reports and real-time alerts. False positives!
Deployment: Out-of-path Scrubbing Center. Unique capabilities for Scrubbing Center deployments: full coverage against all types of DoS attacks (packet and bandwidth attacks, application DDoS attacks, directed attacks); best SLA: time to protect is immediate (in seconds); multi-tenant reporting engine; management and SEM; Attack Mitigation System.
MSSP: Radware's Unique Value Proposition. Differentiated protection: superior attack coverage (SSL, HTTP, DNS, application floods/direct attacks, WAF). Transparent (wire) out-of-path deployment; key point: BGP redirection and GRE/LSP backhaul. Multi-tenant reporting. Best cost/performance ratio in the industry. ERT (Emergency Response Team)!
ERT Case Studies Cyber Attacks
Robin Hoods or Criminals? SONY example: a massive DoS attack taking down the PlayStation Network for hours, initiated after Sony filed a lawsuit against the hacker who broke the PS3 protection mechanism. During the attack, credit card data of millions of users was stolen. Anonymous involvement was partially denied.
Robin Hoods or Criminals? Sic Semper Tyrannis: a long campaign against the Vatican web infrastructure. It started with a failed attempt to hack Vatican systems and databases and continued as a massive DoS attack lasting for days, in repeating waves.
Robin Hoods or Criminals? Russian Presidential Elections: during election time in Russia, first for the Duma and then for the Presidency, DDoS attacks hit protestors' blogs, parties' websites, reporting websites etc. "It can't be long before we observe a DDoS attack between two political parties based on one and the same botnet." - Eugene Kaspersky (blog)
Course of Events
January 3rd: Saudi hacker 0xOmar leaks tens of thousands of Israeli credit card numbers and other sensitive personal information.
January 16th, early morning: 0xOmar and the Pro-Palestinian Nightmare hacker group send an email to the Jerusalem Post threatening to attack the EL-AL website. 9:30 AM: the EL-AL, Tel-Aviv Stock Exchange, First International Bank of Israel and Discount Bank websites are attacked and are unavailable for hours.
January 17th: Israeli hacker group IDF-Team retaliates by attacking the Saudi and UAE stock exchange websites.
January 18th: More Israeli websites targeted: Bank of Israel website under attack.
Israeli sites under attack. In the following weeks, dozens of Israeli web sites were attacked by Pro-Palestinian hacker groups. A cyber war emerged.
Verified Attackers. Conclusions: the attacks were highly distributed, generated by an international collective or a botnet; Geo-IP blocking is rendered useless.
Aftermath. Major banks and government sites were actively protected by Radware AMS and ERT. To fully protect online businesses you need: DDoS protection from the service provider, based on Radware AMS, to remove volumetric network attacks; and on-premises anti-DoS and behavioral analysis, based on Radware AMS, to remove the application flood attacks and directed DoS attacks.
Radware end-to-end mitigation solution fighting the DDoS threat
Thank You www.radware.com