DDoS Attacks & Defenses


DDoS (1/2)
- Distributed Denial of Service (DDoS) attacks form a significant security threat: they make networked systems unavailable by flooding them with useless traffic from large numbers of zombies.
- The sophistication of attacks keeps growing, and defense technologies are struggling to cope.

DDoS (2/2)
- Workshop program: http://caislab.kaist.ac.kr/77ddos/program.html

I. Overview of the July 7th DDoS Attack

Introduction
- A DDoS attack against Korean and US government and business web sites caused system failures and connection delays.

Attack overview
- Target: Korean and US government and business sites (banks, e-commerce and portals)
- Motivation: political propaganda, social disorder (still unknown and under law-enforcement investigation)
- Mechanism:
  - Propagate the malware through an online storage site
  - Embed the predefined target list and attack schedule in the malware (compare a typical IRC botnet, which keeps a real-time connection with its C&C servers)

I. Overview of the July 7th DDoS Attack (time zone: GMT+9, KST)

Attack flow
- Attacker: replaces the download SW on an online storage site with malware (6th July ~ 7th July).
- Zombie army: PCs infected by the malicious code, each carrying a target list; botnet size over 150,000.
- Intermediary hosts: update the target list on the zombies; their IPs were blocked on 8th Jul.
- 1st attack phase: 7th Jul 18:00, 26 targets
- 2nd attack phase: 8th Jul 18:00, 16 targets
- 3rd attack phase: 9th Jul 18:00, 7 targets
- DDoS attack: 7th Jul ~ 10th Jul
- Self-destruction code / HDD destruction: from 10th Jul 00:00

II. Details of the July 7th DDoS Attack

Infection and attack chain
- Online storage -> zombie PC: initial infection code
- Intermediary hosts -> zombie PC: create the DDoS attack code (+ target list); update the malicious code (flash.gif request, flash.gif download from the code-hosting host, wversion.exe update)
- Zombie PC -> attack target: DDoS attack
- Additional codes on the zombie: self destruction, HDD destruction

II. Details of the July 7th DDoS Attack

Recruiting zombies through the online storage service
- Attacker: uploads malicious code to the online storage service, replacing the service's dedicated download SW with a tampered copy.
- Service enlist / distribution server: PC users install the dedicated download SW (normal); users who received the tampered copy install the malicious code instead (perfvwr.dll, wversion.exe, etc.). The dedicated SW was later recovered to normal.
- Malware updating: the target list is updated (uregvs.nls); the HDD destruction code is delivered as flash.gif (wversion.exe).

Update manifest seen by the dedicated download SW (normal copy and tampered copy, as transcribed):

    <NAME>XXXX UPDATE</NAME>
    <VERSION>1.0.0.1</VERSION>
    <URL>http://update.xxxx.co.kr/mmsv/DUpdate.exe </URL>

    <NAME>XXXX UPDATE</NAME>
    <VERSION>1.0.0.l</VERSION>
    <URL>http://update.xxxx.co.kr/mmsv/DUpdate.exe </URL>

Files dropped by Dupdate3.exe (from the online storage)
- DDoS code: C:\WINDOWS\system32\ntdll.exe -> c:\windows\system32\wmiconf.dll, c:\windows\system32\pxdrv.nls, c:\windows\lastgood\system32\npptools.dll, c:\windows\system32\packet.dll, c:\windows\system32\wanpacket.dll, c:\windows\system32\wpcap.dll, c:\windows\system32\dllcache\npptools.dll, c:\windows\system32\drivers\npf.sys
- Additional code dropper: c:\windows\system32\wmcfg.exe -> c:\windows\system32\wversion.exe, c:\windows\system32\mstimer.dll
- HDD destruction code update

II. Details of the July 7th DDoS Attack

HDDs in certain zombie PCs destroyed
- Destroys all kinds of document files and program source files (overwrite and encryption)
- Overwrites the MBR of fixed disks with a specific value:

    008F1850  4D 65 6D 6F 72 79 20 6F 66 20 74 68 65 20 49 6E  Memory of the In
    008F1860  64 65 70 65 6E 64 65 6E 63 65 20 44 61 79 00 00  dependence Day..
    008F1870  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    008F1880  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    008F1890  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    008F18A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    008F18B0  00 00 00 00 55 55 55 55 55 55 55 55 55 55 55 55  ....UUUUUUUUUUUU
    008F18C0  55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
    008F18D0  55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
    008F18E0  55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
    008F18F0  55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
    008F1900  55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU

IV. Characteristics of the July 7th Attack

Difficulties in responding
- Small amount of attack traffic generated per zombie: less than 50 Kbps of network traffic per PC observed
- Various attack methods: a small amount of UDP/ICMP flooding (about 4% of total attack traffic) and a small amount of HTTP requests (only 1 ~ 25 Kbps of traffic measured)
- HTTP GET flooding that varies the agent information in the HTTP request header made filtering difficult at the victim sites
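An added example (not from the slides) of why the traffic profile above is hard to filter per source: each zombie stays under a per-IP rate limit and rotates its User-Agent, so only an aggregate per-site view and a per-source User-Agent count reveal the flood. The request records and all thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: one 1-second window of GET requests to a single victim
# site, as (source_ip, user_agent_header, request_bytes). Zombies 10.0.0.1-4
# each send a few requests with rotating User-Agents; 10.0.0.5 is an ordinary
# visitor with one browser string.
SAMPLE = [
    ("10.0.0.1", "Mozilla/4.0 (compatible; MSIE 6.0)", 1200),
    ("10.0.0.1", "Mozilla/5.0 (Windows NT 5.1)", 1200),
    ("10.0.0.1", "Opera/9.64", 1100),
    ("10.0.0.2", "Mozilla/4.0 (compatible; MSIE 7.0)", 1300),
    ("10.0.0.2", "Mozilla/5.0 (X11; Linux)", 1300),
    ("10.0.0.3", "Mozilla/4.0 (compatible; MSIE 6.0)", 1000),
    ("10.0.0.3", "Mozilla/5.0 (Macintosh)", 1000),
    ("10.0.0.3", "Lynx/2.8", 1000),
    ("10.0.0.4", "Mozilla/5.0 (Windows NT 6.0)", 1400),
    ("10.0.0.4", "Mozilla/4.0 (compatible; MSIE 8.0)", 1400),
    ("10.0.0.5", "Mozilla/5.0 (Windows NT 5.1; rv:1.9)", 2000),
    ("10.0.0.5", "Mozilla/5.0 (Windows NT 5.1; rv:1.9)", 2000),
]


def bytes_per_source(records):
    total = defaultdict(int)
    for ip, _ua, nbytes in records:
        total[ip] += nbytes
    return dict(total)


def kbps(nbytes, window_s):
    return nbytes * 8 / 1000 / window_s


def distinct_user_agents(records):
    uas = defaultdict(set)
    for ip, ua, _nbytes in records:
        uas[ip].add(ua)
    return {ip: len(s) for ip, s in uas.items()}


def classify(records, window_s=1.0, per_ip_limit=50, site_limit=100, ua_limit=2):
    """Hypothetical thresholds: Kbps per source, Kbps per site, and distinct
    User-Agent strings per source. Returns what each view sees."""
    per_src = bytes_per_source(records)
    loud = sorted(ip for ip, b in per_src.items() if kbps(b, window_s) >= per_ip_limit)
    site_rate = kbps(sum(per_src.values()), window_s)
    rotators = sorted(ip for ip, n in distinct_user_agents(records).items() if n >= ua_limit)
    return {
        "loud_sources": loud,                    # per-IP rule: nothing trips (each < 50 Kbps)
        "site_kbps": round(site_rate, 1),
        "site_flood": site_rate >= site_limit,   # only the aggregate view sees the flood
        "ua_rotators": rotators,                 # sources varying the User-Agent header
    }
```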

IV. Characteristics of the July 7th Attack

Exploits the online storage service software
- Replaced the service's download SW with malware
- A suspicious situation had been monitored, but the abused host could not be analyzed
- PCs became zombies regardless of the security patches installed
- All PCs with the file download software installed were infected by the malware through the software update procedure

DDoS Monitoring System using Cloud AV
2009.09.30, AhnLab, Inc., SiHaeng Cho, Director of R&D Center

Malicious Code Evolution
- Eras: ~1995 / 1996 ~ 2000 / 2001 ~ 2005 / 2006 ~
- Malicious code types, earliest to latest: file virus, boot virus, LAN, macro virus, script virus, Internet worm, spyware, spam, phishing, botnet, rootkit, Internet Trojans
- Motivation and spread, earliest to latest: curiosity and self-display with slow infection; curiosity and self-display with quick infection; financial motive, zero-day attacks, variants quick and easy to produce; aggravating into crime, financial and organized motives, targeted attacks
- Recent characteristics: social engineering techniques; complicated and sophisticated code; diversifying distribution methods (Web, P2P, USB, multimedia services)

7.7 DDoS Attack Flow
- msiexec1.exe (main), Win-Trojan/Downloader.374651:
  - Creates pxdrv.nls (encrypted file holding a certain IP address of the service provider)
  - Creates _S3.tmp (wmiconf.dll), Win-Trojan/Agent.67072.DL
  - Creates _S4.tmp (wpcap.dll), _S5.tmp (packet.dll), _S6.tmp (wanpacket.dll), _S7.tmp (npf.sys), _S8.tmp (npptools.dll)
- File download from the update target host: msiexec1.exe, msiexec9.exe, Win-Trojan/Agent.xxxx
- uregvs.nls, BinImage/Host: attack URL/time/type -> DDoS attack (30 threads per site)
- If msvcr90.dll exists: _S9.tmp (wmcfg.exe), Win-Trojan/Mydoom.88064
- wversion.exe (1st), Win32/Mydoom.worm.33764: downloads flash.gif (BinImage/Destroyer); creates wversion.exe (dropper), Win-Trojan/Destroyer.40960; creates wversion.exe (2nd), Win-Trojan/Destroyer.37264 -> disk data damage on 09.07.10 00 AM
- mstimer.dll, Win32/Mydoom.worm.45056.D: spam mail sending

DDoS Attack Evolution

Recent DDoS attack highlights the criticality of client security
- Anti-DDoS protection alone cannot defeat DDoS attack attempts.
- A new form of compound attack: unlike conventional attacks, a compound attack frustrates simple anti-DDoS protection arrangements; the DDoS attack is no longer distinguishable from normal traffic.
- Intelligent attack: a scheduler built into the malicious code renders defense ineffective unless the malicious code is fully analyzed; the DDoS code waits in complete ambush after infection, then all zombies launch the attack at once.
- Damages HW in addition to turning the PC into a zombie: defense is not possible unless the malicious code designed to damage HW is fixed or prevented from being downloaded in advance.
- Early action to keep PCs from being turned into zombies is essential.

DDoS Monitoring System
1. Detect abnormal network traffic from a specific file on the client.
2. Monitor identical events; the risk information collector gathers the malicious code distribution path.
3. Analyze in real time at the DDoS Monitoring Center: analyze program information, the reputation system, the file activity trend, behavior-based activity, inter-file relations and the malicious code itself.
4. Apply the analysis results in real time: early DDoS propagation warning, preemptive DDoS defense and prevention of zombie PC propagation, shared with authorities/ISPs and businesses.

DDoS Monitoring System Capabilities
- Detect malicious codes: analyze program information; analyze the reputation system; analyze the file activity trend; analyze behavior-based activity; analyze inter-file relations
- Statistics-based processing: if network traffic exceeds the predefined DDoS threshold but it cannot be determined whether the file contains malicious code, statistics-based processing is used (e.g. network traffic generated by multiple clients toward the same destination exceeds a predefined threshold)
- File path tracking: analyze traffic statistics including the entity causing the network traffic, the destination and the traffic volume; trace the file distribution path
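An added example (not AhnLab's code) of the statistics-based processing described above: client reports name the file generating traffic and its destination; a file with a known-malicious verdict is flagged directly, while a file the engine cannot classify is flagged only when enough distinct clients send traffic through it to the same destination. Report records, verdict labels and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed endpoint reports, one per client and file:
# (client_id, file_label, destination_ip, kbps_to_destination, av_verdict)
# av_verdict is what the engine can say about the file: "clean", "malicious"
# or "unknown" (no signature yet).
REPORTS = [
    ("pc-01", "file-A", "203.0.113.10", 20, "unknown"),
    ("pc-02", "file-A", "203.0.113.10", 18, "unknown"),
    ("pc-03", "file-A", "203.0.113.10", 25, "unknown"),
    ("pc-04", "file-A", "203.0.113.10", 22, "unknown"),
    ("pc-05", "file-B", "198.51.100.7", 900, "clean"),    # one busy client, known-clean file
    ("pc-06", "file-C", "203.0.113.10", 15, "unknown"),   # a single client: too few to judge
    ("pc-07", "file-D", "192.0.2.5", 30, "malicious"),    # a signature already exists
    ("pc-08", "file-A", "203.0.113.10", 3, "unknown"),    # below the per-client threshold
]


def evaluate(reports, client_threshold_kbps=10, min_clients=3):
    """Hypothetical thresholds: a report counts only if the client's traffic
    exceeds client_threshold_kbps; an unknown file is flagged when at least
    min_clients send traffic with it to the same destination.
    Returns (file, destination, reason, client_count, total_kbps) tuples."""
    groups = defaultdict(lambda: {"clients": set(), "kbps": 0, "verdicts": set()})
    for client, label, dest, rate, verdict in reports:
        if rate < client_threshold_kbps:
            continue                      # traffic does not exceed the DDoS threshold
        g = groups[(label, dest)]
        g["clients"].add(client)
        g["kbps"] += rate
        g["verdicts"].add(verdict)
    alerts = []
    for (label, dest), g in sorted(groups.items()):
        n = len(g["clients"])
        if "malicious" in g["verdicts"]:
            alerts.append((label, dest, "known-malicious", n, g["kbps"]))
        elif "unknown" in g["verdicts"] and n >= min_clients:
            # statistics-based: same unknown file, same destination, many clients
            alerts.append((label, dest, "statistical", n, g["kbps"]))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(REPORTS):
        print(alert)
```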

DDoS Monitoring System Advantages
- Respond to unknown malicious codes: employ a variety of diagnostic technologies; enable real-time response prior to the vaccine engine update
- Reduce the diagnostic error rate: determine the existence of malicious code by reference to the AhnLab Smart Defense Database; analyze on the basis of behavior and statistics
- Real-time update benefits: update information on new malicious code in real time to keep zombie PCs from multiplying