With cyber-attacks becoming a growing concern for organizations, availability-based attacks, also known as Denial of Service or Distributed Denial of Service attacks, have long moved from a form of cyber protest to a destructive weapon that is used by cyber criminals, hacktivists and even governments. In 2013 we saw a growing use of a new type of attack where attackers used legitimate transactions to saturate application servers’ resources. In this presentation, Security Expert Werner Thalmeier demonstrates how such an advanced attack can be created from a laptop running in an anonymous public WiFi network. He also evaluates the attack landscape and its impact on organizations as well as shares the best practices to protect against such cyber-attacks. Understand the current availability-based threat landscape and learn about new types of cyber-attacks that are being used to saturate resources. For more information on the state of Application and Network Security, please visit: http://www.radware.com/ert-report-2013/

1. The Art of Cyber War
Werner Thalmeier – Director Security Solutions EMEA & CALA

2. The Art of War is an ancient Chinese military treatise attributed to Sun Tzu, a high-ranking military general, strategist and tactician. It is commonly known to be the definitive work on military strategy and tactics, and for the last two thousand years has remained the most important military dissertation in Asia. It has had an influence on Eastern and Western military thinking, business tactics, legal strategy and beyond. Leaders as diverse as Mao Zedong and General Douglas MacArthur have drawn inspiration from the work.
Many of its conclusions remain valid today in the cyber warfare era.
孫子兵法

3. 3
知彼知己，百戰不殆
If you know the enemy and know yourself, you need not fear the result of a hundred battles.
Notable DDoS Attacks in the Last 12 Months

4. Feb/July 2013
USA
Operation Ababil
Targeting financial institutions
July 2013
Colombia
The Colombian Independence Day Attack
March 2013
The Netherlands
Spamhaus
The biggest DDoS attack ever
August 2013
Syria
Syrian Electronic Army attacking US media outlets
November 2013
Ukraine & Baltic Countries
Operation “Opindependence”
June 2013
South Korea
South Korea governement websites under attacks

5. Variation of Tactics 九變
The Army on the March 行軍
Illusion & Reality 虛實
The Use of Intelligence 用間
Laying Plans 始計

6. Volumetric attacks
Network & Stateful attacks
Application attacks
App Misuse
6
Attackers Deploy Multi-vulnerability Attack Campaigns
High Bandwidth or PPS Network flood attacks
Network Scan
Syn Floods
SSL Floods
HTTP Floods
Brute Force
Internet Pipe Firewall IPS/IDS ADC Attacked Server SQL Server
SQL Injection
Cross Site Scripting
Intrusions
“Low & Slow” DoS attacks (e.g.Sockstress)
More than 50% of 2013 attack campaigns had more than 5 attack vectors.
Source: Radware 2013 ERT Report

7. 7
Hacktivism – Move To Campaign-APT Oriented
•Complex: More than seven different attack vectors at once
•Blending: Both network and application attacks
•Targeteering: Select the most appropriate target, attack tools
•Resourcing: Advertise, invite, coerce anyone capable
•Testing: Perform short “proof-firing” prior to the attack
•Timeline: Establish the most painful time period for his victim

8. Sophistication
2013
2010
2011
2012
• Duration: 3 Days
• 4 attack vectors
• Attack target: Visa, MasterCard
• Duration: 3 Days
• 5 attack vectors
• Attack target: HKEX
• Duration: 20 Days
• More than 7 attack vectors
• Attack target: Vatican
• Duration: 7 Months
• Multiple attack vectors
• Attack target: US Banks
8
故善战者，立于不败之地
The good fighters of old, first put themselves beyond the possibility of defeat.

9. Slide 9
The Threat Landscape
DDoS is the most common attack method.
Attacks last longer.
Government and Financial Services are the most attacked sectors.
Multi-vector trend continues.

10. 10
You don’t control all of your critical business systems.
Understand your vulnerabilities in the distributed, outsourced world.
没有战略，战术是之前失败的噪音
漏洞
Vulnerability

11. Variation of Tactics 九變 The Army on the March 行軍 Illusion & Reality 虛實 The Use of Intelligence 用間 Laying Plans 始計

12. Individual Servers Malicious software installed on hosts and servers (mostly located at Russian and east European universities), controlled by a single entity by direct communication. Examples: Trin00, TFN, Trinity
Botnets Stealthy malicious software installed mostly on personal computers without the owner’s consent; controlled by a single entity through indirect channels (IRC, HTTP) Examples: Agobot, DirtJumper, Zemra
Voluntary Botnets
Many users, at times part of a Hacktivist group, willingly share their personal computers. Using
predetermined and publicly available attack tools and methods, with an optional remote control channel.
Examples:
LOIC, HOIC
New Server-based
Botnets
Powerful, well orchestrated attacks, using a geographically spread server infrastructure. Few attacking servers generate the same impact as hundreds of clients.
12
2012
1998 - 2002
1998 - Present
2010 - Present
不戰而屈人之兵，善之善者也
To subdue the enemy without fighting is the acme of skill

13. 13
不戰而屈人之兵，善之善者也
Current prices on the Russian underground market:
Hacking corporate mailbox: $500
Winlocker ransomware: $10-$20
Unintelligent exploit bundle: $25
Intelligent exploit bundle: $10-$3,000
Basic crypter (for inserting rogue code into benign file): $10-$30
SOCKS bot (to get around firewalls): $100
Hiring a DDoS attack: $30-$70 / day, $1,200 / month
Botnet: $200 for 2,000 bots
DDoS Botnet: $700
ZeuS source code: $200-$250
Windows rootkit (for installing malicious drivers): $292
Hacking Facebook or Twitter account: $130
Hacking Gmail account: $162
Email spam: $10 per one million emails
Email scam (using customer database): $50-$500 per one million emails

14. 14
不戰而屈人之兵，善之善者也

15. 15
不戰而屈人之兵，善之善者也

16. 16
Battlefield: U.S. Commercial Banks
Cause: Elimination of the Film “Innocence of Muslims”
Battle: Phase 4 of major multi-phase campaign – Operation Ababil – that commenced during the week of July 22nd. Primary targets included: Bank of America, Chase Bank, PNC, Union Bank, BB&T, US Bank, Fifth Third Bank, Citibank and others.
Attackers: Cyber Fighters of Izz ad-Din al-Qassam
Result: Major US financial institutions impacted by intensive and protracted Distributed Denial of Service attacks.
行軍: Operation Ababil

17. 17
行軍: Operation Ababil
Massive TCP and UDP flood attacks:
•Targeting both Web servers and DNS servers. Radware Emergency Response Team tracked and mitigated attacks of up to 25Gbps against one of its customers. Source appears to be Brobot botnet.
DNS amplification attacks:
•Attacker sends queries to a DNS server with a spoofed address that identifies the target under attack. Large replies from the DNS servers, usually so big that they need to be split over several packets, flood the target.
HTTP flood attacks:
•Cause web server resource starvation due to overwhelming number of page downloads.
Encrypted attacks:
•SSL based HTTPS GET requests generate a major load on the HTTP server by consuming 15x more CPU in order to process the encrypted attack traffic.

18. 18
Don’t assume that you’re not a target.
Draw up battle plans. Learn from the mistakes of others.
没有战略，战术是之前失败的噪音
目标
Target

19. Variation of Tactics 九變
The Army on the March 行軍
Illusion & Reality 虛實
The Use of Intelligence 用間
Laying Plans 始計

20. Internet Pipe Firewall IPS/IDS ADC Attacked Server SQL Server
20
0
5
10
15
20
25
30
35
Internet Pipe
Firewall
IPS / DSS
ADC
Server
SQL Server
2011
2012
2013
Volumetric attacks
Network & Session attacks
Application attacks
不可胜在己
Being unconquerable lies within yourself.

21. 不可胜在己
21
Proportion of businesses relying on CDNs for DDoS protection.
70%

22. 不可胜在己
22
Bypassing CDN Protection
Botnet
Enterprise
CDN
GET www.enterprise.com/?[Random]

23. 不可胜在己
23
Cloud protection limitations.
Botnet
Volumetric attacks
Low & Slow attacks
SSL encrypted attacks
Enterprise
Cloud Scrubbing

24. 24
Don’t believe the propaganda.
Understand the limitations of solutions.
Not all networking and security solutions are created equal.
没有战略，战术是之前失败的噪音
宣传
Propaganda

25. Variation of Tactics 九變
The Army on the March 行軍
Illusion & Reality 虛實
The Use of Intelligence 用間
Laying Plans 始計

26. 26
兵之情主速
Speed is the essence of war
Attack Degree Axis
Attack Area
Suspicious
Area
Normal Area

27. 27
兵之情主速
THE SECURITY GAP
Attacker has time to bypass automatic mitigation.
Target does not possess required defensive skills.

28. 28
You can’t defend against attacks you can’t detect.
Know your limitations.
Enlist forces that have expertise to help you fight.
没有战略，战术是之前失败的噪音
检测
Detection

29. Variation of Tactics 九變 The Army on the March 行軍 Illusion & Reality 虛實 The Use of Intelligence 用間 Laying Plans 始計

30. 30
故兵貴勝，不貴久
•Web Attacks
•Application Misuse
•Connection Floods
•Brute Force
•Directory Traversals
•Injections
•Scraping & API Misuse
Detection: Application Attacks

31. 31
故兵貴勝，不貴久
What is essential in war is victory, not prolonged operations.
•Envelope Attacks – Device Overload
•Directed Attacks - Exploits
•Intrusions – Mis-Configurations
•Localized Volume Attacks
•Low & Slow Attacks
•SSL Floods
Detection: Encrypted / Non-Volumetric Attacks

32. 32
故兵貴勝，不貴久
Attack Detection: Volumetric Attacks
•Network DDoS
•SYN Floods
•HTTP Floods

33. App Misuse
Slide 33
Layered Lines Of Defense
Large volume network flood attacks
Network Scan
Syn Floods
SSL Floods
“Low & Slow” DoS attacks (e.g.Sockstress)
HTTP Floods
Brute
Force
DoS protection
Behavioral analysis
SSL protection
IPS
WAF
Cloud DDoS protection
Internet Pipe Firewall IPS/IDS ADC Attacked Server SQL Server
Volumetric attacks
Network & Stateful attacks
Application attacks

34. 34
Aligned forces will make the difference
Protecting your data is not the same as protecting your business.
True security necessitates data protection, system integrity and operational availability.
没有战略，战术是之前失败的噪音
可用性 Protection

35. 35
你准备好了吗?
Are You Ready?

36. Thank You
mottya@radware.www.radware.com
http://security.radware.com