Shellshock and more: Case studies on DDoS attacks and mitigation strategies in Asia Pacific & Japan (APJ)
Ashvini Singhal, Security Practice Manager
Clark Shishido, Security Researcher (CSIRT)
©2014 AKAMAI | FASTER FORWARD™
Agenda
• Global Threat Landscape and Insights
• Security incidents in Q3
• ShellShock
• IptabLes
• Large scale DDoS
• Case Studies
• APJ DDoS Trends Late 2014
• Q&A
Global View: Nature of DDoS Attacks
Types of DDoS attacks and their relative distribution.
Infrastructure layer: 89.29% (SYN 25.73%, UDP Fragment 13.41%, UDP Floods 11.24%, DNS 8.11%, NTP 7.35%)
Source: PLXsert (Q2 2014)
Protocols Targeted
Top 5: WWW (HTTP), Microsoft DNS, Telnet, SSL (HTTPS), Microsoft SQL Server
Source: Akamai State of the Internet Report (Q2 2014)
DDoS Attacks by Geography and Sectors
By region: Americas 57%, Asia Pacific & Japan 25%, EMEA 18%
By industry: Enterprise 30%, Commerce 29%, High Tech 15%, Media & Entertainment 15%, Public sector 11%
Source: Akamai State of the Internet Report (Q2 2014)
Attack Sources
1. China
2. Indonesia
3. United States
4. Taiwan
5. India
6. Russia
7. Brazil
8. South Korea
9. Turkey
10. Romania
Source: Akamai State of the Internet Report (Q2 2014)
Incidents observed in Q3
• ShellShock
• IptabLes
• Large scale DDoS
• Numerous application-layer attacks on a daily basis (XSS, RFI, SQL injection etc.)
ShellShock
• ShellShock: a collection of vulnerabilities in Bash (the Bourne-again shell). Shellshock exists in a feature of bash called "function importing".
• Started with one (CVE-2014-6271) and grew to six in a week.
• Attack payloads observed:
() {
() { :; }; /bin/ping
() { :;} ; echo shellshock" `which bash`
() { :;}; /bin/bash -c "cat /etc/shadow"NULL NULL
() { :;}; /usr/bin/wget
• Attack tools became famous overnight:
https://shellshock.detectify.com
http://shellshock.brandonpotter.com
ShellShock
• Mitigations
- WAFs can block '() {' – effective against the function import.
- Staying up to date on patches.
- Switching to an alternate shell.
- For SSH servers: remove non-administrative users until the systems are patched.
- For web applications: CGI functionality that makes calls to a shell can be disabled entirely (short-term measure).
• Akamai customer mitigations
- Custom WAF rule.
- Customers using KRS are protected against some attacks by the Command Injection risk group.
- SiteShield – against direct-to-origin attacks.
- The Akamai platform protects against some attacks using HTTP normalization by default.
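The WAF mitigation above amounts to matching the bash function-definition prefix "() {" in client-controlled request fields, after the same normalization the slide mentions (percent-encoded variants must decode to the plain form before matching). The following is an added example of that check, written for this page; it is not Akamai's WAF rule or KRS code. The regex, the fixed-point percent-decoding and the sample requests (which use only the harmless "echo shellshock" probe string shown on the payload slide) are this example's own constructions.

```python
import re
from urllib.parse import unquote

# The bash exported-function prefix "() {" that the slide says a WAF can block,
# allowing whitespace variations. This pattern is this example's own, not an Akamai rule.
FUNC_IMPORT = re.compile(r"\(\s*\)\s*\{")


def normalize(value: str) -> str:
    """Percent-decode until the value stops changing, so single- or double-encoded
    forms of '() {' are compared in the same form as the plain one (the
    'HTTP normalization' step the slide refers to)."""
    previous = None
    while previous != value:
        previous, value = value, unquote(value)
    return value


def find_function_import(headers: dict) -> list:
    """Return the names of request headers whose value carries a bash function
    definition prefix. Request headers are what a CGI gateway copies into
    environment variables, which is the path Shellshock abuses."""
    return [name for name, value in headers.items()
            if FUNC_IMPORT.search(normalize(value))]


# Constructed sample requests (not from the slides): the first two carry the
# probe string from the payload slide, the second one percent-encoded inside a
# cookie; the third is an ordinary browser request with a benign "()" in it.
SAMPLE_REQUESTS = [
    {"User-Agent": "() { :;}; echo shellshock", "Accept": "*/*"},
    {"User-Agent": "Mozilla/5.0",
     "Cookie": "sid=%28%29%20%7B%20%3A%3B%7D%3B%20echo%20shellshock"},
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0",
     "Referer": "https://example.test/docs?fn=main()"},
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """One entry per request: the offending header names, empty when clean."""
    return [find_function_import(h) for h in requests]


if __name__ == "__main__":
    for i, hits in enumerate(scan()):
        print(f"request {i}: {'block ' + ', '.join(hits) if hits else 'clean'}")
```

The decode loop matters because a single `unquote` leaves a double-encoded value (`%2528%2529...`) still encoded, so a rule that decodes once and matches would miss it; the benign `main()` in the Referer shows why the rule requires the opening brace and not just the empty parentheses.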
IptabLes/IptabLex
• A new botnet surfaced with command and control in Asia, linked to two hardcoded IP addresses in China.
• Causes volumetric DDoS attacks by executing DNS and SYN flood attacks.
• Spreads by compromising Linux-based web servers using exploits for Apache Struts, Tomcat and Elasticsearch vulnerabilities.
• Indicators:
  • Slow network.
  • Presence of a Linux ELF binary that creates a copy of itself named .IptabLes or .IptabLex.
  • /boot/.IptabLes and /boot/.IptabLex
• Infects popular Linux distributions such as Debian, Ubuntu, CentOS and Red Hat.
• Mitigation – server hardening, anti-virus, rate control.
• Akamai mitigation – Akamai PLXsert has created a YARA rule to detect the infection and a Bash command to clean it.
Large Scale DDoS
• APJ is becoming the biggest target for the largest-scale DDoS attacks.
• Volume
  • 2012 – a 25 Gbps attack was not very common.
  • 2014 – a 350 Gbps attack is common and absolutely fatal to any organization.
• Attacks are heavily distributed in nature, making it difficult to block a specific source.
• More than 40 percent of all Q2 2014 DDoS attacks were initiated from Asia-Pacific countries.
• Cloud platforms such as Akamai are effective at blocking such large-scale attacks.
Large Scale DDoS (Case Study 1 – Major Stock Exchange in APJ)
• Attack continued for 4 full days in August 2014.
• The stock exchange's main domain was targeted with 21 billion requests and a cumulative bandwidth of ~19 TB.
• Distributed, with attack traffic originating from over 50 countries.
• Full attack blocked by:
  - Rate controls
  - Bot rule group blocking curl/wget requests
Case Study 1 – Technical Details
Multiple attack vectors
• SYN flood against ports 80 & 443
• Cache busting
  • www.$CUST.com/$staticstring/search.jsp?q=a
• User-Agents
  • User-Agent: Wget/1.12 (linux-gnu)
  • User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Case Study 1 – Security Monitor
Case Study 1 – Geographic Distribution
Attack origins: USA, Germany, France, Italy, Netherlands, United Kingdom, Canada, China, Poland, Romania, Spain, Brazil, Japan, Sweden, Turkey, Finland, Belgium, Czech Republic, Hungary, Portugal, Costa Rica, Russian Federation, Greece, India, Lithuania, Slovenia, Nicaragua, Austria, Azerbaijan, Thailand, Australia, Ghana, Hong Kong, Switzerland, Latvia, Norway, Serbia, Bulgaria, Croatia, Denmark, Iran, Ukraine, Kyrgyzstan, Argentina, Kenya, Trinidad and Tobago, Algeria, Ireland, Singapore
Case Study 1 – Attack Profile
• Attack spanning 4 days: between 18th and 22nd August 2014
• The domain was targeted with ~21 billion requests
• Edge bandwidth utilization during these 4 days reached ~17.5 TB
• The attack was highly distributed, with requests originating from over 50 countries
• Blocked by rate controls and an application-layer rule to detect wget/curl requests
Large Scale DDoS (Case Study 2 – Gaming customer in APJ)
• Attack targeted one of China's gaming websites.
• Attackers persisted for over 2 weeks and attempted a DDoS every second day.
• Over 19 billion hits, with cumulative bandwidth utilization of ~20 TB.
• 99% of attack traffic originated from Asia.
• Attack patterns
  - Specific User-Agents (bots, older browsers)
  - Attacking base pages with randomized query-string parameters.
• Mitigation
  - Rate controls.
  - IP blocks.
  - Custom rules for specific signatures.
  - WAF application-layer rules.
(Pie chart of attack sources: China 90%, Taiwan 3%, Vietnam 2%, South Korea 2%, Hong Kong 1%, Malaysia 1%, Morocco <1%)
Case Study 2 – Gaming Microtransactions
Multiple attack vectors
• Flood of empty DNS requests
• SYN attacks to ports 80/443
• Cache busting
  • GET method for / and /images/bg.gif?=<query>
• Spoofed User-Agents
  • User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)
  • User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
  • User-Agent: Mozilla/4.0
Case Study 2 – DNS Traffic Spike
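Both case studies were stopped by the same three application-layer controls: a signature on tool or spoofed User-Agents (Wget/curl in case study 1, the bare "Mozilla/4.0" in case study 2), a per-client rate control, and a rule against cache busting, where one path is hit with ever-changing query strings so that every request misses the cache and lands on the origin. The following is an added example that applies those three checks to access-log records; it is not Akamai's rate-control or bot-rule implementation. It assumes records already parsed into (client_ip, unix_time, request_target, user_agent) tuples, the thresholds are illustrative, and the traffic sample is constructed from documentation (TEST-NET) addresses.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# User-Agent signatures named on the slides: the Wget/curl clients of case study 1
# and the bare "Mozilla/4.0" of case study 2. This regex is this example's own,
# not the Akamai bot rule group.
TOOL_UA = re.compile(r"^(?:wget|curl)/|^Mozilla/4\.0$", re.IGNORECASE)


def analyze(records, window_s=10, rate_limit=50, distinct_query_limit=20):
    """records: iterable of (client_ip, unix_time, request_target, user_agent).
    Returns {client_ip: set_of_reasons} for every client that trips a control."""
    by_ip = defaultdict(list)
    for ip, ts, target, ua in records:
        by_ip[ip].append((ts, target, ua))

    verdicts = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        reasons = set()

        # 1. Signature rule: known tool or spoofed user-agents.
        if any(TOOL_UA.search(ua) for _, _, ua in reqs):
            reasons.add("tool-user-agent")

        # 2. Rate control: more than rate_limit requests inside any window_s seconds.
        oldest = 0
        for newest in range(len(reqs)):
            while reqs[newest][0] - reqs[oldest][0] > window_s:
                oldest += 1
            if newest - oldest + 1 > rate_limit:
                reasons.add("rate-limit")
                break

        # 3. Cache busting: one path requested with many distinct query strings.
        queries = defaultdict(set)
        for _, target, _ in reqs:
            parts = urlsplit(target)
            queries[parts.path].add(parts.query)
        if any(len(qs) > distinct_query_limit for qs in queries.values()):
            reasons.add("cache-busting")

        if reasons:
            verdicts[ip] = reasons
    return verdicts


def constructed_sample():
    """Constructed traffic (not slide data) mirroring the two case studies."""
    recs = []
    # Client A: Wget, 60 hits in 5 seconds, random token in the search query.
    for i in range(60):
        recs.append(("198.51.100.7", 1408352400 + i // 12,
                     f"/x9k2/search.jsp?q={i:04x}", "Wget/1.12 (linux-gnu)"))
    # Client B: browser-looking UA, slow, but a fresh query string on every hit.
    for i in range(30):
        recs.append(("203.0.113.9", 1408352400 + i * 2,
                     f"/images/bg.gif?={i * 7919 % 10007}",
                     "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"))
    # Client C: a few ordinary page views.
    for i in range(5):
        recs.append(("192.0.2.33", 1408352400 + i * 3, "/search.jsp?q=a",
                     "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/31.0"))
    return recs


if __name__ == "__main__":
    for ip, reasons in sorted(analyze(constructed_sample()).items()):
        print(ip, sorted(reasons))
```

Client B is the case worth noting: its User-Agent string is a full browser string, not the bare "Mozilla/4.0", and its request rate is modest, so only the distinct-query-string count catches it; that is the reason the slides list cache-busting rules separately from rate controls.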
Case Study 2 – PCAP sample
14:42:24.220078 IP xx.xx.xx.xx.63266 > xxx.xxx.xx.xx.80: Flags [S], seq 1874991005:1874992216, win 61045, length 1211
0x0000: 0065 0800 4500 04e3 9d17 4000 f606 c5a6 .e..E.....@..... 
0x0010: 175c 4b5d 728d 4810 f722 0050 6fc2 179d .K]r.H..".Po... 
0x0020: 0000 0000 5002 ee75 2089 0000 0000 0000 ....P..u........ 
0x0030: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 
0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 
0x0060: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 
0x0070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
Case Study 3 - DDoS in APJ 
Attack Profile 
• Deny access to political website with DNS flood 
• Brute force 
• No Spoofing 
• Waves of attacks
Case Study 3 – Geographic Distribution
Attack source locations, in the order listed on the slide: CN BEIJING, US ASHBURN, US CHICAGO, DE FRANKFURT, CN LHASA, CN GUANGZHOU, CN BEIJING, CN SHANGHAI, HK HONGKONG, CN HANGZHOU, CN GUANGZHOU, NL AMSTERDAM, CN GUANGZHOU, NL AMSTERDAM, FR TOULOUSE, NL AMSTERDAM, US SCOTTSDALE, RU MOSCOW, GB LONDON, CN SHANGHAI, CN SHANGHAI, US ASHBURN, DE FRANKFURT, US SANJOSE, US DALLAS, JP OSAKA, US MIAMI, DE FRANKFURT
Case Study 3 – PCAP Sample 
15:46:43.702607 IP 67.xxx.xxx.xx8 > 184.yy.yyy.yy: ip-proto-255 1052 
0x0000: 4500 0430 056d 0000 7aff 89f2 43c6 b812 E..0.m..z...C... 
0x0010: b855 f841 4500 041c 0000 0000 8011 0000 .U.AE........... 
0x0020: 386b 2335 b855 f841 1fab 0050 0408 0000 8k#5.U.A...P.... 
0x0030: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA 
0x0040: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA 
0x0050: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA 
... (more of the same. 1052 bytes of IP payload)
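The two PCAP slides show what the flood packets look like on the wire: case study 2 is a TCP SYN that carries 1211 bytes of zero padding (a SYN normally carries no data outside TCP Fast Open), and case study 3 is an IP packet with the reserved protocol number 255 and 1052 bytes of 'A' filler. The following is an added example, written for this page rather than taken from the slides or from Akamai, that reads those hex dumps back into bytes, decodes the IPv4 and TCP headers, and flags both conditions. It assumes tcpdump -x style dump lines, and it assumes that in the case study 2 dump the IPv4 header begins four bytes in (the version/IHL byte 0x45 appears at offset 4, after `0065 0800`); only the first lines of each dump are embedded, since the rest is padding, and the decoded header fields are checked against the values tcpdump printed on the slide.

```python
import re
import struct

# Dump lines from the two PCAP slides; the omitted trailing lines are padding
# (zeros in the first capture, 'A' bytes in the second).
SYN_FLOOD_DUMP = """\
0x0000: 0065 0800 4500 04e3 9d17 4000 f606 c5a6 .e..E.....@.....
0x0010: 175c 4b5d 728d 4810 f722 0050 6fc2 179d .K]r.H..".Po...
0x0020: 0000 0000 5002 ee75 2089 0000 0000 0000 ....P..u........
0x0030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
"""
PROTO255_DUMP = """\
0x0000: 4500 0430 056d 0000 7aff 89f2 43c6 b812 E..0.m..z...C...
0x0010: b855 f841 4500 041c 0000 0000 8011 0000 .U.AE...........
0x0020: 386b 2335 b855 f841 1fab 0050 0408 0000 8k#5.U.A...P....
0x0030: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
"""

HEX_GROUP = re.compile(r"^[0-9a-f]{4}$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Collect the hex columns of tcpdump -x/-X output, skipping the offset
    token and the trailing ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not tokens[0].startswith("0x"):
            continue
        for tok in tokens[1:9]:          # at most eight 16-bit groups per line
            if not HEX_GROUP.match(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def parse_ipv4(raw: bytes, link_prefix: int = 0) -> dict:
    """Decode the IPv4 header (and the TCP header when the protocol is TCP)
    starting link_prefix bytes into raw. Addresses are deliberately not decoded."""
    pkt = raw[link_prefix:]
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("no IPv4 header at offset %d" % link_prefix)
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    info = {"proto": proto, "total_len": total_len, "payload_len": total_len - ihl}
    if proto == 6 and len(pkt) >= ihl + 16:
        src, dst, seq, ack, off_flags, window = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
        data_off = (off_flags >> 12) * 4
        info.update(src_port=src, dst_port=dst, seq=seq, ack=ack, window=window,
                    flags=off_flags & 0x01FF, payload_len=total_len - ihl - data_off)
    return info


def anomalies(info: dict) -> list:
    """Checks matching the two slides: a SYN (without ACK) that carries data,
    and a packet using a protocol number other than ICMP, TCP or UDP."""
    findings = []
    flags = info.get("flags", 0)
    syn_only = info["proto"] == 6 and flags & 0x02 and not flags & 0x10
    if syn_only and info["payload_len"] > 0:
        findings.append("SYN carrying %d payload bytes (padded SYN flood)" % info["payload_len"])
    if info["proto"] not in (1, 6, 17):
        findings.append("unusual IP protocol %d%s"
                        % (info["proto"], " (reserved)" if info["proto"] == 255 else ""))
    return findings


def check(dump: str, link_prefix: int = 0) -> list:
    return anomalies(parse_ipv4(hexdump_to_bytes(dump), link_prefix))


if __name__ == "__main__":
    print(check(SYN_FLOOD_DUMP, link_prefix=4))   # 4-byte prefix: assumption about this capture
    print(check(PROTO255_DUMP))
```

Decoding the first capture reproduces tcpdump's own summary line (source port 63266, destination port 80, sequence number 1874991005, window 61045, 1211 bytes of TCP payload), which is a useful sanity check that the link-layer offset guess is right before trusting the anomaly verdicts; a network-layer filter that drops SYNs with data and packets with unassigned protocol numbers would have discarded both floods without inspecting the payload at all.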
APJ DDoS Trends Late 2014 
2014Q1-Q2 to 2014Q2-Q3 
• Brute Force attacks (more in APJ) 
• Less spoofing 
• Multiple attack vectors 
• Managed botnet 
• Multiple Waves 
• Changing Tactics
Questions and Answers
sales-singapore@akamai.com
+65 6593 8717

Editor's Notes

1. On average, DDoS attacks lasted 17 hours. Eighty-nine percent of Q2 2014 DDoS attacks targeted the infrastructure layer; the remaining 11 percent were application attacks. The most common infrastructure attacks included SYN floods (26 percent of all attacks mitigated in Q2), UDP floods (25 percent), NTP (7.4 percent) and ICMP (6.6 percent). The most common application-layer attacks were HTTP GET floods (7.5 percent of all attacks mitigated in Q2), HTTP POST floods (2.3 percent), PUSH floods (0.8 percent) and HEAD floods (0.2 percent). The most common reflection attack vectors included NTP (7.35 percent), CHARGEN (4.54 percent), DNS (4.00 percent) and SNMP (3.03 percent). Nearly half (46 percent) of all DDoS attacks targeted the gaming industry. The top three country sources for DDoS attacks this quarter were the United States, Japan and China.
2. Talk about the cloud here