3. Potential Motivation of Cyber Attacks
Facet / Description / References
• Political Motivation
  – Extension of politics in the 21st century
  – Cyber-attacks are referred to as the fifth generation of warfare
  – References: 1. Mirkovic, 2004; 2. Arbor Networks web; 3. Jose Nazario, 2007
• Social Motivation
  – Governments are common targets: people who do not support the government use cyber-attack tools against government websites
  – References: 1. Don Jackson, 2009; 2. Steven Adair, 2008
• Business Motivation
  – Cyber-attacked by competing companies
  – Steal confidential information
  – References: 1. FoxNews.com, 2008; 2. Eneken Tikk, 2008
• Personal Motivation
  – Curiosity
  – Get paid
  – References: 1. Jeff Carr, 2009
• Risks / Benefits
  – It is nearly impossible to find out who is conducting a cyber attack, but there are definitely reasons why it would benefit them.
4. Cyber War Case - Afghanistan
• Two-way cyber war measures
  – Cyber offensive capability
  – Cyber dependence: the degree to which a nation relies upon cyber-controlled systems
  – Cyber defensive capability
• "We have the most bandwidth running through our society and are more dependent on that bandwidth. We are the most vulnerable." – former Admiral McConnell
• Afghanistan 2001
  – The US had a cyber war plan, but there were no targets for its cyber warriors; that gave Afghanistan an advantage.
  – If Afghanistan had had any offensive cyber capability, the cyber war would have gone a different way.
5. Cyber War Case - China
• Offense vs. defense
  – The US has the most sophisticated offensive capability, but that cannot make up for its weakness in defense; its cyber defense training is offense-focused.
  – China's cyber warriors are tasked with both offense and defense in cyberspace.
• China's advantages in cyber war
  – Ownership: the Internet in China is like a company intranet; the government is the only service provider.
  – Censorship
    • The Great Firewall of China provides security advantages.
    • The technology the Chinese use to screen emails/messages provides the infrastructure to stop malware.
    • Software installed on all computers to keep children from accessing pornography gives China control over every desktop in the country.
  – Critical infrastructure: for the electric power system the US relies on automated control systems, whereas China still requires a large degree of manual control.
6. Cyber War Strength
Country | Cyber Offense | Cyber Dependence | Cyber Defense | Total
US | 8 | 2 | 1 | 11
Russia | 7 | 5 | 4 | 16
China | 5 | 4 | 6 | 15
Iran | 4 | 5 | 3 | 12
North Korea | 2 | 9 | 7 | 18
(Richard Clarke, 2010). Higher is better for the nation in every column. Note that Cyber Dependence is scored inversely: a high number means the nation would lose little if its networks went down (North Korea 9, US 2), which is why the least-wired country comes out on top of the Total column.
7. Cyber Defense Award
US Military Training for Cyber Warfare
YouTube (2013 Apr 30). Cyber Defense - Military Training for Cyber Warfare [video].
8. DDoS: Recent Cases Highlight
• 2014 June 14, Hong Kong: Hong Kong voting site suffers massive DDoS attack before civil referendum
• 2014 June 19, US: Facebook hit by a massive DDoS attack attributed to China
10. False Assumptions
• Attackers use a specific pattern to attack
  – No. Attackers try all means to maximize the outcome.
  – Each attack has its own pattern; the uniqueness of the pattern is the principle of a cyber attack.
• A severe cyber-attack must be driven by a cyber military (cyberwarfare)
  – Yes and no. Massive traffic can easily be generated at an affordable price.
• Solutions are available against attacks
  – Yes and no. There is no ready-made solution for every cyber-attack.
• Cyber-attacks happen only occasionally on the global Internet
  – They happen all the time. Live with it.
11. DDoS vs. Cyber War
[Figure: the cyber-war-initiating country targets the critical information infrastructure of the enemy country; DDoS traffic stops at the DMZ, while cyber war reaches the infrastructure behind it.]
1. DDoS can only reach the DMZ; the DMZ was built for exactly that purpose. (One caveat: a volumetric flood that saturates the upstream link takes everything behind that link offline as well, DMZ or not.)
2. DDoS attacks are conspicuous: the targets are easily identified, which gives the enemy the advantage of increasing its defensive capability or reducing its cyber dependence.
12. ECO System
Role | What they do | Legal enforcement
Bot Makers | Selling tools, or giving them away | Low
BotNet Builders | Compromising systems and distributing code; trading valuable private information | Low
BotNet Operators | Providing "cloud services" on the botnet (non-exclusive ownership) | Low
BotNet Brokers | Matching buyers and sellers | Low
BotNet Users | Running code on the botnet platform | Medium
13. Economy
Price of 1,000 bots for 24 hours:
• Australia: $100
• Vietnam: $5
• China
  – Mainland (Tier-2 cities): $13
  – LiaoNing: $80
  – GuangDong: $160
• Taiwan: $484
Bot applications:
1. Sell private information
2. Advertisement
3. DDoS services
(PC Magazine, 2009 June)
14. Math Exercise
• Infected PCs (bots)
  – Assume 10,000 PCs
  – Each sending 10,000 DNS queries/sec, 100M queries/sec in total
  – Each generating 640 KBytes/sec of outbound traffic (about 64 bytes per query)
  – Total cost: USD 130 for 24 hrs (10 x 1,000 bots at the $13 China mainland price above)
• Public DNS resolvers
  – Assume 20,000 servers (open resolvers > 60K)
  – Message amplification x50 => 3,000 bytes (6 packets) per response
  – Each receiving 5,000 DNS queries/sec (100M / 20,000)
  – Each generating 15 MBytes/sec (30,000 packets/sec) of outbound traffic, all of it toward the victim because the query source address is spoofed
  – Total cost: free (public goods)
• Target victim
  – Receiving 300 GBytes/sec (2.4 Tbit/s; 600M packets/sec) of inbound traffic
  – Total liability: considerable cost to the victim; what is priceless to the attackers costs them almost nothing
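The slide multiplies an assumed per-message amplification by the bot and resolver counts. The added example below (my own code, not the slides') builds a real DNS query carrying an EDNS0 OPT record and a constructed TXT-heavy response in wire format, measures the bandwidth amplification factor from the bytes that actually go on the wire (IPv4 without options, 1500-byte MTU, fragmentation counted), and then scales it with the slide's own bot and resolver figures. The name example.com, the ANY query type and the ten 255-byte TXT records are assumptions for illustration.

```python
"""DNS amplification measured from wire-format sizes, then scaled to the
slide's botnet/open-resolver scenario (added example, not the slides' code)."""
import struct

IP_UDP_OVERHEAD = 28        # IPv4 header (20) + UDP header (8); no options assumed
IP_FRAGMENT_PAYLOAD = 1480  # IP payload per fragment on a 1500-byte MTU link


def encode_name(name):
    """Domain name in DNS wire format: length-prefixed labels, then a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def opt_record(udp_payload):
    """EDNS0 OPT pseudo-RR (type 41). Its class field advertises the UDP payload
    size the sender accepts; that is what lets a 40-byte query pull back a
    multi-kilobyte answer instead of a 512-byte truncated one."""
    return b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)


def build_query(name, qtype, udp_payload=4096, txid=0x1234):
    """Header (RD set, 1 question, 1 additional) + question + OPT."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question + opt_record(udp_payload)


def build_response(name, qtype, txt_values, udp_payload=4096, txid=0x1234):
    """Answer with one TXT RR per value; owner names are a compression pointer
    (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_values), 0, 1)  # QR, RD, RA
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    answers = b""
    for value in txt_values:
        # TXT RDATA is a sequence of <len><bytes> strings of at most 255 bytes each
        chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
        rdata = b"".join(struct.pack("!B", len(c)) + c.encode("ascii") for c in chunks)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 3600, len(rdata)) + rdata
    return header + question + answers + opt_record(udp_payload)


def wire_size(dns_message):
    """(bytes, packets) a UDP/IPv4 datagram occupies on the wire; a response
    larger than one MTU is fragmented and every fragment pays an IP header."""
    packets = -(-(len(dns_message) + 8) // IP_FRAGMENT_PAYLOAD)  # ceil division
    return len(dns_message) + 8 + 20 * packets, packets


def amplification_factor(query, response):
    """Bandwidth amplification factor: bytes hitting the victim per byte a bot sends."""
    q_bytes, _ = wire_size(query)
    r_bytes, _ = wire_size(response)
    return r_bytes / q_bytes


def attack_model(bots, queries_per_bot_per_sec, resolvers,
                 query_bytes, response_bytes, response_packets):
    """Scale per-message sizes to the slide's scenario: every bot spoofs the
    victim's address, so all resolver output lands on the victim."""
    total_qps = bots * queries_per_bot_per_sec
    per_resolver_qps = total_qps / resolvers
    return {
        "bot_out_bytes_per_sec": queries_per_bot_per_sec * query_bytes,
        "resolver_in_qps": per_resolver_qps,
        "resolver_out_bytes_per_sec": per_resolver_qps * response_bytes,
        "resolver_out_pps": per_resolver_qps * response_packets,
        "victim_in_bytes_per_sec": total_qps * response_bytes,
        "victim_in_pps": total_qps * response_packets,
        "victim_in_gbit_per_sec": total_qps * response_bytes * 8 / 1e9,
    }


if __name__ == "__main__":
    q = build_query("example.com", 255)                        # ANY, assumed
    r = build_response("example.com", 255, ["A" * 255] * 10)   # constructed answer
    print(len(q), "byte query ->", len(r), "byte response, BAF %.1f" % amplification_factor(q, r))
    qb, _ = wire_size(q)
    rb, rp = wire_size(r)
    for key, value in attack_model(10_000, 10_000, 20_000, qb, rb, rp).items():
        print(f"{key:28s} {value:,.0f}")
```

Fed the slide's own per-message figures (64-byte query, 3,000-byte/6-packet response) the model reproduces the 300 GBytes/sec and 600M packets/sec at the victim; with the measured 40x factor from a 2.7 KB answer the result is of the same order. A signed (DNSSEC) zone or a larger advertised EDNS payload pushes the factor up further, which is why DNSSEC is not a mitigation for this attack.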
15. Solution Zone
[Figure: direct attacks (ssh; ping; ftp; …, etc.) arrive at the Firewall/Defense System.]
S1: rules/policing - build filtering rules/policing on the fly
1. Block sources
2. Block protocols/ports
Challenges
1. Capacity and performance
2. Hard to identify dynamic sources
3. A new algorithm has to be designed for each new pattern, instantly
16. Continue
[Figure: amplification attack - the attacker sends queries with a spoofed source IP to DNS; NTP; …, etc. servers; the servers are technically protocol-compliant and answer as the protocol requires, so the amplified responses land on the victim's Firewall/Defense System.]
S1: BIND rate limit (Response Rate Limiting, the rate-limit statement in named.conf; it is designed for authoritative servers, while open recursive resolvers should instead restrict recursion to their own clients)
S2: buy transit
S3: rules/policing
Challenges
S1: out of the victim's control; it has to be deployed by the operators of the abused servers
S2: port speed may not be upgradable accordingly
S3: 1 capacity and performance
    2 a new algorithm has to be designed for each new pattern, instantly
(DNSSEC does not provide "destination validation": it authenticates the answer data, not the source address of the query, and its signed responses are larger, which raises the amplification factor rather than lowering it.)
18. Strengthen The Defensive System
Unique Algorithm for Unique Pattern
1. Analyze the attack pattern
2. Design the defensive algorithm
3. Sizing engineering
   – maximum number of sessions/connections
   – fit in CPU cache
   – risk of saturating a CPU at a given packet rate
   – timeout adjustment
4. Rapid coding and deployment
5. Ongoing monitoring
Knowledge intensive
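Slides 15 and 16 list the two things the victim can actually do on its own side (block sources and protocols/ports on the fly, rate-limit what gets through), and slide 18 adds the sizing constraints on such an algorithm. The added example below (my own code, not the slides') puts both together and runs them over constructed packet records: a per-source token-bucket policer whose table is capped so memory stays bounded however many sources a flood shows, and a stateful check that drops DNS/NTP "replies" the victim never asked for, which is the only way to tell reflected amplification traffic apart from the victim's own answers, since those packets arrive from the reflector's genuine address. The addresses, ports and rates are constructed for illustration.

```python
"""On-the-fly filtering against the two DDoS patterns on the slides above,
run over constructed packet records (added example, not the slides' code).
SourcePolicer: per-source token bucket in a fixed-size LRU table (direct floods).
ResponseMatcher: remembers the victim's own outbound DNS/NTP queries so that
inbound replies nobody asked for (reflected traffic) can be dropped."""
from collections import OrderedDict

REFLECTOR_PORTS = {53, 123}  # DNS and NTP, the amplifiers named on the slide


class SourcePolicer:
    """Token bucket per source; the table is capped at max_entries (the sizing knob)."""
    def __init__(self, rate_pps, burst, max_entries, idle_timeout):
        self.rate, self.burst = rate_pps, burst
        self.max_entries, self.idle_timeout = max_entries, idle_timeout
        self.table = OrderedDict()  # src -> [tokens, last_seen], least recent first

    def allow(self, src, now):
        bucket = self.table.get(src)
        if bucket is None:
            if len(self.table) >= self.max_entries:
                self.table.popitem(last=False)  # evict the least recently seen source
            bucket = self.table[src] = [float(self.burst), now]
        else:
            self.table.move_to_end(src)
            elapsed = now - bucket[1]
            if elapsed > self.idle_timeout:
                bucket[0] = float(self.burst)  # an idle source starts fresh
            else:
                bucket[0] = min(self.burst, bucket[0] + elapsed * self.rate)
            bucket[1] = now
        if bucket[0] >= 1.0:
            bucket[0] -= 1.0
            return True
        return False


class ResponseMatcher:
    """Tracks (peer ip, peer port, local port, txid) of queries the victim sent;
    only a reply matching one within reply_timeout seconds counts as solicited."""
    def __init__(self, reply_timeout, max_pending):
        self.reply_timeout, self.max_pending = reply_timeout, max_pending
        self.pending = OrderedDict()

    def note_query(self, peer_ip, peer_port, local_port, txid, now):
        if len(self.pending) >= self.max_pending:
            self.pending.popitem(last=False)  # bounded, like the policer table
        self.pending[(peer_ip, peer_port, local_port, txid)] = now

    def solicited(self, peer_ip, peer_port, local_port, txid, now):
        sent = self.pending.pop((peer_ip, peer_port, local_port, txid), None)
        return sent is not None and now - sent <= self.reply_timeout


def filter_packets(packets, policer, matcher):
    """One (verdict, reason) per record; records are dicts with dir ('in'/'out'),
    proto, src, sport, dst, dport, txid and ts (seconds)."""
    verdicts = []
    for p in packets:
        if p["dir"] == "out":
            if p["proto"] == "udp" and p["dport"] in REFLECTOR_PORTS:
                matcher.note_query(p["dst"], p["dport"], p["sport"], p["txid"], p["ts"])
            verdicts.append(("pass", "outbound"))
        elif p["proto"] == "udp" and p["sport"] in REFLECTOR_PORTS:
            if matcher.solicited(p["src"], p["sport"], p["dport"], p["txid"], p["ts"]):
                verdicts.append(("pass", "solicited reply"))
            else:
                verdicts.append(("drop", "unsolicited reflection"))
        elif policer.allow(p["src"], p["ts"]):
            verdicts.append(("pass", "within source rate"))
        else:
            verdicts.append(("drop", "source rate exceeded"))
    return verdicts


def summarize(verdicts):
    counts = {}
    for verdict, reason in verdicts:
        counts[verdict] = counts.get(verdict, 0) + 1
        counts[reason] = counts.get(reason, 0) + 1
    return counts


def sample_packets():
    """Constructed traffic at victim 203.0.113.10 (documentation addresses, not a capture)."""
    def pk(**kw):
        return {"txid": None, **kw}
    pkts = [  # the victim's own DNS lookup and its genuine answer 20 ms later
        pk(dir="out", proto="udp", src="203.0.113.10", sport=40001, dst="198.51.100.53", dport=53, txid=0x1A2B, ts=0.000),
        pk(dir="in", proto="udp", src="198.51.100.53", sport=53, dst="203.0.113.10", dport=40001, txid=0x1A2B, ts=0.020),
    ]
    for i in range(50):  # 50 open resolvers answer queries the victim never sent
        pkts.append(pk(dir="in", proto="udp", src=f"198.51.100.{100 + i}", sport=53,
                       dst="203.0.113.10", dport=40001, txid=0x7777, ts=0.030 + i * 0.0001))
    for i in range(100):  # one source sends 100 SYNs in 100 ms (1,000 pps)
        pkts.append(pk(dir="in", proto="tcp", src="192.0.2.77", sport=50000 + i,
                       dst="203.0.113.10", dport=443, ts=0.100 + i * 0.001))
    for i in range(3):  # an ordinary client: three packets spread over a second
        pkts.append(pk(dir="in", proto="tcp", src="192.0.2.5", sport=51000,
                       dst="203.0.113.10", dport=443, ts=0.500 + i * 0.300))
    return pkts


if __name__ == "__main__":
    policer = SourcePolicer(rate_pps=10, burst=20, max_entries=4096, idle_timeout=30)
    matcher = ResponseMatcher(reply_timeout=2.0, max_pending=65536)
    print(summarize(filter_packets(sample_packets(), policer, matcher)))
```

With a 10 pps rate and a burst of 20, the flooding source gets its first 20 packets through and loses the remaining 80, the ordinary client is untouched, the genuine DNS answer passes and all 50 reflected answers are dropped. The policer alone is no help against slide 15's "dynamic sources": a flood whose spoofed source never repeats gets a fresh bucket every time, and only the table cap keeps that from exhausting memory, which is why the stateful response check, not per-source policing, is what removes reflected traffic.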