The 2011 Radware Global Application & Network Security Report is an informative and practical compilation of security findings that gives a view of the state of cyber security worldwide.
3. ERT Visibility Into Attacks
Radware’s ERT helps customers when they are under attack
• “Free” access to network architecture & configurations
• Unique visibility into what an attack actually looks like
• Visibility into traffic distribution
• Resource status of the network and the applications components
• Measure the impact of attacks and the network points of weakness
• Lab research (Botnet lab)
ERT Sees Attacks in Real-time on a Daily Basis
4. The ERT Annual Report
The Report is Based on Two Sources
• A survey sent to a wide variety of internet organizations, in order to get responses that were vendor neutral and as objective as possible
• Analysis of about 40 selected cases that were handled by Radware’s ERT
To download the full report, please visit:
http://www.radware.com/2011globalsecurityreport
6. Attackers Change in Motivation & Techniques
[Timeline figure, 2001 to 2011: attacker motivation moves from “Worms” through “Vandalism and Publicity” and “Financially Motivated” to “Hacktivism” and finally a “Blend” of motives. Events plotted include CodeRed (2001), Nimda (installed Trojan, 2001), Slammer (attacking SQL sites, 2003), Blaster (2003), the Republican website DoS (2004), Agobot (DoS botnet), Storm (botnet, 2007), Rustock (botnet, 2007), Srizbi (botnet), Kracken (botnet), IMDDOS, Netbot, the attacks on Estonia’s web sites (2007), the Georgia web sites DoS (2008), the cyber attacks on the US & Korea (July 2009), the Google / Twitter DDoS (2009), the Operation Payback DDoS attack (2010) and Operation Payback II, the Codero DDoS / Twitter (Mar 2011), the Wordpress.com DDoS (Mar 2011), Peru and Chile, and LulzSec’s attacks on Sony, the CIA and the FBI. Hacktivism milestones are marked at Dec 2010 and Mar 2011.]
7. Attacker’s Motivation (Survey)
Mainly for political reasons
• Uses the power of masses of lay users who were not even fully aware of what the tools they downloaded were doing
• In 2011: a trend toward more sophisticated attack campaigns that are generated also by the “inner-circle” …
9. Attack Sophistication in 2011
• The attacks became more complex, with attackers using as many as five different attack vectors in a single “attack campaign”
• Blending both network and application attacks in a single attack campaign
• Vote on a target, select the most appropriate attack tools, advertise the campaign, invite anyone capable…
• Attackers time the attack for the most painful period for the victim
• Perform a short “proof-firing” before the attack
• Tend not to rely only on volunteer participants but on the inner circle
13. The Server Isn’t Necessarily the 1st to Fail
Attackers also seem to understand that availability-based threats are more likely to impact the firewall than the server: a stateful firewall has to track every connection the flood opens, so it can exhaust its session table before the web servers behind it run out of capacity.
14. When You Don’t Protect the Firewall
• A leading online travel agency was hit by a massive HTTP page flood
• More than 4,000 attackers pounded the site for three days with the aim of overloading it…
Actions:
1st – User-Agent filter on the web servers … partial DoS
2nd – Attack mitigation device in front of the servers … partial DoS
3rd – Attack mitigation device in front of the firewall … 100% availability
[Chart: firewall resource status across the three stages]
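The case above contrasts a User-Agent filter with mitigation that actually looks at traffic behaviour. The following added example (written for this page; it is not Radware’s code and not from the report) runs two approaches over a constructed web-server access log: a User-Agent block list, and a sliding-window request-rate count per source IP. The log format is the standard Apache/nginx “combined” format; the IP addresses, the `flood-client/1.0` User-Agent string, the browser strings, the 10-second window and the 20-request threshold are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Simplified parser for the Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def flood_sources(lines, window_s=10, max_reqs=20):
    """Sliding-window request count per source IP.

    Returns {ip: peak requests seen inside any window_s-second window} for every
    source whose peak exceeds max_reqs. Lines only need to be in time order per
    IP, which is the order a server writes them in.
    """
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n > max_reqs}


def user_agent_filter(lines, blocked_markers):
    """Count how many lines a User-Agent block list would drop versus let through."""
    blocked = passed = 0
    for rec in filter(None, map(parse_line, lines)):
        if any(marker in rec["ua"] for marker in blocked_markers):
            blocked += 1
        else:
            passed += 1
    return blocked, passed


# --- constructed sample traffic (not real log data) ---------------------------
START = datetime(2011, 3, 1, 12, 0, 0, tzinfo=timezone.utc)


def make_lines(ip, user_agents, n, interval_s, path="/search?dest=anywhere"):
    """Generate n GET requests from ip, spaced interval_s apart, cycling user_agents."""
    lines = []
    for i in range(n):
        ts = (START + timedelta(seconds=i * interval_s)).strftime(TS_FMT)
        ua = user_agents[i % len(user_agents)]
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120 "-" "{ua}"')
    return lines


FLOOD_UA = "flood-client/1.0"           # assumed: fixed UA string used by most attackers
BROWSER_UAS = [                          # assumed: attackers that rotate ordinary browser strings
    "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0",
    "Mozilla/5.0 (Macintosh) Safari/533.21",
    "Mozilla/5.0 (X11; Linux) Chrome/10.0",
]

SAMPLE_LOG = (
    make_lines("198.51.100.10", [FLOOD_UA], n=50, interval_s=0.2)     # 5 req/s, fixed UA
    + make_lines("198.51.100.11", BROWSER_UAS, n=30, interval_s=0.3)  # ~3 req/s, rotating UAs
    + make_lines("203.0.113.5", [BROWSER_UAS[0]], n=5, interval_s=2)  # ordinary visitor
)

if __name__ == "__main__":
    print("UA filter (blocked, passed):", user_agent_filter(SAMPLE_LOG, [FLOOD_UA]))
    print("flood sources by rate:", flood_sources(SAMPLE_LOG))
```

On the sample, the User-Agent filter drops the 50 requests from the fixed-string attacker but passes all 30 from the attacker that rotates browser strings, which is the “partial DoS” outcome of the first action in the case; the rate count flags both attacking sources and leaves the ordinary visitor alone. A rate count is also the kind of type/size/frequency information the report’s recommendations ask you to collect.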
15. Low and Slow Tools & Trends
• “Low & Slow” attacks are gaining attention!
• Tools such as Slowloris and Socketstress have been able to exploit design weaknesses at a very low rate
• R.U.D.Y. (R-U-Dead-Yet) – a new slow HTTP POST tool that can attack any website
16. Low and Slow Tools & Trends
THC-SSL-DoS
• This tool allows a single computer to knock web servers offline by targeting a well-known weakness in secure sockets layer implementations: the server-side cost of SSL renegotiation
• An “asymmetric attack” – a single client request can cause the server to invest up to 15 times more resources
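The two slides above describe why low-and-slow tools work: they hold server connection slots open with almost no bandwidth, so the attack never looks like a flood. The following added example (written for this page; it is not from the report, from Radware, or from the Slowloris or R.U.D.Y. tools) is a small discrete-time model of that behaviour and of the usual countermeasure. Slowloris-style clients never finish their request headers and send one partial line every few seconds; R.U.D.Y.-style clients trickle a POST body a byte at a time. The server either has no limits, or enforces a header-completion timeout and a minimum body rate. The pool size of 150 connections, the 20-second header timeout, the 100 byte/s minimum rate and the clients’ send intervals are assumed values; the SSL renegotiation asymmetry of THC-SSL-DoS is not modelled here.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Conn:
    """One client connection holding a server slot."""
    kind: str                 # "slowloris" (never finishes headers), "rudy" (trickles body), "legit"
    opened: float             # simulation time at which the connection was accepted
    interval: float = 0.0     # seconds between the client's tiny sends
    bytes_per_send: int = 0   # bytes in each of those sends


@dataclass
class Server:
    """Server with a fixed connection pool and optional anti-slow-request controls."""
    max_conns: int
    header_timeout: Optional[float] = None   # seconds allowed to complete request headers
    min_body_rate: Optional[float] = None    # bytes/s a body upload must sustain
    conns: List[Conn] = field(default_factory=list)
    dropped: int = 0

    def accept(self, c: Conn) -> bool:
        if len(self.conns) >= self.max_conns:
            return False            # pool exhausted: connection refused
        self.conns.append(c)
        return True

    def tick(self, now: float) -> None:
        """Reclaim slots held by requests that violate the configured limits."""
        keep = []
        for c in self.conns:
            header_stalled = (c.kind == "slowloris" and self.header_timeout is not None
                              and now - c.opened > self.header_timeout)
            body_too_slow = (c.kind == "rudy" and self.min_body_rate is not None
                             and c.bytes_per_send / c.interval < self.min_body_rate)
            if header_stalled or body_too_slow:
                self.dropped += 1
            else:
                keep.append(c)
        self.conns = keep


def attacker_bandwidth(n_conns: int, bytes_per_send: int, interval: float) -> float:
    """Bytes per second the attacker needs to keep n_conns slots occupied."""
    return n_conns * bytes_per_send / interval


def simulate(server: Server, n_attackers: int, kind: str, interval: float,
             bytes_per_send: int, duration: int):
    """Attackers connect at t=0 and hold their slots; one legitimate request arrives
    every second and needs a slot for that second only.
    Returns (legit_served, legit_refused, attacker_conns_dropped)."""
    for _ in range(n_attackers):
        server.accept(Conn(kind, opened=0.0, interval=interval, bytes_per_send=bytes_per_send))
    served = refused = 0
    for t in range(1, duration + 1):
        server.tick(float(t))
        legit = Conn("legit", opened=float(t))
        if server.accept(legit):
            served += 1
            server.conns.remove(legit)   # the normal request completes within the step
        else:
            refused += 1
    return served, refused, server.dropped


if __name__ == "__main__":
    # 150 Slowloris connections, one 30-byte header fragment every 10 s each.
    print("no limits   :", simulate(Server(max_conns=150), 150, "slowloris", 10, 30, 60),
          "at", attacker_bandwidth(150, 30, 10), "B/s")
    print("header t/o  :", simulate(Server(max_conns=150, header_timeout=20),
                                    150, "slowloris", 10, 30, 60))
    # 150 R.U.D.Y. connections, one body byte every 10 s each.
    print("min body rate:", simulate(Server(max_conns=150, min_body_rate=100),
                                     150, "rudy", 10, 1, 60),
          "at", attacker_bandwidth(150, 1, 10), "B/s")
```

With no limits, 450 bytes per second is enough to refuse every legitimate request for the whole minute; a volumetric detector never sees it. The header timeout reclaims the slots at t=21 and the minimum body rate reclaims them on the first tick. In real deployments these two controls correspond to what Apache’s mod_reqtimeout (`RequestReadTimeout`) enforces, and they need to be paired with per-source connection limits, because a real Slowloris client simply reconnects after being dropped.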
17. Attack Impact – The “Size Doesn’t Matter”
[Chart: attack “size” (low to high) plotted against impact level (low to high) for the real-case attack campaigns, by attack category: HTTP floods, UDP floods, TCP connection attacks, DNS floods, app-based brute force and connection-based attacks.]
18. Multi Vector Attack Campaign – Advanced Tools
• In the post-LOIC period, Anonymous no longer depends on mass user participation for its attacks, in order to protect its supporters from the legal action that several countries are already taking
• To compensate for the loss of LOIC, Anonymous is focusing on its inner-circle hacking activities, which include the development of tools such as #refref that rely on exploiting software vulnerabilities rather than brute force attacks… acting as an advanced persistent threat (APT)…
19. Recommendations
• Be Prepared for DoS / DDoS Attacks
• Be Wary of Complimentary DoS/DDoS Protection
• Collect information about attacks such as type, size and frequency;
use the right measure
• Position Your DoS/DDoS Mitigation Solution Properly
• Ensure Your DoS/DDoS Mitigation Solution Encompasses
Many Technologies
• Have a Consolidated or “Context Aware” View into Enterprise Security
• Invest in Education and Develop Good Internal Security Policies