The Art of War is an ancient Chinese military treatise attributed to Sun Tzu,
a high-ranking military general, strategist and tactician. It is commonly
known to be the definitive work on military strategy and tactics, and for the
last two thousand years has remained the most important military
dissertation in Asia. It has had an influence on Eastern and Western military
thinking, business tactics, legal strategy and beyond. Leaders as diverse as
Mao Zedong and General Douglas MacArthur have drawn inspiration from
the work.
Many of its conclusions remain valid today in the cyber warfare era.
孫子兵法 (The Art of War)
知彼知己,百戰不殆: If you know the enemy and know yourself, you need not fear the result of a hundred battles.
Notable DDoS Attacks in the Last 12 Months
• Feb/July 2013, USA: Operation Ababil, targeting financial institutions
• July 2013, Colombia: the Colombian Independence Day attack
• March 2013, The Netherlands: Spamhaus, the biggest DDoS attack ever
• August 2013, Syria: Syrian Electronic Army attacking US media outlets
• November 2013, Ukraine & Baltic Countries: Operation “Opindependence”
• June 2013, South Korea: South Korean government websites under attack
Variation of Tactics 九變
The Army on the March 行軍
Illusion & Reality 虛實
The Use of Intelligence 用間
Laying Plans 始計
Attackers Deploy Multi-vulnerability Attack Campaigns
Diagram: attack vectors placed along the path Internet Pipe → Firewall → IPS/IDS → ADC → Attacked Server → SQL Server, in three groups:
• Volumetric attacks: high-bandwidth or high-PPS network flood attacks
• Network & stateful attacks: network scan, SYN floods, SSL floods, “Low & Slow” DoS attacks (e.g. Sockstress)
• Application attacks: HTTP floods, brute force, SQL injection, cross-site scripting, intrusions, app misuse
More than 50% of 2013 attack campaigns had more than 5 attack vectors.
Source: Radware 2013 ERT Report
Hacktivism – Move To Campaign-APT Oriented
• Complex: more than seven different attack vectors at once
• Blending: both network and application attacks
• Targeteering: select the most appropriate target and attack tools
• Resourcing: advertise, invite, coerce anyone capable
• Testing: perform short “proof-firing” prior to the attack
• Timeline: establish the most painful time period for the victim
Figure: hacktivist campaign sophistication rising over time (2010 to 2013):
• 2010: duration 3 days, 4 attack vectors, attack target Visa and MasterCard
• 2011: duration 3 days, 5 attack vectors, attack target HKEX
• 2012: duration 20 days, more than 7 attack vectors, attack target Vatican
• 2013: duration 7 months, multiple attack vectors, attack target US banks
故善战者,立于不败之地 The good fighters of old first put themselves beyond the possibility of defeat.
The Threat Landscape
• DDoS is the most common attack method.
• Attacks last longer.
• Government and Financial Services are the most attacked sectors.
• The multi-vector trend continues.
You don’t control all of your critical business systems.
Understand your vulnerabilities in the distributed, outsourced world.
没有战略,战术是之前失败的噪音: Without strategy, tactics are the noise before defeat.
漏洞 Vulnerability
Evolution of DDoS attack sources:
Individual Servers (1998 - 2002): Malicious software installed on hosts and servers (mostly located at Russian and east European universities), controlled by a single entity by direct communication. Examples: Trin00, TFN, Trinity.
Botnets (1998 - Present): Stealthy malicious software installed mostly on personal computers without the owner’s consent; controlled by a single entity through indirect channels (IRC, HTTP). Examples: Agobot, DirtJumper, Zemra.
Voluntary Botnets (2010 - Present): Many users, at times part of a hacktivist group, willingly share their personal computers, using predetermined and publicly available attack tools and methods, with an optional remote control channel. Examples: LOIC, HOIC.
New Server-based Botnets (2012): Powerful, well orchestrated attacks using a geographically spread server infrastructure. A few attacking servers generate the same impact as hundreds of clients.
不戰而屈人之兵,善之善者也 To subdue the enemy without fighting is the acme of skill.
Current prices on the Russian underground market:
Hacking corporate mailbox: $500
Winlocker ransomware: $10-$20
Unintelligent exploit bundle: $25
Intelligent exploit bundle: $10-$3,000
Basic crypter (for inserting rogue code into benign file): $10-$30
SOCKS bot (to get around firewalls): $100
Hiring a DDoS attack: $30-$70 / day, $1,200 / month
Botnet: $200 for 2,000 bots
DDoS Botnet: $700
ZeuS source code: $200-$250
Windows rootkit (for installing malicious drivers): $292
Hacking Facebook or Twitter account: $130
Hacking Gmail account: $162
Email spam: $10 per one million emails
Email scam (using customer database): $50-$500 per one million emails
行軍 (The Army on the March): Operation Ababil
Battlefield: U.S. Commercial Banks
Cause: Elimination of the film “Innocence of Muslims”
Battle: Phase 4 of a major multi-phase campaign, Operation Ababil, that commenced during the week of July 22nd. Primary targets included Bank of America, Chase Bank, PNC, Union Bank, BB&T, US Bank, Fifth Third Bank, Citibank and others.
Attackers: Cyber Fighters of Izz ad-Din al-Qassam
Result: Major US financial institutions impacted by intensive and protracted Distributed Denial of Service attacks.
Massive TCP and UDP flood attacks:
• Targeting both Web servers and DNS servers. The Radware Emergency Response Team tracked and mitigated attacks of up to 25Gbps against one of its customers. The source appears to be the Brobot botnet.
DNS amplification attacks:
• The attacker sends queries to a DNS server with a spoofed source address that identifies the target under attack. Large replies from the DNS servers, usually so big that they need to be split over several packets, flood the target.
HTTP flood attacks:
• Cause web server resource starvation due to an overwhelming number of page downloads.
Encrypted attacks:
• SSL-based HTTPS GET requests generate a major load on the HTTP server, consuming 15x more CPU to process the encrypted attack traffic.
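A defender-side check for the DNS amplification vector described above, added here as an example and not part of the presentation: the victim never sees the attacker's spoofed queries, so the observable signal at its own edge is a DNS reply for which it sent no query. The flow records, the target address and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records, not captured traffic: (timestamp, src, sport, dst, dport, bytes).
# TARGET is the protected host; the other addresses are documentation-range placeholders.
TARGET = "192.0.2.10"
FLOWS = [
    (0.00, TARGET, 40001, "198.51.100.5", 53, 60),      # query the target itself sent
    (0.05, "198.51.100.5", 53, TARGET, 40001, 180),     # its answer: solicited, ignored
    (0.20, "203.0.113.7", 53, TARGET, 40002, 3500),     # replies the target never asked for
    (0.25, "203.0.113.8", 53, TARGET, 40002, 3500),
    (0.30, "203.0.113.9", 53, TARGET, 40002, 3500),
    (0.35, "203.0.113.7", 53, TARGET, 40002, 3500),
    (1.10, TARGET, 40003, "198.51.100.5", 53, 60),
    (1.15, "198.51.100.5", 53, TARGET, 40003, 200),
]


def detect_dns_reflection(flows, target, window=1.0, byte_threshold=5000):
    """Return {window_index: {"bytes": n, "reflectors": [...]}} for time windows in which
    unsolicited DNS replies (UDP/53 -> target with no matching outbound query) exceed
    byte_threshold. Flows must be in timestamp order."""
    outstanding = set()                       # (resolver, client port) of queries we sent
    per_window = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    for ts, src, sport, dst, dport, size in flows:
        if src == target and dport == 53:
            outstanding.add((dst, sport))
        elif dst == target and sport == 53:
            key = (src, dport)
            if key in outstanding:            # legitimate answer to our own query
                outstanding.discard(key)
                continue
            bucket = per_window[int(ts // window)]
            bucket["bytes"] += size
            bucket["reflectors"].add(src)
    return {
        w: {"bytes": b["bytes"], "reflectors": sorted(b["reflectors"])}
        for w, b in per_window.items()
        if b["bytes"] >= byte_threshold
    }


if __name__ == "__main__":
    for w, hit in detect_dns_reflection(FLOWS, TARGET).items():
        print(f"window {w}: {hit['bytes']} unsolicited DNS bytes from {hit['reflectors']}")
```

The reflector list is what a defender would hand to an inbound UDP/53 rate limit or to the upstream provider; the recursive resolver the target legitimately uses never appears in it because its answers match an outstanding query.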
Don’t assume that you’re not a target.
Draw up battle plans. Learn from the mistakes of others.
目标 Target
Chart: where attacks hit along the path Internet Pipe, Firewall, IPS/IDS, ADC, Server and SQL Server, shown for 2011, 2012 and 2013 on a vertical axis from 0 to 35 (units not stated on the slide), grouped as volumetric attacks, network & session attacks and application attacks.
不可胜在己 Being unconquerable lies within yourself.
Bypassing CDN Protection
Diagram: a botnet sends requests of the form GET www.enterprise.com/?[Random] through the CDN to the Enterprise origin; because every request carries a different query string, the CDN cache never matches and each request is passed through to the origin.
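As an added example, not from the presentation, a defender-side treatment of the cache-busting pattern in the diagram: each request is reduced to the cache key the origin actually honours (the per-path parameter whitelist is a hypothetical assumption), and a client that sends many distinct raw query strings for a single cache key is flagged. The same normalisation, applied as the CDN cache key, keeps the random parameter from defeating the cache. The log lines are constructed.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed access-log entries, not from the page: (client address, HTTP request line).
LOG = [
    ("203.0.113.5", "GET /?a8f3k2 HTTP/1.1"),
    ("203.0.113.5", "GET /?zz91qp HTTP/1.1"),
    ("203.0.113.5", "GET /?m0x77e HTTP/1.1"),
    ("203.0.113.5", "GET /?q4nd1s HTTP/1.1"),
    ("203.0.113.5", "GET /?k2llp9 HTTP/1.1"),
    ("203.0.113.5", "GET /?b7c8vv HTTP/1.1"),
    ("198.51.100.9", "GET /?page=2 HTTP/1.1"),   # a normal client re-requesting one page
    ("198.51.100.9", "GET /?page=2 HTTP/1.1"),
    ("198.51.100.9", "GET /?page=2 HTTP/1.1"),
    ("198.51.100.9", "GET /?page=2 HTTP/1.1"),
    ("198.51.100.9", "GET /?page=2 HTTP/1.1"),
    ("198.51.100.9", "GET /?page=2&utm_source=x HTTP/1.1"),
]
# Hypothetical whitelist: the only query parameters the origin honours, per path.
ALLOWED = {"/": {"page"}}


def cache_key(request_target, allowed):
    """Reduce a request target to its path plus the honoured parameters, sorted.
    Used as the CDN cache key, a random '?[Random]' maps to the same key as '/'."""
    parts = urlsplit(request_target)
    keep = sorted(
        (k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k in allowed.get(parts.path, set())
    )
    return parts.path + ("?" + urlencode(keep) if keep else "")


def cache_busting_clients(log, allowed, min_requests=5, min_unique_ratio=0.8):
    """Flag clients that hit one cache key with many distinct raw query strings."""
    stats = defaultdict(lambda: {"requests": 0, "targets": set()})
    for client, request_line in log:
        _method, target, _version = request_line.split(" ", 2)
        key = (client, cache_key(target, allowed))
        stats[key]["requests"] += 1
        stats[key]["targets"].add(target)
    flagged = {}
    for (client, key), s in stats.items():
        unique = len(s["targets"])
        if s["requests"] >= min_requests and unique / s["requests"] >= min_unique_ratio:
            flagged[client] = {"cache_key": key, "requests": s["requests"], "unique_targets": unique}
    return flagged
```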
Cloud protection limitations.
Diagram: a botnet attacks the Enterprise through a cloud scrubbing service; the attack types shown are volumetric attacks, Low & Slow attacks and SSL encrypted attacks.
Don’t believe the propaganda.
Understand the limitations of solutions. Not all networking and security solutions are created equal.
宣传 Propaganda
兵之情主速: Rapidity is the essence of war.
THE SECURITY GAP
The attacker has time to bypass automatic mitigation.
The target does not possess the required defensive skills.
You can’t defend against attacks you can’t detect.
Know your limitations.
Enlist forces that have expertise to help you fight.
检测 Detection
故兵貴勝,不貴久 What is essential in war is victory, not prolonged operations.
Detection: Application Attacks
• Web Attacks
• Application Misuse
• Connection Floods
• Brute Force
• Directory Traversals
• Injections
• Scraping & API Misuse
Detection: Encrypted / Non-Volumetric Attacks
• Envelope Attacks – Device Overload
• Directed Attacks – Exploits
• Intrusions – Mis-Configurations
• Localized Volume Attacks
• Low & Slow Attacks
• SSL Floods
Layered Lines Of Defense
Diagram: the attack vectors from the earlier campaign diagram (large volume network flood attacks, network scan, SYN floods, SSL floods, “Low & Slow” DoS attacks such as Sockstress, HTTP floods, brute force) placed along the path Internet Pipe → Firewall → IPS/IDS → ADC → Attacked Server → SQL Server, grouped as volumetric, network & stateful, and application attacks, with the defensive layers Cloud DDoS protection, DoS protection, behavioral analysis, SSL protection, IPS and WAF positioned against them.
Aligned forces will make the difference
Protecting your data is not the same as protecting your business.
True security necessitates data protection, system integrity and operational availability.
可用性 Protection
Thank You [email protected] www.radware.com
http://security.radware.com