DDoS Attacks & Defenses


Academic year: 2021


DDoS Attacks & Defenses

DDoS (1/2)

• Distributed Denial of Service (DDoS) attacks form a significant security threat
  • making networked systems unavailable
  • by flooding with useless traffic
  • using large numbers of "zombies"
  • growing sophistication of attacks

DDoS (2/2)

Introduction

I. Overview of July 7th DDoS Attack

DDoS attack against Korea and US government and biz web sites caused system failure and connection delay.

Attack Overview

Target: Korea and US government and biz sites (bank, e-commerce and portal)
Motivation: political propaganda, social disorder (still unknown and under LE investigation)
Mechanism: propagate malware through an online storage site; embed the predefined target and schedule in the malware

I. Overview of July 7th DDoS Attack

[Figure: attack timeline, time zone GMT+9 (KST). Attacker -> intermediary hosts -> zombie army -> attack targets; botnet size over 150,000.]
- 6th ~ 7th July: download SW on the online storage site replaced with malware; PCs infected with the malicious code and target list
- 1st attack phase: 7th Jul 18:00, 26 targets
- 2nd attack phase: 8th Jul 18:00, 16 targets (target sites updated)
- 3rd attack phase: 9th Jul 18:00, 7 targets
- DDoS: 7th Jul ~ 10th Jul; IPs blocked
- Self destruction / HDD destruction: 10th Jul 00:00 ~

II. Details of July 7th DDoS Attack

Intermediary Hosts

[Figure: infection and update flow. The attacker hosts malicious code on an online storage service; a zombie PC downloads the initial infection code, creates additional codes, fetches the DDoS attack code (+ target list) and attacks the target; code updates arrive by requesting and downloading flash.gif and updating wversion.exe, ending in self destruction (HDD destruction).]

Attacker (hacker)

II. Details of July 7th DDoS Attack

Online Storage Service

[Figure: recruiting zombies and updating malware through the online storage service.]
- Normal path: PC users enlist for the service and install the dedicated download SW (normal).
- Attack path: malicious code is uploaded, replacing the dedicated SW; users install the mal-code (tampered dedicated SW); afterwards the dedicated SW is recovered (normal).
- Infected PCs carry the malicious code (perfvwr.dll, wversion.exe, etc.).
- A distribution server then supplies the target list, code updates and the updated HDD destruction code.
- Target list update: uregvs.nls; code update: flash.gif (wversion.exe).
- Update configuration pointing at the malicious update (code update), as shown on the slide:

  <NAME>XXXX UPDATE</NAME>
  <VERSION>1.0.0.1</VERSION>
  <URL>http://update.xxxx.co.kr/mmsv/DUpdate.exe</URL>

II. Details of July 7th DDoS Attack

Files dropped on an infected PC:

Dupdate3.exe (from the online storage download)
  -> C:\WINDOWS\system32\ntdll.exe
DDoS code
  -> c:\WINDOWS\system32\wmiconf.dll
  -> c:\WINDOWS\system32\pxdrv.nls
  -> c:\WINDOWS\LastGood\system32\npptools.dll
  -> c:\WINDOWS\system32\Packet.dll
  -> c:\WINDOWS\system32\WanPacket.dll
  -> c:\WINDOWS\system32\wpcap.dll
  -> c:\WINDOWS\system32\dllcache\npptools.dll
  -> c:\WINDOWS\system32\drivers\npf.sys
Additional code dropper
  -> c:\WINDOWS\system32\wmcfg.exe
HDD destruction / code update
  -> c:\WINDOWS\system32\wversion.exe
  -> c:\WINDOWS\system32\mstimer.dll

II. Details of July 7th DDoS Attack

• HDDs in certain Zombie PCs destroyed
  – Destroy all kinds of document files and program source files (overwrite and encryption)
  – Overwrite fixed disks' MBR with a specific value:

  008F1850 4D 65 6D 6F 72 79 20 6F 66 20 74 68 65 20 49 6E  Memory of the In
  008F1860 64 65 70 65 6E 64 65 6E 63 65 20 44 61 79 00 00  dependence Day..
  008F1870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  008F1880 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  008F1880 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  008F1890 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  008F18A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  008F18B0 00 00 00 00 55 55 55 55 55 55 55 55 55 55 55 55  ....UUUUUUUUUUUU
  008F18C0 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
  008F18D0 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
  008F18E0 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
  008F18F0 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
  008F1900 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU

IV. Characteristics of July 7th Attack

• Difficulties to respond
  – Small amount of attack traffic generated from each zombie
    • Less than 50 Kbps of network traffic per PC observed
  – Various attack methods
    • Small amount of UDP/ICMP flooding (about 4% of total attack traffic)
    • Small amount of HTTP requests (only 1 ~ 25 Kbps of traffic measured)
    • HTTP GET flooding with varying agent information in the HTTP request header made it difficult to filter at victim sites

IV. Characteristics of July 7th Attack

• Exploits Online Storage Service S/W
  – Replaces the download S/W with malware
    • A suspicious situation was monitored, but the abused host could not be analyzed
  – PCs became zombies regardless of security patches installed
    • All PCs with the file download software installed were infected by malware through the software update procedure

DDoS Monitoring System using Cloud AV

2009.09.30 AhnLab, Inc.

Malicious Code Evolution

[Figure: timeline ~1995 / 1996 ~ 2000 / 2001 ~ 2005 / 2006 ~. Infection speed moves from slow to quick; motives move from curiosity and self-display to zero-day attacks and financial motive, and on to financially motivated, organized, targeted attacks with quick and easy production of variants, aggravating into crime. Code types listed along the timeline: file virus, boot virus, macro virus, script virus, worm, spyware, spam, phishing, Trojans, botnet, rootkit. Distribution moves from LAN to Internet to diversified methods (WEB, P2P, USB, multimedia service), with social engineering techniques and complicated, sophisticated code.]

7.7 DDoS Attack Flow

[Figure: attack flow with AhnLab detection names.]
- msiexec1.exe (main): Win-Trojan/Downloader.374651; creates pxdrv.nls (encrypted file) and the temporary files below
- _S3.tmp (wmiconf.dll): Win-Trojan/Agent.67072.DL
- _S4.tmp (wpcap.dll), _S5.tmp (packet.dll), _S6.tmp (wanpacket.dll), _S7.tmp (npf.sys), _S8.tmp (npptools.dll)
- _S9.tmp (wmcfg.exe): Win-Trojan/Mydoom.88064
- uregvs.nls: BinImage/Host (attack URL/time/type)
- msiexec9.exe: Win-Trojan/Agent.xxxx
- flash.gif: BinImage/Destroyer, downloaded from a certain IP address (update target host)
- DDoS attack launched against the target service providers (30 threads/sites)
- wversion.exe (1st): Win32/Mydoom.worm.33764; mstimer.dll: Win32/Mydoom.worm.45056.D
- SPAM mail sending
- wversion.exe (dropper): Win-Trojan/Destroyer.40960; wversion.exe (2nd): Win-Trojan/Destroyer.37264; BinImage/Destroyer -> disk data damage (09.07.10 00AM; if msvcr90.dll exists, download)

DDoS Attack Evolution

"Anti-DDoS protection alone cannot defeat DDoS attack attempts."

A new form of compound attack, unlike conventional types of attack, frustrates a simple anti-DDoS protection arrangement.

Recent DDoS Attack Highlights Criticality of Client Security

- Intelligent attack: a scheduler built into the malicious code renders defense ineffective unless the malicious code is fully analyzed.
- The DDoS attack is no longer distinguishable from normal traffic.
- DDoS codes wait in complete ambush even after infection before launching the attack all at once.
- Damage HW in addition to turning the PC into a zombie: defense is not possible unless the malicious code designed to damage HW is fixed or prevented from being downloaded in advance.
- Early action intended to keep the PC from being turned into a zombie in advance is essential.

DDoS Monitoring System

[Figure: monitoring flow from client PCs through the risk information collector to the DDoS Monitoring Center and out to authorities, ISPs and businesses.]
① Detect abnormal network traffic from a specific file
② Monitor identical events (risk information collector)
③ Analyze in real time (DDoS Monitoring Center)
  • Analyze program information
  • Analyze reputation system
  • Analyze file activity trend
  • Analyze behavior-based activity
  • Analyze inter-file relation
  • Analyze malicious code distribution path
④ Apply analysis results in real time
  • Prevent propagation of Zombie PCs
  • Authorities / ISPs: early DDoS propagation warning
  • Businesses: preemptive DDoS defense

DDoS Monitoring System Capabilities

Detect malicious codes
- Analyze program information
- Analyze reputation system
- Analyze file activity trend
- Analyze behavior-based activity
- Analyze inter-file relation

Statistics-based processing
- If network traffic exceeds the predefined DDoS threshold but whether a file contains malicious code cannot be determined, statistics-based processing is utilized (e.g., network traffic generated in multiple clients for the same destination exceeds the predefined threshold)
- Analyze traffic statistics including the entity causing the network traffic, the destination and the traffic volume

File path tracking
- Trace file distribution path
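The statistics-based processing described above, as an added example that is not AhnLab's code: it takes constructed endpoint telemetry records (client, file hash, destination, Kbps) and flags a file when more distinct clients than a threshold send traffic from that file to the same destination while each client individually stays under the per-PC rate the slides observed (under 50 Kbps). The record format, the threshold value and the sample data are assumptions.

```python
# Added example (not AhnLab's code): statistics-based detection of the
# low-rate, many-client DDoS pattern described on the page. Input records are
# constructed endpoint telemetry: (client_id, file_hash, destination, kbps).
from collections import defaultdict

# Per-client rate is tiny (the page observed < 50 Kbps per zombie PC), so a
# per-host threshold never fires; the signal is how many distinct clients
# running the *same* file converge on the same destination.
CLIENT_THRESHOLD = 3        # assumed value; a real deployment tunes this
PER_PC_KBPS_CAP = 50.0      # page: less than 50 Kbps per PC observed

def aggregate(records):
    """Group traffic by (file_hash, destination): distinct clients and total kbps."""
    stats = defaultdict(lambda: {"clients": set(), "kbps": 0.0})
    for client, file_hash, dest, kbps in records:
        s = stats[(file_hash, dest)]
        s["clients"].add(client)
        s["kbps"] += kbps
    return stats

def find_suspect_files(records, client_threshold=CLIENT_THRESHOLD):
    """Return {file_hash: sorted destinations} where the distinct-client count
    for one destination exceeds the threshold and every contributing client
    individually stays under the per-PC cap (a low-rate flood)."""
    per_client = defaultdict(float)
    for client, file_hash, dest, kbps in records:
        per_client[(client, file_hash, dest)] += kbps
    findings = defaultdict(set)
    for (file_hash, dest), s in aggregate(records).items():
        low_rate = all(per_client[(c, file_hash, dest)] < PER_PC_KBPS_CAP for c in s["clients"])
        if len(s["clients"]) > client_threshold and low_rate:
            findings[file_hash].add(dest)
    return {h: sorted(d) for h, d in findings.items()}

# Constructed sample telemetry: five PCs running the same unknown binary each
# send 9-20 Kbps to two sites; one PC runs a legitimate backup job at a high rate.
SAMPLE = [
    ("pc01", "hash-A", "203.0.113.10:80", 12.0), ("pc02", "hash-A", "203.0.113.10:80", 18.0),
    ("pc03", "hash-A", "203.0.113.10:80", 9.5),  ("pc04", "hash-A", "203.0.113.10:80", 20.0),
    ("pc05", "hash-A", "203.0.113.10:80", 15.0),
    ("pc01", "hash-A", "198.51.100.7:80", 11.0), ("pc02", "hash-A", "198.51.100.7:80", 14.0),
    ("pc03", "hash-A", "198.51.100.7:80", 13.0), ("pc04", "hash-A", "198.51.100.7:80", 10.0),
    ("pc06", "hash-B", "192.0.2.50:443", 900.0),   # single client, high rate: backup job
    ("pc07", "hash-C", "203.0.113.10:80", 5.0),    # one ordinary visitor to the same site
]

if __name__ == "__main__":
    for file_hash, dests in find_suspect_files(SAMPLE).items():
        print(f"{file_hash}: {len(dests)} destination(s) -> {dests}")
```

The flagged file hash and its destination set are what the page's File path tracking step would then trace back through the distribution path.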

DDoS Monitoring System Advantages

Respond to unknown malicious codes
- Employ a variety of diagnostic technologies
- Enable real time response prior to vaccine engine update

Reduce diagnostic error rate
- Reduce the diagnostic error rate by determining the existence of malicious code in reference to the AhnLab Smart Defense Database
- Reduce the error rate by analyzing on the basis of behavior & statistics

Real time update benefits
- Update information on new malicious code in real time to keep Zombie PCs from multiplying
