
Internet Attack Reality #appsecapac2014

OWASP Japan
March 19, 2014


Transcript

  1. About Me
     • About Akamai Technologies: Akamai makes the Internet faster, more reliable and secure.
     • About Me: Makoto Niimura, CTO, Akamai Technologies, GK. Former developer of telco systems and business applications. Recently, encouraging globally operating Japanese companies to adopt advanced business schemes through better use of the Internet.
  2. Agenda
     1. Akamai Platform and Security Information
     2. Macro Trend of Attack Traffic
     3. Attack Incidents
        1) Senkaku Island related
        2) London Olympic
        3) Recent attack on a Major Bank
        4) Account Checker
     4. Summary
  3. Akamai Platform
     • Akamai EdgeServers are deployed at major ISPs and IXs.
     • 90% of Internet users can reach an EdgeServer within 1 network hop.
     • A request to an Akamai customer site goes through an EdgeServer close to the client.
     • The EdgeServer analyzes the HTTP request, fetches the content accordingly, then responds to the client.
     • Detailed logs are recorded, collected and analyzed for various purposes, including security-related intelligence.
  4. Akamai Platform
     • 2 trillion requests per day
     • 21.6 Tbps at peak
     • Protected customer sites from a 200 Gbps attack
     • Approx. 15-30% of global Web traffic; security information is derived from this same sample size
     • 147,000+ servers, 2,300+ locations, 92 countries, 1,200+ networks, 900+ cities
  5. State of the Internet Report
     • Attacks targeting global major players are directed at Akamai
     • Hackers try to defeat Akamai itself
     • Probably one of the most attacked companies and platforms
     • Publishing the quarterly "State of the Internet" report: http://www.akamai.com/stateoftheinternet/index.html#nui
  6. Trend for Attack Origin
     [Chart: share of observed attack traffic by origin country, quarterly from 2010 Q1 to 2013 Q3, y-axis 0-45; series: Indonesia, China, USA, Taiwan, Turkey, Russia, Brazil, Romania]
  7. Trend for Attack Origin
     • 2010-2011: China, the US and Russia are the big 3, or the big 4 together with Taiwan
     • China stood out from the end of 2011
     • The US steadily increased over the same period
     • In spring 2011, and again from spring through summer 2013, Indonesia abruptly emerged as #1
  8. Trend for Targeted Port
     [Chart: share of observed attack traffic by targeted port, quarterly from 2010 Q1 to 2013 Q3, y-axis 0-80; series: 80 (HTTP), 443 (HTTPS), 445 (Microsoft-DS), 1433 (Microsoft SQL Server), 3389 (Microsoft Terminal Service), 23 (Telnet), 22 (SSH)]
  9. Trend for Targeted Port
     • Port 445 is the port targeted by the worm Conficker, which spread widely around 2009.
     • Its share has been declining because 1) other types of attacks have increased in number, and 2) the number of affected Windows PCs older than XP is declining.
     • The sudden surge of port 80 in the first half of 2011 is attributed to a sudden increase of HTTP attacks from Myanmar and Indonesia. No details behind it are available.
  10. Trend for Targeted Port
     [Chart 1: share of attack traffic on ports 80 (HTTP) and 443 (HTTPS), 2010 Q1 to 2013 Q3, y-axis 0-80]
     [Chart 2: share of attack traffic by origin (Indonesia, China, USA, Taiwan, Turkey, Russia), 2010 Q1 to 2013 Q3, y-axis 0-50]
     • Sudden increase in malicious web traffic from Indonesia, including both HTTP and HTTPS.
     • The tool Account Checker is behind the scenes.
     • Organized activity by a specific group can produce an attack big enough to influence the global statistics.
  11. Senkaku Island related 1
     • Sep. 2010: a Chinese fishing boat intruded into territorial waters; the captain was arrested.
     • Anniversary attack on Sep. 18, the date of the Manchurian Incident
     • 50x access volume to a major bank
     • Simple attack, like F5 (reload in IE)
  12. Senkaku Island related 2
     • Protest against island ownership by the Japanese Government in Aug. 2012.
     • The Chinese hacker group "紅客連盟" (Honker Union) initiated cyber attacks on Japan.
     • 4,000 people joined the BBS and chat rooms.
     • A link to the attack tool was shared, with targets at 300 companies and organizations embedded in it.
     • Lasted more than a week, from Sep. 11 to Sep. 19, 2012.
     • At least 19 sites recognized attacks, according to the police.
     • 11 government and enterprise sites were down for as long as 15 hours.
     • Sites of courts and hospitals had their content altered.
     Ex) http://www.nikkei.com/article/DGXNASDG1904B_Z10C12A9CC1000/
  13. London Olympic 2012
     Attack #1. Target: www.london2012.com
     • The attack started 5 hours prior to the opening ceremony with 23 different vectors, including SQL injection, cross-site scripting, LDAP injection and scripted bots.
     • 223,000 requests/sec at peak
     • 11,094 requests/sec hit CRS (OWASP Core Rule Set) rules
     • 18% of the attack was denied at the WAF
  14. London Olympic 2012
     Attack #2. On the first day of the games, 5.6 billion attack requests came in. The WAF CRS denied 36 million of them.
  15. Major Trend in 2012
     Old DDoS target: network layer (Layers 3/4). Increasingly: application layer (Layer 7).
     • Attacks using various vectors are becoming more common.
     • Flooding the sophisticated security mechanism
       → Management tends to prioritize accepting users, hoping they are legitimate
       → The security mechanism is loosened
       → Attacks to steal secrets or alter content come in.
     DDoS paradox: an overwhelmed security mechanism easily lets malicious attacks go through.
  16. Recent Attack on a Major Bank
     • Attacks coming in every week.
     • Various vectors; more than 20 CRS rules activated.
  17. Account Checker
     • Massive hacking of consumer login accounts at major EC (e-commerce) and travel sites started around spring 2013.
     • At least $200M of loss was reported by the time the hacker group in Vietnam was arrested in June 2013.
     • The attackers used the same ID-password sets leaked somewhere else.
     • The tool Account Checker picked out the ID-password sets that were valid at the targeted EC/travel sites.
  18. Account Checker
     • It started out with customer complaints of unintended address changes.
     • Multiple customers had been changed to the same shipping address and e-mail address.
     • The change requests came in from a small set of IP addresses.
     • After a long investigation, the authorities finally found the Vietnamese hacker group.
     • The tool still appears to exist even today.
  19. Account Checker
     • Validates ID-password sets at each target site through public proxies.
     • From the site's point of view, each attempt appears to be an ordinary login.
  20. Account Checker
     • As a consumer
       – Assume your ID-password will be leaked somewhere
       – Never use the same password across sites
     • As a site owner
       – Assume you are already targeted by the account checker
         • Look for increased failed login attempts
         • Be careful with customer complaints of unintended address changes
       – Assume valid ID-password sets were identified
         • Be sure to send an e-mail notification when customer info changes
         • Better hashing for important info like card #
       – Protection from Account Checker
         • Mandatory human intervention scheme like CAPTCHA
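The site-owner checks on this slide (watch for a rise in failed logins coming from a small set of IP addresses, cluster the unintended address changes, and reset the accounts the checker found valid) can be run over plain login and profile-change logs. The Python below is an added example written for this page; it is not Akamai's or the speaker's code. The log line format, the IP addresses (taken from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges), the thresholds and every sample record are constructed assumptions, not real traffic.

```python
"""Account-checker (credential stuffing) triage over constructed login and
profile-change logs. Added example for this deck; not Akamai's code."""
import re
from collections import defaultdict

# Assumed log formats (not Akamai's):
#   login:  "<ts> <client_ip> <account> LOGIN_OK|LOGIN_FAIL"
#   change: "<ts> <client_ip> <account> shipping_address=<value>"
LOGIN_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL)$")
CHANGE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) shipping_address=(?P<addr>.+)$")


def parse(text, regex):
    """Return one dict per line that matches the given format; skip the rest."""
    return [m.groupdict() for m in (regex.match(l.strip()) for l in text.splitlines()) if m]


def ip_login_stats(events):
    """Per client IP: total attempts, failures, and the set of accounts tried."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "LOGIN_FAIL":
            s["failures"] += 1
    return stats


def flag_checker_ips(events, min_attempts=20, min_users=10, min_fail_rate=0.8):
    """Checker signature: one IP trying many distinct accounts, mostly failing.
    Each request on its own is an ordinary login, which is why per-request
    WAF rules do not catch it; the signal only shows up when aggregated."""
    flagged = {}
    for ip, s in ip_login_stats(events).items():
        rate = s["failures"] / s["attempts"]
        if s["attempts"] >= min_attempts and len(s["users"]) >= min_users and rate >= min_fail_rate:
            flagged[ip] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                           "fail_rate": round(rate, 2)}
    return flagged


def compromised_accounts(events, flagged_ips):
    """Accounts that logged in successfully from a flagged IP are the 'valid
    ID-password sets' the checker harvested: force a password reset on them."""
    return sorted({e["user"] for e in events
                   if e["ip"] in flagged_ips and e["result"] == "LOGIN_OK"})


def clustered_address_changes(changes, min_accounts=3):
    """Several customers 'changing' to the same shipping address was the first
    symptom in the deck; group changes by address and report the clusters."""
    by_addr = defaultdict(lambda: {"users": set(), "ips": set()})
    for c in changes:
        by_addr[c["addr"]]["users"].add(c["user"])
        by_addr[c["addr"]]["ips"].add(c["ip"])
    return {a: {"users": sorted(v["users"]), "ips": sorted(v["ips"])}
            for a, v in by_addr.items() if len(v["users"]) >= min_accounts}


def build_sample_logs():
    """Constructed sample data (not real traffic)."""
    checker_ip = "203.0.113.7"  # one public proxy replaying 25 leaked pairs
    logins = []
    for i in range(25):
        # assume 3 of the leaked pairs are still valid on this site
        result = "LOGIN_OK" if i in (4, 11, 19) else "LOGIN_FAIL"
        logins.append(f"2013-05-01T10:00:{i:02d} {checker_ip} user{i:02d} {result}")
    logins += [  # ordinary customers, including one mistyped password
        "2013-05-01T10:05:00 198.51.100.4 alice LOGIN_FAIL",
        "2013-05-01T10:05:20 198.51.100.4 alice LOGIN_OK",
        "2013-05-01T10:06:00 198.51.100.9 bob LOGIN_OK",
    ]
    changes = [f"2013-05-01T10:30:00 {checker_ip} {u} shipping_address=1-2-3 Drop St, Anytown"
               for u in ("user04", "user11", "user19")]
    changes.append("2013-05-01T10:31:00 198.51.100.9 bob shipping_address=9 Real Rd, Hometown")
    return "\n".join(logins), "\n".join(changes)


def triage():
    """Run all three checks over the sample logs and return the findings."""
    login_text, change_text = build_sample_logs()
    logins = parse(login_text, LOGIN_RE)
    flagged = flag_checker_ips(logins)
    return {"flagged_ips": flagged,
            "reset_accounts": compromised_accounts(logins, flagged),
            "address_clusters": clustered_address_changes(parse(change_text, CHANGE_RE))}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

On the sample data the proxy IP is flagged (25 attempts, 25 distinct accounts, 88% failures), the three accounts it logged into successfully are queued for a reset, and the shared drop address is reported with the accounts and IP behind it. The thresholds are starting points; tune them against your own baseline of failed logins, and keep in mind that a checker spread across many public proxies lowers the per-IP counts, so the address-change clustering and the e-mail notification on profile changes remain the safety net.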
  21. Overall Attack Statistics
     • Akamai publishes the overall attack statistics caught by the Akamai WAF.
     • They are available on a daily basis from Mar. 21, 2013, summarized by region, industry and attack vector: https://cdb.akamai.com/kona/index.html
     • 330 million attacks were recorded globally on Feb. 17.
  22. Summary
     • With advanced attack tools, an initiative from a small group can generate massive traffic.
     • A security mechanism that runs the OWASP CRS needs bigger capacity to match the magnitude of the attacks.
     • As a consumer, never use the same password across sites.
     • As a site owner, never assume login info is safe. Better hashing for important data stored, and a mechanism to pick up any unusual client activity, should be introduced.