the Internet faster, more reliable and secure • About Me: Makoto Niimura – CTO, Akamai Technologies, GK. Former developer of telco systems and business applications. Recently, encouraging globally operating Japanese companies to adopt advanced business schemes through better use of the Internet.
2. Macro Trend of Attack Traffic 3. Attack Incidents 1) Senkaku Island related 2) London Olympics 3) Recent attack on a Major Bank 4) Account Checker 4. Summary
• 90% of Internet users can reach an EdgeServer within 1 network hop. • Requests to an Akamai customer site go through an EdgeServer close to the client. • The EdgeServer analyzes the HTTP request, fetches content accordingly, then responds to the client. • Detailed logs are recorded, collected and analyzed for various purposes, including security-related intelligence.
Tbps at peak • Protected customer sites from a 200Gbps attack • Approx. 15-30% of global Web traffic • Security info derived from the same sample size • 147,000+ Servers • 2,300+ Locations • 92 Countries • 1,200+ Networks • 900+ Cities
for global major players directed to Akamai • Hackers trying to defeat Akamai itself • Probably one of the most attacked companies and platforms • Publishing the quarterly “State of the Internet” report • http://www.akamai.com/stateoftheinternet/index.html#nui
Or big 4 accompanied by Taiwan • China stood out from the end of 2011 • The US steadily increased over the same period • In Spring 2011, and again Spring through Summer 2013, Indonesia abruptly emerged as #1. Trend for Attack Origin
Conficker, which was widely spread around 2009 • It has been declining in share due to 1) the increased number of other types of attacks, 2) the declining number of affected Windows PCs older than XP. • The sudden surge of port 80 in the first half of 2011 is attributed to the sudden increase of HTTP attacks from Myanmar and Indonesia. No details behind it are available. Trend for Targeted Port
[Chart: share of targeted port by quarter, 2010 Q1 to 2013 Q3, for 80: HTTP and 443: HTTPS] [Chart: attack origin share by quarter, 2010 Q1 to 2013 Q3, for Indonesia, China, USA, Taiwan, Turkey, Russia] Sudden increase in malicious web traffic from Indonesia, including both HTTP and HTTPS. The tool Account Checker was behind the scenes. Organized activities by a specific group could produce an attack big enough to influence the global statistics. Trend for Targeted Port
territorial waters, the captain arrested. • Anniversary attack on the Manchurian Incident on Sep. 18 • 50X access to a major bank. • Simple attack, like F5 (reload on IE)
Aug. 2012. • Chinese hacker group “紅客連盟” initiated a cyber attack on Japan • 4,000 people joined BBS and chat rooms • Shared a link to the attack tool embedded with targets of 300 companies and organizations • Lasted more than a week, from Sep. 11 to Sep. 19, 2012 • At least 19 sites recognized attacks according to the police. • 11 sites from government and enterprises were down for as long as 15 hours. • Sites of courts and hospitals were altered. Ex) http://www.nikkei.com/article/DGXNASDG1904B_Z10C12A9CC1000/ Senkaku Island related 2
5 hours prior to the opening ceremony with 23 different vectors, including SQL injection, cross-site scripting, LDAP injection and scripted bots • 223,000 requests/sec at peak • Hits on CRS: 11,094/sec • 18% of attacks denied at the WAF
(Layer 7) Increasing further. Major Trend in 2012: Attacks using various vectors are becoming more common. Overflooding the sophisticated security mechanism → Management tends to prioritize accepting users, hopefully legitimate ones → Loosen the security mechanism → Attacks to steal secrets or alter content come in. DDoS Paradox: An overwhelmed security mechanism easily allows malicious attacks to go through.
EC and travel sites started around Spring 2013. At least $200M of losses were reported until the hacker group in Vietnam was arrested in Jun 2013. Used the same ID–password sets leaked somewhere else. The tool, Account Checker, picked out valid ID–password sets at targeted EC/travel sites.
of unintended address changes. • Changed to the same shipping address and e-mail address across multiple customers. • Change requests coming in from a small set of IP addresses. • After a long investigation, the authorities finally found the Vietnamese hacker group. • The tool still appears to exist even today.
ID–password would be leaked somewhere – Never use the same password across sites • As a site owner – Assume you are already targeted by the account checker • Look for increased failed login attempts • Be careful with customer complaints of unintended address changes – Assume valid ID–password sets have been identified • Be sure to send e-mail notification when customer info changes • Better hashing for important info like card # – Protection from Account Checker • Mandatory human intervention scheme like CAPTCHA
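The two slides above list the signals a site owner can watch for: a rise in failed logins, several customers "changing" to one shipping or e-mail address, and change requests concentrated on a few source IPs. The following is an added example, not code from the slides or from Akamai, that scores a constructed stream of login and profile-change events against those three indicators. The event field names (`ip`, `user`, `event`, `field`, `new_value`), the sample IPs and the thresholds are all assumptions chosen for illustration.

```python
"""Detection heuristics for account-checker (credential-stuffing) activity.

Added example; event schema, sample data and thresholds are assumptions.
"""
from collections import Counter, defaultdict


def _login_fails(ip, users):
    """Build one failed-login event per user from a single source IP."""
    return [{"ip": ip, "user": u, "event": "login_fail"} for u in users]


# Constructed sample events (not real data). One IP tries 25 accounts,
# then a handful of accounts are repointed at one drop address.
EVENTS = (
    _login_fails("203.0.113.5", [f"user{i}" for i in range(1, 26)])
    + [{"ip": "203.0.113.5", "user": "bob", "event": "login_ok"},
       {"ip": "203.0.113.5", "user": "carol", "event": "login_ok"},
       {"ip": "198.51.100.20", "user": "alice", "event": "login_fail"},  # ordinary typo
       {"ip": "198.51.100.20", "user": "alice", "event": "login_ok"}]
    + [{"ip": ip, "user": u, "event": "profile_change", "field": "shipping_address",
        "new_value": "PO Box 99, Example City"}
       for ip, u in [("203.0.113.5", "bob"), ("203.0.113.5", "carol"),
                     ("203.0.113.6", "dave"), ("203.0.113.6", "erin")]]
    + [{"ip": ip, "user": u, "event": "profile_change", "field": "email",
        "new_value": "drop@example.invalid"}
       for ip, u in [("203.0.113.5", "bob"), ("203.0.113.6", "dave"),
                     ("203.0.113.6", "erin")]]
    + [{"ip": "198.51.100.20", "user": "alice", "event": "profile_change",
        "field": "shipping_address", "new_value": "12 Elm St, Example City"}]
)


def failed_login_spikes(events, min_fails=10, min_accounts=5):
    """IPs with many failed logins spread across many distinct accounts.

    A single user mistyping a password fails a few times on one account;
    an account checker fails many times across many accounts.
    Returns {ip: (fail_count, distinct_accounts)} for flagged IPs.
    """
    fails = Counter()
    accounts = defaultdict(set)
    for e in events:
        if e["event"] == "login_fail":
            fails[e["ip"]] += 1
            accounts[e["ip"]].add(e["user"])
    return {ip: (n, len(accounts[ip])) for ip, n in fails.items()
            if n >= min_fails and len(accounts[ip]) >= min_accounts}


def shared_destination_changes(events, min_customers=3):
    """(field, new_value) pairs adopted by several distinct customers.

    Returns {(field, value): sorted user list} for values shared by at
    least min_customers accounts; unrelated customers rarely converge on
    one shipping or e-mail address by chance.
    """
    users = defaultdict(set)
    for e in events:
        if e["event"] == "profile_change" and e["field"] in ("shipping_address", "email"):
            users[(e["field"], e["new_value"])].add(e["user"])
    return {k: sorted(v) for k, v in users.items() if len(v) >= min_customers}


def change_source_concentration(events, min_changes=5, max_ips=2, min_share=0.8):
    """Flag when a handful of IPs account for most profile changes.

    Returns {ip: change_count} for the top max_ips IPs if, together, they
    cover at least min_share of all changes and there are enough changes
    to matter; otherwise an empty dict.
    """
    ips = Counter(e["ip"] for e in events if e["event"] == "profile_change")
    total = sum(ips.values())
    top = ips.most_common(max_ips)
    covered = sum(n for _, n in top)
    if total >= min_changes and covered / total >= min_share:
        return dict(top)
    return {}


def analyze(events):
    """Run all three heuristics and return their findings by name."""
    return {
        "failed_login_spikes": failed_login_spikes(events),
        "shared_destinations": shared_destination_changes(events),
        "change_source_concentration": change_source_concentration(events),
    }


if __name__ == "__main__":
    for name, finding in analyze(EVENTS).items():
        print(name, finding)
```

Each heuristic returns structured findings rather than a verdict, so the site owner can route them separately: a failed-login spike is a reason to require a CAPTCHA for that source, while a shared destination address is a reason to hold the affected orders and send the change notifications the slide recommends. Thresholds should be tuned against the site's own baseline; the values here are placeholders.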
by the Akamai WAF. It is available on a daily basis from Mar. 21, 2013, summarized by region, industry and attack vector. https://cdb.akamai.com/kona/index.html 330 million attacks recorded on Feb 17 globally.
small group could generate massive traffic. • Security mechanisms which run the OWASP CRS need to have bigger capacity to match the magnitude of the attacks. • As a consumer, never use the same password across sites. • As a site owner, never assume login info is safe. Better hashing for important data stored, and a mechanism to pick up any unusual client activity, should be introduced.