DDoS Attacks & Defenses - KAIST (caislab.kaist.ac.kr/lecture/2010/fall/cs748/2010-02-DDoS...)
2010-11-16
DDoS Attacks & Defenses
DDoS (1/2)
• Distributed Denial of Service (DDoS) attacks form a significant security threat
  • making networked systems unavailable
  • by flooding them with useless traffic
  • using large numbers of "zombies"
• growing sophistication of attacks
• defense technologies struggling to cope
DDoS (2/2)
http://caislab.kaist.ac.kr/77ddos/Program.html
Introduction
I. Overview of July 7th DDoS Attack
The DDoS attack against Korean and US government and business web sites caused system failures and connection delays.
Attack Overview
- Target: Korean and US government and business sites (banks, e-commerce and portals)
- Motivation: political propaganda, social disorder (still unknown and under LE investigation)
- Mechanism: propagate malware through an online storage site; embed the predefined targets and schedule in the malware
- Typical IRC botnet: real-time connection with C&C servers
[Figure: attack timeline (time zone GMT+9, KST) and attack flow; only the labels are recoverable]
I. Overview of July 7th DDoS Attack - timeline
- Botnet size: over 150,000 zombies
- 6th July ~ 7th July: the download S/W on an online storage site is replaced with malware; PCs are infected with the malicious code and receive a target list
- 1st attack phase, 7th Jul 18:00: 26 targets
- 2nd attack phase, 8th Jul 18:00: 16 targets (target site list updated on 8th Jul)
- 3rd attack phase, 9th Jul 18:00: 7 targets
- DDoS attacks: 7th Jul ~ 10th Jul; IPs blocked
- HDD destruction: 10th Jul 00:00 ~, followed by self destruction
II. Details of July 7th DDoS Attack - attack flow
- Attacker -> intermediary hosts (online storage): hosting of the initial infection code, the DDoS attack code (+ target list), additional codes and code updates
- Zombie PC: infection, flash.gif request and download, wversion.exe update, DDoS attack against the attack target, HDD destruction, self destruction of the malicious code
[Figure: II. Details of July 7th DDoS Attack - abuse of the online storage service; labels only]
- Hacker / Attacker: enlists in the online storage service and installs the dedicated download S/W (normal)
- Attacker uploads malicious code to the distribution server, replacing the dedicated S/W (tampered dedicated S/W); the dedicated S/W is later recovered (normal)
- PC users: install the dedicated download S/W (normal) or the tampered dedicated S/W and become infected with malicious code (perfvwr.dll, wversion.exe, etc.)
- Recruiting zombies / updating malware through the update mechanism:
  <NAME>XXXX UPDATE</NAME><VERSION>1.0.0.1</VERSION><URL>http://update.xxxx.co.kr/mmsv/DUpdate.exe </URL>
- Code update: target list update (uregvs.nls); HDD destruction code: flash.gif (wversion.exe)
II. Details of July 7th DDoS Attack - dropped files
- Online storage: Dupdate3.exe -> C:\WINDOWS\system32\ntdll.exe (DDoS code)
- DDoS code -> c:\WINDOWS\system32\wmiconf.dll -> c:\WINDOWS\system32\pxdrv.nls -> c:\WINDOWS\LastGood\system32\npptools.dll -> c:\WINDOWS\system32\Packet.dll -> c:\WINDOWS\system32\WanPacket.dll -> c:\WINDOWS\system32\wpcap.dll -> c:\WINDOWS\system32\dllcache\npptools.dll -> c:\WINDOWS\system32\drivers\npf.sys
- Additional code dropper -> c:\WINDOWS\system32\wmcfg.exe -> c:\WINDOWS\system32\wversion.exe -> c:\WINDOWS\system32\mstimer.dll (HDD destruction, code update)
II. Details of July 7th DDoS Attack
• HDDs in certain Zombie PCs destroyed
  – Destroys all kinds of document files and program source files (overwrite and encryption)
  – Overwrites the MBR of fixed disks with a specific value:
  008F1850  4D 65 6D 6F 72 79 20 6F 66 20 74 68 65 20 49 6E  Memory of the In
  008F1860  64 65 70 65 6E 64 65 6E 63 65 20 44 61 79 00 00  dependence Day..
  008F1870  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  008F1880  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  008F1890  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  008F18A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  008F18B0  00 00 00 00 55 55 55 55 55 55 55 55 55 55 55 55  ....UUUUUUUUUUUU
  008F18C0  55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
  008F18D0  55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
  008F18E0  55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
  008F18F0  55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
  008F1900  55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
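As an added example (not from the slides), a forensic triage check that recognises this overwrite pattern in a 512-byte sector image taken from an affected disk. The wiped-sector layout (marker string, NUL padding, then 0x55 up to the end of the sector) is assumed from the dump above, and both sample sectors are constructed.

```python
# Added example (not from the slides): triage an MBR sector image for the
# "Memory of the Independence Day" overwrite. A healthy MBR ends in the
# 0x55AA boot signature; the wiped sector carries the marker and 0x55 padding.
MARKER = b"Memory of the Independence Day"


def triage_mbr(sector: bytes) -> dict:
    """Classify a 512-byte sector as 'intact', 'wiped' or 'suspicious'."""
    if len(sector) != 512:
        raise ValueError("expected one 512-byte sector")
    has_boot_sig = sector[510:512] == b"\x55\xaa"
    has_marker = MARKER in sector
    fill_ratio = sector.count(0x55) / 512        # share of the padding byte
    if has_marker or (not has_boot_sig and fill_ratio > 0.5):
        verdict = "wiped"                         # known pattern, or 0x55-flooded
    elif not has_boot_sig:
        verdict = "suspicious"                    # no boot signature: look closer
    else:
        verdict = "intact"
    return {"verdict": verdict, "boot_sig": has_boot_sig,
            "marker": has_marker, "fill_ratio": round(fill_ratio, 2)}


def constructed_wiped_sector() -> bytes:
    # Layout assumed from the dump: marker, NUL bytes to offset 0x64, then 0x55.
    body = MARKER + b"\x00" * (0x64 - len(MARKER))
    return body + b"\x55" * (512 - len(body))


def constructed_intact_sector() -> bytes:
    # Placeholder boot code (constructed), empty table, valid boot signature.
    return b"\xeb\x3c\x90" + b"\x90" * 507 + b"\x55\xaa"
```

Run it against sector 0 of a disk image rather than a live disk; the 0x55 ratio is what distinguishes this wipe from an ordinary corrupted boot record.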
IV. Characteristics of July 7th Attack
• Difficulties in responding
  – Small amount of attack traffic generated from each zombie
    • Less than 50 Kbps of network traffic per PC observed
  – Various attack methods
    • Small amount of UDP/ICMP flooding (about 4% of total attack traffic)
    • Small amount of HTTP requests (only 1 ~ 25 Kbps of traffic measured)
    • HTTP GET flooding that varied the agent information in the HTTP request header made filtering at the victim sites difficult
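As an added example (not from the slides), victim-side detection logic for the HTTP GET flood described above, run over constructed access-log records: because each zombie rotates its User-Agent, a blocklist on the agent string fails, so this check profiles each source by its request count and by how many distinct User-Agents it presents within one window. The thresholds, IP addresses and agent strings are assumptions.

```python
# Added example (not from the slides): profile request sources instead of
# filtering on User-Agent. A single address that presents several different
# agent strings within a minute while sustaining a steady request rate is the
# signature of the rotating-agent flood, even when its own rate is modest.
from collections import defaultdict

# Constructed access-log records: (timestamp_sec, source_ip, path, user_agent).
SAMPLE_LOG = (
    [(t, "10.0.0.7", "/", f"Mozilla/4.0 (compatible; MSIE {6 + t % 3}.0)")
     for t in range(0, 60, 2)]                      # 30 requests, 3 agents
    + [(t, "10.0.0.9", "/", f"Mozilla/5.0 (Windows NT 5.1; rv:{t % 5})")
       for t in range(0, 60, 3)]                    # 20 requests, 5 agents
    + [(5, "192.0.2.10", "/index.html", "Mozilla/5.0 (Windows NT 6.1)"),
       (30, "192.0.2.10", "/news", "Mozilla/5.0 (Windows NT 6.1)"),
       (40, "192.0.2.11", "/", "Mozilla/4.0 (compatible; MSIE 7.0)")]
)


def profile_sources(log, window=60, rate_threshold=20, ua_threshold=3):
    """Return {src: (requests, distinct_agents, flagged)} for one window."""
    per_src = defaultdict(lambda: [0, set()])
    for ts, src, _path, ua in log:
        if ts < window:
            per_src[src][0] += 1
            per_src[src][1].add(ua)
    result = {}
    for src, (n, agents) in per_src.items():
        # Both conditions must hold: rate alone catches busy proxies, agent
        # variety alone catches a shared NAT; together they isolate zombies.
        flagged = n >= rate_threshold and len(agents) >= ua_threshold
        result[src] = (n, len(agents), flagged)
    return result


def flagged_sources(log, **kw):
    """Sorted list of sources that rate-limiting or blocking should target."""
    return sorted(s for s, (_n, _u, f) in profile_sources(log, **kw).items() if f)


def flagged_share(log, **kw):
    """Fraction of all requests in the window that came from flagged sources."""
    prof = profile_sources(log, **kw)
    total = sum(n for n, _u, _f in prof.values())
    bad = sum(n for n, _u, f in prof.values() if f)
    return bad / total if total else 0.0
```

Tune the thresholds against a baseline of normal traffic first; corporate NATs legitimately present several agents, which is why the rate condition is required as well.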
IV. Characteristics of July 7th Attack
• Exploits the online storage service S/W
  – Replaces the download S/W with malware
  • A suspicious situation was monitored, but the abused host could not be analyzed
  – PCs became zombies regardless of the security patches installed
  • All PCs that installed the file download software were infected by the malware through the software update procedure
DDoS Monitoring System using Cloud AV
2009.09.30
AhnLab, Inc.
SiHaeng Cho, Director of R & D Center
Malicious Code Evolution
[Figure: timeline chart; only the labels are recoverable]
- Periods (x-axis): ~1995 (LAN); 1996 ~ 2000 (Internet); 2001 ~ 2005 (Internet); 2006 ~ (WEB, P2P, USB, multimedia service)
- Malware types listed, in order: file virus, boot virus, macro virus, script virus; worm, spyware, spam, phishing; trojans, social engineering technique; phishing, botnet, rootkit; complicated & sophisticated, diversifying distribution methods
- Trend labels: slow infection (curiosity, self-display); quick infection (curiosity, self-display); zero-day attack (financial motive); financial motives/organized, targeted attacks, quick & easy to produce variation, aggravating into crime
7.7 DDoS Attack Flow
[Figure: flow diagram of dropped files and their AhnLab detection names; labels only]
- msiexec1.exe (main): Win-Trojan/Downloader.374651; creates pxdrv.nls (encrypted file) and _S3.tmp ~ _S9.tmp
- _S3.tmp (wmiconf.dll): Win-Trojan/Agent.67072.DL
- _S4.tmp (wpcap.dll), _S5.tmp (packet.dll), _S6.tmp (wanpacket.dll), _S7.tmp (npf.sys), _S8.tmp (npptools.dll)
- _S9.tmp (wmcfg.exe): Win-Trojan/Mydoom.88064
- uregvs.nls: BinImage/Host (attack URL / time / type)
- msiexec9.exe: Win-Trojan/Agent.xxxx
- flash.gif: BinImage/Destroyer
- wversion.exe (1st): Win32/Mydoom.worm.33764; wversion.exe (2nd): Win-Trojan/Destroyer.37264; wversion.exe (dropper): Win-Trojan/Destroyer.40960
- mstimer.dll: Win32/Mydoom.worm.45056.D
- Activities shown: file download from a certain IP address (update target host); DDoS attack!!! (30 threads/sites); SPAM mail sending via a service provider; "If msvcr90.dll exists, download"; disk data damage at 09.07.10 00AM
DDoS Attack Evolution
"Anti-DDoS protection alone cannot defeat DDoS attack attempts."
Recent DDoS Attack Highlights Criticality of Client Security
A new form of compound attack
• The compound attack, unlike the conventional type of attack, frustrates a simple anti-DDoS protection arrangement
Intelligent attack
• A scheduler built into the malicious code renders defense ineffective unless the malicious code is fully analyzed
• DDoS attack traffic is no longer distinguishable from normal traffic
• DDoS code waits in complete ambush even after infection before launching the attack all at once
Damages HW in addition to turning the PC into a Zombie
• Defense is not possible unless the malicious code designed to damage HW is fixed or prevented from being downloaded in advance
Early action intended to keep PCs from being turned into Zombies in advance is essential
DDoS Monitoring System
[Figure: system overview; labels only]
① Detect abnormal network traffic from a specific file
② Monitor identical events (risk information collector)
③ Analyze in real time at the DDoS Monitoring Center
• Analyze program information
• Analyze reputation system
• Analyze file activity trend
• Analyze behavior-based activity
• Analyze inter-file relation
• Analyze malicious code distribution path
④ Apply analysis results in real time
• Prevent propagation of Zombie PCs
• Authorities / ISPs: early DDoS propagation warning
• Businesses: preemptive DDoS defense
DDoS Monitoring System Capabilities
Detect malicious codes
- Analyze program information
- Analyze reputation system
- Analyze file activity trend
- Analyze behavior-based activity
- Analyze inter-file relation
Statistics-based processing
- If network traffic exceeds the predefined DDoS threshold but it cannot be determined whether a file contains malicious code, statistics-based processing is utilized (e.g., network traffic generated by multiple clients for the same destination exceeds a predefined threshold)
- Analyze traffic statistics including the entity causing the network traffic, the destination and the traffic volume
File path tracking
- Trace the file distribution path
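As an added example (not AhnLab's code), the statistics-based processing and file path tracking described above applied to constructed endpoint telemetry: a reputation lookup settles known files, and an unknown file is flagged only when many clients running that same file send traffic to the same destination. The thresholds, hashes, origins and addresses are assumptions.

```python
# Added example (not AhnLab's code): correlate per-client traffic reports by
# (file, destination). Each record is one client's report of a process
# sending traffic: (client, file_hash, download_origin, destination, kbps).
from collections import defaultdict

TELEMETRY = [
    # 12 clients running the same unknown binary, each sending a little
    # traffic to one destination (the slides report < 50 Kbps per PC).
    *[(f"pc{i:02d}", "h-unknown-1", "http://storage.example/update.exe",
       "203.0.113.5", 20) for i in range(12)],
    # the same binary on one client talking to its update host
    ("pc03", "h-unknown-1", "http://storage.example/update.exe", "203.0.113.9", 2),
    # a known-good browser on many clients talking to a portal: must not fire
    *[(f"pc{i:02d}", "h-browser", "vendor", "198.51.100.20", 5) for i in range(12)],
    # a known-bad file on a single client: flagged by reputation alone
    ("pc40", "h-bad-1", "http://dl.example.net/x.exe", "203.0.113.5", 1),
]
REPUTATION = {"h-browser": "good", "h-bad-1": "bad"}   # constructed verdicts


def classify(telemetry, reputation, min_clients=10, min_total_kbps=100):
    """Return {(file_hash, destination): reason} for traffic worth blocking."""
    clients = defaultdict(set)
    kbps = defaultdict(int)
    for client, fh, _origin, dst, rate in telemetry:
        clients[(fh, dst)].add(client)
        kbps[(fh, dst)] += rate
    verdicts = {}
    for key, cs in clients.items():
        rep = reputation.get(key[0])
        if rep == "good":
            continue                       # trusted file: no statistics needed
        if rep == "bad":
            verdicts[key] = "reputation"   # known malicious
        elif len(cs) >= min_clients and kbps[key] >= min_total_kbps:
            verdicts[key] = "statistics"   # unknown file, many clients, same dst
    return verdicts


def distribution_path(telemetry, file_hash):
    """File path tracking: the origins from which clients obtained this file."""
    return sorted({o for _c, fh, o, _d, _r in telemetry if fh == file_hash})
```

The per-file aggregate is what makes the low per-PC rate visible; the origin list is what lets an ISP or the storage operator cut the distribution path rather than chase individual zombies.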
DDoS Monitoring System Advantages
Respond to unknown malicious codes
- Employ a variety of diagnostic technologies
- Enable real-time response prior to the vaccine engine update
Reduce diagnostic error rate
- Reduce the diagnostic error rate by determining the existence of malicious code in reference to the AhnLab Smart Defense Database
- Reduce the error rate by analyzing on the basis of behavior & statistics
Real-time update
- Update information on new malicious code in real time to keep Zombie PCs from multiplying