DDoS Attacks & Defenses - KAIST (caislab.kaist.ac.kr/lecture/2010/fall/cs748/2010-02-DDoS...)

2010-11-16

Page 1

DDoS Attacks & Defenses

DDoS (1/2)

• Distributed Denial of Service (DDoS) attacks form a significant security threat

• making networked systems unavailable

• by flooding them with useless traffic

• using large numbers of "zombies"

• growing sophistication of attacks

• defense technologies struggling to cope

Page 2

DDoS (2/2)

http://caislab.kaist.ac.kr/77ddos/Program.html

Page 3

Introduction

I. Overview of July 7th DDoS Attack

A DDoS attack against Korea and US government and business web sites caused system failure and connection delay.

Attack Overview

Target: Korea and US government and business sites (banks, e-commerce and portals)

Motivation: political propaganda, social disorder (still unknown and under LE investigation)

Mechanism: propagate malware through an online storage site; embed the predefined target list and schedule in the malware

Compare: a typical IRC botnet keeps a real-time connection with C&C servers

Page 4

I. Overview of July 7th DDoS Attack (time zone: GMT+9, KST)

Botnet size: over 150,000 zombies

Timeline:
- 6th ~ 7th July: the attacker replaces the online storage service's download S/W with malware; PCs that download it are infected with the malicious code and its target list (the zombie army)
- 7th July 18:00: 1st attack phase, 26 targets
- 8th July: target list updated via intermediary hosts; intermediary host IPs blocked
- 8th July 18:00: 2nd attack phase, 16 targets
- 9th July 18:00: 3rd attack phase, 7 targets
- 7th ~ 10th July: DDoS attack traffic
- 10th July 00:00 ~: self-destruction code runs, HDD destruction

II. Details of July 7th DDoS Attack

Components: online storage (hosting the initial infection code), intermediary hosts (DDoS attack code + target list, additional codes), zombie PCs, attack targets.

Flow: the initial infection code is downloaded from the online storage -> infection -> the DDoS attack code (+ target list) is created on the zombie PC -> code update from the intermediary hosts (flash.gif request, flash.gif download, wversion.exe update) -> DDoS attack against the targets -> self-destruction of the malicious code and HDD destruction.

Page 5

II. Details of July 7th DDoS Attack: recruiting zombies and updating malware

Parties: the attacker (slide label 해커, "hacker"), the online storage service, its distribution server, and PC users.

Normal operation: a PC user enlists in the service and installs the dedicated download S/W (normal).

Attack: the attacker uploads malicious code to the online storage service, replacing the dedicated S/W. PC users who install the tampered dedicated S/W are infected with malicious code (perfvwr.dll, wversion.exe, etc.). The dedicated S/W was later recovered (normal).

Malware updates through the distribution server: target list update (uregvs.nls); code update delivering the HDD destruction code as flash.gif (wversion.exe).

Update manifest of the dedicated S/W, as shown on the slide:

<NAME>XXXX UPDATE</NAME><VERSION>1.0.0.1</VERSION><URL>http://update.xxxx.co.kr/mmsv/DUpdate.exe</URL>
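The manifest above is all the dedicated download S/W had to go on, and the slides that follow state that every PC with that software was infected through its update procedure. The check below is an added example (not code from the KAIST slides, from AhnLab, or from the abused storage service) of what a client should demand before running what a manifest points to: the manifest must authenticate, the version must move forward, the URL must be HTTPS on a pinned host, and the payload must hash to what the authenticated manifest says. The <SHA256> and <MAC> tags, the pinned host (taken from the slide's masked URL) and the embedded key are assumptions; the keyed MAC stands in for the vendor code signature a production client would verify, since a symmetric key shipped inside a client can be extracted.

```python
"""Stricter update-manifest check (added example; assumptions noted inline)."""
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Layout from the slide: <NAME>..</NAME><VERSION>..</VERSION><URL>..</URL>.
# <SHA256> and <MAC> are hypothetical additions made by this example.
_TAG = re.compile(r"<(NAME|VERSION|URL|SHA256)>(.*?)</\1>", re.S)
_MAC = re.compile(r"<MAC>([0-9a-f]{64})</MAC>\s*$")

TRUSTED_HOST = "update.xxxx.co.kr"   # host from the slide's URL, assumed pinned in the client
MANIFEST_KEY = b"constructed-demo-key-not-a-real-secret"  # assumption: stands in for a signing key


def make_manifest(name, version, url, payload, key=MANIFEST_KEY):
    """Server side: manifest body plus a MAC over exactly that body."""
    body = "<NAME>%s</NAME><VERSION>%s</VERSION><URL>%s</URL><SHA256>%s</SHA256>" % (
        name, version, url, hashlib.sha256(payload).hexdigest())
    return body + "<MAC>%s</MAC>" % hmac.new(key, body.encode(), "sha256").hexdigest()


def parse_manifest(text):
    """Return {tag: value} for the tags we know; anything else is ignored."""
    return {k: v.strip() for k, v in _TAG.findall(text)}


def version_tuple(v):
    """'1.0.0.1' -> (1, 0, 0, 1); rejects junk such as '1.0.0.l'."""
    parts = v.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("bad version %r" % v)
    return tuple(int(p) for p in parts)


def check_update(manifest, payload, installed_version, key=MANIFEST_KEY):
    """Return (ok, reason) for a fetched payload described by `manifest`.
    Order matters: authenticate the manifest before believing any field in it."""
    m = _MAC.search(manifest)
    if not m:
        return False, "manifest has no <MAC>"
    body = manifest[:m.start()]
    want = hmac.new(key, body.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(want, m.group(1)):
        return False, "manifest MAC mismatch"
    fields = parse_manifest(body)
    for tag in ("NAME", "VERSION", "URL", "SHA256"):
        if tag not in fields:
            return False, "manifest missing <%s>" % tag
    try:
        if version_tuple(fields["VERSION"]) <= version_tuple(installed_version):
            return False, "not an upgrade (downgrade or replay)"
    except ValueError as exc:
        return False, str(exc)
    u = urlparse(fields["URL"])
    if u.scheme != "https" or u.hostname != TRUSTED_HOST:
        return False, "URL is not https on the pinned host: %s" % fields["URL"]
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(),
                               fields["SHA256"].lower()):
        return False, "payload hash does not match manifest"
    return True, "ok"
```

With these checks a replaced DUpdate.exe fails on the hash, a manifest edited on a compromised distribution server fails on the MAC, and a re-served old manifest fails on the version; only the pinning of the host and the key inside the client are things an attacker who fully controls the vendor could still defeat, which is why the real fix is a signature with a key the distribution server never holds.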

II. Details of July 7th DDoS Attack: files dropped on the zombie PC

Dupdate3.exe (fetched from the online storage) -> C:\WINDOWS\system32\ntdll.exe (DDoS code)

The DDoS code (ntdll.exe) drops:
-> c:\WINDOWS\system32\wmiconf.dll
-> c:\WINDOWS\system32\pxdrv.nls
-> c:\WINDOWS\LastGood\system32\npptools.dll
-> c:\WINDOWS\system32\Packet.dll
-> c:\WINDOWS\system32\WanPacket.dll
-> c:\WINDOWS\system32\wpcap.dll
-> c:\WINDOWS\system32\dllcache\npptools.dll
-> c:\WINDOWS\system32\drivers\npf.sys
(Packet.dll, WanPacket.dll, wpcap.dll and npf.sys are the WinPcap component names, i.e. a raw packet capture and injection stack bundled with the bot.)

Additional code dropper:
-> c:\WINDOWS\system32\wmcfg.exe (code dropper)
-> c:\WINDOWS\system32\wversion.exe (code update: HDD destruction)
-> c:\WINDOWS\system32\mstimer.dll

Page 6

II. Details of July 7th DDoS Attack

• HDDs in certain zombie PCs destroyed
  – Destroys all kinds of document files and program source files (overwrite and encryption)
  – Overwrites the MBR of fixed disks with a specific value; the dump shown on the slide:

008F1850  4D 65 6D 6F 72 79 20 6F 66 20 74 68 65 20 49 6E  Memory of the In
008F1860  64 65 70 65 6E 64 65 6E 63 65 20 44 61 79 00 00  dependence Day..
008F1870  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
008F1880  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
008F1890  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
008F18A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
008F18B0  00 00 00 00 55 55 55 55 55 55 55 55 55 55 55 55  ....UUUUUUUUUUUU
008F18C0  55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
008F18D0  55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
008F18E0  55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
008F18F0  55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
008F1900  55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
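A forensic check for the MBR damage described above, added here as an example (not code from the slides or from AhnLab): read sector 0 of an image and decide whether it is still a plausible MBR, whether it carries the marker string from the dump, or whether it has been overwritten with a constant fill. The wiper sector is constructed from the dump's pattern (marker at offset 0, NUL padding to offset 0x64, 0x55 fill to the end of the sector); the page does not state the exact on-disk layout, so that layout and the 90% fill threshold are assumptions.

```python
"""Sector-0 triage for the MBR wiper pattern (added example; layout assumed)."""
import struct
from collections import Counter

SECTOR = 512
MARKER = b"Memory of the Independence Day"   # string visible in the slide's dump
FILL = 0x55                                   # the 'U' fill visible in the dump


def build_wiper_sector():
    """Constructed reproduction of the dump's pattern as one 512-byte sector."""
    buf = bytearray([FILL]) * SECTOR
    head = MARKER + b"\x00" * (0x64 - len(MARKER))   # marker, then NULs up to 0x64
    buf[:len(head)] = head
    return bytes(buf)


def build_healthy_mbr():
    """Constructed MBR: varied boot code, one bootable NTFS partition, 55 AA."""
    boot_code = bytes((i * 7 + 3) & 0xFF for i in range(446))
    # status 0x80 (bootable), CHS start (3 bytes), type 0x07 (NTFS), CHS end, LBA start, sector count
    entry0 = struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 204800)
    return boot_code + entry0 + b"\x00" * 48 + b"\x55\xaa"


def partition_entries(sec):
    """Parse the four 16-byte MBR partition entries at offset 446; skip empty ones."""
    out = []
    for i in range(4):
        e = sec[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype = e[0], e[4]
        lba, count = struct.unpack_from("<II", e, 8)
        if ptype == 0 and lba == 0 and count == 0:
            continue
        out.append({"index": i, "status_ok": status in (0x00, 0x80),
                    "bootable": status == 0x80, "type": ptype,
                    "lba": lba, "sectors": count})
    return out


def classify_sector(sec):
    """Return a short verdict for one sector image."""
    if len(sec) != SECTOR:
        raise ValueError("expected one %d-byte sector" % SECTOR)
    if MARKER in sec:
        return "wiped:independence-day-marker"
    parts = partition_entries(sec)
    if sec[510:] == b"\x55\xaa" and parts and all(p["status_ok"] for p in parts):
        return "mbr:ok"
    value, n = Counter(sec).most_common(1)[0]
    if n >= SECTOR * 9 // 10:           # assumption: >=90% one byte value means a fill
        return "wiped:constant-fill-0x%02x" % value
    return "unknown"
```

Run it over sector 0 of every disk image collected from an affected PC; the marker test is the specific indicator for this malware, while the constant-fill test also catches a variant that changed the string but kept the overwrite.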

IV. Characteristics of July 7th Attack

• Difficulties to respond
  – Small amount of attack traffic generated per zombie: less than 50 Kbps of network traffic per PC observed
  – Various attack methods
    • Small amount of UDP/ICMP flooding (about 4% of total attack traffic)
    • Small amount of HTTP requests (only 1 ~ 25 Kbps of traffic measured)
    • HTTP GET flooding with varying agent information in the HTTP request header, which made filtering at the victim sites difficult

Page 7

IV. Characteristics of July 7th Attack

• Exploits online storage service S/W
  – Replaces the download S/W with malware
  – PCs became zombies regardless of the security patches installed
• A suspicious situation had been monitored, but the abused host could not be analyzed
• All PCs with the file download software installed were infected by malware through the software update procedure

DDoS Monitoring System using Cloud AV

2009.09.30

AhnLab, Inc.

SiHaeng Cho, Director of R&D Center

Page 8

Malicious Code Evolution

~1995 (LAN): file viruses, boot viruses; slow infection; motive: curiosity, self-display

1996 ~ 2000 (Internet): macro viruses, script viruses; quick infection; motive: curiosity, self-display

2001 ~ 2005 (Internet): worms, spyware, spam, phishing; zero-day attacks; motive: financial

2006 ~ (WEB, P2P, USB, multimedia services): trojans, social engineering techniques, phishing, botnets, rootkits; financial motives / organized; targeted attacks; quick & easy to produce variations; complicated & sophisticated; diversifying distribution methods

Overall trend: aggravating into crime

7.7 DDoS Attack Flow (AhnLab detection names in parentheses)

msiexec1.exe, the main component (Win-Trojan/Downloader.374651), fetched from a certain IP address, creates:
  pxdrv.nls (encrypted file)
  _S3.tmp -> wmiconf.dll (Win-Trojan/Agent.67072.DL)
  _S4.tmp -> wpcap.dll
  _S5.tmp -> packet.dll
  _S6.tmp -> wanpacket.dll
  _S7.tmp -> npf.sys
  _S8.tmp -> npptools.dll
  _S9.tmp -> wmcfg.exe (Win-Trojan/Mydoom.88064)
  uregvs.nls (BinImage/Host): attack URL / time / type -> DDoS attack!!! (30 threads per site)

msiexec9.exe (Win-Trojan/Agent.xxxx): file download from the service provider to update the target host; if msvcr90.dll exists, download
  flash.gif (BinImage/Destroyer) -> wversion.exe (2nd; Win-Trojan/Destroyer.37264)

Mydoom components: wversion.exe (1st; Win32/Mydoom.worm.33764), mstimer.dll (Win32/Mydoom.worm.45056.D) -> SPAM mail sending

wversion.exe (dropper; Win-Trojan/Destroyer.40960) -> BinImage/Destroyer -> disk data damage, 09.07.10 00 AM

Page 9

DDoS Attack Evolution

Recent DDoS attack highlights the criticality of client security

"Anti-DDoS protection alone cannot defeat DDoS attack attempts."

A new form of compound attack
• Compound attack, unlike the conventional type of attack, frustrates a simple anti-DDoS protection arrangement

Intelligent attack
• A scheduler built into the malicious code renders defense ineffective unless the malicious code is fully analyzed
• DDoS attack traffic is no longer distinguishable from normal traffic
• DDoS code waits in complete ambush even after infection before launching the attack all at once

Damage to HW in addition to turning the PC into a zombie
• Defense is not possible unless malicious code designed to damage HW is fixed or prevented from being downloaded in advance
• Early action to keep the PC from being turned into a zombie in advance is essential

Page 10

DDoS Monitoring System

① Detect abnormal network traffic from a specific file (risk information collector on the client)
② Monitor identical events across clients
③ Analyze in real time at the DDoS Monitoring Center:
  • Analyze program information
  • Analyze reputation system
  • Analyze file activity trend
  • Analyze behavior-based activity
  • Analyze inter-file relation
  • Analyze malicious code distribution path
④ Apply analysis results in real time:
  • Prevent propagation of zombie PCs
  • Authorities / ISPs: early DDoS propagation warning
  • Businesses: preemptive DDoS defense

DDoS Monitoring System Capabilities

Detect malicious codes
- Analyze program information
- Analyze reputation system
- Analyze file activity trend
- Analyze behavior-based activity
- Analyze inter-file relation

Statistics-based processing
- If network traffic exceeds the predefined DDoS threshold but whether a file contains malicious code cannot be determined, statistics-based processing is used (e.g., network traffic generated by multiple clients to the same destination exceeds the predefined threshold)
- Analyze traffic statistics including the entity causing the network traffic, the destination and the traffic volume

File path tracking
- Trace the file distribution path
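The statistics rule above is what makes the July 7th traffic profile (section IV: under 50 Kbps per PC, HTTP GETs with rotating agent headers) detectable at all: no single zombie trips a per-PC threshold and no User-Agent string is worth filtering on, but the same file on many clients talking to the same destination is visible as soon as the per-client reports are aggregated. The code below is an added example (not AhnLab's or the lecture's code) of that aggregation run over constructed client telemetry; the thresholds, the target host, the User-Agent strings and the telemetry itself are all constructed, and the file names only reuse names that appear on the slides.

```python
"""Aggregate per-client traffic reports by (file, destination) (added example)."""
from collections import defaultdict

PER_HOST_KBPS = 50.0    # naive per-PC threshold; the slides note zombies stayed under 50 Kbps
MIN_CLIENTS = 20        # assumption: distinct clients needed before the aggregate rule fires
AGG_KBPS = 300.0        # assumption: aggregate Kbps toward one destination

UAS = [  # constructed User-Agent strings; the attack rotated agent headers per request
    "Mozilla/4.0 (compatible; MSIE 6.0)", "Mozilla/4.0 (compatible; MSIE 7.0)",
    "Mozilla/5.0 (Windows NT 5.1)", "Opera/9.64",
]
TARGET = "www.example.go.kr:80"   # constructed destination

# Constructed telemetry, one record per (client, process) per minute:
# 40 zombies each sending 10..24 Kbps of GETs from wversion.exe, five ordinary
# browsers on the same site, and one client bulk-downloading from elsewhere.
EVENTS = (
    [{"client": "pc-%03d" % i, "file": "wversion.exe", "dst": TARGET,
      "kbps": 10 + (i % 15), "ua": UAS[i % len(UAS)]} for i in range(40)]
    + [{"client": "pc-%03d" % i, "file": "iexplore.exe", "dst": TARGET,
        "kbps": 30, "ua": UAS[0]} for i in range(100, 105)]
    + [{"client": "pc-bulk", "file": "iexplore.exe", "dst": "files.example.net:80",
        "kbps": 120, "ua": UAS[2]}]
)


def per_host_alerts(events, limit=PER_HOST_KBPS):
    """What a per-PC threshold catches: the bulk downloader, and not one zombie."""
    return sorted({e["client"] for e in events if e["kbps"] > limit})


def aggregate(events):
    """Roll records up by (file, destination): who sends, how much, which UAs."""
    agg = defaultdict(lambda: {"clients": set(), "kbps": 0.0, "uas": set()})
    for e in events:
        s = agg[(e["file"], e["dst"])]
        s["clients"].add(e["client"])
        s["kbps"] += e["kbps"]
        s["uas"].add(e["ua"])
    return agg


def ddos_candidates(events, min_clients=MIN_CLIENTS, agg_kbps=AGG_KBPS):
    """Flag (file, destination) pairs where many clients together exceed the
    aggregate threshold, whatever User-Agent each request carried."""
    found = []
    for (file_name, dst), s in aggregate(events).items():
        if len(s["clients"]) >= min_clients and s["kbps"] >= agg_kbps:
            found.append({"file": file_name, "dst": dst,
                          "clients": len(s["clients"]),
                          "kbps": round(s["kbps"], 1),
                          "distinct_ua": len(s["uas"])})
    return sorted(found, key=lambda r: -r["kbps"])
```

Keying the aggregate on the originating file rather than on the source IP or the agent header is the point: the same hash on many machines, all pushing traffic at one destination, is the signal the monitoring center can act on (block the file, warn ISPs) before the victim's own traffic threshold is reached. The thresholds need tuning per deployment; set too low, a popular browser on a popular site would trip the rule.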

Page 11

DDoS Monitoring System Advantages

Respond to unknown malicious codes
- Employ a variety of diagnostic technologies
- Enable real-time response prior to the vaccine (antivirus) engine update

Reduce diagnostic error rate
- Reduce the diagnostic error rate by checking for the existence of malicious code against the AhnLab Smart Defense database
- Reduce the error rate by analyzing on the basis of behavior & statistics

Real-time update
- Update information on new malicious code in real time to keep zombie PCs from multiplying
