Transcript: DDoS Attacks - Peeling the Onion on One of the Most Sophisticated Ever Seen (Eldad Chai, VP Product)
Eldad Chai, VP Product
DDoS Attacks -Peeling the Onion on One of the Most Sophisticated Ever Seen
Incapsula – Application Delivery from the Cloud
Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.2
DDoS 101
Diagram: ISP, Network Devices, Web servers, Applications
• Volume Based Attacks
> Method: Include UDP floods, ICMP floods, and other spoofed packet floods.
> Objective: Saturate the bandwidth of the attacked site.
> Magnitude: Typically measured in Bits per second.
• Protocol Attacks:
> Method: Primarily SYN floods, but also fragmented packet attacks.
> Objective: Consume web server resources or intermediate communication equipment, such as firewalls and load balancers.
> Magnitude: These are usually measured in Packets per second.
• Application Layer Attacks
> Method: Unlike protocol attacks, these are made up of legitimate and seemingly innocent requests.
> Objective: Bring the application servers down.
> Magnitude: Requests per second.
Where do we stand today?
Pie chart: share of attacks <10Gbps vs. >=10Gbps
Attack bandwidth is showing exponential growth
Two thirds of attacks exceed 10Gbps
More than 13% exceed 40Gbps
It’s not all bandwidth
More than 25% of attacks exceed 10Mpps
Most IPS/IDS will crash at 5Mpps
Recent campaigns / SaaS applications
How are attackers reaching these numbers?
• Are botnets becoming bigger?
> No, according to www.shadowserver.org
• Are there more open DNS resolvers?
> No, the number is actually declining according to www.openresolverproject.org
• Are there more open NTP servers?
> Probably not, according to www.openntpproject.org
• So what is it then?
• They are using bigger guns
Example of a 4Mpps attack
Less than 30 IPs are generating more than 99% of the traffic
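The "fewer than 30 IPs carry 99% of the traffic" observation is a top-talker calculation over per-source packet counts. The following is an added example, not code from the talk or from Incapsula; the flow records are constructed (RFC 5737 documentation addresses) to mimic the 4Mpps case, and `aggregateBySource` / `topTalkers` are names chosen here.

```javascript
// Added example, not code from the talk: rank source IPs by packet count and
// find how many of them account for a given share of an attack's traffic.
// Constructed flow records: 25 heavy hitters plus 200 low-volume sources.
const sampleFlows = [];
for (let i = 1; i <= 25; i++) {
  // two records per heavy source, so the aggregation step has work to do
  sampleFlows.push({ src: `203.0.113.${i}`, packets: 100000 });
  sampleFlows.push({ src: `203.0.113.${i}`, packets: 60000 });
}
for (let i = 1; i <= 200; i++) {
  sampleFlows.push({ src: `198.51.100.${i}`, packets: 100 });
}

// Sum packets per source and return [src, packets] pairs, largest first.
function aggregateBySource(flows) {
  const totals = new Map();
  for (const { src, packets } of flows) {
    totals.set(src, (totals.get(src) || 0) + packets);
  }
  return [...totals.entries()].sort((a, b) => b[1] - a[1]);
}

// Smallest set of top sources whose cumulative packets reach `share` (0..1)
// of the total, plus the share they actually cover and how many distinct
// sources were seen, so "25 of 225 IPs carry 99.5%" is a single call.
function topTalkers(flows, share) {
  const ranked = aggregateBySource(flows);
  const total = ranked.reduce((sum, [, packets]) => sum + packets, 0);
  const sources = [];
  let covered = 0;
  if (total === 0) {           // no traffic at all: nothing to rank
    return { sources, share: 0, distinctSources: 0, total };
  }
  for (const [src, packets] of ranked) {
    sources.push(src);
    covered += packets;
    if (covered / total >= share) break;
  }
  return { sources, share: covered / total, distinctSources: ranked.length, total };
}

const report = topTalkers(sampleFlows, 0.99);
console.log(`${report.sources.length} of ${report.distinctSources} sources carry ` +
            `${(report.share * 100).toFixed(2)}% of ${report.total} packets`);
```

The same function run at a lower share (say 0.5) shows how steep the concentration curve is, which is what makes aggressive per-IP blacklisting effective against this kind of attack.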
Peeling the Onion on One of the Most Sophisticated Attacks Ever Seen
The players
• Successful SaaS Platform
• Very competitive online trading industry
VS
• Polish hackers
Round 1
Round 1 - Volumetric Attack
• 30Gbps SYN Flood
• Typical of any DDoS attack
> Easy to perform (given the resources)
• No amplification was used
Round 1 – Win, Geo distribution
• Geo Distribution of attack traffic (sharing the load)
• Dedicated networking capabilities to deal with volumetric attacks
• Aggressive blacklisting of offending IP addresses
Round 2
![Page 18: DDoSAttacks - Peeling the Onion on One of the Most ... · Eldad Chai, VP Product DDoSAttacks - Peeling the Onion on One of the Most Sophisticated Ever Seen](https://reader035.fdocuments.net/reader035/viewer/2022062603/5f13218ffbec4b05971e67af/html5/thumbnails/18.jpg)
Round 2 – HTTP Flood
• Layer 7 - 100K Req/Sec
• Targeting “resource intensive” pages
• “The smoke screen”
> This type & level of attack persisted for weeks
Round 2 – Win, spot the bot
• Anti bot technology
• Non intrusive differentiation between legitimate browsers and bots
• Good bots vs. Bad bots
> Google / Bing / Yandex / Baidu = Good
> DDoS agents = Bad
Round 3
Round 3 – Real browsers on call
• Legit traffic?
Round 3 – Win, Pushdo CAPTCHA
We got one! It’s Pushdo
Oh look, it’s calling home
Round 4
Round 4 – Headless Browsers
• Headless browsers leveraging Phantom JS were being used to emulate real users
> Generating 700 Million requests / Day
Round 4 – Win, Phantom JS fingerprinting
• Reverse engineering Phantom JS Kit
• Crafting a signature to identify all bots using the kit
Round 5
Round 5 – CAPTCHA solving Firefox???
• Yes, CAPTCHA solving Firefox!
Round 5 – Win, Javascript injection to the rescue
• Added some JavaScript to the CAPTCHA page template
• The JavaScript logs the user typing the CAPTCHA challenge
• A-Ha! The attackers are not typing the CAPTCHA
Round 5 – Adaptation
• A week later, attackers are typing CAPTCHA
Round 5 – Win, Javascript injection to the rescue
• HEHE! Typing Slow
• Seems it takes them more than a minute to start typing the CAPTCHA
• Added a JS that puts a time limit on the CAPTCHA
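The two CAPTCHA-page scripts described in Round 5 (logging whether the answer is typed, then enforcing a time limit) can be modelled as one small monitor. This is an added example, not Incapsula's script; `createCaptchaMonitor`, `attachCaptchaMonitor` and the element ids are assumptions, and the clock is injected so the decision logic can be exercised outside a browser.

```javascript
// Added example, not Incapsula's code: client-side telemetry for a CAPTCHA
// page. It records keydown timings after the challenge is shown and, on
// submit, classifies the attempt. The server must repeat the decision from
// the attached telemetry, since client-side JavaScript can be skipped.
function createCaptchaMonitor({ timeLimitMs = 60000, now = () => Date.now() } = {}) {
  const shownAt = now();      // challenge rendered
  const keyTimes = [];        // ms after render of each keydown
  return {
    recordKey() { keyTimes.push(now() - shownAt); },
    // "expired": answer arrived after the time limit (the slow typists)
    // "not-typed": an answer is present but no key was ever pressed (scripted fill)
    // "ok": typed within the limit; the server still validates the answer itself
    evaluate(answer) {
      const elapsed = now() - shownAt;
      const telemetry = { elapsed, keys: keyTimes.length,
                          firstKeyMs: keyTimes.length ? keyTimes[0] : null };
      if (elapsed > timeLimitMs) return { verdict: "expired", ...telemetry };
      if (answer.length > 0 && keyTimes.length === 0) {
        return { verdict: "not-typed", ...telemetry };
      }
      return { verdict: "ok", ...telemetry };
    },
  };
}

// Browser wiring; element ids are assumed for this example, not from the talk.
function attachCaptchaMonitor(doc, monitor) {
  const form = doc.getElementById("captcha-form");
  const input = doc.getElementById("captcha-answer");
  const report = doc.getElementById("captcha-report");   // hidden field
  if (!form || !input || !report) return false;
  input.addEventListener("keydown", () => monitor.recordKey());
  form.addEventListener("submit", (ev) => {
    const result = monitor.evaluate(input.value);
    report.value = JSON.stringify(result);   // sent with the answer, re-checked server-side
    if (result.verdict === "expired") {
      ev.preventDefault();                   // client-side time limit from the slides
      input.value = "";
      input.placeholder = "Challenge expired, reload the page for a new one";
    }
  });
  return true;
}

if (typeof document !== "undefined") {
  attachCaptchaMonitor(document, createCaptchaMonitor());
}
```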
Round 5 – Adaptation
• The clients that manage to be quick still cause damage
• Randomizing URLs
Round 5 – How we won
• Tracking DDoS botnets – Same botnet is used to launch the Firefox attacks
• ~200K unique IPs per day
The aftermath
• DDoS can resemble APTs
• Visibility is crucial
• Analyzing different levels of the interaction is crucial
• Reacting fast is crucial