Collateral DDoS
Ido Leibovich, ADC
© 2015 Imperva, Inc. All rights reserved.

About Imperva
- Founded in November 2002 by Shlomo Kramer, Amichai Shulman and Mickey Boodaei
- ~700 employees; R&D center in Tel Aviv
- SecureSphere protects web applications, databases, file access and cloud applications
- Went public in 2011

Outline
- BitTorrent Introduction
- BitTorrent DDoS
- Collateral DDoS
- For Conspiracy Lovers
- Conclusions

1. Introduction: The BitTorrent Protocol

The BitTorrent Protocol
- Wikipedia: “BitTorrent is a protocol for the practice of peer-to-peer file sharing that is used to distribute large amounts of data over the Internet”
- Allows simultaneous download from multiple peers
- Orchestrated by a central ‘tracker’ server
  – Every download requires tracker communication (over HTTP)
  – Holds the peer-source information for the file
- Based on ‘.torrent’ files
  – Contain the data file names and the tracker servers
  – Available on popular web sites on the internet
  – Anyone can create/edit and upload a file

The BitTorrent Protocol – Content Discovery
(Diagram: the user obtains a torrent file from a web site on the WWW.)

The BitTorrent Protocol – Content Delivery
(Diagram: the BitTorrent software reads the torrent file, contacts the tracker server, and downloads from the peers the tracker returns.)

2. BitTorrent DDoS

BitTorrent DDoS
- Target: the so-called ‘tracker’ servers
- Vulnerability: torrent files are open content that anyone can create or edit
- Very effective distribution

Attack method
- Create a popular torrent
- Add the targeted server as a ‘tracker’
- Every user downloading the file will address the target server
- Requests to servers are continuous, with a default interval

BitTorrent File
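The two slides above say that a .torrent file carries the tracker servers and that anyone can create or edit one. The following is an added example, not code from the presentation or from Imperva: it decodes the bencode format .torrent files actually use (BEP 3) and lists the trackers a file names, so an operator who sees tracker-style requests can check whether a given torrent points at one of their own hosts. The bencode encoder/decoder is written for this example; the sample torrent, its file name and its tracker host names are constructed placeholders.

```python
"""Read the tracker URLs a .torrent file points at.

Added example, not part of the Imperva presentation. Bencode is the real
encoding of .torrent files (BEP 3); the encoder and decoder here are written
for this example, and the sample torrent, its file name and its tracker
hostnames are constructed placeholders.
"""
import hashlib
from urllib.parse import urlsplit


def bencode(obj) -> bytes:
    """Encode int / bytes / str / list / dict as bencode (dict keys sorted, as the format requires)."""
    if isinstance(obj, bool):
        raise TypeError("bool is not a bencode type")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = sorted((k.encode() if isinstance(k, str) else k, v) for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")


def bdecode(data: bytes):
    """Decode one bencoded value; raises ValueError on malformed, truncated or trailing input."""
    def parse(i: int):
        c = data[i:i + 1]
        if c == b"i":                       # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                       # list: l<items>e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":                       # dict: d<key><value>...e, keys are byte strings
            d, i = {}, i + 1
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                if not isinstance(key, bytes):
                    raise ValueError("dict key must be a byte string")
                d[key], i = parse(i)
            return d, i + 1
        if c.isdigit():                     # byte string: <length>:<bytes>
            colon = data.index(b":", i)
            length, start = int(data[i:colon]), colon + 1
            if start + length > len(data):
                raise ValueError("string runs past end of input")
            return data[start:start + length], start + length
        raise ValueError(f"invalid bencode at offset {i}")

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def tracker_urls(torrent: bytes) -> list:
    """Every tracker URL the metadata names: 'announce' first, then each tier of 'announce-list', deduplicated in order."""
    meta = bdecode(torrent)
    urls = []
    if b"announce" in meta:
        urls.append(meta[b"announce"].decode())
    for tier in meta.get(b"announce-list", []):
        urls.extend(u.decode() for u in tier)
    seen = set()
    return [u for u in urls if not (u in seen or seen.add(u))]


def info_hash(torrent: bytes) -> str:
    """Hex SHA-1 of the bencoded 'info' dict. Clients send this value as info_hash in every
    announce request, so it ties a torrent to the requests in an access log. Re-encoding the
    decoded dict equals the on-disk bytes when the file is canonically bencoded."""
    return hashlib.sha1(bencode(bdecode(torrent)[b"info"])).hexdigest()


def trackers_naming(torrent: bytes, my_hosts) -> list:
    """Tracker URLs whose host is one of ours: a torrent naming your web server as a tracker
    is what the deck's 'add the targeted server as a tracker' step produces."""
    mine = {h.lower() for h in my_hosts}
    return [u for u in tracker_urls(torrent) if (urlsplit(u).hostname or "").lower() in mine]


# Constructed sample torrent: the hostnames are placeholders, not real trackers.
SAMPLE_TORRENT = bencode({
    "announce": "http://tracker.example.net/announce",
    "announce-list": [["http://tracker.example.net/announce"],
                      ["http://www.innocent.example/announce.php"]],
    "info": {"name": "sample.bin", "length": 16384, "piece length": 16384,
             "pieces": b"\x00" * 20},
})

if __name__ == "__main__":
    print("trackers:", tracker_urls(SAMPLE_TORRENT))
    print("naming us:", trackers_naming(SAMPLE_TORRENT, {"www.innocent.example"}))
    print("info_hash:", info_hash(SAMPLE_TORRENT))
```

Run the block directly to see the sample output; with a real file, pass `open(path, "rb").read()` to `tracker_urls` or `trackers_naming`. Note that `announce-list` tiers are lists of lists, which is why the inner loop flattens them.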

Triggering the Research
- We use an attack data monitoring system
- We perform regular scans for anomalies
- Major abnormal activity to one of our customers

The Traffic Attributes
- Unusually high number of requests
- User-Agent: mostly ‘BitTorrent’
- URL: announce/announce.php
- IP: many different source IPs, most from China
- Host header: mostly variations of the Pirate Bay

The Attack

An Example Day
- Total number of requests that day: ~130, % with an HTTP host header of the Pirate Bay
- Almost 10% were with an ‘appspot’ host
- 95% of the requests had ‘BitTorrent’ as their user agent; the other 5% also had different torrent UAs
- Very distributed (9000 source IPs)
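The traffic attributes and the example-day figures above are exactly what an operator can compute from ordinary access logs. The following is an added example, not code from the presentation or from Imperva: it parses log lines in a combined-log style extended with the Host header, flags requests that look like tracker announces for a site this server does not host (torrent-style User-Agent, an announce URL, a foreign Host header), and summarises them the way the deck does (volume, Host header spread, User-Agent share, source-IP spread, plus the info_hash spread). The log lines, IP addresses and host names are constructed for the example; the served-host set is a placeholder.

```python
"""Spot collateral BitTorrent tracker traffic in web-server access logs.

Added example, not part of the Imperva presentation. The log lines and
host names below are constructed; SERVED_HOSTS is a placeholder for the
names your server actually answers for.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Hosts this web server legitimately serves (constructed placeholder).
SERVED_HOSTS = {"www.innocent.example"}

# Constructed sample log, combined-log style with the Host header appended:
# ip - - [time] "METHOD target HTTP/x" status bytes "host" "user-agent"
SAMPLE_LOG = """\
203.0.113.10 - - [03/Feb/2015:10:00:01 +0000] "GET /announce?info_hash=%01%02%03%04%05%06%07%08%09%0A%0B%0C%0D%0E%0F%10%11%12%13%14&peer_id=-XX0001-abcdefghijkl&port=6881&uploaded=0&downloaded=0&left=734003200&event=started HTTP/1.1" 404 162 "tracker.piratebay.example" "BitTorrent/7.9.2"
203.0.113.11 - - [03/Feb/2015:10:00:02 +0000] "GET /announce.php?info_hash=%01%02%03%04%05%06%07%08%09%0A%0B%0C%0D%0E%0F%10%11%12%13%14&peer_id=-XX0002-abcdefghijkl&port=51413&uploaded=0&downloaded=0&left=734003200 HTTP/1.1" 404 162 "open.piratebay.example" "BitTorrent/7.9.2"
198.51.100.7 - - [03/Feb/2015:10:00:02 +0000] "GET /announce?info_hash=%AA%AA%AA%AA%AA%AA%AA%AA%AA%AA%AA%AA%AA%AA%AA%AA%AA%AA%AA%AA&peer_id=-XX0003-abcdefghijkl&port=6881&uploaded=0&downloaded=0&left=1 HTTP/1.1" 404 162 "tracker.appspot.example" "Transmission/2.84"
203.0.113.12 - - [03/Feb/2015:10:00:03 +0000] "GET /announce?info_hash=%01%02%03%04%05%06%07%08%09%0A%0B%0C%0D%0E%0F%10%11%12%13%14&peer_id=-XX0004-abcdefghijkl&port=6881&uploaded=0&downloaded=0&left=734003200 HTTP/1.1" 404 162 "tracker.piratebay.example" "BitTorrent/7.9.2"
192.0.2.5 - - [03/Feb/2015:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 5120 "www.innocent.example" "Mozilla/5.0 (X11; Linux x86_64)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<host>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User-Agent families of common BitTorrent clients; extend as your logs require.
TORRENT_UA = re.compile(r"torrent|transmission|deluge|vuze", re.I)
ANNOUNCE_PATH = re.compile(r"/announce(\.php)?$")


def parse_line(line: str):
    """One log line -> dict of fields, or None when the line does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_collateral_announce(entry: dict, served_hosts=SERVED_HOSTS) -> bool:
    """True when the request looks like a tracker announce for a site we do not host."""
    if not ANNOUNCE_PATH.search(urlsplit(entry["target"]).path):
        return False
    if not TORRENT_UA.search(entry["ua"]):
        return False
    return entry["host"].lower() not in served_hosts


def summarize(log_text: str, served_hosts=SERVED_HOSTS) -> dict:
    """Aggregate the collateral announces: volume, Host/UA/source-IP spread and info_hash spread."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    collateral = [e for e in entries if is_collateral_announce(e, served_hosts)]
    hashes = Counter()
    for e in collateral:
        # info_hash is 20 raw bytes, percent-encoded; latin-1 keeps them byte-for-byte.
        raw = parse_qs(urlsplit(e["target"]).query, encoding="latin-1").get("info_hash", [""])[0]
        hashes[raw.encode("latin-1").hex()] += 1
    return {
        "total": len(entries),
        "collateral": len(collateral),
        "collateral_share": round(len(collateral) / len(entries), 3) if entries else 0.0,
        "hosts": Counter(e["host"] for e in collateral),
        "user_agents": Counter(e["ua"].split("/")[0] for e in collateral),
        "source_ips": len({e["ip"] for e in collateral}),
        "info_hashes": hashes,
    }


def announce_failure_body(reason: str) -> bytes:
    """Bencoded tracker reply carrying only a 'failure reason' (BEP 3), the protocol's own way to
    tell a client its announce failed. Whether a given client stops retrying on it is up to that
    client; the deck reports that a plain 404 did not stop the requester."""
    r = reason.encode()
    return b"d14:failure reason%d:%se" % (len(r), r)


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, four of the five requests are flagged, spread over three Host headers, two User-Agent families and four source IPs, with three announces sharing one info_hash; the same counters over a real day's log give the distribution the deck charts. Feed `summarize` a file's contents and adjust `SERVED_HOSTS` and `TORRENT_UA` to your environment.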

Host Header Distribution

Why does a standard web server receive that many BitTorrent requests intended for a whole other host?

3. Collateral DDoS: The Great Firewall of China

The Great Firewall of China
- The cyber nickname for the Chinese government’s censorship program
- The program censors many western web applications
  – Facebook, Twitter etc.
  – And also: Pirate Bay, Appspot
- Blocking method:
  – DNS filtering and redirection
  – Specifically: returning random IP addresses for blocked hosts
- Result: innocent web servers experiencing unexplained traffic from random Chinese clients

The Chinese BitTorrent DDoS Scenario
(Diagram: a client asks its DNS server for BlockedHost.com; the Great Firewall of China answers with a random IP, here that of Innocent.com.)

The Chinese BitTorrent DDoS Scenario
(Diagram: BitTorrent clients that meant to reach BlockedHost.com connect to Innocent.com instead.)

Pirate Bay
Not so much:

Collateral DDoS
The new Chinese policy, meant to block unwanted hosts, caused a very effective DDoS attack on innocent web applications

4. For Conspiracy Lovers: Really Collateral?

For Conspiracy Lovers
- But wait! The Pirate Bay stopped tracking torrents in 2009 (!)
- Why is it still so popular?
- The conspiracy theory: this is a Russian attack, originating in China, covered up as a BitTorrent DDoS attack

Why Would You Say That?
- A web admin testifying that once he blocked Russia the attack stopped
- He also claims that returning a 404 response did not stop the requester
- Suspicious User-Agent distribution and value (95% ‘BitTorrent’)
- Pirate Bay is long dead as a tracker
- Protocol discrepancies
- The attack target is a food conglomerate, prone to DDoS attacks

Conclusions
- Server admins don’t care about the attack origins (BitTorrent DDoS, Chinese firewall or Russian attack): they are experiencing an aggressive DDoS attack
- DDoS issues, unlike traditional web server vulnerabilities, cannot be prevented by smart coding and configuration
- The solution must be external!
- In this case: the WAF product identified the attack for several reasons and prevented the damage
- Web server admins/developers didn’t need to do anything!