DoS on Competitor Web Site

 Phoenix has a “referral” from “Mr. Dobbs” ◦ Dobbs has threatened his girlfriend in the past ◦ Dobbs sent a “client” to Phoenix with a reminder about his girlfriend  Client ◦ Works for a computer parts company ◦ $9B annual revenues ◦ Asking that a whistleblower organization’s web site ( be down/inaccessible for a single day  Organization intends to splash damaging information on a specific day (day before the earnings statement release)  Client does not wish to have the company’s stock prices fall just prior to the earnings release

 Recon ◦ Shows the site to be amateurish ◦ Google search indicates that HS students were allowed to get experience in designing and putting up the website  Phoenix hopes for poor design, maintenance/security and lower bandwidth

 Find an unprotected wireless network to perform the hack  Use an anonymizer  Make a DDoS attack using Freak88 DDoS tool  Test the DDoS tool in lab  Infect unprotected hosts with the Server.exe Trojan Horse  Take control of the infected hosts and launch the DDoS on the target site

 Download contains ◦ Clienttrinno.exe ◦ Server.exe ◦ Msbvm50.dll  Client controls the boxes which have the Trojan server running on them ◦ Servers will issue to pings ◦ These boxes are referred to as “zombies”  The more zombies in the field attacking the victim, the better for the attacker!

 Shift from phishing attacks to web based attacks ◦ filters are becoming more effective ◦ Web based attacks are more popular now because so much is being put into “business rich” web sites and browsers fail to handle such content  Their primary function is to render web pages  SQL injection  Cross site scripting  Inline frames  CSS  Ping attacks might be filtered ◦ Accomplish the same effect using a web based attack

 Attack #1: Test  Attack #2: The one that worked  Gain access to Pawn Web site  Lab test the hack  Modify the Pawn site

 Phoenix ◦ Sets up a victim machine ◦ Starts up Wireshark filtering ICMP traffic ◦ Fires up a server zombie on a machine ◦ Fires up the client software  Dialog box allows attacker to “stack” the IP’s and ports of the zombie machines  Indicates the IP of the victim  Buttons:  Connect, Disconnect, and “Takemout” ◦ Wireshark confirms ton of ICMP traffic

 Just to be sure… ◦ Phoenix attempts to ping the webpage at  Gets Timed Out results  It turns out that the students have set up a PIX firewall to prevent pings to the web server!

 Inline frames ◦ If small, but many, inline frames can be installed on a web page  Each frame can load the web page from a site  FORCE MULTIPLIER!  If you can constantly refresh each frame… better still

 The trick is now to find a web site with lots of bandwidth and lots of traffic  Social engineer the web design company ◦ Phoenix needs write access to the server  Modify the home page ◦ Add inline frames calling the target’s homepage  If 10 frames are added, every time a user brings up the unknowing accomplice’s page, 10 HTML “get” requests are issued against the victime  If you “refresh” the inline request every 5 seconds…

 Phoenix poses as a potential client ◦ Speaks with developers and requests a demonstration ◦ Representative shows Phoenix how quickly a page can be added  In doing so, the rep refers to a 3-ring binder for the information on sites (credentials, etc)  Phoenix notes the location of the binder  Phoenix bribes the cleaner to photocopy the contents of the 3-ring binder

<iframe src= width = 0 height=0> ◦ Refreshing every 5 seconds  Add a meta tag to the web page

 Phoenix downloads the Pawn’s web page ◦ Inserts the inline frames and the meta tag ◦ FTP’s the altered page to the Pawn’s server

 DDoS against the victim  How long? ◦ Depends…  If traffic is examined, requests for the page are coming from all over  If IP is changed, the requests are made for URL and not IP… no effect! ◦ Someone would have to examine the pawn’s HTML within their page to spot the inline frames  If reported to the pawn site, they might not notify the target that they were the unwitting accomplice  Once the pawn replaces the modified page with the original  Cached pages still might exist in browsers around the world…

 Phoenix could have inserted a source pointer to a Trojan instead of the target’s URL ◦ If the pointer is to a keylogger, the pawn site could be made to appear as if they are infecting computers around the world  What is the pawn company’s liability in this case?

 Prevent disclosure of information via passive means ◦ Configure DNS not to reveal information (via registrar) ◦ Configure web server settings ◦ Don’t “advertise” information about the site or developers that nobody requires  Even if removed from the web, historical pages might exist  NETCRAFT might reveal information regardless…

 ICMP ◦ Disable entry of Ping packets into the network from outside  If required, then script a “block” from IP’s in the event that pings exceed a given number in a time period  Might not be that effective in a DDoS attack…

 Blocking DDoS attacks via web ◦ Create customize stack  Costly (development and maintenance)  Reserved for highly secured environments ◦ Rate limiting  Bandwidth  Connection limits ◦ Black hole filtering  Send suspicious traffic to a nonexistent interface  These are all counter to the reason the company site is up in the first place…

 Review the web site hosting company’s policies and security statements  Your company should authorize all changes ◦ One time passwords, maintained by your company  Forces the developer to contact you for each modification

 Physical access to information ◦ Paper format? ◦ Put onto encrypted electronic format, and then on a locked down workstation, which is physically protected  Separation of duty  Principle of least privilege