Published by Hope Hall. Modified over 9 years ago.
www.egi.eu EGI-InSPIRE RI-261323
SSC5: a Multi Site Security Drill, code name: “World Domination”
Oscar Koeroo, 09/23/11
Together with:
acknowledgements
- NON INTRUSIVE
- DO NOT affect actual production
- FULL control of the distributed infection
- Detailed LOGGING of all infection activity
- Have an emergency FULL STOP of the drill
Goal
- Simulate a grid wide security incident
- Means: ~40 sites, globally, all at once
- Challenge the procedures on IR handling
- Focus on the communication channel capabilities
Architecting the attack
t0: Initial tickets
t1: Informing NGI and EGI teams
t2: Checking the logs
t3: Contacting the VO
t4: EGI informs T1 & T2
t5: NGI containment
t6: Forensics & Reporting
Bot network deployment through PanDa pilot job submission
Diagram labels: Worker Node Bot PanDa* SSC5: Portal C&C Submit host IP NAT
The challenge viewed from our side
Built-in features in the bot
- Use plain HTTP as the C&C protocol
  - Packing libevent for HTTP
- Encrypt the HTTP JSON payload with AES
  - Packing libjson, AES and SHA1/SHA256
- Fake (deadcode) for cron/atd tests & others
- Search for writeable file locations and leave files
- Command set through JSON incl arbitrary command execution
- “Look busy”
  - Calculate SHA256 hashes and create 70% load on a Core i7
Bot kill switches
- Through a command; HTTP/JSON-AES
- Time based; two weeks
- DNS
  - A specific return value was expected from a DNS service; otherwise stop
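The three stop conditions on the kill-switch slide, written so that any doubt ends the drill agent (an added example, not code from the SSC5 bot). The class name `KillSwitch`, the injected `resolve` callable and the address 192.0.2.53 are assumptions constructed for illustration.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional

TWO_WEEKS = 14 * 24 * 3600  # time-based limit named on the slide, in seconds


@dataclass
class KillSwitch:
    """Stop conditions for a drill agent (hypothetical structure)."""
    started_at: float                     # epoch seconds when the agent started
    expected_dns: str                     # value the DNS service must return (constructed)
    resolve: Callable[[], Optional[str]]  # injected lookup, so the check is testable offline
    stop_commanded: bool = False          # set when a stop command has been received

    def reason_to_stop(self, now: Optional[float] = None) -> Optional[str]:
        """Return 'command', 'time' or 'dns' if the agent must stop, else None."""
        now = time.time() if now is None else now
        # 1. Explicit stop command from the drill operators.
        if self.stop_commanded:
            return "command"
        # 2. Time limit. A clock that runs backwards counts as expired,
        #    so a reset system clock cannot extend the drill.
        if now < self.started_at or now - self.started_at >= TWO_WEEKS:
            return "time"
        # 3. DNS check: only the exact expected answer keeps the agent alive.
        #    Resolver errors, empty answers and changed records all stop it.
        try:
            answer = self.resolve()
        except Exception:
            return "dns"
        if answer != self.expected_dns:
            return "dns"
        return None


if __name__ == "__main__":
    # Constructed sample: the record has been changed by the operators.
    ks = KillSwitch(time.time(), "192.0.2.53", lambda: "192.0.2.1")
    print(ks.reason_to_stop())
```

Because the DNS condition requires a positive answer rather than the absence of a stop signal, the operators can halt every agent by changing or removing one record, and an agent cut off from the network stops as well.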
Anti-debugging features
- Used: GDB detection, ptrace detection
- Not used: encrypted binary; Not open sourced
Future ideas to hide our tracks...
SSC-Monitor: the coordination hub
Questions?