Presentation is loading. Please wait.

Presentation is loading. Please wait.

Beyond DDoS: Case Studies on Attack Mitigation for Financial Services Mike Kun and Patrick Laverty, Akamai CSIRT.

Published byBruno Strickland Modified over 9 years ago

Similar presentations

Presentation on theme: "Beyond DDoS: Case Studies on Attack Mitigation for Financial Services Mike Kun and Patrick Laverty, Akamai CSIRT."— Presentation transcript:

1 Beyond DDoS: Case Studies on Attack Mitigation for Financial Services Mike Kun and Patrick Laverty, Akamai CSIRT

2 ©2013 AKAMAI | FASTER FORWARD TM Akamai CSIRT: What We Do Akamai Customer Security Incident Response Team: Incident Response for 30% of the web We only do web, DNS, and the infrastructure No: APT, endpoints, email, Active Directory Lots of: Threat intelligence OSINT Coordination with peer CERT/CSIRT Discussions with policy-makers Customer outreach

3 ©2013 AKAMAI | FASTER FORWARD TM Login Abuses

4 ©2013 AKAMAI | FASTER FORWARD TM Login Abuses – TTPs and Defenses Rate controls to block fast moving scripts Attack relies on being able to check thousands of accounts quickly Blocking aggressive scripts prevents login exploitation Internal monitoring for changes to customer accounts Email address Shipping address Same email on multiple accounts Geo blocklists for areas where there is no business Cuts down on the places attackers can launch from Do cloud server providers need to access your webpage? Custom rules to block User-Agent strings (or lack thereof) Attack scripts are often simple and will contain only “curl” or “wget” Sometimes none at all

5 ©2013 AKAMAI | FASTER FORWARD TM Domain Hijacking Attackers gain credentials via phishing Attack can be against domain owner or registrar Domain maliciously redirected DNS settings updated at registrar Preventions include properly trained users against social engineering and domain locks

6 ©2013 AKAMAI | FASTER FORWARD TM Domain Hijacking – TTPs and Countermeasures DNS Locking – Two Levels ClientUpdateProhibited ClientTransferProhibited ClientDeleteProhibited ServerUpdateProhibited ServerTransferProhibited ServerDeleteProhibited

7 ©2013 AKAMAI | FASTER FORWARD TM Scrapers and Bots

8 ©2013 AKAMAI | FASTER FORWARD TM Scrapers and Bots

9 ©2013 AKAMAI | FASTER FORWARD TM Scrapers and Bots

10 ©2013 AKAMAI | FASTER FORWARD TM Scrapers and Bots

11 ©2013 AKAMAI | FASTER FORWARD TM Scrapers and Bots – TTPs and Countermeasures Reduce Efficiency Reduce Impact Client Validation Welcome Bots

12 ©2013 AKAMAI | FASTER FORWARD TM Hacktivists - TTPs Attack types are all across the board: DDoS SQL Injection Defacement/Cross-Site Scriping (XSS) Local File Include (LFI) Social Engineering In-person protests

13 ©2013 AKAMAI | FASTER FORWARD TM Hacktivists - Countermeasures DDoS – Rate Controls

14 ©2013 AKAMAI | FASTER FORWARD TM Hacktivists - Countermeasures DDoS – Rate Controls

15 ©2013 AKAMAI | FASTER FORWARD TM Hacktivists - Countermeasures SQL Injection – WAF Rules

16 ©2013 AKAMAI | FASTER FORWARD TM Hacktivists - Countermeasures Defacement/Cross Site Scripting (XSS) – WAF Rules

17 ©2013 AKAMAI | FASTER FORWARD TM Hacktivists - Countermeasures Local File Include (LFI) – WAF Rules

18 ©2013 AKAMAI | FASTER FORWARD TM Reflection and Amplification Attacks

19 ©2013 AKAMAI | FASTER FORWARD TM Reflection and Amplification Attacks - Analysis Reflection: Uses UDP packets with forged source headers Attacker targets in intermediate server: DNS, NTP, etc Server replies to the forged source, sending traffic to the victim Victim does not know the source of the attack Amplification Attacker makes a query to the intermediate server The query is small but the answer is large The difference allows a small botnet to send lots of small queries and still hit with a lot of traffic

20 ©2013 AKAMAI | FASTER FORWARD TM Reflection and Amplification Attacks - Analysis Amplification Factors: BitTorrent: 3.8 SNMP: 6.3 DNS: 28-54 QOTD: 140.3 CharGEN: 358.8 NTP: 556.9

21 ©2013 AKAMAI | FASTER FORWARD TM Flash Crowds vs. DDoS Both have large number of requests Flash crowd has low requests per source IP address DDoS has high requests per source IP address Other differentiators Referrers URL pattern User demographics Blacklists DDoS bot signatures Session tokens Responses differ greatly Block a malicious DDoS Allow a flash crowd

22 ©2013 AKAMAI | FASTER FORWARD TM Flash Crowds

23 ©2013 AKAMAI | FASTER FORWARD TM Questions?

Download ppt "Beyond DDoS: Case Studies on Attack Mitigation for Financial Services Mike Kun and Patrick Laverty, Akamai CSIRT."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.

1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.
© 2015 Imperva, Inc. All rights reserved. Collateral DDoS Ido Leibovich, ADC.

© 2015 Imperva, Inc. All rights reserved. Collateral DDoS Ido Leibovich, ADC.
Protecting Commercial and Government Web Sites: The Role of Content Delivery Networks Bruce Maggs VP for Research, Akamai Technologies.

Protecting Commercial and Government Web Sites: The Role of Content Delivery Networks Bruce Maggs VP for Research, Akamai Technologies.
1 MTvScan (Malware, Trojan, Viruses Scanner) Enterprise Class Security Scanner.

1 MTvScan (Malware, Trojan, Viruses Scanner) Enterprise Class Security Scanner.
1 | © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2014 Infoblox Inc. All Rights Reserved. Domain Name System (DNS) Network Security Asset or Achilles.

1 | © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2014 Infoblox Inc. All Rights Reserved. Domain Name System (DNS) Network Security Asset or Achilles.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Registrars and Security Greg Rattray Chief Internet Security Advisor.

Registrars and Security Greg Rattray Chief Internet Security Advisor.
Phishing – Read Behind The Lines Veljko Pejović

Phishing – Read Behind The Lines Veljko Pejović
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Jak zwiększyć bezpieczeństwo i wysoką dostępność aplikacji wg

Jak zwiększyć bezpieczeństwo i wysoką dostępność aplikacji wg
Lecture 15 Denial of Service Attacks

Lecture 15 Denial of Service Attacks
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.

Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.

Similar presentations

Ads by Google