Presentation by Terrence OConnor to CarolinaCon, May 17, 2014

HOW TO BUILD YOUR OWN BOTNET!
WAIT, I PROBABLY CAN'T SAY THAT. HOW TO DEFEND AGAINST BOTNETS!
Presenter: Terrence OConnor

INTRODUCTION
Terrence OConnor - CISSP, CISA, GPEN, C|EH
Global Enterprise Security Architect, Akamai Security Center of Excellence
Based in Atlanta, GA - USA
Over 14 years of security expertise. Prior role: Global Security Architecture for Travelport.
Worked in many verticals including commerce, financial, enterprise, travel and media.

AGENDA
Security Threat Briefing
Attack Tools and Techniques
Live RFI and DDoS Attacks
Summary
Q&A

Security Concepts: The Super Condensed Version

MOTIVATION
Attacker motivations fall into categories:
Political: attack those that don't agree with their beliefs.
Financial: there is some financial gain to be had by attacking.
Glory: they attack for recognition of their prowess.
Or: it's Tuesday and they are bored.
Attack impacts: Data Loss, Service Interruption, Fraud
Attack methods:
Resource Consumption Attacks (DDoS)
Man-in-the-Middle (Manipulation of Data in Transit)
Hijacking/Redirection
Application Attacks: Injecting Unwanted Behavior into Processing Logic (SQL Injection, Command Injection, etc.)
The list goes on.
LEVEL SETTING
What are your biggest security concerns and challenges with your online presence?

WHAT KEEPS CISOS UP AT NIGHT?
Data Breaches: how do you mitigate against data breaches and unintentional information disclosure?
Service Availability: whether through misconfiguration (improper change control) or through attack (DDoS), this generally falls under the oversight of the CISO. What is your strategy to mitigate availability attacks?
Billing Attacks: volumetric traffic flooding. Those scaling overages? Sure, we'll bill you for that!
Brand Protection: what is the cost of an impact to your company's brand in terms of dollars?

What I've seen

HEADLINES

BOTS NOT LIMITED TO HTTP(S)
Once your applications are compromised by a bot, they can execute any TCP/UDP traffic that the language/server allows. Examples:
DNS Flood
FTP Brute-force
SSH Brute-force
NTP Reflection/Amplification
SNMP

BROBOT IN ACTION

ADVERSARIES FOLLOWING THE SAME TRENDS
Increasingly focused on the Web Application
Fraud: the Web App is trusted by the Database and by users of the App
Establish Pivot to target the Enterprise
DDoS has evolved to focus on the Web App in recent years
Utilization of Reflective Services
Cloud Based Attack Adoption: Fast, Easy, Convenient, Powerful

Why is it so easy?

SO MANY REMOTE FILE INCLUSION/COMMAND INJECTION VULNERABILITIES!!!
Source: http://www.exploit-db.com/
Source: http://web.nvd.nist.gov/

KEEP IN MIND
If I own your box, I own your service. I own your customers. I own your reputation.

Tools and Techniques

HIGH LEVEL DEMO OVERVIEW
Attacker:
1) Recon/Mapping to find an Application with a known vulnerability. Not covered in the Demo, because Exploitation is more interesting. Hint: Google is a big help!
2) Exploit RFI vulnerability to run attacker-controlled code on the Server. In this case, the code is BroBot DDoS.
3) Launch DDoS targeting the OpenCart Site from our new Server

THE SCENARIO
Vulnerable Blog (and consequently, our Bot): Fully Patched and Updated WordPress, Well-connected, Cloud Hosted
Unprotected Site: Cloud Hosted Site with network layer protections, but nothing more.
Protected Site: Patent Pending Technology Protects Form Submissions from Bots

WORDPRESS FULLY PATCHED
Some stats:
Powers 1/6 of all sites on the internet. That's ~70,900,000 sites at last count.
Many disparate hosting providers.
Thousands of Custom Themes
Joomla! has very similar issues

THEME TIMTHUMB DROP-IN
"A small php script for cropping, zooming and resizing web images (jpg, png, gif). Perfect for use on blogs and other applications." - OH NO!
Developed for use in the WordPress theme Mimbo Pro, and since used in many other WordPress themes.
Pulls remote files locally
Not a lot of input checking
Requires file to be local prior to content verification
No default security mechanisms
Note: I am using an older version that's still out there on MANY blogs

BAD SCRIPT SERVER - BROBOT
Used primarily by QCF and Us
Very Simple Script
Easily Uploaded
Easily Executed
Creates Massive Traffic and CPU Load on Attacked Servers

BROBOT CODE SNIPPET
(excerpt as shown on the slide; the remainder of curl_download() is not on the slide)

    function curl_download ($remote){
        // Pool of User-Agent strings the bot rotates through to look like ordinary clients
        $useragent = array(
            'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.16) Gecko/20110929 Iceweasel/3.5.16',
            'IE/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322;)',
            'Googlebot/2.1 ( http://www.googlebot.com/bot.html)',
            'msnbot-Products/1.0 (+http://search.msn.com/msnbot.htm)',
            'Opera/9.00 (Windows NT 5.1; U; en)',
            'Safari/5.00 (Macintosh; U; en)');
        // ... rest of curl_download() not reproduced on the slide
    }

    // Request loop: each URL carries a random decimal as its only query string,
    // so every request looks different to a cache.
    if(function_exists('curl_init')){
        for($i = 0;$i < 10000;$i++){
            curl_download($target."?".rand(0,3000)/3.33334444);
        }
    }

Attack: It's really easy.

Defense: It's really hard.

PROTECTIONS
Must have Protection on Application Layer Attacks at Global Scale
Real-time, Always-on Security: Seconds Matter!
Protecting Multiple Origins from Attack with one Solution
Bot Mitigation must be Cacheable
Make Inputs Harder to Guess
Block Bad Inputs

Bot Mitigation Techniques

Recap

SUMMARY
Attacks are easily executed on a large scale, including DNS, HTTP(S), Data Exfiltration, etc.
Targets are in all verticals and of all sizes
Operating on the internet means constant automated attack
Are you the lowest hanging fruit?
Prepare, Protect, Monitor

MORE INFO

Q&A ?
Presenter: Terrence OConnor, terrence.oconnor (at) gmail dot com, Senior Enterprise Security Architect
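Added defender-side example, not from the talk: the BroBot snippet on the code slide sends requests whose only query string is rand(0,3000)/3.33334444, a bare decimal with no parameter name, while rotating through a fixed list of User-Agents. The function below flags source IPs showing that combination in access-log lines, one concrete form of the "Block Bad Inputs" point on the PROTECTIONS slide. The Apache combined-format sample lines, the IP addresses and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [17/May/2014:10:00:01 +0000] "GET /index.php?29.999960000213 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.16) Gecko/20110929 Iceweasel/3.5.16"
203.0.113.7 - - [17/May/2014:10:00:01 +0000] "GET /index.php?611.99978400078 HTTP/1.1" 200 512 "-" "Opera/9.00 (Windows NT 5.1; U; en)"
203.0.113.7 - - [17/May/2014:10:00:02 +0000] "GET /index.php?2.9999960000213 HTTP/1.1" 200 512 "-" "Safari/5.00 (Macintosh; U; en)"
198.51.100.4 - - [17/May/2014:10:00:05 +0000] "GET /index.php?page=2 HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0"
198.51.100.4 - - [17/May/2014:10:00:09 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0"
"""

# Apache "combined" format: ip ident user [ts] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# rand(0,3000)/3.33334444 yields a query string that is nothing but a decimal number:
# no "key=value", just digits and a dot. Legitimate requests practically never look like this.
BARE_FLOAT_QS = re.compile(r'^\d+\.\d+$')


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['qs'] = rec['path'].partition('?')[2]  # '' when there is no query string
    return rec


def find_brobot_sources(log_text, min_hits=3, min_uas=2):
    """Return {ip: hit_count} for sources that sent at least min_hits requests with a
    bare-decimal query string while rotating through at least min_uas User-Agents.
    Thresholds are assumptions; tune them to the site's normal traffic."""
    hits = defaultdict(int)
    uas = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not BARE_FLOAT_QS.match(rec['qs']):
            continue
        hits[rec['ip']] += 1
        uas[rec['ip']].add(rec['ua'])
    return {ip: n for ip, n in hits.items() if n >= min_hits and len(uas[ip]) >= min_uas}


if __name__ == '__main__':
    for ip, n in find_brobot_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} BroBot-style requests")
```

Flagged sources are candidates for rate limiting or blocking at the edge; the same bare-decimal test can be applied inline to reject the request before it reaches the origin.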