Trends in Web Attacks
DESCRIPTION
Talk on "Trends in Web Attacks" by Arthur Clune. See http://www.ukoln.ac.uk/web-focus/events/workshops/webmaster-2007/talks/clune/
TRANSCRIPT
Copyright Arthur Clune 2007. All rights reserved
UK Honeynet Project
Trends in Web Attacks
Arthur [email protected]
Talk Overview
• History of (web) attacks
• DDOS attacks and economics
• Botnets
• Phishing
• Why do we care about this anyway?
A Taxonomy
• Defacement
• Resource stealing
• Denial of Service/DDOS
History
Prehistory
• Before the web
• ftp (anonymous ftp uploads)
• gopher
• backdoors
Why?
• Curiosity
• Status
• ‘Fame’
• Disk space was expensive!
Morris Worm
• 1988
• Not web based!
• First self-spreading worm
Early Web
• Individual attacks
• Mainly motivated as before
Trinoo/Stacheldraht
• 1999
• First large-scale DDOS tool
• University of York was among the victims!
Code Red/Nimda
• 2001
• Caused extensive problems (network traffic/instability)
• First really big worm
SQLSlammer
• 2003
• Attacked Microsoft SQL Server
• Fastest spreading worm ever
• How many of your web sites rely on a database?
Misc Stuff
• Also at this time: MS FrontPage extensions
• Edit your webpage remotely… oh, but so can other people.
Digression
• Zone-h defacement archive demo
Witty Worm
• 2003
• First worm aimed directly at a web server
• MS IIS
• Followed by Sasser
Moving to webapps
• First PHP worm - 2004
• Attacked phpBB
• It’s now most common to attack applications, not web servers themselves
Pure web worms
• 2006
• MySpace worm
• Spread only within MySpace profiles
• A ‘Web 2.0’ worm?
Distributed Denial of Service
‘Nice website you’ve got there. Shame if anything happened to it’
DDOS - Why bother?
• It’s not about the fame
• Sometimes it’s about money
DDOS II
• How it works
• Targets:
• Gambling
• Porn
• Anyone with money
Botnets
0wning the internet for fun and profit
Botnets
• Botnets are sets of machines, all controlled by a ‘bot herder’
• Often machines are infected when visiting a website
• Largest botnet found so far had > 1,000,000 machines in it
Botnet example
• Demo of botnet from UK Honeynet data
Phishing
There’s one born every minute
Phishing
• Different types:
• 401 scams
• Bank scams
• Some of these are very realistic
• Banks don’t always help themselves
Phishing 2
• Example of a phishing attack from UK Honeynet data
Am I bovered?
Or, why this affects web managers
How have things changed?
• Attacks often less personal, but bigger
• DDOS attacks can be too big to resist
• Web servers valuable as a way of spreading exploit code
• It’s not about fame anymore, but money
How does this affect you?
• Reputational loss
• Potential for damages if you can’t show due care
• Copyright violations on your servers
• DDOS attacks against you
What can we do?
• Follow best practice
• Occam’s razor - don’t multiply servers!
• Code audit/review/pen-testing
• Network design (DMZs, firewalls etc)
Questions?