Upload File

rise of the botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_level_credential...bots bots...

  • Home
  • Documents
  • Rise of the Botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_Level_Credential...bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server
23
RISE of the BOTS Peter Scheffler, Cyber Security Solutions Architect [email protected] / @pmscheffler

Upload: others

Post on 07-Aug-2020

1 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Rise of the Botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_Level_Credential...bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server

RISE of the BOTS

Peter Scheffler, Cyber Security Solutions [email protected] / @pmscheffler

mailto:[email protected]
Page 2: Rise of the Botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_Level_Credential...bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server

OK, but how do these happen?

Who really “attacks”

me?

Page 3: Rise of the Botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_Level_Credential...bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server
Page 4: Rise of the Botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_Level_Credential...bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server

• Roughly 50% of traffic is

human

• About 20% is good bots

• Remaining 30% is

malicious bots

How do we differentiate?

Page 5: Rise of the Botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_Level_Credential...bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server

••

Page 6: Rise of the Botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_Level_Credential...bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server

••

Page 7: Rise of the Botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_Level_Credential...bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server

••

••

Page 8: Rise of the Botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_Level_Credential...bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server

Exploiting POST for Fun & DoS

••

Attackers work to identify weaknesses in application infrastructure

Page 9: Rise of the Botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_Level_Credential...bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server
Page 10: Rise of the Botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_Level_Credential...bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server

••

••

Page 11: Rise of the Botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_Level_Credential...bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server
Page 12: Rise of the Botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_Level_Credential...bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server
Page 13: Rise of the Botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_Level_Credential...bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server

••

Page 14: Rise of the Botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_Level_Credential...bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server
Page 15: Rise of the Botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_Level_Credential...bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server
Page 16: Rise of the Botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_Level_Credential...bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server

Only 26% of Scalar Survey

Respondents said their users

are trained…

Page 17: Rise of the Botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_Level_Credential...bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server

* Threat Matrix Cyber Crimes 2017 Report

Page 18: Rise of the Botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_Level_Credential...bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server

Web Application

Page 19: Rise of the Botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_Level_Credential...bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server

••

• https://PanOpticlick.eff.org

http://panopticlick.eff.org/
Page 20: Rise of the Botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_Level_Credential...bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server

1st time request to web server

Internet

Web Application

Legitimate browser

verification

No challenge response from

botsBOTS ARE DROPPED

WAF responds with injected JS challenge. Request is not passed to server

1

JS challenge placed in browser

2

WAF verifies response authenticity

Cookie is signed, time stamped and finger printed

4

Valid requests are passed to the

server

5

Browser responds to challenge &

resends request

3

Continuous invalid bot attempts are

blocked

Valid browser requests bypass challenge w/

future requests

Page 21: Rise of the Botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_Level_Credential...bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server

http://bit.ly/ASMLabManual

https://training.f5agility.com/7280/<#

http://bit.ly/ASMLabManual
https://training.f5agility.com/7280/<
Page 22: Rise of the Botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_Level_Credential...bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server
Page 23: Rise of the Botsstatic.carahsoft.com/concrete/files/9615/2328/9842/300_Level_Credential...bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server

Ss Peter & Paul s Catholic Primary School · Ss Peter & Paul’s Catholic Primary School 16 Beverley Street, Doncaster East , 3109 Tel: (03) 9842 2056 Fax: (03) 9842 1125 ... It is

Virtual Bots

‘Bots 4 Brains’

Bots Manual

Bots Inc

Bots Not Cattle - GitHub Pagesjberkus.github.io/pdf_presos/bots_not_cattle_automacon.pdfnew bot rules 1. bots initialize themselves 2. bots know their own state 3. bots share their

bots bots bots - Amazon S3s3.amazonaws.com/aparrish/bots+bots+bots.pdf · bots some historical threads ! Allison Parrish. bots are. procedural uncreative data-driven graffiti. procedural

Museum Bots

Simple Bots Skitter

Twitter Bots

COMELEC Resolution No. 9615 – RULES AND REGULATIONS

Bushido bots

Twitch Bots

Pandora Bots Overview

Optimization class notes MTH-9842

F reso no.-9615

Bots: An introduction for developers - AgentNnamdi · Bots: An introduction for developers Bots are third-par ty applications that run inside Telegram. Users can interact with bots

Brains Bots Builders - mirnova.orgmirnova.org/papers-public/brains-bots-builders-rtc-extreme... · Brains Bots Builders Reconfigurability and Redesign in Human-Robotic Systems

Swarm bots

Australian Energy Regulator | AER and MHIA Submissions on … · P: 02 9615 9999 F: 02 9615 9998 E: [email protected] Caravan, Camping & Touring Industry & Manufactured Housing

AI Chat bots developing - InfraDrive.com · Selling chat bots: helps people to know item prices and offers. Supporting chat bots: you may find this kind of chat bots in websites which

Robert Shaw 9615

Bright Bots

Contact Melissa Franklin at 713-395-9615 or …media.bizj.us/view/img/1972911/hbjclass021414.pdf · THE BUSINESS MARKETPLACE Contact Melissa Franklin at 713-395-9615 or [email protected]

Telegram bots

CAUSE NO. 9842 - Freedom Schoolfreedom-school.com/9842/request-for-admissions.pdfCAUSE NO. 9842 In the Admiralty ... If your response to for Request # 30 is "denied," please ... The

Battle bots

ISSN 1745-9842 Barrowmore Model Railway JournalISSN 1745-9842 Barrowmore Model Railway Journal Number9, David Faulkner 23 Parkhill Road Prenton BIRKENHEAD Wirral CH42 9IB December

Arts and bots

COMELEC PHILIPPINES: Resolution 9615

9615 RULES AND REGULATIONS IMPLEMENTING REPUBLIC ACT NO.docx

Comelec Resolution 9615

Publi Bots

Gallagher T Series Readers - Murich€¦ · Cardax IV (using Cat5e Belden 9842 (24AWG)200M) HBUS - 500m + Cardax IV ( using Cat5e Belden 9842 (24AWG) 200m) ENVIRONMENTAL SPECIFICATIONS

Magnetic Bots