Trends in Web Attacks

Arthur Clune (arthur@honeynet.org.uk), UK Honeynet Project

Copyright Arthur Clune 2007. All rights reserved.

Upload: derrick-horton

Post on 26-Dec-2015


Talk Overview

• History of (web) attacks

• DDOS attacks and economics

• Botnets

• Phishing

• Why do we care about this anyway?

A Taxonomy

• Defacement

• Resource stealing

• Denial of Service/DDOS

History

Prehistory

• Before the web

• ftp (anonymous ftp uploads)

• gopher

• backdoors

Why?

• Curiosity

• Status

• ‘Fame’

• Disk space was expensive!

Morris Worm

• 1988

• Not web based!

• First self-spreading worm

Early Web

• Individual attacks

• Mainly motivated as before

Trinoo/Stacheldraht

• 1999

• First large scale DDOS tool

• University of York was among the victims!

Code Red/Nimda

• 2001

• Caused extensive problems (network traffic/instability)

• First really big worm

SQLSlammer

• 2003

• Attacked Microsoft SQL Server

• Fastest spreading worm ever

• How many of your web sites rely on a database?

Misc Stuff

• Also at this time:

• MS Frontpage extensions

• Edit your webpage remotely…oh, but so can other people.

Digression

• Zone-h defacement archive demo

Witty Worm

• 2003

• First worm aimed directly at a web server

• MS IIS

• Followed by Sasser

Moving to webapps

• First PHP worm - 2004

• Attacked phpBB

• It’s now most common to attack applications not webservers themselves

Pure web worms

• 2006

• MySpace worm

• Spread only within MySpace profiles

• A ‘Web 2.0’ worm?

Distributed Denial of Service

‘Nice website you’ve got there. Shame if anything happened to it’

DDOS - Why bother?

• It’s not about the fame

• Sometimes it’s about Money

DDOS II

• How it works

• Targets

• Gambling

• Porn

• Anyone with money

Botnets

0wning the internet for fun and profit

Botnets

• Botnets are sets of machines, all controlled by a ‘bot herder’

• Often machines are infected when visiting a website

• Largest botnet found so far had > 1,000,000 machines in it

Botnet example

• Demo of botnet from UK Honeynet data

Phishing

There’s one born every minute

Phishing

• Different types:

• 401 scams

• Bank scams

• Some of these are very realistic

• Banks don’t always help themselves

Phishing 2

• Example of a phishing attack from UK Honeynet data

Am I bovered?

Or, why this affects web managers

How have things changed?

• Attacks often less personal, but bigger

• DDOS attacks can be too big to resist

• Web servers valuable as a way of spreading exploit code

• It’s not about fame anymore, but money

How does this affect you?

• Reputational loss

• Potential for damages if you can’t show due care

• Copyright violations on your servers

• DDOS attacks against you

What can we do?

• Follow best practice

• Occam’s razor - don’t multiply servers!

• Code audit/review/pen-testing

• Network design (DMZs, firewalls etc)

Questions?