Barbarians at the Gate(way) - Dave Lewis - Codemotion Rome 2017
1 like386 views
The document discusses various cyber threats, specifically focusing on the actors behind DDoS attacks, the tools they use, and the defenses against such attacks. It highlights different prices for cybercriminal services and outlines specific groups like Al-Qassam cyber fighters and their attack methodologies. The document also emphasizes the need for system hardening and collaboration with ISPs for better mitigation strategies against cyber threats.
Barbarians at the Gate(way) - Dave Lewis - Codemotion Rome 2017
- 1. Text Barbarians At The Gate(way) Examination of actors, tools and defenses
- 8. W E F O U N D H I M ! M Y S T E RY S O LV E D !
- 15. It left me wanting…
- 17. Actors: For Hire
- 18. Current(ish) prices on the Russian underground market: Hacking corporate mailbox: $500 Winlocker ransomware: $10-20 Intelligent exploit bundle: $10-$3,000 Hiring a DDoS attack: $30-$70/day, $1,200/month Botnet: $200 for 2,000 bots DDoS botnet: $700
- 21. B O R E D T E E N S A N D
- 23. H A C K T I V I S T S T H E
- 25. S TA N D A R D V I L L A I N S T H E R E A R E
- 26. A R C H V I L L A I N S A N D T H E R E A R E
- 27. Actors: al-Qassam Cyber Fighters, QCF QCF is an Iranian group that has been focused on attacking US and Canadian banks. They use the Brobot botnet that attacks from compromised servers. Using server hardware and connection they can usually overwhelm scrubbers with traffic.
- 28. Attacks
- 29. Attack Vectors Over HTTP
- 31. Types of Attacks SYN Floods UDP Floods ICMP Floods NTP Amplification HTTP Flood
- 33. Your website can be overwhelmed…
- 47. DD4BC Began by targeting sites with ransom demands Failure to pay lead to increased $$$ to stop the attack Earlier attacks focused on businesses that would avoid reporting the attacks to law enforcement. Once research published they relocated their campaigns to APAC
- 54. Tools
- 55. Tools: Havij
- 56. Tools: Donut
- 57. Tools: Donut (con’t) GET / HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave- flash, application/msword, application/vnd.ms-powerpoint, application/vnd.ms-excel, */* Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705) Host: www.foo.bar Connection: Close
- 58. Tools: HULK
- 59. Tools: HULK (con’t) GET /?NJB=VURZQ HTTP/1.1 Accept-Encoding: identity Host: www.foo.bar Keep-Alive: 112 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/ 20090913 Firefox/3.5.3 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Connection: close Referer: http://www.foo.bar Cache-Control: no-cache
- 60. Tools: LOIC
- 61. Tools: HOIC
- 62. Tools: Brobot Brobot is a PHP trojan that allows an attacker to take control of a victim's compromised hosted Web server and use it to launch DDOS attacks.
- 63. Tools: Mirai
- 67. Tools: WGET
- 68. Trends
- 74. What’s a Booter?
- 75. OK, What’s a Stresser?
- 76. Stressers or Booters xBOOT Flash Stresser Hyper Stresser Grim Booter Anonymous Stresser Titanium Stresser / Lizards Big Bang Booter…and so on.
- 81. Other Observations SQLi Local/Remote File Inclusion Popping shells PHP Injection Malicious File upload JAVA …best remote access platform ever!
- 84. Why this is a problem.
- 86. Passwords
- 88. File Inclusions
- 89. Malicious Uploads KCFinder file upload vulnerability Open Flash Chart file upload vulnerability (CVE-2009-4140) appRain CMF (uploadify.php) unrestricted file upload exploit (CVE-2012-1153) FCKeditor file upload vulnerability (CVE-2008-6178)
- 91. So, what to do? SQL INJECTION IS A SOLVABLE PROBLEM Harden systems Work with your ISP on mitigation strategies Use ACL lists to deal with known bad IPs IP Rate limiting PATCH PATCH PATCH
- 96. A K A M A I I S H I R I N G ! A N D W I T H T H A T …
- 97. Grazie per aver ascoltato!
- 98. Questions? Visit our booth! Dave Lewis @gattaca [email protected]