UK Honeynet Project
Copyright Arthur Clune 2007. All rights reserved.
Trends in Web Attacks
Arthur Clune
arthur@honeynet.org.uk
Talk Overview
• History of (web) attacks
• DDOS attacks and economics
• Botnets
• Phishing
• Why do we care about this anyway?
A Taxonomy
• Defacement
• Resource stealing
• Denial of Service/DDOS
History
Prehistory
• Before the web
• ftp (anonymous ftp uploads)
• gopher
• backdoors
Why?
• Curiosity
• Status
• ‘Fame’
• Disk space was expensive!
Morris Worm
• 1988
• Not web based!
• First self spreading worm
Early Web
• Individual attacks
• Mainly motivated as before
Trinoo/Stacheldraht
• 1999
• First large scale DDOS tool
• University of York was among the victims!
Code Red/Nimda
• 2001
• Caused extensive problems (network traffic/instability)
• First really big worm
SQLSlammer
• 2003
• Attacked Microsoft SQL Server
• Fastest spreading worm ever
• How many of your web sites rely on a database?
Misc Stuff
• Also at this time:
• MS Frontpage extensions
• Edit your webpage remotely…oh, but so can other people.
Digression
• Zone-h defacement archive demo
Witty Worm
• 2003
• First worm aimed directly at a web server
  • MS IIS
• Followed by Sasser
Moving to webapps
• First php worm - 2004
  • Attacked phpBB
• It’s now most common to attack applications not webservers themselves
Pure web worms
• 2006
• MySpace worm
• Spread only within MySpace profiles
• A ‘Web 2.0’ worm?
Distributed Denial of Service
‘Nice website you’ve got there. Shame if anything happened to it’
DDOS - Why bother?
• It’s not about the fame
• Sometimes it’s about Money
DDOS II
• How it works
• Targets
  • Gambling
  • Porn
  • Anyone with money
Botnets
0wning the internet for fun and profit
Botnets
• Botnets are sets of machines, all controlled by a ‘bot herder’
• Often machines are infected when visiting a website
• Largest botnet found so far had > 1,000,000 machines in it
Botnet example
• Demo of botnet from UK Honeynet data
Phishing
There’s one born every minute
Phishing
• Different types:
  • 401 scams
  • Bank scams
• Some of these are very realistic
• Banks don’t always help themselves
Phishing 2
• Example of a phishing attack from UK Honeynet data
Am I bovered?
Or, why this affects web managers
How have things changed?
• Attacks often less personal, but bigger
• DDOS attacks can be too big to resist
• Web servers valuable as a way of spreading exploit code
• It’s not about fame anymore, but money
How does this affect you?
• Reputational loss
• Potential for damages if you can’t show due care
• Copyright violations on your servers
• DDOS attacks against you
What can we do?
• Follow best practice
• Occam’s razor - don’t multiply servers!
• Code audit/review/pen-testing
• Network design (DMZs, firewalls etc)
Questions?