TEL 283 DoS on Competitor Web Site
The approach
• Phoenix has a “referral” from “Mr. Dobbs”
• Dobbs has threatened his girlfriend in the past
• Dobbs sent a “client” to Phoenix with a reminder about his girlfriend
• Client
  • Works for a computer parts company
  • $9B annual revenues
  • Asking that a whistleblower organization’s web site (www.thetruthusa.org) be down/inaccessible for a single day
  • The organization intends to splash damaging information on a specific day (the day before the earnings statement release)
  • The client does not wish to have the company’s stock price fall just prior to the earnings release
www.thetruthusa.org
• Recon
  • Shows the site to be amateurish
  • A Google search indicates that high-school students were allowed to get experience by designing and putting up the website
  • Phoenix hopes for poor design, poor maintenance/security and low bandwidth
The Plan
• Find an unprotected wireless network from which to perform the hack
• Use an anonymizer
• Make a DDoS attack using the Freak88 DDoS tool
• Test the DDoS tool in the lab
• Infect unprotected hosts with the Server.exe Trojan horse
• Take control of the infected hosts and launch the DDoS on the target site
Freak88
• The download contains
  • Clienttrinno.exe
  • Server.exe
  • Msbvm50.dll
• The client controls the boxes that have the Trojan server running on them
• The servers issue the pings
• These boxes are referred to as “zombies”
• The more zombies in the field attacking the victim, the better for the attacker!
History
• Shift from email phishing attacks to web-based attacks
  • Email filters are becoming more effective
  • Web-based attacks are more popular now because so much is being put into “business rich” web sites, and browsers fail to handle such content
    • Their primary function is to render web pages
  • SQL injection
  • Cross-site scripting
  • Inline frames
  • CSS
• Ping attacks might be filtered
  • Accomplish the same effect using a web-based attack
The exploit
• Attack #1: Test
• Attack #2: The one that worked
  • Gain access to the Pawn web site
  • Lab test the hack
  • Modify the Pawn site
Test
• Phoenix
  • Sets up a victim machine
  • Starts up Wireshark, filtering on ICMP traffic
  • Fires up a server zombie on a machine
  • Fires up the client software
    • The dialog box allows the attacker to “stack” the IPs and ports of the zombie machines
    • Indicates the IP of the victim
    • Buttons: Connect, Disconnect and “Takemout”
  • Wireshark confirms a ton of ICMP traffic
Test
• Just to be sure…
  • Phoenix attempts to ping the web server at www.thetruthusa.org
  • Gets “timed out” results
  • It turns out that the students have set up a PIX firewall to prevent pings to the web server!
Alternate attack
• Inline frames
  • Many small inline frames can be installed on a web page
  • Each frame can load a web page from another site
  • FORCE MULTIPLIER!
  • If you can constantly refresh each frame… better still
Alternate attack
• The trick is now to find a web site with lots of bandwidth and lots of traffic
• Social engineer the web design company
  • Phoenix needs write access to the server
• Modify the home page
  • Add inline frames calling the target’s home page
  • If 10 frames are added, every time a user brings up the unknowing accomplice’s page, 10 HTTP GET requests are issued against the victim
  • If you “refresh” the inline request every 5 seconds…
Social Engineering
• Phoenix poses as a potential client
• Speaks with developers and requests a demonstration
• A representative shows Phoenix how quickly a page can be added
  • In doing so, the rep refers to a 3-ring binder for the information on sites (credentials, etc.)
• Phoenix notes the location of the binder
• Phoenix bribes the cleaner to photocopy the contents of the 3-ring binder
Inline frames
• <iframe src="http://www.thetruthusa.org" width="0" height="0"></iframe>
• Refreshing every 5 seconds
  • Add a meta tag to the web page: <meta http-equiv="refresh" content="5">
Modify the Pawn Site
• Phoenix downloads the Pawn’s web page
• Inserts the inline frames and the meta tag
• FTPs the altered page to the Pawn’s server
Results
• DDoS against the victim
• How long?
  • Depends…
  • If traffic is examined, requests for the page are coming from all over
  • If the IP is changed, there is no effect: the requests are made for the URL, not the IP
  • Someone would have to examine the HTML within the pawn’s page to spot the inline frames
  • If reported to the pawn site, they might not notify the target that they were the unwitting accomplice
  • Once the pawn replaces the modified page with the original…
    • Cached pages might still exist in browsers around the world…
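An added example (not from the slides) of the traffic examination the slide mentions, done on the victim's side: browsers send the embedding page as the Referer when they load an iframe, so the victim's access log shows one Referer shared by many client IPs, each re-requesting at the refresh interval. The log lines and the pawn hostname are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def referer_floods(lines, min_ips=3, max_median_gap=10.0):
    """Return {referer: (distinct_client_ips, median_seconds_between_hits)} for
    referers that look like an embedding pawn page: many distinct clients, each
    re-requesting at a short, regular interval (the meta-refresh period)."""
    hits = defaultdict(lambda: defaultdict(list))   # referer -> client ip -> [timestamps]
    for line in lines:
        m = COMBINED_RE.match(line.strip())
        if not m or m["referer"] in ("", "-"):
            continue                                  # unparsable or no Referer: skip
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[m["referer"]][m["ip"]].append(ts)
    suspects = {}
    for referer, per_ip in hits.items():
        gaps = []                                     # seconds between successive hits, per client
        for stamps in per_ip.values():
            stamps.sort()
            gaps += [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(per_ip) >= min_ips and gaps and median(gaps) <= max_median_gap:
            suspects[referer] = (len(per_ip), median(gaps))
    return suspects

def _hit(ip, secs, referer):
    # Builds one constructed combined-format log line for the sample below.
    return (f'{ip} - - [01/May/2024:10:00:{secs:02d} +0000] "GET / HTTP/1.1" 200 5120 '
            f'"{referer}" "Mozilla/5.0"')

PAWN = "http://www.pawn.example/"   # placeholder: the deck never names the pawn site
SAMPLE_LOG = (
    # three clients each reload the page every 5 seconds, all embedding it from PAWN
    [_hit(ip, s, PAWN) for ip in ("203.0.113.7", "198.51.100.4", "192.0.2.9") for s in (0, 5, 10)]
    # plus one ordinary visitor with a normal referer and one with none
    + [_hit("192.0.2.20", 3, "https://news.example.org/"), _hit("192.0.2.21", 4, "-")]
)

if __name__ == "__main__":
    for ref, (n, gap) in referer_floods(SAMPLE_LOG).items():
        print(f"suspect embedding page {ref}: {n} clients, median gap {gap:.1f}s")
```

A Referer can be suppressed by referrer policy, so this is a triage signal to confirm against the embedding page's HTML, not proof on its own.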
Other possibilities
• Phoenix could have inserted a source pointer to a Trojan instead of the target’s URL
• If the pointer is to a keylogger, the pawn site could be made to appear as if it were infecting computers around the world
• What is the pawn company’s liability in this case?
Countermeasures
• Prevent disclosure of information via passive means
  • Configure DNS not to reveal information (via the registrar)
  • Configure web server settings
  • Don’t “advertise” information about the site or developers that nobody requires
  • Even if removed from the web, historical pages might exist
  • NETCRAFT might reveal information regardless…
Countermeasures
• ICMP
  • Disable entry of ping packets into the network from outside
  • If pings are required, then script a “block” of the source IP whenever its pings exceed a given number in a time period
  • Might not be that effective in a DDoS attack…
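An added example (not from the slides) of the scripted block described above: a sliding-window count of ICMP echo requests per source over a constructed log format, returning the sources that exceeded the threshold and when. The log format, hosts and timestamps are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any real firewall's):
#   <ISO timestamp> ICMP echo-request src=<ip> dst=<ip>
LINE_RE = re.compile(r"^(?P<ts>\S+) ICMP echo-request src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$")

def ping_flood_sources(lines, max_pings=5, window_seconds=10):
    """Return {src_ip: timestamp at which it first exceeded max_pings echo requests
    inside any sliding window of window_seconds}. Lines are assumed to be in time
    order; lines that are not echo requests are ignored."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # src ip -> timestamps of its pings still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] > window:    # expire pings that fell out of the window
            q.popleft()
        if len(q) > max_pings and m["src"] not in flagged:
            flagged[m["src"]] = ts
    return flagged

def _ping(ts, src):
    # Builds one constructed log line (dst is the web server).
    return f"{ts} ICMP echo-request src={src} dst=198.51.100.10"

SAMPLE_LOG = (
    # a burst: six echo requests from one host within four seconds
    [_ping(f"2024-05-01T10:00:0{s}", "203.0.113.7") for s in (0, 0, 1, 1, 2, 3)]
    # a slow sender: six echo requests a minute apart, never more than one per window
    + [_ping(f"2024-05-01T10:0{m}:00", "192.0.2.5") for m in range(6)]
    # an unrelated line the parser must skip
    + ["2024-05-01T10:00:02 TCP SYN src=192.0.2.8 dst=198.51.100.10 dport=80"]
)

if __name__ == "__main__":
    for src, when in ping_flood_sources(SAMPLE_LOG).items():
        print(f"block {src}: exceeded threshold at {when.isoformat()}")
```

As the slide notes, a per-source threshold only helps against a few loud sources; a distributed flood stays under it per source and needs upstream rate limiting instead.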
Countermeasures
• Blocking DDoS attacks via the web
  • Create a customized stack
    • Costly (development and maintenance)
    • Reserved for highly secured environments
  • Rate limiting
    • Bandwidth
    • Connection limits
  • Black hole filtering
    • Send suspicious traffic to a nonexistent interface
  • These are all counter to the reason the company site is up in the first place…
Countermeasures for web site modification
• Review the web site hosting company’s policies and security statements
• Your company should authorize all changes
  • One-time passwords, maintained by your company
  • Forces the developer to contact you for each modification
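An added example (not from the slides) of a content check the pawn site's owner could run over each published page to catch the modification described in the deck: hidden iframes, iframes pulling from another host, and a meta refresh. The sample HTML and the pawn hostname are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class PageAudit(HTMLParser):
    """Collects iframes that are hidden or pull from another host, and meta-refresh tags."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []           # (kind, value, reason) tuples

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            host = (urlparse(src).hostname or self.own_host).lower()   # relative src: own host
            style = a.get("style", "").replace(" ", "").lower()
            hidden = a.get("width") == "0" or a.get("height") == "0" or "display:none" in style
            if hidden:
                self.findings.append(("iframe", src, "hidden"))
            elif host != self.own_host:
                self.findings.append(("iframe", src, "third-party"))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", ""), "timed reload"))

def audit_page(html, own_host):
    """Parse one page and return the findings a reviewer should look at."""
    p = PageAudit(own_host)
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample: a pawn page (placeholder host) carrying the deck's two tags
# beside a legitimate same-host iframe that must not be flagged.
SAMPLE_HTML = """<html><head><meta charset="utf-8">
<meta http-equiv="refresh" content="5"></head>
<body><h1>Welcome</h1>
<iframe src="http://www.thetruthusa.org" width="0" height="0"></iframe>
<iframe src="https://www.pawn.example/video" width="400" height="300"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, value, reason in audit_page(SAMPLE_HTML, "www.pawn.example"):
        print(f"{kind}: {value} ({reason})")
```

Run against the published copy of every page after each authorized change and diff the findings against the last approved run; any new finding means the page changed outside the approval process.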
Countermeasures for employee compromise
• Physical access to information
  • Paper format?
  • Put it into an encrypted electronic format, and then onto a locked-down workstation that is physically protected
• Separation of duty
• Principle of least privilege