CONTENT DELIVERY NETWORK AND
WEB APPLICATION FIREWALL
A Double Whammy for Hackers?
MY BRIEF CREDENTIALS
Principal IT Consultant, CISSP
eBay Bug Bounty award.
0-day full CV dump vulnerability on a major job search site.
Worked in Silicon Valley, California as a software developer during the dot-com boom days.
Email: [email protected]
DISCLAIMER
The information presented does not reflect the opinion of my current employer.
The views and opinions expressed are purely from my personal research.
Any product claim, statistic, quote or other representation about a product or service should be verified with the manufacturer or provider.
MAIN TOPICS
How do a CDN and a WAF help prevent cyber attacks on FIs (financial institutions)?
Discussing the defacement of the Malaysia Airlines website even though both a CDN and a WAF were in place.
Techniques to close the gap and build strength for the future.
REMINDER
This presentation is not:
To tell you to be compliant with the MAS TRM guidelines, which you already know.
To tell you the “defense-in-depth” theories, which you already know.
To tell you the dangers and motivations of cyber attacks, DDoS attacks and malware, which you already know.
To tell you to give users awareness training, which you already know.
To tell you how to create a governance process, which you already know.
Blah blah...
The objective is not to bore all the Ninjas here!
PREPARING A DDOS ATTACK DEFENCE
Purchase an on-premise DDoS mitigation appliance
E.g. Fortinet, Juniper Networks, Cisco Guard
Purchase a DDoS mitigation service from your ISP
E.g. Clean-Pipe service, Level3
Purchase a DDoS mitigation service from a specialised mitigation service provider
E.g. Akamai, Incapsula, CloudFlare, DOSarrest, Arbor (examples of CDN+WAF or “scrubber” technology providers)
AGENDA
1. Preparing a DDoS Attack Defence
2. Traditional Architecture
3. What is a Content Delivery Network (CDN)?
4. CDN Architecture
5. Key Benefits of Enterprise CDN
6. Key Benefits of Web Application Firewall (WAF)
7. CDN and WAF Architecture
8. WAF Weakness
9. CDN Weakness
10. Case Study: Malaysia Airlines incident (26-Jan-15)
11. Case Study: Lenovo incident (25-Feb-15)
12. DNS Hijacking Prevention Best Practices
13. Questions to ask your Domain Registrar
14. CDN Security Protection Best Practices
TRADITIONAL ARCHITECTURE
So how do we solve it?
Solution: servers are always close to you!
WHAT IS A CONTENT DELIVERY NETWORK (CDN)?
A Content Delivery Network (CDN) is a network of servers hosted by a service provider in multiple locations around the world, so that content can always be served from the server nearest to the consumer requesting it.
A CDN consists of two key components:
The Origin Server(s) – the content source server.
Cache / Edge servers – the servers that clients see and request content from.
CDN ARCHITECTURE
CDN Network Architecture
A CDN uses a DNS CNAME record to hide your origin (source) server.
Example: the www.dbs.com.sg A record is 23.204.171.241.
The “A” in “A record” stands for Address. An “A” record is used to find the address of a computer connected to the internet from its name.
23.204.171.241 belongs to Akamai.
po.dbs.com.sg is the SOA, i.e. the primary DNS server (SOA stands for Start Of Authority).
A CDN can also protect your primary/master DNS server (SOA).
Request flow for logo.png on images.mydomain.com:
1. The client requests logo.png from images.mydomain.com.
2. The DNS system finds the CNAME and redirects the request to the CDN.
3. If logo.png is not in the CDN cache or has expired, it is requested from the Origin server and the CDN cache is refreshed.
4. The CDN responds to the client with logo.png.
Request Flow: DNS → CDN → Origin
CDNs have the ability to “pull” content from the origin server during HTTP requests in order to cache it.
Besides GET requests, a CDN can also proxy POST requests.
Do check with your CDN provider to block PUT, TRACE, DELETE and CONNECT, which are unsafe HTTP methods.
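The request flow above as a runnable model (an added example, not code from the slides or from any CDN vendor): a CNAME lookup to the edge, a TTL cache with an origin pull on a miss, and the unsafe-method block the slide recommends asking your provider for. All hostnames, addresses and content below are constructed.

```python
"""Simulation of the CDN edge request flow: DNS CNAME -> edge cache -> origin pull."""
import time

# Constructed sample DNS zone: the public name is a CNAME to the CDN edge; the
# origin name (which should never be advertised) holds the real A record.
DNS = {
    "images.mydomain.com": ("CNAME", "mydomain.cdn.example-cdn.net"),
    "mydomain.cdn.example-cdn.net": ("A", "203.0.113.10"),   # edge (TEST-NET-3)
    "origin.images.mydomain.com": ("A", "198.51.100.20"),     # origin (TEST-NET-2)
}

# Constructed origin content: path -> (body, max-age in seconds)
ORIGIN = {"/logo.png": (b"PNG-bytes", 60)}

UNSAFE_METHODS = {"PUT", "TRACE", "DELETE", "CONNECT"}   # blocked at the edge
PROXIED_METHODS = {"GET", "POST"}                         # GET cached, POST proxied


def resolve(name, dns=DNS):
    """Follow CNAMEs until an A record is reached; return (ip, chain of names)."""
    chain = [name]
    while True:
        if name not in dns:
            raise LookupError(f"NXDOMAIN {name}")
        rtype, value = dns[name]
        if rtype == "A":
            return value, chain
        if len(chain) > 8:                 # guard against CNAME loops
            raise LookupError("CNAME chain too long")
        name = value
        chain.append(name)


class Edge:
    """One CDN edge server with a TTL cache and an origin pull on a miss."""

    def __init__(self, origin=ORIGIN, clock=time.time):
        self.origin = origin
        self.clock = clock                 # injectable for deterministic tests
        self.cache = {}                    # path -> (body, expires_at)
        self.origin_hits = 0               # how often the origin was contacted

    def handle(self, method, path):
        """Return (status, body, x_cache) for a client request."""
        if method in UNSAFE_METHODS:
            return 405, b"", "DENIED"
        if method not in PROXIED_METHODS:
            return 501, b"", "DENIED"
        if method == "POST":               # proxied to origin, never cached
            return self._pull(path, cache=False)
        entry = self.cache.get(path)
        if entry and entry[1] > self.clock():
            return 200, entry[0], "HIT"    # fresh copy served from the edge
        return self._pull(path, cache=True)

    def _pull(self, path, cache):
        """Fetch from the origin and, for cacheable requests, refresh the cache."""
        self.origin_hits += 1
        if path not in self.origin:
            return 404, b"", "MISS"
        body, max_age = self.origin[path]
        if cache:
            self.cache[path] = (body, self.clock() + max_age)
        return 200, body, "MISS"
```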
KEY BENEFITS OF ENTERPRISE CDN
Faster site performance
High availability
Web application firewall (WAF)
DDoS protection
DNS DDoS and attack protection
Virtually real-time statistics
CDN vendor threat monitoring (managed service)
Other hidden benefits!
The CDN vendor manages your SSL certificate lifecycle.
Wildcard SSL certificates are implemented on the edge servers.
“Free” threat consultation from the CDN vendor.
Lessens your company's cyber-ops workload:
Less need to trigger technical controls to block attackers.
Less need to escalate threats to internal teams.
Less effort to fine-tune WAF configurations compared to implementing your own WAF.
Reduces overall operating cost.
KEY BENEFITS OF WEB APPLICATION FIREWALL (WAF)
“Most” Layer 7 attacks can be blocked before reaching the web server.
A “fast” solution to shield vulnerable applications from attacks.
Newly discovered application threats like “Path-Relative Stylesheet Import” (PRSSI) vulnerabilities can be mitigated by updating the WAF signatures.
Blocks automated scanners using signatures and rate control.
Legacy applications can be protected while the application takes time to be upgraded.
CDN AND WAF ARCHITECTURE
WAF WEAKNESS
A WAF cannot protect against all layer 7 attacks.
E.g. application business logic bypass.
A WAF uses regular expressions to block matching attack patterns.
WAF regexes need to be constantly fine-tuned and improved to block clever attacks.
Due to bad coding in the application design, specific WAF rules are often disabled or set to “warning” mode in order to allow the application to work.
A WAF can be bypassed given enough time for the attacker to figure it out.
Example: Blind SQL Injection WAF regular expression bypass
The substring keyword is blocked. However, the left and right keywords are OK!
Blocked:
and+ascii(substring((SELECT%20db_name()),1,1))%3d70
Bypass:
and+ascii(right(left((SELECT%20db_name()),1),1))%3d70
and+ascii(right(left((SELECT%20db_name()),2),1))%3d70
...
CDN WEAKNESS
Normal domain name request: DNS → IP → CDN → Origin
What if the CDN is bypassed? DNS → IP → CDN → Origin
Just because your origin server's IP address is no longer advertised over DNS, it's still connected to the internet!
If your IP address is not kept secret, attackers can bypass the CDN to attack your servers directly!
Attacking the Origin Server (diagram: a DDoS aimed at the weak point, the Origin IP)
Common default origin naming by CDN providers:
ORIGIN.<domain name>
ORIGIN.<sub>.<domain name>
DIRECT.<domain name>
<domain name>.CDN.<CDN domain name>
Also try typo variants of the name:
ORIGN
ORGIN
Akamai debug HTTP request Pragma headers
Source: http://mesmor.com/2012/03/18/akamai-pragma-debug-headers/
Pragma: akamai-x-cache-on, akamai-x-cache-remote-on, akamai-x-check-cacheable, akamai-x-get-cache-key, akamai-x-get-extracted-values, akamai-x-get-nonces, akamai-x-get-ssl-client-session-id, akamai-x-get-true-cache-key, akamai-x-serial-no
curl -s -I -H "Pragma: akamai-x-get-true-cache-key" http://www.malaysiaairlines.com
HTTP/1.1 200 OK
Date: Tue, 10 Feb 2015 04:43:34 GMT
ETag: "12fc58b-2b88d-50eb3ec99f1c0"
Server: Apache
X-Cache: TCP_IMS_HIT from a23-220-203-15.deploy.akamaitechnologies.com (AkamaiGHost/7.1.0.2-14656242) (-), MISS from 10.88.3.70, MISS from 10.88.3.70
X-Serial: 1456
X-Cache-Key: /L/1456/211307/1h/origin.www.malaysiaairlines.com/my/en.html
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache
Last-Modified: Tue, 10 Feb 2015 04:00:15 GMT
X-Frame-Options: SAMEORIGIN
Proxy-Connection: Keep-Alive
X-True-Cache-Key: /L/origin.www.malaysiaairlines.com/my/en.html
X-Check-Cacheable: YES
X-Akamai-Session-Info: name=AKA_PM_BASEDIR; value=
X-Akamai-Session-Info: name=AKA_PM_CACHEABLE_OBJECT; value=true
X-Akamai-Session-Info: name=AKA_PM_DEV_CHAR_IS_MOBILE; value=false; full_location_id=is_mobile
X-Akamai-Session-Info: name=AKA_PM_FWD_URL; value=/my/en.htm
Note the default and guessable origin name (origin.www.malaysiaairlines.com) revealed in X-Cache-Key and X-True-Cache-Key!
CDN providers also provide customers with a staging CDN platform.
CDN staging platforms allow customers to test changes before implementing them on the production CDN.
Theoretically, the staging platform will be less “robust” than the production platform.
The CDN staging platform may not be monitored at all! A good way for hackers to test for vulnerabilities without being caught or alerted.
To find the staging platform URL, just Google it and guess it!
Or simply sign up for the CDN provider's service to find out!
CASE STUDY: MALAYSIA AIRLINES INCIDENT (26-JAN-15)
Source: http://www.theguardian.com/world/2015/jan/26/malaysia-airlines-website-hacked-by-lizard-squad
Name Server (NS) is akam.net (using Akamai CDN! Holy S***)
Start Of Authority (SOA) is barbara.ns.cloudflare.com
Why 2 CDN vendors? Really?
HTTP Response Header: Server: LIZARDSQUAD
Who would bother to change the server banner after a defacement? (e.g. modify httpd.conf or the registry)
Most likely it is a DNS hijacking attack!
Source: http://www.computerworld.com/article/2874928/malaysia-airlines-claim-dns-hijacked-site-not-hacked-but-attackers-threaten-data-dump.html
Source: http://www.washingtonpost.com/news/morning-mix/wp/2015/01/26/lizard-squad-hacks-malaysia-airlines-claiming-link-to-islamic-state/
A phishing attack is a possible cause.
Source: http://www.tnooz.com/article/explainer-malaysian-airlines-website-attack/
After the site went back to normal, the DNS records were as follows:
SOA is now rusa.skali.com.my
Is this the correct SOA?
Or have they moved out of Cloudflare?
Searching historical DNS records using DNSHistory.org: the Malaysiaairlines.com SOA is rusa.skali.com.my!
The Malaysiaairlines.com domain registrar is Webnic.cc.
Did Webnic.cc get compromised? Most likely... but there is no public news to confirm it.
CASE STUDY: LENOVO INCIDENT (25-FEB-15)
Source: http://www.theguardian.com/technology/2015/feb/26/lenovo-website-hacked-and-defaced-by-lizard-squad-in-superfish-protest
Source: http://www.eweek.com/security/lenovo.com-hacked-but-soon-restored-after-intervention-by-cloudflare.html
Source: https://twitter.com/lizardcircle
The EPP Authorization Code is basically a password for the domain and is one of the most powerful safeguards against unauthorized transfers of a domain name.
In other words, EPP Authorization Codes are an extra security measure ensuring that only the actual domain name owner is able to initiate an outgoing domain transfer towards another Registrar.
(Figure labels: Client locked; EPP code)
Source: https://twitter.com/lizardcircle
Lenovo's email was also hijacked as a result of the DNS hijack.
Source: http://krebsonsecurity.com/2015/02/webnic-registrar-blamed-for-hijack-of-lenovo-google-domains/
Source: http://krebsonsecurity.com/2015/02/webnic-registrar-blamed-for-hijack-of-lenovo-google-domains/
Rootkit!
What is a Rootkit?
A Rootkit is a stealthy type of malicious software, designed to hide the existence of certain processes or programs from normal methods of detection and to enable continued privileged access to a computer.
Damage: a Rootkit might covertly steal user passwords and sensitive data or conduct other unauthorized activities.
The Webnic registrar was offline for around 5 days after the incident.
DNS HIJACKING PREVENTION BEST PRACTICE
Major DNS Hijacking incidents
DNS Hijacking, aka Domain Theft, is the process by which the registration of a currently registered domain name is transferred without the permission of its original registrant, generally by exploiting a vulnerability in the domain name registration system.
Registrar Client locks:
Purpose: to prevent unauthenticated changes.
clientUpdateProhibited
clientTransferProhibited
clientDeleteProhibited
These are useless when the attacker has obtained the credentials to the registrar account.
Source: https://blogs.akamai.com/2015/01/dns-hijacking-dangers-and-defenses.html
Registrar Server locks:
Purpose: the registrar will contact the previously agreed-upon admin contact to verify the changes.
Requires a call back to a specified phone number.
Only certain individuals can make changes.
serverUpdateProhibited
serverTransferProhibited
serverDeleteProhibited
Source: https://blogs.akamai.com/2015/01/dns-hijacking-dangers-and-defenses.html
After the incident, Malaysia Airlines implemented both Registrar Client Lock and Registrar Server Lock.
After the incident, Lenovo implemented both Registrar Client Lock and Registrar Server Lock.
Most domains implement Registrar Client Lock only, to avoid inconvenience when there is a need for fast turnaround time.
Example: www.dbs.com.sg
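An added example (not from the slides) that turns the indicators in this section into a baseline check: it parses constructed dig-style NS/SOA answers and WHOIS "Domain Status" lines, reports any change from the last known-good delegation, and lists which registrar client/server locks are missing. The known-good NS hostnames are hypothetical; the SOA values, registrar and lock names come from the slides.

```python
"""Baseline check for DNS-hijack indicators: delegation drift and missing registrar locks."""
import re

CLIENT_LOCKS = {"clientUpdateProhibited", "clientTransferProhibited", "clientDeleteProhibited"}
SERVER_LOCKS = {"serverUpdateProhibited", "serverTransferProhibited", "serverDeleteProhibited"}

# Last known-good state. The NS names are hypothetical placeholders; the SOA
# master and registrar are the values the case study identifies as genuine.
BASELINE = {
    "ns": {"ns1.example-host.com.my", "ns2.example-host.com.my"},
    "soa_mname": "rusa.skali.com.my",
    "registrar": "Webnic.cc",
}

# Constructed dig-style answer section as it would have looked during the
# incident: Akamai name servers and a Cloudflare SOA instead of the baseline.
DIG_DURING = """\
malaysiaairlines.com.  300 IN NS  a1-67.akam.net.
malaysiaairlines.com.  300 IN NS  a7-66.akam.net.
malaysiaairlines.com.  300 IN SOA barbara.ns.cloudflare.com. dns.cloudflare.com. 2015012601 10000 2400 604800 3600
"""

# Constructed WHOIS excerpt: client locks only, no server locks.
WHOIS_DURING = """\
Registrar: Webnic.cc
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientDeleteProhibited
"""

DIG_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|SOA)\s+(\S+)", re.M)


def parse_dig(text):
    """Return {'ns': set of NS hosts, 'soa_mname': primary master}, trailing dots stripped."""
    ns, soa = set(), None
    for _name, rtype, value in DIG_LINE.findall(text):
        value = value.rstrip(".").lower()
        if rtype == "NS":
            ns.add(value)
        else:
            soa = value
    return {"ns": ns, "soa_mname": soa}


def parse_whois(text):
    """Return {'registrar': str or None, 'status': set of EPP status codes}."""
    status, registrar = set(), None
    for line in text.splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "domain status" and val:
            status.add(val.split()[0])     # drop any trailing ICANN URL
        elif key == "registrar":
            registrar = val
    return {"registrar": registrar, "status": status}


def check(dig_text, whois_text, baseline=BASELINE):
    """Return a list of findings; empty means no drift and all six locks present."""
    dns, who = parse_dig(dig_text), parse_whois(whois_text)
    findings = []
    if dns["soa_mname"] != baseline["soa_mname"]:
        findings.append(f"SOA changed: {baseline['soa_mname']} -> {dns['soa_mname']}")
    if dns["ns"] != baseline["ns"]:
        findings.append("NS set changed: " + ", ".join(sorted(dns["ns"])))
    if who["registrar"] != baseline["registrar"]:
        findings.append(f"registrar changed: {who['registrar']}")
    for label, wanted in (("client", CLIENT_LOCKS), ("server", SERVER_LOCKS)):
        missing = sorted(wanted - who["status"])
        if missing:
            findings.append(f"missing {label} locks: " + ", ".join(missing))
    return findings
```

Run it on a schedule against live dig and WHOIS output and alert on any non-empty result; an unexpected SOA or NS change is the earliest visible sign of the hijack described in the case study.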
QUESTIONS TO ASK YOUR DOMAIN REGISTRAR
Choose a reputable Domain Registrar. Do your research by asking the following questions:
Q1: What are my authentication options?
Q2: How will authorized changes be verified?
Q3: Can I lock changes to a call back number?
Q4: What is the backup plan when the primary authentication method fails?
Q5: Can the above be circumvented via API, rootkit or portal?
CDN SECURITY PROTECTION BEST PRACTICES
Don’t use a guessable origin domain name. An attacker can guess the origin system's DNS record to bypass the controls, or find it using Shodan (http://shodanhq.com).
E.g. origin.www.<domain name>
Disable CDN debugging features. The debugging information can be used by attackers to design a DDoS attack.
Only allow your origin server to communicate with your CDN servers by white-listing the CDN servers on your firewall.
Only allow your primary DNS server to communicate with your CDN DNS servers by white-listing the CDN DNS servers on your firewall.
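An added example (not from the slides) of the origin allowlist described above: it collapses the CDN's published edge ranges, decides for sample connection attempts whether they arrived through the CDN or went direct-to-origin, and emits the matching iptables rules for the origin host. The ranges and source addresses are RFC 5737/3849 test networks, not any real CDN's; fetch the real list from your provider and re-run whenever it changes.

```python
"""Origin-server allowlist: only CDN edge ranges may reach the origin's web ports."""
import ipaddress

# Constructed "CDN edge ranges" (documentation/test networks only).
CDN_RANGES_RAW = [
    "203.0.113.0/25", "203.0.113.128/25",   # contiguous halves: collapse to one /24
    "198.51.100.0/24",
    "2001:db8:cd::/48",
]

ORIGIN_PORTS = (80, 443)          # the only ports the CDN needs on the origin


def load_ranges(raw):
    """Parse and collapse CIDR strings; raises ValueError on a malformed entry."""
    nets = [ipaddress.ip_network(r, strict=True) for r in raw]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def from_cdn(src, ranges):
    """True if src lies inside an allowed range of the same IP version."""
    ip = ipaddress.ip_address(src)
    return any(ip in n for n in ranges if n.version == ip.version)


def classify(attempts, ranges):
    """attempts: list of (src_ip, dst_port). Return 'ACCEPT'/'DROP' per attempt.
    Anything not from the CDN, or to a port the CDN does not need, is dropped."""
    verdicts = []
    for src, port in attempts:
        ok = port in ORIGIN_PORTS and from_cdn(src, ranges)
        verdicts.append("ACCEPT" if ok else "DROP")
    return verdicts


def iptables_rules(ranges, ports=ORIGIN_PORTS):
    """Emit allow rules per CDN range, followed by a default DROP on the web ports."""
    lines = []
    for n in ranges:
        tool = "iptables" if n.version == 4 else "ip6tables"
        for p in ports:
            lines.append(f"{tool} -A INPUT -p tcp -s {n} --dport {p} -j ACCEPT")
    for tool in ("iptables", "ip6tables"):
        for p in ports:
            lines.append(f"{tool} -A INPUT -p tcp --dport {p} -j DROP")
    return lines
```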
To prevent Direct-to-Origin attacks, subscribe to your ISP's Clean-Pipe service or to a Scrubber service provider.
THANK YOU!
References:
https://www.incapsula.com/blog/
https://blogs.akamai.com/2013/08/bypassing-content-delivery-security.html
https://blogs.akamai.com/2015/01/dns-hijacking-dangers-and-defenses.html
https://blogs.akamai.com/2014/06/fresh-wave-of-online-extortion-attacks-underway.html
https://blogs.akamai.com/
https://blog.cloudflare.com/
http://mesmor.com/2012/03/18/akamai-pragma-debug-headers/