Download - UK Honeynet Projectt Copyright Arthur Clune 2007 All rights reserved Trends in Web Attacks Arthur Clune [email protected]

Copyright Arthur Clune 2007All rights reserved

UK Honeynet Projectt UK Honeynet Projectt

Trends in Web Attacks

Arthur Clune

[email protected]



Talk Overview

• History of (web) attacks

• DDOS attacks and economics

• Botnets

• Phishing

• Why do we care about this anyway?



A Taxonomy

• Defacement

• Resource stealing

• Denial of Service/DDOS



History



Prehistory

• Before the web• ftp (anonymous ftp uploads)

• gopher

• backdoors



Why?

• Curiosity

• Status

• ‘Fame’

• Disk space was expensive!



Morris Worm

• 1988• Not web based!

• First self spreading worm



Early Web

• Individual attacks

• Mainly motivated as before



Trinoo/Stachledract

• 1999

• First large scale DDOS tool

• University of York was among the victims!



Code Red/Nimbda

• 2001

• Caused extensive problems (network traffic/instability)

• First really big worm



SQLSlammer

• 2003• Attacked Microsoft SQL Server

• Fastest spreading worm ever

• How many of your web sites rely on a database?



Misc Stuff

• Also at this time:• MS Frontpage extensions

• Edit your webpage remotely…oh, but so can other people.



Digression

• Zone-h defacement archive demo



Witty Worm

• 2003

• First worm aimed directly at a web server• MS IIS

• Followed by Sasser



Moving to webapps

• First php worm - 2004• Attacked phpBB

• It’s now most common to attack applications not webservers themselves



Pure web worms

• 2006• MySpace worm

• Spread only within MySpace profiles

• A ‘Web 2.0’ worm?



Distributed Denial of Service

‘Nice website you’ve got there. Shame if anything happened to it’



DDOS - Why bother?

• It’s not about the frame

• Sometimes it’s about Money



DDOS II

• How it works

• Targets• Gambling

• Porn

• Anyone with money



Botnets

0wning the internet for fun and profit



Botnets

• Botnets are sets of machines, all controlled by a ‘bot herder’

• Often machines are infected when visiting a website

• Largest botnet found so far had > 1,000,000 machines in it



Botnet example

• Demo of botnet from UK Honeynet data



Phishing

There’s one born every minute



Phishing

• Different types:• 401 scams

• Bank scams

• Some of these are very realistic

• Banks don’t always help themselves



Phishing 2

• Example of a phishing attack from UK Honeynet data



Am I bovered?

Or, why this affects web managers



How have things changed?

• Attacks often less personal, but bigger

• DDOS attacks can be too big to resist

• Web servers valuable as a way of spreading exploit code

• It’s not about fame anymore, but money



How does this affect you?

• Reputational loss

• Potential for damages if you can’t show due care

• Copyright violations on your servers

• DDOS attacks against you



What can we do?

• Follow best practice

• Occams razor - don’t multiply servers!

• Code audit/review/pen-testing

• Network design (DMZs, firewalls etc)



Questions?

Download - UK Honeynet Projectt Copyright Arthur Clune 2007 All rights reserved Trends in Web Attacks Arthur Clune [email protected]

Top Related