Thank you all for joining me. I really do appreciate you taking the time to sit here and listen to me talk. I know that I'm in between you and beer, so feel free to come and go as you please to get some more. I'm actually really happy to be here because I grew up in Montreal, actually just outside of Montreal in DDO. So any time I get a chance to come back here and talk, I always love it, because it feels very much like home when I'm here.

But anyway, I'm here to talk about distributed denial of service. I work for a little company called Akamai Technologies, and we tend to deal with that a whole lot. It's really interesting when you think about it that everybody in this room, at some point in the last 30 days, has had their IP address end up in our log files at least once. Wrap your head around that.

Anyway, who am I and why am I standing here talking to you? Well, before I came to Akamai, I did 20 years in the trenches. I spent a lot of time in three different banks, two power companies, military contracting and so on and so forth, and I have all the scar tissue to show for it. It was a long ride, and I enjoyed it in retrospect, and all along the way I kept copious files and lots of notebooks. So as a result, I am able to go back and pull stories from there, sanitize them and use them when I write for a couple of publications, CSO Online and Forbes. It makes it rather interesting.

So what I'm going to talk to you about today: I'm going to go over some high-level ideas here. We're going to talk about the actors, as part of threat modeling like Robert was talking about in the last talk. We're going to talk about attacks, the types of tools that attackers are using, because one of the things that I noticed a while ago is that any time I ever saw an article in the media, it was "a denial of service", but they never really dig down into what it is.
I'm not going to dig too deep, but at least I'm going to touch on the subject. As well, we're going to look at trends that we see evolving, because one of the things that we do at Akamai is the thing called the State of the Internet report. Funny enough, when you have about 30% of the internet going across your platform at any given point (if you take out pornography, we have 80%), then you get a lot of data, and one of the really cool things is we've been going through and parsing out this data. It's an evolutionary process, so about a year from now you're going to see some really amazing reports coming out, and I hope that you can derive value from those. So that's one of those things. As well, in addition to the data, I'm just going to talk, at a high level, about things that you can do. Yes, I know I'm a vendor, we sell something, but it's more along the lines of things that you should be doing for your sites now, notwithstanding vendor guys standing up here yacking at you.

But first, I want to talk about a little PSA that has nothing to do with denial of service. This morning, I got hit with this. I'm a vendor; this drives me nuts. This drove me nuts when I was on the other side of the phone for 20 years. This was a company that reached out and said, oh look, you've got a chance to win 200 euros, was it 200 euros? Yeah, 200 euros, if you fill out this questionnaire. Don't do this. If you work for a vendor, please don't do this. I'm rather irritated because, you know, I have a temper.

Anyway, that being said, I'm going to talk about some of the actors that you have to deal with, as they fall into your own threat model. In this case, the first ones out of the box are your mercenary types, your hackers for hire. And there are lots of groups out there in the various underground forums that are actually available for hire to attack sites.
One gentleman who was in the C-suite for a company, this was going back about 10 years ago, hired one of these teams to attack his competitor. The thing he didn't take into account was that when this crew was eventually caught, the FBI flipped them and he ratted them out, and he got to go to jail for a long period of time. I do regret that I can't remember his name; I seem to have lost that part of my data. But anyway, Max Vision, there we go. So thank you. And yes, feel free to throw things at me verbally as we go along.

So this is an underground market list. This is actually two years out of date, so I apologize for that. But you can look at this as a menu. So you can go through and say, okay, I want one of these, one of those, one of those, and, you know, I'll get the tiramisu to go. So you can look at the price points here. For example, with the DDoS attack, this is two years ago, mind you, 30 to 70 bucks a day, or $1,200 a month. I don't know what the monthly package would be, and it'd probably be rather substantial at that point. So there was money to be made in these underground forums for this sort of activity.

Now, the upside is that the other side of the phone is now available. We actually have hackers for hire: an amalgamation of yourselves that can be hired out for various projects, a rather cool project. I don't know too much about this particular project; I only found out about it today, and I thought it was worthy to bring up as something to have a look at. That's the Hackers List.

Now, after you look at the hackers for hire on the negative side of things, you also have to look at these guys, the bored kids at home that are sitting in their parents' basement eating Doritos and pissed off at the universe. These are kids with access to tools, access to the internet, and a lot of free time. And there's a lot of them.
So if they get bored and they get a tool that they can play with, they can be leveraged into a rather substantial force. And you also have to look at the thought process that goes into it when you're someone, you know, 15 years old sitting at home with nothing better to do. Like there was a kid in London, Ontario, who was arrested not too long ago. When Heartbleed came out, he said, oh great, I'll take Heartbleed and I'll beat up on Revenue Canada. Not the greatest idea. So he went there and he was digging away at it all day long. They had so much information on him that they showed up the next day and arrested him. And he's basically thrown his life away. I don't know his particular age; I believe it was 18, actually, which is not good for him. But the thought process wasn't there, where it was a fully formed idea of: wait a minute, maybe this is a bad idea, maybe I shouldn't be doing this. And there's so many of these kids out there that need better guidance that it really worries me that they might get leveraged into a cohesive force that can be used to attack somebody.

And possibly somebody had that idea, and this is a perfect example. Anonymous was able to come up with some tools and said, here you go, join the fray. And lots of people jumped in and they used these tools and attacked various sites. And I'll get into that a little bit more later on. Now, when you're dealing with activists, these are the chaotic actors; you're never sure exactly what you're going to get next. And we've seen Anonymous has had some campaigns that were worthy of note and other campaigns where everybody stood there and went, you're doing what now? And it got really interesting. And that's the problem when you call yourselves Anonymous: anybody and their brother can hang up a signal and say, I'm Anonymous. So you have that decentralization, the chaotic aspect. Most times they're politically and socially motivated. But it's only most of the time, not all the time.
Then we have the nation state actors. These guys are fun. These are lots of fun. We've seen the famous PLA 61398 crew that was tearing apart the United States and everybody else under the sun. I actually worked in an organization where we had an office roughly two blocks from their headquarters in China. They had owned one of our systems nine ways from Sunday, or at least we suspect it was them; we couldn't fully prove it, obviously, because attribution. Anyway. Another one that comes to mind is the al-Qassam Cyber Fighters from a couple of years ago, who decided to attack every financial institution under the sun in the United States. One of the things that we found really interesting with these guys was that they failed geography. They attacked all of the Canadian financial institutions because they figured, you know, we must be the same country. Yeah. Anyway.

So as a result, they were using a tool called Brobot. And Brobot was a set of PHP scripts that they would use on infected WordPress sites. And then they could customize the code and use all of these WordPress sites as a distributed denial of service tool. It was kind of ingenious the way it worked. It was very effective. And, you know, there was a known list of IP addresses that they had, so there was the ability to block them. But as these robot networks grew, more IP addresses popped up. And they could do UDP floods, application attacks, and denial of service with random query strings. And they had demonstrated the ability to change on the fly. So if a defense was put in place, they figured it out: okay, I'll change this, and, you know, up yours. And these guys became very difficult. But it was really interesting that when the new Iranian government came into power, we didn't see them again. It was rather interesting. I heard rumors about a year ago that they had popped back up again, but nobody was able to substantiate that.
But it seems that they were swept away, officially anyway. So that brings me to the attacks. The types of attacks that we see a lot of, obviously, are volumetric based (I saw that coming), application layer and protocol based attacks. Here are some samples of some of these attacks. On our own network, for example, SYN floods and UDP floods, and actually ICMP floods for that matter, pardon me, we actually drop them at the perimeter and they never make it to the origin systems. Not a product pitch. And we also see a lot of amplification attacks. These things drive me nuts, especially when you look at it from NTP, because that was an avoidable problem. This was actually because of old code that was able to be used to amplify an attack signal and hit all these sites. But if these libraries had been updated, the problem wouldn't have been there, per se. And good old HTTP floods.

So, being a fan of StarCraft when I was in, well, a long time ago, one of the things that always drove me nuts when I was playing the game was that every once in a while, these guys would show up. Anybody in here familiar with StarCraft, or have I just dated myself? Oh, I've got a few. So these guys would swarm in, hundreds of them, tear everything up, and I'm like, okay, great, I've got to start all over again. And that's sort of the frame of reference that I have when looking at denial of service attacks, because they're trying to exhaust your resources. They're trying to take your systems down and render them unusable for your customers, your users, yourself. And it's really frustrating in that respect. But it's not just, boom, here's a denial of service, move on. There's all kinds of variations. And I apologize, because I'm fairly certain that that is an eye chart. A little bit. But anyway, this is from the first quarter of this year, and these are the attacks that we were able to parse out from our data. The number one biggest one of these was SSDP attacks.
And this is from Universal Plug and Play, and I'll dig into that a little bit more later. But on top of that, we had SYN and UDP, so that was the top three. One of the really interesting things is I wrote an article about SSDP attacks a while ago, and I've been getting a nonstop barrage of emails from the Universal Plug and Play consortium. There's actually a group that, I guess, is an industry lobby group for them. And they are constantly sending me emails trying to get me to correct that article because it's perfectly secure. Sure, let's go with that. So SSDP is the Simple Service Discovery Protocol. It's basically, you know, plug, play, move on, get your devices. Everything should just work. However, this is actually something that can be leveraged in denial of service attacks, and it makes these devices very attractive as reflectors. So, yeah, obligatory cat pictures.

Then the next in line that we look at, we have application layer attacks. So if you have a web application with, you know, a username and password or some sort of input box, and you're not sanitizing your data inputs as well as outputs, people can throw arbitrary strings into your data, and they can cause all manner of trouble. And for one example here, let's see where, as I put, yeah, so they're trying to exhaust your resources, or in cases where they can get away with it, pop your data. So if they can get your intellectual property, if they can get your customers, if they can get your users, whatever it happens to be, depending on your site, that's bad. So these are things that need to be addressed. Now, when we're looking at application layer attacks, in our data for Q1 of this year, only about 10% of all the attacks were application based. The vast majority of them were denial of service of a volumetric nature. Now, these application layer ones were primarily HTTP GET attacks, which were 7% of that data.
And the other, yeah, the other 91% of it, as I was talking about before, let me see, right here, are all directed at infrastructure. So the funny thing is, with the infrastructure based attacks, the vast majority of them, here we go with the attribution game, the vast majority of them, based on IP address, originated in China. Now, when we switch to this one, the vast majority of these attacks, 52% of them, originated in the United States. Okay, interesting. Infrastructure, China; web apps, United States. And when these attacks were launched, they were usually GET floods using a combination of Joomla and WordPress installs that had been compromised, and GET floods that were piped over proxies.

Now, last year we saw, and these are public, so I mean I'm not giving anything away by saying this, there were sites, Feedly, Meetup, Basecamp and GitHub, all of which had been hit by a group saying, if you don't pay us a certain amount of money, we're going to launch a denial of service and hold you down. And thankfully, as far as I know, all of them told them to sod off and move on. But the really interesting thing was the price point that was being demanded. All of them wanted Bitcoin, but in one particular instance, they only wanted $150. And I was like, okay, this is kind of peculiar. It's such a low price point. Why are they, I mean, hold on, this is a trial run. Somebody's testing out their machine. And sure enough, it turns out that that group has resurfaced this year. That group is, as I call them, DD4BC. And we wrote up a report on these guys after doing extensive analysis on their attacks. And they didn't like that very much. So the sites that they were attacking were primarily North American and European; they just stopped talking. They didn't want press, and they got it. So as a result, they've actually shifted their sphere of attacks to the Asia Pacific region, which is rather interesting to see.
And as well, the price has gone up dramatically. What happens is, if you don't pay the price, they launch the attack, and the price triples if you want them to stop the attack. However, if you have protections in place, like us or whoever, then they tend to leave you alone.

So with amplification attacks, we're seeing the primary ones being NTP, SNMP and DNS as amplifying platforms. It was really interesting to see some of the orders of magnitude that could be accomplished with these, and rather amazing in some cases, especially with NTP. Now, with these amplification attacks, another one that we saw was a DNS TXT-based attack that was used to increase the amplification rate. And the reason that they were able to do that is they actually took text from a release, I believe it was from the White House, and embedded it in order to amplify the attack by sending more data. And it was really interesting that when they did this, they were able to amplify the responses because of this. And it was not limited to just DNS servers. But here's a sample packet. I don't know if you can read it from there, but this is a sample packet. So for example here, seeing the MX record, SMTP, da-da-da, "President Obama is taking action to help ensure all of it", wait a minute, what? So they were making a political statement at the same time as they were causing this kind of trouble.

So what are the tools that are getting used here? One of the interesting things about the tools that are being used is that the barrier to entry into this field is getting lower and lower every day. We see so many tools out there that are point and click. It's like, my mother can use them. My mother hasn't figured out Skype yet; I'm lucky in that respect. But this is even easier than Skype in some of these cases. And within the weapons locker you're looking at, obviously, volumetric tools; you're looking at SQL injection tools, and so on and so forth. This tool, anybody familiar with this one?
It's been around for a bit. This one is really easy. You take this, you point it at a site, you click. If it's vulnerable to SQL injection, you've got a very high probability that it's going to work. It's rather remarkable how simple this tool is to use. And we still see this today quite frequently popping up. They craft recursive queries and overwhelm the database, as well as overwhelming the application server in some cases.

And then we have HULK. This is actually a couple of years old. HULK was an HTTP, the name means HTTP Unbearable Load King. Stretching there. And what it would do is it would do HTTP GET requests against the site in the hopes of taking it down, because it's chewing up all the resources. And one of the best ways to deal with something like this, or actually any HTTP GET based attack, is doing IP rate limiting in whatever fashion is available to you to accomplish that. And it was interesting with this tool: they were able to obfuscate the source client. And they had a list of strings where they could actually vary it up and say, you know, it's this, it's that, whatever type of browser. And the really interesting thing is, if you didn't know any better, you probably can't see this, let me have a look here. With this particular list, this is actually a request that would come in from HULK against one of your systems. So this would be something that your system would be seeing. There's really not a whole lot to set it off. It says User-Agent: Mozilla/5.0, and so on and so forth. It is only when you see thousands of these coming in that you realize you have a problem. So it becomes really interesting to deal with, in that particular tool.

Now, another tool that we saw, I quite like this one, actually, in the way that it was set up. This is Tor's Hammer. This is just a Python script. It's very simple. And the whole premise here is to do a low and slow attack against the site, but doing it over the Tor network to obfuscate their point of origin.
And unfortunately for them, in some cases, whenever this got used, it would actually drop a lot of exit nodes because of the sheer volume of traffic. So it sort of backfired on them in many ways. Excuse me. It was very simple to use. It's still available today. You just launch it, pick the IP address, pick the number of threads you want, and off it goes. However, you would really annoy Runa and the rest of the Tor crew if you did that. And it would do slow POST DoS testing. So the whole premise of it is that it's for testing, but obviously people will take that and play wonderful games with it.

And there was this cute little guy. This is Donut. Donut is another HTTP type tool. It's simple. You can just throw junk data at a site doing HTTP requests. And the idea is to have it as a flooder. It was sort of a precursor to other tools that I'll talk about in a second. And here's another sample. This is the traffic that you would see coming in from Donut. And it's fairly innocuous on the face of it. But you see thousands and thousands of those requests come in, and you know that something is up. So again, that was another one where rate limiting would help.

Now, this is the one that always got me. Going back to the kids we were talking about in their parents' basement: huge available workforce for somebody with a nefarious end. I give you Low Orbit Ion Cannon. This has been around for a while now. But one of the things that all the kids and other parties that were using this didn't realize is that it didn't cover your tracks at all. But then again, the group that put it out didn't care if you were covering your tracks. They weren't doing it. It's like, oh no, there you go, attack them. So they would have a distributed denial of service, like their own meatspace botnet, for want of a better term, where they could attack sites. And knuckleheads would download it, click the button and go. They're like, hey, look at me, I'm hacking, until the police showed up.
So, evolution being what it is, this tool came out a little bit later. This is High Orbit Ion Cannon. Gotta love these names. And again, it's back to the HTTP GET method for the attack tool. This seemed to be the default thread through all of these tools; the point and click tools are always HTTP GET traffic. That amount of traffic is actually fairly low in the grand scheme of things with denial of service platforms, and I'll get to that in a little bit as to why.

Now, this is the one that was by far the most effective one, and I was talking about it earlier: Brobot. It's a PHP trojan installed primarily on WordPress sites, but there were various other sites that it could compromise as well. And they could do all manner of things with this. It was pretty cool for its time when it first rolled out. And it's essentially been quiet since then, but we still keep an eye on them.

And then there was the news not too long ago that various government agencies decided that wget was a hacker tool. I don't get it. I just don't get it. And this is one of the things that I worry about with, you know, law enforcement, various political parties, things like that. These are the folks that are making the legislation that we all have to live with. And when they think that wget is an attack tool, that worries me. I could say, yes, I have a hammer, it's an attack tool, I can smack you in the head, but that's not its intended purpose. So it's not so much the tool as the purpose behind it. Are you a criminal or are you not a criminal? That's the differentiator.

I was going to talk about beasts, but I have to be honest, I meant to take this slide out. So I'll let you read that for a second. I had neglected to remove that one.

Now we're going to get into some of the trends. And this is one of the really cool things about having all this data: we can see the evolution of things as it goes along.
The one thing that has really popped out, especially in the last six months, is these guys. There is no shortage of this nonsense going on, and it may rhyme with Isard Squad. This is one of the prime examples, because these guys would attack sites, attack various gaming networks and all that sort of thing, but they didn't know enough to shut up. So a lot of them have actually found themselves incarcerated and probably won't see daylight for a very long time. These sorts of attacks really started to spin up in the fall of last year and hit their stride right about just after Christmas, when they rolled out their Lizard Stresser platform, which I'll talk about a little bit more in a moment. And they always seem to be really focused on gaming. And when you look at the ages of the folks that are getting arrested, you realize that is because that is that group. They are gamers. This is what they want. They want to smack their friends. It sort of harkens back to ten years ago, when you had people defacing websites. You had Alldas and Attrition and all the rest of them actually keeping archives of these things. It would always be, ha ha ha, I hacked you, shout out to my peeps, and that sort of thing. This just seems to have taken that behavior and evolved it to this, which then brings us to the commoditization of denial of service, distributed denial of service.

This is something I'm seeing a lot more of, where you see these SaaS offerings for attack platforms. Of course they put lipstick on it and call it something else, but that's ostensibly exactly what they are. Now, this is a perfect example, because they were very good at getting in front of the media. They're still around to some extent. It seems to have become more of a brand, like Anonymous, a hex sign, if you will. They offered this service for a very low amount of money, the lowest part of the service offering being six bucks a month. The really funny thing was they built it on somebody else's code.
It was actually from a group called Titanium. They took their code and installed it, set it up, did not put any sort of .htaccess files on any of their directories, and also you were able to index all of the users on the system. And then, I wish I had written this up, because a month later Brian Krebs wrote about it and everybody went, oh, really? So here, from the Lizard Stresser one, here are actually some of their pricing packages. And the funny thing is, they're very similar to the pricing packages that Titanium had. The really funny thing is that in the 7,200 second model in the bottom right there, that's $69.99 a month. So you take a month, say 30 days, and divide by that: you're looking at $2.33 a day. To put that in perspective, a Grande Americano at Starbucks is $2.55. For less than a cup of coffee a day, you're able to cause trouble.

Now, this is where we get into booters and stressers, and these have very different etymologies. Now, the booter comes from the online gaming world, where you're able to actually find information about somebody you're playing against, and you want to get their IP address or username, whatever it happens to be, so that you can target them for the next step of the attack. And these sorts of rivalries would escalate to massive denial of services that would take out all kinds of other sites as well. And it was really frustrating to see this sort of activity, because so many other people are getting impacted because of these petty little turf wars. Now, after you had gone through and done the booter part of it, you had the stresser. This is actually really amusing, that they call it a stresser, because it's actually used as a legal artifact. The reason they use this is to say, oh well, we're providing this platform to stress test your environment, under the idea that if you're attacking somebody, they can go, oh, we're not doing the attack, they're actually misusing our platform. And well, it didn't work out so well for all of them.
So it provides them with the appearance that they're operating within the legal limits, and they really are pushing the limits at that point. Here is a list of some of the stressers and booters that are available out there. Relatively recent. And not all of them are good. Some of them are very, very good, and some of them are absolute shite.

Now, this next video that I'm going to give you, let's see if this works. This shows you the lengths that they're willing to go to, to set up their service to look like a legitimate business. Incidentally, Big Bang Booter, I'll give them credit, that's a pretty neat name. Apparently, this platform is complete crap, so don't waste your Bitcoin on them. Some of our other researchers have played with this one, not myself. So they go through and they give you a rundown of the various components that they can do, the types of attacks they can do. You can hit like a boss. Awesome. And I'm just going to let this run for a little bit, because there's a piece that comes up in just a minute that absolutely made me hysterical. And we're almost there. Are we there? The untraceable servers. Yeah, OK. What internet are you working on? So at that point, this was when they first made this, there it is: 24/7 friendly support. Great. Awesome. This is absolutely nonsensical gibberish. Now, this actually goes to show the lengths that they're willing to go to. There's some pretty slick production values they've got going there. I'll give them credit. That's kind of neat. I wish I could do that sort of thing. But it just shows you the lengths they're willing to go to, to try and make it look like a legitimate business. But it's anything but.

So some other highlights that we're seeing as well: Joomla and other types of SaaS-based apps are being routinely targeted, and obviously because they want to try and extend their platforms so that they can actually get people to pay for this with Bitcoin.
Data breaches are a big problem, obviously, because a lot of replay attacks are happening, and we're seeing this far too often because people like to use the same password over and over again. I get why, because people don't remember passwords. That's why I have a password management tool, because that way I only have to remember one. However, most people don't have that wherewithal, and this is where we have to do a better job of educating people, saying don't reuse your password, because these crews can get on and get them, launch attacks, get resources, or even compromise systems. It's a problem that you have to take into account.

Now, the wonderful attribution game. So this is something that always drives me crazy, but based on the data we're able to show that the predominant number of attacks against infrastructure originated in China, in the logs. Whether or not they actually came from China is another thing. The reason I say that is because I worked in an organization roughly about 10 years ago where we came under a ring attack from an IP address in China. We actually worked with the ISP in China to track it down. They were actually very helpful, which, I was always led to believe that wouldn't be the case, but they really were very helpful. Now, when we went through this whole process, we found that it was just an open relay, and all the original source traffic, back us. Why were they tracking us? No real idea, because we weren't an e-commerce site, we weren't retail, anything like that. But sometimes somebody's annoyed for whatever reason.

So just in this first quarter of the year, this is how the attack traffic broke out by geolocation. So Germany, for whatever reason, was number two, which is really interesting because I'm fairly certain they outlawed these kinds of tools there. See how that works out. And with all of that, it kind of begs the question: who is suffering as a result of these attacks?
Now, in the first quarter, these are attacks that were basically over 100 gigabits per second. And something I forgot to mention with those platforms, the booters and stressers: originally they were able to do about 30 gigs per second as an attack. Not too bad, definitely formidable against a smaller site, but in the last few months they've been able to actually amp that up to over 100 gigabits per second. We're figuring, based on that, that by next year they'll be able to do 300 or so, so it's becoming a real problem. Now, within these verticals, the one that actually got hit the most was gaming, big shocker there, and it's ever increasing; this isn't actually slacking off.

Now, from the application layer perspective, our data, when we went through and looked at the information, really showed us something unexpected. Retail was the number one subject of these types of attacks, and it seemed to be really contrasting to what we'd known in the past, because before, it was financial institutions that were the target of these sorts of things. But I think it's more the case that the attackers went, okay, these financial institutions are tired of us and they've actually put security measures in place to rebuff us, so let's go attack retail, the soft underbelly, an easier target. And then we've seen all of these point of sale breaches and all the rest of it; not that they're necessarily related. So that's how the data broke out for the first quarter as to the types of verticals that were actually getting hit. And hotels and motels get hit a lot as well, and we've seen some very public breaches in the news. And as I was, okay, I'm now talking over top of myself, I apologize. So yes, on IP, the attacks that were application based were 52% coming out of the United States. And with these types of attacks we saw huge SYN floods, and this is a sample of a packet that we got, and this was an absolutely withering attack, but with our platform we were able to deal with it. But if you aren't properly protected,
this sort of thing would just take you out. And this is only one part of the puzzle: whenever you see these major attacks and click and move on, they're actually hitting you from various different types of platforms, be it over HTTP, over ICMP, whatever will work. They'll throw the kitchen sink at you if they think it's going to play out. And then I'll just put this up there for your own reading edification, just to break out the types of numbers and things that we're seeing, rather than speak to it.

Now, other observations: these seven attack vectors accounted for 179 million attacks in the first quarter. It's by no means an entire list, but these are the seven possible ones. I say popping shells, but this is command injection; I just thought it sounded better. So I'll go through some of these as well. And obviously Java, I think, is very much maligned; I think it's actually one of the best remote access platforms on the planet. SQL injection is a problem that I don't know why we're still talking about. This has been on the OWASP Top 10, yet here we are, because sites get stood up all the time, they're not sanitizing their inputs, they're not sanitizing their outputs. This is a real problem. Why can't we get this right? And I often wonder if it's a case of, are we talking to the wrong audience? We're talking to each other; we get it. But maybe we should be talking to the apt of getting a wider audience, going to conferences we don't necessarily talk at and, you know, going out of our comfort zone to actually talk to them, because the application is this: we need to actually do a better job of getting that information out there, because this is very much a solvable problem.

Now, when we looked at the data, this is SQL injection attacks as well as local file inclusion attacks and how the data broke out over the year, or over the first quarter, my apologies. So again, retail is getting wailed on. This is a very real problem, and obviously media and entertainment came up a close second. They go after things
that are going to break, and WordPress plugins are a great target. One particular WordPress plugin, I'll get that out eventually, is the Rev Slider. I haven't used this one personally, but I've looked at it and it actually looks pretty nice from a visual type of aspect, but this had a vulnerability where you could actually upload your own shell. A bit of a problem, really. And this led to a massive number of sites being compromised. In March alone we saw 75 million attacks for the LFI type of approach, and we see scanners going looking for this sort of thing all the time. And whenever we see a site that's actually being scanned extensively, we know that what's coming next is they're going to try and do file upload and eventually launch a denial of service or pop the site. And this is the type of behavior leading up to the attack, because people do their recon.

These are four examples of sites that are typically targeted for malicious upload. Now, for these four, look at the dates on two of them: the CVEs for two of them are 2008 and 2009. We put out this data, actually we published this two days ago, so these are attacks that are ongoing now. And the problem is that those maintaining these sites don't necessarily have a security person. I was able to give a talk at Interop a few weeks ago and had a room of about 100 CIOs, and I said, of this room, how many people have a dedicated security person? Four hands went up out of a room of 100 people. So this is why these sorts of things work, because they don't have the resources or the ability to actually address this sort of thing, and it's a real problem.

Now, when we look at the data from the perspective of looking at malicious file uploads and PHP attacks and that sort of thing, this is how it played out for the first quarter. The command injections were the most frequently targeted against media and entertainment, and Java attacks were actually down, and I can show you some of those, which is really funny, because Java is Java, so I'm surprised they don't leverage
this more. Or maybe that sort of information set is, you know, falling out of fashion, where people are educated in other types of formats.

Now, when you're dealing with all this sort of thing, you want to make sure that with your own systems you're not falling into the bucket of being part of an undead army. And this is something that I worry about a lot, because you want to avoid having your system as part of one of these networks. But the reason you want to avoid it is not so much that it's part of the network, but at some point law enforcement or the organization is going to say, well, you're actually liable for that attack traffic. I haven't seen that pop up yet, but I'm worried that that will eventually come, especially when I hear rhetoric from the US about, you know, making security research illegal or at least tightly controlled. That worries me to no end.

So what can you do about all of this? First, take a sip of water. And yes, I realize that I work for a vendor in this space. Like I was saying before, SQL injections, this is a solvable problem; we need to fix this. We need to actually look at hardening your systems, making sure that you don't have open configurations or something simple like one of those malicious file upload vulnerabilities that could have been fixed, that has been around for years. Work with your ISP to talk about mitigation strategies; they're the next hop upstream from you, so if you have a site that you're worried about, it's worth a talk. Use access control lists as well as bogon lists on your edge routers so that you can actually dump IP addresses into oblivion that you're not having any interest in. So if you say you don't want to deal with attack traffic coming out of Ukraine or whatever it happens to be, you can route them all into oblivion and not have to worry about it, to an extent. Obviously it's not a hundred percent solution; as you all know, there's no hundred percent solution in security, but these are things that will help, especially IP rate
limiting, so if you're under attack there are different methods to do that as well.

The one thing that absolutely drives me bonkers: patch your systems. This is one of the biggest things that drives me absolutely to distraction. I look at breach notifications that go out every year; for the last year I was looking at them and publicly disclosed information, going through them, and in the vast majority of them the reason they were successful was because the system was not patched to current or n minus one. These were problems that could have been avoided if patches were applied. I've worked in organizations where databases, Oracle databases, I'll pick on that one as an example, were several releases behind because the database admin did not want to hurt his database. It was never the database; it was his database. Three revs back, and within those three revs, multiple remote execution vulnerabilities. So these are things you need to take into account. And seeing as how I'm in between you and beer, I'll switch over to questions at this point, if anybody has any.
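As an added example (not from the talk, Akamai, or any real product), here is a small Python detector for the recon-then-upload pattern the speaker describes: LFI scanning from one IP followed by a POST to an upload endpoint, which is what you would feed into the IP rate limiting and edge ACLs recommended above. The log lines, IPs and the plugin upload path are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real traffic): 203.0.113.7 probes for LFI three
# times, then POSTs to a hypothetical plugin upload script; 192.0.2.9 sends one probe only.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:12:00:01 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 512
203.0.113.7 - - [10/Mar/2015:12:00:02 +0000] "GET /index.php?page=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 404 512
203.0.113.7 - - [10/Mar/2015:12:00:03 +0000] "GET /index.php?page=php://input HTTP/1.1" 404 512
203.0.113.7 - - [10/Mar/2015:12:00:04 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 78
192.0.2.9 - - [10/Mar/2015:12:00:05 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 404 512
198.51.100.4 - - [10/Mar/2015:12:00:06 +0000] "GET /about.html HTTP/1.1" 200 2048
"""

# Client IP, method and path from a combined-format access-log line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
# Classic LFI probe signatures, plain and URL-encoded.
LFI_RE = re.compile(r'\.\./|\.\.%2f|%2e%2e|/etc/passwd|php://|/proc/self', re.I)
# A POST to anything that looks like an upload endpoint.
UPLOAD_RE = re.compile(r'upload', re.I)

def classify(method, path):
    """Label one request as an LFI probe, an upload attempt, or normal traffic."""
    if LFI_RE.search(path):
        return "lfi_probe"
    if method == "POST" and UPLOAD_RE.search(path):
        return "upload_attempt"
    return "normal"

def analyze(log_text, probe_threshold=3):
    """Per-IP counts, marking an upload attempt that follows heavy LFI scanning from the same IP."""
    per_ip = defaultdict(lambda: {"lfi_probe": 0, "upload_attempt": 0, "normal": 0,
                                  "upload_after_recon": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path = m.groups()
        kind = classify(method, path)
        entry = per_ip[ip]
        # Recon first, then upload: the sequence the talk describes ahead of a site being popped.
        if kind == "upload_attempt" and entry["lfi_probe"] >= probe_threshold:
            entry["upload_after_recon"] = True
        entry[kind] += 1
    return dict(per_ip)

def flagged_ips(log_text, probe_threshold=3):
    """IPs worth rate limiting or dropping at the edge: heavy scanners, and recon followed by an upload."""
    return sorted(ip for ip, e in analyze(log_text, probe_threshold).items()
                  if e["lfi_probe"] >= probe_threshold or e["upload_after_recon"])
```

Lower `probe_threshold` to catch lighter scanning at the cost of more false positives; in production the flagged list would feed the edge ACL or rate limiter rather than be printed.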