State of the Internet Security: DDoS and Application Attacks (English version).pdf
state of the internet / security DDoS and Application Attacks Report: Volume 5, Issue 1

Letter from the Editor

Welcome to the first issue of the State of the Internet / Security report of 2019! We are already a few weeks into the new year, and the holidays are now a memory. While the first day of the year is just an arbitrary marker in time, it’s a good point of demarcation to look back on the past and plan for the future.

Network security professionals are responsible for using the lessons learned from previous experiences to build controls that will protect systems in the future. This can be an easy process, but it’s often complicated by the daily tasks needed to make an enterprise run. Finding time for reflection is rarely a high priority.

Has your team set aside a time to talk through the major incidents and challenges you faced in 2018 and how they might influence your experiences in 2019? Were you fighting countless unrelated fires, or was there an overarching theme to your experiences?

There are many examples of security teams doing an excellent job of reviewing every incident in their enterprise and learning from them. But even the best teams sometimes forget to step back to look at their experiences as a whole. Global and long-term trends can only come into focus when we give ourselves a bit of distance and perspective.

TL;DR
- Sometimes an “attack” isn’t exactly what it first appears to be. The experts in Akamai’s SOCC saw 4 billion requests impacting a site and dug into the real cause.
- Bots are big money for attackers, and they’re constantly evolving to circumvent new defenses. One attacker went so far as to offer good money for someone with experience overcoming Akamai’s defenses.
- Mental health issues cost U.S. businesses more than $190 billion a year in lost earnings. Our guest author, Amanda Berlin, highlights issues you should be monitoring in your team.

An additional reminder for you as we look at the year ahead: Check on the stress levels and mental health of the people you work and socialize with in the security field. Whether it’s someone who reports to you, your boss, or simply a friend at another organization, take a few minutes to reach out and see how people are doing. Multiple conferences have added tracks on stress and burnout as part of their content in recent years, most notably the BSides and RSA conferences. A short call or email can make a big difference in a peer’s day. Ours is a stressful career no matter how you look at it, and we need to make a point of reaching out from time to time.

There are a wealth of opportunities to make change in 2019. What do you want to accomplish?

Table of Contents
LETTER FROM THE EDITOR
MENTAL HEALTH: AWARENESS TRAINING FOR HACKERS
RECENT RESEARCH
  jQuery File Upload
  UPnProxy
AKAMAI RESEARCH
  The DDoS Attack That Wasn’t
  More Bots, More Problems
LOOKING FORWARD
APPENDIX A: METHODOLOGIES
CREDITS

MENTAL HEALTH: Awareness Training for Hackers

The information security community is composed of intelligent, driven, passionate, opinionated individuals, and is difficult to compare to any other industry. When you combine the pressure and stress we put on ourselves (from research, learning, teaching, etc.), things can quickly come to a head. But not only do we put pressure on ourselves, we also take in additional pressures from our bosses, co-workers, and family in many different forms. The majority of roles we fill cater to our drive and willingness to be behind a keyboard for hours on end. The result is that many of us are broken.
We’re broken in different ways, at different times, and for different reasons, but we’re broken all the same.

Amanda Berlin, the guest author for this edition of the State of the Internet / Security report, offers a different viewpoint than our usual external contribution. The SOTI / Security series focuses on immersing itself, and you, our reader, deep in the stories of bad days on the Internet. There is increasing anecdotal evidence that the levels of stress and burnout in the information security industry are on the rise, from an already high state. This often leads to fair questions about how to address wellness for security staff, not only physically, but emotionally and mentally as well. I am fortunate to work in an organization that focuses on staff wellness, which is one of Akamai’s core values, but not all of our readers have the same support structure. While the issue cannot be solved with a few pages of commentary, as members of the security community, I and the rest of the SOTI team felt Ms. Berlin’s perspective could shine light on issues that aren’t typically discussed openly at this level. We want to encourage and inspire more efforts at improving staff wellness, so we can all focus on making the Internet a better place.

This essay should not be construed as medical advice or professional counseling. Please seek professional help if you feel you or someone you know exhibits the symptoms highlighted in this essay.

Martin McKeay, Editorial Director

The World Health Organization states that over 800,000 people die due to suicide every year and suicide is the second-leading cause of death in 15-29-year-olds. There are indications that for each adult who died of suicide there may have been more than 20 others attempting suicide. Early identification and effective management are key to ensuring that people receive the care they need.
MENTAL HEALTH AS A BUSINESS OBJECTIVE:

Serious mental illness costs America $193.2 billion in lost earnings per year; and approximately 1 in 25 adults in the U.S. (9.8 million, or 4%) experience a serious mental illness in a given year that substantially interferes with or limits one or more major life activities. Many businesses are now incorporating mental health treatments and awareness into everyday activity. They have seen that a happy, well-balanced employee produces better results, stays around longer, and in general helps provide a greater working environment.

MENTAL HEALTH HACKERS (MHH):

Everyone has mental health needs at different levels. Whether or not you have a condition that makes it harder to maintain good mental health can also be a factor. Keeping it in the forefront of your decision making, just as if you were to go to the gym every day for physical health, can make incredible differences in your day-to-day life.

Whether you’re attempting to do some self-reflection, or help out a friend or family member, trying to tell the difference between what expected behaviors are and what might be the signs of a mental health condition isn’t always easy. There’s no simple test that can let someone know if there is a mental health condition, or if actions and thoughts might be typical behaviors or the result of a physical illness. Each condition has its own set of symptoms, but some common signs of mental health conditions can include the following.
- Excessive worrying or fear
- Feeling excessively sad or low
- Confused thinking or problems concentrating and learning
- Extreme mood changes, including uncontrollable “highs” or feelings of euphoria
- Prolonged or strong feelings of irritability or anger
- Avoiding friends and social activities
- Difficulties understanding or relating to other people
- Changes in sleeping habits or feeling tired and low energy
- Changes in eating habits such as increased hunger or lack of appetite
- Changes in sex drive
- Difficulty perceiving reality (delusions/hallucinations)
- Inability to perceive changes in one’s own feelings, behavior, or personality
- Abuse of substances like alcohol or drugs
- Multiple physical ailments without obvious causes
- Thoughts of suicide, or suicidal planning
- Inability to carry out daily activities or handle daily problems and stress

Don’t be afraid to reach out if you or someone you know needs help. Learning all you can about mental health is an important first step. Reach out to your health insurance, primary care doctor, or state/country mental health authority for more resources. I highly recommend finding a Mental Health First Aid class near you, regardless of whether you are personally struggling with an issue. Chances are high that you are close to someone who is, whether you realize it or not.

Directly or indirectly, mental health conditions affect all of us. In fact, one in four people have some sort of mental health condition. We are not as alone as we think, and we can make a huge contribution to society just by staying alive.

Support systems are vital to recovery. The support helps minimize damage posed by mental illness on an individual. It also can save a loved one’s life.
There are many steps you can take to help yourself or others, including:

- Inform yourself as much as possible about the illness being faced.
- Start dialogues, not debates, with family and friends.
- In cases of acute psychiatric distress (experiencing psychosis or feeling suicidal, for instance), getting to the hospital is the wisest choice.
- Instead of guessing what helps: Communicate about it, or ask.
- Seek out support groups.
- Reassure your friends or family members that you care about them.
- Offer to help them with everyday tasks if they are unable.
- Include them in your plans and continue to invite them without being overbearing, even if they resist your invitations.
- Keep yourself well and pace yourself. Overextending yourself will only cause further problems in the long run.
- Avoid falling into the role of “fixer” and “savior.” No matter how much you love someone, it cannot save them.
- Offering objectivity, compassion, and acceptance is valuable beyond measure.
- Know that even if your actions and love may seem to have little impact, they are making a difference.
- Have realistic expectations. The recovery process is not a straight line, nor is it one that happens quickly.

COMMUNITY OUTREACH:

For those of you that haven’t heard my Hackers, Hugs & Drugs talk, a little background is called for first. I’ve been struggling with anxiety and depression since my mid-teens in one way or another. Poor relationships did nothing but fuel the issues I was already having. When I started interacting with the InfoSec community about six years ago, I started feeling a sense of belonging. Through my trials with different medications and coping mechanisms I’ve started to get a little more of a handle on (or at least a better awareness) of my own mental health.

After a year and a half giving this talk at various conferences and meetups, I continued to be awestruck at the overwhelmingly positive responses.
Each time I would think “Okay, maybe I’ve given this speech enough,” another person would come up to me to talk about how it led them to go get some counseling, or changed their minds about self-harm or suicide. After hearing story after story, I thought it would be good to continue these efforts at a larger scale. While I love speaking, it only reaches a certain number of people.

We, the security community as a whole, needed more. That is when the idea of the Mental Health & Wellness workshop at DerbyCon came about, and honestly it did turn out to be more of a village with smaller workshops inside of it. This room turned into something more than I could have ever envisioned. We had a community of passionate information security professionals come together to create this amazing thing to provide group self-care.

We haven’t stopped from there. We’ve now started up Mental Health Hackers, to bring this education and relaxed environment to more conferences. We’re all in this together and are passionate about learning new things, it’s time to start the change from within our communities and families so we can start talking about our mental health almost as much as we do about vulnerabilities, protocols, and patches.

Amanda Berlin, Mental Health Hackers
November, 2018

Recent Research

In the fourth quarter of 2018, Akamai researchers released new research detailing vulnerabilities in jQuery File Upload, and fresh attacks against UPnP.

JQUERY FILE UPLOAD:

In October, Larry Cashdollar reported a file upload vulnerability in Blueimp’s jQuery File Upload project, which resulted in a quick fix. The problem didn’t stop there, as other projects were using Blueimp’s base code, so he attempted to reach out to those projects as well.
In the end, several projects were updated, but there were several thousand that could not be reached due to visibility and contact issues on GitHub.

UPNPROXY:

In November, Chad Seaman updated his original UPnP research and discovered new attacks using Eternal Blue and Eternal Red. He discovered 277,000 devices running vulnerable implementations of UPnP, and more than 45,000 active injection attacks. At the time his research was released, the 45,113 routers with confirmed injections exposed 1.7 million machines to the attackers.

Akamai Research

THE DDOS ATTACK THAT WASN’T

Early in 2018, Akamai noticed a customer in Asia was receiving an abnormal amount of traffic to one of its URLs. The customer was seeing so much traffic that, at its peak, it almost overflowed the database Akamai uses to log such activity. When another department flagged this traffic as something to investigate, the initial report and associated data showed all the hallmarks of a major DDoS attack. Traffic volume reached 875,000 requests per second at one point. Notes from early in the incident record the flood of traffic as highly distributed, with early log grabs recording 5.5 Gbps.

A MASSIVE AMOUNT OF TRAFFIC:

When the incident first came to the attention of the Security Operations Command Center (SOCC), it didn’t come to them through normal channels. Instead, it was reported by another department within Akamai. Something was seriously wrong. Once the SOCC started digging into the report, t