Cracking Protection
A DefensePro Whitepaper
By Renaud Bidou
Senior Security Specialist, Radware
October 2007
www.radware.com
Behavioral Server Cracking Protection
Date: October 2007
Page - 2 -
Abstract
The rapid development of Internet applications has brought with it new challenges. The
world is in constant pursuit of innovative technologies that will replace manual processes
with automated ones. This migration from manual to automated processes often
introduces vulnerabilities that can be exploited by hackers and cybercriminals. The goal
of these “bad guys” is to leverage these automatic processes to facilitate widespread
attacks. Over time, hackers have developed attack tools that integrate well with legitimate
forms of communication. This means that it is becoming increasingly difficult to detect
and prevent network attacks. Recent attacks have exploited legitimate internet
applications in order to generate hostile events. These sophisticated attacks try to “take
cover” amid the jungle that is the new, complex Internet environment.
In practice, there are several methodologies for penetrating and attacking computer
networks. However, all of these methodologies generally employ the same three
phases of operation: intelligence, attack planning, and attack execution.
This paper describes the methods that were developed over the last few years in order
to perform the first attack operation phase, the information gathering activity. It specifies the
threat that this operation imposes, the challenge in detecting it, and the technology used
by Radware’s Intrusion Prevention System, DefensePro, in order to detect and
mitigate the threat.
Information Gathering
Cracking Attacks - Cracking attacks, whether brute force or dictionary attacks, try to break
into an application by guessing user names and passwords from known lists. The risk
associated with these types of attacks is very clear. Once a valid username and
password are obtained, the attacker has free access to a service or to information, or can even
obtain administrative permissions on the server itself.
Additional risks are denial of service by triggering built-in protections in the applications,
locking out users, or consuming system resources during authentication attempts.
¹ As mentioned earlier, over time hackers have developed attack tools that integrate well with legitimate forms of communications. Application layer scanning and cracking tools are part of this family of tools.
Brute force attack tools usually use a technique called Mass Generator. This technique is
designed to launch a massive number of similar operations at high speed. In the case of
a brute force attack, the similar operations are different types of login attempts.
A common type of brute force tool is the generic brute forcer. These tools are able to
target multiple applications, including methods to test more than 20
different authentication types, from the usual ones such as HTTP and FTP to quite exotic
ones such as CVS, pcAnywhere etc. These types of tools test authentication methods that
are defined in standards, such as HTTP Basic authentication.
Application vulnerability scanners generate thousands of application requests to the server and
analyze the different behaviors of its responses. Through analysis of the application
responses, the tool can identify the exact targeted application information (type, version
etc.). Based on the discovered application information, the tool typically searches a
vulnerability database, selects a specific set of application requests that fit the
application type and version, and sends them to the probed application. Through this
scheme the tool can automatically identify which vulnerabilities exist in the application.
Figure 1a – HTTP Vulnerability Scan Activities (1st phase) [diagram labels: Public Web Server, Response code]
After the 1st scanning phase the hacker has achieved the following results:
• Information about the server application type and version is discovered.
• During the scanning activities the server resources (CPU and memory) are
misused, which can result in service disruption.
• Known potential application vulnerabilities are detected.
• As shown in Figure 1b below, in the 2nd phase a direct vulnerability exploitation
attempt can be generated with a high probability of success.
Figure 1b [diagram labels: Attacker, Exploitation, Radware DefensePro]
The Server Cracking behavioral protection detects and prevents the following known and
unknown (zero-day) threats:
• Web Authentication brute-force & dictionary attacks
• HTTP vulnerability scans
• SMTP (Mail) brute-force & dictionary attacks
• FTP brute-force & dictionary attacks
• POP3 (Mail) brute-force & dictionary attacks
• MySQL brute-force & dictionary attacks
In order to solve this problem, Radware’s server cracking decision engine automatically
adjusts the user monitoring interval based upon the user’s degree of anomaly. This
dynamic monitoring interval determines how long the system will consider the user
suspect and continue to analyze his activities until a decision can be made. This
adaptation process increases the accuracy of the system’s decisions and dramatically
reduces the configuration and maintenance operations that are required from the
system administrator.
Once a user has been identified as an attacker he is blocked, meaning no more
connections from this source to the attacked target server will be accepted. In case of
attack, DefensePro inserts the source IP into a dynamic block list, or extends the blocking
duration if the source IP address was already blocked earlier during the same
attack lifecycle.
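A simplified, added illustration of the adaptive monitoring interval and the dynamic block list described above (example code, not Radware’s decision engine or code): each failed login raises a source’s degree of anomaly and lengthens the window in which its failures are counted, a source crossing the failure threshold is blocked, and a new block shortly after a previous block expired extends the duration instead of restarting it. The constants, threshold and event data are constructed assumptions.

```python
# Added, simplified model of adaptive monitoring + dynamic blocking; not Radware's engine.
from collections import defaultdict, deque
from dataclasses import dataclass, field
BASE_INTERVAL = 10.0   # seconds a source stays under observation after one failure
FAIL_THRESHOLD = 5     # failures inside the adaptive interval => classified as attacker
BASE_BLOCK = 60.0      # first block duration in seconds (assumed value)
LIFECYCLE = 600.0      # a new block this soon after the last one counts as the same attack

@dataclass
class SourceState:
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    interval: float = BASE_INTERVAL                  # adaptive monitoring interval
    blocked_until: float = 0.0                       # 0 = never blocked
    block_count: int = 0                             # blocks in the current attack lifecycle

class CrackingDetector:
    def __init__(self):
        self.sources = defaultdict(SourceState)
    def observe(self, src, success, now):
        """Feed one authentication result; return 'allow', 'drop' or 'block'."""
        st = self.sources[src]
        if now < st.blocked_until:
            return "drop"                        # source is on the dynamic block list
        if success:
            st.interval = max(BASE_INTERVAL, st.interval / 2)  # decay toward baseline
            return "allow"
        st.failures.append(now)
        while now - st.failures[0] > st.interval:
            st.failures.popleft()                # forget failures outside the window
        anomaly = len(st.failures)               # degree of anomaly for this source
        st.interval = BASE_INTERVAL * (1 + anomaly)  # more anomalous -> watched longer
        if anomaly < FAIL_THRESHOLD:
            return "allow"
        # re-blocked soon after the previous block expired: extend rather than restart
        same_attack = st.blocked_until > 0 and now - st.blocked_until <= LIFECYCLE
        st.block_count = st.block_count + 1 if same_attack else 1
        st.blocked_until = now + BASE_BLOCK * 2 ** (st.block_count - 1)
        st.failures.clear()
        return "block"

# Constructed authentication events (seconds, source IP, succeeded); not real traffic.
SAMPLE_EVENTS = ([(t, "203.0.113.5", False) for t in range(6)]              # rapid failures
                 + [(30, "192.0.2.10", False), (31, "192.0.2.10", True)]    # one typo, then OK
                 + [(t, "203.0.113.5", False) for t in range(70, 75)])      # resumes after block

def run_events(events):
    det, decisions = CrackingDetector(), []
    for ts, src, ok in events:
        decisions.append(det.observe(src, ok, float(ts)))
    return det, decisions
```

The repeated source is blocked at its 5th failure, its 6th attempt is dropped, and its second burst after the block expires earns a doubled block duration, while the legitimate user’s single typo only briefly widens its monitoring interval.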
Figure – Server cracking decision engine [diagram labels: Statistics Collection, User Classification, Fuzzy Logic Decision Engine, Adaptive user monitoring interval, Dynamic Blocking (closed-feedback)]
Summary
Radware’s DefensePro integrates multiple layers of defense, including signature-based
protection, adaptive behavioral network-based protection that covers threats such as
zero-day worm propagation and DoS and DDoS network flood attacks, and bandwidth
management. Looking into the next level of attacks, the server cracking feature set
complements the IPS offering with the adaptive behavioral server-based protection
technology.
Understanding today’s threats and security challenges leads to the conclusion that
effective protection should include the following key capabilities:
• Wide Security Coverage – Application protection should include multiple layers of
defense technology covering network, transport and application layer protections.
Both known and unknown attacks should be confronted through both proactive
behavioral-based and signature-based security technologies.
• Scalability – The security product should be able to work in a high-speed
environment with minimal impact on traffic latency. This important capability should
be supported through advanced hardware architecture accompanied by advanced
security technologies.
• Low TCO – Maintaining low Total Cost of Ownership forces systems to be more
independent of the human factor (“hands-off” systems). Relying less on the human
factor means that operations that were usually conducted by the security expert now
need to be performed automatically by the systems themselves.
• Accuracy - The accuracy of both the detection and prevention technologies that the
product has to offer, especially in real-time environments, is paramount. Even low
percentages of false positive detections or false preventions (i.e., packets that are
dropped unnecessarily) render the security product useless.
Radware's behavioral server cracking protection system has the ability to accurately
prevent application pre-attack probes such as application vulnerability scans and brute
force attacks, as well as the misuse of application server resources, all in real-time.
The behavioral protection relies on statistical algorithms, which characterize the pattern
of ongoing attacks and then filter these attacks accordingly, without any human
intervention. Thus, Radware’s DefensePro introduces a Network Intrusion Prevention
System that was designed to fulfill all the aforementioned key capabilities.