Latest Global Cyber Attack Trends and the Response to Evolving Bots

Akamai Technologies Korea, 백용기 (Managing Director)
September 10, 2018

Post on 17-Mar-2020


Agenda

• Global Attack Traffic
• Recent Cyber Attack Trend
• SOTI Security Report Summary
• IOT Threat
• API Protection
• BOT Management
• Conclusion

Internet Traffic

• WEB & API
• Bot
• DDoS Attack
• WEB Attack

15~30% Global Internet Traffic

• Global WEB Traffic
• Global WEB Attack Traffic
• Asia WEB Attack Traffic

https://www.akamai.com/globe/

https://globe.akamai.com/

Recent Cyber Attack Trend

Akamai’s SOC (Security Operations Center)

Top Threatening Attacks

• 1.35 Tbps attack on GitHub: a new DDoS amplification attack that uses "Memcached"
• Zero-day vulnerabilities: surge in web attacks targeting Drupal vulnerabilities
• Malicious botnets: Mirai and IoT Reaper & Roop DDoS attack threats that use IoT devices, and the Prowli cryptocurrency malware
• Cryptocurrency exchange hacks + credential stuffing (credential theft attacks): Yapizon (5.5 billion), Youbit (17.2 billion), Bithumb (19 billion), Coinrail (40 billion), Coincheck (580 billion)

Global Cyber Attacks (Personal Data Breaches and Defacement Hacks)

• 2018 Salesforce customer data leak (Marketing Cloud API bug)
• 2018 T-Mobile: personal data of 2 million people leaked
• 2018 ticket distribution service TicketFly: personal data of 26 million people leaked
• 2018 Air Canada: mobile app user information (passports) of 20,000 people leaked
• 2018 T-Mobile / Instagram / Venmo API hacking incidents
• 2018 Singapore's largest healthcare institution: patient data of 1.5 million people leaked
• 2018 defacement hack of 114 Korean education websites
• 2017 US credit reporting service Equifax: data of 145 million people leaked
• 2016 Uber: data of 57 million riders/drivers leaked
• 2018 US Panera Bread API data leak incident (37 million people)

State of the Internet Report (SOTI) - WEB Security

Summary, 2015 Q1 ~ 2018 Q1

Web Attack Statistics Summary

| Year / Quarter | Average number of web attacks per customer | Web attack type share (%) |
|---|---|---|
| 2015 Q1 | 15 | LFI 45, SQLi 30, PHPi 19 |
| 2015 Q2 | 22 | Shellshock 49, SQLi 29, LFI 18 |
| 2015 Q3 | 30 | LFI 30, SQLi 28, PHPi 21 |
| 2015 Q4 | 24 | LFI 41, SQLi 28, PHPi 22 |
| 2016 Q1 | 29 (max 283 per customer) | LFI 42, SQLi 36, XSS 6 |
| 2016 Q2 | 27 | LFI 44.7, SQLi 44.1, XSS 7 |
| 2016 Q3 | 30 | SQLi 49, LFI 40, XSS 6 |
| 2016 Q4 | 30 | SQLi 51, LFI 37, XSS 7 |
| 2017 Q1 | 25 | SQLi 44, LFI 39, XSS 10 |
| 2017 Q2 | 32 | SQLi 51, LFI 33, XSS 9 |
| 2017 Q3 | 35 | SQLi 47, LFI 38, XSS 9 |
| 2017 Q4 | 33 | SQLi 50, LFI 36, XSS 8 |
| 2018 Q1 | 31 | SQLi 52, LFI 37, XSS 10 |

Web Attack Statistics Summary

[Chart: Trend in web application attack share (%), SQLi vs. LFI]

Web Attack Statistics Summary (2017/11 - 2018/04)

The most popular type of application attack continues to be SQL injection, which accounted for 51% of the attacks seen by Akamai’s Kona Web Application Firewall in the period. Local File Inclusion (LFI) and cross-site scripting (XSS) made up the majority of the remainder of attacks, 34% and 8% of all attacks respectively. These three types of attack together accounted for 93% of malicious application attacks.

SQLi 51%, LFI 34%, XSS 8%, PHPi 2%, RFI 2%, Other 3%

Top 10 DDoS Source Countries (2018/07)

DDoS Statistics Summary

| Year / Quarter | Maximum DDoS attack size (Gbps) | Number of attacks over 100 Gbps | DDoS attack types: infrastructure-layer share (%) and application-layer attacks |
|---|---|---|---|
| 2015 Q1 | 170 | 10 | SSDP 21, SYN Flood 16, UDP Flood 13; HTTP GET |
| 2015 Q2 | 249 | 12 | |
| 2015 Q3 | 149 | 8 | SSDP, CHARGEN, NTP |
| 2015 Q4 | 309 | 5 | Multi Vector 56 |
| 2016 Q1 | 289 | 19 (14 DNS reflection) | Multi Vector 60 (DNS, CHARGEN, UDP Fragment) |
| 2016 Q2 | 363 | 12 (max 373 attacks per customer) | NTP reflection 16% |
| 2016 Q3 | 623 (Mirai botnet), 555 (ACK flood/NTP reflection) | 19 | ACK, HTTP Flood, CHARGEN, DNS |
| 2016 Q4 | 517 | 12 (5 over 200 Gbps) | UDP Fragment 27, DNS 21, NTP 15 |
| 2017 Q1 | 120 | 15 | UDP Fragment 29, DNS Flood 20, NTP Flood 15 |
| 2017 Q2 | 75 | average 32 attacks per customer (max 558 per customer) | UDP Fragment 27, DNS Flood 15, DDoS attack type 15; GET/PUSH/POST |
| 2017 Q3 | 109 | (max 612 attacks per customer) | |
| 2017 Q4 | 600 | (max 512 attacks per customer) | UDP Fragment 33, DNS 19, CLDAP 10; GET/PUSH/POST |
| 2018 Q1 | 1.35 Tbps (memcached) | | UDP-based attacks |

Top 10 Attack Vectors Statistics Summary (2017/01 - 2018/04)

Layer 3 & 4 attacks account for 99.1% of DDoS attacks seen by Akamai.

DDoS Attacks on the Rise

[Chart: Maximum DDoS attack size (Gbps) and number of attacks over 100 Gbps, by quarter]

Growth trend in DDoS attack size:

• SNMP 6x
• DNS 28x ~ 54x
• CHARGEN 358x
• NTP 556x
• Memcache 510,000x

IOT Threat

[Chart: IoT connected devices installed base worldwide, 2015 to 2025 (in billions)]

IOT Botnets - Mirai

A rapid increase in scans of ports 23/2323 began on May 13, 2016

[Timeline chart: number of infected IPs; marked events: First major attack, Source code released, Satori variant emerged (2017/11/29)]

Mirai botnet attack history:

• Krebs on Security - 620 Gbps (2016/9/20)
• OVH - 990 Gbps
• Dyn DNS - 1.3 Tbps (Mirai#: 100k)
• Liberia Telco - 600 Gbps

Attack Size: 500 Gbps ~ 1+ Tbps
Target: CCTV, DVR, Home AP
Method: BruteForce

IOT Botnets - IoTReaper/IoTRoop

[Chart: daily values over a one-month period, 2017/9/29 ~ 10/29]

Attack targets: routers and wireless IP cameras

• D-Link
• TP-Link
• Avtech
• Netgear
• MikroTik
• Linksys
• Synology
• GoAhead

API Protection

API Traffic Share

144,713,265,352 (144.7 Billion) HTTP transactions
36,593,891,540 (36.6 Billion) API transactions

API Vulnerabilities

OWASP (Open Web Application Security Project) Top 10 - 2017

• A3 - Sensitive data exposure
• A7 - XSS (cross-site scripting)
• A9 - Known component vulnerabilities
• A10 - Insufficient logging & monitoring

Four Key API Weak Points

1) Application Downtime due to an Excessive Rate of API Calls (DDoS)
2) Weak Authentication & Authorization
3) Exploiting API Parameters
4) Data Theft via MITM Attacks

[Diagram: API lifecycle between Service Request and Server Response; figure labels: 70%, 30%, 4M, 1M]

What Are the Countermeasures for DDoS, Web, and API Attacks?

Changing Security Architecture (DDoS Attack Defense)

• Traffic diversion service: Scrubbing Center
• IDC/DC-centric: Router, Firewall, Load balancer, Bandwidth
• Use of the cloud: Cloud Platform
• Collaboration with ISPs: ISP

Web Application Attack Checklist

Forrester Wave WAF evaluation scorecard (2018/Q2)

• Real-time visibility into attacks and defense
• Detailed attack information analysis (granularity)
• Rate control (traffic control in reverse-proxy form)
• 100% availability SLA
• Client & network intelligence
• Proactive automatic patching
• Minimized false positives / false negatives
• API security

Evaluation areas: attack detection/response, zero-day attacks, analysis and reporting, management

BOT Management

“BOT”

• What is a Bot?
  - Software robot
  - Automation tool, script
  - Performs repetitive tasks
• Botnet?
  - Mostly infected with malware
  - Computer network
  - Centrally controlled

“BOT”

• Use cases
  - Chatbots (customer support)
  - Content indexing
  - Search engine optimization (SEO)
  - Feed delivery (SNS, RSS)
  - Availability monitoring
  - Automated purchasing (Automated Inventory Purchasers)
  - Content collection (Content aggregators)
  - Website collection (Web scrapers), crawlers
  - Credential abuse (Credential abusers)
  - DDoS agents

Understanding THE “BOT PROBLEM”

Your site traffic:

• What you think your traffic looks like
• What your traffic actually looks like

Understanding THE “BOT PROBLEM”

User traffic │ 63%
Advertising │ 1%
Web archiver │ 2%
Site development & monitoring │ 5%
Unknown │ 10%
Search engine │ 20%
Other │ 1%

© 2017 AKAMAI | FASTER FORWARDTM

Bot Requests (2017/11) - by Industry

Impact of Various Bots

Problems caused by bots:

• Information theft
• Third-party partners
• Competitors
• Increased fraud costs from stolen information

MultiLogin App

• Mimic browser
• Sold legally

Recent Akamai Traffic Analysis

September 2017 (24 hours), covering 45 major customers in the commerce/retail, finance, travel/hotel, media/gaming, and public sectors

Analysis results:

• 66%
• Unique target accounts → 34,225,052
• Malicious botnet signatures → 420

[Chart: Number of login attempts, total vs. malicious botnet; labeled values: 591,774,594 and [VALUE]]

Credential Stuffing

A technique in which, after obtaining a list of stolen credentials (usernames & passwords), an attacker uses bots to verify whether those credentials can also log in to other sites.

[Diagram: Hacker → Botnet → Web server → Assets. Stages: credential acquisition (purchase), credential validation (credential abuse attack), then login and product purchase for financial gain (account takeover attack)]

Credential Stuffing Attacks (2017/11) - by Industry

(June 2018)

A flexible framework

BOT

• Spam bots: Harmful
• Web scrapers: Harmful
• Grey marketers: Mixed
• Search engine: Beneficial
• Aggregators: Mixed
• 3rd party services: Beneficial
• Partner bots: Beneficial

• Content aggregation
• Inventory grabbing
• Web scraping
• Web analytics
• Online web strategy

Good bot management

Identifying the Impact of Bots

Impact on IT infrastructure and business

Bot traffic

• Impact on IT: performance, costs, origin load
• Impact on business:
  - Web experience: user engagement, revenue
  - Competition: customer management, sales opportunities
  - Marketing: content management, web analytics, SEO
  - Security: fraud / data leakage

Traditional solutions: BLOCKING DOES NOT WORK

• Motivation: The bot is here to get something
• Blocking: Prevents the bot from getting what it came for
• Awareness: Blocking also alerts the bot operator
• Evasion: Operator modifies the bot to evade detection / mitigation
• Whack-a-mole: The bot returns but is now better hidden from detection

Better manage BUSINESS and IT IMPACTS of bots as a cloud-based service

To manage bots: WHAT YOU NEED

• Detection
• Categorization
• Management
• Visibility

1. DETECTION

Evolving bot landscape (axis: Simple → Sophisticated)

Bot techniques:

• Randomized user agent
• Browser impersonation
• Session replay
• Full cookie support
• JavaScript support
• Browser fingerprint spoofing
• Recorded human behavior
• Multiple IPs
• Low request rate
• Single IP

Countermeasures:

• Rate limiting
• IP blocking
• HTTP anomaly detection
• Browser fingerprinting
• User behavior analysis

Detection methods:

• User-Agent Based Detection
• Request Anomaly Detection
• Reputation
• Cookie Integration
• Browser Validation
• Session Validation
• Workflow Validation
• Behavior Anomaly Detection

2. CATEGORIZATION

Most solutions approach bot traffic from a security perspective:

• Good bot (Whitelist)
• Bad bot (Block)

Can they be clearly distinguished?

2. CATEGORIZATION

Whether a bot is good or bad should be decided flexibly, according to its impact on the business.

GOOD ↔ BAD

• Google: Increases findability
• Fraudster: Incurs financial loss
• Authorized partner: Supports business / may impact performance
• 3rd-party service: Helps manage website / may impact performance
• Content aggregator: Diverts visitors and reduces marketing ROI
• Competitor: Reduces sales revenue

And does not account for UNKNOWN bots

Categorizing bots: HOW IT WORKS

Step 2: Categorizing bot traffic

• Commerce search
• Web search
• M&E search
• SEO
• RSS
• Social
• Site monitoring
• Business intelligence
• Online advertising
• News aggregator
• Web archiver
• Enterprise aggregator
• Financial
• Job search
• Academic
• Custom 1 ... Custom X
• Real-time 1 ... Real-time X

3. MANAGEMENT

Don't simply try to block; manage.

If you could do this…

• Do not respond, or respond normally only very occasionally
• Do not respond during hours when there are many users
• Respond with cached information
• Respond normally most of the time, and occasionally respond with wrong answers
• Block, monitor
• Respond slowly
• Respond with wrong answers

Available actions:

Basic │ Monitor, Block, Signal origin
Rate │ Delay (1-3s), Slow (8-10s)
Drop │ Tarpit
Serve │ Serve alternate origin, Serve alternate content, Serve cached

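3. MANAGEMENT

• Login/authentication attempts: provide inaccurate ID/password information.
• Countering bot variants: delay the response speed so that further variants are prevented without alerting the bot operator.
• Online shopping malls: respond with fake price information.
• Financial services: minimize performance issues caused by information-gathering bots.
• Partners: reduce the response speed for partners during business hours.
• Online media: block content-collection bots to prevent a drop in visitors.
• Shopping mall events: respond to third-party bots from cache to increase availability.
• Performance: respond from a different origin to improve performance.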

4. VISIBILITY

Visibility needs to support your STRATEGY

High-level statistics

• Identify the need to expand infrastructure and network capacity
• Establish and apply strategy based on various statistics

Detailed traffic information

• Check details such as user IP, GEO, Request, and Cookie
• Traffic can be classified and policies applied based on each piece of information

How to think about VISIBILITY

Visibility needs to support your STRATEGY

[Figures: Example 1 and Example 2]

Considerations for Bot Management

• Classify bots according to business impact
• Manage good and bad bots rather than simply blocking
• Monitor/manage bot traffic
• Analysis and reporting

Bot traffic detection
- Use bot categories
- Customer-defined categories can be configured
- Real-time detection (pattern, rate analysis)
- Browser validation

Categorization
- Continuous category updates are required
- Web search, SEO, Aggregator
- RSS, Social, BI, Monitoring, etc.
- Customer categories must be customizable

Manage/Action
- Basic (Monitor, Block)
- Drop
- Rate (Delay 1-3s, Slow 8-10s)
- Serve (alternate origin, alternate content, cache)
- Apply actions based on conditions

Analysis and Reporting
- Security Center
- Bot Activity report
- Bot Analysis report

Analysis of Bot Identification Results (Bot vs Human)

Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks.

• DDoS attack defense capacity
• Web vulnerability management and proactive defense (zero-day attacks)
• API traffic security measures
• Securing visibility into bot traffic and managing it

Thank you!