0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/598 Thanks! 1 00:00:11,300 --> 00:00:12,609 Hi, thank you. 2 00:00:14,030 --> 00:00:16,159 So as I said, today we'll learn 3 00:00:16,160 --> 00:00:18,349 about DDoS, but not about 4 00:00:18,350 --> 00:00:20,419 what it is, because that's something that 5 00:00:20,420 --> 00:00:22,159 you all should know about. 6 00:00:22,160 --> 00:00:24,469 But we actually do this from 7 00:00:24,470 --> 00:00:26,539 the defender's side. Mostly we hear 8 00:00:26,540 --> 00:00:28,609 about it in the news or the media 9 00:00:28,610 --> 00:00:30,799 or whatever, some APT 10 00:00:30,800 --> 00:00:32,869 guys did it, or some 11 00:00:32,870 --> 00:00:34,369 viruses, some botnet. 12 00:00:34,370 --> 00:00:36,589 But we always hear just one side 13 00:00:36,590 --> 00:00:38,780 of the border, the defenders'. 14 00:00:40,140 --> 00:00:42,319 Now, we'll learn today 15 00:00:42,320 --> 00:00:44,509 about mitigation of DDoS, 16 00:00:44,510 --> 00:00:46,699 or more specifically, how not to mitigate 17 00:00:46,700 --> 00:00:47,700 DDoS. 18 00:00:49,010 --> 00:00:51,529 First of all, this 19 00:00:51,530 --> 00:00:52,530 doesn't work. 20 00:00:57,140 --> 00:00:59,079 OK, excuse me. 21 00:00:59,080 --> 00:01:01,279 So first of all, we've got some intro 22 00:01:01,280 --> 00:01:02,659 into DDoS, what is this? 23 00:01:02,660 --> 00:01:04,549 What it is all about, something boring, 24 00:01:04,550 --> 00:01:07,009 just one slide about it, the methodology 25 00:01:07,010 --> 00:01:09,379 of work, of our method of delivering 26 00:01:09,380 --> 00:01:10,339 this kind of service. 27 00:01:10,340 --> 00:01:12,499 We've actually been attacking 28 00:01:12,500 --> 00:01:14,299 now for three years.
29 00:01:14,300 --> 00:01:16,639 We added services to our customers 30 00:01:16,640 --> 00:01:18,739 that want to test their systems for 31 00:01:18,740 --> 00:01:20,239 DDoS mitigation or corrective 32 00:01:20,240 --> 00:01:21,679 mitigation. And guess what? 33 00:01:21,680 --> 00:01:23,869 Not all of them were so correct, as 34 00:01:23,870 --> 00:01:25,459 we figured out. 35 00:01:26,870 --> 00:01:29,059 Afterwards, we'll talk about some DDoS 36 00:01:29,060 --> 00:01:31,159 in the wild, what is exactly going 37 00:01:31,160 --> 00:01:33,199 on in the world, just some statistics, 38 00:01:33,200 --> 00:01:34,759 again something boring. 39 00:01:34,760 --> 00:01:37,159 And then we'll come to the ten most 40 00:01:37,160 --> 00:01:39,739 common from-the-book strategies that we 41 00:01:39,740 --> 00:01:41,779 figure that you should hear about. 42 00:01:42,830 --> 00:01:43,309 At the end 43 00:01:43,310 --> 00:01:45,559 we'll have some kind of, of course. 44 00:01:47,510 --> 00:01:49,879 So, myself. 45 00:01:49,880 --> 00:01:51,979 Etzioni. I do security stuff. 46 00:01:51,980 --> 00:01:54,439 Now I'm managing 47 00:01:54,440 --> 00:01:56,569 a team of security researchers at Verint. 48 00:01:56,570 --> 00:01:57,829 We do something cool 49 00:01:59,030 --> 00:02:00,139 with defense, 50 00:02:01,280 --> 00:02:03,469 but except that, mainly I'm experienced 51 00:02:03,470 --> 00:02:05,539 with penetration testing and 52 00:02:05,540 --> 00:02:06,469 ethical hacking. 53 00:02:06,470 --> 00:02:08,929 And, as I said, for 54 00:02:08,930 --> 00:02:11,299 three years of hard work about DDoS, 55 00:02:11,300 --> 00:02:13,559 we are attacking and providing 56 00:02:13,560 --> 00:02:15,829 our customers a service 57 00:02:15,830 --> 00:02:17,119 of DDoS attacks. 58 00:02:18,650 --> 00:02:20,449 That's the end of the shameless promotion 59 00:02:20,450 --> 00:02:22,309 slide.
You will never hear 60 00:02:22,310 --> 00:02:23,310 about it again. 61 00:02:31,430 --> 00:02:33,679 So everyone gets prizes, not 62 00:02:33,680 --> 00:02:35,599 in the correct sense of the word, because 63 00:02:35,600 --> 00:02:37,699 everyone meaning you. 64 00:02:37,700 --> 00:02:39,559 If you are an attacker, then 65 00:02:39,560 --> 00:02:41,899 maybe, I hope, you will learn one 66 00:02:41,900 --> 00:02:44,029 or two tactics that you didn't 67 00:02:44,030 --> 00:02:45,379 know before. 68 00:02:45,380 --> 00:02:47,569 If you're a defender, you know what not 69 00:02:47,570 --> 00:02:50,059 to do, or what are the top 70 00:02:50,060 --> 00:02:52,789 ten most common 71 00:02:52,790 --> 00:02:55,039 strategies not to do, or to stay away 72 00:02:55,040 --> 00:02:55,909 from. 73 00:02:55,910 --> 00:02:58,099 And if you are neither an attacker 74 00:02:58,100 --> 00:03:00,199 nor a defender, you just kick back, relax 75 00:03:00,200 --> 00:03:02,479 and have some good laughs 76 00:03:02,480 --> 00:03:03,530 at someone else. 77 00:03:06,920 --> 00:03:08,989 So the method, the method of 78 00:03:08,990 --> 00:03:11,059 delivery is somewhat complex 79 00:03:11,060 --> 00:03:13,249 because we want to have control over our 80 00:03:13,250 --> 00:03:15,599 botnet. We have a legitimate botnet. 81 00:03:15,600 --> 00:03:18,799 Of course, everything that I will 82 00:03:18,800 --> 00:03:20,839 mention here is legitimate and we are 83 00:03:20,840 --> 00:03:22,999 doing it as legit 84 00:03:23,000 --> 00:03:23,689 as we can. 85 00:03:23,690 --> 00:03:25,849 We have our own botnet, a pretty 86 00:03:25,850 --> 00:03:27,739 vast botnet all over the world, all over 87 00:03:27,740 --> 00:03:28,999 the globe.
88 00:03:29,000 --> 00:03:31,129 And delivering this kind of controlled 89 00:03:31,130 --> 00:03:32,809 mechanism for DDoS for us, for our 90 00:03:32,810 --> 00:03:34,999 customers, has some extra edges, 91 00:03:35,000 --> 00:03:37,429 like we view exactly 92 00:03:37,430 --> 00:03:39,619 what is happening. We log all the stuff. 93 00:03:39,620 --> 00:03:41,359 This is pretty hard to do, actually, when 94 00:03:41,360 --> 00:03:42,949 we are talking about a botnet with 95 00:03:42,950 --> 00:03:45,169 thousands of computers that we want 96 00:03:45,170 --> 00:03:47,329 to control, each one of them, 97 00:03:47,330 --> 00:03:49,909 and know exactly what we are missing. 98 00:03:49,910 --> 00:03:53,299 And on top of that, we have something, 99 00:03:53,300 --> 00:03:55,279 something more like a red team and a blue 100 00:03:55,280 --> 00:03:57,559 team. So the blue team 101 00:03:57,560 --> 00:03:59,819 is incorrectly named blue, 102 00:03:59,820 --> 00:04:01,369 but you can see the SPOC with a blue 103 00:04:01,370 --> 00:04:02,370 T-shirt. 104 00:04:03,050 --> 00:04:05,179 So the blue team is 105 00:04:05,180 --> 00:04:07,489 on site with the customer and 106 00:04:07,490 --> 00:04:09,589 viewing all the logs, not for 107 00:04:09,590 --> 00:04:11,419 mitigation, not for telling him what to 108 00:04:11,420 --> 00:04:13,549 do, just for taking notes for 109 00:04:13,550 --> 00:04:16,278 the red team. And the red team 110 00:04:16,279 --> 00:04:18,409 is on the other side of the line, 111 00:04:18,410 --> 00:04:20,569 attacking the customer with the 112 00:04:20,570 --> 00:04:22,849 botnet, and together 113 00:04:22,850 --> 00:04:23,989 with the two SPOCs 114 00:04:23,990 --> 00:04:26,059 we have a complete image of what exactly 115 00:04:26,060 --> 00:04:28,609 is happening on the network or 116 00:04:28,610 --> 00:04:30,829 maybe in the computers of the 117 00:04:30,830 --> 00:04:31,789 customer.
118 00:04:31,790 --> 00:04:33,949 And through that, we can have 119 00:04:33,950 --> 00:04:36,019 a good recommendation, a logistical 120 00:04:36,020 --> 00:04:36,979 recommendation. 121 00:04:36,980 --> 00:04:37,999 We know the site. 122 00:04:38,000 --> 00:04:39,409 We know exactly what happened. 123 00:04:39,410 --> 00:04:40,489 We can pinpoint it. 124 00:04:40,490 --> 00:04:42,409 We can analyze it. 125 00:04:42,410 --> 00:04:44,749 We can analyze our own botnet 126 00:04:44,750 --> 00:04:46,759 in terms of improvement, if we want to 127 00:04:46,760 --> 00:04:48,769 improve it for the next time. 128 00:04:48,770 --> 00:04:51,499 So together, we have this visualization 129 00:04:51,500 --> 00:04:53,359 of the analysis and we can progress with 130 00:04:53,360 --> 00:04:54,360 the attack. 131 00:04:58,650 --> 00:05:00,779 Moreover, some DDoS in 132 00:05:00,780 --> 00:05:03,109 the wild. DDoS is mainly, 133 00:05:03,110 --> 00:05:05,249 maybe it's a shock for most of you, but 134 00:05:05,250 --> 00:05:07,319 mainly by size, most of 135 00:05:07,320 --> 00:05:09,449 the attacks are less than two 136 00:05:09,450 --> 00:05:10,469 gigabit per second. 137 00:05:10,470 --> 00:05:12,509 I'm mentioning that just to acknowledge 138 00:05:12,510 --> 00:05:14,639 that DDoS does not have to 139 00:05:14,640 --> 00:05:17,039 be as large as the media claims 140 00:05:17,040 --> 00:05:18,239 it to be. 141 00:05:18,240 --> 00:05:19,949 Of course, there are times that network 142 00:05:19,950 --> 00:05:21,719 bandwidth is the main type of 143 00:05:21,720 --> 00:05:23,969 thing. But if 144 00:05:23,970 --> 00:05:26,099 we hear about some DDoS in the media, 145 00:05:26,100 --> 00:05:28,439 it doesn't mean that automatically 146 00:05:28,440 --> 00:05:30,849 it's DDoS by bandwidth, by the network. 147 00:05:30,850 --> 00:05:32,230 We'll get to it later.
148 00:05:33,720 --> 00:05:35,379 Other than that, we have reflection, 149 00:05:35,380 --> 00:05:36,779 amplification. 150 00:05:36,780 --> 00:05:38,849 These are two words that we hear a lot. 151 00:05:38,850 --> 00:05:41,309 Reflection is the actual act 152 00:05:41,310 --> 00:05:43,729 of benefiting from 153 00:05:43,730 --> 00:05:45,899 a third party that we want 154 00:05:45,900 --> 00:05:47,759 to communicate with. 155 00:05:47,760 --> 00:05:50,099 And the third party is communicating and 156 00:05:50,100 --> 00:05:52,589 reflecting, so to say, 157 00:05:52,590 --> 00:05:54,749 to the actual site that we want to attack. 158 00:05:54,750 --> 00:05:57,089 Amplification is using some 159 00:05:57,090 --> 00:05:59,579 kind of asymmetric protocol 160 00:05:59,580 --> 00:06:01,919 or asymmetric behavior between the 161 00:06:01,920 --> 00:06:03,629 attackers and the defenders of the 162 00:06:03,630 --> 00:06:05,939 service. So the servers will have 163 00:06:05,940 --> 00:06:08,369 to work much harder in order to 164 00:06:08,370 --> 00:06:09,299 accomplish something. 165 00:06:09,300 --> 00:06:10,680 And that's amplification. 166 00:06:13,210 --> 00:06:15,609 Last, most attacks that we hear about 167 00:06:15,610 --> 00:06:17,319 on the Internet and in the media do not 168 00:06:17,320 --> 00:06:18,379 require brains. 169 00:06:18,380 --> 00:06:20,049 You can leave your brain out and then 170 00:06:20,050 --> 00:06:21,729 just attack with some kind of a 171 00:06:21,730 --> 00:06:23,829 tool. And because of that, most 172 00:06:23,830 --> 00:06:25,509 of them rely heavily on bandwidth 173 00:06:25,510 --> 00:06:26,559 consumption. 174 00:06:26,560 --> 00:06:28,479 My point here is that you don't have to 175 00:06:28,480 --> 00:06:29,739 be that lame.
176 00:06:29,740 --> 00:06:32,139 You don't require 177 00:06:32,140 --> 00:06:34,239 most of, like 90 percent 178 00:06:34,240 --> 00:06:35,769 of your brain, but you need a small 179 00:06:35,770 --> 00:06:38,169 fraction of it in order to 180 00:06:38,170 --> 00:06:40,329 designate and amplify your attack 181 00:06:40,330 --> 00:06:42,609 without actually using so much 182 00:06:42,610 --> 00:06:44,290 bandwidth as proposed. 183 00:06:46,220 --> 00:06:47,220 So. 184 00:06:48,160 --> 00:06:50,979 Just some headlines. 185 00:06:50,980 --> 00:06:53,109 Headlines, as I mentioned: there 186 00:06:53,110 --> 00:06:54,519 is more than a front end. We'll come 187 00:06:54,520 --> 00:06:56,799 to it at least once 188 00:06:56,800 --> 00:06:58,329 in the examples. 189 00:06:58,330 --> 00:07:00,079 But everyone is thinking of websites 190 00:07:00,080 --> 00:07:02,169 that are going down by DDoS, by 191 00:07:02,170 --> 00:07:04,569 some kind of login to a bank or maybe 192 00:07:04,570 --> 00:07:06,879 the WWW site for the bank. 193 00:07:06,880 --> 00:07:09,069 But it's not exactly that. You can 194 00:07:09,070 --> 00:07:10,779 attack the back end, and we will get to it. 195 00:07:11,950 --> 00:07:14,169 Other than that, you have 196 00:07:14,170 --> 00:07:16,239 the back 197 00:07:16,240 --> 00:07:18,039 end work for you. The back end is 198 00:07:18,040 --> 00:07:20,019 actually doing something, not just 199 00:07:20,020 --> 00:07:22,299 presenting a cached page or something, so 200 00:07:22,300 --> 00:07:24,549 you can actually amplify your attack 201 00:07:24,550 --> 00:07:25,550 by the back end. 202 00:07:26,320 --> 00:07:27,219 Keep it stealthy. 203 00:07:27,220 --> 00:07:28,209 They might be listening. 204 00:07:28,210 --> 00:07:29,499 The magic of sniffing. 205 00:07:29,500 --> 00:07:31,209 We all have heard about it.
206 00:07:31,210 --> 00:07:33,699 The SOC team, the SOC manager is online 207 00:07:33,700 --> 00:07:36,249 and checking his site all the time. 208 00:07:36,250 --> 00:07:38,499 He's there with the magic of sniffing. 209 00:07:38,500 --> 00:07:40,929 And think 210 00:07:40,930 --> 00:07:42,610 of amplification in a general way. 211 00:07:43,630 --> 00:07:45,819 When I'm saying stealthy, I 212 00:07:45,820 --> 00:07:47,469 mean use your own tools. 213 00:07:47,470 --> 00:07:49,029 Most of the attacks that you hear about 214 00:07:49,030 --> 00:07:51,129 and read, or maybe 215 00:07:51,130 --> 00:07:52,719 even if you have the source code for it, 216 00:07:52,720 --> 00:07:54,429 you can read the source code and then 217 00:07:54,430 --> 00:07:56,769 analyze by yourself what the attack does. 218 00:07:56,770 --> 00:07:58,719 And these attacks are 219 00:07:58,720 --> 00:08:01,149 mainly very simple to comprehend because, 220 00:08:01,150 --> 00:08:02,349 you know, the small fraction in the 221 00:08:02,350 --> 00:08:04,269 distribution of the attack in order to 222 00:08:04,270 --> 00:08:05,539 complete it. 223 00:08:05,540 --> 00:08:07,959 So if you know what you're doing, you can 224 00:08:07,960 --> 00:08:10,209 easily, believe me, very easily, write 225 00:08:10,210 --> 00:08:11,139 your own scripts. 226 00:08:11,140 --> 00:08:13,449 And by that you eliminate 90 percent 227 00:08:13,450 --> 00:08:15,459 of the signatures that are residing on 228 00:08:15,460 --> 00:08:17,709 IDSes and anti-DDoS machines. 229 00:08:18,850 --> 00:08:21,609 So amplification, in the general term, 230 00:08:21,610 --> 00:08:23,889 we refer to it as four pillars. 231 00:08:23,890 --> 00:08:25,809 We have the network attack, the usual 232 00:08:25,810 --> 00:08:27,909 suspect. We have the CPU, which is 233 00:08:27,910 --> 00:08:30,009 very limited in some 234 00:08:30,010 --> 00:08:31,010 cases.
235 00:08:31,750 --> 00:08:34,119 And CPU was actually attacked 236 00:08:34,120 --> 00:08:36,259 by someone at 237 00:08:36,260 --> 00:08:38,349 28C3, who, 238 00:08:38,350 --> 00:08:40,928 I forgot his name because it's not my 239 00:08:40,929 --> 00:08:41,929 native language. 240 00:08:42,940 --> 00:08:45,459 But some very professional guys 241 00:08:45,460 --> 00:08:47,559 devised an effective attack over 242 00:08:47,560 --> 00:08:50,169 CPU, presenting a 243 00:08:50,170 --> 00:08:52,309 single GET or POST request to 244 00:08:52,310 --> 00:08:55,119 an HTTP server and then elevating 245 00:08:55,120 --> 00:08:57,249 the CPU up to 246 00:08:57,250 --> 00:08:59,499 ninety nine percent of the system 247 00:08:59,500 --> 00:09:00,879 by using hashes. 248 00:09:00,880 --> 00:09:03,189 So CPU is again a very prominent 249 00:09:03,190 --> 00:09:05,349 attack that we choose to attack in 250 00:09:05,350 --> 00:09:06,969 the process. The other thing that we 251 00:09:06,970 --> 00:09:09,309 choose to attack mainly is the memory, 252 00:09:09,310 --> 00:09:11,259 memory, volatile memory. 253 00:09:11,260 --> 00:09:13,689 Everyone uses it, everything uses 254 00:09:13,690 --> 00:09:15,879 volatile memory and we can use it to 255 00:09:15,880 --> 00:09:16,880 our advantage. 256 00:09:17,710 --> 00:09:19,749 Think of it: everything that is done on 257 00:09:19,750 --> 00:09:21,639 the website. If you have, let's say, a 258 00:09:21,640 --> 00:09:23,889 form and the form is undergoing some 259 00:09:23,890 --> 00:09:26,409 kind of a multi-stage, you can actually 260 00:09:26,410 --> 00:09:28,269 do maybe part of the stages, maybe all 261 00:09:28,270 --> 00:09:30,399 the stages. And in-memory 262 00:09:30,400 --> 00:09:32,589 residence will be very effective in 263 00:09:32,590 --> 00:09:33,590 DDoS.
264 00:09:34,500 --> 00:09:37,019 And last is the storage itself. 265 00:09:37,020 --> 00:09:38,039 You have 266 00:09:39,570 --> 00:09:41,699 some amount of storage, 267 00:09:41,700 --> 00:09:44,159 on-disk storage, and even the IO buffer 268 00:09:44,160 --> 00:09:46,379 of the drives that are working very hard 269 00:09:46,380 --> 00:09:47,380 to complete the mission. 270 00:09:49,340 --> 00:09:51,409 OK, so last, 271 00:09:51,410 --> 00:09:52,549 this is a true story. 272 00:09:55,590 --> 00:09:57,719 At the request of the survivors, the 273 00:09:57,720 --> 00:09:59,999 names have been changed. We'll never 274 00:10:01,110 --> 00:10:02,940 do shaming to any of our customers. 275 00:10:04,770 --> 00:10:07,409 You know what comes next: out of respect 276 00:10:07,410 --> 00:10:09,569 for the dead, the rest 277 00:10:09,570 --> 00:10:12,139 have been left unchanged. 278 00:10:16,820 --> 00:10:17,820 OK, so 279 00:10:18,950 --> 00:10:19,950 very. 280 00:10:20,910 --> 00:10:22,979 We set the actual 281 00:10:22,980 --> 00:10:25,049 result as facepalm, so every one of 282 00:10:25,050 --> 00:10:27,149 these 283 00:10:27,150 --> 00:10:29,309 stories will be presented by a 284 00:10:29,310 --> 00:10:31,259 facepalm ratio. We'll have a facepalm 285 00:10:31,260 --> 00:10:32,369 scale. You'll see it. 286 00:10:40,160 --> 00:10:42,259 And did I mention, at the end, 287 00:10:42,260 --> 00:10:44,959 the number one? We go ten to one. 288 00:10:44,960 --> 00:10:47,239 Number one, I can promise you that 289 00:10:47,240 --> 00:10:49,319 all of you will do an epic 290 00:10:49,320 --> 00:10:50,320 facepalm. 291 00:10:50,870 --> 00:10:51,999 That's a promise. 292 00:10:52,000 --> 00:10:53,000 OK. 293 00:10:55,450 --> 00:10:56,450 Very. 294 00:11:01,100 --> 00:11:03,289 Number 10. Number 10 295 00:11:03,290 --> 00:11:04,179 was common.
296 00:11:04,180 --> 00:11:06,409 Actually, it's less 297 00:11:06,410 --> 00:11:08,719 common nowadays because everyone 298 00:11:08,720 --> 00:11:10,789 knows, mainly every 299 00:11:10,790 --> 00:11:13,099 network guy knows, that that's rubbish. 300 00:11:13,100 --> 00:11:15,019 Limit the rate of incoming packets. 301 00:11:15,020 --> 00:11:17,449 That's something that is meant as magic 302 00:11:17,450 --> 00:11:19,399 for network people to say, yeah, yeah, 303 00:11:19,400 --> 00:11:21,409 yeah. We have a DDoS, like two gigabits of 304 00:11:21,410 --> 00:11:22,639 bandwidth, oh, no problem. 305 00:11:22,640 --> 00:11:24,949 We have one megabit of bandwidth. 306 00:11:24,950 --> 00:11:27,139 So let's use only one megabit 307 00:11:27,140 --> 00:11:28,819 of bandwidth to upload. 308 00:11:28,820 --> 00:11:31,159 Then this way we can't even 309 00:11:31,160 --> 00:11:33,319 choke the bandwidth, the rest 310 00:11:33,320 --> 00:11:36,179 of the ninety nine megabits per second. 311 00:11:36,180 --> 00:11:38,389 So of course you 312 00:11:38,390 --> 00:11:39,319 are nodding, all of you. 313 00:11:39,320 --> 00:11:41,479 I see the heads. If you 314 00:11:41,480 --> 00:11:43,609 have an incoming packet coming at 315 00:11:43,610 --> 00:11:46,009 you, and this doesn't 316 00:11:46,010 --> 00:11:48,109 work, and that's why the 317 00:11:48,110 --> 00:11:49,579 customer had to do this actually. 318 00:11:49,580 --> 00:11:52,219 And that's why he asked the ISP. 319 00:11:52,220 --> 00:11:54,109 The ISP told him, please, 320 00:11:55,220 --> 00:11:57,439 please rate limit, 321 00:11:57,440 --> 00:11:59,209 limit the incoming packets into your 322 00:11:59,210 --> 00:12:00,210 service. 323 00:12:01,010 --> 00:12:03,199 That was the ISP talking. 324 00:12:03,200 --> 00:12:04,219 And so we did.
325 00:12:05,390 --> 00:12:07,699 And he believed that he is 326 00:12:07,700 --> 00:12:08,700 sufficiently 327 00:12:09,980 --> 00:12:12,259 mitigating the attack if we test 328 00:12:12,260 --> 00:12:13,609 him. And he requested the test. 329 00:12:13,610 --> 00:12:14,990 So we delivered, 330 00:12:16,480 --> 00:12:18,629 and it was pretty simple to deliver, 331 00:12:18,630 --> 00:12:20,809 because if you have 332 00:12:20,810 --> 00:12:23,059 the knowledge of how the Internet 333 00:12:23,060 --> 00:12:25,219 works. So 334 00:12:25,220 --> 00:12:27,439 you have a GET request, or you have, let's 335 00:12:27,440 --> 00:12:28,729 say, a GET request. A GET request is 336 00:12:28,730 --> 00:12:31,129 something pretty easy in size, 337 00:12:31,130 --> 00:12:33,319 like, let's say, one kilobit 338 00:12:33,320 --> 00:12:35,599 or maybe one kilobyte, 339 00:12:35,600 --> 00:12:37,669 let's say. And you request a file from 340 00:12:37,670 --> 00:12:39,649 the server. If the file is sufficiently 341 00:12:39,650 --> 00:12:42,019 large, you have, let's say, one megabyte 342 00:12:42,020 --> 00:12:43,789 of a file. You can go with less, by 343 00:12:43,790 --> 00:12:45,169 the way. You can go with two hundred 344 00:12:45,170 --> 00:12:47,089 kilobytes. It will be an amplification 345 00:12:47,090 --> 00:12:49,519 factor of 200 times more. 346 00:12:49,520 --> 00:12:51,649 Think about it. So now we can 347 00:12:51,650 --> 00:12:53,869 use the minimum amount of data 348 00:12:53,870 --> 00:12:56,239 that we want to upload, in terms 349 00:12:56,240 --> 00:12:58,219 of, and then get it from the download 350 00:12:58,220 --> 00:13:00,769 itself, meaning that 351 00:13:00,770 --> 00:13:02,599 effectively the servers are choking 352 00:13:02,600 --> 00:13:03,739 themselves.
353 00:13:03,740 --> 00:13:06,139 So the beauty of this tactic 354 00:13:06,140 --> 00:13:08,269 is that it will work always, 355 00:13:08,270 --> 00:13:10,339 not only when someone will try to 356 00:13:10,340 --> 00:13:12,529 mitigate you. So the mitigation is, 357 00:13:12,530 --> 00:13:14,659 of course, fragile, but 358 00:13:14,660 --> 00:13:17,179 say that the consumption is by reflection. 359 00:13:17,180 --> 00:13:19,519 But it's an implied facepalm, something 360 00:13:19,520 --> 00:13:21,769 that you all should know and say, 361 00:13:21,770 --> 00:13:23,779 OK, that's something stupid to begin 362 00:13:23,780 --> 00:13:25,849 with. So maybe it shouldn't be on 363 00:13:25,850 --> 00:13:26,870 this scale at all. 364 00:13:27,950 --> 00:13:29,329 So does Tommy Lee Jones. 365 00:13:32,530 --> 00:13:33,530 Number nine. 366 00:13:35,870 --> 00:13:36,919 That's a beauty. 367 00:13:36,920 --> 00:13:38,689 We have a vendor that is monitoring the 368 00:13:38,690 --> 00:13:40,339 sites all the time, or maybe not the 369 00:13:40,340 --> 00:13:42,049 vendor itself, maybe the SOC. In this 370 00:13:42,050 --> 00:13:44,149 case, in this story, as I said, a true 371 00:13:44,150 --> 00:13:46,309 story, the monitoring was done by 372 00:13:46,310 --> 00:13:47,689 a third party. 373 00:13:47,690 --> 00:13:49,969 Their only job was 374 00:13:49,970 --> 00:13:51,799 to monitor the site. 375 00:13:51,800 --> 00:13:54,349 Now, when you monitor anything, you 376 00:13:54,350 --> 00:13:56,719 come to, after 20 minutes 377 00:13:56,720 --> 00:13:58,219 of attention, your attention drifts 378 00:13:58,220 --> 00:14:00,109 away.
And you think about puppies or 379 00:14:00,110 --> 00:14:02,329 about your babies or about your friends 380 00:14:02,330 --> 00:14:04,429 or about, I don't know, what 381 00:14:04,430 --> 00:14:05,430 you ate for lunch, 382 00:14:06,500 --> 00:14:08,329 and then you forget about monitoring 383 00:14:08,330 --> 00:14:10,309 because monitoring tends to be something 384 00:14:10,310 --> 00:14:11,310 very, very, 385 00:14:12,380 --> 00:14:13,549 very boring to do. 386 00:14:13,550 --> 00:14:15,769 So you look at a graph and if everything 387 00:14:15,770 --> 00:14:17,959 is OK, you leave it as 388 00:14:17,960 --> 00:14:19,879 it is. 389 00:14:19,880 --> 00:14:22,309 But in this case, we didn't leave it 390 00:14:22,310 --> 00:14:24,259 as I presented it. 391 00:14:24,260 --> 00:14:26,359 We actually attacked the site and 392 00:14:26,360 --> 00:14:27,619 the site was down. 393 00:14:27,620 --> 00:14:29,779 Now, when the site was down, 394 00:14:29,780 --> 00:14:31,369 it was a surprise attack, meaning that 395 00:14:31,370 --> 00:14:33,469 the man 396 00:14:33,470 --> 00:14:36,229 that started the test was 397 00:14:36,230 --> 00:14:37,230 the 398 00:14:38,630 --> 00:14:40,759 security officer for this customer, for 399 00:14:40,760 --> 00:14:41,749 this organization. 400 00:14:41,750 --> 00:14:43,849 And he didn't let the IT 401 00:14:43,850 --> 00:14:45,949 and the third party that is doing this 402 00:14:45,950 --> 00:14:46,950 kind of test know. 403 00:14:48,230 --> 00:14:50,449 So when the site was down, and you see 404 00:14:50,450 --> 00:14:52,279 the site is down, you don't have to be 405 00:14:52,280 --> 00:14:53,719 an expert to see that. 406 00:14:53,720 --> 00:14:55,909 And then you 407 00:14:55,910 --> 00:14:59,089 just waited and waited 408 00:14:59,090 --> 00:15:00,649 and waited some more.
409 00:15:00,650 --> 00:15:02,869 Now you will ask yourself, wait a second, 410 00:15:02,870 --> 00:15:04,999 maybe an email, maybe a 411 00:15:05,000 --> 00:15:07,159 phone, maybe someone will 412 00:15:07,160 --> 00:15:08,689 pick up the line and say to IT 413 00:15:08,690 --> 00:15:10,399 or say to the SOC, listen, guys, we 414 00:15:10,400 --> 00:15:12,439 have a problem. But no one did. 415 00:15:12,440 --> 00:15:13,999 Why? So, 416 00:15:14,000 --> 00:15:16,609 because of 417 00:15:16,610 --> 00:15:18,769 two things. It was 418 00:15:18,770 --> 00:15:20,659 pretty, pretty quiet. 419 00:15:20,660 --> 00:15:21,859 No one called it in. 420 00:15:21,860 --> 00:15:24,199 And we'll figure out why in a second. 421 00:15:24,200 --> 00:15:26,329 No one called it in, no one got an email 422 00:15:26,330 --> 00:15:27,379 about it. 423 00:15:27,380 --> 00:15:29,629 And the monitoring vendor 424 00:15:29,630 --> 00:15:31,909 wasn't aware of anything going wrong on 425 00:15:31,910 --> 00:15:33,499 the network. 426 00:15:33,500 --> 00:15:35,989 So what went wrong 427 00:15:35,990 --> 00:15:38,119 exactly? So first of all, the 428 00:15:38,120 --> 00:15:40,339 vendor saw, as I said, the logging 429 00:15:40,340 --> 00:15:42,739 system, and the logging system... 430 00:15:45,160 --> 00:15:47,499 And the logging system was looking a 431 00:15:47,500 --> 00:15:49,779 bit like that. You have a peak, 432 00:15:49,780 --> 00:15:52,019 you have something like a bot, the... 433 00:15:52,020 --> 00:15:53,829 I don't know about the colors, but 434 00:15:53,830 --> 00:15:55,929 most of it is 435 00:15:55,930 --> 00:15:57,459 susceptible as botnet. 436 00:15:57,460 --> 00:15:59,539 And it's in 437 00:15:59,540 --> 00:16:02,179 a relaxation somewhere.
438 00:16:02,180 --> 00:16:03,879 So first of all, that's the screenshot 439 00:16:03,880 --> 00:16:06,039 that, when the security 440 00:16:06,040 --> 00:16:07,869 officer called the vendor and asked, say, 441 00:16:07,870 --> 00:16:10,029 guys, do you see this site? Is everything 442 00:16:10,030 --> 00:16:12,279 OK? So it's safe, to him, and they sent him 443 00:16:12,280 --> 00:16:13,209 the screenshot. 444 00:16:13,210 --> 00:16:14,619 That's the actual screenshot from the 445 00:16:14,620 --> 00:16:16,599 vendor. So everything looks, I don't 446 00:16:16,600 --> 00:16:18,549 know, suspicious. But let's say it's 447 00:16:18,550 --> 00:16:19,719 relaxed after this. 448 00:16:19,720 --> 00:16:20,720 Let's say that the 449 00:16:21,940 --> 00:16:24,189 problem is that, 450 00:16:24,190 --> 00:16:26,559 A, they didn't check the site actively. 451 00:16:26,560 --> 00:16:28,629 All they needed to do is 452 00:16:28,630 --> 00:16:30,889 just click on their 453 00:16:30,890 --> 00:16:33,369 browser, apparently Internet Explorer, 454 00:16:33,370 --> 00:16:35,799 and then go to the site. 455 00:16:35,800 --> 00:16:37,569 And if you go to the site, you see the 456 00:16:37,570 --> 00:16:39,189 site is down. You don't have to be an 457 00:16:39,190 --> 00:16:41,439 expert or a SOC team to see 458 00:16:41,440 --> 00:16:42,440 the site is down. 459 00:16:43,780 --> 00:16:45,369 So they didn't do exactly that. 460 00:16:45,370 --> 00:16:47,169 Now, for the second question, 461 00:16:47,170 --> 00:16:49,569 why didn't the SOC get any calls 462 00:16:49,570 --> 00:16:50,769 or emails? 463 00:16:50,770 --> 00:16:52,449 Because, and that's in addition to this 464 00:16:52,450 --> 00:16:54,849 epic fail, the actual bandwidth 465 00:16:54,850 --> 00:16:57,009 that's used for the bank's servers,
466 00:16:57,010 --> 00:16:59,079 this customer's service, was used 467 00:16:59,080 --> 00:17:01,599 for the HQ traffic 468 00:17:01,600 --> 00:17:03,129 inside the corporate. 469 00:17:03,130 --> 00:17:05,139 So everyone that wanted to surf at the 470 00:17:05,140 --> 00:17:07,419 time, I'm talking about hours 471 00:17:07,420 --> 00:17:09,818 of no surfing and 472 00:17:09,819 --> 00:17:12,459 of no email for the corporate sites. 473 00:17:12,460 --> 00:17:14,559 No one could email and no one could use 474 00:17:14,560 --> 00:17:15,969 the VoIP phones on the... 475 00:17:26,980 --> 00:17:29,379 So that'll be the fun. 476 00:17:29,380 --> 00:17:31,719 And this kind of facepalm is, 477 00:17:31,720 --> 00:17:34,209 having a facepalm is another, rather, 478 00:17:34,210 --> 00:17:36,399 that's easy and it's cute, 479 00:17:36,400 --> 00:17:37,539 right? 480 00:17:37,540 --> 00:17:40,029 Ah, OK. 481 00:17:40,030 --> 00:17:41,589 Going to number eight. 482 00:17:44,420 --> 00:17:46,399 OK, so I've mentioned it before: back-end 483 00:17:46,400 --> 00:17:48,739 servers are not important to be protected 484 00:17:48,740 --> 00:17:49,740 against DDoS. 485 00:17:51,020 --> 00:17:53,149 Again, a very safe assumption we 486 00:17:53,150 --> 00:17:54,440 have to consider heavily. 487 00:17:55,610 --> 00:17:58,409 Back-end servers are not important, 488 00:17:58,410 --> 00:18:00,469 eh, eh, that's bullshit. 489 00:18:00,470 --> 00:18:02,239 Servers are always important. 490 00:18:02,240 --> 00:18:03,949 If you think that any servers are not 491 00:18:03,950 --> 00:18:05,599 important, then don't use those servers. 492 00:18:05,600 --> 00:18:06,600 That's backup. 493 00:18:07,460 --> 00:18:08,460 So 494 00:18:10,040 --> 00:18:11,040 if.
495 00:18:14,630 --> 00:18:17,569 So if those servers are not 496 00:18:17,570 --> 00:18:19,369 needed to be protected against 497 00:18:19,370 --> 00:18:21,979 DDoS, so they are 498 00:18:21,980 --> 00:18:24,469 somewhere. And this notion of thinking 499 00:18:24,470 --> 00:18:26,569 was coming from the media, I 500 00:18:26,570 --> 00:18:28,879 guess. So everyone is reading about this 501 00:18:28,880 --> 00:18:31,429 kind of, let's say, for example, 502 00:18:31,430 --> 00:18:32,929 supposedly Bank of America was attacked 503 00:18:32,930 --> 00:18:35,059 by DDoS. And the first thing 504 00:18:35,060 --> 00:18:37,189 that you hear about is everyone is 505 00:18:37,190 --> 00:18:39,199 tweeting about the login site for this 506 00:18:39,200 --> 00:18:41,149 bank: why is it not responding? 507 00:18:41,150 --> 00:18:43,099 So the media is responding accordingly. 508 00:18:43,100 --> 00:18:44,059 It's right. 509 00:18:44,060 --> 00:18:46,409 The login site for the site is down. 510 00:18:46,410 --> 00:18:47,410 Oh, man. 511 00:18:48,350 --> 00:18:50,509 But actually, what can happen 512 00:18:50,510 --> 00:18:52,669 is something much more vast than 513 00:18:52,670 --> 00:18:55,129 that. But you won't know it unless 514 00:18:55,130 --> 00:18:56,719 you are sitting in the SOC and know 515 00:18:56,720 --> 00:18:58,219 exactly what went wrong. 516 00:18:59,480 --> 00:19:02,029 And maybe most of the attacks 517 00:19:02,030 --> 00:19:04,069 do actually hit the front end. 518 00:19:04,070 --> 00:19:06,139 But it doesn't mean by that that the 519 00:19:06,140 --> 00:19:07,249 back end is unimportant.
520 00:19:09,780 --> 00:19:11,909 So in this case, we try to 521 00:19:11,910 --> 00:19:14,009 map the site, we as 522 00:19:14,010 --> 00:19:15,989 attackers want to tackle the back end because 523 00:19:15,990 --> 00:19:18,179 of this notion, we want to attack it 524 00:19:18,180 --> 00:19:20,369 and want to know what to do, 525 00:19:20,370 --> 00:19:22,499 how to designate some kind of a backend 526 00:19:22,500 --> 00:19:25,259 server. So actually, that's easy because 527 00:19:25,260 --> 00:19:26,819 I don't know about easy that actually, 528 00:19:26,820 --> 00:19:29,159 but it's very common for us 529 00:19:29,160 --> 00:19:30,959 to do when when you check a black box 530 00:19:30,960 --> 00:19:33,059 site, you just go to a site and try 531 00:19:33,060 --> 00:19:35,609 to assume what is going on under 532 00:19:35,610 --> 00:19:37,679 under the covers and see what exactly is 533 00:19:37,680 --> 00:19:39,899 happening. But you can't really see 534 00:19:39,900 --> 00:19:41,099 because you're not a developer, you're 535 00:19:41,100 --> 00:19:43,269 just testing the site as a as a hacker, 536 00:19:43,270 --> 00:19:44,270 a penetration tester. 537 00:19:45,270 --> 00:19:47,489 Now, when you decide to try to figure 538 00:19:47,490 --> 00:19:49,619 out where is the database, what is going 539 00:19:49,620 --> 00:19:51,179 on, and that's that's pretty easy. 540 00:19:51,180 --> 00:19:53,279 If you get a query for somewhere, 541 00:19:53,280 --> 00:19:55,409 some search, supposedly it's an 542 00:19:55,410 --> 00:19:57,389 SQL, an SQL server or anything 543 00:19:57,390 --> 00:20:00,029 like that, maybe a file even, but it is 544 00:20:00,030 --> 00:20:01,889 a data set. You can query it. 545 00:20:01,890 --> 00:20:03,959 You can you can do some work on it. 546 00:20:03,960 --> 00:20:06,239 And that's why this notion is 547 00:20:06,240 --> 00:20:07,240 pretty bad.
548 00:20:08,290 --> 00:20:11,169 So the conservers oh, excuse 549 00:20:11,170 --> 00:20:12,170 me. 550 00:20:13,020 --> 00:20:14,849 Some problems there, maybe someone is 551 00:20:14,850 --> 00:20:16,069 using me now. 552 00:20:16,070 --> 00:20:18,599 OK, so 553 00:20:18,600 --> 00:20:21,149 in this case, we have 554 00:20:21,150 --> 00:20:23,249 like to guess something and that's 555 00:20:23,250 --> 00:20:25,379 a pretty easy guess. If you have delays, 556 00:20:25,380 --> 00:20:27,419 if you have inappropriate delays between 557 00:20:27,420 --> 00:20:29,519 searches or between forms, you 558 00:20:29,520 --> 00:20:31,109 can assume that something is going on at 559 00:20:31,110 --> 00:20:32,129 the back end and not in the front. 560 00:20:32,130 --> 00:20:33,569 And the front end doesn't think hard 561 00:20:33,570 --> 00:20:34,599 about something. 562 00:20:34,600 --> 00:20:36,029 That's the whole point. 563 00:20:36,030 --> 00:20:37,859 So if the site is thinking hard about 564 00:20:37,860 --> 00:20:39,269 something, that's the back end. 565 00:20:39,270 --> 00:20:41,399 So you hit gold and you profit from 566 00:20:41,400 --> 00:20:42,599 it when you do DDoS. 567 00:20:50,430 --> 00:20:51,509 And this facepalm. 568 00:20:54,040 --> 00:20:56,019 Is a kitten because you have to be a 569 00:20:56,020 --> 00:20:57,020 kitten to do that. 570 00:20:58,570 --> 00:20:59,740 That's so nice of you. 571 00:21:01,220 --> 00:21:02,220 OK, 572 00:21:03,730 --> 00:21:06,519 number seven, we had 573 00:21:06,520 --> 00:21:08,079 actually a pretty good customer in terms 574 00:21:08,080 --> 00:21:09,080 of relationships.
575 00:21:11,540 --> 00:21:13,879 And he really respected our work 576 00:21:13,880 --> 00:21:15,709 that we did with one of our leaders, and 577 00:21:15,710 --> 00:21:17,869 then he called us again, but 578 00:21:17,870 --> 00:21:20,149 this time he bought a shiny new 579 00:21:20,150 --> 00:21:22,369 box and this shiny 580 00:21:22,370 --> 00:21:24,559 new box cost a fortune, of course, but 581 00:21:24,560 --> 00:21:26,249 any any box does. 582 00:21:28,130 --> 00:21:30,229 And when you buy 583 00:21:30,230 --> 00:21:32,689 a very, very pricey box, 584 00:21:32,690 --> 00:21:34,819 you may be connected to 585 00:21:34,820 --> 00:21:35,899 all of your servers. 586 00:21:35,900 --> 00:21:38,239 We said before that the backend servers 587 00:21:38,240 --> 00:21:40,549 are as important as 588 00:21:40,550 --> 00:21:41,509 the front end. 589 00:21:41,510 --> 00:21:43,669 So protect other domains, connect all 590 00:21:43,670 --> 00:21:45,259 your sites to it, connect to your 591 00:21:45,260 --> 00:21:47,929 corporate machines, your ionno, maybe 592 00:21:47,930 --> 00:21:50,139 your bank. I don't know everything that 593 00:21:50,140 --> 00:21:51,499 that he could figure out how you 594 00:21:51,500 --> 00:21:53,359 connected to this box. 595 00:21:53,360 --> 00:21:55,519 Now you can say to yourself, so what's 596 00:21:55,520 --> 00:21:57,769 the problem? So we get some 597 00:21:57,770 --> 00:22:00,029 extra stuff on 598 00:22:00,030 --> 00:22:01,109 that. 599 00:22:01,110 --> 00:22:03,589 What it is really getting is protection from 600 00:22:03,590 --> 00:22:05,869 us against all of those 601 00:22:05,870 --> 00:22:07,399 domains. 602 00:22:07,400 --> 00:22:09,739 And when we did it, when we did 603 00:22:09,740 --> 00:22:12,109 the actual test, we tried to 604 00:22:12,110 --> 00:22:13,999 figure out what the box is supposed to 605 00:22:14,000 --> 00:22:16,219 do.
Now, we didn't have some issues 606 00:22:16,220 --> 00:22:17,989 of this new box that we didn't know 607 00:22:17,990 --> 00:22:18,990 before. 608 00:22:19,490 --> 00:22:22,069 Its name has to be, to be honest. 609 00:22:22,070 --> 00:22:24,169 And so the mitigation is 610 00:22:24,170 --> 00:22:27,109 pretty, pretty unique. 611 00:22:27,110 --> 00:22:29,179 They have like the strategy of of 612 00:22:29,180 --> 00:22:31,399 the the strategy of it is like 613 00:22:31,400 --> 00:22:33,139 thinking about what is going wrong. 614 00:22:33,140 --> 00:22:34,909 The box is just sitting there for 20 615 00:22:34,910 --> 00:22:37,339 seconds when it suspects 616 00:22:37,340 --> 00:22:39,939 something and after 20 seconds after 617 00:22:39,940 --> 00:22:42,109 we suppose it's building some 618 00:22:42,110 --> 00:22:44,239 kind of a model for the attack 619 00:22:44,240 --> 00:22:47,029 and then it tries automatically 620 00:22:47,030 --> 00:22:49,420 to figure out how to deflect the attack. 621 00:22:51,200 --> 00:22:53,719 This this mechanism is usually 622 00:22:53,720 --> 00:22:55,909 preceded by something called draining of 623 00:22:55,910 --> 00:22:57,019 the lines. 624 00:22:57,020 --> 00:22:58,429 When you have all the lines that are 625 00:22:58,430 --> 00:23:00,139 susceptible, you just drain all the 626 00:23:00,140 --> 00:23:02,449 lines. You just drop it all and then wait 627 00:23:02,450 --> 00:23:04,459 for new lines. And then by the model that 628 00:23:04,460 --> 00:23:06,919 you built, the box can decide 629 00:23:06,920 --> 00:23:08,809 what is going what is going in and what 630 00:23:08,810 --> 00:23:09,810 is not going in. 631 00:23:10,520 --> 00:23:12,589 So when we tried to 632 00:23:12,590 --> 00:23:14,989 attack it, we were we were very scared 633 00:23:14,990 --> 00:23:17,089 because always before the 634 00:23:17,090 --> 00:23:19,429 attack, before attacking the site, we 635 00:23:19,430 --> 00:23:21,589 we gather information about something.
636 00:23:21,590 --> 00:23:23,299 We try to assess what exactly is 637 00:23:23,300 --> 00:23:25,579 happening and mostly the customer does not 638 00:23:25,580 --> 00:23:26,959 need to respond to anything. 639 00:23:26,960 --> 00:23:29,059 We do it non-intrusively and try 640 00:23:29,060 --> 00:23:31,399 to figure out the technological 641 00:23:31,400 --> 00:23:33,439 benefits and technological traps that we 642 00:23:33,440 --> 00:23:35,869 want to overcome. 643 00:23:35,870 --> 00:23:37,679 So in this case, we just read the 644 00:23:37,680 --> 00:23:39,349 brochures and try to figure out some 645 00:23:39,350 --> 00:23:41,749 strategic spasticity the 646 00:23:41,750 --> 00:23:43,969 defenders could do and try to 647 00:23:43,970 --> 00:23:44,869 circumvent it. 648 00:23:44,870 --> 00:23:47,359 So we didn't have something really 649 00:23:47,360 --> 00:23:49,489 good, let's say, to be honest, 650 00:23:49,490 --> 00:23:51,139 when we started to attack. 651 00:23:51,140 --> 00:23:53,509 But exactly twenty seconds, twenty 652 00:23:53,510 --> 00:23:55,699 one seconds later, all 653 00:23:55,700 --> 00:23:56,700 the site went down 654 00:23:57,920 --> 00:23:59,239 from all of the old. 655 00:23:59,240 --> 00:24:01,609 Not only that, six minutes 656 00:24:01,610 --> 00:24:03,859 later, the guys from the blue team get 657 00:24:03,860 --> 00:24:04,860 a call. 658 00:24:05,220 --> 00:24:06,649 Listen, guys, you have to stop the 659 00:24:06,650 --> 00:24:06,949 attack. 660 00:24:06,950 --> 00:24:09,589 Right now someone is very angry. 661 00:24:09,590 --> 00:24:10,729 Why? What is happening? 662 00:24:10,730 --> 00:24:12,379 You knew that this stuff is going on. 663 00:24:12,380 --> 00:24:13,429 We just. 664 00:24:13,430 --> 00:24:14,539 We just shut it off. 665 00:24:14,540 --> 00:24:15,439 It's OK. 666 00:24:15,440 --> 00:24:16,999 We take about two minutes to shut off an 667 00:24:17,000 --> 00:24:19,579 attack and start it if we want to.
668 00:24:19,580 --> 00:24:20,779 So two minutes. 669 00:24:20,780 --> 00:24:22,729 Let's let's let's wait a bit. 670 00:24:22,730 --> 00:24:24,859 It took about one and a half minutes and 671 00:24:24,860 --> 00:24:27,199 then the attack attack was gone, 672 00:24:27,200 --> 00:24:29,629 but none of the servers was responsive. 673 00:24:29,630 --> 00:24:30,630 So 674 00:24:32,570 --> 00:24:34,789 so apparently they were very, 675 00:24:34,790 --> 00:24:35,809 very stressed about it, 676 00:24:37,280 --> 00:24:38,280 I guess. 677 00:24:41,340 --> 00:24:42,340 Not only that, 678 00:24:43,560 --> 00:24:44,909 you said you thought that at the end of 679 00:24:44,910 --> 00:24:47,159 the line, not only that, 680 00:24:47,160 --> 00:24:49,709 is that not only 681 00:24:49,710 --> 00:24:51,959 the domain that we we thought 682 00:24:51,960 --> 00:24:54,449 that we are attacking was down. 683 00:24:54,450 --> 00:24:56,129 All the corporate network was down, of 684 00:24:56,130 --> 00:24:57,839 course, because all the domains were 685 00:24:57,840 --> 00:24:59,880 covered by the box and 686 00:25:01,020 --> 00:25:03,269 because of the behavior of 687 00:25:03,270 --> 00:25:04,589 this kind of shutdown, the complete 688 00:25:04,590 --> 00:25:06,669 shutdown of most of the computers that 689 00:25:06,670 --> 00:25:07,679 they are involved with, the Internet 690 00:25:07,680 --> 00:25:09,869 traffic, some back very back 691 00:25:09,870 --> 00:25:11,549 end let's say second to back end of the 692 00:25:11,550 --> 00:25:13,619 corporate side, it was trying to 693 00:25:13,620 --> 00:25:15,539 communicate to something very crucial to 694 00:25:15,540 --> 00:25:17,939 them without explaining exactly 695 00:25:17,940 --> 00:25:20,009 what.
But let's say some something 696 00:25:20,010 --> 00:25:22,619 went very wrong on the corporate side 697 00:25:22,620 --> 00:25:23,620 and they lost 698 00:25:24,870 --> 00:25:27,029 some some hefty 699 00:25:27,030 --> 00:25:29,099 money about it when they were 700 00:25:29,100 --> 00:25:31,229 dealing with transactions. 701 00:25:31,230 --> 00:25:33,389 So that 702 00:25:33,390 --> 00:25:34,799 was pretty embarrassing. 703 00:25:34,800 --> 00:25:36,929 And you can figure out exactly what 704 00:25:36,930 --> 00:25:39,059 happened when the box was seeing all 705 00:25:39,060 --> 00:25:40,979 of it. By the way, I didn't mention 706 00:25:40,980 --> 00:25:42,989 monitoring. The monitoring itself was 707 00:25:42,990 --> 00:25:45,209 shut down because it was connected 708 00:25:45,210 --> 00:25:46,210 to the box. 709 00:25:54,400 --> 00:25:56,649 So everything went dark in a second 710 00:25:56,650 --> 00:25:58,389 and everyone was stressed, the phones 711 00:25:58,390 --> 00:26:00,729 were orange voice over IP, 712 00:26:00,730 --> 00:26:02,809 so they they were PSTN 713 00:26:02,810 --> 00:26:05,169 or dials and then they 714 00:26:05,170 --> 00:26:07,299 each other and said, OK, guys, let's stop 715 00:26:07,300 --> 00:26:08,619 it. And we stopped. 716 00:26:08,620 --> 00:26:10,869 And then I think it took like seven 717 00:26:10,870 --> 00:26:13,779 hours of actual mitigation, actual 718 00:26:13,780 --> 00:26:16,089 try to bring back the service 719 00:26:16,090 --> 00:26:17,589 to normal operation. 720 00:26:22,460 --> 00:26:23,460 This facepalm 721 00:26:25,010 --> 00:26:26,010 is like that. 722 00:26:30,140 --> 00:26:31,140 OK, No.6, 723 00:26:33,950 --> 00:26:35,389 that's a good one. 724 00:26:35,390 --> 00:26:37,249 I love it. It happens all the time, by 725 00:26:37,250 --> 00:26:39,349 the way. It's not. 
It's pretty 726 00:26:39,350 --> 00:26:41,239 common to encounter nowadays when you 727 00:26:41,240 --> 00:26:43,309 have many vendors that provide 728 00:26:43,310 --> 00:26:45,469 some kind of a cloud based DDoS 729 00:26:45,470 --> 00:26:46,470 mitigation. 730 00:26:47,180 --> 00:26:48,319 We don't trust the vendor. 731 00:26:48,320 --> 00:26:49,699 And that's what they are saying all the 732 00:26:49,700 --> 00:26:51,440 time. We don't give them certificates 733 00:26:54,140 --> 00:26:54,829 shamefully. 734 00:26:54,830 --> 00:26:56,899 That's what happens when when you 735 00:26:56,900 --> 00:26:58,639 rely on third parties that you don't 736 00:26:58,640 --> 00:27:00,559 really know. It's not nothing like the 737 00:27:00,560 --> 00:27:02,699 big five ional providers 738 00:27:02,700 --> 00:27:04,939 that provide some kind of a box or maybe 739 00:27:04,940 --> 00:27:06,839 cloud based mitigation. 740 00:27:06,840 --> 00:27:08,779 But you go with something, maybe a 741 00:27:08,780 --> 00:27:11,059 startup, maybe something in in 742 00:27:11,060 --> 00:27:12,739 its youth when you want to support them. 743 00:27:12,740 --> 00:27:14,989 And maybe it gives you for for free. 744 00:27:14,990 --> 00:27:17,089 Doesn't matter what, but it gives you 745 00:27:17,090 --> 00:27:19,369 some kind of another layer 746 00:27:19,370 --> 00:27:21,619 of security when talking about. 747 00:27:21,620 --> 00:27:24,139 So this kind of defense is is 748 00:27:24,140 --> 00:27:26,419 pretty awesome for us because if we know 749 00:27:26,420 --> 00:27:28,159 that this kind of operation is going on 750 00:27:28,160 --> 00:27:30,229 or we can assume because of the nature of 751 00:27:30,230 --> 00:27:32,869 the relationship with a vendor, 752 00:27:32,870 --> 00:27:35,029 we can say, OK, so HTTPS 753 00:27:35,030 --> 00:27:36,079 is not covered.
754 00:27:36,080 --> 00:27:38,419 So you go with HTTPS and when 755 00:27:38,420 --> 00:27:40,759 we go with HTTPS it it becomes 756 00:27:40,760 --> 00:27:43,079 even even better because 757 00:27:43,080 --> 00:27:45,139 you see, The Hacker's Choice did 758 00:27:45,140 --> 00:27:47,419 a terrific research on renegotiation 759 00:27:47,420 --> 00:27:49,399 for SSL and renegotiation. 760 00:27:49,400 --> 00:27:51,559 SSL was proved by them to 761 00:27:51,560 --> 00:27:53,779 be so effective like 15 times more 762 00:27:53,780 --> 00:27:55,160 for the CPU of the server, 763 00:27:56,780 --> 00:27:59,029 harder that are harder than your own 764 00:27:59,030 --> 00:28:01,249 walk when you when you try to push 765 00:28:01,250 --> 00:28:03,289 your computer to the most. 766 00:28:03,290 --> 00:28:05,779 And it can be actually 767 00:28:05,780 --> 00:28:07,879 pretty, pretty simple to employ 768 00:28:07,880 --> 00:28:09,319 you with only two computers. 769 00:28:10,460 --> 00:28:12,769 But if we're talking about a very large 770 00:28:12,770 --> 00:28:14,509 you two computers will not be enough. 771 00:28:14,510 --> 00:28:16,399 You need like 100. 772 00:28:16,400 --> 00:28:18,559 So if renegotiation is 773 00:28:18,560 --> 00:28:19,699 is present, we'll talk. 774 00:28:19,700 --> 00:28:22,189 We'll we'll attack with renegotiation 775 00:28:22,190 --> 00:28:23,599 and it will be done. 776 00:28:23,600 --> 00:28:25,519 It's really hard to counter this kind of 777 00:28:25,520 --> 00:28:27,919 thing unless you have HTTPS 778 00:28:27,920 --> 00:28:29,869 and you know what exactly is going on on 779 00:28:29,870 --> 00:28:31,189 the line and you can read it. 780 00:28:31,190 --> 00:28:33,079 And the second thing is that not only the 781 00:28:33,080 --> 00:28:35,179 vendor can't protect you, you can't see 782 00:28:35,180 --> 00:28:37,339 anything because you are not actually 783 00:28:37,340 --> 00:28:38,659 processing the data.
784 00:28:38,660 --> 00:28:40,759 Now, you can say and 785 00:28:40,760 --> 00:28:43,009 you will be right that you don't want 786 00:28:43,010 --> 00:28:44,869 anyone else to see your data. 787 00:28:44,870 --> 00:28:45,799 Right. 788 00:28:45,800 --> 00:28:47,989 But the thing is my point is, 789 00:28:47,990 --> 00:28:49,609 if you are not trusting a security 790 00:28:49,610 --> 00:28:51,169 vendor, don't work with him. 791 00:28:51,170 --> 00:28:53,429 That's a that's a pretty simple 792 00:28:53,430 --> 00:28:54,430 advice. 793 00:29:00,830 --> 00:29:02,150 And that's fixable. 794 00:29:04,760 --> 00:29:06,200 They the first one 795 00:29:07,250 --> 00:29:09,319 is the working with a security vendor 796 00:29:09,320 --> 00:29:11,429 that you don't trust, 797 00:29:11,430 --> 00:29:12,430 the second one 798 00:29:13,580 --> 00:29:15,229 is the visibility that you don't give 799 00:29:15,230 --> 00:29:18,079 yourself if HTTPS is not actually 800 00:29:18,080 --> 00:29:19,160 terminated by anyone. 801 00:29:21,660 --> 00:29:22,660 OK. 802 00:29:27,160 --> 00:29:28,160 We need big data. 803 00:29:33,090 --> 00:29:34,090 Collectors'. 804 00:29:37,680 --> 00:29:39,630 It wasn't just rank of some order. 805 00:29:41,980 --> 00:29:42,969 So we need big data. 806 00:29:42,970 --> 00:29:44,769 That's a big word, I don't know if you 807 00:29:44,770 --> 00:29:45,770 heard about it before. 808 00:29:47,800 --> 00:29:49,569 But big data is going to be a trend, I 809 00:29:49,570 --> 00:29:50,570 tell you. 810 00:29:51,850 --> 00:29:52,909 So we need the big data. 811 00:29:52,910 --> 00:29:55,419 Let's collect it all like documents. 812 00:29:55,420 --> 00:29:56,349 We have big data. 813 00:29:56,350 --> 00:29:58,389 We have this we have this netballer 814 00:29:58,390 --> 00:30:00,319 device. We have this network division. 815 00:30:00,320 --> 00:30:02,019 And we want to collect it all. 816 00:30:02,020 --> 00:30:03,699 So that's great for you.
817 00:30:03,700 --> 00:30:05,919 But when you collect it all, you have one 818 00:30:05,920 --> 00:30:08,409 big problem. That's storage 819 00:30:08,410 --> 00:30:09,410 space. 820 00:30:10,480 --> 00:30:12,789 And let's be honest, some protocols 821 00:30:12,790 --> 00:30:14,949 like PCI tell you to 822 00:30:14,950 --> 00:30:16,269 save all the data. 823 00:30:16,270 --> 00:30:18,009 That's something that you have to do. 824 00:30:18,010 --> 00:30:20,229 So maybe it's not it's not only 825 00:30:20,230 --> 00:30:22,149 that you are wrong with their assumption 826 00:30:22,150 --> 00:30:23,889 of just collect the data, don't do 827 00:30:23,890 --> 00:30:26,379 anything with it, just collect it 828 00:30:26,380 --> 00:30:27,380 responsibly. 829 00:30:30,720 --> 00:30:33,629 And when it doesn't happen responsibly, 830 00:30:33,630 --> 00:30:36,449 you have logs and overcoming 831 00:30:36,450 --> 00:30:38,729 some storage boom and Silow 832 00:30:38,730 --> 00:30:39,730 needed. 833 00:30:43,780 --> 00:30:45,189 The result is a complete lockdown. 834 00:30:45,190 --> 00:30:47,079 You don't have to do what you can do 835 00:30:47,080 --> 00:30:49,149 anything on the servers, it's very 836 00:30:49,150 --> 00:30:51,339 hard to operate without, let's say, 837 00:30:51,340 --> 00:30:53,589 Fourcade, for minimum, if 838 00:30:53,590 --> 00:30:55,869 you need something from the from the disk 839 00:30:55,870 --> 00:30:58,029 and maybe the IO itself is breaking 840 00:30:58,030 --> 00:31:00,609 down. But the most susceptible 841 00:31:00,610 --> 00:31:02,439 to those attacks are not servers 842 00:31:02,440 --> 00:31:04,689 themselves because servers can be 843 00:31:04,690 --> 00:31:06,759 cycled through their logs and 844 00:31:06,760 --> 00:31:08,739 most of the network guys know how to do 845 00:31:08,740 --> 00:31:10,959 that. And infrastructure guys.
846 00:31:10,960 --> 00:31:13,299 But something that is overlooked 847 00:31:13,300 --> 00:31:15,369 many times is the networks and 848 00:31:15,370 --> 00:31:17,739 network switches and IDS, IPS, 849 00:31:17,740 --> 00:31:19,929 firewall as well, and maybe the 850 00:31:19,930 --> 00:31:21,759 DDoS mitigation machine that you have, 851 00:31:21,760 --> 00:31:23,769 or maybe the VPN. 852 00:31:23,770 --> 00:31:25,689 And in this case that I want to mention, 853 00:31:25,690 --> 00:31:26,890 it was the IPS, 854 00:31:28,060 --> 00:31:30,489 the IPS. I'll leave the vendor, 855 00:31:30,490 --> 00:31:31,419 of course, alone. 856 00:31:31,420 --> 00:31:33,639 But the IPS wasn't cycling through 857 00:31:33,640 --> 00:31:36,209 its logs and it over 858 00:31:36,210 --> 00:31:38,799 it, it got the storage boom 859 00:31:38,800 --> 00:31:40,929 and then it just disconnected the 860 00:31:40,930 --> 00:31:42,429 whole site. 861 00:31:42,430 --> 00:31:44,589 So even when they wanted to 862 00:31:44,590 --> 00:31:45,909 mitigate the attack, they couldn't 863 00:31:45,910 --> 00:31:47,619 because the IPS was down and because the 864 00:31:47,620 --> 00:31:49,839 IPS was down. No network can 865 00:31:49,840 --> 00:31:52,239 be reached to the site itself and 866 00:31:52,240 --> 00:31:54,549 they couldn't connect to the IPS 867 00:31:54,550 --> 00:31:56,679 because there was no storage room on 868 00:31:56,680 --> 00:31:57,680 the IPS. So 869 00:31:58,750 --> 00:32:00,909 they couldn't fix the problem and they 870 00:32:00,910 --> 00:32:03,009 needed to get to some 871 00:32:03,010 --> 00:32:05,349 bunker and press the button. 872 00:32:05,350 --> 00:32:06,489 I think the correct button. 873 00:32:09,250 --> 00:32:11,499 And that's a facepalm that 874 00:32:11,500 --> 00:32:12,579 is done by a third party. 875 00:32:21,660 --> 00:32:22,660 Number four.
876 00:32:25,300 --> 00:32:26,349 We are under attack 877 00:32:27,550 --> 00:32:29,109 and forced the on-demand scrubbing 878 00:32:29,110 --> 00:32:31,299 service, first of all, there is no such 879 00:32:31,300 --> 00:32:32,949 thing. I don't know if you heard about 880 00:32:32,950 --> 00:32:35,209 it, but on-demand scrubbing service, 881 00:32:35,210 --> 00:32:36,849 scrubbing service is something they need 882 00:32:36,850 --> 00:32:38,229 to learn about your traffic. 883 00:32:38,230 --> 00:32:40,239 You need to know what exactly to scrub 884 00:32:40,240 --> 00:32:41,919 unless you want to teach them. 885 00:32:41,920 --> 00:32:44,019 And that's pretty much impossible 886 00:32:44,020 --> 00:32:45,549 if you are talking about a dynamic 887 00:32:45,550 --> 00:32:47,329 changing site. 888 00:32:47,330 --> 00:32:48,489 But let's leave it. 889 00:32:48,490 --> 00:32:50,079 Let's say there is such a thing like 890 00:32:50,080 --> 00:32:52,329 on-demand scrubbing service. 891 00:32:52,330 --> 00:32:53,330 In this case, 892 00:32:54,460 --> 00:32:56,629 we have learning mode, learning mode, 893 00:32:56,630 --> 00:32:58,149 something very beautiful that lets you 894 00:32:58,150 --> 00:33:00,309 just switch switch off 895 00:33:00,310 --> 00:33:02,139 this kind of responsibility or this kind 896 00:33:02,140 --> 00:33:04,659 of mitigation and just switch it on 897 00:33:04,660 --> 00:33:06,729 when when you want the mitigation 898 00:33:06,730 --> 00:33:09,429 to be actually occurring. 899 00:33:09,430 --> 00:33:11,739 Now, in this case, we had it 900 00:33:11,740 --> 00:33:13,899 was in Australia and 901 00:33:13,900 --> 00:33:16,419 it was an Australian customer and 902 00:33:16,420 --> 00:33:17,439 it's not his fault. 903 00:33:17,440 --> 00:33:19,539 And he used some kind of an 904 00:33:19,540 --> 00:33:22,299 on-demand scrubbing service, such as say, 905 00:33:22,300 --> 00:33:24,669 and the attack was legitimate 906 00:33:24,670 --> 00:33:27,189 traffic.
If you actually know how 907 00:33:27,190 --> 00:33:29,289 legitimate traffic looks like, you can 908 00:33:29,290 --> 00:33:30,429 mimic it pretty easily. 909 00:33:30,430 --> 00:33:32,679 If you use your own tools with other 910 00:33:32,680 --> 00:33:35,079 more robust tools, you can do that 911 00:33:35,080 --> 00:33:36,969 in a good way. 912 00:33:36,970 --> 00:33:39,249 And last, you have to read the manual. 913 00:33:39,250 --> 00:33:41,469 Please do. And they read the manual and 914 00:33:41,470 --> 00:33:43,449 and discovered that the manual itself of 915 00:33:43,450 --> 00:33:45,849 the vendor said that's no, no problem. 916 00:33:45,850 --> 00:33:47,919 We can learn on demand. 917 00:33:49,440 --> 00:33:51,509 I don't I don't really familiar I'm not 918 00:33:51,510 --> 00:33:53,639 familiar with with this notion, but let's 919 00:33:53,640 --> 00:33:56,339 say it's possible and 920 00:33:56,340 --> 00:33:58,559 we'll leave it four minutes from 921 00:33:58,560 --> 00:34:00,659 now when the response was 922 00:34:00,660 --> 00:34:01,660 epic. 923 00:34:02,190 --> 00:34:04,109 Now, the story went like this. 924 00:34:04,110 --> 00:34:06,299 We had the the site 925 00:34:06,300 --> 00:34:08,309 of the customer. We actually attacked it. 926 00:34:08,310 --> 00:34:09,749 And then it was pretty OK, 927 00:34:10,800 --> 00:34:13,109 the we try to to 928 00:34:13,110 --> 00:34:15,178 make ramp up 929 00:34:15,179 --> 00:34:17,669 a ramp up of the attack so we can analyze 930 00:34:17,670 --> 00:34:19,039 what exactly is going on. 931 00:34:19,040 --> 00:34:20,309 So we ramped up then, ramped up to 932 00:34:20,310 --> 00:34:21,029 remember that. 933 00:34:21,030 --> 00:34:23,099 And then when we reached some kind of a 934 00:34:23,100 --> 00:34:25,169 limit, we said, OK, it looks 935 00:34:25,170 --> 00:34:27,339 fine. Do you want us to continue with 936 00:34:27,340 --> 00:34:29,009 the ramp up?
And he said, no, I want to 937 00:34:29,010 --> 00:34:31,350 test the on-demand scrubbing service. 938 00:34:32,940 --> 00:34:35,649 And in the second that he switched 939 00:34:35,650 --> 00:34:37,759 on the on demand 940 00:34:37,760 --> 00:34:39,899 service, I was all was 941 00:34:39,900 --> 00:34:41,550 shut and nothing can be accessed. 942 00:34:42,900 --> 00:34:45,029 And it was pretty impressive because 943 00:34:45,030 --> 00:34:46,948 not only that, it does like that he 944 00:34:46,949 --> 00:34:49,229 didn't have any kind of control over 945 00:34:49,230 --> 00:34:51,029 it. He can't switch it off. 946 00:34:51,030 --> 00:34:53,099 You can you can maybe try to 947 00:34:53,100 --> 00:34:54,539 DNS the incident. 948 00:34:54,540 --> 00:34:56,279 He tried to call the vendor and now 949 00:34:56,280 --> 00:34:58,109 usually we do it overnight because we 950 00:34:58,110 --> 00:35:00,359 want we don't want to hurt customers 951 00:35:00,360 --> 00:35:02,189 that are actually using the site. 952 00:35:02,190 --> 00:35:02,639 True. 953 00:35:02,640 --> 00:35:04,829 This is harmful to us because we want 954 00:35:04,830 --> 00:35:07,709 to actually mimic a true and 955 00:35:07,710 --> 00:35:09,809 not off-peak, but but on 956 00:35:09,810 --> 00:35:11,699 peak hours when we want to actually 957 00:35:11,700 --> 00:35:13,919 attack during Christmastime, 958 00:35:13,920 --> 00:35:14,920 I say 959 00:35:16,200 --> 00:35:18,329 but in this case, of course, it was a 960 00:35:18,330 --> 00:35:20,219 large customer that didn't want to 961 00:35:20,220 --> 00:35:21,929 actually hurt the customers. 962 00:35:21,930 --> 00:35:23,789 So that's negligible. 963 00:35:23,790 --> 00:35:25,859 So he picked up the phone 964 00:35:25,860 --> 00:35:27,389 and called the vendor.
965 00:35:27,390 --> 00:35:29,939 The vendor has a twenty four seven hour 966 00:35:29,940 --> 00:35:31,919 someone that is picking up the phone, 967 00:35:31,920 --> 00:35:33,959 that someone picked up the phone and 968 00:35:33,960 --> 00:35:36,989 looked and and heard about it. 969 00:35:36,990 --> 00:35:39,089 He he was 970 00:35:39,090 --> 00:35:41,159 going on like someone that actually woke 971 00:35:41,160 --> 00:35:42,419 up from sleep. 972 00:35:42,420 --> 00:35:45,239 We would imagine that you were if you 973 00:35:45,240 --> 00:35:46,859 didn't have any kind of communication 974 00:35:46,860 --> 00:35:49,049 with him except his voice. 975 00:35:49,050 --> 00:35:51,389 So he said to the vendor, listen, 976 00:35:51,390 --> 00:35:53,489 I have I have to have your help. 977 00:35:53,490 --> 00:35:54,719 My site is down. 978 00:35:54,720 --> 00:35:57,419 We are six hours to, uh, to, uh, 979 00:35:57,420 --> 00:35:59,259 to actually the morning. 980 00:35:59,260 --> 00:36:00,569 We're six hours from morning. 981 00:36:00,570 --> 00:36:02,249 And when the morning comes, the customer 982 00:36:02,250 --> 00:36:04,709 will try to to exercise and no one can 983 00:36:04,710 --> 00:36:05,849 currently. No one can. 984 00:36:05,850 --> 00:36:08,039 But it's again, it's it's 985 00:36:08,040 --> 00:36:10,019 controlled. So the vendor says, wait a 986 00:36:10,020 --> 00:36:11,609 second, I have to consult with someone. 987 00:36:11,610 --> 00:36:13,919 He consulted with someone and 988 00:36:13,920 --> 00:36:15,509 half an hour passed. 989 00:36:15,510 --> 00:36:17,639 And then he called back to him 990 00:36:17,640 --> 00:36:19,409 and said, OK, OK, we'll we'll try to 991 00:36:19,410 --> 00:36:21,209 figure it out another hour. 992 00:36:21,210 --> 00:36:23,099 And then the scrubbing service was 993 00:36:23,100 --> 00:36:24,179 down.
994 00:36:24,180 --> 00:36:26,489 But the epicness about this is the 995 00:36:26,490 --> 00:36:28,259 answer, the complete answer of the 996 00:36:28,260 --> 00:36:30,389 vendor. The vendor said when when 997 00:36:30,390 --> 00:36:32,939 they were asked, why didn't you 998 00:36:32,940 --> 00:36:35,279 actually tell us that we want 999 00:36:35,280 --> 00:36:37,499 we need to calibrate the, uh, 1000 00:36:37,500 --> 00:36:39,599 the on-demand scrubbing service that that 1001 00:36:39,600 --> 00:36:41,879 was the the thing that he said. 1002 00:36:41,880 --> 00:36:44,069 He said another thing next time buy our 1003 00:36:44,070 --> 00:36:46,199 service of calibrating 1004 00:36:46,200 --> 00:36:47,200 your site. 1005 00:36:55,100 --> 00:36:56,100 That's a good friend. 1006 00:36:58,220 --> 00:36:59,220 And that's. 1007 00:37:02,310 --> 00:37:03,329 A triple facepalm, 1008 00:37:04,660 --> 00:37:06,489 why a triple, because failing at 1009 00:37:06,490 --> 00:37:09,249 protection, working with a vendor 1010 00:37:09,250 --> 00:37:11,110 and the poor vendor's answer. 1011 00:37:13,740 --> 00:37:15,299 We are approaching number one, number 1012 00:37:15,300 --> 00:37:17,639 three, so what CDNs are not 1013 00:37:17,640 --> 00:37:19,949 dynamic, let's enable it. CDN 1014 00:37:19,950 --> 00:37:22,289 is the content distribution network, it is 1015 00:37:22,290 --> 00:37:24,060 pretty popular nowadays in protecting 1016 00:37:25,200 --> 00:37:26,399 against DDoS. 1017 00:37:26,400 --> 00:37:27,959 And that's pretty cool because it 1018 00:37:27,960 --> 00:37:29,999 actually works if you have a spread out 1019 00:37:30,000 --> 00:37:32,189 CDN and you can actually mitigate 1020 00:37:32,190 --> 00:37:34,559 network based, maybe 1021 00:37:34,560 --> 00:37:37,499 even other other based attacks 1022 00:37:37,500 --> 00:37:39,359 to your system. That's cool, right?
1023 00:37:39,360 --> 00:37:41,189 But CDN, as a culture, it's called 1024 00:37:41,190 --> 00:37:43,349 static and dynamic and it's usually 1025 00:37:43,350 --> 00:37:45,599 marketing, but most of the CDNs 1026 00:37:45,600 --> 00:37:46,769 are static. 1027 00:37:46,770 --> 00:37:49,169 Static means that it can pull off 1028 00:37:49,170 --> 00:37:51,029 some requests for your site from static 1029 00:37:51,030 --> 00:37:52,709 data, not something like searchable 1030 00:37:52,710 --> 00:37:53,849 queries and stuff. 1031 00:37:53,850 --> 00:37:56,159 And then you can cache 1032 00:37:56,160 --> 00:37:58,349 this 1033 00:37:58,350 --> 00:38:00,539 data on the CDN and 1034 00:38:00,540 --> 00:38:02,699 via that other customers can benefit from 1035 00:38:02,700 --> 00:38:04,799 no lag at all 1036 00:38:04,800 --> 00:38:06,329 from the CDN. 1037 00:38:06,330 --> 00:38:08,669 Now, when a CDN tells you that it's 1038 00:38:08,670 --> 00:38:10,529 not dynamic, which is good, which you 1039 00:38:10,530 --> 00:38:13,079 should know about, and you use your site, 1040 00:38:13,080 --> 00:38:15,179 which is dynamic, on this CDN, 1041 00:38:15,180 --> 00:38:17,879 it can be very, very devastating. 1042 00:38:17,880 --> 00:38:18,880 Now why? 1043 00:38:20,340 --> 00:38:22,409 Because the thing is that it works like 1044 00:38:22,410 --> 00:38:24,719 that. If you have a CDN 1045 00:38:24,720 --> 00:38:26,999 and the CDN is getting 1046 00:38:27,000 --> 00:38:29,100 a request from an attacker or just 1047 00:38:30,240 --> 00:38:32,609 a regular user, it asks for 1048 00:38:32,610 --> 00:38:33,639 some kind of a landing page.
1049 00:38:33,640 --> 00:38:35,849 Let's say, if the landing page 1050 00:38:35,850 --> 00:38:38,459 was visited by someone 1051 00:38:38,460 --> 00:38:40,709 else in the vicinity of the CDN, it will 1052 00:38:40,710 --> 00:38:42,719 know how to respond and then respond from 1053 00:38:42,720 --> 00:38:43,739 its own cache. 1054 00:38:43,740 --> 00:38:45,989 If it wasn't 1055 00:38:45,990 --> 00:38:48,409 asked by someone at that 1056 00:38:48,410 --> 00:38:50,769 given time, it will itself issue 1057 00:38:50,770 --> 00:38:52,949 a request to the origin. 1058 00:38:52,950 --> 00:38:55,109 The origin is the actual domain that no 1059 00:38:55,110 --> 00:38:56,429 one should access except the CDN. 1060 00:38:56,430 --> 00:38:58,559 And it will ask the 1061 00:38:58,560 --> 00:39:00,489 origin about this request, 1062 00:39:00,490 --> 00:39:02,099 get it back and then get back, 1063 00:39:02,100 --> 00:39:03,959 get back to the customer, to the 1064 00:39:03,960 --> 00:39:05,609 user. And an attacker will do the 1065 00:39:05,610 --> 00:39:07,379 same. But the attacker does not know, 1066 00:39:07,380 --> 00:39:08,999 we'll get to it in a second, 1067 00:39:09,000 --> 00:39:11,159 does not know where the origin is and 1068 00:39:11,160 --> 00:39:12,389 how to ask it directly. 1069 00:39:12,390 --> 00:39:13,679 You need to ask the CDN about 1070 00:39:13,680 --> 00:39:16,139 something in the DNS that the CDN 1071 00:39:16,140 --> 00:39:18,359 is issuing, is giving him 1072 00:39:18,360 --> 00:39:20,459 the closest CDN that 1073 00:39:20,460 --> 00:39:22,499 he needs to think about when he's 1074 00:39:22,500 --> 00:39:23,819 talking about the site. 1075 00:39:23,820 --> 00:39:26,219 So in this case, we have 1076 00:39:26,220 --> 00:39:27,220 an origin 1077 00:39:28,350 --> 00:39:31,379 that is getting so many requests.
1078 00:39:31,380 --> 00:39:33,479 So that's wrong if you're using 1079 00:39:33,480 --> 00:39:34,259 dynamic. 1080 00:39:34,260 --> 00:39:36,479 The thing is that dynamic is pretty 1081 00:39:36,480 --> 00:39:38,759 easy to DDoS, because if 1082 00:39:38,760 --> 00:39:40,409 it's dynamic, the CDN, meaning 1083 00:39:40,410 --> 00:39:42,659 that it will need to issue each and every 1084 00:39:42,660 --> 00:39:44,979 one of the requests if it's a 1085 00:39:44,980 --> 00:39:47,249 different parameter or value for 1086 00:39:47,250 --> 00:39:48,869 those parameters, it will need to 1087 00:39:48,870 --> 00:39:50,999 issue each and every one of them. 1088 00:39:51,000 --> 00:39:53,249 All we need to do is just requesting 1089 00:39:53,250 --> 00:39:55,829 from the CDN data with parameters 1090 00:39:55,830 --> 00:39:57,959 that it didn't know: the same page, 1091 00:39:57,960 --> 00:39:59,729 other parameters, sometimes even 1092 00:39:59,730 --> 00:40:01,049 parameters that don't exist in the 1093 00:40:01,050 --> 00:40:02,789 site. But it doesn't matter. 1094 00:40:02,790 --> 00:40:04,379 It will issue a 1095 00:40:04,380 --> 00:40:05,939 request for the site because it doesn't 1096 00:40:05,940 --> 00:40:08,039 know the correct URL for that 1097 00:40:08,040 --> 00:40:10,259 and it doesn't have it in cache. 1098 00:40:10,260 --> 00:40:12,479 So one of our customers did exactly 1099 00:40:12,480 --> 00:40:14,549 that, used a CDN on a 1100 00:40:14,550 --> 00:40:16,889 dynamic site, and we easily, 1101 00:40:16,890 --> 00:40:19,229 they just DDoSed his machine.
1102 00:40:19,230 --> 00:40:21,479 Another thing about CDNs, which 1103 00:40:21,480 --> 00:40:23,459 is not exclusively for dynamic but for 1104 00:40:23,460 --> 00:40:25,919 dynamics is much more devastating, is 1105 00:40:25,920 --> 00:40:28,469 that if you monitor your origin, 1106 00:40:28,470 --> 00:40:30,449 many of the CDNs do not give you 1107 00:40:30,450 --> 00:40:33,419 actual tools for monitoring 1108 00:40:33,420 --> 00:40:35,489 like traffic, like you had your 1109 00:40:35,490 --> 00:40:37,559 own machine and you monitor that as 1110 00:40:37,560 --> 00:40:39,629 good as you can, and maybe some 1111 00:40:39,630 --> 00:40:40,799 kind of tools that you get from the 1112 00:40:40,800 --> 00:40:42,510 vendor of the CDN. 1113 00:40:45,160 --> 00:40:47,289 And actually, when you try to 1114 00:40:47,290 --> 00:40:49,719 mitigate it on your sites, 1115 00:40:49,720 --> 00:40:51,999 you actually many times can't, 1116 00:40:52,000 --> 00:40:53,919 because you can't see the actual attacker 1117 00:40:53,920 --> 00:40:55,989 and you can't blacklist the attacker or 1118 00:40:55,990 --> 00:40:57,519 something. You just see requests from the 1119 00:40:57,520 --> 00:40:59,589 CDN. And if you block the CDN 1120 00:40:59,590 --> 00:41:01,679 itself, that's good for us. 1121 00:41:05,400 --> 00:41:08,219 OK, and that deserves 1122 00:41:08,220 --> 00:41:10,379 a distributed collage 1123 00:41:10,380 --> 00:41:11,380 of facepalm. 1124 00:41:19,940 --> 00:41:22,579 Number two, again, CDN. 1125 00:41:22,580 --> 00:41:25,339 It is pretty exciting for me because 1126 00:41:25,340 --> 00:41:27,470 no one knows how to protect CDNs. 1127 00:41:28,790 --> 00:41:31,189 And when someone searches the Web, 1128 00:41:31,190 --> 00:41:33,019 in this case some obscure site name, 1129 00:41:33,020 --> 00:41:35,149 Google will use it for 1130 00:41:35,150 --> 00:41:37,549 finding how to protect 1131 00:41:37,550 --> 00:41:38,659 a CDN origin.
1132 00:41:38,660 --> 00:41:40,339 That's the best phrasing that we 1133 00:41:40,340 --> 00:41:42,759 could work out, and 1134 00:41:42,760 --> 00:41:44,179 the first one after the 1135 00:41:45,590 --> 00:41:48,829 one which is advertisement, 1136 00:41:48,830 --> 00:41:50,419 you have the "how to protect your CDN 1137 00:41:50,420 --> 00:41:52,069 origin". So let's click on that, what do you 1138 00:41:52,070 --> 00:41:53,070 say? 1139 00:41:53,450 --> 00:41:55,849 OK, we clicked on that and that's magic. 1140 00:41:55,850 --> 00:41:58,429 And then we have several 1141 00:41:58,430 --> 00:42:00,559 recommendations how to mitigate and how 1142 00:42:00,560 --> 00:42:02,659 to protect your CDN and your CDN 1143 00:42:02,660 --> 00:42:03,660 origin. 1144 00:42:04,330 --> 00:42:06,429 And just magnified for you: this 1145 00:42:06,430 --> 00:42:08,559 is a simple trick and it is also the 1146 00:42:08,560 --> 00:42:11,169 best solution. Create some random 1147 00:42:11,170 --> 00:42:13,479 long set of alphabetic characters 1148 00:42:13,480 --> 00:42:15,039 and use that as a subdomain. 1149 00:42:16,060 --> 00:42:17,829 Even more. So can it be guessed? 1150 00:42:17,830 --> 00:42:19,359 Yes, but highly unlikely. 1151 00:42:19,360 --> 00:42:20,499 Can it be linked? 1152 00:42:20,500 --> 00:42:22,419 Yes, but again, highly unlikely. 1153 00:42:24,190 --> 00:42:25,869 There was much rejoicing reading those 1154 00:42:25,870 --> 00:42:26,870 lines. 1155 00:42:28,430 --> 00:42:29,430 Why so? 1156 00:42:30,920 --> 00:42:31,920 Let's talk about it. 1157 00:42:34,320 --> 00:42:36,539 So the tactic is like 1158 00:42:36,540 --> 00:42:39,119 that: find other subdomains, 1159 00:42:39,120 --> 00:42:41,639 DNS that translates to IPs, scan 1160 00:42:41,640 --> 00:42:43,139 the hell out of it. 1161 00:42:43,140 --> 00:42:45,509 It's a C class, /24, 1162 00:42:45,510 --> 00:42:46,769 /16.
1163 00:42:46,770 --> 00:42:48,689 Good chances, but it's not 1164 00:42:48,690 --> 00:42:50,519 bulletproof. You can actually 1165 00:42:50,520 --> 00:42:53,579 miss a lot of those origins 1166 00:42:53,580 --> 00:42:55,139 from the actual name. 1167 00:42:55,140 --> 00:42:57,149 But something that is much more probable 1168 00:42:57,150 --> 00:42:59,339 to find out is the WHOIS. 1169 00:42:59,340 --> 00:43:01,499 WHOIS never forgets. I mean, 1170 00:43:01,500 --> 00:43:03,029 it is forgetting, because WHOIS is 1171 00:43:03,030 --> 00:43:05,219 dynamic. But you have WHOIS histories 1172 00:43:05,220 --> 00:43:07,289 online and you can check 1173 00:43:07,290 --> 00:43:09,929 WHOIS history or the history of 1174 00:43:09,930 --> 00:43:12,059 domains. And then when you check it, you 1175 00:43:12,060 --> 00:43:13,619 figure out, and we figured it out in this 1176 00:43:13,620 --> 00:43:15,719 case, that if we 1177 00:43:15,720 --> 00:43:17,529 want to serve some of our customers 1178 00:43:17,530 --> 00:43:19,619 that actually bought this kind of service 1179 00:43:19,620 --> 00:43:21,209 and try to protect against it, we 1180 00:43:21,210 --> 00:43:22,739 figure out how we can know what is the 1181 00:43:22,740 --> 00:43:23,999 origin. Who wants to attack the 1182 00:43:24,000 --> 00:43:25,769 origin? Everything is static. 1183 00:43:25,770 --> 00:43:27,959 It's pretty hard to attack static 1184 00:43:27,960 --> 00:43:30,359 sites unless 1185 00:43:30,360 --> 00:43:31,859 we have a subdomain or unless we have 1186 00:43:31,860 --> 00:43:34,019 another origin that we know 1187 00:43:34,020 --> 00:43:36,089 will be hurt by 1188 00:43:36,090 --> 00:43:38,039 our attack. And we can just attack 1189 00:43:38,040 --> 00:43:40,019 some obscure subdomain. 1190 00:43:40,020 --> 00:43:42,029 We need to know what we are attacking, to 1191 00:43:42,030 --> 00:43:43,079 some extent.
Of course, 1192 00:43:44,490 --> 00:43:46,919 because of the backend that doesn't 1193 00:43:46,920 --> 00:43:48,479 really, isn't really 1194 00:43:48,480 --> 00:43:51,089 deterministic all the time, so 1195 00:43:51,090 --> 00:43:53,009 we never forget. So we look online. 1196 00:43:53,010 --> 00:43:54,929 In this case, I'm just giving an example 1197 00:43:54,930 --> 00:43:57,239 for a malicious infected site 1198 00:43:57,240 --> 00:43:58,649 named Big Dot Com. 1199 00:43:58,650 --> 00:44:00,749 And this site is 1200 00:44:00,750 --> 00:44:02,909 covered with WHOIS history that you 1201 00:44:02,910 --> 00:44:05,009 can pull off from ViewDNS in this case. 1202 00:44:05,010 --> 00:44:06,779 But there are many other services for 1203 00:44:06,780 --> 00:44:08,939 WHOIS history. And then we actually thought 1204 00:44:08,940 --> 00:44:10,919 about it: when you buy a CDN and you don't 1205 00:44:10,920 --> 00:44:13,139 actually change the last IP 1206 00:44:13,140 --> 00:44:15,059 of your site, you're just giving it out to 1207 00:44:15,060 --> 00:44:18,059 the actual content provider. 1208 00:44:18,060 --> 00:44:19,979 And then if you look up the WHOIS 1209 00:44:19,980 --> 00:44:21,929 history, the last one or maybe the one 1210 00:44:21,930 --> 00:44:24,149 before that, you actually hit the jackpot, 1211 00:44:24,150 --> 00:44:26,579 because this is the IP 1212 00:44:26,580 --> 00:44:27,599 of the origin. 1213 00:44:27,600 --> 00:44:29,489 And that's exactly what we did. 1214 00:44:29,490 --> 00:44:31,709 And that's exactly what happened when the 1215 00:44:31,710 --> 00:44:33,719 site went down and the customer said to 1216 00:44:33,720 --> 00:44:36,089 us that he doesn't see anything 1217 00:44:36,090 --> 00:44:37,090 on the CDN. 1218 00:44:43,230 --> 00:44:44,230 That's around. 1219 00:44:51,980 --> 00:44:52,980 Number one.
1220 00:44:55,180 --> 00:44:58,039 OK, that's something personal, 1221 00:44:58,040 --> 00:45:01,219 because in this case, 1222 00:45:01,220 --> 00:45:03,379 again, the 1223 00:45:03,380 --> 00:45:05,449 actual person that 1224 00:45:05,450 --> 00:45:07,339 bought the service from us was the 1225 00:45:07,340 --> 00:45:09,079 security officer of the organization, a 1226 00:45:09,080 --> 00:45:10,969 big organization in Israel in this case. 1227 00:45:12,200 --> 00:45:14,539 And this organization 1228 00:45:14,540 --> 00:45:16,699 was very, let's say, 1229 00:45:16,700 --> 00:45:17,689 politically savvy. 1230 00:45:17,690 --> 00:45:20,179 So it was very 1231 00:45:20,180 --> 00:45:22,099 vicious in their attempts to block the 1232 00:45:22,100 --> 00:45:23,100 attack. 1233 00:45:24,080 --> 00:45:26,419 So as I said, during 1234 00:45:26,420 --> 00:45:28,429 this week of research before the attack, 1235 00:45:28,430 --> 00:45:30,079 which is nonintrusive, we try to figure 1236 00:45:30,080 --> 00:45:32,419 out how the mitigation works from low, 1237 00:45:32,420 --> 00:45:35,089 low-impact attacks and stuff, without 1238 00:45:35,090 --> 00:45:36,769 actually impacting anything. 1239 00:45:37,850 --> 00:45:39,349 We try to figure out what is going on. 1240 00:45:39,350 --> 00:45:41,569 And we saw that the mitigation that 1241 00:45:41,570 --> 00:45:43,549 they invented was amazing. 1242 00:45:43,550 --> 00:45:45,739 Like, we have one server and we are 1243 00:45:45,740 --> 00:45:46,759 attacking from this server.
1244 00:45:46,760 --> 00:45:48,979 And from this on, 1245 00:45:48,980 --> 00:45:51,049 the blacklist is not falling just 1246 00:45:51,050 --> 00:45:53,179 on our server, but all of our servers 1247 00:45:53,180 --> 00:45:55,699 worldwide, or just a branch of our servers 1248 00:45:55,700 --> 00:45:57,939 in some place, for 1249 00:45:57,940 --> 00:45:59,719 instance, in this example, in the United 1250 00:45:59,720 --> 00:46:02,719 States. And we try to figure out why. 1251 00:46:02,720 --> 00:46:04,549 Why is that? If you are attacking from one 1252 00:46:04,550 --> 00:46:06,949 source, how come you can mitigate 1253 00:46:06,950 --> 00:46:09,469 all the sources from this area? And 1254 00:46:09,470 --> 00:46:11,509 the suspected answer, 1255 00:46:11,510 --> 00:46:13,279 and in this case the correct answer, was 1256 00:46:13,280 --> 00:46:15,229 that the mitigation worked like that. 1257 00:46:15,230 --> 00:46:17,449 If you see an IP, if the system 1258 00:46:17,450 --> 00:46:19,759 raises up an alert and then an IP 1259 00:46:19,760 --> 00:46:22,069 is raised, then it doesn't block 1260 00:46:22,070 --> 00:46:23,509 only the IP. 1261 00:46:23,510 --> 00:46:25,759 Remember, he wants to block us, not an 1262 00:46:25,760 --> 00:46:27,049 attacker. And he knows that we are 1263 00:46:27,050 --> 00:46:28,939 limited with our resources, 1264 00:46:28,940 --> 00:46:30,889 because, as I said, we are 1265 00:46:30,890 --> 00:46:32,479 as legitimate as possible. 1266 00:46:32,480 --> 00:46:34,699 So when he tried 1267 00:46:34,700 --> 00:46:36,769 to mitigate us, he said to himself, 1268 00:46:36,770 --> 00:46:38,929 OK, you have some botnet that you leased or 1269 00:46:38,930 --> 00:46:41,149 bought somewhere and this will be 1270 00:46:41,150 --> 00:46:42,949 some kind of a cluster of IPs, which 1271 00:46:42,950 --> 00:46:44,119 was correct in this case.
1272 00:46:44,120 --> 00:46:46,249 Most of our servers do like 1273 00:46:46,250 --> 00:46:48,829 that. So it didn't just 1274 00:46:48,830 --> 00:46:51,379 block us. He blocked the whole /16 1275 00:46:51,380 --> 00:46:52,380 site. 1276 00:47:02,360 --> 00:47:03,949 I'm hoping that you are not cheering for 1277 00:47:03,950 --> 00:47:04,950 him, because. 1278 00:47:07,730 --> 00:47:09,919 So, for example, in Germany you 1279 00:47:09,920 --> 00:47:12,439 have like one hundred sixteen million 1280 00:47:12,440 --> 00:47:13,909 IPs. In Israel 1281 00:47:13,910 --> 00:47:15,319 it's much, much smaller, but you can 1282 00:47:15,320 --> 00:47:16,519 extrapolate. 1283 00:47:16,520 --> 00:47:18,619 So if you 1284 00:47:18,620 --> 00:47:20,809 have 160 million 1285 00:47:20,810 --> 00:47:23,119 IPs, you have about, 1286 00:47:23,120 --> 00:47:25,689 roughly, of course, one hundred thousand 1287 00:47:25,690 --> 00:47:28,129 eight hundred class 1288 00:47:28,130 --> 00:47:29,389 ranges. Right. 1289 00:47:29,390 --> 00:47:31,519 So if 1290 00:47:31,520 --> 00:47:34,219 we have only a hundred 1291 00:47:34,220 --> 00:47:36,289 IPs that we need to hit, 1292 00:47:36,290 --> 00:47:39,229 and we can, let's say, 1293 00:47:39,230 --> 00:47:40,309 spoof the SYN, 1294 00:47:41,900 --> 00:47:43,669 we can actually block all of the 1295 00:47:43,670 --> 00:47:45,739 customer's nation, if the 1296 00:47:45,740 --> 00:47:47,539 nation is applicable. The customer in this 1297 00:47:47,540 --> 00:47:49,759 case, insurance, is probable 1298 00:47:49,760 --> 00:47:51,829 to have customers coming from this 1299 00:47:51,830 --> 00:47:52,339 nation. 1300 00:47:52,340 --> 00:47:54,319 And in this case, Israel, as I said, is 1301 00:47:54,320 --> 00:47:56,389 very small. And so 1302 00:47:56,390 --> 00:47:58,280 we told them a bit so.
1303 00:48:09,130 --> 00:48:11,199 So think of a monkey just typing 1304 00:48:11,200 --> 00:48:13,539 IPs like crazy, and then it just blocks 1305 00:48:13,540 --> 00:48:15,729 the whole nation by itself and he 1306 00:48:15,730 --> 00:48:18,189 can't do anything about it, because 1307 00:48:18,190 --> 00:48:20,469 50 minutes after the 1308 00:48:20,470 --> 00:48:22,689 actual attacks have started, it's 1309 00:48:22,690 --> 00:48:24,909 inflicted on all the nation. 1310 00:48:24,910 --> 00:48:27,549 And before, the 15 minutes or like, 1311 00:48:27,550 --> 00:48:29,799 like half the time of that, 1312 00:48:29,800 --> 00:48:31,819 he blocked himself so he couldn't see 1313 00:48:31,820 --> 00:48:32,820 the. 1314 00:48:42,560 --> 00:48:44,750 And now you can see why it's my favorite. 1315 00:48:47,300 --> 00:48:49,969 Now, remember what I told you about the 1316 00:48:49,970 --> 00:48:52,699 mega facepalm that you will give me, remember? 1317 00:48:52,700 --> 00:48:53,779 So that's the one. 1318 00:48:53,780 --> 00:48:55,939 But I don't see you facepalming, 1319 00:48:55,940 --> 00:48:58,280 so I brought my own picture. 1320 00:49:08,290 --> 00:49:10,089 And actually, I think it's kind of a 1321 00:49:10,090 --> 00:49:12,249 tradition, so if you may facepalm 1322 00:49:12,250 --> 00:49:13,250 yourself for a second. 1323 00:49:17,610 --> 00:49:18,639 That's OK, right? 1324 00:49:18,640 --> 00:49:19,949 Right, let's say it's OK. 1325 00:49:31,700 --> 00:49:33,199 OK, so 1326 00:49:35,270 --> 00:49:36,429 I thought about it, 1327 00:49:38,180 --> 00:49:40,909 maybe the most important one is: test. 1328 00:49:40,910 --> 00:49:41,959 Don't be afraid to test. 1329 00:49:41,960 --> 00:49:43,549 Many of our customers didn't know that 1330 00:49:43,550 --> 00:49:45,649 such services are in 1331 00:49:45,650 --> 00:49:47,149 existence. And we are not the only one 1332 00:49:47,150 --> 00:49:48,670 that is providing this kind of service.
1333 00:49:49,850 --> 00:49:51,289 We know. 1334 00:49:51,290 --> 00:49:52,290 So 1335 00:49:53,750 --> 00:49:54,649 there is no magic pill. 1336 00:49:54,650 --> 00:49:56,389 You have to be an architect to understand 1337 00:49:56,390 --> 00:49:58,489 that. It implies not only the front 1338 00:49:58,490 --> 00:50:00,619 end of the place, all your network, all 1339 00:50:00,620 --> 00:50:02,749 your computers, maybe even more than 1340 00:50:02,750 --> 00:50:05,179 that, maybe your phones and emails. 1341 00:50:06,770 --> 00:50:08,989 But test it. And you 1342 00:50:08,990 --> 00:50:10,999 have all the money and all the toys; 1343 00:50:11,000 --> 00:50:13,189 if you just deploy it without thinking, 1344 00:50:13,190 --> 00:50:15,169 it will fail you. 1345 00:50:15,170 --> 00:50:17,419 So please be 1346 00:50:17,420 --> 00:50:18,439 responsible about it. 1347 00:50:18,440 --> 00:50:19,730 And one last promise. 1348 00:50:22,630 --> 00:50:24,129 If you wanna do that, you can be 1349 00:50:24,130 --> 00:50:26,259 evaluated to this presentation in 1350 00:50:26,260 --> 00:50:27,260 the future. 1351 00:50:37,250 --> 00:50:38,250 Thank you. 1352 00:50:40,360 --> 00:50:43,239 We now have about 10 minutes for Q&A. 1353 00:50:43,240 --> 00:50:45,459 So, as always, please line 1354 00:50:45,460 --> 00:50:47,709 up at the microphones or 1355 00:50:47,710 --> 00:50:49,959 use the Internet to ask, on IRC 1356 00:50:49,960 --> 00:50:50,960 or Twitter. 1357 00:50:51,730 --> 00:50:53,049 We have a person reading out your 1358 00:50:53,050 --> 00:50:54,699 questions here. 1359 00:50:54,700 --> 00:50:56,589 And if you leave, as always, please be 1360 00:50:56,590 --> 00:50:58,659 very, very quiet, because 1361 00:50:58,660 --> 00:51:00,789 the talk is not over. It's going to go on 1362 00:51:00,790 --> 00:51:02,919 for ten more minutes. So please be 1363 00:51:02,920 --> 00:51:03,920 very quiet. 1364 00:51:04,720 --> 00:51:06,069 Microphone.
1365 00:51:06,070 --> 00:51:07,059 No, no, no. 1366 00:51:07,060 --> 00:51:08,349 You're not hearing? It's not hearing. 1367 00:51:13,240 --> 00:51:14,240 Any questions? 1368 00:51:17,390 --> 00:51:18,590 OK, the Internet. 1369 00:51:25,720 --> 00:51:27,460 You need to switch on the microphone. 1370 00:51:31,500 --> 00:51:33,569 Should I ask my ISP before a 1371 00:51:33,570 --> 00:51:35,099 DDoS or not? 1372 00:51:35,100 --> 00:51:37,619 Oh, that's, so if they 1373 00:51:37,620 --> 00:51:39,599 wanted, us is included in the. 1374 00:51:41,130 --> 00:51:43,409 So that's partly a 1375 00:51:43,410 --> 00:51:45,629 legal question and partly a 1376 00:51:45,630 --> 00:51:47,579 tactical question, let's say, for the 1377 00:51:47,580 --> 00:51:50,069 sake of evaluating your security. 1378 00:51:50,070 --> 00:51:52,229 I won't touch the legal sections because 1379 00:51:52,230 --> 00:51:53,759 I'm not a lawyer. 1380 00:51:53,760 --> 00:51:55,859 And for the legal section, you 1381 00:51:55,860 --> 00:51:57,539 have to consult your law department, 1382 00:51:57,540 --> 00:51:59,669 if you have such a 1383 00:51:59,670 --> 00:52:01,409 department. For the other part, 1384 00:52:02,550 --> 00:52:04,649 it depends on what is your focus 1385 00:52:04,650 --> 00:52:06,239 on the testing. If you are 1386 00:52:06,240 --> 00:52:08,339 focusing on testing the system as 1387 00:52:08,340 --> 00:52:10,409 a whole, if you are looking at the whole 1388 00:52:10,410 --> 00:52:12,059 to get all the mitigation factors that 1389 00:52:12,060 --> 00:52:14,219 you put into place, in my opinion 1390 00:52:14,220 --> 00:52:16,289 it's important not to notify the ISP if 1391 00:52:16,290 --> 00:52:18,389 possible. But if it's not 1392 00:52:18,390 --> 00:52:19,829 possible, of course, 1393 00:52:19,830 --> 00:52:20,830 notify. 1394 00:52:23,060 --> 00:52:25,669 Microphone number three, please.
1395 00:52:25,670 --> 00:52:28,009 Hey, so there 1396 00:52:28,010 --> 00:52:30,169 are techniques that, for example, 1397 00:52:30,170 --> 00:52:32,389 CloudFlare has, this project called 1398 00:52:32,390 --> 00:52:34,489 Railgun, where they diff the 1399 00:52:34,490 --> 00:52:36,799 websites and 1400 00:52:36,800 --> 00:52:39,349 sort of not request the full website. 1401 00:52:39,350 --> 00:52:41,449 I don't know really how they do it, but 1402 00:52:41,450 --> 00:52:42,829 does this have any impact? 1403 00:52:42,830 --> 00:52:44,339 Can you see this when you DDoS? 1404 00:52:44,340 --> 00:52:47,029 Does this help at all or is this just. 1405 00:52:47,030 --> 00:52:48,559 Yeah, OK. 1406 00:52:48,560 --> 00:52:50,869 This, um, usually 1407 00:52:50,870 --> 00:52:52,309 we test with black box. 1408 00:52:52,310 --> 00:52:53,839 It means, like, testing 1409 00:52:53,840 --> 00:52:55,969 we don't really know what exactly 1410 00:52:55,970 --> 00:52:57,499 is happening on the other side, except 1411 00:52:57,500 --> 00:53:00,489 what the blue team is being fed 1412 00:53:00,490 --> 00:53:02,900 also, or seen by the customer. 1413 00:53:04,100 --> 00:53:06,859 Such examples as CloudFlare and others 1414 00:53:06,860 --> 00:53:09,139 are examples of 1415 00:53:09,140 --> 00:53:11,389 partly participating factors in 1416 00:53:11,390 --> 00:53:13,699 the attacks and the testing, because 1417 00:53:13,700 --> 00:53:15,949 they didn't provide us with much 1418 00:53:15,950 --> 00:53:17,239 of the explanation that we wanted. 1419 00:53:17,240 --> 00:53:19,189 Actually, I'm not 1420 00:53:19,190 --> 00:53:20,779 talking about CloudFlare, because 1421 00:53:20,780 --> 00:53:22,519 actually, we're not going to figure that, 1422 00:53:22,520 --> 00:53:24,559 we've never tested something with 1423 00:53:24,560 --> 00:53:25,999 CloudFlare in mind. 1424 00:53:26,000 --> 00:53:28,279 Not that I know of.
1425 00:53:28,280 --> 00:53:30,019 It wasn't effective, actually. 1426 00:53:30,020 --> 00:53:32,089 And let's say other 1427 00:53:32,090 --> 00:53:34,279 vendors similar to CloudFlare have 1428 00:53:34,280 --> 00:53:37,009 approached us and usually 1429 00:53:37,010 --> 00:53:39,139 put up some difficulties. 1430 00:53:39,140 --> 00:53:40,219 I'm not talking about technical 1431 00:53:40,220 --> 00:53:41,389 difficulties, more political 1432 00:53:41,390 --> 00:53:42,349 difficulties. 1433 00:53:42,350 --> 00:53:44,119 Let me know when you are doing it, 1434 00:53:44,120 --> 00:53:45,619 with the legal stuff it's not correct, 1435 00:53:45,620 --> 00:53:47,929 you can do it and you have only 1436 00:53:47,930 --> 00:53:49,819 ten minutes of time, and something like 1437 00:53:49,820 --> 00:53:51,709 that. So something like Railgun and 1438 00:53:51,710 --> 00:53:54,079 similar is not employed, 1439 00:53:54,080 --> 00:53:56,179 hasn't been employed in our 1440 00:53:56,180 --> 00:53:57,649 testing yet. 1441 00:53:57,650 --> 00:53:59,719 I hope it, uh, it answers your 1442 00:53:59,720 --> 00:54:00,720 question. 1443 00:54:01,830 --> 00:54:03,989 Microphone number two, please. 1444 00:54:03,990 --> 00:54:05,789 How often do you find your customers were 1445 00:54:05,790 --> 00:54:07,949 protected when you got there the 1446 00:54:07,950 --> 00:54:08,950 first time? 1447 00:54:11,040 --> 00:54:13,289 Let me put it that 1448 00:54:13,290 --> 00:54:14,189 way. 1449 00:54:14,190 --> 00:54:16,769 When we conducted tests. 1450 00:54:17,850 --> 00:54:20,099 It is important to say that I'm 1451 00:54:20,100 --> 00:54:22,049 not continuing these tests anymore. 1452 00:54:22,050 --> 00:54:24,269 Like, two months from now, 1453 00:54:24,270 --> 00:54:25,270 I'm off.
1454 00:54:27,270 --> 00:54:28,949 When we conducted these tests, 1455 00:54:30,000 --> 00:54:32,219 we actually did, we 1456 00:54:32,220 --> 00:54:34,499 took a length span of 1457 00:54:34,500 --> 00:54:36,809 four to six hours from the customer. 1458 00:54:36,810 --> 00:54:38,999 And through these four to six hours, we 1459 00:54:39,000 --> 00:54:42,059 actually provided usually 1460 00:54:42,060 --> 00:54:43,469 one attack per hour. 1461 00:54:43,470 --> 00:54:45,449 We tested some kind of attack that 1462 00:54:45,450 --> 00:54:47,789 we have in stash, that we actually 1463 00:54:47,790 --> 00:54:50,099 prepared before according to our research 1464 00:54:50,100 --> 00:54:52,199 and evaluating by overnight. 1465 00:54:52,200 --> 00:54:54,359 If we have whatever number 1466 00:54:54,360 --> 00:54:56,369 of attacks that we have at night, like a 1467 00:54:56,370 --> 00:54:57,539 real attacker will do, 1468 00:54:57,540 --> 00:54:59,819 but on a very lengthy, 1469 00:54:59,820 --> 00:55:01,889 a lengthy span, 1470 00:55:01,890 --> 00:55:04,409 we have more than 95 1471 00:55:04,410 --> 00:55:06,449 percent of success. 1472 00:55:06,450 --> 00:55:08,519 So most of the attacks, unfortunately, 1473 00:55:08,520 --> 00:55:09,599 are not well protected. 1474 00:55:11,460 --> 00:55:14,199 That answers your question? Yes, OK. 1475 00:55:14,200 --> 00:55:15,670 And now the Internet, please. 1476 00:55:18,970 --> 00:55:21,189 You said you just scanned the whole /24, 1477 00:55:21,190 --> 00:55:23,289 /16. Even, would 1478 00:55:23,290 --> 00:55:25,209 IPv6 make it better? 1479 00:55:25,210 --> 00:55:27,339 Think of a whole /56 and random 1480 00:55:27,340 --> 00:55:29,619 IPs. That's quite something to scan. 1481 00:55:29,620 --> 00:55:30,620 Yeah, 1482 00:55:32,470 --> 00:55:34,029 this is good. This is great.
1483 00:55:34,030 --> 00:55:36,249 But I'm not familiar 1484 00:55:36,250 --> 00:55:38,469 with any bank that is working with us, 1485 00:55:38,470 --> 00:55:40,689 or any bank at all, that is moving 1486 00:55:40,690 --> 00:55:43,419 to IPv6 as a whole. It's 1487 00:55:43,420 --> 00:55:45,819 just using IPv4 and the IPv6 is 1488 00:55:45,820 --> 00:55:46,820 on top of that. 1489 00:55:48,660 --> 00:55:50,939 Number three, please. 1490 00:55:50,940 --> 00:55:53,009 So given that a lot of things 1491 00:55:53,010 --> 00:55:54,989 are on shared infrastructure with Amazon 1492 00:55:54,990 --> 00:55:57,239 and CloudFlare and stuff like that, how 1493 00:55:57,240 --> 00:55:58,859 do you make sure that whatever you're 1494 00:55:58,860 --> 00:56:01,019 DDoSing doesn't cause any 1495 00:56:01,020 --> 00:56:03,089 collateral damage with people who 1496 00:56:03,090 --> 00:56:04,619 are just innocent bystanders? 1497 00:56:06,330 --> 00:56:07,889 It does. It does. 1498 00:56:07,890 --> 00:56:10,409 And it's probably, 1499 00:56:10,410 --> 00:56:12,629 if you're referring to 1500 00:56:12,630 --> 00:56:14,969 not customers of the 1501 00:56:14,970 --> 00:56:16,769 front, to actually customers or clients 1502 00:56:16,770 --> 00:56:17,770 of the customer. 1503 00:56:18,360 --> 00:56:21,139 So, yeah, give it like someone on Amazon 1504 00:56:21,140 --> 00:56:23,309 DDoSing, like, them for something 1505 00:56:23,310 --> 00:56:25,619 and like something on Amazon 1506 00:56:25,620 --> 00:56:26,159 goes down. 1507 00:56:26,160 --> 00:56:27,989 OK, so shared infrastructure as a whole 1508 00:56:27,990 --> 00:56:29,249 is a whole different ballgame.
1509 00:56:29,250 --> 00:56:31,349 We have to consult legal, 1510 00:56:31,350 --> 00:56:33,599 and the SLAs with Amazon 1511 00:56:33,600 --> 00:56:35,879 and Azure and others are 1512 00:56:35,880 --> 00:56:37,829 pretty different from one another. Azure 1513 00:56:37,830 --> 00:56:40,169 lets you do stuff if you 1514 00:56:40,170 --> 00:56:42,479 let them know in advance. 1515 00:56:42,480 --> 00:56:45,239 Amazon, as far as I know of, 1516 00:56:45,240 --> 00:56:46,649 doesn't let you do anything. 1517 00:56:46,650 --> 00:56:49,799 It's pretty strict in terms of testing. 1518 00:56:49,800 --> 00:56:51,629 Think about it. It's pretty massive not 1519 00:56:51,630 --> 00:56:54,299 to test your own site, but again, it's 1520 00:56:54,300 --> 00:56:55,919 considerable when you're thinking about 1521 00:56:55,920 --> 00:56:57,239 the shared infrastructure, when you have 1522 00:56:57,240 --> 00:57:00,029 Amazon or others. 1523 00:57:00,030 --> 00:57:02,129 So it depends on 1524 00:57:02,130 --> 00:57:03,089 the host. 1525 00:57:03,090 --> 00:57:05,189 And what are the SLAs with it? 1526 00:57:07,580 --> 00:57:09,709 Number one, please. So, 1527 00:57:09,710 --> 00:57:11,959 thank you for the nice talk, but can we 1528 00:57:11,960 --> 00:57:13,639 change the roles? 1529 00:57:13,640 --> 00:57:16,729 So I would like 1530 00:57:16,730 --> 00:57:18,889 to hear you elaborating a bit 1531 00:57:18,890 --> 00:57:20,959 about what you would do if you 1532 00:57:20,960 --> 00:57:22,759 have to run mission-critical 1533 00:57:22,760 --> 00:57:24,919 infrastructure and how you would 1534 00:57:24,920 --> 00:57:25,920 protect it. 1535 00:57:27,350 --> 00:57:28,319 I'm not a genius. 1536 00:57:28,320 --> 00:57:31,339 So for starters, I 1537 00:57:31,340 --> 00:57:33,379 won't presume that everything that I will 1538 00:57:33,380 --> 00:57:35,479 say will be holy. 1539 00:57:35,480 --> 00:57:37,429 It will be holy in another term.
1540 00:57:37,430 --> 00:57:39,559 But I know that everything I
1541 00:57:39,560 --> 00:57:41,749 will do, I will try to architect not just
1542 00:57:41,750 --> 00:57:43,879 design and mitigation, architecture and
1543 00:57:43,880 --> 00:57:46,069 mitigation and redundancy, as
1544 00:57:46,070 --> 00:57:48,229 much as others know nowadays
1545 00:57:48,230 --> 00:57:50,749 how to back up and how to help something,
1546 00:57:50,750 --> 00:57:52,339 it's pretty much the same when you are
1547 00:57:52,340 --> 00:57:54,649 talking about redundancy and things
1548 00:57:54,650 --> 00:57:56,629 that need to be standing by and how much
1549 00:57:56,630 --> 00:57:58,699 like the time that you can you have
1550 00:57:58,700 --> 00:58:00,449 because this can occur.
1551 00:58:00,450 --> 00:58:02,479 It doesn't. It isn't.
1552 00:58:02,480 --> 00:58:03,379 There is no magic pill.
1553 00:58:03,380 --> 00:58:05,299 As I said, nothing that I will provide
1554 00:58:05,300 --> 00:58:07,069 you with, with a complete architecture
1555 00:58:07,070 --> 00:58:09,229 will not be failsafe, but it
1556 00:58:09,230 --> 00:58:10,909 will be epic-fail safe.
1557 00:58:10,910 --> 00:58:13,699 And and and on top of that,
1558 00:58:13,700 --> 00:58:15,979 test your systems any time
1559 00:58:15,980 --> 00:58:17,299 you want, you can be the greatest
1560 00:58:17,300 --> 00:58:19,579 developer. You will actually test your
1561 00:58:19,580 --> 00:58:20,119 applications.
1562 00:58:20,120 --> 00:58:21,829 Right. So that's the same thing.
1563 00:58:21,830 --> 00:58:24,029 If you architect something, test it,
1564 00:58:24,030 --> 00:58:25,030 to test.
1565 00:58:25,580 --> 00:58:27,199 Thank you. OK.
1566 00:58:27,200 --> 00:58:30,259 And once again, the Internet, please.
1567 00:58:30,260 --> 00:58:32,329 Are there any particular solutions
1568 00:58:32,330 --> 00:58:33,919 or products recommended or that are
1569 00:58:33,920 --> 00:58:34,939 particularly bad?
1570 00:58:36,020 --> 00:58:37,020 No.
1571 00:58:43,790 --> 00:58:45,949 Number four,
1572 00:58:45,950 --> 00:58:47,509 I'm home.
1573 00:58:47,510 --> 00:58:49,669 So, first of all, the photo was
1574 00:58:49,670 --> 00:58:51,049 not really appreciated.
1575 00:58:51,050 --> 00:58:53,179 I mean, we're not here for
1576 00:58:53,180 --> 00:58:55,459 your amusement or anything.
1577 00:58:55,460 --> 00:58:57,079 It's it's kind of bad norm.
1578 00:58:57,080 --> 00:58:59,539 And now moving on to the question,
1579 00:58:59,540 --> 00:59:01,779 have you given any thought to
1580 00:59:01,780 --> 00:59:04,039 to saturate the link without sending
1581 00:59:04,040 --> 00:59:06,229 any packet to the
1582 00:59:06,230 --> 00:59:07,230 target?
1583 00:59:08,330 --> 00:59:10,489 First of all, how to, like, legally do
1584 00:59:10,490 --> 00:59:12,649 that and if you've ever had to do it or
1585 00:59:12,650 --> 00:59:14,389 it was never necessary because the sites
1586 00:59:14,390 --> 00:59:15,600 are down for other reasons.
1587 00:59:17,330 --> 00:59:18,379 Let me put it again.
1588 00:59:18,380 --> 00:59:20,569 If I if I understand correctly
1589 00:59:20,570 --> 00:59:22,639 what your question is, how
1590 00:59:22,640 --> 00:59:24,739 can you actually do
1591 00:59:24,740 --> 00:59:26,839 some damage without
1592 00:59:26,840 --> 00:59:29,059 going on and on and on with
1593 00:59:29,060 --> 00:59:30,229 the traffic?
1594 00:59:30,230 --> 00:59:31,699 Yeah. So you can be sending
1595 00:59:32,780 --> 00:59:35,419 traffic to sites,
1596 00:59:35,420 --> 00:59:37,619 IPs actually, that share a
1597 00:59:37,620 --> 00:59:39,559 link with your target so that your target
1598 00:59:39,560 --> 00:59:41,869 does not observe any traffic and so
1599 00:59:41,870 --> 00:59:44,339 that you do not actually
1600 00:59:44,340 --> 00:59:45,679 do with any of them.
1601 00:59:45,680 --> 00:59:47,839 But so I mean
1602 00:59:47,840 --> 00:59:50,239 they do not get tons of traffic
1603 00:59:50,240 --> 00:59:52,159 individually, but the whole link that
1604 00:59:52,160 --> 00:59:54,349 they share will be saturated,
1605 00:59:54,350 --> 00:59:56,239 which would be nice to have because then
1606 00:59:56,240 --> 00:59:57,619 you could see how
1607 00:59:58,790 --> 01:00:00,739 your path actually how resilient your
1608 01:00:00,740 --> 01:00:02,479 path is to those attacks.
1609 01:00:02,480 --> 01:00:04,399 I mean, it's been described in academia,
1610 01:00:04,400 --> 01:00:05,749 but I don't know if you use it in
1611 01:00:05,750 --> 01:00:06,750 practice.
1612 01:00:07,640 --> 01:00:09,859 OK, we didn't we didn't
1613 01:00:09,860 --> 01:00:11,929 do something like that before.
1614 01:00:11,930 --> 01:00:14,209 Personally, I it's
1615 01:00:14,210 --> 01:00:16,459 hard to think about something that we can
1616 01:00:16,460 --> 01:00:18,619 deliver such an attack with
1617 01:00:18,620 --> 01:00:20,329 without anything unless we have an
1618 01:00:20,330 --> 01:00:21,559 exploit for that.
1619 01:00:21,560 --> 01:00:24,739 Like like a like I said, 2083.
1620 01:00:24,740 --> 01:00:27,049 There was an exploit exploiting many
1621 01:00:27,050 --> 01:00:29,419 Web application servers through
1622 01:00:29,420 --> 01:00:31,429 the hashing mechanism.
1623 01:00:31,430 --> 01:00:33,409 But unless we have an exploit, a
1624 01:00:33,410 --> 01:00:35,749 designated exploit and we talked about
1625 01:00:35,750 --> 01:00:38,029 generalized stuff, not exploits a pair
1626 01:00:38,030 --> 01:00:40,339 of Web application servers, I don't think
1627 01:00:40,340 --> 01:00:41,359 that's possible.
1628 01:00:41,360 --> 01:00:43,789 But maybe it is in some
1629 01:00:43,790 --> 01:00:45,499 in some situations when you have a
1630 01:00:45,500 --> 01:00:47,629 database that is working very hard and
1631 01:00:47,630 --> 01:00:49,699 crunching something and you can do pretty
1632 01:00:49,700 --> 01:00:51,439 much the same, which is the equivalent of
1633 01:00:51,440 --> 01:00:53,179 an exploit, as an exploit as I see it.
1634 01:00:54,740 --> 01:00:55,639 Not exactly.
1635 01:00:55,640 --> 01:00:58,129 So you're sending traffic to IPs
1636 01:00:58,130 --> 01:01:00,019 that they're not related to your target,
1637 01:01:00,020 --> 01:01:01,699 except that they're being hosted in the
1638 01:01:01,700 --> 01:01:03,799 same data center, say, so that you
1639 01:01:03,800 --> 01:01:05,359 saturate the link, but your target
1640 01:01:05,360 --> 01:01:06,319 doesn't see the traffic.
1641 01:01:06,320 --> 01:01:08,359 Oh, you mean so excuse me.
1642 01:01:08,360 --> 01:01:10,849 You mean that another subdomain
1643 01:01:10,850 --> 01:01:12,859 and through that is is impacting the
1644 01:01:12,860 --> 01:01:14,239 actual one that I wouldn't call another
1645 01:01:14,240 --> 01:01:16,519 IP. Yeah. It doesn't have to be related
1646 01:01:16,520 --> 01:01:18,049 at all to your target. Yeah.
1647 01:01:18,050 --> 01:01:19,699 That happened a lot and that happened a
1648 01:01:19,700 --> 01:01:21,979 lot when we, when we got confirmation
1649 01:01:21,980 --> 01:01:23,929 from the from the customer of course, to
1650 01:01:23,930 --> 01:01:26,269 attack other domains just for a second
1651 01:01:26,270 --> 01:01:28,789 to test if the infrastructure was shared
1652 01:01:28,790 --> 01:01:30,919 for any means, you have to have some kind
1653 01:01:30,920 --> 01:01:32,299 of a shared infrastructure, of course,
1654 01:01:32,300 --> 01:01:34,489 maybe the same host, maybe,
1655 01:01:34,490 --> 01:01:36,859 maybe it's networking on some sites.
1656 01:01:36,860 --> 01:01:38,809 And the one example that I said about the
1657 01:01:38,810 --> 01:01:40,910 shiny box, it was in the U.K.,
1658 01:01:42,050 --> 01:01:44,359 that's exactly exactly what what
1659 01:01:44,360 --> 01:01:46,849 happened on the tier two back and
1660 01:01:46,850 --> 01:01:47,989 the tier two was attacked.
1661 01:01:47,990 --> 01:01:49,429 It wasn't our target, but it was
1662 01:01:49,430 --> 01:01:49,759 attacked.
1663 01:01:49,760 --> 01:01:51,829 So it is possible through other
1664 01:01:51,830 --> 01:01:54,050 subdomains, by by definition in the.
1665 01:01:56,480 --> 01:01:58,459 And unfortunately, we are out of time, so
1666 01:01:58,460 --> 01:02:00,109 please, once again, thank Delmar's.