©2014 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • Models used are not clients but may be representative of clients • 321 N. Clark Street, Suite 2800, Chicago, IL 60654 • 312.832.4500
War Stories from the Cloud
John Summers, VP Cloud Security
©2013 AKAMAI | FASTER FORWARD™
The Akamai Intelligent Platform
The Platform
• 150,000+ Servers
• 2,300+ Locations
• 750+ Cities
• 92 Countries
• 1,227+ Networks
The Data
• 2 trillion hits per day
• 780 million unique IPv4 addresses seen quarterly
• 13+ trillion log lines per day
• 260+ terabytes of compressed daily logs
15 - 30% of all web traffic
How the Akamai Platform Works
[Diagram: users of Web-enabled applications, mobile applications and IP applications reach an Edge Region close to the end user; "SureRoute" and the Akamai Protocol optimize the route and reduce round trips across the High Performance Global Overlay Network to an Edge Region close to the origin server (application server in cloud datacenters); security is embedded into Akamai edge servers.]
[Chart: Origin traffic vs Akamai traffic, log scale from 1 to 10,000]
The Akamai Platform Provides a Perimeter Defense
©2014 AKAMAI | FASTER FORWARDTM
Attacks Are Increasing in Size and Frequency
[Chart: yearly values for 2010 through 2014 of attack size (Gigabits per second), attack size (Million packets per second), and number of attacks per year]
Attack Trends
• Growth in “reflection” DDoS attacks
• The rise of DDoS-as-a-service sites
• Robust attack landscape reflects geopolitical landscape
Technology Trends
• The enterprise attack surface continues to grow
• Continued movement of applications to the cloud
• Bring your own device and SaaS applications mean more enterprise traffic is completely outside the perimeter
Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks.
Case Study: Large Financial Institution
Challenge
Maintain customer Web experience during a multi-dimensional DDoS attack by a sophisticated attacker
Solution
Cloud-based Web security that stops DDoS attacks at the edge, before they reach the application
Day 1: HTTP flood against homepage
• 30 Gbps, 4m requests/min peak
• Maintained normal customer traffic through the attack
Day 2: HTTP flood against unprotected Web site
• Page view errors spike 1,327%
Day 2: DNS-based volumetric attack
• 40 Gbps, 1.8m requests/s peak
• Maintained 100% availability
Case Study: DDoS Attack against Media Company
• Q2 14 attack targeted a politically-active newspaper in APJ
Phase 1
• Bandwidth: 88 Gbps
• Requests: 56 Mpps
• Duration: 18 hours
Phase 2
• Bandwidth: 93 Gbps
• Packets: 53 Mpps
• Duration: 30 hours
Phase 3
• Bandwidth: 111 Gbps
• Packets: 53 Mpps
• Duration: 3 hours
[Chart: attack bandwidth in Gbps (0 to 120) by day across the three phases, W Th F S S M T W Th F S S]
Not just DDoS: Mobile check deposit application attack
What happened
Anonymous attacker accessed URLs for mobile check deposit application 120,000 times over four hours
Web requests for “checkfront.jpg”, “checkback.jpg”, and more
How the attack was defeated
Web application firewall rate controls
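The rate-control idea above, as an added example that is not Akamai's code: a per-client sliding-window limit on the check-image paths, run over constructed traffic in which one scraper fetches the front and back images far faster than a customer would. The path prefix, window and threshold are assumed values, not figures from the slides.

```python
from collections import defaultdict, deque

SENSITIVE_PREFIX = "/deposit/"   # image endpoints of the check-deposit app (assumed path)
WINDOW_SECONDS = 60.0
MAX_PER_WINDOW = 30              # assumed threshold; a real limit is derived from normal usage


def constructed_events():
    """Constructed traffic as (timestamp_seconds, client_ip, path); IPs and timing are made up."""
    events = []
    # one legitimate customer fetching the front and back images of a single deposit
    for i, name in enumerate(["checkfront.jpg", "checkback.jpg", "checkfront.jpg", "checkback.jpg"]):
        events.append((10.0 + 15.0 * i, "198.51.100.5", SENSITIVE_PREFIX + name))
    # one scraper alternating between the two images every half second for two minutes
    for i in range(240):
        name = "checkfront.jpg" if i % 2 == 0 else "checkback.jpg"
        events.append((0.5 * i, "203.0.113.7", SENSITIVE_PREFIX + name))
    # unrelated request from the scraper that this rule leaves alone
    events.append((5.0, "203.0.113.7", "/index.html"))
    return events


def apply_rate_control(events, prefix=SENSITIVE_PREFIX, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW):
    """Sliding-window rate control per client on the sensitive paths.

    Returns (allowed, blocked). Blocked attempts still count toward the window, so a client
    that keeps hammering stays blocked instead of getting a fresh burst every minute.
    """
    history = defaultdict(deque)   # client ip -> timestamps of recent sensitive requests
    allowed, blocked = [], []
    for event in sorted(events):
        ts, ip, path = event
        if not path.startswith(prefix):
            allowed.append(event)
            continue
        recent = history[ip]
        while recent and ts - recent[0] >= window:
            recent.popleft()       # drop timestamps that fell out of the window
        recent.append(ts)
        if len(recent) > limit:
            blocked.append(event)
        else:
            allowed.append(event)
    return allowed, blocked


def blocked_per_client(blocked):
    """Count blocked requests by client, the first figure an analyst would review."""
    counts = defaultdict(int)
    for _, ip, _ in blocked:
        counts[ip] += 1
    return dict(counts)
```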
Large March 2014 Attack
• Mixed Attack, Significant NTP Traffic
• DDoS Start :: 8MAR14 13:52:00 UTC
• DDoS Stop :: 9MAR14 02:00:00 UTC
• Peak Bps :: 200+Gbps
• Peak Pps :: 65Mpps
• 2 hosts targeted on random UDP/TCP/ICMP ports
320 Gbps DDoS Attack against Gaming Customer
• Largest attack ever mitigated by Akamai against a single customer
• Targeted primary website, supporting network infrastructure, and DNS
• Multiple attack vectors:
  – SYN / UDP floods against an entire subnet
  – Volumetric attack against DNS
• Attack characteristics:
  – 320 Gbps and 71.5 Mpps peak attack traffic through Prolexic scrubbing centers
  – 2.1 million requests/s through Fast DNS
[Charts: Prolexic and Fast DNS traffic during the attack]
One Attack in a Broader DDoS Attack Campaign
Two-month campaign against single customer
• 39 distinct attacks targeting applications and DNS infrastructure
• Eight attacks >100 Gbps including record 321 Gbps attack
[Chart: start and end of each attack with peak Infrastructure (Gbps), Web (Gbps) and DNS (Mpps) values]
Web Application Attacks and Holiday Shopping
• Spike in attacks against Top 30 retailers
  – 5.6x increase in blocked attacks from Nov 1 to Nov 29
• Attacks grew twice as fast as user traffic
  – 2x increase in blocked attacks per page view
[Chart: blocked attacks (in thousands) and blocked attacks per page view, weekly from Nov 1 to Nov 29]
“Akamai, we are under attack!...”
The following slides are based on real events on January 5th, 2014.
Leveraging Big Data to Understand Attackers
Ad-Hoc Attack Analysis
• An attempt to exploit an old (2007) WordPress Remote File Inclusion vulnerability. The victim application was running ASP.NET
GET /wp-content/wordtube-button.php?wpPATH=http://www.google.com/humans.txt? HTTP/1.1
Host: www.vulnerable.site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4)
Attacked parameter: wpPATH
Malicious payload: http://www.google.com/humans.txt
What Else Did This Attacker Do On This Site?
• Same attacker sent 2122 different RFI exploit attempts
• 34 different sites were attacked by the same attacker, with a total of 24,301 attacks
Was There Similar Activity Going On At The Same Time?
Attacks originated from a botnet containing 272 attacking machines
1696 victim applications were targeted
1,358,980 attacks were launched during the campaign
The campaign lasted for 2 weeks
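The pivot the last three slides describe, from one RFI request to an attacker's activity across sites, as an added example that is not Akamai's tooling: a detector that flags query parameters carrying a remote URL (the wpPATH pattern shown above), then aggregates hits by source address. The log format, the second attacker and the extra hostnames are constructed for the example; only the first line is the request from the slides.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed log lines: source IP, target host, request line. The first line is the
# request shown in the slides; the others are made-up variations of the same pattern.
LOG_LINES = """\
203.0.113.9 www.vulnerable.site "GET /wp-content/wordtube-button.php?wpPATH=http://www.google.com/humans.txt? HTTP/1.1"
203.0.113.9 www.vulnerable.site "GET /index.php?page=http://www.google.com/humans.txt? HTTP/1.1"
203.0.113.9 www.second.example "GET /wp-content/wordtube-button.php?wpPATH=http://www.google.com/humans.txt? HTTP/1.1"
203.0.113.20 www.third.example "GET /gallery.php?img=HTTPS://www.google.com/humans.txt? HTTP/1.1"
198.51.100.4 www.vulnerable.site "GET /products.aspx?id=42 HTTP/1.1"
198.51.100.4 www.vulnerable.site "GET /search.aspx?q=humans.txt HTTP/1.1"
""".splitlines()

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<host>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"$')
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def find_rfi(line):
    """Return (ip, host, param, value) when a query parameter carries a remote URL, else None.

    A parameter whose value is an absolute URL is the signature of an RFI probe; the
    application does not have to be PHP for the attempt to be worth counting.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if value.lower().startswith(REMOTE_SCHEMES):
            return m.group("ip"), m.group("host"), name, value
    return None


def campaign_summary(lines):
    """Pivot from single requests to attackers, victim sites and total attempts."""
    per_attacker = defaultdict(lambda: {"attacks": 0, "sites": set()})
    victims = set()
    for line in lines:
        hit = find_rfi(line)
        if hit is None:
            continue
        ip, host, _, _ = hit
        per_attacker[ip]["attacks"] += 1
        per_attacker[ip]["sites"].add(host)
        victims.add(host)
    return {
        "attackers": len(per_attacker),
        "victims": len(victims),
        "attacks": sum(d["attacks"] for d in per_attacker.values()),
        "per_attacker": {ip: (d["attacks"], sorted(d["sites"])) for ip, d in per_attacker.items()},
    }
```

Run against a real edge log the same aggregation yields the attacker, site and attempt counts the slides quote; a parameter that legitimately carries a URL (a redirect target, for instance) needs an allowlist to keep out of the count.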
Closing Thoughts
• Attacks increasingly target the application
• Most web applications have vulnerabilities that can be exploited
• Organizations need to incorporate security into their SDLC
• It is simply not possible to patch a production vulnerability fast enough
• A cloud security layer is no longer a nice-to-have