
Don’t get DDoSed and Confused

Patrick Sullivan, CISSP, GSLC, GWAPT, GCIH

Managed Security Services

©2015 AKAMAI | FASTER FORWARDTM

Agenda

• Intro/Data Collection

• DDoS Basics

• Trends and Statistics

• Adversarial Groups/Motivations

• Defense


Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks.

Akamai has unique insight into Web/DDoS Traffic

[Platform diagram with numbered callouts:]

1. Akamai's Edge (WAF, edge servers) carries ~20 Tbps of Web Traffic at steady state, with bursts to 30+ Tbps
2. FAST DNS Authoritative DNS Solution (DNS servers)
3. Prolexic BGP-Based DDoS Mitigation (Prolexic scrubbing centers)
4. Akamai Customer Base

Akamai Web Platform

• 98 of top 100 Commerce Sites

• All Branches of US Military

• All Agencies of the US Gov’t

• 10 of top 10 Banks

• 30 of top 30 Media Sites

• 10 of top 10 Asset Managers

• 10 of top 10 P&C Companies

• 8 of top 10 Auto Manufacturers


Akamai Security Center

New in Q1 2015: Cloud Security Intelligence

• Visibility: 15 to 30 percent of global Web traffic
• Data: 20 TB of daily attack data; 4 PB / 45 days stored


CISSP Refresher

Availability
What: Site Unavailable, Unresponsive, Unresolvable
How: DDoS (Packet flooding, HTTP request flooding)

Integrity
What: Site Defacement, Hosting Malware, DNS Zone Hijacking
How: Injection, Social Engineering

Confidentiality
What: Data Breach, Session Hijacking, Account Hijacking
How: Injection, Social Engineering, Brute force login checking

How most people think of DDoS


How we/attackers think of DDoS

[Network diagram of a typical site: Users (good/bad) on the Public Internet, ISP, DMZ, IPS/IDS, load balancer (LB), Name Servers, web servers, Relational Database, VPN Concentrator, Remote Offices]

DDoS Techniques

• Protocol Level Flooding
  • Reflection/Amplification attacks dominate this type of attack
• Web Application (Layer 7)
  • More subtle
  • Targets more fragile Web/Database resources

Transport Layer Protocol Abuse: Fun with TCP

There are many variations of TCP Handshake Abuse.

[Diagram: a normal handshake, SYN → SYN-ACK → ACK, contrasted with the abuse case: SYN × 100 → SYN-ACK × 100 → SYN ... and the completing ACKs never arrive (?????), so the server is left holding half-open connections.]

Network Layer Attacks: Reflection + Amplification Attacks

[Diagram: a CHARGEN attack script at a.b.c.d (address doesn't matter; this is UDP, he will spoof it), the host 10.1.10.128, 1 Mbps of Character Gen requests sent to a vulnerable server, and 360 Mbps of reflected traffic coming back.]


Case Study: NTP Reflection Attacks

• 500x return rate in traffic
• >100 Gbps attack traffic against origin
• 1,000+ increase in hits per second against origin

Attack Vector: Request with spoofed source IP of target server sent to a vulnerable NTP server that allows the monlist function. NTP server replies back to the target IP, direct to origin, at massive scale.

NTP Reflection used in attack (Source/Target in Asia)

[Chart of attack peaks over the campaign; columns: Start, End, Infrastructure (Gbps), authDNS (Mpps), DNS Reflection (Mpps), Web (Gbps)]

21+ day campaign against single customer

• 39 distinct attacks targeting applications and DNS infrastructure
• Eight attacks >100 Gbps including record 320 Gbps attack

SSDP aka UPnP (Universal Plug and Play)

So many amplification vectors for an attacker to choose from... Most select several.

Source: US-CERT.gov

DDoS: Attackers find various bottlenecks to target

[Diagram of the request path: Internet pipe, firewall, IPS, load balancer, application, database]

Capacity declines as you move deeper towards the DB.

Slow Layer-7 Resource Exhaustion Attacks

Attackers are leveraging common IT Mega-Trends

• IoT: We have detected refrigerators participating in DDoS Attacks
• Mobile: BotNets frequently own Mobile Devices
• Cloud: Cloud Sourced DDoS Attacks Challenge Legacy Defenses

DDoS as a Counter to Tight Security Controls

Akamai Advisory


DNS Hijack Attacks: Common Tactic for Middle Eastern Attackers

Best Practice: DNS Locks

Client DNS Locks
• clientUpdateProhibited
• clientTransferProhibited
• clientDeleteProhibited

Registrar locks
• serverUpdateProhibited
• serverTransferProhibited
• serverDeleteProhibited
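As an added example (not from the deck), a small check that reads a domain's status codes the way WHOIS or RDAP report them and lists which of the six locks above are missing; the status lists in it are constructed. One caveat worth knowing: the client* statuses are set by the registrar, while the server* statuses can only be applied and removed by the registry (a "registry lock"), so the two groups are obtained through different channels.

```python
"""List which of the six DNS lock status codes a domain is missing.
Added example (not from the slides): accepts the EPP codes shown in the deck,
the same codes with the trailing ICANN URL that WHOIS output appends, or the
space-separated RDAP status names from RFC 8056. Sample inputs are constructed."""
import re

# client* statuses are set by the registrar; server* statuses can only be
# applied and removed by the registry (a "registry lock").
REQUIRED_LOCKS = {
    "clientUpdateProhibited", "clientTransferProhibited", "clientDeleteProhibited",
    "serverUpdateProhibited", "serverTransferProhibited", "serverDeleteProhibited",
}

def normalize_status(status):
    """Reduce one status entry to its bare EPP camelCase code.
    'clientTransferProhibited https://icann.org/epp#...' -> 'clientTransferProhibited'
    'server transfer prohibited' (RDAP form)              -> 'serverTransferProhibited'"""
    parts = [p for p in re.split(r"\s+", status.strip())
             if not p.startswith(("http://", "https://"))]
    if len(parts) == 1:
        return parts[0]
    return parts[0].lower() + "".join(p.capitalize() for p in parts[1:])

def missing_locks(statuses):
    """Return the sorted list of required locks absent from `statuses`."""
    return sorted(REQUIRED_LOCKS - {normalize_status(s) for s in statuses})

# Constructed status lists: one domain with all six locks (mixed spellings, as a
# WHOIS/RDAP consumer would see them) and one with registrar-side locks only.
FULLY_LOCKED = [
    "clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited",
    "clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
    "clientDeleteProhibited",
    "server update prohibited", "server transfer prohibited", "server delete prohibited",
    "active",
]
REGISTRAR_ONLY = ["clientTransferProhibited", "clientDeleteProhibited", "ok"]

if __name__ == "__main__":
    print("fully locked   missing:", missing_locks(FULLY_LOCKED))
    print("registrar only missing:", missing_locks(REGISTRAR_ONLY))
```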

US DoD’s DNS Hijacked


China’s Great Cannon DDoS Tool

DDoS Attack Trends

Facts and Figures from Q2 2015


In Q2 2015, DDoS attacks were less powerful... but longer and more frequent.

Peak attack size by year (chart data):

Period     Gbps   Mpps
2005         11      2
2006         18      8
2007         22     11
2008         39     15
2009         48     29
2010         68     38
2011         79     45
2012         82     69
2013        190    144
2014        320    270
Q1 2015     171     89
Q2 2015     240    214

Traditional DDoS attacks harness the scale of global botnets.

Newer attacks target protocol vulnerabilities to amplify size:

• SNMP (6x)
• DNS (28x-54x)
• CHARGEN (358x)
• NTP (556x)
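The defender's view of these vectors is the source port: reflected floods arrive from many distinct hosts that all answer from the service port of the abused protocol. As an added example (not from the deck), the following groups constructed NetFlow-style records for one target by the well-known UDP ports of the services named above plus SSDP, and flags vectors that are both high-volume and multi-source; the records, addresses and thresholds are constructed.

```python
"""Flag inbound UDP flows that look like reflection/amplification traffic.
Added example (not from the slides): groups constructed NetFlow-style records by
the well-known UDP source port of each reflector service named in the deck
(SNMP 161, DNS 53, CHARGEN 19, NTP 123, SSDP 1900) and reports bandwidth and
reflector count per vector for one target address."""
from collections import defaultdict

# Reflected floods arrive with the *source* port fixed to the service port,
# from many different hosts, all aimed at the spoofed victim address.
REFLECTORS = {161: "SNMP", 53: "DNS", 19: "CHARGEN", 123: "NTP", 1900: "SSDP"}

# Constructed one-second sample: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# Addresses come from documentation ranges; none is a real host.
FLOWS = [
    ("198.51.100.7", 123, "203.0.113.10", 40123, "udp", 60_000_000),
    ("198.51.100.8", 123, "203.0.113.10", 40124, "udp", 55_000_000),
    ("198.51.100.9", 123, "203.0.113.10", 40125, "udp", 58_000_000),
    ("192.0.2.21", 19, "203.0.113.10", 51000, "udp", 20_000_000),
    ("192.0.2.22", 19, "203.0.113.10", 51001, "udp", 22_000_000),
    ("192.0.2.99", 443, "203.0.113.10", 52000, "tcp", 5_000),   # ordinary web traffic
    ("198.51.100.50", 53, "203.0.113.10", 53, "udp", 2_000),    # one legitimate DNS reply
]

def reflection_summary(flows, target, window_s=1.0):
    """Return {vector: (gbps, distinct_reflectors)} over UDP flows to `target`
    whose source port belongs to a known reflector service."""
    total_bytes, reflectors = defaultdict(int), defaultdict(set)
    for src, sport, dst, _dport, proto, nbytes in flows:
        if dst != target or proto != "udp" or sport not in REFLECTORS:
            continue
        total_bytes[REFLECTORS[sport]] += nbytes
        reflectors[REFLECTORS[sport]].add(src)
    return {v: (b * 8 / window_s / 1e9, len(reflectors[v])) for v, b in total_bytes.items()}

def suspicious_vectors(summary, min_gbps=0.1, min_reflectors=2):
    """A vector is flagged only when it is high-volume AND comes from several
    distinct reflectors, so a single busy resolver does not trip the rule."""
    return sorted(v for v, (gbps, n) in summary.items() if gbps >= min_gbps and n >= min_reflectors)

if __name__ == "__main__":
    summary = reflection_summary(FLOWS, "203.0.113.10")
    for vector, (gbps, n) in sorted(summary.items()):
        print(f"{vector:8s} {gbps:7.3f} Gbps from {n} reflector(s)")
    print("suspicious vectors:", suspicious_vectors(summary))
```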

DDoS Attack Instances, Q1 2013 - Q2 2015

The number of DDoS attacks has more than doubled compared with Q2 2014, though with slightly smaller attack sizes.

Compared to Q2 2014

• +132% Total DDoS attacks
• −11% Average peak bandwidth
• +77% Average peak volume
• +122% Application layer DDoS attacks
• +134% Infrastructure layer attacks
• +19% Average attack duration
• +100% Total attacks > 100 Gbps

Q2 set a record for the number of DDoS attacks observed over the Akamai Prolexic Routed network, more than doubling the number of attacks observed in Q2 2014.

Types of DDoS Attacks & Relative Distribution

in Q2 2015


Mega Attacks > 100 Gbps in Q2 2015

Twelve mega-attacks in Q2 2015 vs. six in Q2 2014. Most targeted Internet/Telecom. Two targeted Gaming.

Mega Attacks > 50 Mpps in Q2 2015

A 214 million packets per second (Mpps) DDoS attack was among the highest ever recorded. Such attacks can take out tier 1 routers, such as those used by Internet service providers (ISPs).


Most Commonly Attacked Verticals – Q1 2015

Top 10 Source Countries for DDoS Attacks in Q2 2015


Attacker Motivation


“Attacking for the Lulz!”


Extortion

DDoS for BitCoin Campaign: DD4BC


DD4BC: What to Expect

1. Initial small attack
2. Email ransom demand: payment in bitcoin; increasing ransom over time
3. Claims of capability: 400 Gbps attack sizes; bypass DDoS defenses
4. Continued email threats: increasing ransom for countermeasures

DD4BC Ransom Note


DDoS as a Distraction

Multi-Vector Attacks: 2014 Sochi Olympics

• 3.5 Tbps event
• 50% growth in average user connection speed compared to 2012
• More than a million malicious requests blocked
• Multi-vector attacks detected again in 2014
  • Application DDoS
  • RFI
  • Command Injection
  • Requests from Anonymous Proxy
• Attacks again spiked during major events
  • Opening Ceremonies
  • Hockey Semi-Final (US v. Canada)

Public Sector/Education DDoS Attacks


Large March 2014 Attack: Target was European Media Company

• Blended Attack, Significant NTP Traffic
• DDoS Start :: 8MAR14 13:52:00 UTC
• DDoS Stop :: 9MAR14 02:00:00 UTC
• Peak Bps :: 200+Gbps
• Peak Pps :: 65Mpps
• 2 hosts targeted on random UDP/TCP/ICMP ports

QCF Attacks 2013-2014


BroBot: Advanced Attacker Evades Common DDoS Services

Attack IPs changing every ~10 minutes

• Banking site real-time Kona security dashboard view
• Blocking ~18M HTTPS attacks per minute
• Attacker requesting URLs with heavy compute burden (search, login, ATM locator)
• Source IPs are frequently cloud servers
  • Commandeered using vulnerabilities in well-known CMSs

QCF Later Stages of Campaign:

Targeting small regional banks and Credit Unions


Case Study: Augusta County Public Schools

• Augusta County's Education IT team Mission:
  • Provide IT support for 20+ schools and manage 7500+ devices
• Challenge:
  • Persistent DDoS attacks impact ability to deliver uninterrupted access to government-mandated SOL testing
  • SOL testing impacts grades and graduation eligibility for students
• Solution:
  • Akamai's Prolexic Routed Cloud-based DDoS Protection

Georgia High School Case Study: Sept 2015

• School system experiences daily DDoS attacks, undermining students' and parents' confidence in the school's ability to deliver IT services
• SOL systems are at risk, which is a huge concern for school administrators
• Akamai Enterprise Security Architect (ESA) goes on site to speak with the school IT team
• UDP flood on port 80 is observed
• Akamai ESA directs customer to review web logs; students were observed visiting DDoS-as-a-Service sites and kicking off attacks
• Logs identified which students were logged onto machines at the time of visits to Stressor websites
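The last two steps of that investigation are a log correlation: match proxy-log requests to known DDoS-for-hire sites against logon sessions to find who was on the machine at the time. As an added example (not from the deck or the school's tooling), the following does that over constructed proxy and logon records; the log formats, host names, user names, timestamps and the placeholder stresser domains are all assumptions.

```python
"""Attribute proxy-log visits to DDoS-for-hire ("stresser") sites to the user
logged onto that workstation at the time. Added example; every log line, host,
user and domain below is constructed (the domains are placeholders)."""
from datetime import datetime

STRESSER_SITES = {"stresser.example", "booter.example.net"}  # constructed blocklist

# Constructed proxy log: "<ISO time> <client host> <method> <url> <status>"
PROXY_LOG = """\
2015-09-14T10:02:11 LAB2-PC07 GET http://www.example.edu/portal 200
2015-09-14T10:05:43 LAB2-PC07 GET https://stresser.example/panel 200
2015-09-14T10:06:02 LAB2-PC07 POST https://stresser.example/login 200
2015-09-14T11:41:19 LIB-PC03 GET https://booter.example.net/ 200
2015-09-14T13:15:00 LAB2-PC07 GET https://stresser.example/panel 200
"""
# Constructed logon records: "<host> <user> <logon ISO time> <logoff ISO time>"
SESSIONS = """\
LAB2-PC07 student.a 2015-09-14T09:30:00 2015-09-14T10:45:00
LAB2-PC07 student.b 2015-09-14T13:00:00 2015-09-14T14:00:00
LIB-PC03 student.c 2015-09-14T11:00:00 2015-09-14T12:00:00
"""

def stresser_visits(proxy_text, sites):
    """Yield (time, host, url) for requests whose domain is on the list."""
    for line in proxy_text.splitlines():
        ts, host, _method, url, _status = line.split()
        if url.split("/")[2] in sites:          # scheme://domain/... -> domain
            yield datetime.fromisoformat(ts), host, url

def attribute_visits(proxy_text, session_text, sites):
    """Count stresser requests per (host, user); a visit with no covering logon
    session is attributed to "<unknown>" so gaps in the evidence stay visible."""
    sessions = []
    for line in session_text.splitlines():
        host, user, on, off = line.split()
        sessions.append((host, user, datetime.fromisoformat(on), datetime.fromisoformat(off)))
    counts = {}
    for when, host, _url in stresser_visits(proxy_text, sites):
        user = next((u for h, u, on, off in sessions if h == host and on <= when <= off), "<unknown>")
        counts[(host, user)] = counts.get((host, user), 0) + 1
    return counts

if __name__ == "__main__":
    for (host, user), n in sorted(attribute_visits(PROXY_LOG, SESSIONS, STRESSER_SITES).items()):
        print(f"{host} {user}: {n} stresser request(s)")
```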


How do you defend from these attacks?

• Architecture

• Knowledge of Attack Trends

• A Plan


Potential Architectures for Defending from DDoS

[Diagram: a data center connected through a transit network to three ISPs]

[Diagram: the same topology, second variant]

Cloud Security Architecture

[Diagram: three ISPs, transit network and data center in the cloud security architecture]


DDoS Mitigation Success: 5 Points To Take Away

1. You Need Data: to derive intelligence on current & evolving threats.
2. Scale, Availability & Resilience: to be high performing, take the punches, & stay online.
3. A Plan: to understand how to respond to bad-day scenarios.
4. Control & Flexibility: to adapt your defenses dynamically.
5. People & Experience: to execute every time you come under attack.

Stress Test your Plan
