Evolving DDoS Threat and Standards Based Mitigation Techniques Ken O’Kelly / Sanjay Chohan Juniper Networks November 2014

Page 1

Evolving DDoS Threat and Standards Based Mitigation Techniques

Ken O’Kelly / Sanjay Chohan – Juniper Networks

November 2014

Page 2

Agenda

• Introduction
• DDoS Evolution
• DDoS Identification
• Network Protection techniques
• BGP Flowspec
• Q & A

Page 3

SECURITY Represents A Big Problem

• Denial of Service Attacks
• Data stolen
• Web site hacked
• Government snooping
• Passwords cracked
• Laptop stolen

The cost to affected organisations is huge, but what is the cost to your reputation?

Despite a multi-billion dollar industry, computers continue to be compromised…

Page 4

Targeted Attacks On The Rise

Money / Intellectual property / Records

• Targeted, Deliberate, and Expensive

Fact

• 70% of all threats are at the Web application layer [1]
• 70+% of organizations have been hacked in the past 2 years through insecure Web apps [3]
• Yet 66% of breaches took months or more to discover [2]

Business Impact

• Average cost incurred from a successful breach: £5.5m [2]
• Average annual cost incurred from a DDoS attack: £2.1m [3]

Sources: [1] Gartner; [2] 2012 Cost of Cyber Crime Study; [3] Ponemon Institute, 2013

Page 5

DDoS Attack Vectors

Volumetric
• Easy to detect
• Attacks are getting bigger in size
• Frequency of attacks increasing at a moderate rate

Anything that makes the resources busy
• Flash mobs organized via social media
• Overwhelming legitimate requests for tickets for a big event available in a very short period of time

Low and slow
• Growing fast: 25% of attacks in 2013 [1]
• More sophisticated and difficult to detect
• Target back-end weaknesses
• Small volume of requests can take out a large Web site

Source: [1] Gartner

Page 6

Evolving “LOW and SLOW” Attacks

• SLOWLORIS / PYLORIS / ENDLESS HEADERS
  • Exhausts web server connection slots by sending HTTP requests whose header section never ends: header lines are drip-fed slowly, so each connection is held open and counts against the server's connection limit
• DB QUERIES
  • Exhausts web server CPU/resources by repeatedly sending a request that forces the web server to query the database for a large number of objects
• COMMONALITY
  • Does not use much bandwidth; can exhaust web server connections or CPU/memory
  • Very difficult to detect in one direction with a “signature”
    • A signature that matches on the URL or payload fails as soon as the URL changes
    • A signature that matches on a header fails as soon as the headers change
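As an added example (not from the slides and not Juniper code), the Python below shows the kind of check the “commonality” bullets point toward: detecting Slowloris-style connection hogging and repeated expensive-query abuse from connection state and server cost rather than from a URL or header signature, so neither changing the URL nor changing the header names evades it. The connection records, log records, client addresses and thresholds are all constructed for illustration.

```python
"""Behavioural detection of low-and-slow HTTP DoS (added example, not from the deck).

Instead of matching a URL, header or payload signature, both checks measure how a
source behaves: how many connections it holds open without finishing its request
headers, and how much server time its requests cost. All sample data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src: str                # client address
    age_s: float            # seconds since the TCP connection was accepted
    bytes_in: int           # request bytes received so far
    headers_complete: bool  # has the server seen the blank line that ends the headers?


# Constructed snapshot of a web server's connection table: two ordinary clients and
# one Slowloris-style client (assumed address 192.0.2.66) drip-feeding header lines.
SAMPLE_CONNS = [
    Conn("198.51.100.7", 0.4, 812, True),
    Conn("198.51.100.7", 1.1, 640, True),
    Conn("203.0.113.9", 2.0, 530, True),
] + [Conn("192.0.2.66", 45.0 + i, 40 + i, False) for i in range(150)]

# Constructed access-log records (src, path, server_time_ms): one normal client and
# one client (assumed address 192.0.2.77) hammering a database-heavy page with a
# different query string every time.
SAMPLE_REQUESTS = [
    ("203.0.113.9", "/search?q=shoes", 40),
    ("203.0.113.9", "/", 5),
] + [("192.0.2.77", "/search?q=" + "a" * i + "&limit=100000", 2200 + i) for i in range(40)]


def detect_slow_header_attackers(conns, min_age_s=30.0, max_bytes=512, min_conns=50):
    """Return {src: stalled_connection_count} for sources holding >= min_conns
    stalled connections. A connection is stalled when it is older than min_age_s,
    has not finished its headers and has sent fewer than max_bytes: a real browser
    completes its headers in a few hundred bytes and well under a second."""
    stalled = defaultdict(int)
    for c in conns:
        if not c.headers_complete and c.age_s >= min_age_s and c.bytes_in < max_bytes:
            stalled[c.src] += 1
    return {src: n for src, n in stalled.items() if n >= min_conns}


def per_source_connection_share(conns):
    """Fraction of the connection table held by each source. One source owning most
    of the table is abnormal even when every one of its requests looks valid."""
    counts = defaultdict(int)
    for c in conns:
        counts[c.src] += 1
    return {src: n / len(conns) for src, n in counts.items()}


def detect_expensive_request_abuse(reqs, slow_ms=1000, min_hits=20):
    """Return {src: total_server_ms} for sources that repeatedly trigger slow,
    database-heavy requests. The match is on cost, not on the URL, so varying the
    query string (as the constructed sample does) does not evade it."""
    hits = defaultdict(int)
    cost = defaultdict(int)
    for src, _path, ms in reqs:
        if ms >= slow_ms:
            hits[src] += 1
            cost[src] += ms
    return {src: cost[src] for src in hits if hits[src] >= min_hits}


if __name__ == "__main__":
    print(detect_slow_header_attackers(SAMPLE_CONNS))       # {'192.0.2.66': 150}
    print(per_source_connection_share(SAMPLE_CONNS)["192.0.2.66"])
    print(detect_expensive_request_abuse(SAMPLE_REQUESTS))  # {'192.0.2.77': 88780}
```

The thresholds are placeholders to be tuned from a site's normal traffic. The point of the design is that the response (capping connections per source, enforcing a header-completion timeout, rate-limiting costly endpoints per source) is keyed to the measured behaviour, not to a URL or header value the attacker can change at will.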

[Chart: Classification of Attacks on Companies in 2013. Categories and values in extraction order: Don't know/not sure 14%; Multi-vector 37%; Applications 42%; Volumetric 44%.]

Base: 59 US and UK IT decision-makers at 500+ employee companies that have been hit by a DDoS or DNS-based attack within the last year

Source: “DNS Security Study”, a commissioned study conducted by Forrester Consulting on behalf of Verisign, July 2013

Page 7

Approaches To DDoS Protection

Legacy In-House Techniques
• Technology and expertise may not be current
• Only works for certain types of attacks (low-level or network-level attacks)

ISP Solutions
• Network-dependent
• Attack type mitigation can be limited
• Niche elements of Internet infrastructure management are not core expertise

Cloud-Based Services
• ISP-neutral solution provides global coverage
• Reduced operational cost and bandwidth investment due to the cloud-based model
• Multi-layer filtering that can identify and block complex, multi-vector attacks, including the application layer

Page 8

Approaches To DDoS Protection, continued

Hybrid: On-Premises Hardware + Cloud
• Always-on hybrid mitigation
• Lower operational overhead and cost, as the critical steps of managing attack mitigation are handled by the service
• Continuous monitoring of inbound and outbound traffic for malicious behavior
• Layered technologies can be more effective than single-layer alternatives

Page 9

Considerations For Determining Best DDoS Strategy

DDoS protection strategy appropriate for your organisation

• Risk assessment
  • What assets are valuable to the organization?
  • What is the network and application footprint, and where are the exposure points?
  • What are the existing protection mechanisms, and are they fit for purpose?
  • What is the cost of downtime, unavailability or reputational damage?
  • Is the threat clearly understood by management?
• Response plan
  • Design a solution based on gap analysis and risk assessment
  • Fit for purpose: volumetric and application-level defenses
  • Outsource + insource. Get specialist help.
  • Build in proactive defense: threat intelligence and situational awareness
  • Response team: people and process
  • Budget allocation

Page 10

Where to stop the attack?

Page 11

Stopping the attacks - what are the requirements?

Page 12

Solution 1: ACL

• Easy to implement and uses well-understood constructs
• Requires a high degree of co-ordination between Sec-Ops and Net-Ops
• Cumbersome to scale across a large network perimeter
• Mis-configuration is possible and expensive

Page 13

Solution 2: Destination RTBH

Page 14

Solution 2: Destination RTBH

• Requires pre-configuration of a discard route on all edge routers
• Monitoring, via a separate mechanism, identifies the destination of the attack
• The monitoring (trigger) router injects a route for the target prefix whose next hop resolves to the pre-configured discard route
• A BGP community is used to distribute the discard route
• Routers drop traffic to the target, taking it completely offline
• The attack has succeeded against the target, but collateral damage to everything else is limited

Page 15

Solution 3: Source RTBH

• Behavior for match and filtering action defined in RFC 5635
• Requires pre-configuration of a discard route on all edge routers
• Monitoring identifies the source of the attack and injects a discard route for it
• A BGP community is used to distribute the discard route
• Dropping on source relies on loose-mode uRPF at the edge: the source address now resolves to the discard route, so the uRPF check fails and packets from that source are dropped (RFC 5635)
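As an added example serving both the Destination RTBH slide above and this Source RTBH slide (not from the deck, and not router configuration), the Python model below walks through the control-plane mechanics the bullets describe: a pre-configured static discard route on every edge router, the trigger router's BGP announcement of a host route tagged with a blackhole community, an edge import policy, and the edge forwarding decision for both modes, including the loose-mode uRPF check that makes source RTBH work. The discard next-hop address 192.0.2.1, the community 65000:666, the core and customer prefixes and the client addresses are assumptions.

```python
"""Control-plane model of destination- and source-based RTBH (RFC 5635).

Added example, not from the Juniper deck and not router configuration. Every edge
router carries a static discard route for a reserved next-hop address; the trigger
router announces a /32 via BGP with that next hop, tagged with a blackhole community;
edge routers resolve the next hop recursively to 'discard'. Destination RTBH drops on
the destination lookup; source RTBH drops because loose-mode uRPF on the source
address resolves to the same discard route. All addresses and prefixes are assumed.
"""
import ipaddress

DISCARD_NEXT_HOP = "192.0.2.1"     # assumed: reserved address pointed at discard everywhere
BLACKHOLE_COMMUNITY = "65000:666"  # assumed: community that marks blackhole routes


class Rib:
    """Minimal routing table: longest-prefix match plus recursive next-hop resolution."""

    def __init__(self):
        self.routes = []  # (network, next hop or 'discard'/'connected', communities)

    def add(self, prefix, next_hop, communities=()):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, frozenset(communities)))

    def lookup(self, addr):
        addr = ipaddress.ip_address(addr)
        best = None
        for net, nh, comms in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, comms)
        return best

    def resolves_to_discard(self, addr):
        """Follow next hops until a terminal one; True if the chain ends in discard."""
        seen = set()
        while True:
            route = self.lookup(addr)
            if route is None or route[1] == "connected":
                return False
            if route[1] == "discard":
                return True
            if route[1] in seen:  # guard against a next-hop loop in a broken table
                return False
            seen.add(route[1])
            addr = route[1]


def trigger_announce(host_prefix):
    """The BGP update the trigger router sends: (prefix, next hop, communities)."""
    return (host_prefix, DISCARD_NEXT_HOP, (BLACKHOLE_COMMUNITY,))


def edge_import(rib, update):
    """Edge import policy: accept only host routes carrying the blackhole community, so a
    wider prefix announced by mistake (or by a compromised trigger) cannot blackhole a
    whole customer block. Returns True if the route was installed."""
    prefix, next_hop, comms = update
    net = ipaddress.ip_network(prefix)
    if BLACKHOLE_COMMUNITY not in comms or net.prefixlen != net.max_prefixlen:
        return False
    rib.add(prefix, next_hop, comms)
    return True


def edge_forward(rib, src, dst, loose_urpf=True):
    """Forwarding decision at an edge router: 'forward' or the reason for dropping."""
    if rib.resolves_to_discard(dst):
        return "drop:destination-blackhole"
    # Loose uRPF: drop when the source has no route at all or its route points at discard.
    if loose_urpf and (rib.lookup(src) is None or rib.resolves_to_discard(src)):
        return "drop:urpf-source-blackhole"
    return "forward"


def build_edge():
    """An edge router as pre-configured before any attack (assumed prefixes)."""
    rib = Rib()
    rib.add(DISCARD_NEXT_HOP + "/32", "discard")  # the pre-configured static discard route
    rib.add("10.0.0.0/24", "connected")           # core links
    rib.add("203.0.113.0/24", "10.0.0.2")         # customer prefix reached via the core
    rib.add("0.0.0.0/0", "10.0.0.1")              # default towards the upstream
    return rib


def demo():
    attacker, victim, neighbour = "198.51.100.50", "203.0.113.10", "203.0.113.20"
    edge = build_edge()
    before = edge_forward(edge, attacker, victim)
    # Destination RTBH: the victim /32 is blackholed; the neighbour in the same /24 is untouched.
    edge_import(edge, trigger_announce(victim + "/32"))
    dst_rtbh = (edge_forward(edge, attacker, victim), edge_forward(edge, attacker, neighbour))
    edge = build_edge()
    # Source RTBH: the attacker /32 is blackholed; uRPF drops it while another source still gets through.
    edge_import(edge, trigger_announce(attacker + "/32"))
    src_rtbh = (edge_forward(edge, attacker, victim), edge_forward(edge, "198.51.100.51", victim))
    # A /24 carrying the community is refused by the import policy.
    rejected = edge_import(build_edge(), ("203.0.113.0/24", DISCARD_NEXT_HOP, (BLACKHOLE_COMMUNITY,)))
    return before, dst_rtbh, src_rtbh, rejected


if __name__ == "__main__":
    print(demo())
```

Loose uRPF is what makes source RTBH work, and it also sets its limits: the attack source must be real, since a spoofed-source flood offers nothing stable to blackhole, and a blackholed source is dropped for every destination, so a mistaken trigger cuts a genuine user off entirely. Destination RTBH finishes the attacker's job against the one target, which is why the import policy that accepts only community-tagged host routes matters: it keeps a typo or a compromised trigger from taking a whole block offline.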

Pages 16 to 20: no extractable text.

Page 21

Q&A

Page 22

Thank you