An Inside Look at a Sophisticated Multi-Vector DDoS Attack

Nabeel Saeed, Product Marketing Manager, Incapsula
September 2015

© 2015 Imperva, Inc. All rights reserved.


Agenda

• What is Imperva Incapsula
• Overview of DDoS attacks
• DDoS attack trends
• Anatomy of a sophisticated DDoS attack
• Lessons learned


Speaker Bio for Nabeel Saeed

• Background
  – 5+ years experience with web application security and SaaS security solutions
  – Held product marketing roles at Imperva, Incapsula, Vertical Systems, etc.
• Contact
  – Email: [email protected]


Imperva products

Products that cover both Protect and Comply (slide diagram; product names as shown, plus Partners): User Rights Management for File, Data Loss Prevention, SecureSphere File Firewall, File Activity Monitor, SecureSphere Database Assessment Server, SecureSphere Database Firewall, SecureSphere for Big Data, SecureSphere Database Activity Monitor, User Rights Management, Data Masking, Vulnerability Assessment, Incapsula Back Door Detection, Incapsula Website Security, SecureSphere WAF ThreatRadar, Skyfence Cloud Discovery, Skyfence Cloud Analytics, Skyfence Cloud Protection, Skyfence Cloud Governance, Incapsula Infrastructure Protection, Incapsula Website Protection, Incapsula Name Server Protection, SecureSphere WAF.


Incapsula Overview

• Performance, Security, Availability
• Solving Top Operational Problems
• Delivered from the Cloud


Incapsula Application Delivery Cloud


1. An Overview of DDoS Attacks


DDoS Attacks in the News


What Is a DDoS Attack?

• An attack that makes your websites or online infrastructure completely inaccessible
• DDoS attacks
  – Are performed by large groups of infected computers (botnets)
  – Usually require special tools or services to defend against

(Diagram: legitimate traffic and DDoS bots both reach your site through your ISP and your Internet connection)


DDoS Attack Landscape Trends

• The number of DDoS attacks in 2014 vs. 2013: 2x
• Average DDoS attack size in 2014: 15 Gbps


What Are the Main Types of DDoS Attacks?

• Network layer DDoS attacks
  – Consume all available upload and download bandwidth to prevent access to websites
  – “Clogging the pipe” to a website

(Diagram: attack traffic saturating the path from your ISP over your Internet connection to your site)


What Are the Main Types of DDoS Attacks?

• Application layer DDoS attacks
  – Application requests overwhelm the Web server or database, causing it to crash
  – The website then becomes unavailable
  – “Overloading the server”

(Diagram: application layer requests passing through your ISP and your Internet connection to overload your site)


Who Is Performing These DDoS Attacks?

• Extortionists – looking for ransom money
• Vandals – looking to cause trouble
• Hacktivists – looking to make a point
• Competitors – looking to keep you out of a deal


What Is the Cost Impact of a DDoS Attack?

• Average cost of a DDoS attack: $40,000 per hour
• 45% of organizations are attacked
• 75% are attacked more than once
• 91% were attacked in the last 12 months
• 10% are attacked on a weekly basis


2. The Anatomy of a Sophisticated DDoS Attack


The Target of the Attack

• Successful SaaS platform
• Very competitive industry – online trading
• Multi-tenant environment; attacks on a single tenant impact all other tenants


Attack Phase 1 – SYN Flood

• 30 Gbps SYN flood (volumetric / network layer attack)
• Typical of any DDoS attack
  – Easy to perform (given the resources)
• No DNS amplification was used


SYN Flood DDoS Trends from Q2 DDoS Report

• SYN floods and large-SYN floods are two of the top three DDoS attack vectors by
  – Frequency
  – Size

Source: Imperva Incapsula – Q2 Global DDoS Threat Landscape Report


Attack Phase 1 – Mitigation

• Geo-distribution of attack traffic
  – Sharing the load
• Dedicated networking capabilities to deal with volumetric attacks
• Aggressive blacklisting of offending IP addresses


Attack Phase 2 – HTTP Flood

• HTTP flood DDoS attack with 10M requests per second
• Targeting “resource intensive” pages
• “The smoke screen” for other application layer attacks
  – This type and level of attack persisted for weeks


Application DDoS Trends from Q2 DDoS Report

• In Q2 2015 we saw that application layer attacks were
  – Shorter in duration than in the past
  – More frequently recurring

Source: Imperva Incapsula – Q2 Global DDoS Threat Landscape Report


Attack Phase 2 – Mitigation

• Employ anti-bot technology
• Use non-intrusive progressive challenges to differentiate legitimate browsers from bots
  – IP address and ASN info
  – Cookie support variations
  – JavaScript challenges
  – CAPTCHA

Further notes
• Be transparent, don’t punish humans
• Be bot friendly (good bots like Google and Baidu still need access)
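The progressive challenge ladder described on this slide, combined with the “fail-open for humans” lesson later in the deck, as an added Python example (not Incapsula’s code): transparent checks run first, a CAPTCHA is served only to clients that fail them, a block follows only after repeated CAPTCHA failures, and known crawlers are exempted by ASN. The ASN allowlist values, the attempt limit and the rung names are assumptions.

```python
from dataclasses import dataclass

# Constructed allowlist of crawler ASNs (illustrative values); a deployment
# would also verify crawler identity, e.g. by reverse DNS of the source IP.
GOOD_BOT_ASNS = {15169: "googlebot", 38365: "baiduspider"}

TRANSPARENT = ("cookie", "javascript")  # rungs invisible to a human user
INTERACTIVE = "captcha"                  # the only rung a human ever sees
MAX_CAPTCHA_ATTEMPTS = 3                 # assumption: block after this many misses


@dataclass
class Client:
    ip: str
    asn: int
    results: dict              # rung -> True (passed) / False (failed); absent = not tried
    captcha_attempts: int = 0  # incremented by the caller each time a CAPTCHA is served


def decide(client):
    """Return ("allow", reason), ("challenge", rung) or ("block", reason)."""
    if client.asn in GOOD_BOT_ASNS:          # good bots still need access
        return ("allow", "known crawler " + GOOD_BOT_ASNS[client.asn])
    for rung in TRANSPARENT:
        outcome = client.results.get(rung)
        if outcome is None:
            return ("challenge", rung)       # cheapest untried check first
        if outcome is False:
            break                            # suspicious: fall through to CAPTCHA
    else:
        return ("allow", "passed transparent checks")   # real browser, never prompted
    if client.results.get(INTERACTIVE) is True:
        return ("allow", "human solved CAPTCHA")        # fail-open for humans
    if client.captcha_attempts >= MAX_CAPTCHA_ATTEMPTS:
        return ("block", "repeated CAPTCHA failures")
    return ("challenge", INTERACTIVE)
```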


Attack Phase 3 – An AJAX Attack

• Primary target – the database

• AJAX requests can sometimes bypass JS Challenges

• Requests were targeting separate sub services in a “registered users only” area of the application

• Used hijacked cookies to make heavy AJAX requests


Attack Phase 3 – Mitigation

• Visitor reputation techniques
• Detecting abnormal behavioral patterns
  – Order and frequency of requests
  – Interaction between clients and servers
  – JavaScript injection to actively classify clients
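Detection of the order-and-frequency anomalies this slide refers to, as an added Python example that is not Incapsula’s code: it parses constructed access-log lines keyed by session cookie and flags a session that calls a heavy AJAX endpoint without first loading the page that normally issues it, that exceeds a heavy-call rate, or whose cookie is replayed from several source addresses (the hijacked-cookie case from the previous slide). The endpoint names, thresholds and log format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(                      # combined log format plus a trailing sid= field
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d+ \S+ "[^"]*" "[^"]*" sid=(?P<sid>\S+)')
HEAVY_PAGE = {"/api/quotes": "/portfolio"}  # constructed: AJAX backend -> page that loads it
MAX_HEAVY_PER_WINDOW, WINDOW = 20, 60       # constructed threshold: heavy calls per 60 s

def parse(line):
    m = LOG_RE.match(line)
    return m and dict(m.groupdict(), ts=datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))

def analyse(lines):
    """Per session: heavy call before its parent page (order), peak heavy calls in a
    window (rate), distinct source IPs (cookie replay) and a verdict."""
    sessions = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        sessions[rec["sid"]].append(rec)
    report = {}
    for sid, recs in sessions.items():
        recs.sort(key=lambda r: r["ts"])
        seen, heavy_ts, order_bad = set(), [], False
        for r in recs:
            if r["path"] in HEAVY_PAGE:
                heavy_ts.append(r["ts"])
                order_bad |= HEAVY_PAGE[r["path"]] not in seen  # AJAX call before its page
            else:
                seen.add(r["path"])
        peak = max((sum(0 <= (u - t).total_seconds() < WINDOW for u in heavy_ts)
                    for t in heavy_ts), default=0)
        ips = len({r["ip"] for r in recs})
        flagged = order_bad or peak > MAX_HEAVY_PER_WINDOW or ips > 1
        report[sid] = {"order": order_bad, "rate": peak, "ips": ips,
                       "verdict": "challenge" if flagged else "allow"}
    return report

def _line(ip, ts, path, sid):  # builds one constructed log line
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0" sid={sid}'

SAMPLE = [  # constructed: one human session and one session replaying a stolen cookie
    _line("203.0.113.5", "10/Sep/2015:10:00:00", "/portfolio", "h1"),
    _line("203.0.113.5", "10/Sep/2015:10:00:01", "/static/app.js", "h1"),
    _line("203.0.113.5", "10/Sep/2015:10:00:02", "/api/quotes", "h1"),
    _line("203.0.113.5", "10/Sep/2015:10:00:32", "/api/quotes", "h1"),
] + [_line(f"198.51.100.{i % 7 + 1}", f"10/Sep/2015:10:00:{i:02d}", "/api/quotes", "b1")
     for i in range(40)]
```

Running `analyse(SAMPLE)` leaves the human session on "allow" and sends the replayed-cookie session to "challenge" on all three signals.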


Attack Phase 4 – On Demand Browser Barrage

• The symptoms:
  – Huge spike in browser based traffic
  – Browser windows popping up on people’s PCs
  – Innocent people contacting Incapsula: “You’re hijacking my PC!”
• Initial response – CAPTCHA challenges
• Post-mortem analysis conclusion
  – A PushDo botnet with 20k bots was opening real browsers on hijacked computers, pointing them at the target application


Attack Phase 4 – Mitigation

• Reverse engineering the trojan
• Crafting a signature to identify and block the bots


Attack Phase 5 – Headless Browsers

• The symptoms:
  – 150 hours of spike in browser based traffic
  – 180,000 new IP sources
  – 861 variants
• Headless browsers leveraging “Phantom JS” were being used to emulate real users
  – Generating 700 million requests per day


Application DDoS Attack Results from Q2 DDoS Report

In Q2 2015 the largest application layer DDoS attack we saw had 179,712 RPS (that’s 15,527,116,800 requests per day)

Source: Imperva Incapsula – Q2 Global DDoS Threat Landscape Report


Attack Phase 5 – Mitigation

• Reverse engineering the Phantom JS kit
• Crafting a signature to identify and block all bots using this kit


Findings from Q2 2015 Global DDoS Threat Landscape Report

• In Q2 botnet owners displayed more ability to assume identities to avoid detection

• Roughly 74% of application DDoS attack bots are still primitive


Attack Analysis Conclusions

• DDoS attacks are becoming more like APTs
• It is an ongoing cat-and-mouse game
• Attacks can last for weeks and reappear repeatedly
• Don’t expect to have a silver bullet


3. Five Lessons Learned


Attacks Are Increasing in Size, So Should Your Defense Capability

• Network layer DDoS attacks are getting bigger
• Your defenses need to be able to deal with multi-gigabit attacks
• Select a provider with a large scrubbing network

(Diagram: past vs. present attack sizes)


Don’t Punish Your Users

• Your users don’t need to know or care if you are under attack
• People don’t like to hang out in dangerous places
• DDoS attacks should be mitigated in a way that doesn’t
  – Cause delays (no hold screens)
  – Require extra steps (no CAPTCHAs or splash screens)
  – Serve outdated content


Fail-open for Humans

• All human users should be able to bypass protection mechanisms
• Legitimate users should be given an opportunity to
  – Express concern or complain if they are affected
  – Prove they are legitimate with a CAPTCHA


Automation

• Automated, always-on solutions should be used whenever possible
  – Web assets should be monitored for attacks 24x7
  – Identification is always on
• Always on doesn’t mean always “locked down”
  – DDoS rules should be on call but not implemented until necessary
  – Mitigation is on when needed


Conclusions

• Ensure you have enough network capacity
• Invest in technology:
  – Rapid analysis tools
  – Instant patching infrastructure
  – Trial and error methodology
• Keep up with your research
• Have people at the wheel!


Want to Learn More?

Download the Q2 2015 Global DDoS Threat Landscape Report, or sign up for a free 14-day trial by visiting www.incapsula.com


Questions?
