© 2015 Imperva, Inc. All rights reserved. An Inside Look at a Sophisticated, Multi-vector DDoS Attack Orion Cassetto, Dir. of Product Marketing, Incapsula June 2015

Agenda

•  What is Imperva Incapsula
•  Overview of DDoS attacks
•  DDoS attack trends
•  Anatomy of a sophisticated DDoS attack
•  Lessons learned

Speaker Bio for Orion Cassetto

•  Background
  –  8+ years experience with web application security and SaaS security solutions
  –  Held product marketing roles at Imperva, Incapsula, Armorize Technologies, etc.
•  Contact:
  –  Twitter: @orionevolution
  –  Email: [email protected]

Imperva products

Products that cover both Protect and Comply

•  SecureSphere WAF
•  SecureSphere WAF ThreatRadar
•  Incapsula Website Security
•  Incapsula Website Protection
•  Incapsula Infrastructure Protection
•  Incapsula Name Server Protection
•  Incapsula Back Door Detection
•  SecureSphere Database Firewall
•  SecureSphere Database Activity Monitor
•  SecureSphere Database Assessment Server
•  SecureSphere for Big Data
•  SecureSphere File Firewall
•  File Activity Monitor
•  User Rights Management for File
•  User Rights Management
•  Data Masking
•  Data Loss Prevention
•  Vulnerability Assessment
•  Skyfence Cloud Discovery
•  Skyfence Cloud Analytics
•  Skyfence Cloud Protection
•  Skyfence Cloud Governance
•  Partners

Incapsula Overview

Performance Security Availability

Solving Top Operational Problems

Delivered from the Cloud

Incapsula Application Delivery Cloud

1. An Overview of DDoS Attacks

DDoS Attacks in the News

What Is a DDoS Attack?

•  DDoS attacks
  –  Are performed by large groups of infected computers (botnets)
  –  Usually require special tools or services to defend against

An attack that makes your websites or online infrastructure completely inaccessible

Diagram labels: Legitimate Traffic, DDoS Bots, Your ISP, Your Internet Connection, Your Site

DDoS Attack Landscape Trends

•  The number of DDoS attacks in 2014 vs. 2013: 2x
•  Average DDoS attack size in 2014: 15Gbps

What Are the Main Types of DDoS Attacks?

•  Network layer DDoS attacks
  –  Consume all available upload and download bandwidth to prevent access to websites
  –  “Clogging the pipe to a website”

Diagram labels: Your Site, Your Internet Connection, Your ISP

What Are the Main Types of DDoS Attacks?

•  Application layer DDoS attacks
  –  Application requests overwhelm the Web server or database, causing it to crash
  –  The website then becomes unavailable
  –  “Overloading the server”

Diagram labels: Application layer requests, Your Site, Your Internet Connection, Your ISP

Who Is Performing These DDoS Attacks?

•  Extortionists – looking for ransom money
•  Vandals – looking to cause trouble
•  Hacktivists – looking to make a point
•  Competitors – looking to keep you out of a deal

What Is the Impact of a DDoS Attack?

•  Average cost of a DDoS attack: $40,000 per hour
•  45% of organizations are attacked
•  75% are attacked more than once
•  91% were attacked in the last 12 months
•  10% are attacked on a weekly basis

2. The Anatomy of a Sophisticated DDoS Attack

The Target of the Attack

•  Successful SaaS platform

•  Very competitive industry – Online trading

•  Multi-tenant environment; Attacks on a single tenant impact all other tenants

Attack Phase 1 – SYN Flood

•  30Gbps SYN Flood (Volumetric / Network Layer attack)

•  Typical of any DDoS attack –  Easy to perform (given the resources)

•  No DNS amplification was used

SYN Flood DDoS Trends from Q2 DDoS Report

•  SYN floods and Large-SYN floods are two of the top three DDoS attack vectors by
  –  Frequency
  –  Size

Source: Imperva Incapsula – Q2 Global DDoS Threat Landscape Report

Attack Phase 1 – Mitigation

•  Geo-distribution of attack traffic –  Sharing the load

•  Dedicated networking capabilities to deal with volumetric attacks

•  Aggressive blacklisting of offending IP addresses

Attack Phase 2 – HTTP Flood

•  HTTP Flood DDoS attack with 10M requests per second
•  Targeting “resource intensive” pages
•  “The smoke screen” for other application layer attacks
  –  This type and level of attack persisted for weeks

Application DDoS Trends from Q2 DDoS Report

•  In Q2 2015 we saw that application layer attacks were
  –  Shorter in duration than in the past
  –  More frequently recurring

Source: Imperva Incapsula – Q2 Global DDoS Threat Landscape Report

Attack Phase 2 – Mitigation

•  Employ anti-bot technology
•  Use non-intrusive progressive challenges to differentiate legitimate browsers from bots
  –  IP address and ASN info
  –  Cookie support variations
  –  JavaScript challenges
  –  CAPTCHA

Further notes
•  Be transparent, don’t punish humans
•  Be bot friendly (good bots like Google, Baidu still need access)

Attack Phase 3 – An AJAX Attack

•  Primary target – the database

•  AJAX requests can sometimes bypass JS Challenges

•  Requests were targeting separate sub services in a “registered users only” area of the application

•  Used hijacked cookies to make heavy AJAX requests

Attack Phase 3 – Mitigation

•  Visitor reputation techniques
•  Detecting abnormal behavioral patterns
  –  Order and frequency of requests
  –  Interaction between clients and servers
  –  JavaScript injection to actively classify clients
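The progressive-challenge ladder from the Phase 2 mitigation and the behavioural signals from the Phase 3 mitigation (request frequency, repetition of the same path, use of database-heavy endpoints, whether the JavaScript challenge was passed) combined into one per-client decision, as an added example written for this page and not code from the talk or from Incapsula. The sample traffic, the heavy-endpoint list, the good-bot allow list and the thresholds are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample traffic (not from the talk): (seconds, client ip, path, passed_js_challenge)
SAMPLE = [
    (0.0, "203.0.113.5", "/login", True),
    (0.8, "203.0.113.5", "/dashboard", True),
    (3.5, "203.0.113.5", "/api/positions", True),
    (0.0, "192.0.2.77", "/index.html", False),  # first visit, no JS cookie yet
]
# Session-backed AJAX hammering of one database-heavy endpoint, JS challenge already passed
SAMPLE += [(i / 10, "198.51.100.9", "/api/positions", True) for i in range(8)]
# Primitive HTTP flood: no JS support, one page, 20 hits per second
SAMPLE += [(i / 20, "192.0.2.44", "/index.html", False) for i in range(40)]

HEAVY_PATHS = {"/api/positions", "/api/quotes"}  # constructed: known database-heavy endpoints
GOOD_BOT_IPS = {"192.0.2.200"}  # constructed stand-in for a verified good-crawler list

def group_by_client(events):
    by_ip = defaultdict(list)
    for ts, ip, path, js in sorted(events):
        by_ip[ip].append((ts, path, js))
    return by_ip

def profile(hits):
    """Per-client behaviour: request rate, path repetition, heavy-endpoint share, JS status."""
    span = max(1.0, hits[-1][0] - hits[0][0])  # floor at 1 s so a lone hit is not a flood
    paths = [p for _, p, _ in hits]
    return {
        "rps": len(hits) / span,
        "repeat_ratio": 1 - len(set(paths)) / len(paths),
        "heavy_share": sum(p in HEAVY_PATHS for p in paths) / len(paths),
        "js_passed": all(js for _, _, js in hits),
    }

def decide(ip, hits):
    """Pick the least intrusive tier the evidence supports: allow, js_challenge, captcha, block."""
    if ip in GOOD_BOT_IPS:
        return "allow"  # good bots still need access
    p = profile(hits)
    if not p["js_passed"]:
        # No JS support shown yet: transparent challenge first; block only an outright flood
        return "block" if p["rps"] >= 10 else "js_challenge"
    if p["heavy_share"] >= 0.8 and p["repeat_ratio"] >= 0.6 and p["rps"] >= 3:
        return "captcha"  # passed JS, but repeatedly hits one DB-backed AJAX endpoint
    return "allow"

def classify(events):
    return {ip: decide(ip, hits) for ip, hits in group_by_client(events).items()}
```

Calling `classify(SAMPLE)` yields one verdict per client; the two human-looking clients get "allow" and a transparent "js_challenge", while the AJAX hammering earns a CAPTCHA and the primitive flood is blocked.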

Attack Phase 4 – On Demand Browser Barrage

•  The symptoms:
  –  Huge spike in browser-based traffic
  –  Browser windows popping up on people’s PCs
  –  Innocent people contacting Incapsula: “You’re hijacking my PC!”
•  Initial response – CAPTCHA challenges
•  Post-mortem analysis conclusion
  –  A PushDo botnet with 20k bots was opening real browsers on hijacked computers, pointing them at the target application

Attack Phase 4 – Mitigation

•  Reverse engineering the trojan
•  Crafting a signature to identify and block the bots

Attack Phase 5 – Headless Browsers

•  The symptoms:
  –  150 hours of spike in browser-based traffic
  –  180,000 new IP sources
  –  861 variants
•  Headless browsers leveraging “Phantom JS” were being used to emulate real users
  –  Generating 700 million requests per day

Application DDoS Attack Results from Q2 DDoS Report

In Q2 2015 the largest application layer DDoS attack we saw had 179,712 RPS (that’s 15,527,116,800 requests per day)

Source: Imperva Incapsula – Q2 Global DDoS Threat Landscape Report

Attack Phase 5 – Mitigation

•  Reverse engineering the Phantom JS kit
•  Crafting a signature to identify and block all bots using this kit

Findings from Q2 2015 Global DDoS Threat Landscape Report

•  In Q2 botnet owners displayed more ability to assume identities to avoid detection

•  Roughly 74% of application DDoS attack bots are still primitive

Attack Analysis Conclusions

•  DDoS attacks are becoming more like APTs
•  It is an ongoing cat-and-mouse game
•  Attacks can last for weeks and reappear repeatedly
•  Don’t expect to have a silver bullet

3. Five Lessons Learned

Attacks are Increasing in Size, So Should Your Defense Capability

•  Network layer DDoS attacks are getting bigger
•  Your defenses need to be able to deal with multi-gigabit attacks
•  Select a provider with a large scrubbing network

Don’t Punish Your Users

•  Your users don’t need to know or care if you are under attack

•  People don’t like to hang out in dangerous places

•  DDoS attacks should be mitigated in a way that doesn’t
  –  Cause delays (no hold screens)
  –  Require extra steps (no CAPTCHAs or splash screens)
  –  Serve outdated content

Fail-open for Humans

•  All human users should be able to bypass protection mechanisms

•  Legitimate users should be given an opportunity to
  –  Express concern or complain if they are affected
  –  Prove they are legitimate with a CAPTCHA

Automation

•  Automated, always-on solutions should be used whenever possible
  –  Web assets should be monitored for attacks 24x7
  –  Identification is always on
•  Always on doesn’t mean always “locked down”
  –  DDoS rules should be on call but not implemented until necessary
  –  Mitigation is on when needed

Conclusions

•  Ensure you have enough network capacity
•  Invest in technology:
  –  Rapid analysis tools
  –  Instant patching infrastructure
  –  Trial and error methodology
•  Keep up with your research
•  Have people at the wheel!

Want to Learn More?

Download the Q2 2015 Global DDoS Threat Landscape Report or sign up for a free 14 day trial by visiting www.incapsula.com
