
D3LDN17 - A Pragmatists Guide to DDoS Mitigation

Page 3: D3LDN17 - A Pragmatists Guide to DDoS Mitigation

A Pragmatists Guide to DDoS Mitigation

Phil Williams

Page 4: D3LDN17 - A Pragmatists Guide to DDoS Mitigation

© 2017 Imperva, Inc. All rights reserved.

How can we approach mitigation intelligently?

What do we need to protect?

What are the common ‘traps’?

Why are we here?

Page 5: D3LDN17 - A Pragmatists Guide to DDoS Mitigation

First, some food for thought

ANDREAS LINDH
• Swedish infosec practitioner.
• Graciously provided permission to reference his material.
• @addelindh on Twitter.
• You really should follow him (on Twitter, not in real life).

HIS PRESENTATION
• March 2015, Heidelberg, Germany.
• Really good!
• You should find and watch it.

Page 6: D3LDN17 - A Pragmatists Guide to DDoS Mitigation

“An attacker only needs to find one weakness while the defender needs to protect all of them all of the time.”

“A skilled and motivated attacker will always find a way.”

“Attackers have bosses and budgets too.”

Page 7: D3LDN17 - A Pragmatists Guide to DDoS Mitigation

Some Principles of Defender Economics

1. If the cost to attack is less than the value to the attacker of your information (or, for DDoS, of your lack of service), you will be attacked.

2. You don’t need to protect against everything.

3. The attacker’s greatest strength is time.

4. Your greatest strength is space.

5. You need to increase the cost of a successful attack to a point where it’s no longer profitable to the attacker.

BREAK THE ATTACKER’S BUDGET WITHOUT BREAKING YOUR OWN.

Page 8: D3LDN17 - A Pragmatists Guide to DDoS Mitigation

“1. If the cost to attack is less than the value of your information to the attacker, you will be attacked.”

Page 9: D3LDN17 - A Pragmatists Guide to DDoS Mitigation

“2. You don’t need to protect against everything.”

Page 10: D3LDN17 - A Pragmatists Guide to DDoS Mitigation

“3. The attacker’s greatest strength is time.”

Attacker chooses:

• When to start attacking.

• When to stop attacking.

• Which days to be active.

• Which times of day to be active.

• Speed / size of attack.

• The timeline for any public announcements they make.

Defence issues:

• Defender has limited timeline awareness.

• Controls which are slower to respond than attacker’s evasion speed are of limited value.

• 24x7 operation is much more expensive for defence than attack.

Page 11: D3LDN17 - A Pragmatists Guide to DDoS Mitigation

“4. The defender’s greatest strength is space.”

Defender designs, builds and operates the infrastructure, applications and security controls.

DEFENDER SETS THE BUDGET FOR A SUCCESSFUL ATTACK.

Attacker: goose.

Target: humans.

Controls: Window + sign (cheap, effective).

Budget: bread for 2 x penetration geese, 8x5 hours of operation.

Page 12: D3LDN17 - A Pragmatists Guide to DDoS Mitigation

So let’s recap…

• A DDoS attacker is after something
  – Money
  – Vendetta
  – Street cred
• They have all the time and space in the world to plan and execute
• We have control of the ‘cost’ and therefore the probability

Page 13: D3LDN17 - A Pragmatists Guide to DDoS Mitigation

Let’s also agree on what a DDoS is…

• DoS = Denial of Service
• The extra ‘D’ just states that it’s distributed
• Normally in IT we are talking about consuming resources
• Can be targeted at many ‘layers’ of the network

Page 14: D3LDN17 - A Pragmatists Guide to DDoS Mitigation

DDoS Attacks – Infrastructure Targeted


Page 15: D3LDN17 - A Pragmatists Guide to DDoS Mitigation

DDoS Attacks – Application Targeted


Page 16: D3LDN17 - A Pragmatists Guide to DDoS Mitigation

SO! Now what?

• We understand that the attacker has goals
• We understand the ‘vectors’ he may use
• Let’s evaluate our network like an attacker would

Page 17: D3LDN17 - A Pragmatists Guide to DDoS Mitigation

Target = www.philw.uk

• Site IP = 88.98.85.58
  – Upstream router not visible
• ISP = Zen Internet
  – Multiple peers, ~90 Gb/s
• DNS service is GoDaddy
  – Well connected
• Other hosts available

Page 20: D3LDN17 - A Pragmatists Guide to DDoS Mitigation

Attack options

• Cheap options
  – Volumetric attack against target hosts
  – Application attack against website
  – Mail flood against SMTP
• Expensive options
  – Attack DNS service
  – Attack ISP

Page 21: D3LDN17 - A Pragmatists Guide to DDoS Mitigation

Attack Costs


Page 22: D3LDN17 - A Pragmatists Guide to DDoS Mitigation

Let’s deploy some defences

• Incapsula Website Protection
• Incapsula DNS Protection

Page 23: D3LDN17 - A Pragmatists Guide to DDoS Mitigation

What does the same recon now show?

Page 24: D3LDN17 - A Pragmatists Guide to DDoS Mitigation

Attack options revised

• Cheap options
  – Volumetric attack against target hosts
  – Application attack against website
  – Mail flood against SMTP
  – Have a guess at hosts: FTP / VPN / etc.
• Expensive options
  – Attack DNS service = attack Incapsula
  – Attack ISP
  – Attack Incapsula

Page 25: D3LDN17 - A Pragmatists Guide to DDoS Mitigation

A bit more defence

• Use an external mail relay
  – Office 365
  – MessageLabs etc.
• Use Incapsula Protected IP
  – Protect the FTP service / mask its IP
• Use non-predictable names
  – connecttooffice.philw.uk
  – Or do not use a hostname at all

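The recon walk-through on the www.philw.uk slides and the fixes above, as an added example that is not code from the deck or from Imperva: a Python audit over a public zone’s records that flags what an attacker’s DNS recon still hands them once the website and DNS sit behind a mitigation provider, bucketed into the deck’s “cheap” and “expensive” options. The zones, the example.com names, the RFC 5737 addresses standing in for the origin network and the provider, and the relay/DNS-provider hostnames are all constructed. The SPF check goes one step past the deck: a published ip4: mechanism gives away the origin address even after mail has been moved to an external relay.

```python
"""Origin-exposure audit of a public DNS zone (added example, not the deck's code).

Applies the deck's reasoning to what an attacker's recon sees: which records still
lead into your own network once the website and DNS sit behind a mitigation
provider, and what each one costs the attacker. Offline: zones are constructed below.
"""
import ipaddress
from dataclasses import dataclass
# Assumption: the address space we want hidden (RFC 5737 documentation range).
ORIGIN_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Labels an attacker guesses first ("Have a guess at hosts, FTP / VPN / etc").
PREDICTABLE_LABELS = {"ftp", "sftp", "vpn", "remote", "mail", "smtp", "webmail",
                      "owa", "dev", "staging", "test", "admin", "ns1", "ns2"}

# Constructed "before" zone: website already proxied (198.51.100.10 stands in for
# the provider's address); everything else still points at the origin network.
ZONE_BEFORE = [
    ("example.com.", "A", "198.51.100.10"),
    ("www.example.com.", "CNAME", "example.com."),
    ("example.com.", "MX", "10 mail.example.com."),
    ("mail.example.com.", "A", "203.0.113.25"),
    ("ftp.example.com.", "A", "203.0.113.26"),
    ("vpn.example.com.", "A", "203.0.113.1"),
    ("connecttooffice.example.com.", "A", "203.0.113.2"),
    ("example.com.", "NS", "ns1.example.com."),
    ("ns1.example.com.", "A", "203.0.113.53"),
    ("example.com.", "TXT", "v=spf1 ip4:203.0.113.25 -all"),
]
# Constructed "after" zone with the deck's fixes: external relay, FTP behind a protected
# IP, DNS at a provider, no hostname for office access. Provider names are hypothetical.
ZONE_AFTER = [
    ("example.com.", "A", "198.51.100.10"),
    ("www.example.com.", "CNAME", "example.com."),
    ("example.com.", "MX", "10 relay.mailprovider.example."),
    ("ftp.example.com.", "A", "198.51.100.11"),
    ("example.com.", "NS", "ns1.dnsprovider.example."),
    ("example.com.", "TXT", "v=spf1 include:mailprovider.example -all"),
]

@dataclass(frozen=True)
class Finding:
    name: str
    vector: str  # what recon hands the attacker
    cost: str    # "cheap" or "expensive", in the deck's terms
    fix: str

def _origin_hit(addr, nets):
    """True if an IP or SPF-style prefix overlaps the origin networks."""
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return False
    return any(net.overlaps(n) for n in nets)

def _resolve(zone, name, depth=0):
    """Follow A/AAAA/CNAME chains inside the zone only; unknown names give []."""
    if depth > 8:  # guard against CNAME loops
        return []
    out = []
    for n, t, r in zone:
        if n == name and t in ("A", "AAAA"):
            out.append(r)
        elif n == name and t == "CNAME":
            out.extend(_resolve(zone, r, depth + 1))
    return out

def audit(zone, origin_nets=ORIGIN_NETS):
    """Return one Finding per record that still leads an attacker to the origin."""
    findings = []
    on_origin = lambda host: any(_origin_hit(a, origin_nets) for a in _resolve(zone, host))
    for name, rtype, rdata in zone:
        label = name.split(".")[0].lower()
        if rtype in ("A", "AAAA") and _origin_hit(rdata, origin_nets):
            if label in PREDICTABLE_LABELS:
                findings.append(Finding(name, f"{rtype} {rdata} on a guessable name", "cheap",
                                        "front it with a protected IP or rename it unpredictably"))
            else:
                findings.append(Finding(name, f"{rtype} {rdata} on a non-obvious name", "expensive",
                                        "attacker has to guess it; keep the name out of public references"))
        elif rtype == "MX" and on_origin(rdata.split()[-1]):
            findings.append(Finding(name, f"MX {rdata} delivers straight into the origin network",
                                    "cheap", "use an external mail relay"))
        elif rtype == "NS" and on_origin(rdata):
            findings.append(Finding(name, f"authoritative NS {rdata} sits on the origin network",
                                    "expensive", "host DNS with a well-connected or protected provider"))
        elif rtype == "TXT" and rdata.startswith("v=spf1"):
            for tok in rdata.split():
                if tok[:4] in ("ip4:", "ip6:") and _origin_hit(tok[4:], origin_nets):
                    findings.append(Finding(name, f"SPF mechanism {tok} publishes an origin address",
                                            "cheap", "reference the relay with include: instead of your own IPs"))
    return findings

def summarize(findings):
    """Count findings per attacker-cost bucket."""
    return {c: sum(1 for f in findings if f.cost == c) for c in ("cheap", "expensive")}

if __name__ == "__main__":
    for title, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        found = audit(zone)
        print(title, summarize(found), [f"{f.name} [{f.cost}] {f.vector}" for f in found])
```

Run against the “before” zone the audit reports six cheap targets (the MX, the mail/ftp/vpn/ns1 hosts, and the SPF record) and two expensive ones (the non-obvious office hostname and self-hosted DNS); against the “after” zone it reports nothing, which is the deck’s end state: what is left is the attacker guessing hosts or attacking the provider. The only resolution is in-zone, so the audit is a check of what you publish rather than a live probe; a real run would feed it a zone transfer or a record export from the DNS provider.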

Page 26: D3LDN17 - A Pragmatists Guide to DDoS Mitigation

Attack options remaining

• Cheap options
  – Volumetric attack against target hosts
  – Application attack against website
  – Mail flood against SMTP
  – Have a guess at hosts: FTP / VPN / etc.
• Expensive options
  – Attack DNS service = attack Incapsula
  – Attack ISP
  – Attack Incapsula

Page 27: D3LDN17 - A Pragmatists Guide to DDoS Mitigation

The Attacker’s Choice

• Spend time guessing hosts
  – Hope that you find one that:
    • A) Is actually part of the target network
    • B) Is valuable enough to target to be effective
• Attack what you can see and hope
  – Expensive
  – Low probability of success
• Find a new target

Page 28: D3LDN17 - A Pragmatists Guide to DDoS Mitigation

So where does this leave us?

• Push as much as you can away from your network
• Hide everything you can
• Protect what you can’t
• Understand what your ‘viable targets’ are and focus on those