DDoS Attacks and What to Do About Them

DESCRIPTION

You’ve seen it in the news. Hackers release malicious code to infect computers to trigger mass attacks against specific websites, causing them to be inaccessible to legitimate traffic. Unfortunately, financial institutions are becoming more frequent victims of DDoS attacks. Probably the biggest misconception on DDoS attacks is that once you have a firewall or protective software installed and are running at a well-respected data center, you’re already safe. Unfortunately, recent attacks to major websites have disproved that. DDoS attacks cannot be prevented. But there are steps that you can take to reduce the time to mitigate a DDoS attack once one begins. About LKCS: LKCS provides financial institutions with marketing, graphic design, commercial printing, mailing, internet development, e-marketing, newsletter production, database and one-to-one marketing, statement processing, e-statements and transpromotional marketing services. Our clients have counted on us for unrivaled experience, excellent quality, competitive pricing and superior service for over four decades. LKCS – We do that.


Page 1: DDoS Attacks and What to Do About Them

DDoS Attacks And What to Do About Them

Page 2: DDoS Attacks and What to Do About Them

LKCS

Page 3: DDoS Attacks and What to Do About Them

What is a DDoS attack?

• DDoS = Distributed Denial of Service

– A DDoS attacker’s goal is that your web site (or a specific web application) becomes inaccessible – to deny service to your members/customers.

– Distributed across many computers and many internet connections.

– Typically thousands or millions of routine web server requests are made consecutively until they overwhelm the web servers, firewalls, routers, etc. and consume all of the internet bandwidth available.

• There is NO WAY TO PREVENT a DDoS attack.

Page 4: DDoS Attacks and What to Do About Them

DDoS Attack Phases

• Phase One: Target Acquisition.

– An attacker picks a company, organization, data center, or server to attack.

– The reason for selection could be financial (someone is paying the attacker), political “hacktivism” (the attacker is trying to make a statement), or it could be just for malicious fun.

Page 5: DDoS Attacks and What to Do About Them

DDoS Attack Phases (cont.)

• Phase Two: Groundwork.

– The attacker compromises a large number of unsecured computers (typically home user machines with broadband internet connections).

– Software is maliciously installed on each machine that the attacker will later use to target your network.

– Access to these “botnets” can even be rented by the hour!

– Hacker collectives bring scale and expertise to attacks.

Page 6: DDoS Attacks and What to Do About Them

DDoS Attack Phases (cont.)

• Phase Three: ATTACK.

– The attacker sends a command to each of the compromised hosts (now known as zombie computers) and commands them to flood the target with legitimate web requests, overwhelming the web server(s) or choking the bandwidth to a snail’s pace.

– The attack lasts as long as the attacker wants, or at least for as long as he/she/they can afford.

Page 7: DDoS Attacks and What to Do About Them

About Botnets

A botnet can generate 1 million times the available bandwidth of a business.

It takes just 64,000 PCs infected with a virus like Conficker to generate 10 gigabits per second of traffic.

Mariposa, the largest known botnet, affected 12 million PCs. It could have generated a DDoS attack as large as 31.2 terabytes per second.

Source: AT&T

Page 8: DDoS Attacks and What to Do About Them

Too easy!

• “Low Orbit Ion Cannon” – Just one kind of DDoS attack

– Easy to use, online accessible tool for the novice hacker

– Menu choices enable the hacker to choose protocols for attack (TCP, UDP, ICMP)

– The rate of attack is also easily adjustable

– The hacker can choose to attack a web URL or IP address

Page 9: DDoS Attacks and What to Do About Them

A Few Others

Page 10: DDoS Attacks and What to Do About Them

Types of Attacks – for the techies

• Volume Based Attacks

– Includes UDP floods, ICMP floods, and other spoofed-packet floods.

– The attack’s goal is to saturate the bandwidth of the attacked site.

– Magnitude is measured in Bits per Second (bps).

• Protocol Attacks

– Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more.

– This type of attack consumes actual server resources, or those of intermediate communication equipment, such as firewalls and load balancers.

– Measured in Packets per Second.

Page 11: DDoS Attacks and What to Do About Them

Types of Attacks – for the techies

• Application Layer Attacks

– Includes Slowloris, Zero-day DDoS attacks, DDoS attacks that target Apache, Windows or OpenBSD vulnerabilities and more.

– Comprised of seemingly legitimate and innocent requests, the goal of these attacks is to crash the web server.

– Magnitude is measured in Requests per Second.

• A DDoS attacker can change attack profiles on the fly to thwart mitigation efforts.

Page 12: DDoS Attacks and What to Do About Them

DDoS Attack Growth

• Q4 2012 Compared to Q3 2012

– 27.5% increase in total number of attacks

– 17% increase in number of attacks on the network infrastructure

– 72% increase in number of attacks on web sites/applications

– 67% increase in average attack duration to 32.2 hours from 19.2 hours

– 20% increase in average attack bandwidth from 4.9 to 5.9 Gbps

– China retains its position as the top source country for DDoS attacks

Source: Prolexic

Page 13: DDoS Attacks and What to Do About Them

POLL QUESTION

How likely will your company become a victim of a DDoS attack within the next 12 months?

Page 14: DDoS Attacks and What to Do About Them

What’s at stake?

DDoS Attack Costs

Damage to Your Brand

• If your site is down, account holders will question if you provide a safe place to bank.

• Ruins years of work building your brand.

Loss of Revenue

• If your website is down, you lose revenue.

• No online banking, bill pay, forms or applications, account opening, etc.

Bad Member/Customer Experience

• Call centers get overwhelmed.

• Account holder frustration skyrockets.

• People seek alternatives.

DDoS Attack Mitigation

• You want to be covered but you have limited staff and budget.

• DDoS attack mitigation is inexpensive compared to the other costs.

A DDoS attack can cost a victim organization as much as $10,000 to $50,000 per hour in lost revenue.

Page 15: DDoS Attacks and What to Do About Them

And one more…

• DDoS attacks are more frequently being used to hide security breaches and data theft.

– Attention focuses on the attack.

– Log files get massive, too difficult to analyze quickly.

– Servers and routers rebooted, often destroying forensic evidence.

– Attacks end long before any intrusion is identified.

Page 16: DDoS Attacks and What to Do About Them

Alarming Figures

• Currently up to 130,000 DDoS attacks PER DAY!

• Recent attacks have grown as large as 100-300 Gbps (Gigabits per second)

– Small and mid-size banks and credit unions size their bandwidth to handle their average web traffic – NOWHERE CLOSE TO THE SIZE OF THESE DDoS ATTACKS

– The 300 Gbps attack on Spamhaus (March 27th) slowed internet traffic WORLDWIDE.

– GOOD NEWS: 90% of DDoS attacks are smaller than 1 Gbps

Page 17: DDoS Attacks and What to Do About Them

The Latest Bank and CU Attacks

• Large banks and credit unions have recently been victims of large scale DDoS attacks

– Who did it?

• “Cyber Fighters of Izz ad-din Al Qassam” – most likely Iran

– And Why?

• Retaliation for an anti-Muslim video

– That’s less important than the fact it could be done. These attacks were successful.

• Web sites were down for days or hours. Brand reputations suffered. Revenue was lost.

Page 18: DDoS Attacks and What to Do About Them

These Attacks will Continue

“A new class of damaging DDoS attacks and devious criminal social-engineering ploys were launched against U.S. banks in the second half of 2012, and this will continue in 2013 as well… Organizations that have a critical Web presence and cannot afford relatively lengthy disruptions in online service should employ a layered approach that combines multiple DoS defenses”

- Avivah Litan, Vice President, Gartner

Page 19: DDoS Attacks and What to Do About Them

What Else was Learned?

• Firewalls and Intrusion Detection Systems are ineffective at DDoS Protection.

– They provided limited protection up to a point – but quickly got overwhelmed by the amount of malicious HTTP traffic.

– When enormous amounts of DNS traffic were received, these systems crashed and were taken offline completely.

• Even those institutions with dedicated DDoS mitigation appliances lacked the trained staff to use them effectively.

Page 20: DDoS Attacks and What to Do About Them

So, You’re Not a Large Bank or CU…

• Smaller financial institutions are MORE vulnerable.

– You don’t have the budgets to spend on in-house DDoS protection (hardware, software, and human experience) that you may not need.

– Even small attacks (the 90% below 1 Gbps) can currently cripple your online operations.

– How much internet bandwidth do you have? How much can you afford? It doesn’t matter, the DDoS attackers have more.

Page 21: DDoS Attacks and What to Do About Them

What Can You Do About DDoS Attacks?

Traditional In-House

• Costs of hardware and additional bandwidth

• Only works for certain types of small scale attacks

• Not deployed specifically for DDoS protection

DDoS Appliance

• High upfront cost

• How many locations need appliances? Is it even feasible?

• Needs extensive support and expertise

ISP/Web Host

• Rely on traditional firewalls and intrusion detection systems

• Protection for limited attack types

• Larger attacks will be blackholed, making your site unavailable

Content Distribution Network

• Not designed for DDoS

• DDoS attacks can bypass cache & send requests to origin servers

• Limited bandwidth

Cloud-Based Service

• Reduced costs – no capital expenditure

• Multi-layered mitigation solutions and dedicated DDoS expertise

• Real-time mitigation monitoring and post-event reporting

Page 22: DDoS Attacks and What to Do About Them

Things to Look for in a DDoS Solution

• Experience and Expertise

• Scrubbing Capacity (Bandwidth)

• Attack / Mitigation Diversity

• Technologies Deployed

• Time to Mitigate / Service Level Agreements

• Cost

– Monthly Service

– Per Incident Fee

– Attack Size / Clean Traffic Bandwidth

– Number of Domains/Resources

– SSL Protection (Layer 7)

• POTENTIAL OVERAGE CHARGES

Page 23: DDoS Attacks and What to Do About Them

Cloud-Based DDoS Mitigation Options

• Option 1: Always-On

– Your web traffic is continuously monitored for potential DDoS attacks

– Mitigation can begin as soon as a potential attack is identified

– NO DOWNTIME

– Dedicated server/router required – may not be available with shared web hosting

– Expensive

• Option 2: On-Demand

– Your web traffic is diverted to the DDoS provider when you are under attack

– Mitigation begins within minutes of traffic diversion (DNS change)

– Typically 5-15 minutes downtime (depends on attack complexity)

– Available for any web site or web application

– Economical

Page 24: DDoS Attacks and What to Do About Them

Cloud-Based DDoS Mitigation Options

• Option 3: Emergency Mitigation

– Your web traffic is diverted at the time of attack

– Mitigation begins within minutes of traffic diversion (DNS change)

– Downtime depends on vendor provisioning and attack complexity (4 hours estimated)

– Available for any web site or web application

– Emergency setup fees may apply

– Ranges from Expensive to Very Expensive

Page 25: DDoS Attacks and What to Do About Them

POLL QUESTION

Which of these options seem to be the best fit for you?

Page 26: DDoS Attacks and What to Do About Them

One Thing You Should Do NOW

• Reduce the TTL on Your DNS A Records

– Let me explain…

– During a DDoS attack, you will need to redirect your web site traffic to your DDoS provider.

– This is done by changing the IP address that your domain name points to.

– This is a Domain Name System (DNS) change to an “A” record which provides servers around the world with the IP address of your domain.

– These IP addresses are cached by servers worldwide for a period of time known as the Time to Live (TTL).

– You can control this TTL value. It is listed in seconds.

Page 27: DDoS Attacks and What to Do About Them

One Thing You Should Do NOW (cont.)

• Reduce the TTL on Your DNS A Records

– A long TTL will enable DNS servers to cache your IP Address for several hours/days and reduce the number of requests made to your primary DNS host. However, these servers will continue to direct traffic to that cached IP address until the TTL expires.

• Example: A TTL of 259200 = 3 Days

– A short TTL will increase the load on your DNS host – BUT will enable you to redirect all web site requests to a new IP address within a few minutes (to your DDoS provider or back to normal, for example).

• Example: A TTL of 300 = 5 Minutes

Page 28: DDoS Attacks and What to Do About Them

Who Manages Your DNS?

The Possibilities:

– You do

– Your ISP or web host (LKCS)

– Your core processor or home banking provider

– Your domain name registrar

– Your computer consultant (or prior consultant)

What You Need to Do:

1. Find Out Who Manages Your DNS

2. Ask if there is a minimum TTL value

3. Ask if the TTL value will revert to a default value on its own

4. Check the TTL value on the A record(s)

5. Change them if necessary (LKCS recommends a value of 300-600)

6. Change DNS providers if necessary (NOT EXPENSIVE)

LKCS CAN HELP!
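Steps 4 and 5 of the checklist above (check the A-record TTLs, reduce any that exceed the recommended 300-600 seconds) can be scripted against an export of your zone. The following is an added example written for this page, not LKCS code or any DNS provider's tool; it parses a constructed BIND-style zone excerpt for a hypothetical domain, applies the `$TTL` default where a record omits its own TTL, and reports the worst-case cutover window (resolvers can keep serving the old IP for a full TTL after you repoint the record to a DDoS provider).

```python
import re

RECOMMENDED_MAX_TTL = 600  # seconds; the deck recommends 300-600

# Constructed BIND-style zone excerpt for a hypothetical domain (not from the deck).
SAMPLE_ZONE = """\
$TTL 259200
example-bank.test.        IN  A   198.51.100.10
www.example-bank.test.    3600  IN  A   198.51.100.10
online.example-bank.test. 300   IN  A   198.51.100.20
mail.example-bank.test.   IN  MX  10 mx.example-bank.test.
"""

# name, optional TTL, optional class, "A", IPv4 address
A_RECORD = re.compile(r"^(\S+)\s+(?:(\d+)\s+)?(?:IN\s+)?A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_a_records(zone_text):
    """Return [(name, ttl_seconds, ip)] for every A record, using $TTL when a record omits its TTL."""
    default_ttl = None
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        m = A_RECORD.match(line)
        if not m:
            continue  # MX, NS, etc. do not affect where web traffic is sent
        name, ttl, ip = m.groups()
        ttl = int(ttl) if ttl else default_ttl
        if ttl is None:
            raise ValueError(f"{name}: record has no TTL and no $TTL default was set")
        records.append((name, ttl, ip))
    return records


def audit_ttls(zone_text, max_ttl=RECOMMENDED_MAX_TTL):
    """Flag A records whose TTL would keep resolvers on the old IP longer than max_ttl after a cutover."""
    return [
        {"name": name, "ip": ip, "ttl": ttl,
         "worst_case_cutover_min": ttl / 60,  # cached answers persist until the TTL expires
         "too_long": ttl > max_ttl}
        for name, ttl, ip in parse_a_records(zone_text)
    ]


if __name__ == "__main__":
    for f in audit_ttls(SAMPLE_ZONE):
        status = "REDUCE" if f["too_long"] else "ok"
        print(f"{f['name']:<28} TTL={f['ttl']:>7}s  cutover <= {f['worst_case_cutover_min']:>7.1f} min  {status}")
```

Run it against your own zone export; any record flagged REDUCE is one that would leave part of your audience stuck on the attacked IP for hours after the DNS change in Option 2 or Option 3 above.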

Page 29: DDoS Attacks and What to Do About Them

POLL QUESTION

Has your financial institution budgeted for DDoS protection or

mitigation expenses?

Page 30: DDoS Attacks and What to Do About Them

What does DDoS Mitigation cost?

• It’s the wild, wild west out there…

• Pricing can vary widely – but so can both the quality and level of DDoS mitigation service

• We’ve spoken to dozens of DDoS providers. Here are very rough costs that we’ve seen FROM OTHER PROVIDERS:

– Always-On Protection: starting at $2,000 per month

– On-Demand Protection: starting at $700 per month (relatively low bandwidth) but could be up to $6,000 per attack mitigation

– Emergency Mitigation: starting at $10,000 AND UP

Page 31: DDoS Attacks and What to Do About Them

DDoS Mitigation from LKCS

• LKCS is partnering with a major DDoS mitigation provider.

• We are designing our solution to include:

• On-Demand Solution with Always-On and Emergency Mitigation Options

• Unlimited attack size (no overage costs)

• Service Level Agreement guarantees for fast response

• Multiple DDoS mitigation technologies protecting all TCP web services (web sites, e-mail, home banking, etc.)

• Layer 7 SSL mitigation available

Page 32: DDoS Attacks and What to Do About Them

DDoS Mitigation from LKCS (cont.)

• Pricing to be based on clean traffic bandwidth (the internet traffic that you are already getting)

• Low monthly cost with per mitigation fee (don’t pay for what you don’t need)

• Real-time and post-mitigation reporting

• Premium DNS hosting

Page 33: DDoS Attacks and What to Do About Them

Interested?

• Contact me for more details:

Sid Haas, Vice President of Business Development

Direct: [email protected]

THANK YOU for attending today’s webinar!