DDoS Attacks : Understanding the Threat

Page 1: DDoS attacks: Understanding the Threat

Page 2: DDoS attack? It’ll Never Happen to Me

• Ostrich Mentality: ‘When an ostrich is afraid, it will bury its head in the ground, assuming that because it cannot see, it cannot be seen.’

• Historically, this has been the attitude to DDoS as a service availability threat.

• …but this has changed in the past 2-3 years, because of:
– AWARENESS: massive mainstream press around Anonymous, LulzSec, Sony, etc.
– RISK: more businesses are reliant on Internet services for their business continuity.
– MOTIVATIONS: wider spread of attack motivations, broader target set.
– EXPERIENCE: larger, more frequent, more complex attacks.

Page 3: DDoS Attack Motivations

Page 4: Recent DDoS Events In EMEA

• Ideologically-motivated DDoS attacks against UK government sites in relation to the extradition of Julian Assange.

• Ideologically-motivated DDoS attacks against a British governmental agricultural research organization, in conjunction with a physical demonstration protesting the introduction of genetically-modified crops.

• Ideologically-motivated DDoS attacks against the largest DNS registrar in the UK, which was authoritative for domains hosting political content critical of the Chinese government.

• A retaliatory DDoS attack against a vendor of widely-used customer-service software, after the vendor found and fixed a SQL injection vulnerability in its products. A blackhat had discovered the same vulnerability on his own and was in the process of auctioning it off to prospective attackers in an underground criminal forum as a zero-day exploit when the vendor issued the patch.

Page 5: DDoS Attack Motivations

• Distraction from other criminal activity
– Phishing for banking credentials with Zeus
– DDoS to distract and cover up the crime

• DDoS distraction also used to cover up system penetrations followed by data leaks

Page 6: Sophistication Of Tools & Services

Page 7: Example: Gwapo's Advertising

Page 8: DDoS is Key to Availability Risk Planning

DDoS is the #1 threat to the availability of services – but it is not part of the risk analysis.

Availability Scorecard:
Site Selection
Physical Security
Fire Protection & Detection
Electrical & Power
Environment & Weather
DDoS Attacks?

When measuring the risk to the availability or resiliency of services, where does the risk of DDoS attacks fall on the list?

Page 9: Business Impact of DDoS Attacks

Source: Ponemon Institute – 2010 State of Web Application Security

Botnets & DDoS attacks cost an average enterprise $6.3M* for a 24-hour outage!
* Source: McAfee – Into the Crossfire – January 2010

The impact of loss of service availability goes beyond financials:

Operations: How many IT personnel will be tied up addressing the attack?
Help Desk: How many more help desk calls will be received, and at what cost per call?
Recovery: How much manual work will need to be done to re-enter transactions?
Lost Worker Output: How much employee output will be lost?
Penalties: How much will have to be paid in service level agreement (SLA) credits or other penalties?
Lost Business: How much will the ability to attract new customers be affected? What is the full value of those lost customers?
Brand & Reputation Damage: What is the cost to the company brand and reputation?

Bar Chart 9: Significance of revenue loss resulting from website downtime for one hour – Very Significant 31%, Significant 43%, Somewhat Significant 21%, Not Significant 5%, None 0%.

So, what do we need to know to protect our services?

Page 10: (D)DoS Primer

What is a Denial of Service attack?

- An attempt to consume finite resources, exploit weaknesses in software design or implementation, or exploit lack of infrastructure capacity
- Affects the availability and utility of computing and network resources
- Attacks can be Distributed for even more significant effect
- The collateral damage caused by an attack can be as bad, if not worse, than the attack itself

Diagram: Attack Traffic and Good Traffic flowing into the DATA CENTER, with labels for Volumetric DDoS Impact, State-Exhaustion DDoS Impact (EXHAUSTION OF STATE at the Load Balancer) and Application-Layer DDoS Impact.

Page 11: DDoS Attack Vectors

• Volumetric Attacks – Usually botnets or traffic from spoofed IPs generating high bps / pps traffic volume
– UDP-based floods from spoofed IPs take advantage of the connectionless UDP protocol
– Take out the infrastructure capacity – routers, switches, servers, links

• Reflection Attacks
– Use a legitimate resource to amplify an attack to a destination
– Send a request to an IP that will yield a big response, with the source IP address spoofed to that of the actual victim
– DNS Reflective Amplification is a good example

Diagram (DNS reflection): the Attacker sends a DNS Request carrying the Victim's address to a DNS Server; the DNS Server responds to the request from the spoofed source, and the DNS Response is many times larger than the request; repeated many times, the Victim receives the responses.

Diagram (botnet, across Internet Backbone, UK Broadband, US Corp, US Broadband and JP Corp. Provider networks): systems become infected; the controller connects; bots connect to a C&C to create an overlay network (botnet); the botnet master (BM) issues the attack command; the bots attack ("Bye Bye!").

Page 12: DDoS Attack Vectors

• TCP state exhaustion
– Take advantage of the stateful nature of the TCP protocol
– SYN, FIN, RST floods
– TCP connection attacks
– Exhaust resources in servers, load balancers or firewalls

• Application layer attacks
– Exploit limitations, scale and functionality of specific applications
– Can be low-and-slow
– HTTP GET / POST, SIP INVITE floods
– Can be more sophisticated: ApacheKiller, Slowloris, SlowPOST, RUDY, refref, hash collision, etc.

Diagram (SYN flood): the Client sends SYN(C); the Server answers SYN(S), ACK(C) and, while listening, stores data (connection state, etc.); repeated many times, the system runs out of TCP listener sockets or out of memory for stored state.
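Detection logic for the two vectors described above (DNS reflection amplification on page 11 and TCP state exhaustion on page 12), written here as an added example rather than code from the deck or from Arbor's products. It runs over constructed flow records in a whitespace-separated format assumed for the example; the thresholds are illustrative and would be tuned against a real baseline.

```python
from collections import defaultdict

# Constructed flow records for this example (not captured traffic), one per line:
# proto src sport dst dport packets bytes tcp_flags ('-' for UDP)
FLOWS = """\
udp 198.51.100.10 53 203.0.113.5 4431 400 1200000 -
udp 198.51.100.11 53 203.0.113.5 4431 380 1140000 -
udp 203.0.113.5 4431 198.51.100.10 53 2 120 -
udp 203.0.113.6 5001 198.51.100.10 53 3 180 -
udp 198.51.100.10 53 203.0.113.6 5001 3 1500 -
tcp 192.0.2.7 40001 203.0.113.9 443 1 60 S
tcp 192.0.2.7 40002 203.0.113.9 443 1 60 S
tcp 192.0.2.9 40003 203.0.113.9 443 1 60 S
tcp 192.0.2.8 50000 203.0.113.9 443 12 9000 SA""".splitlines()

def parse_flows(lines):
    keys = ("proto", "src", "sport", "dst", "dport", "pkts", "bytes", "flags")
    ints = {"sport", "dport", "pkts", "bytes"}
    return [{k: int(v) if k in ints else v for k, v in zip(keys, line.split())}
            for line in lines]

def reflection_victims(flows, min_ratio=10.0, min_bytes=100_000):
    # Reflection (page 11): a host receiving far more UDP/53 bytes than it sent in
    # its own DNS queries is the spoofed victim of amplified responses.
    in_bytes, out_bytes, reflectors = defaultdict(int), defaultdict(int), defaultdict(set)
    for f in flows:
        if f["proto"] == "udp" and f["sport"] == 53:    # DNS responses arriving at dst
            in_bytes[f["dst"]] += f["bytes"]
            reflectors[f["dst"]].add(f["src"])
        elif f["proto"] == "udp" and f["dport"] == 53:  # queries the host really sent
            out_bytes[f["src"]] += f["bytes"]
    hits = {}
    for host, got in in_bytes.items():
        ratio = got / max(out_bytes[host], 1)
        if got >= min_bytes and ratio >= min_ratio:
            hits[host] = (round(ratio, 1), sorted(reflectors[host]))
    return hits

def syn_flood_targets(flows, min_half_open=3):
    # State exhaustion (page 12): SYN-only flows that never carried an ACK are
    # half-open connections the server is still holding state for.
    half_open, established = defaultdict(int), defaultdict(int)
    for f in [f for f in flows if f["proto"] == "tcp"]:
        key = (f["dst"], f["dport"])
        if f["flags"] == "S":
            half_open[key] += 1
        elif "A" in f["flags"]:
            established[key] += 1
    return {k: (n, established[k]) for k, n in half_open.items() if n >= min_half_open}
```

With the constructed records, 203.0.113.5 is flagged as a reflection victim (about 19500 response bytes per query byte, from two reflectors) and 203.0.113.9:443 is flagged with three half-open connections against one established one.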

Page 13: DDoS Attack Vectors

The DDoS weapon of choice for Anonymous activists is LOIC, downloaded more than 639,000 times this year (so far). Average 2115 downloads daily.

Page 14: So, how is DDoS Evolving? Looking at the Internet Threat Landscape

• In order to understand the DDoS threat (and how to protect ourselves) we need to know what is going on out there.

• Two data sources are presented here:
– Arbor Worldwide Infrastructure Security Survey, 2011.
– Arbor ATLAS Internet Trends data.

• Arbor Worldwide Infrastructure Security Survey, 2011
– 7th annual survey
– Concerns, observations and experiences of the OpSec community
– 114 respondents, a broad spread of network operators from around the world

• Arbor ATLAS Internet Trends
– 240+ Arbor customers, 37.8Tbps of monitored traffic
– Hourly export of anonymized DDoS and traffic statistics

Page 15: 2012 ATLAS Initiative: Anonymous Stats, Worldwide

Average attack is 1.56Mpps, September 2012: 190% growth from September 2011. Higher pps rates seen in 2011 have continued into 2012.

Chart: Average Monthly Kpps of Attacks (y-axis 0 to 2500 Kpps; September 2012 value 1556).

Page 16: 2012 ATLAS Initiative: Anonymous Stats, Worldwide

Peak attack in September 2012 is 63.3Gbps: 136% rise from September 2011. Spikes at 75Gb/sec and 100Gb/sec so far this year.

Chart: Peak Attack Growth trend in Gbps – Peak Monthly Gbps of Attacks (y-axis 0 to 120 Gbps; September 2012 value 63.33).

Page 17: 2012 ATLAS Initiative: Anonymous Stats, Worldwide

Average attack is 1.67Gbps, September 2012: 72% growth from September 2011. Average attacks now consistently over 1Gb/sec.

Chart: Average Attack Growth trend in Mbps – Average Monthly Mbps of Attacks (y-axis 0 to 2000 Mbps; September 2012 value 1670).

Page 18: DDoS Attacks are Evolving

Chart: Services Targeted by Application Layer DDoS Attacks – HTTP 87%, DNS 67%, SMTP 25%, HTTPS 24%, SIP/VoIP 19%, IRC 11%, Other 7%.

Chart: Have You Experienced Multi-vector Application / Volumetric DDoS Attacks – answers Yes, No and Don't Know (values shown: 27%, 41%, 32%).

Chart: Number of DDoS Attacks per Month – 0: 9%, 1-10: 47%, 10-20: 15%, 20-50: 7%, 50-100: 10%, 100-500: 11%, >500: 1%.

Page 19: Recent Financial Attacks: Multi-vector DDoS On A New Level

• Compromised PHP, WordPress, & Joomla servers

• Multiple concurrent attack vectors
– GET and POST app layer attacks on HTTP and HTTPS
– DNS query app layer attack
– Floods on UDP, TCP SYN floods, ICMP and other IP protocols

• Unique characteristics of the attacks
– Very high packet per second rates per individual source
– Large bandwidth attack on multiple companies simultaneously
– Very focused

• Could be false flag
• Could be cyberwar
• Could be hacktivism

Page 20: DDoS, a Growing Problem – So, how can we minimize the impact of an attack?

• Monitor the network and services so that you can proactively detect changes at all layers (up to layer 7).

• Know who to call.

• Develop an incident handling process and run fire drills.

• Utilise the security capabilities built into other network and security infrastructure to minimise impact where possible.

• Use a dedicated OOB (out-of-band) management network.

Page 21: The Solution: IDMS – Intelligent DDoS Mitigation Systems

• Intelligent DDoS Mitigation Systems (IDMS) are specifically designed to detect and mitigate DDoS attacks using more advanced techniques.

• IDMS equipment uses a combination of Deep Packet Inspection (DPI), proxy inspection and heuristic-based techniques to separate malicious traffic from good traffic.
– Counter-measures to deal with the specific DDoS threats.
– Minimal state, so the device does not itself become a target.
– Actionable intelligence / automation.

• Services and solutions utilizing IDMS technologies can protect an organization from the DDoS threat.

Page 22: Getting Protected: Layered DDoS Defense

Diagram: traffic from ISP 1, ISP 2 … ISP n passes the ISP into the DATA CENTER (Firewall, IPS, Load Balancer, Target Applications & Services). Cloud-based DDoS Protection (Peakflow SP/TMS in the SCRUBBING CENTER) and Perimeter-based DDoS Protection at the data center are linked by Cloud Signaling.

Page 23: Stopping Smart Attacks

• Perimeter-based: L4-7 DDoS mitigation must be done at the Data Center

• Specifically configured around protected services

• Always ON: immediate mitigation

Diagram: Perimeter-based DDoS Protection in the DATA CENTER (ISP 1, ISP 2 … ISP n → ISP → Firewall, IPS, Load Balancer → Target Applications & Services).

Page 24: Stopping Brute Force Attacks

• Cloud-based: Volumetric DDoS mitigation must be done upstream, before traffic gets to the Data Center

• Activated “on demand”: only active when an attack is detected or reported

Diagram: Cloud-based DDoS Protection (ISP 1, ISP 2 … ISP n → Peakflow SP/TMS in the SCRUBBING CENTER → Local ISP → DATA CENTER: Firewall, IPS).

Page 25: Threat Ecosystem

The Arbor ecosystem between service providers & enterprises offers comprehensive protection from active threats.

Diagram labels: Enterprise Networks, Service Providers.

Integrated protection for government, business, financial and gaming services.

Page 26: Pravail APS, Network Perimeter Protection

“Out-of-the-box” Protection: immediate protection from threats with more control

Block Complex DDoS Attacks: block complex state-exhausting & app-layer DDoS

Security Feed for New Threats: block dynamic botnet-based DDoS attacks

Cloud Signaling: stop flood DDoS attacks by signaling upstream MSSPs

Easy Install and Deployment: easily installed in front of firewalls

Page 27: Peakflow, Cloud Based Protection – Pervasive and cost-effective visibility and security

• Pervasive Network Visibility & Deep Insight into Services
– Leverage Cisco NetFlow technology for broad traffic visibility across service provider networks.

• Comprehensive Threat Management
– Granular threat detection, surgical mitigation and reporting of DDoS attacks that threaten business services.

• In-Cloud Services Enabler
– A platform which offers the ability to deliver new, profitable, revenue-generating services, i.e. DDoS Protection.

Page 28: Arbor Networks

“The only source of knowledge is experience.” – Albert Einstein

Arbor has 12 years’ experience and some of the world’s leading experts on DDoS, botnet and cyber attacks.

Page 29: Thank You