Cyber Security Tour presentation DDoS Attacks.
DDoS mitigation
Infradata Cybersecurity Breakfast Tour 2013
Nicolai van der Smagt – [email protected]
DDoS..
“A distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.”
..Mitigation
Mitigation: mit · i · ga · tion. /mɪtɪˈgeɪʃ(ə)n/ noun
the action of reducing the severity, seriousness, or painfulness of something.
DDoS attack? It’ll never happen to me
• Ostrich Mentality: ‘When an ostrich is afraid, it will bury its head in the ground, assuming that because it cannot see, it cannot be seen.’
• Historically, this has been the attitude to DDoS as a Service Availability Threat.
• …but this has changed in the past 2-3 years, because of:
  – AWARENESS: Massive mainstream press around Anonymous, ING, other bank attacks
  – RISK: More businesses are reliant on Internet Services for their business continuity.
  – MOTIVATIONS: Wider spread of attack motivations, broader target set.
  – EXPERIENCE: Larger, more frequent, more complex attacks.
DDoS attack motivations
Recent DDoS events in Europe
• Ideologically motivated DDoS attacks against UK government sites in relation to the extradition of Julian Assange.
• Ideologically motivated DDoS attacks against the largest DNS registrar in the UK which was authoritative for domains hosting political content critical of the Chinese government
• Competitive advantage was the motivation for DDoS attacks on a Jersey-based provider of online gambling services, lasting over a week
• Retaliatory DDoS attack against a software vendor of widely-used customer-service software, after the vendor found and fixed a SQL injection vulnerability in their products. A blackhat had discovered this on his own and was actually in the process of auctioning it off to prospective attackers in an underground criminal forum as a zero-day exploit when the vendor issued the patch
• Unknown motivations inspired the ING bank attacks (distraction from other criminal activities?)
DDoS attack motivations
• Distraction from other criminal activity
  – Phishing for banking credentials with Zeus
  – DDoS to distract and cover up the crime
• DDoS distraction also used to cover up system penetrations followed by data leaks
Sophistication Of Tools & Services
Example: Gwapo's advertising
DDoS is Key to availability risk planning
DDoS is the #1 threat to the availability of services – but it is not part of the risk analysis
Availability Scorecard
When measuring the risk to the availability or resiliency of services, where does the risk of DDoS attacks fall on the list?
• Site Selection
• Physical Security
• Fire Protection & Detection
• Electrical & Power
• Environment & Weather
• DDoS Attacks?
Business impact of DDoS attacks
Source: Ponemon Institute – 2010 State of Web Application Security
Botnets & DDoS attacks cost an average enterprise $6.3M* for a 24-hour outage!
* Source: McAfee – Into the Crossfire – January 2010
The impact of loss of service availability goes beyond financials:
• Operations – How many IT personnel will be tied up addressing the attack?
• Help Desk – How many more help desk calls will be received, and at what cost per call?
• Recovery – How much manual work will need to be done to re-enter transactions?
• Lost Worker Output – How much employee output will be lost?
• Penalties – How much will have to be paid in service level agreement (SLA) credits or other penalties?
• Lost Business – How much will the ability to attract new customers be affected? What is the full value of those lost customers?
• Brand & Reputation Damage – What is the cost to the company brand and reputation?
[Bar Chart 9: Significance of revenue loss resulting from website downtime for one hour – Very Significant 31%, Significant 43%, Somewhat Significant 21%, Not Significant 5%, None 0%]
Volumetric, state-exhaustion and application-layer attacks can bring down critical data center services
[Diagram: attack traffic and good traffic arrive from ISP 1, ISP 2 … ISP n; backbone SATURATION (e.g. volumetric / flooding attack); exhaustion of STATE at the firewall, IPS and load balancer (e.g. layer 4-7 / state / connection attack); exhaustion of SERVICE at the target applications & services inside the data center (e.g. layer 4-7 application-layer / slow-and-low attack)]
DDoS attack types and targets
• Volumetric Attacks – Usually botnets or traffic from spoofed IPs generating high bps / pps traffic volume
  – UDP based floods from spoofed IP take advantage of the connectionless UDP protocol
  – Take out the infrastructure capacity – routers, switches, servers, links
• Reflection Attacks – Use a legitimate resource to amplify an attack to a destination
  – Send a request to an IP that will yield a big response, spoof the source IP address to that of the actual victim
  – DNS Reflective Amplification is a good example
[Diagram: the attacker sends DNS requests to a DNS server with the source address spoofed to the victim; the DNS server responds to the request from the spoofed source, and the DNS response is many times larger than the request; repeated many times, the responses flood the victim]
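From the victim's side, the tell-tale sign of the reflection pattern in the diagram is DNS responses arriving for queries the host never sent. The following detector, an added example and not part of the presentation, matches inbound DNS responses against recently seen outbound queries by transaction ID and flags hosts that receive unsolicited responses; the packet-summary fields, the internal prefix, the 1-second matching window and the thresholds are assumptions made here, and the sample traffic is constructed.

```python
"""Victim-side detection of DNS reflection/amplification traffic.

Added example (not from the presentation). Works on constructed packet
summaries; the field names and thresholds are assumptions made here.
"""
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_NET = "198.51.100."   # constructed: the hosts we defend


@dataclass(frozen=True)
class Pkt:
    ts: float      # seconds
    src: str
    dst: str
    sport: int
    dport: int
    length: int    # bytes on the wire
    dns_id: int    # DNS transaction ID


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NET)


def detect_reflection(pkts, window=1.0, min_unsolicited=5, min_bytes=1500):
    """Return {victim_ip: report} for hosts receiving DNS responses they never asked for.

    A response is 'solicited' when the victim sent a query with the same
    transaction ID to the same server within `window` seconds before it.
    Anything else is a reflected response: a query was sent on the victim's
    behalf with a spoofed source address.
    """
    queries = defaultdict(list)   # (client, server, dns_id) -> [query timestamps]
    unsolicited = defaultdict(lambda: {"count": 0, "bytes": 0, "reflectors": set()})
    for p in sorted(pkts, key=lambda p: p.ts):
        if p.dport == 53 and is_internal(p.src):            # outbound query
            queries[(p.src, p.dst, p.dns_id)].append(p.ts)
        elif p.sport == 53 and is_internal(p.dst):          # inbound response
            key = (p.dst, p.src, p.dns_id)
            recent = [t for t in queries.get(key, []) if p.ts - window <= t <= p.ts]
            if recent:
                queries[key].remove(recent[-1])             # answered: consume the query
                continue
            r = unsolicited[p.dst]
            r["count"] += 1
            r["bytes"] += p.length
            r["reflectors"].add(p.src)
    reports = {}
    for victim, r in unsolicited.items():
        if r["count"] >= min_unsolicited and r["bytes"] >= min_bytes:
            reports[victim] = {
                "unsolicited_responses": r["count"],
                "bytes": r["bytes"],
                "reflectors": sorted(r["reflectors"]),
                # amplification relative to an assumed ~64-byte query
                "amplification": r["bytes"] / (r["count"] * 64),
            }
    return reports


# Constructed sample traffic: one legitimate lookup plus reflected responses
# from six open resolvers that 198.51.100.20 never queried.
SAMPLE = [
    Pkt(0.00, "198.51.100.10", "192.0.2.53", 40001, 53, 64, 0x1234),    # real query
    Pkt(0.02, "192.0.2.53", "198.51.100.10", 53, 40001, 120, 0x1234),   # its answer
] + [
    Pkt(1.0 + i * 0.01, f"203.0.113.{i % 6 + 1}", "198.51.100.20",
        53, 50000 + i, 3000, 0x9999 + i)
    for i in range(12)
]

if __name__ == "__main__":
    for victim, rep in detect_reflection(SAMPLE).items():
        print(victim, rep)
```

In production the same logic runs on flow or packet-capture data at the border; the amplification figure is what tells you whether rate-limiting UDP/53 responses toward the victim will buy enough headroom or whether upstream help is needed.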
DDoS attack vectors
[Diagram: botnet lifecycle across the Internet backbone, with bots (B) on UK broadband, US broadband, US corp and a JP corp provider: systems become infected; bots connect to a C&C to create an overlay network (botnet); the controller connects; the botnet master (BM) issues the attack command; the bots attack the target (“Bye Bye!”)]
• TCP state exhaustion – Take advantage of the stateful nature of the TCP protocol
  – SYN, FIN, RST Floods
  – TCP connection attacks
  – Exhaust resources in servers, load balancers or firewalls.
• Application layer attacks
  – Exploit limitations, scale and functionality of specific applications
  – Can be low-and-slow
  – HTTP GET / POST, SIP Invite floods
  – Can be more sophisticated: ApacheKiller, Slowloris, SlowPOST, RUDY, refref, hash collision etc..
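Low-and-slow attacks such as Slowloris and slow POST work because a server keeps a connection's state for as long as the client appears to be still sending a request. The guard below, an added example that is not from the presentation, bounds that exposure with three server-side rules: a per-source concurrency cap, a deadline for completing request headers, and a minimum sustained body rate for announced Content-Length bodies. The event model, connection-ID names and thresholds are assumptions, and the timeline in `run_sample` is constructed.

```python
"""Server-side guard against low-and-slow HTTP requests (Slowloris / slow POST style).

Added example, not from the presentation; the event model, field names and
thresholds are assumptions made here.
"""
from dataclasses import dataclass


@dataclass
class Conn:
    src: str
    opened: float
    header_done: bool = False
    body_expected: int = 0      # Content-Length announced by the client
    body_received: int = 0


class SlowRequestGuard:
    """Bounds how long a connection may hold server state without making progress."""

    def __init__(self, header_deadline=10.0, min_body_rate=100.0, max_per_src=20):
        self.header_deadline = header_deadline   # seconds allowed to finish headers
        self.min_body_rate = min_body_rate       # bytes/s a request body must sustain
        self.max_per_src = max_per_src           # concurrent connections per source
        self.conns = {}                          # conn_id -> Conn
        self.dropped = []                        # (ts, conn_id, reason)

    def on_open(self, ts, cid, src):
        if sum(1 for c in self.conns.values() if c.src == src) >= self.max_per_src:
            self.dropped.append((ts, cid, "per-source cap"))
            return False
        self.conns[cid] = Conn(src, ts)
        return True

    def on_data(self, ts, cid, nbytes, header_done=False, content_length=0):
        c = self.conns.get(cid)
        if c is None:
            return
        if header_done:
            c.header_done, c.body_expected = True, content_length
        elif c.header_done:
            c.body_received += nbytes
        # Header bytes before the blank line are deliberately not counted as
        # progress: trickling one header byte at a time is exactly the attack.

    def sweep(self, ts):
        """Periodic check: drop connections holding state without progressing."""
        for cid, c in list(self.conns.items()):
            age = ts - c.opened
            if not c.header_done and age > self.header_deadline:
                reason = "header timeout"
            elif (c.header_done and c.body_received < c.body_expected
                  and age > 0 and c.body_received / age < self.min_body_rate):
                reason = "slow body"
            else:
                continue
            self.dropped.append((ts, cid, reason))
            del self.conns[cid]


def run_sample():
    """Constructed timeline: one source trickling a header byte every 5 s over
    25 connections, beside a normal GET and a normal (partly uploaded) POST."""
    g = SlowRequestGuard()
    for i in range(25):
        g.on_open(0.0, f"atk-{i}", "203.0.113.66")      # only 20 are admitted
    g.on_open(0.0, "legit-get", "198.51.100.10")
    g.on_data(0.1, "legit-get", 300, header_done=True)
    g.on_open(0.0, "legit-post", "198.51.100.11")
    g.on_data(0.2, "legit-post", 400, header_done=True, content_length=5000)
    g.on_data(1.0, "legit-post", 2500)                 # 2500 B in ~12 s is fine
    for t in (5.0, 10.0):
        for i in range(20):
            g.on_data(t, f"atk-{i}", 1)                 # one header byte, never a blank line
    g.sweep(12.0)
    reasons = {}
    for _, _, r in g.dropped:
        reasons[r] = reasons.get(r, 0) + 1
    return {"dropped": reasons, "active": sorted(g.conns)}


if __name__ == "__main__":
    print(run_sample())
```

The same three knobs exist in most web servers and reverse proxies under different names (request header timeout, minimum request rate, per-IP connection limit); the point of the model is that each one removes a resource the attacker was relying on the server to hold open for free.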
[Diagram: the client sends SYN(C); the server replies SYN(S), ACK(C), stores data (connection state, etc.) and listens for the final ACK; repeated many times, the system runs out of TCP listener sockets or out of memory for stored state]
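The diagram shows the asymmetry a SYN flood exploits: the server commits memory per half-open connection while the sender, using spoofed sources, commits nothing. The simulation below, an added example that is not from the presentation, contrasts a classic backlog listener with a SYN-cookie listener that encodes its state in the initial sequence number and so has nothing to exhaust. The listener model, the backlog size and the HMAC-based cookie are simplifications assumed here (real SYN cookies also pack the MSS into the ISN and use a specific bit layout); the flood addresses are constructed.

```python
"""Stateful half-open tracking versus SYN cookies under a SYN flood.

Added example (not from the presentation). The listener model, table size and
the HMAC-based cookie are simplifications assumed here.
"""
import hashlib
import hmac
import os

MASK32 = 0xFFFFFFFF


class StatefulListener:
    """Classic backlog: every SYN allocates an entry until the handshake completes."""

    def __init__(self, backlog=128, syn_timeout=30.0):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.half_open = {}       # (src_ip, src_port) -> (isn, time SYN was seen)
        self.established = set()

    def on_syn(self, src, now):
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return None           # SYN dropped: no room for more state
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[src] = (isn, now)
        return isn

    def on_ack(self, src, ack, now):
        entry = self.half_open.pop(src, None)
        if entry is not None and ack == ((entry[0] + 1) & MASK32):
            self.established.add(src)
            return True
        return False

    def _expire(self, now):
        for k, (_, seen) in list(self.half_open.items()):
            if now - seen > self.syn_timeout:
                del self.half_open[k]


class SynCookieListener:
    """Stateless: the ISN is an HMAC over the client address/port and a coarse
    time slot, so the final ACK can be validated without any stored state."""

    def __init__(self, secret=None, slot_seconds=64):
        self.secret = secret or os.urandom(16)
        self.slot_seconds = slot_seconds
        self.established = set()

    def _cookie(self, src, slot):
        msg = f"{src[0]}:{src[1]}:{slot}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src, now):
        return self._cookie(src, int(now // self.slot_seconds))   # nothing stored

    def on_ack(self, src, ack, now):
        slot = int(now // self.slot_seconds)
        for s in (slot, slot - 1):                                  # tolerate a slot boundary
            if ack == ((self._cookie(src, s) + 1) & MASK32):
                self.established.add(src)
                return True
        return False


def flood_then_connect(listener, attack_syns=10_000):
    """Spoofed SYNs that never complete, then one real client's full handshake.
    Returns True if the real client got connected."""
    now = 1_000.0
    for i in range(attack_syns):                                    # constructed spoofed sources
        src = (f"10.0.{(i >> 8) & 255}.{i & 255}", 40000 + (i % 20000))
        listener.on_syn(src, now)
    client = ("198.51.100.7", 51515)
    isn = listener.on_syn(client, now + 0.1)
    if isn is None:
        return False
    return listener.on_ack(client, (isn + 1) & MASK32, now + 0.2)


if __name__ == "__main__":
    print("stateful backlog survives flood:", flood_then_connect(StatefulListener()))
    print("SYN cookies survive flood:     ", flood_then_connect(SynCookieListener()))
```

Operationally this is why SYN cookies (or an equivalent in the load balancer) belong in the baseline configuration: they turn a per-connection memory cost into a per-packet hash computation, which is the only currency the defender can afford to spend against spoofed traffic.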
DDoS attack vectors
The DDoS weapon of choice for Anonymous activists is LOIC, downloaded more than 639,000 times this year (so far). Average 2115 downloads daily.
So, how is DDoS evolving?
• In order to understand the DDoS threat (and how to protect ourselves) we need to know what is going on out there.
• Two data sources being presented here:
  – Arbor Worldwide Infrastructure Security Survey, 2011.
  – Arbor ATLAS Internet Trends data.
• Arbor Worldwide Infrastructure Security Survey, 2011
  – 7th Annual Survey
  – Concerns, observations and experiences of the OpSec community
  – 114 respondents, broad spread of network operators from around the world
• Arbor ATLAS Internet Trends
  – 240+ Arbor customers, 37.8Tbps of monitored traffic
  – Hourly export of anonymized DDoS and traffic statistics
Looking at the Internet threat landscape
Higher pps rates seen in 2011 have continued into 2012
• Average attack is 1.56Mpps, September 2012
• 190% growth from September 2011
[Chart: Average Monthly Kpps of Attacks, y-axis 0 to 2500 Kpps; latest value 1556]
2012 ATLAS initiative: Anonymous worldwide stats
Peak Attack Growth trend in Gbps
• Peak attack in September 2012 is 63.3Gbps
• 136% rise from September 2011
• Spikes at 75Gb/sec and 100Gb/sec so far this year.
[Chart: Peak Monthly Gbps of Attacks, y-axis 0 to 120 Gbps; latest value 63.33]
2012 ATLAS initiative: Anonymous worldwide stats
Average Attack Growth trend in Mbps
• Average attack is 1.67Gbps, September 2012
• 72% growth from September 2011
• Average attacks now consistently over 1Gb/sec
[Chart: Average Monthly Mbps of Attacks, y-axis 0 to 2500 Mbps; latest value 1670]
2012 ATLAS initiative: Anonymous worldwide stats
DDoS Attacks are evolving
[Chart: Services Targeted by Application Layer DDoS Attacks – HTTP 87%, DNS 67%, SMTP 25%, HTTPS 24%, SIP/VOIP 19%, IRC 11%, Other 7%]
[Chart: Have You Experienced Multi-vector Application / Volumetric DDoS Attacks – Yes / No / Don't Know; values shown 27%, 41%, 32%]
[Chart: Number of DDoS Attacks per Month – buckets 0, 1-10, 10-20, 20-50, 50-100, 100-500, >500; values in that order 9%, 47%, 15%, 7%, 10%, 11%, 1%]
Recent financial attacks (“Operation Ababil”): Multi-vector DDoS on a new level
• Compromised PHP, WordPress, & Joomla servers
  – Often US or EU based so geo-blocking is difficult
  – Large bandwidths – powerful attacks
• Multiple concurrent attack vectors
  – GET and POST app layer attacks on HTTP and HTTPS
  – DNS query app layer attack
  – Floods on UDP, TCP SYN floods, ICMP and other IP protocols
• Unique characteristics of the attacks
  – Very high packet per second rates per individual source
  – Large bandwidth attack on multiple companies simultaneously
  – Very focused
• could be false flag
• could be Cyberwar
• could be hacktivism
DDoS, a growing problem
So, how can we minimize the impact of an attack?
• Monitor the network and services so that you can pro-actively detect changes at all layers (up to layer 7).
• Know who to call.
• Develop an incident handling process and run fire-drills
• Utilise the security capabilities built into other network and security infrastructure to minimise impact where possible
• Use a Dedicated OOB Management Network
The failure of existing security devices
CPE-based security devices focus on integrity and confidentiality and not on availability
[Diagram: data center with IPS and load balancer]
Information Security Triangle
Product Family              | Triangle  | Benefit
Firewalls                   | Integrity | Enforce network policy to prevent unauthorized access to data
Intrusion Prevention System | Integrity | Block break-in attempts causing data theft
Firewalls and IPS devices do not solve the DDoS problem because they (1) are optimized for other security problems, (2) can’t detect or stop distributed attacks, and (3) can not integrate with in-cloud security solutions.
Because they are stateful and inline, they are part of the DDoS problem and not the solution.
Many DDoS attacks target firewalls and IPS devices directly!
Industry solution A: CPE-based protection
• A CPE is placed inline with traffic. Because the device has full visibility of traffic destined for the customer it is in a unique position to quickly detect and mitigate DDoS attacks. The CPE:
  – Detects DDoS attacks immediately
  – Starts blocking without delay
  – Has finite capacity
  – Requires hands-on knowledge to operate
Industry solution B: Out-of-path protection
[Diagram: ISP 1, ISP 2 … ISP n and a local ISP feed the data center (firewall, IPS); a monitoring system and a scrubbing center sit out of the traffic path]
• A monitoring device receives L3/L4 traffic information from routers in the network (via Netflow/BGP). DDoS traffic can be diverted to a scrubbing center for “cleaning”. Other traffic continues unaffected.
  – Detects DDoS attacks immediately
  – Works in large and complex networks with lots of traffic and internet links
  – Has finite capacity
  – Requires hands-on knowledge to operate
Industry solution C: Cloud-based protection
• Cloud-based protection works by intercepting attack traffic ‘in-the-cloud’, long before it reaches the network under attack. It provides:
  – Almost infinite capacity (currently 1 Tbps)
  – Upstream blocking so customer networks never see DDoS traffic
  – Effective blocking within minutes of starting mitigation
  – DDoS mitigation “as-a-Service”
Arbor Peakflow, Out-of-path protection
Pervasive and cost-effective visibility and security
• Pervasive network visibility and deep insight into services
  – Leverage Netflow technology for broad traffic visibility across service provider networks.
• Comprehensive threat management
  – Granular threat detection, surgical mitigation and reporting of DDoS attacks that threaten business services.
• Managed service enabler
  – A platform which offers the ability to deliver new, profitable, revenue-generating services, i.e. DDoS Protection and traffic analysis
Prolexic cloud-based DDoS mitigation
Scrubbing Centers (peering):
• San Jose, CA
• Ashburn, VA
• London, UK
• Frankfurt, DE
• Hong Kong, China
• Tokyo, Sydney (2014)
Carrier reach:
• A minimum of 3 Tier 1 Carriers Per Site
• 500+ peers
Global Reach:
• Staff on four continents
• 800 Gigabits/sec dedicated for attack traffic
[Map legend: Scrubbing Center; Headquarters & SOC; Regional offices; Botnet Concentration]