Description: Cyber Security Tour presentation on DDoS attacks.

Page 1: Cybersecurity breakfast tour 2013 (1)

DDoS mitigation. Infradata Cybersecurity Breakfast Tour 2013. Nicolai van der Smagt – [email protected]

Page 2: Cybersecurity breakfast tour 2013 (1)

DDoS..

“A distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.”

Page 3: Cybersecurity breakfast tour 2013 (1)

..Mitigation

Mitigation: mi · ti · ga · tion. /mɪtɪˈgeɪʃ(ə)n/ noun

the action of reducing the severity, seriousness, or painfulness of something.

Page 4: Cybersecurity breakfast tour 2013 (1)

DDoS attack? It’ll never happen to me

• Ostrich Mentality: ‘When an ostrich is afraid, it will bury its head in the ground, assuming that because it cannot see, it cannot be seen.’

• Historically, this has been the attitude to DDoS as a Service Availability Threat.

• …but this has changed in the past 2-3 years, because of:
  – AWARENESS: Massive mainstream press around Anonymous, ING, other bank attacks
  – RISK: More businesses are reliant on Internet Services for their business continuity.
  – MOTIVATIONS: Wider spread of attack motivations, broader target set.
  – EXPERIENCE: Larger, more frequent, more complex attacks.

Page 5: Cybersecurity breakfast tour 2013 (1)

DDoS attack motivations

Page 6: Cybersecurity breakfast tour 2013 (1)

Recent DDoS events in Europe

• Ideologically motivated DDoS attacks against UK government sites in relation to the extradition of Julian Assange.

• Ideologically motivated DDoS attacks against the largest DNS registrar in the UK, which was authoritative for domains hosting political content critical of the Chinese government.

• Competitive advantage was the motivation for DDoS attacks on a Jersey-based provider of online gambling services, lasting over a week.

• Retaliatory DDoS attack against a software vendor of widely-used customer-service software, after the vendor found and fixed a SQL injection vulnerability in their products. A blackhat had discovered this on his own and was actually in the process of auctioning it off to prospective attackers in an underground criminal forum as a zero-day exploit when the vendor issued the patch.

• Unknown motivations inspired the ING bank attacks (distraction from other criminal activities?).

Page 7: Cybersecurity breakfast tour 2013 (1)

DDoS attack motivations

• Distraction from other criminal activity
  – Phishing for banking credentials with Zeus
  – DDoS to distract and cover up the crime

• DDoS distraction also used to cover up system penetrations followed by data leaks

Page 8: Cybersecurity breakfast tour 2013 (1)

Sophistication Of Tools & Services

Page 9: Cybersecurity breakfast tour 2013 (1)

Example: Gwapo's advertising

Page 10: Cybersecurity breakfast tour 2013 (1)

DDoS is Key to availability risk planning

DDoS is the #1 threat to the availability of services – but it is not part of the risk analysis

Availability Scorecard:
• Site Selection
• Physical Security
• Fire Protection & Detection
• Electrical & Power
• Environment & Weather
• DDoS Attacks?

When measuring the risk to the availability or resiliency of services, where does the risk of DDoS attacks fall on the list?

Page 11: Cybersecurity breakfast tour 2013 (1)

Business impact of DDoS attacks

Source: Ponemon Institute – 2010 State of Web Application Security

Botnets & DDoS attacks cost an average enterprise $6.3M* for a 24-hour outage! (* Source: McAfee – Into the Crossfire – January 2010)

The impact of loss of service availability goes beyond financials:

• Operations: How many IT personnel will be tied up addressing the attack?
• Help Desk: How many more help desk calls will be received, and at what cost per call?
• Recovery: How much manual work will need to be done to re-enter transactions?
• Lost Worker Output: How much employee output will be lost?
• Penalties: How much will have to be paid in service level agreement (SLA) credits or other penalties?
• Lost Business: How much will the ability to attract new customers be affected? What is the full value of those lost customers?
• Brand & Reputation Damage: What is the cost to the company brand and reputation?

[Bar Chart 9: Significance of revenue loss resulting from website downtime for one hour. Categories: Very Significant, Significant, Somewhat Significant, Not Significant, None; values shown: 31%, 43%, 21%, 5%, 0%.]

Page 12: Cybersecurity breakfast tour 2013 (1)

DDoS attack types and targets

[Diagram: attack traffic and good traffic arrive over ISP 1, ISP 2 … ISP n into the DATA CENTER, crossing the backbone, the IPS/firewall and the load balancer.]

Volumetric, state-exhaustion and application-layer attacks can bring down critical data center services:

• Backbone SATURATION – e.g.: volumetric / flooding attack
• Exhaustion of STATE (IPS, firewall, load balancer) – e.g.: layer 4-7 / state / connection attack
• Exhaustion of SERVICE (target applications & services) – e.g.: layer 4-7 application-layer / slow & low attack

Page 13: Cybersecurity breakfast tour 2013 (1)

DDoS attack vectors

• Volumetric Attacks – Usually botnets or traffic from spoofed IPs generating high bps / pps traffic volume
  – UDP based floods from spoofed IP take advantage of the connectionless UDP protocol
  – Take out the infrastructure capacity – routers, switches, servers, links

• Reflection Attacks – Use a legitimate resource to amplify an attack to a destination
  – Send a request to an IP that will yield a big response, spoof the source IP address to that of the actual victim
  – DNS Reflective Amplification is a good example

[Diagram: Attacker sends DNS Request(V) to the DNS Server with the source address spoofed as the Victim. The DNS Server responds to the request from the spoofed source, so DNS Response(V) goes to the Victim. The DNS response is many times larger than the request. Repeated many times.]

[Diagram: botnet formation across the Internet Backbone (UK Broadband, US Corp, US Broadband, JP Corp. Provider). Systems become infected; the controller connects; bots connect to a C&C to create an overlay network (botnet); the botnet master (BM) issues the attack command; the bots attack. “Bye Bye!”]

Page 14: Cybersecurity breakfast tour 2013 (1)

DDoS attack vectors

• TCP state exhaustion – Take advantage of the stateful nature of the TCP protocol
  – SYN, FIN, RST Floods
  – TCP connection attacks
  – Exhaust resources in servers, load balancers or firewalls.

• Application layer attacks
  – Exploit limitations, scale and functionality of specific applications
  – Can be low-and-slow
  – HTTP GET / POST, SIP Invite floods
  – Can be more sophisticated: ApacheKiller, Slowloris, SlowPOST, RUDY, refref, hash collision etc.

[Diagram: Client sends SYN(C) to Server; Server replies SYN(S), ACK(C), then keeps listening and stores data (connection state, etc.). Repeated many times: the system runs out of TCP listener sockets or out of memory for stored state.]

Page 15: Cybersecurity breakfast tour 2013 (1)

DDoS attack vectors

The DDoS weapon of choice for Anonymous activists is LOIC, downloaded more than 639,000 times this year (so far). Average 2115 downloads daily.

Page 16: Cybersecurity breakfast tour 2013 (1)

So, how is DDoS evolving?

• In order to understand the DDoS threat (and how to protect ourselves) we need to know what is going on out there.

• Two data sources being presented here:
  – Arbor Worldwide Infrastructure Security Survey, 2011.
  – Arbor ATLAS Internet Trends data.

• Arbor Worldwide Infrastructure Security Survey, 2011
  – 7th Annual Survey
  – Concerns, observations and experiences of the OpSec community
  – 114 respondents, broad spread of network operators from around the world

• Arbor ATLAS Internet Trends
  – 240+ Arbor customers, 37.8 Tbps of monitored traffic
  – Hourly export of anonymized DDoS and traffic statistics

Looking at the Internet threat landscape

Page 17: Cybersecurity breakfast tour 2013 (1)

• Average attack is 1.56 Mpps, September 2012
• 190% growth from September 2011

Higher pps rates seen in 2011 have continued into 2012.

[Chart: Average Monthly Kpps of Attacks; y-axis 0 to 2500 Kpps; latest value labelled 1556.]

2012 ATLAS initiative: Anonymous worldwide stats

Page 18: Cybersecurity breakfast tour 2013 (1)

• Peak attack in September 2012 is 63.3 Gbps
• 136% rise from September 2011
• Spikes at 75 Gb/sec and 100 Gb/sec so far this year.

Peak Attack Growth trend in Gbps

[Chart: Peak Monthly Gbps of Attacks; y-axis 0 to 120 Gbps; latest value labelled 63.33.]

2012 ATLAS initiative: Anonymous worldwide stats

Page 19: Cybersecurity breakfast tour 2013 (1)

• Average attack is 1.67 Gbps, September 2012
• 72% growth from September 2011
• Average attacks now consistently over 1 Gb/sec

Average Attack Growth trend in Mbps

[Chart: Average Monthly Mbps of Attacks; y-axis 0 to 2500 Mbps; latest value labelled 1670.]

2012 ATLAS initiative: Anonymous worldwide stats

Page 20: Cybersecurity breakfast tour 2013 (1)

DDoS Attacks are evolving

[Chart: Services Targeted by Application Layer DDoS Attacks – HTTP 87%, DNS 67%, SMTP 25%, HTTPS 24%, SIP/VOIP 19%, IRC 11%, Other 7%.]

[Chart: Have You Experienced Multi-vector Application / Volumetric DDoS Attacks – answers Yes, No, Don't Know; values shown 27%, 41%, 32%.]

[Chart: Number of DDoS Attacks per Month – 0: 9%, 1-10: 47%, 10-20: 15%, 20-50: 7%, 50-100: 10%, 100-500: 11%, >500: 1%.]

Page 21: Cybersecurity breakfast tour 2013 (1)

Recent financial attacks (“Operation Ababil”): Multi-vector DDoS on a new level

• Compromised PHP, WordPress & Joomla servers
  – Often US or EU based so geo-blocking is difficult
  – Large bandwidths – powerful attacks

• Multiple concurrent attack vectors
  – GET and POST app layer attacks on HTTP and HTTPS
  – DNS query app layer attack
  – Floods on UDP, TCP SYN floods, ICMP and other IP protocols

• Unique characteristics of the attacks
  – Very high packet per second rates per individual source
  – Large bandwidth attack on multiple companies simultaneously
  – Very focused

• Could be false flag, could be Cyberwar, could be hacktivism

Page 22: Cybersecurity breakfast tour 2013 (1)

DDoS, a growing problem. So, how can we minimize the impact of an attack?

• Monitor the network and services so that you can pro-actively detect changes at all layers (up to layer 7).

• Know who to call.

• Develop an incident handling process and run fire-drills.

• Utilise the security capabilities built into other network and security infrastructure to minimise impact where possible.

• Use a Dedicated OOB Management Network.

Page 23: Cybersecurity breakfast tour 2013 (1)

The failure of existing security devices

CPE-based security devices focus on integrity and confidentiality and not on availability.

[Diagram: DATA CENTER with IPS and Load Balancer; Information Security Triangle.]

Product Family | Triangle | Benefit
Firewalls | Integrity | Enforce network policy to prevent unauthorized access to data
Intrusion Prevention System | Integrity | Block break-in attempts causing data theft

Firewalls and IPS devices do not solve the DDoS problem because they (1) are optimized for other security problems, (2) can’t detect or stop distributed attacks, and (3) can not integrate with in-cloud security solutions.

Because they are stateful and inline, they are part of the DDoS problem and not the solution.

Many DDoS attacks target firewalls and IPS devices directly!

Page 24: Cybersecurity breakfast tour 2013 (1)

Industry solution A: CPE-based protection

• A CPE is placed inline with traffic. Because the device has full visibility of traffic destined for the customer it is in a unique position to quickly detect and mitigate DDoS attacks. The CPE:
  – Detects DDoS attacks immediately
  – Starts blocking without delay
  – Has finite capacity
  – Requires hands-on knowledge to operate

Page 25: Cybersecurity breakfast tour 2013 (1)

Industry solution B: Out-of-path protection

[Diagram: ISP 1, ISP 2 … ISP n and the Local ISP feed the DATA CENTER (Firewall, IPS); a Monitoring system receives flow data from the routers and can divert traffic to the SCRUBBING CENTER.]

• A monitoring device receives L3/L4 traffic information from routers in the network (via Netflow/BGP). DDoS traffic can be diverted to a scrubbing center for “cleaning”. Other traffic continues unaffected.
  – Detects DDoS attacks immediately
  – Works in large and complex networks with lots of traffic and internet links
  – Has finite capacity
  – Requires hands-on knowledge to operate
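As an added example (not code from the deck or from any vendor product it mentions), the Python below shows the kind of flow-based triage an out-of-path monitoring system performs: it aggregates constructed NetFlow-style records per destination and flags the three vectors covered on the earlier slides (volumetric flooding, TCP SYN state exhaustion, DNS reflection). The record layout, the 10-second export window and the thresholds are assumptions for illustration.

```python
"""Flow-based DDoS triage over constructed NetFlow-style records.

Assumed record layout (a simplification, not a real NetFlow export):
(src, dst, proto, sport, dport, packets, bytes, tcp_flags)
"""
from collections import defaultdict

# Constructed sample flows for one 10-second export window.
SAMPLE_FLOWS = [
    # DNS reflection: three open resolvers answer a host that never asked
    ("198.51.100.10", "203.0.113.5", 17, 53, 4321, 10_000, 30_000_000, ""),
    ("198.51.100.11", "203.0.113.5", 17, 53, 4321, 10_300, 31_000_000, ""),
    ("198.51.100.12", "203.0.113.5", 17, 53, 4321, 9_700, 29_000_000, ""),
    # SYN flood: 200 single-packet SYN-only flows from spoofed sources
    *[("192.0.2.%d" % i, "203.0.113.8", 6, 40000 + i, 443, 1, 60, "S")
      for i in range(200)],
    # Normal HTTPS sessions: handshake completed, data exchanged
    ("192.0.2.250", "203.0.113.8", 6, 51000, 443, 40, 24_000, "SPA"),
    ("192.0.2.251", "203.0.113.8", 6, 51001, 443, 35, 21_000, "SPA"),
]

def triage(flows, window_s=10, syn_only_min=100, dns_mbps_min=5.0, flood_mbps_min=50.0):
    """Aggregate flows per destination and return {dst: [vector, ...]}.

    Thresholds are illustrative assumptions; a real deployment derives them
    from a learned per-destination baseline rather than fixed constants.
    """
    per_dst = defaultdict(lambda: {"bytes": 0, "syn_only": 0,
                                   "dns_bytes": 0, "dns_srcs": set()})
    for src, dst, proto, sport, dport, pkts, nbytes, flags in flows:
        agg = per_dst[dst]
        agg["bytes"] += nbytes
        if proto == 6 and flags == "S":        # SYN seen, handshake never completed
            agg["syn_only"] += 1
        if proto == 17 and sport == 53:        # DNS answers: large replies to one host
            agg["dns_bytes"] += nbytes
            agg["dns_srcs"].add(src)
    alerts = {}
    for dst, agg in per_dst.items():
        found = []
        if agg["bytes"] * 8 / window_s / 1e6 >= flood_mbps_min:
            found.append("volumetric")          # link saturation, any protocol
        if agg["syn_only"] >= syn_only_min:
            found.append("syn_flood")           # TCP state exhaustion
        if (agg["dns_bytes"] * 8 / window_s / 1e6 >= dns_mbps_min
                and len(agg["dns_srcs"]) >= 3):
            found.append("dns_reflection")      # many resolvers, one spoofed victim
        if found:
            alerts[dst] = found
    return alerts

if __name__ == "__main__":
    for dst, vectors in triage(SAMPLE_FLOWS).items():
        print(dst, vectors)
```

The reflected host shows up with two vectors at once, which is the multi-vector pattern the Operation Ababil slide describes; a diversion decision would be taken per destination prefix from such an alert.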

Page 26: Cybersecurity breakfast tour 2013 (1)

Industry solution C: Cloud-based protection

• Cloud-based protection works by intercepting attack traffic ‘in-the-cloud’, long before it reaches the network under attack. It provides:
  – Almost infinite capacity (currently 1 Tbps)
  – Upstream blocking so customer networks never see DDoS traffic
  – Effective blocking within minutes of starting mitigation
  – DDoS mitigation “as-a-Service”

Page 27: Cybersecurity breakfast tour 2013 (1)

Arbor Peakflow, Out-of-path protection: Pervasive and cost-effective visibility and security

• Pervasive network visibility and deep insight into services
  – Leverage Netflow technology for broad traffic visibility across service provider networks.

• Comprehensive threat management
  – Granular threat detection, surgical mitigation and reporting of DDoS attacks that threaten business services.

• Managed service enabler
  – A platform which offers the ability to deliver new, profitable, revenue-generating services, i.e. DDoS Protection and traffic analysis

Page 28: Cybersecurity breakfast tour 2013 (1)

Prolexic cloud-based DDoS mitigation

Scrubbing Centers (peering):
• San Jose, CA
• Ashburn, VA
• London, UK
• Frankfurt, DE
• Hong Kong, China
• Tokyo, Sydney (2014)

Carrier reach:
• A minimum of 3 Tier 1 Carriers Per Site
• 500+ peers

Global Reach:
• Staff on four continents
• 800 Gigabits/sec dedicated for attack traffic

[Map legend: Scrubbing Center; Headquarters & SOC; Regional offices; Botnet Concentration]

Page 29: Cybersecurity breakfast tour 2013 (1)