Akamai Lunch and Learn: Defending California Agencies Against DDoS Attacks
May 3, 2012 | Sacramento, CA
Thank you for your interest in Akamai’s Lunch and Learn! If you have any questions or would like additional information, please feel free to contact me:
John Howard
Akamai Government at Carahsoft
703-871-8537 (Direct) | 888-662-2724 (Toll-Free)
[email protected] www.carahsoft.com/akamai
©2012 Akamai Akamai Confidential
Avoid data theft and downtime by extending the security perimeter outside the data center and protecting against the increasing frequency, scale and sophistication of web attacks.
Akamai — Faster Forward
We remove the complexities of technology so our customers can capture
the opportunity and meet the demands of the hyperconnected world.
Akamai: Quick Facts
• Pioneered Web Content Delivery (MIT)
• $1Billion+ (NASDAQ 100), 11+ years experience
• Content Delivery Network of choice for Public Sector
• 100% Managed Service – “cell phone bill pay structure”
• Delivers 30% of all web traffic
• No hardware or software to deploy – only days to implement
• No application or code changes – just a DNS change to deploy
Accelerating Daily Traffic of:
• 7+ Tbps
• 12+ million hits per second
• 800+ billion deliveries/day
• 30+ petabytes/day
• 10+ million concurrent streams
30% of the world’s Web traffic
Delivering 130,000+ domains
• All 60 top global eCommerce sites
• 9 of the top 10 financial institutions
• All top 30 M&E companies
A global network:
• 105,000+ Servers
• 1100+ Networks
• 900+ Cities
• 84 Countries
Akamai Intelligent Platform™
Akamai Intelligent Platform™
• Cloud: Reduce costs, increase agility & performance
• Media: Reach multiple devices, scale and monetize
• Mobile: Performance & personalization
• Security: Defend without performance impact
Web Security
Kona Site Defender
Kona SiteDefender
• Comprehensive web site and web application defense
  – All Akamai’s security capabilities in one solution
• Content acceleration is not required
  – Ideal for customers who only want security
• Sophisticated attack detection and alerting
  – Based on traffic, errors, application attack rule alerts
• Real time security event visibility and “drill down”
Kona SiteDefender Components
• Included:
  – Kona SiteDefender (non-accelerated)
    • Web Application Firewall
      – Rate Controls
      – Custom Rules
      – RTR
    • DDoS Fee Protection
    • Site Shield
    • Site Failover
    • Access Control
  – Compliance Management
    • ISO Security Standard (27002)
  – NetStorage
  – Log Delivery Service
• Optional:
  – Kona SiteDefender (non-accelerated)
    • HTTPS Module (Secure Delivery)
  – Compliance Management
    • PCI, BITS, FISMA, HIPAA
    • On-Site Audit
  – eDNS
    • DNSSEC Serve
    • DNSSEC Sign & Serve
  – Global Traffic Manager
  – Kona SiteDefender Service Management Package
[Figure: Web Site Without Akamai. Labels: End User, Cloud Datacenter; axis: Traffic (1 to 10000). A second frame of the same diagram adds an X.]
[Figure: Web Site With Akamai. Labels: End User, Cloud, Datacenter; axis: Traffic (1 to 10000).]
Origin offloaded to the Akamai Edge
Web Site with Akamai Site Shield Origin Cloaking
[Figure: labels End User, Cloud, Akamai Site Shield, Trusted Connection, Datacenter; axis: Traffic (1 to 10000).]
Defend and cloak your origin
Web Site with Akamai Web Application Firewall
Filters SQL Injections, Cross Site Scripting, Other HTTP attacks
[Figure: labels End User, Cloud, Akamai Site Shield, Trusted Connection, Datacenter; axis: Traffic (1 to 10000).]
Extend a layer 7 defense perimeter to the Akamai Edge!
Rate Controls Use Case: Blocking IPs Causing Origin Errors
1. Count the number of Forward Responses that return a 5XX error code
2. Block any IP address that exceeds 5 errors per second
[Figure labels: Client Request, Akamai Edge Server, Forward Request, Customer Origin, Response code 5XX, X, Custom Error page]
Automatic Origin Abuse Mitigation!
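The two rate-control steps above, sketched as an added example (this is not Akamai's implementation or configuration syntax). The function name, the event tuple layout, the sliding one-second window and the choice to keep a block in place once set are assumptions; the log events are constructed.

```python
from collections import defaultdict, deque

THRESHOLD = 5      # slide: block an IP that exceeds 5 origin errors...
WINDOW_MS = 1000   # ...per second (modelled here as a sliding window)

def apply_rate_control(events, threshold=THRESHOLD, window_ms=WINDOW_MS):
    """events: time-ordered (timestamp_ms, client_ip, origin_status) tuples,
    where origin_status is what the origin answers if the request is forwarded.
    Returns (actions, blocked): per-request edge decisions and ip -> block time."""
    recent = defaultdict(deque)   # ip -> timestamps of recent 5xx forward responses
    blocked = {}                  # ip -> timestamp at which the block started
    actions = []
    for ts, ip, status in events:
        if ip in blocked:
            # Blocked clients get the custom error page; the origin is not contacted,
            # so these requests can no longer add load or errors at the origin.
            actions.append((ts, ip, "deny"))
            continue
        actions.append((ts, ip, "forward"))
        if 500 <= status <= 599:            # step 1: count 5XX forward responses
            q = recent[ip]
            q.append(ts)
            while ts - q[0] >= window_ms:   # drop errors older than the window
                q.popleft()
            if len(q) > threshold:          # step 2: "exceeds 5" means the 6th error
                blocked[ip] = ts
    return actions, blocked

# Constructed sample traffic (documentation IP ranges, timestamps in ms).
SAMPLE = sorted(
    [(10000 + 100 * i, "198.51.100.7", 503) for i in range(7)]   # 7 errors in 0.6 s
    + [(10000 + 300 * i, "203.0.113.9", 502) for i in range(6)]  # errors, but under the rate
    + [(10000 + 50 * i, "192.0.2.4", 200) for i in range(20)]    # busy, healthy client
)

if __name__ == "__main__":
    actions, blocked = apply_rate_control(SAMPLE)
    print("blocked:", blocked)
    print("denied:", [a for a in actions if a[2] == "deny"])
```

Only the client that produces more than five origin errors inside one second is blocked; the slower error source and the high-volume healthy client keep being forwarded, which is the difference between this control and a plain request-rate limit.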
Site Defender Provides Real Time Visibility
• Timeline of Requests by Hour
• Visual Display of Requests by Geography
• Requests by WAF Message
• Requests by WAF Tag
• Requests by WAF Rule ID
DDoS Attacks Mitigated by Leading Scrubbing Solution
Akamai Handles 100% of These Network Layer Attacks BY DEFAULT!
• Network layer (Layer 3) attacks (~82% total)
  – Protection is built into the Akamai Intelligent Platform and is “always on”
  – UDP Fragments, ICMP Floods, SYN Floods, ACK Floods, RESET Floods, UDP Floods
  – No charge for Network Layer attack traffic as it is dropped at our Edge
  – Most scalable solution (Tbps NOT Gbps)
• DNS layer attacks (~2% total)
  – Handled by Akamai eDNS/DNSSEC solution
• Application layer (Layer 7) attacks (~16% total)
  – Handled by full featured Akamai WAF solution
  – Deployed in-line
  – Protects against SQL Injections, Cross-Site Scripting, etc.
  – Includes Rate Controls and Custom Rules
Putting a web site on the Akamai platform significantly increases its security and resiliency
The Akamai Security Difference
• 11 years experience defending the largest attacks seen on the Internet
• 100+ security trained personnel, 30+ CISSPs
• 11 of the CISSPs are on the Public Sector Team
• Massive scale: 7+Tb/sec; distributed across 1,100 networks
• Defend at one network hop from request - not at your origin
• Security without sacrificing performance
• Natively in path (No rerouting, no added latency, no single point of failure)
• Broadest range of protections in a single platform
• Transport, Application, DDoS, DNS and Data Protection
• PCI & ISO compliant secure delivery platform
The Largest DDoS Ever Recorded
July 4th 2009 US Gov’t Targeted and Protected
Top Targets        Peak Traffic   Times Above Normal Traffic
US Government 1    125 Gbps       598x
US Government 2    32 Gbps        369x
Financial 1        26 Gbps        110x
US Government 3    9 Gbps         39x
US Government 4    9 Gbps         19x
US Government 5    2 Gbps         9x
US Government 6    1.90 Gbps      6x
US Government 7    0.73 Gbps      *
• 125 Gb/sec Peak Bandwidth
• 795,000 page views a second
• 98,000 Unique IPs in 30 minutes
• 300,000 total unique IPs
Few common attackers between spikes. Only 4,284 IPs Shared Across all Spikes.
July 2011
• City targeted by Anonymous for Political Retribution
  – DDoS attacks took down city websites
  – Budget concerns regarding any solution
  – Local governments simply do not need the size of solutions used by global enterprises
• Contacted Akamai
  – Identified 9 target sites
  – Within one day, had 9 sites online with Akamai.
  – Worked with City to create packaging which fits the needs of local government
• Result
  – Attacks were blocked
  – 100% availability
  – Increased performance
DDoS Mitigation Playbook
• Agreed upon Plan of Action
  – Customer, Akamai CCare, and Akamai’s PS team
  – Recommended configuration
  – Updated quarterly
• Clearly Defined Escalation Process
  – Identifies key POC in both a customer’s organization and Akamai: Names, Emails, and Mobile numbers
• Outlines Prepared Mitigation Actions
  – In case of this type of attack, take this specific action
ddosing a federal government site is like throwing rocks at an army tank
Those sites were set up with the possibility of masses flooding them to get information after another disaster like 9/11
By urself with hoic in never gonna happen
IRC Chat During an Attack
Questions? Contact:
John Howard
Akamai Government at Carahsoft
703-871-8537 (Direct) | 888-662-2724 (Toll-Free)
[email protected] www.carahsoft.com/akamai