This document describes a simulated DDoS attack scenario. It introduces Widgets LLC, the victim company, which relies on its website for business. It also introduces Thomas Scriptkid, the attacker, who has a small botnet capable of DDoS attacks. After port scanning reveals open services, various attack vectors are identified, including SYN floods, reflection floods, and application layer attacks. A SYN flood is launched, severely degrading the website's performance. Finally, various mitigation options are discussed, each with deficiencies for fully addressing DDoS attacks.

1. STORM SURGESTORM SURGE
: A DDoS Attack and Defend: A DDoS Attack and Defend
ScenarioScenario
Background photo courtesy of Ben Salter https://creativecommons.org/licenses/by/2.0/legalcode

2. ANDY SHOEMAKER - NimbusDDOS Founder
Contact:
andy@nimbusddos.com
781.591.2575
www.nimbusddos.com
Bio:

Over 15 years of operations experience in massive-scale consumer websites

Past Gigs

TripAdvisor.com - Massive online travel website

Harmonix Music Corp / MTV Games - Video game studio

Cambridge Interactive Development Corp - Online poker and casinos

WorldWinner.com / GSN - Online gaming destination

3. NimbusDDOS Overview

4. Why Perform DDoS Simulations?

Assess environment susceptibility to DDoS
Am I susceptible to DDoS?
What are the DDoS risk areas in my organization?

Evaluate various mitigation solutions prior to purchase
DDoS mitigation vendors are a partner in your infrastructure, so you better like them!

Validate DDoS mitigation hardware and services once installed
Don't wait for the next DDoS to find out whether your mitigation strategy works!

Train IT staff in identification and mitigation of DDoS
Preparedness drills can be invaluable in creating strategies that can be used during a crisis.

Compliance
Vendors and suppliers are increasingly being asked whether they have a DDoS strategy.

5. The Victim: Introducing Widgets LLC
Overview

A major manufacturer of custom Widgets

Mid-sized company with 200 employees and a 3 person IT team

The website is the primary marketing/sales/support channel for the organization
http://widgetsllc.nimbusddos.com/
Technology Stack

Amazon Web Services (AWS) hosted infrastructure

Wordpress CMS

Quad core, 7.5GB RAM, SSD storage (c3.xlarge)

Approximately 500Mbps of network capacity
Security Preparedness

Has defined procedures for software updates to ensure prompt patching of vulnerabilities

Periodic vulnerability scans with Nessus or similar

Was told by an AWS account representative that DDoS will not effect them due to Amazon's size

6. The Victim: Introducing Widgets LLC
(cont.)

7. The Victim: Introducing Widgets LLC (cont.)

8. The Attacker: Introducing Thomas Scriptkid
Overview

Uses DDoS to extort money (via Bitcoin) from companies

Sometimes performs DDoS for hire using “darknet” marketplaces
Botnet Capabilities

A very small botnet of 50 compromised hosts

Capable of 5Gbps of traffic for bandwidth DDoS

Capable of 5 million packets per second SYN floods

Capable of 50,000 requests per second layer7 HTTP
Sense of Scale

BredoLab botnet initiated a DDoS using 220,000 hosts in 2010

In Q1 2015 there were 25 attacks in excess of 100Gbps globally

9. Let's See that Website Again....this time as our attacker

Search likely hits DB

Search tends to use
lots of CPU

Log-in likely hits DB

Log-in tends to use
lots of CPU

Large media is a juicy
target (122K)

10. The facts:

Port scanners allow an attacker to see what services are accessible from the Internet

Multiple applications are freely available, just a mouse click away
https://nmap.org/

Most scanners support a variety of cloaking modes

Scanners are very quick with only a single packet sent/received being necessary to scan a port
- A modest linux server capable of processing 200k packets/sec scanning all ports
Single host: <1 second
Class C (254 hosts): <3 minutes
Class B (65,534 hosts): 12 hours
Class A (16,777,214 hosts): 127 days
- MASSCAN can reportedly scan the entire Internet in under 6 minutes given sufficient
resources https://github.com/robertdavidgraham/masscan
Port Scanners: the primary tool of all attackers

11. Port Scanners: the primary tool of all attackers (cont.)

12. What are our possible attack vectors?

Bandwidth DDoS

UDP flood

ICMP flood

DNS reflection flood

NTP reflection flood

Protocol Attacks

TCP SYN flood targeting HTTP

TCP SYN flood targeting HTTPS

Application/Layer7 Attacks

HTTP/S request flood targeting large objects

SSL renegotiation flood

Log-in request flood to overwhelm the database

Search request flood to overwhelm the database
....All of these options discovered in under 5 minutes

13. SYN Flood : pre-attack performance

14. SYN Flood : attack running

15. SYN Flood : post-attack performance

16. Mitigation Options (and their deficiencies)
Block via firewall

SYN floods are often spoofed from random IPs making them difficult to block

Substantial administrative overhead

Blocking must occur upstream of the bottleneck, which may not be possible
Auto-scale resources in the cloud

May not be possible with older applications, or those with monolithic databases

Now becomes a DDoS on your wallet as you need to pay for the cloud resources
Dedicated on-premise DDoS mitigation hardware

Requires time and resources to setup

Requires in-house DDoS expertise which can be challenging even for large IT teams

Blocking must occur upstream of the bottleneck, which may not be possible
Hide behind a content distribution network (CDN)

Will not protect against layer7 DDoS as these will pass through the CDN to the origin
DDoS “clean pipe” vendor (proxy solutions)

Will not prevent attacks directly targeting the origin
DDoS “clean pipe” vendor (BGP routed solutions)

Only available to organizations that talk BGP

17. ANDY SHOEMAKER - NimbusDDOS Founder
Contact:
andy@nimbusddos.com
781.591.2575
www.nimbusddos.com
THANK YOU!