Cyber Security Tour presentation: DDoS Attacks.

  • 1. DDoS mitigation – Infradata Cybersecurity Breakfast Tour 2013 – Nicolai van der Smagt
  • 2. DDoS.. “A distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.”
  • 3. ..Mitigation. Mitigation: mi · ti · ga · tion. /mɪtɪˈgeɪʃ(ə)n/ noun. The action of reducing the severity, seriousness, or painfulness of something.
  • 4. DDoS attack? It’ll never happen to me
    - Ostrich mentality: ‘When an ostrich is afraid, it will bury its head in the ground, assuming that because it cannot see, it cannot be seen.’
    - Historically, this has been the attitude to DDoS as a service availability threat.
    - …but this has changed in the past 2-3 years, because of:
      - AWARENESS: massive mainstream press around Anonymous, ING and other bank attacks
      - RISK: more businesses are reliant on Internet services for their business continuity.
      - MOTIVATIONS: wider spread of attack motivations, broader target set.
      - EXPERIENCE: larger, more frequent, more complex attacks.
  • 5. DDoS attack motivations
  • 6. Recent DDoS events in Europe
    - Ideologically motivated DDoS attacks against UK government sites in relation to the extradition of Julian Assange.
    - Ideologically motivated DDoS attacks against the largest DNS registrar in the UK, which was authoritative for domains hosting political content critical of the Chinese government.
    - Competitive advantage was the motivation for DDoS attacks on a Jersey-based provider of online gambling services, lasting over a week.
    - Retaliatory DDoS attack against a software vendor of widely-used customer-service software, after the vendor found and fixed a SQL injection vulnerability in their products. A blackhat had discovered this on his own and was actually in the process of auctioning it off to prospective attackers in an underground criminal forum as a zero-day exploit when the vendor issued the patch.
    - Unknown motivations inspired the ING bank attacks (distraction from other criminal activities?)
  • 7. DDoS attack motivations
    - Distraction from other criminal activity
      - Phishing for banking credentials with Zeus
      - DDoS to distract and cover up the crime
      - DDoS distraction also used to cover up system penetrations followed by data leaks
  • 8. Sophistication of tools & services
  • 9. Example: Gwapo's advertising
  • 10. DDoS is key to availability risk planning
    - Availability scorecard: DDoS is the #1 threat to the availability of services – but it is not part of the risk analysis.
    - When measuring the risk to the availability or resiliency of services, where does the risk of DDoS attacks fall on the list? Site selection, physical security, fire protection & detection, electrical & power, environment & weather … DDoS attacks?
  • 11. Business impact of DDoS attacks
    - Bar chart 9: significance of revenue loss resulting from website downtime for one hour (source: Ponemon Institute – 2010 State of Web Application Security): Very significant 43%, Significant 31%, Somewhat significant 21%, Not significant 5%, None 0%.
    - Botnets & DDoS attacks cost an average enterprise $6.3M for a 24-hour outage! (Source: McAfee – Into the Crossfire – January 2010)
    - The impact of loss of service availability goes beyond financials:
      - Operations: how many IT personnel will be tied up addressing the attack?
      - Help desk: how many more help desk calls will be received, and at what cost per call?
      - Recovery: how much manual work will need to be done to re-enter transactions?
      - Lost worker output: how much employee output will be lost?
      - Penalties: how much will have to be paid in service level agreement (SLA) credits or other penalties?
      - Lost business: how much will the ability to attract new customers be affected? What is the full value of those lost customers?
      - Brand & reputation damage: what is the cost to the company brand and reputation?
  • 12. DDoS attack types and targets
    - Volumetric, state-exhaustion and application-layer attacks can bring down critical data center services.
    - Diagram: attack traffic and good traffic arrive from ISP 1, ISP 2 … ISP n over the backbone into the data center, passing the firewall, IPS and load balancer before reaching the target applications & services. Three failure points are marked:
      - Saturation of the backbone links – e.g. volumetric / flooding attack
      - Exhaustion of state in the firewall, IPS and load balancer – e.g. layer 4-7 / state / connection attack
      - Exhaustion of service in the target applications & services – e.g. layer 4-7 application-layer / slow & low attack
  • 13. DDoS attack vectors
    - Volumetric attacks
      - Usually botnets or traffic from spoofed IPs generating high bps / pps traffic volume
      - UDP-based floods from spoofed IPs take advantage of the connectionless UDP protocol
      - Take out the infrastructure capacity – routers, switches, servers, links
    - Reflection attacks
      - Use a legitimate resource to amplify an attack to a destination
      - Send a request to an IP that will yield a big response, spoofing the source IP address to that of the actual victim
      - DNS reflective amplification is a good example
    - Diagram (botnet): systems become infected; bots connect to a C&C to create an overlay network (botnet); the botnet master / controller issues the attack command; bots attack the target across broadband and corporate networks.
    - Diagram (DNS reflection): a DNS request with a spoofed source is repeated many times; the DNS server responds to the request from the spoofed source, so the responses land on the victim; the DNS response is many times larger than the request.
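The asymmetry described on this slide (many resolvers answering a host that never queried them, with responses much larger than a query) is detectable from ordinary flow export. The following is an added example, not code from the original deck or from any vendor named in it. The flow records, the protected prefix and the field names (src, sport, dst, dport, proto, bytes, pkts) are constructed assumptions modelled on a generic NetFlow-style export; the 64-byte query size used for the amplification estimate is also an assumption.

```python
"""Detect DNS reflection/amplification traffic in flow records.

Added example, not part of the original deck or any vendor product. The
flow records and the prefix below are constructed; the field names
(src, sport, dst, dport, proto, bytes, pkts) are an assumption modelled on
a generic NetFlow-style export.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

OUR_PREFIX = ip_network("203.0.113.0/24")   # constructed protected prefix
QUERY_BYTES = 64                             # assumed typical DNS query size

# Constructed sample flows. The first pair is a normal lookup; the rest are
# DNS responses from open resolvers to a host that never asked them anything.
SAMPLE_FLOWS = [
    dict(src="203.0.113.10", sport=40001, dst="198.51.100.5", dport=53, proto="udp", bytes=64, pkts=1),
    dict(src="198.51.100.5", sport=53, dst="203.0.113.10", dport=40001, proto="udp", bytes=120, pkts=1),
    dict(src="192.0.2.7", sport=53, dst="203.0.113.80", dport=1234, proto="udp", bytes=3_200_000, pkts=1000),
    dict(src="192.0.2.8", sport=53, dst="203.0.113.80", dport=1234, proto="udp", bytes=2_900_000, pkts=950),
    dict(src="192.0.2.9", sport=53, dst="203.0.113.80", dport=1234, proto="udp", bytes=2_700_000, pkts=900),
]


def is_ours(ip):
    return ip_address(ip) in OUR_PREFIX


def find_reflected_dns(flows, min_reflectors=2, min_bytes=1_000_000):
    """Return {victim_ip: stats} for hosts receiving unsolicited DNS responses.

    A response is 'unsolicited' when no flow from that host to that resolver's
    port 53 was seen. Reflection shows up as many resolvers answering one host
    with large responses, which is exactly the asymmetry the slide describes.
    """
    # Pass 1: which (our_host, resolver) pairs actually sent a query?
    queried = {(f["src"], f["dst"]) for f in flows
               if f["proto"] == "udp" and is_ours(f["src"]) and f["dport"] == 53}

    # Pass 2: aggregate inbound port-53 traffic that has no matching query.
    inbound = defaultdict(lambda: {"bytes": 0, "pkts": 0, "reflectors": set()})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] != 53 or not is_ours(f["dst"]):
            continue
        if (f["dst"], f["src"]) in queried:
            continue                      # answer to a query we saw: legitimate
        v = inbound[f["dst"]]
        v["bytes"] += f["bytes"]
        v["pkts"] += f["pkts"]
        v["reflectors"].add(f["src"])

    report = {}
    for victim, s in inbound.items():
        if len(s["reflectors"]) < min_reflectors or s["bytes"] < min_bytes:
            continue
        avg = s["bytes"] // s["pkts"]
        report[victim] = {
            "bytes": s["bytes"],
            "pkts": s["pkts"],
            "reflectors": sorted(s["reflectors"]),
            "avg_pkt_bytes": avg,
            # how much larger each response is than the query that triggered it
            "amplification": round(avg / QUERY_BYTES, 1),
        }
    return report


if __name__ == "__main__":
    for victim, stats in find_reflected_dns(SAMPLE_FLOWS).items():
        print(victim, stats)
```

The two-pass structure matters: a single pass would mis-classify a response whose query record happens to be exported later. Because the reflectors are legitimate resolvers, blocking them by address is the wrong response; the useful output is the victim and the volume, which is what a diversion or rate-limit decision needs.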
  • 14. DDoS attack vectors
    - TCP state exhaustion
      - Take advantage of the stateful nature of the TCP protocol
      - SYN, FIN, RST floods
      - TCP connection attacks
      - Exhaust resources in servers, load balancers or firewalls.
      - Diagram: the client sends SYN(C); the listening server stores data (connection state, etc.) and replies SYN(S), ACK(C); repeated many times, until the system runs out of TCP listener sockets or out of memory for stored state.
    - Application layer attacks
      - Exploit limitations, scale and functionality of specific applications
      - Can be low-and-slow
      - HTTP GET / POST, SIP INVITE floods
      - Can be more sophisticated: ApacheKiller, Slowloris, SlowPOST, RUDY, refref, hash collision etc.
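Detection logic for the two vectors on this slide, added here as an example that is not part of the original deck. The first part replays TCP flag events and measures the half-open backlog the diagram describes; the second inspects a snapshot of open HTTP connections for the low-and-slow pattern. Both traces are constructed, and their shapes ((time, src, dst, flags) and (src, age_seconds, headers_complete)) are assumptions rather than any product's export format.

```python
"""Detection logic for TCP state exhaustion and low-and-slow application-layer
attacks, the two vectors on this slide.

Added example, not part of the original deck. The packet events and the
connection snapshot are constructed; their shapes ((time, src, dst, flags)
and (src, age_seconds, headers_complete)) are assumptions, not any product's
export format.
"""
from collections import Counter

SERVER = "203.0.113.5"   # constructed protected host

# Constructed TCP flag events. One genuine client completes the handshake;
# 50 spoofed sources each send a single SYN and never ACK the SYN-ACK.
EVENTS = [
    (0.00, "198.51.100.20", SERVER, "S"),
    (0.01, SERVER, "198.51.100.20", "SA"),
    (0.02, "198.51.100.20", SERVER, "A"),
]
for _i in range(50):
    _spoofed = f"192.0.2.{_i + 1}"
    EVENTS.append((0.10 + _i / 1000, _spoofed, SERVER, "S"))
    EVENTS.append((0.10 + _i / 1000 + 0.0005, SERVER, _spoofed, "SA"))


def handshake_state(events, server):
    """Replay flag events and return {client: state}.

    'syn'    SYN received, no reply yet
    'synack' server answered, waiting for the client's ACK (half-open);
             this is the entry that occupies a listen-backlog slot
    'est'    handshake completed
    """
    state = {}
    for _, src, dst, flags in sorted(events):
        if dst == server and flags == "S":
            state[src] = "syn"
        elif src == server and flags == "SA" and state.get(dst) == "syn":
            state[dst] = "synack"
        elif dst == server and flags == "A" and state.get(src) == "synack":
            state[src] = "est"
    return state


def syn_flood_summary(events, server, backlog=128):
    """Summarise backlog pressure on `server`.

    With spoofed sources every address sends one SYN, so a per-source rate
    limit sees nothing; the aggregate half-open fraction of the backlog is the
    signal that the listener is about to run out of state.
    """
    counts = Counter(handshake_state(events, server).values())
    per_source = Counter(src for _, src, dst, f in events if dst == server and f == "S")
    return {
        "half_open": counts["synack"],
        "established": counts["est"],
        "max_syns_per_source": max(per_source.values(), default=0),
        "backlog_fraction": round(counts["synack"] / backlog, 3),
    }


# Constructed snapshot of open HTTP connections on a web front end. Slowloris-
# style clients hold many connections open while trickling partial headers.
OPEN_CONNS = [("198.51.100.21", 0.8, True), ("198.51.100.22", 1.4, True)]
OPEN_CONNS += [("192.0.2.200", 45.0 + i, False) for i in range(30)]


def slow_request_offenders(conns, min_age=30.0, min_conns=10):
    """Sources holding >= min_conns connections open for >= min_age seconds
    without ever completing their request headers."""
    stuck = Counter(src for src, age, done in conns if not done and age >= min_age)
    return {src: n for src, n in stuck.items() if n >= min_conns}


if __name__ == "__main__":
    print(syn_flood_summary(EVENTS, SERVER))
    print(slow_request_offenders(OPEN_CONNS))
```

The two metrics behave differently on purpose: the SYN flood is invisible per source (one SYN each) and only shows in the aggregate backlog fraction, which is the condition under which SYN cookies or a shorter SYN-RECEIVED timeout help; the low-and-slow case is the reverse, a small number of sources with many long-lived incomplete requests, which is what a per-source connection cap or header-read timeout addresses.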
  • 15. DDoS attack vectors: the DDoS weapon of choice for Anonymous activists is LOIC, downloaded more than 639,000 times this year (so far). Average 2115 downloads daily.
  • 16. So, how is DDoS evolving? Looking at the Internet threat landscape
    - In order to understand the DDoS threat (and how to protect ourselves) we need to know what is going on out there.
    - Two data sources being presented here:
      - Arbor Worldwide Infrastructure Security Survey, 2011.
      - Arbor ATLAS Internet Trends data.
    - Arbor Worldwide Infrastructure Security Survey, 2011
      - 7th annual survey
      - Concerns, observations and experiences of the OpSec community
      - 114 respondents, broad spread of network operators from around the world
    - Arbor ATLAS Internet Trends
      - 240+ Arbor customers, 37.8 Tbps of monitored traffic
      - Hourly export of anonymized DDoS and traffic statistics
  • 17. 2012 ATLAS initiative: Anonymous worldwide stats. Higher pps rates seen in 2011 have continued into 2012.
    - Average attack is 1.56 Mpps, September 2012
    - 190% growth from September 2011
    - Chart: average monthly Kpps of attacks (y-axis 0 to 2500), September 2012 value 1556.
  • 18. 2012 ATLAS initiative: Anonymous worldwide stats. Peak attack growth trend in Gbps.
    - Peak attack in September 2012 is 63.3 Gbps
    - 136% rise from September 2011
    - Spikes at 75 Gb/sec and 100 Gb/sec so far this year.
    - Chart: peak monthly Gbps of attacks (y-axis 0 to 120), September 2012 value 63.33.
  • 19. 2012 ATLAS initiative: Anonymous worldwide stats. Average attack growth trend in Mbps.
    - Average attack is 1.67 Gbps, September 2012
    - 72% growth from September 2011
    - Average attacks now consistently over 1 Gb/sec
    - Chart: average monthly Mbps of attacks (y-axis 0 to 2500), September 2012 value 1670.
  • 20. DDoS attacks are evolving (survey charts)
    - Have you experienced multi-vector application / volumetric DDoS attacks? Don't know 27%, No 32%, Yes 41%.
    - Number of DDoS attacks per month: categories 0, 1-10, 10-20, 20-50, 50-100, 100-500, >500; bar labels 47%, 9%, 15%, 7%, 10%, 11%, 1%.
    - Services targeted by application layer DDoS attacks: HTTP 87%, DNS 67%, SMTP 25%, HTTPS 24%, SIP/VoIP 19%, IRC 11%, Other 7%.
  • 21. Recent financial attacks (“Operation Ababil”): multi-vector DDoS on a new level
    - Compromised PHP, WordPress & Joomla servers
      - Often US or EU based, so geo-blocking is difficult
      - Large bandwidths – powerful attacks
    - Multiple concurrent attack vectors
      - GET and POST app layer attacks on HTTP and HTTPS
      - DNS query app layer attack
      - Floods on UDP, TCP SYN floods, ICMP and other IP protocols
    - Unique characteristics of the attacks
      - Very high packet per second rates per individual source
      - Large bandwidth attack on multiple companies simultaneously
      - Very focused
    - Could be false flag, could be cyberwar, could be hacktivism
  • 22. DDoS, a growing problem. So, how can we minimize the impact of an attack?
    - Monitor the network and services so that you can pro-actively detect changes at all layers (up to layer 7).
    - Know who to call.
    - Develop an incident handling process and run fire-drills.
    - Utilise the security capabilities built into other network and security infrastructure to minimise impact where possible.
    - Use a dedicated OOB (out-of-band) management network.
  • 23. The failure of existing security devices
    - CPE-based security devices focus on integrity and confidentiality and not on availability (Information Security Triangle):
      - Firewalls – Integrity – Enforce network policy to prevent unauthorized access to data
      - Intrusion Prevention System – Integrity – Block break-in attempts causing data theft
    - Firewalls and IPS devices do not solve the DDoS problem because they (1) are optimized for other security problems, (2) can’t detect or stop distributed attacks, and (3) can not integrate with in-cloud security solutions.
    - Because they are stateful and inline, they are part of the DDoS problem and not the solution. Many DDoS attacks target firewalls and IPS devices directly!
    - Diagram: data center with IPS and load balancer inline.
  • 24. Industry solution A: CPE-based protection
    - A CPE is placed inline with traffic. Because the device has full visibility of traffic destined for the customer it is in a unique position to quickly detect and mitigate DDoS attacks. The CPE:
      - Detects DDoS attacks immediately
      - Starts blocking without delay
      - Has finite capacity
      - Requires hands-on knowledge to operate
  • 25. Industry solution B: Out-of-path protection
    - A monitoring device receives L3/L4 traffic information from routers in the network (via Netflow/BGP). DDoS traffic can be diverted to a scrubbing center for “cleaning”. Other traffic continues unaffected.
      - Detects DDoS attacks immediately
      - Works in large and complex networks with lots of traffic and internet links
      - Has finite capacity
      - Requires hands-on knowledge to operate
    - Diagram: ISP 1, ISP 2 … ISP n and a local ISP feed the data center (firewall, IPS); a monitoring system watches the routers, and a scrubbing center sits off-path to receive diverted traffic.
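Slide 22 asks for monitoring that proactively detects changes, and this slide describes the out-of-path model in which a monitoring system learns from router flow export and decides when traffic should be diverted. The following is an added example of the detection step, not code from the original deck or from Arbor, Prolexic or any other vendor named in it. The per-minute traffic samples are constructed, and the rule (mean plus k standard deviations of a quiet learning window, per metric) is a generic baseline choice, not the algorithm of any product on these slides.

```python
"""Baseline-based volumetric anomaly detection over per-destination flow rates.

Added example, not from the deck or any vendor product. The traffic samples
are constructed, and the detection rule (mean + k * stddev of a learning
window, per metric) is a generic choice rather than the algorithm of any
product named on the slides.
"""
import statistics

# Constructed per-minute inbound rates toward one protected prefix:
# 30 minutes of normal, mildly varying traffic, followed by two flood minutes.
NORMAL = [(9.5e8 + 5e7 * ((i % 7) - 3), 1.2e5 + 8e3 * ((i % 5) - 2))
          for i in range(30)]
FLOOD = [(6.3e10, 1.5e6), (7.1e10, 1.6e6)]
SAMPLES = NORMAL + FLOOD          # each sample is (bits/s, packets/s)


def learn_baseline(history, k=4.0):
    """Upper thresholds for bps and pps from a quiet learning window.

    Both metrics are kept because the slides show pps-heavy and bps-heavy
    attacks growing independently; a small-packet flood can sit well under
    the bps threshold while exhausting router and firewall packet budgets.
    """
    bps = [b for b, _ in history]
    pps = [p for _, p in history]
    return {
        "bps": statistics.fmean(bps) + k * statistics.pstdev(bps),
        "pps": statistics.fmean(pps) + k * statistics.pstdev(pps),
    }


def classify(sample, baseline, link_bps):
    """('ok', None) or ('alert', severity).

    Severity is 'high' when the rate threatens the link itself, which is the
    case where out-of-path diversion to a scrubbing center (rather than
    filtering on the already-saturated edge) is the appropriate step.
    """
    bps, pps = sample
    if bps > baseline["bps"] or pps > baseline["pps"]:
        return ("alert", "high" if bps > 0.8 * link_bps else "medium")
    return ("ok", None)


def run(samples, warmup=30, link_bps=10e9):
    """Learn on the first `warmup` samples, then classify the rest.

    The baseline only absorbs samples classified 'ok', so an ongoing flood
    cannot teach the detector that flood-level traffic is normal.
    """
    baseline = learn_baseline(samples[:warmup])
    history = list(samples[:warmup])
    verdicts = []
    for s in samples[warmup:]:
        verdict = classify(s, baseline, link_bps)
        verdicts.append(verdict)
        if verdict[0] == "ok":
            history.append(s)
            baseline = learn_baseline(history[-warmup:])
    return verdicts


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES[30:], run(SAMPLES)):
        print(sample, verdict)
```

On the constructed data both flood minutes come back as high-severity alerts while every learning-window minute stays under threshold. In a real deployment the baseline would be kept per destination prefix and per time of day, and the alert would feed the diversion decision (the BGP announcement toward the scrubbing center) rather than a print statement.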
  • 26. Industry solution C: Cloud-based protection
    - Cloud-based protection works by intercepting attack traffic ‘in-the-cloud’, long before it reaches the network under attack. It provides:
      - Almost infinite capacity (currently 1 Tbps)
      - Upstream blocking so customer networks never see DDoS traffic
      - Effective blocking within minutes of starting mitigation
      - DDoS mitigation “as-a-Service”
  • 27. Arbor Peakflow, out-of-path protection: pervasive and cost-effective visibility and security
    - Pervasive network visibility and deep insight into services: leverage Netflow technology for broad traffic visibility across service provider networks.
    - Comprehensive threat management: granular threat detection, surgical mitigation and reporting of DDoS attacks that threaten business services.
    - Managed service enabler: a platform which offers the ability to deliver new, profitable, revenue-generating services, i.e. DDoS protection and traffic analysis.
  • 28. Prolexic cloud-based DDoS mitigation
    - Scrubbing centers (peering): San Jose, CA; Ashburn, VA; London, UK; Frankfurt, DE; Hong Kong, China; Tokyo, Sydney (2014)
    - Carrier reach: a minimum of 3 Tier 1 carriers per site; 500+ peers
    - Global reach: staff on four continents; 800 Gigabits/sec dedicated for attack traffic
    - Map legend: scrubbing center, regional offices, headquarters & SOC, botnet concentration