The Rising Threat of DDoS Attacks: Is Your Business at Risk?

Presented originally by NetStandard's Daniel Fluke, Ph.D. at INTERFACE Kansas City, this presentation defines the differences between DoS and DDoS attacks and provides tips for identifying and mitigating attacks on your business.

Published in: Technology, Economy & Finance

  • The whole point of a Denial of Service (DoS) attack is to deny your legitimate users access to those resources.
  • The process of compromising a host and installing the tool is automated. The process can be divided into these steps, in which the attackers: initiate a scan phase in which a large number of hosts (on the order of 100,000 or more) are probed for a known vulnerability; compromise the vulnerable hosts to gain access; install the tool on each host; and use the compromised hosts for further scanning and compromises.
  • Because an automated process is used, attackers can compromise and install the tool on a single host in under five seconds. In other words, several thousand hosts can be compromised in under an hour. In essence, the attacker, using a command and control system, may create subordinate systems that can control the attacking machines. Very large attacks may have multiple subordinate control systems and hundreds or thousands of bots that will actually be the originating attacking machines. Commands can be passed along to initiate and control the attacking machines, thus denying access to your resources.
  • According to the Prolexic Global DDoS Attack Report, Q1 2013: The top 10 Attack Source Countries are
  • Attackers can be motivated by any number of reasons: revenge against your company for some policy you may have; revenge against your company for something that your company posted on a social media site; damaging your business to elicit payment from you to stop the attack (attackers may be seeking to ransom your bandwidth and availability, and if you pay them off they will stop the attack); and sometimes it is just BECAUSE THEY CAN!
  • Just about every type of business can be a target, and likely has been in some fashion over the course of the last 10 years or so. Some of the favorite targets are: banks and other financial institutions; consumer goods retailers and manufacturers; companies that are in the news; and companies that have just made someone or some group mad because of their policies, comments in social media or any number of other reasons.
  • How do you know you are being attacked? Regularly monitor your web site performance. If loads are abnormally high and unexpected, you may be under attack. You may start seeing Service Unavailable messages that might indicate that your services are heavily loaded. Pay attention to your web statistics, reviewing them for anomalies that might indicate unusual activity. Check your log files for suspicious activity. Monitor bandwidth utilization to identify potential attack activity.
  • Attacks are cheap to launch and expensive to combat!
  • Independent Newspapers has confirmed a report that it has come under a cyber attack. The online division, IOL, was offline on Wednesday amid reports that it had sustained a DDoS attack for publishing an article in support of Zimbabwean president Robert Mugabe. Distributed denial-of-service (DDoS) attacks that could be related have …. slammed the DNS servers of at least three providers of domain name management and DNS hosting services. DNSimple, easyDNS and TPP Wholesale all reported temporary DNS service outages and degradation on Monday, citing DDoS attacks as the reason. Spam crusaders The Spamhaus Project have been battling massive distributed denial of service (DDoS) attacks that have reportedly resulted in a slowdown of the entire Web. An Islamic group that launched a third wave of high-powered distributed denial-of-service (DDoS) attacks against U.S. banks in March has started targeting other financial organizations, including credit card companies and financial brokerages, security experts say.
  • Transcript

    • 1. The Rising Threat of DDoS Attacks: Is Your Business At Risk? Daniel Fluke, Ph.D., NetStandard Inc. NetStandard.com | 2000 Merriam Lane | Kansas City, KS 66106
    • 2. What Is A DoS or DDoS Attack? A Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack is an attempt by a malicious party to make a machine or network resource (like a website) unavailable to its intended users (your customers). Targets: • Financial Institutions • Small/Midsized Businesses • Retail
    • 3. DoS or DDoS: What’s the Difference? DoS – Denial of Service: A Denial of Service attack is an attempt by a single machine to prevent others from utilizing your website resources.
    • 4. DoS or DDoS: What’s the Difference? DDoS – Distributed Denial of Service: A Distributed Denial of Service attack is an attempt by multiple machines to prevent others from utilizing your website resources.
    • 5. Types of DDoS Attacks. There are multiple types of attacks that can effectively make your systems inaccessible or unresponsive to users. Three general types of attacks: 1. Volume-Based Attacks 2. Protocol Attacks 3. Application Layer Attacks
    • 6. Types of DDoS Attacks – Volume-Based Attacks. Goal: To saturate the bandwidth of the attacked site. The magnitude of this type of attack is typically measured in bits per second. Attacks include: • UDP Floods • ICMP Floods • Spoofed Packet Floods
    • 7. Types of DDoS Attacks – Protocol Attacks. Goal: To consume the resources of either the servers or the intermediate communication equipment, such as routers, load balancers and/or firewalls. Protocol attacks are usually measured in packets per second. Attacks include: • SYN Floods • Fragmented Packet Attacks • The Ping of Death • Smurf DDoS
    • 8. Types of DDoS Attacks – Application Layer Attacks. Goal: To crash web servers. Arguably the most dangerous form of DDoS attack, these attacks are often comprised of seemingly legitimate and innocent requests. Application layer attacks are often measured in requests per second. Attacks include: • Slowloris • Zero-day DDoS attacks • DDoS attacks on Apache, Windows or OpenBSD vulnerabilities
    • 9. Types of DDoS Attacks. In Q1 of 2013, the Prolexic Global DDoS Attack Report gives the following breakdown of the types of attacks being carried out:
    • 10. Types of DDoS Attacks. In Q1 of 2013, the Prolexic Global DDoS Attack Report gives the following breakdown of the types of attacks being carried out: • SYN Flood – Spoofed SYN packets fill the connection tables of your servers • ICMP Flood – ICMP packets overload servers and inbound bandwidth • Non-Service Port Flood – TCP/UDP packets overload servers and inbound bandwidth on ports not being used for services (e.g., port 81) • Service Port Flood – Packets overload servers and inbound bandwidth on ports being used for services (e.g., port 80) • Fragmented Flood – Fragmented packets are sent to servers, causing them to overload as they process those packets • HTTP GET Flood – HTTP GET requests flood servers and incoming bandwidth on in-use service ports, mimicking valid traffic
    • 11. How Is An Attack Launched? • In order to launch a DDoS attack, attackers need between several hundred and several thousand compromised hosts. Hosts are usually Linux and SUN computers, but tools can be ported to other platforms • Compromising a host and installing tools is automated. The process can be divided into four steps: 1. Attackers initiate a scan phase 2. Identified vulnerable hosts are compromised 3. Tools are installed on each host 4. Compromised hosts are used for further scanning and compromising
    • 12. How Is An Attack Controlled? Using a command and control system, attackers create subordinate systems that can control the attacking machines. • Attackers can compromise and install tools on a single host in under 5 seconds • Several thousand hosts can be compromised in less than an hour • Large attacks may have multiple subordinate control systems and thousands of bots • Commands can be passed on to initiate and control attacking machines
    • 13. The Origins of Attacks. Top 10 Attack Source Countries: *Prolexic Global DDoS Attack Report, Q1 2013
    • 14. What Motivates Attackers? • Revenge against a company’s policies or practices • Revenge against a company for something posted on social media • Eliciting ransom money to stop the attack • Ransoming bandwidth and availability • Because they can
    • 15. Are You A Target? EVERY BUSINESS IS A TARGET. Some, however, are more popular targets than others: • Banks and financial institutions • Consumer goods retailers • Manufacturers • Companies in the news • Companies engaging in political, cultural or social hot-button issues, whether through comments in social media or day-to-day practices.
    • 16. Know When You’re Under Attack. Key signs your business is under attack: • Abnormally high or unexpected loads on websites • “Service Unavailable” messages • Abnormalities or unusual activity in website statistics • Suspicious activity in log files • Abnormally high bandwidth utilization. If your company is in the cloud, you could be affected when another company hosted by your provider is attacked. Selecting a provider with plenty of additional bandwidth can help absorb the bandwidth demands and mitigate the impact to your business.
    • 17. Prepare Before An Attack. Create a plan before an attack: • Know Your Vulnerabilities – What is happening internally that might make attackers aware of your presence? • Increase Resiliency and Availability – Implement industry best practices for network infrastructure, applications, critical support services and DNS. • Secure Potential Bottlenecks – Ensure systems are configured correctly. • Watch Your Systems and Network – Use automated tools to monitor and alert on suspicious activity. • Small Attacks Happen, Too – Nearly 50% of attacks are less than 5GB, and 25% are 1GB or less. • Beware of Application Attacks – These are much harder to recognize than network layer attacks.
    • 18. Prepare Before An Attack. Create a plan before an attack, cont.: • Beware Blended Attacks – Attackers are increasingly combining network and application layer attacks. • Look for Suspicious Activity – Be aware of the possibility of suspicious activity, like social engineering, during an attack. Sometimes DDoS is used as a distraction. • Make Friends Upstream – Your ISP can help identify and mitigate attacks. Work with them to implement various strategies that can help before an attack and after. • Sign Up For DoS/DDoS Mitigation Services – Consider signing up for a DoS/DDoS mitigation service, like those provided by AT&T, Verisign, Arbor Networks and Prolexic.
    • 19. What If I’m Attacked? Your response to an attack is dependent upon what type of attack is being waged. Initial steps should include: • Block the attack with packet filters on your routers. If possible, do this at the border of your network or through your ISP. • Null route, or blackhole, the IP address being attacked on your border routers or on your ISP’s border routers. This will effectively shut down the service attached to that IP address, but it could keep other systems online and available. • Use Anycast and Multicast Source Discovery Protocol (MSDP) if your company has websites co-hosted at several locations.
    • 20. DDoS In The News. Independent Newspapers – Received an attack following the publishing of an article in support of Zimbabwean President Robert Mugabe. The Spamhaus Project – Spam crusaders have been battling massive DDoS attacks that have reportedly resulted in a slowdown of the entire Web. Attacks on U.S. Banks – An Islamic group launched a third wave of high-powered DDoS attacks against U.S. banks in March 2013 and is reportedly targeting other financial institutions.
    • 21. Questions? Contact us!
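Slide 10 says that a SYN flood fills the server's connection tables with spoofed SYN packets, and slide 17 recommends automated tools that monitor and alert on suspicious activity. The following is an added example, not code from the presentation or from NetStandard, showing how a monitoring script could detect that condition from a snapshot of the TCP connection table. It assumes the whitespace-separated column layout of `ss -tan` on Linux (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port); the snapshot lines, the threshold values and the function names are constructed for illustration.

```python
"""Flag a SYN flood from a TCP connection-table snapshot (added example)."""
from collections import Counter

# Constructed snapshot in `ss -tan` layout: a few real sessions on port 80
# followed by a burst of half-open (SYN-RECV) entries, one per source address.
SAMPLE_SS = [
    "State      Recv-Q Send-Q Local Address:Port   Peer Address:Port",
    "LISTEN     0      128    *:80                 *:*",
    "ESTAB      0      0      203.0.113.10:80      203.0.113.40:51000",
    "ESTAB      0      0      203.0.113.10:80      203.0.113.41:51001",
    "ESTAB      0      0      203.0.113.10:80      203.0.113.42:51002",
    "ESTAB      0      0      203.0.113.10:80      203.0.113.43:51003",
    "ESTAB      0      0      203.0.113.10:443     203.0.113.44:51004",
    "TIME-WAIT  0      0      203.0.113.10:80      203.0.113.45:51005",
] + [
    f"SYN-RECV   0      0      203.0.113.10:80      198.51.100.{i}:{40000 + i}"
    for i in range(1, 61)
]

# Index of the last "quiet" line above, before the constructed SYN burst begins.
QUIET_PREFIX = 8


def split_host_port(addr):
    """Split 'host:port' (also '[v6]:port' and '*:*') on the last colon."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_ss(lines):
    """Turn ss-style rows into dicts; the header row and short rows are skipped."""
    entries = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue
        _, local_port = split_host_port(fields[3])
        peer_host, _ = split_host_port(fields[4])
        entries.append({"state": fields[0], "local_port": local_port, "peer": peer_host})
    return entries


def assess(lines, syn_recv_threshold=50, ratio_threshold=0.5):
    """Summarise half-open connections and decide whether they look like a flood.

    Two heuristics (constructed thresholds, tune to your own baseline):
    an absolute count of SYN-RECV entries, and the share of half-open
    connections among all client sessions (SYN-RECV + ESTAB).
    """
    entries = parse_ss(lines)
    half_open = [e for e in entries if e["state"] == "SYN-RECV"]
    established = sum(1 for e in entries if e["state"] == "ESTAB")
    sessions = established + len(half_open)
    ratio = len(half_open) / sessions if sessions else 0.0
    syn_sources = Counter(e["peer"] for e in half_open)
    per_port = Counter(e["local_port"] for e in half_open)

    reasons = []
    if len(half_open) >= syn_recv_threshold:
        reasons.append(f"{len(half_open)} half-open connections (threshold {syn_recv_threshold})")
    if sessions and ratio >= ratio_threshold:
        reasons.append(f"half-open ratio {ratio:.2f} (threshold {ratio_threshold})")

    # Exactly one half-open entry per distinct source is the residue that
    # randomly spoofed SYN packets leave behind; real clients retry and complete.
    spoofing_pattern = bool(syn_sources) and max(syn_sources.values()) == 1

    return {
        "syn_recv": len(half_open),
        "established": established,
        "half_open_ratio": ratio,
        "distinct_syn_sources": len(syn_sources),
        "busiest_port": per_port.most_common(1)[0][0] if per_port else None,
        "spoofing_pattern": spoofing_pattern,
        "alert": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, snapshot in (("quiet", SAMPLE_SS[:QUIET_PREFIX]), ("flood", SAMPLE_SS)):
        print(label, assess(snapshot))
```

In production the snapshot would come from running `ss -tan` on a schedule rather than from the constructed list, and the thresholds would be set from the server's normal ratio of half-open to established sessions; the `spoofing_pattern` flag is only a hint, since a large number of genuinely slow clients could also leave one half-open entry each.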
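Slide 16 and the speaker note on knowing when you are under attack list the signs to watch for: abnormal request loads, "Service Unavailable" responses, anomalies in web statistics and suspicious activity in log files. Slide 10 adds that an HTTP GET flood mimics valid traffic on the in-use service port. The following is an added example, not code from the presentation or from NetStandard, that turns those signs into a check over web server access logs: it buckets requests per second and flags a second either because one source is hammering the site or because the aggregate rate is far above normal even though every source looks innocent. It assumes the Apache/nginx "combined" log format; the log lines, the thresholds and the function names are constructed for illustration.

```python
"""Flag HTTP GET flood signatures in web server access logs (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Apache/nginx "combined" format: ip ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample log: three normal requests, then a 25-request burst from a
# single source (some answered with 503), then 40 single requests from 40
# different sources inside one second, which looks like a distributed GET flood.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/May/2013:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.9 - - [14/May/2013:10:00:00 +0000] "GET /about HTTP/1.1" 200 2048',
    '203.0.113.12 - - [14/May/2013:10:00:01 +0000] "POST /login HTTP/1.1" 302 0',
] + [
    f'198.51.100.7 - - [14/May/2013:10:00:05 +0000] "GET / HTTP/1.1" '
    f'{503 if i % 4 == 0 else 200} 5120'
    for i in range(25)
] + [
    f'192.0.2.{i} - - [14/May/2013:10:00:09 +0000] "GET / HTTP/1.1" 200 5120'
    for i in range(1, 41)
]


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = m.group("bytes")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "bytes": 0 if size == "-" else int(size),
    }


def analyze(lines, req_threshold=30, per_ip_threshold=20, error_status=503):
    """Bucket requests per second and report buckets that look like a flood.

    Thresholds are constructed; in practice derive them from the site's
    normal peak requests per second. Returns one alert dict per flagged second.
    """
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines instead of dying mid-incident
        buckets[int(rec["ts"].timestamp())].append(rec)

    alerts = []
    for second in sorted(buckets):
        recs = buckets[second]
        per_ip = Counter(r["ip"] for r in recs)
        top_ip, top_count = per_ip.most_common(1)[0]
        errors = sum(1 for r in recs if r["status"] == error_status)
        reasons = []
        if len(recs) >= req_threshold:
            reasons.append("aggregate request rate")
        if top_count >= per_ip_threshold:
            reasons.append("single source request rate")
        if reasons:
            alerts.append({
                "second": datetime.fromtimestamp(second, tz=timezone.utc).isoformat(),
                "requests": len(recs),
                "distinct_ips": len(per_ip),
                "bytes": sum(r["bytes"] for r in recs),
                "top_ip": top_ip,
                "top_ip_requests": top_count,
                "error_ratio": errors / len(recs),  # share of "Service Unavailable"
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The per-source rule catches the case slide 3 calls a DoS (one machine), while the aggregate rule is what catches the distributed case, where no single address stands out and blocking individual sources does not help; the `error_ratio` field ties the alert back to the "Service Unavailable" symptom from slide 16, and `bytes` gives the inbound-bandwidth view for the same second.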