3 34880 ians-arbor_networkscustomreport
© 2013 IANS. All rights reserved. Commissioned by Arbor Networks. For more information, write to info@iansresearch.com.

Contents

- Introduction
- DDoS Attacks Yesterday and Today
- What types of protection are available (focus on internal)?
- Framework for determining what type of protection you need
- Conclusion
- About Arbor Networks
- About IANS
Introduction

At the end of March 2013, the largest Distributed Denial of Service (DDoS) attack in history was seen on the Internet. With the anti-spam organization Spamhaus.org as the ultimate target, the attackers initially went after CloudFlare, the company that hosts and helps control traffic for Spamhaus, and later moved on to attack larger upstream providers. The attack began at 120 Gbps of traffic and grew to reach 300 Gbps. Both are huge numbers that could bring even the biggest organizations to their knees.

In analyzing the attack, IANS believes there are lessons for every organization. First, we need to understand what methods were employed by both attackers and defenders. Second, the attack underscores the need for more layered DDoS defenses than most organizations have traditionally had. If it can happen to Spamhaus, it can happen to anyone, whether an online service provider, a financial organization, or an enterprise with an online business presence.

The attacks are changing, even while the classic DDoS techniques remain effective. Organizations of all sorts find themselves in the crosshairs of attackers with a variety of motivations to cause outages, lost business, and damaged reputations. IANS conducted a survey of global enterprises to determine what concerns they have, what tactics they are using to defeat DDoS, and what kinds of tools and processes they are using or considering.

In this paper, we review the history of DDoS attacks, focusing on the variety of types seen, as well as several recent cases where newer methods were employed by the attackers.
We then review the different types of protection available today, with an eye toward putting in-house DDoS detection and prevention tools and processes in place, including data from the IANS survey. Finally, we include a simple framework to help you accomplish this, with pointers on what to think about when devising an internal DDoS strategy.

DDoS Attacks Yesterday and Today

DDoS attacks have been occurring since the mid 1990s (not counting some of the earlier malware-driven DDoS effects from the Morris worm and others). The first DDoS attacks really emerged in 1995-1996, when it was discovered that floods of TCP packets with only the SYN flag set could overwhelm network equipment and many servers and services. This technique, known as the SYN Flood, became much more popular in 1997-1998, along with attacks that crashed services, such as Teardrop and Boink. Reflected ICMP and other replies became popular in 1998-2000 with techniques like Smurf and Fraggle.

The first truly distributed attacks, however, started emerging in late 1998 and early 1999 with a number of client-server tools such as Trinoo, Tribe Flood Network (TFN), and Stacheldraht. Attackers could compromise systems, install the software, and then remotely command multiple compromised systems to simultaneously launch attacks and send malicious traffic to one or more destinations. These tools, along with the attacks they were capable of generating and controlling, were the precursors of today's botnets, in which a single attacker or group controls numerous distributed systems and commands them to perform coordinated actions (in this case, DDoS floods and attacks). In 1999, one of the first publicized DDoS attacks rendered the University of Minnesota's network almost unusable for close to three days, with 2500 or more
attacking hosts involved.[1] The Trinoo tool was used to send many 2-byte UDP packets, and the university was largely unable to do anything about it.

In 2000, DDoS attacks burst into the mainstream through a series of attacks against the highest-profile Internet sites of that era. None of these attacks were particularly complex or sophisticated, but the sheer volume of traffic and compromised hosts flooding the sites made initial identification of the attacks and the subsequent response somewhat slow. From 2001 to 2003, flood-based DDoS attacks continued, but some of the techniques changed, as did attacker motivation. Attackers started extorting financial and other organizations by threatening continued DDoS until a ransom was paid. They also started actively making use of reflected attacks, particularly spoofed DNS queries. Into 2004, DDoS attacks were increasingly carried out by distributed botnets, with fast-spreading worms often serving as the initial infection vector.

Up through 2007, these same techniques continued, culminating in the sustained 2007 attacks by Russia against the country of Estonia. Seen as the first true politically motivated DDoS attack, the flood of traffic continued for close to three weeks against high-profile Estonian web sites and government services, leading to an organized response by NATO. This same behavior continued in 2008, when Russia was accused of using DDoS techniques in its war with Georgia. In 2009, security professionals saw the rise of the "crowdsourced" DDoS when Iranian protesters used PHP scripts and other tools to target Iranian government sites. The hacktivist group Anonymous started using DDoS effectively as a retaliation and political strategy, targeting religious groups like Scientology, government sites in the US and UK, and financial firms.
The Wikileaks saga led to numerous DDoS attacks in 2010 and beyond, with groups like LulzSec and Anonymous taking out government and commercial sites. The blogging site WordPress was hit in 2011, as was the Hong Kong Stock Exchange. One of the largest attacks of 2011 was against Sony's PlayStation Network, and was again attributed to Anonymous. The DDoS attack against Sony was intended both to mask data exfiltration by creating a huge amount of "noise" and to cause deliberate availability impacts to Sony.

2012 saw a significant rise in attacks against financial organizations. Many of the world's leading financial service institutions and banks experienced significant outages and slowdowns due to politically motivated DDoS attacks. Some of these reached sustained 100 Gbps speeds as well, which many in the security community believe foreshadowed the trends we are seeing now. Several hosting providers were victims in 2012, as was the code-sharing site GitHub (which is still under attack into 2013).

[1] http://denialofservice.uw.hu/ch03lev1sec3.html

What has changed in the last several years? Several key trends are occurring now:

- The variety and types of attacks are changing. While most attacks are still volume-based, primarily SYN Floods and ICMP and UDP traffic, more and more application-level traffic is seen today, primarily HTTP and HTTPS and DNS queries. Some of these attacks are much "slower" in nature and focus on connection handling at the application/service layer rather than pure volume. This type of attack rose to prominence as far back as 2009, when tools like Slowloris became available to target HTTP services. In addition, many DDoS attacks
now target stateful network devices, looking to fill connection queues and cause slowdowns and loss of availability.
- More tools are becoming available to easily perpetrate DDoS attacks as political statements. The best known of these are Low-Orbit Ion Cannon (LOIC) and High-Orbit Ion Cannon (HOIC). LOIC was used to great effect against the Church of Scientology and other Anonymous targets. HOIC was used in early 2012 to protest the shutdown of the site Megaupload.
- New types of criminal activity are being seen around DDoS attacks. In addition to the classic extortion and political motives, DDoS attacks are now used as a distraction while other attacks (such as fraudulent wire transfers) are underway. Businesses can also now attack competitors with DDoS floods purchased online anonymously.

So what types of recent high-profile data breaches are survey respondents most concerned with? Figure 1 shows the percentage of respondents concerned with each attack variant:

Figure 1: High-Profile Attack Concerns

While the methods and motivations for DDoS attacks have changed over the years, one thing is certain: they will continue, and more and more organizations are likely to experience them.

What types of protection are available (focus on internal)?

There are many different types of DDoS protection available to organizations today, and more and more organizations are starting to look into these options seriously. 53% of respondents to the IANS DDoS survey indicated that they currently have a significant online presence that would be impacted by DDoS, and the remaining 47% are looking at DDoS detection and prevention very soon.
Figure 1 data (extracted from the chart; values in the order extracted: 44%, 22%, 34%, 37%; categories in the order extracted: Financial Services/Bank DDoS attacks like "Operation Ababil", Spamhaus attacks, mobile malware, application-based DDoS attacks)
The following are common DDoS protection tools:

- Dedicated DDoS Detection and Prevention Appliances: Today there are very sophisticated security platforms dedicated solely to detecting and defending against DDoS attacks. These platforms are purpose-built to evaluate more sophisticated application-layer DDoS attacks and also to defend against state- and protocol-focused attacks, since they sit close to the network equipment and services they defend.
- Network IDS/IPS: Many organizations look to their existing IDS/IPS installations to help defend against DDoS. While IDS/IPS can help identify anomalous traffic, including classic obfuscation techniques like fragmentation and IP Options abuse, these platforms are not built to handle large volumes of traffic, and may not react to "legitimate" requests that fill connection queues. In addition, IDS/IPS often rely on session state to inspect traffic, making them susceptible to attacks intent on overwhelming session state in inline devices, which can take down the network that way. 30% of respondents stated that they are leveraging network IDS/IPS for defense against DDoS.
- Firewalls: Traditional network firewalls can mitigate some attacks using layer three and four rules. However, firewalls are frequent targets of protocol attacks today, and can become major bottlenecks during sustained DDoS floods. Like IDS/IPS, firewalls rely on session state for inspection and can be taken offline during these types of attacks. 42% of survey respondents stated that they are leveraging network firewalls for defense against DDoS.
- Routers: Some basic access control, packet filtering, and shaping can be done at the border router. 19% of survey respondents stated that they are leveraging routers for defense against DDoS.
- Load Balancers: Close to 15% of survey respondents stated that they are leveraging network/application load balancers for defense against DDoS. Load balancers can help handle some aspects of application load, but are still not well suited to handling huge floods, and do not help much with certain types of application and protocol attacks, such as DNS reflection. Load balancers are designed to maintain uptime by sharing bandwidth, not by stopping attacks, so lower-volume attacks may be missed.
- Cloud-based DDoS Protection Services: These services are primarily focused on detecting volume-based attacks and controlling bandwidth. Some can also balance load across multiple data centers, making very large traffic volumes manageable. Cloud providers may require extra time to detect and mitigate attacks, during which the attack may already be causing service interruption. While extremely useful, this may not be ideal as the sole DDoS solution.
- Internet Service Providers: "Clean pipe" Internet Service Provider (ISP) offerings sanitize
traffic before it ever reaches you. These services are good for cleansing volume attacks and some obvious DDoS signatures, but still cannot handle protocol and application attacks that leverage "normal" requests. As with cloud providers, relying on a service provider to protect availability is good, but not as a sole solution. Service providers cannot detect lower-volume attacks that overwhelm your IPS or firewall and still cause a network outage. Response times to DDoS attacks can also take anywhere from 45-60 minutes, which can be devastating during peak hours.

51% of respondents indicated that they are using firewalls, routers, IDS/IPS, and load balancers in some combination for DDoS defense today. Based on the survey results, it is clear that organizations are shifting toward an in-house strategy. 72% of respondents stated that they have some sort of on-premise protection, while only 28% indicated that they rely solely on external providers to help them with DDoS attacks. The reasons organizations gave for focusing on on-premise protection varied, however. Figure 2 shows the breakdown of these reasons:

Figure 2: Reasons for On-Premise DDoS Protection (extracted from the chart; values in the order extracted: 30.40%, 30.40%, 30.40%, 7.60%, 1.30%; categories in the order extracted: maintaining uptime, compliance, stopping and recording attacks, blocking botnets, other (please specify))

Of those organizations not using an on-premise DDoS protection solution, 45.5% have a cloud-based solution or DDoS protection from their ISP, while 54.5% indicated that they have no external services either (implying that they have no real DDoS defenses at the moment). When asked why they were not using on-premise solutions, survey respondents replied with the following reasons:
Figure 3: Reasons for Not Employing On-Premise DDoS Protection (extracted from the chart; values in the order extracted: 9.10%, 18.20%, 9.10%, 36.40%, 27.30%; categories in the order extracted: cost, complexity, other (please specify), cost and complexity, we don't feel the need for on-premise protection)

Those who answered "other" cited reasons such as employee skillset gaps and upcoming network upgrades and changes that would prohibit such a solution at the moment.

Many organizations rely on ISPs and service providers as their first line of defense against DDoS attacks, and there are quite a few DDoS protection techniques these external providers (ISPs or cloud services) can employ. When asked which techniques their providers used, survey respondents replied as follows:

Figure 4: Cloud-Based DDoS Protection Techniques (chart; per-category values were not recoverable from the page; categories in the order extracted: not sure, none of the above, all of the above, DNS redirection, "clean pipe" or packet scrubbing techniques, overprovisioning; axis 0% to 35%)
18% of survey respondents indicated that they had experienced a significant DDoS attack in the past 12 months. 60% stated that they could not identify the attackers or their motives. 17% identified the attacks as business-driven; in other words, their competitors had initiated some sort of DDoS to cause harm or availability loss to their online presence and services. 15% of attacks were directly related to criminal extortion attempts, and 8% were politically motivated in one way or another.

Survey respondents have been experiencing a variety of traffic types in recent DDoS attacks. Figure 5 shows the breakdown of traffic types as seen by respondents:

Figure 5: Traffic Types Seen in Recent DDoS Attacks

There are a number of controls organizations can implement to combat DDoS attacks today. Many of these are existing security and network products that organizations already have in-house, but with the rise of more sophisticated application, protocol, and volume-based attacks, routers, firewalls, IDS/IPS, and load balancers are simply not well suited to sustained defense. Organizations need to evaluate more robust DDoS protection tools and services, but what do they need to consider?

Framework for determining what type of protection you need

As more organizations look into implementing an on-premise DDoS detection and prevention strategy, it helps to have a sound framework for deciding what protection capabilities you need and how best to establish a DDoS protection program that fits with your existing security operations teams. By following the simple framework here, you can start to evaluate the approach and steps that fit your organization best.
Figure 5 data (extracted from the chart; values in the order extracted: 13.5%, 11.2%, 51.7%, 25.8%, 22.5%; categories in the order extracted: ICMP, UDP, HTTP/HTTPS, TCP other, TCP SYN packets)
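Two of the traffic types in Figure 5, TCP SYN packets and UDP, map onto the two checks an in-house monitoring team most often needs before any appliance is in place: a half-open SYN ratio per destination, and a bytes-per-second baseline that flags volumetric spikes and names the dominant protocol/port (a UDP source port 53 spike points at DNS reflection). The script below is an added example written for this page, not code from IANS or Arbor Networks; the flow records, the 192.0.2.10 target, the client count profile, and the thresholds (100 half-open sources, 20% completion, mean plus three standard deviations) are all constructed assumptions, and one record per packet with whole-second timestamps is assumed.

```python
"""Added example (not from the IANS/Arbor report): two flow-level DDoS indicators.
Assumption: one record per packet, timestamps in whole seconds, all data constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import fmean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int        # capture second
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    sport: int
    dport: int
    flags: str     # TCP flags as letters: "S" = SYN only, "A" = ACK; "" for UDP
    nbytes: int


SERVER = "192.0.2.10"  # constructed target (RFC 5737 documentation range)


def build_sample_flows():
    """Constructed traffic: 10 s of benign HTTPS handshakes with a varying client
    count, then 3 s of a spoofed SYN flood, then 2 s of a DNS reflection flood."""
    flows = []

    def benign(t, n):
        for i in range(n):                       # each client completes a handshake
            src = f"10.0.{i // 256}.{i % 256}"
            flows.append(Flow(t, src, SERVER, "tcp", 40000 + i, 443, "S", 60))
            flows.append(Flow(t, src, SERVER, "tcp", 40000 + i, 443, "A", 600))

    for t in range(10):
        benign(t, 15 + (t % 5) * 2)              # 15..23 clients per second
    for t in range(10, 13):
        benign(t, 20)
        for i in range(500):                     # SYNs from 500 spoofed sources, never ACKed
            net = "198.51.100" if i < 256 else "203.0.113"
            flows.append(Flow(t, f"{net}.{i % 256}", SERVER, "tcp", 1024 + i, 443, "S", 60))
    for t in range(13, 15):
        benign(t, 20)
        for i in range(300):                     # large UDP replies from port 53 (reflection)
            flows.append(Flow(t, f"172.16.{i // 256}.{i % 256}", SERVER, "udp", 53, 33000 + i, "", 4000))
    return flows


def syn_flood_windows(flows, min_half_open=100, max_completion=0.2):
    """Per (dst, second): sources that sent a SYN but never an ACK are half-open.
    Alert when the half-open count is high and the handshake completion ratio is low."""
    syn_srcs = defaultdict(set)
    ack_srcs = defaultdict(set)
    for f in flows:
        if f.proto != "tcp":
            continue
        key = (f.dst, f.ts)
        if f.flags == "S":
            syn_srcs[key].add(f.src)
        elif "A" in f.flags:
            ack_srcs[key].add(f.src)
    alerts = []
    for (dst, ts), srcs in sorted(syn_srcs.items()):
        completed = len(srcs & ack_srcs.get((dst, ts), set()))
        half_open = len(srcs) - completed
        completion = completed / len(srcs)
        if half_open >= min_half_open and completion <= max_completion:
            alerts.append((dst, ts, half_open, round(completion, 3)))
    return alerts


def volume_spikes(flows, baseline_seconds=10, k=3.0):
    """Learn bytes/second per destination from the first baseline_seconds, flag
    later seconds above mean + k*stdev, and name the dominant proto/port for triage."""
    total = defaultdict(int)
    by_port = defaultdict(lambda: defaultdict(int))
    for f in flows:
        key = (f.dst, f.ts)
        total[key] += f.nbytes
        port = f.sport if f.proto == "udp" else f.dport   # reflection shows in the source port
        by_port[key][f"{f.proto}/{port}"] += f.nbytes
    alerts = []
    for dst in sorted({d for d, _ in total}):
        base = [total.get((dst, t), 0) for t in range(baseline_seconds)]
        threshold = fmean(base) + k * pstdev(base)
        for (d, ts), nbytes in sorted(total.items()):
            if d == dst and ts >= baseline_seconds and nbytes > threshold:
                top = max(by_port[(d, ts)].items(), key=lambda kv: kv[1])[0]
                alerts.append((d, ts, nbytes, round(threshold), top))
    return alerts


if __name__ == "__main__":
    sample = build_sample_flows()
    for a in syn_flood_windows(sample):
        print("SYN flood  dst=%s t=%d half_open=%d completion=%.3f" % a)
    for a in volume_spikes(sample):
        print("volume     dst=%s t=%d bytes=%d threshold=%d top=%s" % a)
```

On the constructed data the SYN check fires only for seconds 10-12 (500 half-open sources, about 4% completion), while the benign seconds and the reflection seconds show full handshake completion. The volume check fires for seconds 10-14 and attributes 10-12 to tcp/443 and 13-14 to udp/53, which is the split between a state-exhaustion attack and a volumetric one that the readiness questions below ask a response team to make. The same structure feeds a SIEM as two named indicators rather than raw counters.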
Evaluate the financial impact of losing your organization's online presence

While this may seem difficult (and it may be, depending on your business model), there are some rough estimates you can rely on. The Arbor Networks paper "The Risk vs. Cost of Enterprise DDoS Protection" presents a model that ties business loss to operational overhead cost and yields simple, usable numbers.[2] The number of attacks over a three-year period can dramatically affect the total cost, too. If you experience only one attack in a 15-year span, the cost of an on-premise DDoS solution will break even. Any more attacks than this, and you will likely get a more significant return on your investment, especially if you depend heavily on your online presence.

[2] http://www.arbornetworks.com/component/docman/doc_download/497-the-risk-vs-cost-of-enterprise-ddos-protection?Itemid=442

Evaluate Current Incident Response Plans and Processes

The next phase in evaluating DDoS defense readiness, and in preparing an on-premise DDoS defense program, is to develop an incident response plan for DDoS attacks. This plan should accommodate network engineering and operations, security policy and processes related to availability, and business continuity and disaster recovery (DR). The following criteria cover items in the Preparation and Identification phases of the NIST SP 800-61 incident handling process and will help determine your current level of readiness:

Preparation
- Do you have a clearly defined DDoS defense strategy?
- Do you have contacts within your ISP for dealing with a DDoS attack?
- Do you have a sound understanding of normal traffic patterns coming into your environment?
- Do you have a good inventory and configuration/vulnerability management program in place for DNS services?
- Do you have a Defense-in-Depth approach to DDoS defense controls?
- Does your information security team regularly research and monitor new DDoS varieties and threat vectors?

Identification
- Can your current incident response process accommodate DDoS attacks today?
- Can your response team currently identify and mitigate volume-based DDoS attacks?
- Can your response team currently identify and mitigate protocol anomaly DDoS attacks?
- Can your response team currently identify and mitigate application-based DDoS attacks?
- Can your network monitoring team quickly identify anomalous DNS or other inbound and outbound traffic?
- Have you incorporated DDoS attack indicators into your log and event monitoring?

These are just a few of the questions you should ask your team to evaluate DDoS defense readiness. When asked whether their current enterprise teams knew how to identify and respond to DDoS attacks, 92% of survey respondents said "yes". Some combination of operations and security seems most applicable; Figure 6 shows the percentage of respondents indicating which teams play a role in defending against these attacks:

Figure 6: Enterprise Teams Handling DDoS Attacks (extracted from the chart; values in the order extracted: 7%, 43%, 32%, 60%; categories in the order extracted: I don't know, network engineering teams, incident response teams, information security teams (general))

Select the appropriate services and product offerings to mitigate DDoS attacks

Depending on your business scenario and risk appetite, you will need some combination of service-based and on-premise DDoS defense controls. Cloud and ISP-based DDoS defense services may be helpful for handling larger bandwidth-hogging attacks, especially if you do not have enough staff in-house or the right expertise to handle them. However, the trend in DDoS attacks is heading toward application-layer and protocol attacks, which are much better handled
and mitigated close to the platforms and services they protect in most cases. Look for the following attributes in DDoS detection and protection products you may deploy onsite:

- Regular updates to DDoS detection signatures and automated defense mechanisms: An enterprise-class DDoS platform should be backed by a research team that provides regular updates to combat constantly changing threats and attack variants. Any on-premise solution should also be capable of detecting and defending against all three major DDoS types seen today: volumetric attacks, protocol and state attacks, and application-layer attacks that target specific services.
- Performance: In-house platforms should be capable of very robust performance, never contributing to latency or lost packets.
- Ease of Deployment and Use: Many DDoS solutions are seen as unnecessarily complicated. These devices need to be flexible in how they are deployed within an existing network architecture, and should not require extensive training to get up and running. The management interface should be intuitive and simple, and reporting should be customizable.
- Easily customizable to your environment: Every network is different, from the infrastructure down to the applications in use. It is important to have a solution that can easily adapt to the attacks targeting each unique system while still providing broad-based protection.

Conclusion

More and more organizations are experiencing DDoS attacks today. The largest and most intense traffic floods on record have been seen in 2013, and this trend will likely continue in high-profile cases. While the majority of attacks are still less than 1 Gbps in size, blended attacks using more than one technique can cripple many services and network devices just as effectively as volumetric attacks.
Organizations need to understand the variety of attacks that are possible, as well as the different types of DDoS defense services and products available. Now is the right time for most enterprises to evaluate their current detection and response plans with DDoS in mind, and to consider the potential costs and other business impacts of multiple sustained outages over a short period of time. The capabilities of on-premise DDoS platforms have grown significantly, and organizations interested in a proper Defense-in-Depth model should look at the combination of controls that best meets their needs both today and tomorrow.

About Arbor Networks

Arbor Networks, Inc. is a leading provider of network security and management solutions for enterprise and service provider networks, including the vast majority of the world's Internet service providers and many of the largest enterprise networks in use today. Arbor's proven network security and management solutions help grow and protect customer networks,
businesses and brands. Through its unparalleled, privileged relationships with worldwide service providers and global network operators, Arbor provides unequalled insight into and perspective on Internet security and traffic trends via the ATLAS® Active Threat Level Analysis System. Representing a unique collaborative effort with 250+ network operators across the globe, ATLAS enables the sharing of real-time security, traffic and routing information that informs numerous business decisions.

About IANS

IANS is the leading provider of in-depth security insights delivered through its research, community, and consulting offerings. Fueled by interactions among IANS Faculty and end users, IANS provides actionable advice to information security, risk management, and compliance executives. IANS powers better and faster technical and managerial decisions through experience-driven advice. IANS was founded in June 2001 as the Institute for Applied Network Security. Inspired by the Harvard Business School experience of interactive discussions driving collective insights, IANS adapted that format to fit the needs of information security professionals.