DDoS Attacks and What to Do About Them

You’ve seen it in the news. Hackers release malicious code that infects computers and then uses them to launch mass attacks against specific websites, making those sites inaccessible to legitimate traffic.

Unfortunately, financial institutions are becoming more frequent victims of DDoS attacks. Probably the biggest misconception about DDoS attacks is that once you have a firewall or protective software installed and are running at a well-respected data center, you’re already safe.

Unfortunately, recent attacks on major websites have disproved that. DDoS attacks cannot be prevented. But there are steps that you can take to reduce the time needed to mitigate a DDoS attack once one begins.

About LKCS:
LKCS provides financial institutions with marketing, graphic design, commercial printing, mailing, internet development, e-marketing, newsletter production, database and one-to-one marketing, statement processing, e-statements and transpromotional marketing services. Our clients have counted on us for unrivaled experience, excellent quality, competitive pricing and superior service for over four decades.

LKCS – We do that.


  1. DDoS Attacks And What to Do About Them
  2. LKCS
  3. What is a DDoS attack?
     • DDoS = Distributed Denial of Service
       – A DDoS attacker’s goal is that your web site (or a specific web application) becomes inaccessible – to deny service to your members/customers.
       – Distributed across many computers and many internet connections.
       – Typically thousands or millions of routine web server requests are made consecutively until they overwhelm the web servers, firewalls, routers, etc. and consume all of the available internet bandwidth.
     • There is NO WAY TO PREVENT a DDoS attack.
  4. DDoS Attack Phases
     • Phase One: Target Acquisition.
       – An attacker picks a company, organization, data center, or server to attack.
       – The reason for selection could be financial (someone is paying the attacker), political “hacktivism” (the attacker is trying to make a statement), or it could be just for malicious fun.
  5. DDoS Attack Phases (cont.)
     • Phase Two: Groundwork.
       – The attacker compromises a large number of unsecured computers (typically home user machines with broadband internet connections).
       – Software is maliciously installed on each machine that the attacker will later use to target your network.
       – Access to these “botnets” can even be rented by the hour!
       – Hacker collectives bring scale and expertise to attacks.
  6. DDoS Attack Phases (cont.)
     • Phase Three: ATTACK.
       – The attacker sends a command to each of the compromised hosts (now known as zombie computers), directing them to flood the target with legitimate-looking web requests, overwhelming the web server(s) or choking the bandwidth to a snail’s pace.
       – The attack lasts as long as the attacker wants, or at least for as long as he/she/they can afford.
  7. About Botnets
     • It takes just 64,000 PCs infected with a virus like Conficker to generate 10 gigabits per second of traffic.
     • Mariposa, the largest known botnet, affected 12 million PCs. It could have generated a DDoS attack as large as 31.2 terabytes per second.
     • A botnet can generate 1 Million times the available bandwidth of a business.
     Source: AT&T
  8. Too easy!
     • “Low Orbit Ion Cannon”
       – Just one kind of DDoS attack
       – Easy to use, online accessible tool for the novice hacker
       – Menu choices enable the hacker to choose protocols for attack (TCP, UDP, ICMP)
       – The rate of attack is also easily adjustable
       – The hacker can choose to attack a web URL or IP address
  9. A Few Others
  10. Types of Attacks – for the techies
     • Volume Based Attacks
       – Includes UDP floods, ICMP floods, and other spoofed-packet floods.
       – The attack’s goal is to saturate the bandwidth of the attacked site.
       – Magnitude is measured in bits per second (bps).
     • Protocol Attacks
       – Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more.
       – This type of attack consumes actual server resources, or those of intermediate communication equipment, such as firewalls and load balancers.
       – Measured in packets per second.
  11. Types of Attacks – for the techies
     • Application Layer Attacks
       – Includes Slowloris, zero-day DDoS attacks, DDoS attacks that target Apache, Windows or OpenBSD vulnerabilities and more.
       – Comprised of seemingly legitimate and innocent requests, the goal of these attacks is to crash the web server.
       – Magnitude is measured in requests per second.
     • A DDoS attacker can change attack profiles on the fly to thwart mitigation efforts.
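The slides measure application-layer attacks in requests per second, which is also the number a defender needs in order to notice one. The following is an added example, not code from the webinar or from LKCS: a small Python request-rate meter that reads web server access-log lines in the Apache/Nginx "combined" format, buckets them per second, and reports the peak rate and the source addresses behind any second that exceeds a baseline. The log lines, the IP addresses, the timestamps and the baseline of 3 requests per second are all constructed for the demo.

```python
"""Request-rate meter for application-layer (Layer 7) flood detection.

Added example, not part of the original webinar deck. It parses access-log
lines in Apache/Nginx "combined" format, buckets them per second, and
reports peak requests per second plus the sources behind the flagged
seconds. The log lines below are constructed sample data, not real traffic.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" format: client IP, ident, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (epoch_second, client_ip, request_line), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return int(ts.timestamp()), m.group("ip"), m.group("req")


def request_rate_report(lines, baseline_rps, top_n=3):
    """Bucket requests per second and flag every second above baseline_rps.

    Returns the peak requests-per-second value, the flagged seconds (epoch),
    and the top source IPs seen during flagged seconds, which is the input a
    rate limit or upstream filter rule would be built from.
    """
    per_second = Counter()
    sources = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of crashing mid-incident
        sec, ip, _req = parsed
        per_second[sec] += 1
        sources[sec][ip] += 1
    if not per_second:
        return {"peak_rps": 0, "flagged_seconds": [], "top_sources": []}
    peak_rps = max(per_second.values())
    flagged = sorted(sec for sec, n in per_second.items() if n > baseline_rps)
    during_flag = Counter()
    for sec in flagged:
        during_flag.update(sources[sec])
    return {
        "peak_rps": peak_rps,
        "flagged_seconds": flagged,
        "top_sources": during_flag.most_common(top_n),
    }


# Constructed sample log: two quiet seconds, then a burst from two sources,
# plus one garbage line to show that parsing is tolerant.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Mar/2013:10:15:00 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [27/Mar/2013:10:15:00 -0500] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [27/Mar/2013:10:15:01 -0500] "GET /about HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.7 - - [27/Mar/2013:10:15:02 -0500] "GET /login?x={i} HTTP/1.1" 200 1024 "-" "curl/7.29"'
    for i in range(6)
] + [
    '203.0.113.9 - - [27/Mar/2013:10:15:02 -0500] "POST /login HTTP/1.1" 200 1024 "-" "curl/7.29"'
    for _ in range(4)
] + ["this line is garbage and should be skipped"]


def demo():
    """Run the meter over the constructed log with an assumed baseline of 3 req/s."""
    return request_rate_report(SAMPLE_LOG, baseline_rps=3)


if __name__ == "__main__":
    print(demo())
```

Note that this only counts completed requests as the web server logged them. Connection-holding attacks such as Slowloris, which send partial requests and never finish them, show up as a pile-up of open connections on the server rather than as a high request rate in the access log, so this meter complements rather than replaces connection-level monitoring.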
  12. DDoS Attack Growth
     • Q4 2012 Compared to Q3 2012
       – 27.5% increase in total number of attacks
       – 17% increase in number of attacks on the network infrastructure
       – 72% increase in number of attacks on web sites/applications
       – 67% increase in average attack duration to 32.2 hours from 19.2 hours
       – 20% increase in average attack bandwidth from 4.9 to 5.9 Gbps
       – China retains its position as the top source country for DDoS attacks
     Source: Prolexic
  13. POLL QUESTION: How likely will your company become a victim of a DDoS attack within the next 12 months?
  14. What’s at stake? DDoS Attack Costs
     • Damage to Your Brand
       – If your site is down, account holders will question if you provide a safe place to bank.
       – Ruins years of work building your brand.
     • Loss of Revenue
       – If your website is down, you lose revenue.
       – No online banking, bill pay, forms or applications, account opening, etc.
     • Bad Member/Customer Experience
       – Call centers get overwhelmed.
       – Account holder frustration skyrockets.
       – People seek alternatives.
     • DDoS Attack Mitigation
       – You want to be covered but you have limited staff and budget.
       – DDoS attack mitigation is inexpensive compared to the other costs.
     A DDoS attack can cost a victim organization as much as $10,000 to $50,000 per hour in lost revenue.
  15. And one more…
     • DDoS attacks are more frequently being used to hide security breaches and data theft.
       – Attention focuses on the attack.
       – Log files get massive, too difficult to analyze quickly.
       – Servers and routers rebooted, often destroying forensic evidence.
       – Attacks end long before any intrusion is identified.
  16. Alarming Figures
     • Currently up to 130,000 DDoS attacks PER DAY!
     • Recent attacks have grown as large as 100–300 Gbps (Gigabits per second)
       – Small and mid-size banks and credit unions size their bandwidth to handle their average web traffic – NOWHERE CLOSE TO THE SIZE OF THESE DDoS ATTACKS
       – The 300 Gbps attack on Spamhaus (March 27th) slowed internet traffic WORLDWIDE.
       – GOOD NEWS: 90% of DDoS attacks are smaller than 1 Gbps
  17. The Latest Bank and CU Attacks
     • Large banks and credit unions have recently been victims of large scale DDoS attacks
       – Who did it?
         • “Cyber Fighters of Izz ad-din Al Qassam” – most likely Iran
       – And why?
         • Retaliation for an anti-Muslim video
       – That’s less important than the fact it could be done. These attacks were successful.
         • Web sites were down for days or hours. Brand reputations suffered. Revenue was lost.
  18. These Attacks will Continue
     “A new class of damaging DDoS attacks and devious criminal social-engineering ploys were launched against U.S. banks in the second half of 2012, and this will continue in 2013 as well… Organizations that have a critical Web presence and cannot afford relatively lengthy disruptions in online service should employ a layered approach that combines multiple DoS defenses”
     – Avivah Litan, Vice President, Gartner
  19. What Else was Learned?
     • Firewalls and Intrusion Detection Systems are ineffective at DDoS protection.
       – They provided limited protection up to a point – but quickly got overwhelmed by the amount of malicious HTTP traffic.
       – When enormous amounts of DNS traffic were received, these systems crashed and were taken offline completely.
     • Even those institutions with dedicated DDoS mitigation appliances lacked the trained staff to use them effectively.
  20. So, You’re Not a Large Bank or CU…
     • Smaller financial institutions are MORE vulnerable.
       – You don’t have the budgets to spend on in-house DDoS protection (hardware, software, and human experience) that you may not need.
       – Even small attacks (the 90% below 1 Gbps) can currently cripple your online operations.
       – How much internet bandwidth do you have? How much can you afford? It doesn’t matter, the DDoS attackers have more.
  21. What Can You Do About DDoS Attacks?
     • Traditional In-House
       – Costs of hardware and additional bandwidth
       – Only works for certain types of small scale attacks
       – Not deployed specifically for DDoS protection
     • DDoS Appliance
       – High upfront cost
       – How many locations need appliances? Is it even feasible?
       – Needs extensive support and expertise
     • ISP/Web Host
       – Rely on traditional firewalls and intrusion detection systems
       – Protection for limited attack types
       – Larger attacks will be blackholed, making your site unavailable
     • Content Distribution Network
       – Not designed for DDoS
       – DDoS attacks can bypass cache & send requests to origin servers
       – Limited bandwidth
     • Cloud-Based DDoS Service
       – Reduced costs – no capital expenditure
       – Multi-layered mitigation solutions and dedicated expertise
       – Real-time mitigation monitoring and post-event reporting
  22. Things to Look for in a DDoS Solution
     • Experience and Expertise
     • Scrubbing Capacity (Bandwidth)
     • Attack / Mitigation Diversity
     • Technologies Deployed
     • Time to Mitigate / Service Level Agreements
     • Cost
       – Monthly Service
       – Per Incident Fee
       – Attack Size / Clean Traffic Bandwidth
       – Number of Domains/Resources
       – SSL Protection (Layer 7)
     • POTENTIAL OVERAGE CHARGES
  23. Cloud-Based DDoS Mitigation Options
     • Option 1: Always-On
       – Your web traffic is continuously monitored for potential DDoS attacks
       – Mitigation can begin as soon as a potential attack is identified
       – NO DOWNTIME
       – Dedicated server/router required – may not be available with shared web hosting
       – Expensive
     • Option 2: On-Demand
       – Your web traffic is diverted to the DDoS provider when you are under attack
       – Mitigation begins within minutes of traffic diversion (DNS change)
       – Typically 5-15 minutes downtime (depends on attack complexity)
       – Available for any web site or web application
       – Economical
  24. Cloud-Based DDoS Mitigation Options
     • Option 3: Emergency Mitigation
       – Your web traffic is diverted at the time of attack
       – Mitigation begins within minutes of traffic diversion (DNS change)
       – Downtime depends on vendor provisioning and attack complexity (4 hours estimated)
       – Available for any web site or web application
       – Ranges from Expensive to Very Expensive
       – Emergency setup fees may apply
  25. POLL QUESTION: Which of these options seems to be the best fit for you?
  26. One Thing You Should Do NOW
     • Reduce the TTL on Your DNS A Records
       – Let me explain…
       – During a DDoS attack, you will need to redirect your web site traffic to your DDoS provider.
       – This is done by changing the IP address that your domain name points to.
       – This is a Domain Name System (DNS) change to an “A” record, which provides servers around the world with the IP address of your domain.
       – These IP addresses are cached by servers worldwide for a period of time known as the Time to Live (TTL).
       – You can control this TTL value. It is listed in seconds.
  27. One Thing You Should Do NOW (cont.)
     • Reduce the TTL on Your DNS A Records
       – A long TTL will enable DNS servers to cache your IP address for several hours/days and reduce the number of requests made to your primary DNS host. However, these servers will continue to direct traffic to that cached IP address until the TTL expires.
         • Example: A TTL of 259200 = 3 Days
       – A short TTL will increase the load on your DNS host – BUT will enable you to redirect all web site requests to a new IP address within a few minutes (to your DDoS provider or back to normal, for example).
         • Example: A TTL of 300 = 5 Minutes
  28. Who Manages Your DNS?
     The Possibilities:
       – You do
       – Your ISP or web host (LKCS)
       – Your core processor or home banking provider
       – Your domain name registrar
       – Your computer consultant (or prior consultant)
     What You Need to Do:
       1. Find out who manages your DNS
       2. Ask if there is a minimum TTL value
       3. Ask if the TTL value will revert to a default value on its own
       4. Check the TTL value on the A record(s)
       5. Change them if necessary (LKCS recommends a value of 300-600)
       6. Change DNS providers if necessary (NOT EXPENSIVE)
     LKCS CAN HELP!
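Steps 4 and 5 of the checklist above (check the TTL on each A record, change it if it is too long) are easy to script so they can be re-run after every DNS change. The following is an added example, not code from the webinar or from LKCS: a Python audit that reads answer lines in the format `dig +noall +answer <name> A` prints, converts each TTL to the human-readable form the slides use (259200 = 3 days, 300 = 5 minutes), and flags A records above a ceiling of 600 seconds, the top of the 300-600 range recommended above. The record lines are constructed sample data using reserved documentation names and addresses (example.com, 192.0.2.0/24), not real customer records.

```python
"""DNS A-record TTL audit for DDoS failover readiness.

Added example, not part of the original webinar deck or LKCS's tooling.
It parses answer lines in the format `dig +noall +answer` prints
(owner, TTL, class, type, rdata), converts each TTL to a human-readable
duration, and flags A records whose TTL exceeds a chosen ceiling.
The record lines below are constructed sample data using reserved
documentation names and addresses (example.com, 192.0.2.0/24).
"""
import re

# One resource record per line, as printed by `dig +noall +answer`.
ANSWER_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>[A-Z]+)\s+(?P<rdata>.+)$"
)

# Upper end of the 300-600 second range the deck recommends.
RECOMMENDED_MAX_TTL = 600


def humanize_ttl(seconds):
    """Render a TTL in the largest unit that divides it evenly.

    259200 -> '3 days', 3600 -> '1 hour', 300 -> '5 minutes', 90 -> '90 seconds'.
    """
    for unit, size in (("day", 86400), ("hour", 3600), ("minute", 60)):
        if seconds >= size and seconds % size == 0:
            n = seconds // size
            return f"{n} {unit}{'' if n == 1 else 's'}"
    return f"{seconds} seconds"


def parse_answer(line):
    """Return a record dict for one answer line, or None if it does not parse."""
    m = ANSWER_RE.match(line.strip())
    if not m:
        return None
    return {
        "name": m.group("name"),
        "ttl": int(m.group("ttl")),
        "type": m.group("rtype"),
        "rdata": m.group("rdata").strip(),
    }


def audit_a_records(lines, max_ttl=RECOMMENDED_MAX_TTL):
    """Check every A record's TTL against max_ttl.

    The TTL is also the worst-case redirect window: a resolver that cached the
    record just before you changed it keeps sending users to the old IP for up
    to that long, so it bounds how quickly a DNS-based diversion to a DDoS
    provider (or back to normal) takes effect everywhere.
    """
    findings = []
    for line in lines:
        rec = parse_answer(line)
        if rec is None or rec["type"] != "A":
            continue  # skip non-A records (MX, NS, ...) and unparseable lines
        findings.append({
            "name": rec["name"],
            "ip": rec["rdata"],
            "ttl": rec["ttl"],
            "redirect_window": humanize_ttl(rec["ttl"]),
            "too_long": rec["ttl"] > max_ttl,
        })
    return findings


# Constructed sample output; in practice feed in the real `dig` output.
SAMPLE_ANSWERS = [
    "www.example.com.   259200  IN  A   192.0.2.10",
    "example.com.       3600    IN  A   192.0.2.10",
    "ebanking.example.com.  300  IN  A   192.0.2.25",
    "example.com.       3600    IN  MX  10 mail.example.com.",
]


def demo():
    """Audit the constructed records and return only the findings that need action."""
    return [f for f in audit_a_records(SAMPLE_ANSWERS) if f["too_long"]]


if __name__ == "__main__":
    for f in audit_a_records(SAMPLE_ANSWERS):
        flag = "CHANGE" if f["too_long"] else "ok"
        print(f"{flag:6} {f['name']:24} TTL {f['ttl']:>7} ({f['redirect_window']}) -> {f['ip']}")
```

Run it against the output of `dig +noall +answer` for each hostname your customers use (web site, home banking, e-statements), and re-run it after any DNS provider change, since step 3 of the checklist warns that some providers silently revert the TTL to a default.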
  29. POLL QUESTION: Has your financial institution budgeted for DDoS protection or mitigation expenses?
  30. What does DDoS Mitigation cost?
     • It’s the wild, wild west out there…
     • Pricing can vary widely – but so can both the quality and level of DDoS mitigation service
     • We’ve spoken to dozens of DDoS providers. Here are very rough costs that we’ve seen FROM OTHER PROVIDERS:
       – Always-On Protection: starting at $2,000 per month
       – On-Demand Protection: starting at $700 per month (relatively low bandwidth) but could be up to $6,000 per attack mitigation
       – Emergency Mitigation: starting at $10,000 AND UP
  31. DDoS Mitigation from LKCS
     • LKCS is partnering with a major DDoS mitigation provider.
     • Designing our solution to include:
       – On-Demand solution with Always-On and Emergency Mitigation options
       – Unlimited attack size (no overage costs)
       – Service Level Agreement guarantees for fast response
       – Multiple DDoS mitigation technologies protecting all TCP web services (web sites, e-mail, home banking, etc.)
       – Layer 7 SSL mitigation available
  32. DDoS Mitigation from LKCS (cont.)
     • Pricing to be based on clean traffic bandwidth (the internet traffic that you are already getting)
     • Low monthly cost with per mitigation fee (don’t pay for what you don’t need)
     • Real-time and post-mitigation reporting
     • Premium DNS hosting
  33. Interested?
     • Contact me for more details:
       Sid Haas, Vice President of Business Development
       Direct: 815-220-3904
       sid.haas@lk-cs.com
     THANK YOU for attending today’s webinar!