How to Mitigate DDoS?
Brought to you by QOS Technology, Your Key to Internet Security
What is a DDoS Attack?
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal operations by denying legitimate users access. It brings down networks, web-based applications, or services by overwhelming these resources with more traffic than they can handle, or by compromising them in some other way.
Did you know? According to Radware, DDoS attacks don't require acres of bandwidth to disable your website. In fact, 76 percent of attacks are less than 1 Gbps and 32 percent are less than 10 Mbps.
How does DDoS work?
Distributed denial-of-service attacks occur when an attacker floods the website and/or Internet-facing business apps with so much traffic that the page is no longer able to respond. Web requests can easily be faked, and a huge flood of traffic, whether legitimate or not, cripples the server; without a proper mitigation system the whole system can become entirely unresponsive (Case 1).

DDoS mitigation is a set of techniques for blocking a DDoS attack; it seeks to make businesses resilient to such attacks. A DDoS mitigation service is designed to detect, monitor and block DDoS attacks so that legitimate traffic still gets through (Case 2).
[Figure: Case 1, without a DDoS mitigation service: attack traffic and legitimate traffic from the Internet both reach the server. Case 2, with a DDoS mitigation service: an anti-DDoS layer drops the attack traffic and passes the legitimate traffic.]
www.qostechnology.in info@qos.co.in
Did you know? The top 3 attacking countries account for almost 57% of total DDoS attacks (Source: Incapsula.com). [Chart residue: per-country shares of 9.11% and 37.8%; the country labels are not recoverable.]

Agenda: DDoS overview; Amplifications; Low & Slow DDoS; Attacker notions; DDoS flood attacks.
Amplifications
- Millions of sweet spots (like PCs with open DNS resolvers, etc.)
- An open market to hire botnets
- 14 prevalent Internet protocols are amplification prone

The DDoS attack vector gets more lethal when it is launched using protocols that have the characteristics of amplification (a multiplier that inflates the ingress traffic on the traffic flow path) and reflection (the attacker "A" spoofs the source address of a legitimate host "B", say the www.abcBANK.com web server, and generates requests such as DNS queries or NTP monlist towards DNS or NTP infrastructure "C"; the responses from "C" then flood host "B"). According to one research paper [1], there are 14 protocols prevalent on the Internet that can be reflected and have an amplification factor of 3 or above. One protocol found on broadband routers is cited with an amplification factor of 4080, i.e. the attacker needs to generate only 1 Mbps of requests to direct roughly 4 Gbps of responses towards the victim organization (or, when the victim's own devices are the reflectors, from the victim organization towards the Internet). One study found that most broadband routers have the DNS proxy setting enabled by default, hence they serve as sweet spots for attackers to take advantage of DNS amplification.

In order to keep such attacks alive and evade being blocked by the victim's security controls, the attacker keeps changing the source IP address, and further accelerates the attack by distributing this source-address rotation to multiple computing devices. This distributed army of computing power across multiple hosts is called a 'botnet' and is controlled from a single command-and-control (C&C) server. A DDoS attacker doesn't need to build their own botnet; botnets are available for rent on the grey market.

[1] C. Rossow, "Amplification Hell: Revisiting Network Protocols for DDoS Abuse", NDSS 2014. https://www.internetsociety.org/sites/default/files/01_5.pdf
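The reflection and amplification mechanics above can be turned into a simple edge check. The following is an added example, not code from the deck or from QOS Technology: it computes the bandwidth amplification factor (BAF), converts the deck's 1 Mbps to 4 Gbps arithmetic into a function, and scans constructed UDP flow records for responses from well-known reflector ports that the victim never requested. The flow records, the victim prefix 203.0.113.0/24, the short reflector port list and the 48 KB response sizes are all assumptions for the demonstration.

```python
"""Flag inbound UDP traffic that looks like reflected amplification responses.

Added example, not from the original deck. The flow records are constructed
and the reflector port list is a short illustrative subset (assumption); a
real deployment would read NetFlow/IPFIX records from the edge router.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services routinely abused as reflectors, keyed by the port the *response* comes from.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 19: "chargen", 161: "snmp", 1900: "ssdp"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def bandwidth_amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """BAF = bytes the reflector returns per byte the attacker has to send."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def attacker_rate_for(target_mbps: float, baf: float) -> float:
    """Request bandwidth the attacker needs to deliver target_mbps at the victim."""
    return target_mbps / baf


def suspected_reflection(flows, victim_prefix: str, min_bytes: int = 100_000):
    """Return {service: inbound bytes} for reflector services whose responses
    hit the victim without a matching request from the victim.

    A reflected flood arrives as *answers* from a service port on servers the
    victim never asked, so we first record every (victim host, server, port)
    the victim itself queried and then exclude those genuine answers.
    """
    asked = set()
    for f in flows:
        if f.proto == "udp" and f.src.startswith(victim_prefix) and f.dport in REFLECTOR_PORTS:
            asked.add((f.src, f.dst, f.dport))
    inbound = defaultdict(int)
    for f in flows:
        if f.proto != "udp" or not f.dst.startswith(victim_prefix):
            continue
        service = REFLECTOR_PORTS.get(f.sport)
        if service is None or (f.dst, f.src, f.sport) in asked:
            continue  # not a reflector port, or a real answer to the victim's own query
        inbound[service] += f.nbytes
    return {svc: b for svc, b in inbound.items() if b >= min_bytes}


# Constructed sample: one legitimate DNS lookup by the victim and its answer, one
# TCP download, and monlist-sized NTP responses from ten servers the victim never queried.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 51234, "198.51.100.1", 53, "udp", 70),
    Flow("198.51.100.1", 53, "203.0.113.10", 51234, "udp", 300),
    Flow("192.0.2.99", 443, "203.0.113.10", 5555, "tcp", 1_000_000),
] + [Flow(f"192.0.2.{i}", 123, "203.0.113.10", 80, "udp", 48_000) for i in range(1, 11)]


if __name__ == "__main__":
    print(suspected_reflection(SAMPLE_FLOWS, "203.0.113."))
    print(attacker_rate_for(4080.0, 4080))  # the deck's 1 Mbps -> ~4 Gbps arithmetic
```

The check hinges on the property the deck describes: a reflected flood consists of answers to questions the victim never asked, so matching inbound service-port traffic against the victim's own outbound queries separates it from normal DNS or NTP use. Reflection is only possible because the attacker can forge host B's source address; source-address validation at the attacker's ISP (BCP 38 ingress filtering) stops the spoofed requests at their origin, which is why that control belongs alongside closing open resolvers and disabling monlist.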
Attacker Notions
- Targeted attack
- Pass-through attack
- You're a victim of sentiment or perception against your geo/industry

There are various momentary objectives (notions) behind a DDoS attack, if you are a victim of one. These are:
- Targeted DDoS: Your organization is a target of interest because you may be a bank, a government data center hosting important citizens' data, etc., or your organization might have taken some business action that the bad actors did not like (like PayPal, which blocked funds to WikiLeaks and became the victim of a DDoS attack by the Anonymous group in Dec 2010).
- Pass-through DDoS: Your organization may be an ISP or a SaaS/PaaS/IaaS cloud services provider, and one or more of your customers is the victim of a targeted DDoS. As your network carries the traffic to this customer, your organization becomes a victim of pass-through DDoS. Between March 18 and 26, 2013, many European carriers felt a DDoS attack on the scale of 300 Gbps that was targeted at Spamhaus and at Cloudflare, which was fronting it.
- Industry or peer DDoS attacks: Your organization may be a victim of a multi-target attack where the attackers hit an industry or a specific geo in response to some trigger event. For example, the Anonymous group's attacks on multiple US payment and financial companies were a response to PayPal and others blocking money-transfer channels to WikiLeaks. In another example, cyber attacks against some Middle East companies led to a cyber cell of Hamas organizing a series of attacks against Israeli companies including the Tel Aviv Stock Exchange, El Al (Israel Airlines) and some Israeli banks.
DDoS Floods
- Technology barriers (like the TCP 3-way handshake; UDP is stateless)
- Default configurations (DNS proxy, NTP monlist configuration on routers, etc.)

DDoS floods: Typical DDoS flood attacks target organization resources like network bandwidth or server compute. Every piece of network equipment in the path of the traffic flow is vulnerable to the volume of a DDoS attack, owing to the following:

- Default configurations: There are a variety of configuration attributes, like the DNS proxy feature enabled by default on many routers and almost all broadband routers, or the monlist feature enabled by default on many network devices configured for NTP (Network Time Protocol), that turn a device into a reflector without its owner ever choosing to.
- Technology barriers: Each technology is bound to work in some defined way, and DDoS attackers target the very functioning of these technologies to craft flood attacks. For example, a TCP connection is built with a 3-way handshake of SYN, SYN-ACK and ACK packets. Attackers exploit this by generating a high rate of SYN packets from spoofed source IPs towards the target server in the victim organization; the server opens an embryonic (half-open) connection for each one, replies with a SYN-ACK, and keeps the entry while it retransmits the SYN-ACK and waits for the ACK, which with default retransmission settings can take a minute or more per entry. As none of the connections is genuine, the server's connection table and compute are wasted until it turns unresponsive. Similarly, UDP is stateless, which makes it a soft target: attackers can storm victim resources with one-way traffic that needs no handshake at all.
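To make the SYN-flood mechanism concrete, here is an added example (not from the deck or from QOS Technology) that models a listener with a fixed half-open backlog, floods it with spoofed SYNs that never complete the handshake, and shows a legitimate client being refused; the same flood is then run against a SYN-cookie listener that keeps no per-SYN state. The backlog size, timeout, client addresses and cookie secret are assumed values, and the cookie is a simplified model (an HMAC over client address, port and time window) rather than the exact kernel encoding.

```python
"""SYN flood against a stateful backlog, then against SYN cookies.

Added example, not from the original deck. Backlog size, timeout and the
cookie secret are assumed illustrative values; the cookie is a simplified
model in which an HMAC over (client ip, client port, time window) stands in
for all per-connection state. Real kernels also encode MSS and options.
"""
import hashlib
import hmac


class StatefulListener:
    """Classic behaviour: one embryonic-connection entry per SYN until ACK or timeout."""

    def __init__(self, backlog: int, timeout: float):
        self.backlog, self.timeout = backlog, timeout
        self.half_open = {}       # (client_ip, client_port) -> expiry time
        self.established = set()
        self.dropped = 0

    def _expire(self, now: float) -> None:
        for key in [k for k, t in self.half_open.items() if t <= now]:
            del self.half_open[key]

    def on_syn(self, client, now: float):
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1     # queue full: the SYN is silently discarded
            return None
        self.half_open[client] = now + self.timeout
        return "SYN-ACK"

    def on_ack(self, client, now: float) -> bool:
        self._expire(now)
        if self.half_open.pop(client, None) is None:
            return False          # no half-open entry: stray or already expired
        self.established.add(client)
        return True


class CookieListener:
    """Stateless: the ISN sent in the SYN-ACK is a MAC the final ACK must echo (+1)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.established = set()

    def _cookie(self, client, window: int) -> int:
        msg = f"{client[0]}:{client[1]}:{window}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, client, now: float) -> int:
        return self._cookie(client, int(now // 60))   # nothing is stored per SYN

    def on_ack(self, client, ack_number: int, now: float) -> bool:
        window = int(now // 60)
        for w in (window, window - 1):                 # tolerate a window boundary
            if ack_number == (self._cookie(client, w) + 1) & 0xFFFFFFFF:
                self.established.add(client)
                return True
        return False


def run_flood(kind: str, n_spoofed: int = 2000) -> dict:
    """n_spoofed SYNs from forged sources that never ACK, then one legitimate client."""
    now = 1000.0
    legit = ("198.51.100.7", 40000)
    spoofed = [(f"192.0.2.{i % 250 + 1}", 1024 + i) for i in range(n_spoofed)]
    if kind == "stateful":
        srv = StatefulListener(backlog=256, timeout=120.0)
        for i, c in enumerate(spoofed):
            srv.on_syn(c, now + i * 0.01)              # 20 s of flood, well inside the timeout
        now += n_spoofed * 0.01
        if srv.on_syn(legit, now) is None:
            return {"legit_connected": False, "dropped": srv.dropped}
        return {"legit_connected": srv.on_ack(legit, now + 0.05), "dropped": srv.dropped}
    srv = CookieListener(secret=b"rotate-this-secret")
    for c in spoofed:
        srv.on_syn(c, now)                             # costs a SYN-ACK each, but no memory
    isn = srv.on_syn(legit, now)
    ok = srv.on_ack(legit, (isn + 1) & 0xFFFFFFFF, now + 0.05)
    return {"legit_connected": ok, "dropped": 0}


if __name__ == "__main__":
    print("stateful:", run_flood("stateful"))
    print("cookies: ", run_flood("cookies"))
```

On Linux, net.ipv4.tcp_syncookies=1 (the default on current distributions) enables this behaviour once the SYN backlog (net.ipv4.tcp_max_syn_backlog) is full. Cookies protect the connection table, not the link: every forged SYN still costs the server a SYN-ACK, so upstream filtering is still required against high-rate floods.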
Low & Slow DDoS
- Encryption works to the hacker's advantage.
- Application weaknesses (CVEs such as POODLE, Heartbleed, Shellshock)
- Internal (calls between app and DB)

Sometimes DDoS attackers launch low & slow attacks that are technically more sophisticated than flood attacks. These attacks are launched by exploiting some vulnerability in the application(s) in use on the target server/system. The attacker evades the security controls deployed at the victim location before launching this type of DDoS attack and pivots inside the victim network. The attacker keeps learning about the variety of security controls and detection techniques deployed at the victim organization, hence keeps changing the attack vector, and sometimes uses encryption to stay undetected. In the final stage of this kind of attack, many database queries or application calls are launched to saturate the memory of the victim application or server. Because each connection carries very little data, these attacks stay far below volumetric thresholds; they are caught by per-connection timing and rate checks at the application layer, not by bandwidth monitoring.
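A slow POST is the textbook low-and-slow vector: the client declares a large body and then sends it a few bytes at a time, tying up a worker for minutes. The following added example (not from the deck or from QOS Technology) classifies per-connection progress samples by body transfer rate after a grace period and groups the slow ones by source, so that a source holding many such connections is blocked outright while a single slow client is merely closed. The thresholds and the connection records are constructed for the demonstration.

```python
"""Detect slow-POST (low and slow) connections from per-connection progress samples.

Added example, not from the original deck. Thresholds and the sampled
connection records are constructed/assumed; a real deployment would read the
same fields from the reverse proxy's or load balancer's connection table.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnSample:
    conn_id: str
    src_ip: str
    opened_at: float        # seconds since epoch (any monotonic clock works)
    content_length: int     # body size the client declared
    bytes_received: int     # body bytes actually received so far
    now: float              # time of the sample


def classify(sample: ConnSample, grace: float = 5.0, min_rate_bps: float = 1000.0) -> str:
    """Return 'ok', 'pending' or 'slow'.

    The rate is only judged after a grace period, so a client on a poor link
    is not killed a second after opening its connection.
    """
    if sample.bytes_received >= sample.content_length:
        return "ok"                       # body complete: nothing to hold open
    age = sample.now - sample.opened_at
    if age < grace:
        return "pending"
    return "slow" if sample.bytes_received / age < min_rate_bps else "ok"


def slow_post_report(samples, grace: float = 5.0, min_rate_bps: float = 1000.0,
                     per_ip_limit: int = 20) -> dict:
    """Group slow connections by source. A source at or above per_ip_limit slow
    connections is a candidate for an immediate block; the rest are closed
    individually so a genuinely slow but honest client only loses one upload."""
    slow_by_ip = defaultdict(list)
    for s in samples:
        if classify(s, grace, min_rate_bps) == "slow":
            slow_by_ip[s.src_ip].append(s.conn_id)
    return {
        "block_sources": sorted(ip for ip, conns in slow_by_ip.items() if len(conns) >= per_ip_limit),
        "close_connections": sorted(c for ip, conns in slow_by_ip.items()
                                    if len(conns) < per_ip_limit for c in conns),
    }


# Constructed sample taken at NOW: one attacker trickling 30 bytes a minute on 25
# connections, three healthy clients and one lone slow client.
NOW = 1_000.0
SAMPLE_CONNECTIONS = (
    [ConnSample(f"c-atk-{i}", "192.0.2.5", NOW - 60.0, 1_000_000, 30, NOW) for i in range(25)]
    + [
        ConnSample("c-done", "198.51.100.20", NOW - 3.0, 50_000, 50_000, NOW),     # upload finished
        ConnSample("c-new", "198.51.100.21", NOW - 2.0, 5_000, 100, NOW),           # too young to judge
        ConnSample("c-bulk", "198.51.100.22", NOW - 30.0, 500_000, 200_000, NOW),   # ~6.7 kB/s, healthy
        ConnSample("c-lone", "203.0.113.77", NOW - 120.0, 100_000, 10, NOW),        # single slow client
    ]
)


if __name__ == "__main__":
    print(slow_post_report(SAMPLE_CONNECTIONS))
```

In production the same logic lives in the proxy in front of the application: Apache's mod_reqtimeout (RequestReadTimeout with a MinRate for header and body) and nginx's client_header_timeout / client_body_timeout close connections that stop making progress, and a per-source connection cap keeps one botnet node from exhausting the worker pool.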
Did you know? For the financial services industry in 2012, each DDoS attack caused almost $17 million in losses (Source: verisign.com).
Most Common Attacks
On most occasions DDoS attacks target four different components of the victim organization's IT infrastructure: business applications; SSL communication channels; DNS infrastructure; or the network as a whole, by consuming the available bandwidth or network pipe.
[Figure: the four targets - Applications, SSL, Network, DNS.]
DDoS Attack in Progress
When a DDoS is in progress, the mitigation methodology has three phases:

Attack research
- Indicators of attack (IOA) trigger the research. Multiple consoles move from passive to active monitoring and a variety of logs are surfed.
- Different dashboards and the SIEM (if any) are consulted.
- Sometimes packet captures are also referred to.

Validate attack
- Recursion of the attack research steps over a longer period of time, or retrospective log analysis, to validate that the attack occurred.
- Correlation across dashboard(s)/SIEM, or with inputs from 3rd-party DDoS mitigation partners, to validate attack occurrence.

Mitigate attack
- Every DDoS incident costs the business, owing to service unavailability to legitimate users.
- Prevention is KEY to succeeding; hence most attacks are to be prevented by 3rd parties (like Cloudflare, F5 Silverline, Akamai, etc.).
- For effective scrubbing it is important to research the correct attack vectors and have seamless coordination with the scrubbing provider.
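The first two phases can be rehearsed on logs before an incident. The added example below (not from the deck or from QOS Technology) performs the attack-research step by finding windows in constructed web access-log lines whose request count is far above the median window, then the validation step by correlating those windows with a second, independent source (constructed load-balancer active-connection counts) so that a legitimate traffic burst is not declared an attack, and finally lists the heaviest sources in the validated window as input to mitigation. The window size, the x5 baseline multiplier and all log data are assumptions.

```python
"""Turn an indicator of attack (IOA) from web access logs into a validated
DDoS finding by correlating it with a second telemetry source.

Added example, not from the original deck. The access-log lines and the
load-balancer connection counts are constructed for the demonstration; the
10 s window and the x5 baseline multiplier are assumed tuning values.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Apache/nginx "combined" format: client ident user [timestamp] "request" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def make_log(base: str = "10/Mar/2024:10:00:00 +0000") -> list:
    """Constructed log of six 10 s windows: windows 0, 1, 2 and 4 are quiet,
    window 3 is a legitimate burst (a campaign) and window 5 is a flood."""
    start = datetime.strptime(base, TS_FMT)
    plan = {0: (5, 3), 1: (5, 3), 2: (5, 3), 3: (40, 5), 4: (5, 3), 5: (30, 40)}  # (hosts, req/host)
    lines = []
    for w, (hosts, per_host) in plan.items():
        for h in range(hosts):
            for k in range(per_host):
                ts = (start + timedelta(seconds=w * 10 + k % 10)).strftime(TS_FMT)
                lines.append(f'192.0.2.{h + 1} - - [{ts}] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"')
    return lines


def requests_per_window(lines, window_s: int = 10) -> dict:
    """{window index: Counter(client -> requests)}, windows counted from the first line."""
    counts = defaultdict(Counter)
    first = None
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparsable line: skip rather than crash mid-incident
        ts = datetime.strptime(m.group(2), TS_FMT).timestamp()
        first = ts if first is None else first
        counts[int((ts - first) // window_s)][m.group(1)] += 1
    return counts


def indicators_of_attack(counts, factor: float = 5.0) -> list:
    """Attack research: windows whose request total exceeds factor x the median window."""
    totals = {w: sum(c.values()) for w, c in counts.items()}
    baseline = median(totals.values())
    return sorted(w for w, t in totals.items() if t > factor * baseline)


def validate_attack(ioa_windows, lb_active_conns, lb_baseline_conns, factor: float = 5.0) -> list:
    """Validation: keep only windows where the load balancer independently saw a
    matching surge in active connections. A burst the LB handled normally is
    a busy day, not an attack."""
    return [w for w in ioa_windows if lb_active_conns.get(w, 0) > factor * lb_baseline_conns]


def top_sources(counts, window: int, n: int = 3) -> list:
    """Mitigation input: the heaviest clients in the validated window."""
    return counts[window].most_common(n)


if __name__ == "__main__":
    counts = requests_per_window(make_log())
    ioa = indicators_of_attack(counts)
    confirmed = validate_attack(ioa, lb_active_conns={3: 60, 5: 900}, lb_baseline_conns=20)
    print("IOA windows:", ioa, "validated:", confirmed)
    for w in confirmed:
        print("window", w, "top sources:", top_sources(counts, w))
```

The point of the second step is the one the deck makes about correlation: a single console seeing a spike is an indicator, not a finding. Requiring a second, independently collected signal (here the load balancer's connection count; in practice also NetFlow, the CDN's edge metrics or the scrubbing partner's view) to agree before escalating avoids pulling a scrubbing trigger on a marketing campaign.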
Heat Map
The next section describes the heat map that plots the degree of business impact to the organization against the type of DDoS attack crafted during the DDoS simulation engagement. This reference heat map is the average of all the DDoS simulation activities conducted by QOS Technology in the last year, where the first engagement was carried out with 8 different types of DDoS attack vectors.
[Heat map: attack simulations 1-8 plotted with Business Impact on one axis and Ease of Crafting Attack / Crafted Attack Sophistication on the other; the individual positions are not recoverable from the text.]
Heat Map: Findings
Attack simulations:
1. HTTP GET flood on corporate website
2. ICMP flood on corporate website
3. HTTP POST flood on corporate website
4. Application flood attack on portal
5. SYN flood with SSL attack on business app (portal)
6. Application-layer login page flood attack on portal app
7. SYN flood attack testing intermediate devices (router, load balancer, firewall, etc.)
8. Slow POST application DDoS attack on business app (portal)
Key Issues Observed
Most commonly seen scenarios in a first DDoS simulation engagement. These are the issues most often seen during DDoS simulations that need to be addressed owing to their lack of performance, effectiveness, or both:
- Use of 9 or more consoles during a DDoS
- DDoS mitigation controls: effectiveness and performance
- Scattered 3rd parties needed for a complete DDoS picture
- In-house research capability
Recommendations
The next section gives two kinds of recommendations: first, the ones QOS Technology suggests to most customers when it observes issues similar to those depicted in the heat map during DDoS simulations; then the best practices suggested by networkworld.com.
Recommendations by QOS
Execution strategy:

Periodic DDoS simulations & advanced attack simulation (faster execution, but tactical): In order to strengthen the DDoS mitigation posture, an organization needs to test more scenarios and repeat the failed scenarios after the gaps are plugged. The organization should carry out advanced attack simulations for all applications that fail the DDoS simulation attacks.

Security consolidation (long-term execution, but transactional): Security and ops teams have been seen using many consoles to detect different DDoS vectors during simulation. Performance and effectiveness suffer when the team has to research the vector in more than 4 consoles. Hence, security consolidation is key to success.

3rd-party incident response team (faster execution, and strategic): In order to enrich the attack research and attack forensics capability of the organization to mitigate or remediate a real DDoS or advanced attack, it should have an in-house incident response team (IRT) or hire a 3rd-party IRT on demand.

DDoS solutions & services consolidation (long-term execution, and strategic): If the organization has a SIEM, it should include loopback feeds from the DDoS simulation engagement results to get real-time identification against the weakness heat map. The on-premise DDoS mitigation solution should be taken from the same vendor delivering the DDoS services.
How to Mitigate DDoS?
Here are the best practices to mitigate a DDoS attack (Source: http://www.networkworld.com/article/2162683/infrastructure-management/best-practices-to-mitigate-ddos-attacks.html):
1. Don't count on a firewall to prevent or stop a DDoS attack.
2. Bake DDoS into your business continuity and disaster recovery plan.
3. Know the signs of an active attack.
4. Know your customers and lock out unexpected transactions.
5. Measure the financial impact of being offline for a period of time.
6. If you are the victim of a DDoS attack, look for fraud, data breaches or other criminal activity.
7. Know who to call to stop an attack.
Winner of Revolution Award, APAC Partner of the Year 2014. Contact us: www.qostechnology.in, info@qos.co.in. Your Key to Internet Security.

More Related Content

Viewers also liked

Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
Kaustubh Padwad
 

Viewers also liked (13)

How the CC Harmonizes with Secure Software Development Lifecycle
How the CC Harmonizes with Secure Software Development LifecycleHow the CC Harmonizes with Secure Software Development Lifecycle
How the CC Harmonizes with Secure Software Development Lifecycle
 
PP for E-Certificate Issuance System
PP for E-Certificate Issuance SystemPP for E-Certificate Issuance System
PP for E-Certificate Issuance System
 
Using the CGC's Fully Automated Vulnerability Detection Tools in Security Eva...
Using the CGC's Fully Automated Vulnerability Detection Tools in Security Eva...Using the CGC's Fully Automated Vulnerability Detection Tools in Security Eva...
Using the CGC's Fully Automated Vulnerability Detection Tools in Security Eva...
 
Hacking, Surveilling, and Deceiving Victims on Smart TV
Hacking, Surveilling, and Deceiving Victims on Smart TVHacking, Surveilling, and Deceiving Victims on Smart TV
Hacking, Surveilling, and Deceiving Victims on Smart TV
 
Исполнение бюджета Гапкинского сельского поселения за 1 полугодие 2016 года
Исполнение бюджета Гапкинского сельского поселения за 1 полугодие  2016 годаИсполнение бюджета Гапкинского сельского поселения за 1 полугодие  2016 года
Исполнение бюджета Гапкинского сельского поселения за 1 полугодие 2016 года
 
Исполнение бюджета Гапкинского сельского поселения за 1 квартал 2016 года
Исполнение бюджета Гапкинского сельского поселения за 1 квартал  2016 годаИсполнение бюджета Гапкинского сельского поселения за 1 квартал  2016 года
Исполнение бюджета Гапкинского сельского поселения за 1 квартал 2016 года
 
Sketch root locus
Sketch root locusSketch root locus
Sketch root locus
 
Writing the report for doctoral confirmation at Massey University, New Zealand
Writing the report for doctoral confirmation at Massey University, New ZealandWriting the report for doctoral confirmation at Massey University, New Zealand
Writing the report for doctoral confirmation at Massey University, New Zealand
 
Module 9 Dos
Module 9   DosModule 9   Dos
Module 9 Dos
 
EECS 441 Company Presentation (Arbor Networks)
EECS 441 Company Presentation (Arbor Networks)EECS 441 Company Presentation (Arbor Networks)
EECS 441 Company Presentation (Arbor Networks)
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
 
DoS or DDoS attack
DoS or DDoS attackDoS or DDoS attack
DoS or DDoS attack
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
 

Recently uploaded

一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
F
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
F
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
ayvbos
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
JOHNBEBONYAP1
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
ydyuyu
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Monica Sydney
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
gajnagarg
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 

Recently uploaded (20)

Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni  9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni  9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 

How to mitigate DDoS Attack?

  • 1. How to Mitigate DDoS? Brought to you by Your Key to Internet Security
  • 2. What is a DDoS Attack? A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal operations by stopping the entry of legitimate users. It brings down networks, Web-based applications, or services by overwhelming these resources with too much data or compromising them in some other way. Did you Know? According to Radware, DDoS don't require acres of bandwidth to disable your website. In fact, 76 percent of attacks are less than 1Gbps and 32 percent are less than 10 Mbps.
  • 3. How DDoS works? Distributed Denial Of Service attacks occur when a cyberattacker floods the website and/or Internet facing business apps with so much traffic that the page is no longer able to respond. DDoS mitigation is a set of techniques for blocking a DDoS attack – it seeks to make businesses resilient to such attacks. A DDoS mitigation service is designed to detect, monitor and block DDoS attacks. (Case 2) Web browser's requests can be easily faked. A system can become entirely unresponsive without a proper mitigation system. As Huge floods of traffic, whether legitimate or not, cripples the server. (Case 1) InternetInternetInternet Traffic Attack Traffic Legitemate Traffic Legitemate Traffic Anti DDoS With DDoS Mitigation Service Case 2 Without DDoS Mitigation Service Case 1 www.qostechnology.in info@qos.co.in Attack Traffic
  • 4. Did you Know? Top 3 Attacking Countries account for almost 57% of total DDoS Attacks 9.11% 37.8% DDoS Overview Amplifications Low & Slow DDoS Attacker Notions DDoS Flood Attacks Source: Incapsula.com
  • 5. Amplifications Ÿ Millions of Sweet Spots (like PCs with Open DNS Resolvers, etc.) Ÿ Open Market to hire Botnets Ÿ 14 Prevalent Protocols on Internet areAmplification Prone he DDOS Attack vector gets more lethal when it is launched by using the protocols that have the characteristics of TAmplification (The multiplier that amplifies the ingress traffic when rendered on the traffic flow path) and the Reflex (The attacker "A" spoofs itself to be a legitimate host "B", say www.abcBANK.com webserver & generates the requests like DNS query, NTP monlist, etc. towards DNS or NTP infrastructure "C" and the responses from "C" flood the 1 host "B"). As per one of the research papers - There are 14 protocols prevalent on Internet that have the characteristics of Reflex and an Amplification factor of 3 or above. One of the protocols in the Broadband routers has an Amplification factor of 4080; i.e. DDoS Attacker needs to create a traffic of 1Mbps to launch a DDoS traffic of 4Gbps towards the victim organization or from the victim organization towards the Internet. In one of the study it has been depicted that most of the Broadband Routers have enabled DNS Proxy Settings by default, hence serve as sweet spots for the attackers to take the advantage of DNSAmplification attacks. In order to keep such attacks live & evade getting blocked by the victim security controls, the attacker keeps changing it's source IP address and further accelarate the attack by distributing this source IP address changing algorithms to multiple computing devices. These distributed army of computing power across multiple hosts is called as ‘Botnet’ and is in control of single individual commander called as C&C. As a DDoS Attacker, one doesn’t need to create its own Botnet, rather hire the botnet from the grey market where the Botnets are available on Rent. 1- C. R. (n.d.).Amplification Hell: Revisiting Network Protocols for DDoSAbuse. 
Retrieved from https://www.internetsociety.org/sites/default/files/01_5.pdf www.qostechnology.in info@qos.co.in
  • 6. Attacker Notions Ÿ TargetedAttack Ÿ PassThroughAttack Ÿ You’re Victim of Sentiment or Perception againstYour Geo/Industry here are various momentary objectives (notions) behind the DDoSAttack, if you are a victim of the attack.These are: T Ÿ Targeted DDoS: Your organization is a target of interest because you may be a bank, government data center hosting important citizens data, etc. or your organization might have conducted some business act that had not been liked by the bad actors (like Pay Pal blocked the funds to WikiLeaks Org & became the victim of DDoS attack by Anonymous group in Dec 2010) Ÿ Pass-through DDoS: Your organization may be an ISP or a SaaS/PaaS/IaaS Cloud Services provider and some of your customer(s) is a victim of Targeted DDoS. As your network serves as a carrier of traffic to this customer, your organization becomes a victim of PassThrough DDoS. In year 2013, between March 18-26, most of the European carriers experienced a DDoS attack to the scale of 300Gbps owing to the targeted attack on Spamhaus & Cloudflare. Ÿ Industry or Peer DDoS Attacks: Your organization may be a victim of multi-targets attack where the attackers launch an attack against the industry or specific geo in response to some trigger event. For example, the attack on multiple US banks by the Anonymous group was a response to PayPal blocking the money transfer channels to WikiLeaks organization. In another example the cyber attacks against some middle east companies led to Cyber cell of Hamas organized series of attacks against Israel companies including TelAviv Stock Exchange, ElAl (IsraelAirlines) and some Israeli banks. www.qostechnology.in info@qos.co.in
  • 7. DDoS Floods Ÿ Technology Barriers (like TCP 3-Way Handshake, UDP is stateless) Ÿ Default Configurations (DNS Proxy, NTP Monlist configuration on Router, etc) DoS Floods: Typical DDoS flood attacks target organization resources, like network bandwidth or server compute. DEvery network equipment that comes in the path of the traffic flow is vulnerable to the volume of DDoSAttack owing to following: Ÿ Default Configurations: There are variety of configuration attributes, like DNS Proxy feature enabled by default on many routers & almost all Broadband routers, Monlist configuration feature is enabled by default on many network devices that are configured for NTP(NetworkTime Protocol), etc. Ÿ Technology Barriers: Each technology is bound to work in some defined methodology. DDoS Attackers target the very functioning of these technologies to craft the DDoS Flood Attacks. For example, a TCP communication involves a 3-Way Handshake to build a connection, i.e. Syn, Syn-Ack & Ack messages/packets. DDoS attackers exploit this by generating a high rate of SYN packets from a fake IP hosts towards the Target Server (in the victim organization) & the Server opens the Embryonic TCP connections with the SYN-ACK packets. Subsequently server keeps waiting for at least 2 minutes (default value) for ACK packet for each of these embryonic connection states. As none of the connections is authentic, the server compute resources are wasted until it turns unresponsive. Similarly, UDP is a stateless protocol- Therefore, making it a soft target for the attackers to continue to storm victim resources with the one way traffic. www.qostechnology.in info@qos.co.in
  • 8. Low & Slow DDoS Ÿ Encryption serves HackersAdvantage. Ÿ Apps Weakness (CVE - Poodle, Heartbleed, ShellShock) Ÿ Internal (Calls betweenApp & dB) ometimes the DDoS Attackers launch the low & slow DDoS attacks that are sophisticated in technology vis-à-vis Sflood attacks. These attacks are launched by exploiting some vulnerability in the application(s) in use by the target server/system. The attacker evades the security controls deployed at the victim location before launching this type of DDoS Attack & pivot themselves inside the Victim network. The attacker keeps learning about the variety of security controls & detection techniques deployed at the victim organization; hence the attacker keeps changing the attack vector and sometimes includes the encryption techniques to stay undetected. In the final stage of this kind of DDoS attack the multiple database query calls or applications calls are launched to saturate the Memory of the victim application or server. Did you Know? For financial services industry in the year 2012, per DDoS Attack caused almost $17 Million Loss Source: verisign.com
  • 9. Most Common Attacks On most occasions the DDoS attacks target the 4 different components from the IT Infrastructure of the Victim organization, and these are Business Applications; SSL Communication Channels; DNS Infrastructure or Network as a whole by consuming the available bandwidth or the network pipe. Applications SSL Network DNS 3 4 1 2 www.qostechnology.in info@qos.co.in
  • 10. Ÿ Indicators of Attack (IOA) triggers the research.Multiple Consoles move to Active Monitoring from Passive Monitoring and variety of Logs are surfed. Ÿ Different Dashboards and SIEM (if any) are consulted. Ÿ Sometimes Packet Captures are also referred Ÿ Recursion of Attack Research Steps over a longer period of time or Retrospect Log Analysis to Validate the Attack Occurrence. Ÿ Correlation across Dashboard(s)/SIEM or with inputs from 3rd Party DDoS Mitigation Partners to Validate Attack Occurence Ÿ Every DDoS incident costs business loss owing to service unavailability to legitimate users Ÿ Prevention is KEY to succeed hence most attacks to be prevented by 3rd Parties (like Cloudflare, F5 Silverline, Akamai, etc.) Ÿ For effective scrubbing it is important to research correct attack vectors, & have seamless co- ordination Attack Research Validate Attack Mitigate Attack DDoS Atack in Progress www.qostechnology.in info@qos.co.in When the DDoS is in progress, the methodology of Mitigation has three different phases:
  • 11. Heat Map The next section describes the Heat Map that plots the degree of business impact to the organization with respect to the type of DDoS Attack that is crafted during the DDoS Simulation engagement. This reference heat map is the average of all the DDoS Simulation Activities conducted by QOS Technology in last one year when the 1st engagement was carried out with 8 different types of DDoS Attack Vectors. www.qostechnology.in info@qos.co.in
  • 12. Heat Map: Findings
  [Figure: heat map of the 8 attack simulations, plotted by Business Impact against Ease of Crafting Attack / Crafted Attack Sophistication.]
  Most commonly seen scenarios in a first DDoS simulation engagement (attack simulations):
  1. HTTP GET flood on the corporate website
  2. ICMP flood on the corporate website
  3. HTTP POST flood on the corporate website
  4. Application flood attack on the portal
  5. SYN flood with SSL attack on the business application (portal)
  6. Application-layer login page flood attack on the portal application
  7. SYN flood attack testing intermediate devices (router, load balancer, firewall, etc.)
  8. Slow POST application DDoS attack on the business application (portal)
  • 13. Key Issues Observed
  The most commonly seen issues during the DDoS simulations, which need to be addressed owing to their lack of performance, effectiveness or both:
  - Use of 9 or more consoles during a DDoS attack
  - Effectiveness and performance of DDoS mitigation controls
  - Scattered third parties needed for a complete DDoS picture
  - In-house research capability
  • 14. Recommendations
  The next section gives two kinds of recommendations: first, those QOS Technology suggests to most customers when it observes issues similar to those depicted in the heat map during DDoS simulations; then, on the following page, the best practices suggested by networkworld.com.
  • 15. Recommendations by QOS
  Periodic DDoS simulations & advanced attack simulation (faster execution but tactical): In order to strengthen its DDoS mitigation posture an organisation needs to test more scenarios and repeat the failed scenarios after the gaps are plugged. The organisation should carry out advanced attack simulations for every application that fails the DDoS simulation attacks.
  Security consolidation (long-term execution but transactional): Security and operations teams have been seen using many consoles to detect different DDoS vectors during simulations. Performance and effectiveness suffer when the team has to research a DDoS vector in more than 4 consoles; hence security consolidation is key to success.
  3rd-party incident response team (faster execution but strategic): To enrich its attack research and attack forensics capability for mitigating or remediating a real DDoS or advanced attack, the organisation should have an in-house incident response team (IRT) or hire a 3rd-party IRT on demand.
  DDoS solutions & services consolidation (long-term execution & strategic): If the organisation has a SIEM, it should feed the DDoS simulation results back into it so that the weaknesses shown in the heat map can be identified in real time. The on-premise DDoS mitigation solution should be taken from the same vendor that delivers the DDoS services.
  • 16. How to Mitigate DDoS?
  Best practices to mitigate a DDoS attack. Source: http://www.networkworld.com/article/2162683/infrastructure-management/best-practices-to-mitigate-ddos-attacks.html
  1. Don't count on a firewall to prevent or stop a DDoS attack.
  2. Bake DDoS into your business continuity and disaster recovery plan.
  3. Know the signs of an active attack.
  4. Know your customers and lock out unexpected transactions.
  5. Measure the financial impact of being offline for a period of time.
  6. If you are the victim of a DDoS attack, look for fraud, data breaches or other criminal activity.
  7. Know who to call to stop an attack.
  • 17. Contact Us
  www.qostechnology.in | Info@qos.co.in
  Winner of Revolution Award, APAC Partner of the Year 2014
  Your Key to Internet Security