A10 ISSA DDoS 5-2014
1. 1
Customer Driven Innovation
1
Do not distribute/edit/copy without the written consent of A10 Networks
The Growing DDoS Threat
Jim Mason, CISSP
Sr. Systems Engineer
A10 Networks – NC/SC
Ralph Bozzini
Regional Sales Director
A10 Networks – NC/SC
Mark Mormann
Trusted Advisor
Channel Systems
2. 2
A10 (NYSE: ATEN): By the Numbers
2004: A10 founded in San Jose, CA by Lee Chen
Our name: “A” in hexadecimal, “10” in decimal (1010)
2009
Shipped industry’s first “true” 64-bit ADCs
3,000+
Customer install base worldwide
1.888.822.7210 (1-888-TACS-A10): World-class customer support!
3. 3
A10 Products
A10 provides solutions today in three distinct areas:
• ADC Product Line: application optimization, availability & security for web and data center servers
• CGN Product Line: carrier-grade, RFC-compliant IPv4 NAT extension & IPv6 migration solutions
• TPS Product Line: DDoS detection & mitigation products protecting critical server infrastructure from attack
All three run on the Advanced Core OS (ACOS)
4. 4
Impact of DDoS Attacks
• Overwhelmed Internet links
• Diminished brand equity
• Customer dissatisfaction
• Winding up on “NBC Nightly News”
6. 6
DDoS Crime Timeline
• Q3 2010: PayPal discloses cost of attack: £3.5M ($5.8 million)
• Q4 2012: Bank of the West: $900k stolen, DDoS used as a diversion
• Q4 2012: al Qassam Cyber Fighters: 10-40 Gbps attacks aimed at 10 major banks over a 5-week period
• Q1 2013: Nat’l Credit Union Administration recommended DDoS protection to all members
• Q4 2013: 6.8 million mobile devices are potential attackers (LOIC and AnDOSid)
• Q2 2014: Federal Financial Institutions Examination Council (FFIEC) issues new mandate requiring banks to monitor for DDoS
“The average hourly revenue loss during a Layer 7 DDoS attack is $220,000” – Forrester
“Predicted growth in financial impact from cybercrime: 10% (through 2016)” – Gartner
7. 7
DDoS Readiness
• Co-Op Financial Services (April 2013)
  – Conducted a random survey of Credit Unions regarding DDoS planning:
8. 8
DDoS and the Financial Sector
• Federal Financial Institutions Examination Council (FFIEC)
  – Banks and financial institutions regulated by the federal government must now monitor for Distributed Denial-of-Service (DDoS) attacks against their networks and have a plan in place to mitigate such attacks
  – “…sometimes DDoS attacks will serve as ‘a diversionary tactic’ by criminals in the course of attempting to commit fraud of various kinds”
• Six step program:
  – Assess risk to IT systems
  – Monitor Internet traffic
  – Prepare to activate response
  – Ensure sufficient staffing
  – Share information
  – Evaluate and adjust
9. 9
The Latest from Akamai Technologies
• Akamai – Internet content delivery network
  – Headquartered in Cambridge, MA
  – Delivers over 2 trillion Internet transactions a day
  – Name: Hawaiian word meaning “intelligent” or “witty”
• DDoS attacks on websites shot up 75% last quarter
• A 23% year-over-year increase
• Most of the targets were enterprises
• Chances of a repeat attack: 1 in 3 (35% YOY increase)
• Largest percentage by country of origin: China – 43%
Source: Akamai Technologies' State of the Internet Report for Q4 2013 (April 23, 2014)
10. 10
Analyst Observations: DDoS will keep growing…
• “High-bandwidth (200-400 Gbps) DDoS attacks are becoming ‘the new normal’ and will continue wreaking havoc on unprepared enterprises…” – Gartner
• “Despite Volumetric-based attacks remaining most popular, more advanced hybrid attacks that include Application Layer and encrypted traffic will grow” – IDC
• “Bot traffic is up to 61.5% of all website traffic” – Incapsula
Bottom line: Anyone can be targeted now.
11. 11
What is a DDoS Attack?
• Denial of Service (DoS) is an attack to make a service unusable
• Distributed DoS (DDoS) leveraged by botnets: many “Zombie” hosts send a high volume of traffic to a target server/service/website
• “Botnets-for-hire” are a reality for on-demand attacks
[Diagram: an attacker directs multiple zombie hosts, which all send traffic to the target]
12. 12
Attack Percentages
Source: Prolexic – Q4 2013
[Chart: 75% network layer, 20% application layer; TCP/UDP floods – 37%]
• Largest attack increase: 33%, from 300 Gbps (Q2 2013) to 400 Gbps (Q1 2014)*
• 60 Gbps regularly seen; 100 Gbps not uncommon**
• Average attack: 35 million packets per second
13. 13
DDoS Network Attack Traits
• Common characteristics
  – Exploits Layer 3-4 protocols
  – Does not require a full connection (often spoofed)
  – High volume attacks can overwhelm pipes and/or connection capabilities
  – Simple to create the high volumes necessary for such attacks
• Types
  – Malformed requests
  – Spoofing
  – High PPS rates
  – Connection exhaustion
14. 14
SYN Flood Attack
• The attacker or botnet sends multiple TCP SYN requests to the target
• Target responds to each SYN with a SYN-ACK to establish a valid connection, waits for ACKs
• Connection table of the server fills up with “half-opens”, new connections are dropped
• Server/service effectively “DDoSed” at that point, legitimate users shut out
• Why it works – Exploits the TCP 3-Way Handshake weakness (blind trust)
15. 15
DNS Amplification Attacks
• Valid UDP-based DNS requests using a spoofed IP address (similar to a Smurf attack) are sent to the intended target (victim)
• Type of attack executed against Spamhaus (300 Gbps) in 2013
• Why it works: DNS is heavily used (Web, Email, VoIP) and generally unrestricted; the nature of DNS results in a larger response volume than request volume
16. 16
DDoS Application Attack Traits
• Common characteristics
  – Legit TCP/UDP connections (not spoofed), thus harder to differentiate
  – Operates at L7 (protocol and packet payload)
  – Exploits flaws in or limitations of applications
  – More efficient and lethal
  – Sophisticated: evades simple countermeasures
• Types
  – High host processing
  – Application floods
  – Application exploits
  – Amplification attacks
17. 17
HTTP GET Flood
• Huge flood of HTTP GET packets, requesting large amounts of data/objects from the target server
• Due to the amount of requests coming from botnets, the target system is overwhelmed and cannot respond to legitimate requests from users
• Why it works: since the 3-way TCP handshake has been completed, these requests look legitimate
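Because every request in a GET flood arrives over a completed handshake, the defender cannot reject it on packet sanity alone; the usual first control is per-source rate limiting (the deck's later "Traffic Rate Control" method). The Python below is an added example, not code from the deck or from A10: a token bucket per client address that drops requests over budget and, after repeated violations, puts the source on a temporary blocklist. The addresses, thresholds and access-log lines are constructed for the demonstration.

```python
# Added example (not A10 code): per-source token-bucket rate control for an
# HTTP GET flood, with automatic temporary blocklisting of persistent offenders.
# Thresholds and addresses are illustrative assumptions.
from collections import defaultdict


class SourceRateLimiter:
    """One token bucket per client IP plus a dynamic blocklist with expiry.

    rate:          requests refilled per second
    burst:         bucket size, i.e. how many requests may arrive back to back
    strikes:       over-budget requests before the source is blocklisted
    block_seconds: how long a blocklisted source stays denied
    """

    def __init__(self, rate=5.0, burst=10, strikes=20, block_seconds=60.0):
        self.rate, self.burst = rate, burst
        self.strikes, self.block_seconds = strikes, block_seconds
        self.tokens = {}                 # ip -> (tokens left, last refill time)
        self.over = defaultdict(int)     # ip -> over-budget requests since last reset
        self.blocked_until = {}          # ip -> time the block expires

    def check(self, ip, now):
        """Return 'allow', 'drop' (bucket empty) or 'block' (source on blocklist)."""
        if self.blocked_until.get(ip, 0.0) > now:
            return "block"
        tokens, last = self.tokens.get(ip, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)   # refill since last seen
        if tokens >= 1.0:
            self.tokens[ip] = (tokens - 1.0, now)
            return "allow"
        self.tokens[ip] = (tokens, now)
        self.over[ip] += 1
        if self.over[ip] >= self.strikes:    # keeps hammering an empty bucket: blocklist it
            self.blocked_until[ip] = now + self.block_seconds
            self.over[ip] = 0
            return "block"
        return "drop"


def replay(log_lines, limiter=None):
    """Feed constructed access-log lines '<epoch> <ip> <method> <path>' through the limiter
    and return {ip: {verdict: count}}."""
    limiter = limiter or SourceRateLimiter()
    verdicts = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        ts, ip, _method, _path = line.split()
        verdicts[ip][limiter.check(ip, float(ts))] += 1
    return {ip: dict(v) for ip, v in verdicts.items()}


# Constructed sample: a legitimate client issuing one request every 2 s and a
# flooding source issuing 100 requests within a tenth of a second.
SAMPLE_LOG = [f"{1000 + 2 * i} 203.0.113.10 GET /index.html" for i in range(5)]
SAMPLE_LOG += [f"{1000 + i / 1000:.3f} 198.51.100.77 GET /large-report.pdf" for i in range(100)]

if __name__ == "__main__":
    for ip, counts in replay(SAMPLE_LOG).items():
        print(ip, counts)
```

With the defaults, the legitimate client is never touched, while the flooding source gets its ten-request burst, loses the next nineteen to an empty bucket, and is then blocklisted for the remainder of the trace. In a real deployment the block action would be pushed to the network-level list so the application never sees the traffic again.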
18. 18
Slow POST/RUDY Attack
• A common attack, where the attacker sends HTTP “POSTs” at slow rates under the same session; the Slow POST tool RUDY uses long-form field submissions to perform these attacks
• Causes server application threads to await the end of boundless POSTs in order to process them
• This results in exhaustion of web server resources and prevents service for legitimate traffic
19. 19
Slowloris Attack
• Slowloris holds as many connections to the target web server open as possible, for as long as possible: it creates connections to the target server but sends only a partial request at a very slow rate
• The targeted server keeps each of these false connections open, eventually overflowing the maximum concurrent connection pool and shutting out legitimate clients
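Both slow attacks (the Slow POST/RUDY slide above and Slowloris, which the deck later uses as its HTTP-template example) are caught the same way on the server side: by measuring progress per connection rather than trusting the client to finish. The Python below is an added example, not code from the deck or from A10: a watchdog that records when each connection opened, whether its headers have completed, and how fast a declared request body is arriving, then names the connections that should be reset. The event trace, peers and thresholds are constructed.

```python
# Added example (not A10 code): a per-connection watchdog that flags Slowloris
# (headers that never complete) and slow POST/RUDY (bodies that trickle in).
# Events, peers and thresholds are constructed for the demonstration.
from dataclasses import dataclass


@dataclass
class Conn:
    peer: str
    opened: float
    last_activity: float
    headers_done: bool = False
    body_start: float = 0.0
    content_length: int = 0
    body_received: int = 0
    closed: bool = False


class SlowConnWatchdog:
    """Tracks request progress per connection and names the ones to reset."""

    def __init__(self, header_timeout=10.0, body_grace=5.0, min_body_rate=100.0):
        self.header_timeout = header_timeout   # seconds allowed to finish the request headers
        self.body_grace = body_grace           # seconds before a body's rate is judged
        self.min_body_rate = min_body_rate     # bytes/s a declared body must sustain
        self.conns = {}

    def on_event(self, ts, conn_id, peer, kind, value=0):
        if kind == "open":
            self.conns[conn_id] = Conn(peer=peer, opened=ts, last_activity=ts)
            return
        c = self.conns[conn_id]
        c.last_activity = ts
        if kind == "headers_done":             # blank line seen; value = Content-Length
            c.headers_done, c.content_length, c.body_start = True, value, ts
        elif kind == "body":                   # value = body bytes in this read
            c.body_received += value
        elif kind == "close":
            c.closed = True
        # kind == "header_bytes": a partial header fragment; it only refreshes last_activity

    def sweep(self, now):
        """Return {conn_id: reason} for connections the server should reset at `now`."""
        verdicts = {}
        for cid, c in self.conns.items():
            if c.closed:
                continue
            if not c.headers_done:
                if now - c.opened > self.header_timeout:
                    verdicts[cid] = f"slowloris: headers incomplete after {now - c.opened:.0f}s from {c.peer}"
                continue
            remaining = c.content_length - c.body_received
            elapsed = now - c.body_start
            if remaining > 0 and elapsed > self.body_grace:
                rate = c.body_received / elapsed
                if rate < self.min_body_rate:
                    verdicts[cid] = f"slow POST: {rate:.1f} B/s, {remaining} bytes outstanding from {c.peer}"
        return verdicts


# Constructed trace: (timestamp, connection id, peer, event kind, value)
SAMPLE_EVENTS = [
    # conn 1: ordinary GET, finished in 300 ms
    (0.00, 1, "203.0.113.10", "open", 0),
    (0.05, 1, "203.0.113.10", "headers_done", 0),
    (0.30, 1, "203.0.113.10", "close", 0),
    # conn 2: Slowloris pattern, one header fragment every 10 s and never a blank line
    (0.00, 2, "198.51.100.77", "open", 0),
    (5.00, 2, "198.51.100.77", "header_bytes", 12),
    (15.0, 2, "198.51.100.77", "header_bytes", 12),
    (25.0, 2, "198.51.100.77", "header_bytes", 12),
    # conn 3: slow POST / RUDY pattern, 1 MB declared, one byte every 10 s
    (0.00, 3, "198.51.100.78", "open", 0),
    (0.10, 3, "198.51.100.78", "headers_done", 1_000_000),
    (10.0, 3, "198.51.100.78", "body", 1),
    (20.0, 3, "198.51.100.78", "body", 1),
    (30.0, 3, "198.51.100.78", "body", 1),
    # conn 4: legitimate 50 KB upload completed within 2 s
    (0.00, 4, "203.0.113.11", "open", 0),
    (0.10, 4, "203.0.113.11", "headers_done", 50_000),
    (1.00, 4, "203.0.113.11", "body", 25_000),
    (2.00, 4, "203.0.113.11", "body", 25_000),
]


def run_trace(events, now):
    """Feed the events up to `now` into a fresh watchdog and sweep at `now`."""
    wd = SlowConnWatchdog()
    for ts, cid, peer, kind, value in sorted(e for e in events if e[0] <= now):
        wd.on_event(ts, cid, peer, kind, value)
    return wd.sweep(now)


if __name__ == "__main__":
    for cid, reason in run_trace(SAMPLE_EVENTS, now=30.0).items():
        print(cid, reason)
```

The key design point is that both checks use elapsed time since the connection's own milestones, not idle time: a Slowloris client is never idle long enough to trip an ordinary keep-alive timeout, and a RUDY client keeps sending, just far too slowly. A sweep early in the trace flags nothing, so a short-lived legitimate upload is never reset.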
20. 20
Network Time Protocol (NTP) Amplification Attack
• Attacker gains control of a server on a network that allows source IP address spoofing (i.e., it does not follow IETF BCP38 (Best Current Practices) for ingress filtering)
• A large number of spoofed UDP packets is sent appearing to come from the intended target
• UDP packets are sent to NTP servers (port 123) that support the MONLIST command
• The attacker against CloudFlare used 4,529 NTP servers running on 1,298 different networks; each server sent an average of 87 Mbps of traffic to CloudFlare = 400 Gbps!
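Two defender-side checks follow from the DNS and NTP amplification slides: the ingress filtering (BCP38) that the NTP slide says the abused network lacked, and spotting reflected responses when they reach the victim. The Python below is an added example, not code from the deck or from A10, and it generalizes slightly beyond the slides by treating DNS and NTP with one routine. `bcp38_filter` models an edge router that forwards an outbound packet only if its source address belongs to the site's own prefixes; `reflected_udp` scans constructed flow records and sums the bytes of DNS/NTP "responses" that no host inside the site requested. The prefixes, addresses and flows are constructed.

```python
# Added example (not A10 code): BCP38 source-address validation at a network
# edge, and detection of unsolicited DNS/NTP responses at the victim.
# Prefixes, addresses and flow records are constructed for the demonstration.
import ipaddress
from collections import defaultdict

# Constructed: the prefixes legitimately assigned to the network behind this edge.
LOCAL_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:10::/48")]


def bcp38_filter(packets, prefixes=LOCAL_PREFIXES):
    """Split outbound (src, dst) packets into (forwarded, dropped).

    A packet whose source is not inside the site's prefixes cannot have
    originated here legitimately, so the edge drops it (RFC 2827 / BCP38).
    That is exactly what stops a host on this network from emitting packets
    'from' somebody else's address."""
    forwarded, dropped = [], []
    for src, dst in packets:
        addr = ipaddress.ip_address(src)
        if any(addr in p for p in prefixes):
            forwarded.append((src, dst))
        else:
            dropped.append((src, dst))
    return forwarded, dropped


AMPLIFIER_PORTS = {53: "DNS", 123: "NTP"}


def reflected_udp(flows, window=2.0):
    """Find reflected traffic in UDP flow records seen at the protected site.

    flows: (ts, src, sport, dst, dport, bytes). A response arriving from port
    53/123 is unsolicited when the receiving host sent no request to that
    server within the preceding `window` seconds.
    Returns {victim_host: {service_name: unsolicited_bytes}}."""
    recent_requests = defaultdict(list)       # (client, server) -> request timestamps
    reflected = defaultdict(lambda: defaultdict(int))
    for ts, src, sport, dst, dport, nbytes in sorted(flows):
        if dport in AMPLIFIER_PORTS:          # outbound query: remember it
            recent_requests[(src, dst)].append(ts)
        elif sport in AMPLIFIER_PORTS:        # inbound answer: was it asked for?
            asked = recent_requests[(dst, src)]
            if not any(ts - window <= r <= ts for r in asked):
                reflected[dst][AMPLIFIER_PORTS[sport]] += nbytes
    return {victim: dict(services) for victim, services in reflected.items()}


# Constructed flow records as the site's collector might export them.
SAMPLE_FLOWS = [
    (10.0, "203.0.113.10", 40000, "198.51.100.53", 53, 60),    # a real DNS query from inside
    (10.1, "198.51.100.53", 53, "203.0.113.10", 40000, 120),   # its answer: solicited, ignored
    (10.2, "192.0.2.5", 123, "203.0.113.20", 9000, 440),       # NTP replies nobody here asked for
    (10.3, "192.0.2.6", 123, "203.0.113.20", 9000, 440),
    (10.4, "192.0.2.7", 53, "203.0.113.20", 9001, 3000),       # large DNS answer, also unsolicited
]

if __name__ == "__main__":
    fwd, drop = bcp38_filter([("203.0.113.5", "192.0.2.1"), ("198.51.100.1", "192.0.2.1")])
    print("forwarded:", fwd, "dropped:", drop)
    print("reflected:", reflected_udp(SAMPLE_FLOWS))
```

The first function belongs at the network that would otherwise be the launch point; the second belongs at the target, where the per-host byte totals it returns are what a rate-control or blocklist rule would act on. The unsolicited-response test is also the principle behind stateful UDP inspection: a response without a matching request is, by definition, reflected.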
21. 21
What’s Needed for Effective DDoS Mitigation?
• Attacks are now very high volume → Mitigation device with higher packet-per-second (PPS) and throughput capacity
• Existing solutions cannot keep up → Fast, dedicated hardware to combat frequent network attacks
• More sophisticated Layer-7 attacks → Advanced L7 intelligence and high processing capacity
22. 22
ACOS: Optimal Platform for DDoS Mitigation
[Architecture diagram: 64-bit multi-core CPUs (1, 2, 3 … N) over a shared memory architecture, a flexible traffic accelerator with optimized flow distribution, and switching and routing]
• Efficient & accurate memory architecture
• Hardware DDoS mitigation assist: packet integrity check, SYN cookie, more…
• Unparalleled packet processing and throughput capacity
• 64K protected object capacity
• Large capacity threat intelligence list (8 x 16 million lines)
• Sub-second traffic rate control for burst traffic
23. 23
Thunder TPS: Next Generation DDoS Protection
Multi-vector application & network protection
• Detect & mitigate application & network attacks
• Flexible scripting & DPI for rapid response
High performance mitigation
• 155 Gbps of attack mitigation throughput, 200 million PPS (5x today’s average) in 1 RU
• Up to 1.2 Tbps in an 8-device cluster
Broad deployment options & 3rd party integration
• Symmetric, asymmetric, out-of-band (TAP) modes
• Open SDK/RESTful API for 3rd party integration
24. 24
Mitigating DDoS Attacks
Five principal methods for effective mitigation:
• Packet Anomaly Check: network level packet sanity check (conformity)
• Black/White Lists: network level high speed inspection and control
• Authentication Challenge: network & application level validation of client origination integrity
• Traffic Rate Control: network and application monitoring to rate limit traffic
• Protocol and Application Check
25. 25
Packet Anomaly Check
• Packet sanity check (conformity) in hardware and software
  – Prevents volumetric attacks and protocol attacks
  – Network checks (Layer 3-4) for standard behavior
  – No configuration required
• Auto detects (HW) 30+ attacks such as:
  – Empty Fragment, Invalid IP Fragment, LAND Attack, Ping of Death, No IP Payload, Runt IP Header, TCP XMAS, UDP Short Header, and many more…
[Diagram: packet anomaly inspection classifying traffic as denied or allowed]
26. 26
Black and White Lists
• High speed inspection & control of good and bad sources
  – Prevents known bad clients
  – List capacity of 8 x 16 million entries
  – Network level enforcement (Layer 3-4)
• Options to build Black/White Lists
  – Import 3rd party lists, e.g. ThreatSTOP, Spamhaus
  – Manual configuration
  – Dynamic creation with:
    · Authentication challenges
    · Protocol and application checks
[Diagram: large list look-up with multiple actions; known bad IPs denied, others allowed]
27. 27
Authentication Challenge
• Validates client origination integrity
  – Prevents volumetric and protocol attacks
  – Network and application checks (Layer 3-7)
• Examples
  – DNS Authentication
  – HTTP Challenge
  – TCP SYN packet authentication
  – TCP SYN Cookie
[Diagram: clients that fail the challenge are denied, those that pass are allowed]
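The TCP SYN cookie listed here is the direct answer to the SYN flood described on slide 14: instead of reserving a half-open table entry per SYN and trusting the client to finish the handshake, the server encodes everything it needs into the sequence number of its SYN-ACK and verifies it, statelessly, when the ACK comes back. The Python below is an added example, not code from the deck or from A10 (whose hardware implementation is not described). It builds a cookie from a time tick, an MSS index and a keyed MAC over the connection 4-tuple, verifies it with a staleness window, and contrasts a listener that stores half-open state with one that does not under a burst of SYNs that never complete. The secret, addresses, table size and tick values are constructed.

```python
# Added example (not A10 code): a minimal TCP SYN cookie with verification,
# next to the half-open table that a SYN flood exhausts. The secret, addresses
# and table size are constructed for the demonstration.
import hashlib
import hmac
import os

MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values the 3-bit field can encode
SECRET = os.urandom(32)               # constructed per-process server secret
COOKIE_WINDOW = 2                     # accept cookies up to this many minute-ticks old


def _mac24(src, dst, sport, dport, tick):
    """24-bit keyed MAC binding the cookie to the 4-tuple and the time tick."""
    msg = f"{src}|{dst}|{sport}|{dport}|{tick}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src, dst, sport, dport, client_isn, mss, now_minutes):
    """Server ISN for the SYN-ACK: 5-bit time tick | 3-bit MSS index | 24-bit MAC,
    offset by the client's ISN so it still looks like an ordinary sequence number."""
    tick = now_minutes & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    raw = (tick << 27) | (mss_idx << 24) | _mac24(src, dst, sport, dport, tick)
    return (client_isn + raw) & 0xFFFFFFFF


def check_syn_cookie(src, dst, sport, dport, client_seq, ack_seq, now_minutes):
    """Validate the handshake's final ACK without any stored state.
    Returns the negotiated MSS, or None if the cookie is forged or stale."""
    client_isn = (client_seq - 1) & 0xFFFFFFFF        # the ACK carries client_isn + 1
    raw = (ack_seq - 1 - client_isn) & 0xFFFFFFFF     # and acknowledges our ISN + 1
    tick, mss_idx, mac = raw >> 27, (raw >> 24) & 0x7, raw & 0xFFFFFF
    if (now_minutes - tick) & 0x1F > COOKIE_WINDOW:
        return None                                   # too old: replayed or forged
    if mss_idx >= len(MSS_TABLE) or mac != _mac24(src, dst, sport, dport, tick):
        return None
    return MSS_TABLE[mss_idx]


class StatefulListener:
    """Plain listener: each SYN occupies a half-open slot until its ACK arrives or times out."""

    def __init__(self, capacity=256):
        self.capacity, self.half_open = capacity, {}

    def on_syn(self, key, now):
        if len(self.half_open) >= self.capacity and key not in self.half_open:
            return False                               # table full: the SYN is dropped
        self.half_open[key] = now
        return True


def flood_demo(unanswered_syns=1000, now_minutes=17):
    """Offer both designs a burst of SYNs whose sources never send the final ACK,
    then check whether one legitimate client can still complete its handshake."""
    plain = StatefulListener()
    for i in range(unanswered_syns):
        key = (f"192.0.2.{i % 200}", "203.0.113.5", 1024 + i, 80)   # constructed sources
        plain.on_syn(key, now_minutes)                                # consumes a slot
        make_syn_cookie(*key, client_isn=i, mss=1460, now_minutes=now_minutes)  # stores nothing
    legit = ("198.51.100.9", "203.0.113.5", 51000, 80)
    plain_ok = plain.on_syn(legit, now_minutes)
    isn = make_syn_cookie(*legit, client_isn=12345, mss=1460, now_minutes=now_minutes)
    mss = check_syn_cookie(*legit, client_seq=12346, ack_seq=isn + 1, now_minutes=now_minutes)
    return plain_ok, mss


if __name__ == "__main__":
    print("stateful listener accepts legit SYN, cookie listener negotiated MSS:", flood_demo())
```

The cost of the scheme is visible in the code: only a handful of MSS values and a coarse timestamp fit in 32 bits, and any TCP option that is not encoded is lost for cookie-validated connections, which is why most stacks enable cookies only once the half-open table is under pressure.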
29. 29
Protocol and Application Check
• Monitor and check traffic behavior
  – Prevents resource attacks and application attacks
  – Enforce specific values
  – Network and application checks (Layer 3-7)
• Examples
  – TCP template, HTTP template, DNS template, UDP template, SSL-L4 template, more…
  – HTTP example: Slowloris
[Diagram: DPI and application awareness for L7 protection; traffic classified as denied or allowed]
30. 30
Thunder TPS Release Quotes
"As an early user of the Thunder TPS, we believe A10 is delivering a high-value product, with rich features and really great performance," said Gerold Arheilger, CTO Xantaro Group. "In order to sufficiently protect against large-scale, multi-vector DDoS attacks, mitigation solutions must provide very high packet-per-second processing power. Thunder TPS is built for these extreme environments."
"The Microsoft Digital Crimes Unit and A10 Networks have a shared vision to protect the Internet from large-scale threats," said Richard Boscovich, assistant general counsel, Microsoft Digital Crimes Unit. "We will continue to partner to mitigate future threats leveraging DCU's expertise and A10's advanced threat protection technologies."
31. 31
Thunder TPS Hardware Appliances
[Chart: models positioned by price vs. performance, from CPE class platform to MSSP integrated solution]
• Thunder 3030S TPS: 10 Gbps (TBC); 6x1G copper, 2x1G (SFP), 4x10/1G (SFP+); SSL processor
• Thunder 4435(S) TPS: 38 Gbps; 16x10/1G (SFP+); SSL processor*; hardware FTA mitigation
• Thunder 5435(S) TPS: 77 Gbps; 16x10/1G (SFP+), 4x40G (QSFP+); SSL processor*; hardware FTA mitigation
• Thunder 6435(S) TPS: 155 Gbps; 16x10/1G (SFP+), 4x40G (QSFP+); SSL processor*; hardware FTA mitigation
High performance extended platforms for financial, gaming, government, large enterprise, MSSPs, service providers & web giants
* “S” model must be purchased