Assessment of risk and risk planning and business resilience
DDoS attacks: Understanding the Threat
DDoS attack? It'll Never Happen to Me
• Ostrich Mentality: "When an ostrich is afraid, it will bury its head in the ground, assuming that because it cannot see, it cannot be seen."
• Historically, this has been the attitude to DDoS as a Service Availability Threat.
• …but this has changed in the past 2-3 years, because of:
– AWARENESS: Massive mainstream press around Anonymous, LulzSec, Sony, etc.
– RISK: More businesses are reliant on Internet services for their business continuity.
– MOTIVATIONS: Wider spread of attack motivations, broader target set.
– EXPERIENCE: Larger, more frequent, more complex attacks.
Recent DDoS Events In EMEA
• Ideologically-motivated DDoS attacks against UK government sites in relation to the extradition of Julian Assange.
• Ideologically-motivated DDoS attacks against a British governmental agricultural research organization in conjunction with a physical demonstration protesting the introduction of genetically-modified crops.
• Ideologically-motivated DDoS attacks against the largest DNS registrar in the UK which was authoritative for domains hosting political content critical of the Chinese government.
• A retaliatory DDoS attack against a software vendor of widely-used customer-service software, after the vendor found and fixed a SQL injection vulnerability in their products. A blackhat had discovered this on his own and was actually in the process of auctioning it off to prospective attackers in an underground criminal forum as a zero-day exploit when the vendor issued the patch.
DDoS Attack Motivations
• Distraction from other criminal activity
– Phishing for banking credentials with Zeus
– DDoS to distract and cover up the crime
• DDoS distraction also used to cover up system penetrations followed by data leaks
DDoS is Key to Availability Risk Planning
DDoS is the #1 threat to the availability of services – but it is not part of the risk analysis.
Availability Scorecard:
• Site Selection
• Physical Security
• Fire Protection & Detection
• Electrical & Power
• Environment & Weather
• DDoS Attacks?
When measuring the risk to the availability or resiliency of services, where does the risk of DDoS attacks fall on the list?
Business Impact of DDoS Attacks
Botnets & DDoS attacks cost an average enterprise $6.3M* for a 24-hour outage!
* Source: McAfee – Into the Crossfire – January 2010
The impact of loss of service availability goes beyond financials:
• Operations: How many IT personnel will be tied up addressing the attack?
• Help Desk: How many more help desk calls will be received, and at what cost per call?
• Recovery: How much manual work will need to be done to re-enter transactions?
• Lost Worker Output: How much employee output will be lost?
• Penalties: How much will have to be paid in service level agreement (SLA) credits or other penalties?
• Lost Business: How much will the ability to attract new customers be affected? What is the full value of those lost customers?
• Brand & Reputation Damage: What is the cost to the company brand and reputation?
Bar Chart 9: Significance of revenue loss resulting from website downtime for one hour (Source: Ponemon Institute – 2010 State of Web Application Security): Very Significant 31%, Significant 43%, Somewhat Significant 21%, Not Significant 5%, None 0%.
(D)DoS Primer
What is a Denial of Service attack?
- An attempt to consume finite resources, exploit weaknesses in software design or implementation, or exploit lack of infrastructure capacity
- Affects the availability and utility of computing and network resources
- Attacks can be Distributed for even more significant effect
- The collateral damage caused by an attack can be as bad, if not worse, than the attack itself
[Diagram: attack traffic and good traffic flowing into the data center; labels: Volumetric DDoS Impact, State-Exhaustion DDoS Impact (exhaustion of state), Load Balancer, Application-Layer DDoS Impact]
DDoS Attack Vectors
• Volumetric Attacks
– Usually botnets or traffic from spoofed IPs generating high bps / pps traffic volume
– UDP-based floods from spoofed IPs take advantage of the connectionless UDP protocol
– Take out the infrastructure capacity: routers, switches, servers, links
• Reflection Attacks
– Use a legitimate resource to amplify an attack to a destination
– Send a request to an IP that will yield a big response, spoof the source IP address to that of the actual victim
– DNS Reflective Amplification is a good example
[Diagram: DNS reflection. The attacker sends a DNS request to a DNS server with the source address spoofed to the victim (V); the DNS server responds to the request from the spoofed source; the DNS response is many times larger than the request; repeated many times, the responses land on the victim.]
[Diagram: botnet formation across the Internet backbone (UK Broadband, US Corp, US Broadband, JP Corp., Provider). Systems become infected; bots connect to a C&C to create an overlay network (botnet); the controller connects; the botnet master issues the attack command; the bots attack ("Bye Bye!").]
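The reflection pattern in the slide leaves a recognisable signature in flow telemetry on the victim side: a host receiving DNS answers (UDP source port 53) from many resolvers it never queried, with inbound bytes dwarfing any outbound queries. The Python below is an added illustration, not material from the original slides or from Arbor's products; the flow records and addresses are constructed (RFC 5737 documentation ranges), and the `min_responders` and `min_ratio` thresholds are assumptions a defender would tune against their own baseline.

```python
"""Spot DNS reflection/amplification victims in flow records.

Added, constructed example (not from the original deck). Each record is a
simplified NetFlow-style tuple. The victim 203.0.113.10 receives large UDP
responses from many open resolvers (source port 53) without ever having sent
matching queries; the ordinary host 203.0.113.20 receives one small answer
from the single resolver it actually queried.
"""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


# Constructed sample flows (documentation addresses only).
FLOWS = [
    # Ordinary host: one query out, one answer back from its own resolver.
    Flow("203.0.113.20", 51234, "198.51.100.53", 53, "udp", 1, 78),
    Flow("198.51.100.53", 53, "203.0.113.20", 51234, "udp", 1, 214),
    # Victim: answers from five resolvers it never queried, to a port (80)
    # the attacker chose when forging the source of the queries.
    Flow("192.0.2.1", 53, "203.0.113.10", 80, "udp", 40, 130000),
    Flow("192.0.2.2", 53, "203.0.113.10", 80, "udp", 38, 124000),
    Flow("192.0.2.3", 53, "203.0.113.10", 80, "udp", 41, 133000),
    Flow("192.0.2.4", 53, "203.0.113.10", 80, "udp", 39, 127000),
    Flow("192.0.2.5", 53, "203.0.113.10", 80, "udp", 42, 136000),
]


def summarize_dns(flows):
    """Per host: bytes of DNS responses it received, the distinct resolvers
    those responses came from, and bytes of DNS queries it sent out."""
    stats = defaultdict(lambda: {"resp_bytes": 0, "responders": set(), "query_bytes": 0})
    for f in flows:
        if f.proto != "udp":
            continue
        if f.src_port == 53:  # a DNS answer arriving at dst_ip
            stats[f.dst_ip]["resp_bytes"] += f.bytes
            stats[f.dst_ip]["responders"].add(f.src_ip)
        if f.dst_port == 53:  # a DNS query leaving src_ip
            stats[f.src_ip]["query_bytes"] += f.bytes
    return stats


def find_reflection_victims(flows, min_responders=3, min_ratio=10.0):
    """Return {victim_ip: (amplification_ratio, responder_count)} for hosts
    whose inbound DNS response volume is at least `min_ratio` times the query
    bytes they sent and arrives from at least `min_responders` resolvers.
    A host that sent no queries at all gets an infinite ratio."""
    victims = {}
    for host, s in summarize_dns(flows).items():
        if len(s["responders"]) < min_responders:
            continue
        ratio = s["resp_bytes"] / s["query_bytes"] if s["query_bytes"] else float("inf")
        if ratio >= min_ratio:
            victims[host] = (ratio, len(s["responders"]))
    return victims


if __name__ == "__main__":
    for host, (ratio, n) in find_reflection_victims(FLOWS).items():
        print(f"{host}: {n} resolvers, response/query byte ratio {ratio}")
```

The same summary, run on the resolver operator's side, shows the other half of the picture: many queries arriving for one name from one forged source. Either view is enough to start a mitigation conversation with the upstream provider.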
DDoS Attack Vectors
• TCP state exhaustion
– Take advantage of the stateful nature of the TCP protocol
– SYN, FIN, RST floods
– TCP connection attacks
– Exhaust resources in servers, load balancers or firewalls
• Application layer attacks
– Exploit limitations, scale and functionality of specific applications
– Can be low-and-slow
– HTTP GET / POST, SIP INVITE floods
– Can be more sophisticated: ApacheKiller, Slowloris, SlowPOST, RUDY, refref, hash collision etc.
[Diagram: SYN flood. The client sends SYN(C); the server answers SYN(S), ACK(C), stays listening and stores data (connection state, etc.); repeated many times, the system runs out of TCP listener sockets or out of memory for stored state.]
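The half-open-state diagram above is the whole problem in one picture: the server commits memory on SYN and the attacker never completes the handshake. The added example below (not from the deck, and a simplified model rather than a wire-compatible TCP stack) contrasts a listener with a finite backlog against one using SYN cookies, where the server's initial sequence number is a keyed hash over the connection tuple and a coarse timer, so nothing is stored until a client proves it can return the matching ACK. The secret, tick values, backlog size and addresses are constructed.

```python
"""SYN flood: stored half-open state vs. stateless SYN cookies.

Added illustration, not code from the deck. A simplified model of the
SYN-cookie idea (ISN = timer tick + keyed hash of the 4-tuple), not a
wire-compatible TCP implementation. Addresses and secrets are constructed.
"""
import hashlib
import hmac
import struct


class StatefulListener:
    """Classic listener: every SYN allocates a half-open entry that lives until
    the handshake completes or times out. The backlog is the finite resource."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}  # (src_ip, src_port) -> server ISN
        self.dropped = 0

    def on_syn(self, src_ip, src_port, server_isn):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1  # backlog full: this client gets no SYN-ACK
            return False
        self.half_open[(src_ip, src_port)] = server_isn
        return True

    def on_ack(self, src_ip, src_port, ack_num):
        isn = self.half_open.pop((src_ip, src_port), None)
        return isn is not None and ack_num == isn + 1


class SynCookieListener:
    """Stateless listener: the SYN-ACK sequence number *is* the state. Nothing
    is stored until a valid ACK proves the peer really sits at the source."""

    def __init__(self, secret, window=2):
        self.secret = secret
        self.window = window  # number of timer ticks a cookie stays acceptable

    def _mac(self, src_ip, src_port, dst_ip, dst_port, tick):
        msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{tick}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return struct.unpack(">I", digest[:4])[0] & 0x00FFFFFF  # 24-bit tag

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, tick):
        # High 8 bits carry the timer tick, low 24 bits the keyed tag. No allocation.
        tick &= 0xFF
        return (tick << 24) | self._mac(src_ip, src_port, dst_ip, dst_port, tick)

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, ack_num, now):
        isn = (ack_num - 1) & 0xFFFFFFFF
        tick = isn >> 24
        if (now - tick) & 0xFF >= self.window:
            return False  # stale or forged timer value
        expected = self._mac(src_ip, src_port, dst_ip, dst_port, tick)
        return hmac.compare_digest(struct.pack(">I", expected),
                                   struct.pack(">I", isn & 0x00FFFFFF))


def simulate_flood(n_spoofed, backlog=128):
    """Send n_spoofed SYNs from forged sources (no ACK ever follows), then one
    genuine client. Report what each listener did for the genuine client."""
    server = ("203.0.113.80", 80)
    stateful = StatefulListener(backlog)
    cookies = SynCookieListener(b"constructed-secret-rotate-me", window=2)
    for i in range(n_spoofed):
        src = (f"198.51.100.{i % 250 + 1}", 1024 + i)
        stateful.on_syn(*src, server_isn=i)
        cookies.on_syn(*src, *server, tick=10)

    real = ("192.0.2.7", 40000)
    stateful_ok = stateful.on_syn(*real, server_isn=424242)
    isn = cookies.on_syn(*real, *server, tick=10)
    cookie_ok = cookies.on_ack(*real, *server, isn + 1, now=11)
    return {
        "stateful_served_real_client": stateful_ok,
        "stateful_dropped": stateful.dropped,
        "stateful_half_open_entries": len(stateful.half_open),
        "cookie_served_real_client": cookie_ok,
    }


if __name__ == "__main__":
    print(simulate_flood(1000))
```

With 1,000 forged SYNs against a backlog of 128, the stateful listener fills up after the first 128 and turns the genuine client away along with the rest; the cookie listener holds nothing and still completes the genuine handshake. The same principle (minimal state, so the device does not itself become the target) is what the IDMS slide later in this deck calls for.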
DDoS Attack Vectors
The DDoS weapon of choice for Anonymous activists is LOIC, downloaded more than 639,000 times this year (so far). Average 2115 downloads daily.
So, how is DDoS Evolving? Looking at the Internet Threat Landscape
• In order to understand the DDoS threat (and how to protect ourselves) we need to know what is going on out there.
• Two data sources being presented here:
– Arbor Worldwide Infrastructure Security Survey, 2011.
– Arbor ATLAS Internet Trends data.
• Arbor Worldwide Infrastructure Security Survey, 2011
– 7th Annual Survey
– Concerns, observations and experiences of the OpSec community
– 114 respondents, broad spread of network operators from around the world
• Arbor ATLAS Internet Trends
– 240+ Arbor customers, 37.8Tbps of monitored traffic
– Hourly export of anonymized DDoS and traffic statistics
2012 ATLAS Initiative: Anonymous Stats, Worldwide
Higher pps rates seen in 2011 have continued into 2012
• Average attack is 1.56Mpps, September 2012
• 190% growth from September 2011
[Chart: Average Monthly Kpps of Attacks, 0 to 2500 Kpps scale; September 2012 data point 1556 Kpps]
2012 ATLAS Initiative: Anonymous Stats, Worldwide
Peak Attack Growth trend in Gbps
• Peak attack in September 2012 is 63.3Gbps
• 136% rise from September 2011
• Spikes at 75Gb/sec and 100Gb/sec so far this year.
[Chart: Peak Monthly Gbps of Attacks, 0 to 120 Gbps scale; September 2012 data point 63.33 Gbps]
2012 ATLAS Initiative: Anonymous Stats, Worldwide
Average Attack Growth trend in Mbps
• Average attack is 1.67Gbps, September 2012
• 72% growth from September 2011
• Average attacks now consistently over 1Gb/sec
[Chart: Average Monthly Mbps of Attacks, 0 to 2500 Mbps scale; September 2012 data point 1670 Mbps]
Recent Financial Attacks: Multi-vector DDoS On A New Level
• Compromised PHP, WordPress, & Joomla servers
• Multiple concurrent attack vectors
– GET and POST app layer attacks on HTTP and HTTPS
– DNS query app layer attack
– Floods on UDP, TCP SYN floods, ICMP and other IP protocols
• Unique characteristics of the attacks
– Very high packet per second rates per individual source
– Large bandwidth attack on multiple companies simultaneously
– Very focused
• Could be false flag
• Could be cyberwar
• Could be hacktivism
DDoS, a Growing Problem: So, how can we minimize the impact of an attack?
• Monitor the network and services so that you can pro-actively detect changes at all layers (up to layer 7).
• Know who to call.
• Develop an incident handling process and run fire-drills.
• Utilise the security capabilities built into other network and security infrastructure to minimise impact where possible.
• Use a dedicated OOB (out-of-band) management network.
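The first bullet, proactive detection of changes at all layers, is concrete enough to sketch. The following added Python (not from the slides or from any Arbor product) runs two small detectors over constructed telemetry: an exponentially weighted baseline on the ingress packet rate for volumetric floods at layers 3/4, and a per-source request-count comparison over web access log lines for application-layer floods at layer 7. The sample rates, addresses, log lines and thresholds (`alpha`, `k`, `ratio`, `floor`) are constructed assumptions.

```python
"""Layered change detection over constructed telemetry (added example, not
from the deck). Detector 1 watches the ingress packet rate against an
exponentially weighted baseline (volumetric, L3/L4). Detector 2 compares each
source's HTTP request count with the crowd (application layer, L7). All
samples, addresses and log lines are constructed.
"""
import math
import re
from collections import Counter

# Constructed per-minute ingress rate samples in kpps: a quiet baseline near
# 150 kpps for ten minutes, then a flood ramping up from minute 10.
PPS_SAMPLES = [148, 152, 150, 149, 153, 151, 150, 147, 152, 150,
               600, 1400, 1550, 1600, 1580]


class EwmaBaseline:
    """Exponentially weighted mean and variance. A sample that exceeds
    mean + k * stddev is an alert and is NOT folded into the baseline, so a
    sustained flood cannot teach the detector to accept itself."""

    def __init__(self, alpha=0.2, k=4.0, min_samples=5):
        self.alpha, self.k, self.min_samples = alpha, k, min_samples
        self.mean = None
        self.var = 0.0
        self.n = 0

    def update(self, x):
        """Feed one sample; return True if it is anomalous."""
        if self.mean is None:
            self.mean, self.n = float(x), 1
            return False
        if self.n >= self.min_samples:
            # Floor the deviation at 1 so a flat baseline does not alert on noise.
            if x > self.mean + self.k * max(math.sqrt(self.var), 1.0):
                return True
        delta = x - self.mean
        self.mean += self.alpha * delta
        self.var = (1 - self.alpha) * (self.var + self.alpha * delta * delta)
        self.n += 1
        return False


def detect_volumetric(samples, **kw):
    """Indices of the samples the EWMA baseline flags."""
    baseline = EwmaBaseline(**kw)
    return [i for i, x in enumerate(samples) if baseline.update(x)]


def build_constructed_log():
    """Combined-format access log lines: three ordinary visitors plus one
    source hammering an expensive search endpoint (an HTTP POST flood)."""
    lines = []
    for ip, n in (("203.0.113.5", 3), ("198.51.100.9", 2), ("203.0.113.44", 4)):
        lines += [f'{ip} - - [01/Oct/2012:10:00:{i:02d} +0000] '
                  f'"GET /index.html HTTP/1.1" 200 5120' for i in range(n)]
    lines += [f'192.0.2.77 - - [01/Oct/2012:10:00:{i % 60:02d} +0000] '
              f'"POST /search HTTP/1.1" 200 10' for i in range(400)]
    return lines


LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')


def detect_l7_flood(lines, ratio=20.0, floor=50):
    """Sources whose request count exceeds both an absolute floor and `ratio`
    times the median source. Returns {ip: count}."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    if not counts:
        return {}
    ordered = sorted(counts.values())
    median = ordered[len(ordered) // 2]
    threshold = max(floor, ratio * median)
    return {ip: n for ip, n in counts.items() if n > threshold}


if __name__ == "__main__":
    print("volumetric alerts at minutes:", detect_volumetric(PPS_SAMPLES))
    print("L7 flood sources:", detect_l7_flood(build_constructed_log()))
```

Neither detector is a product; the point is that the volumetric alarm fires on the first abnormal minute while the layer-7 alarm needs no rate increase at all, only a skewed per-source distribution, which is why the slide insists on watching every layer and not just link utilisation.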
The Solution: IDMS – Intelligent DDoS Mitigation Systems
• Intelligent DDoS Mitigation Systems (IDMS) are specifically designed to detect and mitigate DDoS attacks using more advanced techniques.
• IDMS equipment uses a combination of Deep Packet Inspection (DPI), proxy inspection and heuristic-based techniques to separate malicious traffic from good traffic.
– Counter-measures to deal with the specific DDoS threats.
– Minimal state, so the device does not become a target.
– Actionable intelligence / automation.
• Services and solutions utilizing IDMS technologies can protect an organization from the DDoS threat.
Stopping Smart Attacks
• Perimeter-based: L4-7 DDoS mitigation must be done at the Data Center
• Specifically configured around protected services
• Always ON: immediate mitigation
[Diagram: perimeter-based DDoS protection. Traffic from ISP 1, ISP 2 … ISP n enters the data center and passes the firewall, IPS and load balancer in front of the target applications & services.]
Stopping Brute Force Attacks
• Cloud-based: Volumetric DDoS mitigation must be done upstream, before traffic gets to the Data Center
• Activated "on demand": only active when an attack is detected or reported
[Diagram: cloud-based DDoS protection. Traffic from ISP 1, ISP 2 … ISP n is diverted through a Peakflow SP/TMS scrubbing center before the local ISP delivers it to the data center's firewall and IPS.]
Threat Ecosystem
The Arbor ecosystem between service providers & enterprises offers comprehensive protection from active threats
[Diagram: Service Providers and Enterprise Networks; integrated protection for government, business, financial and gaming services]
Peakflow, Cloud Based Protection: Pervasive and cost-effective visibility and security
• Pervasive Network Visibility & Deep Insight into Services
– Leverage Cisco NetFlow technology for broad traffic visibility across service provider networks.
• Comprehensive Threat Management
– Granular threat detection, surgical mitigation and reporting of DDoS attacks that threaten business services.
• In-Cloud Services Enabler
– A platform which offers the ability to deliver new, profitable, revenue-generating services, i.e. DDoS Protection.
Arbor Networks
"The only source of knowledge is experience." – Albert Einstein
Arbor has 12 years' experience and some of the world's leading experts on DDoS, Botnet and Cyber attacks.