DDoS attacks: Understanding the Threat



    1. DDoS Attacks: Understanding the Threat
    2. DDoS attack? It'll Never Happen to Me
       • Ostrich Mentality: 'When an ostrich is afraid, it will bury its head in the ground, assuming that because it cannot see, it cannot be seen.'
       • Historically, this has been the attitude to DDoS as a Service Availability Threat.
       • ...but this has changed in the past 2-3 years, because of:
         – AWARENESS: Massive mainstream press around Anonymous, Lulzsec, Sony, etc.
         – RISK: More businesses are reliant on Internet Services for their business continuity.
         – MOTIVATIONS: Wider spread of attack motivations, broader target set.
         – EXPERIENCE: Larger, more frequent, more complex attacks.
    3. DDoS Attack Motivations
    4. Recent DDoS Events in EMEA
       • Ideologically-motivated DDoS attacks against UK government sites in relation to the extradition of Julian Assange.
       • Ideologically-motivated DDoS attacks against a British governmental agricultural research organization in conjunction with a physical demonstration protesting the introduction of genetically-modified crops.
       • Ideologically-motivated DDoS attacks against the largest DNS registrar in the UK, which was authoritative for domains hosting political content critical of the Chinese government.
       • A retaliatory DDoS attack against a software vendor of widely-used customer-service software, after the vendor found and fixed a SQL injection vulnerability in their products. A blackhat had discovered this on his own and was actually in the process of auctioning it off to prospective attackers in an underground criminal forum as a zero-day exploit when the vendor issued the patch.
    5. DDoS Attack Motivations
       • Distraction from other criminal activity
         – Phishing for banking credentials with Zeus
         – DDoS to distract and cover up the crime
       • DDoS distraction also used to cover up system penetrations followed by data leaks
    6. Sophistication of Tools & Services
    7. Example: Gwapos Advertising
    8. DDoS is Key to Availability Risk Planning
       • DDoS is the #1 threat to the availability of services, but it is not part of the risk analysis.
       • [Figure: Availability Scorecard listing Site Selection, Physical Security, Fire Protection & Detection, Electrical & Power, Environment & Weather, and then "DDoS Attacks?"]
       • When measuring the risk to the availability or resiliency of services, where does the risk of DDoS attacks fall on the list?
    9. Business Impact of DDoS Attacks
       • Botnets & DDoS attacks cost an average enterprise $6.3M for a 24-hour outage! (Source: McAfee, Into the Crossfire, January 2010)
       • The impact of loss of service availability goes beyond financials:
         – Operations: How many IT personnel will be tied up addressing the attack?
         – Help Desk: How many more help desk calls will be received, and at what cost per call?
         – Recovery: How much manual work will need to be done to re-enter transactions?
         – Lost Worker Output: How much employee output will be lost?
         – Penalties: How much will have to be paid in service level agreement (SLA) credits or other penalties?
         – Lost Business: How much will the ability to attract new customers be affected? What is the full value of those lost customers?
         – Brand & Reputation Damage: What is the cost to the company brand and reputation?
       • [Bar Chart 9: Significance of revenue loss resulting from website downtime for one hour (Source: Ponemon Institute, 2010 State of Web Application Security): Very Significant 31%, Significant 43%, Somewhat Significant 21%, Not Significant 5%, None 0%]
    10. (D)DoS Primer
       • What is a Denial of Service attack?
         – An attempt to consume finite resources, exploit weaknesses in software design or implementation, or exploit lack of infrastructure capacity
         – Affects the availability and utility of computing and network resources
         – Attacks can be Distributed for even more significant effect
         – The collateral damage caused by an attack can be as bad, if not worse, than the attack itself
       • [Figure: data center diagram showing where volumetric DDoS, state-exhaustion DDoS (exhaustion of state at the firewall / load balancer) and application-layer DDoS each have their impact, with attack traffic and good traffic arriving together]
    11. DDoS Attack Vectors
       • Volumetric Attacks
         – Usually botnets or traffic from spoofed IPs generating high bps / pps traffic volume
         – UDP based floods from spoofed IPs take advantage of the connectionless UDP protocol
         – Take out the infrastructure capacity: routers, switches, servers, links
       • Reflection Attacks
         – Use a legitimate resource to amplify an attack to a destination
         – Send a request to an IP that will yield a big response, spoof the source IP address to that of the actual victim
         – DNS Reflective Amplification is a good example
       • [Figure: DNS reflection. The attacker sends DNS requests with the source address spoofed to the victim; the DNS server responds to the spoofed source, and the DNS response is many times larger than the request; repeated many times against the victim]
       • [Figure: botnet lifecycle across an Internet backbone with UK, US and JP broadband and corporate providers. Systems become infected; bots connect to a C&C to create an overlay network (botnet); the botnet master issues the attack command via the C&C; bots attack]
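The DNS reflection pattern on this slide leaves a recognisable trace in flow records: a host receives large UDP/53 replies from resolvers it never queried. The detector below is an added illustration, not code from the presentation or from any Arbor product; the Flow record layout, the sample flows and the thresholds (3 unsolicited resolvers, 10x byte amplification) are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One constructed flow record (NetFlow-style 5-tuple plus counters)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    pkts: int
    octets: int


def detect_dns_reflection(flows, min_resolvers=3, min_amp=10.0):
    """Return {victim: (unsolicited_resolvers, amplification)} for hosts that
    receive UDP/53 replies from resolvers they never queried, where the bytes
    received dwarf the bytes they themselves sent as queries (assumed thresholds)."""
    query_bytes = defaultdict(int)       # host -> bytes it sent to port 53
    asked = defaultdict(set)             # host -> resolvers it really queried
    reply_src = defaultdict(set)         # host -> resolvers that replied to it
    reply_bytes = defaultdict(int)       # host -> bytes of replies it received
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == 53:                # outbound query
            query_bytes[f.src] += f.octets
            asked[f.src].add(f.dst)
        elif f.sport == 53:              # inbound reply
            reply_src[f.dst].add(f.src)
            reply_bytes[f.dst] += f.octets
    suspects = {}
    for host, sources in reply_src.items():
        unsolicited = sources - asked[host]   # replies to queries this host never sent
        amp = reply_bytes[host] / max(query_bytes[host], 1)
        if len(unsolicited) >= min_resolvers and amp >= min_amp:
            suspects[host] = (len(unsolicited), round(amp, 1))
    return suspects


# Constructed sample: 203.0.113.10 is being reflected on by five open resolvers;
# 203.0.113.20 made one ordinary lookup and got one ordinary answer.
RESOLVERS = ["198.51.100.%d" % n for n in range(1, 6)]
SAMPLE_FLOWS = [Flow(r, 53, "203.0.113.10", 40000 + i, "udp", 10, 4000)
                for i, r in enumerate(RESOLVERS)]
SAMPLE_FLOWS += [Flow("203.0.113.20", 51234, "198.51.100.1", 53, "udp", 1, 80),
                 Flow("198.51.100.1", 53, "203.0.113.20", 51234, "udp", 1, 400)]

if __name__ == "__main__":
    print(detect_dns_reflection(SAMPLE_FLOWS))  # {'203.0.113.10': (5, 20000.0)}
```

On real flow data the same logic also catches other UDP reflectors (NTP, SNMP) by changing the port, since the signature is "replies without matching requests", not the protocol.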
    12. DDoS Attack Vectors
       • TCP state exhaustion
         – Take advantage of the stateful nature of the TCP protocol
         – SYN, FIN, RST Floods
         – TCP connection attacks
         – Exhaust resources in servers, load balancers or firewalls
       • Application layer attacks
         – Exploit limitations, scale and functionality of specific applications
         – Can be low-and-slow
         – HTTP GET / POST, SIP Invite floods
         – Can be more sophisticated: ApacheKiller, Slowloris, SlowPOST, RUDY, refref, hash collision etc.
       • [Figure: SYN flood. Client sends SYN(c); server replies SYN(s), ACK(c), keeps listening and stores data (connection state, etc.); repeated many times until the system runs out of TCP listener sockets or out of memory for stored state]
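The SYN-flood diagram above (state stored per half-open connection until the listener backlog is exhausted) can be replayed against a toy listener to see both the outage and the per-source signal a defender would alert on. This is an added illustration, not code from the presentation; the backlog size, the 30-second state timeout and the sample event stream are constructed assumptions.

```python
from collections import defaultdict


def replay_handshakes(events, backlog=128, syn_timeout=30.0):
    """Replay (time, client_ip, flag) events against a listener with a finite
    SYN backlog. flag is 'SYN' (server stores half-open state) or 'ACK' (the
    client's final handshake packet, which releases that state).
    Returns (syns_refused, peak_half_open_per_source)."""
    half_open = defaultdict(list)   # client -> timestamps of pending SYNs
    peak = defaultdict(int)
    refused = 0
    for t, client, flag in events:
        # the server eventually reclaims state for handshakes that never complete
        for c in list(half_open):
            half_open[c] = [ts for ts in half_open[c] if t - ts < syn_timeout]
            if not half_open[c]:
                del half_open[c]
        pending = sum(len(v) for v in half_open.values())
        if flag == "SYN":
            if pending >= backlog:
                refused += 1          # backlog exhausted: this client gets no service
            else:
                half_open[client].append(t)
                peak[client] = max(peak[client], len(half_open[client]))
        elif flag == "ACK" and half_open.get(client):
            half_open[client].pop(0)  # handshake completed, state released
            if not half_open[client]:
                del half_open[client]
    return refused, dict(peak)


def syn_flood_sources(peak_half_open, threshold=20):
    """Sources that held an abnormal number of half-open connections at once."""
    return sorted(c for c, n in peak_half_open.items() if n >= threshold)


# Constructed sample: four spoofed sources send 160 SYNs and never complete the
# handshake; one legitimate client tries during the flood and again afterwards.
FLOOD = ["192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"]
LEGIT = "198.51.100.7"
SAMPLE_EVENTS = [(i * 0.1, FLOOD[i % 4], "SYN") for i in range(160)]
SAMPLE_EVENTS += [(20.0, LEGIT, "SYN"), (20.1, LEGIT, "ACK"),   # refused: backlog full
                  (45.0, LEGIT, "SYN"), (45.1, LEGIT, "ACK")]   # served once state expired

if __name__ == "__main__":
    refused, peak = replay_handshakes(SAMPLE_EVENTS)
    print(refused, syn_flood_sources(peak))
    # 33 ['192.0.2.11', '192.0.2.12', '192.0.2.13', '192.0.2.14']
```

With spoofed sources the per-source count is weak on its own, which is why the slide lists this as a job for devices that keep minimal state (or use SYN cookies) rather than for the server's own backlog.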
    13. DDoS Attack Vectors
       • The DDoS weapon of choice for Anonymous activists is LOIC, downloaded more than 639,000 times this year (so far). Average 2,115 downloads daily.
    14. So, how is DDoS Evolving? Looking at the Internet Threat Landscape
       • In order to understand the DDoS threat (and how to protect ourselves) we need to know what is going on out there.
       • Two data sources being presented here:
         – Arbor Worldwide Infrastructure Security Survey, 2011.
         – Arbor ATLAS Internet Trends data.
       • Arbor Worldwide Infrastructure Security Survey, 2011
         – 7th Annual Survey
         – Concerns, observations and experiences of the OpSec community
         – 114 respondents, broad spread of network operators from around the world
       • Arbor ATLAS Internet Trends
         – 240+ Arbor customers, 37.8Tbps of monitored traffic
         – Hourly export of anonymized DDoS and traffic statistics
    15. 2012 ATLAS Initiative: Anonymous Stats, Worldwide
       • Average attack is 1.56Mpps, September 2012
       • 190% growth from September 2011
       • Higher pps rates seen in 2011 have continued into 2012
       • [Chart: Average Monthly Kpps of Attacks; September 2012 data point 1,556 Kpps]
    16. 2012 ATLAS Initiative: Anonymous Stats, Worldwide
       • Peak attack in September 2012 is 63.3Gbps
       • 136% rise from September 2011
       • Spikes at 75Gb/sec and 100Gb/sec so far this year.
       • [Chart: Peak Attack Growth trend in Gbps (Peak Monthly Gbps of Attacks); September 2012 data point 63.3 Gbps]
    17. 2012 ATLAS Initiative: Anonymous Stats, Worldwide
       • Average attack is 1.67Gbps, September 2012
       • 72% growth from September 2011
       • Average attacks now consistently over 1Gb/sec
       • [Chart: Average Attack Growth trend in Mbps (Average Monthly Mbps of Attacks); September 2012 data point 1,670 Mbps]
    18. DDoS Attacks are Evolving
       • [Chart: Services Targeted by Application Layer DDoS Attacks: HTTP 87%, DNS 67%, SMTP 25%, HTTPS 24%, SIP/VoIP 19%, IRC 11%, Other 7%]
       • [Pie chart: Have You Experienced Multi-vector Application / Volumetric DDoS Attacks? Legend: Don't Know, No, Yes; segment values as extracted: 27%, 41%, 32%]
       • [Chart: Number of DDoS Attacks per Month: 0 attacks 9%, 1-10 47%, 10-20 15%, 20-50 7%, 50-100 10%, 100-500 11%, >500 1%]
    19. Recent Financial Attacks: Multi-vector DDoS On A New Level
       • Compromised PHP, WordPress & Joomla servers
       • Multiple concurrent attack vectors
         – GET and POST app layer attacks on HTTP and HTTPS
         – DNS query app layer attack
         – Floods on UDP, TCP SYN floods, ICMP and other IP protocols
       • Unique characteristics of the attacks
         – Very high packet per second rates per individual source
         – Large bandwidth attack on multiple companies simultaneously
         – Very focused
       • Could be false flag
       • Could be Cyberwar
       • Could be hacktivism
    20. DDoS, a Growing Problem. So, how can we minimize the impact of an attack?
       • Monitor the network and services so that you can pro-actively detect changes at all layers (up to layer 7).
       • Know who to call.
       • Develop an incident handling process and run fire-drills.
       • Utilise the security capabilities built into other network and security infrastructure to minimise impact where possible.
       • Use a Dedicated OOB (out-of-band) Management Network.
    21. The Solution: IDMS (Intelligent DDoS Mitigation Systems)
       • Intelligent DDoS Mitigation Systems (IDMS) are specifically designed to detect and mitigate DDoS attacks using more advanced techniques.
       • IDMS equipment uses a combination of Deep Packet Inspection (DPI), proxy inspection and heuristic based techniques to separate malicious traffic from good traffic.
         – Counter-measures to deal with the specific DDoS threats.
         – Minimal state, so the device does not become a target.
         – Actionable intelligence / automation.
       • Services and solutions utilizing IDMS technologies can protect an organization from the DDoS threat.
    22. Getting Protected: Layered DDoS Defense
       • [Figure: layered defense. Cloud-based DDoS Protection: ISP 1, ISP 2 ... ISP n feed a Scrubbing Center running Peakflow SP/TMS, linked by Cloud Signaling to the Perimeter-based DDoS Protection in the Data Center, which sits in front of the Firewall, IPS and Load Balancer guarding the Target Applications & Services]
    23. Stopping Smart Attacks
       • Perimeter-based: L4-7 DDoS mitigation must be done at the Data Center
       • Specifically configured around protected services
       • Always ON: immediate mitigation
       • [Figure: Perimeter-based DDoS Protection in the Data Center, between the ISPs and the Firewall, IPS and Load Balancer in front of the Target Applications & Services]
    24. Stopping Brute Force Attacks
       • Cloud-based: Volumetric DDoS mitigation must be done upstream, before traffic gets to the Data Center
       • Activated "on demand": only active when an attack is detected or reported
       • [Figure: Cloud-based DDoS Protection, a Scrubbing Center running Peakflow SP/TMS at ISP 1, ISP 2 ... ISP n / the Local ISP, upstream of the Data Center Firewall and IPS]
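Slides 20, 23 and 24 together describe one operating model: monitor for changes, mitigate at the perimeter while the attack fits local capacity, and signal upstream for cloud-based scrubbing once it becomes volumetric. The following added example (not Arbor's code, and not how Cloud Signaling is actually implemented) models that decision on per-minute bit-rate samples; the link capacity, the 4x spike factor, the 80% hand-off threshold and the sample series are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Decision:
    minute: int
    bps: float
    baseline: float
    action: str          # "normal" | "mitigate-local" | "signal-upstream"


def classify_traffic(samples_bps, link_capacity_bps, alpha=0.2,
                     spike_factor=4.0, upstream_share=0.8):
    """Walk per-minute inbound bit-rate samples and decide, for each minute,
    whether traffic is normal, an attack the perimeter device can absorb, or a
    volumetric flood that must be signalled upstream for cloud scrubbing.
    The exponentially weighted baseline is frozen while an anomaly is active,
    so a sustained attack does not become the new "normal"."""
    baseline = None
    decisions = []
    for minute, bps in enumerate(samples_bps):
        if baseline is None:
            baseline = bps                       # seed from the first sample
        if bps <= spike_factor * baseline:
            baseline = alpha * bps + (1 - alpha) * baseline
            action = "normal"
        elif bps >= upstream_share * link_capacity_bps:
            action = "signal-upstream"           # the link itself would saturate
        else:
            action = "mitigate-local"            # within the perimeter's capacity
        decisions.append(Decision(minute, bps, round(baseline), action))
    return decisions


def actions(samples_bps, link_capacity_bps):
    """Just the per-minute verdicts, for a quick look or for testing."""
    return [d.action for d in classify_traffic(samples_bps, link_capacity_bps)]


# Constructed sample: a 1 Gb/s link idling around 100 Mb/s, then a moderate
# attack the perimeter can handle, then a multi-gigabit flood, then recovery.
LINK_CAPACITY_BPS = 1e9
SAMPLE_BPS = [100e6, 110e6, 95e6, 105e6, 100e6, 600e6, 3e9, 3.5e9, 120e6]

if __name__ == "__main__":
    for d in classify_traffic(SAMPLE_BPS, LINK_CAPACITY_BPS):
        print(d)
```

Because the baseline stays frozen during minutes 5 to 7, the return to 120 Mb/s in minute 8 is correctly judged normal instead of being compared against a baseline inflated by the flood.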
    25. Threat Ecosystem
       • The Arbor ecosystem between service providers & enterprises offers comprehensive protection from active threats
       • [Figure: Service Providers and Enterprise Networks; integrated protection for government, business, financial and gaming services]
    26. Pravail APS, Network Perimeter Protection
       • "Out-of-the-box" Protection: immediate protection from threats with more control
       • Block Complex DDoS Attacks: block complex state-exhausting & app-layer DDoS
       • Security Feed for New Threats: block dynamic botnet-based DDoS attacks
       • Cloud Signaling: stop flood DDoS attacks by signaling upstream MSSPs
       • Easy Install and Deployment: easily installed in front of firewalls
    27. Peakflow, Cloud Based Protection: Pervasive and cost-effective visibility and security
       • Pervasive Network Visibility & Deep Insight into Services
         – Leverage Cisco NetFlow technology for broad traffic visibility across service provider networks.
       • Comprehensive Threat Management
         – Granular threat detection, surgical mitigation and reporting of DDoS attacks that threaten business services.
       • In-Cloud Services Enabler
         – A platform which offers the ability to deliver new, profitable, revenue-generating services, i.e. DDoS Protection
    28. Arbor Networks
       • "The only source of knowledge is experience." (Albert Einstein)
       • Arbor has 12 years' experience and some of the world's leading experts on DDoS, Botnet and Cyber attacks
    29. Thank You