A Pragmatist's Guide to DDoS Mitigation
Phil Williams
© 2017 Imperva, Inc. All rights reserved.
Why are we here?
How can we approach mitigation intelligently?
What do we need to protect?
What are the common ‘traps’?
ANDREAS LINDH
• Swedish infosec practitioner.
• Graciously provided permission to reference his material.
• @addelindh on Twitter.
• You really should follow him (on Twitter, not in real life).
HIS PRESENTATION
• March 2015, Heidelberg, Germany.
• Really good!
• You should find and watch it.
First, some food for thought
“An attacker only needs to find one weakness while the defender needs to protect all of them all of the time.”
“A skilled and motivated attacker will always find a way.”
“Attackers have bosses and budgets too.”
Some Principles of Defender Economics
1. If the cost to attack is less than the value to the attacker of your information, or of denying you service, you will be attacked.
2. You don’t need to protect against everything.
3. The attacker’s greatest strength is time.
4. Your greatest strength is space.
5. You need to increase the cost of a successful attack to the point where it’s no longer profitable to the attacker.
BREAK THE ATTACKER’S BUDGET
WITHOUT BREAKING YOUR OWN.
“1. If the cost to attack is less than the value of your
information to the attacker, you will be attacked.”
“2. You don’t need to protect against everything.”
“3. The attacker’s greatest strength is time.”
Attacker chooses:
• When to start attacking.
• When to stop attacking.
• Which days to be active.
• Which times of day to be active.
• Speed / size of attack.
• The timeline for any public announcements they make.
Defence issues:
• Defender has limited timeline awareness.
• Controls which are slower to respond than the attacker’s evasion speed are of limited value.
• 24x7 operation is much more expensive for defence than for attack.
“4. The defender’s greatest strength is space.”
Defender designs, builds and operates the infrastructure, applications and security controls.
DEFENDER SETS THE BUDGET FOR A
SUCCESSFUL ATTACK.
Attacker: goose.
Target: humans.
Controls: Window + sign (cheap, effective).
Budget: bread for 2 x penetration geese, 8x5 hours of operation.
So let’s recap…
• A DDoS attacker is after something
– Money
– Vendetta
– Street cred
• They have all the time and space in the world to plan and execute
• We control the ‘cost’ and therefore the probability of being attacked
Let’s also agree on what a DDoS is…
• DoS = Denial of Service
• The extra ‘D’ just says that it’s distributed (many sources)
• Normally in IT we are talking about consuming resources
• Can be targeted at many ‘layers’ of the network
DDoS Attacks – Infrastructure Targeted
DDoS Attacks – Application Targeted
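The two slides above separate infrastructure-targeted (volumetric) attacks from application-targeted ones, and editor's note 9 at the end of the page adds that application-layer attacks are cheaper for the attacker and cannot be handled by an ISP-level (pipe) mitigation. The following is an added example written for this page, not code from the deck or from Incapsula, that shows why in practice: in a constructed access log one client sends well-formed GETs to an uncached search endpoint at a total bandwidth of a fraction of a megabit, so no volumetric threshold would ever fire, while a per-client sliding-window count over expensive paths flags it within seconds. The log lines, the `EXPENSIVE` path list, `WINDOW` and `LIMIT` are all assumptions to be tuned per site.

```python
"""Application-layer flood triage from access-log lines.

Added example, not from the original deck. The log lines are constructed
(RFC 5737 documentation addresses); EXPENSIVE, WINDOW and LIMIT are
assumed values that have to be tuned per site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: client, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

EXPENSIVE = ("/search", "/login", "/api/report")  # assumed uncached, CPU/DB-bound paths
WINDOW = timedelta(seconds=10)                      # assumed sliding window
LIMIT = 20                                          # assumed expensive hits per client per window

# Constructed sample: two ordinary visitors browsing.
VISITOR_LINES = [
    '192.0.2.10 - - [10/Mar/2017:14:00:01 +0000] "GET / HTTP/1.1" 200 14250',
    '192.0.2.10 - - [10/Mar/2017:14:00:04 +0000] "GET /search?q=pricing HTTP/1.1" 200 5200',
    '192.0.2.44 - - [10/Mar/2017:14:00:05 +0000] "GET /about HTTP/1.1" 200 9800',
    '192.0.2.44 - - [10/Mar/2017:14:00:09 +0000] "POST /login HTTP/1.1" 302 0',
]


def bot_lines(ip="198.51.100.23", count=60, per_second=3):
    """Constructed: one client issuing `per_second` small search requests
    every second. Every request is a valid GET and only a few KB of traffic."""
    t0 = datetime.strptime("10/Mar/2017:14:00:00 +0000", TS_FMT)
    return [
        f'{ip} - - [{(t0 + timedelta(seconds=i // per_second)).strftime(TS_FMT)}] '
        f'"GET /search?q=x{i} HTTP/1.1" 200 5120'
        for i in range(count)
    ]


SAMPLE_LOG = VISITOR_LINES + bot_lines()


def parse(lines):
    """Return parsed records in timestamp order; lines that do not match are skipped."""
    recs = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            recs.append({
                "ip": m["ip"],
                "ts": datetime.strptime(m["ts"], TS_FMT),
                "path": m["path"],
                "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
            })
    return sorted(recs, key=lambda r: r["ts"])


def bandwidth_mbps(lines):
    """Average response bandwidth over the log span: all a pipe-level
    (volumetric) view gets to measure."""
    recs = parse(lines)
    if len(recs) < 2:
        return 0.0
    seconds = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
    return sum(r["bytes"] for r in recs) * 8 / seconds / 1e6 if seconds else 0.0


def offenders(lines, window=WINDOW, limit=LIMIT):
    """Clients that hit expensive paths more than `limit` times within any
    `window`. The signal only exists once you can see the URL per client,
    which is why it has to be done at layer 7 and not in the ISP's pipe."""
    recent = defaultdict(deque)   # ip -> timestamps of recent expensive hits
    flagged = {}                  # ip -> time the client first crossed the limit
    for r in parse(lines):
        if not r["path"].startswith(EXPENSIVE):
            continue
        q = recent[r["ip"]]
        q.append(r["ts"])
        while r["ts"] - q[0] > window:
            q.popleft()
        if len(q) > limit and r["ip"] not in flagged:
            flagged[r["ip"]] = r["ts"]
    return flagged


if __name__ == "__main__":
    print(f"requests: {len(SAMPLE_LOG)}, average {bandwidth_mbps(SAMPLE_LOG):.3f} Mbit/s")
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"L7 flood from {ip}, limit crossed at {when:%H:%M:%S}")
```

The sample bot stays near 0.14 Mbit/s, far below anything a volumetric control would act on, yet crosses the per-client limit on its 21st search request. In production the same count would be keyed on something more robust than the source address (session, fingerprint, or the presence of a challenge cookie), since a distributed L7 flood spreads the requests over many clients that individually stay under any per-IP limit.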
SO! Now what?
• We understand that the attacker has goals
• We understand the ‘vectors’ they may use
• Let’s evaluate our network the way an attacker would
Target = www.philw.uk
• Site IP = 88.98.85.58
– Upstream router not visible
• ISP = Zen Internet
– Multiple peers, ~90 Gb/s
• DNS service is GoDaddy
– Well connected
• Other hosts available
Attack options
• Cheap options
– Volumetric attack against target hosts
– Application attack against the website
– Mail flood against SMTP
• Expensive options
– Attack the DNS service
– Attack the ISP
Attack Costs
Let’s deploy some defences
• Incapsula website protection
• Incapsula DNS protection
What does the same recon now show?
Attack options, revised
• Cheap options
– Volumetric attack against target hosts
– Application attack against the website
– Mail flood against SMTP
– Guess at other hosts (FTP / VPN / etc.)
• Expensive options
– Attack the DNS service = attack Incapsula
– Attack the ISP
– Attack Incapsula
A bit more defence
• Use an external mail relay
– Office 365
– MessageLabs, etc.
• Use Incapsula Protected IP
– Protect the FTP service / mask the origin IP
• Use non-predictable names
– e.g. connecttooffice.philw.uk
– or do not use a hostname at all
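The recon slides (site IP, ISP, DNS provider, other hosts), the revised attack options and the slide just above all make one point: once the website and DNS are fronted by a protection service, the attacker's cheapest remaining move is to guess other hostnames (ftp, vpn, mail, an MX) that still resolve straight to the origin. Below is an added example of how to audit that, written for this page rather than taken from the deck or from any Incapsula tooling. It works from an offline DNS snapshot so that it runs anywhere; the zone, the "protected" address range, the prefix guess list and the `live_zone` helper are all constructed assumptions.

```python
"""Origin-exposure audit for a domain fronted by a DDoS-protection proxy.

Added example, not from the original deck. Works from a DNS "snapshot"
(name -> addresses) so it runs offline; the snapshot, the provider ranges
and the guess list below are constructed for illustration.
"""
import ipaddress
import socket
from typing import Dict, List, Set, Tuple

# Constructed snapshot of what recon on a hypothetical zone returns.
# 203.0.113.0/24 plays the protection provider, 198.51.100.0/24 the origin
# hosting; both are RFC 5737 documentation ranges, not real infrastructure.
SAMPLE_ZONE: Dict[str, Dict[str, List[str]]] = {
    "A": {
        "example.test":                 ["203.0.113.10"],  # fronted by the proxy
        "www.example.test":             ["203.0.113.10"],
        "ftp.example.test":             ["198.51.100.7"],  # direct to origin
        "mail.example.test":            ["198.51.100.7"],  # same box as ftp
        "vpn.example.test":             ["198.51.100.8"],
        "connecttooffice.example.test": ["198.51.100.9"],  # non-predictable name
    },
    "MX": {"example.test": ["mail.example.test"]},
}

# Assumed address space of the protection provider (constructed).
PROTECTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Prefixes an attacker guesses first; they cost nothing, so check them first too.
COMMON_PREFIXES = ["www", "ftp", "mail", "smtp", "vpn", "owa", "remote",
                   "dev", "staging", "origin", "direct"]

Finding = Tuple[str, str, str]  # (hostname, address, how it was found)


def is_protected(ip: str) -> bool:
    """True if the address sits inside the provider's (assumed) ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROTECTED_RANGES)


def exposed_hosts(zone, apex: str, names) -> List[Finding]:
    """Names in `names` (plus the zone's MX targets) that resolve outside the
    protected ranges, i.e. addresses an attacker can hit directly."""
    found: List[Finding] = []
    seen: Set[Tuple[str, str]] = set()

    def record(name: str, how: str) -> None:
        for ip in zone["A"].get(name, []):
            if (name, ip) in seen or is_protected(ip):
                continue
            seen.add((name, ip))
            found.append((name, ip, how))

    for name in names:
        record(name, "A")
    # MX targets: a mail flood is a cheap vector, and an MX on the same
    # machine as the web origin hands over the address the proxy is hiding.
    for mx in zone["MX"].get(apex, []):
        record(mx, "MX")
    return found


def attacker_view(zone, apex: str) -> List[Finding]:
    """What cheap recon (apex, common prefixes, MX) turns up."""
    return exposed_hosts(zone, apex, [apex] + [f"{p}.{apex}" for p in COMMON_PREFIXES])


def defender_view(zone, apex: str) -> List[Finding]:
    """Same check over every name in the zone; the defender can see all of them."""
    return exposed_hosts(zone, apex, sorted(zone["A"]))


def shared_origins(findings) -> Dict[str, List[str]]:
    """Addresses reached by more than one exposed service: knocking one over
    (e.g. with a mail flood) takes the others down with it."""
    by_ip: Dict[str, List[str]] = {}
    for name, ip, _ in findings:
        by_ip.setdefault(ip, [])
        if name not in by_ip[ip]:
            by_ip[ip].append(name)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


def live_zone(apex: str, prefixes=COMMON_PREFIXES) -> Dict[str, Dict[str, List[str]]]:
    """Build the same snapshot against real DNS (needs network access; the
    standard library only does A lookups, so MX stays empty here)."""
    zone: Dict[str, Dict[str, List[str]]] = {"A": {}, "MX": {}}
    for name in [apex] + [f"{p}.{apex}" for p in prefixes]:
        try:
            zone["A"][name] = sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
        except socket.gaierror:
            pass
    return zone


if __name__ == "__main__":
    apex = "example.test"
    for label, view in (("attacker", attacker_view), ("defender", defender_view)):
        print(f"{label} view:")
        for name, ip, how in view(SAMPLE_ZONE, apex):
            print(f"  {name:32} {ip:15} via {how}")
    print("shared origin addresses:", shared_origins(defender_view(SAMPLE_ZONE, apex)))
```

On the sample zone the attacker view finds ftp, mail and vpn but not connecttooffice, which is the whole value of a non-predictable name; the defender view finds all four, and `shared_origins` shows that a mail flood against the MX also takes the FTP host down because they share an address. Run the defender view against your own zone export before the attacker runs the attacker view against your public DNS, and note the caveat the snapshot cannot show: historical DNS data collected before the proxy went in will still reveal the old origin address, so moving the web service behind the proxy without also changing that address leaves it exposed.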
Attack options remaining
• Cheap options
– Volumetric attack against target hosts
– Application attack against the website
– Mail flood against SMTP
– Guess at other hosts (FTP / VPN / etc.)
• Expensive options
– Attack the DNS service = attack Incapsula
– Attack the ISP
– Attack Incapsula
The attacker’s choice
• Spend time guessing hosts
– Hoping to find one that:
• a) is actually part of the target network
• b) is valuable enough for an attack on it to be effective
• Attack what you can see and hope
– Expensive
– Low probability of success
• Find a new target
So where does this leave us?
• Push as much as you can away from your network
• Hide everything you can
• Protect what you can’t
• Understand what your ‘viable targets’ are and focus on those

Editor's Notes

  1. Now on to the Applied Defender Economics part of the preso. Andreas Lindh is a nice guy, very smart, follow him, did a talk a few months ago. Our talk is inspired by his, we’re not using his content but we have his blessing anyway if anyone asks. By all means remove this slide if you want but if anyone challenges you, I do have Andreas’ written permission.
  2. Let’s start with some truisms. I normally show them one by one, ask if people agree that they’re true. Be prepared to discuss. First one is usually unanimously true, second one starts a discussion. I end it by saying “Let’s assume it is true – why then do we go to work in the morning if there’s always a way for an attacker to get in? It’s because… [CLICK] attackers have bosses and budgets too”
  3. Let’s establish some principles (1, 2 and 5 come from Andreas and work by Dino Dai Zovi, 3 and 4 are mine). Organisations who don’t think about these either explicitly or implicitly end up like this guy – clinging desperately to their traditional security controls like AV and firewall, hoping and praying for them to step in and actually do something useful. Meanwhile the attacker is just going at them with nothing to stop them. So I quickly step through the principles because we go into more detail on the following slides.
  4. Common mistake in risk management equations is to use the value of data TO YOU. Instead you should use the value of data to AN ATTACKER. A lot of organisations are under-spending on controls because their data is worth much more to an attacker than it is to themselves. Use the example of hotel check-ins which have long and detailed forms asking for all kinds of PII, but in reality all they need is a CC authorisation. Mention how a lot of hotel staff don’t even ask you to fill in all these details any more but some still do out of habit – they’re collecting data they don’t need which is of no value to them but worth a lot to an attacker. Remember our goal is to break the attacker’s budget – this helps us to understand what that budget might be, both qualitatively and quantitatively. (Replace these with screenshots of examples relevant to your audience)
  5. Shock! Horror! A security vendor who isn’t telling you you need to protect against everything all the time! As defenders we should invest wisely in controls. If your website is purely informational but you maintain a database of customer records, don’t listen to the DDoS vendor when he comes knocking, spend that money on database activity monitoring instead. If on the other hand you do most of your business through your website in the cloud and your staff are mostly mobile – why on earth would you spend $$$ on a perimeter IPS? Remember, our constraint is not to break our own budget, this helps.
  6. This should be fairly obvious, especially to anyone who has ever done pen testing or red teaming (or actually hacked something) but so many defenders seem oblivious to this and it’s fundamentally important.
  7. But it’s not all bad. As defenders our control of the “battlespace” means that we are setting the budget for a successful attack. That’s what we do when we buy, implement and operate security controls. We’re not trying to block everything all of the time from all adversaries – that’s not possible for anyone – we’re saying to our chosen adversaries that “the bar for getting to our data is here; you need to spend that much for your attack to be successful” and if they don’t have that much bread, we win.
  8. As this image shows… bandwidth (or road width) does not help, as the firewall needs to have the capacity to cope.
  9. Make sure they GET the difference! Why an ISP-based [mitigation] can’t work for layer 7. Also you can explain that, while volumetric attacks are getting bigger quarter on quarter, application-layer attacks are CHEAPER for the ATTACKER. We are seeing in the region of 20% more application-layer attacks in Q1 2016 than volumetric, and this is up about 10% on Q4 2015.