Frank Louwers - Security challenges in a hosting environment - 20131024
Frank Louwers
Openminds bvba
Co-founder and COO
Managed Hosting
frank@openminds.be

DDoS attacks and how they have changed

(D)DoS attacks are not new
Used to be targeted at:
• Competing game clans
• IRC servers
• Political parties

DDoS attack shift
• “Occupy movement”: a lot of attacks on banks
• Political parties
• “Companies and organisations with negative press” (Monsanto, press agency of the Belgian Catholic Church, ...)

Attacks we can’t explain
• Radio stations?!
• Software development companies
• B2B online shops?

DDoS attacks: new tricks
• Amplification attacks: the attacker sends a 2 Mbps stream, it gets multiplied by 20, resulting in a 40 Mbps attack
• Now multiply by 100 bots, so a 4 Gbps attack
• Badly configured DNS servers
• DNSSEC makes the problem worse (signed answers are larger, so the amplification factor grows)

Protect against DDoS attacks
• UDP floods: yes, can be blocked by decent routers
• SYN flood: difficult (compare it to taking a ticket at the butcher’s)
• Huge amount of bandwidth: impossible: 100 000 cars on a road built for 100 cars (only option: remove the road signs)

Protection by external firms
• Good ones: very, very, very expensive (but they work!)
• Cheaper ones: no “unlimited” protection
• 2013: large number of new cheap players
• Some of them Russian and very cheap
• Would you pay the attacker to block the attack?

Conclusion: “the new normal”
• DDoS attacks are here to stay
• Invest in tools to detect the attack
• Invest in procedures: know how to respond
• Get to know the external players
• Insurance? Some insurance companies cover this
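As an added example (not part of the original deck), here is how the reflection pattern behind the amplification slide can be spotted in flow records, the kind of detection tooling the conclusion asks you to invest in: a local host receiving many large answers from UDP port 53, from many distinct senders, while it sent almost no DNS queries itself. The flow record layout, the `Flow` class, the thresholds and the sample addresses are all assumptions constructed for this illustration.

```python
"""Flag DNS amplification traffic in flow records (constructed sample data)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record (simplified NetFlow/sFlow-style export; assumed layout)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    byte_count: int


def projected_attack_mbps(attacker_mbps: float, amplification: float, bots: int) -> float:
    """Bandwidth arriving at the victim for a reflected attack (the slide's 2 Mbps x 20 x 100 bots)."""
    return attacker_mbps * amplification * bots


def summarise_dns(flows, local_net):
    """Per local host: answer bytes/packets received from port 53, query bytes sent to port 53,
    and the set of distinct hosts that sent answers."""
    net = ip_network(local_net)
    stats = defaultdict(lambda: {"in_bytes": 0, "in_pkts": 0, "out_bytes": 0, "sources": set()})
    for f in flows:
        if f.proto != "udp":
            continue
        if f.src_port == 53 and ip_address(f.dst_ip) in net:      # answer arriving at a local host
            s = stats[f.dst_ip]
            s["in_bytes"] += f.byte_count
            s["in_pkts"] += f.packets
            s["sources"].add(f.src_ip)
        elif f.dst_port == 53 and ip_address(f.src_ip) in net:    # query leaving a local host
            stats[f.src_ip]["out_bytes"] += f.byte_count
    return stats


def detect_amplification(flows, local_net, min_sources=10, min_avg_answer=512, min_ratio=10.0):
    """Return {victim_ip: details} for local hosts matching the reflection pattern.

    min_avg_answer=512: plain DNS answers fit in 512 bytes; the EDNS/DNSSEC answers
    abused for amplification are typically several times larger.
    min_ratio: inbound answer bytes vs. outbound query bytes. A host that never
    asked anything gets an infinite ratio, i.e. every answer was unsolicited.
    """
    findings = {}
    for host, s in summarise_dns(flows, local_net).items():
        if s["in_pkts"] == 0:
            continue
        avg_answer = s["in_bytes"] / s["in_pkts"]
        ratio = s["in_bytes"] / s["out_bytes"] if s["out_bytes"] else float("inf")
        if len(s["sources"]) >= min_sources and avg_answer >= min_avg_answer and ratio >= min_ratio:
            findings[host] = {
                "reflectors": len(s["sources"]),
                "avg_answer_bytes": round(avg_answer),
                "in_out_ratio": ratio,
                "inbound_mbytes": round(s["in_bytes"] / 1e6, 1),
            }
    return findings


# Constructed sample using documentation address ranges. 198.51.100.10 is hit by
# 3200-byte answers from 40 reflectors it never queried; 198.51.100.20 does ordinary
# lookups through the local resolver 198.51.100.2 (70-byte queries, 210-byte answers)
# and must not be flagged.
LOCAL_NET = "198.51.100.0/24"
SAMPLE_FLOWS = [
    Flow(f"203.0.113.{i}", 53, "198.51.100.10", 40000 + i, "udp", 120, 120 * 3200)
    for i in range(1, 41)
] + [
    Flow("198.51.100.20", 51234, "198.51.100.2", 53, "udp", 10, 10 * 70),
    Flow("198.51.100.2", 53, "198.51.100.20", 51234, "udp", 10, 10 * 210),
]

if __name__ == "__main__":
    print("projected attack from the slide's numbers:", projected_attack_mbps(2, 20, 100), "Mbps")
    for victim, info in detect_amplification(SAMPLE_FLOWS, LOCAL_NET).items():
        print(f"possible DNS amplification against {victim}: {info}")
```

On real exports the same logic runs per time window; the thresholds are starting points to tune against your own baseline of legitimate resolver traffic.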

About that firewall...
Or why your firewall isn’t going to help much (in a hosting environment)

Traditional big firewall is useless
• Will not protect you against 99.5% of the break-ins we see:
  • Bad code in CMS/websites (> 98%)
  • Stolen credentials (caused by spyware)
  • Infected customer computers used as launch platform
• Not flexible enough (cloud, scaling, ...)
• Unmaintainable, unupgradeable

We are under attack...
• All the time
• Every server
• Impossible to filter the signal out of the noise
• Or at least very difficult

So what does work?
The Onion Model

Onion model
• Maintained website (ask for a maintenance contract)
• Written in the right mindset (“we will be attacked”)
• Small, efficient host firewalls
• Try to detect anomalies
• Force secure credentials or two-factor authentication
• Make customers aware of the problems, teach them ...
• Know what happens on the network

... and automate
• The human factor is the weakest link
  • so take the human factor away where possible
• Automate configuration management:
  • Fewer mistakes
  • Quickly apply a fix to a large number of servers

Hosting providers and the law

Which laws?

Which laws apply?
• “The laws of the country where the server is located apply”
• “The laws of the country where the company HQ is apply”
• But that’s not always the case!

Servers in Europe, US laws
• Amazon Ireland, Microsoft Azure Europe, Rackspace UK
• Are all American companies, or controlled by a US entity
• So they must follow US law!
• PATRIOT Act
• (so the FBI can get a copy of your data without a warrant)

Networks
• Almost all of the big networks are American
  • So assume “they” can read everything you put on the wire
  • So use good encryption or VPN links
• AMS-IX wanted to open a US branch
  • Huge concerns among members!

Snowden and the NSA
• It has become clear that the NSA has access to a lot of data
• Why is there no real outrage?
• Do we really think this is “normal”? Do we accept this?

Laws that change everything
Latest proposal for an “Internet tap”:
• the coffee bar next door that offers free WiFi
• would be forced to buy a 25 000 € tap box
• to allow the police to tap the “public network”

Laws that change everything
• Data retention law:
  • Vague; the “details” (= the entire law) are to be filled in by Royal Decree (RD)
  • Clearly targeted at the “small fish”
  • The real criminal rents a 30 euro dedicated service with no logs

Laws that change everything
• A lot of “Notice and Take Down” proposals:
  • require us, as a hoster, to be a judge
  • We are not judges, and don’t want to be!
  • Changes the intent of the current law completely!
  • “mere conduit” vs “judge”
BISC 2013: Hosting and security