Download to read offline
Uploaded byJo Bridger
Surviving a DDOS Attack
The document details a case study on how Eduserv managed multiple DDoS attacks against its services in January 2015, highlighting attack profiles, mitigation strategies, and lessons learned. It outlines the nature of the attacks, their impact on government websites, and the incident response process including the use of AWS for protection. Key takeaways emphasize the importance of bandwidth, DNS flexibility, real-time monitoring, and social media for preemptive insight into attacks.
More Related Content
![Analysis-of-Security-Algorithms-in-Cloud-Computing [Autosaved]](https://cdn.slidesharecdn.com/ss_thumbnails/feaf8b66-8e98-45b4-8298-a83f6bac4c28-160203141835-thumbnail.jpg?width=640&height=640&fit=bounds)
Surviving a DDOS Attack
- 1. www.eduserv.org.uk Surviving a DDoSAttack Matt Johnson, Head of Research, Eduserv January 2015
- 2. Agenda Background Diaryof the DDoS Attack profiles & social media Analysis and solution overview Costs Lessons learned Q&A
- 3. Background Eduserv isa registered charity providing IT services to public good organisations Operates primary services from our Swindon datacentre, secondary and DR services from Slough / London Providing hosting services since 1996 IT services customer base 20+ customers, across government, health, education and the charity sectors Some of the government customers are high-profile targets
- 4. Day 1 Initialattack was seen on Sunday evening Lasted around 2 hours Attack was TCP-based, volumetric, probably HTTP-based Primary sources in Brazil, Canada Attack claimed by hacker via Twitter
- 5. Day 2 Secondattack on Monday afternoon Against a range of Govt. websites Attack was UDP-based Probably DNS-amplification Diverse source addresses 1 hour DoS for a number of customers Damage limitation Re-address and black-hole the address block of the targeted website services “One sacrificed to save the many”
- 6. Day 3 Attackedwebsite brought back online Separate ISP link to mitigate impact to other services DDoS attacks resumed immediately Web service was a 3rd party legacy build, with poor support for caching HTTP volumetric based attack overwhelmed web server cluster
- 7. Attack Methods Rangeof attack methods used Low Orbit Ion Cannon (LOIC), High Orbit Ion Cannon (HOIC) DNS Amplification, HTTP Idle Attacks, Scale of the attack Bandwidth peak estimated >5 Gbps 200+ malformed requests p/sec (normally 2-3 requests p/sec) Lack of support from upstream ISP for real-time blocking Without this support, in a volumetric attack, hands are tied
- 8. Social Media Manyattackers like to promote their “work” – can give an early insight into what’s happening (or about to happen) Don’t believe everything you read
- 9. Incident Analysis IncidentResponse Team formed Multi-disciplinary teams – can bring new insight into solutions Whiteboard-based evaluation of options Continual comms with the impacted customer Possible solutions Block or disable attacking platforms at source Rebuild the web service to cope with the additional workloads Filter the DDoS traffic whilst allowing legitimate requests
- 10. Starting Situation attack attackattack attack attack attack attack attack web firewalls routers www.customer.gov.uk user
- 11. www.customer.gov.uk Proposed Solution web firewalls routers Proxy-2LogServer Load Bal. Proxy-1 attackattack attack attack attack attack attack attack safe.customer.gov.uk user Black Hole www.customer.gov.uk
- 12. Web Proxy inthe Cloud Cloud provider choice – Amazon Web Services Already had expertise in deploying AWS services Huge bandwidth capacity (estimated at 600 Gbps+) AWS Marketplace offers quick deployment of application servers Proxy choice - AiCache Reviewed options in the AWS Marketplace AiCache seemed to deliver the functionality required Available on a PAYG basis with no up-front licensing commitments Configured and implemented inside of 4 hours
- 13. Enabling DDoS protection TotalHTTP requests Valid HTTP requests Bad HTTP requests DDoS protection enabled
- 14. Enabling IP Throttling Initial(Test) IP throttling started Initial (Test) IP throttling finished Full IP Throttling enabled
- 15. Traffic profile beforeand after proxy implementation Initial DDoS causing outages Ongoing DDoS – proxy in place Normal traffic profile
- 16. Costs IT costs:£350, comprising: AWS: 150 GB of data transfer, load-balancing; 2 large VMs; 100 GB of data storage: ~$270 over 14 days AiCache: 2 licences & support: $280, again over 14 days People costs: £25k, comprising Incident response: ~£15k Incident analysis: ~£10k Indirect costs: ~£20k Impact on customer services, 3rd party effort, opportunity costs
- 17. Lessons Learned Bandwidthis king In a sustained attack, whoever has the most, wins DNS flexibility is vital Having a well-architected DNS infrastructure allows you to change service endpoints quickly in response to targeted attacks Make sure you have a diverse route into your DNS management Watch social media Can often give you insights into upcoming attacks, motivation Log everything Never know what might be needed to support further investigations
- 18. AWS Learning AmazonCloudWatch Useful near-real time insight into DDoS traffic (via ELB metrics) Provided evidence for the criminal investigation Only stores data for 2 weeks – grab the data whilst you can Needed to write custom CLI/API scripts to extract CloudWatch data Really could do with a built-in data export capability! AWS Elastic Load Balancer Partially mitigated some of the DDoS attack vectors Supports X-Forwarded-For (XFF) header to track originating IPs
- 19. AWS Learning EC2capabilities AWS offers an incredibly easy way to tap into huge data pipes Incoming bandwidth is free… useful in DDoS situations Route53 is great! Supports simple mapping of Zone Apex to ELB target Geo-distributed endpoints make it incredibly quick and reliable Amazon Marketplace Great source of pre-configured AWS-ready services Use it!
- 20. Thank you! Questions? Matt Johnson Matt.Johnson@eduserv.org.uk @mhj_work www.eduserv.org.uk www.slideshare.net/eduserv