How to protect your network from the escalating threat of DDoS

Presentation transcript:

How to protect your network from the escalating threat of DDoS
Kleber Carriello de Oliveira, Consulting Engineer

Distributed Denial of Service (DDoS)
DDoS, in very simplified terms: the attacker "clogs" a bottleneck, whether it is bandwidth, processing capacity or state tables. Filling up your network capacity.

Key Findings of the Survey
- Threat severity and complexity continue to increase.
- Attack size increases dramatically, impacting underlying network infrastructure.
- Application layer attacks continue, with some new applications being targeted more frequently.
- The threat-to-defense gap is the widest observed to date: the DDoS attack capabilities of miscreants are outpacing the defensive measures taken by network service providers.
- Firewall and IPS equipment represents critical points of failure during DDoS attacks.
- Mobile network growth is a game changer: availability of limitless botnets with greater bandwidth and few network control points.
- New technologies affect the fragility of Internet infrastructure.

DDoS Attack Sizes Over Time

Attack Motivation

Attack Frequency

Attack target

Application Layer

Failure of Firewall and IPS in the IDC
Nearly half of all respondents have experienced a failure of their firewalls or IPS due to DDoS attacks.

The IPv6 Security Arms Race
Vendors and network operators are rushing to introduce IPv6 visibility and security as networks scale up.

The IPv6 Security Arms Race

The IPv6 Security Arms Race

DDoS Defense – No longer an Ostrich Mentality
The attitude to DDoS as a service availability threat has traditionally been to bury your head and hope that it doesn't happen to you. The attitude is quickly changing because of attack frequency, scope and motivation.
Source: Arbor Networks 2011 Worldwide Infrastructure Security Report

Impact of DDoS Attacks on the Business
Botnets & DDoS attacks cost an average enterprise $6.3M* for a 24-hour outage!
Source: Ponemon Institute – 2010 State of Web Application Security
* Source: McAfee – Into the Crossfire – January 2010
The impact of loss of service availability goes beyond financials:
- Operations: How many IT personnel will be tied up addressing the attack?
- Help Desk: How many more help desk calls will be received, and at what cost per call?
- Recovery: How much manual work will need to be done to re-enter transactions?
- Lost Worker Output: How much employee output will be lost?
- Penalties: How much will have to be paid in service level agreement (SLA) credits or other penalties?
- Lost Business: How much will the ability to attract new customers be affected? What is the full value of those lost customers?
- Brand & Reputation Damage: What is the cost to the company brand and reputation?
Beyond only the direct impact of being offline (an e-commerce site), imagine the reputational damage to a government that cannot defend itself, or to a telecommunications company that cannot communicate.

DDoS Tool Landscape – Easy Access for Everyone
Many malware families have added DDoS capabilities. Attackers now have hundreds of tools to choose from at varying costs and complexities:
- Single user flooding tools
- Host booters
- Shell booters
- DDoS bots of varying complexity
There are no hard-and-fast lines between one threat class and another. The intent behind a tool and the motive for its use play a part in how it has been classified. This is not intended to be an exhaustive list of DDoS threats, only a sample.

Understanding DDoS

What is a DDoS Attack?
During a Distributed Denial of Service (DDoS) attack, compromised hosts (bots) or vigilante users from distributed sources overwhelm the target with illegitimate traffic so that the servers cannot respond to legitimate clients.

High Bandwidth Volumetric DDoS

Protocol Attacks

Connection Based Attacks

Reflection Attacks

Application-Layer Attacks

How to Protect Against DDoS

A Solution Needs to Handle All Attack Types
Different defenses are needed for different types of threats.

DDoS Overwhelming Traditional Defenses
Current DDoS attacks are designed to thwart general defenses:
- Use large, distributed botnets
- Employ low-and-slow application layer attacks
- Combine the above for obfuscation

Intelligent DDoS Mitigation Systems
Block common and complex attacks using a variety of counter-measures such as the ones listed here. Detect and stop application-layer DDoS attacks that are hard to detect in the cloud.
- General: Single Source Attack; Distributed DDoS; Spoofed / Non-Spoofed Attacks
- TCP Attacks: TCP SYN Floods; Invalid TCP Flag Combinations; Window Size Attacks (Sockstress, etc.); Slow TCP Connections (TCP Idling, etc.)
- HTTP / Web Attacks: Slow HTTP Connections (Slowloris / Pyloris); HTTP GET / POST URL Floods
- DNS: DNS Floods; DNS Authentication
- Other: UDP / ICMP Floods; IP / TCP / UDP Fragment Floods; IP NULL Floods
Stop advanced attacks, including application-layer DDoS attacks, using multiple counter-measures. Multiple dimensions of counter-measures can be leveraged to stop dynamic and diverse threats.

Intelligent, Layered DDoS Protection Solution
Diagram components: Data Center, IPS, Load Balancer, Firewall, ISP-Based Mitigation, Peakflow SP, TMS, Pravail APS
- In-Cloud DDoS Protection: Protect against all attack types; Protect datacenter links; Leverage expertise of the ISP
- CPE-Based DDoS Protection: Always-on protection; Keep services running when attacked; Cloud signal to ISP system when overwhelmed

Case Study: September 2012 Financial Sector Attacks

The beginning of "Operation Ababil"
- "Cyber fighters of Izz ad-din Al qassam" posted a call to action on Pastebin on September 18, calling for Muslims to attack the Bank of America and the New York Stock Exchange.
- Four days earlier, messages linked to the same group called for attacks against Google's YouTube, citing their refusal to take down a movie that offended some Muslims.
- These attacks have continued over the past few weeks towards varying targets.
- In spite of claims of responsibility tied to specific groups, Arbor has found no evidence to link these attacks to any particular group or nation-state.
Time will tell the true motivations, but the source is not relevant because the goal is to maintain availability and integrity of the applications and services. We must remain vigilant because there will always be another threat.

Attacks Take Major Financials Off-line

Triple Crown Attack – Multi-vector on a New Level
Three new tools being used: Tool.Brobot, Tool.Kamikaze and Tool.Amos
Multiple concurrent attack vectors:
- GET and POST app layer attacks on HTTP and HTTPS
- DNS query app layer attack
- TCP SYN floods
- Floods on UDP, TCP, ICMP and other IP protocols
Unique characteristics of the attacks:
- Use of shell booters (infected web servers) with high upstream bandwidth
- Very high packet per second rates per individual source
- Large bandwidth attack on multiple companies simultaneously
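The mitigation-system slide lists TCP SYN floods and invalid TCP flag combinations among the counter-measure categories, and the Triple Crown slide notes very high packet-per-second rates per individual source as a distinguishing trait. The following is an added example, not code from the presentation or from Arbor, showing how a defender can triage flow records offline for exactly those three signals. The flow records, the flag encoding (S/A/F/R/P letters, empty string for a NULL packet) and all thresholds are constructed assumptions for illustration; a real deployment would read NetFlow/IPFIX or packet captures and tune the thresholds to its own baseline.

```python
from collections import defaultdict

# Constructed sample flow records (not captured data). Each record is
# (timestamp_seconds, src_ip, dst_port, tcp_flags, packet_count), where
# tcp_flags is a string of S/A/F/R/P letters and "" means a NULL packet.
SAMPLE_FLOWS = [
    # ordinary client: SYN, ACK, data, FIN over 1.5 seconds
    (0.0, "203.0.113.10", 443, "S", 1),
    (0.1, "203.0.113.10", 443, "A", 1),
    (0.2, "203.0.113.10", 443, "PA", 4),
    (1.5, "203.0.113.10", 443, "FA", 1),
    # single high-bandwidth source sending nothing but SYNs
    (0.0, "198.51.100.7", 80, "S", 5000),
    (0.5, "198.51.100.7", 80, "S", 5000),
    (1.0, "198.51.100.7", 80, "S", 5000),
    # source sending flag combinations no real TCP stack produces
    (0.3, "192.0.2.33", 22, "SF", 200),
    (0.4, "192.0.2.33", 22, "", 200),
]

# Assumed thresholds; tune against your own traffic baseline.
SYN_MIN_PACKETS = 100        # ignore sources below this many SYNs
ACK_TO_SYN_RATIO_MIN = 0.5   # a real client follows its SYN with ACKs
PPS_THRESHOLD = 1000.0       # per-source packets/second worth alarming on
MIN_WINDOW_S = 1.0           # floor so a burst is not divided by ~0 seconds


def is_invalid_flags(flags):
    """True for combinations only crafted packets carry: NULL, SYN+FIN, SYN+RST."""
    if flags == "":
        return True
    return "S" in flags and ("F" in flags or "R" in flags)


def invalid_flag_combos(flows):
    """List (src_ip, flags) for every record carrying an invalid combination."""
    return [(src, flags) for _, src, _, flags, _ in flows if is_invalid_flags(flags)]


def syn_flood_sources(flows):
    """Sources that send many SYN-only packets and almost never follow up
    with the ACK that completes a handshake (half-open pattern)."""
    syn = defaultdict(int)
    ack = defaultdict(int)
    for _, src, _, flags, pkts in flows:
        if flags == "S":
            syn[src] += pkts
        elif "A" in flags:
            ack[src] += pkts
    flagged = []
    for src, n_syn in syn.items():
        if n_syn >= SYN_MIN_PACKETS and ack[src] / n_syn < ACK_TO_SYN_RATIO_MIN:
            flagged.append(src)
    return sorted(flagged)


def packets_per_second(flows):
    """Per-source packet rate over the span of time that source was seen."""
    first, last = {}, {}
    total = defaultdict(int)
    for t, src, _, _, pkts in flows:
        first[src] = min(first.get(src, t), t)
        last[src] = max(last.get(src, t), t)
        total[src] += pkts
    return {src: total[src] / max(last[src] - first[src], MIN_WINDOW_S)
            for src in total}


def triage(flows):
    """Combine the three checks into one report keyed by finding type."""
    pps = packets_per_second(flows)
    return {
        "syn_flood": syn_flood_sources(flows),
        "invalid_flags": invalid_flag_combos(flows),
        "high_rate": sorted(src for src, rate in pps.items() if rate >= PPS_THRESHOLD),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_FLOWS).items():
        print(kind, hits)
```

On the constructed sample the SYN-only source is reported by both the half-open check and the rate check, the crafted-flag source is reported only by the flag check, and the ordinary client is reported by none, which is the property a triage script needs before its output can feed a block list or an upstream mitigation request.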

Lessons Learned
- Enterprise firewalls/IPS truly don't offer any protection: all companies attacked have these devices.
- Carrier/MSSP coverage has limits: resource strain when customers get attacked simultaneously; slower to upgrade to the latest releases/protections.
- Need to deploy DDoS security in multiple layers: on premise for control and speed; multiple upstream options; MSSPs.
- Capacity models need to be re-evaluated, as larger multi-vector, multi-customer attacks have become a reality.
- Increase speed of new technology adoption.

Thank You Kleber Carriello de Oliveira kco@arbor.net