The Role of Content Delivery Networks in Protecting Web Sites from Attacks Bruce Maggs VP for Research, Akamai Technologies.

Presentation transcript:

The Role of Content Delivery Networks in Protecting Web Sites from Attacks Bruce Maggs VP for Research, Akamai Technologies

©2013 AKAMAI | FASTER FORWARD TM

The Akamai Platform and Services

Daily Traffic:
- 25+ Tbps peak
- 19+ million hits per second
- 600+ million IPv4 clients/day
- 4+ trillion deliveries/day
- 30+ petabytes/day
- 10+ million concurrent streams

Delivering 130,000+ Domains:
- All top 60 ecommerce sites
- All top 30 media & entertainment companies
- 9 of the top 10 banks
- All of the top Internet portals

A Global Platform:
- 160,000+ Servers
- 1,100+ Networks
- 2,500+ Physical Locations
- 650+ Cities
- 81 Countries

Embedded Image Delivery (e.g., Amazon)

<html><head>
Welcome to xyz.com!
</head><body>
<img src=“
Welcome to our Web site!
Click here to enter
</body></html>

Embedded URLs are Converted to ARLs ak

Akamai DNS Resolution

[Diagram: End User (1 Browser’s Cache, 2 OS) → 3 Local Name Server → Root (Verisign), .com, .net → xyz.com’s nameserver (6 ak.xyz.com, 7 a212.g.akamai.net) → 8 akamai.net → Akamai High-Level DNS Servers (10 g.akamai.net; select cluster) → Akamai Low-Level DNS Servers (12 a212.g.akamai.net; select servers within cluster)]

Distributed Denial of Service (DDOS) Attacks

- The attacker hopes to overwhelm the content provider’s resources with requests for service.
- Sometimes the attacker employs a “bot army” of compromised machines.
- The attacker tries to issue requests for content that cannot be cached.
- The attacker looks for “amplification”, where an easy-to-generate request requires a difficult-to-generate response.

[Chart: Attack Frequency (Attacks Detected and Mitigated)]

[Chart: Largest Attacks by Year, in Gbps and Mpps]

[Chart: Attack Types Q3 2014]

Attack Origins Q3 2014

- US 23.95%
- China 20.07%
- Brazil 17.60%
- Mexico 14.16%
- Korea 6.13%
- Germany 5.78%
- Japan 4.10%
- Russia 2.97%
- India 2.81%
- Thailand 2.43%

Targeted Industry Sectors

[Chart]

Avoid data theft and downtime by extending the security perimeter outside the data center, and protect against the increasing frequency, scale and sophistication of web attacks.

The Akamai Platform Provides a Perimeter Defense

[Diagram: End User → Akamai Traffic → the Akamai platform → Origin Traffic (labelled 1000) → Origin Server]

Defeating HTTP flooding attacks – Rate Controls

1. Count the number of Forward Requests
2. Block any IP address with excessive forward requests

[Diagram: Client Request → Akamai Edge Server → Forward Request → Customer Origin → Forward Response; a blocked client (X) receives a Custom Error page]
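The two rate-control steps above, worked through in code as an added example (not Akamai's implementation): an edge counts only the requests it has to forward to the origin within a sliding window, and once a client IP exceeds the limit every further request from it gets the custom error page. The window, limit, log format and IP addresses are assumptions constructed for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # sliding window length (assumed for this example)
MAX_FORWARDS = 4      # forward requests allowed per IP per window (assumed)
CUSTOM_ERROR_PAGE = "HTTP/1.1 429 Too Many Requests\r\n\r\nRate limit exceeded"

class RateControl:
    """Counts only requests the edge must forward (cache misses); hits cost the origin nothing."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_FORWARDS):
        self.window = window
        self.limit = limit
        self.forwards = defaultdict(deque)   # client IP -> timestamps of forwards
        self.blocked = set()

    def handle(self, ts, ip, cache_hit):
        """Return "hit", "forward" or "blocked" for one client request."""
        if ip in self.blocked:               # blocked IPs get the error page
            return "blocked"
        if cache_hit:
            return "hit"
        q = self.forwards[ip]
        q.append(ts)
        while q and q[0] <= ts - self.window:  # drop forwards outside the window
            q.popleft()
        if len(q) > self.limit:              # step 2: excessive forwards -> block
            self.blocked.add(ip)
            return "blocked"
        return "forward"

# Constructed edge log, "<seconds> <client IP> <cache status>": 198.51.100.7
# hammers uncacheable content while 203.0.113.9 browses normally.
EDGE_LOG = """\
0 203.0.113.9 MISS
1 203.0.113.9 HIT
2 198.51.100.7 MISS
2 198.51.100.7 MISS
3 198.51.100.7 MISS
3 198.51.100.7 MISS
4 198.51.100.7 MISS
5 198.51.100.7 MISS
6 203.0.113.9 MISS
7 198.51.100.7 HIT
"""

def replay(log=EDGE_LOG):
    """Feed the log through the rate control; return it and the per-IP outcomes."""
    rc = RateControl()
    outcomes = defaultdict(list)
    for line in log.splitlines():
        ts, ip, status = line.split()
        outcomes[ip].append(rc.handle(int(ts), ip, status == "HIT"))
    return rc, dict(outcomes)
```

The Phase 2 notes later in this deck mention burst probes timed to slip under rate limits; the window length and threshold are the knobs that decide how short a burst still trips the block.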

Filtering Out Malformed Requests

- SQL injection attacks
- Cross-site scripting (XSS) attacks
- Cache busting attacks

Relational databases

Relational databases store tables consisting of rows and columns. (image from

Structured Query Language (SQL)

Example Query:

SELECT * FROM Employees WHERE LName = 'PARKER';

IdNum  LName   FName  JobCode  Salary  Phone
1354   PARKER  MARY   FA       /

Example SQL Injection

Suppose a program creates the following SQL query, where userName is a variable holding input provided by an end-user, e.g., through a form on a Web page.

"SELECT * FROM Employees WHERE LName = '" + userName + "';"

But instead of entering a name like PARKER the user enters

' or '1'='1

Then the query becomes

SELECT * FROM Employees WHERE LName = '' or '1'='1';

This query returns all rows in the Employees table!

A More Destructive Injection

Same code as before:

"SELECT * FROM Employees WHERE LName = '" + userName + "';"

But now suppose the user enters

a'; DROP TABLE Employees

Then the query becomes

SELECT * FROM Employees WHERE LName = 'a'; DROP TABLE Employees;

This query might delete the Employees table! (Not all databases allow two queries in the same string.)
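Both injection slides run against a real database, as an added example that is not from the deck: the slide's concatenated query beside the parameterized form that closes the hole, using an in-memory SQLite table constructed here with the slide's column names. SQLite's execute() refuses a second statement in one string, which is exactly the caveat on the second slide; other database drivers do run stacked statements.

```python
import sqlite3

def make_db():
    """Constructed in-memory Employees table mirroring the slide's columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Employees (IdNum INTEGER, LName TEXT, FName TEXT, JobCode TEXT)")
    conn.executemany("INSERT INTO Employees VALUES (?, ?, ?, ?)",
                     [(1354, "PARKER", "MARY", "FA"), (1007, "SMITH", "JOHN", "PT"),
                      (2210, "LEE", "ANNA", "ME")])
    return conn

def lookup_vulnerable(conn, user_name):
    """The slide's construction: user input is spliced into the SQL text."""
    query = "SELECT * FROM Employees WHERE LName = '" + user_name + "';"
    return conn.execute(query).fetchall()

def lookup_safe(conn, user_name):
    """Bound parameter: the value travels separately and cannot change the query's structure."""
    return conn.execute("SELECT * FROM Employees WHERE LName = ?;", (user_name,)).fetchall()

def compare():
    """Row counts for an honest name and the first slide's payload, built both ways."""
    conn = make_db()
    payload = "' or '1'='1"
    return {"vuln_honest": len(lookup_vulnerable(conn, "PARKER")),
            "vuln_injected": len(lookup_vulnerable(conn, payload)),   # every row
            "safe_honest": len(lookup_safe(conn, "PARKER")),
            "safe_injected": len(lookup_safe(conn, payload))}        # no such LName

def drop_attempt():
    """The second slide's payload. SQLite rejects the stacked statement before
    running anything, so the table survives; return the outcome and table count."""
    conn = make_db()
    try:
        lookup_vulnerable(conn, "a'; DROP TABLE Employees")
        outcome = "executed"
    except (sqlite3.Warning, sqlite3.Error):      # "You can only execute one statement at a time"
        outcome = "rejected"
    tables = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()
    return outcome, len(tables)
```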

bobby-tables.com: A guide to preventing SQL injection (from the comic strip xkcd)

Cross-Site Scripting

Attacker types this into text entry form:

Attacker hopes that later the site will insert this into the HTML that it outputs, and then the victim’s browser will execute the script.

Cache Busting

Attacker adds query strings to the end of a requested URL, e.g.,

Attacker hopes that the CDN will view each request with a different query string as a request for a different object, and fetch a new copy from the content provider.
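One edge-side answer to the cache-busting slide, as an added example rather than Akamai's caching rules: key the cache on the path plus only the query parameters the application actually uses, so random or unknown parameters collapse onto one cached object and never reach the origin. The allow-list, the paths and the request burst are constructed for this example.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode

# Query parameters each path actually uses (assumed for this example);
# everything else is dropped from the cache key.
ALLOWED_PARAMS = {"/search": {"q", "page"}, "/docs/statement.pdf": set()}

def cache_key(url):
    """Normalise a request URL to the key the edge caches it under."""
    parts = urlsplit(url)
    allowed = ALLOWED_PARAMS.get(parts.path, set())
    kept = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                  if k in allowed)          # sorting makes parameter order irrelevant
    return parts.path + ("?" + urlencode(kept) if kept else "")

class EdgeCache:
    """Minimal edge cache that counts how often it has to go to the origin."""
    def __init__(self):
        self.store = {}
        self.origin_fetches = 0

    def get(self, url):
        key = cache_key(url)
        if key not in self.store:
            self.origin_fetches += 1          # cache miss: forward to origin
            self.store[key] = "<object for %s>" % key
        return self.store[key]

# Constructed request burst: random query strings against a PDF, plus two
# search requests that differ only in parameter order and a junk parameter.
REQUESTS = [
    "/docs/statement.pdf?x=8231", "/docs/statement.pdf?x=99", "/docs/statement.pdf?zz=ab",
    "/docs/statement.pdf?cache=0a1b", "/docs/statement.pdf?cache=7f7f", "/docs/statement.pdf",
    "/search?q=loan&page=2", "/search?page=2&q=loan&junk=123",
]

def simulate(urls=REQUESTS):
    """Return (origin fetches when keyed on the full URL, origin fetches with cache_key)."""
    full_url_fetches = len(set(urls))          # a CDN keyed on the full URL misses once per URL
    edge = EdgeCache()
    for u in urls:
        edge.get(u)
    return full_url_fetches, edge.origin_fetches
```

An allow-listed parameter fed random values (the "valid argument names, random values" tactic in the Operation Ababil notes) still produces distinct keys, which is where the rate controls above take over.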

Operation Ababil

Phase 1: Sep 12 – Early Nov 2012
- DNS packets with “AAAAA” payload
- Limited Layer 7 attacks
- Early-mid Oct 2012: announced names of banks where attacks succeeded (did not announce bank names if attacks were unsuccessful)
- Began use of HTTP dynamic content to circumvent static caching defenses

Phase 2: Dec 12, 2012 – Jan 29
- Incorporate random query strings and values
- Addition of random query strings against PDFs
- Additions to bot army
- Burst probes to bypass rate-limiting controls
- Addition of valid argument names, random values

Phase 3: Late Feb 2013 – May 2013
- Multiple probes
- Multiple targets
- Increased focus on Layer 7 attacks
- Target banks where attacks work
- Fraudsters take advantage
- “none of the U.S banks will be safe from our attacks”

Phase 4: July 2013 –
- Used fake plug-ins to infect files

DNS Traffic Handled by Akamai

[Chart: Total eDNS, y-axis 0.0 to 1.8 M, Tues 12:00 through Wed 12:00]

Phase 1 Attack – Sept
- Attack Traffic: 23 Gbps (10,000X normal)
- Duration: 4.5 Hours
- High volume of non-standard packets sent to UDP port 53
- Packets did not include a valid DNS header
- Packets consisted of large blocks of repeating “A”s
- The packets were abnormally large
- Simultaneously, a SYN-Flood was directed against TCP port 53
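The three packet properties listed for the Phase 1 flood (no valid DNS header, repeating "A"s, abnormal size) turned into a classifier, as an added detection example that is not Akamai's code: it checks size, byte repetition, header section counts and a well-formed question section. The size threshold and the sample datagrams are constructed assumptions.

```python
import struct
from collections import Counter

MAX_QUERY_BYTES = 512   # normal UDP query ceiling (assumed threshold for this example)

def build_query(name, ident=0x1234):
    """Construct a well-formed standard query for an A record (sample input)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    header = struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0)     # RD set, QDCOUNT=1
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def well_formed_question(payload):
    """Walk the QNAME labels after the 12-byte header; require a terminator
    followed by at least QTYPE and QCLASS (extra sections may follow)."""
    i = 12
    while i < len(payload):
        n = payload[i]
        if n == 0:
            return i + 5 <= len(payload)
        if n > 63 or i + 1 + n > len(payload):   # label too long or runs off the end
            return False
        i += 1 + n
    return False

def classify(payload):
    """Return "ok" or the first reason a UDP/53 datagram looks non-standard."""
    if len(payload) > MAX_QUERY_BYTES:
        return "abnormally large"
    if len(payload) < 12:
        return "shorter than a DNS header"
    top_byte, top_count = Counter(payload).most_common(1)[0]
    if top_count >= 0.9 * len(payload):              # e.g. a block of repeating "A"s
        return "repeating byte 0x%02x" % top_byte
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    if qd != 1 or an or ns:                          # queries carry one question, no answers
        return "implausible section counts"
    if not well_formed_question(payload):
        return "malformed question section"
    return "ok"

# Constructed datagrams: a legitimate query, a Phase 1-style flood packet, a
# repeating payload small enough to pass the size check, and a truncated query.
SAMPLES = {
    "legit": build_query("www.example.com"),
    "flood": b"A" * 1400,
    "short_flood": b"A" * 300,
    "truncated": build_query("www.example.com")[:20],
}

def summarize(samples=SAMPLES):
    """Classify each sample datagram; return {name: verdict}."""
    return {name: classify(p) for name, p in samples.items()}
```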

Phase 2 Attacks - January 2nd, 2013

[Chart; bank tabs: Bank #1, Bank #2, Bank #3, Bank #4, Bank #5]

- QCF targeted PDF files
- Akamai Dynamic Caching Rules offloaded 100% of the traffic
- No Origin Impact

Phase 2 Attacks - January 2nd, 2013

[Chart; bank tabs: Bank #1, Bank #2, Bank #3, Bank #4, Bank #5]

- QCF targeted marketing web pages
- Rate controls automatically activated
- Attack was deflected, far from bank’s datacenter
- No Origin Impact

Phase 2 Attacks - January 2nd, 2013

[Chart; bank tabs: Bank #1, Bank #2, Bank #3, Bank #4, Bank #5]

- QCF targeted SSL
- Akamai offloaded 99% of the traffic
- No Origin Impact

Phase 2 Attacks - January 2nd, 2013

[Chart; bank tabs: Bank #1, Bank #2, Bank #3, Bank #4, Bank #5; Gomez agents in 12 cities measuring hourly; annotations at 9:00 AM and 12:03 PM: Error/Outage—site not responding]

- NOT on Akamai

Phase 2 Attacks - January 2nd, 2013

[Chart; bank tabs: Bank #1, Bank #2, Bank #3, Bank #4, Bank #5; Gomez agents in 12 cities measuring hourly; annotations at 12:44 PM and 6:21 PM: Error/Outage—site not responding]

- NOT on Akamai

Phase 3 Attack Example

- Attack started on the morning of March 5, 2013
- Peak Attack Traffic > 126 thousand requests per second
- 70x normal Edge Bandwidth (29 Gbps)
- Origin Traffic stayed at normal levels
- ~2000 Agents participated in the 20 minute assault
- 80% of the agents were new IP addresses that had not participated in earlier campaigns

Attack Tactics - Pre-attack Reconnaissance

- Attackers test the site with short burst high speed probes
- Short bursts of attack requests on non-cacheable content every 10 minutes
- Peak of 18 million requests per second
- If the site falters, they announce that they will attack that bank and return later with a full scale attack
- If the site is resilient they move on

Observations

- Due to recent attack sizes, infrastructure capacity build out is not economical, and may not work anyway
- Attacks range from 13X to 70X normal traffic, 25X to 120X normal request volume
- The burst speed of attacks has become too fast for reactive mitigation – a proactive “always-on” defense is necessary