ISSA Nashville Chapter, May 17 th 2013 Alexander Karstens Senior Systems Engineer IXIA Communications Preparing your organization for DDoS

Agenda  DDoS Trends  DDoS Attacks  DDoS Mitigation  Useful tools  Q&A

DDoS Trends

Motivation Behind DDoS/DoS Attacks – Political/Hacktivism – Ransoms – Retaliation – Competition – Unknown

DDoS Trends Large volume network flood attacks High & Low rate application DoS attacks “Low & Slow” DoS attacks Brute force attack Web application attacks (e.g. XSS, Injections, CSRF) SYN flood Port scan Network scan Intrusion Intrusion, Malware SHUT DOWN

DDoS Trends Volumetric network level Application level, Encrypted Low & Slow Directed Application DoS Intrusions Web attacks (injections, XSS,…)

DDoS Trends These random request techniques force CDNs to “raise the curtain” – All the attack traffic is disembarked directly to the customer premise – More complex to mitigate attacks masked by CDN Internet CDN Customer site

DDoS Trends (future?) What about IPv6? You may not use in your organization, yet most newer desktops (Windows 7 anyone?) –Tunnel IPv6 over IPv4 (Utilities moving to IPv6 to address meters)….and on top of that they are wireless as well. It’s seem feasible for someone to build a botnet using mobile phones. Add 4G to the mix and you have plenty of bandwidth to ‘play’ with. QR codes anyone? WiFi is now carrying critical applications. There are host of WiFi level DDoS attacks (both AP and controller) OpenFlow?

DDoS Mitigation

The Attack Cycle

DDoS Attacks Volume Metric attacks (pipe fillers) – SYN Floods – UDP Floods – DNS Floods – Amplification attacks (mostly DNS, but could also be VoIP) Application layer attacks (low and slow) – SlowLoris – Hash Attack – PyLoris (HTTP, SMTP, IMAP…) – RUDY (R-U-DEAD-YET) – SSL (server has to work 10 times harder than the SSL client)

DDoS Mitigation Internet Ingress Traffic with Attack Network Traffic – In/Out-bound Ingress Clean Traffic Scrubbing centers Protected customer Anti-DDoS 24x7 SOC MSP “CPE” Mitigator Premise Based Scrubbing 1.Better visibility and response time 2.Coverage Low & Slow Application level DoS attacks Encrypted attacks Asymmetrical traffic issues “Local” Mitigation 3. Signaling capabilities Detection Base lines RT signatures Scrubbing center Bandwidth attacks High capacity scrubber Multi-home (Carrier agnostic) Anti-DoS SOC Signaling (Diversion decision) “Always-On” Solution

DDoS Mitigation Who can solve the problem – Firewalls – IPS – WAF – ADC – Web Proxies A single technology does not solve the problem Architecture, Architecture Elements and Architecture need to be sized and verified

DDoS Mitigation Architecture – Cloud Scrubber- volumetric attacks – CPE Scrubber- app attacks, low and slow – Border Routers – Tier 1 FW- presentation – ADC- SSL termination – WAF- application attacks, SQL Injection – IPS- host based attacks – Tier 2 FW- application Border Router SSL Terminator CPE Scrubber SSL Terminator CPE Scrubber Border FW ADC WAF IPS Cloud Scrubber

Helmuth von Moltke Explains Modern DDoS "No plan of operations extends with certainty beyond the first encounter with the enemy's main strength” or "no plan survives initial contact with the enemy”

Usefool tools Logstalgia (visualization tool…reads NCSA formatted server logs) PyLoris (multi purpose application layer attack tool…requires Python) SlowLoris (HTTP only) LOIC (sourceforge.net…Low Orbit because it send attacks at L3/4) HOIC (similar to SlowLoris, but has booster back to ‘adapt’ to countermeasures)

17 How can individual machines cause a big enough distraction with todays typical volume of network traffic? My lowend Core i3 laptop can put out a 12K PPS DDoS Multiply that by even a few thousand machines…

Thank You