Don t get DDoSed and Confused. Patrick Sullivan, CISSP, GSLC, GWAPT, GCIH Managed, Security Services

Transcription

1 Don t get DDoSed and Confused Patrick Sullivan, CISSP, GSLC, GWAPT, GCIH Managed, Security Services

2 Agenda Intro/Data Collection DDoS Basics Trends and Statistics Adversarial Groups/Motivations Defense

3 Akamai has unique insight into Web/DDoS Traffic 1 Akamai s Edge carries ~ 20Tbps of Web Traffic at steady state with bursts to 30+Tbps 2 FAST DNS Authoritative DNS Solution DNS servers Edge servers FAST DNS Akamai Web Platform WAF Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. Prolexic Scrubbing centers 3 Prolexic BGP-Based DDoS Mitigation 4 Akamai Customer Base. 98 of top 100 Commerce Sites All Braches of US Military All Agencies of the US Gov t 10 of top 10 Banks 30 of top 30 Media Sites 10 of top 10 Asset Managers 10 of top 10 P&C Companies 8 of top 10 Auto Manufacturers

4 Cloud Security Intelligence Visibility Grow revenue opportunities with fast, personalized web 15 to experiences 30 percent of and global manage Web traffic complexity from peak New demand, in Q mobile devices and data collection. Akamai Security Center Data 20 TB of daily attack data; 4 PB / 45 days stored

5 Agenda Intro/Data Collection DDoS Basics Trends and Statistics Adversarial Groups/Motivations Defense

6 CISSP Refresher What: Data Breach, Session Hijacking, Account Hijacking How: Injection, Social Engineering, Brute force login checking What: Site Defacement, Hosting Malware, DNS Zone Hijacking How: Injection, Social Engineering Availability What: Site Unavailable, Unresponsive, Unresolvable How: DDoS (Packet flooding, HTTP request flooding)

7 How most people think of DDoS

8 How we/attackers think of DDoS Users (good/bad) Public Internet ISP xcons IPS/ IDS LB www www DMZ = VPN Concentrator www www Name Servers Relational Database Remote Offices

9 DDoS Techniques Protocol Level Flooding Reflection/Amplification Attacks Dominate these type of attacks Web Application(Layer 7) More Subtle Targeting more fragile Web/Database resources

10 Transport Layer Protocol Abuse: Fun with TCP There are many variations of TCP Handshake Abuse. SYN SYN X 100 SYN-ACK ACK SYN-ACK X 100 SYN?????

11 Network Layer Attacks: Reflection + Amplification Attacks CHARGEN Attack Script a.b.c.d(address doesn t matter. This is UDP. He will spoof it.) Vulnerable Server 1Mbps of Character Gen requests Mbps of this=>

12 Case Study: NTP Reflection Attacks Attack Vector Request with spoofed source IP of target server sent to a vulnerable NTP server that allows the monlist function. NTP server replies back to the target IP, direct to origin, at massive scale. Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. 500X RETURN RATE IN TRAFFIC >100GBPS ATTACK TRAFFIC AGAINST ORIGIN 1,000+ INCREASE IN HITS PER SECOND AGAINST ORIGIN

13 NTP Reflection used in attack: (Source/Target in Asia) Day campaign against single customer 39 distinct attacks targeting applications and DNS infrastructure Eight attacks >100 Gbps including record 320 Gbps attack Start Infrastructure (Gbps) Web (Gbps) authdns (Mpps) DNS Reflection (Mpps) End

14 SSDP aka upnp (Universal Plug and Play)

15 So many Amplification vectors for an attacker to choose from.. Most select several. Source:US-Cert.gov

16 DDoS: Attackers find various bottlenecks to target Capacity declines as you move to deeper towards the DB Internet Pipe Load Firewall IPS Application Database Balancer

17 Slow Layer-7 Resource Exhaustion Attacks

18 Attackers are leveraging common IT Mega-Trends IoT Mobile We have detected refrigerators participating in DDoS Attacks BotNets frequently own Mobile Devices Cloud Sourced DDoS Attacks Challenge Legacy Defenses

19 DDoS as a Counter to Tight Security Controls Akamai Advisory

20 DNS Hijacks Attacks: Common Tactic for Middle Eastern Attackers Best Practice DNS Locks Client DNS Locks clientupdateprohibited clienttransferprohibited clientdeleteprohibited US DoD s DNS Hijacked Registrar locks serverupdateprohibited servertransferprohibited serverdeleteprohibited

21 China s Great Cannon DDoS Tool

22 DDoS Attack Trends Facts and Figures from Q2 2015

23 In Q2 2015, DDoS attacks were less powerful.. but longer and more frequent Traditional DDoS attacks harness the scale of global botnets Newer attacks target protocol vulnerabilities to amplify size SNMP (6x) DNS (28x-54x) CHARGEN (358x) NTP (556x) Gbps Mpps Q Q2 2015

24 DDoS Attack Instances, Q Q The number of DDoS attacks has more than doubled compared with Q2 2014, though with slightly smaller attack sizes

25 Compared to Q % Total DDoS attacks 11% Average peak bandwidth 77% Average peak volume 122% Application layer DDoS attacks 134% Infrastructure layer attacks 19% Average attack duration 100% Total attacks > 100 Gbps Q2 set a record for the number of DDoS attacks observed over the Akamai Prolexic Routed network, more than doubling the number of attacks observed in Q

26 Types of DDoS Attacks & Relative Distribution in Q2 2015

27 Mega Attacks > 100 Gbps in Q Twelve megaattacks in Q vs. six in Q Most targeted Internet/Telecom. Two targeted Gaming.

28 Mega Attacks > 50 Mpps in Q A 214 million packets per second (Mpps) DDoS attack was among the highest ever recorded. Such attacks can take out tier 1 routers, such as used by Internet service providers (ISPs).

29 Most Commonly Attacked Verticals Q Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks.

30 Top 10 Source Countries for DDoS Attacks in Q Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks.

31 Agenda Intro/Data Collection DDoS Basics Trends and Statistics Adversarial Groups/Motivations Defense

32 Attacker Motivation

33 Attacking for the Lulz!

34 Extortion DDoS for BitCoin Campaign: DD4BC

35 DD4BC WHAT TO EXPECT 1. Initial small attack 2. ransom demand Payment in bitcoin Increasing ransom over time 3. Claims of capability 400 Gbps attack sizes Bypass DDoS defenses 4. Continued threats Increasing ransom for countermeasures

36 DD4BC Ransom Note

37 DDoS as a Distraction

38 DDoS as a Distraction Multi-Vector Attacks: 2014 Sochi Olympics 3.5 Tbps event 50% Growth in Average User Connection Speed Compared to More than a Million Malicious Requests Blocked Multi-Vector Attacks Detected Again in 2014 Application DDoS RFI Command Injection Requests from Anonymous Proxy Attacks Again Spiked During Major Events Opening Ceremonies Hockey Semi-Final(US v. Canada)

39 Public Sector/Education DDoS Attacks

40 Large March 2014 Attack: Target was European Media Company Blended Attack, Significant NTP Traffic DDoS Start :: 8MAR14 13:52:00 UTC DDoS Stop :: 9MAR14 02:00:00 UTC Peak Bps :: 200+Gbps Peak Pps :: 65Mpps 2 hosts targeted on Random UDP/TCP/ICMP ports

41 QCF Attacks

42 BroBot: Advanced Attacker Evades Common DDoS Services Attack IP s Changing every ~ 10 minutes Banking site real-time Kona security dashboard view Blocking ~18M HTTPS attacks per minute Attacker requesting URL s with heavy compute burden(search, login, ATM locator) Source IP s are frequently Cloud servers Commandeered using vulnerabilities in well known CMS s

43 QCF Later Stages of Campaign: Targeting small regional banks and Credit Unions

44 Case Study: Augusta County Public Schools Augusta County s Education IT team Mission: Provide IT support for 20+ schools and manage Devices Challenge: Persistent DDoS Attacks impact ability to deliver uninterrupted access to Government Mandated SOL testing SOL testing impacts grades and graduation eligibility for students. Solution: Akamai s Prolexic Routed Cloud-based DDoS Protection

45 Georgia High School Case Study: Sept 2015 School system experiences daily DDoS Attacks disrupting confidence in students/parents in the school s ability to deliver IT Services SOL Systems are at risk, which is a huge concern for School Administrators Akamai Enterprise Security Architect goes on site to speak with school IT Team UDP Flood on port 80 is observed Akamai ESA directs customer to review web-logs and students were observed visiting DDoSas-a-Service Sites kicking off attacks Logs identified which students were logged onto machines at the time of visits to Stressor websites

46 Agenda Intro/Data Collection DDoS Basics Trends and Statistics Adversarial Groups/Motivations Defense

47 How do you defend from these attacks? Architecture Knowledge of Attack Trends A Plan

48 Potential Architectures for Defending from DDoS ISP Data center Transit Network ISP ISP

49 Potential Architectures for Defending from DDoS ISP Data center Transit Network ISP ISP

50 Cloud Security Architecture ISP Data center Transit Network ISP ISP

51 DDoS Mitigation Success: 5 Points To Take Away 1. You Need Data To derive intelligence on current & evolving threats. Avoid data theft and downtime by extending the 2. Scale, Availability & Resilience security perimeter outside the data-center and To be high performing, take the punches, & stay online. protect from increasing frequency, scale and 3. sophistication A Plan of web attacks. To understand how to respond to bad day scenarios. 4. Control & Flexibility To adapt your defenses dynamically. 5. People & Experience To execute every time you come under attack AKAMAI FASTER FORWARD TM

52 Stress Test your Plan

53