DDoS Attacks Can Take Down Your Online Services

Transcription

1 DDoS Attacks Can Take Down Your Online Services Dr. Bill Highleyman Managing Editor, Availability Digest Continuity Insights New York 2014 October 8, 2014

2 Who Am I? Dr. Bill Highleyman Managing Editor of the Availability Digest: - Monthly publication of computer availability topics. - Free subscription Decades of experience building mission-critical systems. Holder of 16 U.S. patents, many on availability techniques. Contributor to Availability Theory: - Many published papers.

3 Who Am I? Dr. Bill Highleyman Coauthor of three-volume book series Breaking the Availability Barrier. Speaker on topics concerning system availability. Availability consulting. Technical and marketing writing services. One-day, two-day, and three-day seminars on Availability Theory and Practice.

4 What is a Distributed Denial of Service Attack? Makes an Internet service unavailable to its users. Saturates the victim machine with external traffic. The victim machine can t respond to legitimate traffic. Address of attacker is spoofed: - victim machine can t block traffic from a known source.

5 What is a Distributed Denial of Service Attack? Malware attacks do not generally pose a threat to availability: - they aim to steal personal information, other data. DDoS attacks are a major threat to availability. - they have been used to take down major sites for days. - they are easy to launch, difficult to defend against.

6 What is a Distributed Denial of Service Attack? Reasons for DDoS attacks: - revenge - competition - ransom - a cover for another attack

7 Major DDoS Attacks Some Examples

8 Major U.S. Banks The online banking web sites of several major U.S. banks were taken down for days by Distributed Denial of Service (DDoS) attacks. The Izz ad-din al-qassam Cyber Warriors attacked major U.S. banks. Vowed to continue the attacks until the video Innocence of Muslims was removed from the Internet. September DDoS attacks were launched against Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank, and PNC Bank.

9 Major U.S. Banks The online banking web sites of several major U.S. banks were taken down for days by Distributed Denial of Service (DDoS) attacks. The attacks took down their online banking portals for a day. Attacks followed against Capital One, SunTrust Banks, and Regions. The 70 gigabit/second attacks used hundreds of thousands of volunteer computers and infected servers. December 2012 Attacks were repeated for several days.

10 History s Largest DDoS Attack Spamhaus is a spam-filtering site: - provides a blacklist of IP addresses of spammers. - used by spam-filtering vendors, ISPs, corporations. Blocked CyberBunker as a spam site: - located in the Netherlands. - will post anything but child pornography, terrorism. In retaliation, CyberBunker launched a 300 gbps DDoS attack against Spamhaus: - lasted for ten days.

11 History s Largest DDoS Attack Spamhaus enlisted CloudFlare to help it weather the attack: - CloudFare spread the DDoS load across its 23 data centers. - scrubbed the data and fed only legitimate data to Spamhaus. CyberBunker extended its attack to CloudFlare. CloudFare was able to withstand the attack. The CEO of CyberBunker was later arrested by the Dutch: - DDoS attacks are illegal in many countries.

12 The Anatomy of a DDoS Attack

13 How Can So Much Traffic Be Generated? By Botnets Typical attacks generate about 10 gbps of malicious traffic: - it takes about 10,000 PCs to generate 10 gbps of traffic. - this is a botnet. A botnet is a collection of infected computers: - control is conceded to a third party, the bot master. The bot master controls the activities of the compromised computers.

14 How Can So Much Traffic Be Generated? By Botnets A large server can generate a gigabit/sec. of malicious traffic: - one thousand times that of a PC. Ten large servers can generate as much traffic as 10,000 PCs. Recent attacks have generated 300 gbps of malicious data: - combination of infected PCs and servers.

15 The Anatomy of a DDoS Attack DDoS attackers depend upon infecting thousands of PCs. A typical infection sequence is: - a user succumbs to a phishing attack (opens a malicious or visits a malicious web site). - a Trojan is injected into the machine, opens a backdoor. - a bot infection is inserted into the PC via the backdoor. - the bot infection establishes a connection with the bot master.

16 The BYOD Conundrum

17 The BYOD Conundrum Bring Your Own Devices (BYOD) are the new gateways into corporate networks: - employees using smart phones, tablets, notebooks. - conducting their work at home or on the road. - connecting outside the corporate firewall to servers and databases inside the firewall. Malware can gain access to a company s network by infecting these devices. Mobile malware is becoming a greater threat than direct infections of systems.

18 Mobile Threats Compromised Wi-Fi hot spots: - coffee shops, airports, hotels. - corporate data is vulnerable whenever an employee logs onto a public Wi-Fi hot spot. - frequently configured so that anyone can see all of the network traffic. - commercially available apps provide network monitoring capability.

19 Other Mobile Threats Poisoned DNS servers: - user must trust the DNS server used by a Wi-Fi hot spot. - hackers can hijack a public DNS server. - can direct traffic to a malicious web site. - web site can get user s private data passwords, etc. - malware is downloaded to device from the web site.

20 Android Devices are the Primary Targets Mobile malware most likely is installed via malicious apps. Android is an open operating system modified by each vendor: - security provisions often bypassed. Hundreds of Android app stores not vetted by Google. Google security patches take months to be distributed by vendors.

21 Android Devices are the Primary Targets Number of malicious apps has grown 800% over the last year. 92% directed at Android devices. Apple has tight control over apps: - tests each one thoroughly. - does not allow unvetted apps to be downloaded from the Apple app store.

22 DDoS Strategies

23 DDoS Strategies Attacks Occur at Various Levels Network Level: - network is bombarded with traffic. - consumes available bandwidth. Infrastructure Level: - network devices such as firewalls, routers, maintain state in internal tables. - fill state tables of network devices. Application Level: - invoke application services. - consume processing and disk resources.

24 DDoS Strategies Attacks Occur at Various Levels ICMP Flood: - Internet Control Message Protocol (ICMP) sends error messages. - messages sent to random ports. - most ports will not be used. - victim system must respond with Port Unreachable. - victim system so busy responding that it can t handle legitimate traffic. Ping Attack: - victim is flooded with pings. - victim must respond to each.

25 DDoS Strategies Attacks Occur at Various Levels SYN Flood: - attacker initiates a connection. - sends a SYN connection request with a spoofed client address. - server assigns resources, responds with SYN-ACK to spoofed client. - attacker never sends ACK to complete the connection. - spoofed client ignores SYN-ACK since it did not send SYN. - victim holds resources for three minutes awaiting connection completion. - victim runs out of resources, cannot make legitimate connections.

26 DDoS Strategies Attacks Occur at Various Levels GET/POST Flood: - attacker send commands to retrieve and update data. - uses extensive compute and disk resources of server. - typically needs user names, passwords. - consumes all resources of server.

27 DDoS Strategies Amplified Attacks The most vicious kind of attack: - generates a great deal of attack data with little effort. Example DNS Reflection: - sends DNS URL request with spoofed IP address of victim. - DNS sends URL response (IP address of URL) to victim. - typical request message is 30 bytes. - typical response message is 3,000 bytes times amplification.

28 DDoS Strategies Amplified Attacks DNS Reflection attacks depend upon DNS Open Resolvers: - they respond to any DNS request, no matter its source. Open DNS Resolvers were supposed to be phased out: - still 27 million Open Resolvers on the Internet. - their IP addresses have all been published. Publicly available toolkit itsoknoproblembro for DNS attacks.

29 Summary

30 Botnets Until recently, DDoS attacks were in the 10 gbps range: - infected PC botnets. Islamic hackers 100 gbps: - used tens of thousands of volunteered PCs. - added infected servers. CyberBunker 300 gbps: - used PC/server botnet. - used DNS reflection.

31 DDoS Attacks are Easy to Launch Botnets can be rented cheaply: 10,000 PCs 100,000 PCs 10 gbps 100 gbps $500 per month $200 per day DDoS malware is available on the Web: - low cost, easy to use. - itsoknoproblembro.

32 Mitigation DDoS attacks are easy to launch, difficult to defend against. Firewalls and intrusion-prevention (IPV) systems can be overwhelmed. Spread load across several data centers to scrub data. Use the services of a DDoS mitigation company that can scrub data over several data centers: - Prolexic - Verisign - Tata - CloudFare - AT&T Include DDoS attacks in your Business Continuity Plan.

33 Mitigation An excellent resource for evaluating a DDoS mitigation service: 12 Questions to Ask a DDoS Mitigation Provider - a Prolexic White Paper

34 Thanks for Coming The material for this presentation came from the archived articles of ( a monthly periodical on availability topics. Go to for your free subscription. Follow us