DIFFUSING DENIAL OF SERVICE

Transcription

1 DIFFUSING DENIAL OF SERVICE DDoS attacks are proving increasingly catastrophic. The paper covers common attack techniques and what organisations can do to avert them.

2 Table of contents 02 Abstract 02 Introduction 03 Who is at risk? 03 Why are these attacks so difficult to detect and prevent? 03 Types of DDoS Attacks 04 How to block /mitigate DDoS attacks? 05 Deploying DDoS Prevention Devices in Premises 05 DDoS Prevention at Edge Level 05 DDoS Response Model for Enterprises 06 Conclusion 06 Reference 1 07 About GIS

3 Abstract: The proliferation of internet connectivity has expanded markets and reduced the inefficiencies associated with doing business across borders. With increasing broadband penetration in emerging markets, services can be delivered to customers from anywhere in the world. While globalization has expanded the possibilities for a business, however, at the same time, this increased reach and access have created many challenges for enterprises. A significant one today is the vulnerability to external attacks. High malware infection rates are common. When malware infected computers are taken over by centralized command-and-control servers, botnets are created which can be used by spurious parties with malicious intentions to disrupt the service of a competitor. Global botnets are currently using Distributed Denial of Service (DDoS) attacks to sabotage web services or a specific server. This paper talks about the different types of DDoS attacks and presents an approach to a DDoS protection strategy that empowers enterprises to better respond to such attacks and mitigate their impact on operations. Introduction: China and the United States, the two biggest economies in the world, are the victims of significant DDoS attacks on a daily basis. Over the last few years, the scope, nature and magnitude of DDoS attacks have only intensified. The Prolexic Quarterly Global DDoS Attack Report (Q1 2013) reveals that the number of attacks rose by 21 percent in Jan-Mar 2013 compared to Q Also, the duration of DDoS attacks grew to 34.5 hours from 28.5 hours while average attack bandwidth increased to a staggering Gbps from 6.1 Gbps in Q This places emerging markets under severe threat as they are characterized by inadequate client control. To emphasize the severity of these attacks, some examples are pertinent. A Hong Kong based provider of sophisticated trading platforms had to deal with the aftermath when one of its UK based clients a brokerage operating in the London financial district using its proprietary trading technology was targeted by a wave of DDoS attacks. The Hong Kong based trading platform provider was unable to provide access to its application platforms leading to disruption of trading services. The company subsequently implemented a DDoS mitigation program to avoid further downtime and financial losses. In another instance, an ecommerce company became the victim of a GET flood attack that lasted for two weeks during its busiest season. The attackers used the circuit between the ecommerce site and the internet service provider to launch the attack. As part of its efforts to protect itself from such attacks and avert business downtime, the company had implemented a DDoS mitigation strategy. Clearly, having a DDoS mitigation program in place is a key business imperative for enterprises to avoid loss of customer confidence, customer defection and prevent adverse impact on revenue and profitability. 02

4 Who is at risk? DDoS is a favorite ploy of attackers to shut down organizations at their whims and fancies. Not long ago, DDoS attacks were mainly targeted at household names and other obvious targets, but, today, any organization with money to lose, political interests or active enemies is susceptible to such attacks. In fact, anyone is a potential target! Based on our experience, we have found that some industries such as banking and financial services, internet service providers, internet data centers, cloud service providers and ecommerce are more vulnerable to DDoS attacks than others. The banking and financial services sector characterized by large volumes of transactions, data and traffic is especially susceptible to DDoS attacks with frequency as high as one every week. According to industry analyst reports, during 2012, out of 50 publicly documented DDoS attacks, the financial services sector accounted for 26 suffering an average outage of seven hours and average estimated loss of $17,057,214 per incident. Internet data centers play a key role in providing real time business-critical functions such as sales, communications, technical support etc., at the same time they also create new security challenges rendering traditional security mechanisms obsolete. According to the Worldwide Infrastructure Security Report 2012 released by Arbor Networks, DDoS attacks targeted at internet data centers have increased in frequency as well as severity and pose a significant risk to enterprises using such hosted services. Furthermore, with more and more companies moving their services to the cloud, the shared infrastructure model of cloud computing can result in attacks on a specific target negatively impacting many or all tenants using the same infrastructure. Why are these attacks so difficult to detect and prevent? There are multiple reasons that make DDoS attacks dangerous. First, the attacks are becoming more frequent and bigger in magnitude than ever before. Second, the type of attacks and the targeted components are so varied that they are not easy to detect. Third, DDoS attacks are usually targeted at a variety of network components such as routers, appliances, firewalls, applications, ISPs or data centers in different ways. Also, the increase in DDoS attacks is partly due to a gap in mitigation controls in enterprises industry research shows that about 20% of organizations have implemented a mitigation strategy. While there is no easy solution to prevent such attacks, implementing a proven DDoS protection approach is one way of tackling this issue. The solution should have the capability to restrict damage and allow your system to carry on business-as-usual during an attack. To tackle this problem, organizations learned to detect and mitigate the damage caused by DDoS attacks that used a common code. However, DDoS attackers adapted quickly and began encrypting their code again making it more difficult for enterprises to detect an attack and control the damage. Types of DDoS Attacks: It is useful to understand the various types of DDoS attacks possible and prepare better to tackle them. 1. TCP Connection Flood: A TCP connection flood tries to occupy all the available TCP connections on a server. It floods the server with requests for new connections, thereby preventing valid requests from being established and served. 2. ICMP Flood, Ping Flood, Smurf Attack: These attacks deluge the server with ICMP requests without waiting for a response. The objective is to overburden the server and adversely impact its ability to respond thereby blocking legitimate requests. 3. PUSH and ACK Flood: A PUSH or ACK flood DDoS attack inundates the server with fake PUSH and ACK requests to prevent the server from responding to legitimate traffic. 4. SYN Flood: During a SYN flood attack, huge numbers of SYN requests are sent by the client. When the server returns SYN-ACK messages, the client does not respond which leaves the server with open connections while it waits for further communication from the client. The TCP connection table tracks each of these half-open connections so that the table is filled up thereby blocking additional connection attempts, valid or otherwise. 5. Teardrop Attack: In a teardrop attack, the client sends a malformed information packet which has the ability to take advantage of the error that occurs when the packet is reassembled. This could lead to a crash in the operating system or the application that handles the packet. 6. UDP Flood: In a UDP flood attack, the server is overwhelmed with requests. The connection tables are saturated with requests on every accessible port on a server blocking legitimate requests from being served. Also, legitimate clients may not be able to access the server. 03

5 7. DNS flood: NXDOMAIN Flood: The DNS server receives a deluge of requests for invalid or nonexistent records and wastes time looking for records that do not exist instead of serving valid requests. The cache on the DNS server is filled with bad requests and clients are unable to find the servers they need. 8. DNS flood: Query Flood: In a DNS query flood attack, a network of clients is utilized to send a flood of valid requests to a single DNS server. DNS servers are unable to differentiate this from normal traffic as the requests are valid and targeted at a single DNS server. 9. SSL Flood and SSL Renegotiation Attacks: While making a request for a secure connection from a server is a simple task for the client, the server uses significant processing power while responding to such a request. An SSL flood or renegotiation attack exploits this imbalance in workload by asking for a secure connection, and subsequently renegotiating the relationship. 10. GET Flood: In this type of attack, two different kinds of attacks can be mounted by using the same request either by requesting static URLs at a high rate or by successively asking for every single object on the website. The objective is to overburden the server with a multitude of requests so that its resources are exhausted leaving it incapable of serving legitimate traffic. 11. Hash Denial of Service (DoS) Attack: The main web service platforms such as Java, ASP.NET, and Apache use a common algorithm for their dictionary tables. In a Hash DoS attack, a single POST message with thousands of variables is sent so that the hashing function overloads and the server is engaged in processing a single such request for around an hour. How to block /mitigate DDoS attacks? There are several ways to block DDoS attacks using multiple security products. DDoS Mitigation Mitigation - In premises Mitigation - At Edge Level Attacker Attacker User User ISP ISP Mitigation Mitigation Reference 1 gives an expansion of terms used in this section. 04

6 Deploying DDoS Prevention Devices in Premises: Security firewalls and intrusion prevention system devices which support prevention of DDoS attacks can be deployed or the existing devices can be upgraded with the latest version of images to help mitigate small scale DDoS attacks. These measures ensure that DDoS attacks do not allow traffic to reach destination servers/applications. However, the attack disrupts business as it increases consumption of internet bandwidth tremendously as mitigation occurs at in-house device levels. Also, this type of downstream response only helps protect against small attacks and is inadequate against attacks of a longer duration. Enterprises would need to solution with access to upstream traffic to prevent large scale attacks. DDoS Prevention at Edge Level: In this method, malicious traffic gets blocked at the service provider network level itself so that your internet bandwidth is used for original/real traffic. To ensure that legitimate traffic does not get blocked, security professionals continuously analyze customer traffic. Usually, the internet service provider can prevent DDoS attacks on your network. DDoS Response Model for Enterprises So, what are the components of a comprehensive internal DDoS mitigation plan? Engaging with a third party service provider to implement a hybrid solution which incorporates cloud based services and appliances will improve visibility of the network. While the cloud aspect will provide the versatility required for always-on threat monitoring and detection as well as the agility to handle a DDoS attack in real time, using appliances will help identify the compromised host in the network besides logging all the communications and transactions. Implementing a hybrid solution would enable real-time threat notification and detection, quick remediation, better damage control and limit post event costs. Organizations need to put in place a strategy to counter DDoS attacks or they risk losing valuable time that could potentially delay recovery after an attack. Figure 2 shows the steps involved in an effective incident response plan: Preparation: list the services that your ISP can provide and understand what can be done at the provider level Identification: detect the attack, define its scope and engage with the appropriate parties Mitigation: contain the effects of the attack on the targeted environment and initiate remedial measures Post incident analysis: record the details of the attack, identify gaps in preparation and mitigation Improvement: assess the efficacy of your response plan and rework your strategy based on the post event analysis report The complex and dynamic nature of the DDoS threat landscape makes it imperative for enterprises to adopt a services based internal defence strategy to protect against such attacks. The complexity as well as the increasing number of DDoS attacks have rendered deploying anti-malware platforms and firewalls an inadequate defence. 05

7 Preparation Attack Identification / Analysis Mitigation / Impact Reduction Learning s & Action Plan Continuous Improvement Have Detailed List of IP s/ Device/ Srevice ISP s DDos Services ISP Contacts Law/Legal Business Implications Hardening - OS/ NW / FW / Apps / DB IT resources Performance data. Vulnerability History / Trend of various business / technology risk User Awareness Review Logs/ Load Perform traffic Analysis Differentiate Malicious Vs Business traffic Conatct ISP for support Identify Root Cause Identify Damage Identify the infra component affected Involve legal/ Execute team for involving law enforcement team Restore form backup stop unwanted services/processes Dosable service / feature for sometime Block the IP/ rate-limit attack traffic bandwith at GW Increase bandwidth temporarily Traffic routing Implement pending security controls/fix Implementation of planned technologies WAF / IPS / DDoS etc. Preparation gaps Support gaps Attack identification / Analysis gaps Skill gaps Mitigation delay if any Limitations in containing / mitigating Relationship within and outside org Technology / Product requirement Risk simulation and analysis External VA / PT Review and take corrective action on preperation, analysis and mitigation gaps Implement the pending actionables on risk / vulnerabilities Hire the skills if anything is required User awareness New technology implementations Conclusion Today, more and more companies are dependent on their websites to meet revenue goals and provide customer support. Keeping in mind the dynamic nature of DDoS attacks and their huge impact, engaging with an expert to implement a DDoS mitigation program is critical to preventing business downtime. Reference 1 Expansions of Acronyms/Abbreviations TCP ICMP Flood PUSH and ACK Flood SYN Flood UDP Flood DNS Flood DNS Flood: NXDOMAIN Flood: DNS Flood: Query Flood SSL Flood GET Flood Transmission Control Protocol Internet control message protocol Flood Push and Acknowledgement Flood Synchronize sequence number Flood User Datagram Protocol Flood Domain Name Server Flood Non Existent Domain Flood Query Flood Secure Sockets Layer Flood Layer 7 - application layer Flood 06

8 About GIS Global Infrastructure Services (GIS), a unit of Wipro Limited, is an end to end IT infrastructure & outsourcing services provider to global customers across 61 countries. Its suite of Technology Infrastructure services spanning Data Center, End User Computing, Networks, Managed Services, Business Advisory and Global System Integration. Wipro, is a pioneer in Infrastructure Management services and is amongst the fastest-growing providers across the world. GIS enables customers to do business better by enabling innovation via standardization and automation, so that businesses can be more agile & scalable, so that they can find growth and succeed in their global business. Backed by our strong network of Integrated ServiceNXT Operation Centers and 11 owned data centres spread across US, Europe and APAC, this unit serves more than 500+ clients across with a global team of 23,800 professionals and contributes to over 30% of Wipro s IT Services revenues of Wipro Limited. About Wipro Ltd. Wipro Ltd. (NYSE:WIT) is a leading Information Technology, Consulting and Outsourcing company that delivers solutions to enable its clients do business better. Wipro delivers winning business outcomes through its deep industry experience and a 360 O view of "Business through Technology" - helping clients create successful and adaptive businesses. A company recognized globally for its comprehensive portfolio of services, a practitioner's approach to delivering innovation and an organization wide commitment to sustainability, Wipro has a workforce of 140,000 serving clients across 61 countries. For information visit 07

9 DO BUSINESS BETTER NYSE:WIT OVER 140,000 EMPLOYEES 61 COUNTRIES CONSULTING SYSTEM INTEGRATION OUTSOURCING WIPRO LIMITED, DODDAKANNELLI, SARJAPUR ROAD, BANGALORE , INDIA TEL : +91 (80) , FAX : +91 (80) , reachus@wipro.com WIPRO LIMITED No part of this booklet may be reproduced in any form by any electronic or mechanical means (including photocopying, recording and printing) without permission in writing from the publisher, except for reading and browsing via the world wide web. Users are not permitted to mount this booklet on any network server. IND/TMPL/DEC2013