Protect your network: planning for Distributed Denial of Service (DDoS) attacks


1 Protect your network: planning for Distributed Denial of Service (DDoS) attacks
Nov 19, CenturyLink. All Rights Reserved. The CenturyLink mark, pathways logo and certain CenturyLink product names are the property of CenturyLink. All other marks are the property of their respective owners. Services not available everywhere. Business customers only. CenturyLink may change or cancel services or substitute similar services at its sole discretion without notice.

2 Mark Goldenberg (CISSP), Security Solutions Architect, CenturyLink
Mark is a veteran of CenturyLink's security business with over 15 years' experience working with clients to solve security challenges, and with internal teams to build and launch products that fit market needs. Today Mark works as a Security Architect supporting complex and customized security solutions for global customers. He has also held roles as director of security product management and, earlier, as director of managed security operations for the company, leading the global security implementations team. He began his journey at CenturyLink through Exodus, one of the first true Managed Security Services Providers in the industry.

3 AGENDA - Distributed Denial of Service
DDoS Attacks Demystified
What is a DDoS attack?
How does it work?
Who is at risk?
Why is DDoS a threat to your clients?
DDoS Mitigation & Protection Overview
What questions to ask in planning for an attack
Resources

4 DDoS Demystified - What is it?
WHAT IS A DDOS ATTACK?
When an attacker overwhelms a server or network device with requests, overloading it and causing it to slow or become unavailable.
[Diagram: command and control (C&C) servers directing a group of zombie machines that flood the victim]
WHY IS IT DANGEROUS?
Attacks are on the rise! 28 recognized DDoS attacks happened each hour in 2014!
Attacks are increasingly complex! Modern attackers use techniques to limit detection, or approaches that generate even larger volumetric attacks.
It's easy to do! Anyone can learn how to launch a DDoS attack on YouTube!
Real money is at stake! DDoS can take down websites and impact e-commerce and customer trust.
WHAT IS A DDOS MITIGATION SERVICE?
A monitoring service that proactively detects attacks and re-routes and scrubs traffic before it causes damage, mitigating downtime.

5 What Happens in a DDoS Attack? Anatomy of a Threat
Users unknowingly infect their computer via e-mail, download or media containing malware.
The infected computer, known as a bot, will join a network of similarly infected computers to form a botnet. The botnet will await orders from a central command and control server.
The botnet controller, an individual, will monetize the network of zombie machines by renting them out to conduct attacks, distribute spam or conduct other nefarious activities.
[Diagram: "Botnet menu" price list - 1 Bot: $$/attack, $$/min; Botnet: $$$$/attack, $$$$/min; Attack du jour: $$$$/attack; bulk spam distribution discount]

6 Do the Math! DDoS Can Cripple a Network
Data assumes each bot generates 128 Kbps of attack traffic (e.g. a broadband customer with a compromised computer). Botnets typically have more than 10,000 zombie machines.
Number of bots needed to saturate an enterprise customer link:
Enterprise Access Speed      Number of Bots to Saturate Link
DS1 (1.54 Mbps)              12
DS3 (45 Mbps)                351
Gigabit Ethernet             7813

7 Results of Distributed Denial of Service
Once an attack overloads a computer resource (servers, applications or entire networks), it becomes unavailable to its intended users.
Attacks attempt to find a limited resource and flood it. They:
Flood the server if the network isn't a limiting factor
Flood the application if the network or server can handle the load
Floods make servers & apps unavailable for visitors!
Attack sizes are growing exponentially month after month! Latest attacks are often well above 100 Gbps. Source: Arbor Networks
Copyright 2011 CenturyLink. All rights reserved. Confidential. Use only: disclose and distribute only to CenturyLink employees having a legitimate business need to know. Disclosure outside of CenturyLink is prohibited without authorization.

8 Why is DDoS So Dangerous to Companies?
Many attackers use DDoS as a smokescreen to distract IT staff while inserting malware to breach bank accounts and customer data, resulting in theft of funds, data or intellectual property!
Companies that get hit have an 87% chance of getting hit again.
Studies show two-thirds of companies fight DDoS with ineffective tools. Firewalls and IPS systems aren't designed for DDoS and can actually accelerate outages by bottlenecking traffic! Companies need purpose-built services for DDoS protection.
COST! The average cost per hour of a DDoS attack on a financial company exceeds $100k/hour.
Source: Neustar 2014 Annual DDoS Attacks Report

9 DDoS Market
70% of data center operators reported a DDoS attack in the last year.
Nearly a quarter of survey respondents indicated 21 or more DDoS attacks in a single month.

10 How DDoS Mitigation Service Works
DDoS Mitigation Service minimizes the impact of DDoS attacks by detecting bad traffic and redirecting it away from a network, keeping the good traffic flowing without incident.
[Diagram: a cleansing center in front of three protected zones - Protected Zone 1: Web; Protected Zone 2: Name Servers; Protected Zone 3: E-Commerce Application]

11-16 How DDoS Mitigation Service Works (the diagram builds up one step per slide; the target is a host in Protected Zone 3: E-Commerce Application)
1. Attack detected by customer or CenturyLink.
2. Activate scrubbing.
3. Divert only target traffic (a BGP announcement pulls traffic destined to the target into the cleansing center).
4. Identify and filter malicious traffic.
5. Forward legitimate traffic to the target.
6. Non-targeted traffic flows freely.

17 In-Depth Portal Reports

18 What questions to ask a DDoS mitigation provider
What is their mitigation cleansing capacity?
Do they have a strategy for large-scale volumetric attacks?
Do they offer DNS and infrastructure-based protection options?
Can a DDoS strategy be customized to my needs?
Do you have 24/7 monitoring with human analysts?
Do you have geographically diverse cleansing centers?

19 Resources
The Forrester Wave: DDoS Service Providers, Q3 2015; Forrester Research; Ed Ferrara and Rick Holland; July 22, 2015

20 What questions to ask in planning for an attack
What critical information is available from your public servers?
How would it impact your users if the information was unavailable for one hour? Or one week?
Have you identified a DDoS strategy?
Have you researched DDoS mitigation solutions?

21 Questions?

22 Appendix

23 Distributed Denial of Service Mitigation service versus Black Hole Filtering
DDoS Mitigation service: designed to drop only bad traffic destined to an IP address.
Black Hole Filtering: allows your business to drop all traffic destined to an IP address under attack on your network.
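The six-step flow on slides 10-16 and the scrubbing versus black hole comparison on this slide, worked through in code. This is an added example, not CenturyLink's implementation or anything from the deck: the protected-zone prefixes, the target address, the sample flows and the per-flow malicious/legitimate verdicts are constructed, and the verdict is assumed to come from a detection stage this block does not model. What it makes visible is the appendix's point: a /32 diversion plus scrubbing loses no legitimate traffic, while black-holing the same address discards every real customer session along with the flood; traffic to neighbouring hosts in the zone is untouched in both cases.

```python
"""Model of the six-step mitigation flow on slides 10-16 and of the appendix
comparison between scrubbing and black hole filtering. Example code added to
this transcription, not CenturyLink's implementation; prefixes, hosts and the
per-flow verdicts are constructed sample data (the verdict is assumed to come
from an upstream detector, which this block does not model)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    service: str
    malicious: bool   # verdict assigned by the detection stage (given here)


# The three protected zones from the slides, as constructed documentation prefixes.
PROTECTED_ZONES = {
    "Web": ipaddress.ip_network("203.0.113.0/26"),
    "Name Servers": ipaddress.ip_network("203.0.113.64/26"),
    "E-Commerce Application": ipaddress.ip_network("203.0.113.128/26"),
}
TARGET = "203.0.113.130"   # constructed: the e-commerce host under attack


def zone_of(addr):
    """Which protected zone an address belongs to, or None."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in PROTECTED_ZONES.items() if ip in net), None)


def divert_route(target):
    """Step 3: the BGP announcement covers only the target's own /32, so the
    rest of the zone keeps its normal path."""
    return ipaddress.ip_network(f"{target}/32")


def scrub(flows, target):
    """Steps 3-6: divert target traffic to the cleansing center, drop the
    malicious part, forward the legitimate part, leave everything else alone."""
    diverted = divert_route(target)
    out = {"forwarded": [], "dropped": [], "direct": []}
    for f in flows:
        if ipaddress.ip_address(f.dst) not in diverted:
            out["direct"].append(f)          # step 6: non-targeted traffic flows freely
        elif f.malicious:
            out["dropped"].append(f)         # step 4: filter malicious traffic
        else:
            out["forwarded"].append(f)       # step 5: forward legitimate traffic
    return out


def blackhole(flows, target):
    """Black hole filtering: every packet to the attacked address is discarded,
    legitimate or not; other addresses are unaffected."""
    out = {"forwarded": [], "dropped": [], "direct": []}
    for f in flows:
        out["dropped" if f.dst == target else "direct"].append(f)
    return out


def summarize(out):
    """Counts per outcome, plus how many legitimate flows to the target were lost."""
    s = {k: len(v) for k, v in out.items()}
    s["legit_lost"] = sum(1 for f in out["dropped"] if not f.malicious)
    return s


def compare(flows, target):
    return {"scrubbing": summarize(scrub(flows, target)),
            "blackhole": summarize(blackhole(flows, target))}


# Constructed sample: a spoofed SYN flood hitting the target alongside normal traffic.
SAMPLE_FLOWS = [
    Flow("198.51.100.5", TARGET, "tcp/443 SYN", True),
    Flow("198.51.100.6", TARGET, "tcp/443 SYN", True),
    Flow("198.51.100.7", TARGET, "tcp/443 SYN", True),
    Flow("192.0.2.10", TARGET, "tcp/443", False),           # real shoppers
    Flow("192.0.2.11", TARGET, "tcp/443", False),
    Flow("192.0.2.12", "203.0.113.131", "tcp/443", False),  # same zone, not the target
    Flow("192.0.2.13", "203.0.113.10", "tcp/80", False),    # Web zone
    Flow("192.0.2.14", "203.0.113.70", "udp/53", False),    # Name Servers zone
]

if __name__ == "__main__":
    print("target zone:", zone_of(TARGET))
    for name, counts in compare(SAMPLE_FLOWS, TARGET).items():
        print(f"{name:10}", counts)
```

Run as a script it prints the target's zone and the two outcome summaries; the `legit_lost` counter is the number the appendix slide is really about, zero under scrubbing and equal to the whole legitimate customer load under black-holing.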

24 What are the Different Types of DDoS Attacks?
Network Layer DDoS Attacks (very high bandwidth)
1) SYN flood - TCP SYN packets requesting a connection are sent to the target network with a spoofed source address
2) ICMP flood - Large numbers of ICMP packets (usually echo request) are sent to the target network to consume customer bandwidth or system resources
3) UDP flood - Large numbers of UDP packets are sent to a network to consume system resources or bandwidth, making the attacked site unavailable to legitimate users
Reflective DDoS Attacks (very high bandwidth)
1) DNS / SNMP Amplification and Reflection Attacks - DNS amplification and reflection attackers use open DNS resolvers to increase the volume of their attacks and hide their true source. SNMP amplification and reflection attacks use open SNMP services in the same way.
Layer 7 / Application Layer Attacks (low bandwidth)
These attacks use tools such as High Orbit Ion Cannon and Slowloris.
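Detection heuristics for each attack class listed above, run over a constructed one-interval sample of flow records. This is an added example, not CenturyLink's tooling or code from the deck; the thresholds, the hosts (documentation-range addresses) and every flow record are assumptions built for illustration. It shows the signal a defender watches for in each case: SYN-only flows with no completed handshake, ICMP packet volume, raw UDP volume, answers arriving from DNS/SNMP ports that the receiving host never queried (reflection), and many long-lived, near-idle HTTP connections from one source (Slowloris-style Layer 7).

```python
"""Detection heuristics for the attack classes listed on slide 24 (SYN, ICMP
and UDP floods, DNS/SNMP reflection, slow Layer 7 attacks), run over a
constructed one-interval sample of flow records. Added example, not
CenturyLink's tooling; every threshold and address here is an assumption."""
from collections import defaultdict

# Assumed per-interval thresholds, chosen for this constructed sample only.
SYN_ONLY_MIN = 30          # half-open SYNs to one destination
ICMP_PKTS_MIN = 500        # ICMP packets to one destination
UDP_BYTES_MIN = 1_000_000  # UDP bytes to one destination
REFLECT_MIN = 20           # unsolicited DNS/SNMP responses to one destination
SLOW_CONN_MIN = 20         # long-lived, near-idle HTTP connections from one source
REFLECTOR_PORTS = {53: "DNS", 161: "SNMP"}


def flow(src, dst, proto, sport, dport, pkts, nbytes, flags="", dur=1):
    """One flow record: endpoints, protocol, ports, volume, TCP flags, duration (s)."""
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport,
            "pkts": pkts, "bytes": nbytes, "flags": flags, "dur": dur}


# Constructed protected hosts (documentation-range addresses, not real systems).
WEB, DNS_SRV, SHOP = "203.0.113.10", "203.0.113.70", "203.0.113.130"

SAMPLE = (
    # SYN flood: 40 SYN-only flows to the web server from varied spoofed sources
    [flow(f"198.51.100.{i}", WEB, "tcp", 40000 + i, 80, 1, 60, flags="S") for i in range(1, 41)]
    # five ordinary completed HTTP sessions
    + [flow(f"192.0.2.{i}", WEB, "tcp", 50000 + i, 80, 12, 9000, flags="SAPF", dur=3) for i in range(1, 6)]
    # ICMP flood: echo requests against the shop host
    + [flow(f"198.51.100.{i}", SHOP, "icmp", 0, 0, 120, 120 * 1500) for i in range(1, 6)]
    # DNS reflection: large answers from port 53 reach the shop host, which sent no query
    + [flow(f"198.18.0.{i}", SHOP, "udp", 53, 3000 + i, 40, 40 * 3000) for i in range(1, 26)]
    # UDP flood: bulk query traffic at our own name server from spoofed sources
    + [flow(f"198.51.100.{50 + i}", DNS_SRV, "udp", 30000 + i, 53, 200, 200 * 1000) for i in range(10)]
    # legitimate DNS: a client asks our name server, the server answers
    + [flow("192.0.2.50", DNS_SRV, "udp", 5353, 53, 1, 80),
       flow(DNS_SRV, "192.0.2.50", "udp", 53, 5353, 1, 200)]
    # Slowloris-style: one source holds 25 near-idle HTTP connections open for minutes
    + [flow("198.51.100.99", WEB, "tcp", 45000 + i, 80, 6, 400, flags="SAP", dur=300) for i in range(25)]
)


def detect(flows):
    """Return (kind, target, detail) alerts for the flows of one interval."""
    syn_only, icmp_pkts, udp_bytes = defaultdict(int), defaultdict(int), defaultdict(int)
    unsolicited = defaultdict(lambda: defaultdict(int))  # dst -> service -> responses
    slow = defaultdict(int)                              # (src, dst) -> idle HTTP conns
    # (client, server, server_port) for every UDP request we saw leave a host
    requested = {(f["src"], f["dst"], f["dport"]) for f in flows if f["proto"] == "udp"}
    for f in flows:
        if f["proto"] == "tcp":
            if f["flags"] == "S":                # SYN never followed by the rest of the handshake
                syn_only[f["dst"]] += 1
            elif f["dport"] in (80, 443) and f["dur"] >= 60 and f["bytes"] < 1000:
                slow[(f["src"], f["dst"])] += 1  # connection held open but barely used
        elif f["proto"] == "icmp":
            icmp_pkts[f["dst"]] += f["pkts"]
        elif f["proto"] == "udp":
            udp_bytes[f["dst"]] += f["bytes"]
            svc = REFLECTOR_PORTS.get(f["sport"])
            # an answer from a DNS/SNMP port that the receiving host never asked for
            if svc and (f["dst"], f["src"], f["sport"]) not in requested:
                unsolicited[f["dst"]][svc] += 1
    alerts = []
    for dst, n in syn_only.items():
        if n >= SYN_ONLY_MIN:
            alerts.append(("syn_flood", dst, f"{n} half-open SYNs"))
    for dst, n in icmp_pkts.items():
        if n >= ICMP_PKTS_MIN:
            alerts.append(("icmp_flood", dst, f"{n} ICMP packets"))
    reflected = set()
    for dst, by_svc in unsolicited.items():
        for svc, n in by_svc.items():
            if n >= REFLECT_MIN:
                reflected.add(dst)
                alerts.append(("reflection", dst, f"{n} unsolicited {svc} responses"))
    for dst, n in udp_bytes.items():
        # reflection is reported above; only unexplained UDP volume becomes a plain flood
        if dst not in reflected and n >= UDP_BYTES_MIN:
            alerts.append(("udp_flood", dst, f"{n} UDP bytes"))
    for (src, dst), n in slow.items():
        if n >= SLOW_CONN_MIN:
            alerts.append(("slow_http", dst, f"{n} idle long-lived connections from {src}"))
    return alerts


if __name__ == "__main__":
    for kind, target, detail in detect(SAMPLE):
        print(f"{kind:11} {target:15} {detail}")
```

The reflection check is the one worth studying: it does not look at volume at all but at state, asking whether the protected host ever sent a request to the port the answer claims to come from. That is why the legitimate query/answer pair to the name server produces no alert while the same kind of packet, unrequested and arriving in bulk at the shop host, does. The slow-HTTP rule is the low-bandwidth case from the slide: none of those 25 connections would trip a volume threshold, so the detector counts idle lifetime per source instead.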

25 Advantages of Distributed Denial of Service Mitigation service over traditional IDS/IPS
Access loop saturation
IDS/IPS solutions can detect and mitigate at your business's perimeter; however, a flood of attack packets can saturate the access loop, denying legitimate traffic access to the loop. DDoS Mitigation service identifies and mitigates attack traffic in the cloud before it reaches your access loop; this blocks the attack traffic and allows legitimate traffic to use the loop.
Secondary validation
Traditional IPS technology's auto-block capability lacks secondary threat validation and can block legitimate traffic that causes anomalies. CenturyLink DDoS Mitigation validates any suspected attack prior to scrubbing. Even when DDoS scrubbing is activated, you should receive legitimate traffic destined to your network.