DDoS Mitigation Solutions

Transcription

1 DDoS Mitigation Solutions

2

3 The Real Cost of DDOS Attacks Hosting, including colocation at datacenters, dedicated servers, cloud hosting, shared hosting, and infrastructure as a service (IaaS) supports many millions of websites and internet facing services globally. Research suggests the total market for hosted services is expected to grow from about $76B in 2010 to nearly $210B by Public Cloud Services Market Billions of Dollars Example Financial Loss from a Sustained DDoS Attack As usage of the internet has exploded, so has the variety of hosting companies. Distributed Denial of Service (DDoS) attacks have become the vector of choice for criminals to attack their desired targets. Often, these targets are customers of unsuspecting hosting companies who merely provide a reliable infrastructure & platform services to SaaS companies, websites, and other online applications. DDoS attacks are widespread. They harm the target as well as other customers supported by the hosting company. The attacks are often powerful enough to cause service interruption across the entire hosting operation. Criminals have various motivations and means behind their attacks. Some use an arsenal of compromised servers to launch their attacks. Some are motivated by grievances, financial gain, or simply for sport. DDoS Details Size: 110 Gbps Total Duration: 48 hours Time to RTBH: 30 minutes Hosting Facility Business: Cloud Hosting Annual Revenue: $10M Network: 4x10 Gbps Transit Target of DDoS: Retail Website SLA 99.99% Violation: minutes SLA Policy: 1 day for violation Customer MRR for Hosting: $20,000/month ACV for Hosting: $240,000 Annual Revenue: $5M Downtime: 2 days Impact Customer Loss: $28,000 At this point, the client will relocate their services to another provider due to downtime. This results in an ACV loss of $240,000 to the hosting provider. Hosting SLA credit: $27,000 Total Impact: $295,000

4 Networks for Hosting - An Overview The purpose of this paper is to provide you with information about the true costs of a DDoS attack. We will discuss the history of these attacks and their far reaching impacts. Businesses often only see the immediate damage caused by a DDoS attack (bandwidth) and forget to look at the big picture ramifications (SLA violations, customer loss, public image, etc). First, let s have a look at common networks used in hosting. Typically, hosting environments are redundant. In such an environment, a pair of redundant edge networks terminate public IP transit and peering. These networks then feed on-premises firewalls which then go to an aggregation layer. This aggregation layer is then fed into switches in each rack inside of the datacenter. The rack switches then feed end user services & equipment. In this type of network, any single point, up to an entire half of the network can drop without the rest of it experiencing service impact. Network architects identify needs for a firewall which is capable of providing a level of stateful filtering, ACL, and any other necessary security features.

5 Networks for Hosting - RTBH Remote Triggered Black Hole Filtering (RTBH) Remote Triggered Black Hole (RTBH) filtering is a technique that allows a network to block undesirable traffic (i.e. a DDoS) before it enters your network. In the context of network security, a black hole is implemented when an attack is detected. Routing traffic to a black hole can be used to drop all attack traffic at the edge of your network. RTBH is performed on a destination address using BGP. It s effective for quickly dropping traffic that you do not want entering your network. RTBH Problems 1. If the target IP is not identified within several seconds, the network can become saturated. This can result in collateral damage impacting other customers. 2. The customer is effectively taken offline, thus the attackers original goal is achieved. 3. If the attacker attacks hundreds or thousands of IPs simultaneously, black holing becomes impossible due to BGP advertising limitations which are imposed by your upstream provider.

6 Networks for Hosting - Transit Costs Overview of Transit Costs When a hosting company purchases transit from a provider such as Cogent or GTT, they buy based on several paramaters: number of ports, total port capacity desired, and the data rate they commit to over those ports. If you ran a hosting operation, you might have utilization of around 15 Gbps, but have a peak usage of 20 Gbps. To grow, you decide you want 30 Gbps of total capacity from one of the providers mentioned earlier. This lets you burst to 20 Gbps periodically without any problems. In this scenario, you choose to buy 15 Gbps of Committed Data Rate (CDR), 20 Gbps, or 30 Gbps. If you re like most hosts, you ll buy 15 Gbps for around $1/mbit using 95th percentile billing. Using this type of billing, 300 second samples are obtained from your interface and the top 5% are thrown out. The immediate next value is your 95th percentile billed value. You re now paying around $15,000/month for your transit. Because your 20 Gbps bursts are infrequent, you won t be billed for the additional transit. That makes for a fantastic deal. DDoS Impact on Transit Costs Let s assume that you ve got a 30 Gbps network and you are the victim of a 10 Gbps DDoS attack. That s where you can handle the attack. Your network engineers block the attack using ACLs at your border router and they manage to do it once. But, future attacks will not be so easy to thwart. So, you purchase a DDoS appliance. You re now experiencing 10 Gbps DDoS attacks more frequently and you re filtering them for days at a time. Everything appears fine until your transit provider now sends you a bill for your original 15 Gbps and adds another 10 Gbps to it, thus bringing your total monthly bill to $25,000. Not only did you spend a lot on DDoS protection equipment, you ve not got to spend additional money on transit. It seem impractical to expand your network to 100 Gbps and mitigate an 80 Gbps attack. You may be able to obtain the available port capacity from your provider using a 20% CDR, but it s not worth it. The first 80 Gbps DDoS attack that comes in for more than 36 hours will cost you about $80,000.

7 DDoS Attacks Explained Historical Overview: Smurf One of the earliest known DDoS attacks, called Smurf was written by TFreak in The attack was quite popular. In this attack, ICMP packets would be spoofed to originate from the target s destination address and then sent to a network broadcast address. Network devices would respond, by default to this broadcast request and in turn respond to the spoofed source address. If the network contained a sufficient number of host systems to reply to these packets, the victim network would be flooded with an onslaught of ICMP packets. This attack was rendered ineffective via three changes: 1. Routers were configured to not forward packets to the broadcast address. 2. Systems were configured not to respond to broadcast requests or to even reply to ICMP at all. 3. Networks installed ingress & egress ICMP filters or policers. Historical Overview: Bang This attack is less widely known. Bang was a relatively uncommon attack written by Sorcerer. The attack is capable of amplifying TCP by about 2-3x. In a TCP Bang attack, the attacker spoofs the victim s target IP as usual, and sends a TCP SYN (new connection) to any number of public systems with open TCP ports. The system would then reply with 2 to 3 TCP SYN-ACK packets to the intended target. The interesting thing about this attack is that it is relatively simple to launch, requires no vulnerabilities in target hosts, and can leverage any open TCP service. To stop this attack, target systems would have to employ intelligent stateful firewalls that prohibit repetitive connections in quick succession. However, because this attack can leverage any open system, the attack does not need to reuse the same amplifier multiple times in quick succession. The source code to this can be found on A quick review of the code shows that it is very simple, which is why it s such an elegant attack. Historical Overview: NTP Network Time Protocol is used to synchronize systems with centralized servers to within a fraction of a second of coordinated universal time (UTC). NTP operates over the public Internet and achieves fairly high reliability through its algorithm. The protocol is traditionally used as clientserver. NTP is susceptible to man-in-the-middle attacks unless encryption is employed. NTP operates on port 123 TCP and UDP. NTP based attacks work similar to UDP amplification attacks. The attacker sends a small packet with spoofed source information via UDP to the NTP server. This packet contains a command like monlist which requests a a large amount of data from the NTP server. The NTP server sends this data to the spoofed source in the original small packet. In effect, a few bytes of data can generate megabytes worth of traffic.

8 DDoS Attacks Explained DDoS Attacks for Hire Building a botnet to mount attacks used to be a complex process that involved hacking many compromised systems and using those systems to attack other servers while maintaining everything. The botnet would be available for the use of the attacker and the attacker s associates. This was a sophisticated process that involved countless hours of work to build an effective large scale botnet. The paradigm for botnets & DDoS attacks has morphed in recent years. Typically, the rate for a DDoS botnet rental is about $175 for about 8,000 to 12,000 bots. The rate varies based on the effectiveness of the bots and the size of the network. The type of attack also figures into prices paid. Some botnets are also specific to a certain geographic region while some are designed for maximum volume impact. Trends in DDoS Attacks In the quarter ending in September 2013, hosts experienced a sharp rise in the number of DDoS attacks. Primary target industries included: Financial Services: Banks & Payment Processors Video Gaming Online Retail That particular quarter showed a dramatic rise in high throughput attacks exceeding 40 Gbps. As mentioned previously, there has been a trend towards larger attacks for over a decade so this is unsurprising. A key point is that September saw a 5x rise in the number of attacks exceeding 40 Gbps and a 2x rise in the number of attacks exceeding 10 mpps. This likely signifies there are more DDos-as-a-Service operators who make their botnets available for a fee. This allows subscribers to launch more large scale attacks. <1 Gbps 1-5 Gbps 5-10 Gbps Gbps Gbps >40 Gbps

9 Reducing the Risk How can hosts reduce their risk? Hosts provide the fundamental infrastructure that allows the Internet to function properly. As such, they will always be targeted by criminal attackers resulting in impacts to their customers. While this may be true, hosts are always improving and expanding their infrastructure to serve an ever growing connected population. This improves uptime and functionality. Unfortunately, such growth is usually done with little thought put toward security. As the hosting industry grows, attacks will likely become more prevalent. Criminals will continue to exploit any means of impacting their selected targets and the black market makes it easy for DDoS attacks to be launched. The black market has only begun to mature and take shape so we expect rapid growth over the next several years. Facilitating DDoS attacks has become a profitable business. To help mitigate the risks discussed throughout this paper, the following countermeasures should be employeed: Cloud based DDoS Protection. This service can help buffer the impact of large-scale attacks. Cloud providers would receive prefix advertisement over BGP to protect your network. On-premises DDoS Detection Appliances. These appliances serve to automatically blackhole the target IP thus allowing your cloud mitigation system to be activated to protect your network. Tightly Controlled Firewalls. Limiting unnecessary traffic and allowing only what is required can help reduce the overall impact of DDoS attacks. How can hosts reduce their risk? Ignoring the threat posed by DDoS attacks can be a costly and risky decision. The cost of a single attack can easily violate an SLA, forcing hosts to pay out large sums in SLA credits. It can result in damage to your brand as well as a direct loss of customers. At the very least, a RTBH strategy is necessary. Appliances can help as well. This can dramatically reduce the potential for network downtime caused by DDoS attacks. Cloud based mitigation is another strategy. This is like an insurance policy in that rather than paying for large amounts of transit as a hosting provider, you offload your company s DDoS expenses to a cloud provider. The provider pays for the massive bandwidth charges which shields you from this risk. You ve also got the added benefit of not requiring any DDoS mitigation equipment of your own. The most comprehensive solution is the combination of DDoS monitoring appliances on premises coupled with cloud-based mitigation. This allows the flexibility of protecting your network while only having specific resources routed through cloud-based mitigation.

10 We have partnered with Staminus A solid partner is the best defense. At Total Server Solutions we have researched numerous DDoS mitigation strategies. After carefully examining all other solutions, we have chosen Staminus to be our partner in helping with DDoS mitigation. Their solutions are a perfect fit for our customers and the way we do business. Like us, they pride themselves on providing the best experience to their customers. We want to protect you, and Staminus wants that too. It s a perfect fit. Who is Staminus? Staminus provides the most advanced automated DDoS mitigation system in the industry. They re powered by an ever-growing network that is dedicated solely to DDoS mitigation. With three patent-pending mitigation technologies, Staminus is capable of providing robust DDoS mitigation to customers of all sizes. Staminus has over 15 years of experience developing mitigation solutions that maximize performance, scalability, flexibility, and reliability. At its core, Staminus is powered by people. Everyone on the Staminus team has been selected for their understanding of network security concepts as well as their ability to build and contribute to a tight-knit, focused, and committed team of experts. You trust your data to Total Server Solutions so trust our choices that will help keep you safe

11 How much does it cost? DDoS Mitigation Pricing DDoS protection is something that we can provide to our customers on an as needed basis. Plans are based on a commitment cost per mbps of clean, inbound traffic. Please contact our sales team if you have any questions about our DDoS mitigation services. Bandwidth Cost Per Megabit Total Commit Cost Under 100 mbps $10.00 $1, Under 75 mbps $11.00 $ Under 50 mbps $12.00 $ Under 20 mbps $14.00 $ Under 10 mbps $18.00 $ Under 5 mbps $20.00 $100.00

12 Atlanta, GA, USA Chicago, IL, USA Dallas, TX, USA Los Angeles, CA, USA Phoenix, AZ, USA Weehawken, NJ, USA Salt Lake City, UT, USA Seattle, WA, USA London, United Kingdom Toronto, Canada Amsterdam, Netherlands