Stop DDoS Before They Stop You! CNNIC Conference

Transcription

1 Stop DDoS Before They Stop You! CNNIC Conference 09/2013

2 INTERNET ATTACK(DDOS & WEB) ANALYSIS AND SOLUTIONS

3 The endless war 2013 Mar. 2013, Izz ad din Al Qassam initiated 3rd round attack that target to U.S. Banks, including Bank of America, Citigroup, Wells Fargo, US Bancorp, PNC Financial Services Group Inc, Capital One, Fifth Third Bank, BB&T and HSBC. Mar. JP Morgan Chase website offline due to DDoS; Mar. DDoS attack targed to Czech telecom, banks website; Feb. Anonymous OpEgypt targeted to Egypt government websites; 2012 Jul. Anonymous Operation Japan attacks to Japanese government websites; Mar. DDoS attacks to Hong Kong The Chinese Gold & Silver Exchange Society; Mar. DDoS attacks to NASDAQ; Feb. DDoS attacks to U.S. Department of Justice, U.S. Copyright office, Mexico government websites; Brazil s top financial institutions, including Banco Bradesco and Banco do Brasil; local and global websites of U.K.'s HSBC Holdings PLC 2011 Malaysia Action, over 50 Malaysia government and financial websites bi under attack; Sony lost over 2 billion USD because of Anonymous attack; Visa, Paypal Amazon also underwent attacks and paralysed in revenge for terminating donation account for wikileaks. Korea 40 Government Websites and corporate institutions under attack, which h including Presidential loffice, National Nti lintelligence Service, Foreign Ministry, Defense Ministry

4 We are Anonymous Anonymous: The Unseen Driving ii Force

5 DDoS Trends in 2013 H1 DDoS Attack Frequency 5% 1% 1% Jan Feb Mar Apr May Jun 21% 43% Bank Government Enterprise NPO 29% ISP Other Figure 2 DDoS Attacks Monitored by NSFOCUS Figure 5 Targets of Major DDoS Attacks TCP_FLOOD 38.7% The combination of Hybrid DDoS Attacks HTTP_FLOOD DNS_FLOOD 13.1% 37.2% 9.8% 10.8% HYBRID_FLOOD UDP_FLOOD OTHER ICMP_FLOOD 4.1% 3.5% 10.2% 50.6% 3.0% 18.5% 0.3% ICMP+TCP+UDP ICMP+TCP+UDP+DNS ICMP+TCP TCP HYBRID Other 0.0% 5.0% 10.0% 15.0% 20.0% 25.0% 30.0% 35.0% 40.0% Figure 8 Methods of DDOS Attacks Source: NSFOCUS Mid Year DDoS Threat Report 2013

6 Findings of DDoS Trends Findings from NSFOCUS Mid year DDoS Threat Report 2013 : One major DDoS news event happened every two days and one common DDoS attack happened every two minutes; DDoS motives Hacktivism tops the list; DDoS victims Most likely targets were banks, governments and enterprises; More than 68 percent of victims are suffering multiple attacks; TCP Flood and HTTP Flood remain the most popular attack methods; Most DDoS attacks are short, over 90% less than 30mins Most attacks are not very big, over 90% less than 2Gbps and 69% less than 0.2 Mpps Hybrid attacks are becoming more prevailing 91.1% Hacktivism i Business Crime Cyber War Other 2.2% 2.2% 4.4% Figure 3 Causes for Major DDoS Attacks Source: NSFOCUS Mid Year DDoS Threat Report 2013

7 The Scope of the Damage by DDoS Attacks Motivations: Organized Crime, Political Protest, Hactivism, etc State & Country Telecom Carriers Damage on Infrastructur e IDC & ISP Reputation loss Government & Financial Enterprises Economic loss

8 Operation Malaysia(2) LOIC:Low Orbit Ion Cannon

9 Why Anonymous always win the game? Attack Tools 1 HOIC 2 LOIC Type HTTP GET Flood HTTP GET Flood TCP Flood UDP Flood Methodology Simulates HTTP requests by setting connection threads, editing scripts for random headers or random URLs Simulates requests via selecting different protocols and setting attack connection threads, ports, and etc. 3 R U Dead Yet? HTTP POST Flood A type of connection exhaustion attacks that consume all the resources on the target servers 4 DDoSim 5 Slowloris 6 Pyloris HTTP GET Flood HTTP GET Flood HTTP GET Flood Simulates several zombie hosts (having random IP addresses) which create full TCP connections to the target server, and then starts conversations with the listeningapplications (e.g. HTTP servers) Sends partial HTTP requests to hold connection open to exhaust web server resources PyLoris is a scriptable tool for testing connection exhaustion attacks. It is a Python implementation of Slowloris Attackers will employ more diversified and varying attack methods instead of simply sending attack packets in a crazy manner.

10 <Operation Ababil> Attack Case 1

11 Background/Phase Protest Disaster cased by a film clip Attack Cyber Fighters set up DDoS attack to Banks of the U.S. Named as Operation Ababil 2 Phases Phase 1, 5 weeks ( ) Phase 2, 7 weeks ( ) Pause/Continue attack pause attack continue

12 Characteristics Big Traffic Volume 1. Web Servers as Zombie 2. Dozens of G 3. Numerous Zombies Last Long Time DDoS Multiple Attack Methods 1. Network Layer: TCP/UDP/ICMP Flood 2. Application Layer: HTTP/DNS Flood Multiple targets 1. Several months 1. Dozens of finance institute 2. APT alike 2. ISP

13 Operation Steps Vulnerable admin passwords Software Vulnerabilities Known: Zombies are Web Server!! 1. TimThumb of WordPress 2. Joomla Penetrate Web Servers Penetrate numerous high-bandwidth Web Servers Use multilayer attack mode Use some Web servers as C&C servers, the others as zombies; Upload PHP DDoS tools to zombies; Launch DDoS attack Zombies launch DDoS attack to targets

14 Attack Tools Name Itsoknoproblembro Type TCP Flood UDP Flood HTTP Get Flood HTTP Post Flood Kamikaze HTTP Get Flood Amos HTTP Post Flood

15 <Spamhaus VS. Cyberbunker> Attack Case 2

16 ICP VS DC, Cyberbunker has relationship with criminals from East Europe and Russia, is behind recent network attacks 1 2 Spamhaus abused its position, it has no right to decide what content can appear on the Internet and what cannot.

17 MSSP step out, VS DC 5 4 Help! I got attacked DDoS!! Just 75G, got it done, you can do some marketing 3 We have been attacked continuously for 1 week, but we kept standing, never down. You cannot imagine how much efforts our engineers made. Such attack can swallow everything.

18 MSSP became Target 6 5 You dare to help him! I will strike you instead. 4 Help! I got attacked DDoS!! Just 75G, got it done, you can say something about it Attacked from Mar 23, G, targets are not ordinary equipments, but CloudFlare BGP direct peering and IX, attacks are totally out of control. Attacks to IX include London LINK, Amsterdam AMS-IX, HK- IX, Frankfurt DE-CIX, etc. Among them, London IX got influenced most significantly, caused direct effects to Internet Business within.

19 ISP got effected 6 5 You dare to help him! I will strike you instead. 4 Help! I got attacked DDoS!! Just 75G, got it done, you can say something about it If this goes on, the entire network of Europe will down, you have to stop, CloudFlare, we need to talk about how to solve the problem. 7

20 Words after Event We will continue our righteous career, we will not be stroked down, we are the best! There is no evidence saying that we are responsible of the action. We will persist in our belief, Freedom Internet! We should keep low profile, thanks for the collaboration of everyone, we need to improve. You made so much trouble to us, and we did not earn any money from these work. Last year, we have warned that we need to pay attention to the right configuration of DNS server, you see

21 What we got from the event? DDoS and Web attack devastate Data Center Web Hosting business. Both of the 2 attacks are complicated, but in different ways. Data Centers need to mitigate DDoS and Web attack simultaneously, accurately and cost- effectively. How to transfer from DDoS attack mitigation to Web attack mitigation smoothly as the attack changes? For instance, DDoS attack from 1G to 40G to 100G to 400G, and change from DDoS attack to Web attack.

22 Internet Infrastructure and Web Security Solutions

23 Understanding DDoS/BOTNET Router overloaded Bandwidth consumption DNS

24 DDoS Protection Over Time Stone Age Medieval Age Current Age Block Ips; Black hole; Load balance; Dedicated DDoS System enhancement; IPS/NGFW; Mitigation System; High performance router Multi layer cleaning; and switch; Traffic Diversion;

25 DDoS Mitigation - Multilayer Traffic Cleaning Algorithm Attacker Internet Traffic Cleaning Center Protoco ol Analysi is Access Control List Reputat tion List Layer 4 Flo ood Mitigatio on Layer 7 Flo ood Mitigatio on 6 Rate Limit 1. Protocol Analysis Protocol Validation by RFC Check 2. Access Control List Layer 4 ACL Conn-Exhaustion ACL URL ACL 3. Reputation List White/Black List Dynamic Prioritizing 4. Layer 4 Flood Mitigation Source/destination IP address check/verification Various mitigation algorithms 5. Layer 7 Flood Mitigation Various mitigation algorithms Pattern Matching 6: Rate Limit Restricts traffic and ensures the critical business.

26 Out-of-path full-diversion Solution Traffic Cleaning NTA EBGP Attack Detection- NTA ADS Advertisement Router Attack Logs Traffic Diversion, i Attack Mitigation, Traffic Reinjection - ADS Applicable for Telecom Carriers, IDC, and MSSP Benefits: Only the traffic to target server are diverted; Automatic attack detection and cleaning process will simplify operator s work during attack prevention process; High reliability, the out-of-path deployment will not affect other traffic. And the traffic direction will recovered itself if the ADS product out of work Switch ADS-M

27 The thought of DDoS mitigation from box mitigation to value-added service Multi layered collaboration Internet Mgt. & Operation 100G ISP1 Anti DDOS Solution Traffic Monitoring 10G to 40G Data Center /MSSP ADS ADS ADS Attack Mitigation 1 10G Hosting ADS/WAF Traffic monitoring + DDoS mitigation; Out of path traffic diversion; CPE Web security (WAF) + Cloud cleaning service; Enable Web hosting provider become MSSP;

28 DDoS Attack Mitigation 100G 10G to 40G 1G Internet ISP1 IDC2 Web Hosting 1. IP address Verification Source/destination IP address check/verification 2. Access Control List Layer 4 ACL Conn-Exhaustion ACL URL ACL 4. Protocol Analysis Protocol Validation by RFC check 3. Reputation List White/Black List Dynamic Prioritizing 5. Layer 4 Flood Mitigation Source/destination IP address check/verification Various mitigation algorithms 6. Layer 7 Flood Mitigation Various mitigation algorithms Pattern Matching 7: Rate Limit Restricts traffic and ensures the critical business. It has been consensus in Data Center industry that the best place to stop DDoS attack, e.g. SYN flood, is in backbone network, since the attack traffic volume can be large, e.g. 10Gbps. Data Center usually provides DDoS attack mitigation as a part of its infrastructure service.

29 Web Attack Mitigation Internet On the other hand, Web attack, e.g. SQL Injection, is not large in volume, but its payload goes up to data level. Data Center usually provides Web attack mitigation as a dedicated service to Web Hosting customer. 100G ISP1 1. Network Access Control 6. HTTP Flood Protection 2. TCP Flood Protection 5. Data Normalization 3. HTTP Termination 4. SSL Decryption 10G to 40G 1G IDC2 Web Hosting 7. HTTP Validation 12. Customized Protection Mechanism White List Smart Patch Custom Security Exception Policy 8. HTTP Access Control 11. Behavior-Based Protection Illegal File Upload Illegal Download Information Disclosure Leech CSRF Scanning Cookie Hijacking 9. Web Server and Plug-in Protection 10. Rule-Based Protection Crawler XSS SQL Injection LDAP Injection SSI Command Injection XPath Injection Command Line Injection Path Traverse Remote File Inclusion

30 Next step - Cloud Pipe End Security Ecosystem Automatic collaboration between DDoS mitigation center, WAF(CPE) and Cloud MSS center. 24 x 7 Monitoring 4 Cloud Assessment: Remote web scanning and collaborates with WAF to provide smart patches to web servers; On premises protection: NSFOCUS WAF (CPE) takes care of application layer web attacks; Traffic Cleaning: WAF collaborates with ADS traffic cleaning cea gcenter e when attack ac scale exceeds its capacity; MSS Platform: All components are able to work with NSFOCUS 7 24 MSS pa platform and depe expert team. Security Experts Application layer attacks Attackers Managed Security Service Platform 1 Smart patches WAF 24x7 Monitoring Volumetric attacks Scanning Cleaning Center 2 Internet Escalation IDC ADS ADS ADS 3 Pipe Server farm End

31 Scenario 1:Remote Correlation Attack Traffic< CPE WAF Threshold Attack Traffic CPE WAF Threshold Correlation Clean Traffic IDC Botnet Internet Cleaning Center Anti- DDoS Anti- DDoS DDoS GRE Tunnel WAF WAF ADS Online Trading Finance Gaming

32 Scenario 2:Data Center Internal Correlation Attack Traffic< CPE WAF Threshold Attack Traffic CPE WAF Threshold Correlation Clean Traffic Botnet Internet IDC Anti- DDoS Anti- DDoS Cleaning Center WAF WAF ADS Online Trading Finance Gaming

33 An Living DDoSMitigation Example

34 Micron21 DDoS Mitigation Scenario USA DDoS Attack Traffic Cleaned Traffic Cogent IP Transit Direct Peering Direct Peering HE IP Transit nlayer IP Transit DDoS Portal ADS 6020 ADS M Mgt. Southern Cross To M21 DC

35 A living 17G DDoS attack mitigation example

36 DNS ATTACKS ANALYSIS AND SOLUTIONS

37 DNS Attack Event

38 DNS Cache Poisoning

39 A Common Example

40 Recommended Solutions 1. Split the authoritative Name Server and recursive Name Server 2. DNS redundancy 3. Update the OS and DNS Application 4. Firewall Policy Access Control List 5. Hide the OS or DNS Application Version 6. Change and restrict the DNS Root(Chroot) 7. Use random message IDs in queries(use id pool) 8. Running BIND with Least Privilege 9. TSIG (Transaction SIGnature) 10. DNSSEC(DNS Security Extension)

41 DNS Amplification Attack(DNS reflection attack)

42 Recommended Solutions Limiting Recursion to Authorized Clients Source IP Verification: spoofed IP Disabling Recursion on Authoritative Name Servers Restricting name server to answer certain queries: Rate Limiting Response of Recursive Name Servers Preventing Unauthorized Zone Transfers

43 DNS Query Flood DNS Query Flood Pattern Match is the main cause of CPU load DNS server could handle 9,000 dynamic Domain name requests per second. A normal PC can send more than 10,000 requests per second. The Random domain name queries cause DNS server to generate recursive queries to parent DNS and overloaded. DNS server denies normal services, which affects business directly. Targeted DNS Server

44 NSFOCUS Solution 1 TC Bit Algorithm UDP Limitation Algorithm Instruction Truncate Bit UDP TCP DNS policy setting DNS Query DNS Response with TC Bit SYN (53) SYN+ACK ACK Force the client to use TCP Verify the client during the TCP process FIN+ACK DNS Query Client ADS Server

45 NSFOCUS Solution -2 ACL RFC PORT LEN FRAG Patten Matching Trigger UDP Threshold Src IP Bandwidth Limit DNS TC -BIT Dst IP Bandwidth Limit

46 NSFOCUS Solution -3

47 About NSFOCUS Regional HQ and Offices: R&D Centers Beijing, CN Beijing Santa Clara, US Chengdu Tokyo, Japan Xian London, UK Wuhan KL, Malaysia Microsoft Active Protections Program (MAPP) Partner

48 NSFOCUS Product Family for Global Market Assessment Protection Monitoring NSFOCUS RSAS WbA Web App Scanning & Vulnerability Mgt. NSFOCUS ADS Anti DDoS System NSFOCUS WAF Web Application Firewall NSFOCUS NIPS Network Intrusion Prevention System CMADS, CMWAF MSS Service ADS 2010/2020 ADS 4020 ADS 6020

49 THANKS! Info