How valuable DDoS mitigation hardware is for Layer 7 Sophisticated attacks

Transcription

1 How valuable DDoS mitigation hardware is for Layer 7 Sophisticated attacks Stop DDoS before they stop you! James Braunegg (Micron 21)

2 What Is Distributed Denial of Service A Denial of Service attack (DoS) is any intended attempt to prevent legitimate users from reaching a specific network resource, from a single source. Distributed Denial of Service attack (DDoS) is an extension to a DoS attack however is harder to mitigate because source traffic is from multiple source addresses. The attack traffic can be difficult to distinguish from legitimate traffic.

3 The Open Systems Interconnection model (OSI)

4 Types of DoS Attacks Layer 3 (Network Protocol) - (DoS, DDoS, DRDoS, CDRDoS) IP Address attacks targeting network bandwidth - UDP Flood style attacks DNS, NTP, SSDP, CHARGEN, SNMP. Layer 7 (Application Protocol) (DoS, DDoS) TCP attacks on server sockets HTTP attacks on Web server threads Protocol Attacks (SYN flood, fragments) Packet Storm (Excessive PPS) Resource Starvation (CPU, I/O, Memory) Stealth/Creeper (Slowloris, Slow POST) Exploit (Application or OS Specific DoS) They attack the top layer OSI model, They have low bandwidth consumption. They have a legitimate and stealth appearance. They re mostly non-volumetric. They re increasingly popular. There are a variety of methods, targets, and open-source tools. They re difficult to defend against.

5 Common DDoS Defensive Techniques Simple Site Failover Null Route (Black Hole) (Automated or Manual) Anycast BGP Multi Home Onsite Web Application Firewall Load Balancing Appliances Commercial Hardware Solutions On Premises Commercial Solutions In the Cloud

6 Large Global Denial of Service attacks Largest 400G DDoS Attack in History February 2014 NTP Reflection Attack Second Largest300G DDoS Attack in History March 2013 DNS Reflection Attack Gaben Laser Beam (GLB )

7 Large Denial of Service attacks Micron21

8 CDRDoS 40gbit Internationally 1.2gbit Domestic

9 Micron21 Statistics Long Term Average Since Jan 2013 Long term average attack lasts 34.5 hours China is #1 origin of DDoS traffic, making up 40-50% of all unwanted traffic activity 25% of attacks are against Infrastructure (Layers 3 attacks) 75% against Connection and Applications (layer 4 to 7 attacks) 75% of all attacks are under 1 Gbit 20% of all attacks are under 4 Gbit 5% of all attacks are above 4 Gbit

10 Layer 4 to 7 Attack Vectors Tools used by Faceless Hacker in Layer 4 to 7 Attacks HTTP GET Flood Syn Flood Attack Ack Flood Attack SSL Based Attacks - CURL back track, THC SSL very hard to detect LOIC Low Orbit Ion Cannon R.U.DY R U Dead Yet Slowloris Pylorius DDoSim THC-SSL-DOS Dirt Jumper Drive2 Method: HTTP flood, SYN flood, POST flood, and more. Tor s Hammer Method: Slow POST Nuclear DDoSer Method: Slow POST Railgun Method: Slow POST HTTP has a 60 known vulnerabilities which can be attacked

11 Micron21 Total Attacks Since January 2013 Attack Type Attack Count Dropped Traffic Dropped Traffic (packets) Percentage of Dropped Traffic Percentage of Attack Type SYN-Flood 544, G M Less than 1.0% 43% ACK-Flood 161, G M Less than 1.0% 12.8% UDP-Flood 111,429 2,660,087 G (2597 TB) 47 Billion 98.0% 8.9% ICMP-Flood 2, G M Less than 1.0% 0.23% Conn-Flood 173, G 8.6 M Less than 1.0% 13.8% Stream-Flood 131, G 93.4 M Less than 1.0% 10.4% Others 126, G 12.8 M Less than 1.0% 10.1%

12 Current Active DDoS Attacks - 42 Current 19 th Aug :14pm Total Data PPS Target Type Port Peak Speed 0.05GB Others Mbps 0.0GB Stream Flood Mbps 0.0GB SYN-Flood Mbps 0.0GB Conn-Flood Mbps 0.0GB ACK-Flood Mbps 0.0GB SYN-Flood Mbps 0.0GB Conn-Flood Mbps 0.0GB SYN-Flood Mbps 0.0GB SYN-Flood Mbps 0.0GB ACK-Flood Mbps 0.0GB SYN-Flood Mbps 0.0GB Conn-Flood Mbps 0.0GB ACK-Flood Mbps 0.0GB SYN-Flood Mbps 0.0GB ACK-Flood Mbps 0.0GB SYN-Flood Mbps 0.0GB SYN-Flood Mbps 0.0GB ACK-Flood Mbps 0.0GB SYN-Flood Mbps 0.0GB Conn-Flood Mbps 0.0GB Conn-Flood Mbps 0.0GB Others Mbps 0.0GB SYN-Flood Mbps 0.0GB SYN-Flood Mbps 0.0GB ACK-Flood Mbps 0.0GB SYN-Flood Mbps 0.0GB Conn-Flood Mbps

13 Firewalls and Layer 4 to 7 Attacks Why they FAIL

14 Juniper SSG550M Firewall Specifications ScreenOS version tested ScreenOS 6.2 Firewall Perf (Large Packets) Firewall Performance (IMIX) Firewall Packets Per Second 3DES+SHA-1 VPN Perf 1+ Gbps 1 Gbps 600,000 PPS 600 Mbps Concurrent VPN Tunnels 1,000 Max Concurrent Sessions 256,000 New Sessions/Second 15,000 Max Security Policies 4,000 Max Security Zones 60

15 Juniper SSG 550m Hardware Firewall

16 ACK Flood Juniper SSG 550m Firewall BOTNET 983 hosts Each bot sends 8 packets per second at 25 bytes in size 7832 packets per second 1.5mbits of traffic Juniper SSG 550m 0.25m TCP sessions fails in 32 seconds Juniper SRX 1400 / Sonic Wall SuperMassive m TCP sessions fails in 3.2 minutes Juniper SRX 3400 / Sonic Wall SuperMassive E10200 TCP 3.0m sessions fails in 6.4 minutes Juniper SRX 5800 / 100m sessions (over $1m investment) unlikely to fail with this attack

17 Layer 4 to 7 Attacks Prevention How Does Micron21 Prevents Stateful devices from failing? IE. Firewalls and Load Balancers?

18 Micron21 DDoS Mitigation Shield

19 So How Does NSFOCUS work How Does the ADS Clean Traffic

20 NSFOCUS ADS Collapsar Attack Mitigation 流 量 清 洗 系 列 ADS ADS 2010 (2G) ADS 2020 (4G) ADS 4020(10-20G) ADS 6020 (20-40G) 1,488,000 pps 2,976,000 pps 8,928,000 pps 14,880,000 pps

21 ADS -- Multilayer Cleaning Attacker Internet Traffic Cleaning Center Protocol Analysis Access Control List Reputation List Layer 4 Flood Mitigation Layer 7 Flood Mitigation 6 Rate Limit 1. Protocol Analysis Protocol Validation by RFC Check 2. Access Control List Layer 4 ACL Conn-Exhaustion ACL URL ACL 3. Reputation List White/Black List Dynamic Prioritizing 4. Layer 4 Flood Mitigation Source/destination IP address check/verification Various mitigation algorithms 5. Layer 7 Flood Mitigation Various mitigation algorithms Pattern Matching 6: Rate Limit Restricts traffic and ensures the critical business.

22 Packet Inspection and Capture Netflow information is useless in application DDoS detection; you need advance packet inspection along with behavioral patterns.

23 Dr Julian Hirst ACK Attack

24 Zero Day Real time Defense

25 Selected Clients - NSFOCUS provides over 4000G+ DDoS mitigation capacity to global customers Hosting, IDC, ISP, MSSP Internet Service Providers/Online Gaming Telecommunications Korea Telecom Banking and Finance Enterprises

26 About NSFOCUS Corporate Member HQ Overview Regional Subsidiaries Global Business HQ: Santa Clara, USA Place your text here CN HQ: Beijing Founded in 2000 Over 1,600 employees Place your text here Jan IPO Over 13 years experience in DDoS mitigation Dedicated to network security Place your text here US: Santa Clara, US EMEA: London, UK Japan: Tokyo, JP APAC: Singapore

27 THANK YOU! come and talk with us on our booth. Contact