DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest

Transcription

1 DDoS Attacks: The Latest Threat to Availability Dr. Bill Highleyman Managing Editor Availability Digest

2 The Anatomy of a DDoS Attack Sombers Associates, Inc

3 What is a Distributed Denial of Service Attack? An attempt to make an Internet service unavailable to its users. Saturate the victim machine with external traffic. The victim machine: - can t respond to legitimate traffic or - is so slow as to be essentially unavailable. Address of attacker is spoofed: - victim machine can t block traffic from a known source. Commonly constitutes violations of the laws of nations. Sombers Associates, Inc

4 What is a Distributed Denial of Service Attack? Malware attacks do not generally pose a threat to availability: - they are aimed at stealing personal information, other data. DDoS attacks are a major threat to availability. - they have been used to take down major sites for days. - they are easy to launch and are difficult to defend. - DDoS attacks are increasing over 50% annually. Sombers Associates, Inc

5 What is a Distributed Denial of Service Attack? Reasons for DDoS attacks: - revenge - competition - a cover for another attack Sombers Associates, Inc

6 How Can So Much Traffic Be Generated? By Botnets Typical attacks generate about 10 gbps of malicious traffic. - one PC can generate about one megabit/sec. of traffic. - it takes about 10,000 PCs to generate 10 gbps of traffic. - this is a botnet. A botnet is a collection of computers: - whose security defenses have been breached. - where control is conceded to a third party, the bot master. The bot master controls the activities of the compromised computers. Sombers Associates, Inc

7 How Can So Much Traffic Be Generated? By Botnets More recently, servers have been included in botnets. A large server can generate a gigabit/sec. of malicious traffic: - one thousand times that of a PC. Ten large servers can generate as much traffic as 10,000 PCs. Servers are infected via network vulnerabilities. The latest attacks have generated 100 gbps of malicious data: - combination of infected PCs and servers. Sombers Associates, Inc

8 The Anatomy of a DDoS Attack DDoS attackers depend upon infecting thousands of PCs. A typical infection sequence is: - a user succumbs to a phishing attack (opens a malicious or visits a malicious web site). - a Trojan is injected into the machine, opens a backdoor. - a bot infection is inserted into the PC via the backdoor. - the bot infection establishes connection with the bot master. Sombers Associates, Inc

9 Phishing Phishing masquerades as a trusted entity in an electronic communication: , web site. Designed to get sensitive information like account numbers, SSNs by: - tricking users to respond to . - leading users to a spoofed web site that looks real. s can carry malicious executables or web site links. Malicious executables or malicious web sites can infect the PC: - used to inject a Trojan to create a backdoor into the PC. User training send them phishing messages that take them to a web site that informs them that they have been phished. Sombers Associates, Inc

10 Trojans Creates a back door allowing unauthorized access to the target computer. Main purpose is to make the host system open to access from the Internet. Installed via malicious s or Internet applications. Consequences: - controlling the computer system remotely (botnets). - also, keystroke logging, data theft, installing other malware. Sombers Associates, Inc

11 The BYOD Conundrum Sombers Associates, Inc

12 The BYOD Conundrum Bring Your Own Devices (BYOD) are the new gateways into corporate networks: - employees using smart phones, tablets, notebook computers. - conducting their work at home or on the road. - connecting outside the corporate firewall to servers and databases. Malware can gain access to a company s network by infecting these devices. Mobile malware is becoming a greater threat than direct infections of systems. Sombers Associates, Inc

13 Android Devices are the Primary Targets Mobile malware most likely is installed via malicious apps. Android is an open operating system modified by each vendor: - security provisions often bypassed. Hundreds of Android app stores not vetted by Google. Number of malicious apps has grown 800% over the last year. 92% directed at Android devices. Apple has tight control over apps: - tests each one thoroughly. - does not allow unvetted apps to be downloaded from the Apple app store. Sombers Associates, Inc

14 Jail-Broken and Rooted Devices Android and ios prevent unauthorized access to privileged OS commands. Android device can be modified by user to give apps access: - rooted device. - necessary to run some apps. A rooted Android device can be infected with malware that runs at the operating system level: - Trojans - keyloggers Similarly, an ios device can be jail-broken. However: - ios world is tightly controlled. - several security functions must be bypassed. - cannot be done by the ordinary user. Sombers Associates, Inc

15 Other Mobile Threats Compromised Wi-Fi hot spots: - coffee shops, airports, hotels. - corporate data is vulnerable whenever an employee logs onto a public Wi-Fi hot spot. - frequently configured so that anyone can see all of the network traffic. - commercially available apps provide network monitoring capability. Sombers Associates, Inc

16 Other Mobile Threats Poisoned DNS servers: - user must trust the DNS server used by a Wi-Fi hot spot. - hackers can hijack a public DNS server. - can direct traffic to a malicious web site. - web site can get users private data passwords, etc. - malware is downloaded to device from the web site. Sombers Associates, Inc

17 DDoS Strategies Sombers Associates, Inc

18 DDoS Strategies The Internet Protocol Suite Application Layer used by applications for network communications (FTP, SMTP). Transport Layer end-to-end message transfer (TCP, UDP). Internet Layer best-efforts datagram transmission (IP). Link Layer local network topology (routers, switches, hubs, firewalls). Sombers Associates, Inc

19 DDoS Strategies Attacks Occur at Various Levels Network Level: - network is bombarded with traffic. - consumes available bandwidth needed by legitimate requests. Infrastructure Level: - network devices such as firewalls, routers, maintain state in internal tables. - fill state tables of network devices. - network devices cannot handle legitimate traffic. Application Level: - invoke application services. - consume processing and disk resources. - illegitimate logins. - searches (if attacker has obtained user names, passwords). Sombers Associates, Inc

20 DDoS Strategies Attacks Occur at Various Levels ICMP Flood: - Internet Control Message Protocol (ICMP) returns error messages. - attacker sends messages to random ports. - most ports will not be used. - victim system must respond with port unreachable. - victim system so busy responding with ICMP messages that it can t handle legitimate traffic. Ping Attack - ICMP attack in which victim is flooded with pings. - victim must respond with ping-response messages. Sombers Associates, Inc

21 DDoS Strategies Attacks Occur at Various Levels SYN Flood: - attacker begins the initiation of a connection with a spoofed client address. - sends a SYN connection request. - server assigns resources to connection, responds with SYN-ACK to spoofed client. - attacker never sends ACK to complete the connection. - spoofed client ignores SYN-ACK since it did not send SYN. - victim holds resources for three minutes awaiting connection completion. - victim runs out of resources, cannot make legitimate connections. Sombers Associates, Inc

22 DDoS Strategies Attacks Occur at Various Levels GET/POST Flood: - commands to retrieve and update data. - uses extensive compute and disk resources of computer. - typically needs user names, passwords. - consumes all resources of server. Sombers Associates, Inc

23 DDoS Strategies Amplified Attacks The most vicious kind of attack: - generates a great deal of attack data with little effort. Example DNS Reflection: - depends upon DNS Open Resolvers. - these respond to any DNS request, no matter its source. - send DNS URL request with spoofed IP address of victim. - DNS sends URL response (IP address of URL) to victim. - typical request message is 30 bytes. - typical response message is 3,000 bytes times amplification. Publicly available toolkit itsoknoproblembro for DNS attacks. Open DNS Resolvers were supposed to be phased out: - still 27 million Open Resolvers on the Internet. - their IP addresses have all been published. Sombers Associates, Inc

24 Major DDoS Attacks Some Examples Sombers Associates, Inc

25 Major U.S. Banks September, 2012 The online banking web sites of six major U.S. banks are taken down for days by Distributed Denial of Service (DDoS) attacks. The Izz ad-din al-qassam Cyber Warriors attacked major U.S. banks. Vowed continue the attadks until the video Innocence of Muslims is removed from the Internet. September DDoS attacks are launched against Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank, and PNC Bank. The attacks take down their online banking portals for a day. Attacks followed against Capital One, SunTrust Banks, and Regions. The 70 gigabit/second attacks used hundreds of thousands of volunteer computers and infected servers. December 2012 Attacks were repeated for several days. Intelligence officials say that cyber attacks and cyber espionage have surpassed terrorism as the top security threat facing the U.S. Sombers Associates, Inc

26 History s Largest DDoS Attack Spamhaus is a spam-filtering site: - provides a blacklist of IP addresses for spammers. - used by spam-filtering vendors, ISPs, corporations. Blocked CyberBunker: - CyberBunker claims to host anything but terrorism, child pornography. CyberBunker launched a 300 gbps attack against Spamhaus: - used DNS amplification. - lasted for ten days. Spamhaus enlisted CloudFlare to help it weather the attack: - CloudFare spread the DDoS load across its 23 data centers. - scrubbed the data and fed only legitimate data to Spamhaus. CyberBunker extended its attack to CloudFlare. Sombers Associates, Inc

27 Summary Sombers Associates, Inc

28 Botnets Until recently, DDoS attacks were in the 10 gbps range: - infected PC botnets. Islamic hackers 100 gbps: - used tens of thousands of volunteered PCs. - added infected servers. CyberBunker 300 gbps: - used PC/server botnet. - used DNS refection. Sombers Associates, Inc

29 Mitigation DDoS attacks are easy to launch, difficult to defend. Firewalls and intrusion-prevention (IPV) systems can be overwhelmed. Spread load across several data centers to scrub data. Use the services of a DDoS mitigation company that can scrub data over several data centers. - Prolexic - Tata - AT&T - Verisign - CloudFare Include DDoS attacks in your Business Continuity Plan. Sombers Associates, Inc

30 Mitigation An excellent resource for evaluating a DDoS mitigation service: 12 Questions to Ask a DDoS Mitigation Provider - a Prolexic White Paper - -Technical_Series-Prolexic_White_Paper_ pdf Sombers Associates, Inc

31 Thanks for Coming The material for this presentation came from the archived articles of the ( a monthly periodical on availability topics. Go to for your free subscription. Follow us Sombers Associates, Inc