DDoS Attacks and Cyber-threats: Common Misconceptions, Uncommon Defense
What's your First Line of Defense?
Nirav Shah, Director of Product Management, Corero Network Security
Presenter and Session Agenda

Nirav Shah, Director of Product Management
Nirav oversees strategy and roadmap development for Corero's network security products and solutions. He is a 20-year veteran of the networking industry with a blend of product management, business development and engineering experience. In the past, Nirav has held product management, engineering leadership and technical roles in large networking and software companies (Alcatel-Lucent, Bay Networks, Mercury, BMC) as well as venture-backed startups (Xedia, Reva Systems). He is a co-holder of a US patent on configuration and management of RFID systems (patent no. 7,567,179).
http://www.linkedin.com/in/niravshah
nirav.shah@corero.com

Agenda
- Today's DDoS threat landscape
- Who is behind them and what is at risk?
- Demystifying common misconceptions and misnomers about DDoS
- Demonstrations and defense mechanisms
Today's DDoS Threat Landscape
There's No Shortage of Headlines
- Dirt Jumper DDoS Toolkit Gets Security Evasion Functionality
- DDoS Attacks Pulling Attention Away from Bank Cyberheists
- DDoS is Back; 3 Banks Attacked
- Verizon report: DDoS is a threat to every business sector
- WordPress Sites Attacked; May Be Prep for DDoS Barrage
- The largest DDoS attack didn't break the internet, but it did try
- Bank Attackers Restart Operation Ababil DDoS Disruptions
- Cyber attack stops access to JPMorgan Chase site
- Gartner: One in Four DDoS Attacks in 2013 Will Be Application-Based
- DDoS Attack on Bank Hid $900,000 Cyberheist
- Survey Reveals That Most Americans Are Uninformed About DDoS Attacks
- Historic DDoS Attacks Against Major U.S. Banks Continue
- Automated Toolkits Named in Massive DDoS Attacks Against U.S. Banks
- US firms over-reliant on firewalls to defend against DDoS attacks
- DDoS attackers turning to simple server booster scripts
Who is an attack target? Industry Doesn't Matter
Financial, Retail, MFG (manufacturing), Services
*Verizon 2013 Data Breach Investigations Report
Who is an attack target? Company Size Doesn't Matter
Small and large organizations alike
*Verizon 2013 Data Breach Investigations Report
Who is Attacking and Why? Attack Motives Have Increased Over Time
- Hackers/Crackers: Notoriety
- Cyber Criminals: Profit ($)
- Cyber Armies: Politics
- Cyber Terrorists: Fear
- Cyber Hacktivists: Agenda
2013 Corero www.corero.com
What Are The Repercussions?
Lost business, brand damage, threat exposure, customer attrition.
Damage occurs immediately; recovery takes days to weeks.
*Verizon 2013 Data Breach Investigations Report
What is the Real Cost of DDoS?
- How much will your business lose if your site went down for an hour?
- What is the manpower cost of figuring out the attack and mitigating it?
- What will it cost you to clean up after the attack?

Impact of unplanned downtime, by industry:
- Banking: In April 2013, Wells Fargo lost $30K per minute due to a DDoS attack (source: Dark Reading)
- Online Retail: During June 2010, Amazon.com lost an estimated $1.75M in a single hour of downtime (source: Data Center Knowledge)
- Gaming: Earlier in 2013, a sustained DDoS attack on SG Interactive cost its gaming customers 12 hours of downtime (source: Network World)

Average downtime due to DDoS attacks is 54 minutes; the average cost of this downtime is $22,000/minute (source: Ponemon Institute).
Common Misconceptions
Myth: There is only one type of DDoS attack.
Reality: DDoS attacks come in all shapes and sizes.
DDoS Digital Attack Map (Google): http://www.digitalattackmap.com/
Categories of Attacks and Cyber-threats: Attack Traffic Comes in All Shapes and Sizes
Each category of attack traffic aimed at your web presence is paired with the defense that addresses it:
- Network Level DDoS Attacks: IP Threat-Level Assessment
- Reflective DDoS Attacks: Stateful Flow Awareness
- Outbound DDoS Attacks: Bi-Directional Flood Detection
- Application Layer DDoS Attacks: Behavior Analysis
- Specially Crafted Packet Attacks: Protocol Analysis
- Pre-Attack Recon (Scans): Scan Obfuscation
- Advanced Evasion Techniques (AET): Advanced Evasion Detection
- Other Unwanted Traffic: Deep Packet Inspection
Network Flood: Classic DDoS Attack (TCP SYN Flood)
Legitimate users complete the normal TCP 3-way handshake: the client sends SYN, the web server replies SYN-ACK, and the client completes the connection with ACK.
Attackers (here using hping3) send repetitive SYNs without sending ACKs. The web servers answer 1000s of SYNs with 1000s of SYN-ACKs and keep each half-open connection waiting for an ACK that never arrives, while legitimate customer traffic queues behind them.
A botnet of attackers overloads the servers, essentially making legitimate customer transactions impossible.
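The following is an added example, not code from the deck or from Corero: a small handshake tracker that replays client-side TCP packets and flags the SYN-flood pattern described above. It assumes packet records of the constructed form (source IP, client port, TCP flags) and two thresholds (per-source half-open count and a global half-open backlog limit) that are illustrative, not product settings. The spoofed-botnet case shows why a per-source rule alone is not enough: each spoofed address sends only one SYN, and only the aggregate backlog reveals the flood.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed packet records: (src_ip, client_port, flags) for client-side packets only.
# "S" is the initial SYN, "A" is the third-step ACK that completes the handshake.


@dataclass
class HostState:
    syns: int = 0                                   # SYNs seen from this source
    completed: int = 0                              # handshakes finished with an ACK
    half_open: set = field(default_factory=set)     # client ports still waiting for ACK


def track_handshakes(packets):
    """Replay client packets into per-source handshake state (server SYN-ACKs implied)."""
    state = defaultdict(HostState)
    for src, port, flags in packets:
        h = state[src]
        if flags == "S":
            h.syns += 1
            h.half_open.add(port)
        elif flags == "A" and port in h.half_open:
            h.half_open.discard(port)
            h.completed += 1
    return state


def flag_syn_flood(state, max_half_open=3, backlog_limit=50, min_completion=0.5):
    """Per-source offenders plus a global verdict based on the total half-open backlog.

    Thresholds are assumed illustrative values, not settings from any product.
    """
    offenders = []
    total_half_open = 0
    for src, h in state.items():
        total_half_open += len(h.half_open)
        completion = h.completed / h.syns if h.syns else 1.0
        if len(h.half_open) >= max_half_open and completion < min_completion:
            offenders.append(src)
    return {
        "offenders": sorted(offenders),
        "half_open_total": total_half_open,
        "flood": total_half_open >= backlog_limit,
    }


def sample_packets():
    """Constructed traffic: one legitimate client, one noisy attacker, a spoofed botnet."""
    pkts = []
    for port in (40001, 40002, 40003):          # legitimate user: SYN, then ACK
        pkts.append(("10.0.0.5", port, "S"))
        pkts.append(("10.0.0.5", port, "A"))
    for port in range(50000, 50020):            # single attacker: 20 SYNs, no ACKs
        pkts.append(("198.51.100.7", port, "S"))
    for i in range(1, 61):                      # spoofed sources: one SYN each
        pkts.append((f"203.0.113.{i}", 6000, "S"))
    return pkts


if __name__ == "__main__":
    report = flag_syn_flood(track_handshakes(sample_packets()))
    print(report)   # flood is True; only 198.51.100.7 is a per-source offender
```

In a real deployment the per-source check catches a single misbehaving host, while the backlog check is what justifies switching on SYN cookies or upstream rate limiting when the sources are spoofed and individually look harmless.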
Application Layer Attacks: HTTP Floods
HTTP Flood remains the most popular type of attack (80%).
Attackers simultaneously send a large number of HTTP requests to the site being attacked (www.yoursite.com).
Popular tools are Low Orbit Ion Cannon (LOIC) and High Orbit Ion Cannon (HOIC).
Some Application Attack Examples
- Home Page, Home Page, Home Page, Home Page: cached content, easiest to serve, most common click.
- Login attempt (user=johndoe, pw=letmein): dynamic lookup on the back-end server (encryption).
- Forgot my password (email=johndoe@anybank.com): back-end CGI, email generation (spam).
- Home Page Search (keyword 1), (keyword 2), ... repeated forever: ties up the site search database.
- Stock Quote Lookup (quote 1), (quote 2), (quote 3).
- Request Information: download PDF guide (repeat).
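The two slides above make one point from the defender's side: an HTTP flood is not only about raw request rate, because a handful of requests to an expensive endpoint (login, search, PDF download) costs the back end far more than many hits on a cached home page. The example below is added here and is not code from the deck or from Corero. It parses constructed web-server access-log lines in Common Log Format, keeps a sliding 10-second window per client address, and reports both the peak request count and a peak weighted back-end cost. The per-path cost weights and both thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

# Assumed back-end cost per request path (illustrative weights, not from the deck):
# a cached home page is cheap; login, search and password reset hit databases or
# mail back ends; a PDF download ties up bandwidth and disk.
REQUEST_COST = {"/": 1, "/login": 5, "/forgot-password": 8, "/search": 6,
                "/quote": 4, "/guide.pdf": 10}


def parse_line(line):
    """Return (client_ip, timestamp, path) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, target, _status, _size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    path = target.split("?", 1)[0]          # drop query string: /search?q=x -> /search
    return ip, when, path


def analyze(lines, window=timedelta(seconds=10), max_requests=25, max_cost=40):
    """Sliding-window behavior analysis per client: peak request count and peak cost."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ip, when, path = rec
            per_ip[ip].append((when, REQUEST_COST.get(path, 1)))

    verdicts = {}
    for ip, reqs in per_ip.items():
        reqs.sort()
        start = cost_sum = peak_count = peak_cost = 0
        for end, (when, cost) in enumerate(reqs):
            cost_sum += cost
            while reqs[start][0] < when - window:     # evict requests older than the window
                cost_sum -= reqs[start][1]
                start += 1
            peak_count = max(peak_count, end - start + 1)
            peak_cost = max(peak_cost, cost_sum)
        reasons = []
        if peak_count > max_requests:
            reasons.append("rate")          # classic high-volume flood
        if peak_cost > max_cost:
            reasons.append("cost")          # low-rate but expensive requests
        verdicts[ip] = {"peak_requests": peak_count, "peak_cost": peak_cost, "reasons": reasons}
    return verdicts


def sample_log():
    """Constructed log lines: a normal user, a home-page flood, and a search-abuse client."""
    base = datetime(2013, 10, 10, 13, 55, 36, tzinfo=timezone.utc)

    def line(ip, offset_s, path):
        ts = (base + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 2326'

    lines = [line("10.0.0.5", 15 * i, p) for i, p in enumerate(["/", "/login", "/search?q=rates", "/"])]
    lines += [line("198.51.100.7", 0.3 * i, "/") for i in range(30)]          # 30 home-page hits in 9 s
    lines += [line("198.51.100.8", i, f"/search?q=kw{i}") for i in range(8)]  # 8 searches in 8 s
    return lines


if __name__ == "__main__":
    for ip, v in analyze(sample_log()).items():
        print(ip, v)
```

The second attacker sends only eight requests in the window, well under a naive rate limit, and is caught only because each search carries a database cost; that is the difference between counting requests and analyzing behavior.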
Sample of Attack Tools and Demonstration
Tools (demonstrated against www.yoursite.com): Hping3, NMAP, Low Orbit Ion Cannon, High Orbit Ion Cannon, KillApache.pl, Slowloris, HULK, Metasploit, Dirt Jumper
Attack types covered: TCP SYN floods, pre-attack recon, HTTP and DNS floods, booster scripts, high memory consumption, low and slow, resource hogging, randomized HTTP attacks, security evasion
Attacks from Mobile Devices?
Can you launch a Denial of Service attack from a mobile phone? YES! Nearly any device with an IP address can be used to launch an attack.
Low Orbit Ion Cannon for Droid: where can you download LOIC for Android?
https://play.google.com/store/apps/details?id=l.o.i.c&feature=search_result#?t=w251bgwsmswyldesimwuby5plmmixq
Real World Attack Example
Spamhaus Attack: DNS Amplification
1. Attackers control a botnet of 1000s of computers.
2. Each computer pretends to be Spamhaus and sends DNS requests to an open resolver.
3. Open resolvers respond with a much larger message than originally requested.
4. Spamhaus is flooded with 300Gbps of traffic and cannot handle legitimate traffic.
http://www.nytimes.com/interactive/2013/03/30/technology/how-the-cyberattack-on-spamhaus-unfolded.html
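From the victim's edge, the attack above has a distinctive signature: DNS responses arrive from many resolvers for which no query ever left the network, because the queries were sent by the botnet with the victim's spoofed address. The example below is added here and is not code from the deck or from Corero. It walks constructed flow records (source IP, source port, destination IP, destination port, bytes) for an assumed protected prefix, matches inbound port-53 responses against outbound queries, reports unsolicited response volume per victim host, and computes the amplification ratio for the legitimate query/response pairs it does see. The prefix, addresses and byte-count threshold are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed protected prefix (constructed for the example).
OUR_NET = ip_network("192.0.2.0/24")


def analyze_dns_flows(flows, unsolicited_limit_bytes=100_000):
    """Match inbound DNS responses to outbound queries seen at the network edge.

    flows: iterable of (src_ip, src_port, dst_ip, dst_port, bytes).
    Returns alerts for hosts receiving unsolicited response volume above the
    (assumed) threshold, and response/query byte ratios for matched pairs.
    """
    asked = defaultdict(int)      # (our_host, resolver) -> outbound query bytes
    answered = defaultdict(int)   # (our_host, resolver) -> inbound response bytes
    for src, sport, dst, dport, nbytes in flows:
        if ip_address(src) in OUR_NET and dport == 53:
            asked[(src, dst)] += nbytes                 # a query we actually sent
        elif ip_address(dst) in OUR_NET and sport == 53:
            answered[(dst, src)] += nbytes              # a response we received

    unsolicited = defaultdict(int)   # host -> bytes from resolvers we never queried
    resolvers = defaultdict(set)     # host -> distinct resolvers sending unsolicited data
    amplification = {}
    for (host, resolver), nbytes in answered.items():
        if asked.get((host, resolver), 0) == 0:
            unsolicited[host] += nbytes
            resolvers[host].add(resolver)
        else:
            amplification[(host, resolver)] = nbytes / asked[(host, resolver)]

    alerts = {
        host: {"bytes": nbytes, "resolvers": len(resolvers[host])}
        for host, nbytes in unsolicited.items()
        if nbytes >= unsolicited_limit_bytes
    }
    return {"alerts": alerts, "amplification": amplification}


def sample_flows():
    """Constructed flows: one real lookup, then reflected responses hitting a victim host."""
    flows = [
        ("192.0.2.10", 51000, "198.51.100.1", 53, 64),     # our host queries its resolver
        ("198.51.100.1", 53, "192.0.2.10", 51000, 512),    # 512-byte answer: ratio 8.0
    ]
    for i in range(1, 101):                                 # 100 open resolvers reply to
        flows.append((f"203.0.113.{i}", 53, "192.0.2.53", 9000 + i, 3000))  # spoofed queries
    return flows


if __name__ == "__main__":
    print(analyze_dns_flows(sample_flows()))
```

The two mitigations this points at are on different sides of the exchange: operators of the open resolvers should stop answering recursive queries from arbitrary sources, and networks that host bots should apply source-address filtering (BCP38) so spoofed queries never leave; the victim itself can only rate-limit or drop the unsolicited responses it identifies this way.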
Anatomy of a Successful DDoS Attack
Today's sophisticated DDoS attackers will:
1. Footprint (profile) the web presence
2. Scan the infrastructure and web resources
3. Initiate a network-level volumetric attack
4. Test whether the web presence is impacted
5. Maintain the flood, spoofing all source IPs
6. Initiate low-and-slow application attacks
7. Initiate specially-crafted packet attacks
8. Initiate DNS reflective/amplified attacks
9. Attempt to exploit (compromise) downstream servers
10. Simultaneously launch as many types of attacks as possible
They do not relent or subside; they stand very firm in their resolve. A combined attack simply increases the chance of success!
2013 Corero www.corero.com
Are You Ready For Today's Attacks? What's Your First Line of Defense?
Common Defense Misconceptions
Myth: Firewalls protect against DDoS attacks.
Reality: Open firewall ports are DDoS entry points.
Firewall Locked Down: No Service Access
When the firewall has no inbound holes open, all inbound service requests from the Internet to the internal network are blocked by the firewall: unwanted traffic, buffer overflows, application layer DDoS, code injections, brute-force password attacks and specially crafted packets are all stopped.
DDoS Entry Points: Open Firewall Ports
Attacks pass right through the open firewall ports that are intended to allow access to legitimate users. Good users and attackers alike come in from the Internet through the router and the firewall/NGFW to the services behind it:
- Web: TCP ports 80, 443
- DNS: TCP/UDP port 53
- Mail: TCP port 25
- FTP/SSH: TCP ports 21, 22
All firewalls work the exact same way! Firewalls/NGFWs do not protect against DDoS attacks.
New Security Solutions are Required

"Firewalls don't cut it anymore as the first line of defense"
IT Best Practices Alert, by Linda Musthaler, Network World, October 19, 2012

"Among the key barriers impacting banks' ability to deal with DDoS attacks, 50% cited insufficient personnel and expertise and a lack of effective security technology as the most serious concerns, followed by insufficient budget resources."
A Study of Retail Banks & DDoS Attacks, Ponemon Institute, January 2013

"Don't count on a firewall to prevent or stop a DDoS attack. The first step is to recognize that your firewall is insufficient protection against the types of DDoS attacks that are increasingly common today. Even a next-generation firewall that claims to have DDoS protection built-in cannot deal with all types of attacks. The best protection against DDoS attacks is a purpose-built device or service that scrutinizes inbound traffic before it can hit your firewall or other components of the IT infrastructure."
By Linda Musthaler, Network World, January 2013

"While network security devices have matured and are extremely capable of thwarting certain attacks, they are insufficient when it comes to mitigating DDoS attacks."
Distributed Denial of Service (DDoS) attacks: evolution, impact & solutions, VeriSign
DDoS Defense: More than a Checkbox
Caution: Many security devices claim to have DDoS protection. Most have a single configuration: DDoS On/DDoS Off.
Ensure that your DDoS defenses can:
- Provide granular DDoS configurations (policies)
- Defend against all known DDoS attack vectors
- Handle the load while under DDoS attack
- Not be DDoS'ed themselves as part of a DDoS attack
- Provide access to 24x7 DDoS defense support services
What's The Recommendation?
Gartner: Best Practices for Mitigating DDoS Attacks
- Ensure that business continuity/disaster recovery and incident response plans address planning for and response to DDoS
- Evaluate ISP "clean pipe" services
- Evaluate DDoS "mitigation as a service" options
- Deploy DDoS detection and mitigation equipment on premises
Why does Gartner mention on-premises defenses? On-premises defenses can defeat the broadest spectrum of attacks, 24x7!
Hybrid anti-DDoS (cloud + on-prem) makes the most sense.
On-Premises DDoS Mitigation
The enterprise's new First Line of Defense sits between the router and the firewall/NGFW, filters out DDoS attacks and cyber-threats, and allows in genuine traffic to the services behind the firewall (Web TCP ports 80, 443; DNS TCP/UDP port 53; Mail TCP port 25; FTP/SSH TCP ports 21, 22).
On-premises DDoS mitigation provides always-on protection and ensures maximum business continuity.
Hybrid Anti-DDoS: On-Premises + Cloud
- First Line of Defense, on-premises anti-DDoS (always on): blocks DDoS attacks and cyber-threats, including encrypted attacks, and passes good traffic from good users to the protected critical infrastructure.
- Cloud anti-DDoS (on demand): absorbs full-pipe and volumetric attacks.
An always-on on-premises DDoS defense combined with on-demand cloud-based mitigation provides comprehensive protection and visibility.
Key Steps of Protection
1. Allow only EXPECTED traffic
2. Evaluate the AMOUNT of traffic
3. Enforce CORRECTNESS of traffic at every layer (Ethernet, IP, TCP, HTTP), stopping server-side exploits and advanced evasions
4. Analyze the INTEGRITY of traffic, so that only good traffic is passed through
5. Provide VISIBILITY into unwanted traffic: who is attacking, at what rate, and using what attack vectors?
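To make the five steps concrete, and to tie them back to the open-firewall-ports slide, here is an added example that is not code from the deck or from Corero: a tiny packet-filter pipeline that applies the checks in the order given (expected service, amount, protocol correctness, payload integrity) and then produces the visibility report of step 5, i.e. who was dropped, how much, and by which check. The expected-service list uses the ports from the firewall slide; the per-source packet budget, the list of impossible TCP flag combinations, the HTTP request-line check and the constructed packets are all assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Step 1: the services the firewall is meant to expose (ports from the deck's
# open-firewall-ports slide); anything else is unexpected.
EXPECTED = {("tcp", 80), ("tcp", 443), ("tcp", 53), ("udp", 53),
            ("tcp", 25), ("tcp", 21), ("tcp", 22)}
# Step 2: assumed per-source packet budget for one evaluation batch.
MAX_PACKETS_PER_SOURCE = 100
# Step 3: TCP flag combinations no real stack sends (null, SYN+FIN, SYN+FIN+RST, XMAS, lone FIN).
BAD_FLAGS = {"", "SF", "SFR", "FPU", "F"}
# Step 4: an HTTP payload on port 80 must begin with a well-formed request line.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) /\S* HTTP/1\.[01]\r\n")


def classify(pkt, seen):
    """Return None if the packet is allowed, else the name of the check it failed.

    pkt: {"src", "proto", "dport", "flags", "payload"}; seen: per-source Counter.
    """
    if (pkt["proto"], pkt["dport"]) not in EXPECTED:           # step 1: expected traffic
        return "unexpected"
    seen[pkt["src"]] += 1
    if seen[pkt["src"]] > MAX_PACKETS_PER_SOURCE:               # step 2: amount
        return "rate"
    if pkt["proto"] == "tcp" and pkt["flags"] in BAD_FLAGS:     # step 3: correctness
        return "malformed"
    if pkt["dport"] == 80 and pkt["payload"] and not REQUEST_LINE.match(pkt["payload"]):
        return "integrity"                                      # step 4: integrity
    return None


def filter_batch(packets):
    """Step 5: visibility. Per source, how many packets were allowed or dropped, and why."""
    seen = Counter()
    report = defaultdict(Counter)
    for pkt in packets:
        verdict = classify(pkt, seen) or "allowed"
        report[pkt["src"]][verdict] += 1
    return {src: dict(counts) for src, counts in report.items()}


def sample_batch():
    """Constructed packets: a normal client, a SYN flooder, and a probing/crafting source."""
    def p(src, proto, dport, flags="PA", payload=b""):
        return {"src": src, "proto": proto, "dport": dport, "flags": flags, "payload": payload}

    good_get = b"GET /index.html HTTP/1.1\r\nHost: www.yoursite.com\r\n\r\n"
    pkts = [p("10.0.0.5", "tcp", 80, "PA", good_get) for _ in range(3)]
    pkts += [p("198.51.100.7", "tcp", 80, "S") for _ in range(150)]      # exceeds the budget
    pkts += [p("198.51.100.9", "tcp", 3389, "S"),                        # closed service
             p("198.51.100.9", "tcp", 80, "SF"),                         # impossible flags
             p("198.51.100.9", "tcp", 80, "PA", b"\x00\x00garbage")]     # not an HTTP request
    return pkts


if __name__ == "__main__":
    for src, counts in filter_batch(sample_batch()).items():
        print(src, counts)
```

The order of the checks matters: the cheap stateless tests (expected port, rate) run first so that the device itself is not tied up parsing payloads under flood, which is the "cannot be DDoS'ed itself" requirement from the checkbox slide.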
Defense-in-Depth Security Solution Landscape
Corero stops more attacks and threats than competitors' DDoS products (based on customer tests conducted with Corero).
Solution categories, from the Internet inward: Intelligence; Cloud Security as a Service; First Line of Defense; Firewall/NGFW; IPS/APT; SLB/WAF; Service Analytics; SIEM; Big Data (with the router, IPS/APT, SLB and WAF in the traffic path).
Vendors shown: Webroot, McAfee, Symantec, Kaspersky, Neustar, Prolexic, Akamai, Arbor, Corero, Radware, Checkpoint, Palo Alto, Fortinet, Juniper, Cisco, Sourcefire, IBM, HP, F5, FireEye, SilverTail, Trusteer, Acertify, ArcSight, Splunk, Q1 Labs
Thank You
For more information please contact us at info@corero.com