Don't get DDoSed and Confused. Patrick Sullivan, CISSP, GSLC, GWAPT, GCIH, Managed Security Services

Transcription:


Agenda: Intro/Data Collection; DDoS Basics; Trends and Statistics; Adversarial Groups/Motivations; Defense

Akamai has unique insight into Web/DDoS traffic:
1. Akamai's Edge carries ~20 Tbps of web traffic at steady state, with bursts to 30+ Tbps.
2. FAST DNS: authoritative DNS solution (DNS servers, edge servers, Akamai web platform, WAF). Avoid data theft and downtime by extending the security perimeter outside the data center, and protect from the increasing frequency, scale and sophistication of web attacks.
3. Prolexic scrubbing centers: Prolexic BGP-based DDoS mitigation.
4. Akamai customer base: 98 of the top 100 commerce sites, all branches of the US military, all agencies of the US government, 10 of the top 10 banks, 30 of the top 30 media sites, 10 of the top 10 asset managers, 10 of the top 10 P&C companies, 8 of the top 10 auto manufacturers.

Cloud Security Intelligence: Visibility. 15 to 30 percent of global web traffic at peak in Q1 2015. Grow revenue opportunities with fast, personalized web experiences and manage complexity from new demand, mobile devices and data collection. Akamai Security Center data: 20 TB of daily attack data; 4 PB / 45 days stored.


CISSP Refresher (CIA triad):
Confidentiality. What: data breach, session hijacking, account hijacking. How: injection, social engineering, brute-force login checking.
Integrity. What: site defacement, hosting malware, DNS zone hijacking. How: injection, social engineering.
Availability. What: site unavailable, unresponsive, unresolvable. How: DDoS (packet flooding, HTTP request flooding).

How most people think of DDoS

How we/attackers think of DDoS (diagram: users, good and bad, on the public Internet; ISP; IPS/IDS; load balancer; web servers in the DMZ; VPN concentrator; name servers; relational database; remote offices)

DDoS Techniques. Protocol level: flooding; reflection/amplification attacks dominate this type of attack. Web application (Layer 7): more subtle, targeting more fragile web/database resources.

Transport Layer Protocol Abuse: Fun with TCP. There are many variations of TCP handshake abuse (diagram: a normal SYN / SYN-ACK / ACK handshake beside SYN x100 / SYN-ACK x100, with the final ACK never arriving).

Network Layer Attacks: Reflection + Amplification. CHARGEN example (diagram): the attack script at a.b.c.d (the address doesn't matter; this is UDP, and the attacker will spoof it) sends 1 Mbps of character-generator requests to a vulnerable server, which returns 360 Mbps of CHARGEN output to the spoofed source, 10.1.10.128.

Case Study: NTP Reflection Attacks. Attack vector: a request with the spoofed source IP of the target server is sent to a vulnerable NTP server that allows the monlist function. The NTP server replies back to the target IP, direct to origin, at massive scale. 500x return rate in traffic; >100 Gbps attack traffic against origin; 1,000+ increase in hits per second against origin.

NTP reflection used in attack (source/target in Asia): 21+ day campaign against a single customer; 39 distinct attacks targeting applications and DNS infrastructure; eight attacks >100 Gbps, including a record 320 Gbps attack. (Chart: per-attack peaks for infrastructure (Gbps), web (Gbps), authoritative DNS (Mpps) and DNS reflection (Mpps) from campaign start to end.)

SSDP, aka UPnP (Universal Plug and Play)

So many amplification vectors for an attacker to choose from; most select several. Source: US-CERT.gov
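A defender-side detector for the reflection pattern described on the preceding slides, added here as an example that is not part of the presentation. It works over flow records (NetFlow-style tuples) and flags a target when many distinct sources answer from one well-known UDP service port with large packets; the flow records, service-port table and thresholds are constructed assumptions.

```python
"""Reflection/amplification flood detector, added here as an example that is
not part of the presentation. It flags the pattern the slides describe: many
reflectors answering from one well-known UDP service port (CHARGEN, DNS, NTP,
SNMP, SSDP) toward a single target, with large amplified packets. All flow
records below are constructed sample data; the thresholds are assumptions.
"""
from collections import defaultdict

# UDP source ports of the reflection services named in the deck.
REFLECTOR_PORTS = {19: "CHARGEN", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets),
# all observed within one 60-second export window.
SAMPLE_FLOWS = [
    ("198.51.100.10", 123, "203.0.113.5", 48721, "udp", 120_000_000, 250_000),
    ("198.51.100.11", 123, "203.0.113.5", 48721, "udp", 108_000_000, 225_000),
    ("198.51.100.12", 123, "203.0.113.5", 48721, "udp", 115_200_000, 240_000),
    ("198.51.100.13", 123, "203.0.113.5", 48721, "udp", 105_600_000, 220_000),
    ("192.0.2.7", 123, "203.0.113.6", 54222, "udp", 90, 1),        # one normal NTP reply
    ("192.0.2.8", 53, "203.0.113.9", 52344, "udp", 1_200, 10),     # ordinary DNS answers
]

def detect_reflection(flows, window_s=60, min_reflectors=3, min_mbps=50, min_avg_pkt=300):
    """Return one alert per (target, service) whose UDP traffic looks reflected.

    A group is flagged when at least `min_reflectors` distinct sources answer from
    the same service port within the window, the aggregate rate exceeds `min_mbps`,
    and the average packet is large: amplified responses dwarf the tiny spoofed
    requests that triggered them, while genuine replies to the target stay small.
    """
    groups = defaultdict(lambda: {"srcs": set(), "bytes": 0, "pkts": 0})
    for src, sport, dst, _dport, proto, nbytes, npkts in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        g = groups[(dst, sport)]
        g["srcs"].add(src)
        g["bytes"] += nbytes
        g["pkts"] += npkts
    alerts = []
    for (dst, sport), g in groups.items():
        mbps = g["bytes"] * 8 / window_s / 1e6
        avg_pkt = g["bytes"] / g["pkts"]
        if len(g["srcs"]) >= min_reflectors and mbps >= min_mbps and avg_pkt >= min_avg_pkt:
            alerts.append({"target": dst, "service": REFLECTOR_PORTS[sport],
                           "reflectors": len(g["srcs"]), "mbps": round(mbps, 1),
                           "avg_packet_bytes": round(avg_pkt)})
    return alerts
```

In production the thresholds should be tuned to the link's baseline, and a hit should be confirmed against outbound flows to rule out replies the target actually solicited.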

DDoS: attackers find various bottlenecks to target. Capacity declines as you move deeper towards the database: Internet pipe, load balancer, firewall, IPS, application, database.

Slow Layer-7 Resource Exhaustion Attacks

Attackers are leveraging common IT mega-trends. IoT: we have detected refrigerators participating in DDoS attacks. Mobile: botnets frequently own mobile devices. Cloud: cloud-sourced DDoS attacks challenge legacy defenses.

DDoS as a Counter to Tight Security Controls (Akamai Advisory)

DNS Hijack Attacks: a common tactic for Middle Eastern attackers (example: US DoD's DNS hijacked). Best practice: DNS locks. Client DNS locks: clientUpdateProhibited, clientTransferProhibited, clientDeleteProhibited. Registrar locks: serverUpdateProhibited, serverTransferProhibited, serverDeleteProhibited.
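A check for the locks listed on this slide, added as an example that is not part of the presentation: it normalises the EPP status codes as they appear in WHOIS output ("Domain Status: clientTransferProhibited") or in an RDAP "status" array ("client transfer prohibited") and reports which client and registrar locks a domain is missing. The WHOIS and RDAP records are constructed samples for the reserved name example.com, not real registrations.

```python
"""Registry-lock check for a domain record, added as an example (not from the
presentation). It normalises the EPP status codes the slide lists
(clientUpdateProhibited ... serverDeleteProhibited) from either WHOIS text or
an RDAP "status" array and reports which locks are missing. The records below
are constructed sample data, not real registrations.
"""
import json
import re

CLIENT_LOCKS = {"clientUpdateProhibited", "clientTransferProhibited", "clientDeleteProhibited"}
SERVER_LOCKS = {"serverUpdateProhibited", "serverTransferProhibited", "serverDeleteProhibited"}

def normalize_status(token):
    """Map 'client transfer prohibited' / 'clienttransferprohibited' to EPP camelCase."""
    flat = re.sub(r"[\s_-]", "", token).lower()
    for code in CLIENT_LOCKS | SERVER_LOCKS:
        if code.lower() == flat:
            return code
    return flat  # unrelated statuses (e.g. 'ok', 'active') pass through unchanged

def statuses_from_whois(text):
    """Collect every 'Domain Status:' value from a WHOIS reply."""
    return {normalize_status(m) for m in re.findall(r"Domain Status:\s*(\S+)", text)}

def statuses_from_rdap(doc):
    """Collect the 'status' array from an RDAP domain object (JSON text)."""
    return {normalize_status(s) for s in json.loads(doc).get("status", [])}

def lock_report(statuses):
    """Return which client and registrar (server) locks are absent."""
    return {"missing_client_locks": sorted(CLIENT_LOCKS - statuses),
            "missing_server_locks": sorted(SERVER_LOCKS - statuses),
            "fully_locked": CLIENT_LOCKS <= statuses and SERVER_LOCKS <= statuses}

# Constructed WHOIS excerpt: client locks set, registrar locks absent.
SAMPLE_WHOIS = """Domain Name: EXAMPLE.COM
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
"""
# Constructed RDAP excerpt: every lock present.
SAMPLE_RDAP = json.dumps({"ldhName": "example.com", "status": [
    "client delete prohibited", "client transfer prohibited", "client update prohibited",
    "server delete prohibited", "server transfer prohibited", "server update prohibited"]})
```

The server-side locks are the ones a registrar sets on request; a record that carries only the client locks can still be changed through a compromised registrar account, which is why the report lists the two groups separately.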

China s Great Cannon DDoS Tool

DDoS Attack Trends: Facts and Figures from Q2 2015

In Q2 2015, DDoS attacks were less powerful, but longer and more frequent. Traditional DDoS attacks harness the scale of global botnets; newer attacks target protocol vulnerabilities to amplify size: SNMP (6x), DNS (28x-54x), CHARGEN (358x), NTP (556x). (Chart: peak attack size per year in Gbps and Mpps, 2005 through Q2 2015, topping out at the 320 Gbps record.)

DDoS Attack Instances, Q1 2013 - Q2 2015. The number of DDoS attacks has more than doubled compared with Q2 2014, though with slightly smaller attack sizes.

Compared to Q2 2014: 132% total DDoS attacks; 11% average peak bandwidth; 77% average peak volume; 122% application layer DDoS attacks; 134% infrastructure layer attacks; 19% average attack duration; 100% total attacks > 100 Gbps. Q2 set a record for the number of DDoS attacks observed over the Akamai Prolexic Routed network, more than doubling the number of attacks observed in Q2 2014.

Types of DDoS Attacks & Relative Distribution in Q2 2015

Mega Attacks > 100 Gbps in Q2 2015: twelve mega-attacks in Q2 2015 vs. six in Q2 2014. Most targeted Internet/telecom; two targeted gaming.

Mega Attacks > 50 Mpps in Q2 2015: a 214 million packets per second (Mpps) DDoS attack was among the highest ever recorded. Such attacks can take out tier 1 routers, such as those used by Internet service providers (ISPs).

Most Commonly Attacked Verticals, Q1 2015

Top 10 Source Countries for DDoS Attacks in Q2 2015


Attacker Motivation

Attacking for the Lulz!

Extortion: DDoS for Bitcoin Campaign, DD4BC

DD4BC: what to expect. 1. Initial small attack. 2. Email ransom demand: payment in bitcoin, increasing ransom over time. 3. Claims of capability: 400 Gbps attack sizes, bypass of DDoS defenses. 4. Continued email threats: increasing ransom for countermeasures.

DD4BC Ransom Note

DDoS as a Distraction

DDoS as a Distraction. Multi-vector attacks: 2014 Sochi Olympics, a 3.5 Tbps event; 50% growth in average user connection speed compared to 2012; more than a million malicious requests blocked. Multi-vector attacks detected again in 2014: application DDoS, RFI, command injection, requests from anonymous proxies. Attacks again spiked during major events: opening ceremonies, hockey semi-final (US v. Canada).

Public Sector/Education DDoS Attacks

Large March 2014 attack: target was a European media company. Blended attack, significant NTP traffic. DDoS start: 8 Mar 2014 13:52:00 UTC; DDoS stop: 9 Mar 2014 02:00:00 UTC; peak bps: 200+ Gbps; peak pps: 65 Mpps; 2 hosts targeted on random UDP/TCP/ICMP ports.

QCF Attacks 2013-2014

BroBot: Advanced Attacker Evades Common DDoS Services. Attack IPs changing every ~10 minutes. Banking site real-time Kona security dashboard view: blocking ~18M HTTPS attacks per minute. Attacker requesting URLs with a heavy compute burden (search, login, ATM locator). Source IPs are frequently cloud servers commandeered using vulnerabilities in well-known CMSs.

QCF Later Stages of Campaign: Targeting small regional banks and Credit Unions

Case Study: Augusta County Public Schools. Augusta County's education IT team. Mission: provide IT support for 20+ schools and manage 7500+ devices. Challenge: persistent DDoS attacks impact the ability to deliver uninterrupted access to government-mandated SOL testing; SOL testing impacts grades and graduation eligibility for students. Solution: Akamai's Prolexic Routed cloud-based DDoS protection.

Georgia High School Case Study, Sept 2015. The school system experiences daily DDoS attacks, disrupting students' and parents' confidence in the school's ability to deliver IT services; SOL systems are at risk, which is a huge concern for school administrators. An Akamai Enterprise Security Architect goes on site to speak with the school IT team. A UDP flood on port 80 is observed. The Akamai ESA directs the customer to review web logs, and students are observed visiting DDoS-as-a-service sites and kicking off attacks. The logs identified which students were logged onto machines at the time of the visits to stresser websites.
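The log review in this case study, as an added example that is not part of the presentation: proxy log lines that hit a watch-listed booter domain are joined with workstation logon/logoff events to name the account signed in on that machine at the time of each visit. The log formats, the user names and the domain booter.example are constructed placeholders.

```python
"""Log correlation for the school case study above: an added example, not part of
the presentation. It joins web-proxy lines that hit a watch-listed booter domain
with workstation logon/logoff events to name the account signed in on that
machine at the time. Log lines, user names and the domain are constructed."""
from datetime import datetime
STRESSER_WATCHLIST = {"booter.example"}  # placeholder, not a real site

# Constructed proxy log: timestamp, client IP, host, path
PROXY_LOG = """2015-09-14T09:58:12 10.20.4.31 booter.example /launch
2015-09-14T10:03:40 10.20.4.31 www.example.edu /homework
2015-09-14T10:41:05 10.20.4.58 booter.example /launch
"""
# Constructed logon audit: timestamp, event, user, workstation IP
LOGON_LOG = """2015-09-14T09:45:00 LOGON s.doe 10.20.4.31
2015-09-14T10:05:00 LOGOFF s.doe 10.20.4.31
2015-09-14T10:06:30 LOGON j.roe 10.20.4.31
2015-09-14T10:30:00 LOGON a.poe 10.20.4.58
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def sessions(logon_text):
    """Build (user, ip, start, end) tuples; a still-open session has end None."""
    open_by_ip, out = {}, []
    for line in logon_text.splitlines():
        ts, event, user, ip = line.split()
        if event == "LOGON":
            open_by_ip[ip] = (user, parse_ts(ts))
        elif event == "LOGOFF" and ip in open_by_ip:
            user, start = open_by_ip.pop(ip)
            out.append((user, ip, start, parse_ts(ts)))
    out += [(u, ip, st, None) for ip, (u, st) in open_by_ip.items()]
    return out

def attribute_visits(proxy_text, logon_text):
    """Return (time, ip, host, user) per watch-listed visit; user is None if no session covers it."""
    sess = sessions(logon_text)
    hits = []
    for line in proxy_text.splitlines():
        ts, ip, host, _path = line.split()
        if host in STRESSER_WATCHLIST:
            t = parse_ts(ts)
            who = next((u for u, sip, st, en in sess
                        if sip == ip and st <= t and (en is None or t < en)), None)
            hits.append((ts, ip, host, who))
    return hits
```

A visit with no covering session (user None) is itself a finding: either the logon audit has gaps or the machine was used outside an authenticated session.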


How do you defend from these attacks? Architecture; knowledge of attack trends; a plan.

Potential Architectures for Defending from DDoS (diagram: data center connected through a transit network to multiple ISPs)


Cloud Security Architecture (diagram: data center, transit network and ISPs)

DDoS Mitigation Success: 5 Points To Take Away. 1. You need data: to derive intelligence on current and evolving threats. 2. Scale, availability and resilience: to be high performing, take the punches, and stay online. 3. A plan: to understand how to respond to bad-day scenarios. 4. Control and flexibility: to adapt your defenses dynamically. 5. People and experience: to execute every time you come under attack.

Stress Test your Plan