2012 AKAMAI FASTER FORWARD™

Extending Your Perimeter of Defense and Visibility
Patrick Sullivan, CISSP, GSLC
Jonathan Anderson, CISSP, GCED
What We've Seen
2012 YTD: 170 DDoS or malicious attacks on Akamai customers
Multiple customers under attack almost every weekend through June
Attack durations varied from hours to days
[Charts: attacks by Industry (Commerce, Digital Media, Enterprise, High Technology, Public Sector), by Severity of Attack (High Impact, Moderate Impact, Low Impact) and by Geography (Americas, APAC, EMEA)]
Agenda
Easy things you can do with Akamai to reduce your attack surface:
  Protect your DNS and top level domain
  Disable unnecessary HTTP methods and query strings
  Limit unneeded information disclosure about your site
  Optimize caching policy for security
  Don't treat all pages equally
  Leverage Akamai's insights into attack tools
  Develop a DDoS runbook
Protect Your DNS
Attacks targeting DNS have increased significantly in 2012
Adversaries are spending more time thinking about DNS than defenders, across all adversary classes:
  Recreational hackers: attacking for the lulz
  Chaotic actors: hacktivism
  Organized crime: profit motivated
  State sponsored: nationalistic agenda
Several high-profile managed DNS providers have suffered outages recently following DNS-based DDoS attacks
Is Your Top Level Domain Protected?
www.example.com is CNAMEd to Akamai and protected
DNS RFCs prevent CNAMEing the top level domain (the zone apex) example.com
Do you serve from http://example.com/? That is possibly a direct route around Akamai to origin
Options for the top level domain:
  Perform a 301/302 at origin from example.com to www.example.com
  Establish separate hosting to serve the redirects
  Have Akamai eDNS manage the top level domain at the Edge, which lets Akamai serve the redirects (Akamai Primary DNS is currently in Limited Availability)
Disable Unnecessary HTTP Methods
Do you need POST enabled for your entire site? It is enabled globally in most web servers and Akamai configurations
Only accept the minimum HTTP methods that you require:
  Enable POST only on URLs that require it
  Do not enable PUT, DELETE, OPTIONS, or TRACE unless truly needed
Kona Site Defender protects against attacks that use POST:
  Slow POST protection
  Many WAF rules inspect POSTs for application layer attacks
  Signature-based controls for many popular attack tools
Coming soon: Slow POST controls
Increase Reconnaissance Work Effort
Akamai can filter responses to eliminate verbose headers:
  Rewrite the Server header
  Remove X-Powered-By headers
Whitelist Akamai Debug headers to specific IP addresses
Remember robots.txt! Don't let Google expose vulnerabilities in your site.
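The three hardening steps on the last few slides (redirect the apex domain to the protected www hostname, accept POST only where needed and reject PUT/DELETE/OPTIONS/TRACE, and strip version-revealing response headers) are independent of the CDN product: they can be expressed as a single policy layer in front of an origin. The WSGI middleware below is an added illustration written for this page, not Akamai code or configuration; the hostnames, the list of paths that need POST, the replacement Server value and the leaky "origin" app are all constructed assumptions.

```python
"""Edge hardening policies as one WSGI middleware: apex-domain redirect,
HTTP method allowlist, and response-header scrubbing.
Added example, not Akamai's code; every hostname, path and header value
below is a constructed assumption."""
from wsgiref.util import setup_testing_defaults

APEX_HOST = "example.com"            # assumed apex zone that cannot be CNAMEd
CANONICAL_HOST = "www.example.com"   # assumed CNAMEd, CDN-protected hostname
SAFE_METHODS = {"GET", "HEAD"}       # accepted site-wide
POST_ALLOWED_PREFIXES = ("/login", "/checkout")   # assumed paths that need POST
SERVER_HEADER = "web"                # generic replacement for a verbose Server header
STRIP_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}  # removed before reply


def harden(app):
    """Wrap a WSGI app with the three policies; `app` plays the origin."""
    def wrapped(environ, start_response):
        host = environ.get("HTTP_HOST", "").split(":")[0].lower()
        method = environ.get("REQUEST_METHOD", "GET").upper()
        path = environ.get("PATH_INFO", "/")
        qs = environ.get("QUERY_STRING", "")

        # 1. Apex requests get a 301 to the protected www hostname instead of
        #    being served directly, so there is no route around the CDN.
        if host == APEX_HOST:
            location = "https://%s%s" % (CANONICAL_HOST, path)
            if qs:
                location += "?" + qs
            start_response("301 Moved Permanently",
                           [("Location", location), ("Server", SERVER_HEADER),
                            ("Content-Length", "0")])
            return [b""]

        # 2. Method allowlist: POST only where the application needs it;
        #    PUT, DELETE, OPTIONS, TRACE and anything else get 405.
        allowed = set(SAFE_METHODS)
        if path.startswith(POST_ALLOWED_PREFIXES):
            allowed.add("POST")
        if method not in allowed:
            start_response("405 Method Not Allowed",
                           [("Allow", ", ".join(sorted(allowed))),
                            ("Server", SERVER_HEADER), ("Content-Length", "0")])
            return [b""]

        # 3. Scrub origin headers that reveal software versions.
        def scrubbing_start_response(status, headers, exc_info=None):
            clean = [(k, v) for k, v in headers if k.lower() not in STRIP_HEADERS]
            clean.append(("Server", SERVER_HEADER))
            return start_response(status, clean, exc_info)

        return app(environ, scrubbing_start_response)
    return wrapped


def verbose_origin(environ, start_response):
    """Constructed origin that leaks version strings, as many defaults do."""
    body = b"hello"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body))),
                              ("Server", "Apache/2.2.22 (Ubuntu)"),
                              ("X-Powered-By", "PHP/5.3.10")])
    return [body]


def call(app, method, host, path, qs=""):
    """Drive a WSGI app offline; returns (status, headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update({"REQUEST_METHOD": method, "HTTP_HOST": host,
                    "PATH_INFO": path, "QUERY_STRING": qs})
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


hardened = harden(verbose_origin)

if __name__ == "__main__":
    for req in [("GET", "example.com", "/news", "id=1"),
                ("POST", "www.example.com", "/search", ""),
                ("POST", "www.example.com", "/login", ""),
                ("TRACE", "www.example.com", "/login", ""),
                ("GET", "www.example.com", "/", "")]:
        status, headers, _ = call(hardened, *req)
        print(req[0], req[1] + req[2], "->", status, headers)
```

Running the file shows the apex request answered with a 301 to www (query string preserved), POST refused on /search but accepted on /login, TRACE refused everywhere with an accurate Allow header, and the origin's Apache and PHP version strings gone from the response. The 405 and 301 responses are generated before the origin is called, which is the point of doing this at the edge: rejected traffic never consumes origin capacity.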
Optimizing Configuration for Security
Do you need query strings to be included in your cache keys? If not, having Akamai ignore them will reduce your attack surface
With Kona, Akamai can protect against HTTP request floods:
  Rate Controls can be used to monitor uncacheable parts of the site
  Signature-based controls can screen for specific attack tools
  Network layer and geographic controls
Query String Attack Demo
Special Considerations for Your Landing Page
www is a very frequent target of attacks
Is Akamai treating your home page differently for you?
  Redirects at the edge
  Dynamic page caching provides a very powerful defense for the homepage
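The query-string and landing-page slides above describe one mechanism: decide per request whether it is served from cache (and under which key) or goes to origin, and rate-control only the origin-bound part. The simulation below is an added example for this page, not Akamai's implementation; the static path prefixes, the decision to cache the homepage, the single allowlisted query parameter, the limit of five origin-bound requests per 10 seconds per client IP, and the request log are all constructed. Because non-allowlisted parameters are dropped from the key, repeated requests for the same image with varying "cache-busting" parameters collapse into one cache entry and one origin fetch.

```python
"""Cache-key normalisation plus a rate control for uncacheable paths.
Added example, not Akamai's; the path classes, limits and the request
log below are constructed assumptions."""
from collections import defaultdict, deque
from urllib.parse import urlsplit, parse_qsl, urlencode

CACHEABLE_PREFIXES = ("/images/", "/css/", "/js/")   # assumed static paths
HOMEPAGE = "/"                 # served from cache too (dynamic page caching)
CACHE_RELEVANT_PARAMS = {"v"}  # assumed: only an asset-version param matters


def cache_key(url):
    """Return the edge cache key for a request, or None if it must go to origin.
    Query parameters not on the allowlist are dropped, so appending random
    strings cannot manufacture new cache misses."""
    parts = urlsplit(url)
    if parts.path != HOMEPAGE and not parts.path.startswith(CACHEABLE_PREFIXES):
        return None
    keep = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                  if k in CACHE_RELEVANT_PARAMS)
    return parts.path + ("?" + urlencode(keep) if keep else "")


class RateControl:
    """Sliding-window limit per client IP, applied only to origin-bound requests."""
    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.hits = defaultdict(deque)

    def allow(self, client_ip, ts):
        q = self.hits[client_ip]
        while q and ts - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


# Constructed request log: "timestamp client_ip method url"
REQUEST_LOG = """\
0.0 203.0.113.5 GET /images/logo.png?cb=1
0.1 203.0.113.5 GET /images/logo.png?cb=2
0.2 203.0.113.5 GET /images/logo.png?cb=3
0.3 203.0.113.5 GET /images/logo.png?v=7
0.5 203.0.113.5 GET /?utm_source=mail
0.6 198.51.100.9 GET /
1.0 203.0.113.5 GET /search?q=a
1.1 203.0.113.5 GET /search?q=b
1.2 203.0.113.5 GET /search?q=c
1.3 203.0.113.5 GET /search?q=d
1.4 203.0.113.5 GET /search?q=e
1.5 203.0.113.5 GET /search?q=f
5.0 198.51.100.9 GET /search?q=shoes
"""


def simulate(log=REQUEST_LOG, limit=5, window=10.0):
    """Replay the log through the edge policy and count what reaches origin."""
    rc = RateControl(limit, window)
    seen = set()
    stats = {"cacheable_requests": 0, "distinct_cache_keys": 0,
             "origin_fetches": 0, "rate_limited": 0}
    for line in log.strip().splitlines():
        ts, ip, _method, url = line.split()
        key = cache_key(url)
        if key is not None:
            stats["cacheable_requests"] += 1
            if key not in seen:          # first request for this key is a miss
                seen.add(key)
                stats["origin_fetches"] += 1
            continue
        if rc.allow(ip, float(ts)):      # uncacheable: rate-controlled
            stats["origin_fetches"] += 1
        else:
            stats["rate_limited"] += 1
    stats["distinct_cache_keys"] = len(seen)
    return stats


if __name__ == "__main__":
    print(simulate())
```

With this log, six cacheable requests produce only three cache keys (the logo, the versioned logo, and the homepage regardless of its tracking parameter), so three origin fetches; of the seven uncacheable /search requests, the sixth from the same client within the window is rate-limited. The general lesson is that the narrower the cache key and the smaller the uncacheable surface, the less origin capacity an attacker can consume per request.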
Design Considerations for Login Page(s)
Our customers are seeing frequent abuse of login pages
Attacks appear to be leveraging large databases of compromised credentials
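Replaying a breached credential list against a login page has a recognisable shape in the authentication log: one source tries many distinct usernames in a short time and almost all attempts fail, whereas a legitimate user who mistypes a password retries the same account. The detector below is an added example for this page, not Akamai's product logic; the log format (timestamp, client IP, username, result), the 60-second window, the thresholds of five distinct users and an 80% failure ratio, and the log lines themselves are constructed assumptions. It also lists accounts that did authenticate successfully from a flagged source, since those are the ones whose passwords should be treated as known to the attacker.

```python
"""Detect login-page abuse (credential stuffing) in a constructed auth log.
Added example, not Akamai's; field layout and thresholds are assumptions."""
from collections import defaultdict

# Constructed log: "timestamp client_ip username result"
AUTH_LOG = """\
1700000000 203.0.113.7 alice FAIL
1700000001 203.0.113.7 bob FAIL
1700000002 203.0.113.7 carol FAIL
1700000003 203.0.113.7 dave FAIL
1700000004 203.0.113.7 erin FAIL
1700000005 203.0.113.7 frank OK
1700000010 198.51.100.2 alice FAIL
1700000020 198.51.100.2 alice FAIL
1700000031 198.51.100.2 alice OK
1700000040 192.0.2.9 grace OK
"""


def parse(log):
    """Yield (timestamp, client_ip, username, succeeded) per log line."""
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split()
        yield int(ts), ip, user, result == "OK"


def find_stuffing_sources(log, window=60, min_users=5, min_fail_ratio=0.8):
    """Per source IP, slide a time window over its login attempts and flag
    the IP once it has tried at least `min_users` distinct accounts with a
    failure ratio of `min_fail_ratio` or more inside one window."""
    events = defaultdict(list)
    for ts, ip, user, ok in parse(log):
        events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = {"distinct_users": len(users),
                               "attempts": len(win), "failures": fails}
                break   # one hit per IP is enough to flag it
    return flagged


def accounts_to_reset(log, flagged):
    """Accounts that logged in successfully from a flagged source: their
    password is in the attacker's list and should be rotated."""
    return sorted({u for _, ip, u, ok in parse(log) if ok and ip in flagged})


if __name__ == "__main__":
    hits = find_stuffing_sources(AUTH_LOG)
    print("flagged sources:", hits)
    print("accounts to reset:", accounts_to_reset(AUTH_LOG, hits))
```

On the constructed log the detector flags 203.0.113.7 after its fifth distinct failed account and reports frank as the account to reset; 198.51.100.2, which fails twice on one account and then succeeds, is left alone. The same per-source counters can feed an edge rate control or step-up challenge for the login URL rather than a block, which keeps false positives from locking out real users.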
Develop a DDoS Runbook
Have a plan ready to execute for when you are attacked:
  Procedures
  Contacts
Akamai can help provide some best practices based on our lessons learned from managing so many DDoS attacks with our customers
Summary
Lots of low-hanging fruit to address when hardening your site:
  Top level domain, HTTP methods, query strings
  Default landing page, login page, etc.
DDoS runbook: what would you do if you came under attack?
Come visit us at the Security Booth to see more attack demos:
  Slowloris (slow POST)
  Nikto (XSS)
  Havij (SQLi)
  HOIC with custom booster pack
  Siege (brute-force DDoS)
  Query string manipulation
  Hydra (brute-force login)