
Staminus Communications
Global DDoS Mitigation and Technology Provider
Whitepaper Series: True Cost of DDoS Attacks for Hosting Companies

The most advanced and experienced DDoS mitigation provider in the world.

Staminus Whitepaper Series: True Cost of DDoS Attacks for Hosting Companies

Online hosting, including data center colocation, dedicated server hosting, cloud hosting, infrastructure as a service (IaaS), and shared hosting operations, supports hundreds of millions of websites and other associated Internet-facing application services around the world. Research firms predict the total market for hosting will grow from $76.9B in 2010 to about $210B in 2016.

[Figure: Public Cloud Services Market 2010-2016, billions of dollars. 2010: 77; 2011: 93; 2012: 110; 2013: 131; 2014: 155; 2015: 181; 2016: 210]

Example of Financial Loss from Sustained DDoS Attack

DDoS details: Size: 110 Gbps. Total duration: 48 hours. Time to RTBH: 30 minutes.
Hosting facility: Business: Cloud Hosting. Annual revenue: $10M. Network: 4x10 Gbps transit. Target of DDoS: Retail website. SLA: 99.99%. Violation: 25.68 minutes. SLA policy: 1 day for violation.
Customer: MRR for hosting: $20,000/mo. ACV for hosting: $240,000. Annual revenue: $5M. Downtime: 2 days.
Impact: Customer loss: $28,000. Hosting SLA credit: $27,000. At this point, the client will relocate services due to downtime, resulting in an ACV loss of $240,000 to the hosting company. Total impact: $295,000.

The widespread adoption of the Internet has led to the explosion of online services, and consequently the explosion of hosting companies. Distributed denial of service (DDoS) attacks have become the mechanism of choice for cyber criminals to inflict maximum damage against their desired targets. These targets are often customers of unsuspecting hosting companies who are simply trying to provide reliable infrastructure and platform services to SaaS companies, websites, VoIP, mail, DNS, game servers and other online applications. These attacks are widespread and harm the recipients as well as adjacent customers the hosting company supports, and are often strong enough to spill over so far that they impact an entire hosting operation.

Malicious criminals have varying motivations, methods, and backgrounds. Some use an arsenal of vulnerable servers to launch distributed denial of service (DDoS) attacks against their desired target. Some use DDoS as a means to levy their grievances against their former host. Some will see this as a means to extort financial gain. Some simply do it for sport.
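The sidebar's 25.68-minute violation and $295,000 total follow from a few lines of arithmetic. The script below is an added illustration, not part of the whitepaper; it assumes a 30-day month, an SLA credit equal to one day of the host's annual revenue, and customer loss proportional to days of downtime (under those assumptions the page's rounded $27,000 and $28,000 both come out near $27,400).

```python
"""SLA-violation and financial-impact arithmetic behind the whitepaper's
"Example of Financial Loss from Sustained DDoS Attack" sidebar.

Assumptions (not stated on the page): a 30-day billing month, an SLA credit
equal to one day of the hosting company's annual revenue, and customer loss
equal to the customer's daily revenue multiplied by days of downtime.
"""

MINUTES_PER_MONTH = 30 * 24 * 60  # assumes a 30-day month


def allowed_downtime_minutes(sla_pct, minutes_in_period=MINUTES_PER_MONTH):
    """Downtime the SLA tolerates per period; 99.99% of a 30-day month is 4.32 min."""
    return (1.0 - sla_pct / 100.0) * minutes_in_period


def sla_violation_minutes(outage_minutes, sla_pct):
    """Minutes of an outage that exceed the SLA allowance (zero if within it)."""
    return max(0.0, outage_minutes - allowed_downtime_minutes(sla_pct))


def ddos_impact(hosting_annual_revenue, customer_annual_revenue,
                customer_acv, downtime_days, sla_credit_days, customer_churns):
    """Break the whitepaper's 'Total Impact' into its components (dollars)."""
    sla_credit = hosting_annual_revenue / 365.0 * sla_credit_days
    customer_loss = customer_annual_revenue / 365.0 * downtime_days
    # The ACV is only lost if the customer relocates after the outage.
    acv_loss = customer_acv if customer_churns else 0.0
    return {
        "customer_loss": customer_loss,
        "sla_credit": sla_credit,
        "acv_loss": acv_loss,
        "total": customer_loss + sla_credit + acv_loss,
    }


if __name__ == "__main__":
    # Figures from the sidebar: 30 minutes to RTBH against a 99.99% SLA.
    print(f"violation: {sla_violation_minutes(30, 99.99):.2f} min")
    impact = ddos_impact(10_000_000, 5_000_000, 240_000, 2, 1, True)
    for name, dollars in impact.items():
        print(f"{name}: ${dollars:,.0f}")
```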

In this installment of a series of white papers about the true cost of DDoS attacks, StamSOC (Staminus Security Operation Center) will discuss the history of these attacks, the wide-reaching impacts, and the true costs associated with DDoS attacks. Business operators often overlook the repercussions of DDoS attacks. They look at the immediate damage in terms of bandwidth and forget to look at SLA violations, customer loss, and brand damage. You'll learn why these attacks are so prominent today.

Hosting Networks: A Brief Overview

A typical redundant hosting environment is pictured above. In this environment, a pair of redundant edge networks terminate public IP transit and peering. They then feed into on-premises firewalls, which then go to an aggregation layer. The aggregation layer feeds into rack switches, which then feed into end user services. In this redundant design, any single node, up to an entire side of the network, can go down without service impact. The network architect has also properly identified a need for a firewall. The firewall is capable of delivering some level of stateful filtering, access control lists, and other necessary features.

Hosting Network: Overview of Transit Costs

When a company goes to a wholesale IP transit provider such as Level3, TeliaSonera, NTT, GTT, or Cogent, they purchase transit based on several qualities: the number of ports, the total port capacity they want, and the committed data rate they want on those ports. For example, if you run a hosting operation, you may have typical utilization around 15 Gbps but peak utilization around 20 Gbps. You decide you want to obtain 30 Gbps of total capacity from one of the aforementioned providers. This allows you to burst to 20 Gbps from time to time without a problem. In this scenario, you can then choose to buy 15 Gbps of committed data rate (CDR), 20 Gbps, or 30 Gbps. If you're like most hosting companies, you'll buy 15 Gbps at about $1/megabit using 95th percentile billing. At 95th, 300-second samples are obtained from your interface and the top 5% are thrown out. The immediate next value is your 95th billed value. You're now paying about $15,000/mo for your circuit, and because your bursts to 20 Gbps occur infrequently, you will not be billed for additional IP transit. This is a great deal!

Hosting Network: Impact of DDoS on Transit Cost

You now have a 30 Gbps hosting network and you receive a 10 Gbps DDoS attack. That is within what you can handle. You decide to block the attack using access control lists at your border router. You manage to do it once but realize that future attacks will not be so easy, so you go out and buy yourself a DDoS appliance from Radware or Arbor. You're now seeing 10 Gbps DDoS attacks come in more frequently and you're filtering them for days at a time. Everything looks great until your IP transit provider sends you a bill for your original 15 Gbps plus another 10 Gbps, bringing your total to $25,000. So not only did you have to spend hundreds of thousands, if not millions, of dollars on DDoS protection appliances, you now also have to spend additional money on transit.

Suddenly, it seems impractical to expand your network to 100 Gbps and mitigate an 80 Gbps attack, as demonstrated below. You may be able to obtain the available port capacity from your transit provider using a 20% CDR, but is it worth it? The first 80 Gbps DDoS attack that comes in for more than about 36 hours will end up costing you about $80,000.
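To see why the whitepaper pegs the break-even at about 36 hours, the model below (added here; not Staminus code, and the $1/Mbps price and 30-day month are assumptions) implements 95th-percentile billing over 300-second samples and prices the 10 Gbps and 80 Gbps scenarios from the text.

```python
"""95th-percentile transit billing as the whitepaper describes it: 300-second
samples over the billing month, the top 5% discarded, the next value billed.

Added illustration; the $1/Mbps price, 30-day month and flat sample shapes are
assumptions, not figures taken from any provider's contract.
"""

SAMPLE_SECONDS = 300
DAYS_PER_MONTH = 30  # assumed billing period
SAMPLES_PER_MONTH = DAYS_PER_MONTH * 24 * 3600 // SAMPLE_SECONDS  # 8640


def billable_95th(samples_mbps):
    """Sort descending, throw out the top 5% of samples, bill the next one."""
    ordered = sorted(samples_mbps, reverse=True)
    discard = int(len(ordered) * 0.05)
    return ordered[discard]


def month_of_samples(baseline_mbps, peak_mbps=None, peak_hours=0.0):
    """Constructed interface samples: a flat baseline plus an elevated
    period (a burst, or a DDoS being filtered on-prem) lasting peak_hours."""
    elevated = int(peak_hours * 3600 // SAMPLE_SECONDS)
    peak = baseline_mbps if peak_mbps is None else peak_mbps
    return [peak] * elevated + [baseline_mbps] * (SAMPLES_PER_MONTH - elevated)


def monthly_bill(samples_mbps, cdr_mbps, price_per_mbps=1.0):
    """Pay for the committed rate or the 95th-percentile value, whichever is higher."""
    return max(cdr_mbps, billable_95th(samples_mbps)) * price_per_mbps


def free_hours_per_month():
    """How long traffic can stay elevated before it lands in the billed sample:
    5% of the month, which is 36 hours for a 30-day month."""
    return DAYS_PER_MONTH * 24 * 0.05


if __name__ == "__main__":
    # Occasional 20 Gbps bursts on a 15 Gbps CDR stay free.
    quiet = month_of_samples(15_000, 20_000, peak_hours=10)
    # A 10 Gbps DDoS absorbed on-prem for two days lands in the billed sample.
    attacked = month_of_samples(15_000, 25_000, peak_hours=48)
    print(monthly_bill(quiet, 15_000), monthly_bill(attacked, 15_000))
    # 80 Gbps attack on a 100 Gbps network with a 20% CDR: the extra charge.
    big = month_of_samples(20_000, 100_000, peak_hours=48)
    print(monthly_bill(big, 20_000) - 20_000)
```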

Remote Triggered Black Hole Filtering

Remote triggered black hole (RTBH) filtering is a technique that allows a network to deny undesirable traffic before it enters the network. Black holes, from the perspective of network security, are implemented once an attack has been detected. Black holing traffic can be used to drop all attack traffic at the edge of an ISP network. RTBH is generally performed on a destination address and utilizes BGP. It is effective for quickly dropping undesirable traffic.

RTBH Problems
1) If the target IP is not identified within a few seconds, the network can be saturated. This can result in collateral damage where other customers are also impacted.
2) The customer is effectively taken offline, accomplishing the attacker's ultimate goal.
3) If the attacker attacks hundreds or thousands of IPs at once, black holing often becomes impossible due to BGP advertising limitations imposed by the upstream provider.

DDoS Attacks Explained

Historical Overview: Smurf
One of the first known amplification DDoS attacks was Smurf, written by TFreak in 1997. This attack was wildly popular. The attacker would spoof ICMP packets to originate from the target's address and send these to a network broadcast address. Network devices would by default respond to this broadcast request, and in turn reply to the spoofed source address. If the network contained sufficient hosts that would reply to these packets, the victim network would be flooded with an onslaught of ICMP packets. This attack mechanism was ultimately rendered ineffective via three changes:
1. Routers were configured not to forward packets to the broadcast address.
2. Systems were configured not to respond to broadcast requests, or even to reply to ICMP at all.
3. Networks installed ingress and egress ICMP filters or policers.

Historical Overview: Bang!
This attack is currently less widely known around the world. Bang was a relatively obscure attack written by Sorcerer. The attack is capable of amplifying TCP by about 2-3x. In a TCP Bang attack, the attacker spoofs the victim's IP as usual and sends a TCP SYN (new connection) to any number of public systems with open TCP ports. Each system then replies with 2 to 3 TCP SYN-ACK packets to the intended target. The interesting thing about this attack is that it is relatively easy to launch, requires no vulnerabilities in the amplifying hosts, and can leverage literally any open TCP service. To stop this attack, the target systems would have to employ intelligent stateful firewalls that do not permit repetitive connections in quick succession. However, because this attack can leverage any open system, the attacker does not really need to reuse the same amplifier multiple times in quick succession. The source code to this can be found online. A quick review of the code shows that it is very simple, which is why it's such an elegant attack.

Historical Overview: NTP
Network Time Protocol is used to synchronize computers across the world against centralized servers to within a fraction of a second of coordinated universal time (UTC). NTP operates over the public Internet and can achieve fairly high reliability through its algorithm. The protocol is traditionally used as client-server. NTP is susceptible to man-in-the-middle attacks unless cryptographic security is employed. NTP operates on port 123 TCP and UDP. NTP amplification attacks work like other UDP amplification attacks. The attacker sends a small packet with spoofed source information via UDP to the NTP server. This packet contains a command like monlist, which requests a large amount of data from the NTP server. The NTP server sends this data to the spoofed source of the original small packet. In effect, a few bytes of data can generate megabytes worth of traffic.

DDoS Attacks for Hire

At one point, building a botnet was a complex process that involved hacking many machines, using those machines to hack other machines, and maintaining all these machines. The botnet would be available for use by the attacker and the attacker's circle of associates. This was not a trivial process, as it involved thousands of hours of work to build effective large-scale botnets. The paradigm for botnets and DDoS attacks has changed in recent years. A typical rate for a DDoS botnet rental is around $150-$250 for about 8,000 to 12,000 bots. The rate varies based on the effectiveness of the bots, the size of the network, and the type of attacks that can be launched. Some botnets are specific to a geographic region. Some are designed for maximum volumetric impact.

Trends in DDoS

In the quarter ending September 2013, Staminus' global client base experienced a sharp rise in the number of Distributed Denial of Service (DDoS) attacks. Primary target industries included:
Financial Services: Banks
Financial Services: Payment Processors
Video Gaming
Online Retail

This quarter showed a sharp rise in high-throughput attacks exceeding 40 Gbps. As previously mentioned, we have seen a trend towards larger attacks for over a decade, so this is not surprising. What is interesting, though, is that September saw a 5x rise in the number of attacks exceeding 40 Gbps and a 2x rise in the number of attacks exceeding 10 Mpps. This likely signifies that there are more DDoS-as-a-Service operators making their large botnets available for a fee. This in turn enables subscribers to launch more large-scale attacks that devastate networks.

What Can Hosting Providers Do To Reduce Risk?

Hosting companies provide fundamental infrastructure for the operation of the Internet. They will constantly be targeted by malicious cyber criminals seeking to impact their customers. Hosting providers are constantly improving and expanding their infrastructure to cater to a growing Internet population. This is done to improve uptime and functionality (latency, bandwidth, locations). Oftentimes, this takes precedence over security. As the industry grows, attacks will become more prevalent, impacting more hosting companies than ever. Cyber criminals will continue to exploit effective means of impacting their desired targets. The black market makes it easy for them to launch these attacks. This market has just taken shape and we expect it to grow rapidly over the next few years. DDoS is simply a profitable business.

In order to assist in the mitigation of the risk discussed in this whitepaper, StamSOC recommends the implementation of several measures:

Cloud-based DDoS Protection. This service can serve as a buffer to help alleviate the impact of large-scale attacks. The cloud provider would receive your prefix advertisement over BGP and protect your network.

On-premises DDoS Detection Appliances. These appliances can serve to automatically blackhole the target IP, allowing your cloud mitigation system to be activated to protect your client.

Tightly Controlled Firewalls. Limiting unnecessary traffic and allowing only what is required can reduce the overall impact of DDoS attacks dramatically.

Conclusion

Ignoring DDoS attacks can be a dangerous and risky decision. The cost of a single attack can easily violate your company's SLA, forcing you to pay out large sums in SLA credits. It can result in the loss of image and customers. At the very least, an RTBH strategy is necessary. Appliances similar to the Staminus SecureNet M1200 can do this. This can dramatically reduce potential network-wide downtime caused by DDoS attacks.

A second strategy is the integration of cloud-based mitigation. This is similar to an insurance policy. Rather than paying large transit charges as a hosting provider, you offload your company's DDoS expenses to a cloud provider. The cloud provider pays for the exorbitant bandwidth charges, shielding you from this risk. You also have the added benefit of not needing DDoS mitigation equipment on premises.

A third solution is the combination of DDoS monitoring appliances on premises and cloud-based mitigation. This gives you the flexibility of protecting your entire network while only having specific customers and resources routed through cloud mitigation.

Who is Staminus?

Founded in 1998, Staminus Communications provides industry-leading DDoS mitigation and secured hosting services to thousands of users and companies around the globe. Staminus SecurePort:Global technology is the most advanced, affordable, and automated DDoS mitigation solution in the industry. Powered by an ever-expanding 200+ Gbps network dedicated to DDoS mitigation and three patent-pending mitigation technologies, SecurePort:Global helps clients ranging from casual gamers to enterprise businesses protect their services' availability. With over 15 years of development, SecurePort:Global outshines other mitigation solutions in performance, scalability, flexibility and reliability. At its core, Staminus is powered by its employees. Each member of the Staminus team is selected based on both their understanding of modern security technology and their ability to build and contribute to a tight-knit, focused, and committed team of experts. See why thousands of clients with mission-critical infrastructures choose Staminus to defend their services from DDoS attacks.

Staminus
4695 MacArthur Court, 11th Floor
Newport Beach, CA 92660
1 866 323 8306
sales@staminus.net
www.staminus.net