TDC's perspective on DDoS threats
DDoS Dagen, Stockholm, March 2013
Lars Højberg, Technical Security Manager, TDC
TDC in the Nordics
- 9,300 employees (2012)
- Turnover: 26.1 billion DKK (2012)
- One Nordic network
- Coordinated Nordic SLA
- Coordinated Nordic support

TDC in Sweden
- 20 offices across the country
- 825 employees (Feb. 2013)
- Turnover: 3.1 billion SEK (2012)
- 100 % owned by TDC A/S (Denmark)
Our products and services (slide shows a diagram of head office, local offices, mobile users, hosting and operator services connected over the TDC network and the Internet)
- Mobility: mobile integration, mobile access, mobile applications, device management, product support
- Unified Communications: telephony access, number services, meeting services, virtual exchange services, business exchanges and UC systems, video-conferencing, contact centre, telephony applications
- Networking Services: IP VPN, Ethernet VPN, Internet access, security services (firewalls, VPN, secure DNS etc.), local network (wireless or wired), consultative services
- Communication as a service / service concept: operational services, installation services, consulting services, financing, hosting, TDC Service Online
Agenda
1. The DDoS threat picture from a TDC perspective
2. The pros and cons of various types of DDoS solutions
3. The TDC DoS Protection solution
Part 1: The DDoS threat picture from a TDC perspective
Motivation for DDoS attacks
Why?
- Finance / blackmail
- Political / ethical / protest (hacktivism)
- Revenge (e.g. from former employees)
- Competitor attacks
- Diversion tactic to cover an even more serious attack (the DDoS keeps the operations team busy while the real intrusion takes place)
Impact on the victim
- Financial
- Image / goodwill / trust
Source: Radware, Global Application & Network Security Report, 2012
Blackmail samples (slide shows examples of extortion messages)
Media-covered DDoS attacks in the Nordics (slide shows news headlines)
DDoS software agents (slides show screenshots of attack tools)
DDoS-as-a-service (slide shows a screenshot of a booter offering)
Most frequent attack types seen by TDC - #1: Volumetric / flood attacks
- The primary goal is to overwhelm network capacity
- Large floods of traffic, sometimes from spoofed source addresses
- Examples: UDP flood, ICMP flood, DNS amplification attack
- In a DNS amplification attack the attacker sends small queries to open resolvers with the victim's address spoofed as the source, so the much larger responses are delivered to the victim
- This is by far the most frequent attack type
(Slide shows a diagram of a DNS amplification attack.)
Most frequent attack types seen by TDC - #2: Connection attacks
- Takes advantage of the stateful nature of TCP to exhaust resources in a load balancer, firewall, IPS or web server
- Fills up the device's connection table, so legitimate connections can no longer be accepted
- Example: TCP SYN flood
(Slide shows a diagram of a SYN flood attack.)
Most frequent attack types seen by TDC - #3: Application layer attacks
- Mimics normal traffic
- Exploits specific aspects of applications or services
- Can be very effective at relatively low bandwidth
- Examples: Slowloris, Slow POST, GET requests for large files, CPU-intensive SQL queries, non-cacheable page requests
Source: Arbor Networks, Worldwide Infrastructure Security Report, 2012
The future: more sophisticated and more targeted attacks at the application layer
Which services or network elements are the bottleneck during DDoS attacks? (slide shows a chart)
Source: Radware, Global Application & Network Security Report, 2012
The DDoS threat picture from a TDC perspective
- In 2012 DDoS attacks really hit the headlines in the Nordics
The attackers
- From script kiddie to organized criminal activity
- You don't have to be a techie to set up a DDoS attack
The targets
- Organizations and companies from all market segments and of all sizes: businesses, government agencies, academic institutions, ...
- Are you dependent on your Internet presence? Then you are in the danger zone!
The typical attack
- Source: a botnet (possibly using DNS servers for amplification)
- Target: a web server (but the bottleneck might be the firewall or the Internet pipe)
- Type: a volumetric / flood attack
Part 2: The pros and cons of various types of DDoS solutions
DDoS protection methods - #1: Extra capacity
- Provision capacity for both the legitimate and the malicious traffic
- Over-provisioning of bandwidth
- Larger firewalls, load balancers, servers etc.
- Addresses flood attacks, not targeted application layer attacks
- The attack will simply be scaled up accordingly by the criminals
DDoS protection methods - #2: Traditional perimeter protection (firewall / IPS)
- Firewalls allow the very traffic that attackers use for application layer attacks (HTTP to a public web server is permitted by policy)
- Stateful devices like firewalls and IPS can themselves become the bottleneck in a connection attack
- Do not handle bandwidth flood attacks: the attack has already exhausted the network link by the time it reaches the firewall
Source: Arbor Networks, Worldwide Infrastructure Security Report, 2012
A dedicated DDoS protection solution is needed as a supplement to the existing security solutions.
DDoS protection methods - #3: Dedicated DDoS solution in the customer's network (CPE)
- An extra defence layer in the perimeter, placed in front of the firewall / IPS
- Protects against a broad array of DDoS attacks at the network and application layer
- Does not handle bandwidth flood attacks: the attack has already exhausted the network link by the time it reaches the CPE device
DDoS protection methods - #4: Internet service provider (or cloud) solution
- Malicious traffic is blocked before it enters the customer's network
- Only legitimate traffic is seen on-site ("clean pipe")
- Supports mitigation of all the different attack types, at both the network and the application layer
- Bandwidth flood attacks can only be mitigated in the ISP network or in the cloud; mitigation inside the customer's network is too late
- Scalable solution
TDC DoS Protection is an Internet service provider solution.
Part 3: The TDC DoS Protection solution
TDC DoS Protection: monitoring, mitigation and reporting
TDC DoS Protection - Introduction
- Product launched November 2011, as a pan-Nordic product
- Protecting TDC's own infrastructure and critical services since 2004
- The product consists of three parts: monitoring, mitigation and reporting
Normal conditions (slide diagram: traffic to the customer follows its normal path through the TDC network; the scrubber centre is not in the path)
Attack
1) Attack detected (threshold exceeded)
2) Alert generated and sent to the SOC
3) Customer contacted and informed by the SOC
4) Start of mitigation agreed

Mitigation
5) Traffic rerouted via the TDC Scrubber Center
6) Malicious traffic is blocked, legitimate traffic is delivered to the server
7) Availability of the server is maintained
TDC DoS Protection highlights
- The attack is mitigated in TDC's high-capacity backbone before it enters the customer's network; the closer to the source you can mitigate an attack, the better
- A clean pipe is delivered to the customer
- 24/7/365 service operated by the TDC SOC, staffed by network operations employees with mitigation experience
- No impact on Internet traffic under normal conditions
- No changes at the customer's premises: no additional equipment, no changes to the network setup, no changes to the configuration of servers
TDC DoS Protection - Monitoring
Monitoring
1. Traffic to the customer's IP addresses is monitored; monitoring is based on NetFlow data exported by TDC's peering routers
2. If the traffic exceeds a threshold value, an alert is generated; an alert signals an attack, and attacks are detected on a per-host basis
3. The alert is sent to the SOC
4. The SOC contacts the customer to decide on mitigation
Note: if the customer detects an attack themselves, the customer can contact the SOC directly
Thresholds
Thresholds are set so that alerts are generated when traffic becomes abnormal and critical. Threshold values are based on:
- The normal traffic pattern
- Max load in bps for the servers
- Max concurrent TCP connections for the servers
Threshold values can be set for:
- ICMP (pps)
- IP NULL (protocol 0) (pps)
- IP fragmentation (pps)
- IP private address space (pps)
- TCP NULL flag (pps)
- TCP SYN flag (pps)
- TCP RST flag (pps)
- UDP (pps)
- DNS (pps)
- Total traffic (bps and pps)
Configuration is done by the TDC SOC, partly based on technical input from the customer
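The monitoring and threshold slides above describe per-host detection over NetFlow data. The following is an added example (not TDC's monitoring code) that models that step: flow records are summed per destination host and per traffic class over an export window, and an alert is raised when a class exceeds the threshold configured for that host. The hosts, thresholds and flow records are constructed for illustration, and the per-host override of a default threshold set is an assumption about how such a configuration would be kept.

```python
"""Per-host threshold alerting over NetFlow-style records (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# IP protocol numbers and TCP flag bits used below
ICMP, TCP, UDP = 1, 6, 17
SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Flow:
    """The subset of a NetFlow v5 record needed for thresholding."""
    src: str
    dst: str
    proto: int
    dport: int
    tcp_flags: int   # OR of all TCP flags seen in the flow (0 for non-TCP)
    packets: int
    octets: int


def classify(flow):
    """Traffic classes from the threshold list that this flow counts toward.

    Simplification: a TCP flow whose flags contain SYN but never ACK is
    treated as SYN-flood traffic; a completed handshake always carries ACK.
    """
    classes = ["total"]
    if flow.proto == ICMP:
        classes.append("icmp")
    elif flow.proto == UDP:
        classes.append("udp")
        if flow.dport == 53:
            classes.append("dns")
    elif flow.proto == TCP:
        if flow.tcp_flags & SYN and not flow.tcp_flags & ACK:
            classes.append("tcp_syn")
        if flow.tcp_flags & RST:
            classes.append("tcp_rst")
    return classes


def rates_per_host(flows, window_s):
    """{dst: {class: (pps, bps)}} over an export window of window_s seconds."""
    pkts = defaultdict(lambda: defaultdict(int))
    octs = defaultdict(lambda: defaultdict(int))
    for f in flows:
        for cls in classify(f):
            pkts[f.dst][cls] += f.packets
            octs[f.dst][cls] += f.octets
    return {dst: {cls: (pkts[dst][cls] / window_s, octs[dst][cls] * 8 / window_s)
                  for cls in pkts[dst]}
            for dst in pkts}


def detect(flows, window_s, thresholds):
    """Return one alert tuple (dst, class, metric, observed, limit) per breach.

    A host's own entry in `thresholds` overrides the 'default' entry per class
    (assumed layout, see lead-in).
    """
    alerts = []
    for dst, classes in rates_per_host(flows, window_s).items():
        host_limits = {**thresholds["default"], **thresholds.get(dst, {})}
        for cls, (pps, bps) in classes.items():
            limit = host_limits.get(cls, {})
            if "pps" in limit and pps > limit["pps"]:
                alerts.append((dst, cls, "pps", pps, limit["pps"]))
            if "bps" in limit and bps > limit["bps"]:
                alerts.append((dst, cls, "bps", bps, limit["bps"]))
    return alerts


# Constructed thresholds. The web server gets its own values, derived from its
# normal load (about 20 Mbit/s) and the firewall's new-connection capacity.
THRESHOLDS = {
    "default": {
        "icmp": {"pps": 1_000}, "udp": {"pps": 5_000}, "dns": {"pps": 2_000},
        "tcp_syn": {"pps": 2_000}, "tcp_rst": {"pps": 2_000},
        "total": {"pps": 50_000, "bps": 100_000_000},
    },
    "203.0.113.10": {"tcp_syn": {"pps": 3_000},
                     "total": {"pps": 20_000, "bps": 80_000_000}},
}

WINDOW_S = 60
# Constructed flow records for one 60-second export window.
SAMPLE_FLOWS = (
    # legitimate HTTPS sessions: complete handshakes, 40 packets / 30 kB each
    [Flow(f"198.51.100.{i}", "203.0.113.10", TCP, 443, SYN | ACK | 0x08 | 0x01, 40, 30_000)
     for i in range(1, 201)]
    # SYN flood: 600 SYN-only records from spoofed sources, 500 x 60-byte SYNs each
    + [Flow(f"192.0.2.{i % 254 + 1}", "203.0.113.10", TCP, 80, SYN, 500, 30_000)
       for i in range(600)]
    # ordinary DNS queries to the resolver
    + [Flow(f"198.51.100.{i}", "203.0.113.53", UDP, 53, 0, 5, 400) for i in range(1, 101)]
)

if __name__ == "__main__":
    for dst, cls, metric, seen, limit in detect(SAMPLE_FLOWS, WINDOW_S, THRESHOLDS):
        print(f"ALERT {dst} {cls}: {seen:,.0f} {metric} exceeds {limit:,} {metric}")
```

With the constructed data only the web server's TCP SYN threshold fires (5,000 SYN/s against a limit of 3,000), while total pps and bps stay well under their limits: this is exactly the connection-attack case where the bandwidth is small but the firewall's connection table is the bottleneck, which is why a per-class threshold and not only a total-traffic threshold is needed.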
TDC DoS Protection - Mitigation
Mitigation
1: Detection of the attack
2: Rerouting of traffic
3: Mitigation of the attack
- Traffic is routed via the scrubber boxes for the duration of the mitigation
- The scrubber boxes are connected directly to TDC's high-capacity backbone network
- Mitigation affects incoming traffic only
Mitigation methods
Scrubbing
- Filtering based on source IP or country (GeoIP)
- Dynamic blocking of bots
- TCP/UDP protection
- DNS protection
- HTTP protection
- and others
Blackhole routing
- Source based
- (Destination based: drops all traffic to the attacked address and thereby completes the attacker's goal for that host, so it is a last resort used to protect the rest of the network)
Source: Radware, Global Application & Network Security Report, 2012
Scrubber functionality - filtering and shaping
GeoIP filter
- Filtering based on source location, e.g. drop all traffic originating from Korea
Zombie detection
- When a source exceeds a per-source threshold, the source IP is interpreted as a zombie/bot and all packets from that source IP are dropped
Traffic shaping
- After all other mitigations have been processed, the scrubber can rate-limit the remaining traffic from the defined sources
Scrubber functionality - TCP & UDP
TCP SYN authentication
- The scrubber acts as a proxy: it intercepts and authenticates all inbound TCP connections to the protected hosts
- It verifies that the source completes the 3-way TCP handshake (a spoofed source never receives the SYN-ACK and therefore cannot answer it)
- If the source is verified, the source is allowed to connect to the protected host
- Protects against TCP SYN floods (connection table exhaustion) and against IP spoofing
TCP connection reset
- Drops TCP connections that have been idle for longer than a timeout period
- Protects against server connection table exhaustion
Payload regular expressions
- TCP/UDP payload regex (header and payload filter)
Scrubber functionality - HTTP
HTTP rate limiting
- Limits the rate at which a single host can send HTTP requests
- Protects against overwhelming the resources of a web server
HTTP/URL regular expressions
- Drops HTTP packets whose header matches the defined criteria
- Protects against certain HTTP-specific attacks
AIF
- Signature-based blocking of known botnet and application layer attacks
- Based on continuously updated signatures from Arbor Networks
(Slide shows a captured header from an HTTP GET flood by the YoYoDDoS botnet.)
Mitigation processing order
1. Invalid Packet List
2. IP Address Filter Lists
3. Black / White List
4. GeoIP Filter Lists
5. Zombie Detection
6. TCP SYN Authentication
7. DNS Scoping
8. DNS Authentication
9. TCP Connection Reset
10. Payload Regular Expression
11. Source /24 Baselines
12. Protocol Baselines
13. DNS Malformed
14. DNS Rate Limiting
15. DNS NXDomain Rate Limiting
16. DNS Regular Expression
17. HTTP Malformed
18. HTTP Scoping
19. HTTP Rate Limiting
20. AIF and HTTP/URL Regular Expression
21. SSL Negotiation
22. SIP Malformed
23. SIP Request Limiting
24. Traffic Shaping
25. GeoIP Policing

Example - attack type: TCP SYN flood. Mitigations used, in processing order:
- GeoIP filter
- Zombie detection (sources exceeding 2 Mbps)
- TCP SYN authentication
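The scrubber slides above describe GeoIP filtering, zombie detection and TCP SYN authentication, and the processing-order slide gives the SYN-flood example that chains those three. The following is an added example and not TDC's or Arbor's scrubber code: it models that chain in the slide's order on constructed packets, using a SYN-cookie style challenge so the scrubber keeps no state for unanswered SYNs. The GeoIP table (TEST-NET prefixes), addresses, thresholds, cookie secret and the choice to reset the probe connection after a successful challenge (so the client's retry is forwarded) are all constructed assumptions; zombie ageing and the later pipeline stages are not modelled.

```python
"""A scrubber's SYN-flood mitigation chain, modelled in Python (added example)."""
import hashlib
import hmac
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    seq: int = 0
    ack: int = 0
    size: int = 60          # bytes on the wire


# Constructed GeoIP table (TEST-NET prefixes, not real geolocation data)
GEOIP = [(ipaddress.ip_network(net), cc) for net, cc in
         [("198.51.100.0/24", "SE"), ("192.0.2.0/25", "US"), ("192.0.2.128/25", "KR")]]


def country(ip):
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEOIP if addr in net), "??")


class Scrubber:
    def __init__(self, blocked_countries, zombie_bps, secret):
        self.blocked = set(blocked_countries)
        self.zombie_bps = zombie_bps          # per-source bits/s before it is a zombie
        self.secret = secret
        self.bits = defaultdict(int)          # (src, second) -> bits seen from src
        self.zombies = set()
        self.verified = set()                 # sources that completed the challenge
        self.replies = []                     # packets the scrubber sends back to sources
        self.forwarded = []                   # packets delivered to the protected host

    def cookie(self, p):
        """Challenge sequence number: HMAC over the 4-tuple, recomputed on the ACK."""
        msg = f"{p.src}:{p.sport}>{p.dst}:{p.dport}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def process(self, p, now):
        # Stage 1 - GeoIP filter: cheapest check, runs before any per-source state
        if country(p.src) in self.blocked:
            return "drop:geoip"
        # Stage 2 - zombie detection: a source above the bps threshold is dropped outright
        if p.src in self.zombies:
            return "drop:zombie"
        key = (p.src, int(now))
        self.bits[key] += p.size * 8
        if self.bits[key] > self.zombie_bps:
            self.zombies.add(p.src)
            return "drop:zombie"
        # Stage 3 - TCP SYN authentication
        if p.src in self.verified:
            self.forwarded.append(p)          # handshake proven once; pass the source
            return "pass"
        if p.flags & SYN and not p.flags & ACK:
            # Answer the SYN ourselves; nothing reaches the protected host yet.
            self.replies.append(Packet(p.dst, p.src, p.dport, p.sport, SYN | ACK,
                                       seq=self.cookie(p), ack=(p.seq + 1) & 0xFFFFFFFF))
            return "challenge"
        if p.flags & ACK and p.ack == (self.cookie(p) + 1) & 0xFFFFFFFF:
            # Only a host that received our SYN-ACK can send this ACK, so the source
            # is not spoofed. Reset the probe connection; the client's retry is passed.
            self.verified.add(p.src)
            self.replies.append(Packet(p.dst, p.src, p.dport, p.sport, RST, seq=p.ack))
            return "verified"
        return "drop:unauthenticated"


def run_demo():
    """Constructed traffic mix; returns (action counts, scrubber)."""
    s = Scrubber(blocked_countries={"KR"}, zombie_bps=2_000_000, secret=b"constructed-secret")
    actions = Counter()
    host = "203.0.113.10"
    # a) a real client from Sweden: SYN -> challenge, ACK of the cookie -> verified,
    #    retried SYN -> passed through to the server
    actions[s.process(Packet("198.51.100.7", host, 51000, 80, SYN, seq=1000), 0.0)] += 1
    chal = s.replies[-1]
    actions[s.process(Packet("198.51.100.7", host, 51000, 80, ACK, seq=1001,
                             ack=(chal.seq + 1) & 0xFFFFFFFF), 0.1)] += 1
    actions[s.process(Packet("198.51.100.7", host, 51001, 80, SYN, seq=2000), 0.2)] += 1
    # b) 50 spoofed SYNs from the US prefix: each gets a challenge that is never answered
    for i in range(50):
        actions[s.process(Packet(f"192.0.2.{i}", host, 40000 + i, 80, SYN), 0.3)] += 1
    # c) a SYN from the blocked country is dropped before anything else is evaluated
    actions[s.process(Packet("192.0.2.200", host, 40100, 80, SYN), 0.4)] += 1
    # d) one non-spoofed bot blasting 1500-byte SYNs: packet 167 crosses 2 Mbit/s
    for i in range(200):
        actions[s.process(Packet("198.51.100.200", host, 45000 + i, 80, SYN, size=1500), 0.5)] += 1
    return actions, s


if __name__ == "__main__":
    counts, scrub = run_demo()
    for action, n in sorted(counts.items()):
        print(f"{action:22} {n}")
    print("forwarded to host:", [(p.src, p.sport) for p in scrub.forwarded])
```

The ordering matters in the way the processing-order slide implies: the country block is evaluated first and builds no per-source state, the bps counter is only charged for sources that survived it, and the handshake challenge is reached only by sources below the zombie threshold. In the constructed run just one packet, the verified Swedish client's retried SYN, is ever forwarded to the protected host.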
TDC DoS Protection - Reporting
Reporting
Monthly status report
- Graphs showing the customer's traffic patterns
- Average and highest traffic volumes observed (bits/s and packets/s)
- Summary of DDoS attacks targeting the customer's network (list of alerts)
Mitigation report
- Attack: timestamps (start and end of the attack), source and destination addresses, attack type and impact
- Mitigation: timestamps (start and end of the mitigation), mitigation methods used, mitigation impact
TDC DoS Protection - Time schedule
(Slide shows a timeline: the service starts with a baselining mode of 4 weeks, during which the normal traffic pattern is observed before thresholds are set.)
Some considerations
Do you need to protect yourself against DDoS attacks? Ask yourself questions like: if a DDoS attack hit us right now and a critical system stopped responding, what would we do?
- A DoS protection solution is like insurance: when you need it, you need it instantly
- Make a risk assessment
- View protection against DDoS attacks as part of your business continuity and disaster recovery plan
- Remember that handling DDoS attacks is not only about technology, it is also about processes
- Make sure you have an emergency plan in place with well-defined processes
Questions?