Stop DDoS Before They Stop You! CNNIC Conference 09/2013
INTERNET ATTACK(DDOS & WEB) ANALYSIS AND SOLUTIONS
The endless war
2013:
Mar. 2013: Izz ad-Din al-Qassam initiated its 3rd round of attacks targeting U.S. banks, including Bank of America, Citigroup, Wells Fargo, US Bancorp, PNC Financial Services Group Inc, Capital One, Fifth Third Bank, BB&T and HSBC.
Mar.: JP Morgan Chase website offline due to DDoS.
Mar.: DDoS attack targeted Czech telecom and bank websites.
Feb.: Anonymous OpEgypt targeted Egyptian government websites.
2012:
Jul.: Anonymous Operation Japan attacked Japanese government websites.
Mar.: DDoS attacks on Hong Kong's Chinese Gold & Silver Exchange Society.
Mar.: DDoS attacks on NASDAQ.
Feb.: DDoS attacks on the U.S. Department of Justice, the U.S. Copyright Office and Mexican government websites; on Brazil's top financial institutions, including Banco Bradesco and Banco do Brasil; and on the local and global websites of U.K.'s HSBC Holdings PLC.
2011:
Malaysia Action: over 50 Malaysian government and financial websites came under attack.
Sony lost over 2 billion USD because of the Anonymous attack.
Visa, PayPal and Amazon also came under attack and were paralysed, in revenge for terminating the donation account for WikiLeaks.
Korea: 40 government websites and corporate institutions came under attack, including the Presidential Office, National Intelligence Service, Foreign Ministry and Defense Ministry.
We are Anonymous. Anonymous: The Unseen Driving Force
DDoS Trends in 2013 H1
[Figure 2: DDoS Attacks Monitored by NSFOCUS, monthly DDoS attack frequency, Jan to Jun 2013]
[Figure 5: Targets of Major DDoS Attacks, by category: Bank, Government, Enterprise, NPO, ISP, Other]
[Figure 8: Methods of DDoS Attacks: TCP_FLOOD (38.7%), HTTP_FLOOD, DNS_FLOOD, HYBRID_FLOOD, UDP_FLOOD, ICMP_FLOOD, Other; panel "The combination of Hybrid DDoS Attacks" lists the combinations ICMP+TCP+UDP, ICMP+TCP+UDP+DNS, ICMP+TCP, TCP HYBRID and Other]
Source: NSFOCUS Mid Year DDoS Threat Report 2013
Findings of DDoS Trends
Findings from the NSFOCUS Mid Year DDoS Threat Report 2013:
One major DDoS news event happened every two days and one common DDoS attack happened every two minutes;
DDoS motives: hacktivism tops the list;
DDoS victims: the most likely targets were banks, governments and enterprises;
More than 68 percent of victims suffered multiple attacks;
TCP Flood and HTTP Flood remain the most popular attack methods;
Most DDoS attacks are short: over 90% last less than 30 minutes;
Most attacks are not very big: over 90% are less than 2 Gbps and 69% are less than 0.2 Mpps;
Hybrid attacks are becoming more prevalent.
[Figure 3: Causes for Major DDoS Attacks: Hacktivism 91.1%; Business, Crime, Cyber War and Other share the remainder (2.2%, 2.2%, 4.4%)]
Source: NSFOCUS Mid Year DDoS Threat Report 2013
The Scope of the Damage by DDoS Attacks
Motivations: organized crime, political protest, hacktivism, etc.
[Diagram: State & Country; Telecom Carriers (damage on infrastructure); IDC & ISP (reputation loss); Government & Financial Enterprises (economic loss)]
Operation Malaysia (2): LOIC, Low Orbit Ion Cannon
Why does Anonymous always win the game?
Attack Tools
1. HOIC. Type: HTTP GET Flood. Methodology: simulates HTTP requests by setting connection threads, editing scripts for random headers or random URLs.
2. LOIC. Type: HTTP GET Flood, TCP Flood, UDP Flood. Methodology: simulates requests via selecting different protocols and setting attack connection threads, ports, etc.
3. R U Dead Yet? Type: HTTP POST Flood. Methodology: a type of connection exhaustion attack that consumes all the resources on the target servers.
4. DDoSim. Type: HTTP GET Flood. Methodology: simulates several zombie hosts (having random IP addresses) which create full TCP connections to the target server, and then start conversations with the listening applications (e.g. HTTP servers).
5. Slowloris. Type: HTTP GET Flood. Methodology: sends partial HTTP requests to hold connections open and exhaust web server resources.
6. Pyloris. Type: HTTP GET Flood. Methodology: PyLoris is a scriptable tool for testing connection exhaustion attacks; it is a Python implementation of Slowloris.
Attackers will employ more diversified and varying attack methods instead of simply sending attack packets in a crazy manner.
Attack Case 1: Operation Ababil
Background/Phase
Protest: 2012.7, disaster caused by a film clip.
Attack: 2012.9.18, the Cyber Fighters set up DDoS attacks on banks of the U.S., named Operation Ababil.
2 Phases: Phase 1, 5 weeks (9.18-10.23); Phase 2, 7 weeks (12.10-1.28).
Pause/Continue: 2013.1.29 attack paused; 2013.3.5 attack continued.
Characteristics
Big Traffic Volume: 1. Web servers as zombies; 2. Dozens of G; 3. Numerous zombies.
Long-Lasting DDoS: 1. Several months; 2. APT alike.
Multiple Attack Methods: 1. Network layer: TCP/UDP/ICMP Flood; 2. Application layer: HTTP/DNS Flood.
Multiple Targets: 1. Dozens of finance institutes; 2. ISP.
Operation Steps
Known: the zombies are Web servers!
1. Penetrate Web servers: penetrate numerous high-bandwidth Web servers, via vulnerable admin passwords and software vulnerabilities (1. TimThumb of WordPress; 2. Joomla).
2. Use a multilayer attack mode: use some Web servers as C&C servers and the others as zombies; upload PHP DDoS tools to the zombies.
3. Launch the DDoS attack: the zombies launch the DDoS attack on the targets.
Attack Tools
Itsoknoproblembro: TCP Flood, UDP Flood, HTTP GET Flood, HTTP POST Flood.
Kamikaze: HTTP GET Flood.
Amos: HTTP POST Flood.
Attack Case 2: Spamhaus vs. Cyberbunker
ICP (Spamhaus) vs DC (Cyberbunker), 2013.3.18
1. "Cyberbunker has relationships with criminals from Eastern Europe and Russia, and is behind recent network attacks."
2. "Spamhaus abused its position; it has no right to decide what content can appear on the Internet and what cannot."
MSSP steps in, vs DC
3. "We have been attacked continuously for 1 week, but we kept standing, never down. You cannot imagine how much effort our engineers made. Such an attack can swallow everything."
4. "Help! I got attacked by DDoS!!"
5. "Just 75G, got it done, you can do some marketing."
MSSP became the Target
6. "You dare to help him! I will strike you instead."
Attacked from Mar 23, at 300-600G; the targets were not ordinary equipment but CloudFlare BGP direct peering and IXes, and the attacks were totally out of control. IXes attacked included London LINX, Amsterdam AMS-IX, HK-IX, Frankfurt DE-CIX, etc. Among them, the London IX was affected most significantly, with direct effects on the Internet business within it.
ISPs got affected
7. "If this goes on, the entire network of Europe will go down. You have to stop. CloudFlare, we need to talk about how to solve the problem."
Words after the Event
"We will continue our righteous career, we will not be struck down, we are the best!"
"There is no evidence saying that we are responsible for the action."
"We will persist in our belief: Internet freedom!"
"We should keep a low profile; thanks for the collaboration of everyone, we need to improve."
"You made so much trouble for us, and we did not earn any money from this work."
"Last year, we warned that we need to pay attention to the right configuration of DNS servers, you see."
What did we learn from the event?
DDoS and Web attacks devastate the Data Center and Web Hosting business.
Both of the two attacks are complicated, but in different ways.
Data Centers need to mitigate DDoS and Web attacks simultaneously, accurately and cost-effectively.
How to move smoothly from DDoS attack mitigation to Web attack mitigation as the attack changes? For instance, a DDoS attack growing from 1G to 40G to 100G to 400G, and then changing from a DDoS attack into a Web attack.
Internet Infrastructure and Web Security Solutions
Understanding DDoS/Botnet
[Diagram labels: Router overloaded; Bandwidth consumption; DNS; Email]
DDoS Protection Over Time
Stone Age: Block IPs; Black hole; Load balance; System enhancement; High-performance router and switch.
Medieval Age: IPS/NGFW.
Current Age: Dedicated DDoS Mitigation System; Multi-layer cleaning; Traffic Diversion.
DDoS Mitigation - Multilayer Traffic Cleaning Algorithm
[Diagram: Attacker -> Internet -> Traffic Cleaning Center, with six stages in order: 1 Protocol Analysis, 2 Access Control List, 3 Reputation List, 4 Layer 4 Flood Mitigation, 5 Layer 7 Flood Mitigation, 6 Rate Limit]
1. Protocol Analysis: protocol validation by RFC check.
2. Access Control List: Layer 4 ACL, connection-exhaustion ACL, URL ACL.
3. Reputation List: white/black list, dynamic prioritizing.
4. Layer 4 Flood Mitigation: source/destination IP address check/verification, various mitigation algorithms.
5. Layer 7 Flood Mitigation: various mitigation algorithms, pattern matching.
6. Rate Limit: restricts traffic and ensures the critical business.
Out-of-path Full-diversion Solution
[Diagram: NTA attack detection, EBGP advertisement to the router, ADS traffic cleaning with diversion and reinjection, ADS-M management, attack logs, switch]
Attack Detection: NTA.
Traffic Diversion, Attack Mitigation, Traffic Reinjection: ADS.
Applicable for Telecom Carriers, IDC and MSSP.
Benefits:
Only the traffic to the target server is diverted;
Automatic attack detection and cleaning simplify the operator's work during the attack prevention process;
High reliability: the out-of-path deployment does not affect other traffic, and the traffic path recovers by itself if the ADS product goes out of service.
The thought of DDoS mitigation: from box mitigation to value-added service
Multi-layered collaboration:
Internet / ISP1 (100G): Mgt. & Operation, Anti-DDoS solution, traffic monitoring.
Data Center / MSSP (10G to 40G): ADS, attack mitigation.
Hosting (1 to 10G): ADS/WAF.
Traffic monitoring + DDoS mitigation;
Out-of-path traffic diversion;
CPE Web security (WAF) + cloud cleaning service;
Enable Web hosting providers to become MSSPs.
DDoS Attack Mitigation
[Diagram: Internet -> ISP1 (100G) -> IDC2 (10G to 40G) -> Web Hosting (1G)]
1. IP Address Verification: source/destination IP address check/verification.
2. Access Control List: Layer 4 ACL, connection-exhaustion ACL, URL ACL.
3. Reputation List: white/black list, dynamic prioritizing.
4. Protocol Analysis: protocol validation by RFC check.
5. Layer 4 Flood Mitigation: source/destination IP address check/verification, various mitigation algorithms.
6. Layer 7 Flood Mitigation: various mitigation algorithms, pattern matching.
7. Rate Limit: restricts traffic and ensures the critical business.
It is the consensus in the Data Center industry that the best place to stop a DDoS attack, e.g. a SYN flood, is in the backbone network, since the attack traffic volume can be large, e.g. 10 Gbps. A Data Center usually provides DDoS attack mitigation as a part of its infrastructure service.
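The staged cleaning order from the multilayer cleaning slide and this slide, as an added toy model that is not NSFOCUS product code, run over constructed packets. Stage 4 uses a SYN retransmission check as one stand-in for the unspecified "various mitigation algorithms"; the blacklist, whitelist, URL ACL, flood signature and rate-limit window are all constructed.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    src: str
    proto: str        # "tcp", "udp" or "icmp"
    flags: str = ""   # TCP flag letters, e.g. "S" (SYN), "PA" (PSH+ACK)
    url: str = ""     # request URL for HTTP traffic, otherwise ""

BLACKLIST = {"203.0.113.9"}     # constructed reputation data
WHITELIST = {"198.51.100.7"}
URL_ACL = {"/admin"}            # URL ACL: path never served to the Internet
L7_SIGNATURE = "/?rnd="         # constructed HTTP-flood URL pattern
DST_LIMIT = 4                   # rate limit: packets passed per window (toy)

class Cleaner:
    def __init__(self):
        self.challenged, self.verified, self.passed = set(), set(), 0
    def protocol_analysis(self, p):   # stage: RFC validation
        if p.proto == "tcp" and (not p.flags or {"S", "F"} <= set(p.flags)):
            return "drop"             # flagless or SYN+FIN segments are invalid
    def acl(self, p):                 # stage: Layer 4 / URL ACL
        if p.url in URL_ACL:
            return "drop"
    def reputation(self, p):          # stage: black/white list
        if p.src in BLACKLIST:
            return "drop"
        if p.src in WHITELIST:
            return "pass"             # trusted source skips the flood stages
    def l4_flood(self, p):            # stage: source verification (SYN retransmit check)
        if p.proto == "tcp" and p.flags == "S" and p.src not in self.verified:
            if p.src in self.challenged:   # a real TCP stack retransmits its SYN
                self.verified.add(p.src)
                return None
            self.challenged.add(p.src)     # first SYN from unknown source: drop and wait
            return "drop"
    def l7_flood(self, p):            # stage: pattern matching
        if L7_SIGNATURE in p.url:
            return "drop"
    def rate_limit(self, p):          # stage: protect the destination's capacity
        if self.passed >= DST_LIMIT:
            return "drop"
    def clean(self, p):
        """Run the stages in order; return (verdict, stage that decided it)."""
        for stage in (self.protocol_analysis, self.acl, self.reputation,
                      self.l4_flood, self.l7_flood, self.rate_limit):
            verdict = stage(p)
            if verdict:
                return verdict, stage.__name__
        self.passed += 1                  # only fully cleaned traffic counts toward the limit
        return "pass", "all_stages"
```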
Web Attack Mitigation
On the other hand, a Web attack, e.g. SQL injection, is not large in volume, but its payload goes up to the data level. A Data Center usually provides Web attack mitigation as a dedicated service to Web Hosting customers.
[Diagram: Internet -> ISP1 (100G) -> IDC2 (10G to 40G) -> Web Hosting (1G)]
1. Network Access Control
2. TCP Flood Protection
3. HTTP Termination
4. SSL Decryption
5. Data Normalization
6. HTTP Flood Protection
7. HTTP Validation
8. HTTP Access Control
9. Web Server and Plug-in Protection
10. Rule-Based Protection: Crawler, XSS, SQL Injection, LDAP Injection, SSI Command Injection, XPath Injection, Command Line Injection, Path Traversal, Remote File Inclusion
11. Behavior-Based Protection: Illegal File Upload, Illegal Download, Information Disclosure, Leech, CSRF, Scanning, Cookie Hijacking
12. Customized Protection Mechanism: White List, Smart Patch, Custom Security Exception Policy
Next step - Cloud, Pipe, End Security Ecosystem
Automatic collaboration between the DDoS mitigation center, the WAF (CPE) and the Cloud MSS center, with 24x7 monitoring.
1. Assessment: remote web scanning, which collaborates with the WAF to provide smart patches to web servers;
2. On-premises protection: NSFOCUS WAF (CPE) takes care of application-layer web attacks;
3. Traffic Cleaning: the WAF collaborates with the ADS traffic cleaning center when the attack scale exceeds its capacity;
4. MSS Platform: all components are able to work with the NSFOCUS 7x24 MSS platform and expert team.
[Diagram: Cloud (Managed Security Service Platform, security experts, 24x7 monitoring, scanning, smart patches, escalation); Pipe (Internet, IDC cleaning center with ADS, volumetric attacks); End (WAF in front of the server farm, application-layer attacks)]
Scenario 1: Remote Correlation
[Diagram: a botnet on the Internet attacks an IDC hosting online trading, finance and gaming. Attack traffic below the CPE WAF threshold is handled by the WAF; when attack traffic exceeds the CPE WAF threshold, correlation diverts it over a GRE tunnel to the remote Anti-DDoS cleaning center (ADS), and clean traffic is returned to the IDC.]
Scenario 2: Data Center Internal Correlation
[Diagram: same flow as Scenario 1, but the Anti-DDoS cleaning center (ADS) sits inside the IDC, so correlation between the WAF and the ADS happens within the data center.]
A Living DDoS Mitigation Example
Micron21 DDoS Mitigation Scenario
[Diagram: DDoS attack traffic from the USA arrives via Cogent IP Transit, HE IP Transit, nlayer IP Transit and direct peering; it is cleaned by an ADS 6020 (with ADS-M management and a DDoS portal) and the cleaned traffic goes via Southern Cross to the M21 DC]
A living 17G DDoS attack mitigation example
DNS ATTACKS ANALYSIS AND SOLUTIONS
DNS Attack Event
DNS Cache Poisoning
A Common Example
Recommended Solutions
1. Split the authoritative name server and the recursive name server
2. DNS redundancy
3. Update the OS and DNS application
4. Firewall policy / access control list
5. Hide the OS or DNS application version
6. Change and restrict the DNS root (chroot)
7. Use random message IDs in queries (use an ID pool)
8. Run BIND with least privilege
9. TSIG (Transaction SIGnature)
10. DNSSEC (DNS Security Extensions)
DNS Amplification Attack (DNS Reflection Attack)
Recommended Solutions
Limiting recursion to authorized clients
Source IP verification (spoofed IPs)
Disabling recursion on authoritative name servers
Restricting the name server to answer only certain queries
Rate limiting the responses of recursive name servers
Preventing unauthorized zone transfers
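The recursion and rate-limit countermeasures listed above, together with the authoritative/recursive split from the cache-poisoning list, expressed as a query admission policy; this is an added example, not NSFOCUS or BIND code. The role names, authorized client prefix, hosted zone and per-window response cap are assumptions, and the comments name the BIND options that implement the same idea.

```python
import ipaddress
from collections import defaultdict

AUTHORIZED_CLIENTS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed: own users
RESPONSES_PER_WINDOW = 5       # constructed per-source response cap for one window
HOSTED_ZONES = {"example.com"} # constructed: zones the authoritative role serves

class DnsPolicy:
    """Front-end decision for one query; role is 'authoritative' or 'recursive'."""
    def __init__(self, role):
        self.role = role
        self.sent = defaultdict(int)   # responses already sent per source in this window

    def decide(self, src, qname, rd):
        """Return 'answer', 'refused' or 'drop' for a query from src (rd = RD flag)."""
        src_ip = ipaddress.ip_address(src)
        in_zone = any(qname == z or qname.endswith("." + z) for z in HOSTED_ZONES)
        if self.role == "authoritative":
            # BIND 'recursion no;': an authoritative server answers only for its own
            # zones, so it cannot be used to reflect arbitrary large responses.
            if not in_zone:
                return "refused"
        elif rd and not any(src_ip in net for net in AUTHORIZED_CLIENTS):
            # BIND 'allow-recursion { ... };': recursion only for authorized clients,
            # so Internet sources cannot ask for arbitrary names to be resolved.
            return "refused"
        # BIND 'rate-limit { responses-per-second N; };': cap answers per source so a
        # spoofed victim address receives at most N amplified replies per window.
        if self.sent[src] >= RESPONSES_PER_WINDOW:
            return "drop"
        self.sent[src] += 1
        return "answer"

    def new_window(self):
        """Start a new rate-limit window (a real server does this on a timer)."""
        self.sent.clear()
```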
DNS Query Flood
Pattern matching is the main cause of CPU load in a DNS query flood. A DNS server could handle 9,000 dynamic domain name requests per second, while a normal PC can send more than 10,000 requests per second. Random domain name queries cause the DNS server to generate recursive queries to the parent DNS servers and become overloaded. The DNS server then denies normal service, which affects business directly.
[Diagram: clients and attackers sending queries to the targeted DNS server]
NSFOCUS Solution 1: TC Bit Algorithm and UDP Limitation Algorithm
Instruction: truncate bit, UDP, TCP, DNS policy setting.
Exchange between client, ADS and DNS server:
1. The client sends a DNS query over UDP.
2. The ADS replies with a DNS response that has the TC bit set, forcing the client to use TCP.
3. The client opens a TCP connection to port 53: SYN (53), SYN+ACK, ACK. The ADS verifies the client during the TCP handshake.
4. The client resends the DNS query over TCP, and the connection is closed with FIN+ACK.
NSFOCUS Solution 2
Checks: ACL, RFC, port, length, fragment, pattern matching.
Trigger: UDP threshold.
Limits: source IP bandwidth limit, DNS TC bit, destination IP bandwidth limit.
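The TC-bit verification exchange from Solution 1 and the UDP-threshold trigger from Solution 2, as an added example that is not NSFOCUS code. It builds real RFC 1035 wire-format messages so a resolver would retry over TCP; the trigger value, addresses and query names are constructed, and the ADS role is modelled by the TcBitGuard class.

```python
import struct

UDP_TRIGGER = 3   # constructed: engage TC-bit mode once more than this many UDP queries arrive
QR, TC, RD = 0x8000, 0x0200, 0x0100   # DNS header flag bits (RFC 1035)

def build_query(qid, name):
    """Constructed sample input: a standard A query for `name` with RD set."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN

def truncated_response(query):
    """Echo ID and question, set QR and TC, no answers: 'ask again over TCP'."""
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    flags = (flags & 0x7900) | QR | TC          # keep opcode and RD, clear the rest
    return struct.pack("!HHHHHH", qid, flags, qdcount, 0, 0, 0) + query[12:]

def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & TC)

class TcBitGuard:
    """Sits in front of the DNS server, the ADS role in the slide."""
    def __init__(self):
        self.udp_seen = 0
        self.verified = set()   # sources that have completed a TCP query

    def on_udp(self, src, query):
        self.udp_seen += 1
        if self.udp_seen <= UDP_TRIGGER or src in self.verified:
            return "forward", query                 # below trigger, or known-good client
        return "truncate", truncated_response(query)

    def on_tcp(self, src, query):
        # Data over TCP means src completed the 3-way handshake with us, so the
        # address is not spoofed; remember it and let its UDP queries through.
        self.verified.add(src)
        return "forward", query

def simulate():
    """Constructed flood: spoofed sources never retry over TCP; one real resolver does."""
    g, results = TcBitGuard(), {"forwarded": 0, "truncated": 0}
    for i in range(6):                              # random-subdomain queries, spoofed sources
        action, _ = g.on_udp(f"203.0.113.{i}", build_query(i, f"x{i}.example.com"))
        results["forwarded" if action == "forward" else "truncated"] += 1
    action, resp = g.on_udp("192.0.2.53", build_query(7, "www.example.com"))
    if action == "truncate" and is_truncated(resp):
        g.on_tcp("192.0.2.53", build_query(7, "www.example.com"))  # real resolver retries
    action, _ = g.on_udp("192.0.2.53", build_query(8, "www.example.com"))
    results["real_client_after_tcp"] = action
    return results
```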
NSFOCUS Solution -3
About NSFOCUS
Regional HQ and Offices: Beijing, CN; Santa Clara, US; Tokyo, Japan; London, UK; KL, Malaysia.
R&D Centers: Beijing, Chengdu, Xian, Wuhan.
Microsoft Active Protections Program (MAPP) Partner.
NSFOCUS Product Family for Global Market
Assessment: NSFOCUS RSAS / WbA, Web App Scanning & Vulnerability Mgt.
Protection: NSFOCUS ADS, Anti-DDoS System (ADS 2010/2020, ADS 4020, ADS 6020); NSFOCUS WAF, Web Application Firewall; NSFOCUS NIPS, Network Intrusion Prevention System.
Monitoring: CMADS, CMWAF, MSS Service.
THANKS! Info apac@nsfocus.com www.nsfocus.com