How valuable is DDoS mitigation hardware against sophisticated Layer 7 attacks? Stop DDoS before they stop you! James Braunegg (Micron 21)
What is Distributed Denial of Service? A Denial of Service (DoS) attack is any deliberate attempt, from a single source, to prevent legitimate users from reaching a specific network resource. A Distributed Denial of Service (DDoS) attack is an extension of a DoS attack in which the traffic comes from many source addresses. It is harder to mitigate: there is no single source to block, and the attack traffic can be difficult to distinguish from legitimate traffic.
The Open Systems Interconnection model (OSI)
Types of DoS Attacks
Layer 3 (Network Protocol): DoS, DDoS, DRDoS (distributed reflection), CDRDoS
- IP address attacks targeting network bandwidth: UDP flood style attacks reflected off DNS, NTP, SSDP, CHARGEN and SNMP services
Layer 7 (Application Protocol): DoS, DDoS
- TCP attacks on server sockets
- HTTP attacks on web server threads
- Protocol attacks (SYN flood, fragments)
- Packet storm (excessive PPS)
- Resource starvation (CPU, I/O, memory)
- Stealth/creeper (Slowloris, slow POST)
- Exploit (application- or OS-specific DoS)
Characteristics of Layer 7 attacks: they attack the top layer of the OSI model; they have low bandwidth consumption; they have a legitimate and stealthy appearance; they are mostly non-volumetric; they are increasingly popular; there is a variety of methods, targets and open-source tools; they are difficult to defend against.
Common DDoS Defensive Techniques
- Simple site failover
- Null route (black hole), automated or manual
- Anycast
- BGP multi-homing
- On-site web application firewall
- Load balancing appliances
- Commercial hardware solutions on premises
- Commercial solutions in the cloud
Large Global Denial of Service Attacks
- Largest DDoS attack in history: 400 Gbit/s, February 2014, NTP reflection attack
- Second largest DDoS attack in history: 300 Gbit/s, March 2013, DNS reflection attack
- Gaben Laser Beam (GLB)
Large Denial of Service attacks Micron21
CDRDoS: 40 Gbit/s internationally, 1.2 Gbit/s domestic
Micron21 Statistics, Long Term Average Since Jan 2013
- The long-term average attack lasts 34.5 hours
- China is the #1 origin of DDoS traffic, making up 40-50% of all unwanted traffic activity
- 25% of attacks are against infrastructure (Layer 3 attacks); 75% are against connections and applications (Layer 4 to 7 attacks)
- 75% of all attacks are under 1 Gbit/s, 20% are between 1 and 4 Gbit/s, and 5% are above 4 Gbit/s
Layer 4 to 7 Attack Vectors: tools used by faceless attackers in Layer 4 to 7 attacks
- HTTP GET flood
- SYN flood attack
- ACK flood attack
- SSL-based attacks (curl from BackTrack, THC-SSL-DOS): very hard to detect
- LOIC (Low Orbit Ion Cannon)
- R.U.D.Y. (R U Dead Yet)
- Slowloris
- PyLoris
- DDoSim
- THC-SSL-DOS
- Dirt Jumper Drive2: HTTP flood, SYN flood, POST flood, and more
- Tor's Hammer: slow POST
- Nuclear DDoSer: slow POST
- Railgun: slow POST
HTTP has some 60 known vulnerabilities that can be attacked.
Micron21 Total Attacks Since January 2013

Attack Type    Attack Count   Dropped Traffic          Dropped Packets   % of Dropped Traffic   % of Attack Type
SYN-Flood      544,272        260.7 G                  547.4 M           less than 1.0%         43%
ACK-Flood      161,204        175.9 G                  227.1 M           less than 1.0%         12.8%
UDP-Flood      111,429        2,660,087 G (2,597 TB)   47 billion        98.0%                  8.9%
ICMP-Flood     2,962          243.2 G                  310.6 M           less than 1.0%         0.23%
Conn-Flood     173,042        44.2 G                   8.6 M             less than 1.0%         13.8%
Stream-Flood   131,076        734.8 G                  93.4 M            less than 1.0%         10.4%
Others         126,926        2,979.8 G                12.8 M            less than 1.0%         10.1%

Note the split: UDP floods account for 98% of dropped bytes but under 9% of attacks, while SYN, ACK, connection and stream floods, which exhaust state rather than bandwidth, make up about 80% of attacks.
Current Active DDoS Attacks: 42 current, 19th Aug 2014 8:14pm (27 shown)

Total Data   PPS   Target            Type           Port   Peak Speed
0.05 GB      49    111.223.226.91    Others         80     0.0 Mbps
0.0 GB       20    103.4.18.149      Stream-Flood   80     0.0 Mbps
0.0 GB       4     111.223.232.30    SYN-Flood      443    0.0 Mbps
0.0 GB       1     27.131.75.35      Conn-Flood     80     0.0 Mbps
0.0 GB       1     111.223.231.34    ACK-Flood      80     0.0 Mbps
0.0 GB       1     27.131.75.36      SYN-Flood      80     0.0 Mbps
0.0 GB       1     27.131.75.35      Conn-Flood     80     0.0 Mbps
0.0 GB       1     27.131.105.189    SYN-Flood      80     0.0 Mbps
0.0 GB       1     111.223.228.178   SYN-Flood      80     0.0 Mbps
0.0 GB       1     111.223.231.34    ACK-Flood      80     0.0 Mbps
0.0 GB       1     27.131.75.35      SYN-Flood      80     0.0 Mbps
0.0 GB       1     27.131.105.189    Conn-Flood     25     0.0 Mbps
0.0 GB       1     111.223.228.186   ACK-Flood      80     0.0 Mbps
0.0 GB       1     111.223.228.178   SYN-Flood      80     0.0 Mbps
0.0 GB       1     111.223.231.34    ACK-Flood      21     0.0 Mbps
0.0 GB       1     27.131.75.36      SYN-Flood      443    0.0 Mbps
0.0 GB       1     27.131.75.35      SYN-Flood      80     0.0 Mbps
0.0 GB       1     27.131.105.189    ACK-Flood      80     0.0 Mbps
0.0 GB       1     111.223.228.178   SYN-Flood      25     0.0 Mbps
0.0 GB       1     111.223.231.34    Conn-Flood     443    0.0 Mbps
0.0 GB       1     111.223.228.178   Conn-Flood     80     0.0 Mbps
0.0 GB       1     27.131.66.209     Others         80     0.0 Mbps
0.0 GB       1     27.131.105.189    SYN-Flood      80     0.0 Mbps
0.0 GB       1     111.223.228.178   SYN-Flood      80     0.0 Mbps
0.0 GB       1     27.131.75.35      ACK-Flood      443    0.0 Mbps
0.0 GB       1     27.131.105.189    SYN-Flood      80     0.0 Mbps
0.0 GB       1     111.223.231.34    Conn-Flood     25     0.0 Mbps
Firewalls and Layer 4 to 7 Attacks Why they FAIL
Juniper SSG550M Firewall Specifications
- ScreenOS version tested: ScreenOS 6.2
- Firewall performance (large packets): 1+ Gbps
- Firewall performance (IMIX): 1 Gbps
- Firewall packets per second: 600,000 PPS
- 3DES+SHA-1 VPN performance: 600 Mbps
- Concurrent VPN tunnels: 1,000
- Max concurrent sessions: 256,000
- New sessions/second: 15,000
- Max security policies: 4,000
- Max security zones: 60
Juniper SSG 550m Hardware Firewall
ACK Flood against a Juniper SSG 550m Firewall
Botnet: 983 hosts, each sending 8 packets per second of 25 bytes, giving 7,832 packets per second (983 x 8 is 7,864; the slide's rounded figure is used below) and about 1.5 Mbit/s of traffic. If the device allocates a session entry for every ACK that matches no existing session, time to failure is simply session-table capacity divided by packet rate:
- Juniper SSG 550m, 0.25M TCP sessions: fails in 32 seconds
- Juniper SRX 1400 / SonicWall SuperMassive 9000, 1.5M TCP sessions: fails in 3.2 minutes
- Juniper SRX 3400 / SonicWall SuperMassive E10200, 3.0M TCP sessions: fails in 6.4 minutes
- Juniper SRX 5800, 100M sessions (over $1M investment): unlikely to fail under this attack
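The arithmetic above, as an added example that is not part of the slides: it reproduces the capacity-divided-by-rate figures for the devices the slide names and then extends the model with a per-session idle timeout, which the slide does not consider. The timeout value and the assumption that the device keeps one entry per out-of-state ACK are mine, not a claim about any specific product.

```python
"""Session-table exhaustion under a low-rate ACK flood.

Added example, not from the slides: it reproduces the slide's arithmetic
(session capacity divided by attack packet rate) and extends it with an
assumed per-session idle timeout, which the slide does not model.
"""
from dataclasses import dataclass
from math import floor, inf


@dataclass(frozen=True)
class Botnet:
    hosts: int
    pps_per_host: float
    packet_bytes: int

    @property
    def pps(self) -> float:
        return self.hosts * self.pps_per_host

    @property
    def mbps(self) -> float:
        return self.pps * self.packet_bytes * 8 / 1e6


# Session-table sizes as quoted on the slide (the SSG 550m datasheet says 256,000).
DEVICES = {
    "Juniper SSG 550m": 250_000,
    "Juniper SRX 1400 / SonicWall SuperMassive 9000": 1_500_000,
    "Juniper SRX 3400 / SonicWall SuperMassive E10200": 3_000_000,
    "Juniper SRX 5800": 100_000_000,
}

SLIDE_BOTNET = Botnet(hosts=983, pps_per_host=8, packet_bytes=25)


def seconds_to_exhaust(capacity: int, pps: float, idle_timeout_s: float = inf) -> float:
    """Seconds until the session table is full, or inf if it never fills.

    Assumes (my assumption, not the slide's) that the device allocates one
    entry per out-of-state ACK it accepts and frees it only after
    idle_timeout_s. Entries start expiring at t = T, so the table fills at
    capacity / pps if pps * T > capacity, and otherwise plateaus at pps * T
    entries and never fills.
    """
    if pps <= 0:
        return inf
    if pps * idle_timeout_s <= capacity:
        return inf
    return capacity / pps


def bots_needed(capacity: int, idle_timeout_s: float, pps_per_host: float) -> int:
    """Smallest botnet that still fills the table despite the idle timeout
    (needs bots * pps_per_host * T strictly greater than capacity)."""
    return floor(capacity / (idle_timeout_s * pps_per_host)) + 1


def time_to_failure(botnet: Botnet, idle_timeout_s: float = inf) -> dict:
    """Map device name -> seconds to failure for this botnet."""
    return {name: seconds_to_exhaust(cap, botnet.pps, idle_timeout_s)
            for name, cap in DEVICES.items()}


if __name__ == "__main__":
    print(f"{SLIDE_BOTNET.pps:.0f} pps, {SLIDE_BOTNET.mbps:.2f} Mbit/s")
    for name, secs in time_to_failure(SLIDE_BOTNET).items():
        label = "never" if secs == inf else f"{secs / 60:.1f} min"
        print(f"{name:55s} {label}")
    # A 30 s idle timeout would keep the SSG 550m alive against 983 bots at 8 pps,
    # but only until the botnet grows past this size:
    print("bots needed vs 30 s idle timeout on the SSG 550m:",
          bots_needed(DEVICES["Juniper SSG 550m"], 30, 8))
```

The timeout variant is the useful part: a session table is not "full or not full", it is a leaky bucket, so the defender's lever is the rate at which entries drain, and the attacker's counter is simply more bots. With the slide's 983-host botnet, an assumed 30-second idle timeout is enough to keep even the SSG 550m in steady state, while a botnet of about a thousand hosts tips it over again.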
Layer 4 to 7 Attack Prevention: how does Micron21 prevent stateful devices such as firewalls and load balancers from failing?
Micron21 DDoS Mitigation Shield
So how does NSFOCUS work? How does the ADS clean traffic?
NSFOCUS ADS-6020 Collapsar Attack Mitigation (ADS traffic cleaning series)

Model                 Throughput   Packet rate
ADS 2010              2 G          1,488,000 pps
ADS 2020              4 G          2,976,000 pps
ADS 4020              10-20 G      8,928,000 pps
ADS 6020              20-40 G      14,880,000 pps

For scale: 1,488,000 pps is the 64-byte minimum-frame line rate of 1 Gbit/s Ethernet, so the pps column is the figure that matters for small-packet state attacks.
ADS Multilayer Cleaning (attacker -> Internet -> traffic cleaning center, stages 1 to 6)
1. Protocol analysis: protocol validation by RFC check
2. Access control list: Layer 4 ACL, connection-exhaustion ACL, URL ACL
3. Reputation list: white/black list, dynamic prioritizing
4. Layer 4 flood mitigation: source/destination IP address check/verification, various mitigation algorithms
5. Layer 7 flood mitigation: various mitigation algorithms, pattern matching
6. Rate limit: restricts traffic and ensures critical business continues
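One concrete instance of the "source IP address check/verification" in stage 4, as an added example that is not NSFOCUS code (the slide does not say which algorithms the ADS uses): a SYN cookie. The responder's initial sequence number is a keyed hash of the connection 4-tuple and a coarse time counter, so the client's third-packet ACK proves it really received the SYN/ACK at the claimed address, and no per-connection state exists until that proof arrives. The 5/3/24-bit layout follows the classic scheme; the key, addresses and ports are made up.

```python
"""SYN-cookie source verification (illustrative, not the ADS's algorithm).

Added example. Layout of the 32-bit sequence number:
  5 bits  coarse time counter (advances every 64 s)
  3 bits  index into a small MSS table (the only option we must remember)
  24 bits keyed hash over 4-tuple, counter and MSS index
"""
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

MSS_TABLE = (536, 1220, 1440, 1460)           # MSS values the index can express
COUNTER_BITS, MSS_BITS, HASH_BITS = 5, 3, 24   # 5 + 3 + 24 = 32
COUNTER_PERIOD_S = 64


def counter_at(unix_time: float) -> int:
    return int(unix_time // COUNTER_PERIOD_S) & ((1 << COUNTER_BITS) - 1)


def _mac(key: bytes, saddr: str, daddr: str, sport: int, dport: int,
         counter: int, mss_idx: int) -> int:
    """24-bit keyed hash over everything the cookie must bind."""
    msg = (ipaddress.ip_address(saddr).packed + ipaddress.ip_address(daddr).packed
           + struct.pack("!HHBB", sport, dport, counter, mss_idx))
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(key: bytes, saddr: str, daddr: str, sport: int, dport: int,
                client_mss: int, counter: int) -> int:
    """ISN to send in the SYN/ACK. Picks the largest table MSS <= the client's."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    counter &= (1 << COUNTER_BITS) - 1
    return ((counter << (MSS_BITS + HASH_BITS)) | (mss_idx << HASH_BITS)
            | _mac(key, saddr, daddr, sport, dport, counter, mss_idx))


def check_cookie(key: bytes, saddr: str, daddr: str, sport: int, dport: int,
                 ack: int, now_counter: int, window: int = 1) -> Optional[int]:
    """Validate the handshake ACK. Returns the negotiated MSS if the cookie is
    genuine and at most `window` counter periods old, else None (drop, no state)."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter = cookie >> (MSS_BITS + HASH_BITS)
    mss_idx = (cookie >> HASH_BITS) & ((1 << MSS_BITS) - 1)
    got = cookie & ((1 << HASH_BITS) - 1)
    age = (now_counter - counter) & ((1 << COUNTER_BITS) - 1)   # survives wrap-around
    if age > window or mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac(key, saddr, daddr, sport, dport, counter, mss_idx)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), got.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    key = b"rotate-me-periodically"           # assumed server secret
    c, s = "203.0.113.5", "198.51.100.1"      # constructed TEST-NET addresses
    now = counter_at(1_700_000_000)
    isn = make_cookie(key, c, s, 40000, 80, client_mss=1460, counter=now)
    print("SYN/ACK seq :", hex(isn))
    print("genuine ACK :", check_cookie(key, c, s, 40000, 80, isn + 1, now))
    print("spoofed src :", check_cookie(key, "203.0.113.6", s, 40000, 80, isn + 1, now))
    print("stale ACK   :", check_cookie(key, c, s, 40000, 80, isn + 1, now + 2))
```

Two things to notice. A spoofed SYN never produces a valid ACK, so the flood costs the defender one hash per SYN and zero memory, which is exactly the property a box in front of a stateful firewall needs. The price is that only the MSS survives the round trip; other SYN options are lost, which is why production stacks enable cookies only once the real backlog is under pressure.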
Packet Inspection and Capture: NetFlow information is useless for application-layer DDoS detection, because a flow record carries only the 5-tuple plus byte and packet counts and cannot tell whether an HTTP request ever completed or how fast one source is requesting. You need advanced packet inspection combined with behavioural patterns.
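What "behavioural patterns" over inspected packets looks like in practice, as an added example that is neither Micron21 nor NSFOCUS code: two detectors over per-connection records of the kind a packet-inspecting sensor keeps (open time, whether the request header ever completed, the requests seen). One catches Slowloris-style connection holding, the other an HTTP GET flood, for the tools listed earlier. The thresholds and all traffic records are constructed for the example.

```python
"""Behavioural Layer 7 DDoS detection over per-connection records.

Added example. The input is per-connection state that only packet inspection
can provide; NetFlow would show the Slowloris host below as 40 tiny flows.
All records and thresholds are constructed here.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Conn:
    src: str
    opened: float                   # seconds since capture start
    header_done: Optional[float]    # when the request header completed; None if never
    requests: list = field(default_factory=list)   # (ts, method, path)


def slow_header_sources(conns, now, hold_s=30.0, min_conns=20):
    """Slowloris / slow POST: sources holding many connections whose request
    header has stayed incomplete for more than hold_s seconds."""
    stuck = defaultdict(int)
    for c in conns:
        if c.header_done is None and now - c.opened > hold_s:
            stuck[c.src] += 1
    return {src: n for src, n in stuck.items() if n >= min_conns}


def get_flood_sources(conns, window_s=10.0, max_rps=50.0):
    """HTTP GET flood: peak GET rate per source over any sliding window of
    window_s seconds, flagged when it exceeds max_rps."""
    per_src = defaultdict(list)
    for c in conns:
        for ts, method, _path in c.requests:
            if method == "GET":
                per_src[c.src].append(ts)
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        rate = peak / window_s
        if rate > max_rps:
            flagged[src] = rate
    return flagged


def sample_connections():
    """Constructed traffic: one browser, one Slowloris host, one GET flooder."""
    conns = [Conn("198.51.100.10", 0.0, 0.05,
                  [(0.05, "GET", "/"), (0.3, "GET", "/app.js")])]
    for i in range(40):                       # 40 sockets, headers never finished
        conns.append(Conn("203.0.113.7", i * 0.1, None))
    conns.append(Conn("203.0.113.9", 0.0, 0.01,   # 600 GETs in 10 s on one keep-alive
                      [(i * 10 / 600, "GET", "/search?q=x") for i in range(600)]))
    return conns


if __name__ == "__main__":
    conns = sample_connections()
    print("slow-header sources:", slow_header_sources(conns, now=60.0))
    print("GET flood sources:  ", get_flood_sources(conns))
```

Both detectors key on what the flow layer discards: the legitimate browser and the Slowloris host both send a handful of bytes per connection, and only the "header never completed" state separates them; the flooder's 600 requests ride one TCP connection, so a flow record would show a single busy session rather than a request rate.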
Dr Julian Hirst ACK Attack
Zero-Day Real-Time Defense
Selected Clients: NSFOCUS provides over 4,000 Gbit/s of DDoS mitigation capacity to global customers in hosting, IDC, ISP and MSSP; Internet service providers and online gaming; telecommunications (Korea Telecom); banking and finance; and enterprises.
About NSFOCUS (corporate overview): global business HQ in Santa Clara, USA; China HQ in Beijing; founded in 2000; over 1,600 employees; IPO in January 2014; over 13 years of experience in DDoS mitigation; dedicated to network security. Regional subsidiaries: US (Santa Clara), EMEA (London, UK), Japan (Tokyo), APAC (Singapore).
THANK YOU! Come and talk with us at our booth. Contact: James@micron21.com