DDoS Attacks: The Latest Threat to Availability
Dr. Bill Highleyman, Managing Editor, Availability Digest

The Anatomy of a DDoS Attack
Sombers Associates, Inc. 2013
What is a Distributed Denial of Service Attack?
An attempt to make an Internet service unavailable to its users.
Saturate the victim machine with external traffic.
The victim machine:
- can't respond to legitimate traffic, or
- is so slow as to be essentially unavailable.
The address of the attacker is spoofed:
- the victim machine can't block traffic from a known source.
Commonly constitutes a violation of the laws of nations.

What is a Distributed Denial of Service Attack?
Malware attacks do not generally pose a threat to availability:
- they are aimed at stealing personal information and other data.
DDoS attacks are a major threat to availability:
- they have been used to take down major sites for days.
- they are easy to launch and difficult to defend against.
- DDoS attacks are increasing over 50% annually.

What is a Distributed Denial of Service Attack?
Reasons for DDoS attacks:
- revenge
- competition
- a cover for another attack
How Can So Much Traffic Be Generated? By Botnets
Typical attacks generate about 10 gbps of malicious traffic:
- one PC can generate about one megabit/sec. of traffic.
- it takes about 10,000 PCs to generate 10 gbps of traffic.
- this is a botnet.
A botnet is a collection of computers:
- whose security defenses have been breached.
- where control is conceded to a third party, the bot master.
The bot master controls the activities of the compromised computers.

How Can So Much Traffic Be Generated? By Botnets
More recently, servers have been included in botnets.
A large server can generate a gigabit/sec. of malicious traffic:
- one thousand times that of a PC.
Ten large servers can generate as much traffic as 10,000 PCs.
Servers are infected via network vulnerabilities.
The latest attacks have generated 100 gbps of malicious data:
- a combination of infected PCs and servers.

The Anatomy of a DDoS Attack
DDoS attackers depend upon infecting thousands of PCs.
A typical infection sequence is:
- a user succumbs to a phishing attack (opens a malicious email or visits a malicious web site).
- a Trojan is injected into the machine and opens a backdoor.
- a bot infection is inserted into the PC via the backdoor.
- the bot infection establishes a connection with the bot master.
Phishing
Phishing masquerades as a trusted entity in an electronic communication: email, web site.
Designed to get sensitive information like account numbers and SSNs by:
- tricking users into responding to email.
- leading users to a spoofed web site that looks real.
Emails can carry malicious executables or web site links.
Malicious executables or malicious web sites can infect the PC:
- used to inject a Trojan to create a backdoor into the PC.
User training: send users phishing messages that take them to a web site informing them that they have been phished.

Trojans
A Trojan creates a back door allowing unauthorized access to the target computer.
Its main purpose is to make the host system open to access from the Internet.
Installed via malicious emails or Internet applications.
Consequences:
- controlling the computer system remotely (botnets).
- also keystroke logging, data theft, installing other malware.
The BYOD Conundrum

The BYOD Conundrum
Bring Your Own Devices (BYOD) are the new gateways into corporate networks:
- employees using smart phones, tablets, notebook computers.
- conducting their work at home or on the road.
- connecting from outside the corporate firewall to servers and databases.
Malware can gain access to a company's network by infecting these devices.
Mobile malware is becoming a greater threat than direct infections of systems.

Android Devices are the Primary Targets
Mobile malware is most likely installed via malicious apps.
Android is an open operating system modified by each vendor:
- security provisions are often bypassed.
Hundreds of Android app stores are not vetted by Google.
The number of malicious apps has grown 800% over the last year.
92% are directed at Android devices.
Apple has tight control over apps:
- tests each one thoroughly.
- does not allow unvetted apps to be downloaded from the Apple app store.
Jail-Broken and Rooted Devices
Android and iOS prevent unauthorized access to privileged OS commands.
An Android device can be modified by the user to give apps that access:
- a rooted device.
- necessary to run some apps.
A rooted Android device can be infected with malware that runs at the operating system level:
- Trojans
- keyloggers
Similarly, an iOS device can be jail-broken. However:
- the iOS world is tightly controlled.
- several security functions must be bypassed.
- cannot be done by the ordinary user.

Other Mobile Threats
Compromised Wi-Fi hot spots:
- coffee shops, airports, hotels.
- corporate data is vulnerable whenever an employee logs onto a public Wi-Fi hot spot.
- frequently configured so that anyone can see all of the network traffic.
- commercially available apps provide network monitoring capability.

Other Mobile Threats
Poisoned DNS servers:
- the user must trust the DNS server used by a Wi-Fi hot spot.
- hackers can hijack a public DNS server.
- it can direct traffic to a malicious web site.
- the web site can get users' private data (passwords, etc.).
- malware is downloaded to the device from the web site.
DDoS Strategies

DDoS Strategies: The Internet Protocol Suite
Application Layer: used by applications for network communications (FTP, SMTP).
Transport Layer: end-to-end message transfer (TCP, UDP).
Internet Layer: best-efforts datagram transmission (IP).
Link Layer: local network topology (routers, switches, hubs, firewalls).

DDoS Strategies: Attacks Occur at Various Levels
Network Level:
- the network is bombarded with traffic.
- consumes available bandwidth needed by legitimate requests.
Infrastructure Level:
- network devices such as firewalls and routers maintain state in internal tables.
- the attack fills the state tables of network devices.
- network devices cannot handle legitimate traffic.
Application Level:
- invoke application services.
- consume processing and disk resources.
- illegitimate logins.
- searches (if the attacker has obtained user names and passwords).

DDoS Strategies: Attacks Occur at Various Levels
ICMP Flood:
- Internet Control Message Protocol (ICMP) returns error messages.
- the attacker sends messages to random ports.
- most ports will not be in use.
- the victim system must respond with "port unreachable".
- the victim system is so busy responding with ICMP messages that it can't handle legitimate traffic.
Ping Attack:
- an ICMP attack in which the victim is flooded with pings.
- the victim must respond with ping-response messages.
DDoS Strategies: Attacks Occur at Various Levels
SYN Flood:
- the attacker begins the initiation of a connection with a spoofed client address.
- sends a SYN connection request.
- the server assigns resources to the connection and responds with SYN-ACK to the spoofed client.
- the attacker never sends the ACK to complete the connection.
- the spoofed client ignores the SYN-ACK since it did not send a SYN.
- the victim holds resources for three minutes awaiting connection completion.
- the victim runs out of resources and cannot make legitimate connections.
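The half-open connection state described above is what a defender can watch for. The following is an added example, not part of the presentation: a small Python detector that walks a constructed TCP packet log, tracks which handshakes a server has not yet completed, expires them after the three-minute hold the slide mentions, and raises an alert when the count of half-open connections (here spread across many distinct, never-acknowledging source addresses) exceeds a threshold. The log format, the IP addresses (documentation ranges), and the threshold `MAX_HALF_OPEN` are all assumptions made for the demo.

```python
"""Half-open (SYN flood) detector over a constructed TCP packet log.

Added example, not from the presentation. The log format is an assumption:
    <time_s> <src_ip>:<src_port> > <dst_ip>:<dst_port> <tcp_flags>
where <tcp_flags> is a string such as S, SA, A, PA, F or R.
"""
from collections import defaultdict

SYN_TIMEOUT_S = 180.0   # the slide: victim holds resources for three minutes
MAX_HALF_OPEN = 5       # assumed backlog threshold for this demo

# Constructed sample: one legitimate handshake from 203.0.113.7, then seven
# SYNs from seven different (spoofed) sources that never send the final ACK.
SAMPLE_LOG = """\
0.00 203.0.113.7:51000 > 192.0.2.10:443 S
0.01 192.0.2.10:443 > 203.0.113.7:51000 SA
0.02 203.0.113.7:51000 > 192.0.2.10:443 A
10.00 198.51.100.11:40001 > 192.0.2.10:443 S
10.00 198.51.100.12:40002 > 192.0.2.10:443 S
10.01 198.51.100.13:40003 > 192.0.2.10:443 S
10.01 198.51.100.14:40004 > 192.0.2.10:443 S
10.02 198.51.100.15:40005 > 192.0.2.10:443 S
10.02 198.51.100.16:40006 > 192.0.2.10:443 S
10.03 198.51.100.17:40007 > 192.0.2.10:443 S
10.03 192.0.2.10:443 > 198.51.100.11:40001 SA
"""


def parse_line(line):
    """Split one log line into (time, src_ip, src_port, dst_ip, dst_port, flags)."""
    t, src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return float(t), sip, int(sport), dip, int(dport), flags


def half_open_connections(log_text, now=None):
    """Return {(server_ip, port): {(client_ip, client_port): syn_time}} for
    handshakes still incomplete at time `now` (default: last packet time)."""
    pending = defaultdict(dict)
    last_t = 0.0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, sip, sport, dip, dport, flags = parse_line(line)
        last_t = max(last_t, t)
        if "R" in flags:
            # a reset from either side tears the entry down
            pending[(dip, dport)].pop((sip, sport), None)
            pending[(sip, sport)].pop((dip, dport), None)
        elif flags == "S":
            # client SYN: the server now holds state for this client
            pending[(dip, dport)][(sip, sport)] = t
        elif "A" in flags and "S" not in flags:
            # third packet of the handshake (client ACK) completes it;
            # the server's SYN-ACK carries S and is ignored here
            pending[(dip, dport)].pop((sip, sport), None)
    now = last_t if now is None else now
    live = {}
    for server, conns in pending.items():
        # the victim gives up on an entry after SYN_TIMEOUT_S
        kept = {c: t for c, t in conns.items() if now - t < SYN_TIMEOUT_S}
        if kept:
            live[server] = kept
    return live


def syn_flood_report(log_text, now=None):
    """Per server: half-open count, distinct source IPs and an alert flag."""
    report = {}
    for (ip, port), conns in half_open_connections(log_text, now).items():
        sources = {client_ip for client_ip, _ in conns}
        report[f"{ip}:{port}"] = {
            "half_open": len(conns),
            "distinct_sources": len(sources),
            "alert": len(conns) > MAX_HALF_OPEN,
        }
    return report


if __name__ == "__main__":
    print(syn_flood_report(SAMPLE_LOG))
    # the same log viewed 200 s later: the victim has freed every entry
    print(syn_flood_report(SAMPLE_LOG, now=10.03 + 200))
</test>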
DDoS Strategies: Attacks Occur at Various Levels
GET/POST Flood:
- commands to retrieve and update data.
- uses extensive compute and disk resources of the computer.
- typically needs user names and passwords.
- consumes all resources of the server.

DDoS Strategies: Amplified Attacks
The most vicious kind of attack:
- generates a great deal of attack data with little effort.
Example: DNS Reflection:
- depends upon DNS Open Resolvers.
- these respond to any DNS request, no matter its source.
- send a DNS URL request with the spoofed IP address of the victim.
- DNS sends the URL response (IP address of the URL) to the victim.
- a typical request message is 30 bytes.
- a typical response message is 3,000 bytes.
- 100 times amplification.
Publicly available toolkit "itsoknoproblembro" for DNS attacks.
Open DNS Resolvers were supposed to be phased out:
- there are still 27 million Open Resolvers on the Internet.
- their IP addresses have all been published.

Major DDoS Attacks: Some Examples
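From the victim's side, the signature of the DNS reflection attack described on the "Amplified Attacks" slide is a stream of large DNS responses arriving from many resolvers for which the victim's network never sent a query. The following is an added example, not from the presentation: a Python script that reads a constructed UDP packet log at the victim's network edge, matches each DNS response to the query that solicited it, and flags hosts receiving unsolicited responses; it also computes the response/request byte ratio (the 30-byte request vs. 3,000-byte response on the slide gives the factor of 100). The log format, the addresses (documentation ranges) and the threshold `UNSOLICITED_THRESHOLD` are assumptions for the demo.

```python
"""DNS reflection detector over a constructed UDP packet log.

Added example, not from the presentation. Log format is an assumption:
    <time_s> <src_ip>:<src_port> > <dst_ip>:<dst_port> <udp_payload_bytes>
Packets to port 53 are DNS queries; packets from port 53 are responses.
"""
from collections import defaultdict

UNSOLICITED_THRESHOLD = 3   # assumed: unsolicited responses before alerting

# Constructed sample: 192.0.2.10 makes one normal query and gets one answer;
# 192.0.2.20 receives large answers from four resolvers it never queried
# (the queries carrying its spoofed address were sent from elsewhere).
SAMPLE_LOG = """\
0.00 192.0.2.10:53000 > 198.51.100.53:53 30
0.02 198.51.100.53:53 > 192.0.2.10:53000 180
5.00 198.51.100.53:53 > 192.0.2.20:4096 3000
5.00 198.51.100.54:53 > 192.0.2.20:4096 3000
5.01 198.51.100.55:53 > 192.0.2.20:4096 3000
5.01 198.51.100.56:53 > 192.0.2.20:4096 2900
"""


def amplification_factor(request_bytes, response_bytes):
    """Bytes the victim receives per byte the attacker had to send."""
    return response_bytes / request_bytes


def parse_line(line):
    """Split one log line into (time, src_ip, src_port, dst_ip, dst_port, size)."""
    t, src, _, dst, size = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return float(t), sip, int(sport), dip, int(dport), int(size)


def reflection_report(log_text):
    """Per local host: queries sent, responses received, how many of those
    were unsolicited, the resolvers involved, and an alert flag."""
    outstanding = {}   # (client_ip, client_port, resolver_ip) -> query bytes
    stats = defaultdict(lambda: {
        "queries_sent": 0, "responses": 0, "unsolicited": 0,
        "bytes_out": 0, "bytes_in": 0, "reflectors": set(),
    })
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, sip, sport, dip, dport, size = parse_line(line)
        if dport == 53:
            # outbound query: remember it so the answer can be matched
            outstanding[(sip, sport, dip)] = size
            stats[sip]["queries_sent"] += 1
            stats[sip]["bytes_out"] += size
        elif sport == 53:
            host = stats[dip]
            host["responses"] += 1
            host["bytes_in"] += size
            # an answer with no matching query is the reflection signature
            if outstanding.pop((dip, dport, sip), None) is None:
                host["unsolicited"] += 1
                host["reflectors"].add(sip)
    report = {}
    for ip, s in stats.items():
        report[ip] = {
            "queries_sent": s["queries_sent"],
            "responses": s["responses"],
            "unsolicited": s["unsolicited"],
            "reflectors": len(s["reflectors"]),
            # observed amplification, or None when the host sent nothing
            "amplification": (s["bytes_in"] / s["bytes_out"]
                              if s["bytes_out"] else None),
            "alert": s["unsolicited"] >= UNSOLICITED_THRESHOLD,
        }
    return report


if __name__ == "__main__":
    print(amplification_factor(30, 3000))
    for host, row in reflection_report(SAMPLE_LOG).items():
        print(host, row)
```

Matching on the (client address, client port, resolver address) triple is what separates a legitimate answer from a reflected one; a single resolver answering a host that queried it is normal, while several resolvers answering a host that never queried any of them is not.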
Major U.S. Banks, September 2012
The online banking web sites of six major U.S. banks were taken down for days by Distributed Denial of Service (DDoS) attacks.
The Izz ad-Din al-Qassam Cyber Warriors attacked major U.S. banks.
They vowed to continue the attacks until the video "Innocence of Muslims" is removed from the Internet.
September 2012:
- DDoS attacks were launched against Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank, and PNC Bank.
- the attacks took down their online banking portals for a day.
- attacks followed against Capital One, SunTrust Banks, and Regions.
- the 70 gigabit/second attacks used hundreds of thousands of volunteer computers and infected servers.
December 2012:
- attacks were repeated for several days.
Intelligence officials say that cyber attacks and cyber espionage have surpassed terrorism as the top security threat facing the U.S.

History's Largest DDoS Attack
Spamhaus is a spam-filtering site:
- provides a blacklist of IP addresses of email spammers.
- used by spam-filtering vendors, ISPs, corporations.
It blocked CyberBunker:
- CyberBunker claims to host anything but terrorism and child pornography.
CyberBunker launched a 300 gbps attack against Spamhaus:
- used DNS amplification.
- lasted for ten days.
Spamhaus enlisted CloudFlare to help it weather the attack:
- CloudFlare spread the DDoS load across its 23 data centers.
- scrubbed the data and fed only legitimate data to Spamhaus.
CyberBunker extended its attack to CloudFlare.
Summary

Botnets
Until recently, DDoS attacks were in the 10 gbps range:
- infected PC botnets.
Islamic hackers, 100 gbps:
- used tens of thousands of volunteered PCs.
- added infected servers.
CyberBunker, 300 gbps:
- used a PC/server botnet.
- used DNS reflection.

Mitigation
DDoS attacks are easy to launch and difficult to defend against.
Firewalls and intrusion-prevention systems (IPS) can be overwhelmed.
Spread the load across several data centers to scrub the data.
Use the services of a DDoS mitigation company that can scrub data over several data centers:
- Prolexic
- Tata
- AT&T
- Verisign
- CloudFlare
Include DDoS attacks in your Business Continuity Plan.
Mitigation
An excellent resource for evaluating a DDoS mitigation service:
"12 Questions to Ask a DDoS Mitigation Provider", a Prolexic White Paper
http://www.prolexic.com/pdf/12_questions_to_ask_a_ddos_mitigation_provider - -Technical_Series-Prolexic_White_Paper_071212.pdf

Thanks for Coming
The material for this presentation came from the archived articles of the Availability Digest (www.availabilitydigest.com), a monthly periodical on availability topics.
Go to www.availabilitydigest.com/signups for your free subscription.
Follow us on @availabilitydig.