Working Group 5: Remediation of Server Based DDoS Attacks. Status Update



Similar documents
Working Group 5: Remediation of Server-Based DDoS Attacks. Status Update

Working Group 5: Remediation of Server-Based DDoS Attacks. Status Update. March 20, 2014

Working Group 5: Remediation of Server Based DDoS Attacks. Status Update

September, WORKING GROUP 5 Remediation of Server-Based DDoS Attacks Final Report

CSRIC IV - Working Group 4: Cybersecurity Best Practices Status Update

Final Report. U.S. Anti-Bot Code of Conduct (ABCs) for Internet Service Providers (ISPs)

CYBERSECURITY RISK MANAGEMENT AND BEST PRACTICES WORKING GROUP 4: Final Report March 2015

September 20, 2013 Senior IT Examiner Gene Lilienthal

CYBERSECURITY RISK MANAGEMENT AND BEST PRACTICES WORKING GROUP 4: Final Report March 2015

Working Group 7: Legacy Network Best Practices Update. Status Update

Steering Committee. Working Group 2A. Cyber Security Best Practices. March 14, Presented By: Phil Agcaoili, Co Chair Gary Toretti

FG2B Cybersecurity Dr. Bill Hancock, CISSP, CISM SAVVIS Communications FG2B Chair

DDoS Threat Report. Chris Beal Chief Security Architect on Twitter

FINAL REPORT. Internet Service Provider (ISP) Network Protection Practices

Before the National Telecommunications and Information Administration DEPARTMENT OF COMMERCE Washington, D.C

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Introduction to DDoS Attacks. Chris Beal Chief Security Architect on Twitter

How To Write A Cybersecurity Framework

CPE Powering Consumer Outreach. Final Report CPE Powering

Defending Against Data Beaches: Internal Controls for Cybersecurity

CSRIC V Working Group Descriptions and Leadership

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

VIA ELECTRONIC FILING Marlene Dortch Secretary Federal Communications Commission th Street, SW. Washington, DC 20554

Denial of Service Attacks

Coordinating Attack Response at Internet Scale (CARIS)

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

CS 356 Lecture 16 Denial of Service. Spring 2013

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

Cisco Advanced Services for Network Security

DDoS Attacks Can Take Down Your Online Services

White Paper. Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation

Goals. Understanding security testing

Business Continuity for Cyber Threat

How Cisco IT Protects Against Distributed Denial of Service Attacks

How To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address

Characterization and Analysis of NTP Amplification Based DDoS Attacks

Before the. Committee on Energy and Commerce Subcommittee on Communications and Technology United States House of Representatives

Overview An Evolution. Improving Trust, Confidence & Safety working together to fight the beast. Microsoft's online safety strategy

CERT Collaboration with ISP to Enhance Cybersecurity Jinhyun CHO, KrCERT/CC Korea Internet & Security Agency

DDoS Open Threat Signaling (DOTS) Working Group. Operational Requirements. Chris Morrow netman.net> Network Security Engineer, Google

Securing Your Business with DNS Servers That Protect Themselves

NASCIO 2015 State IT Recognition Awards

CERT Seminar March, 2010

SSDP REFLECTION DDOS ATTACKS

Distributed Denial of Service protection

Security Controls Implementation Plan

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest

ANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE

Working Group 6: Best Practice Implementation

Global Network Pandemic The Silent Threat Darren Grabowski, Manager NTT America Global IP Network Security & Abuse Team

Denial of Service (DoS) Technical Primer

Cybersecurity in a Mobile IP World

UNDERSTANDING THE CAUSE AND EFFECT OF DDoS: How to mitigate risk and protect your financial institution

Homeland Security Perspectives: Cyber Security Partnerships and Measurement Activities

The Expanding Role of Service Providers in DDoS Mitigation

Before the DEPARTMENT OF COMMERCE Internet Policy Task Force

I D C T E C H N O L O G Y S P O T L I G H T

Delving Into FCC's 'Damn Important' Cybersecurity Report

How To Mitigate A Ddos Attack

Enterprise Security Tactical Plan

Beyond the Noise: More Complex Issues with Incident Response

CHAPTER 4 : CASE STUDY WEB APPLICATION DDOS ATTACK GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Before the DEPARTMENT OF COMMERCE National Telecommunications and Information Administration Washington, DC ) ) ) ) )

AT&T Cybersecurity Policy Overview

Before the Federal Communications Commission Washington, DC ) ) ) ) ) ) )

Before the National Institute of Standards and Technology DEPARTMENT OF COMMERCE Washington, D.C

Networking for Caribbean Development

Utilizing Security Ratings for Enterprise IT Risk Mitigation Date: June 2014 Author: Jon Oltsik, Senior Principal Analyst

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

FIVE PRACTICAL STEPS

RID-DoS: Real-time Inter-network Defense Against Denial of Service Attacks. Kathleen M. Moriarty. MIT Lincoln Laboratory.

BlackRidge Technology Transport Access Control: Overview

Why you should adopt the NIST Cybersecurity Framework

Web Application Defence. Architecture Paper

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network

The European Platform in Network and Information Security (NIS) Fabio Martinelli

The Importance of a Multistakeholder Approach to Cybersecurity Effectiveness

DDoS Attacks - Peeling the Onion on One of the Most Sophisticated Ever Seen. Eldad Chai, VP Product

Cisco Remote Management Services for Security

The server will respond to the client with a list of instances. One such attack was analyzed by an information security researcher in January 2015.

Priority III: A National Cyberspace Security Awareness and Training Program

How To Protect A Dns Authority Server From A Flood Attack

Korea s experience of massive DDoS attacks from Botnet

IceCube Cybersecurity Improvement Plan Recommendations to Enhance IceCube s Cybersecurity Program

ISO27032 Guidelines for Cyber Security

DoS/DDoS Attacks and Protection on VoIP/UC

Denial of Service Attacks and Resilient Overlay Networks

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense

Regional cyber security considerations for network operations. Eric Osterweil Principal Scientist, Verisign

DDoS Overview and Incident Response Guide. July 2014

I N T E L L I G E N C E A S S E S S M E N T

Adaptive Distributed Traffic Control Service for DDoS Attack Mitigation

Promoting Network Security (A Service Provider Perspective)

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C Comments of CTIA The Wireless Association

Transcription:

Working Group 5: Remediation of Server Based DDoS Attacks Status Update September 24, 2014 Peter Fonash (DHS), Co Chair Michael Glenn (CenturyLink), Co Chair

WG5 Objectives Description: Critical infrastructure sectors, including the financial sector, have been under assault from a barrage of DDoS attacks emanating from data centers and hosting providers. This Working Group will examine and make recommendations to the Council regarding network level best practices and other measures to mitigate the effects of DDoS attacks from large data centers and hosting sites. These recommendations should include technical and operational methods and procedures to facilitate stakeholder implementation of the recommended solution(s). Deliverable: Recommended measures communications providers can take to mitigate the incidence and impact of DDoS attacks from data centers and hosting providers, particularly those targeting the information systems of critical sectors. 2

WG5 Members WG5 has assembled a team of 40 members, including representatives from ISPs, financial institutions, hosting providers, non profits, associations, academia, federal and state governments, and security experts to accomplish the CSRIC IV charge Name Organization Name Organization Name Organization Peter Fonash (Co Chair) DHS David Fernandez Prolexic Technologies Wayne Pacine Fed Reserve Board of Governors Mike Glenn (Co Chair) CenturyLink Mark Ghassemzadeh ACS Glen Pirrotta Comcast Paul Diamond (Co Editor) CenturyLink Darren Grabowski NTT R.H. Powell Akamai Bob Thornberry (Co Editor) Bell Labs, Alcatel Lucent Sam Grosby Wells Fargo Nick Rascona Sprint Vern Mosley (FCC Liaison) FCC Rodney Joffe Neustar Chris Roosenraad Time Warner Cable Jared Allison Verizon John Levine CAUCE Craig Spiezle Online Trust Alliance Don Blumenthal Public Interest Registry Greg Lucak Windstream Joe St Sauver Univ of Oregon/Internet2 Chris Boyer AT&T John Marinho CTIA Kevin Sullivan Microsoft Matt Carothers Cox Communications Dan Massey IEEE Bernie Thomas CSG International Roy Cormier Nsight Ron Mathis Intrado Matt Tooley NCTA Dave DeCoster Shadowserver Bill McInnis Internet Identity Errol Weiss FSSCC John Denning FSSCC Chris Morrow Google Pam Witmer PA PUC Roland Dobbins Arbor Networks Mike O'Reirdan MAAWG Martin Dolly ATIS Eric Osterweil VeriSign, Inc. 3

WG5 Status WG5 held a 1 day face to face meeting in July, hosted by CenturyLink (Arlington, VA) reviewed draft final server based DDoS attack remediation best practices, barriers to implementation, and findings and recommendations to be included in the Final Report WG5 delivered its Final Report Sept 22 nd 4

Table of Contents 5

Methodology WG5 identified subgroups to focus on case studies and identification of server based BPs ISPs, Financial Community, Internet Security Experts, and Best Practices Review subgroups WG5 held biweekly conference calls and three faceto face meetings to execute CSRIC charge WG5 reviewed in excess of 600 BPs, performed a gap analysis, and identified 50 BPs to address server based DDoS attack remediation (Appendix E) 6

Methodology (cont.) WG5 Applied Six Phase Model (adaptation of Arbor Networks model) 7

Appendix E Best Practices WG5 reviewed in excess of 600 BPs, performed a gap analysis, and identified 50 BPs to address server based DDoS attack remediation (Appendix E) BPs by the numbers NIST Cybersecurity Framework Functions Implementation Effectiveness Implementation Difficulty Sweet Spot Identify Protect Detect Respond Recover High Medium Low Low Medium High High/Low Network Operators 0 16 6 1 2 12 9 4 3 10 12 1 Hosting Providers 0 9 4 2 2 6 6 5 3 6 8 2 Targets 0 5 1 0 2 3 5 0 1 1 6 1 Sub Totals 0 30 11 3 6 21 20 9 7 17 26 4 DDoS prevention and mitigation is a shared responsibility between the network operators, hosting providers, targets and other members of the Internet ecosystem. 8

Key Findings 1. DDoS attacks are becoming large enough to overwhelm a single ISP s ability to absorb. 2. Server based attacks harness data center computational and networking resources to stage DDoS attacks of unprecedented volume. 3. Because of the increased volume of DDoS attacks, collateral damage (impacts to others not targeted by DDoS attack) is common packet loss, delays, high latency for Internet traffic of uninvolved parties whose traffic simply happens to traverse networks saturated by these attacks. 4. DDoS attacks are being used not only to disrupt services, but to distract security resources while other attacks are being attempted, e.g., fraudulent transactions. 5. Adaptive DDoS attacks are prevalent. Attackers vary attack traffic on the fly to avoid identification and to challenge and confuse mitigation strategies. 6. Reflective and amplification attacks are still common, leveraging misconfigured DNS, NTP, and other network resources with the ability to spoof (forge) source (target) IP addresses. 9

Key Findings (cont.) 7. The botnet architecture is becoming more sophisticated and difficult to trace and command and control (C 2 ) systems are increasingly tiered using proxy servers and peer to peer networking to obfuscate the location of the system that is executing the commands. Additionally, some botnets have the ability to impair a compromised system after it has completed an attack. 8. Devices are increasingly spread out globally making the coordination of shutting down these systems difficult due to the fact that countries often have different and sometimes conflicting laws. 9. DDoS traffic builds quickly so automated mitigation capabilities are needed to protect the infrastructure. 10. In order to support automated mitigation capabilities, a standardized taxonomy to express information required to mitigate DDoS server based attacks needs to be followed. 11. Anti spoofing (anti forging) technologies need to be more widely deployed to protect against amplification attacks. 10

Key Findings (cont.) 12. DDoS mitigation capability needs to be deployed throughout the network since it is difficult to predict where the attack will originate. 13. DDoS mitigation requires multiple tools. ISPs need destination blackhole filtering capability to protect their networks recognizing that blackhole filtering completes the DDoS attack to the target. Attack mitigators need multiple types of less intrusive capabilities to minimize the effectiveness of DDoS attacks. 14. DDoS attacks need to be addressed by the entire networking ecosystem, not just the Network Operators. This includes hosting center and data center providers, the DDoS targets, software vendors, open source organizations, as well as equipment manufacturers (the entire supply chain). 11

Key Findings (cont.) 15. DDoS mitigation requires close cooperation of targets, Hosting Providers, and the Network Operators. As new DDoS mitigation techniques become more effective, attackers will continue to adapt their techniques to find new ways to attack their targets. 16. The development of potential success measures to determine the effectiveness of following voluntary server based DDoS attack best practices must be addressed not only by Network Operators, but by the broader Internet ecosystem stakeholders in order to provide meaningful, holistic interpretations of effectiveness. 12

Conclusions Working Group 5 has documented its findings, made recommendations, suggested best practices to address server based DDoS attacks, addressed barriers to implementation, and suggested a path forward to holistically address measures of effectiveness for following the recommended BPs. We conclude in this final report that action will be required, not only by Network Operators, but by the entire ecosystem of stakeholders impacted by server based DDoS attacks, in order to prevent, detect, and mitigate the attacks. 13

Recommendations 1. FCC encourage ISPs to consider voluntary implementation, in a prioritized manner, of the recommended best practices and new recommendations (Appendix E) to address server based DDoS attacks by promoting awareness and benefits of these best practices. 2. FCC encourage the development of best practices for Hosting Providers to promote safe computing practices, reduce vulnerabilities, and reduce the threat of exploiting vulnerabilities, thereby reducing incidence of server based DDoS attacks. 3. FCC encourage voluntary, private sector relationships, to the extent they do not exist already, between peers to collaborate on DDoS response best practices and mitigation support. 14

Recommendations (cont.) 4. FCC encourage the development of a voluntary central clearing house for DDoS mitigation information within the existing DHS information sharing structure that can be a resource among ISPs, Hosting Providers, targets, response organizations (CERTS & ISACs) and governments to mitigate DDoS attacks in real time. 5. FCC encourage ecosystem stakeholders to share DDoS server based attack information between themselves or through a centralize clearing house using a standardized taxonomy, such as the Structured Threat Information expression (STIX) or a similar construct, to assist in automated mitigation of the attacks. 6. FCC encourage the sharing of DDoS mitigation best practices, threat, vulnerability, and incident response actions among Network Operators in the Comm ISAC. 15

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information