1. DDoS mitigation
Infradata Cybersecurity Breakfast Tour 2013
Nicolai van der Smagt – nicolai@infradata.nl
2. DDoS..
“A distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.”
3. ..Mitigation
Mitigation: mi · ti · ga · tion. /mɪtɪˈgeɪʃ(ə)n/
noun
the action of reducing the severity, seriousness, or painfulness of something.
4. DDoS attack? It’ll never happen to me
• Ostrich Mentality: ‘When an ostrich is afraid, it will bury its head in the ground, assuming that because it cannot see, it cannot be seen.’
• Historically, this has been the attitude to DDoS as a Service Availability Threat.
• …but this has changed in the past 2-3 years, because of:
  – AWARENESS: Massive mainstream press around Anonymous, ING, other bank attacks
  – RISK: More businesses are reliant on Internet Services for their business continuity.
  – MOTIVATIONS: Wider spread of attack motivations, broader target set.
  – EXPERIENCE: Larger, more frequent, more complex attacks.
6. Recent DDoS events in Europe
• Ideologically motivated DDoS attacks against UK government sites in relation to the extradition of Julian Assange.
• Ideologically motivated DDoS attacks against the largest DNS registrar in the UK, which was authoritative for domains hosting political content critical of the Chinese government.
• Competitive advantage was the motivation for DDoS attacks on a Jersey-based provider of online gambling services, lasting over a week.
• Retaliatory DDoS attack against a software vendor of widely-used customer-service software, after the vendor found and fixed a SQL injection vulnerability in their products. A blackhat had discovered this on his own and was actually in the process of auctioning it off to prospective attackers in an underground criminal forum as a zero-day exploit when the vendor issued the patch.
• Unknown motivations inspired the ING bank attacks (distraction from other criminal activities?)
7. DDoS attack motivations
• Distraction from other criminal activity
• Phishing for banking credentials with Zeus
• DDoS to distract and cover up the crime
• DDoS distraction also used to cover up system penetrations followed by data leaks
10. DDoS is Key to availability risk planning
DDoS is the #1 threat to the availability of services – but it is not part of the risk analysis.
When measuring the risk to the availability or resiliency of services, where does the risk of DDoS attacks fall on the list?
Availability Scorecard:
• Site Selection
• Physical Security
• Fire Protection & Detection
• Electrical & Power
• Environment & Weather
• DDoS Attacks?
11. Business impact of DDoS attacks
Bar Chart 9: Significance of revenue loss resulting from website downtime for one hour
• Very Significant: 43%
• Significant: 31%
• Somewhat Significant: 21%
• Not Significant: 5%
• None: 0%
Source: Ponemon Institute – 2010 State of Web Application Security
Botnets & DDoS attacks cost an average enterprise $6.3M* for a 24-hour outage!
* Source: McAfee – Into the Crossfire – January 2010
The impact of loss of service availability goes beyond financials:
• Operations: How many IT personnel will be tied up addressing the attack?
• Help Desk: How many more help desk calls will be received, and at what cost per call?
• Recovery: How much manual work will need to be done to re-enter transactions?
• Lost Worker Output: How much employee output will be lost?
• Penalties: How much will have to be paid in service level agreement (SLA) credits or other penalties?
• Lost Business: How much will the ability to attract new customers be affected? What is the full value of those lost customers?
• Brand & Reputation Damage: What is the cost to the company brand and reputation?
12. DDoS attack types and targets
Volumetric, state-exhaustion and application-layer attacks can bring down critical data center services.
Diagram (attack traffic and good traffic entering the data center via ISP 1, ISP 2 … ISP n):
• Backbone – SATURATION, e.g. volumetric / flooding attack
• Firewall, IPS, Load Balancer – exhaustion of STATE, e.g. layer 4-7 / state / connection attack
• Target applications & services – exhaustion of SERVICE, e.g. layer 4-7 application-layer / slow & low attack
13. DDoS attack vectors
• Volumetric Attacks
  – Usually botnets or traffic from spoofed IPs generating high bps / pps traffic volume
  – UDP based floods from spoofed IP take advantage of the connectionless UDP protocol
  – Take out the infrastructure capacity – routers, switches, servers, links
• Reflection Attacks
  – Use a legitimate resource to amplify an attack to a destination
  – Send a request to an IP that will yield a big response, spoof the source IP address to that of the actual victim
  – DNS Reflective Amplification is a good example
Diagram 1 (botnet): Systems become infected. Bots connect to a C&C to create an overlay network (botnet). The botnet master controller connects and issues the attack command, and the bots attack the target.
Diagram 2 (DNS reflection): A DNS request with a spoofed source is sent to a DNS server, repeated many times. The DNS server responds to the request from the spoofed source, so the response goes to the victim. The DNS response is many times larger than the request.
14. DDoS attack vectors
• TCP state exhaustion
  – Take advantage of the stateful nature of the TCP protocol
  – SYN, FIN, RST Floods
  – TCP connection attacks
  – Exhaust resources in servers, load balancers or firewalls.
Diagram (SYN flood): The client sends SYN(C) to the server; the server replies SYN(S), ACK(C) and, while listening, stores data (connection state, etc.). Repeated many times, the system runs out of TCP listener sockets or out of memory for stored state.
• Application layer attacks
  – Exploit limitations, scale and functionality of specific applications
  – Can be low-and-slow
  – HTTP GET / POST, SIP Invite floods
  – Can be more sophisticated: ApacheKiller, Slowloris, SlowPOST, RUDY, refref, hash collision etc.
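The two vectors on slides 13 and 14 seen from the defender's side, as an added example that is not part of the presentation: flagging DNS reflective amplification and TCP SYN state exhaustion in NetFlow-style flow summaries. The Flow shape, the field names and the sample records are constructed for illustration and use documentation address ranges.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style flow summary (constructed shape for this example)."""
    src: str
    dst: str
    proto: str       # "udp" or "tcp"
    sport: int
    dport: int
    packets: int
    nbytes: int
    flags: str = ""  # TCP flags seen in the flow, e.g. "S" (bare SYN) or "SPA"


def dns_reflection(flows, victim):
    """(distinct reflectors, response/query byte ratio) for `victim`: reflectors
    answer queries that carried the victim's spoofed address, so the victim sees
    large UDP/53 responses from many sources and a ratio far above 1 (slide 13)."""
    resp = [f for f in flows if f.proto == "udp" and f.sport == 53 and f.dst == victim]
    asked = sum(f.nbytes for f in flows if f.proto == "udp" and f.dport == 53 and f.src == victim)
    return len({f.src for f in resp}), round(sum(f.nbytes for f in resp) / max(asked, 1), 1)


def half_open_sources(flows, server, port):
    """Sources whose TCP flows to server:port never got past the SYN. Each bare
    SYN holds a half-open entry in the listener's state table; enough of them,
    from many (often spoofed) sources, exhaust it before any data is sent (slide 14)."""
    bare_syn = defaultdict(int)
    for f in flows:
        if f.proto == "tcp" and f.dst == server and f.dport == port and f.flags == "S":
            bare_syn[f.src] += 1
    return len(bare_syn)


# Constructed sample batch: one real query by the victim, 20 reflectors each
# returning 20 x 3200-byte answers, 50 bare SYNs to :443 and one legitimate
# completed connection (documentation address ranges throughout).
VICTIM = "203.0.113.10"
SAMPLE = [Flow(VICTIM, "198.51.100.1", "udp", 40000, 53, 1, 64)]
SAMPLE += [Flow(f"192.0.2.{i}", VICTIM, "udp", 53, 40000 + i, 20, 64000) for i in range(1, 21)]
SAMPLE += [Flow(f"198.51.100.{i}", VICTIM, "tcp", 1024 + i, 443, 1, 60, "S") for i in range(1, 51)]
SAMPLE += [Flow("198.51.100.200", VICTIM, "tcp", 5000, 443, 12, 9000, "SPA")]

if __name__ == "__main__":
    print("DNS reflectors, amplification ratio:", dns_reflection(SAMPLE, VICTIM))
    print("half-open SYN sources on :443:", half_open_sources(SAMPLE, VICTIM, 443))
```

On real exports the same two measures are computed per destination over a short time window; a legitimate resolver client shows a ratio near 1 and a handful of reflector sources, and a busy web server shows many completed connections rather than bare SYNs.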
15. DDoS attack vectors
The DDoS weapon of choice for Anonymous activists is LOIC, downloaded more than 639,000 times this year (so far). Average 2115 downloads daily.
16. So, how is DDoS evolving? Looking at the Internet threat landscape
• In order to understand the DDoS threat (and how to protect ourselves) we need to know what is going on out there.
• Two data sources being presented here:
  – Arbor Worldwide Infrastructure Security Survey, 2011.
  – Arbor ATLAS Internet Trends data.
• Arbor Worldwide Infrastructure Security Survey, 2011
  – 7th Annual Survey
  – Concerns, observations and experiences of the OpSec community
  – 114 respondents, broad spread of network operators from around the world
• Arbor ATLAS Internet Trends
  – 240+ Arbor customers, 37.8Tbps of monitored traffic
  – Hourly export of anonymized DDoS and traffic statistics
17. 2012 ATLAS initiative: Anonymous worldwide stats
Higher pps rates seen in 2011 have continued into 2012
• Average attack is 1.56Mpps, September 2012
• 190% growth from September 2011
Chart: Average Monthly Kpps of Attacks (September 2012 value: 1556)
18. 2012 ATLAS initiative: Anonymous worldwide stats
Peak Attack Growth trend in Gbps
• Peak attack in September 2012 is 63.3Gbps
• 136% rise from September 2011
• Spikes at 75Gb/sec and 100Gb/sec so far this year.
Chart: Peak Monthly Gbps of Attacks (September 2012 value: 63.33)
19. 2012 ATLAS initiative: Anonymous worldwide stats
Average Attack Growth trend in Mbps
• Average attack is 1.67Gbps, September 2012
• 72% growth from September 2011
• Average attacks now consistently over 1Gb/sec
Chart: Average Monthly Mbps of Attacks (September 2012 value: 1670)
20. DDoS Attacks are evolving
Chart: Have You Experienced Multi-vector Application / Volumetric DDoS Attacks? (Yes / No / Don't Know)
Chart: Number of DDoS Attacks per Month (0, 1-10, 10-20, 20-50, 50-100, 100-500, >500)
Chart: Services Targeted by Application Layer DDoS Attacks
• HTTP: 87%
• DNS: 67%
• SMTP: 25%
• HTTPS: 24%
• SIP/VOIP: 19%
• IRC: 11%
• Other: 7%
21. Recent financial attacks (“Operation Ababil”): Multi-vector DDoS on a new level
• Compromised PHP, WordPress, & Joomla servers
  – Often US or EU based so geo-blocking is difficult
  – Large bandwidths – powerful attacks
• Multiple concurrent attack vectors
  – GET and POST app layer attacks on HTTP and HTTPS
  – DNS query app layer attack
  – Floods on UDP, TCP Syn floods, ICMP and other IP protocols
• Unique characteristics of the attacks
  – Very high packet per second rates per individual source
  – Large bandwidth attack on multiple companies simultaneously
  – Very focused
• could be false flag
• could be Cyberwar
• could be hacktivism
22. DDoS, a growing problem
So, how can we minimize the impact of an attack?
• Monitor the network and services so that you can pro-actively detect changes at all layers (up to layer 7).
• Know who to call.
• Develop an incident handling process and run fire-drills
• Utilise the security capabilities built into other network and security infrastructure to minimise impact where possible
• Use a Dedicated OOB Management Network
23. The failure of existing security devices
CPE-based security devices focus on integrity and confidentiality and not on availability.
Information Security Triangle:
Product Family               Triangle    Benefit
Firewalls                    Integrity   Enforce network policy to prevent unauthorized access to data
Intrusion Prevention System  Integrity   Block break-in attempts causing data theft
Firewalls and IPS devices do not solve the DDoS problem because they (1) are optimized for other security problems, (2) can’t detect or stop distributed attacks, and (3) can not integrate with in-cloud security solutions.
Because they are stateful and inline, they are part of the DDoS problem and not the solution. Many DDoS attacks target firewalls and IPS devices directly!
24. Industry solution A: CPE-based protection
• A CPE is placed inline with traffic. Because the device has full visibility of traffic destined for the customer it is in a unique position to quickly detect and mitigate DDoS attacks. The CPE:
  – Detects DDoS attacks immediately
  – Starts blocking without delay
  – Has finite capacity
  – Requires hands-on knowledge to operate
25. Industry solution B: Out-of-path protection
• A monitoring device receives L3/L4 traffic information from routers in the network (via Netflow/BGP). DDoS traffic can be diverted to a scrubbing center for “cleaning”. Other traffic continues unaffected.
  – Detects DDoS attacks immediately
  – Works in large and complex networks with lots of traffic and internet links
  – Has finite capacity
  – Requires hands-on knowledge to operate
Diagram: ISP 1, ISP 2 … ISP n and a local ISP feed the data center (firewall, IPS); a monitoring system watches the routers and a scrubbing center receives the diverted traffic.
26. Industry solution C: Cloud-based protection
• Cloud-based protection works by intercepting attack traffic ‘in-the-cloud’, long before it reaches the network under attack. It provides:
  – Almost infinite capacity (currently 1 Tbps)
  – Upstream blocking so customer networks never see DDoS traffic
  – Effective blocking within minutes of starting mitigation
  – DDoS mitigation “as-a-Service”
27. Arbor Peakflow, Out-of-path protection
Pervasive and cost-effective visibility and security
• Pervasive network visibility and deep insight into services
  – Leverage Netflow technology for broad traffic visibility across service provider networks.
• Comprehensive threat management
  – Granular threat detection, surgical mitigation and reporting of DDoS attacks that threaten business services.
• Managed service enabler
  – A platform which offers the ability to deliver new, profitable, revenue-generating services, i.e. DDoS Protection and traffic analysis
28. Prolexic cloud-based DDoS mitigation
Scrubbing Centers (peering):
• San Jose, CA
• Ashburn, VA
• London, UK
• Frankfurt, DE
• Hong Kong, China
• Tokyo, Sydney (2014)
Carrier reach:
• A minimum of 3 Tier 1 Carriers Per Site
• 500+ peers
Global Reach:
• Staff on four continents
• 800 Gigabits/sec dedicated for attack traffic
Map legend: Scrubbing Center, Regional offices, Headquarters & SOC, Botnet Concentration