SlideShare a Scribd company logo

Surviving a DDOS Attack

Download as PPTX, PDF
Jo Bridger
Jo Bridger

A presentation by Matt Johnson from Eduserv on the steps to take when dealing with a denial of service attack.

Technology
1 of 20
www.eduserv.org.uk Surviving a DDoS Attack Matt Johnson, Head of Research, Eduserv January 2015
Agenda  Background  Diary of the DDoS  Attack profiles & social media  Analysis and solution overview  Costs  Lessons learned  Q&A
Background  Eduserv is a registered charity providing IT services to public good organisations  Operates primary services from our Swindon datacentre, secondary and DR services from Slough / London  Providing hosting services since 1996  IT services customer base  20+ customers, across government, health, education and the charity sectors  Some of the government customers are high-profile targets
Day 1  Initial attack was seen on Sunday evening  Lasted around 2 hours  Attack was TCP-based, volumetric, probably HTTP-based  Primary sources in Brazil, Canada  Attack claimed by hacker via Twitter
Day 2  Second attack on Monday afternoon  Against a range of Govt. websites  Attack was UDP-based  Probably DNS-amplification  Diverse source addresses  1 hour DoS for a number of customers  Damage limitation  Re-address and black-hole the address block of the targeted website services  “One sacrificed to save the many”
Day 3  Attacked website brought back online  Separate ISP link to mitigate impact to other services  DDoS attacks resumed immediately  Web service was a 3rd party legacy build, with poor support for caching  HTTP volumetric based attack overwhelmed web server cluster
Attack Methods  Range of attack methods used  Low Orbit Ion Cannon (LOIC), High Orbit Ion Cannon (HOIC)  DNS Amplification, HTTP Idle Attacks,  Scale of the attack  Bandwidth peak estimated >5 Gbps  200+ malformed requests p/sec (normally 2-3 requests p/sec)  Lack of support from upstream ISP for real-time blocking  Without this support, in a volumetric attack, hands are tied
Social Media  Many attackers like to promote their “work” – can give an early insight into what’s happening (or about to happen)  Don’t believe everything you read 
Incident Analysis  Incident Response Team formed  Multi-disciplinary teams – can bring new insight into solutions  Whiteboard-based evaluation of options  Continual comms with the impacted customer  Possible solutions  Block or disable attacking platforms at source  Rebuild the web service to cope with the additional workloads  Filter the DDoS traffic whilst allowing legitimate requests
Starting Situation attack attack attack attack attack attack attack attack web firewalls routers www.customer.gov.uk user
www.customer.gov.uk Proposed Solution web firewalls routers Proxy-2LogServer Load Bal. Proxy-1 attack attack attack attack attack attack attack attack safe.customer.gov.uk user Black Hole www.customer.gov.uk
Web Proxy in the Cloud  Cloud provider choice – Amazon Web Services  Already had expertise in deploying AWS services  Huge bandwidth capacity (estimated at 600 Gbps+)  AWS Marketplace offers quick deployment of application servers  Proxy choice - AiCache  Reviewed options in the AWS Marketplace  AiCache seemed to deliver the functionality required  Available on a PAYG basis with no up-front licensing commitments  Configured and implemented inside of 4 hours
Enabling DDoS protection Total HTTP requests Valid HTTP requests Bad HTTP requests DDoS protection enabled
Enabling IP Throttling Initial (Test) IP throttling started Initial (Test) IP throttling finished Full IP Throttling enabled
Traffic profile before and after proxy implementation Initial DDoS causing outages Ongoing DDoS – proxy in place Normal traffic profile
Costs  IT costs: £350, comprising:  AWS: 150 GB of data transfer, load-balancing; 2 large VMs; 100 GB of data storage: ~$270 over 14 days  AiCache: 2 licences & support: $280, again over 14 days  People costs: £25k, comprising  Incident response: ~£15k  Incident analysis: ~£10k  Indirect costs: ~£20k  Impact on customer services, 3rd party effort, opportunity costs
Lessons Learned  Bandwidth is king  In a sustained attack, whoever has the most, wins  DNS flexibility is vital  Having a well-architected DNS infrastructure allows you to change service endpoints quickly in response to targeted attacks  Make sure you have a diverse route into your DNS management  Watch social media  Can often give you insights into upcoming attacks, motivation  Log everything  Never know what might be needed to support further investigations
AWS Learning  Amazon CloudWatch  Useful near-real time insight into DDoS traffic (via ELB metrics)  Provided evidence for the criminal investigation  Only stores data for 2 weeks – grab the data whilst you can  Needed to write custom CLI/API scripts to extract CloudWatch data  Really could do with a built-in data export capability!  AWS Elastic Load Balancer  Partially mitigated some of the DDoS attack vectors  Supports X-Forwarded-For (XFF) header to track originating IPs
AWS Learning  EC2 capabilities  AWS offers an incredibly easy way to tap into huge data pipes  Incoming bandwidth is free… useful in DDoS situations  Route53 is great!  Supports simple mapping of Zone Apex to ELB target  Geo-distributed endpoints make it incredibly quick and reliable  Amazon Marketplace  Great source of pre-configured AWS-ready services  Use it!
Thank you! Questions?  Matt Johnson  Matt.Johnson@eduserv.org.uk  @mhj_work  www.eduserv.org.uk  www.slideshare.net/eduserv

Recommended

Security challenges of cloud computing
Security challenges of cloud computingSecurity challenges of cloud computing
Security challenges of cloud computingMd. Hasibur Rashid
 
Project shield
Project shieldProject shield
Project shieldVishesh Singhal
 
Analysis-of-Security-Algorithms-in-Cloud-Computing [Autosaved]
Analysis-of-Security-Algorithms-in-Cloud-Computing [Autosaved]Analysis-of-Security-Algorithms-in-Cloud-Computing [Autosaved]
Analysis-of-Security-Algorithms-in-Cloud-Computing [Autosaved]Mahmuda Rahman
 
Risk Management in the Cloud
Risk Management in the CloudRisk Management in the Cloud
Risk Management in the CloudDavid X Martin
 
SECURE DATA SHARING IN CLOUD COMPUTING USING REVOCABLE-STORAGE IDENTITY-BASED...
SECURE DATA SHARING IN CLOUD COMPUTING USING REVOCABLE-STORAGE IDENTITY-BASED...SECURE DATA SHARING IN CLOUD COMPUTING USING REVOCABLE-STORAGE IDENTITY-BASED...
SECURE DATA SHARING IN CLOUD COMPUTING USING REVOCABLE-STORAGE IDENTITY-BASED...Nexgen Technology
 
Secure Data Sharing in Cloud Computing Using Revocable-Storage Identity-Based...
Secure Data Sharing in Cloud Computing Using Revocable-Storage Identity-Based...Secure Data Sharing in Cloud Computing Using Revocable-Storage Identity-Based...
Secure Data Sharing in Cloud Computing Using Revocable-Storage Identity-Based...Yashwanth Reddy
 
DDoS
DDoSDDoS
DDoSMilan Petrásek
 
SecRBAC: Secure data in the Clouds
SecRBAC: Secure data in the CloudsSecRBAC: Secure data in the Clouds
SecRBAC: Secure data in the CloudsNexgen Technology
 

Recommended

Security challenges of cloud computing
Security challenges of cloud computingSecurity challenges of cloud computing
Security challenges of cloud computingMd. Hasibur Rashid
 
Project shield
Project shieldProject shield
Project shieldVishesh Singhal
 
Analysis-of-Security-Algorithms-in-Cloud-Computing [Autosaved]
Analysis-of-Security-Algorithms-in-Cloud-Computing [Autosaved]Analysis-of-Security-Algorithms-in-Cloud-Computing [Autosaved]
Analysis-of-Security-Algorithms-in-Cloud-Computing [Autosaved]Mahmuda Rahman
 
Risk Management in the Cloud
Risk Management in the CloudRisk Management in the Cloud
Risk Management in the CloudDavid X Martin
 
SECURE DATA SHARING IN CLOUD COMPUTING USING REVOCABLE-STORAGE IDENTITY-BASED...
SECURE DATA SHARING IN CLOUD COMPUTING USING REVOCABLE-STORAGE IDENTITY-BASED...SECURE DATA SHARING IN CLOUD COMPUTING USING REVOCABLE-STORAGE IDENTITY-BASED...
SECURE DATA SHARING IN CLOUD COMPUTING USING REVOCABLE-STORAGE IDENTITY-BASED...Nexgen Technology
 
Secure Data Sharing in Cloud Computing Using Revocable-Storage Identity-Based...
Secure Data Sharing in Cloud Computing Using Revocable-Storage Identity-Based...Secure Data Sharing in Cloud Computing Using Revocable-Storage Identity-Based...
Secure Data Sharing in Cloud Computing Using Revocable-Storage Identity-Based...Yashwanth Reddy
 
DDoS
DDoSDDoS
DDoSMilan Petrásek
 
SecRBAC: Secure data in the Clouds
SecRBAC: Secure data in the CloudsSecRBAC: Secure data in the Clouds
SecRBAC: Secure data in the CloudsNexgen Technology
 
A SYNCHRONIZED DISTRIBUTED DENIAL OF SERVICE PREVENTION SYSTEM
A SYNCHRONIZED DISTRIBUTED DENIAL OF SERVICE PREVENTION SYSTEMA SYNCHRONIZED DISTRIBUTED DENIAL OF SERVICE PREVENTION SYSTEM
A SYNCHRONIZED DISTRIBUTED DENIAL OF SERVICE PREVENTION SYSTEMcscpconf
 
Https interception
Https interceptionHttps interception
Https interceptionAndrey Apuhtin
 
Secure Data Sharing in Cloud Computing using Revocable Storage Identity- Base...
Secure Data Sharing in Cloud Computing using Revocable Storage Identity- Base...Secure Data Sharing in Cloud Computing using Revocable Storage Identity- Base...
Secure Data Sharing in Cloud Computing using Revocable Storage Identity- Base...rahulmonikasharma
 
Know Your Attacker - Core Security
Know Your Attacker - Core SecurityKnow Your Attacker - Core Security
Know Your Attacker - Core SecurityCore Security
 
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUEA MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUEIJNSA Journal
 
Novel cloud computingsecurity issues
Novel cloud computingsecurity issuesNovel cloud computingsecurity issues
Novel cloud computingsecurity issuesJoo Manthar
 
Ensuring data security in cloud computing. - Anusha Tuke
Ensuring data security in cloud computing. - Anusha TukeEnsuring data security in cloud computing. - Anusha Tuke
Ensuring data security in cloud computing. - Anusha TukeAnusha Chavan
 
Secure data sharing in cloud computing using revocable storage identity-based...
Secure data sharing in cloud computing using revocable storage identity-based...Secure data sharing in cloud computing using revocable storage identity-based...
Secure data sharing in cloud computing using revocable storage identity-based...Shakas Technologies
 
Identity based secure distributed data storage
Identity based secure distributed data storageIdentity based secure distributed data storage
Identity based secure distributed data storageIEEEFINALYEARPROJECTS
 
Forensic And Cloud Computing
Forensic And Cloud ComputingForensic And Cloud Computing
Forensic And Cloud ComputingMitesh Katira
 
What is the future of blockchain in cybersecurity
What is the future of blockchain in cybersecurity What is the future of blockchain in cybersecurity
What is the future of blockchain in cybersecurity Blockchain Council
 
Data security using rsa
Data security using rsaData security using rsa
Data security using rsaLAKSHMI TEJA SAYABARAPU
 
Third Party Public Auditing Scheme for Security in Cloud Storage
Third Party Public Auditing Scheme for Security in Cloud StorageThird Party Public Auditing Scheme for Security in Cloud Storage
Third Party Public Auditing Scheme for Security in Cloud Storageijtsrd
 
Security in cloud computing
Security in cloud computingSecurity in cloud computing
Security in cloud computingEr. Saba karim
 
Security threats in cloud computing
Security threats in cloud computingSecurity threats in cloud computing
Security threats in cloud computingPuneet Arora
 
IJARCCE 20
IJARCCE 20IJARCCE 20
IJARCCE 20Nahan Rahman
 
Blockchain for network engineers
Blockchain for network engineersBlockchain for network engineers
Blockchain for network engineersBlockchain Council
 
Cloud-forensics
Cloud-forensicsCloud-forensics
Cloud-forensicsanupriti
 
2010 Department of Community Resource Development Symposium
2010 Department of Community Resource Development Symposium2010 Department of Community Resource Development Symposium
2010 Department of Community Resource Development Symposiumsondramilkie
 
Moving on from Dewey
Moving on from DeweyMoving on from Dewey
Moving on from DeweyDiane Macklin
 
Swt eye for the swing guy
Swt eye for the swing guySwt eye for the swing guy
Swt eye for the swing guyIoan Bogdan
 
Coach Me! Working with Cultural Differences to Create Successful Outcomes
Coach Me! Working with Cultural Differences to Create Successful OutcomesCoach Me! Working with Cultural Differences to Create Successful Outcomes
Coach Me! Working with Cultural Differences to Create Successful Outcomessondramilkie
 

More Related Content

What's hot

A SYNCHRONIZED DISTRIBUTED DENIAL OF SERVICE PREVENTION SYSTEM
A SYNCHRONIZED DISTRIBUTED DENIAL OF SERVICE PREVENTION SYSTEMA SYNCHRONIZED DISTRIBUTED DENIAL OF SERVICE PREVENTION SYSTEM
A SYNCHRONIZED DISTRIBUTED DENIAL OF SERVICE PREVENTION SYSTEMcscpconf
 
Secure Data Sharing in Cloud Computing using Revocable Storage Identity- Base...
Secure Data Sharing in Cloud Computing using Revocable Storage Identity- Base...Secure Data Sharing in Cloud Computing using Revocable Storage Identity- Base...
Secure Data Sharing in Cloud Computing using Revocable Storage Identity- Base...rahulmonikasharma
 
Know Your Attacker - Core Security
Know Your Attacker - Core SecurityKnow Your Attacker - Core Security
Know Your Attacker - Core SecurityCore Security
 
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUEA MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUEIJNSA Journal
 
Novel cloud computingsecurity issues
Novel cloud computingsecurity issuesNovel cloud computingsecurity issues
Novel cloud computingsecurity issuesJoo Manthar
 
Ensuring data security in cloud computing. - Anusha Tuke
Ensuring data security in cloud computing. - Anusha TukeEnsuring data security in cloud computing. - Anusha Tuke
Ensuring data security in cloud computing. - Anusha TukeAnusha Chavan
 
Secure data sharing in cloud computing using revocable storage identity-based...
Secure data sharing in cloud computing using revocable storage identity-based...Secure data sharing in cloud computing using revocable storage identity-based...
Secure data sharing in cloud computing using revocable storage identity-based...Shakas Technologies
 
Identity based secure distributed data storage
Identity based secure distributed data storageIdentity based secure distributed data storage
Identity based secure distributed data storageIEEEFINALYEARPROJECTS
 
Forensic And Cloud Computing
Forensic And Cloud ComputingForensic And Cloud Computing
Forensic And Cloud ComputingMitesh Katira
 
What is the future of blockchain in cybersecurity
What is the future of blockchain in cybersecurity What is the future of blockchain in cybersecurity
What is the future of blockchain in cybersecurity Blockchain Council
 
Third Party Public Auditing Scheme for Security in Cloud Storage
Third Party Public Auditing Scheme for Security in Cloud StorageThird Party Public Auditing Scheme for Security in Cloud Storage
Third Party Public Auditing Scheme for Security in Cloud Storageijtsrd
 
Security in cloud computing
Security in cloud computingSecurity in cloud computing
Security in cloud computingEr. Saba karim
 
Security threats in cloud computing
Security threats in cloud computingSecurity threats in cloud computing
Security threats in cloud computingPuneet Arora
 
Blockchain for network engineers
Blockchain for network engineersBlockchain for network engineers
Blockchain for network engineersBlockchain Council
 
Cloud-forensics
Cloud-forensicsCloud-forensics
Cloud-forensicsanupriti
 

What's hot (18)

A SYNCHRONIZED DISTRIBUTED DENIAL OF SERVICE PREVENTION SYSTEM
A SYNCHRONIZED DISTRIBUTED DENIAL OF SERVICE PREVENTION SYSTEMA SYNCHRONIZED DISTRIBUTED DENIAL OF SERVICE PREVENTION SYSTEM
A SYNCHRONIZED DISTRIBUTED DENIAL OF SERVICE PREVENTION SYSTEM
 
Https interception
Https interceptionHttps interception
Https interception
 
Secure Data Sharing in Cloud Computing using Revocable Storage Identity- Base...
Secure Data Sharing in Cloud Computing using Revocable Storage Identity- Base...Secure Data Sharing in Cloud Computing using Revocable Storage Identity- Base...
Secure Data Sharing in Cloud Computing using Revocable Storage Identity- Base...
 
Know Your Attacker - Core Security
Know Your Attacker - Core SecurityKnow Your Attacker - Core Security
Know Your Attacker - Core Security
 
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUEA MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
 
Novel cloud computingsecurity issues
Novel cloud computingsecurity issuesNovel cloud computingsecurity issues
Novel cloud computingsecurity issues
 
Ensuring data security in cloud computing. - Anusha Tuke
Ensuring data security in cloud computing. - Anusha TukeEnsuring data security in cloud computing. - Anusha Tuke
Ensuring data security in cloud computing. - Anusha Tuke
 
Secure data sharing in cloud computing using revocable storage identity-based...
Secure data sharing in cloud computing using revocable storage identity-based...Secure data sharing in cloud computing using revocable storage identity-based...
Secure data sharing in cloud computing using revocable storage identity-based...
 
Identity based secure distributed data storage
Identity based secure distributed data storageIdentity based secure distributed data storage
Identity based secure distributed data storage
 
Forensic And Cloud Computing
Forensic And Cloud ComputingForensic And Cloud Computing
Forensic And Cloud Computing
 
What is the future of blockchain in cybersecurity
What is the future of blockchain in cybersecurity What is the future of blockchain in cybersecurity
What is the future of blockchain in cybersecurity
 
Data security using rsa
Data security using rsaData security using rsa
Data security using rsa
 
Third Party Public Auditing Scheme for Security in Cloud Storage
Third Party Public Auditing Scheme for Security in Cloud StorageThird Party Public Auditing Scheme for Security in Cloud Storage
Third Party Public Auditing Scheme for Security in Cloud Storage
 
Security in cloud computing
Security in cloud computingSecurity in cloud computing
Security in cloud computing
 
Security threats in cloud computing
Security threats in cloud computingSecurity threats in cloud computing
Security threats in cloud computing
 
IJARCCE 20
IJARCCE 20IJARCCE 20
IJARCCE 20
 
Blockchain for network engineers
Blockchain for network engineersBlockchain for network engineers
Blockchain for network engineers
 
Cloud-forensics
Cloud-forensicsCloud-forensics
Cloud-forensics
 

Viewers also liked

2010 Department of Community Resource Development Symposium
2010 Department of Community Resource Development Symposium2010 Department of Community Resource Development Symposium
2010 Department of Community Resource Development Symposiumsondramilkie
 
Moving on from Dewey
Moving on from DeweyMoving on from Dewey
Moving on from DeweyDiane Macklin
 
Swt eye for the swing guy
Swt eye for the swing guySwt eye for the swing guy
Swt eye for the swing guyIoan Bogdan
 
Coach Me! Working with Cultural Differences to Create Successful Outcomes
Coach Me! Working with Cultural Differences to Create Successful OutcomesCoach Me! Working with Cultural Differences to Create Successful Outcomes
Coach Me! Working with Cultural Differences to Create Successful Outcomessondramilkie
 
Recognition Moments
Recognition MomentsRecognition Moments
Recognition Momentssondramilkie
 
Making Connections and Creating Solidarity with African American Youth
Making Connections and Creating Solidarity with African American YouthMaking Connections and Creating Solidarity with African American Youth
Making Connections and Creating Solidarity with African American Youthsondramilkie
 
Creating Aging Friendly Communities in Wisconsin: How Prepared is Your Commun...
Creating Aging Friendly Communities in Wisconsin: How Prepared is Your Commun...Creating Aging Friendly Communities in Wisconsin: How Prepared is Your Commun...
Creating Aging Friendly Communities in Wisconsin: How Prepared is Your Commun...sondramilkie
 
The Roadmap to Distance Learning Technology: Retooling Traditional Outreach b...
The Roadmap to Distance Learning Technology: Retooling Traditional Outreach b...The Roadmap to Distance Learning Technology: Retooling Traditional Outreach b...
The Roadmap to Distance Learning Technology: Retooling Traditional Outreach b...sondramilkie
 
Integrating Sustainability-4
Integrating Sustainability-4Integrating Sustainability-4
Integrating Sustainability-4sondramilkie
 
11 2-10 ratios and proportions
11 2-10 ratios and proportions11 2-10 ratios and proportions
11 2-10 ratios and proportionschelbs
 
Risk Management Education for Wisconsin's Women Farmers
Risk Management Education for Wisconsin's Women FarmersRisk Management Education for Wisconsin's Women Farmers
Risk Management Education for Wisconsin's Women Farmerssondramilkie
 
Regulatory affairs consultants vector pharma
Regulatory affairs consultants vector pharmaRegulatory affairs consultants vector pharma
Regulatory affairs consultants vector pharmaFarr50rocks
 
Taking the Terror out of Writing for Publication
Taking the Terror out of Writing for PublicationTaking the Terror out of Writing for Publication
Taking the Terror out of Writing for Publicationsondramilkie
 
Grant Proposal Writing
Grant Proposal WritingGrant Proposal Writing
Grant Proposal Writingsondramilkie
 
Integrating Sustainability-2
Integrating Sustainability-2Integrating Sustainability-2
Integrating Sustainability-2sondramilkie
 
Envy photography
Envy photographyEnvy photography
Envy photographyrutelopes95
 
Putting New 2008 Farm Bill Programs to Work for Producers
Putting New 2008 Farm Bill Programs to Work for ProducersPutting New 2008 Farm Bill Programs to Work for Producers
Putting New 2008 Farm Bill Programs to Work for Producerssondramilkie
 
Changing Lives through Service Learning
Changing Lives through Service LearningChanging Lives through Service Learning
Changing Lives through Service Learningsondramilkie
 
Microsoft® office outlookcalendarbasics
Microsoft® office outlookcalendarbasicsMicrosoft® office outlookcalendarbasics
Microsoft® office outlookcalendarbasicscaudillsu
 

Viewers also liked (20)

2010 Department of Community Resource Development Symposium
2010 Department of Community Resource Development Symposium2010 Department of Community Resource Development Symposium
2010 Department of Community Resource Development Symposium
 
Moving on from Dewey
Moving on from DeweyMoving on from Dewey
Moving on from Dewey
 
Swt eye for the swing guy
Swt eye for the swing guySwt eye for the swing guy
Swt eye for the swing guy
 
Coach Me! Working with Cultural Differences to Create Successful Outcomes
Coach Me! Working with Cultural Differences to Create Successful OutcomesCoach Me! Working with Cultural Differences to Create Successful Outcomes
Coach Me! Working with Cultural Differences to Create Successful Outcomes
 
Recognition Moments
Recognition MomentsRecognition Moments
Recognition Moments
 
Making Connections and Creating Solidarity with African American Youth
Making Connections and Creating Solidarity with African American YouthMaking Connections and Creating Solidarity with African American Youth
Making Connections and Creating Solidarity with African American Youth
 
Creating Aging Friendly Communities in Wisconsin: How Prepared is Your Commun...
Creating Aging Friendly Communities in Wisconsin: How Prepared is Your Commun...Creating Aging Friendly Communities in Wisconsin: How Prepared is Your Commun...
Creating Aging Friendly Communities in Wisconsin: How Prepared is Your Commun...
 
The Roadmap to Distance Learning Technology: Retooling Traditional Outreach b...
The Roadmap to Distance Learning Technology: Retooling Traditional Outreach b...The Roadmap to Distance Learning Technology: Retooling Traditional Outreach b...
The Roadmap to Distance Learning Technology: Retooling Traditional Outreach b...
 
Integrating Sustainability-4
Integrating Sustainability-4Integrating Sustainability-4
Integrating Sustainability-4
 
11 2-10 ratios and proportions
11 2-10 ratios and proportions11 2-10 ratios and proportions
11 2-10 ratios and proportions
 
Inspirational
InspirationalInspirational
Inspirational
 
Risk Management Education for Wisconsin's Women Farmers
Risk Management Education for Wisconsin's Women FarmersRisk Management Education for Wisconsin's Women Farmers
Risk Management Education for Wisconsin's Women Farmers
 
Regulatory affairs consultants vector pharma
Regulatory affairs consultants vector pharmaRegulatory affairs consultants vector pharma
Regulatory affairs consultants vector pharma
 
Taking the Terror out of Writing for Publication
Taking the Terror out of Writing for PublicationTaking the Terror out of Writing for Publication
Taking the Terror out of Writing for Publication
 
Grant Proposal Writing
Grant Proposal WritingGrant Proposal Writing
Grant Proposal Writing
 
Integrating Sustainability-2
Integrating Sustainability-2Integrating Sustainability-2
Integrating Sustainability-2
 
Envy photography
Envy photographyEnvy photography
Envy photography
 
Putting New 2008 Farm Bill Programs to Work for Producers
Putting New 2008 Farm Bill Programs to Work for ProducersPutting New 2008 Farm Bill Programs to Work for Producers
Putting New 2008 Farm Bill Programs to Work for Producers
 
Changing Lives through Service Learning
Changing Lives through Service LearningChanging Lives through Service Learning
Changing Lives through Service Learning
 
Microsoft® office outlookcalendarbasics
Microsoft® office outlookcalendarbasicsMicrosoft® office outlookcalendarbasics
Microsoft® office outlookcalendarbasics
 

Similar to Surviving a DDOS Attack

ITSecurity_DDOS_Mitigation
ITSecurity_DDOS_MitigationITSecurity_DDOS_Mitigation
ITSecurity_DDOS_MitigationR. Blake Martin
 
The role of DDoS Providers
The role of DDoS ProvidersThe role of DDoS Providers
The role of DDoS ProvidersNeil Hinton
 
Protecting your business from ddos attacks
Protecting your business from ddos attacksProtecting your business from ddos attacks
Protecting your business from ddos attacksSaptha Wanniarachchi
 
D do s_white_paper_june2015
D do s_white_paper_june2015D do s_white_paper_june2015
D do s_white_paper_june2015saifam
 
A survey of trends in massive ddos attacks and cloud based mitigations
A survey of trends in massive ddos attacks and cloud based mitigationsA survey of trends in massive ddos attacks and cloud based mitigations
A survey of trends in massive ddos attacks and cloud based mitigationsIJNSA Journal
 
A SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONS
A SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONSA SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONS
A SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONSIJNSA Journal
 
A survey of trends in massive ddos attacks and cloud based mitigations
A survey of trends in massive ddos attacks and cloud based mitigationsA survey of trends in massive ddos attacks and cloud based mitigations
A survey of trends in massive ddos attacks and cloud based mitigationsIJNSA Journal
 
Distributed Denial Of Service ( Ddos )
Distributed Denial Of Service ( Ddos )Distributed Denial Of Service ( Ddos )
Distributed Denial Of Service ( Ddos )Sharon Lee
 
comparing-approaches-for-web-dns-infrastructure-security-white-paper
comparing-approaches-for-web-dns-infrastructure-security-white-papercomparing-approaches-for-web-dns-infrastructure-security-white-paper
comparing-approaches-for-web-dns-infrastructure-security-white-paperRenny Shen
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)DefCamp
 
ddo-s attacks in cloud computing issued taxonomy and future direction
ddo-s attacks in cloud computing issued taxonomy and future directionddo-s attacks in cloud computing issued taxonomy and future direction
ddo-s attacks in cloud computing issued taxonomy and future directionmoataz82
 
CRITICAL CHANGES TO SECURITY FOR CLOUD ENVIRONMENTS - Toronto FSI Symposium -...
CRITICAL CHANGES TO SECURITY FOR CLOUD ENVIRONMENTS - Toronto FSI Symposium -...CRITICAL CHANGES TO SECURITY FOR CLOUD ENVIRONMENTS - Toronto FSI Symposium -...
CRITICAL CHANGES TO SECURITY FOR CLOUD ENVIRONMENTS - Toronto FSI Symposium -...Amazon Web Services
 
Tierpoint webinar: Multi-vector DDoS attacks: detection and mitigation_Jan2016
Tierpoint webinar: Multi-vector DDoS attacks: detection and mitigation_Jan2016Tierpoint webinar: Multi-vector DDoS attacks: detection and mitigation_Jan2016
Tierpoint webinar: Multi-vector DDoS attacks: detection and mitigation_Jan2016TierPoint
 
DrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoSDrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoSSuzanne Aldrich
 
Study of System Attacks- DoS.pptx
Study of System Attacks- DoS.pptxStudy of System Attacks- DoS.pptx
Study of System Attacks- DoS.pptxvasep68958
 
Solution_Use_Case_-_DDoS_Incident_Monitoring.pdf
Solution_Use_Case_-_DDoS_Incident_Monitoring.pdfSolution_Use_Case_-_DDoS_Incident_Monitoring.pdf
Solution_Use_Case_-_DDoS_Incident_Monitoring.pdfمنیزہ ہاشمی
 
Using the Web or another research tool, search for alternative means.pdf
Using the Web or another research tool, search for alternative means.pdfUsing the Web or another research tool, search for alternative means.pdf
Using the Web or another research tool, search for alternative means.pdffms12345
 

Similar to Surviving a DDOS Attack (20)

ITSecurity_DDOS_Mitigation
ITSecurity_DDOS_MitigationITSecurity_DDOS_Mitigation
ITSecurity_DDOS_Mitigation
 
The role of DDoS Providers
The role of DDoS ProvidersThe role of DDoS Providers
The role of DDoS Providers
 
Protecting your business from ddos attacks
Protecting your business from ddos attacksProtecting your business from ddos attacks
Protecting your business from ddos attacks
 
D do s_white_paper_june2015
D do s_white_paper_june2015D do s_white_paper_june2015
D do s_white_paper_june2015
 
A survey of trends in massive ddos attacks and cloud based mitigations
A survey of trends in massive ddos attacks and cloud based mitigationsA survey of trends in massive ddos attacks and cloud based mitigations
A survey of trends in massive ddos attacks and cloud based mitigations
 
A SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONS
A SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONSA SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONS
A SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONS
 
A survey of trends in massive ddos attacks and cloud based mitigations
A survey of trends in massive ddos attacks and cloud based mitigationsA survey of trends in massive ddos attacks and cloud based mitigations
A survey of trends in massive ddos attacks and cloud based mitigations
 
Distributed Denial Of Service ( Ddos )
Distributed Denial Of Service ( Ddos )Distributed Denial Of Service ( Ddos )
Distributed Denial Of Service ( Ddos )
 
comparing-approaches-for-web-dns-infrastructure-security-white-paper
comparing-approaches-for-web-dns-infrastructure-security-white-papercomparing-approaches-for-web-dns-infrastructure-security-white-paper
comparing-approaches-for-web-dns-infrastructure-security-white-paper
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)
 
ddo-s attacks in cloud computing issued taxonomy and future direction
ddo-s attacks in cloud computing issued taxonomy and future directionddo-s attacks in cloud computing issued taxonomy and future direction
ddo-s attacks in cloud computing issued taxonomy and future direction
 
Ix3615551559
Ix3615551559Ix3615551559
Ix3615551559
 
CRITICAL CHANGES TO SECURITY FOR CLOUD ENVIRONMENTS - Toronto FSI Symposium -...
CRITICAL CHANGES TO SECURITY FOR CLOUD ENVIRONMENTS - Toronto FSI Symposium -...CRITICAL CHANGES TO SECURITY FOR CLOUD ENVIRONMENTS - Toronto FSI Symposium -...
CRITICAL CHANGES TO SECURITY FOR CLOUD ENVIRONMENTS - Toronto FSI Symposium -...
 
Tierpoint webinar: Multi-vector DDoS attacks: detection and mitigation_Jan2016
Tierpoint webinar: Multi-vector DDoS attacks: detection and mitigation_Jan2016Tierpoint webinar: Multi-vector DDoS attacks: detection and mitigation_Jan2016
Tierpoint webinar: Multi-vector DDoS attacks: detection and mitigation_Jan2016
 
DrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoSDrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoS
 
Check Point Ddos protector
Check Point Ddos protectorCheck Point Ddos protector
Check Point Ddos protector
 
Study of System Attacks- DoS.pptx
Study of System Attacks- DoS.pptxStudy of System Attacks- DoS.pptx
Study of System Attacks- DoS.pptx
 
Solution_Use_Case_-_DDoS_Incident_Monitoring.pdf
Solution_Use_Case_-_DDoS_Incident_Monitoring.pdfSolution_Use_Case_-_DDoS_Incident_Monitoring.pdf
Solution_Use_Case_-_DDoS_Incident_Monitoring.pdf
 
Using the Web or another research tool, search for alternative means.pdf
Using the Web or another research tool, search for alternative means.pdfUsing the Web or another research tool, search for alternative means.pdf
Using the Web or another research tool, search for alternative means.pdf
 
D do s_white_paper
D do s_white_paperD do s_white_paper
D do s_white_paper
 

Recently uploaded

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...Product School
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxAbida Shariff
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupCatarinaPereira64715
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxDavid Michel
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIES VE
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...Product School
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1DianaGray10
 
Agentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdfAgentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdfChristopherTHyatt
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyJohn Staveley
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...CzechDreamin
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCzechDreamin
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...Product School
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...CzechDreamin
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomCzechDreamin
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Julian Hyde
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Product School
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityScyllaDB
 

Recently uploaded (20)

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
Agentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdfAgentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdf
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
 

Surviving a DDOS Attack

  • 1. www.eduserv.org.uk Surviving a DDoS Attack Matt Johnson, Head of Research, Eduserv January 2015
  • 2. Agenda  Background  Diary of the DDoS  Attack profiles & social media  Analysis and solution overview  Costs  Lessons learned  Q&A
  • 3. Background  Eduserv is a registered charity providing IT services to public good organisations  Operates primary services from our Swindon datacentre, secondary and DR services from Slough / London  Providing hosting services since 1996  IT services customer base  20+ customers, across government, health, education and the charity sectors  Some of the government customers are high-profile targets
  • 4. Day 1  Initial attack was seen on Sunday evening  Lasted around 2 hours  Attack was TCP-based, volumetric, probably HTTP-based  Primary sources in Brazil, Canada  Attack claimed by hacker via Twitter
  • 5. Day 2  Second attack on Monday afternoon  Against a range of Govt. websites  Attack was UDP-based  Probably DNS-amplification  Diverse source addresses  1 hour DoS for a number of customers  Damage limitation  Re-address and black-hole the address block of the targeted website services  “One sacrificed to save the many”
  • 6. Day 3  Attacked website brought back online  Separate ISP link to mitigate impact to other services  DDoS attacks resumed immediately  Web service was a 3rd party legacy build, with poor support for caching  HTTP volumetric based attack overwhelmed web server cluster
  • 7. Attack Methods  Range of attack methods used  Low Orbit Ion Cannon (LOIC), High Orbit Ion Cannon (HOIC)  DNS Amplification, HTTP Idle Attacks,  Scale of the attack  Bandwidth peak estimated >5 Gbps  200+ malformed requests p/sec (normally 2-3 requests p/sec)  Lack of support from upstream ISP for real-time blocking  Without this support, in a volumetric attack, hands are tied
  • 8. Social Media  Many attackers like to promote their “work” – can give an early insight into what’s happening (or about to happen)  Don’t believe everything you read 
  • 9. Incident Analysis  Incident Response Team formed  Multi-disciplinary teams – can bring new insight into solutions  Whiteboard-based evaluation of options  Continual comms with the impacted customer  Possible solutions  Block or disable attacking platforms at source  Rebuild the web service to cope with the additional workloads  Filter the DDoS traffic whilst allowing legitimate requests
  • 10. Starting Situation attack attack attack attack attack attack attack attack web firewalls routers www.customer.gov.uk user
  • 11. www.customer.gov.uk Proposed Solution web firewalls routers Proxy-2LogServer Load Bal. Proxy-1 attack attack attack attack attack attack attack attack safe.customer.gov.uk user Black Hole www.customer.gov.uk
  • 12. Web Proxy in the Cloud  Cloud provider choice – Amazon Web Services  Already had expertise in deploying AWS services  Huge bandwidth capacity (estimated at 600 Gbps+)  AWS Marketplace offers quick deployment of application servers  Proxy choice - AiCache  Reviewed options in the AWS Marketplace  AiCache seemed to deliver the functionality required  Available on a PAYG basis with no up-front licensing commitments  Configured and implemented inside of 4 hours
  • 13. Enabling DDoS protection Total HTTP requests Valid HTTP requests Bad HTTP requests DDoS protection enabled
  • 14. Enabling IP Throttling Initial (Test) IP throttling started Initial (Test) IP throttling finished Full IP Throttling enabled
  • 15. Traffic profile before and after proxy implementation Initial DDoS causing outages Ongoing DDoS – proxy in place Normal traffic profile
  • 16. Costs  IT costs: £350, comprising:  AWS: 150 GB of data transfer, load-balancing; 2 large VMs; 100 GB of data storage: ~$270 over 14 days  AiCache: 2 licences & support: $280, again over 14 days  People costs: £25k, comprising  Incident response: ~£15k  Incident analysis: ~£10k  Indirect costs: ~£20k  Impact on customer services, 3rd party effort, opportunity costs
  • 17. Lessons Learned  Bandwidth is king  In a sustained attack, whoever has the most, wins  DNS flexibility is vital  Having a well-architected DNS infrastructure allows you to change service endpoints quickly in response to targeted attacks  Make sure you have a diverse route into your DNS management  Watch social media  Can often give you insights into upcoming attacks, motivation  Log everything  Never know what might be needed to support further investigations
  • 18. AWS Learning  Amazon CloudWatch  Useful near-real time insight into DDoS traffic (via ELB metrics)  Provided evidence for the criminal investigation  Only stores data for 2 weeks – grab the data whilst you can  Needed to write custom CLI/API scripts to extract CloudWatch data  Really could do with a built-in data export capability!  AWS Elastic Load Balancer  Partially mitigated some of the DDoS attack vectors  Supports X-Forwarded-For (XFF) header to track originating IPs
  • 19. AWS Learning  EC2 capabilities  AWS offers an incredibly easy way to tap into huge data pipes  Incoming bandwidth is free… useful in DDoS situations  Route53 is great!  Supports simple mapping of Zone Apex to ELB target  Geo-distributed endpoints make it incredibly quick and reliable  Amazon Marketplace  Great source of pre-configured AWS-ready services  Use it!
  • 20. Thank you! Questions?  Matt Johnson  Matt.Johnson@eduserv.org.uk  @mhj_work  www.eduserv.org.uk  www.slideshare.net/eduserv