2014 saw an average of 28 DDoS attacks every hour, and 40% of the businesses that suffered a DDoS attack saw their Internet connectivity completely “saturated” (in other words, the attack didn’t just degrade performance, it took the organization completely offline). As network providers improve their ability to protect against these attacks, criminals are stepping up, too. Today 81% of DDoS attacks are multi-vector, combining volumetric, application-layer and state-exhaustion techniques. This session will dive into the seven network layers of the Open Systems Interconnection (OSI) model, describe how DDoS attacks are perpetrated against each layer, and offer advice on how to mitigate these complex intrusions.
2. Key Reasons for Cyber Attacks
Criminal
• Money … and more money
• Large number of groups
• From unskilled to advanced
• Present in virtually every country
Hacktivists
• Protest
• Revenge
• Large number of groups
• Basic skills; a few standouts with advanced skills who motivate a potential larger set of followers
Espionage
• Acquiring secrets for
- National security
- Economic benefit
• Growing number of countries with capabilities
• Larger array of supported or tolerated groups
War
• Motivation is to destroy, degrade, or deny
• Politics by another name
• Growing number of countries with capability
• Non-state actors could be included
3. DoS/DDoS Attacks: New Cyber Weapon of Choice
Cyber Attack Sophistication Is Increasing
• Lower-bandwidth attacks occur more frequently, last longer, and evade detection
- Overwhelm servers' ability to respond; ultimately take down the site
• Multi-vector campaigns
- Booter services and low-cost DDoS campaigns can take down a typical business
- The DDoS-for-hire market is expanding
- China, Germany and the U.S. accounted for more than 50% of all DDoS attack origins in Q1 2015
The number of DDoS attacks in Q1 2015 more than doubled the number of DDoS attacks in Q1 2014
Source: Akamai
4. The Industry Hit List Expands
Drivers: the rise of the Internet of Things, web vulnerabilities and botnet building
Choice Targets
• SaaS platforms, e.g. healthcare data
• Competitive industries, e.g. gaming
• Multi-tenant platforms, because attacks on one tenant impact all other tenants
Q1 2015 infrastructure attacks were 91% of total DDoS attacks
Source: Akamai
5. Where Are the Attacks Taking Place?
The 7 Layers of the OSI Model
Network attacks were 90% of attacks in 2005
Session attacks typically defeat conventional firewalls
Application attacks are 90% of attacks in 2015
Q1 2015 vs. Q1 2014: 124.69% increase in infrastructure layer (Layer 3 & 4) attacks
Q1 2015 vs. Q1 2014: 59.83% increase in application layer (Layer 7) attacks
6. Significant Attack Vectors Emerged in 2014
New Attack Vectors, One Dangerous Commonality
• 50% of all Web attacks were encrypted application-based attacks
• 15% of organizations reported attacks targeting Web application login pages on a daily basis
• DNS-based volumetric floods increased from 10% to 21%, becoming the 2nd most common attack vector
Source: Radware
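The login-page attacks in the bullet above are Layer 7 floods: each request is a valid HTTP POST, so they pass a packet-level filter and have to be caught by behaviour. The following added example (not from the original deck) shows the defender's view over a combined-format web access log, using constructed sample lines. It flags two patterns: one client posting to the login path far more often than a human could, and a distributed flood where no single client is noisy but the endpoint as a whole exceeds its normal rate. The path `/login`, the window and both thresholds are assumptions to be tuned against a site's own baseline.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined"-style access log line (format assumed for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_login_flood(lines, login_path="/login", window=timedelta(seconds=60),
                       per_ip_limit=30, endpoint_limit=200):
    """Return (flagged_ips, endpoint_flood) for POSTs to the login page.

    per_ip_limit:   login POSTs from one client inside one window that mark it
                    as abusive (hypothetical threshold).
    endpoint_limit: total login POSTs inside one window beyond which the endpoint
                    is treated as under a distributed flood even when no single
                    client crosses per_ip_limit (hypothetical threshold).
    """
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            events.append(rec)
    events.sort(key=lambda r: r["ts"])

    flagged = set()
    endpoint_flood = False
    start = 0                 # oldest event still inside the sliding window
    per_ip = Counter()        # login POSTs per client inside the window
    for end, rec in enumerate(events):
        per_ip[rec["ip"]] += 1
        # expire events that fell out of the window
        while events[start]["ts"] < rec["ts"] - window:
            per_ip[events[start]["ip"]] -= 1
            start += 1
        if per_ip[rec["ip"]] >= per_ip_limit:
            flagged.add(rec["ip"])
        if end - start + 1 >= endpoint_limit:
            endpoint_flood = True
    return sorted(flagged), endpoint_flood


# ---- constructed sample data (not real traffic) ---------------------------
BASE = datetime(2015, 4, 1, 12, 0, 0, tzinfo=timezone.utc)


def _line(ip, offset_s, method="POST", path="/login", status=401):
    ts = (BASE + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512'


# Scenario A: one client hammers the login page while a few users log in normally.
SINGLE_SOURCE_LINES = (
    [_line("203.0.113.7", i) for i in range(40)]
    + [_line(f"192.0.2.{n}", n * 5, status=200) for n in range(1, 6)]
    + [_line(f"192.0.2.{n}", n * 5 + 1, method="GET", path="/", status=200) for n in range(1, 6)]
)

# Scenario B: 220 distinct clients each post once within about 22 seconds.
DISTRIBUTED_LINES = [_line(f"198.51.100.{i}", i * 0.1) for i in range(1, 221)]


if __name__ == "__main__":
    print("single source:", detect_login_flood(SINGLE_SOURCE_LINES))
    print("distributed:  ", detect_login_flood(DISTRIBUTED_LINES))
```

The per-client rule is what a login-page rate limit enforces; the endpoint-wide rule is the one that matters for the distributed case the deck describes, and its output is the signal to hand to an upstream scrubbing service or to switch the login page to a challenge mode.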
7. The Simple Service Discovery Protocol (SSDP): Top Infrastructure-based Attack Vector
SSDP comes pre-enabled on millions of devices: routers, media servers, web cams, smart TVs, printers
It allows devices to discover each other on a network, establish communication and coordinate activities
Attackers are armed with a list of vulnerable devices and use them as reflectors to amplify a DDoS attack
SSDP accounted for more than 20% of Q1 2015 attack vectors
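From the victim's side an SSDP reflection attack has a clear signature: a large volume of UDP traffic whose source port is 1900, arriving from many distinct devices the victim never queried. The following added example (not from the original deck) runs that check over a constructed flow export, aggregating inbound UDP/1900-sourced flows per destination and reporting the hosts that cross a reflector-count and byte-volume threshold. The CSV field layout and both thresholds are assumptions.

```python
import csv
import io
from collections import defaultdict

SSDP_PORT = 1900


def build_sample_flows():
    """Constructed flow export (not real traffic), one row per flow."""
    rows = ["src_ip,src_port,dst_ip,dst_port,proto,packets,bytes"]
    # 40 distinct consumer devices on the Internet answering to victim 192.0.2.10
    # with large responses: the reflection pattern
    for i in range(1, 41):
        rows.append(f"198.51.100.{i},1900,192.0.2.10,{40000 + i},udp,20,30000")
    # a legitimate on-LAN discovery reply: a single device, a few hundred bytes
    rows.append("192.0.2.5,1900,192.0.2.20,49152,udp,1,380")
    # an unrelated DNS reply, ignored by the SSDP rule because of its source port
    rows.append("192.0.2.53,53,192.0.2.20,51234,udp,1,120")
    return "\n".join(rows)


def parse_flows(text):
    """Yield one dict per flow record from the CSV export."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {
            "src_ip": row["src_ip"],
            "src_port": int(row["src_port"]),
            "dst_ip": row["dst_ip"],
            "dst_port": int(row["dst_port"]),
            "proto": row["proto"].lower(),
            "packets": int(row["packets"]),
            "bytes": int(row["bytes"]),
        }


def detect_ssdp_reflection(flows, min_reflectors=10, min_bytes=500_000):
    """Return {victim_ip: summary} for hosts receiving SSDP-sourced UDP traffic
    from at least min_reflectors distinct sources totalling at least min_bytes.
    Both thresholds are hypothetical and should be tuned to the network."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f["proto"] == "udp" and f["src_port"] == SSDP_PORT:
            v = per_victim[f["dst_ip"]]
            v["reflectors"].add(f["src_ip"])
            v["bytes"] += f["bytes"]
            v["packets"] += f["packets"]

    findings = {}
    for dst, v in per_victim.items():
        if len(v["reflectors"]) >= min_reflectors and v["bytes"] >= min_bytes:
            findings[dst] = {
                "reflectors": len(v["reflectors"]),
                "bytes": v["bytes"],
                # large average packet size is typical of amplified responses
                "avg_packet_bytes": v["bytes"] // v["packets"],
            }
    return findings


if __name__ == "__main__":
    for victim, info in detect_ssdp_reflection(parse_flows(build_sample_flows())).items():
        print(f"{victim}: {info['reflectors']} reflectors, "
              f"{info['bytes']} bytes, avg packet {info['avg_packet_bytes']} B")
```

The single on-LAN reply is deliberately included so the rule does not fire on ordinary UPnP discovery. A finding from this check is the trigger for the usual mitigations on the receiving side: dropping or rate-limiting inbound UDP with source port 1900 at the edge, and diverting the prefix to scrubbing when the volume exceeds the pipe.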
8. Not Just a Party of One Anymore: Multi-Vector Attacks Take Aim
More than 50% of attack campaigns deployed 5 or more attack vectors in 2014
Keeps the target busy by releasing one attack vector at a time vs. launching the entire arsenal all at once
Sources: Radware, Arbor Networks
9. Attackers (Quickly) Strike Back
Attackers are continually developing new attack vectors that defeat newly deployed mitigation tools
They are responding in days, sometimes even hours, after mitigation tools are deployed
Meaning businesses face two chief challenges:
• The increasing complexity of security, i.e. the multi-pronged nature of the attacks
• The speed at which attackers adapt to new mitigation tools
10. Minutes to Compromise, Months to Discover
Source: Radware
DDoS attack costs
• SMB: $52,000 per incident
• 32% of companies would lose over $100K revenue per hour of attack
• 11% of US companies would lose $1 Million+ revenue per hour of attack
Source: Neustar
88% of companies are hit multiple times, with 39% attacked over 10 times annually
11. Recap the Challenges
• Cyber attacks are mainstream
• Network perimeter disappears
– Application data is the final frontier
• Availability-based attacks are the main weapon
– Multi-vector attack campaigns
• Targeting end-to-end weakness points
– Pipe, network, servers, applications
• Targeting multi-tenant environments
– Amplifies overall impact and management complexity
• Disguising techniques
– Multiple attackers, one IP address
– Attack using dynamic IP addresses
• Data (confidentiality) and integrity attacks
15. Fight Back – Advice #1
Don’t assume that you’re not a target
Draw up battle plans; learn from the mistakes of others
Ensure buy-in from ALL C-suite executives, not just the CTO or CIO
16. Fight Back – Advice #2
Protecting your data is not the same as protecting your business
True security necessitates data protection, system integrity and operational availability
Review your current investments, then gauge the increase required to ensure appropriate protection
17. Fight Back – Advice #3
You can’t defend against attacks you can’t detect
The battle-prepared business harnesses an intelligence network
18. Fight Back – Advice #4
Evaluate DDoS protection solutions
Consider a hybrid approach of layered DDoS defenses: always-on, on-premise hardware blocking plus cloud-based traffic scrubbing
19. Fight Back – Advice #5
Know your limitations
Enlist specialists that have the expertise to help you fight and win