Post on 09-Aug-2020
Distributed Denial of Service – Deep Dive
Akamai’s Observations on DDoS Attacks and Defending Against Them
©2011 Akamai Powering a Better Internet
The Akamai Cloud: Largest Distributed Computing Platform in the World
• 77,000+ Servers
• 1,600+ Locations
• 1100 Networks
• 70 Countries
• All branches of the US Military
• 85 of the top 100 online retailers
• 9 of the top 10 virus companies
• 29 of the top 30 M&E companies
• 4.5+ Tbps, 15-25% of web traffic
• 10+ Million transactions per second
Threats
Extortion and For Profit
• Gambling, Commerce, Global Brands
• Used to hide or delay response to other attacks
Show Offs and Traditional Hackers
• 17 yr old brings down Playstation Website
Political Objection/Hacktivism
• Anonymous/Wikileaks, Opt-In Botnets
State Sponsored
• 2007 Estonia: 100Mbps[1]
• 2007 Georgia: 814Mbps[1]
• 2009 United States: 200Gbps[2]
$50-$200 Botnet subscriptions!
Opt-In….
It’s as easy as hitting a website
Threats: 17-Year-Olds?
Source: http://www.escapistmagazine.com/
Types of Attacks
Bandwidth flood
• Getting more sophisticated
• Geographically centralized based on language
• New types: round-robin
Asymmetric
• Smaller bandwidth requests resulting in large processing requirements
• Images and movies
• Documents (.doc .pdf .xls)
• Downloadable software
Request Floods w/ Malformation
Layer 7 Hacks
Infrastructure — DNS, Firewalls, Mail Servers, Net Interfaces, etc
Slowloris and Slow HTTP POST
Peak Attack Traffic per Year
[Chart: attack size in Gbps by year, 2001 to 2010 (Arbor Networks), with an Akamai data point for Jul 4, 2009]
Web Site Without Akamai
[Diagram: End User, Traffic (scale 1 to 10000), Origin Datacenter]
Any number of origin systems overloaded!
Web Site With Akamai
[Diagram: End User, Traffic (scale 1 to 10000), Origin Datacenter]
Origin offloaded to the Akamai Edge
Web Site with Akamai Site Shield
[Diagram: End User, Traffic (scale 1 to 10000), Akamai Site Shield, Trusted Connection, Origin Datacenter]
Defend and cloak your origin
Web Site with Akamai Web Application Firewall
Filters SQL Injections, Cross Site Scripting, Other HTTP attacks
[Diagram: End User, Traffic (scale 1 to 10000), Akamai Site Shield, Trusted Connection, Origin Datacenter]
Extend a layer 7 defense perimeter to the Akamai Edge!
Web Site with Akamai EDNS (and DNS Sec)
[Diagram: End User, Traffic (scale 1 to 10000), Akamai DNS Servers, Akamai Site Shield, Trusted Connection, Origin Datacenter]
Secure, scalable, and available: Enhanced DNS
The Largest DDoS Ever Recorded
July 4th 2009: US Gov’t Targeted and Protected
Few common attackers between spikes. Only 4,284 IPs shared across all spikes.
• 125 Gb/sec peak bandwidth
• 795,000 page views a second
• 98,000 unique IPs in 30 minutes
• 300,000 total unique IPs
Top Targets        Peak Traffic    Times Above Normal Traffic
US Government 1    124 Gbps        598x
US Government 2    32 Gbps         369x
Financial 1        26 Gbps         110x
US Government 3    9 Gbps          39x
US Government 4    9 Gbps          19x
US Government 5    2 Gbps          9x
US Government 6    1.90 Gbps       6x
US Government 7    0.73 Gbps       *
DDoS Profile — US Government
Target: US Government Web sites
Date: July 4-7, 2009
Peak Traffic: 125 Gbps
Peak Overage: 598 x normal
Primary Origin: South Korea
Duration: 11 Hours
Downtime: 0 Hours, 0 Minutes
Mitigation:
• Acceleration/Caching
• Global Traffic Management
• IP/CIDR Blocking
[Chart: attack size in Gbps over time, July 4, 2009 to July 5, 2009, with Spike 1, Spike 2 and Spike 3 marked; second panel: Unique IPs]
Few common attackers across spikes. Only 4,284 common IPs
Timeline:
• 16:00 Customer notified
• 20:00 Attack grows rapidly
• 23:00 Mitigation measures engaged
• 0:30 Korean traffic blocked
• 9:30 Korean traffic quarantined
• 21:00 Akamai identifies sources
• 23:50 Peak pageviews
Holiday Season 2010
Coordinated DDoS Attacks
Attacked eCommerce Web Sites Protected by Akamai
PROTECTED         Times Above Normal Traffic    Peak Attack Time (GMT)
US Customer #1    9,095x                        11/30 2PM
US Customer #2    5,803x                        12/1 2PM
US Customer #3    3,115x                        11/30 2PM
US Customer #4    2,874x                        12/1 1PM
US Customer #5    1,807x                        12/1 1PM
Highly distributed international DDoS attacks from Asia-Pac, South America and Middle East
[Chart: traffic for Customer 1, Customer 2 and Customer 3]
$15 Million in lost revenues AVOIDED!
One Customer, Different DDoS Attacks
Attacked Top IR150 eCommerce Web Site Protected by Akamai
PROTECTED    Times Above Normal Pages    Peak Attack Time
Attack #1    300x                        Nov 18, 2010
Attack #2    35x                         Jan 14, 2011
Attack #1 – Highly distributed, no recognizable pattern
Attack #2 – Highly distributed, concentration from Eastern Europe – Russian Federation, Greece, Ukraine, Belarus, Latvia, Kazakhstan
Peak DDoS traffic of 300 Mbps
Estimated Potential Lost Revenue Impact = $350,000
Fortune 1000 Electronics Manufacturer
Multiple Web Site Attacks - Protected by Akamai
PROTECTED               Times Above Normal Pages    Peak Attack Time
eCommerce               6x                          Jan 17
Account Mgmt            14x                         Jan 17
Online Interactivity    51x                         Jan 17
Highly distributed DDoS attacks from South America (Brazil & Mexico) and Asia-Pac (Thailand)
Browsers – Opera, Firefox 2.0, 3.0
Operating Systems – X11 Linux, Symbian
Peak DDoS Traffic of 100 Mbps
Estimated Potential Lost Revenue Impact = $140K
Estimated Unique Customers Impacted = 375,000
Two International Gov’t Sites
DDoS available to the masses for protest
PROTECTED    Times Above Normal Pages    Peak Attack Time
Site #1      215x                        Dec 21st, 2010
Site #2      225x                        Dec 21st, 2010
In country, opt-in attack using LOIC
Requests for abnormally long URL query strings
Peak DDoS Traffic of 550 Mbps
Estimated Citizens Viewing Available Web Site = 8,000
Akamai Unveils New Architecture for DDoS
• IP Blocking & Rate Control: IP blocking & rate limiting capabilities at network layer
• Web Application Firewall: Web application firewalling at Layer 7 (application layer)
• eDNS w/DNSSEC: Scalable protection for Domain Name System (DNS) attacks
• Global Traffic Management: Blocking of traffic by geographic region
• User Validation: Identification of suspected bots from real users to de-prioritize or block
• Site Shield: Ability to cloak web infrastructure from the Internet
• DoS Readiness: DDoS specialists to assess infrastructure and develop a run-time playbook
• Customer Support: 24/7 support with a response SLA
• Advanced Caching, NetStorage + Failover: Akamai’s edge absorbs traffic and can fail over
• Fee Protection: Capped exposure to bursting fees related to an attack
Observations
Attacks are sophisticated
Attacks are long: 3 Day Duration
Attacks are large:
• 300,000+ Attack IPs
• 7+ Billion Total Page Views
• 200+ Tbytes
• Equal to 50 STM16 and 2,500 Servers
Attacks are fast:
• Traffic to a single site reached 100 Gbps in just four hours
Attacks are EXPENSIVE
• $15 Million in 3 days!
Distributed Defenses for Distributed Attacks!