A DDoS Security Control Framework, Version 1.0

Student name: Lars Drost
Student #: 1673726
Thesis number: 2040
Date: 31 March 2015
Version: 1.0 Final
A DDoS Security Control Framework
2
Vrije Universiteit Amsterdam (VU), Faculty of Economics and Business Administration

POSTGRADUATE THESIS
A DDoS Security Control Framework, October 2014 – March 2015

AUTHOR
Lars Drost, MSc. (1673726), Lange Vijfmatlaan 64, 2035 LG Haarlem, [email protected]

THESIS SUPERVISOR
Paul Harmzen RE RA, Partner Control Solutions International, De Boelelaan 1105, 1081 HV Amsterdam, [email protected]

SECOND SUPERVISOR
ir. Shyam Soerjoesing RE CISA, Senior Manager IT Risk & Assurance, Antonio Vivaldistraat 150, 1083 HP Amsterdam, The Netherlands

© Copyright 2015. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or stored in any information storage and retrieval system, without permission in writing from the author.
PREFACE

This research marks the end of the Postgraduate IT Audit degree of the Vrije Universiteit Amsterdam (VU). The research process has been a process that went through ups and downs. In the beginning of the research it was difficult to find literature that was suitable for the topic chosen. There is no framework in whatever form that specifically deals with DDoS. Much of the academic literature deals with types of attacks or measures that can be taken, but these elements needed to be put together to establish a DDoS-specific framework. When I found the NIST framework, which is used as a basis for the DDoS Security Control Framework established in this research, the research started to take off.

DDoS is a topic which has become more noticeable for everyone and has become an actual threat for organizations. By means of this research I wanted to offer organizations a framework which could give them guidance on how to deal with DDoS attacks and improve their DDoS strategies.

During this research I received support from several persons whom I would like to thank. The first person I would like to thank for his support is my Thesis Supervisor at the VU, Paul Harmzen. Paul has been very patient with me and has kindly provided his view and constructive input on certain elements included in the report and the report as a whole.

I also want to extend my gratitude to Shyam Soerjoesing. Shyam is Senior Manager IT Risk & Assurance at EY and has been one of my biggest supporters during this research. He has invested much of his time in brainstorming with me and discussing the framework itself and separate elements included in or underlying the framework. Without him this research would not have been such an experience as it has been now.

Furthermore, I wish to express my sincere thanks and appreciation to all the interviewees from Ziggo, KNAB and EY for taking the time to take part in the interviews despite their busy schedules and to provide me with valuable insights to enhance the framework to what it has become.

Finally, I would like to thank my family who have been motivating me from the very beginning to finalize my thesis. Special thanks go to my girlfriend, Sabien, who has provided me the time and support needed to be able to complete this thesis.

L. (Lars) Drost, MSc.
TABLE OF CONTENTS

1 INTRODUCTION ... 6
1.1 Research Context ... 6
1.2 Problem Definition ... 6
1.3 Research Questions ... 8
1.4 Academic Relevance ... 8
1.5 Stakeholders ... 8
1.6 Research Scope ... 9
2 RESEARCH METHODOLOGY ... 10
2.1 Research Design ... 10
2.2 Research Process ... 10
2.3 Structure Of This Thesis ... 11
3 THEORETICAL BACKGROUND ... 12
3.1 What is a DDoS attack? ... 12
3.2 The OSI model ... 13
3.3 The layering technique of the OSI model ... 15
3.4 Different types of DDoS attacks ... 16
3.4.1 Attacks on the application layer ... 16
3.4.2 Attacks on the presentation layer ... 16
3.4.3 Attacks on the session layer ... 17
3.4.4 Attacks on the network and transport layer ... 17
3.4.5 Attacks on the data link layer ... 18
3.4.6 Attacks on the physical layer ... 18
4 THE RISKS OF DDOS ... 19
4.1 Types of DDoS attacks ... 19
4.1.1 Volumetric attacks ... 19
4.1.2 Network layer attacks ... 19
4.1.3 Application layer attacks ... 19
4.1.4 Attacks on layer 3, 4 and 7 ... 20
4.2 Different types of risks ... 20
4.2.1 Operational Risk ... 20
4.2.2 Reputational Risk ... 20
4.2.3 Data integrity Risk ... 21
4.2.4 Fraud Risk ... 21
4.3 Conclusion ... 21
5 ESTABLISHING THE FRAMEWORK ... 22
5.1 Framework for Improving Critical Infrastructure Cybersecurity ... 22
5.2 A dynamic framework ... 23
5.3 A dynamic DDoS Security Control Framework ... 25
5.3.1 The ‘Identify’ level ... 26
5.3.2 The ‘Protect’ level ... 27
5.3.3 The ‘Detect’ level ... 29
5.3.4 The ‘Respond’ level ... 31
5.3.5 The ‘Recover’ level ... 33
5.3.6 The ‘Assess’ level ... 34
5.3.7 The ‘Adjust’ level ... 35
5.4 How does the DDoS Security Control Framework cover the identified risks ... 36
5.5 How to apply the DDoS Security Control Framework ... 37
6 VERIFICATION AND VALIDATION OF THE DDOS SECURITY CONTROL FRAMEWORK ... 38
6.1 Verification and validation definition ... 38
6.2 Approach ... 38
6.3 Results ... 39
6.4 Conclusion ... 40
7 CONTRIBUTION AND CONCLUSION ... 41
7.1 Contribution ... 41
7.2 Conclusion Per Sub-Question ... 41
7.2.1 What is a Distributed Denial-of-Service attack and why does this trend require proper considerations? ... 42
7.2.2 What are the security risks and impact imposed by Distributed Denial-of-Service attacks? ... 42
7.2.3 Which controls can be implemented to minimize the impact of risks related to Distributed Denial-of-Service Attacks? ... 43
7.3 Conclusion On The Main Research Question ... 43
7.4 Further Research ... 43
8 APPENDIX ... 45
8.1 Bibliography ... 45
8.2 Subject Matter Experts ... 47
8.3 List of figures ... 47
8.4 List of Tables ... 47
8.5 DDoS Quick Guide ... 48
1 INTRODUCTION

This chapter provides a short introduction to this thesis. It describes the problem which is central to this thesis and introduces the research questions that need to be answered. This chapter also highlights the overall context of this research and its academic relevance, and defines the scope of and stakeholders to this research.

1.1 Research Context

This thesis is a mandatory part of the Postgraduate degree of Register IT Auditor at the Vrije Universiteit Amsterdam, hereafter called VU. This thesis was written under the supervision of mr. P. Harmzen (FEWEB). Ernst & Young LLP, hereafter called EY, requires that its IT auditors obtain this degree in order to become a registered IT auditor. Due to this requirement, this degree forms a mandatory component of the personal development plan within the organization. The clients of EY are also confronted with a growing number of DDoS attacks. Therefore, the results of this research are relevant for the clients and for the work of an IT auditor, to ensure that the IT security of organizations is set up, monitored and assessed correctly.

1.2 Problem Definition

During the years 1997 till 2000 the internet hype skyrocketed and organizations were eager to make use of all opportunities the internet had to offer them. The internet and its integration in the commercial and business world dramatically changed the way organizations do business nowadays. There are organizations that solely conduct their business on the internet, the so-called e-businesses, such as online auctions, social media organizations and online brokers. Besides the pure e-business organizations there are also organizations that use the internet as one of their primary sales and/or service channels, for example banks that offer their clients the possibility of online banking, organizations that offer online gaming and organizations that offer booking services. Because organizations have massively embraced the internet, organizations also became dependent on the internet and their IT systems (Smits, 2011).

Threats to the network and information security of organizations have existed since the dawn of the information age, but the complexity and the scale of attacks on network and information security have grown and become more intense. In recent years, organizations have been confronted with enormous challenges with regard to protecting and defending their vulnerable networks. Now that cyber-crime has become more lucrative, and far less risky, than illegal drug trafficking, it is hardly surprising that the level of criminal talent devoted to the Internet has risen tremendously (Symantec, 2009). Consequently, threat levels and attack impact have skyrocketed. For example, in just a few years, Distributed Denial-of-Service (DDoS) attacks have jumped in size from dozens to hundreds of gigabits per second (Prolexic, 2013) (Prolexic, 2014) (Arbor Networks, 2014).
Recent study shows why DDoS attacks have skyrocketed over the last few years. Nowadays everybody can buy a DDoS attack service online for a price as low as 10 US$ for one hour, 150 US$ for an attack for a week and 1,200 US$ for an attack for a month (Goncharov, 2012) (Arbor Networks, 2013). Besides the opportunity to buy a DDoS attack, there is also the possibility to buy your own DDoS botnet for prices up to 700 US$ (Goncharov, 2012). These developments make it relatively easy for anyone to launch a DDoS attack. Based on this information the question is not if a company will be attacked by DDoS, but when a company will be attacked.

Verisign (Verisign, 2012) conducted an online survey amongst 225 IT executives and decision makers in the US from large and medium-sized organizations. More than half of the respondents (53 percent) experienced web infrastructure downtime in the past year, with DDoS attacks accounting for one third (33 percent) of all downtime incidents (please refer to figure 1). A surprising 15 percent of the 76 percent of respondents with an e-commerce platform reported having no DDoS solution in place, while 33 percent reported they had experienced three DDoS attacks in the past 12 months that lasted 7 hours on average. Of those who experienced DDoS attacks, three-quarters reported that impact on their customers has been the most common consequence, followed by impact on brand and revenue loss (please refer to figure 2).

Figure 1: Reasons for web infrastructure downtime over the last 12 months (2012): network outage 65%, power failure 51%, DNS failure 41%, hacker attack 37%, (D)DoS attack 33%

Figure 2: Most common consequences of DDoS attacks: impact on customer 75%, impact on brand 68%, revenue loss 65%

Due to these developments the risk of becoming a target of a DDoS attack has become huge and should not be underestimated. It is of significant importance that organizations implement security controls and (counter)measures to deflect and minimize the impact of a DDoS attack, as it can severely compromise the availability of their business and will lead to customer impact, employee productivity impact and revenue loss (Verisign, 2012).

This thesis aims to provide an insight into the different DDoS attack techniques and the risks associated with these attacks, and to design a comprehensive security control framework that can be used by organizations to implement controls and measures to deflect and minimize the impact of a DDoS attack and that enables IT auditors to audit DDoS security control frameworks.
1.3 Research Questions

This study will answer the following main research question:

With what control framework can security be improved to mitigate identified risks related to Distributed Denial-of-Service Attacks?

The main research question is subdivided into several sub-questions:

1) What is a Distributed Denial-of-Service attack and why does this trend require proper considerations?
2) What are the security risks and impact imposed by Distributed Denial-of-Service attacks?
3) Which controls can be implemented to minimize the impact of risks related to Distributed Denial-of-Service Attacks?
1.4 Academic Relevance

Besides the economic and practical relevance, this research also has an academic relevance. This research aims to improve an existing (cyber-security) framework by integrating relevant, existing theories. The DDoS Security Control Framework, which is the end product of this thesis, provides a framework for organizations and also provides more insight into DDoS attacks and protection measures, and because of this, room for discussion and reflection on these attacks and the protection measures identified in academic literature.
1.5 Stakeholders

Based on the previous, the following stakeholders to this research can be identified: main stakeholders and other stakeholders.

Main stakeholders: stakeholders that have a direct benefit from this research.
· Post Graduate IT Audit Department of the VU; their interest lies in the contribution this research makes to the academic relevance of this research field.
· EY IT Risk and Assurance (ITRA) practice; within the ITRA practice there is a group which focusses on IT Security solutions. As there is no standard security control framework for DDoS at this time, their interest lies in the DDoS security control framework. The framework offers them insights that will lead to new advisory and audit opportunities within the field of IT Security.

Other stakeholders: stakeholders that have a general interest or a need for further research.
· NOREA, the professional association for IT auditors; DDoS attacks have already been pinpointed as one of the risks that need attention within the field of IT Audit.
· (External) IT Auditors; the framework will provide them with guidance to provide advisory and audit services related to the DDoS domain.
· Organizations which offer web services; the DDoS Security Control Framework will provide them guidance and insights on which control measures to implement and how to maintain their framework to be able to deflect and/or minimize the impact of a DDoS attack.
1.6 Research Scope

The aim of this research is to develop a ‘building block’ for the IT control framework which specifically focuses on DDoS. Therefore, it is assumed that an IT control framework is already in place which contains the fundamental organizational, procedural and technical controls based on a well-known and accepted framework, for example COBIT. Because of this aim this thesis will only focus on DDoS measures and not on any other (cyber-)security related issues.
2 RESEARCH METHODOLOGY

In this chapter the focus will be on the research design, the preparations taken, the data collected and the analysis and sharing of this research.

2.1 Research Design

The research design is the conceptual structure of this research and forms a blueprint on how to achieve the overall objective and answer the relevant research questions. A proper documentation of this process allows other researchers to adapt and replicate this research by providing sufficient information. To make sure that this is a proper research that meets the relevant academic standards, the case study approach of Robert K. Yin is chosen as research design. This approach contains a collection of scientific methods which enables a researcher to achieve the research objective (Yin, 2013). The case study approach is comprised of the following processes:

Figure 3: A visual representation of the case study approach

2.2 Research Process

Now that the research design has been chosen, the specific activities relevant for this research need to be set out. These activities form a path which needs to be followed during the research period and set out the goals and objectives that need to be achieved along the way and in the end. Figure 4 provides a conceptual schema of this research process.
Figure 4: A schematic overview of the research process. The diagram shows the phases PLAN, DESIGN & PREPARE, COLLECT, ANALYSIS and SHARE, and maps the following steps onto them, each with the chapter in which it is documented and the research question it serves:

· CH01: Define problem, research question, objectives & goals
· CH02: Define Research Design
· CH02 (planning): Prepare planning for execution
· CH03: Literature Study – Distributed Denial-of-Service Attacks. Goal: SQ1 (What is a Distributed Denial-of-Service attack and why does this trend require proper considerations?)
· CH04: Risk Assessment of Distributed Denial-of-Service Attacks. Goal: SQ2 (What are the security risks and impact imposed by Distributed Denial-of-Service attacks?)
· CH05: Security Control Framework for Distributed Denial-of-Service Attacks. Goal: SQ3 (Which controls can be implemented to minimize the impact of risks related to Distributed Denial-of-Service Attacks?)
· CH06: Verification and validation of the DDoS Security Control Framework (Case Study)
· CH07: Conclusion. Goal: MRQ (Main Research Question: With what control framework can security be improved to mitigate identified risks related to Distributed Denial-of-Service Attacks?)
2.3 Structure Of This Thesis

This thesis consists of five chapters that cover the previously described research process.
· Chapter 3 provides a theoretical background to the research. This chapter introduces the theories used in this thesis to establish and modify the DDoS Security Control Framework.
· Chapter 4 provides an overview of the most important risks associated with DDoS.
· Chapter 5 describes the steps taken to develop and establish the DDoS Security Control Framework and the framework itself.
· Chapter 6 describes the verification and validation of the DDoS Security Control Framework. The framework is verified and validated by interviews conducted with subject matter experts in the field of DDoS and cyber security.
· Chapter 7 describes the economic and academic contribution made by this research and the answers to the research questions described in chapter 1 of this thesis.
3 THEORETICAL BACKGROUND

This chapter describes the theoretical background to the main research question. This chapter provides a brief overview of what a DDoS attack is and the different types of DDoS attacks that can be performed. To provide an understanding of the types of attacks, the OSI layers are added to the context, which provides insight into the location of the attack. Finally a brief overview of the attack types per layer is described.

The Open System Interconnection Reference Model, or OSI model in short, will form the basis of this chapter. The reason for choosing the OSI model as the basis for this chapter is that the OSI model is a commonly accepted standard and the best-known and most referred-to network model (Fitzgerald & Dennis, 2009), which makes this thesis more accessible to read since most people will be familiar with this model. The OSI model will be discussed in more detail in this chapter, but first the basic question ‘what is a DDoS attack?’ will be discussed.

3.1 What is a DDoS attack?

A DDoS attack, also known by its full name ‘distributed denial-of-service’ attack, is a “large-scale, coordinated attack on the availability of services on a victim’s system or network resources, launched indirectly through many compromised computers on the Internet” (EC-Council, 2010). The services that are being attacked are the services of the victim, also known as the ‘primary victim’. The compromised systems that are used for the launch of the attack are often seen as ‘secondary victims’, since the attack (mis)uses the compromised systems to wage a larger and more disruptive attack while in the meantime also shielding the hacker, which makes it more difficult for the primary victim or the authorities to track the hacker down.

An attack generally consists of four steps. The first step is that the DDoS attacker writes a virus that will send ping packets to a target network or a website. The second step is to infect as many systems as possible and make them into so-called ‘zombies’. The third step is to launch the attack by waking up the zombie systems, and the last step is that the zombie systems will attack the target website or network until it is disinfected (EC-Council, 2010) (McDowell, 2013).
Figure 5: A visual representation of a DDoS attack (Science & Lifestyle, 2012)

Now that the basic principles of a DDoS attack have been discussed, the focus will be on the OSI model and the different categories and types of DDoS attacks.

3.2 The OSI model

In 1947 the International Standard Organization, better known as ‘ISO’, was established. The goal of ISO is to reach a worldwide agreement on international standards. Due to the need for worldwide standards for heterogeneous information networks, ISO in 1977 established a new subcommittee for the open systems interconnection (SC16). The objective of SC16 was to come up with standards that were required for open systems interconnection. Discussions in this committee led to a layered architecture that could meet the current requirements for open systems interconnection, but could also be expanded in the future when needed. In 1983 this layered architecture was introduced by ISO as the OSI model. The OSI model covers all elements of network communication and can be used for understanding and designing a network that is flexible, interoperable and robust (Tanenbaum, 2002).
The OSI model consists of seven layers:

Figure 6: The seven layers of the OSI model
7. Application Layer
6. Presentation Layer
5. Session Layer
4. Transport Layer
3. Network Layer
2. Data Link Layer
1. Physical Layer

The layers of the OSI model will be separately discussed below in more detail (Tanenbaum, 2002) (Blank, 2004) (Fitzgerald & Dennis, 2009):

Physical layer
This layer determines how bits of data that are sent and received are moved along the network. This layer takes bits of data off the wire and puts them on the wire. Examples of the physical layer are Ethernet and FDDI.

Data Link layer
In this layer the data is prepared for delivery to the network. The data link layer consists of two sub-layers: (I) the logical link control or LLC sublayer and (II) the media access control or MAC sublayer. The LLC sublayer is the interface between the network layer protocols and the media access method, such as a token or Ethernet. The MAC sublayer is in charge of the connection to the physical media, such as the coaxial cabling. Examples of the data link layer are PPP and IEEE 802.5/802.2.

Network layer
Routing is performed by the network layer. In this layer it is determined to which computer the message should be sent next to make it follow the best route possible through the network. Examples of the network layer are IP and IPX.

Transport layer
The end-to-end issues are dealt with by the transport layer. Logical connections for the transport of data between the place of origin and the final destination are established, maintained and terminated by this layer. It controls the flow of data to ensure that no system is overflowing with the data it receives. The transport layer together with the network layer forms one group of layers known as the ‘internetwork group’ or ‘internetwork layer’. Examples of the transport layer are TCP and SPX.

Session layer
Managing and structuring all sessions is the responsibility of the session layer. Sessions can be the performance of a security check but also transferring files from one application to another. Examples of the session layer are SQL and RPC.

Presentation layer
The formatting of the data for presentation to the user is done by the presentation layer. It gives more structure to the data that is being exchanged by formatting and editing the input and output of users. The main task of this layer is to make sure that the data exchanged is exchanged in a form that is understood by the receiving system. Examples of the presentation layer are JPEG and GIF.

Application layer
This layer provides network access to the end user. It manages the communication between applications. Everything in the application layer is application-specific and it provides services for network software services such as e-mail and websites. This is the layer of the model in which the applications request and receive data. Examples of the application layer are HTTP and FTP.
3.3 The layering technique of the OSI model

The layering technique used in the OSI model enables people to view open systems as systems logically composed of a succession of layers. Each layer is considered to be logically composed of a succession of subsystems. In the OSI system any layer is referred to as the (N) layer, while the layer above the (N) layer is referred to as the (N+1) layer and the layer below the (N) layer is referred to as the (N-1) layer. At each (N) layer, two layers (layer N peers) exchange protocol data units through a layer N protocol (Saxena, 2014).
Figure 7: The layering technique of the OSI model (the (N+1), (N) and (N-1) layers)
The basic principle of OSI layering is that each layer provides added value to the services provided by the layers below that particular layer. Based on this principle the highest layer constitutes the set of services which are needed for the distribution of applications (Saxena, 2014).

3.4 Different types of DDoS attacks

The basic idea behind a DDoS attack is to identify a weakness and create a mass exploit in an effort to compromise the system. Per layer of the OSI model different types of DDoS attacks can be identified. The National Cybersecurity and Communications Integration Center of the U.S. Department of Homeland Security published a DDoS Quick Guide (we refer to 8.5) (National Cybersecurity and Communications Integration Center, 2014). The DDoS Quick Guide provides an overview of the types of DDoS attacks per OSI layer. These techniques per layer and also some additional examples will be discussed below in more detail.

3.4.1 Attacks on the application layer

Attacks on the application layer concentrate around protocols such as HTTP. Two commonly known attacks are the HTTP POST attack and HTTP GET flooding.

HTTP POST attack
If an attacker launches a (slow) HTTP POST attack, the attacker sends POST headers with a legitimate “Content-Length” field that informs the web server of the amount of data that is arriving. Once the POST headers are sent, the message body is sent at a slow speed, which results in a gridlock of the connection and exhaustion of the server resources.

HTTP GET Flooding
An HTTP GET flooding attack is launched by sending a large number of HTTP GET requests to the target web server to exhaust the resources of the target web server (Yang, 2014). Due to the fact that these requests have legitimate content and are sent via normal TCP connections, the server treats these requests as normal requests until its resources are exhausted (Kim, 2013).
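As an added example that is not part of the thesis, the following Python script shows how a defender can recognise the two application-layer attacks just described from per-connection log samples: a slow POST is a connection whose received body stays far behind its declared Content-Length as time passes, and a GET flood is a source exceeding a request count inside a sliding time window. The log record format, the thresholds and the sample lines are constructed for this illustration and would need adapting to a real web server's logs.

```python
from collections import defaultdict
from typing import NamedTuple


class Sample(NamedTuple):
    """One periodic observation of a connection (hypothetical log record)."""
    t: float        # seconds since start of observation
    src: str        # client IP address
    conn: str       # connection identifier
    method: str     # HTTP method
    declared: int   # Content-Length announced in the request headers (0 for GET)
    received: int   # body bytes actually received so far


def parse_line(line: str) -> Sample:
    """Parse '<t> <src> <conn> <method> <declared> <received>'."""
    t, src, conn, method, declared, received = line.split()
    return Sample(float(t), src, conn, method, int(declared), int(received))


def parse_log(text: str) -> list:
    """Parse all non-empty, non-comment lines; samples are in time order."""
    return [parse_line(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def find_slow_posts(samples, min_age=30.0, max_rate=50.0):
    """Flag POST connections still incomplete after `min_age` seconds whose
    body has arrived at under `max_rate` bytes per second on average: the
    declared Content-Length looks legitimate, the delivery pace does not."""
    first, last = {}, {}
    for s in samples:
        if s.method != "POST":
            continue
        first.setdefault(s.conn, s)   # earliest sample per connection
        last[s.conn] = s              # latest sample per connection
    flagged = []
    for conn, first_s in first.items():
        last_s = last[conn]
        age = last_s.t - first_s.t
        if age < min_age or last_s.received >= last_s.declared:
            continue                  # too young to judge, or body completed
        rate = (last_s.received - first_s.received) / age
        if rate < max_rate:
            flagged.append((conn, last_s.src, round(rate, 1),
                            last_s.received, last_s.declared))
    return flagged


def find_get_floods(samples, window=10.0, threshold=50):
    """Flag sources issuing more than `threshold` GET requests inside any
    `window`-second interval (two-pointer sliding window per source)."""
    times = defaultdict(list)
    for s in samples:
        if s.method == "GET":
            times[s.src].append(s.t)
    flagged = {}
    for src, ts in times.items():
        ts.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            flagged[src] = peak       # highest request count seen in one window
    return flagged


# Constructed sample log: one slow POST (c1), one normal POST (c2), two ordinary
# GETs, and 120 GETs from a single source within twelve seconds.
SAMPLE_LOG = "\n".join(
    ["# t src conn method declared received",
     "0  203.0.113.7  c1 POST 100000 20",
     "30 203.0.113.7  c1 POST 100000 40",
     "60 203.0.113.7  c1 POST 100000 60",
     "0  198.51.100.2 c2 POST 4096 1024",
     "2  198.51.100.2 c2 POST 4096 4096",
     "5  198.51.100.2 c3 GET 0 0",
     "9  198.51.100.2 c4 GET 0 0"]
    + [f"{i * 0.1:.1f} 203.0.113.9 g{i} GET 0 0" for i in range(120)]
)
SAMPLES = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for conn, src, rate, got, declared in find_slow_posts(SAMPLES):
        print(f"slow POST {conn} from {src}: {got}/{declared} bytes at {rate} B/s")
    for src, peak in find_get_floods(SAMPLES).items():
        print(f"GET flood from {src}: {peak} requests in a 10 s window")
```

The thresholds are illustrative: a legitimate client on a poor link also delivers a body slowly, so tune `min_age`, `max_rate` and `threshold` against the server's own baseline before acting on a flag.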
3.4.2 Attacks on the presentation layer
Attacks on the presentation layer are malformed Secure Sockets Layer (SSL) attacks. SSL provides security for web services and nowadays most online transactions are protected by SSL. After the TCP handshake has completed, an SSL handshake takes place in which messages are exchanged between both communicating entities to validate their authenticity and to negotiate the session keys. Several attacks misuse this SSL handshake to exhaust server resources. One example is the 'Pushdo' botnet attack. This type of attack sends garbage data to the target SSL server, which generates extra workload for the server because it has to process the garbage data as if it were a legitimate handshake. As a result the server may restart the SSL connections or even stop accepting them at all (Kumar, 2004).
3.4.3 Attacks on the session layer
Attacks on the session layer exploit the logon and logoff protocols. An example of an attack on the session layer is a Telnet attack. A Telnet application enables a system to communicate remotely with a counterpart. Telnet attacks can be sub-divided into three categories: (i) Telnet communication sniffing, (ii) Telnet brute force attack and (iii) Telnet DoS (Denial of Service). Since the last category concerns (single-source) DoS attacks, this category will not be discussed.

Telnet communication sniffing
Because the Telnet protocol lacks encryption it is very easy for an attacker to sniff the communication between the network device and the remote device, since it is in plain text. An attacker can see how the device is configured and which password was used to gain access to the device. Because of this problem SSH, which does encrypt the communication, is now used by default in many cases, which has made this attack less effective.

Telnet brute force attack
When an attacker wants to gain remote access to a network switch the attacker can use a Telnet brute force attack. To retrieve the password used, the attacker writes a program that repeatedly tries to establish a Telnet session, using for example a dictionary or sequential character combinations, in an attempt to guess the password and gain access (Popeskic, 2011).
3.4.4 Attacks on the network and transport layer
Attacks on the network and transport layer, also known as network infrastructure attacks, typically consist of an extremely high number of packets or a large volume of data, with the goal of consuming bandwidth, slowing down the web server and preventing users from getting access. SYN flood attacks, teardrop attacks and Internet Control Message Protocol (ICMP) flooding are layer 3 and 4 attacks.

When an attacker starts a SYN flood attack he sends a very large number of SYN (synchronize) packets to the host system, often from spoofed source addresses, but never completes the three-way handshake. This results in half-open (phantom) connection requests that fill the target's connection backlog, making it unable to respond to real SYN requests.

A teardrop attack is an attack in which the attacker sends fragments, or 'teardrops', of packets to the target. These fragments contain bad values (overlapping or oversized fragment offsets). Because of these bad values the target system crashes when it tries to reassemble the fragments.

ICMP flooding is an umbrella term for a variety of attacks that use ICMP. Examples of ICMP flooding attacks are the Smurf attack, the Ping of Death and the ping flood:

Smurf attack
In a Smurf attack the attacker uses a software program to send ICMP echo requests to the broadcast address of a large number of networks on the Internet, with the source address spoofed to be the victim's address. By default most network devices respond to this by sending an echo reply, and all of those replies are sent to the victim. Due to the large number of responses the victim's system crashes or is paralyzed (Cao, 2014).

Ping of Death
In case of a 'Ping of Death' the attacker sends an extremely large echo packet to its target, i.e. a packet (reassembled from fragments) of a size of which he knows the target cannot handle it. As a result, the target crashes.

Ping flood
The ping flood is related to the 'Ping of Death'. In case of a ping flood an extremely high number of ICMP echo request packets is sent to the target by the attacker with the goal of overwhelming the target. Nowadays the ping flood is no longer useful as a DoS attack from a single source, but as a DDoS attack it has still proven to be a very effective attack because of the large number of coordinated source systems attacking one single target (Easttom, 2014).
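A SYN flood succeeds because the server allocates state for every SYN it receives. The following Python script is an added example (not code from the thesis or from any operating system) of the SYN-cookie technique used by SYN proxies, which chapter five introduces as measures P1.9 and P1.14: the server encodes a time slot, an MSS index and a keyed hash into the initial sequence number of its SYN/ACK, stores nothing, and only creates a connection when an ACK carrying a valid cookie comes back. The secret key, the server address 198.51.100.10 and the client addresses are constructed for the example, and 'slot' stands for whatever coarse clock (for instance a 64-second counter) an implementation uses.

```python
# Added example: SYN cookies, so a listener keeps no state for unanswered SYNs.
# Not code from the thesis or from any OS; secret, addresses and ports are constructed.
import hashlib
import hmac

MSS_TABLE = (536, 1220, 1440, 1460)            # MSS values that fit in the 3-bit index
SECRET = b"example-only-rotate-me"              # assumption: per-host secret, rotated regularly
MAX_AGE = 2                                     # cookies accepted for at most 2 time slots
SERVER_IP, SERVER_PORT = "198.51.100.10", 443   # constructed server endpoint


def _mac(saddr, daddr, sport, dport, client_isn, slot):
    """24-bit keyed hash binding the cookie to this 4-tuple, client ISN and slot."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{client_isn}|{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, slot):
    """ISN for the SYN/ACK: 5 bits of slot, 3 bits of MSS index, 24 bits of MAC."""
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss], default=0)
    mac = _mac(saddr, daddr, sport, dport, client_isn, slot)
    return ((slot & 0x1F) << 27) | (mss_idx << 24) | mac


def check_cookie(saddr, daddr, sport, dport, client_isn, cookie, now):
    """Validate a cookie echoed back in an ACK; return the MSS to use, or None."""
    slot_bits = (cookie >> 27) & 0x1F
    slot = now - ((now - slot_bits) & 0x1F)     # most recent slot with these low 5 bits
    if now - slot > MAX_AGE:
        return None                             # expired, replayed, or a guessed value
    if (cookie & 0xFFFFFF) != _mac(saddr, daddr, sport, dport, client_isn, slot):
        return None                             # MAC mismatch: forged or wrong 4-tuple
    return MSS_TABLE[(cookie >> 24) & 0x7]


class CookieListener:
    """Listening socket that allocates state only for completed handshakes."""

    def __init__(self):
        self.established = []

    def on_syn(self, saddr, sport, client_isn, mss, now):
        # Nothing is stored here: the cookie is the only 'state', carried by the client.
        return make_cookie(saddr, SERVER_IP, sport, SERVER_PORT, client_isn, mss, now)

    def on_ack(self, saddr, sport, seq, ack, now):
        client_isn, cookie = seq - 1, (ack - 1) & 0xFFFFFFFF
        mss = check_cookie(saddr, SERVER_IP, sport, SERVER_PORT, client_isn, cookie, now)
        if mss is None:
            return False
        self.established.append((saddr, sport, mss))
        return True


def simulate(flood_size=10_000):
    """Flood the listener with spoofed SYNs, then try legitimate, forged and stale ACKs."""
    srv = CookieListener()
    for i in range(flood_size):                 # spoofed SYNs that are never acknowledged
        srv.on_syn(f"203.0.113.{i % 256}", 1024 + i, i * 7919, 1460, now=50)
    isn = srv.on_syn("192.0.2.7", 40000, 123456, 1460, now=50)
    legit = srv.on_ack("192.0.2.7", 40000, seq=123457, ack=(isn + 1) & 0xFFFFFFFF, now=51)
    forged = srv.on_ack("192.0.2.8", 40001, seq=1, ack=0xDEADBEEF, now=51)
    stale = srv.on_ack("192.0.2.7", 40000, seq=123457, ack=(isn + 1) & 0xFFFFFFFF, now=60)
    return {"legit": legit, "forged": forged, "stale": stale,
            "established": len(srv.established)}


if __name__ == "__main__":
    print(simulate())
```

Running the script throws ten thousand spoofed SYNs at the listener without a byte of state being kept; afterwards the one client that finishes the handshake is accepted, a guessed acknowledgement number is rejected, and a replay of the valid ACK after the time window is rejected as well. The price of the technique is that TCP options not encoded in the cookie (here everything except a coarse MSS) are lost for connections set up while cookies are in use, which is why real stacks only switch them on once the backlog is under pressure.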
3.4.5 Attacks on the data link layer
MAC flooding is an attack targeting the data link layer. MAC flooding is launched to compromise the security of network switches. The MAC flooding is caused by sending a huge number of frames (for example ARP replies), each of them containing a different source MAC address, to the switch. As a result the CAM table (the MAC address table) of the switch overflows. When the switch is flooded, it falls back into so-called 'hub mode': frames for addresses it can no longer look up are forwarded to every port, i.e. to every computer connected to the network. After a successful MAC flooding attack, an attacker can use a so-called sniffer to retrieve sensitive data that is transmitted between network hosts, which would not be possible with a switch that is functioning normally (Baloch, 2014).
3.4.6 Attacks on the physical layer
Attacks on the physical layer are attacks that result in physical destruction, obstruction, manipulation or malfunction of physical assets. An example of an attack on the physical layer is to launch a relatively simple DDoS attack targeting wireless networks by jamming or interfering with the communication within these wireless networks (Gu, 2012).
4 THE RISKS OF DDOS
In order to set up an effective framework and, with that, effective measures to fight off a DDoS attack, it is essential to understand the various DDoS methods. Currently, a wide range of DDoS attacks can be identified that are used by attackers. These DDoS attacks, of which several were discussed in chapter three, can broadly be divided into three types.
Figure 8: Types of DDoS attacks (figure: volumetric attacks, network layer attacks and application layer attacks)
4.1 Types of DDoS attacks
4.1.1 Volumetric attacks
In case of volumetric attacks the attacker sends a large amount of data to the targeted host in order to saturate its bandwidth. These attacks usually come in the form of UDP floods or ICMP floods (as discussed in chapter three). Volumetric attacks are the least sophisticated attacks, as they simply overwhelm the host with data and do not rely on, for example, weaknesses in applications. Despite this, volumetric attacks are often very effective. Even if the traffic is easily filtered, it remains difficult and also expensive for organizations to handle such large amounts of data effectively.
4.1.2 Network layer attacks
Network and transport layer attacks, also known as layer 3/4 attacks, make use of packets that are specifically crafted to make processes resource intensive, to make target devices respond slowly and/or to disrupt TCP state information. Examples of these attacks are SYN floods (which exhaust TCP connection state at layer 4) and teardrop attacks (which exploit IP fragment reassembly at layer 3), as discussed in chapter three. These attacks use much less bandwidth than volumetric attacks and make use of flaws in the protocols applicable to layers 3 and 4.
4.1.3 Application layer attacks
Application layer attacks, or layer 7 attacks, make use of weaknesses in an application, for example by exploiting layer 7 commands (requests) that cause the application to slow down or even crash, so that the service of the application is disrupted. Most application layer attacks target HTTP. Layer 7 attacks are much more difficult to filter than layer 3/4 attacks, because each request looks legitimate on its own, and therefore require additional measures, such as changes to the web applications themselves.
4.1.4 Attacks on layers 3, 4 and 7
As described above, almost all DDoS attacks initiated nowadays target either the network and transport layers (volumetric attacks and network layer attacks) or the application layer (application layer attacks). The number of layer 7 attacks is increasing. This can be explained by the fact that layer 3/4 attacks are more easily detected and filtered, which makes the chance of success of a layer 7 attack much higher than that of a layer 3/4 attack. Layer 7 attacks are more sophisticated and can be very effective from a protocol perspective and at low traffic rates, because the attack traffic is often 'seen' as legitimate. Based on the attack vectors described above, the layers that are most at risk are the network, transport and application layers. The protective measures discussed in chapter five and in the DDoS Security Control Framework will therefore focus on these three layers (Kostadinov, 2013).
4.2 Different types of risks
As a working assumption the following risk formula is used:

    Risk = Threat x Vulnerability x Impact

The attack descriptions in chapter three characterize the vulnerabilities. While threat levels and impact differ per organization, the resulting risks can be categorized into the following (most important) types of risk: (i) operational risk; (ii) reputational risk; (iii) data integrity risk and (iv) fraud risk. These types of risk are discussed below in more detail.
4.2.1 Operational risk
In almost all cases the goal of a DDoS attack is to make services unavailable. Depending on the type of services provided, DDoS attacks can have a (significant) impact on customers and on employee productivity. For example, a DDoS attack can make it impossible for customers to reach their online banking application or for employees to use their business applications. Because of the DDoS attack an organization is unable to provide its services. This can result in significant revenue losses when the services cannot be provided for a longer period of time or when the organization provides an essential service, and, where a service level agreement is in place and the affected organization is the service provider under that agreement, in a violation of the service level agreement. (Verisign, 2012) (Federal Financial Institutions Examination Council, 2012)
4.2.2 Reputational risk
Another important risk associated with DDoS attacks is reputational risk. If organizations cannot provide their services, customers are impacted and their experience with the service is affected negatively. When an organization is the target of multiple DDoS attacks, as has been seen with the large Dutch banks, customers will start rating the services as unreliable and even as below expectation. These negative experiences negatively impact the brand and image of the organization and the reputation the organization has with its customers and within the market. (Verisign, 2012) (Federal Financial Institutions Examination Council, 2012)
4.2.3 Data integrity risk
As systems are highly connected and dependent on internal and external data, connection disruptions or delays in data processing can impact data integrity. If one application in the business (data) processing chain is attacked, the other applications are no longer able to transfer data to the targeted application, and the targeted application is no longer able to transfer any data to the other applications within the business network. As a result the data held by the different applications may no longer be accurate, consistent or up to date.
4.2.4 Fraud risk
Besides the above-mentioned risks there is a real risk that is often overlooked, but that could impact a company severely. This risk occurs when an attacker uses a DDoS attack as a diversion to draw attention away from the actual goal. The DDoS attack can be coupled with a fraud attempt. In such cases organizations may also experience fraud losses, which might in turn result in liquidity and capital risks. For example, DDoS attacks have served as a diversionary tactic for criminals attempting to commit fraud using stolen customer or bank employee credentials to initiate fraudulent wire or automated clearing house transfers. (Federal Financial Institutions Examination Council, 2012)
4.3 Conclusion
To enable organizations to effectively use the DDoS Security Control Framework as set out in the next chapter of this thesis, it is essential that an organization is familiar with the different threats, vulnerabilities and impacts, which together translate into a specific risk for the organization and the services it provides. Familiarity with the DDoS methods enables the organization to recognize DDoS attacks, and familiarity with the DDoS risks makes the organization aware of its weaknesses and of the consequences associ ated with the risks. Together they enable an organization to mitigate the risks associated with DDoS attacks.
5 ESTABLISHING THE FRAMEWORK
The previous chapters discussed the different DDoS attacks per OSI layer and the risks they pose. These attacks pose a threat to the IT systems of governments, companies, institutions and other entities, since DDoS attacks not only result in IT disruptions but also, for example, in reputational damage. In order to become aware of the possible risks and to put effective measures in place, it is essential for entities to have a DDoS Security Control Framework in place.
5.1 Framework for Improving Critical Infrastructure Cybersecurity
The National Institute of Standards and Technology (NIST), a non-regulatory federal agency within the U.S. Department of Commerce, introduced the Framework for Improving Critical Infrastructure Cybersecurity on 12 February 2014. The NIST framework, which was created through collaboration between industry and the U.S. government, consists of standards, guidelines and practices to promote the protection of critical infrastructure. The NIST framework is designed to help owners and operators of critical infrastructure to manage cybersecurity-related risk (National Institute of Standards and Technology, 2014). The NIST framework consists of five main functions:

Figure 9: Framework for Improving Critical Infrastructure Cybersecurity by NIST
· Identify: Develop the organisational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
· Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
· Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
· Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
· Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

The NIST framework focuses on cybersecurity-related risks in general, which makes it too broad to be used as a DDoS-specific framework, since DDoS is only a small part of the cybersecurity-related risks faced by entities. The NIST framework provides organizations with structure and with the multiple approaches to cybersecurity that are known today, by assembling standards, guidelines and practices that are working effectively in the industry today. The fact that the NIST framework only covers the approaches that are known today makes it static by nature: it does not take into account any future changes, it only provides information about the current situation an entity is in with regard to cybersecurity-related risks.
5.2 A dynamic framework
To improve the NIST framework and the processes it contains, the Deming Cycle, also known as the PDCA cycle, is a tool that can be used. The Deming Cycle is a continuous improvement model to improve the quality of processes, which consists of four repetitive steps (Deming, 2000):

· Plan: design and revise business process components to improve results.
· Do: implement the plan and measure its performance.
· Check: study the results.
· Act: decide on the changes that need to be made to improve the process.

Figure 10: The Deming Cycle (figure: Plan, Do, Check and Act arranged in a circle)

If you review the NIST framework from a Deming Cycle perspective, the 'Identify' function together with a part of the 'Protect' function can be seen as the 'Plan' step. In case of DDoS you would identify, for example, which applications are in place and you would develop a plan to protect these applications against DDoS attacks. The 'revise' element of the 'Plan' step is not part of the NIST framework, due to its static nature. So a 'revise' element should be incorporated into the framework in order to make it more dynamic and compatible with the 'Plan' step of the Deming Cycle. The implementation as set out in the 'Do' step of the Deming Cycle is (partially) covered by the 'Protect', 'Detect' and 'Respond' functions of the NIST framework. The 'Check' step of the Deming Cycle is only partially covered by the 'Recover' function of the NIST framework. Due to the static nature of the NIST framework, the 'Recover' function only focuses on restoring the situation to the state before the DDoS attack occurred. The element of studying the results of the detection, response and recovery, and deciding which changes to make, is not included in the 'Recover' function of the NIST framework.
In order to make the NIST framework more dynamic and a better fit to the Deming Cycle, two new functions are introduced: 'Assess' and 'Adjust'. The new 'Assess' function should focus on determining whether the detection of and the responses to DDoS attacks are effective, and whether the recovery of the system after an attack is good enough. The results collected during the 'Assess' function are used as input for the 'Adjust' function. Based on these results the organization determines which changes need to be made to any of the other functions in order to improve its protection against, detection of, response to and recovery from a DDoS attack. Taking into account the changes to the NIST framework as described above, the dynamic framework looks as follows:
Figure 11: The seven function levels of the DDoS Security Control Framework
· Identify: Develop the organisational understanding to manage DDoS risk to systems, assets, data, and capabilities.
· Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
· Detect: Develop and implement the appropriate activities to identify the occurrence of a DDoS event.
· Respond: Develop and implement the appropriate activities to take action regarding a detected DDoS event.
· Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a DDoS event.
· Assess: Determine whether the previous DDoS functions functioned effectively and are able to cope with newly identified DDoS developments.
· Adjust: Determine which changes need to be made, based on the assessment results.

By adding the principles of the Deming Cycle to the existing model, the framework becomes more dynamic, but further steps need to be taken to make the framework more specific for DDoS.
5.3 A dynamic DDoS Security Control Framework
In paragraph 4.1 of this thesis the most important OSI layers, namely the network, transport and application layers, were identified, and in paragraph 4.2 the risks associated with DDoS attacks on these layers. The three OSI layers and the risks identified form the basis for determining which measures against DDoS attacks should be included in the framework. The framework consists of three levels:
1. The function level: this level consists of all the function phases of the dynamic framework as described in paragraph 5.2;
2. The control type level: this level consists of the types of controls described below; and
3. The measures per type of control.

Although DDoS attacks can be linked to the different OSI layers, a framework that strongly focuses on these OSI layers would only cover technical infrastructure components, which is too limited to establish a truly effective DDoS security control framework. Not only technical infrastructure components but also procedural components are important in the battle against DDoS attacks, as mitigating DDoS risks requires a combination of procedural and technical measures.

In order to keep the framework accessible and understandable for both technical and non-technical persons, the measures are not specified per OSI layer or per risk, but per type of control. The framework contains the following types of controls:
· Procedural controls, e.g. incident response processes, management oversight, security awareness and training;
· Technical controls, e.g. user authentication (login) and logical access controls, antivirus software, firewalls.

There are a number of measures that organizations can take in order to prevent DDoS attacks, to detect attacks when they happen and to respond to these attacks. The measures discussed in this research are adopted from existing research and publications: (Govcert.nl, 2006) (IntruGuard, 2008) (Govcert.nl, 2010) (Nationaal Cyber Security Centrum, 2012) (Nationaal Cyber Security Centrum, 2012) (National Cybersecurity and Communications Integration Center, 2014) (National Institute of Standards and Technology, 2014) (Verisign, 2014) and, where necessary, adjusted or expanded to make them suitable for this research and the specific topic it covers.
5.3.1 The 'Identify' level

Figure 12: The identify level (Identify: Develop the organisational understanding to manage DDoS risk to systems, assets, data and capabilities.)

Relevance
In order to create an environment in which DDoS attacks are effectively detected and responded to, it is essential that an organization is familiar with its network infrastructure, its data flows and the capacity within the network. To become familiar with these, an organization needs to develop an overview of its network and its key appliances. Only if an organization has such an overview can it effectively protect itself against DDoS attacks.

Goal
The goal of the measures at the 'Identify' level is to create a network scheme that contains all key appliances, data flows and the bandwidth between these appliances, and that enables an organization to identify weaknesses within its network. Furthermore, it helps an organization to create awareness that availability and even integrity cannot be taken for granted and require serious attention.

Measures
To enable an organization to pinpoint DDoS-related weaknesses within its network, certain steps need to be taken. These steps consist of measures that systematically map out the network components and identify the critical areas that need to be protected. Possible measures are identified in more detail below.

Control type: Procedural
I1.1  Physical devices and systems within the organization are inventoried.
I1.2  Software platforms and applications within the organization are inventoried.
I1.3  Organizational communication and data flows are mapped.
I1.4  External information systems are catalogued.
I1.5  Resources (e.g. hardware, devices, data and software) are prioritized based on their classification, criticality and business value.
I1.6  Roles and responsibilities for the entire workforce and third-party stakeholders (e.g. suppliers, customers, partners) are established.
I1.7  Future data center plans/roadmap: which elements are you planning to change? How will these affect the complexity of your data center and do they present any new risks? Adding new hardware or services comes with many known and unknown challenges.
I1.8  Identify the storage requirements to be able to maintain log data when under a DDoS attack.
I1.9  Based on the gathered data a risk assessment is performed to identify the DDoS-related risks within the IT environment, with the use of the overall network scheme. As part of this assessment organizations need to address their risk appetite, define the weaknesses within their network and determine the assets that require protection.

Table 1: Overview of possible measures at the identify level
5.3.2 The 'Protect' level

Figure 13: The protect level (Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.)

Relevance
The first step for an organization to protect itself against being targeted by a DDoS attack is to make itself as unattractive as possible for attackers to choose as their target. Numerous attacks are performed by hackers or script kiddies who use standard toolkits to perform their attack. The majority of attacks use well-known vulnerabilities, against which organizations can easily protect themselves. It is best compared to a burglar who seizes an opportunity based on the likelihood that one target is easier to break into than another. So do what lies within your span of control to make attackers go for your neighbours' property instead of yours.

Goal
The 'Protect' level focuses on the pre-emptive measures that can be implemented to safeguard an organization's network. The goal of these measures is, on the one hand, to minimize the number of opportunities for attackers to attack the organization. On the other hand, it helps an organization to prepare for DDoS attacks by having a response plan that tells it how to react, and by having the relevant techniques in place that give it the ability to cope with DDoS attacks.

Measures
To enable an organization to harden its network against DDoS attacks, protective measures need to be implemented. Possible protective measures are identified in more detail below.

Control type: Procedural
P1.1  Create baseline configurations of information technology/industrial control systems and maintain these baselines.
P1.2  Validate that information technology/industrial control systems are set up according to their respective baseline.
P1.3  DDoS response plans (incident response and business continuity) are in place and managed. These response plans need to be scenario-based and specify which measures need to be taken to deal with the specified DDoS scenario. Furthermore, they need to clearly specify who performs what, how and when, and who has the mandate to take certain decisions.
P1.4  DDoS recovery plans (incident recovery and disaster recovery) are in place and managed.
P1.5  The response and recovery plans are periodically tested (e.g. bulk volumetric testing).
P1.6  Agreements related to DDoS are in place with network providers to assist in blocking a DDoS attack.
P1.7  DDoS communication plans are in place and managed. These communication plans need to cover public relations, authorities and legal, and clearly specify who performs what, how and when.
P1.8  Define (technical) measures according to the outcome of the risk assessment performed as part of measure I1.9 within the 'Identify' level.

Control type: Technical
P1.9  A SYN proxy is implemented to ensure that under a SYN flood all connection requests are screened and only those that are legitimate (i.e. that complete the handshake) are forwarded to the server.
P1.10  Anomaly recognition: by performing anomaly checks on headers, state and rate, an appliance can filter out most attack packets that would otherwise pass simple firewall rules.
P1.11  Dark address prevention: packets with source IP addresses that are not (yet) assigned by IANA are blocked.
P1.12  White-lists and black-lists are maintained. Within a network there will always be some IP addresses that you want to deny or allow. White-listing and black-listing capabilities are useful during a DDoS attack to ensure that such rules are honoured despite rate violations.
P1.13  Connection limiting: by giving preference to existing connections and limiting new connection requests, you can temporarily give the server respite.
P1.14  Active verification: a SYN proxy combined with caching of verified legitimate IP addresses in a memory table for a limited period of time, after which their connections are let through without the SYN proxy. This must be combined with rate limiting, because zombies that are able to complete the three-way handshake would otherwise be passed through as well.
P1.15  Implement anti-spoofing measures (e.g. unicast Reverse-Path Forwarding (uRPF), bogon lists, access control lists (ACLs)) to prevent, or at least reduce the likelihood of, source IP spoofing (e.g. for NTP, SNMP, DNS, etc.).
P1.16  Firewalls are configured to apply filtering that monitors the traffic for certain protocols, such as FTP and HTTP, and examines whether the traffic conforms to the relevant RFCs.
P1.17  Firewall settings are configured that 'tell' the firewall what the normal behaviour of a particular traffic flow is, such as a maximum number of connections from one specific IP address.
P1.18  Systems are hardened to improve their performance during a DDoS attack; for this purpose the TCP/IP stack can be tuned. The following configuration changes improve that performance:
       · expansion of the TCP window size;
       · expansion of the buffers for half-open sockets and for open sockets that wait for an 'accept' by the application; and
       · reduction of the time-out value of the TIME_WAIT state.
P1.19  Implement adequate storage facilities to retain log files when under attack, to make it possible to perform forensics afterwards.
P1.20  Firewalls are configured such that they monitor the maximum number of connections made from one IP address.

Table 2: Overview of possible measures at the protect level
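The anti-spoofing measures P1.11, P1.12 and P1.15 above, together with the null route of R1.13 on the respond level, can be read as one decision procedure per incoming packet. The following Python script is an added example (not the thesis's code and not any router's implementation) that applies, in order, an access control list, a bogon list, a longest-prefix route lookup and a unicast reverse-path check against a constructed forwarding table: strict mode on the customer and LAN interfaces, loose mode on the upstream link. Interface names, prefixes, addresses and the ACL are all constructed; the RFC 5737 documentation ranges are left out of the bogon list only because the example uses them as its 'public' addresses.

```python
# Added example: ingress filtering against spoofed sources (bogon list, uRPF, ACL,
# null route). Not the thesis's code; table, policy, ACL and packets are constructed.
import ipaddress as ip

# Prefixes that must never appear as a source address on a public-facing interface.
BOGONS = [ip.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4")]

# Constructed forwarding table: (prefix, egress interface); the longest prefix wins.
ROUTES = [
    ("0.0.0.0/0", "upstream"),
    ("198.51.100.0/24", "lan"),          # the organization's own network
    ("203.0.113.0/24", "customer1"),
    ("203.0.113.128/25", "customer2"),   # more specific: a second customer
    ("192.0.2.0/24", "null0"),           # blackholed (null-routed) prefix, as in R1.13
]
FIB = sorted(((ip.ip_network(p), i) for p, i in ROUTES),
             key=lambda r: r[0].prefixlen, reverse=True)

# uRPF mode per ingress interface and whether a default route counts as 'a route'.
POLICY = {"upstream": ("loose", True), "customer1": ("strict", False),
          "customer2": ("strict", False), "lan": ("strict", False)}

# Constructed ACL, first match wins: (ingress interface, source prefix, action).
ACL = [
    ("upstream", "198.51.100.0/24", "deny"),    # our own addresses never arrive from outside
    ("upstream", "203.0.113.0/24", "deny"),     # nor our customers' addresses
    ("customer1", "203.0.113.7/32", "permit"),  # explicit allow-list entry for a known host
]


def best_route(addr):
    """Longest-prefix match; returns (prefix, interface) or None."""
    for net, iface in FIB:
        if addr in net:
            return net, iface
    return None


def ingress_filter(src, ingress):
    """Decide whether a packet with source `src` arriving on `ingress` is accepted.

    Returns (action, reason). Evaluation order: ACL, bogon list, route lookup, uRPF.
    """
    src = ip.ip_address(src)
    for iface, prefix, action in ACL:
        if iface == ingress and src in ip.ip_network(prefix):
            return ("drop" if action == "deny" else "accept", f"ACL {action}")
    if any(src in b for b in BOGONS):
        return "drop", "bogon source"
    mode, allow_default = POLICY[ingress]
    route = best_route(src)
    if route is None or (route[0].prefixlen == 0 and not allow_default):
        return "drop", "no route back to source"
    net, iface = route
    if iface == "null0":
        return "drop", "source is null-routed"
    if mode == "strict" and iface != ingress:
        return "drop", f"uRPF strict: {src} is reachable via {iface}, not {ingress}"
    return "accept", f"uRPF {mode} ok"


# Constructed packets: (source address, ingress interface).
SAMPLE = [
    ("203.0.113.5", "customer1"),     # customer 1 sending from its own range
    ("203.0.113.200", "customer1"),   # customer 1 spoofing customer 2's range
    ("203.0.113.130", "customer2"),   # customer 2, legitimate
    ("10.1.2.3", "upstream"),         # private address arriving from the Internet
    ("198.51.100.9", "upstream"),     # our own address arriving from the Internet
    ("192.0.2.77", "upstream"),       # source inside the blackholed prefix
    ("93.184.216.34", "upstream"),    # arbitrary public address standing in for the Internet
    ("203.0.113.7", "customer1"),     # host on the explicit allow-list
]


def filter_sample():
    """Apply the filter to SAMPLE; returns a list of (src, ingress, action, reason)."""
    return [(s, i, *ingress_filter(s, i)) for s, i in SAMPLE]


if __name__ == "__main__":
    for src, ingress, action, reason in filter_sample():
        print(f"{action:6s} {src:15s} on {ingress:9s} ({reason})")
```

In the sample, a customer sending from its own range passes, the same customer spoofing its neighbour's more specific prefix is dropped by strict uRPF, private and blackholed sources from the upstream are dropped, and the organization's own addresses arriving from outside are stopped by the ACL before any lookup. Strict mode must only be enabled on interfaces where routing is symmetric; on a multi-homed upstream it would discard legitimate traffic, which is why the upstream interface uses loose mode here and relies on the bogon list, the ACL and the null route instead.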
5.3.3 The 'Detect' level

Figure 14: The detect level (Detect: Develop and implement the appropriate activities to identify the occurrence of a DDoS attack.)

Relevance
Although organizations can take numerous measures to protect themselves against DDoS attacks, it is impossible to completely prevent them from happening. For these instances it is important that an organization is able to detect a DDoS attack. In this case detection does not mean 'our website is down, we are under attack!', but being able to pinpoint abnormal behaviour when it occurs. If abnormal behaviour is identified, it can be dealt with accordingly, to prevent an attack from reaching its goal of disrupting a service.

Goal
This level focuses on implementing measures that enable an organization to identify an attack as soon as possible, which enables it to respond adequately and to minimize the impact of the DDoS attack.

Measures
To enable an organization to detect DDoS attacks, detection measures need to be implemented. Possible detection measures are identified in more detail below.

Control type: Procedural
D1.1  Detected events are analyzed to understand attack targets and methods.
D1.2  Detection processes are tested.
D1.3  Detection processes are continuously improved.
D1.4  Define the basic or standard behaviour of the systems and network environment. This baseline is based on a number of data points, such as: (i) the average number of visitors or users; (ii) the average packet size of the data; (iii) the average memory usage; (iv) the average processor usage; (v) the average bandwidth usage of the internet connection and (vi) the average number of read/write actions on the hard drive. Together this information describes the overall average behaviour and can be used as a basis for the detection of abnormal behaviour such as DDoS attacks.

Control type: Technical
D1.5  An Intrusion Detection System (IDS) is in place which monitors whether the content of a network packet meets certain requirements or standards and flags patterns that are plausible DDoS attacks.
D1.6  An Intrusion Prevention System (IPS) is set up to block data traffic, either by itself or by having it apply certain rules in a firewall or router.
D1.7  Flow-based accounting: NetFlow is a function of routers that complements the forwarding process. For each IP packet entering the router a key (source and destination address, ports, protocol and input interface) is derived and looked up in the flow cache; if a matching flow is found, the packet is added to the statistics of that flow, otherwise a new flow record is created. NetFlow can be a very effective weapon against DDoS attacks. If an organization exports the collected NetFlow data to a central store, various applications can interpret this data; there are even dedicated applications that monitor for DDoS attacks on the basis of NetFlow data.
D1.8  Granular rate limiting is a technique that identifies rate violations by comparison with past behaviour.
D1.9  Apply dynamic filtering, which is performed by identifying undisciplined behaviour and punishing that behaviour for a short time by creating a short-lived filtering rule and removing that rule again after that time span.
D1.10  Source rate limiting: by identifying outlier IP addresses that break the norms, you can deny them access to excessive bandwidth.
D1.11  Within the 'Protect' level numerous measures have been implemented that, besides protection, are able to provide organizations with information to detect DDoS attacks. Organizations need to implement monitoring measures to deal with this information accordingly.

Table 3: Overview of possible measures at the detect level
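Measures D1.4 and D1.7 belong together: flow records are the cheapest data from which the baseline of D1.4 can be computed and against which deviations can be measured. The following Python script is an added example, not code from the thesis or from any NetFlow collector. It aggregates NetFlow-like records per minute and per destination into a handful of features (octets, packets, flows, distinct sources, the share of SYN-only flows, the UDP and ICMP share), learns mean and standard deviation from ten constructed quiet minutes, and labels a minute whose features deviate by more than four standard deviations, classifying the deviation by protocol and TCP flags. All records, the server address 198.51.100.10 and the field names are constructed; the z-score floor of ten percent of the mean is an assumption that stops a perfectly flat baseline from alarming on normal jitter.

```python
# Added example: baseline-driven DDoS detection on flow records (D1.4 and D1.7).
# Not code from the thesis or from any collector; all flow records are constructed.
import statistics
from collections import defaultdict

SERVER = "198.51.100.10"   # constructed address of the protected web server


def flow(src, dst, proto, dport, pkts, octets, flags=""):
    """One flow record, shaped loosely like a NetFlow v5 export (constructed)."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport,
            "pkts": pkts, "octets": octets, "flags": flags}


def normal_minute(n_clients):
    """Constructed quiet minute: n clients, each one complete TLS session to SERVER."""
    return [flow(f"192.0.2.{i}", SERVER, "tcp", 443, 30, 30 * 700, "SAPF")
            for i in range(n_clients)]


def minute_metrics(flows):
    """Aggregate one minute of flows per destination into detection features."""
    acc = defaultdict(lambda: {"octets": 0, "pkts": 0, "flows": 0, "syn_only": 0,
                               "udp_octets": 0, "icmp_pkts": 0, "srcs": set()})
    for f in flows:
        a = acc[f["dst"]]
        a["octets"] += f["octets"]
        a["pkts"] += f["pkts"]
        a["flows"] += 1
        a["srcs"].add(f["src"])
        if f["proto"] == "tcp" and f["flags"] == "S":   # SYN seen, handshake never completed
            a["syn_only"] += 1
        if f["proto"] == "udp":
            a["udp_octets"] += f["octets"]
        if f["proto"] == "icmp":
            a["icmp_pkts"] += f["pkts"]
    return {dst: {"octets": a["octets"], "pkts": a["pkts"], "flows": a["flows"],
                  "srcs": len(a["srcs"]),
                  "syn_ratio": a["syn_only"] / a["flows"],
                  "udp_share": a["udp_octets"] / max(a["octets"], 1),
                  "icmp_share": a["icmp_pkts"] / max(a["pkts"], 1)}
            for dst, a in acc.items()}


class Baseline:
    """Mean and standard deviation of every feature, learnt from quiet minutes (D1.4)."""

    def __init__(self, quiet_minutes, dst):
        rows = [minute_metrics(m)[dst] for m in quiet_minutes]
        self.stats = {k: (statistics.mean(r[k] for r in rows),
                          statistics.pstdev(r[k] for r in rows)) for k in rows[0]}

    def z(self, key, value):
        """Deviation in standard deviations. The floor (assumed: 10% of the mean)
        keeps a perfectly flat baseline from alarming on ordinary jitter."""
        mean, sd = self.stats[key]
        return (value - mean) / max(sd, 0.1 * abs(mean), 0.05)


def classify(baseline, minute, dst, threshold=4.0):
    """Label one minute of traffic towards dst using the baseline."""
    v = minute_metrics(minute).get(dst)
    if v is None:
        return "no traffic"
    z = {k: baseline.z(k, v[k]) for k in v}
    if z["octets"] > threshold and v["udp_share"] > 0.5:
        return "volumetric UDP flood"
    if z["flows"] > threshold and v["syn_ratio"] > 0.8:
        return "SYN flood"
    if z["pkts"] > threshold and v["icmp_share"] > 0.5:
        return "ICMP flood"
    if max(z["octets"], z["pkts"], z["flows"]) > threshold:
        return "anomaly (unclassified)"
    return "normal"


def detect_all():
    """Learn from ten constructed quiet minutes, then label four constructed minutes."""
    quiet = [normal_minute(40 + t % 5) for t in range(10)]
    base = Baseline(quiet, SERVER)
    spoofed = [f"203.0.113.{i % 256}" for i in range(2000)]
    syn_flood = normal_minute(43) + [flow(s, SERVER, "tcp", 443, 1, 60, "S") for s in spoofed]
    udp_flood = normal_minute(43) + [flow(s, SERVER, "udp", 1000 + i, 1000, 1000 * 1400)
                                     for i, s in enumerate(spoofed[:300])]
    icmp_flood = normal_minute(43) + [flow(s, SERVER, "icmp", 0, 2000, 2000 * 64)
                                      for s in spoofed[:500]]
    return {"quiet": classify(base, normal_minute(43), SERVER),
            "syn": classify(base, syn_flood, SERVER),
            "udp": classify(base, udp_flood, SERVER),
            "icmp": classify(base, icmp_flood, SERVER)}


if __name__ == "__main__":
    for name, label in detect_all().items():
        print(f"{name:6s} -> {label}")
```

Note what the flow level cannot see: an HTTP GET flood consists of complete, well-formed TCP sessions and shows up here at most as a rise in flows and sources, so the application-layer attacks of section 3.4.1 need web-server logs or request-level monitoring in addition to NetFlow. A production baseline would also be kept per hour of day and weekday, since 'normal' at 3 a.m. is not 'normal' at noon.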
5.3.4 The‘Respond’level
Figure15:Therespondlevel
RelevanceEven if an organization has all prevention and detectionmeasures in place, it can stillhappen that the systems are attacked by a DDoS attack. So it is important for anorganization tohaveprocedures andprotocols in place on ‘how to respond in case of aDDoSattack’.GoalAs already mentioned in the introduction of this paragraph, it is essential for anorganizationtohaveproceduresorprotocolsinplaceon‘whotoreacttoDDoSattacks’.Theproceduresneedtospecifywhoisinthelead,whichpersonshavewhichauthority,howtocommunicate and aboutwhat. In case the systems aremanaged by a hosting-provider,procedures needs tobe implementedwhich included both the actions that needs to betakenbythehostingproviderandtheorganizationitself.MeasuresTo enable an organization to respond in a structured matter when under attacks,responsivemeasuresneed tobe implemented.Possiblemeasures are identified inmoredetailbelow.ControlType
# Measure
Proc
edur
al
R1.1 DDoSresponseplanisexecutedduringorafteraneventR1.2 DDoS communication plan is executed during and after an event to
address public relations with the press, customers, organization,authorities and legal obligations based on the DDoS communicationplan.
R1.3 DDoSresponsestrategiesareupdatedR1.4 DDoSresponseplansincorporatelessonslearnedR1.5 NotificationsfromdetectionsystemsareinvestigatedR1.6 TheimpactoftheincidentisunderstoodR1.7 ForensicsareperformedR1.8 IncidentsarecategorizedconsistentwiththeDDoSresponseplansR1.9 IncidentsarecontainedR1.10 IncidentsaremitigatedR1.11 Newly identified vulnerabilities are mitigated or documented as
acceptedrisks
•Develop and implement the appropriate activities totake action regarding a detected cybersecurity event.Respond
ADDoSSecurityControlFramework
32
Control Type: Technical
R1.12 Quality-of-Service (QoS): with QoS the data can be blocked, the bandwidth can be limited or the organization can decide to do nothing. Depending on the type of IP addresses used for the attack, a decision needs to be made.
R1.13 Null-routing is in place and the potential DDoS attack IP addresses can be routed to the null interface.
R1.14 An ACL can enable an organization to block (or permit) certain source or destination IP addresses and/or protocols to respond to a DDoS attack.
R1.15 Aggressive aging involves removing connections from the tables and may also involve sending a TCP RST packet to the server/firewall.
R1.16 White-list and black-list are maintained. Within a network, there will always be some IP addresses that you want to deny or allow. White-listing and black-listing capability are useful during a DDoS attack to ensure that such rules are honored despite rate violations.
R1.17 Organizations can apply a so-called 'DDoS wash street'. Internet traffic is redirected when a potential attack warrants traffic redirection. This technique is also called 'Off-Ramping'. The data is then received by the (third) party, where it is 'washed', as it goes through special purpose-built appliances to filter illegitimate traffic out with the use of specific algorithms. Once the traffic is 'washed' it is rerouted back to the client, so-called On-Ramping.
R1.18 Specific DDoS appliances are available, which can be placed within the network and are able to deal with (more sophisticated) DDoS attacks.
R1.19 Organizations are able to deflect sophisticated DDoS attacks by having multiple data centers at different Internet Exchanges; the organization can point the DNS entry of their websites to these companies who in return handle all the requests, where each packet is then inspected. Thereupon, based on the signatures, illegitimate traffic can be detected and discarded. Next, legitimate traffic is sent back to end-users' browsers based on their geographical location.

Table 4: Overview of possible measures at the respond level
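As an added illustration of measures R1.15 and R1.16 (written for this page, not code from the thesis), the Python sketch below implements a connection-table guard that aggressively ages out the least-recently-active connections when the table is full and honours a black-list and a white-list regardless of the per-source rate check. The class name, thresholds and the sample addresses are constructed assumptions.

```python
import ipaddress
from collections import OrderedDict


class ConnectionGuard:
    """Admission control for a connection table (hypothetical helper, not
    from the thesis). Evaluation order for every new connection:
      1. black-listed source -> dropped, regardless of current rate (R1.16)
      2. rate check          -> a source already holding max_per_source
                                entries is a rate violation and is dropped,
                                unless it is white-listed (R1.16)
      3. capacity            -> a full table aggressively ages out the
                                least-recently-active entries (R1.15); the
                                evicted IDs are returned so the caller can
                                send a TCP RST towards the server/firewall
    """

    def __init__(self, max_table, max_per_source, whitelist=(), blacklist=()):
        self.max_table = max_table
        self.max_per_source = max_per_source
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.blacklist = [ipaddress.ip_network(n) for n in blacklist]
        # conn_id -> (source, last_activity); insertion order is LRU order
        self.table = OrderedDict()
        self.per_source = {}

    @staticmethod
    def _listed(ip, nets):
        return any(ip in net for net in nets)

    def _remove(self, conn_id):
        src, _ = self.table.pop(conn_id)
        self.per_source[src] -= 1
        if self.per_source[src] == 0:
            del self.per_source[src]

    def touch(self, conn_id, now):
        """Record activity on an existing connection (moves it to the MRU end)."""
        src, _ = self.table.pop(conn_id)
        self.table[conn_id] = (src, now)

    def age_out(self, count):
        """Aggressive aging: evict the `count` least-recently-active entries."""
        victims = list(self.table)[:count]
        for conn_id in victims:
            self._remove(conn_id)
        return victims

    def admit(self, conn_id, source, now):
        """Return ('admit' | 'drop', [aged-out conn_ids])."""
        ip = ipaddress.ip_address(source)
        if self._listed(ip, self.blacklist):
            return "drop", []
        over_rate = self.per_source.get(ip, 0) >= self.max_per_source
        if over_rate and not self._listed(ip, self.whitelist):
            return "drop", []
        aged = []
        if len(self.table) >= self.max_table:
            aged = self.age_out(len(self.table) - self.max_table + 1)
        self.table[conn_id] = (ip, now)
        self.per_source[ip] = self.per_source.get(ip, 0) + 1
        return "admit", aged


def simulate():
    """Constructed traffic (RFC 5737 documentation addresses): a flooding
    source, a white-listed monitoring host and a black-listed source.
    Returns the decisions so they can be checked."""
    guard = ConnectionGuard(max_table=5, max_per_source=3,
                            whitelist=["198.51.100.0/24"],  # constructed: monitoring hosts
                            blacklist=["203.0.113.7/32"])   # constructed: known bad source
    # 5 attempts from one source: the 4th and 5th exceed max_per_source
    flood = [guard.admit(f"f{i}", "192.0.2.10", now=i)[0] for i in range(5)]
    # black-listed source is dropped before any rate check
    black = guard.admit("b0", "203.0.113.7", now=10)[0]
    # white-listed monitor also exceeds max_per_source but is still admitted;
    # the table fills up, so the oldest flood entries are aged out instead
    wl = [guard.admit(f"w{i}", "198.51.100.5", now=20 + i) for i in range(4)]
    # activity on f2 protects it from the next aging round (LRU, not FIFO)
    guard.touch("f2", now=30)
    _, aged_after_touch = guard.admit("x0", "192.0.2.99", now=31)
    return {
        "flood": flood,
        "blacklisted": black,
        "whitelisted": [d for d, _ in wl],
        "aged_out": [c for _, aged in wl for c in aged],
        "aged_after_touch": aged_after_touch,
        "table": list(guard.table),
    }


if __name__ == "__main__":
    print(simulate())
```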
5.3.5 The 'Recover' level

Figure 16: The recover level

Recover: develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a DDoS event.

Relevance
As described in the risk section, the risks related to DDoS attacks are fierce and can have a severe impact. Therefore it is of high importance for an organization to be able to restore capabilities or services that were impaired by a DDoS attack in a structured manner, to keep recovery time as minimal as possible. It is key for organizations to get back to a 'business as usual' state to limit losses due to, e.g., no sales or employees not able to fulfil their job due to service outage.

Goal
The goal of the recover level is to ensure that an organization is prepared to re-establish operations at an acceptable level to limit the downtime of a disruption and to resume operations in a phased approach.

Measures
To enable an organization to recover after a DDoS attack, recovery measures need to be implemented. Possible recovery measures are identified in more detail below.

Control Type: Procedural
R2.1 DDoS recovery plan is executed during or after an event.
R2.2 DDoS recovery strategies are updated.
R2.3 DDoS recovery plans incorporate lessons learned.
R2.4 Public relations with the press, customers, organization, authorities and legal obligations are managed based on the DDoS communication plan.
R2.5 Reputation after an event is repaired.
R2.6 Recovery activities are communicated to internal stakeholders and executive and management teams.

Table 5: Overview of possible measures at the recover level
5.3.6 The 'Assess' level

Figure 17: The assess level

Assess: determine whether the previous functions performed/functioned effectively.

Relevance
Implementing a framework to mitigate the risks associated with DDoS should be seen as the first step. Simply implementing a framework is just not going to cut it in the long run. The world of DDoS is in continuous development and new attack techniques are introduced constantly. Therefore it is of great importance that the framework is able to cope with these changes by being able to assess the impact of changes in the field of DDoS in relation to the implemented framework. Only when an organization is able to assess the impact of these changes is it able to cope with them and adjust the framework accordingly.

Goal
The goal of the assess level is to evaluate the previous steps taken in order to identify the focus areas where measures will need to be implemented. It does so by gathering information resulting from the previous function levels. Management should not only evaluate but also analyse the results to determine if the implemented measures sufficiently mitigate the risks or at least reduce the risk to an acceptable level. Any findings resulting from the evaluation and the analysis are then addressed with corrective measures.

Measures
To enable an organization to assess the effectiveness of implemented measures, a process needs to be in place to gather information at each level. The gathered data is then evaluated and actions are taken.

Control Type: Procedural
A1.1 Execute monitoring procedures
A1.2 Review and measure effectiveness of current DDoS controls
A1.3 Conduct internal DDoS audits
A1.4 A security team monitors DDoS trends and validates whether the current control framework is able to cope with these trends or developments
A1.5 Undertake management review
A1.6 Record actions and events that impact DDoS controls

Table 6: Overview of possible measures at the assess level
5.3.7 The 'Adjust' level

Figure 18: The adjust level

Adjust: determine which changes need to be made, based on the assessment made.

Relevance
Based on the assessments performed at the previous level, findings will be identified and the organization needs to take action by analyzing and remediating the findings. By analyzing the findings and the actions needed, an organization will need to update the control framework in order to prevent recurrence of attacks at the identified weaknesses. At the adjust level the continuous improvement cycle is initiated and the lessons learned can be used as a reference for future analysis.

Goal
The goal of the adjust level is to provide an organization with a tool to effectively define a corrective action plan that not only enables improvement of the current measures implemented but also creates a basis for continuous improvement.

Measures
To enable an organization to adjust the effectiveness of the implemented measures, a process needs to be in place which supports a continuous improvement cycle. The following measures can enable an organization to achieve this.

Control Type: Procedural
A2.1 The DDoS Security Control Framework is updated
A2.2 Preventive processes are continuously improved
A2.3 Detection processes are continuously improved
A2.4 Response processes are continuously improved
A2.5 Communicate actions and improvements

Table 7: Overview of possible measures at the adjust level
5.4 How does the DDoS Security Control Framework cover the identified risks

There is no universal approach that can cover all DDoS security risks. As described in chapter 4, if organizations want to implement an effective DDoS security control framework, it is essential that the organization is familiar with the specific risks that apply to the service they provide, which enables them to identify the weaknesses within their IT environment. The familiarization with the associated risks is established by applying the 'identify' function level.

In order to set up an effective framework and, as part of this framework, effective measures to fight off a DDoS attack, it is also essential to understand the various DDoS methods. Currently, a wide range of DDoS attacks is used by attackers. These DDoS attacks can be divided into three types which take place on layers 3, 4 and 7 of the OSI layer model. To effectively battle DDoS attacks, it is key for organizations to implement technical measures that not only prevent or minimize risks on one of these layers, but prevent or minimize risks on layers 3, 4 and 7. This is why the DDoS Security Control Framework covers these three layers, as shown in the mapping below.

OSI Layer 3
  Protect: P1.10, P1.11, P1.12, P1.13, P1.14, P1.15, P1.16, P1.17, P1.18, P1.19, P1.20
  Detect: D1.5, D1.6, D1.7, D1.8, D1.10, D1.11
  Respond: R1.12, R1.13, R1.14, R1.16, R1.17, R1.18
OSI Layer 4
  Protect: P1.9, P1.10, P1.11, P1.12, P1.13, P1.15, P1.18, P1.19
  Detect: D1.5, D1.6, D1.7, D1.8, D1.9, D1.10, D1.11
  Respond: R1.13, R1.15, R1.16, R1.17, R1.18
OSI Layer 7
  Protect: P1.11, P1.12, P1.13, P1.14, P1.19
  Detect: D1.5, D1.6, D1.11
  Respond: R1.16, R1.18, R1.19

Table 8: Mapping of measures per relevant OSI layer

Besides the technical measures, organizations also need to implement procedural measures at the protect, detect and respond level. The aim of these procedural measures is to trigger actions and to create awareness. The combination of both types of measures is key for creating an effectively functioning DDoS mitigation environment.

Taking away every vulnerability is a utopia. This makes it important for organizations that they have the ability to recover. By introducing a continuous improvement cycle as part of the framework, organizations can start implementing controls which mitigate the most important risks identified, while strengthening the control set with each cycle to reduce the level of vulnerabilities in the network and, as a result, minimize the risks related to an attack.
5.5 How to apply the DDoS Security Control Framework

This research has now resulted in a dynamic DDoS Security Control Framework. But before organizations start to implement or use this framework in any way, they need to come up with a plan. Simply implementing this framework will not provide them with the DDoS security control environment they would like. Every organization is different in many ways. This needs to be taken into account when using the framework. Organizations need to adopt a so-called risk-based approach when using this framework. This means that they have to ask themselves questions such as: "how much risk are we willing to take?", "what are the risks associated with the services we provide?" and "what are the weaknesses of our network?". Based on the answers to these questions an organization can use (parts of) the framework to set up or improve its DDoS security control environment accordingly.

The framework contains multi-disciplinary elements. Some elements are technical, others are more risk focused. Therefore it is recommended that the framework is applied by a multi-disciplinary team which preferably consists of IT security experts, IT risk and management, to cover the whole spectrum and have sufficient knowledge within the team to apply the framework correctly.
6 VERIFICATION AND VALIDATION OF THE DDOS SECURITY CONTROL FRAMEWORK

In chapter 5 a DDoS Security Control Framework was established which can help organizations mitigate DDoS attacks and the risks associated with these attacks effectively. In this chapter the framework will be verified and validated. Please note that the validation, as set out below, is limited and purely based on the experience of subject matter experts.

6.1 Verification and validation definition

The terms verification and validation originate from software project management, software testing and software engineering. Verification and validation entail the process of checking that a software system meets requirements and fulfils its intended purpose. In other words, verification and validation are methods to control the quality of the system. Verification and validation are easily mixed up or mistaken by assuming that they are one and the same, but they are certainly not. Below the definitions of verification and validation as described by Boehm are cited (Boehm, 1989):

· Verification: Are we building the product right?
· Validation: Are we building the right product?

The goal of this thesis is to establish a DDoS Security Control Framework and not a software system. Still, with some minor alterations, validation and verification are useful to provide the necessary quality control and help gain an understanding whether this framework provides added value within the field of DDoS and cyber security.

6.2 Approach

For the verification and validation of the DDoS Security Control Framework a number of subject matter experts within the field of DDoS and cyber security were consulted. A detailed list of the consulted subject matter experts can be found in paragraph 8.2.
Figure 19: Schematic overview of the verification and validation process (experts take notice of the DDoS Security Control Framework; verification; validation; analyse data; adjust framework)

The consulted subject matter experts were requested to review the established DDoS Security Control Framework as presented in chapter 5. Furthermore, the subject matter experts were clearly instructed that the framework should be interpreted as a 'building block' and that, to function properly, an 'effective' IT control framework needs to be in place. This framework needs to contain the fundamental organizational, procedural and technical controls based on a well-known and accepted framework such as COBIT.

Verification
The verification stage focusses on verifying whether the control framework was designed properly.
· Are there any controls that are missing from the DDoS Security Control Framework?
· Are there any specific elements missing that you might expect in a DDoS Security Control Framework?

Validation
By validating the framework, we gain confirmation that the framework, as established, will fulfil its intended use. The following questions were asked to validate whether the DDoS Security Control Framework will fulfil its intended goal:

· Do you think implementing this DDoS Security Control Framework helps mitigating the risk of DDoS as originally presented?
· Do the levels 'assess' and 'adjust' make the DDoS Security Control Framework able to cope with changes in the field of DDoS?
· Do you think implementing this DDoS Security Control Framework will enable organizations to mitigate the risks of DDoS?
· Could the DDoS Security Control Framework add value to your current practice?

After the verification and validation stage all input is collected and analyzed. The results will be discussed in more detail below.
6.3 Results

Based on the fruitful interviews held with the subject matter experts the following key feedback was provided:

· The interviewee pointed out that the assess and adjust function levels are now placed at the bottom of the framework. This placement of these two function levels may suggest that these levels are separate items. However, when analyzing the effectiveness of the existing plan, all previous function levels are assessed: is the system sufficiently protected? has the response been successful? and so on. After the assessment the function levels may be adjusted to make the plan even more effective.
  o I can understand the point made by the interviewee. To improve the visual representation of the function levels in the framework I decided to remove the assess and adjust function levels from the bottom of the framework and place them alongside the five previous function levels to reflect their overall coverage.
· The interviewee points out that the framework mentions that forensics need to be performed on the available data. The interviewee indicated that it is difficult to run forensics, because due to DDoS attacks data might be incomplete or unavailable. The framework does not take this problem into account.
  o To perform forensics, data is needed. To trigger organizations to really think about safekeeping and maintaining data, even after or during a DDoS attack, I have included measures I1.8 and P1.19 in the framework, pointing out that organizations need to make sure that forensics can be performed.
· The interviewee asked the question whether measures P1.3 up to and including P1.6 fall within the scope of the protect function level or whether these measures could fall within the scope of either the response and/or the recover function level.
  o The measures included under P1.3 up to and including P1.6 form the foundation of these plans and are therefore protective in nature. Within the response and recover function levels these plans are applied, but it is of great importance that these plans are established within the measures included under P1.3 up to and including P1.6.
· The interviewee pointed out that the measures previously numbered D1.7, D1.10 and D1.13 were not included under the correct function level. The measures were of a protective nature.
  o Although these measures enable organizations to create the necessary information to detect DDoS attacks, I agreed with the interviewee and decided to remove the measures from the detect function level and include them under the protect function level. D1.11 was created to cover that these measures can also be used to detect DDoS attacks.
· The interviewee indicated that several layers can be identified within the response function level, as organizations are able to take care of the response itself, outsource it towards for example an ISP and other third parties, or maybe even apply a combination.
  o This is a valid point made by the interviewee. I have widened and included the measures for these additional layers.

Besides the framework-specific suggestions, the subject matter experts also provided some suggestions for further research such as the establishment of a quick scan.
6.4 Conclusion

To verify and validate the framework, interview sessions were organized with subject matter experts. Based on the results of these interviews it can be concluded that the established framework contains the relevant elements and measures and forms a valuable basis for organizations to establish or improve their security to mitigate identified risks related to DDoS, but that some improvements could be made to make the framework even more effective. These improvements mostly concerned moving measures around the framework and adding some additional information or measures. Besides the validation and verification of the framework, the interviews also provided some suggestions for further research.
7 CONTRIBUTION AND CONCLUSION

In this chapter the contribution of this thesis to the research domain and the conclusion to the research will be discussed. First the contribution of the research will be discussed, followed by the conclusion per sub-question and the overall conclusion on the main research question. Finally, possible further research will be discussed.

7.1 Contribution

The contribution of this thesis can be divided into two categories: (i) academic contribution and (ii) economic contribution. With regard to the academic contribution or relevance it needs to be noted that this thesis used the existing framework of the National Institute of Standards and Technology (NIST) as the basis for the DDoS Security Control Framework it wants to establish, and incorporated academic information regarding DDoS attacks and the risks related to these attacks in this framework, to make the NIST framework dynamic and suitable for use by organizations to establish or enhance their DDoS strategy. The framework incorporates readily available academic information to improve the usefulness of the existing (NIST) framework. The enhanced model contributes to the body of knowledge and also provides a new starting point for further research and discussion on the framework and the topic of DDoS attacks. While the NIST model primarily focuses on building a set of DDoS security controls, the new model incorporates improvement cycles to continuously improve the applied controls in line with the organization's risk profile.

Besides the academic contribution of the thesis, it also makes a more practical and economic contribution. By providing more insight in the risks related to DDoS attacks and introducing the measures that can be taken by organizations, it can make organizations more familiar with the topic and make them more aware of the risks and the steps they can take to continuously improve their DDoS prevention, detection and protection strategies. If organizations become more aware of the possibilities to mitigate the risks associated with DDoS attacks, such as reputational damage and revenue losses, then, while not entirely quantifiable, the economic value is believed to be beyond the setup costs.

7.2 Conclusion Per Sub-Question

In the beginning of this research a main research question was formulated in accordance with the goal of this research, as introduced in chapter 1 of this thesis. The main research question is: "With what control framework can security be improved to mitigate identified risks related to Distributed Denial-of-Service Attacks?" In order to answer this main research question, three sub-questions were introduced:

1. What is a Distributed Denial-of-Service attack and why does this trend require proper considerations?
2. What are the security risks and impact imposed by Distributed Denial-of-Service attacks?
3. Which controls can be implemented to minimize the impact of risks related to Distributed Denial-of-Service Attacks?

Below the conclusion per sub-question will be discussed.
7.2.1 What is a Distributed Denial-of-Service attack and why does this trend require proper considerations?

A Distributed Denial-of-Service attack is a "large-scale, coordinated attack on the availability of services on a victim's system or network resources, launched indirectly through many compromised computers on the Internet". In the past organizations were once in a while confronted with a DDoS attack and in many cases the impact of this attack was only limited. Due to the developments in the field of IT, the complexity and the scale of the DDoS attacks on network and information security have grown extensively and the attacks have become more intense. Furthermore, cyber-crime has become more lucrative and less risky in the last years and the thresholds for initiating a DDoS attack have been lowered significantly. Nowadays DDoS attacks can be bought online for very low prices. Due to all these developments the impact of DDoS attacks and the likelihood of being a target of an attack have skyrocketed. It no longer is a question IF a company will be attacked, but WHEN a company will be attacked. Because of this, it is important that organizations give proper consideration to this trend.

7.2.2 What are the security risks and impact imposed by Distributed Denial-of-Service attacks?

Many risks are associated with DDoS attacks. The types of risks that can be identified, which are most likely to occur or have the highest impact, are:

i. operational risk: depending on the type of services provided, DDoS attacks can have a (significant) impact on customers and employee productivity. Due to the DDoS attack, an organization is unable to provide its services, which can result in significant revenue losses. In case of a service level agreement, a DDoS attack can result in a violation of the agreement when the organization affected by the DDoS attack is the service provider under the agreement;
ii. reputational risk: if organizations cannot provide their services, customers will have a negative experience with the organization. If this happens multiple times, the services can be ranked unreliable and this will negatively impact the brand, the image and reputation of the organization;
iii. data integrity risk: DDoS attacks can disrupt connections. Since systems are highly connected and dependent on internal and external data, a DDoS attack can impact the data integrity of the system; and
iv. fraud risk: this risk occurs when a hacker uses a DDoS attack as a diversion to draw the attention away from their actual goal. The DDoS attack could be coupled with a fraud attempt; in such cases organizations may also experience fraud losses, which might in turn result in liquidity and capital risks.

The impact imposed by DDoS attacks is dependent on several factors, such as the services provided by the target organization and the number of customers and employees, and can only be determined per organization.
7.2.3 Which controls can be implemented to minimize the impact of risks related to Distributed Denial-of-Service Attacks?

The measures that can be implemented differ per organization. The DDoS Security Control Framework enables an organization to determine which measures it should implement to minimize the impact of risks related to DDoS attacks. While a risk-based approach is not aiming at taking away every vulnerability, by introducing a continuous improvement cycle to an existing model an organization can start implementing controls which mitigate the most important risks identified, while strengthening the control set with each cycle to reduce the level of vulnerabilities in the network and, as a result, minimize the risks related to an attack.

7.3 Conclusion On The Main Research Question

As already introduced above, the main research question is: "With what control framework can security be improved to mitigate identified risks related to Distributed Denial-of-Service Attacks?" The above discussed sub-questions have identified the nature of a DDoS attack and have shown that, due to the quickly growing impact and likelihood of DDoS attacks, it is very important for organizations to give proper consideration to this trend. Furthermore, the impact and risks associated with DDoS attacks and the measures that can be implemented to minimize these risks have been identified. The information gathered on the basis of the sub-questions was incorporated and taken into account when structuring the DDoS Security Control Framework in order to make the framework as dynamic and as useful as possible. The result is the DDoS Security Control Framework as set out in Chapter 5 of this thesis. This control framework can enable organizations to manage the risks related to DDoS attacks and, as a result, improve their security.

7.4 Further Research

The framework has not been designed for a specific sector or market, but can be used across markets. Now that the framework is established, the framework will need to be validated by organizations which are active in different sectors and markets. Further research needs to be conducted to determine whether the framework is indeed suitable for all sectors and markets or whether the framework is only suitable for a certain number of sectors/markets due to, for example, the risk profiles associated with those sectors/markets. The current framework has been validated and verified based on interviews; as such the resulting model serves as a working hypothesis which could prove its worth and could be improved by applied validation and verification.

Besides the validation and verification the framework will also need to be adjusted. Steps 6 and 7 are designed to make the framework adjust to new developments on the topic of DDoS attacks. It is important that research regarding the types of DDoS attacks and the risks associated with these types of attacks is also continued in the future. This research will form the basis for the adjustments to the framework and will harden the framework.
8 APPENDIX

8.1 Bibliography

Arbor Networks. (2013). Understanding DDoS. Retrieved December 8, 2014, from Digital Attack Map: http://www.digitalattackmap.com/understanding-ddos/
Arbor Networks. (2014). Largest DDoS Attack Reported. Burlington: Arbor Networks.
Baloch, R. (2014). Ethical Hacking and Penetration Testing Guide. Boca Raton: CRC Press.
Blank, A. (2004). TCP/IP Foundations. Alameda: SYBEX Inc.
Boehm, B. (1989). Software Risk Management. IEEE Computer Society Press.
Cao, W. a. (2014). Introduction of the Smurf Attack Principle. Proceedings of International Conference on Soft Computing Techniques and Engineering Application (p. 316). New Delhi: Springer India.
Deming, W. E. (2000). Out of the Crisis. Cambridge: MIT Press Ltd.
Easttom, C. (2014). System Forensics, Investigation and Response. Burlington: Jones & Bartlett Learning.
EC-Council. (2010). Ethical Hacking and Countermeasures: Threats and Defense Mechanisms. Clifton Park: Cengage Learning.
Federal Financial Institutions Examination Council. (2012). Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources. Arlington: Federal Financial Institutions Examination Council (FFIEC).
Fitzgerald, J., & Dennis, A. (2009). Business Data Communications and Networking. Hoboken: John Wiley & Sons.
Goncharov, M. (2012). Russian Underground 101. Cupertino: Trend Micro Inc.
Govcert.nl. (2006). Aanbevelingen ter bescherming tegen Denial-of-Service aanvallen. Den Haag: Govcert.nl.
Govcert.nl. (2010). Whitepaper Raamwerk Beveiliging Webapplicaties. Den Haag: Govcert.nl.
Gu, Q. a. (2012). Denial of Service Attacks. In Q. a. Gu, Handbook of Computer Networks: Distributed Networks, Network Planning, Control, Management, and New Trends and Applications (pp. 454-468). Hoboken: John Wiley & Sons, Inc.
IntruGuard. (2008, November 10). 10 DDoS Mitigation Techniques. Retrieved February 2, 2015, from www.slideshare.net: http://www.slideshare.net/intruguard/10-ddos-mitigation-techniques-presentation
Kim, S. K. (2013). DDoS Analysis Using Correlation Coefficient Based on Kolmogorov Complexity. Grid and Pervasive Computing (p. 445). Heidelberg: Springer.
Kostadinov, D. (2013, October 24). Layer Seven DDoS Attacks. Retrieved January 10, 2015, from InfoSec Institute: http://resources.infosecinstitute.com/layer-seven-ddos-attacks/
Kumar, G. (2004, October). Understanding Denial of Service (DoS) Attacks Using OSI Reference Model. International Journal of Education and Science Research, 1(5), 10-17.
McDowell, M. (2013, February 6). Understanding Denial-of-Service Attacks. Retrieved December 7, 2014, from United States Computer Emergency Readiness Team (US-CERT): http://www.us-cert.gov/ncas/tips/ST04-015
Nationaal Cyber Security Centrum. (2012). ICT-Beveiligingsrichtlijnen voor webapplicaties - Deel 1. Den Haag: Nationaal Cyber Security Centrum.
Nationaal Cyber Security Centrum. (2012). ICT-Beveiligingsrichtlijnen voor webapplicaties - Deel 2. Den Haag: Nationaal Cyber Security Centrum.
National Cybersecurity and Communications Integration Center. (2014). DDoS Quick Guide. Arlington: National Cybersecurity and Communications Integration Center.
National Institute of Standards and Technology. (2014). Framework for Improving Critical Infrastructure Cybersecurity. Gaithersburg: National Institute of Standards and Technology.
Popeskic, V. (2011, December 17). Telnet attacks: ways to compromise remote connections. Retrieved January 2, 2015, from How does internet work: http://howdoesinternetwork.com/2011/telnet-attacks
Prolexic. (2013). Quarterly Global DDoS Attack Report Q3 2013. Hollywood: Prolexic.
Prolexic. (2014). Quarterly Global DDoS Attack Report Q1 2014. Hollywood: Prolexic.
Saxena, P. (2014). OSI Reference Model – A Seven Layered Architecture of OSI Model. International Journal of Research (IJR), 1(10), 1145-1156.
Science & Lifestyle. (2012, July 4). How a DDoS attack works. Retrieved December 20, 2014, from Science and lifestyle: http://scilifestyle.com/how-a-ddos-attack-works.html
Smits, M. S. (2011). Hoe het internet de Nederlandse economie verandert. Amsterdam: The Boston Consulting Group.
Symantec. (2009, September 10). Newsroom - press releases. Retrieved September 4, 2014, from Symantec: http://www.symantec.com/about/news/release/article.jsp?prid=20090910_01
Tanenbaum, A. S. (2002). Computer Networks. Upper Saddle River: Prentice Hall PTR.
Verisign. (2012). Distributed Denial of Service (DDoS): finally getting the attention it deserves. Reston: Verisign Public.
Verisign. (2014). DDoS Protection Services Overview. Reston: Verisign Public.
Yang, X. e. (2014). ARMed-http: An Unsupervised Machine Learning Method for Detecting HTTP-flooding Attack. International Conference on Computer Science and Network Security (p. 398). Lancaster: DEStech Publications Inc.
Yin, R. K. (2013). Case Study Research: Design & Methods. Thousand Oaks: SAGE Publications Inc.
8.2 Subject Matter Experts

Name: Current Role
Vincent Joosen: Senior Security Specialist at Ziggo
Jacques van der Heide: Senior Security Specialist at Ziggo
Janine Feddes: Manager Security Operations Center at Ziggo
Michael Willems: Director Network Operations Center at Ziggo
Ingrid Terlien: Security Manager at KNAB
Tony de Bos: Senior Manager IT Risk & Assurance at EY
Jatin Sehgal: Global Practice Leader at EY CertifyPoint
    Senior Manager Information Security at EY
8.3 List of figures

Figure 1: Reasons for web infrastructure downtime over the last 12 months (2012) .... 7
Figure 2: Most common consequences of DDoS attacks .... 7
Figure 3: A visual representation of the case study approach .... 10
Figure 4: A schematic overview of the research process .... 11
Figure 5: A visual representation of a DDoS attack (Science & Lifestyle, 2012) .... 13
Figure 6: The seven layers of the OSI model .... 14
Figure 7: The layering technique of the OSI model .... 15
Figure 8: Types of DDoS attacks .... 19
Figure 9: Framework for Improving Critical Infrastructure Cybersecurity by NIST .... 22
Figure 10: The Deming Cycle .... 23
Figure 11: The seven function levels of the DDoS Security Control Framework .... 24
Figure 12: The identify level .... 26
Figure 13: The protect level .... 27
Figure 14: The detect level .... 29
Figure 15: The respond level .... 31
Figure 16: The recover level .... 33
Figure 17: The assess level .... 34
Figure 18: The adjust level .... 35
Figure 19: Schematic overview of the verification and validation process .... 38

8.4 List of Tables

Table 1: Overview of possible measures at the identify level .... 27
Table 2: Overview of possible measures at the protect level .... 29
Table 3: Overview of possible measures at the detect level .... 30
Table 4: Overview of possible measures at the respond level .... 32
Table 5: Overview of possible measures at the recover level .... 33
Table 6: Overview of possible measures at the assess level .... 34
Table 7: Overview of possible measures at the adjust level .... 35
Table 8: Mapping of measures per relevant OSI layer .... 36
8.5 DDoS Quick Guide