DDoS Protection, An Inside Look
• The 3 main types of attacks
• Will I be a victim? Why us?
• The Top 3 Misconceptions: Fact vs Fiction
• A Realistic Defense
The 3 Main Types of Attack
‣ #1 Big and Dumb - UDP, ICMP floods
‣ Attackers try to overwhelm your available bandwidth resources
• Your ISP or carrier may “null route” you if your attack is disruptive to their network
• A good ISP or carrier will filter this out for you
• Although it still happens, it is rarely the cause of outages
• Unfortunately it may be combined with other types of attack
‣ Consider having all non-essential traffic (ports) denied as part of normal operations
The 3 Main Types of Attack
‣ #2 SYN Floods
‣ SYN-type floods try to overwhelm CPU, memory, OS limitations or network gear
• There are a variety of good DDoS mitigation devices available today for 10-60K
• Beware of false positives; keep the rate limiting “loose” or just right
The 3 Main Types of Attack
‣ #3 Layer 7 attacks
‣ HTTP GET attacks: CPU intensive, slows the web server to a crawl
* Sometimes hard to even detect, which leads to misdiagnoses
* Low bandwidth, low PPS
• Requires a large (2K-200K+) botnet
• Existing off-the-shelf mitigation gear is not very effective
‣ Our observations over the last 12 months ending May 2010:
• UDP/ICMP flood only attacks account for less than 10% of total number of attacks
• SYN Flood only type attacks, account for less than 30% of total attacks
• Layer 7 only type attacks account for approximately 60% of total attacks
• 80% of all attacks have 2 or more of the above components
• 80% of all attacks have a layer 7 component
Will I Be a Victim? Why Us?
‣ Given the number of attacks vs the number of websites:
• Overall risk is still very low, but very unpredictable
• Renting botnets is cheap, and they are easy to operate (see control panel sample)
• 30% of attacks are sector targeted: 5-25 websites of a similar nature are attacked at the same time, e.g. Jewelry, Electronics, Car Parts, Fitness Gear, etc.
The perpetrator is most likely a competitor trying to gain market share
• 40% are high-risk sectors
E-gaming, Social/Dating Networks, Online Pharmacies, Investment Info, Payment Processors, etc.
The perpetrator is most likely a disgruntled customer or competitor
Extortion is sometimes involved, but rare
• 30% are “one-offs”
No logical reason
Rent-a-Bot botnet control panel
‣ Can be rented for less than $100.00/day
‣ Easy to operate
The Top 3 Misconceptions: Fact vs Fiction
‣ #1 My Firewall/DDoS device will handle anything
• There is no easy-to-operate off-the-shelf box that will effectively stop all types of attacks in real time
‣ #2 My engineers are brilliant and will be able to stop anything
• In reality most technical staff have very little experience with real-world DDoS attacks
• Attack intensities and types change too often
‣ #3 My hosting/network provider will help me
• Most hosting providers are ill-equipped to handle all types of attacks on an ad-hoc basis
• Can be too time intensive for many hosting providers
• They will not risk network disruptions to other customers / collateral damage
A Realistic Defense
A simple layered approach
[Diagram: incoming traffic (UDP, ICMP, TCP) passes through three layers. After the provider filter only TCP port 80, TCP port 443, TCP/SYN and layer 7 attacks remain; after the SYN protection box only TCP port 80/443 and layer 7 attacks remain; after the reverse proxy/cache array only legitimate TCP requests reach the servers.]
‣ Have your provider filter everything except TCP port 80/443
‣ Buy a box that has good SYN protection (1 million PPS+)
‣ Use a reverse proxy and/or cache array
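The Layer 7 HTTP GET floods described earlier are low-bandwidth and hard to spot, and the only knob the deck gives is a rate limit kept "loose" to avoid false positives. The following is an added example, not code from the presentation, showing what such a detector looks like at the reverse-proxy layer: it counts GET requests per client IP over a sliding window of constructed access-log lines and flags only sources above a deliberately loose threshold.

```python
# Added example (not from the slide deck): minimal Layer 7 GET-flood detector
# over constructed access-log lines, with a loose per-IP rate limit.
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx combined-log style; only the fields we need are captured.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

def parse_line(line):
    """Return (ip, timestamp, method, path), or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path

def flag_get_floods(lines, window_s=10, max_gets=20):
    """Return {ip: peak GET count in any window_s-second window} for IPs whose
    peak exceeds max_gets. max_gets is the 'loose' limit: raise it if shared
    sources such as NAT gateways or corporate proxies start getting flagged."""
    recent = defaultdict(deque)   # ip -> timestamps of GETs inside the window
    peak = defaultdict(int)
    for line in lines:            # lines are assumed time-ordered per IP
        parsed = parse_line(line)
        if parsed is None or parsed[2] != "GET":
            continue
        ip, ts, _, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > max_gets}

# Constructed sample: 203.0.113.5 sends 25 GETs within 5 seconds (flood-like);
# 198.51.100.7 sends 8 GETs over 9 seconds (a busy but legitimate NAT source).
SAMPLE_LOG = [
    f'203.0.113.5 - - [01/May/2010:12:00:{i // 5:02d} +0000] "GET /search?q={i} HTTP/1.1" 200 512'
    for i in range(25)
] + [
    f'198.51.100.7 - - [01/May/2010:12:00:{i:02d} +0000] "GET /index.html HTTP/1.1" 200 1024'
    for i in range(9)
]

if __name__ == "__main__":
    print(flag_get_floods(SAMPLE_LOG))  # {'203.0.113.5': 25}
```

Tightening max_gets to 5 also flags the NAT source, which is exactly the false positive the deck warns about.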
ONLINE DEMO