Transcript of DDoS Protection, An Inside Look

Page 1:

DDoS Protection, An Inside Look

• The 3 main types of attacks
• Will I be a victim? Why us?
• The Top 3 Misconceptions: Fact vs Fiction
• A Realistic Defense

Page 2:

The 3 Main Types of Attack

‣ #1 Big and Dumb: UDP and ICMP floods

‣ Attackers try to overwhelm your available bandwidth. Your ISP or carrier may null-route you if the attack is disruptive to their network.

• A good ISP or carrier will filter this out for you

• Although it still happens, it is rarely the cause of outages. Unfortunately it may be combined with other types of attack.

‣ Consider having all non-essential traffic (ports) denied as part of normal operations

Page 3:

The 3 Main Types of Attack

‣ #2 SYN Floods

‣ SYN-type floods try to overwhelm CPU, memory, OS limits or network gear

• There are a variety of good DDoS mitigation devices available today for 10-60K

• Beware of false positives; keep the rate limiting "loose" or just right

Page 4:

The 3 Main Types of Attack

‣ #3 Layer 7 attacks

‣ HTTP GET attacks: CPU intensive, slow the web server to a crawl

• Sometimes hard to even detect, which leads to misdiagnosis

• Low bandwidth, low PPS (packets per second)

• Requires a large (2K-200K+) botnet

• Existing off-the-shelf mitigation gear is not very effective
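Because a Layer 7 GET flood is low bandwidth and low PPS, bandwidth graphs stay quiet and the outage gets misdiagnosed. What does stand out in the web server's own access log is one source hitting the same CPU-heavy URL far more often than a person would. The script below is an added example, not part of the deck: it counts GET requests per source IP per minute over constructed sample log lines (the IPs, paths and byte counts are made up; the 5-per-minute threshold is an assumption to be replaced by your own baseline) and flags sources above the threshold, reporting how many distinct URLs they touched and the average response size, which is what separates a bot hammering one search page from a crawler fetching many pages.

```shell
#!/bin/sh
# Added example, not part of the deck: spot a Layer 7 HTTP GET flood in an
# access log using only sh and awk. Attack traffic is low bandwidth and low
# PPS, so look at request counts per source, not bytes on the wire.

# Constructed sample lines in Common Log Format (not real traffic).
# 203.0.113.10 is a normal visitor; 198.51.100.7 is a bot hitting /search.
SAMPLE_LOG='203.0.113.10 - - [12/May/2010:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.10 - - [12/May/2010:10:00:02 +0000] "GET /style.css HTTP/1.1" 200 2048
203.0.113.10 - - [12/May/2010:10:00:09 +0000] "GET /search?q=boots HTTP/1.1" 200 9300
203.0.113.10 - - [12/May/2010:10:00:20 +0000] "POST /cart HTTP/1.1" 302 0
198.51.100.7 - - [12/May/2010:10:00:03 +0000] "GET /search?q=shoes HTTP/1.1" 200 812
198.51.100.7 - - [12/May/2010:10:00:05 +0000] "GET /search?q=shoes HTTP/1.1" 200 812
198.51.100.7 - - [12/May/2010:10:00:07 +0000] "GET /search?q=shoes HTTP/1.1" 200 812
198.51.100.7 - - [12/May/2010:10:00:09 +0000] "GET /search?q=shoes HTTP/1.1" 200 812
198.51.100.7 - - [12/May/2010:10:00:11 +0000] "GET /search?q=shoes HTTP/1.1" 200 812
198.51.100.7 - - [12/May/2010:10:00:13 +0000] "GET /search?q=shoes HTTP/1.1" 200 812
198.51.100.7 - - [12/May/2010:10:00:15 +0000] "GET /search?q=shoes HTTP/1.1" 200 812
198.51.100.7 - - [12/May/2010:10:00:17 +0000] "GET /search?q=shoes HTTP/1.1" 200 812
198.51.100.7 - - [12/May/2010:10:01:02 +0000] "GET /search?q=shoes HTTP/1.1" 200 812
198.51.100.7 - - [12/May/2010:10:01:04 +0000] "GET /search?q=shoes HTTP/1.1" 200 812'

# Usage: flag_get_floods MAX_GETS_PER_MINUTE < access.log
# Prints one line per (source IP, minute) whose GET count exceeds MAX.
# MAX is an assumed threshold: set it from your own traffic baseline and keep
# it loose, since a false positive here means blocking a paying customer.
flag_get_floods() {
  awk -v max="$1" '
    # Field 4 is "[" + timestamp, field 6 is "\"" + method, field 7 the path,
    # field 10 the response size in bytes.
    $6 == "\"GET" {
      key = $1 SUBSEP substr($4, 2, 17)          # ip + minute, e.g. 12/May/2010:10:00
      hits[key]++
      bytes[key] += $10
      if (!seen[key SUBSEP $7]++) paths[key]++   # distinct URLs this ip hit this minute
    }
    END {
      for (k in hits) {
        if (hits[k] > max) {
          split(k, part, SUBSEP)
          printf "%s %s hits=%d distinct_paths=%d avg_bytes=%d\n", part[1], part[2], hits[k], paths[k], bytes[k] / hits[k]
        }
      }
    }' | sort
}

# Stand-alone run over the constructed sample with a threshold of 5 GETs/minute.
printf '%s\n' "$SAMPLE_LOG" | flag_get_floods 5
```

Run against the sample, only the bot's first minute is reported (8 hits, one distinct path, 812 bytes per response); its second minute has 2 hits and stays under the threshold, and the real visitor is never listed. Feed a live log with `tail -F access.log | flag_get_floods 60` and treat the output as a shortlist for a human to review, not as an automatic block list.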

Page 5:

The 3 Main Types of Attack

‣ Our observations over the 12 months ending May 2010

• UDP/ICMP flood-only attacks account for less than 10% of the total number of attacks

• SYN flood-only attacks account for less than 30% of total attacks

• Layer 7-only attacks account for approximately 60% of total attacks

• 80% of all attacks have 2 or more of the above components

• 80% of all attacks have a Layer 7 component

Page 6:

Will I Be a Victim? Why us?

‣ Given the number of attacks vs the number of websites:

• Overall risk is still very low, but very unpredictable

• Renting a botnet is cheap, and they are easy to operate (see control panel sample)

• 30% of attacks are sector targeted: 5-25 websites of a similar nature are attacked at the same time, e.g. jewelry, electronics, car parts, fitness gear, etc.

The perpetrator is most likely a competitor trying to gain market share

• 40% are high-risk sectors

E-gaming, social/dating networks, online pharmacies, investment info, payment processors, etc.

The perpetrator is most likely a disgruntled customer or competitor

Extortion is sometimes involved, but rare

• 30% are "one-offs"

No logical reason

Page 7:

Will I Be a Victim? Why us?

Rent-a-Bot: botnet control panel

‣ Can be rented for less than $100.00/day
‣ Easy to operate

Page 8:

The Top 3 Misconceptions: Fact vs Fiction

‣ #1 My firewall/DDoS device will handle anything
• There is no easy-to-operate off-the-shelf box that will effectively stop all types of attacks in real time

‣ #2 My engineers are brilliant and will be able to stop anything
• In reality most technical staff have very little experience with real-world DDoS attacks
• Attack intensities and types change too often

‣ #3 My hosting/network provider will help me
• Most hosting providers are ill equipped to handle all types of attacks on an ad hoc basis
• Can be too time intensive for many hosting providers
• They will not risk network disruptions to other customers / collateral damage

Page 9:

A Realistic Defense: a simple layered approach

[Diagram: the traffic mix remaining after each layer. Inbound: UDP, ICMP, TCP. After the provider filter: TCP port 80, TCP port 443, TCP/SYN, Layer 7 attacks. After the SYN-protection box: TCP port 80, TCP port 443, Layer 7 attacks. After the reverse proxy/cache: legitimate TCP requests.]

‣ Have your provider filter everything except TCP port 80/443

‣ Buy a box that has good SYN protection (1 million PPS+)

‣ Use a reverse proxy and/or cache array
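The three layers above, written out as configuration you can run on the web host itself. This is an added example and not the deck's own material: the provider filter is expressed as an nftables default-deny ruleset on the host, the SYN-protection appliance is replaced by the Linux kernel's SYN cookies (a host-side substitute, not a million-PPS box), and the reverse proxy/cache is nginx with a page cache and a per-client request limit. The function names (edge_ruleset, syn_sysctl, proxy_conf, apply_all) and every numeric value (backlog size, cache size, 20 requests/second) are this example's assumptions, starting points to tune rather than measured figures.

```shell
#!/bin/sh
# Added example, not part of the deck: the "simple layered approach" as
# host-side configuration. Function names and all numbers are assumptions.

# Layer 1: default deny. Only new TCP connections to 80/443 get in; UDP,
# ICMP and every other port are dropped before they reach a socket.
edge_ruleset() {
  cat <<'EOF'
table inet edge {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    # IPv6 neighbour discovery has to survive a default-deny policy
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    tcp dport { 80, 443 } ct state new accept
  }
}
EOF
}

# Layer 2: SYN cookies stop half-open connections from exhausting the
# listen backlog; fewer SYN-ACK retries free resources sooner.
syn_sysctl() {
  cat <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 65536
net.ipv4.tcp_synack_retries = 2
EOF
}

# Layer 3: nginx in front of the origin (assumed on 127.0.0.1:8080),
# serving hot pages from cache and rate-limiting each client address so a
# single bot cannot keep the CPU-heavy backend busy. Keep the limit loose:
# 20 r/s with a burst of 40 is a starting point, not a measured value.
proxy_conf() {
  cat <<'EOF'
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=edge:64m max_size=2g inactive=10m;
limit_req_zone $binary_remote_addr zone=perip:16m rate=20r/s;
server {
    listen 80;
    location / {
        limit_req zone=perip burst=40 nodelay;
        proxy_cache edge;
        proxy_cache_valid 200 301 302 5m;
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
        proxy_pass http://127.0.0.1:8080;
    }
}
EOF
}

# Validate each piece before applying it. Needs root; stops at the first error.
apply_all() {
  edge_ruleset | nft -c -f - || return 1              # syntax check only
  edge_ruleset | nft -f - || return 1
  syn_sysctl > /etc/sysctl.d/60-syn.conf || return 1
  sysctl -p /etc/sysctl.d/60-syn.conf || return 1
  proxy_conf > /etc/nginx/conf.d/edge.conf || return 1
  nginx -t && nginx -s reload
}

# Review the generated config first:  edge_ruleset; syn_sysctl; proxy_conf
# Then, as root:                      apply_all
```

Two caveats a practitioner would check before applying this. Dropping all ICMP on the host also drops the "fragmentation needed" messages that path MTU discovery relies on, which the deck's provider-side filter avoids because the carrier, not the host, holds that policy; if you see stalled large responses, allow `icmp type destination-unreachable`. And `limit_req` counts requests per address, so many users behind one NAT gateway look like a single busy client; watch the nginx error log for `limiting requests` entries from addresses you recognise as legitimate before tightening the rate.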

Page 10:

ONLINE DEMO