Distributed Denial of Service Deep Dive - Cloud Computing

Distributed Denial of Service Deep Dive Akamai’s Observations on DDoS Attacks and Defending Against Them

Transcript of Distributed Denial of Service Deep Dive - Cloud Computing

Distributed Denial of Service – Deep Dive: Akamai’s Observations on DDoS Attacks and Defending Against Them

©2011 Akamai Powering a Better Internet

The Akamai Cloud: Largest Distributed Computing Platform in the World

• 77,000+ Servers

• 1,600+ Locations

• 1100 Networks

• 70 Countries

• All branches of the US Military

• 85 of the top 100 online retailers

• 9 of the top 10 virus companies

• 29 of the top 30 M&E companies

• 4.5+ Tbps, 15-25% of web traffic

• 10+ Million transactions per second


Threats

Extortion and For Profit

• Gambling, Commerce, Global Brands

• Used to hide or delay response to other attacks

Show Offs and Traditional Hackers

• 17 yr old brings down Playstation Website

Political Objection/Hacktivism

• Anonymous/Wikileaks, Opt-In Botnets

State Sponsored

• 2007 Estonia: 100Mbps[1]

• 2007 Georgia: 814Mbps[1]

• 2009 United States: 200Gbps[2]

$50-$200 Botnet subscriptions!


Opt-In….

It’s as easy as hitting a website


Threats: 17-Year-Olds?

Source: http://www.escapistmagazine.com/


Types of Attacks

Bandwidth flood

• Getting more sophisticated

• Geographically centralized based on language

• New types - round-robin

Asymmetric

• Smaller bandwidth requests resulting in large processing requirements

• Images and movies

• Documents (.doc .pdf .xls)

• Downloadable software

Request Floods w/ Malformation

Layer 7 Hacks

Infrastructure — DNS, Firewalls, Mail Servers, Net Interfaces, etc

Slowloris and Slow HTTP POST
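The last item on this slide, Slowloris and slow HTTP POST, is the attack class where a small number of clients hold connections open by sending headers or body bytes very slowly, exhausting the server's connection pool rather than its bandwidth. The server-side countermeasure is a policy on request progress: a cap on how long a client may take to finish its request headers, and a minimum body transfer rate once the headers are in (this is the approach taken by modules such as Apache's mod_reqtimeout). The following is an added example, not code from the Akamai deck; the monitor class, its thresholds (20 s header timeout, 500 B/s body minimum, 5 s grace) and the five constructed connections are assumptions chosen to illustrate the policy.

```python
"""Slow-HTTP (Slowloris / slow POST) connection auditing.

Added example, not code from the Akamai deck. Models the server-side policy
that mitigates the "Slowloris and Slow HTTP POST" attack class: bound the time
a client may take to finish request headers, and require a minimum body
transfer rate once headers are complete. Thresholds and events are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Conn:
    opened_at: float                        # when the TCP connection was accepted
    header_done_at: Optional[float] = None  # when the request headers completed
    content_length: int = 0                 # declared body size (0 for no body)
    body_bytes: int = 0                     # body bytes received so far


class SlowHttpMonitor:
    """Tracks per-connection progress and flags connections that starve the server."""

    def __init__(self, header_timeout: float = 20.0,
                 body_min_rate: float = 500.0, body_grace: float = 5.0):
        self.header_timeout = header_timeout  # seconds allowed to finish headers
        self.body_min_rate = body_min_rate    # bytes/second required for the body
        self.body_grace = body_grace          # seconds before the rate is enforced
        self.conns: Dict[str, Conn] = {}

    def opened(self, cid: str, t: float) -> None:
        self.conns[cid] = Conn(opened_at=t)

    def headers_complete(self, cid: str, t: float, content_length: int = 0) -> None:
        c = self.conns[cid]
        c.header_done_at = t
        c.content_length = content_length

    def body_received(self, cid: str, nbytes: int) -> None:
        self.conns[cid].body_bytes += nbytes

    def audit(self, now: float) -> Dict[str, str]:
        """Return {conn_id: reason} for connections that should be closed."""
        verdicts: Dict[str, str] = {}
        for cid, c in self.conns.items():
            if c.header_done_at is None:
                # Slowloris pattern: header bytes trickle in but never finish.
                if now - c.opened_at > self.header_timeout:
                    verdicts[cid] = "header-timeout"
                continue
            if c.body_bytes >= c.content_length:
                continue  # request fully received; nothing to enforce here
            elapsed = now - c.header_done_at
            # Slow POST pattern: a large Content-Length delivered a few bytes at a time.
            if elapsed > self.body_grace and c.body_bytes / elapsed < self.body_min_rate:
                verdicts[cid] = "slow-body"
        return verdicts


def demo() -> Dict[str, str]:
    """Constructed scenario: five connections observed over 30 seconds."""
    m = SlowHttpMonitor()
    # c1: normal POST, headers and 1000-byte body arrive within half a second
    m.opened("c1", 0.0)
    m.headers_complete("c1", 0.2, content_length=1000)
    m.body_received("c1", 1000)
    # c2: Slowloris pattern, opened at t=0 and headers never complete
    m.opened("c2", 0.0)
    # c3: slow POST pattern, 100 KB declared but only 20 bytes delivered in ~29 s
    m.opened("c3", 0.0)
    m.headers_complete("c3", 1.0, content_length=100_000)
    m.body_received("c3", 20)
    # c4: just opened at t=25, still inside the header timeout
    m.opened("c4", 25.0)
    # c5: large but healthy upload, 600 KB of 1 MB delivered in 28 s
    m.opened("c5", 0.0)
    m.headers_complete("c5", 2.0, content_length=1_000_000)
    m.body_received("c5", 600_000)
    return m.audit(now=30.0)


if __name__ == "__main__":
    print(demo())  # {'c2': 'header-timeout', 'c3': 'slow-body'}
```

The grace period matters: enforcing the body rate from the first second would misclassify a legitimate client whose first packet is simply delayed, so the rate is only applied once enough time has passed for the average to be meaningful.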


[Chart: Peak Attack Traffic per year; y-axis Attack Size — Gbps (0 to 125); x-axis 2001 to 2010]

Plotted values in order, 2001 to 2010 (Arbor Networks): 0.4, 1.2, 2.5, 5, 10, 17, 24, 40, 49, 100 Gbps

Akamai (Jul 4, 2009): 124 Gbps


[Diagram: Web Site Without Akamai; End User connects directly to the Origin Datacenter; traffic axis 1 to 10,000]


[Diagram: Web Site Without Akamai; End User traffic hits the Origin Datacenter directly; traffic axis 1 to 10,000]

Any number of origin systems overloaded!


[Diagram: Web Site With Akamai; End User traffic is served at the Akamai Edge in front of the Origin Datacenter; traffic axis 1 to 10,000]

Origin offloaded to the Akamai Edge


[Diagram: Web Site with Akamai Site Shield; End User reaches Akamai Site Shield, which reaches the Origin Datacenter over a Trusted Connection; traffic axis 1 to 10,000]

Defend and cloak your origin


[Diagram: Web Site with Akamai Web Application Firewall; End User reaches the Akamai Edge and Site Shield, which reaches the Origin Datacenter over a Trusted Connection; traffic axis 1 to 10,000]

Extend a layer 7 defense perimeter to the Akamai Edge!

Filters SQL Injections, Cross Site Scripting, Other HTTP attacks


[Diagram: Web Site with Akamai EDNS (and DNS Sec); End User resolves through Akamai DNS Servers, then reaches Akamai Site Shield and the Origin Datacenter over a Trusted Connection; traffic axis 1 to 10,000]

Secure, scalable, and available: Enhanced DNS


The Largest DDoS Ever Recorded: July 4th 2009 US Gov’t Targeted and Protected

Few common attackers between spikes. Only 4,284 IP’s shared across all spikes.

125 Gb/sec Peak Bandwidth

795,000 page views a second

98,000 Unique IP’s in 30 minutes

300,000 total unique IP’s

Top Targets        Peak Traffic   Times Above Normal Traffic

US Government 1    124 Gbps       598x

US Government 2    32 Gbps        369x

Financial 1        26 Gbps        110x

US Government 3    9 Gbps         39x

US Government 4    9 Gbps         19x

US Government 5    2 Gbps         9x

US Government 6    1.90 Gbps      6x

US Government 7    0.73 Gbps      *


DDoS Profile — US Government

Target: US Government Web sites

Date: July 4-7, 2009

Peak Traffic: 125 Gbps

Peak Overage: 598 x normal

Primary Origin: South Korea

Duration: 11 Hours

Downtime: 0 Hours, 0 Minutes

Mitigation:

• Acceleration/Caching

• Global Traffic Management

• IP/CIDR Blocking

[Chart: Attack Size — Gbps (0 to 125) over time, 08:00 July 4, 2009 through 16:00 July 5, 2009, showing Spike 1, Spike 2 and Spike 3 with Unique IPs overlaid]

Few common attackers across spikes. Only 4,284 common IPs

Timeline (July 4 to 5, 2009):

16:00 Customer notified

20:00 Attack grows rapidly

21:00 Akamai identifies sources

23:00 Mitigation measures engaged

23:50 Peak pageviews

0:30 Korean traffic blocked

9:30 Korean traffic quarantined


Holiday Season 2010

Coordinated DDoS Attacks: Attacked eCommerce Web Sites Protected by Akamai

PROTECTED

Customer          Times Above Normal Traffic   Peak Attack Time (GMT)

US Customer #1    9,095x                       11/30 2PM

US Customer #2    5,803x                       12/1 2PM

US Customer #3    3,115x                       11/30 2PM

US Customer #4    2,874x                       12/1 1PM

US Customer #5    1,807x                       12/1 1PM

Highly distributed international DDoS attacks from Asia-Pac, South America and Middle East

[Chart: attack traffic over time for Customer 1, Customer 2 and Customer 3]

$15 Million in lost revenues AVOIDED!


PROTECTED

One Customer, Different DDoS Attacks: Attacked Top IR150 eCommerce Web Site Protected by Akamai

Attack      Times Above Normal Pages   Peak Attack Time

Attack #1   300x                       Nov 18, 2010

Attack #2   35x                        Jan 14, 2011

Attack #1 – Highly distributed, no recognizable pattern

Attack #2 – Highly distributed, concentration from Eastern Europe – Russian Federation, Greece, Ukraine, Belarus, Latvia, Kazakhstan

Peak DDoS traffic of 300 Mbps

[Chart: attack traffic over time for Attack #1 and Attack #2]

Estimated Potential Lost Revenue Impact = $350,000


PROTECTED

Fortune 1000 Electronics Manufacturer: Multiple Web Site Attacks - Protected by Akamai

Site                   Times Above Normal Pages   Peak Attack Time

eCommerce              6x                         Jan 17

Account Mgmt           14x                        Jan 17

Online Interactivity   51x                        Jan 17

Highly distributed DDoS attacks from South America (Brazil & Mexico) and Asia-Pac (Thailand)

Browsers – Opera, Firefox 2.0, 3.0

Operating Systems – X11 Linux, Symbian

Peak DDoS Traffic of 100 Mbps

[Chart: attack traffic over time for eCommerce, online interactivity and account mgmt]

Estimated Potential Lost Revenue Impact = $140K

Estimated Unique Customers Impacted = 375,000


Two International Gov’t Sites: DDoS available to the masses for protest

PROTECTED

Site      Times Above Normal Pages   Peak Attack Time

Site #1   215x                       Dec 21st, 2010

Site #2   225x                       Dec 21st, 2010

In country, opt-in attack using LOIC

Requests for abnormally long URL query strings

Peak DDoS Traffic of 550 Mbps

Estimated Citizens Viewing Available Web Site = 8,000


Akamai Unveils New Architecture for DDoS

IP Blocking & Rate Control: IP blocking & rate limiting capabilities at network layer

Web Application Firewall: Web application firewalling at Layer 7 (application layer)

eDNS w/DNSSEC: Scalable protection for Domain Name System (DNS) attacks

Global Traffic Management: Blocking of traffic by geographic region

User Validation: Identification of suspected BOTs from real users to de-prioritize or block

Site Shield: Ability to cloak web infrastructure from the Internet

DoS Readiness: DDoS specialists to assess infrastructure and develop a run-time playbook

Customer Support: 24/7 support with a response SLA

Advanced Caching, NetStorage + Failover: Akamai’s edge absorbs traffic and can failover

Fee Protection: Capped exposure to bursting fees related to an attack
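The first two controls in this architecture, IP/CIDR blocking and rate control at the network layer, are the same ones the profile slides credit with ending the July 2009 attack ("IP/CIDR Blocking") and the request-shape signal from the government-site case ("Requests for abnormally long URL query strings") is what a Layer 7 filter keys on. The following added example, not Akamai's code, shows the three checks applied in order to a constructed access log: a CIDR blocklist, a per-client sliding-window request budget, and a query-string length limit. The log line format, the thresholds (20 requests per 10 s, 512-byte query limit), the blocked range 203.0.113.0/24 and the client addresses are all assumptions; the addresses come from the documentation ranges reserved for examples.

```python
"""Edge-style request filtering: CIDR blocklist, per-IP sliding-window rate
control, and a request-shape check for abnormally long query strings.

Added example, not Akamai's code. Log format, thresholds and addresses are constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed log format: <epoch-seconds> <client-ip> "<method> <target> <version>"
LINE_RE = re.compile(
    r'^(?P<ts>\d+(?:\.\d+)?) (?P<ip>\S+) "(?P<method>\S+) (?P<target>\S+) (?P<ver>[^"]+)"$'
)


class EdgeFilter:
    """Decides allow / throttle / block for each request, cheapest check first."""

    def __init__(self, blocked_cidrs: List[str], max_req_per_window: int = 20,
                 window_s: float = 10.0, max_query_len: int = 512):
        self.blocked = [ipaddress.ip_network(c) for c in blocked_cidrs]
        self.max_req = max_req_per_window      # requests allowed per client per window
        self.window = window_s                 # sliding window length in seconds
        self.max_query_len = max_query_len     # longest query string accepted
        self.history: Dict[str, Deque[float]] = defaultdict(deque)

    def decide(self, ts: float, ip: str, target: str) -> str:
        addr = ipaddress.ip_address(ip)
        # 1. Network-layer block: the source is in a blocked prefix.
        if any(addr in net for net in self.blocked):
            return "block:cidr"
        # 2. Layer 7 shape check: abnormally long query string.
        if len(urlsplit(target).query) > self.max_query_len:
            return "block:long-query"
        # 3. Rate control: count this client's requests in the trailing window.
        q = self.history[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.max_req:
            return "throttle:rate"
        return "allow"


def parse_line(line: str) -> Optional[Tuple[float, str, str]]:
    m = LINE_RE.match(line)
    if not m:
        return None
    return float(m["ts"]), m["ip"], m["target"]


def run(lines: List[str], flt: EdgeFilter) -> Counter:
    """Apply the filter to each line and tally the decisions."""
    counts: Counter = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            counts["unparsed"] += 1
            continue
        counts[flt.decide(*parsed)] += 1
    return counts


def build_sample_log() -> List[str]:
    """Constructed traffic: one normal client, one blocked prefix, one long query, one flood."""
    base = 1293905400.0  # arbitrary epoch base for the constructed timestamps
    lines = []
    for i in range(3):   # 198.51.100.7: three ordinary page views
        lines.append(f'{base + i * 2:.1f} 198.51.100.7 "GET /products?page={i} HTTP/1.1"')
    lines.append(f'{base + 1:.1f} 203.0.113.9 "GET / HTTP/1.1"')           # inside blocked CIDR
    long_q = "A" * 600
    lines.append(f'{base + 1.5:.1f} 192.0.2.50 "GET /search?q={long_q} HTTP/1.1"')  # oversized query
    for i in range(25):  # 192.0.2.77: 25 hits in 5 seconds, over the 20-per-10s budget
        lines.append(f'{base + i * 0.2:.1f} 192.0.2.77 "GET /checkout HTTP/1.1"')
    return lines


def demo() -> Counter:
    flt = EdgeFilter(blocked_cidrs=["203.0.113.0/24"], max_req_per_window=20,
                     window_s=10.0, max_query_len=512)
    return run(build_sample_log(), flt)


if __name__ == "__main__":
    print(dict(demo()))  # {'allow': 23, 'block:cidr': 1, 'block:long-query': 1, 'throttle:rate': 5}
```

The order of the checks is deliberate: a prefix lookup costs nothing and needs no state, the query-length check needs only the request line, and the per-client counter is the only stateful step, so the cheapest rejections happen before any memory is spent on the client. In a real deployment the per-IP state would live in the edge tier rather than at the origin, which is the point the architecture slide makes.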


Observations

Attacks are sophisticated

Attacks are long: 3 Day Duration

Attacks are large:

• 300,000+ Attack IPs

• 7+ Billion Total Page Views

• 200+ Tbytes

• Equal to 50 STM16 and 2,500 Servers

Attacks are fast:

• Traffic to a single site reached 100 Gbps in just four hours

Attacks are EXPENSIVE

• $15 Million in 3 days!

Distributed Defenses for Distributed Attacks!