Don't get DDoSed and Confused
Patrick Sullivan, Akamai (slide transcript, via pspinfo.us)
©2015 AKAMAI | FASTER FORWARDTM
Agenda
• Intro/Data Collection
• DDoS Basics
• Trends and Statistics
• Adversarial Groups/Motivations
• Defense
Avoid data theft and downtime by extending the
security perimeter outside the data-center and
protect from increasing frequency, scale and
sophistication of web attacks.
Akamai has unique insight into Web/DDoS Traffic
1. Akamai Web Platform (WAF on edge servers): Akamai's Edge carries ~20 Tbps of Web traffic at steady state, with bursts to 30+ Tbps
2. FAST DNS Authoritative DNS Solution (DNS servers)
3. Prolexic BGP-Based DDoS Mitigation (scrubbing centers)
4. Akamai Customer Base
• 98 of top 100 Commerce Sites
• All Branches of the US Military
• All Agencies of the US Gov't
• 10 of top 10 Banks
• 30 of top 30 Media Sites
• 10 of top 10 Asset Managers
• 10 of top 10 P&C Companies
• 8 of top 10 Auto Manufacturers
Akamai Security Center: Cloud Security Intelligence (new in Q1 2015)
• Visibility: 15 to 30 percent of global Web traffic
• Data: 20 TB of daily attack data; 4 PB / 45 days stored
CISSP Refresher
Availability
What: Site Unavailable, Unresponsive, Unresolvable
How: DDoS (Packet flooding, HTTP request flooding)
Integrity
What: Site Defacement, Hosting Malware, DNS Zone Hijacking
How: Injection, Social Engineering
Confidentiality
What: Data Breach, Session Hijacking, Account Hijacking
How: Injection, Social Engineering, Brute-force login checking
How we/attackers think of DDoS
[Diagram: the public Internet and ISP link feeding a data center; users (good/bad) arrive through the DMZ with IPS/IDS, a load balancer and name servers in front of the web tier, a VPN concentrator serving remote offices, and a relational database at the back]
DDoS Techniques
• Protocol Level Flooding
  • Reflection/Amplification attacks dominate this type of attack
• Web Application (Layer 7)
  • More subtle
  • Targeting more fragile Web/Database resources
Transport Layer Protocol Abuse: Fun with TCP
There are many variations of TCP Handshake Abuse.
Normal handshake: SYN -> SYN-ACK -> ACK
SYN flood: SYN x 100 -> SYN-ACK x 100 -> SYN -> ????? (the final ACKs never arrive, so the server is left holding half-open connections)
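To make the half-open-connection problem concrete, here is a small added model (not code from the deck or from Akamai) of a listening socket under the SYN x 100 scenario above. The backlog size, the keyed-hash cookie construction and the 60-second cookie window are simplifying assumptions made for the example. Without SYN cookies every unanswered SYN-ACK occupies a backlog slot until the queue is full and a legitimate client is turned away; with SYN cookies the server stores nothing per SYN and instead validates the returning ACK by recomputing the cookie.

```python
"""Model of a TCP listener under a SYN flood, with and without SYN cookies."""
import hashlib
import hmac

# Constructed illustration for the handshake-abuse slide; not code from the deck.
# Backlog size, cookie construction and the 60-second cookie window are
# simplifying assumptions, not a description of any particular kernel.


class Listener:
    """A listener must remember every half-open (SYN seen, no ACK yet) peer,
    unless SYN cookies let it encode that state in the ISN it sends back."""

    def __init__(self, backlog, syn_cookies=False, secret=b"demo-secret"):
        self.backlog = backlog          # half-open entries we are willing to hold
        self.syn_cookies = syn_cookies
        self.secret = secret
        self.half_open = {}             # (src_ip, src_port) -> ISN sent in the SYN-ACK
        self.established = set()
        self.dropped_syns = 0

    def _cookie(self, src, minute):
        # Stateless ISN: keyed hash over the peer and a coarse timestamp, 32 bits.
        msg = "{}:{}:{}".format(src[0], src[1], minute).encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src, now):
        """Handle a SYN. Returns the ISN put in the SYN-ACK, or None if dropped."""
        isn = self._cookie(src, int(now // 60))
        if self.syn_cookies:
            return isn                  # nothing stored: the cookie itself is the state
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1      # backlog exhausted: legitimate SYNs are dropped too
            return None
        self.half_open[src] = isn
        return isn

    def on_ack(self, src, acked_isn, now):
        """Handle the final ACK. Returns True when the connection is established."""
        if self.syn_cookies:
            minute = int(now // 60)
            valid = {self._cookie(src, minute), self._cookie(src, minute - 1)}
            ok = acked_isn in valid     # recompute instead of looking up stored state
        else:
            ok = self.half_open.pop(src, None) == acked_isn
        if ok:
            self.established.add(src)
        return ok


def simulate(syn_cookies, flood_syns=100, backlog=64):
    """SYN x 100 from spoofed addresses that never ACK, then one legitimate client."""
    lst = Listener(backlog=backlog, syn_cookies=syn_cookies)
    now = 1_000_000.0
    for i in range(flood_syns):
        # Spoofed sources: the SYN-ACKs go nowhere useful and no ACK comes back.
        lst.on_syn(("203.0.113.{}".format(i % 250), 40000 + i), now)
    legit = ("198.51.100.7", 51515)
    isn = lst.on_syn(legit, now + 1.0)
    connected = isn is not None and lst.on_ack(legit, isn, now + 1.1)
    return {
        "half_open": len(lst.half_open),
        "dropped_syns": lst.dropped_syns,
        "legit_connected": connected,
    }


if __name__ == "__main__":
    print("without SYN cookies:", simulate(syn_cookies=False))
    print("with SYN cookies:   ", simulate(syn_cookies=True))
```

The two-minute acceptance window is what lets a slow but honest client complete the handshake across a cookie rotation; real implementations also fold the peer's MSS into the cookie, which this model omits.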
Network Layer Attacks: Reflection + Amplification Attacks
[Diagram: a CHARGEN attack script sends 1 Mbps of Character Generator requests to a vulnerable server, with the source address spoofed to a.b.c.d (the address doesn't matter: this is UDP, so he will spoof it); the vulnerable server answers the spoofed address with 360 Mbps of CHARGEN output. Addresses shown on the slide: a.b.c.d and 10.1.10.128]
Case Study: NTP Reflection Attacks
• 500x return rate in traffic
• >100 Gbps attack traffic against origin
• 1,000+ increase in hits per second against origin
Attack vector: a request with the spoofed source IP of the target server is sent to a vulnerable NTP server that allows the monlist function. The NTP server replies back to the target IP, direct to origin, at massive scale.
[Chart: NTP Reflection used in attack (Source/Target in Asia); columns Start, End, Infrastructure (Gbps), authDNS (Mpps), DNS Reflection (Mpps), Web (Gbps); the individual data labels are not recoverable from the transcript]
21+ day campaign against a single customer
• 39 distinct attacks targeting applications and DNS infrastructure
• Eight attacks >100 Gbps, including a record 320 Gbps attack
So many Amplification vectors for an attacker to choose from... Most select several.
Source: US-CERT.gov
DDoS: Attackers find various bottlenecks to target
Internet Pipe -> Firewall -> IPS -> Load Balancer -> Application -> Database
Capacity declines as you move deeper towards the DB.
Attackers are leveraging common IT Mega-Trends
• IoT: we have detected refrigerators participating in DDoS attacks
• Mobile: botnets frequently own mobile devices
• Cloud: cloud-sourced DDoS attacks challenge legacy defenses
DNS Hijack Attacks: Common Tactic for Middle Eastern Attackers
Best Practice: DNS Locks
Client DNS Locks
• clientUpdateProhibited
• clientTransferProhibited
• clientDeleteProhibited
Registrar locks
• serverUpdateProhibited
• serverTransferProhibited
• serverDeleteProhibited
US DoD's DNS hijacked
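A defender can verify the six locks above against what the registry actually reports. The following is an added example (not code from the deck or from Akamai) that reads the status list either from an RDAP domain object, where RFC 9083 spells statuses out ("client transfer prohibited") and RFC 8056 maps them back to the EPP codes on the slide, or from the "Domain Status:" lines of classic whois output. The RDAP fragment, the whois text and the domain name are constructed for the example, not real lookups.

```python
"""Check a domain's lock status codes from RDAP JSON or whois text."""
import json
import re

# Constructed example for the DNS-locks slide; not code from the deck.
# The records below are made up for a placeholder domain, not real lookups.

# The six EPP status codes the slide lists as best practice.
REQUIRED_LOCKS = {
    "clientUpdateProhibited", "clientTransferProhibited", "clientDeleteProhibited",
    "serverUpdateProhibited", "serverTransferProhibited", "serverDeleteProhibited",
}

# RDAP (RFC 9083) uses spelled-out status values; RFC 8056 maps them to EPP codes.
RDAP_TO_EPP = {
    "client update prohibited": "clientUpdateProhibited",
    "client transfer prohibited": "clientTransferProhibited",
    "client delete prohibited": "clientDeleteProhibited",
    "server update prohibited": "serverUpdateProhibited",
    "server transfer prohibited": "serverTransferProhibited",
    "server delete prohibited": "serverDeleteProhibited",
}

# Constructed RDAP response: only the client-side locks are set.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "lock-check.example",
    "status": ["client transfer prohibited", "client delete prohibited",
               "client update prohibited", "active"],
})

# Constructed whois output: all six locks present in "Domain Status:" lines.
SAMPLE_WHOIS = """\
Domain Name: LOCK-CHECK.EXAMPLE
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""


def epp_statuses_from_rdap(rdap_json):
    """EPP status codes present in an RDAP domain object (unknown statuses ignored)."""
    doc = json.loads(rdap_json)
    return {RDAP_TO_EPP[s] for s in doc.get("status", []) if s in RDAP_TO_EPP}


def epp_statuses_from_whois(text):
    """EPP status codes named in 'Domain Status:' lines of whois output."""
    return set(re.findall(r"^Domain Status:\s*([A-Za-z]+Prohibited)\b", text, re.MULTILINE))


def missing_locks(present):
    """Locks from the slide's best-practice list that the record does not show."""
    return REQUIRED_LOCKS - present


def report(present):
    """Short summary, split by the client* and server* families on the slide."""
    missing = sorted(missing_locks(present))
    if not missing:
        return "all six locks present"
    client = [m for m in missing if m.startswith("client")]
    server = [m for m in missing if m.startswith("server")]
    parts = []
    if client:
        parts.append("missing client locks: " + ", ".join(client))
    if server:
        parts.append("missing server locks: " + ", ".join(server))
    return "; ".join(parts)


if __name__ == "__main__":
    print("RDAP:", report(epp_statuses_from_rdap(SAMPLE_RDAP)))
    print("whois:", report(epp_statuses_from_whois(SAMPLE_WHOIS)))
```

Running this check on a schedule, and alerting when a previously present lock disappears, turns the slide's best practice into a detection: a lock that goes missing without a change ticket is an early sign of the account compromise that precedes a hijack.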
In Q2 2015, DDoS attacks were less powerful, but longer and more frequent
Peak DDoS attack size by period (Gbps and Mpps series, values as labelled on the slide's chart):
Period    Gbps   Mpps
2005        11      2
2006        18      8
2007        22     11
2008        39     15
2009        48     29
2010        68     38
2011        79     45
2012        82     69
2013       190    144
2014       320    270
Q1 2015    171     89
Q2 2015    240    214
Traditional DDoS attacks harness the scale of global botnets.
Newer attacks target protocol vulnerabilities to amplify size:
• SNMP (6x)
• DNS (28x-54x)
• CHARGEN (358x)
• NTP (556x)
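The amplification factors above, together with the CHARGEN and NTP monlist slides earlier, describe one traffic shape: many reflectors, one spoofed victim, large response packets. The added example below (not code from the deck or from Akamai) runs that heuristic over constructed flow records and then divides the observed rate by the slide's factor to estimate what the attacker actually had to send upstream. The flow records, the thresholds and the 10-second aggregation window are assumptions made for the example.

```python
"""Spot reflected/amplified UDP floods in flow records; estimate the attacker's true rate."""
from collections import defaultdict

# Constructed example for the reflection/amplification slides; not code from the deck.
# Flow records, thresholds and the 10-second window are assumptions made here.

# UDP source ports a reflected response arrives from, and the factors quoted on
# the slide (DNS's 28x-54x range is taken at its upper bound).
REFLECTOR_PORTS = {19: "CHARGEN", 53: "DNS", 123: "NTP", 161: "SNMP"}
FACTORS = {"SNMP": 6, "DNS": 54, "CHARGEN": 358, "NTP": 556}
WINDOW_SECONDS = 10  # all constructed flows fall inside one 10-second window

# Constructed flow records (not real telemetry). Twelve different NTP servers each
# send 2000 large packets to 192.0.2.10: the look of monlist responses reflected at
# a spoofed victim. Everything else is ordinary traffic to 192.0.2.20.
FLOWS = [
    {"proto": "udp", "src_ip": "203.0.113.{}".format(i), "src_port": 123,
     "dst_ip": "192.0.2.10", "dst_port": 33434, "packets": 2000, "bytes": 2000 * 468}
    for i in range(1, 13)
] + [
    # a resolver answering our own query: one source on a reflector port, small replies
    {"proto": "udp", "src_ip": "198.51.100.53", "src_port": 53,
     "dst_ip": "192.0.2.20", "dst_port": 51000, "packets": 3, "bytes": 3 * 120},
    # a single legitimate NTP time sync: roughly 90 bytes on the wire per packet
    {"proto": "udp", "src_ip": "198.51.100.123", "src_port": 123,
     "dst_ip": "192.0.2.20", "dst_port": 123, "packets": 2, "bytes": 2 * 90},
    # TCP is outside this detector's scope and is ignored
    {"proto": "tcp", "src_ip": "198.51.100.80", "src_port": 80,
     "dst_ip": "192.0.2.20", "dst_port": 52000, "packets": 40, "bytes": 40 * 1400},
]


def estimate_attacker_mbps(observed_mbps, service):
    """Reflected rate divided by the slide's amplification factor for that service."""
    return observed_mbps / FACTORS[service]


def find_reflection_victims(flows, min_reflectors=5, min_avg_bytes=200, window=WINDOW_SECONDS):
    """Aggregate inbound UDP from reflector ports by (victim, service) and flag the
    combination of many distinct senders and large average packets. Legitimate
    NTP/DNS replies come from a few servers and are small; reflected responses
    come from many servers and are large."""
    by_key = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] not in REFLECTOR_PORTS:
            continue
        agg = by_key[(f["dst_ip"], REFLECTOR_PORTS[f["src_port"]])]
        agg["reflectors"].add(f["src_ip"])
        agg["packets"] += f["packets"]
        agg["bytes"] += f["bytes"]

    alerts = []
    for (dst_ip, service), agg in sorted(by_key.items()):
        avg_bytes = agg["bytes"] / agg["packets"]
        if len(agg["reflectors"]) < min_reflectors or avg_bytes < min_avg_bytes:
            continue
        mbps_in = agg["bytes"] * 8 / window / 1e6
        alerts.append({
            "dst_ip": dst_ip,
            "service": service,
            "reflectors": len(agg["reflectors"]),
            "avg_bytes": round(avg_bytes),
            "mbps_in": round(mbps_in, 2),
            # what reached the reflectors from the attacker, per the slide's factor
            "est_attacker_mbps": round(estimate_attacker_mbps(mbps_in, service), 4),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_reflection_victims(FLOWS):
        print(alert)
```

The estimate is the practical point of the factor table: a 9 Mbps reflected NTP flow in this window corresponds to only about 16 kbps sent by the attacker, which is why the slide's 1 Mbps of CHARGEN requests turning into 360 Mbps is routine rather than exceptional, and why source-address filtering (BCP 38) at the reflectors' networks matters more than capacity at the victim.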
DDoS Attack Instances, Q1 2013 - Q2 2015
The number of DDoS attacks has more than doubled compared with Q2 2014, though with slightly smaller attack sizes.
Compared to Q2 2014
• 132% Total DDoS attacks
• 11% Average peak bandwidth
• 77% Average peak volume
• 122% Application layer DDoS attacks
• 134% Infrastructure layer attacks
• 19% Average attack duration
• 100% Total attacks > 100 Gbps
Q2 set a record for the number of DDoS attacks observed over the Akamai Prolexic Routed network, more than doubling the number of attacks observed in Q2 2014.
Mega Attacks > 100 Gbps in Q2 2015
Twelve mega-attacks in Q2 2015 vs. six in Q2 2014. Most targeted Internet/Telecom. Two targeted Gaming.
Mega Attacks > 50 Mpps in Q2 2015
A 214 million packets per second (Mpps) DDoS attack was among the highest ever recorded. Such attacks can take out tier 1 routers, such as those used by Internet service providers (ISPs).
Most Commonly Attacked Verticals – Q1 2015
Top 10 Source Countries for DDoS Attacks in Q2 2015
DD4BC: What to Expect
1. Initial small attack
2. Email ransom demand
   • Payment in bitcoin
   • Increasing ransom over time
3. Claims of capability
   • 400 Gbps attack sizes
   • Bypass DDoS defenses
4. Continued email threats
   • Increasing ransom for countermeasures
DDoS as a Distraction
Multi-Vector Attacks: 2014 Sochi Olympics
• 3.5 Tbps event
• 50% growth in average user connection speed compared to 2012
• More than a million malicious requests blocked
• Multi-vector attacks detected again in 2014
  • Application DDoS
  • RFI
  • Command injection
  • Requests from anonymous proxy
• Attacks again spiked during major events
  • Opening ceremonies
  • Hockey semi-final (US v. Canada)
Large March 2014 Attack: Target was a European media company
• Blended attack, significant NTP traffic
• DDoS start: 8 Mar 2014 13:52:00 UTC
• DDoS stop: 9 Mar 2014 02:00:00 UTC
• Peak bps: 200+ Gbps
• Peak pps: 65 Mpps
• 2 hosts targeted on random UDP/TCP/ICMP ports
BroBot: Advanced Attacker Evades Common DDoS Services
Attack IPs changing every ~10 minutes
• Banking site real-time Kona security dashboard view
• Blocking ~18M HTTPS attacks per minute
• Attacker requesting URLs with a heavy compute burden (search, login, ATM locator)
• Source IPs are frequently cloud servers
  • Commandeered using vulnerabilities in well-known CMSs
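The BroBot pattern above (and the "more subtle" Layer 7 attacks on the DDoS Techniques slide) is invisible to bandwidth thresholds: the request volume is modest, the cost is in the endpoints being hit. The added example below (not code from the deck, Akamai or the Kona dashboard) counts requests to compute-heavy paths per source per 10-minute window over a constructed access log, flags sources over a budget, and shows the rotation between addresses that the slide describes. Log lines, paths, addresses and the threshold are assumptions made for the example.

```python
"""Flag sources hammering compute-heavy URLs, per 10-minute window, from access logs."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed example for the BroBot slide; not code from the deck or from Akamai.
# Log lines, paths, addresses and the budget are assumptions made here.

EXPENSIVE = {"/search", "/login", "/atm-locator"}   # endpoints the slide calls out
WINDOW = timedelta(minutes=10)

# Combined-log-format line; the query string is split off the path so that
# /search?q=1 and /search?q=2 count against the same endpoint.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>[^\s?]+)(?:\?\S*)? \S+" (?P<status>\d{3}) \d+'
)


def _fmt(ts):
    return ts.strftime("%d/%b/%Y:%H:%M:%S +0000")


def build_log():
    """Constructed log: three sources, each active for one window, plus one real user."""
    base = datetime(2014, 3, 8, 13, 50, 0, tzinfo=timezone.utc)
    lines = []
    attackers = ["203.0.113.10", "203.0.113.77", "203.0.113.201"]
    paths = sorted(EXPENSIVE)
    for w, ip in enumerate(attackers):
        for i in range(150):                     # 150 expensive hits in its 10 minutes
            ts = base + w * WINDOW + timedelta(seconds=4 * i)
            path = paths[i % 3] + ("?q=%d" % i if paths[i % 3] == "/search" else "")
            lines.append('%s - - [%s] "GET %s HTTP/1.1" 200 5120' % (ip, _fmt(ts), path))
    for i in range(5):                           # a customer doing a few searches
        ts = base + timedelta(minutes=7 * i)
        lines.append('198.51.100.25 - - [%s] "GET /search?q=branch HTTP/1.1" 200 8192'
                     % _fmt(ts))
    return lines


def parse(line):
    """(ip, timestamp, path) for a parseable line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")


def expensive_hits_per_window(lines, window=WINDOW):
    """Counter of (window_start, ip) -> requests to expensive paths in that window."""
    counts = Counter()
    size = int(window.total_seconds())
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, path = rec
        if path not in EXPENSIVE:
            continue
        epoch = int(ts.timestamp())
        wstart = datetime.fromtimestamp(epoch - epoch % size, tz=timezone.utc)
        counts[(wstart, ip)] += 1
    return counts


def flag(lines, threshold=100):
    """[(window_start, ip, hits)] for sources that exceed the per-window budget."""
    return sorted((w, ip, n) for (w, ip), n in expensive_hits_per_window(lines).items()
                  if n >= threshold)


def rotation_summary(flags):
    """Distinct flagged sources per window: shows the attacker moving between addresses."""
    per_window = defaultdict(set)
    for w, ip, _ in flags:
        per_window[w].add(ip)
    return {w: sorted(ips) for w, ips in per_window.items()}


LOG = build_log()

if __name__ == "__main__":
    for w, ip, n in flag(LOG):
        print(w.isoformat(), ip, n)
```

Because each address is only used for one window, blocking flagged IPs lags the attacker by a window; the durable control is the budget itself (ideally weighted by endpoint cost), since it holds regardless of which address the next window comes from.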
QCF Later Stages of Campaign: Targeting small regional banks and credit unions
Case Study: Augusta County Public Schools
• Augusta County's Education IT team mission:
  • Provide IT support for 20+ schools and manage 7,500+ devices
• Challenge:
  • Persistent DDoS attacks impact the ability to deliver uninterrupted access to government-mandated SOL testing
  • SOL testing impacts grades and graduation eligibility for students
• Solution:
  • Akamai's Prolexic Routed cloud-based DDoS protection
Georgia High School Case Study: Sept 2015
• School system experiences daily DDoS attacks, disrupting students' and parents' confidence in the school's ability to deliver IT services
• SOL systems are at risk, which is a huge concern for school administrators
• Akamai Enterprise Security Architect (ESA) goes on site to speak with the school IT team
• UDP flood on port 80 is observed
• Akamai ESA directs the customer to review web logs; students were observed visiting DDoS-as-a-Service sites and kicking off attacks
• Logs identified which students were logged onto machines at the time of the visits to stressor websites
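The last bullet is a log-correlation task: join each proxy hit to a watchlisted host with whichever logon session covered that machine at that moment. The added example below (not code from the deck or from Akamai) does exactly that over constructed proxy and logon/logoff records; the log formats, the placeholder watchlist hostnames, the addresses and the usernames are all assumptions made for the example. A hit that falls in no session is returned with user None, which is itself a finding (shared account, unattended machine, clock skew or a missing logon event) rather than something to silently drop.

```python
"""Attribute proxy hits on watchlisted hosts to the user logged on at the time."""
from collections import defaultdict
from datetime import datetime

# Constructed example for the Georgia school case study; not code from the deck.
# Log formats, watchlist hostnames, addresses and usernames are made up.

# Hostnames the administrator keeps on a watchlist (placeholders, not real services).
STRESSER_WATCHLIST = {"stresser-one.example", "booter-two.example"}

# Constructed proxy log: timestamp, client IP, destination host.
PROXY_LOG = """\
2015-09-14T09:30:12 10.20.1.15 stresser-one.example
2015-09-14T09:31:40 10.20.1.15 www.example.edu
2015-09-14T09:50:05 10.20.1.15 booter-two.example
2015-09-14T10:12:33 10.20.1.15 booter-two.example
2015-09-14T10:13:01 10.20.1.42 stresser-one.example
"""

# Constructed logon/logoff events from lab machines: timestamp, event, machine IP, user.
LOGON_LOG = """\
2015-09-14T09:00:00 logon 10.20.1.15 student_a
2015-09-14T09:45:00 logoff 10.20.1.15 student_a
2015-09-14T10:00:00 logon 10.20.1.15 student_b
2015-09-14T09:05:00 logon 10.20.1.42 student_c
2015-09-14T11:00:00 logoff 10.20.1.15 student_b
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def build_sessions(logon_text):
    """Per-machine list of (start, end, user); a session still open gets end=None."""
    open_by_machine = {}
    sessions = defaultdict(list)
    # ISO timestamps sort lexicographically, so sorting lines puts events in time order.
    for line in sorted(logon_text.splitlines()):
        ts, event, machine, user = line.split()
        t = parse_ts(ts)
        if event == "logon":
            open_by_machine[machine] = (t, user)
        elif event == "logoff" and machine in open_by_machine:
            start, u = open_by_machine.pop(machine)
            sessions[machine].append((start, t, u))
    for machine, (start, user) in open_by_machine.items():
        sessions[machine].append((start, None, user))
    return sessions


def user_at(sessions, machine, t):
    """User whose session on `machine` covers time t, or None if nobody was logged on."""
    for start, end, user in sessions.get(machine, []):
        if start <= t and (end is None or t < end):
            return user
    return None


def attribute_hits(proxy_text, logon_text, watchlist=STRESSER_WATCHLIST):
    """[(timestamp, machine, host, user_or_None)] for every hit on a watchlisted host."""
    sessions = build_sessions(logon_text)
    hits = []
    for line in proxy_text.splitlines():
        ts, machine, host = line.split()
        if host not in watchlist:
            continue
        hits.append((ts, machine, host, user_at(sessions, machine, parse_ts(ts))))
    return hits


if __name__ == "__main__":
    for hit in attribute_hits(PROXY_LOG, LOGON_LOG):
        print(hit)
```

Keying sessions by machine IP assumes static addressing; with DHCP the logon records would first need to be joined to lease data so that the same address is not attributed to two machines over the day.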
How do you defend from these attacks?
• Architecture
• Knowledge of Attack Trends
• A Plan
Potential Architectures for Defending from DDoS
[Diagram, shown across two consecutive slides: the data center connected through a transit network to multiple ISPs]
DDoS Mitigation Success: 5 Points To Take Away
1. You need data, to derive intelligence on current and evolving threats.
2. Scale, availability and resilience, to be high performing, take the punches, and stay online.
3. A plan, to understand how to respond to bad-day scenarios.
4. Control and flexibility, to adapt your defenses dynamically.
5. People and experience, to execute every time you come under attack.