Evolving DDoS Threat and Standards Based Mitigation Techniques
Ken O’Kelly / Sanjay Chohan – Juniper Networks
November 2014
Agenda
• Introduction
• DDoS Evolution
• DDoS Identification
• Network Protection techniques
• BGP Flowspec
• Q & A
SECURITY Represents A Big Problem
• Denial of Service Attacks
• Data stolen
• Web site hacked
• Government snooping
• Passwords cracked
• Laptop stolen
The cost to affected organisations is huge, but what cost to your reputation?
Despite a multi-billion dollar industry, computers continue to be compromised…
What is at stake:
• Money
• Intellectual property
• Records
Targeted Attacks On The Rise
• Targeted, Deliberate, and Expensive
Fact
• 70% of all threats are at the Web application layer [1]
• 70+% of organizations have been hacked in the past 2 years through insecure Web apps [3]
• Yet 66% of breaches took months or more to discover [2]
Business Impact
• Average cost incurred from a successful breach: £5.5m [2]
• Average annual cost incurred from a DDoS attack: £2.1M [3]
Sources: [1] Gartner; [2] 2012 Cost of Cyber Crime Study; [3] Ponemon Institute, 2013
DDoS Attack Vectors
Three categories: VOLUMETRIC, ANYTHING THAT MAKES THE RESOURCES BUSY, and LOW AND SLOW.
Volumetric
• Easy to detect
• Attacks are getting bigger in size
• Frequency of attacks increasing at a moderate rate
Anything that makes the resources busy
• Flash mobs organized via social media
• Overwhelming legitimate requests for tickets for a big event available in a very short period of time
Low and slow
• Growing fast – 25% of attacks in 2013 [1]
• More sophisticated & difficult to detect
• Target back-end weaknesses
• Small volume of requests can take out a large Web site
Source: [1] Gartner
Evolving “LOW and SLOW” Attacks
• SLOWLORIS/PYLORIS/ENDLESS HEADERS
  • Exhausts web server connections by sending HTTP requests with an infinite amount of headers
• DB QUERIES
  • Exhausts web server CPU/resources by repeatedly sending a request that forces the web server to query the database for a large number of objects
• COMMONALITY
  • Does not use a lot of bandwidth; can exhaust web server connections or exhaust CPU/memory.
  • Very difficult to detect in one direction with a “signature”
  • Signature involves URL or payload – what if the URL changes?
  • Signature can involve header – what if the headers change?
[Chart: Classification of Attacks on Companies in 2013. Categories shown: Don’t know/not sure, Multi-vector, Applications, Volumetric; values shown on the chart: 14%, 37%, 42%, 44%]
Base: 59 US and UK IT decision-makers at 500+ employee companies that have been hit by a DDoS or DNS-based attack within the last year
Source: “DNS Security Study”, a commissioned study conducted by Forrester Consulting on behalf of Verisign, July, 2013
Approaches To DDoS Protection
Legacy In-House Techniques
• Technology and expertise may not be current
• Only works for certain types of attacks (low-level or network-level attacks)
ISP Solutions
• Network-dependent
• Attack type mitigation can be limited
• Niche elements of Internet infrastructure management are not core expertise
Cloud-Based Services
• ISP-neutral solution provides global coverage
• Reduced operational cost & bandwidth investment due to cloud-based model
• Multi-layer filtering that can identify and block complex, multi-vector attacks including the application layer
Approaches To DDoS Protection, continued
Hybrid: On-Premises Hardware + Cloud
• Always-On hybrid mitigation
• Lower operational overhead and cost by performing the critical steps needed to manage mitigation of attacks
• Continuous monitoring of inbound and outbound traffic for malicious behavior
• Layered technologies may increase in efficacy compared to alternative solutions
Considerations For Determining Best DDoS Strategy
DDoS protection strategy appropriate for your organisation
• Risk assessment
  • What assets are valuable to the organization?
  • What is the network and application footprint and exposure points?
  • What are the existing protection mechanisms and are they fit for purpose?
  • What is the cost of downtime, unavailability or reputational damage?
  • Is the threat clearly understood by management?
• Response plan
  • Design a solution based on gap analysis and risk assessment
  • Fit for purpose – volumetric and application level defenses
  • Outsource + insource. Get specialist help.
  • Build in proactive defense – threat intelligence and situational awareness
  • Response team – people and process
  • Budget allocation
Where to stop the attack?
Stopping the attacks - what are the requirements?
Solution 1: ACL
• Ease of implementation and uses well understood constructs
• Requires a high degree of co-ordination between Sec-Ops and Net-Ops
• Cumbersome to scale in a large network perimeter
• Mis-configuration possible and expensive
Solution 2: Destination RTBH
• Requires pre-configuration of a discard route on all edge routers
• Monitoring via a separate mechanism identifies the destination of the attack
• Monitoring router injects a discard route for the target prefix
• BGP community used to distribute the discard route
• Routers drop traffic, taking the target completely offline
• The attack achieves its goal (the target is offline), but collateral damage is limited
Solution 3: Source RTBH
• Behavior for match and filtering action defined in RFC 5635
• Requires pre-configuration of a discard route on all edge routers
• Monitoring identifies the source of the attack and injects a discard route
• BGP community used to distribute the discard route
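As an added illustration of Solutions 2 and 3 (this is not configuration from the slides or from Juniper), the following Junos set-style listing shows the pre-configured part on every edge router and the part the monitoring router injects during an attack: the edge routers carry a static discard route for a next-hop taken from TEST-NET-1, as RFC 5635 suggests, plus an import policy that rewrites any /32 tagged with the blackhole community to that next-hop; the trigger router originates the /32 as a static route carrying that community. The community value 65000:666, all addresses, the group name and the interface are assumptions, and the `#` lines are explanatory comments only.

```junos
# ---- Edge routers (every perimeter router): pre-configured, static part ----
# Discard next-hop; 192.0.2.1 is TEST-NET-1 space, used here as RFC 5635 suggests
set routing-options static route 192.0.2.1/32 discard
# Community that marks a blackhole route (assumed value)
set policy-options community RTBH members 65000:666
# Import policy: a /32 learned via iBGP and tagged RTBH gets the discard next-hop
set policy-options policy-statement RTBH-IMPORT term blackhole from protocol bgp
set policy-options policy-statement RTBH-IMPORT term blackhole from community RTBH
set policy-options policy-statement RTBH-IMPORT term blackhole from route-filter 0.0.0.0/0 prefix-length-range /32-/32
set policy-options policy-statement RTBH-IMPORT term blackhole then next-hop 192.0.2.1
set policy-options policy-statement RTBH-IMPORT term blackhole then accept
set protocols bgp group IBGP type internal
set protocols bgp group IBGP local-address 10.255.0.2
set protocols bgp group IBGP import RTBH-IMPORT
set protocols bgp group IBGP neighbor 10.255.0.1
# Source RTBH additionally needs loose uRPF on the edge interface: a packet whose
# source address resolves to the discard next-hop fails the check and is dropped
set interfaces xe-0/0/0 unit 0 family inet rpf-check mode loose

# ---- Trigger (monitoring) router: dynamic part, pushed during an attack ----
# Destination RTBH: the victim's /32 (198.51.100.20 is a constructed example)
set routing-options static route 198.51.100.20/32 discard
set routing-options static route 198.51.100.20/32 community 65000:666
# Source RTBH: the attacking source's /32 instead (203.0.113.7 is constructed);
# same community, so the edge routers handle it with the same import policy
set routing-options static route 203.0.113.7/32 discard
set routing-options static route 203.0.113.7/32 community 65000:666
# Export the tagged statics into iBGP so every edge router learns them
set policy-options community RTBH members 65000:666
set policy-options policy-statement RTBH-EXPORT term blackhole from protocol static
set policy-options policy-statement RTBH-EXPORT term blackhole from community RTBH
set policy-options policy-statement RTBH-EXPORT term blackhole then accept
set protocols bgp group IBGP type internal
set protocols bgp group IBGP local-address 10.255.0.1
set protocols bgp group IBGP export RTBH-EXPORT
set protocols bgp group IBGP neighbor 10.255.0.2
```

Withdrawing the mitigation is the reverse step: deleting the tagged static route on the trigger router withdraws the /32 from iBGP and the edge routers resume normal forwarding for that address.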
Q&A
Thank you