Webinar: Behavioral shifts in recent DDoS attacks that should get you worried
Uploaded by instart-logic. Category: Technology.
BEHAVIORAL SHIFTS IN RECENT ATTACKS THAT SHOULD GET YOU WORRIED
Uncover the best practices for defense without sacrificing performance

Instart Logic has partnered with Verisign to mitigate the risk of DDoS attacks
✔ 24x7 monitoring
✔ Superior attack mitigation
✔ Performance guaranteed
Fast application delivery performance
Advanced DDoS mitigation and scrubbing

Agenda
• Verisign Analysis
– Challenges in securing applications
– DDoS overview
– Quarterly DDoS trend analysis
• Instart Logic Analysis
– Need for end to end security
– Types of attacks
– Recent examples
• Q&A
Speakers
• Rohit Kinra, Director - Product Technology, Verisign Security Services
• Justin Fitzhugh, VP, Technical Operations
• Fawad Shaikh, Technical Leader - Security

© 2016 VeriSign, Inc. All rights reserved
BEHAVIORAL SHIFTS IN RECENT DDoS ATTACKS THAT SHOULD GET YOU WORRIED
Rohit Kinra
Director, Product Technology, Verisign Security Services
March 31, 2016

Our Company
• Founded in 1995, listed NASDAQ:VRSN 1998
• Two Businesses:
– Domain Name Services
– Network Intelligence and Availability
• Headquartered in Reston, VA
• 2012 Revenues: $874 million
• S&P 500 Company
• 1,100 Employees
• VerisignInc.com

ABOUT VERISIGN
• Founded in 1995, listed NASDAQ:VRSN 1998
• Two Businesses:
– Domain Name & Registry Services
– Security Services
• Headquartered in Reston, VA
• 2015 Revenues: $1.06 Billion
• S&P 500 Company
• 1,000+ Employees (as of Dec. 31, 2015)
• Verisign.com
Mission: “Enable the world to connect online with reliability and confidence, anytime, anywhere.” Jim Bidzos, President and CEO

Verisign Public
SECURING YOUR APPLICATION IS CRITICAL
APPLICATION DOWNTIME AFFECTS...
• Reputation & Brand
• Supply Chain
• Online Revenue
• Productivity & Communications
• Service & Information Delivery

…AND CHALLENGING
Diverse Application Environments
• Public Cloud: 91%
• SaaS: 89%
• On Premise Virtual Server: 85%
• On Premise Private Cloud: 81%
• On Premise Physical Server: 77%
• ALL FIVE: 59%
GROWING DIVERSITY OF ACTORS & ATTACKS
• State-sponsored Cyber Spies
• Hacktivists
• Cyber Criminals
• Zero-day Vulnerabilities
Growing Threat Landscape
• Increasing DDoS & Multi-vector Attack Volume
• Attacks to DNS, HTTP/HTTPS, NTP/SNMP
Source: Riverbed Technology, December 2014

GROWTH OF CLOUD ENVIRONMENTS
More to protect – increased attack surface
[Chart: Installed Workloads in Millions, 2013 to 2018, Cloud Data Center vs. Traditional Data Center; 14% CAGR 2013 - 2018; data labels 47%, 53%, 22%, 78%. Source: Cisco Global Cloud Index]
Enterprise Cloud Strategy, 1000+ Employees (Source: Rightscale 2014 State of Cloud Survey)
• No Plans: 4%
• Single public: 13%
• Single private: 9%
• Multiple private: 11%
• Multiple public: 15%
• Hybrid cloud: 48%
• Multi-Cloud: 74%

HOW DO WE SECURE ALL OF THIS?

WHAT IS A DDOS?
• Attacker compromises vulnerable systems
• Attacker uses controller to activate botnet
• Causing the botnet to attack victim…
• Bringing victim down.
[Diagram labels: Attacker, IRC/Web Controller, Unsuspecting Users, Botnet, Victim]

HOW EASY IS IT TO “DDOS” SOMEONE?
• The increasing availability of DDoS-for-hire services
• DDoS-for-hire capabilities have advanced in both success and popularity
• Some can be hired for just $5 USD an hour
• DDoS-for-hire services have become remarkably skilled at working under the radar
Sample Service Pricing (USD)
Source: Verisign Q414 DDoS Trends Reports

RISE OF DD4BC (“DDOS FOR BITCOIN”)
• Small attacks and ransom requests
• TCP SYN or UDP attacks (SSDP and NTP floods), 1-5 Gbps for less than an hour
• Initially targeted Bitcoin exchanges, online casinos and gaming sites
• Then moved on to financial institutions, e-commerce, & online travel organizations
• Has inspired other DDoS extortion groups
Source: Verisign iDefense Cyber Trends Report

TREND 1: ENORMOUS SCALE OF ATTACK
Bad guys always have more bandwidth than you
[Chart: DDoS Attack Size Over Time; x-axis 2004 to 2014; y-axis Bandwidth in Gbps; data labels in order: 2.5, 10, 17, 24, 40, 49, 75, 100+, 150+, 300, 500]
Average Size > 6Gbps
Sources
DDoS attack data based on DDoS mitigations performed by Verisign and various online media sources
300Gbps attack: http://blogs.verisigninc.com/blog/entry/verisign_mitigates_300_gbps_ddos
500Gbps attack: http://www.forbes.com/sites/parmyolson/2014/11/20/the-largest-cyber-attack-in-history-has-been-hitting-hong-kong-sites/

DDOS TRENDS – PEAK ATTACK SIZE
[Chart: Peak Attack Sizes by % of Mitigations; size bands < 1 G, 1G - 5G, 5G - 10G, >10G; data labels 38%, 30%, 14%, 18%]
[Chart: Peak Attack Size by Top Verticals (Gbps); verticals Financial Services, IT Services / Cloud / SaaS, Media / Entertainment, E-commerce / Online Advertising, Telecom & Others, Public Sector; data labels 270, 80, 300, 90, 65, 50]
Source: Verisign Q415 DDoS Trends Reports

TREND 2: MORE WIDESPREAD
• IT/Cloud/SaaS popular target
• 75% of attacks DNS, SSDP and NTP
[Charts: Q3 2015 and Q4 2015; categories IT Services / Cloud / SaaS, Media & Entertainment / Content, Financial, Public Sector, Telecom, E-Commerce / Online Advertising; data labels 29%, 26%, 15%, 13%, 12%, 5% and 33%, 30%, 15%, 10%, 8%, 4%]
Source: Verisign Q315 & Q415 DDoS Trends Reports

TREND 3: MORE COMPLEX
Multi-Vector Attacks
Attack Complexity Vs Automation Mitigation
[Chart: categories Don’t know/not sure, Multi-vector, Applications, Volumetric; data labels 14%, 37%, 42%, 44%]
Base: 59 US and UK IT decision-makers at 500+ employee companies at organizations that have been hit by a DDoS or DNS-based attack within the last year, 2013-2014 Forrester Study

THANK YOU!
Rohit Kinra
linkedin.com/in/rohitk/
+1 703-948-4048
@rohitkinra

End to end security
Justin Fitzhugh, VP, Technical Operations
Fawad Shaikh, Technical Leader, Security

Instart Logic Overview
• We make websites fast, secure, and easier to operate
• Raised $140M to date, 500+ Enterprise Websites using our service, and sales growth of 3x in 2015
• 80+ patents in performance and security with team from Google, Twitter, Akamai, Cisco, VMware and others
Strategic Investors
Key Customers
Recent Awards

Confidential and proprietary
Site performance and security are converging
• The traditional model of hardware and appliances is moving to the cloud
• Performance and security solutions are converging
• CDNs started out predominantly focused on performance, but are expanding into security
• One streamlined solution versus multiple boxes
• End to end protection from the client to the cloud to the origin
[Diagram labels: Performance, Security]

Traditional web applications were single ended
[Diagram labels: Web Application, Internet/CDN, Web Browser, HTML]

Today’s applications are a mash-up
[Diagram labels: Web Browser, 3rd Party Services, Internet/CDN, External Code, HTML]

Vulnerabilities are exposed along the entire content delivery path
Threats
• Malware
• Ad blockers
• Bot scrapers
• Man in the middle
• DDoS
• Vulnerability mistakes
• 3rd party software
[Diagram labels: Web Browser, External Code, HTML, Internet/CDN, 3rd Party Services]

DDoS attacks are becoming larger across our network

Attacks of all sizes cause site disruption
• Typical “Large” Volumetric Attack: site goes down (Offline)
• Typical Layer 4-7 Attack: site slows down (Loading…)
Site Disturbance = Lost Revenue

Security needs to be layered across content delivery path
Threats
• Malware
• Ad blockers
• Bot scrapers
• Man in the middle
• DDoS
• Vulnerability mistakes
• 3rd party software
Mitigation
• Web Application Firewall
• Type checking
• Vulnerability scanners
• HTTPS
• Software Resource Integrity
• Encrypted CDN
• DDoS Mitigation
• Bot protection
• Endpoint security
[Diagram labels: Web Browser, External Code, HTML, Internet/CDN, 3rd Party Services]

Instart Logic provides layered protection end-to-end
[Diagram labels: Web Browser, External Code, HTML, Nanovisor.js, Browser, Transit, Internet, 3rd-Party Services, Cloud/Origin, Optimization, Secured]
Content/Code Loaded:
1) Nanovisor
2) Origin
3) 3rd-party
4) Local (extensions)

Example 1 – Travel Site
Issue
• Suspected DDOS attack
• Large number of unique visitors requesting significantly higher number of resources than standard
Outage
• Traffic coming from everywhere
• Site slowed down to the point that it was unusable for end users
Analysis
• Homepage was updated to include “Hot Deals”
– Additional intensive call to database for each request
– Deals were updated every few minutes
Mitigation
• Cached homepage for non-authenticated users for 1 min
• Hot Deals were always fresh
• Authenticated users presented customized homepage
• Reduced origin load while improving overall performance

Example 2 – eCommerce Site
Issue
• Scraper utilizing TOR made 20 requests/second cumulative across all IP addresses
• Requests targeted search functionality and consumed high amount of database resources
Analysis
• Scraper migrated to BotNet of 80K+ endpoints
– WAF signature detected and blocked attacks from new endpoints automatically
– Created additional WAF signatures to ensure coverage in case of additional scraper mutation
Mitigation
• Blocked the TOR exit node IP addresses
– Analyzed traffic patterns to find common signatures
– Created WAF signature based rules to detect new requests
Not a high volume attack (Loading…)
Database overload and site instability
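
The detection idea behind Example 2, as an added example that is not from the webinar or from Instart Logic's WAF: a per-IP rate limit never fires on a client that spreads 20 requests/second over many addresses, while grouping requests by shared traits and measuring the aggregate rate does. The log fields, the fingerprint traits, the thresholds and the events themselves are constructed assumptions.

```python
from collections import defaultdict

def make_sample():
    """Constructed events: (epoch_s, client_ip, path, user_agent, accept_language)."""
    events = []
    for t in range(10):
        # Scraper: 20 search requests per second, spread over 40 rotating IPs
        for i in range(20):
            ip = f"198.51.100.{(t * 20 + i) % 40 + 1}"
            events.append((1000 + t, ip, "/search", "Mozilla/5.0 (X11)", ""))
        # Ordinary visitor: one page view and one search in that second
        ip = f"203.0.113.{t + 1}"
        for path in ("/", "/search"):
            events.append((1000 + t, ip, path, "Mozilla/5.0 (Windows NT 10.0)", "en-US"))
    return events

def per_ip_offenders(events, window=10, limit_rps=1.0):
    """Classic per-IP rate limit over one window of events."""
    counts = defaultdict(int)
    for _, ip, *_ in events:
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n / window > limit_rps)

def fingerprint(path, user_agent, accept_language):
    """Traits a client keeps when it changes IP (assumed trait set)."""
    return (path, user_agent, accept_language == "")

def distributed_clients(events, window=10, agg_rps=10.0, per_ip_rps=1.0, min_ips=10):
    """Fingerprints with a high aggregate rate while every source IP stays slow.

    `events` is assumed to be pre-sliced to a single `window` of seconds.
    """
    by_fp = defaultdict(lambda: defaultdict(int))  # fingerprint -> ip -> requests
    for _, ip, path, ua, lang in events:
        by_fp[fingerprint(path, ua, lang)][ip] += 1
    findings = []
    for fp, by_ip in by_fp.items():
        total, busiest = sum(by_ip.values()), max(by_ip.values())
        if (total / window >= agg_rps and busiest / window <= per_ip_rps
                and len(by_ip) >= min_ips):
            findings.append({"fingerprint": fp, "rps": total / window,
                             "ips": len(by_ip), "max_ip_rps": busiest / window})
    return findings

if __name__ == "__main__":
    sample = make_sample()
    print("per-IP limiter flags:", per_ip_offenders(sample))
    for finding in distributed_clients(sample):
        print("signature candidate:", finding)
```

Because the fingerprint does not include the source address, the same rule keeps matching when the client moves to new endpoints, which is the behaviour the slide reports for the WAF signature.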

Thank you!
Justin Fitzhugh
linkedin.com/in/justinfitzhugh
+1 650-870-9945
@Jfitzhugh
Fawad Shaikh
linkedin.com/in/fawadshaikhatl
+1 404-939-5082
Q&A