Customer Driven Innovation
Do not distribute/edit/copy without the written consent of A10 Networks
The Growing DDoS Threat
Jim Mason, CISSP, Sr. Systems Engineer, A10 Networks – NC/SC
Ralph Bozzini, Regional Sales Director, A10 Networks – NC/SC
Mark Mormann, Trusted Advisor, Channel Systems
A10 (NYSE: ATEN): By the Numbers
2004: A10 founded in San Jose, CA by Lee Chen
1010: Our name: “A” in hexadecimal, “10” in decimal
2009: Shipped industry’s first “true” 64-bit ADCs
3,000+: Customer install base worldwide
1.888.822.7210 (1-888-TACS-A10): World-class customer support!
A10 Products
A10 provides solutions today in three distinct areas:
• ADC Product Line: Application optimization, availability & security for web
• DDoS Detection & Mitigation Products: Protecting critical server infrastructure from attack
• Advanced Core OS
Impact of DDoS Attacks
• Overwhelmed Internet links
• Diminished brand equity
• Customer dissatisfaction
• Winding up on “NBC Nightly News”
DDoS & Intrusion: Top of mind
DDoS Crime Timeline
• Q3 2010: PayPal discloses cost of attack: £3.5M ($5.8 million)
• Q4 2012: Bank of the West: $900k stolen, DDoS used as a diversion
• Q4 2012: al Qassam Cyber Fighters: 10-40 Gbps attacks aimed at 10 major banks over a 5-week period
• Q1 2013: Nat’l Credit Union Administration recommends DDoS protection to all members
• Q4 2013: 6.8 million mobile devices are potential attackers (LOIC and AnDOSid)
• Q2 2014: Federal Financial Institutions Examination Council (FFIEC) issues new mandate requiring banks to monitor for DDoS
“The average hourly revenue loss during a Layer 7 DDoS attack is $220,000” – Forrester
“Predicted growth in financial impact from cybercrime: 10% (through 2016)” – Gartner
DDoS Readiness
• Co-Op Financial Services (April 2013): Conducted a random survey of credit unions regarding DDoS planning:
DDoS and the Financial Sector
• Federal Financial Institutions Examination Council (FFIEC)
  - Banks and financial institutions regulated by the federal government must now monitor for Distributed Denial-of-Service (DDoS) attacks against their networks and have a plan in place to try to mitigate such attacks
  - “…sometimes DDoS attacks will serve as ‘a diversionary tactic’ by criminals in the course of attempting to commit fraud of various kinds”
• Six-step program:
  - Assess risk to IT systems
  - Monitor Internet traffic
  - Prepare to activate response
  - Ensure sufficient staffing
  - Share information
  - Evaluate and adjust
The Latest from Akamai Technologies
• Akamai – Internet content delivery network: headquartered in Cambridge, MA; delivers over 2 trillion Internet transactions a day; the name is a Hawaiian word meaning “intelligent” or “witty”
• DDoS attacks on websites shot up 75% last quarter
• A 23% year-over-year increase
• Most of the targets were enterprises
• Chances of a repeat attack: 1 in 3 (35% YOY increase)
• Largest percentage by country of origin: China – 43%
Source: Akamai Technologies’ State of the Internet Report for Q4 2013 (April 23, 2014)
Analyst Observations: DDoS will keep growing…
• “High-bandwidth (200-400 Gbps) DDoS attacks are becoming ‘The new normal’ and will continue wreaking havoc on unprepared enterprises…” – Gartner
• “Despite Volumetric-based attacks remaining most popular, more advanced hybrid attacks that include Application Layer and encrypted traffic will grow” – IDC
• “Bot traffic is up to 61.5% of all website traffic” – Incapsula
Bottom line: Anyone can be targeted now.
What is a DDoS Attack?
• Denial of Service (DoS) is an attack that makes a service unusable
• Distributed DoS (DDoS) is leveraged by botnets: many “zombie” hosts send a high volume of traffic to a target server/service/website
• “Botnets-for-hire” are a reality for on-demand attacks
(Diagram: an Attacker commands several Zombie hosts, which all send traffic at the Target)
Attack Percentages
Source: Prolexic – Q4 2013
• 75% network layer, 20% application layer; TCP/UDP floods – 37%
• Largest attack increase: 33%, from 300 Gbps (Q2 2013) to 400 Gbps (Q1 2014)*
• 60 Gbps regularly seen; 100 Gbps not uncommon**
• Average attack: 35 million packets per second
DDoS Network Attack Traits
• Common characteristics
  - Exploits Layer 3-4 protocols
  - Does not require a full connection (often spoofed)
  - High-volume attacks can overwhelm pipes and/or connection capabilities
  - Simple to create the high volumes necessary for such attacks
• Types
  - Malformed requests
  - Spoofing
  - High PPS rates
  - Connection exhaustion
SYN Flood Attack
• The attacker or botnet sends multiple TCP SYN requests to the target
• The target responds to each SYN with a SYN-ACK to establish a valid connection and waits for the ACKs
• The server’s connection table fills up with “half-open” connections, and new connections are dropped
• The server/service is effectively “DDoSed” at that point; legitimate users are shut out
• Why it works: it exploits the TCP 3-way handshake weakness (blind trust: the server reserves state for every SYN before the handshake completes)
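The standard defender-side answer to the "blind trust" above is the SYN cookie: the server encodes a keyed hash of the 4-tuple into the SYN-ACK's initial sequence number and allocates a connection-table entry only when the returning ACK proves the client actually received it. The block below is an added illustration, not A10's code or any product feature; the secret, the 64-second counter tick, the MSS table and the 5/3/24-bit layout are assumptions borrowed from the classic Linux scheme.

```python
import hashlib
import hmac
import struct

# Constructed secret for this demo; a real server would draw it from a CSPRNG at boot.
SECRET = b"demo-syn-cookie-secret"
# MSS values the server is willing to encode in the 3-bit field (assumption).
MSS_TABLE = (536, 1300, 1440, 1460)
COUNTER_PERIOD = 64          # seconds per time-counter tick
MASK32 = 0xFFFFFFFF

def _counter(now):
    return (int(now) // COUNTER_PERIOD) & 0x1F            # 5-bit time counter

def _mac(src, dst, sport, dport, counter):
    # 24-bit keyed hash over the 4-tuple and the counter: a sender that never
    # receives the SYN-ACK (spoofed source) cannot learn this value.
    msg = f"{src}|{dst}|{sport}|{dport}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0] & 0xFFFFFF

def make_syn_cookie(src, dst, sport, dport, client_mss, now):
    """Build the 32-bit ISN for the SYN-ACK. No per-connection state is stored."""
    counter = _counter(now)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):   # largest table entry <= client's MSS
        if mss <= client_mss:
            mss_idx = i
    return ((counter << 27) | (mss_idx << 24) | _mac(src, dst, sport, dport, counter)) & MASK32

def check_syn_cookie(src, dst, sport, dport, ack_number, now):
    """Validate the final ACK. Returns the encoded MSS if the cookie is genuine
    and fresh (current or previous counter tick), otherwise None."""
    cookie = (ack_number - 1) & MASK32          # ACK = ISN + 1
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    age = (_counter(now) - counter) & 0x1F
    if age > 1 or mss_idx >= len(MSS_TABLE):
        return None
    if (cookie & 0xFFFFFF) != _mac(src, dst, sport, dport, counter):
        return None
    return MSS_TABLE[mss_idx]

if __name__ == "__main__":
    # Constructed 4-tuple using RFC 5737 documentation addresses.
    isn = make_syn_cookie("198.51.100.7", "203.0.113.10", 40000, 80, 1460, 1_700_000_000)
    print(check_syn_cookie("198.51.100.7", "203.0.113.10", 40000, 80, (isn + 1) & MASK32, 1_700_000_010))
```

The cost of this scheme is visible in the layout: only 3 bits survive for TCP options, which is why most stacks switch cookies on only once the half-open queue is under pressure.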
DNS Amplification Attacks
• Valid UDP-based DNS requests carrying a spoofed source IP address (similar to a Smurf attack) direct the responses at the intended target (victim)
• Type of attack executed against Spamhaus (300 Gbps) in 2013
• Why it works: DNS is heavily used (Web, email, VoIP) and generally unrestricted; the nature of DNS results in a larger response volume than request volume
DDoS Application Attack Traits
• Common characteristics
  - Legitimate TCP/UDP connections (not spoofed), thus harder to differentiate
  - Operates at L7 (protocol and packet payload)
  - Exploits flaws in or limitations of applications
  - More efficient and lethal
  - Sophisticated: evades simple countermeasures
• Types
  - High host processing
  - Application floods
  - Application exploits
  - Amplification attacks
HTTP GET Flood
• Huge flood of HTTP GET requests, requesting large amounts of data/objects from the target server
• Due to the number of requests coming from botnets, the target system is overwhelmed and cannot respond to legitimate requests from users
• Why it works: since the 3-way TCP handshake has been completed, these requests look legitimate
Slow POST/RUDY Attack
• A common attack where the attacker sends HTTP POSTs at slow rates under the same session; the slow POST tool RUDY uses long-form field submissions to perform these attacks
• Causes server application threads to await the end of boundless POSTs in order to process them
• This results in exhaustion of web server resources and prevents service for legitimate traffic
Slowloris Attack
• Slowloris holds as many connections to the target web server open as possible, for as long as possible: it creates connections to the target server but sends only a partial request at a very slow rate
• The targeted server keeps each of these false connections open, eventually overflowing the maximum concurrent connection pool and shutting out legitimate clients
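Both the Slow POST/RUDY and Slowloris slides describe the same defender-side symptom: a connection that is alive but never makes progress. The added example below (not A10's code or a product feature) sweeps a constructed connection-table snapshot with two timing checks in the spirit of Apache's mod_reqtimeout: a deadline for completing the request headers, and a minimum body rate once a Content-Length has been declared. The thresholds and the sample connections are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Conn:
    src: str
    opened: float                          # time the TCP connection was accepted
    header_done: Optional[float] = None    # time the request line + headers were complete
    content_length: int = 0                # declared POST body size
    body_bytes: int = 0                    # body bytes received so far

class SlowRequestGuard:
    """Timing checks a server or proxy can run over its connection table."""
    def __init__(self, header_timeout=20.0, body_grace=10.0, min_body_rate=500.0):
        self.header_timeout = header_timeout    # seconds allowed to finish sending headers
        self.body_grace = body_grace            # seconds before the body rate is enforced
        self.min_body_rate = min_body_rate      # bytes/second the body must keep up after grace

    def verdict(self, c: Conn, now: float) -> str:
        if c.header_done is None:
            # Slowloris pattern: headers trickle in and never complete.
            if now - c.opened > self.header_timeout:
                return "denied:header-timeout"
            return "allowed"
        if c.body_bytes < c.content_length:
            # Slow POST / RUDY pattern: large Content-Length fed a few bytes at a time.
            elapsed = now - c.header_done
            expected = self.min_body_rate * max(0.0, elapsed - self.body_grace)
            if c.body_bytes < expected:
                return "denied:body-too-slow"
        return "allowed"

    def sweep(self, table, now):
        """Return {src: verdict}; connections marked denied would be closed and freed."""
        return {c.src: self.verdict(c, now) for c in table}

# Constructed snapshot of a connection table (RFC 5737 addresses); times in seconds.
SAMPLE_TABLE = [
    Conn("198.51.100.10", opened=29.8, header_done=29.9),                                          # normal GET
    Conn("198.51.100.11", opened=0.0),                                                             # Slowloris
    Conn("198.51.100.12", opened=0.0, header_done=0.1, content_length=1_000_000, body_bytes=40),     # RUDY
    Conn("198.51.100.13", opened=0.0, header_done=0.1, content_length=1_000_000, body_bytes=20_000), # real upload
]

def demo(now=30.0):
    return SlowRequestGuard().sweep(SAMPLE_TABLE, now)
```

At t=30s the sweep keeps the normal GET and the genuine upload and reaps the two stalled connections; at t=5s everything is still within its grace period, which is the trade-off between catching slow attacks and tolerating slow but honest clients.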
Network Time Protocol (NTP) Amplification Attack
• The attacker gains control of a server on a network that allows source IP address spoofing (i.e., it does not follow IETF BCP 38 (Best Current Practice) for ingress filtering)
• A large number of spoofed UDP packets are sent, appearing to come from the intended target
• The UDP packets are sent to NTP servers (port 123) that support the MONLIST command
• The CloudFlare attacker used 4,529 NTP servers running on 1,298 different networks; each server sent an average of 87 Mbps of traffic to CloudFlare = 400 Gbps!
What’s Needed for Effective DDoS Mitigation?
• Attacks are now very high volume; existing solutions cannot keep up
• Mitigation device with higher packets-per-second (PPS) and throughput capacity
• Fast, dedicated hardware to combat frequent network attacks
• Advanced L7 intelligence and high processing capacity
• Unparalleled packet processing and throughput capacity
• 64K protected object capacity
• Large-capacity threat intelligence list (8 x 16 million lines)
• Sub-second traffic rate control for burst traffic
Thunder TPS: Next Generation DDoS Protection
• Multi-vector application & network protection
• High-performance mitigation: 155 Gbps of attack mitigation throughput, 200 million PPS (5x today’s average) in 1 RU; up to 1.2 Tbps in an 8-device cluster
• Broad deployment options & 3rd-party integration: symmetric, asymmetric and out-of-band (TAP) modes
Rate and/or Connection Limits for Predictable Load
• Monitor and rate limit traffic
  - Prevents volumetric attacks, protocol attacks and resource attacks
  - Network- and application-level enforcement (Layer 3-7)
• Examples
  - Connection limit
  - Connection rate limit
  - Packet rate limit
  - HTTP request rate limit
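To make the limit types above concrete, here is an added example (not A10's code and not a description of how Thunder TPS implements them) of a per-source enforcer with a connection limit, a sliding-window connection-rate limit and an HTTP-request-rate limit, replayed over a constructed event stream. The thresholds, window size and addresses are assumptions.

```python
from collections import Counter, defaultdict, deque

class SourceLimiter:
    """Per-source connection limit, connection-rate limit and HTTP-request-rate
    limit over a sliding window. Thresholds are illustrative assumptions."""
    def __init__(self, max_conns=50, conn_rate=20, req_rate=100, window=1.0):
        self.max_conns, self.conn_rate, self.req_rate, self.window = max_conns, conn_rate, req_rate, window
        self.open_conns = defaultdict(int)       # src -> currently open connections
        self.conn_times = defaultdict(deque)     # src -> accept timestamps inside the window
        self.req_times = defaultdict(deque)      # src -> request timestamps inside the window

    def _in_window(self, dq, now):
        while dq and dq[0] <= now - self.window:   # expire timestamps older than the window
            dq.popleft()
        return len(dq)

    def on_event(self, kind, src, now):
        """kind is 'open', 'request' or 'close'; returns 'accept' or a 'drop:<limit>' verdict."""
        if kind == "open":
            if self.open_conns[src] >= self.max_conns:
                return "drop:connection-limit"
            if self._in_window(self.conn_times[src], now) >= self.conn_rate:
                return "drop:connection-rate"
            self.open_conns[src] += 1
            self.conn_times[src].append(now)
        elif kind == "request":
            if self._in_window(self.req_times[src], now) >= self.req_rate:
                return "drop:request-rate"
            self.req_times[src].append(now)
        elif kind == "close":
            self.open_conns[src] = max(0, self.open_conns[src] - 1)
        return "accept"

def demo_events():
    """Constructed event stream: one normal client, one connection flooder, one GET flooder."""
    ev = [("open", "10.0.0.5", 0.0)] + [("request", "10.0.0.5", 0.1 * i) for i in range(1, 6)]
    ev += [("open", "192.0.2.9", 0.01 * i) for i in range(30)]                  # 30 opens in 0.3 s
    ev += [("open", "198.51.100.3", 2.0)]
    ev += [("request", "198.51.100.3", 2.0 + 0.001 * i) for i in range(150)]    # 150 GETs in 0.15 s
    return sorted(ev, key=lambda e: e[2])

def replay(events, limiter=None):
    """Run the events through the limiter and tally verdicts per source."""
    limiter = limiter or SourceLimiter()
    tally = defaultdict(Counter)
    for kind, src, t in events:
        tally[src][limiter.on_event(kind, src, t)] += 1
    return tally
```

The normal client is never touched, the connection flooder loses everything past its 20th open within the second, and the GET flooder keeps only its first 100 requests, which is the "predictable load" the slide title refers to.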
Protocol and Application Check
DPI and Application Awareness for L7 Protection
• Monitor and check traffic behavior
  - Prevents resource attacks and application attacks
  - Enforce specific values
  - Network and application checks (Layer 3-7)
• Examples
  - TCP template, HTTP template, DNS template, UDP template, SSL-L4 template and more
  - HTTP example: Slowloris
(Diagram: traffic classified as Denied or Allowed)
Thunder TPS Release Quotes
"As an early user of the Thunder TPS, we believe A10 is delivering a high-value product, with rich features and really great performance," said Gerold Arheilger, CTO Xantaro Group. "In order to sufficiently protect against large-scale, multi-vector DDoS attacks, mitigation solutions must provide very high packet-per-second processing power. Thunder TPS is built for these extreme environments."
"The Microsoft Digital Crimes Unit and A10 Networks have a shared vision to protect the Internet from large-scale threats," said Richard Boscovich, assistant general counsel, Microsoft Digital Crimes Unit. "We will continue to partner to mitigate future threats leveraging DCU's expertise and A10's advanced threat protection technologies."