DDoS Introduction We see things others can’t
Pablo Grande [email protected]
DoS & DDoS…. Unavailability! Interruption!
• A Denial of Service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, temporarily or indefinitely interrupting or suspending the services of a host connected to the Internet.
• A Distributed Denial of Service (DDoS) attack is one where the attack source is more than one, often thousands of, unique IP addresses. It is analogous to a group of people crowding the entry door or gate of a shop or business and not letting legitimate parties enter, disrupting normal operations.
DDoS type of Attacks
1. Volumetric Attacks
Also known as “floods,” the goal of this type of attack is to cause congestion by sending so much traffic that it overwhelms the bandwidth of the site. Attacks are typically executed using botnets, an army of computers infected with malicious software and controlled as a group by the attacker.
2. TCP State-Exhaustion Attacks (stateful devices)
This type of attack focuses on the web servers, firewalls and load balancers themselves, disrupting connections by exhausting the finite number of concurrent connections the device can support.
3. Application Layer Attacks
This type of attack, also known as a Layer 7 attack, specifically targets weaknesses in an application or server with the goal of establishing connections and exhausting the service by monopolizing processes and transactions. These sophisticated threats are harder to detect because few machines are required, generating a low traffic rate that appears legitimate.
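The three categories above leave different fingerprints on a defender's counters. The script below, added here as an illustration rather than Arbor's detection logic, flags each category from per-interval traffic counters; the counter fields, the link capacity and every threshold are assumptions chosen for the example.

```python
"""Flag the three DDoS categories described above from per-interval traffic
counters. Added illustration, not Arbor's detection logic; the counter fields,
link capacity and thresholds are assumptions chosen for the example."""
from dataclasses import dataclass


@dataclass
class Interval:
    gbps: float        # inbound bandwidth toward the target
    half_open: int     # TCP connections left half-open on the stateful device
    conn_limit: int    # concurrent-connection capacity of that device
    http_rps: int      # layer-7 requests per second reaching the application
    baseline_rps: int  # learned normal request rate for this service


LINK_GBPS = 10.0       # assumed upstream link capacity


def classify(iv):
    """Return the attack categories an interval matches, or ["normal"]."""
    hits = []
    if iv.gbps >= 0.8 * LINK_GBPS:
        hits.append("volumetric")            # flood congesting the pipe
    if iv.half_open >= 0.7 * iv.conn_limit:
        hits.append("tcp-state-exhaustion")  # connection table filling up
    # Layer 7: request rate far above baseline while bandwidth still looks
    # legitimate, which is why bps/pps thresholds alone miss these attacks.
    if iv.http_rps >= 5 * iv.baseline_rps and iv.gbps < 0.2 * LINK_GBPS:
        hits.append("application-layer")
    return hits or ["normal"]


# Constructed samples, one per category plus a quiet interval.
SAMPLES = {
    "quiet": Interval(0.4, 200, 100_000, 900, 1_000),
    "flood": Interval(9.5, 1_000, 100_000, 1_100, 1_000),
    "syn":   Interval(1.2, 85_000, 100_000, 950, 1_000),
    "l7":    Interval(0.6, 3_000, 100_000, 12_000, 1_000),
}

if __name__ == "__main__":
    for name, iv in SAMPLES.items():
        print(f"{name:6s} -> {classify(iv)}")
```

Note that the layer-7 sample is flagged although its bandwidth is a fraction of the flood's, which is the "looks legitimate" property the text describes.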
DDoS 10 years Timeline
On New Year’s Eve, the BBC website and iPlayer service went down due to a massive Distributed Denial of Service (DDoS) attack. The attack peaked at 602 Gbps, according to claims by the New World Hacking group, which took responsibility for the attack. In another recent attack, the main campaign website of the Republican presidential candidate Donald Trump was also targeted by the same group.
DDoS Facts
FREQUENT & COMPLEX by COMBINATION
DDoS Drivers/Motivators
[Chart: DDoS drivers/motivators by share: 30%, 25%, 20%, 13%, 12%; category labels not recoverable]
[Diagram: attack spectrum from loud (botnets) to quiet (the new breed of advanced threats)]
Arbor Networks Overview
[Diagram: Arbor network-wide product portfolio: Spectrum, Peakflow MNA, Peakflow SP/TMS, ATLAS, Pravail APS and Arbor Cloud with Cloud Signaling, covering DDoS and advanced threats with +140 Tbps of visibility across public clouds, corporate networks, mobile carriers, private clouds and service providers; good traffic is separated from malicious traffic and malware originating from users/attackers and internal employees]
90% of Gartner Cloud and Web Hoster MQ Providers
100% of Tier 1 and 60% of Tier 2 Service Providers
9/10 of Top Online Brands
Arbor: Securing the World’s Largest Networks
• 100%: percentage of the world’s Tier 1 service providers who are Arbor customers
• 130: number of countries with Arbor products deployed
• +140 Tbps: amount of global traffic monitored by the ATLAS security intelligence initiative right now, with 330+ ISPs sharing real-time data. A very significant portion of global Internet traffic!
• #1: Arbor market position in the Carrier, Enterprise and Mobile DDoS equipment market segments, 67% of total market [Infonetics Research]
• 16: number of years Arbor has been delivering innovative security and network visibility technologies and products
ATLAS: Active Threat Level Analysis System
• ATLAS sensors are deployed in global Internet darknet space to discover and classify attack activity.
• The information is sent to an ATLAS central repository, where it is combined with Arbor, third-party and vulnerability data.
• ASERT analyzes the combined data and converts it into actionable intelligence, which is posted on the ATLAS public portal and pushed to customers’ devices.
[Diagram: ATLAS sensors in ISP network darknet space, alongside Peakflow SP and Pravail NSI, feed the ATLAS data center, which monitors worldwide infrastructure for network-borne threats: malware, botnets, phishing, P2P and behavioral fingerprints. Workflow: 1. Identify, 2. Analyze, 3. Protect]
DDoS and Risk Planning
Solution Overview: DDoS Defense
DDoS Attack? It will never happen to me…
DDoS Attack? It will happen…
DDoS is an Exploding & Evolving Trend
More attack motivations:
• Geopolitical: “Burma taken offline by DDOS attack”
• Protests: “Visa, PayPal, and MasterCard attacked”
• Extortion: “Techwatch weathers DDoS extortion attack”
Greater availability of botnets:
• Better bots: more infected PCs with faster connections
• Easy access: using web 2.0 tools to control botnets
• Commoditized: cloud-based botnets, cheaper
Result: increased volume, increased complexity, increased frequency, more attacks:
• Largest volumetric DDoS has grown from 8 to 600 Gbps in 10 years
• Over 25% of attacks are now application-based DDoS, mostly targeting HTTP, DNS and SMTP
• >50% of data center operators experience >10 attacks per month
DDoS Misconceptions
“My firewall/IPS provides DDoS protection”
“I have enough bandwidth to absorb DDoS attacks”
“No one would want to attack my business.”
[Chart: “Did your firewall/IPS fail due to DDoS within the last 12 months?” Responses: No, Yes, Not deployed; shares shown are 38%, 49% and 13% (mapping to responses not recoverable)]
[Chart: largest attack reported per year, in Gbps (axis 0 to 150); values shown: 0.14, 1.2, 2.5, 10, 17, 24, 40, 49, 60, 100]
Source: Arbor Worldwide Infrastructure Security Report
Rent a botnet for as little as $50 per day
FACT: Most large data center operators have seen their firewalls/IPS fail due to DDoS.
FACT: Multigigabit attacks are common and can overwhelm the largest networks.
FACT: Most data centers suffer downtime every year due to DDoS.
Botnet is a Business
• A large number of botnet tools are available for purchase, letting anyone create their own botnet
• Botnet tools today are an industry of their own
• You can:
– Buy software to create your own botnet, or
– Hire botnets to generate attacks
Commercial DDoS Botnets - Darkness
• Popular bot, still in use. Many leaked versions.
• Widely mentioned in underground forums; competitive.
Darkness – Control Panel
• 45,000 bots, 6,900 online
DirtJumper
• Popular. 20,000 bots attacked Brian Krebs, Nov 2011.
• 70,446 bots total, 668 active
Dirt Jumper 2
• HTTP flood, synchronous flood, download flood and POST flood options
Dirt Jumper 3
• 2 HTTP GET attacks, HTTP POST attack
• Increased randomization of attack headers
DDoS Services using Dirt Jumper 3
• Version 3 featured prominently in underground advertisements
• Also mentions Optima (Darkness) and G-Bot
• Anti-DDoS attacks mentioned
Dirt Jumper 5
• New features, anti-DDoS protection evasion
Pandora
• $800, cracked for $100
• Attacks look just like Dirt Jumper 5 and Khan bots
• March 2012
Di BoTNet
• Re-uses Dirt Jumper code, adds “bot killer” feature
• March 2012
Armageddon
• Very popular bot, active competitor to other Russian bots
• Involved in politically motivated attacks in Russia
• Observed attacking HTTP and various other ports
• Features “Anti-DDoS” attack style and increased attack diversity
Commercial DDoS Services
• March 2012, claims private version of Dirt Jumper 5
• $200/week
• Five-minute test can account for very short attacks
microsoftDDoS
• March 2012. $800/month. 15-minute test
• Money returned if site comes back online
• Anonymous logo used, yet competitive ideology
Killer-G
• March 2012. $600/month. 10-minute test
• G-bot (AKA Piranha, Drooptroop)
DDoS Service Marketing
Commercial DDoS Services
Distributed Denial of Service (DDoS): Targeting your Network, Services and Customers
DDoS Attack Categories
Volumetric, Brute Force Attacks
• Traffic floods: exhaust resources by creating high bps or pps volumes
– Overwhelm the infrastructure: links, routers, switches, servers
Layer 4-7, Smarter and Slow Attacks
• TCP resource exhaustion: exhaust resources in servers, load balancers, firewalls or routers
• Application layer: take out specific services or applications
DDoS Attacks: Volumetric
Volumetric DDoS attacks are designed to saturate and overwhelm network resources, circuits, etc. by brute force.
[Diagram: attack traffic arriving over ISP 1, ISP 2 … ISP n saturates the ISP links ahead of the data center’s firewall, IPS and load balancer, crowding out good traffic to the target applications and services]
Distributed Denial of Service (DDoS) Volumetric Attack: Filling up your network capacity
Stopping Volumetric Attacks
• Cloud-based: volumetric DDoS mitigation must be done upstream, before traffic reaches the data center
• Activated “on demand”: only active when an attack is detected or reported
[Diagram: cloud-based DDoS protection: a Peakflow SP/TMS scrubbing center in the ISP network, upstream of the data center’s firewall, IPS and load balancer]
Layer 4-7, Smart DDoS Attacks
Use much less bandwidth; harder to detect; target applications where they slowly exhaust resources.
[Diagram: Layer 4-7 attack traffic passes the ISP links unnoticed and causes exhaustion at the data center’s firewall, IPS and load balancer and at the target applications and services]
Distributed Denial of Service (DDoS) Slow Attacks: Taking down your services
Stopping Layer 4-7, Smart Attacks
• CPE-based: L4-7 DDoS mitigation must be done at the data center
• Always on: immediate mitigation
• Fine-tuned to the services behind it to minimize false positives and false negatives
[Diagram: CPE-based DDoS protection deployed in the data center, in front of the firewall, IPS, load balancer and the target applications and services]
CPE-based DDoS Defense
• Multifunctional devices are not good for DDoS
– Security devices “enhanced” with DDoS functionalities: firewalls, IPSs, load balancers
• Specialized devices
– IDMS appliances
– Pravail APS
Think about it: if firewalls, which are present everywhere, could really handle DDoS attacks, we would not hear so many stories of sites taken down by DDoS, right?
CPE-Based DDoS Defense Comparison
[Table: Pravail APS vs. IPS vs. WAF vs. FW, each rated Excellent / Good / Fair / Poor per criterion; the cell ratings were not extracted]
Criteria:
• Application-layer DDoS protection
• Flood attack protection via Cloud Signaling
• Protected from state-exhausting attacks
• Asymmetric DDoS threat protection
• Easy inline deployment
• Botnet detection & protection
Look for Security & Network Engineering budgets for funding
The Evolving Threat Against Data Centers
Attackers use a combination of techniques.
[Diagram: volumetric, brute-force DDoS saturates the ISP links into the data center, while Layer 4-7 smart DDoS exhausts the firewall, IPS and load balancer and the target applications and services behind them, resulting in exhaustion of service]
DDoS Defense Offers in the Market
[Diagram: cloud-based DDoS protection (scrubbing center in the ISP network) linked by Cloud Signaling to CPE-based DDoS protection in the data center, in front of the firewall, IPS, load balancer and target applications and services]
Cloud Signaling
• Immediate protection with seamless handoff to the ISP’s DDoS filtration services (“Clean Pipes”)
[Diagram: Arbor Pravail APS in the data center network, in front of the firewall/IPS/WAF and the public-facing servers, signals to the Internet service provider’s Arbor Peakflow SP/TMS-based DDoS service; subscriber networks sit on either side, and a Cloud Signaling status indicator shows the current state]
• Gain full protection from a single console by signaling to the cloud
• Utilize the Cloud Signaling Coalition for volumetric DDoS protection
1. Service Operating Normally
2. Attack Begins and Initially Blocked by Pravail APS
3. Attack Grows Exceeding Bandwidth
4. Cloud Signal Launched
5. Customer Fully Protected!
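The five-step sequence above is essentially a state machine driven by inbound traffic relative to the link's capacity. The simulation below, added here and not Arbor's code, walks a constructed attack profile through those states and counts how long the link stays saturated before upstream scrubbing engages; link capacity, the attack threshold, the traffic profile and the activation delays are all assumptions.

```python
"""Simulate the five-step Cloud Signaling sequence listed above on a constructed
attack time series. Added example, not Arbor's code; link capacity, the attack
threshold, the traffic profile and the activation delays are assumptions."""

LINK_CAPACITY_GBPS = 1.0     # assumed Internet link into the data center
ATTACK_THRESHOLD_GBPS = 0.3  # assumed inbound level that counts as an attack

NORMAL = "1. service operating normally"
LOCAL = "2. attack blocked by on-premise device"
SIGNALED = "3-4. link saturated, cloud signal launched"
PROTECTED = "5. scrubbed upstream, customer protected"

# Constructed attack profile: inbound Gbps at the ISP edge, one value per tick.
ATTACK_GBPS = [0.2, 0.2, 0.5, 0.8, 1.5, 3.0, 3.0, 3.0, 3.0, 3.0, 3.0, 0.2]


def simulate(inbound_gbps, activation_delay):
    """Return (state per tick, ticks during which the link stayed saturated).

    activation_delay is the number of ticks between the cloud signal and the
    moment the upstream scrubbing center actually starts cleaning traffic.
    """
    state, signaled_at, saturated, trace = NORMAL, None, 0, []
    for t, gbps in enumerate(inbound_gbps):
        if state in (SIGNALED, PROTECTED) and gbps <= ATTACK_THRESHOLD_GBPS:
            state = NORMAL                   # attack subsided, release the cloud
        elif state == PROTECTED:
            pass                             # upstream scrubbing keeps link clean
        elif state == SIGNALED:
            if t - signaled_at >= activation_delay:
                state = PROTECTED
            else:
                saturated += 1               # still dropping traffic while waiting
        elif gbps > LINK_CAPACITY_GBPS:
            # Steps 3-4: attack exceeds bandwidth, so the on-premise device
            # cannot help and signals the upstream scrubbing center.
            state, signaled_at, saturated = SIGNALED, t, saturated + 1
        elif gbps > ATTACK_THRESHOLD_GBPS:
            state = LOCAL                    # step 2: handled at the CPE
        else:
            state = NORMAL
        trace.append(state)
    return trace, saturated


if __name__ == "__main__":
    for delay in (2, 8):   # automated signal vs. a slow manual escalation
        trace, saturated = simulate(ATTACK_GBPS, delay)
        print(f"delay={delay}: saturated for {saturated} ticks; final={trace[-1]}")
```

Comparing a 2-tick and an 8-tick activation delay shows why the deck stresses reducing the time to start cloud-based mitigation: the saturated window is the outage.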
Cloud Signaling Deployment Options
• Cloud Signaling can work with two options of cloud-based DDoS mitigation service offerings:
– Local: ISP DDoS mitigation infrastructure directly upstream of the data center
– Carrier-agnostic: provider DDoS mitigation infrastructure is somewhere in the Internet cloud, even in a different country
• Cloud Signaling is an advanced feature!
– Reduce the time to start cloud-based mitigation, increasing availability, with Cloud Signaling
Pravail APS + Arbor Cloud
[Diagram: on-premise DDoS protection (Pravail APS at the data center, in front of the firewall, IPS and load balancer protecting the target applications and services) uses Cloud Signaling to the Arbor Cloud scrubbing center for cloud-based DDoS protection]
Comments? Questions?
Thank You !