DDoS Attacks
IANS CUSTOM REPORT
WRITTEN BY DAVE SHACKLEFORD
JUNE 2013
COMMISSIONED BY:
© 2013 IANS. All rights reserved. Commissioned by Arbor Networks. For more information, write to [email protected].
Contents
Introduction (p. 3)
DDoS Attacks Yesterday and Today (p. 3)
What types of protection are available (focus on internal)? (p. 5)
Framework for determining what type of protection you need (p. 9)
Conclusion (p. 12)
About Arbor Networks (p. 12)
About IANS (p. 13)
Introduction
At the end of March 2013, the largest Distributed Denial of Service (DDoS) attack in history was
seen on the Internet. With anti-spam organization Spamhaus.org in mind, the attackers initially
targeted a company called CloudFlare that hosts and helps control traffic for Spamhaus, and later
moved on to attack bigger upstream providers. The attack began with a whopping 120 Gbps of
traffic, but grew even more to eventually reach a 300 Gbps saturation. Both of these are huge
numbers that could bring even the biggest organizations to their knees. In analyzing the attack,
IANS believes that there are lessons for every organization here. First, we need to understand
what methods were employed by both attackers and defenders. Second, it underscores the need
for improved, more layered DDoS defenses than most organizations have traditionally had. If it
can happen to Spamhaus, it can happen to anyone.
This holds true for any organization, whether online service provider, financial organization, or
enterprise with an online business presence. The attacks are changing, even while the classic
DDoS attack techniques are still effective. Organizations of all sorts are finding themselves in the
crosshairs of malicious attackers with a variety of motivations to cause outages and lead to lost
business and reputations. IANS conducted a survey of global enterprises to determine what
concerns they have, what tactics they’re using to defeat DDoS, and what kinds of tools and
processes they’re using or considering. In this paper, we’ll review the history of DDoS attacks,
focusing on the variety of different types we’ve seen, as well as several recent cases where
newer methods were employed by the attackers. We will then review the different types of
protection available today with an eye toward putting in-house DDoS detection and prevention
tools and processes in place, including data from the IANS survey. Finally, we will include a
simple framework that can help you to accomplish this, with pointers on what to think about and
consider when devising an internal DDoS strategy.
DDoS Attacks Yesterday and Today
DDoS attacks have been occurring since the mid 1990s (not counting some of the earlier
malware-driven DDoS effects from the Morris worm and others). The first DDoS attacks really
emerged in 1995-1996, when it was discovered that floods of TCP packets with only the SYN flag
set could overwhelm network equipment and many servers and services. This technique, known
as the SYN Flood, became much more popular in 1997-1998, along with attacks that crashed
services such as the Teardrop and Boink attacks. Reflected ICMP and other replies became
popular in 1998-2000 with techniques like Smurf and Fraggle.
The first real DDoS attacks, however, started emerging in late 1998 and early 1999, with a
number of client-server tools such as Trinoo, Tribe Flood Network (TFN), and Stacheldracht.
Attackers could compromise systems, install the software, and then remotely issue commands to
multiple owned systems, telling them to simultaneously launch attacks and send malicious traffic
to one or more destinations. These tools, along with the attacks they were capable of generating
and controlling, served as the precursors to today’s botnets, where a single attacker or group
controlled numerous distributed systems, commanding them to perform coordinated actions (in
this case, DDoS floods and attacks). In 1999, one of the first publicized DDoS attacks rendered
the University of Minnesota’s network almost unusable for close to three days, with 2500 or more
attacking hosts involved [1]. The Trinoo tool was used to send many 2-byte UDP packets, and the
university was largely unable to do anything about it.
In 2000, DDoS attacks burst into the mainstream through a series of attacks against the highest
profile Internet sites of that era. None of these attacks were particularly complex or sophisticated,
but the sheer volume of traffic and compromised hosts flooding the sites caused the initial
identification of the attacks and subsequent response to be somewhat slow. From 2001 to 2003,
flood-based DDoS attacks continued, but some of the techniques changed, as well as attacker
motivation. Now, attackers started extorting financial and other organizations by threatening
continued DDoS until a ransom was paid. The attackers also started actively making use of
reflected attacks, particularly spoofed DNS queries. Into 2004, DDoS attacks were starting to be
actively carried out by distributed botnets, with fast-spreading worms often seen as the initial
attack vector.
Up through 2007, these same techniques continued, culminating in the sustained 2007 attacks by
Russia against the country of Estonia. Seen as the first true politically motivated DDoS attack, the
flood of traffic continued for close to three weeks against high-profile Estonian web sites and
government services, leading to an organized response by NATO. This same behavior continued
in 2008 when Russia was accused of using DDoS techniques in its war with Georgia. In 2009,
security professionals saw the rise of the “crowdsourced” DDoS when Iranian protesters used
PHP scripts and other tools to target Iranian government sites. The hacktivism group Anonymous
started using DDoS effectively as a retaliation and political strategy, targeting religious groups like
Scientology, government sites in the US and UK, and financial firms.
The Wikileaks saga has led to numerous DDoS attacks in 2010 and beyond, with groups like
LulzSec and Anonymous taking out government and commercial sites. The blogging site
WordPress was hit in 2011, as was the Hong Kong Stock Exchange. One of the largest attacks in
2011 was against Sony’s Playstation Network, and was again attributed to Anonymous. The
DDoS attack against Sony was intended to both mask data exfiltration by creating a huge amount
of “noise”, and also to cause deliberate availability impacts to Sony.
2012 saw a significant rise in attacks against financial organizations. Many of the world’s leading
financial service institutions and banks experienced significant outages and slowdowns due to
politically-motivated DDoS attacks. Some of these reached sustained 100 Gbps speeds as well,
which many in the security community believe to be the foreshadowing of trends we are seeing
now. Several hosting providers were victims in 2012, as was the code-sharing site GitHub (which
is still under attack into 2013).
What has changed in the last several years? Several key trends are occurring now:
The variety and types of attacks are changing. While most attacks are still volume-based,
primarily SYN Floods and ICMP and UDP traffic, more and more application-level traffic
is seen today, primarily HTTP and HTTPS and DNS queries. Some of these are much
“slower” in nature, and focus more on connection handling at the application/service layer
than pure volume. This type of attack rose to prominence as far back as 2009, when tools
like Slowloris became available to target HTTP services. In addition, many DDoS attacks
now target stateful network devices, looking to fill connection queues and cause
slowdown and loss of availability.

[1] http://denialofservice.uw.hu/ch03lev1sec3.html
More tools are becoming available to easily perpetrate DDoS attacks as political
statements. The most well known of these include Low-Orbit Ion Cannon (LOIC) and
High-Orbit Ion Cannon (HOIC). LOIC was used to great effect against the Church of
Scientology and other Anonymous targets. HOIC was used in early 2012 to protest the
shutdown of the site Megaupload.
New types of criminal activity are being seen related to DDoS attacks. In addition to the
classic extortion and political focus, DDoS attacks are now being used as a distraction
mechanism while other attacks (such as fraudulent wire transfers) are underway.
Businesses can now attack competitors with DDoS floods by purchasing them online
anonymously, as well.
So what types of recent high-profile data breaches are survey respondents most concerned with?
Figure 1 shows the percentage of respondents concerned with each unique attack variant:
Figure 1: High-Profile Attack Concerns
[Bar chart, axis 0% to 50%. Categories: Financial Services/Bank DDoS attacks like "operation Ababil"; Spamhaus Attacks; Mobile Malware; Application based DDoS attacks. Values plotted: 44%, 22%, 34%, 37%.]
While the methods and motivations for DDoS attacks have changed over the years, one thing is
for certain: they will continue, and more and more organizations are likely to experience them.

What types of protection are available (focus on internal)?
There are many different types of DDoS protection available to organizations today, and more
and more organizations are starting to look into these options seriously. 53% of respondents to
the IANS DDoS survey indicated that they currently have a significant online presence that would
be impacted by DDoS, and the remaining 47% are looking at DDoS detection and prevention very
soon.
The following are common DDoS protection tools:
Dedicated DDoS Detection and Prevention Appliances: Today, there are very
sophisticated security platforms available that are dedicated solely to detecting and
defending against DDoS attacks. These platforms are purpose-built to evaluate more
sophisticated application-layer DDoS attacks and also defend against state and protocol-
focused attacks, since they are closer to the network equipment and services they’re
defending.
Network IDS/IPS: Many organizations look to their existing IDS/IPS installations to help
defend against DDoS. While IDS/IPS can help identify anomalous traffic, including classic
obfuscation techniques like fragmentation, IP Options abuse, and others, these
platforms are not built to handle large volumes of traffic, and may not respond to
“legitimate” requests that fill connection queues. In addition, IPS/IDS often rely on
session state to inspect traffic, making them susceptible to attacks intended to
overwhelm session state in inline devices, effectively taking down the network that
way. 30% of respondents stated that they are leveraging network IDS/IPS for defense
against DDoS.
Firewalls: Traditional network firewalls can mitigate some attacks by using layer three
and four rules. However, firewalls are frequent targets for protocol attacks today, and can
often become major bottlenecks during sustained DDoS floods. Like IPS/IDS, firewalls
rely on session state for inspection and can be taken offline during these types of attacks.
42% of survey respondents stated that they are leveraging network firewalls for defense
against DDoS.
Routers: Some basic access control methods and packet filtering and shaping can be
done at the border router level. 19% of survey respondents stated that they are
leveraging routers for defense against DDoS.
Load Balancers: Close to 15% of survey respondents stated that they are leveraging
network/application load balancers for defense against DDoS. Load balancers can help
handle some aspects of application load, but are still not well-suited to handling huge
floods, and don’t help much with certain types of application and protocol attacks, such
as DNS reflection. Load balancers are designed for maintaining network uptime by
sharing bandwidth, not by stopping attacks. As such, lower volume attacks may be
missed.
Cloud-based DDoS Protection Services: These services are primarily focused on
detecting volume-based attacks and controlling bandwidth. Some of these services can
also balance load across multiple data centers, making very large traffic volumes
manageable. Cloud providers may require extra time to detect and mitigate attacks –
attacks that could be causing service interruption. While extremely useful, this may not be
ideal as a singular solution to DDoS.
Internet Service Providers: “Clean pipe” Internet Service Provider (ISP) offerings sanitize
traffic before it ever reaches you. These services are good for cleansing volume attacks
and some obvious signatures of DDoS, but still cannot handle protocol and application
attacks that leverage “normal” requests. Like cloud providers, relying on a service
provider to protect availability is good, but not as a sole solution. Service providers
cannot detect lower volume attacks that may cause issues with your IPS or firewall that
are still causing network outage situations. Response times to DDoS attacks can also
take anywhere from 45-60 minutes – which can be devastating during peak hours.
51% of respondents indicated that they are using firewalls, routers, IDS/IPS, and load balancers
in some combination for DDoS defense today. Based on survey results, it’s obvious that
organizations are shifting towards an in-house strategy. 72% of respondents stated that they
have some sort of on-premise protection, while only 28% indicated that they were relying solely
on external providers to help them with DDoS attacks.
The reasons organizations provided for focusing on having on-premise protection varied,
however. Figure 2 shows the breakdown of these reasons:
Figure 2: Reasons for On-Premise DDoS Protection
[Chart. Categories: Maintaining uptime; Compliance; Stopping and recording attacks; Blocking botnets; Other (please specify). Values plotted: 30.40%, 30.40%, 30.40%, 7.60%, 1.30%.]
For those organizations not making use of an on-premise DDoS protection solution, 45.5% have
a cloud-based solution or DDoS protection with their ISP, while 54.5% indicated that they did not
have any external services (insinuating that they don’t have any real DDoS defenses at the
moment). When asked why they were not using on-premise solutions, survey respondents replied
with the following reasons:
Figure 3: Reasons for Not Employing On-Premise DDoS Protection
[Chart. Categories: Cost; Complexity; Other (please specify); Cost and Complexity; We don't feel the need for on-premise protection. Values plotted: 9.10%, 18.20%, 9.10%, 36.40%, 27.30%.]
Those that answered “other” included reasons like employee skillset gaps and upcoming network
upgrades and changes which would prohibit such a solution at the moment.
Many organizations rely on ISPs and service providers as their first line of defense for DDoS
attacks, and there are quite a few different types of DDoS protection techniques that these
external providers (ISPs or cloud services) can employ. When asked which techniques their
providers used, survey respondents replied as follows:
Figure 4: Cloud-Based DDoS Protection Techniques
[Bar chart, axis 0% to 35%. Categories: Not Sure; None of the Above; All of the Above; DNS redirection; "Clean pipe", or packet scrubbing, techniques; Overprovisioning.]
18% of survey respondents indicated that they had experienced a significant DDoS attack in the
past 12 months. 60% stated that they could not identify the attackers or their motives for the
attacks. 17% successfully identified the attacks as being business-driven; in other words, their
competitors had initiated some sort of DDoS to cause harm or availability loss to their online
presence and services. 15% of attacks were directly related to criminal extortion attempts, and
8% were politically motivated in one way or another.
Survey respondents have been experiencing a variety of different types of traffic in recent DDoS
attacks. Figure 5 shows the breakdown of traffic types as seen by respondents:
Figure 5: Traffic Types Seen in Recent DDoS Attacks
[Bar chart, axis 0.0% to 60.0%. Categories: ICMP; UDP; HTTP/HTTPS; TCP Other; TCP SYN packets. Values plotted: 13.5%, 11.2%, 51.7%, 25.8%, 22.5%.]
There are a number of different types of controls organizations can implement to combat DDoS
attacks today. Many of these are often existing security and network products and platforms that
organizations have in-house, and with the rise in more sophisticated application, protocol, and
volume-based attacks, routers, firewalls, IDS/IPS, and load balancers just aren’t well-suited to
sustained defense efforts. Organizations need to evaluate more robust DDoS protection tools and
services, but what do they need to consider?

Framework for determining what type of protection you need
As more organizations are looking into implementing an on-premise DDoS detection and
prevention strategy, it should help to have a sound framework for what type of protection
capabilities you need, and how to best establish a DDoS protection program that fits in with your
existing security operations teams. By following the simple framework here, you can start to
evaluate the proper approach and steps that fit best for your organization.
Evaluate the financial impact of losing your organization’s online presence.
While this may seem difficult (and may be, depending on the business model you have), there are
some rough estimates you can rely on. In the Arbor Networks paper, “the Risk vs. Cost of
Enterprise DDoS Protection”, a model that ties together business loss with operational overhead
cost leads to some simple and usable numbers [2]. The number of attacks over a three-year period
can dramatically affect the total cost, too. If you experience only one attack in a 15-year span,
then the cost of an on-premise DDoS solution will break even. Any more attacks than this, and
you will likely get a more significant return on your investment, especially if you depend heavily on
your online presence.
Evaluate Current Incident Response Plans and Processes
The next phase of evaluating DDoS defense readiness and how you should go about preparing
for an on-premise DDoS defense program is to develop an incident response plan for responding
to DDoS attacks. This response plan should accommodate network engineering and operations,
security policy and processes related to availability, and business continuity and disaster recovery
(DR). The following considerations include items in the Preparation and Identification phases of
the NIST SP800-61 publication’s incident handling process. These will help to determine your
level of current readiness:
Criteria | Phase
Do you have a clearly defined DDoS defense strategy? | Preparation
Do you have contacts within your ISP when dealing with a DDoS attack? | Preparation
Do you have a sound understanding of normal traffic patterns coming into your environment? | Preparation
Do you have a good inventory and configuration/vulnerability management program in place for DNS services? | Preparation
Do you have a Defense-in-Depth approach to DDoS defense controls? | Preparation
Does your information security team regularly research and monitor new DDoS varieties and threat vectors? | Preparation
Can your current incident response process accommodate DDoS attacks today? | Identification
Can your response team currently identify and mitigate volume-based DDoS attacks? | Identification
Can your response team currently identify and mitigate protocol anomaly DDoS attacks? | Identification
Can your response team currently identify and mitigate application-based DDoS attacks? | Identification
Can your network monitoring team identify anomalous DNS or other inbound and outbound traffic quickly? | Identification
Have you incorporated DDoS attack indicators into your log and event monitoring? | Identification

[2] http://www.arbornetworks.com/component/docman/doc_download/497-the-risk-vs-cost-of-enterprise-ddos-protection?Itemid=442
These are just a few of the types of questions you should ask your team to evaluate DDoS
defense readiness.
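As an added example (not code from the IANS report or from Arbor Networks), the following Python script applies two of the readiness criteria above to constructed flow records: it derives a SYN-rate baseline from a known-good window (the "normal traffic patterns" question) and then raises the volumetric and slow-connection indicators that a log and event monitoring rule would carry (the "DDoS attack indicators" question). The record layout, thresholds, addresses and sample values are assumptions made for the example.

```python
"""Toy DDoS indicator checks over constructed flow records (added example).

Not code from the IANS report or from Arbor Networks. The record layout,
thresholds and sample values below are assumptions made for the example.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int          # second in which the flow record was emitted
    src: str         # client address
    dst_port: int    # service port on the protected host
    flags: str       # TCP flags seen, e.g. "S" (SYN only) or "PA"
    duration: float  # seconds the connection stayed open
    bytes_in: int    # bytes the client sent over the connection


def baseline_syn_rate(flows, window_seconds):
    """SYN-only segments per second over a known-good window (Preparation)."""
    syn_only = sum(1 for f in flows if f.flags == "S")
    return syn_only / window_seconds


def syn_flood_seconds(flows, baseline_rate, factor=10.0):
    """Volumetric indicator: seconds whose SYN-only count exceeds
    factor x baseline. Returns {second: syn_count}, ordered by second."""
    per_second = Counter(f.ts for f in flows if f.flags == "S")
    return {t: n for t, n in sorted(per_second.items())
            if n > factor * baseline_rate}


def slow_connection_ports(flows, min_duration=30.0, max_bytes=200, min_conns=20):
    """Application-layer indicator in the Slowloris style: many established
    connections to one port that stay open a long time while sending almost
    nothing. Returns {dst_port: count} for ports at or above min_conns."""
    per_port = Counter(f.dst_port for f in flows
                       if "A" in f.flags and f.duration >= min_duration
                       and f.bytes_in <= max_bytes)
    return {p: n for p, n in per_port.items() if n >= min_conns}


def ddos_indicators(flows, baseline_rate):
    """Combine both checks into the event a SIEM rule would raise."""
    return {
        "syn_flood_seconds": syn_flood_seconds(flows, baseline_rate),
        "slow_connection_ports": slow_connection_ports(flows),
    }


# Constructed known-good window: 60 s, two new HTTPS connections per second.
NORMAL = [Flow(ts=t, src=f"198.51.100.{i}", dst_port=443, flags="S",
               duration=1.5, bytes_in=900)
          for t in range(60) for i in range(2)]

# Constructed attack window: a SYN flood at t=101..102 from many sources,
# 30 near-idle long-lived HTTP connections, and a little ordinary traffic.
ATTACK = (
    [Flow(ts=100, src=f"203.0.113.{i}", dst_port=443, flags="S",
          duration=1.5, bytes_in=900) for i in range(5)]
    + [Flow(ts=t, src=f"192.0.2.{i % 250}", dst_port=443, flags="S",
            duration=0.0, bytes_in=0) for t in (101, 102) for i in range(500)]
    + [Flow(ts=103, src=f"203.0.113.{i}", dst_port=80, flags="PA",
            duration=120.0, bytes_in=40) for i in range(30)]
    + [Flow(ts=103, src=f"203.0.113.{200 + i}", dst_port=80, flags="PA",
            duration=2.0, bytes_in=1200) for i in range(5)]
)

if __name__ == "__main__":
    rate = baseline_syn_rate(NORMAL, 60)  # 2.0 SYN/s from the quiet window
    print(ddos_indicators(ATTACK, rate))
    # {'syn_flood_seconds': {101: 500, 102: 500}, 'slow_connection_ports': {80: 30}}
```

The thresholds (10x baseline, 30 s idle, 20 connections) are deliberately simple; a production rule would tune them per service from the baseline the Preparation questions ask for.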
When asked whether their current enterprise teams knew how to identify and respond to DDoS
attacks, 92% of survey respondents said, “yes”. Some combination of operations and security
seems most applicable, with Figure 6 demonstrating the percentage of respondents indicating
which teams played a role in defending against these attacks:
Figure 6: Enterprise Teams Handling DDoS Attacks
[Bar chart, axis 0% to 70%. Categories: I don't know; Network engineering teams; Incident response teams; Information security teams (general). Values plotted: 7%, 43%, 32%, 60%.]

Select the appropriate services and product offerings to mitigate DDoS Attacks
Depending on your business scenario and risk appetite, you will need some combination of
service-based and on-premise DDoS defense controls. Cloud and ISP-based DDoS defense
services may be helpful for handling larger bandwidth-hogging attacks, especially if you don’t
have enough staff in-house or the right expertise to handle this. However, the trend in DDoS
attacks is heading toward application-layer and protocol attacks, which are much better handled
and mitigated close to the platforms and services they protect in most cases. Look for the
following attributes of DDoS detection and protection products that you may employ onsite:
Regular updates to DDoS detection signatures and automated defense mechanisms: An
enterprise-class DDoS platform should be backed by a research team that provides
regular updates to combat the constantly changing threats and attack variants. Also, any
on-premise solution should be capable of detecting and defending against all three major
DDoS types today: volumetric attacks, protocol and state attacks, and application-layer
attacks that target specific services.
Performance: In-house platforms should be capable of very robust performance, never
contributing to latency and lost packets.
Ease of Deployment and Use: Many DDoS solutions are believed to be unnecessarily
complicated. These devices need to be flexible in how they are deployed within an
existing network architecture, and should not require extensive training to get up and
running. The management interface should be intuitive and simple, and reporting should
be customizable.
Easily customizable to your environment: Every network is different, from the
infrastructure down to the applications in use. It is important to have a solution that can
easily adapt to the attacks that target each unique system, as well as broad based
protection.
Conclusion
More and more organizations are experiencing DDoS attacks today. The largest and most
intense traffic floods on record have been seen in 2013, and this trend will likely continue in high-
profile cases. While the majority of attacks are still less than 1 Gbps in size, the variety of blended
attacks using more than one technique can cripple many services and network devices just as
effectively as volumetric attacks. Organizations need to understand the variety of attacks that are
possible, as well as the different types of DDoS defense services and products available. Now is
the right time for most enterprises to evaluate their current detection and response plans with
DDoS in mind, and consider the potential costs and other business impacts from experiencing
multiple sustained outages over a short period of time. The capabilities of on-premise DDoS
platforms have grown significantly, and organizations interested in a proper Defense-in-Depth
model should look at a combination of controls that best meets their needs of both today and
tomorrow.
About Arbor Networks
Arbor Networks, Inc. is a leading provider of network security and management solutions for
enterprise and service provider networks, including the vast majority of the world's Internet
service providers and many of the largest enterprise networks in use today. Arbor's proven
network security and management solutions help grow and protect customer networks,
businesses and brands. Through its unparalleled, privileged relationships with worldwide service
providers and global network operators, Arbor provides unequalled insight into and perspective
on Internet security and traffic trends via the ATLAS® Active Threat Level Analysis System.
Representing a unique collaborative effort with 250+ network operators across the globe, ATLAS
enables the sharing of real-time security, traffic and routing information that informs numerous
business decisions.
About IANS
IANS is the leading provider of in-depth security insights delivered through its research,
community, and consulting offerings. Fueled by interactions among IANS Faculty and end users,
IANS provides actionable advice to information security, risk management, and compliance
executives. IANS powers better and faster technical and managerial decisions through
experience-driven advice.
IANS was founded in June 2001 as the Institute for Applied Network Security. Inspired by the
Harvard Business School experience of interactive discussions driving collective insights, IANS
adapted that format to fit the needs of information security professionals.