
DDoS Attacks

IANS CUSTOM REPORT

WRITTEN BY DAVE SHACKLEFORD

JUNE 2013

COMMISSIONED BY: Arbor Networks


© 2013 IANS. All rights reserved. Commissioned by Arbor Networks. For more information, write to [email protected].

Contents

Introduction
DDoS Attacks Yesterday and Today
What types of protection are available (focus on internal)?
Framework for determining what type of protection you need
Conclusion
About Arbor Networks
About IANS


Introduction

At the end of March 2013, the largest Distributed Denial of Service (DDoS) attack in history was seen on the Internet. With anti-spam organization Spamhaus.org in mind, the attackers initially targeted a company called CloudFlare that hosts and helps control traffic for Spamhaus, and later moved on to attack bigger upstream providers. The attack began with a whopping 120 Gbps of traffic, but grew even more to eventually reach a 300 Gbps saturation. Both of these are huge numbers that could bring even the biggest organizations to their knees. In analyzing the attack, IANS believes that there are lessons for every organization here. First, we need to understand what methods were employed by both attackers and defenders. Second, it underscores the need for improved, more layered DDoS defenses than most organizations have traditionally had. If it can happen to Spamhaus, it can happen to anyone.

This holds true for any organization, whether online service provider, financial organization, or enterprise with an online business presence. The attacks are changing, even while the classic DDoS attack techniques are still effective. Organizations of all sorts are finding themselves in the crosshairs of malicious attackers with a variety of motivations to cause outages and lead to lost business and reputations. IANS conducted a survey of global enterprises to determine what concerns they have, what tactics they’re using to defeat DDoS, and what kinds of tools and processes they’re using or considering. In this paper, we’ll review the history of DDoS attacks, focusing on the variety of different types we’ve seen, as well as several recent cases where newer methods were employed by the attackers. We will then review the different types of protection available today with an eye toward putting in-house DDoS detection and prevention tools and processes in place, including data from the IANS survey. Finally, we will include a simple framework that can help you to accomplish this, with pointers on what to think about and consider when devising an internal DDoS strategy.

DDoS Attacks Yesterday and Today

DDoS attacks have been occurring since the mid 1990s (not counting some of the earlier malware-driven DDoS effects from the Morris worm and others). The first DDoS attacks really emerged in 1995-1996, when it was discovered that floods of TCP packets with only the SYN flag set could overwhelm network equipment and many servers and services. This technique, known as the SYN Flood, became much more popular in 1997-1998, along with attacks that crashed services such as the Teardrop and Boink attacks. Reflected ICMP and other replies became popular in 1998-2000 with techniques like Smurf and Fraggle.

The first real DDoS attacks, however, started emerging in late 1998 and early 1999, with a number of client-server tools such as Trinoo, Tribe Flood Network (TFN), and Stacheldraht. Attackers could compromise systems, install the software, and then remotely issue commands to multiple owned systems, telling them to simultaneously launch attacks and send malicious traffic to one or more destinations. These tools, along with the attacks they were capable of generating and controlling, served as the precursors to today’s botnets, where a single attacker or group controlled numerous distributed systems, commanding them to perform coordinated actions (in this case, DDoS floods and attacks). In 1999, one of the first publicized DDoS attacks rendered the University of Minnesota’s network almost unusable for close to three days, with 2500 or more attacking hosts involved.[1] The Trinoo tool was used to send many 2-byte UDP packets, and the university was largely unable to do anything about it.

In 2000, DDoS attacks burst into the mainstream through a series of attacks against the highest profile Internet sites of that era. None of these attacks were particularly complex or sophisticated, but the sheer volume of traffic and compromised hosts flooding the sites caused the initial identification of the attacks and subsequent response to be somewhat slow. From 2001 to 2003, flood-based DDoS attacks continued, but some of the techniques changed, as well as attacker motivation. Now, attackers started extorting financial and other organizations by threatening continued DDoS until a ransom was paid. The attackers also started actively making use of reflected attacks, particularly spoofed DNS queries. Into 2004, DDoS attacks were starting to be actively carried out by distributed botnets, with fast-spreading worms often seen as the initial attack vector.

Up through 2007, these same techniques continued, culminating in the sustained 2007 attacks by Russia against the country of Estonia. Seen as the first true politically motivated DDoS attack, the flood of traffic continued for close to three weeks against high-profile Estonian web sites and government services, leading to an organized response by NATO. This same behavior continued in 2008 when Russia was accused of using DDoS techniques in its war with Georgia. In 2009, security professionals saw the rise of the “crowdsourced” DDoS when Iranian protesters used PHP scripts and other tools to target Iranian government sites. The hacktivism group Anonymous started using DDoS effectively as a retaliation and political strategy, targeting religious groups like Scientology, government sites in the US and UK, and financial firms.

The Wikileaks saga has led to numerous DDoS attacks in 2010 and beyond, with groups like LulzSec and Anonymous taking out government and commercial sites. The blogging site WordPress was hit in 2011, as was the Hong Kong Stock Exchange. One of the largest attacks in 2011 was against Sony’s PlayStation Network, and was again attributed to Anonymous. The DDoS attack against Sony was intended to both mask data exfiltration by creating a huge amount of “noise”, and also to cause deliberate availability impacts to Sony.

2012 saw a significant rise in attacks against financial organizations. Many of the world’s leading financial service institutions and banks experienced significant outages and slowdowns due to politically-motivated DDoS attacks. Some of these reached sustained 100 Gbps speeds as well, which many in the security community believe to be the foreshadowing of trends we are seeing now. Several hosting providers were victims in 2012, as was the code-sharing site GitHub (which is still under attack into 2013).

[1] http://denialofservice.uw.hu/ch03lev1sec3.html

What has changed in the last several years? Several key trends are occurring now:

The variety and types of attacks are changing. While most attacks are still volume-based, primarily SYN Floods and ICMP and UDP traffic, more and more application-level traffic is seen today, primarily HTTP and HTTPS and DNS queries. Some of these are much “slower” in nature, and focus more on connection handling at the application/service layer than on pure volume. This type of attack rose to prominence as far back as 2009, when tools like Slowloris became available to target HTTP services. In addition, many DDoS attacks now target stateful network devices, looking to fill connection queues and cause slowdown and loss of availability.

More tools are becoming available to easily perpetrate DDoS attacks as political statements. The most well known of these include Low-Orbit Ion Cannon (LOIC) and High-Orbit Ion Cannon (HOIC). LOIC was used to great effect against the Church of Scientology and other Anonymous targets. HOIC was used in early 2012 to protest the shutdown of the site Megaupload.

New types of criminal activity are being seen related to DDoS attacks. In addition to the classic extortion and political focus, DDoS attacks are now being used as a distraction mechanism while other attacks (such as fraudulent wire transfers) are underway. Businesses can now attack competitors with DDoS floods by purchasing them online anonymously, as well.

So what types of recent high-profile data breaches are survey respondents most concerned with? Figure 1 shows the percentage of respondents concerned with each unique attack variant:

Figure 1: High-Profile Attack Concerns (bar chart, 0% to 50% axis). Categories: Financial Services/Bank DDoS attacks like "Operation Ababil"; Spamhaus attacks; Mobile malware; Application-based DDoS attacks. Values as extracted from the chart, in extraction order (pairing with categories not recoverable): 44%, 22%, 34%, 37%.

While the methods and motivations for DDoS attacks have changed over the years, one thing is for certain: they will continue, and more and more organizations are likely to experience them.

What types of protection are available (focus on internal)?

There are many different types of DDoS protection available to organizations today, and more and more organizations are starting to look into these options seriously. 53% of respondents to the IANS DDoS survey indicated that they currently have a significant online presence that would be impacted by DDoS, and the remaining 47% are looking at DDoS detection and prevention very soon.


The following are common DDoS protection tools:

Dedicated DDoS Detection and Prevention Appliances: Today, there are very sophisticated security platforms available that are dedicated solely to detecting and defending against DDoS attacks. These platforms are purpose-built to evaluate more sophisticated application-layer DDoS attacks and also defend against state and protocol-focused attacks, since they are closer to the network equipment and services they’re defending.

Network IDS/IPS: Many organizations look to their existing IDS/IPS installations to help defend against DDoS. While IDS/IPS can help identify anomalous traffic, including classic obfuscation techniques like fragmentation, IP Options abuse, and others, these platforms are not built to handle large volumes of traffic, and may not respond to “legitimate” requests that fill connection queues. In addition, IPS/IDS often rely on session state to inspect traffic, making them susceptible to attacks intent on overwhelming session state in inline devices, effectively taking down the network that way. 30% of respondents stated that they are leveraging network IDS/IPS for defense against DDoS.

Firewalls: Traditional network firewalls can mitigate some attacks by using layer three and four rules. However, firewalls are frequent targets for protocol attacks today, and can often become major bottlenecks during sustained DDoS floods. Like IPS/IDS, firewalls rely on session state for inspection and can be taken offline during these types of attacks. 42% of survey respondents stated that they are leveraging network firewalls for defense against DDoS.

Routers: Some basic access control methods and packet filtering and shaping can be done at the border router level. 19% of survey respondents stated that they are leveraging routers for defense against DDoS.

Load Balancers: Close to 15% of survey respondents stated that they are leveraging network/application load balancers for defense against DDoS. Load balancers can help handle some aspects of application load, but are still not well-suited to handling huge floods, and don’t help much with certain types of application and protocol attacks, such as DNS reflection. Load balancers are designed for maintaining network uptime by sharing bandwidth, not by stopping attacks. As such, lower volume attacks may be missed.

Cloud-based DDoS Protection Services: These services are primarily focused on detecting volume-based attacks and controlling bandwidth. Some of these services can also balance load across multiple data centers, making very large traffic volumes manageable. Cloud providers may require extra time to detect and mitigate attacks, attacks that could be causing service interruption in the meantime. While extremely useful, this may not be ideal as a singular solution to DDoS.

Internet Service Providers: “Clean pipe” Internet Service Provider (ISP) offerings sanitize traffic before it ever reaches you. These services are good for cleansing volume attacks and some obvious signatures of DDoS, but still cannot handle protocol and application attacks that leverage “normal” requests. Like cloud providers, relying on a service provider to protect availability is good, but not as a sole solution. Service providers cannot detect lower-volume attacks that overwhelm your IPS or firewall and still cause network outages. Response times to DDoS attacks can also take anywhere from 45-60 minutes, which can be devastating during peak hours.

51% of respondents indicated that they are using firewalls, routers, IDS/IPS, and load balancers in some combination for DDoS defense today. Based on survey results, it’s obvious that organizations are shifting towards an in-house strategy. 72% of respondents stated that they have some sort of on-premise protection, while only 28% indicated that they were relying solely on external providers to help them with DDoS attacks.

The reasons organizations provided for focusing on having on-premise protection varied, however. Figure 2 shows the breakdown of these reasons:

Figure 2: Reasons for On-Premise DDoS Protection (pie chart). Categories: Maintaining uptime; Compliance; Stopping and recording attacks; Blocking botnets; Other (please specify). Values as extracted from the chart, in extraction order (pairing with categories not recoverable): 30.40%, 30.40%, 30.40%, 7.60%, 1.30%.

For those organizations not making use of an on-premise DDoS protection solution, 45.5% have a cloud-based solution or DDoS protection with their ISP, while 54.5% indicated that they did not have any external services (insinuating that they don’t have any real DDoS defenses at the moment). When asked why they were not using on-premise solutions, survey respondents replied with the following reasons:

Figure 3: Reasons for Not Employing On-Premise DDoS Protection (pie chart). Categories: Cost; Complexity; Other (please specify); Cost and Complexity; We don't feel the need for on-premise protection. Values as extracted from the chart, in extraction order (pairing with categories not recoverable): 9.10%, 18.20%, 9.10%, 36.40%, 27.30%.

Those that answered “other” included reasons like employee skillset gaps and upcoming network upgrades and changes which would prohibit such a solution at the moment.

Many organizations rely on ISPs and service providers as their first line of defense for DDoS attacks, and there are quite a few different types of DDoS protection techniques that these external providers (ISPs or cloud services) can employ. When asked which techniques their providers used, survey respondents replied as follows:

Figure 4: Cloud-Based DDoS Protection Techniques (bar chart, 0% to 35% axis). Categories: Overprovisioning; "Clean pipe", or packet scrubbing, techniques; DNS redirection; All of the Above; None of the Above; Not Sure. The bar values were not recoverable from the extracted page.


18% of survey respondents indicated that they had experienced a significant DDoS attack in the past 12 months. 60% stated that they could not identify the attackers or their motives for the attacks. 17% successfully identified the attacks as being business-driven; in other words, their competitors had initiated some sort of DDoS to cause harm or availability loss to their online presence and services. 15% of attacks were directly related to criminal extortion attempts, and 8% were politically motivated in one way or another.

Survey respondents have been experiencing a variety of different types of traffic in recent DDoS attacks. Figure 5 shows the breakdown of traffic types as seen by respondents:

Figure 5: Traffic Types Seen in Recent DDoS Attacks (bar chart, 0% to 60% axis). Categories: TCP SYN packets; TCP Other; HTTP/HTTPS; UDP; ICMP. Values as extracted from the chart, in extraction order (pairing with categories not recoverable): 13.5%, 11.2%, 51.7%, 25.8%, 22.5%.

There are a number of different types of controls organizations can implement to combat DDoS attacks today. Many of these are often existing security and network products and platforms that organizations have in-house, and with the rise in more sophisticated application, protocol, and volume-based attacks, routers, firewalls, IDS/IPS, and load balancers just aren’t well-suited to sustained defense efforts. Organizations need to evaluate more robust DDoS protection tools and services, but what do they need to consider?

Framework for determining what type of protection you need

As more organizations are looking into implementing an on-premise DDoS detection and prevention strategy, it should help to have a sound framework for what type of protection capabilities you need, and how to best establish a DDoS protection program that fits in with your existing security operations teams. By following the simple framework here, you can start to evaluate the proper approach and steps that fit best for your organization.


Evaluate the financial impact of losing your organization’s online presence

While this may seem difficult (and may be, depending on the business model you have), there are some rough estimates you can rely on. In the Arbor Networks paper, “the Risk vs. Cost of Enterprise DDoS Protection”, a model that ties together business loss with operational overhead cost leads to some simple and usable numbers.[2] The number of attacks over a three-year period can dramatically affect the total cost, too. If you experience only one attack in a 15-year span, then the cost of an on-premise DDoS solution will break even. Any more attacks than this, and you will likely get a more significant return on your investment, especially if you depend heavily on your online presence.

Evaluate Current Incident Response Plans and Processes

The next phase of evaluating DDoS defense readiness and how you should go about preparing for an on-premise DDoS defense program is to develop an incident response plan for responding to DDoS attacks. This response plan should accommodate network engineering and operations, security policy and processes related to availability, and business continuity and disaster recovery (DR). The following considerations include items in the Preparation and Identification phases of the NIST SP800-61 publication’s incident handling process. These will help to determine your level of current readiness:

Criteria | Phase
Do you have a clearly defined DDoS defense strategy? | Preparation
Do you have contacts within your ISP when dealing with a DDoS attack? | Preparation
Do you have a sound understanding of normal traffic patterns coming into your environment? | Preparation
Do you have a good inventory and configuration/vulnerability management program in place for DNS services? | Preparation
Do you have a Defense-in-Depth approach to DDoS defense controls? | Preparation
Does your information security team regularly research and monitor new DDoS varieties and threat vectors? | Preparation
Can your current incident response process accommodate DDoS attacks today? | Identification
Can your response team currently identify and mitigate volume-based DDoS attacks? | Identification
Can your response team currently identify and mitigate protocol anomaly DDoS attacks? | Identification
Can your response team currently identify and mitigate application-based DDoS attacks? | Identification
Can your network monitoring team identify anomalous DNS or other inbound and outbound traffic quickly? | Identification
Have you incorporated DDoS attack indicators into your log and event monitoring? | Identification

[2] http://www.arbornetworks.com/component/docman/doc_download/497-the-risk-vs-cost-of-enterprise-ddos-protection?Itemid=442

These are just a few of the types of questions you should ask your team to evaluate DDoS defense readiness.
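Two of the readiness questions above, a baseline for normal traffic patterns and DDoS indicators in event monitoring, can be turned into concrete checks. The following is an added example, not code from the IANS report or from Arbor Networks; it assumes a NetFlow-style summary record (timestamp, source, destination, protocol, port, TCP flags, bytes, duration) and runs over constructed sample flows containing a SYN flood against a connection queue and a Slowloris-style slow-connection pattern.

```python
# Added example (not from the IANS report or Arbor Networks): checks over
# NetFlow-style flow summaries for the readiness questions above. The record
# format is an assumption and all sample data is constructed.
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Constructed normal traffic: "ts src dst proto dport flags bytes duration_s".
# "flags" is the union of TCP flags seen on the flow; "S" alone means the
# handshake never completed (a half-open connection).
NORMAL_LOG = """\
100 10.0.0.5 203.0.113.10 tcp 443 SA 8200 0.9
100 10.0.0.6 203.0.113.10 tcp 443 SAF 15100 1.4
100 10.0.0.7 203.0.113.53 udp 53 - 90 0.0
101 10.0.0.8 203.0.113.10 tcp 80 SAF 4300 0.7
"""

@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    proto: str
    dport: int
    flags: str
    nbytes: int
    duration: float

def parse_flows(text: str) -> list[Flow]:
    """Parse the whitespace-separated record format described above."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, flags, nbytes, dur = line.split()
        flows.append(Flow(int(ts), src, dst, proto, int(dport), flags,
                          int(nbytes), float(dur)))
    return flows

def constructed_sample() -> str:
    """Normal traffic plus two constructed attack patterns from the report."""
    lines = [NORMAL_LOG]
    # Protocol/state attack: 200 half-open SYNs in one second from many
    # (spoofed) sources, the classic SYN flood against connection queues.
    for i in range(200):
        lines.append(f"101 198.51.100.{i % 250 + 1} 203.0.113.10 tcp 80 S 60 0.0\n")
    # Application-layer attack: 30 nearly idle HTTP connections held open for
    # five minutes by three hosts (Slowloris-style connection exhaustion).
    for i in range(30):
        lines.append(f"{102 + i % 5} 192.0.2.{i % 3 + 1} 203.0.113.10 tcp 80 SA 120 300.0\n")
    return "".join(lines)

def syn_flood_indicators(flows, baseline_syn_per_s=20.0, spike_factor=5,
                         half_open_ratio=0.8):
    """Flag (dst, second) buckets where half-open SYNs exceed the normal
    baseline by spike_factor and dominate the TCP flows seen that second."""
    buckets = defaultdict(lambda: [0, 0])  # (dst, ts) -> [half_open, completed]
    for f in flows:
        if f.proto != "tcp":
            continue
        buckets[(f.dst, f.ts)][0 if f.flags == "S" else 1] += 1
    alerts = []
    for (dst, ts), (half, done) in sorted(buckets.items()):
        if half > baseline_syn_per_s * spike_factor and half / (half + done) >= half_open_ratio:
            alerts.append((dst, ts, half, done))
    return alerts

def slow_connection_indicators(flows, min_duration_s=60.0, max_bytes=512,
                               min_conns=10):
    """Flag web services with many long-lived, almost empty connections: the
    "slow" application-layer pattern that pure volume thresholds miss."""
    by_service = defaultdict(list)
    for f in flows:
        if (f.proto == "tcp" and f.dport in (80, 443)
                and f.duration >= min_duration_s and f.nbytes <= max_bytes):
            by_service[(f.dst, f.dport)].append(f.src)
    return [(dst, port, len(srcs), len(set(srcs)))
            for (dst, port), srcs in sorted(by_service.items())
            if len(srcs) >= min_conns]

if __name__ == "__main__":
    flows = parse_flows(constructed_sample())
    print("syn flood (dst, second, half-open, completed):", syn_flood_indicators(flows))
    print("slow connections (dst, port, conns, sources):", slow_connection_indicators(flows))
```

The baseline and ratio parameters are placeholders; in practice they come from the organization's own measured normal traffic, which is exactly what the "normal traffic patterns" question asks for.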

When asked whether their current enterprise teams knew how to identify and respond to DDoS attacks, 92% of survey respondents said, “yes”. Some combination of operations and security seems most applicable, with Figure 6 demonstrating the percentage of respondents indicating which teams played a role in defending against these attacks:

Figure 6: Enterprise Teams Handling DDoS Attacks (bar chart, 0% to 70% axis). Categories: I don't know; Network engineering teams; Incident response teams; Information security teams (general). Values as extracted from the chart, in extraction order (pairing with categories not recoverable): 7%, 43%, 32%, 60%.

Select the appropriate services and product offerings to mitigate DDoS Attacks

Depending on your business scenario and risk appetite, you will need some combination of service-based and on-premise DDoS defense controls. Cloud and ISP-based DDoS defense services may be helpful for handling larger bandwidth-hogging attacks, especially if you don’t have enough staff in-house or the right expertise to handle this. However, the trend in DDoS attacks is heading toward application-layer and protocol attacks, which are much better handled and mitigated close to the platforms and services they protect in most cases. Look for the following attributes of DDoS detection and protection products that you may employ onsite:

Regular updates to DDoS detection signatures and automated defense mechanisms: An enterprise-class DDoS platform should be backed by a research team that provides regular updates to combat the constantly changing threats and attack variants. Also, any on-premise solution should be capable of detecting and defending against all three major DDoS types today: volumetric attacks, protocol and state attacks, and application-layer attacks that target specific services.

Performance: In-house platforms should be capable of very robust performance, never contributing to latency and lost packets.

Ease of Deployment and Use: Many DDoS solutions are believed to be unnecessarily complicated. These devices need to be flexible in how they are deployed within an existing network architecture, and should not require extensive training to get up and running. The management interface should be intuitive and simple, and reporting should be customizable.

Easily customizable to your environment: Every network is different, from the infrastructure down to the applications in use. It is important to have a solution that can easily adapt to the attacks that target each unique system, as well as broad based protection.

Conclusion

More and more organizations are experiencing DDoS attacks today. The largest and most intense traffic floods on record have been seen in 2013, and this trend will likely continue in high-profile cases. While the majority of attacks are still less than 1 Gbps in size, the variety of blended attacks using more than one technique can cripple many services and network devices just as effectively as volumetric attacks. Organizations need to understand the variety of attacks that are possible, as well as the different types of DDoS defense services and products available. Now is the right time for most enterprises to evaluate their current detection and response plans with DDoS in mind, and consider the potential costs and other business impacts from experiencing multiple sustained outages over a short period of time. The capabilities of on-premise DDoS platforms have grown significantly, and organizations interested in a proper Defense-in-Depth model should look at a combination of controls that best meets their needs of both today and tomorrow.

About Arbor Networks

Arbor Networks, Inc. is a leading provider of network security and management solutions for enterprise and service provider networks, including the vast majority of the world's Internet service providers and many of the largest enterprise networks in use today. Arbor's proven network security and management solutions help grow and protect customer networks, businesses and brands. Through its unparalleled, privileged relationships with worldwide service providers and global network operators, Arbor provides unequalled insight into and perspective on Internet security and traffic trends via the ATLAS® Active Threat Level Analysis System. Representing a unique collaborative effort with 250+ network operators across the globe, ATLAS enables the sharing of real-time security, traffic and routing information that informs numerous business decisions.

About IANS

IANS is the leading provider of in-depth security insights delivered through its research, community, and consulting offerings. Fueled by interactions among IANS Faculty and end users, IANS provides actionable advice to information security, risk management, and compliance executives. IANS powers better and faster technical and managerial decisions through experience-driven advice.

IANS was founded in June 2001 as the Institute for Applied Network Security. Inspired by the Harvard Business School experience of interactive discussions driving collective insights, IANS adapted that format to fit the needs of information security professionals.