DDoS Fallacies v2 - FKTG (transcript of a 44-slide deck)

Introduction to & Fallacies in Mitigation of DDoS attacks
Stefan Mardak, Enterprise Security Architect, Akamai
©2016 AKAMAI | FASTER FORWARD™ Akamai Confidential

Page 1: Introduction to & Fallacies in Mitigation of DDoS attacks

Stefan Mardak, Enterprise Security Architect

Page 2: Akamai Solutions

Grow revenue opportunities with fast, personalized web experiences and manage complexity from peak demand, mobile devices and data collection.

Running over the platform is our intelligent software that enables high-performing and secure web experiences, to any device, anywhere.

Akamai Solutions:
- WEB PERFORMANCE (web users)
- MEDIA DELIVERY (web users)
- CLOUD SECURITY (cloud and data center infrastructure)
- CLOUD NETWORKING (branch users)

Page 3: Akamai Trusted Security Advisor

The Platform
- 220,000+ servers
- 1300+ networks
- 110+ countries
- 30% of all web traffic

The Security Data
- 2 trillion web hits per day
- Tens of millions of unique IP addresses seen daily
- 600k security log lines/sec
- 2 PB of security data

Managed Security Services
- 5 SOCs
- 7 scrubbing centers
- 200 security engineers
- R&D team
- CERT team
- DNS: availability, performance, security, Enterprise Threat Manager
- Web Application Firewall
- Client Reputation Feed
- DDoS protection: DDoS defense on layer 7 combined with web acceleration; DDoS defense on all layers
- API protection
- Bot Management

Page 4: DDoS Attack: How does it work?

During a Distributed Denial of Service (DDoS) attack, compromised hosts or bots coming from distributed sources overwhelm the target with (il)legitimate traffic, i.e. attack traffic that may be indistinguishable from legitimate requests, so that the servers cannot respond to legitimate clients.
=> Critical services are no longer available!

Pages 5-8: DDoS Attack-Types & Targets

[Diagram, built up over four slides: attack traffic and good traffic arrive via ISP 1, ISP 2 ... ISP n and the backbone at the data center, passing firewall/IPS and load balancer before reaching the target applications & services.]

Volumetric, state-exhaustion and application-layer attacks can bring down critical data center services.

- SATURATION: layer 3 / volumetric / flooding attack (fills the links in front of the data center)
- Exhaustion of STATE: layer 4 / state / connection attack (fills the connection tables of stateful devices and servers)
- Exhaustion of SERVICE: layer 7 / application-layer / slow & low attack (ties up the application itself)

Page 9: DDoS Attackers: Who are they?

Page 10: Actors: For Hire

Page 11: Current(ish) prices on the Russian underground market

- Hacking a corporate mailbox: $500
- Winlocker ransomware: $10-20
- Intelligent exploit bundle: $10-$3,000
- Hiring a DDoS attack: $30-$70/day, $1,200/month
- Botnet: $200 for 2,000 bots
- DDoS botnet: $700

Page 12: [image only]

Page 13: Actors: Bored Kids

Page 14: ... and Bored Teens

Image: https://www.flickr.com/photos/ardinhasaphotography/8484164608/sizes/l

Page 15: The Hacktivists

Page 16: Actors: Nation States

Page 17: There are Standard Villains

Page 18: ... and there are Arch Villains

Page 19: Commoditization of DDoS

Image: https://www.flickr.com/photos/trophygeek/7309935684/sizes/l

Page 20: [image only]

Page 21: What's your fancy?

Page 22: What's a Booter? (a web front end for the DDoS-for-hire services priced on page 11)

Page 23: [image only]

Page 24: WORKSHOP: BIGGEST FALLACIES IN DDOS DEFENSE

About erroneous beliefs and how to avoid pitfalls

Stefan Mardak, Enterprise Security Architect

Page 25: Fallacy or logical fallacy

A fallacy is when the reasoning used in an argument or debate contains a factual or logical error.

A fallacious argument appears correct at first sight but proves wrong on examination.

Page 26: "WE WILL NOT BE ATTACKED"

Page 27: More wrong assumptions in this context

- "Our website is not big enough and not popular."
- "Only big companies run the risk of being attacked."
- "We have never been attacked, why should we invest?"
- "We are not an interesting target, our risk is manageable."
- "Our hoster/service provider is taking care of it, we no longer have any risk!"

What happens if someone unplugs your internet router? A DDoS attack has the same effect!

Page 28: Actual DDoS Campaigns

- DD4BC (DDoS for Bitcoin)
- Armada Collective
- Anonymous
- Complex goal-oriented attacks
- KrebsOnSecurity, Dyn

New business model: DDoS coins.

[Chart: each dot represents a DDoS attack, and each interval covers a 10-fold increase in attack size.]

Page 29: MOTIVATION <-> EXPOSURE

Who is attacking? Who is attacked?

- Hacktivists
- Ex-employees
- Script kiddies
- Competitors
- Extortionists
- State sponsored

"There is a hater for everyone"

Page 30: "CLASSIC SECURITY SOLUTIONS ARE OFFERING ENOUGH PROTECTION"

[Cartoon: "See, still classic security" / "Oh no, 4th gen attacks"]

Page 31: The importance of SCALE

[Chart, source: Akamai. DDoS attack sizes 2005-2016 in Gbps and Mpps. Values as they appear on the chart, in year order 2005 to 2016:
Gbps: 11, 18, 22, 39, 48, 68, 79, 82, 190, 321, 312, 665
Mpps: 2, 8, 11, 15, 29, 38, 45, 69, 144, 97, 222, 348]

Mitigating DDoS attacks with high bandwidth:
- Decentralized scrubbing centers
- Traffic engineering, multiple tier-1 providers
- More bandwidth: > 3 Tbps
- Minimal latency inside the scrubbing center

Page 32: Firewalls, IPS, WAF, load balancers, ...

... are developed for protection of data integrity, access control and confidentiality.

Data inspection needs resources. Tailored attacks target exactly these resources. Now the devices are part of the problem, not of the solution.

[Pie chart: targeted devices in a multi-vector attack (numbers vary per attack); shares shown 30%, 27%, 24%, 8%, 5%, 4%; the device labels are not recoverable from the transcript.]

Page 33: "PROTECTION ON ONE LEVEL IS SUFFICIENT" / "WE JUST ADD MORE BANDWIDTH"

[Cartoon: "Their protection is only one level"]

Page 34: Misapprehension on attack complexity

- "To mitigate a DDoS attack I don't need an expert."
- "DDoS attacks are simple and not sophisticated."
- "These pure packet floods are easy to spot and to block."

The reality: DDoS attacks can target bandwidth, network elements or servers, or all of them at once = multi-vector attacks.

Page 35: CDN & Outsourcing: a good start, but...

Today's networks are complex and spread out: corporate assets and services are distributed across the Internet.

Content Delivery Networks:
- Concentrate on few services, mostly only HTTP and HTTPS
- Concentrate on publicly available services
- Cache only static content and still need connections to the origin (e.g. database access)
- Might hinder identification of the attacker and countermeasures
- Attack targets are often within the company data center (VPN gateways, e-mail, FTP)
- Attackers use changing or multiple attack vectors

=> Simple CDNs deliver basic protection for static content
=> No protection for applications, for the origin server, or for shared resources in the data center
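Two of the gaps on this slide can be checked against the origin's own ingress filter: whether the origin is still reachable around the CDN, and which services the CDN never fronts at all. The following is an added example in Python, not part of the deck or of any provider's tooling; the CDN edge ranges, the set of fronted ports and the sample ruleset are assumptions constructed for illustration.

```python
import ipaddress

# Stand-in for the CDN's published edge ranges (assumed values, not any provider's real list).
# In practice fetch the provider's current list and re-run this on every change to it.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
# The slide's point: a plain CDN fronts HTTP/HTTPS only; every other service is on its own.
CDN_FRONTED_PORTS = {80, 443}


def _carve_out(net, blockers):
    """Parts of `net` that no network in `blockers` covers (IPv4 CIDR blocks nest or are disjoint)."""
    remaining = [net]
    for b in blockers:
        nxt = []
        for r in remaining:
            if r.subnet_of(b):           # fully inside a CDN range: nothing to report
                continue
            if b.subnet_of(r):           # CDN range sits inside the allowed block: cut it out
                nxt.extend(r.address_exclude(b))
            else:                        # disjoint: the whole block is non-CDN
                nxt.append(r)
        remaining = nxt
    return remaining


def audit(rules):
    """rules: (source_cidr, dport) pairs the origin's ingress filter allows.
    Returns {"bypass": {port: [cidr, ...]}, "unfronted": {port: [cidr, ...]}}:
    bypass    = CDN-fronted port reachable from non-CDN addresses, so the CDN can be skipped;
    unfronted = service the CDN never sees (mail, FTP, VPN, SSH) and therefore cannot protect."""
    out = {"bypass": {}, "unfronted": {}}
    for cidr, port in rules:
        leftover = _carve_out(ipaddress.ip_network(cidr), CDN_RANGES)
        if not leftover:
            continue
        bucket = "bypass" if port in CDN_FRONTED_PORTS else "unfronted"
        out[bucket].setdefault(port, []).extend(str(n) for n in leftover)
    return out


def reachable_outside_cdn(rules, src_ip, port):
    """True if a non-CDN address `src_ip` can reach `port` on the origin directly."""
    ip = ipaddress.ip_address(src_ip)
    if any(ip in n for n in CDN_RANGES):
        return False
    findings = audit(rules)
    nets = findings["bypass"].get(port, []) + findings["unfronted"].get(port, [])
    return any(ip in ipaddress.ip_network(n) for n in nets)


# Constructed ingress policy for an origin behind a CDN (assumed): 443 was left open to the
# world, 80 is correctly restricted, mail and SSH are reachable from places the CDN never touches.
SAMPLE_RULES = [
    ("0.0.0.0/0", 443),
    ("203.0.113.0/24", 80),
    ("198.51.100.0/25", 80),
    ("0.0.0.0/0", 25),
    ("10.0.0.0/8", 22),
]

if __name__ == "__main__":
    for bucket, ports in audit(SAMPLE_RULES).items():
        for port, nets in sorted(ports.items()):
            print(f"{bucket:9} port {port}: {len(nets)} non-CDN source block(s), e.g. {nets[0]}")
```

The filter check is only half of the picture: an origin address that is still published in DNS, in historic DNS data or in outbound mail headers will be found and hit directly whatever the CDN does, and the "unfronted" services the audit lists need their own mitigation path, which is the multi-level argument of the following slides.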

Page 36: Multi-Vector DDoS Attacks

Attack vector vs. attacked resource:
- UDP floods -> bandwidth
- SYN, ACK, TCP anomaly -> IPS, load balancer, server
- HTTP GET flood -> WAF, server
- RIP -> router, firewall
- ICMP -> router, firewall

Multi-vector DDoS attacks are the norm: multi-vector attacks accounted for 59% of DDoS activity in Q1 2016, up from 56% in Q4 2015.
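A detector that applies this vector-to-resource mapping, together with the three attack classes from the "DDoS Attack-Types & Targets" slides (pages 5-8), to one second of per-flow traffic summaries. This is an added example in Python and not part of the deck; the flow record layout, all thresholds and the constructed attack window are assumptions. What it shows is that one window can trip several classes at once, which is why a single mitigation layer (pipe, stateful device or WAF) cannot cope on its own.

```python
from dataclasses import dataclass


# Constructed one-second traffic summary per flow towards one target, the kind of record a
# NetFlow/IPFIX collector hands to a detector. Field set and thresholds are assumptions.
@dataclass(frozen=True)
class Flow:
    src: str
    proto: str              # "udp", "tcp" or "icmp"
    dport: int
    packets: int
    bytes: int
    tcp_flags: str = ""     # "S" = bare SYN only; "A"/"PA" = handshake completed, data flowing
    http_requests: int = 0  # decoded layer-7 requests carried by this flow, if any
    idle_secs: float = 0.0  # how long the connection has been held open with almost no data

# Thresholds per one-second window (assumed; tune to the link and the servers behind it)
UDP_GBPS = 1.0          # saturation: offered UDP load vs. uplink capacity
ICMP_PPS = 50_000       # saturation: packet rate routers/firewalls must process
SYN_COUNT = 20_000      # state: bare SYNs per second
SYN_PER_ACK = 5.0       # state: SYNs per completed handshake (normal traffic is close to 1)
HTTP_RPS = 5_000        # service: requests per second the application can serve
SLOW_CONNS = 500        # service: connections held idle
SLOW_IDLE_SECS = 60.0

# The slide's mapping: attack class of each vector and the resource that absorbs it
VECTORS = {
    "udp_flood":      ("saturation (L3)",            "bandwidth"),
    "icmp_flood":     ("saturation (L3)",            "router, firewall"),
    "syn_flood":      ("exhaustion of state (L4)",   "IPS, load balancer, server"),
    "http_get_flood": ("exhaustion of service (L7)", "WAF, server"),
    "slow_and_low":   ("exhaustion of service (L7)", "server connection table"),
}


def detect(flows):
    """Vectors active in one window, in fixed order (UDP, ICMP, SYN, HTTP, slow & low)."""
    udp_gbps = sum(f.bytes * 8 for f in flows if f.proto == "udp") / 1e9
    icmp_pps = sum(f.packets for f in flows if f.proto == "icmp")
    syns = sum(f.packets for f in flows if f.proto == "tcp" and f.tcp_flags == "S")
    established = sum(1 for f in flows if f.proto == "tcp" and "A" in f.tcp_flags)
    rps = sum(f.http_requests for f in flows)
    idle = sum(1 for f in flows if f.proto == "tcp" and f.idle_secs >= SLOW_IDLE_SECS)
    found = []
    if udp_gbps >= UDP_GBPS:
        found.append("udp_flood")
    if icmp_pps >= ICMP_PPS:
        found.append("icmp_flood")
    # Many SYNs that never become handshakes: the state table, not the link, is the target
    if syns >= SYN_COUNT and syns / max(established, 1) >= SYN_PER_ACK:
        found.append("syn_flood")
    if rps >= HTTP_RPS:
        found.append("http_get_flood")
    if idle >= SLOW_CONNS:
        found.append("slow_and_low")
    return found


def report(flows):
    """Each active vector with its class and the resource it hits, plus the multi-vector
    flag: more than one class at once means no single layer (pipe, firewall, WAF) can cope."""
    found = detect(flows)
    return {"vectors": [(v, *VECTORS[v]) for v in found], "multi_vector": len(found) > 1}


def legitimate_clients(n=300):
    """n browsers that complete the handshake and fetch five pages each (constructed)."""
    return [Flow(f"192.0.2.{i % 254 + 1}", "tcp", 443, 40, 60_000, "PA", http_requests=5)
            for i in range(n)]


def multi_vector_window():
    """Constructed attack window: UDP flood + SYN flood + HTTP GET flood on top of normal users."""
    flows = legitimate_clients()
    # 2,000 spoofed sources, 1,000 x 1,400-byte UDP packets each: about 22 Gbit in one second
    flows += [Flow(f"198.51.100.{i % 254 + 1}", "udp", 53, 1000, 1_400_000) for i in range(2000)]
    # 5,000 sources sending 10 bare SYNs each and never completing the handshake
    flows += [Flow(f"203.0.113.{i % 254 + 1}", "tcp", 443, 10, 600, "S") for i in range(5000)]
    # 100 bots that do complete handshakes and then issue 100 GETs each for an expensive page
    flows += [Flow(f"100.64.0.{i}", "tcp", 443, 400, 200_000, "PA", http_requests=100)
              for i in range(100)]
    return flows


if __name__ == "__main__":
    for vector, cls, resource in report(multi_vector_window())["vectors"]:
        print(f"{vector:15} {cls:28} -> {resource}")
```

Real detectors key these counters per destination and compare against a learned baseline rather than fixed numbers; the fixed thresholds here only make the example reproducible. Note that the SYN-flood test is a ratio, not a count: a busy but healthy site also sees tens of thousands of SYNs, but almost all of them turn into handshakes.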

Page 37: What to do? Multilevel Attack Protection

- Multiple attack vectors on infrastructure level and application level
- Growing complexity of attack vectors (all levels)
- Variable defense strategy needed
- Integration between all levels for reliable and comprehensive protection
- Communication between all levels is essential, as is keeping countermeasures up to date

[Diagram: app-level protection, infrastructure-level protection, DNS-level protection]

Page 38: "THE COST OF A DDOS ATTACK CANNOT JUSTIFY THE COST OF A SECURITY SOLUTION"

[Cartoon: "I must say the castle owner doesn't look too upset!" / "That is because he still doesn't know what he is missing!"]

Page 39: Hidden cost of a DDoS attack

Operational expenses and indirect costs:
- Revenue loss
- SLA compensation
- Stock price fluctuation
- Marketing to compensate reputation damage
- Churn
- Call center costs
- Excessive emergency costs
- Fees for consultants and lawyers
- Increased insurance premiums

DDoS attacks should be part of risk management, as the risk can be estimated from statistics.

Page 40: Recommendation

- IT components should be used according to their planned purpose. Firewalls, IDP/IPS, load balancers or application firewalls offer no DDoS protection.
- Securing the availability of networks is a basic requirement and should not be underestimated.
- Other connections like VPNs or partner access should be considered as well.
- Multi-level protection should be introduced; it mitigates each attack where doing so is most effective.
- Volumetric attacks cannot be mitigated locally.
- During a DDoS attack, IT security staff should be free to take care of everything else while the attack is mitigated automatically with prepared strategies.
- Think about pushing out the mitigation perimeter.

Page 41: "DDOS ATTACKS ARE NOT COMPLEX THREATS"

Page 42: Attack complexity

Technically, DDoS attacks might not be complex, but mitigating them is!

4th gen DDoS attacks: IoHT / Internet of hacked Things
(1st gen: infected PCs; 2nd gen: servers, e.g. WordPress; 3rd gen: reflection & amplification)

DDoS used as a smoke screen:
- Flooding security systems to lower security
- Flooding log and SIEM systems to hide the hack

Threats imposed during a DDoS attack include:
- Data theft
- Malware and spam delivery through compromised servers
- Inclusion of compromised servers into attack networks
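The log-flooding smoke screen on this slide has a concrete defensive counterpart in the log pipeline: the few lines that matter must survive while the flood is suppressed, and the drop rate itself should become a finding rather than a silent loss. Added example in Python, not from the deck; the log format, the must-keep patterns, the per-template budget, the alert threshold and the constructed log lines are all assumptions. It contrasts a shipper that tail-drops under load with one that gives critical events their own lane.

```python
import re
from collections import defaultdict

# Constructed log format for this example: "<epoch-second> <host> <SEV> <message>"
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<host>\S+) (?P<sev>INFO|WARN|CRIT) (?P<msg>.*)$")
# Messages that must survive whatever else is happening (assumed list; extend per environment)
MUST_KEEP = ("session opened for user root", "useradd", "Accepted password", "Accepted publickey")
# Per (host, severity, message template) budget per second for everything else (assumed)
BURST_PER_SEC = 50
# Suppressed lines per second above which the flood itself becomes a finding (assumed)
SMOKE_SCREEN_SUPPRESSED_PER_SEC = 500

_NUM = re.compile(r"\d+")


def template(msg):
    """Collapse addresses, ports and counters so that denies from thousands of spoofed
    sources share one budget instead of each getting its own."""
    return _NUM.sub("#", msg)


def naive_forward(lines, rate_per_sec):
    """A shipper that forwards the first `rate_per_sec` lines of each second and drops the rest:
    the lines the attacker wants hidden arrive mid-flood and are exactly the ones lost."""
    shipped, seen = [], defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if m and seen[int(m["ts"])] < rate_per_sec:
            seen[int(m["ts"])] += 1
            shipped.append(line)
    return shipped


def flood_aware(lines):
    """Priority lane for critical events, per-template budget for the rest, a count line for
    what was dropped, and an alert when the drop rate itself looks like a smoke screen."""
    shipped, alerts = [], []
    budget = defaultdict(int)      # (ts, host, sev, template) -> lines accepted this second
    suppressed = defaultdict(int)  # (ts, host, sev, template) -> lines dropped this second
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, sev, msg = int(m["ts"]), m["host"], m["sev"], m["msg"]
        if sev == "CRIT" or any(p in msg for p in MUST_KEEP):
            shipped.append(line)   # never rate-limited
            continue
        key = (ts, host, sev, template(msg))
        if budget[key] < BURST_PER_SEC:
            budget[key] += 1
            shipped.append(line)
        else:
            suppressed[key] += 1
    per_sec = defaultdict(int)
    for (ts, host, sev, tpl), n in sorted(suppressed.items()):
        shipped.append(f"{ts} {host} {sev} [suppressed {n} similar] {tpl}")
        per_sec[ts] += n
    for ts, n in sorted(per_sec.items()):
        if n >= SMOKE_SCREEN_SUPPRESSED_PER_SEC:
            alerts.append(f"{ts} log flood: {n} lines/s suppressed; look for what it is covering")
    return shipped, alerts


def sample_lines():
    """Constructed: 1,000 firewall denies per second for 20 s, a normal login at t=3 and a root
    session opened on an application server at t=15, buried 700 lines deep into that second."""
    lines = []
    for ts in range(20):
        for i in range(1000):
            if ts == 3 and i == 10:
                lines.append(f"{ts} bastion INFO sshd: Accepted publickey for deploy from 10.0.0.5 port 51234")
            if ts == 15 and i == 700:
                lines.append(f"{ts} app01 CRIT pam_unix(sshd:session): session opened for user root by backup(uid=0)")
            lines.append(f"{ts} fw01 WARN deny tcp 203.0.113.{i % 254 + 1}:{1024 + i} -> 192.0.2.10:443")
    return lines


if __name__ == "__main__":
    kept, alerts = flood_aware(sample_lines())
    print(len(kept), "lines kept;", len(alerts), "flood alerts;",
          "root session kept:", any("user root" in l for l in kept))
```

The same idea applies one hop later: a SIEM whose correlation rules are starved by a flood of denies is as blind as one whose forwarder dropped the line, so the suppression counters and the flood alert should be indexed with the same priority as the critical events they protect.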

Page 43: Fallacies have their impact...

... on decisions in the company across several departments:
- Risk assessment
- Investments
- Planning
- IT security
- All internet communication

These areas have their own models:
- Calculation
- Best Common Practice
- CIS Critical Security Controls for Effective Cyber Defense (www.sans.org)

Page 44: THANK YOU

Stefan Mardak, [email protected]