jeroen wijdogen (akamai) | tu - hacks & attacks

Akamai Web Security – DDOS: is there a threat? Jeroen Wijdogen, Enterprise Security Architect

Upload: immovator

Post on 17-Jul-2015



©2014 AKAMAI | FASTER FORWARDTM

What is a Cyber Attack?


Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks.

Types of Attacks

Application (Layer 6-7)
•  Zero Day, SlowLoris, Buffer Overflows, SQL Injections, Cookie Poisoning
•  Measured by number of requests (rps)

Protocol (Layer 4-5)
•  SYN Floods, Fragmented Packet, SMURF and Ping of Death
•  Measured by number of packets (Xpps)

Volumetric (Layer 3)
•  ICMP echo, IP Spoofing, UDP Reflection attacks
•  Measured by size of packets (Xbps)

[Figure: OSI model (Application, Presentation, Session, Transport, Network, Data Link, Physical) with layers 6-7, 4-5 and 3 marked against the three attack classes.]


Layer 3 DDoS / Volumetric Attack

•  Effect: too much traffic; bandwidth is exhausted ahead of the router and load balancer that front the HTTP, OS / WIN and DNS servers
•  Examples: ICMP echo, IP Spoofing, UDP Reflection attacks
•  Attacks measured in Xbps
•  Visible result: 404 / 408 error


Layer 4 DDoS / Protocol Attack

•  Effect: the protocol is overloaded with requests at the router, load balancer and firewall in front of the HTTP, OS / WIN and DNS servers
•  Examples: SYN Floods, Fragmented Packet, SMURF and Ping of Death
•  Attacks measured in Xpps
•  Visible result: 404 error


Layer 7 DDoS / Application Attacks

•  Effect: low and slow attacks exploiting application and OS vulnerabilities, passing the router, firewall and IDS to reach the HTTP, OS / WIN, DNS, SMTP and VoIP services
•  Examples: Zero Day, SlowLoris, Buffer Overflows, SQL Injections, Cookie Poisoning
•  Attacks measured in rps
•  Visible result: no access


NTP Amplification (volumetric attack): how it works

1. The hacker sends out a UDP packet with the spoofed source address 10.12.13.4 (the target) carrying an NTP monlist request to abusable NTP servers.


2. Each abused NTP server sends its NTP monlist reply, up to 500 packets, to the target 10.12.13.4.
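Seen from the target's border, the two steps above look like NTP replies arriving from UDP port 123 for queries the target never sent. As an added example (not from the slides or from Akamai), the Python below scans constructed NetFlow-style records for that pattern; the record layout, the sample flows, the packet sizes and the function name `ntp_reflection_report` are all assumptions for this demo.

```python
from collections import defaultdict

NTP_PORT = 123

# Constructed NetFlow-style records as seen at the target network's border:
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
FLOWS = [
    # Normal client: one small query out, one small reply back.
    ("192.0.2.10", 40000, "198.51.100.5", NTP_PORT, "udp", 1, 76),
    ("198.51.100.5", NTP_PORT, "192.0.2.10", 40000, "udp", 1, 76),
    # Reflection toward the spoofed target 10.12.13.4 from the slide: the
    # target sent no queries, yet receives hundreds of 482-byte monlist reply
    # packets from several abused servers (sizes constructed for this demo).
    ("203.0.113.1", NTP_PORT, "10.12.13.4", 54321, "udp", 500, 241000),
    ("203.0.113.2", NTP_PORT, "10.12.13.4", 54321, "udp", 350, 168700),
    ("203.0.113.3", NTP_PORT, "10.12.13.4", 54321, "udp", 420, 202440),
]


def ntp_reflection_report(flows, min_reflectors=2, min_ratio=10.0):
    """Return {target: summary} for hosts receiving amplified NTP replies.

    Inbound = UDP flows from source port 123 to a host; outbound = UDP flows
    that host sent to port 123. Reflection = several reflectors and an
    inbound/outbound byte ratio far above 1 (inf when nothing was sent).
    """
    inbound = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    sent_bytes = defaultdict(int)
    for src, sport, dst, dport, proto, pkts, nbytes in flows:
        if proto != "udp":
            continue
        if sport == NTP_PORT:  # a reply (or unsolicited reflection) into dst
            rec = inbound[dst]
            rec["reflectors"].add(src)
            rec["packets"] += pkts
            rec["bytes"] += nbytes
        if dport == NTP_PORT:  # a query the host really sent
            sent_bytes[src] += nbytes
    report = {}
    for target, rec in inbound.items():
        sent = sent_bytes.get(target, 0)
        ratio = rec["bytes"] / sent if sent else float("inf")
        if len(rec["reflectors"]) >= min_reflectors and ratio >= min_ratio:
            report[target] = {"reflectors": len(rec["reflectors"]),
                              "reply_packets": rec["packets"],
                              "reply_bytes": rec["bytes"],
                              "amplification_vs_sent": ratio}
    return report
```

Calling `ntp_reflection_report(FLOWS)` flags only 10.12.13.4 (three reflectors, 1270 reply packets, nothing sent); a host that legitimately syncs with several servers keeps a ratio near 1 and is not reported.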


DDoS: What is a botnet? See the different layers.


Why DDoS Attacks Are Hard to Stop

DDoS = Resource Exhaustion

Attack technique and what it is for:
•  Legitimate requests: to seem like regular visitors
•  Low and slow: to bypass threshold-based mitigation
•  Encrypted traffic: to bypass IDS/IPS and overload load balancers
•  Random request parameters: to bypass load balancers & CDN caches
•  High rate of repetitive requests: to exhaust load balancer and application server resources


Grow revenue opportunities with fast, personalized web experiences and manage complexity from peak demand, mobile devices and data collection.

See the black sheep?

Question: What type of attacks do we visualize here?


Attack report Data


Attack spotlight Q3 2014 – GAMING

TLP = GREEN

[Chart: share of DDoS attacks by vector for Q4 2013, Q3 2014 and Q4 2014 (x-axis 0% to 25%). Vectors: ACK, CHARGEN, FIN Floods, FIN PUSH, DNS, ICMP, RESET, RIP, RAINBOW, RP, SNMP, SSDP, SYN, SYN PUSH, TCP Fragment, UDP Floods, UDP Fragment, IGMP Fragment, NTP, HTTP GET, HEAD, HTTP POST, PUSH, SSL GET, SSL POST.]


[Chart: Average attack bandwidth (Gigabits per second) for Q4 2013, Q3 2014 and Q4 2014; y-axis 0 to 16 Gbps; bar values shown: 4.21, 13.93 and 6.41.]


[Chart: Average attack volume (Million packets per second) for Q4 2013, Q3 2014 and Q4 2014; y-axis 0 to 16 Mpps; bar values shown: 10.09, 13.29 and 2.31.]


NTP servers on the Internet

See here the publicly reachable NTP servers, and here the NTP servers that are vulnerable to the monlist command: roughly 100K!!

https://ntpmonitorscan.shadowserver.org/stats/ http://openntpproject.org/ntp-stats1.cgi


Multi-vector attacks

[Chart: multi-vector attacks for Q4 2013, Q3 2014 and Q4 2014; y-axis 0 to 60; bar values shown: 46.24, 53.26 and 44.14.]


Attacks over 100 Gbps

[Chart: attacks over 100 Gbps by industry (Media, SaaS Enablement, Gambling/Gaming); y-axis 0 to 180.]


Know the Enemy – Motivation can come from anywhere?


DDoS: How bad is it today? A recent example


DDoS: Is there a threat?

The LizardStresser service launched at Christmas 2014 and ran until January, when it was hacked; 13,000 users signed up for it:
•  About 250 actually did anything with it
•  More than half of those users launched fewer than 20 short attacks (attacks could be purchased from 100 seconds up to several days)
•  Pricing from $6 up to $500
•  Only 30 users launched more than 100 attacks
•  16,000 attacks launched in total!

* Information from: http://arstechnica.com/security/2015/01/a-hacked-ddos-on-demand-site-offers-a-look-into-mind-of-booter-users/


DDoS: Tools/ What is happening now?

[Chart: Akamai changes in DDoS attacks per week, Q4 2014 vs. Q4 2013, for the weeks of 1 Oct through 31 Dec; y-axis 0% to 1200%; the per-week increases shown range from 39% to 1100%.]


Lizard Squad: is it over?


DDoS: Security is like Dental Floss?

•  Small discipline
•  Have commitment to make it work

It is not about the probability that you will be attacked, but about the impact if it happens!


Questionnaire “ How vulnerable are you?”

How vulnerable are you, and who could launch an attack on the media?


Akamai Edge Network

•  High performance: protect websites from DDoS and web attacks while improving performance
•  Massive scale: more than 157,000 servers deployed in over 1200 networks and 92 countries
•  Distributed resources: users and attackers connect to websites through the closest edge server
•  Built-in resiliency: built on the assumption that individual components will fail


Akamai Web Security Solutions Portfolio

•  Data Center Protection Services (plx – Prolexic)
•  Web Site Protection Services (KSD – Kona)


[Figure: portfolio chart with axes "Number of applications" and "Level of Protection (complexity)".]


Protecting Multiple Perimeters in the Cloud


7 Layers of Web Application Firewall Defense

1.  Scale: 150,000 servers inline and always on
2.  Reverse Proxy: automatically drops traffic not on port 80 or port 443
3.  Geo-based blocking: refuse requests from a customer-selected list of countries
4.  Validate against a known list of attackers: positive or negative security model (black or white lists)
5.  Rate Controls: block requests that are too fast or too slow (anomaly scoring)
6.  Kona Rule Set: WAF rules continuously refined based on visibility into web
7.  Caching: dynamic and static caching to serve requests


Global DDoS Mitigation Network


DDoS: Trends / problems in a cyber attack

•  Scale!
•  Stand-alone tools are a problem
•  Human intelligence needed


DDoS: Trends in DDoS: complexity is increasing!

[Chart repeated: share of DDoS attacks by vector for Q4 2013, Q3 2014 and Q4 2014 (x-axis 0% to 25%), same vectors as in the attack report data section.]

Questions?