DDoS fallacies v2 - fktg
TRANSCRIPT
©2016 AKAMAI | FASTER FORWARD™ Akamai Confidential
Introduction to DDoS attacks & Fallacies in Mitigation
Stefan Mardak, Enterprise Security Architect
Akamai Solutions
Grow revenue opportunities with fast, personalized web experiences and manage complexity from peak demand, mobile devices and data collection.
Running over the platform is our Intelligent software that enables high-performing and secure web experiences, to any device, anywhere.
• WEB PERFORMANCE (Web users)
• MEDIA DELIVERY (Web users)
• CLOUD SECURITY (Cloud and Data center infrastructure)
• CLOUD NETWORKING (Branch users)
Akamai Trusted Security Advisor
The Platform
• 220,000+ Servers
• 1300+ Networks
• 110+ Countries
• 30% of all web traffic
The Security Data
• 2 trillion web hits per day
• Tens of millions of unique IP addresses seen daily
• 600k security log lines/sec
• 2 PB of security data
Managed Security Services
• 5 SOCs
• 7 Scrubbing Centers
• 200 Security Engineers
• R&D Team
• CERT Team
• DNS: Availability, Performance, Security, Enterprise Threat Manager
• Web Application Firewall
• Client Reputation Feed
• DDoS Protection: DDoS defense on Layer 7 combined with Web acceleration; DDoS defense on all layers
• API protection
• Bot Management
DDoS Attack: How does it work?
During a Distributed Denial of Service (DDoS) attack, [compromised] hosts or bots coming from distributed sources overwhelm the target with [il]legitimate traffic so that the servers cannot respond to legitimate clients. → Critical services are no longer available!
DDoS Attack-Types & Targets
[Diagram: attack traffic and good traffic arrive via ISP 1, ISP 2 … ISP n over the backbone into the data center, where firewall/IPS and load balancer sit in front of the target applications & services]
Volumetric, state-exhaustion and application-layer attacks can bring down critical data center services
• SATURATION: Layer 3 / Volumetric / Flooding Attack
• Exhaustion of STATE: Layer 4 / State / Connection Attack
• Exhaustion of SERVICE: Layer 7 / Application-Layer / Slow & Low Attack
DDoS Attackers: Who are they?
Actors: For Hire
Current(ish) prices on the Russian underground market:
• Hacking corporate mailbox: $500
• Winlocker ransomware: $10-20
• Intelligent exploit bundle: $10-$3,000
• Hiring a DDoS attack: $30-$70/day, $1,200/month
• Botnet: $200 for 2,000 bots
• DDoS botnet: $700
Actors: Bored Kids
AND BORED TEENS
(image: https://www.flickr.com/photos/ardinhasaphotography/8484164608/sizes/l)
THE HACKTIVISTS
Actors: Nation States
THERE ARE STANDARD VILLAINS
AND THERE ARE ARCH VILLAINS
Commoditization of DDoS
(image: https://www.flickr.com/photos/trophygeek/7309935684/sizes/l)
What’s your fancy?
What’s a Booter?
WORKSHOP: BIGGEST FALLACIES IN DDOS DEFENSE
About erroneous beliefs and how to avoid pitfalls
Stefan Mardak, Enterprise Security Architect
Fallacy or logical fallacy
A fallacy is when the reasoning used in an argument or debate contains a factual, punctual or logical error.
A fallacious argument appears correct at first, but proves to be wrong on closer examination.
“WE WILL NOT BE ATTACKED”
More wrong assumptions in this context
What happens if someone unplugs your internet router? It’s the same effect!
“Our website is not big enough and not popular”
“Only big companies run the risk of being attacked”
“We have never been attacked - why should we invest?”
“We are not an interesting target, our risk is manageable”
“Our hoster/service provider is taking care of it, we do not have a risk anymore!”
Actual DDoS Campaigns
• DD4BC (DDoS for Bitcoin)
• Armada Collective
• Anonymous
• Complex goal-oriented attacks
• Krebsonline - Dyn
New Business Model: DDoS Coins
[Chart: each dot represents a DDoS attack, and each interval covers a 10-fold increase in attack size]
MOTIVATION ↔ EXPOSURE
Who is attacking? Who is attacked?
• Hacktivists
• Ex-employees
• Script kiddies
• Competitors
• Extortionists
• State sponsored
“There is a hater for everyone”
“CLASSIC SECURITY SOLUTIONS ARE OFFERING ENOUGH PROTECTION”
(cartoon: “SEE, STILL CLASSIC SECURITY” / “OH NO – 4TH GEN ATTACKS”)
The importance of SCALE
[Chart: DDoS attack size by year, 2005-2016, in Gbps and Mpps. Source: Akamai]
Mitigating DDoS attacks with high bandwidth
• Decentralized scrubbing centers
• Traffic engineering - multiple tier-1 providers
• More bandwidth > 3 Tbps
• Minimal latency inside the scrubbing center
Firewalls, IPS, WAF, load balancers, … are developed for protection of data integrity, access control and confidentiality.
Data inspection needs resources. Tailored attacks target these resources. Now the devices are part of the problem, not the solution.
[Pie chart: targeted devices in a multi-vector attack (numbers vary per attack)]
“PROTECTION ON ONE LEVEL IS SUFFICIENT” / “WE JUST ADD MORE BANDWIDTH”
(cartoon: “THEIR PROTECTION IS ONLY ONE LEVEL”)
Misapprehension on attack complexity
“To mitigate a DDoS attack I don’t need an expert.”
“DDoS attacks are simple and not sophisticated.”
“These pure packet floods are easy to spot and to block.”
The reality: DDoS attacks can target bandwidth, network elements or servers … or all of them at once = multi-vector attacks
CDN & Outsourcing – a good start, but…
Today's networks are complex and spread out: corporate assets and services are distributed across the Internet
Content Delivery Network
• Concentrate on few services, mostly only HTTP and HTTPS
• Concentrate on publicly available services
• Cache only static content and need connections to the origin (e.g. database access)
• Might hinder identification of the attacker and countermeasures
• Attack targets are often within the company DC (VPN gateways, e-mail, FTP)
• Attackers use changing or multiple attack vectors
⇒ Simple CDNs deliver basic protection for static content
⇒ No protection for applications, for the origin server, for shared resources in the DC
Multi-Vector DDoS Attacks
Attack Vector vs. attacked Resource
- UDP floods -> Bandwidth
- SYN, ACK, TCP anomaly -> IPS, Load Balancer, Server
- HTTP GET flood -> WAF, Server
- RIP -> Router, Firewall
- ICMP -> Router, Firewall
Multi-Vector DDoS Attacks Are the Norm
Multi-vector attacks accounted for 59% of DDoS activity in Q1 2016, up from 56% in Q4 2015
What to do? Multilevel Attack Protection
• Multiple attack vectors on infrastructure level and application level
• Growing complexity in attack vectors (all levels)
• Variable defense strategy needed
• Integration between all levels for reliable and comprehensive protection
• Communication between all levels is essential, as is keeping countermeasures up to date
[Diagram: App level protection, Infrastructure level protection, DNS level protection]
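As an added illustration of the vector-to-resource mapping and the multilevel protection it calls for (example code written for this transcript, not Akamai's): a small Python analyser that aggregates constructed flow summaries per attack vector, flags the vectors over threshold, and names the resource and protection level each one belongs to. The flow-line format, the thresholds and the level names are assumptions made for the example.

```python
import re
from collections import defaultdict
# Constructed 10-second flow summaries: "<proto> <tcp-flags|-> pkts=<n> [method=<M>]"
SAMPLE_FLOWS = """\
udp - pkts=1500000
tcp S pkts=400000
tcp S pkts=350000
icmp - pkts=800
tcp PA pkts=90000 method=GET
"""
WINDOW_SECONDS = 10
# Vector -> (stressed resource, protection level), following the deck's
# "Attack Vector vs. attacked Resource" and multilevel-protection slides.
VECTORS = {
    "udp_flood":      ("bandwidth",                  "upstream scrubbing (volumetric, not local)"),
    "syn_flood":      ("IPS, load balancer, server", "infrastructure level"),
    "icmp_flood":     ("router, firewall",           "infrastructure level"),
    "http_get_flood": ("WAF, server",                "application level"),
}
# Packets-per-second alarm thresholds: illustrative assumptions, not measured baselines.
THRESHOLDS_PPS = {"udp_flood": 50_000, "syn_flood": 20_000,
                  "icmp_flood": 1_000, "http_get_flood": 5_000}
LINE_RE = re.compile(r"^(\w+) (\S+) pkts=(\d+)(?: method=(\w+))?$")

def vector_of(proto, flags, method):
    """Map one flow record to the vector it contributes to (None if it fits no pattern)."""
    if proto in ("udp", "icmp"):
        return proto + "_flood"
    if proto == "tcp" and method == "GET":
        return "http_get_flood"
    if proto == "tcp" and flags == "S":
        return "syn_flood"
    return None

def analyse(flow_text):
    """Aggregate pps per vector and return {vector: (resource, level)} for every vector
    over threshold, so each active vector can be handed to the protection tier that fits."""
    pps = defaultdict(float)
    for line in flow_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed records rather than abort the analysis
        proto, flags, pkts, method = m.groups()
        if vec := vector_of(proto, flags, method):
            pps[vec] += int(pkts) / WINDOW_SECONDS
    return {v: VECTORS[v] for v, rate in pps.items() if rate > THRESHOLDS_PPS[v]}

def is_multi_vector(flow_text):
    """The deck's point: vectors hitting more than one level need more than one defense."""
    return len({level for _, level in analyse(flow_text).values()}) > 1
```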
“THE COST OF A DDOS ATTACK CAN NOT JUSTIFY THE COST FOR A SECURITY SOLUTION”
(cartoon: “I MUST SAY THE CASTLE OWNER DOESN’T LOOK TOO UPSET!” / “THAT IS BECAUSE HE STILL DOESN’T KNOW WHAT HE IS MISSING!”)
Hidden cost of a DDoS attack
Operational expenses and indirect costs
- Revenue loss
- SLA compensation
- Stock price fluctuation
- Marketing to compensate reputation damage
- Churn
- Call center costs
- Excessive emergency costs
- Fees for consultants and lawyers
- Increased insurance premium
DDoS attacks should be part of risk management, as the risk can be estimated from statistics.
Recommendation
IT components should be used according to their planned purpose. Firewalls, IDP/IPS, load balancers or application firewalls offer no DDoS protection.
Securing the availability of networks is a basic requirement and should not be underestimated.
Other connections like VPNs or partner accesses should be considered.
Multi-level protection should be introduced; it mitigates each attack where that is most effective.
Volumetric attacks can not be mitigated locally.
During a DDoS attack IT security staff should be free to take care of everything else, while the attack is mitigated automatically with prepared strategies.
Think about pushing out the mitigation perimeter.
“DDOS ATTACKS ARE NOT COMPLEX THREATS”
Attack complexity
Technically DDoS attacks might not be complex, but mitigating them is!
4th gen DDoS attacks: IohT / Internet of hacked things (1st gen: infected PCs, 2nd gen: servers, e.g. WordPress, 3rd gen: reflection & amplification)
DDoS used as smoke screen
• Flooding security systems to lower security
• Flooding log and SIEM systems to hide the hack
Threats that arise during a DDoS attack include
- Data theft
- Malware and spam delivery through compromised servers
- Including compromised servers into attack networks
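A defender-side illustration of the smoke-screen point above (added example, not from the original deck): a log-pipeline step that, when a flood pushes event volume past the SIEM's ingest capacity, sheds the flood noise by even sampling but never drops the security-relevant events the flood is meant to hide. The event lines, the critical-event prefixes and the capacity figures are constructed for the example.

```python
# Constructed event stream captured during a flood: most lines are firewall
# denies generated by the DDoS; a handful are the events the flood would hide.
SAMPLE_EVENTS = (
    ["fw deny src=198.51.100.7 dst=203.0.113.10:443"] * 30
    + ["auth failure user=admin src=192.0.2.44",
       "fw deny src=198.51.100.8 dst=203.0.113.10:443",
       "account created user=svc-backup by=admin",
       "outbound transfer 2.1GB dst=192.0.2.99"]
    + ["fw deny src=198.51.100.9 dst=203.0.113.10:443"] * 20
)

# Event classes the SIEM must never lose, even while the flood saturates ingest
# (assumed prefixes for this example; a real pipeline would key on parsed fields).
CRITICAL_PREFIXES = ("auth failure", "account created", "outbound transfer", "privilege")

def is_critical(event):
    return event.startswith(CRITICAL_PREFIXES)

def shed_load(events, capacity):
    """Decide what to forward when only `capacity` events fit into this window.
    Critical events are always forwarded (even if that alone exceeds capacity);
    flood noise is sampled evenly across the window to fill the remaining room.
    Returns (forwarded_events, dropped_noise_count) so the gap itself gets logged."""
    critical = [e for e in events if is_critical(e)]
    noise = [e for e in events if not is_critical(e)]
    room = max(capacity - len(critical), 0)
    if room >= len(noise):
        kept_noise = noise                      # no pressure: forward everything
    elif room == 0:
        kept_noise = []
    else:
        step = len(noise) / room                # even sampling keeps the flood's shape
        kept_noise = [noise[int(i * step)] for i in range(room)]
    return critical + kept_noise, len(noise) - len(kept_noise)
```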
Fallacies have their impact...
…on decisions in the company across several departments
• Risk assessment
• Investments
• Planning
• IT security
• All internet communication
These areas have their own models
• Calculation
• Best Common Practice
• CIS Critical Security Controls for Effective Cyber Defense (www.sans.org)