ddos threat to clouds

Upload: funboy-haha

Post on 05-Apr-2018


TRANSCRIPT

  • 7/31/2019 DDoS Threat to Clouds

    1/30

The DDoS Threat to Internet Data Centers (IDCs)

Darren Anstee, EMEA Solutions Architect

[email protected]

March 2011

  • 2/30

    Page 2 - Company Confidential

    Introduction

300+ employees in 20+ countries

300+ customers: 90%+ of Tier 1 providers, 60%+ of Tier 2 providers, 11 of 13 NA MSOs

Privileged relationships with the majority of the world's ISPs

ATLAS/ASERT thought leadership

Darren Anstee, EMEA Technical Specialist: 15+ years of experience in networking and security

8 years at Arbor Networks

  • 3/30

Agenda

1. The Evolution of the DDoS Threat
2. Internet Data Center (IDC) DDoS Examples and Details
3. Best Current Practices for Preventing DDoS Attacks


  • 5/30

2010 Infrastructure Security Survey

6th Annual Survey

Survey conducted in September-October 2010

111 total respondents contributed:

Service providers

Content/ASPs

Enterprises

Broadband

Mobile

DNS

Educational


  • 7/30

Looking at the IDC

DDoS directly impacts business

84% see increased Opex due to DDoS

43% see customer churn

86% of respondents had firewalls and/or IDS deployed

49% have experienced a failure of their firewalls or IPS due to a DDoS attack

  • 8/30

Loss of Availability Goes Beyond Financials

Source: Ponemon Institute 2010 State of Web Application Security

Botnets & DDoS attacks cost an average enterprise $6.3M* for a 24-hour outage

* Source: McAfee, Into the Crossfire, January 2010

Botnets & DDoS also hurt a company's brand, lower customers' confidence, and waste employees' time, especially when they are front-page news

  • 9/30

The Evolving Threat Against Data Centers

Both volumetric and application-layer DDoS attacks can bring down critical data center services

[Figure: data center path through IPS and load balancer, annotated with "Application-Layer DDoS Impact" and "Volumetric DDoS Impact"]

  • 10/30

The Failure of Existing Security Devices

Other CPE-based security devices focus on integrity and confidentiality and not on availability

[Figure: IPS and load balancer in the data center path]

Information Security Triangle

  Product Family                Triangle    Benefit
  Firewalls                     Integrity   Enforce network policy to prevent unauthorized access to data
  Intrusion Prevention System   Integrity   Block break-in attempts causing data theft

Firewalls and IPS devices do not solve the DDoS problem because they (1) are optimized for other security problems, (2) can't detect or stop distributed attacks, and (3) cannot integrate with in-cloud security solutions. Because they are stateful and inline, they are part of the DDoS problem and not the solution.


  • 12/30

The IDC Infrastructure and DDoS

[Figure: Anatomy of DDoS. Subscriber networks -> Internet Service Provider (ISP-based IDMS) -> Data Center Network (IDC-based IDMS) -> Firewall / IPS / WAF -> public-facing servers]

1. Service operating normally
2. Attack begins with volumetric, state exhaustion and application layer components
3. Bandwidth saturation and/or state exhaustion and/or application layer impact
4. Application layer component mitigated in the IDC
5. Volumetric component mitigated in the ISP
6. Normal service operation

  • 13/30

Common Attack Vectors, Part 1

Volumetric Traffic Floods

Large botnets or spoofed IPs generate high bps / pps traffic volume

UDP-based floods from spoofed IPs take advantage of the connectionless UDP protocol

Take out the infrastructure capacity: routers, switches, servers, links

319% growth in the number of ATLAS-monitored attacks > 10 Gbps from 2009 -> 2010

[Chart: ATLAS 2010 Attack Size Break-Out, bps; size classes > 1, 2, 5, 10 and 20 Gbps]

Reflection Attacks

Use a legitimate resource to amplify an attack to a destination

Send a request to an IP that will yield a big response and spoof the source IP address to that of the actual victim

The victim will see a lot of traffic from the legitimate source

DNS Reflective Amplification increasingly common

[Figure: the attacker sends a DNS request with spoofed source V to a DNS server; the server responds to the spoofed source, so the DNS response, many times larger than the request, lands on victim V; repeated many times]
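The reflection diagram above is easiest to appreciate at the byte level. The following is an added example, not from the slides or from Arbor, that builds a real RFC 1035 ANY query carrying an EDNS0 OPT record and pairs it with a constructed, synthetic resolver reply, then reports the bandwidth amplification factor. The name example.com, the TXT contents and the 4096-byte EDNS buffer are assumptions; nothing is sent on the network.

```python
"""DNS reflection/amplification at the wire level: a 40-byte query (ANY + EDNS0) and the
much larger reply a resolver will send to whatever source address the query claimed."""
import struct

# Constructed example; no packets are sent. The resolver reply below is synthetic and only
# illustrates record sizes; real answers depend on the zone and the resolver's EDNS limits.

def encode_name(name):
    """RFC 1035 label encoding: one length byte per label, then a terminating zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"

def build_dns_query(name, qtype=255, edns_bufsize=4096, txid=0x1234):
    """Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT pseudo-RR).
    QTYPE 255 is ANY; the EDNS0 OPT record advertises a 4096-byte UDP payload so the
    resolver is not capped at the classic 512-byte reply (RFC 6891)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)       # QCLASS IN
    # OPT: root name (0x00), TYPE 41, CLASS = UDP payload size, TTL = ext-RCODE/version/flags, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt

def build_txt_response(query, txt_values):
    """Synthetic reply: echoes the question section, then one TXT RR per value, each naming
    the owner with a compression pointer (0xC00C) back to offset 12. Every answer carries
    10 bytes of RR header on top of its data, so the ratio grows with record count."""
    (txid,) = struct.unpack("!H", query[:2])
    question = query[12:len(query) - 11]                              # between header and OPT
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_values), 0, 1)  # QR=1 RD=1 RA=1
    answers = b""
    for value in txt_values:
        data = value.encode("ascii")
        rdata = bytes([len(data)]) + data                             # one <len><chars> string, max 255
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 3600, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return header + question + answers + opt

def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": flags >> 15, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def amplification_factor(query, response):
    """Bytes the reflector emits per byte the attacker had to send (bandwidth amplification)."""
    return len(response) / len(query)

if __name__ == "__main__":
    q = build_dns_query("example.com")
    r = build_txt_response(q, ["v=spf1 ip4:192.0.2.0/24 -all"] + ["x" * 255] * 10)
    print(f"{len(q)}-byte query -> {len(r)}-byte reply, {amplification_factor(q, r):.1f}x, "
          f"{parse_header(r)['ancount']} answers")
```

The attacker pays 40 bytes per query; the reflector pays the full reply, addressed to the spoofed source. Two things on the victim's side follow directly from the packet layout: every reflected packet has UDP source port 53 and a reply bit (QR=1) set, and it arrives from a resolver the victim never queried, which is exactly what flow-based misuse detection keys on.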

  • 14/30

Common Attack Vectors, Part 2

TCP resource exhaustion

Take advantage of the stateful nature of the TCP protocol

SYN, FIN, RST floods; TCP connection attacks

Exhaust resources in servers, load balancers, firewalls or routers

[Figure: client sends SYN(C); server replies SYN(S), ACK(C) and stores connection state while listening; repeated many times until the system runs out of TCP listener sockets or out of memory for stored state]

Application layer attacks

Exploit limitations, scale and functionality of specific applications

Can be low level and still be effective

HTTP GET queries that return large files

DNS requests that prompt many zone transfers

Malformed HTTP, SIP, DNS requests

  • 15/30

TCP Exhaustion Attacks

TCP Connection Attack

[Figure: client sends SYN(C); server replies SYN(S), ACK(C), stores connection state and waits; client sends ACK(S) and the connection is established, but little or no application data is sent over the established session; repeated until the system runs out of available connections]

TCP Connection FIN Attack

[Figure: client sends SYN(C); server replies SYN(S), ACK(C), stores connection state and waits; client sends ACK(S) followed by an immediate FIN(C); server replies FIN(S), ACK(C) and waits; no traffic is sent over the session; repeated until the system runs out of state resources]
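To make the state-exhaustion point concrete, here is an added example, not part of the original deck, that models a stateful SYN backlog next to a stateless SYN-cookie listener under the same spoofed SYN flood. The cookie layout (5 counter bits, 2 MSS-index bits, 25 MAC bits), the HMAC key, the backlog size, the flood rate and the addresses are all constructed assumptions; this is a model of the bookkeeping, not a TCP stack.

```python
"""Why stateful devices lose to SYN floods, and how SYN cookies sidestep the problem.
Constructed model: no sockets are opened; the arithmetic of the half-open table is the point."""
import hashlib
import hmac

# Constructed simplification of Linux-style SYN cookies: 5 bits of a 64-second counter,
# 2 bits indexing the MSS the client offered, 25 bits of keyed hash over the 4-tuple.
MSS_TABLE = (536, 1300, 1440, 1460)

class StatefulListener:
    """Classic SYN backlog: every SYN allocates a half-open entry that lives until the
    handshake completes or the entry times out. Spoofed SYNs never complete."""
    def __init__(self, backlog, timeout):
        self.backlog, self.timeout, self.half_open = backlog, timeout, {}

    def on_syn(self, src, sport, now):
        self.half_open = {k: t for k, t in self.half_open.items() if now - t < self.timeout}
        if len(self.half_open) >= self.backlog:
            return False            # backlog full: SYN silently dropped, no SYN-ACK for anyone
        self.half_open[(src, sport)] = now
        return True

    def on_ack(self, src, sport):
        return self.half_open.pop((src, sport), None) is not None

class SynCookieListener:
    """Stateless: the SYN-ACK's ISN is a MAC over the 4-tuple and a coarse clock, so the
    returning ACK (ISN+1) proves the client really received the SYN-ACK at its source address."""
    def __init__(self, secret):
        self.secret = secret

    def _mac(self, src, sport, dst, dport, count):
        msg = f"{src}:{sport}>{dst}:{dport}|{count}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big") & 0x1FFFFFF

    def syn_ack_isn(self, src, sport, dst, dport, mss, now):
        count = int(now) >> 6
        mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0])
        return ((count & 0x1F) << 27) | (mss_idx << 25) | self._mac(src, sport, dst, dport, count)

    def validate_ack(self, src, sport, dst, dport, ack_num, now):
        """Returns the negotiated MSS if the cookie is genuine and recent, else None."""
        isn = (ack_num - 1) & 0xFFFFFFFF
        count_bits, mss_idx, mac_bits = isn >> 27, (isn >> 25) & 0x3, isn & 0x1FFFFFF
        now_count = int(now) >> 6
        for c in (now_count, now_count - 1):          # tolerate one counter roll-over (~64 s)
            if c >= 0 and (c & 0x1F) == count_bits and self._mac(src, sport, dst, dport, c) == mac_bits:
                return MSS_TABLE[mss_idx]
        return None

def syn_flood_simulation(backlog=256, timeout=30.0, flood_pps=100, seconds=10):
    """Spoofed SYNs at flood_pps per second that never ACK, plus one honest client per second.
    Returns (honest handshakes completed with a stateful backlog, same with SYN cookies)."""
    stateful = StatefulListener(backlog, timeout)
    cookies = SynCookieListener(b"constructed-secret-rotate-me")
    ok_stateful = ok_cookies = 0
    for sec in range(seconds):
        for i in range(flood_pps):                                   # spoofed sources, unique ports
            stateful.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + sec * flood_pps + i, float(sec))
        now, sport = sec + 0.5, 40000 + sec
        if stateful.on_syn("203.0.113.7", sport, now) and stateful.on_ack("203.0.113.7", sport):
            ok_stateful += 1
        isn = cookies.syn_ack_isn("203.0.113.7", sport, "192.0.2.10", 80, 1460, now)
        if cookies.validate_ack("203.0.113.7", sport, "192.0.2.10", 80, isn + 1, now + 0.05):
            ok_cookies += 1
    return ok_stateful, ok_cookies

if __name__ == "__main__":
    print("honest handshakes completed (stateful, cookies):", syn_flood_simulation())
```

With a 256-entry backlog and 100 spoofed SYN/s that never ACK, the honest client gets through only in the first two seconds; after that every slot is held by a half-open entry waiting out its timeout, which is the failure mode of a stateful firewall or load balancer in front of the servers. The cookie listener keeps no table and admits all ten. The trade-off real stacks make is that SYN cookies cannot remember TCP options such as window scaling and SACK unless they can be recovered from timestamps, which is why stacks normally enable them only when the backlog is already under pressure.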


  • 17/30

Mitigating the effects of DDoS in the IDC

Shared, state-rich infrastructure exacerbates the DDoS issue

69% of 2010 Arbor ISR IDC respondents saw DDoS attacks last year

46% see more than 10 DDoS attacks per month

Collateral damage

IDCs can, and do, protect themselves

A combination of tools is used

Need to be very careful how tools such as firewalls and IDS are used

Security, and availability assurance, must be a part of the underlying design


  • 19/30

Pervasive Security in an Age of Distrust

Security is the heart of internetworking's future; we have moved from an Internet of implicit trust to an Internet of pervasive distrust

Network/application design = security, security = network/application design

We can no longer differentiate networking & applications from security; they must be intertwined

What is security? QoS? Routing? DNS? Web 2.0?

No packet can be trusted; all packets must earn that trust through a network device's ability to inspect and enforce policy

  • 20/30

Six Phases of Infrastructure Security

PREPARATION: Prep the network. Create tools. Test tools. Prep procedures. Train the team. Practice.

IDENTIFICATION: How do you know about the attack? What tools can you use? What's your process for communication?

CLASSIFICATION: What kind of attack is it?

TRACEBACK: Where is the attack coming from? Where and how is it affecting the network?

REACTION: What options do you have to remedy? Which option is the best under the circumstances?

POST MORTEM: What was done? Can anything be done to prevent it? How can it be less painful in the future?

  • 21/30

Industry Best Current Practices (BCPs)

BCPs have been developed and evolved over time by security architects and security vendors

Goals of BCPs are to prepare the network for the possibility of threats

IDCs must take proactive steps to implement BCPs to harden the network against threats

2 types of BCPs:

Network infrastructure based

Host based

  • 22/30

Network Infrastructure BCPs

Security capabilities built into routing/switching infrastructure: use it or lose it

iACLs: protect the control plane, reduce attack potential

uRPF: reduce the impact of spoofing

BGP policy: protect the routing control plane

Black hole routing framework: source- and destination-based black hole routing, a very effective defense using fast-path resources

Dedicated OOB management network

Protect load balancers / firewalls / IDS from state exhaustion = design / iACLs / IDMS

Flow export = pervasive visibility = context

IDMS = protection against DDoS and traffic visibility
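The uRPF and black-hole bullets are the fast-path defences, and it helps to see exactly which packets they remove before any stateful device is reached. The following is an added example, not from the slides or from Arbor, that models strict and loose uRPF together with source- and destination-based remotely triggered black-holing (S/RTBH, D/RTBH) over a small constructed FIB; the prefixes, interface names and the discard entries are assumptions.

```python
"""uRPF and remotely triggered black-holing (RTBH) modelled over a constructed FIB.
Shows which packets an edge router drops in the fast path before any stateful device sees them."""
import ipaddress

# Constructed FIB for an IDC edge router: prefix -> next-hop interface. "Null0" is a discard
# route. Used as a destination it is D/RTBH (the victim prefix is sacrificed so the link
# and everyone else survive); consulted through uRPF it is S/RTBH (traffic *from* the prefix
# is dropped at line rate).
FIB = {
    "0.0.0.0/0":         "upstream0",
    "192.0.2.0/24":      "cust-a",
    "198.51.100.0/24":   "cust-b",
    "203.0.113.0/24":    "upstream0",
    "198.51.100.200/32": "Null0",   # D/RTBH: victim host currently under a volumetric flood
    "192.0.2.66/32":     "Null0",   # S/RTBH: known attack source inside a customer block
    "10.0.0.0/8":        "Null0",   # bogon: RFC 1918 space must never arrive from the Internet
}

def lpm(fib, addr):
    """Longest-prefix match. Returns (network, interface) or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_passes(fib, src, ingress, mode="strict", allow_default=False):
    """Strict: the best route back to the source must leave via the ingress interface
    (use on single-homed customer ports). Loose: any non-discard route will do (use on
    multihomed or asymmetric edges). A discard route fails in both modes, which is how
    S/RTBH works. The default route is ignored unless allow_default is set, because
    otherwise it vouches for every spoofed address on the planet."""
    hit = lpm(fib, src)
    if hit is None:
        return False
    net, iface = hit
    if iface == "Null0":
        return False
    if net.prefixlen == 0 and not allow_default:
        return False
    return iface == ingress if mode == "strict" else True

def forward(fib, src, dst, ingress, mode="strict", allow_default=False):
    """Forwarding decision for one packet: ('drop', reason) or ('forward', egress interface)."""
    if not urpf_passes(fib, src, ingress, mode, allow_default):
        return ("drop", "urpf-fail")
    hit = lpm(fib, dst)
    if hit is None or hit[1] == "Null0":
        return ("drop", "rtbh")
    return ("forward", hit[1])

if __name__ == "__main__":
    cases = [
        ("192.0.2.10",  "203.0.113.5",    "cust-a",    "strict", False),  # honest customer packet
        ("203.0.113.5", "192.0.2.10",     "cust-a",    "strict", False),  # customer spoofing an upstream source
        ("10.1.2.3",    "192.0.2.10",     "upstream0", "loose",  True),   # bogon from the Internet
        ("203.0.113.5", "198.51.100.200", "upstream0", "loose",  True),   # flood aimed at the black-holed victim
        ("192.0.2.66",  "198.51.100.7",   "cust-a",    "strict", False),  # S/RTBH'd source
    ]
    for src, dst, ingress, mode, allow in cases:
        print(f"{src:>13} -> {dst:<15} in {ingress:<9} {mode:<6} {forward(FIB, src, dst, ingress, mode, allow)}")
```

The model matches how the feature behaves on a router: strict mode belongs on single-homed customer ports, loose mode (with the default route allowed) on upstream-facing ports, and a discard route injected from a trigger router turns loose uRPF into a line-rate source filter. Note the cost of D/RTBH in the cases above: the victim /32 is unreachable from everywhere, which is exactly the "collateral damage" the earlier slide warns about and why it is the last resort once links saturate.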

  • 23/30

Visibility through Flow Telemetry

Flow technology provides visibility into normal network traffic

Flow is generated by existing network infrastructure

Flow can be generated for IPv4, IPv6 and MPLS traffic

Flow can be used as a means to detect threats as they occur

Flow can provide contextual traffic information; this is KEY to understanding impact

  • 24/30

Intelligent DDoS Mitigation Systems (IDMS)

General infrastructure and host BCPs provide general coverage for many of the threats that may impact a network

Most DDoS attacks are designed to thwart general defenses:

Use large, distributed botnets

Employ lower level, application-specific attacks

Combine the above for obfuscation

IDMS are specifically designed to detect and mitigate these types of attacks using more advanced techniques

Firewalls are policy enforcement points not built for DDoS; stateful firewalls can be manipulated by DDoS

IPS equipment is built for pattern matching to detect vulnerabilities; DDoS often mimics legitimate traffic

IDMS equipment uses a combination of Deep Packet Inspection (DPI), proxy inspection and heuristic-based techniques to separate malicious traffic from good traffic

  • 25/30

    IDMS Anomaly Detection

    Can you see the anomaly in this picture?

  • 26/30

IDMS Flow Based Detection Techniques

Baseline Detection: detecting shifts in traffic above what is normally seen. Catches non-standard application/protocol floods, multi-victim attacks, application attacks, changes in GeoIP traffic mix.

Misuse Detection: detecting host traffic that exceeds normally accepted Internet behavior. Catches common attack vectors like SYN floods, ICMP floods, DNS floods.

Fingerprint Detection: detecting known anomalous traffic behaviors indicative of a known threat. Malware detection, specific packet size attacks.
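The list above names baseline and misuse detection without showing what either computes. The following is an added example, not Arbor's code, that runs both over constructed NetFlow-style records: ten quiet minutes of traffic, then a minute containing a spoofed-source SYN flood and a DNS reflection attack. The field layout, thresholds, addresses and traffic volumes are assumptions made for the example.

```python
"""Flow-based DDoS detection over constructed NetFlow-style records: misuse signatures
(SYN flood, DNS reflection) and a per-destination baseline check."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records shaped like NetFlow v5 export fields:
# (start_ts, src, dst, proto, sport, dport, packets, bytes, tcp_flags)
TS, SRC, DST, PROTO, SPORT, DPORT, PKTS, BYTES, FLAGS = range(9)
SYN = 0x02

def synthetic_flows():
    flows = []
    for minute in range(10):                                  # ten quiet minutes of baseline
        for i in range(20):                                   # completed web sessions to 192.0.2.10
            flows.append((minute * 60 + i, f"203.0.113.{i + 1}", "192.0.2.10", 6, 40000 + i, 80, 12, 9000, 0x1B))
        for i in range(5):                                    # ordinary DNS replies to resolver 192.0.2.20
            flows.append((minute * 60 + i, f"203.0.113.{100 + i}", "192.0.2.20", 17, 53, 50000 + i, 1, 120, 0))
    for i in range(3000):                                     # minute 10: SYN flood, spoofed sources, SYN-only
        flows.append((600 + i % 60, f"198.51.100.{i % 250 + 1}", "192.0.2.10", 6, 1024 + i, 80, 1, 40, SYN))
    for i in range(400):                                      # minute 10: DNS reflection from many open resolvers
        flows.append((600 + i % 60, f"198.18.{i // 250}.{i % 250 + 1}", "192.0.2.20", 17, 53, 40000 + i, 10, 30000, 0))
    return flows

def misuse_detect(flows, syn_flows_threshold=500, reflect_min_sources=100, reflect_min_bpp=1000):
    """Signatures that look wrong on their face; no baseline needed."""
    alerts, by_dst = [], defaultdict(list)
    for f in flows:
        by_dst[f[DST]].append(f)
    for dst, fl in by_dst.items():
        # SYN flood: many one-packet flows that carry only the SYN flag and never progress
        syn_only = [f for f in fl if f[PROTO] == 6 and f[FLAGS] == SYN and f[PKTS] <= 2]
        if len(syn_only) >= syn_flows_threshold:
            alerts.append(("syn-flood", dst, len(syn_only)))
        # DNS reflection: large UDP packets from source port 53, arriving from many distinct resolvers
        reflected = {f[SRC] for f in fl
                     if f[PROTO] == 17 and f[SPORT] == 53 and f[PKTS] and f[BYTES] / f[PKTS] >= reflect_min_bpp}
        if len(reflected) >= reflect_min_sources:
            alerts.append(("dns-reflection", dst, len(reflected)))
    return alerts

def per_minute(flows, field):
    bins = defaultdict(lambda: defaultdict(int))            # dst -> minute -> sum(field)
    for f in flows:
        bins[f[DST]][f[TS] // 60] += f[field]
    return bins

def baseline_detect(flows, train=range(0, 10), test=10, k=3.0):
    """Per-destination packets and bytes per minute against mean + k*stdev of the training
    window, with a floor of 2x the mean so a flat baseline does not alert on a small wobble."""
    alerts = []
    for name, field in (("pps", PKTS), ("bps", BYTES)):
        for dst, bins in per_minute(flows, field).items():
            history = [bins.get(m, 0) for m in train]
            mu, sigma = mean(history), pstdev(history)
            threshold = mu + max(k * sigma, mu)
            observed = bins.get(test, 0)
            if observed > threshold:
                alerts.append((f"baseline-{name}", dst, observed, int(threshold)))
    return alerts

if __name__ == "__main__":
    flows = synthetic_flows()
    for alert in misuse_detect(flows) + baseline_detect(flows):
        print(alert)
```

Notice that the SYN flood trips the packets-per-minute baseline and the SYN-only signature but not the bytes baseline: 3,000 40-byte SYNs are only 120 KB, well under the web traffic's normal byte rate, which is the case for keeping a misuse check alongside a pure volume baseline. The reflection attack, by contrast, is invisible to a per-source view (each resolver sends a modest amount) and only stands out when flows are grouped by destination.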

  • 27/30

IDMS Mitigation Counter-Measures

[Figure: matrix mapping counter-measures to attack classes]

Counter-measures: Static & Dynamic Packet Filters; Rate-limiting; Anti-Spoofing Mechanisms; Baseline Enforcement; Application-Level Countermeasures

Attack classes: TCP Stack Flood Attacks; Generic Flood Attacks; Fragmentation Attacks; Application Attacks; Vulnerability Exploits

  • 28/30

    IDMS Stopping Attacks in the Right Place

  • 29/30

Summary

Threat severity and complexity continue to increase

Attack size increases dramatically, impacting underlying network infrastructure

Application layer attacks continue, with some new applications being targeted more frequently

Firewall and IPS equipment represents critical points of failure during DDoS attacks; these products are commonly the targets of DDoS attacks

Solutions must be put in place to deal with multiple DDoS attack vectors

Security Best Current Practices (BCPs) exist to help operators address the growing DDoS threat

IDMS is a key part of a DDoS detection and mitigation solution
