(ISC)2 Security Congress EMEA 2015 1
Survivability of Peaking Interest and
Denial-of-Service Attacks
Volker Tanger, Managing IT Security Consultant
Set-List
1 White Flag
  Fame
  Messin' With The Kid
  Flash - Ahaaaarghl…
  Dumb Ways To Die
2 Beat It
  Shadow on the Wall
  Drums of Doom
  Another One Bites the Dust
  Call to Arms
  Friends Will Be Friends
  Run For Cover
  Benny Hill
SURVIVABILITY OF PEAKING INTEREST AND (D)DOS-ATTACKS
Fame … I want to live forever?!
Ritter Sport Chocolate
Rügenwalder Mühle (sausages)
Mett Schokolade
= minced raw meat & onion chocolate
Public product announcement 2014
immediately went viral
http://www.ritter-sport.de survived
http://shop.ritter-sport.de died
WHITE FLAG
Fame … I want to live forever?!
Ritter Sport Chocolate
Rügenwalder Mühle (sausages)
Mett Schokolade
= minced raw meat chocolate
Public product announcement 2014
immediately went viral
http://www.ritter-sport.de survived
http://shop.ritter-sport.de died
The Ritter Sport online shop was offline for most of 1 April 2014
Fame … I want to live forever?!
Saturn (electronics & media markets)
rushed into the MP3 sales frenzy
for the Christmas season 2009
Massive marketing campaign
Platform not ready:
launched already overloaded, repeatedly going on and off line
Crashes with database corruption
(songs missing, or foreign ones showing up)
Project halted after a few days, restarted months later, finally scrapped.
Fame … I want to live forever?!
Heat Wave
Twitter, Facebook, …
Slashdot, Heise, Spiegel, Fefe, …
Quite often: your own marketing department
Characteristics
Start: office hours / advertisements
Ramp-up: within 1-3 hours
Shape: fast peak, slower decay
Duration: hours
Messin' With The Kid
Daily operations
Mail / spam waves
Seasonal variations
Problematic if already running low on capacity
(esp. if operations are treated as a cost factor, or buried in bureaucracy)
Characteristics
Start: coming & going (seasonal)
Ramp-up: some hours / days
Shape: indistinct wave envelopes
Duration: days / weeks
Flash - Ahaaaarghl…
Targeted attack
Uplink saturation (max. 600s Gbit/s)
Increasingly L5 attacks (slowloris, LOIC)
Cheap weapon: $200 for 1 day
of 100,000 zombies (= 10-100 Gbit/s)
Characteristics
Start: suddenly
Ramp-up: seconds
Shape: nothing (device crashed) / rectangular block (link saturation)
Duration: first wave a few hours, often followed by an "offer you can't deny";
repeat waves longer, up to weeks
Dumb Ways To Die
Admin interfaces reachable from the internet
Trivial passwords (admin, test, 123456, …)
Unpatched / unmonitored systems
Single points of failure: uplink / server / data center
(also DoS attacks: Mastercard, eBay DNS, .mil DNS)
Characteristics
Start: accidental
Ramp-up: instantaneous
Shape: empty
Duration: depends on recovery procedures
Beat It
BEAT IT
Shadow on the Wall
Projects missing realistic load predictions & load tests
Rumors regarding "quantum leap" projects
Explicitly so-named high-risk / legacy systems
Ceiling too close for comfort ("Unused capacity is a waste!")
Flag-day switch for maximum marketing impact instead of a more
controllable gradual roll-out (invite-only alpha, restricted beta, …)
Simply ask the administrators?
Before throwing the switch?
Drums of Doom
Monitoring: thresholds, trends
Automatic, real-time log-file evaluation / SIEM
Alerts! Alerts!! Alerts!!!
Advanced: automatic additional instances / rerouting / rolling blackout
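The slides above only name the ingredients (thresholds, trends, automatic log-file evaluation). The following is an added example, not code from the talk or from HiSolutions, that shows one way to wire them together: it buckets access-log lines per minute, flags threshold crossings as alert points, and classifies a load curve by the ramp-up, shape and duration characteristics that the Heat Wave, Messin' With The Kid and Flash slides list. The sample log lines and the three load curves are constructed, and the baseline multipliers (2x for onset, 3x for "something is happening", 5 and 180 minutes as ramp-up limits) are assumptions to be tuned per site.

```python
"""Added example (not from the talk): automatic access-log evaluation that
buckets requests per minute and classifies a load curve by ramp-up, shape
and duration, the characteristics the talk uses for heat waves, seasonal
waves and flash (DoS) events.  All thresholds are assumptions."""
import re

# Common Log Format timestamp, e.g. [01/Apr/2014:09:00:05 +0200]
_TS = re.compile(r"\[(\d{2})/(\w{3})/(\d{4}):(\d{2}):(\d{2}):\d{2} [+-]\d{4}\]")
_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.1 - - [01/Apr/2014:09:00:05 +0200] "GET / HTTP/1.1" 200 512
10.0.0.2 - - [01/Apr/2014:09:00:41 +0200] "GET /shop HTTP/1.1" 200 2048
10.0.0.3 - - [01/Apr/2014:09:01:02 +0200] "GET /shop HTTP/1.1" 503 0
this line is not an access-log record and is skipped
"""


def requests_per_minute(lines):
    """Count requests per minute; keys are 'YYYY-MM-DD HH:MM' strings."""
    counts = {}
    for line in lines:
        m = _TS.search(line)
        if not m:                      # garbage line: ignore, never crash the monitor
            continue
        day, mon, year, hour, minute = m.groups()
        key = f"{year}-{_MONTHS[mon]:02d}-{day} {hour}:{minute}"
        counts[key] = counts.get(key, 0) + 1
    return counts


def threshold_crossings(series, threshold):
    """Minutes at which the series rises above the threshold: the alert points."""
    return [i for i in range(1, len(series))
            if series[i] > threshold >= series[i - 1]]


def classify(series, baseline, ramp_flash=5, ramp_heat=180):
    """Classify a per-minute request series against the normal baseline.

    ramp_flash / ramp_heat: largest ramp-up (minutes) still called 'flash'
    (seconds to minutes: attack or crash) / 'heat wave' (1-3 hours)."""
    peak = max(series)
    if peak < 3 * baseline:
        return {"class": "normal", "peak": peak}
    peak_i = series.index(peak)
    onset = next(i for i, v in enumerate(series) if v > 2 * baseline)
    ramp = peak_i - onset
    # first minute after the peak at which load is back near baseline
    back = next((i for i in range(peak_i, len(series))
                 if series[i] <= 2 * baseline), len(series))
    decay = back - peak_i
    tail = series[onset:]
    plateau = sum(1 for v in tail if v >= 0.8 * peak) / len(tail)
    if plateau > 0.5:
        shape = "rectangular block"          # link saturation
    elif decay > 2 * ramp:
        shape = "fast peak, slower decay"    # social-media heat wave
    else:
        shape = "wave envelope"              # seasonal / mail waves
    if ramp <= ramp_flash:
        kind = "flash"
    elif ramp <= ramp_heat:
        kind = "heat wave"
    else:
        kind = "seasonal wave"
    return {"class": kind, "shape": shape, "ramp_min": ramp,
            "duration_min": back - onset, "peak": peak}


def sample_series():
    """Constructed load curves in requests/minute, baseline 100."""
    flash = [100] * 10 + [5000] * 60 + [100] * 10
    heat = ([100] * 30 + [100 + 25 * i for i in range(1, 121)]
            + [int(3100 * 0.99 ** i) for i in range(1, 400)])
    seasonal = ([100 + 400 * i // 1440 for i in range(1441)]
                + [500 - 400 * i // 1440 for i in range(1, 1441)])
    return {"flash": flash, "heat wave": heat, "seasonal wave": seasonal}


if __name__ == "__main__":
    print(requests_per_minute(SAMPLE_LOG.splitlines()))
    for name, series in sample_series().items():
        print(name, classify(series, baseline=100),
              "alerts at minutes", threshold_crossings(series, 1000))
```

The classifier is deliberately coarse: what matters operationally is that a ramp-up measured in seconds with a flat top is treated as a Flash event (wake people up, talk to the provider), while a ramp over an hour with a long tail is the marketing department's heat wave (add instances, shed the shop before the website). The minute buckets from `requests_per_minute` feed `classify` directly once they are laid out as a contiguous list.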
Another One Bites the Dust
WWW / DNS externally hosted
CDN
Mail routed via a cloud filter (eleven/cyren, antispameurope, …)
or hosted completely externally (classic hoster, Mailbox.org, Posteo, Gmail)
= classic hosting / cloud
Call to Arms
Sufficient capacity (shiftable, bookable)
Fast & efficient web pages (lean, cacheable) => nicer for visitors, too!
Decoupled services, e.g. only self-contained web content, separate
servers / hosters (=> WWW / shop at Ritter Sport)
Firewalling, SYN-flood protection, QoS (provider side)
Preparing for high load (load balancing, cluster, reverse proxy)
Secondary lines, ability to selectively re-route traffic (DNS?)
Prepared rolling blackout, static copy of website, 4xx/5xx error pages
Friends Will Be Friends
Verify contracts for sufficient service offers
Continuous emergency drills => enhancements
(extreme: Netflix's Simian Army / Chaos Monkey)
Establish procedures & contacts with partners BEFORE you need them
Run For Cover
Priority 1: keep communication channels open!
Priority 2: provide current (basic) information to customers/visitors
Coordinate response with providers & partners
Prioritize services, leave others behind
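"Prioritize services, leave others behind" and the Call to Arms items "prepared rolling blackout, static copy of website, 4xx/5xx error pages" describe a policy; the following added example (not code from the talk or from HiSolutions) turns it into an admission decision a reverse proxy or application front end could apply per request. As load climbs, the lowest-priority URL classes are shed first, a prepared static copy is served where one exists, everything else gets a cheap 503 with a Retry-After, and the status page (the talk's priority 1: keep the communication channel open) is never shed. The URL prefixes, priorities, load bands and the list of paths with a static copy are assumptions.

```python
"""Added example (not from the talk): request admission under overload,
implementing 'prioritize services, leave others behind' with a rolling
blackout, a prepared static copy and 503 error pages.  Prefixes,
priorities and load bands are assumed values."""
from dataclasses import dataclass
from typing import Optional

# Assumed URL prefix -> priority, 0 = most important.  The status page is the
# communication channel to customers and is never shed.
PRIORITIES = {
    "/status": 0,
    "/api/checkout": 1,
    "/shop": 2,
    "/blog": 3,
    "/search": 4,
}
DEFAULT_PRIORITY = 3
# Assumed prefixes for which a static snapshot was prepared before the event.
STATIC_COPY = ("/", "/shop", "/blog")
# Rolling blackout plan: (load below this, highest priority number still served).
# At or above 1.0 (saturated) only priority 0 survives.
SHED_PLAN = [(0.70, 4), (0.85, 3), (1.00, 1)]


@dataclass
class Decision:
    action: str                        # "serve", "static" or "reject"
    status: int                        # HTTP status to send
    retry_after: Optional[int] = None  # seconds, only on rejections


def _matches(path, prefix):
    """Exact match or directory-style prefix; '/' matches only the home page."""
    return path == prefix or (prefix != "/" and path.startswith(prefix + "/"))


def priority_of(path):
    """Longest matching prefix wins; unknown paths get DEFAULT_PRIORITY."""
    best = max((p for p in PRIORITIES if _matches(path, p)), key=len, default=None)
    return PRIORITIES[best] if best else DEFAULT_PRIORITY


def admitted_priority(load):
    """Highest priority number still served at this load level."""
    for limit, max_prio in SHED_PLAN:
        if load < limit:
            return max_prio
    return 0


def admit(path, load):
    """Decide what to do with a request; load = busy workers / capacity."""
    prio = priority_of(path)
    max_prio = admitted_priority(load)
    if prio <= max_prio:
        return Decision("serve", 200)
    if any(_matches(path, s) for s in STATIC_COPY):
        return Decision("static", 200)       # prepared static copy, cheap to serve
    # Reject cheaply; ask less important clients to wait longer before retrying.
    return Decision("reject", 503, retry_after=10 * (prio - max_prio))


if __name__ == "__main__":
    for load in (0.5, 0.75, 0.9, 1.2):
        for path in ("/status", "/api/checkout", "/shop", "/blog/2014/04/01/mett", "/search", "/"):
            print(f"load={load:.2f} {path:28s} -> {admit(path, load)}")
```

The decision is intentionally stateless and cheap: under a Flash event the front end must spend almost nothing per rejected request, which is also why the static copy is a pre-rendered snapshot rather than a cached dynamic page. Which paths land in which priority class is the business decision that the Run For Cover slide says to make before the event, not during it.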
Benny Hill
On-premises anti-DoS appliance, sitting behind the bottleneck
DNS-based anti-DDoS CDN (Cloudflare, …) does not prevent
IP-based attacks (Cloudpiercer finds backend systems)
BGP blackholing = preemptive suicide (though OK as a sacrifice)
…just beat it.
THANKS!
QUESTIONS?
Volker Tanger
HiSolutions AG
Bouchéstraße 12
12435 Berlin
www.hisolutions.com
+49 30 533 289-0
Contact Information & References
Contact
[email protected] / [email protected]
http://www.wyae.de/volker.tanger/papers/
References
Excavator: http://de.wikipedia.org/wiki/Bagger#mediaviewer/Datei:CAT_325_Raupenbagger.JPG
Ritter Sport Mett
http://www.ritter-sport.de/blog/2014/04/01/sonderedition-ritter-sport-mett-ab-sofort-erhaltlich/
Saturn MP3-Shop
http://www.heise.de/newsticker/meldung/Saturns-MP3-Shop-dem-Ansturm-nicht-gewachsen-894193.html
Staminus DoS Attack https://www.staminus.net/mitigation-of-attacks-exceeding-40-gbps/
To the music of:
Blues Brothers, Bronski Beat, Dido, The Edwin Davids Jazz Band, Gary Moore, Irene Cara, Manowar,
Metro Trains Melbourne/Tangerine Kitty, Michael Jackson, Mike Oldfield, Queen