[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points to Craft Advanced DDoS Attacks

Upload: imperva-incapsula

Post on 16-Apr-2017

17 pages

TRANSCRIPT

Page 1: [Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points to Craft Advanced DDoS Attacks

STORM SURGE: A DDoS Attack and Defend Scenario

Background photo courtesy of Ben Salter https://creativecommons.org/licenses/by/2.0/legalcode

Page 2

ANDY SHOEMAKER - NimbusDDOS Founder

Contact: [email protected]

Bio: Over 15 years of operations experience in massive-scale consumer websites

Past Gigs
- TripAdvisor.com - Massive online travel website
- Harmonix Music Corp / MTV Games - Video game studio
- Cambridge Interactive Development Corp - Online poker and casinos
- WorldWinner.com / GSN - Online gaming destination

Page 3

NimbusDDOS Overview

Page 4

Why Perform DDoS Simulations?

Assess environment susceptibility to DDoS
- Am I susceptible to DDoS?
- What are the DDoS risk areas in my organization?

Evaluate various mitigation solutions prior to purchase
- DDoS mitigation vendors are a partner in your infrastructure, so you better like them!

Validate DDoS mitigation hardware and services once installed
- Don't wait for the next DDoS to find out whether your mitigation strategy works!

Train IT staff in identification and mitigation of DDoS
- Preparedness drills can be invaluable in creating strategies that can be used during a crisis.

Compliance
- Vendors and suppliers are increasingly being asked whether they have a DDoS strategy.

Page 5

The Victim: Introducing Widgets LLC

Overview
- A major manufacturer of custom Widgets
- Mid-sized company with 200 employees and a 3 person IT team
- The website is the primary marketing/sales/support channel for the organization: http://widgetsllc.nimbusddos.com/

Technology Stack
- Amazon Web Services (AWS) hosted infrastructure
- WordPress CMS
- Quad core, 7.5GB RAM, SSD storage (c3.xlarge)
- Approximately 500Mbps of network capacity

Security Preparedness
- Has defined procedures for software updates to ensure prompt patching of vulnerabilities
- Periodic vulnerability scans with Nessus or similar
- Was told by an AWS account representative that DDoS will not affect them due to Amazon's size

Page 6

The Victim: Introducing Widgets LLC (cont.)

Page 7

The Victim: Introducing Widgets LLC (cont.)

Page 8

The Attacker: Introducing Thomas Scriptkid

Overview
- Uses DDoS to extort money (via Bitcoin) from companies
- Sometimes performs DDoS for hire using “darknet” marketplaces

Botnet Capabilities
- A very small botnet of 50 compromised hosts
- Capable of 5Gbps of traffic for bandwidth DDoS
- Capable of 5 million packets per second SYN floods
- Capable of 50,000 requests per second layer7 HTTP

Sense of Scale
- BredoLab botnet initiated a DDoS using 220,000 hosts in 2010
- In Q1 2015 there were 25 attacks in excess of 100Gbps globally

Page 9

Let's see that website again... this time as our attacker

Callouts on the screenshot:
- Search likely hits the DB; search tends to use lots of CPU
- Log-in likely hits the DB; log-in tends to use lots of CPU
- Large media is a juicy target (122K)

Page 10

Port Scanners: the primary tool of all attackers

The facts:
- Port scanners allow an attacker to see what services are accessible from the Internet
- Multiple applications are freely available, just a mouse click away: https://nmap.org/
- Most scanners support a variety of cloaking modes
- Scanners are very quick, with only a single packet sent/received being necessary to scan a port
  - A modest Linux server capable of processing 200k packets/sec, scanning all ports:
    Single host: <1 second
    Class C (254 hosts): <3 minutes
    Class B (65,534 hosts): 12 hours
    Class A (16,777,214 hosts): 127 days
  - MASSCAN can reportedly scan the entire Internet in under 6 minutes given sufficient resources: https://github.com/robertdavidgraham/masscan
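The slide's timing table follows from one packet out and one packet back per port, so a box that handles 200k packets/sec clears roughly 100k ports per second. The script below is an added example (not the webinar's or NimbusDDOS's tooling) that reproduces that arithmetic and runs a small concurrent connect() scan, the unprivileged cousin of nmap's SYN scan, against a throwaway listener on 127.0.0.1 so it works offline. Host, port window, thread count and timeout are illustrative assumptions; point `scan()` at your own public address from outside your network to see the service list an attacker starts from.

```python
"""Added example (not the webinar's tooling): a concurrent TCP connect() scanner
plus the slide's scan-time arithmetic.

A SYN scan costs one packet out and one packet back per port, which is why the
slide's 200k packets/sec box clears about 100k ports per second. Running the
same probe from outside your own network shows exactly the service list the
attacker starts from.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List, Tuple


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a full TCP handshake to host:port completes.

    connect() needs no raw-socket privilege, unlike a half-open SYN scan, at the
    cost of one extra packet (the final ACK) and a log entry on the target.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan(host: str, ports: Iterable[int], workers: int = 64,
         timeout: float = 0.5) -> List[int]:
    """Probe `ports` concurrently and return the open ones in ascending order."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        verdicts = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return sorted(p for p, is_open in zip(ports, verdicts) if is_open)


def scan_seconds(hosts: int, ports: int = 65535, pps: int = 200_000,
                 packets_per_port: int = 2) -> float:
    """Seconds to scan every port on `hosts` hosts at `pps` packets/sec.

    packets_per_port=2 (one SYN out, one SYN-ACK/RST back) reproduces the
    slide's figures: <1 s for one host, under 3 min for a /24, ~12 h for a /16,
    ~127 days for a /8.
    """
    return hosts * ports * packets_per_port / pps


def demo() -> Tuple[int, List[int]]:
    """Open a throwaway listener on 127.0.0.1 and scan a window of ports around it.

    Returns (listener_port, open_ports); the listener port must show up as open.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    listener.listen(8)
    port = listener.getsockname()[1]
    try:
        found = scan("127.0.0.1", range(max(1, port - 2), port + 3))
    finally:
        listener.close()
    return port, found


if __name__ == "__main__":
    listener_port, open_ports = demo()
    print(f"listener on {listener_port}, open ports seen: {open_ports}")
    for label, n in (("single host", 1), ("class C", 254),
                     ("class B", 65_534), ("class A", 16_777_214)):
        print(f"{label:12s} {scan_seconds(n):>14.1f} s")
```

Because connect() completes the handshake, the scan is visible in the target's connection logs; that is the trade-off for not needing root, and it is also the first signal a defender can alert on.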

Page 11

Port Scanners: the primary tool of all attackers (cont.)

Page 12

What are our possible attack vectors?

Bandwidth DDoS
- UDP flood
- ICMP flood
- DNS reflection flood
- NTP reflection flood

Protocol Attacks
- TCP SYN flood targeting HTTP
- TCP SYN flood targeting HTTPS

Application/Layer7 Attacks
- HTTP/S request flood targeting large objects
- SSL renegotiation flood
- Log-in request flood to overwhelm the database
- Search request flood to overwhelm the database

...All of these options discovered in under 5 minutes
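The layer-7 vectors in the list above are the ones that look like ordinary traffic: a login POST or a search query is a legitimate request, it is the rate and the cost per request that make it an attack. The detector below is an added example, not the webinar's or NimbusDDOS's code, that triages web server access logs for exactly those three classes against a WordPress origin like the one in the scenario. The paths are WordPress conventions (`/wp-login.php` for login, `/?s=<term>` for search); the 100 kB "large media" cutoff, the 10 requests/second threshold and the log lines themselves are constructed assumptions.

```python
"""Added example (not from the webinar): triage of a layer-7 flood against the
expensive WordPress endpoints the slides single out, run over access log lines.

Sample log lines are constructed here; paths follow WordPress conventions
(/wp-login.php for login, /?s=<term> for search), and the 100 kB media
threshold is an assumption chosen to match the 122K object on the slide.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format: ip ident user [ts] "METHOD PATH PROTO" status bytes ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

LARGE_OBJECT_BYTES = 100_000   # assumption: anything above this is "large media"


def classify(method: str, path: str, nbytes: int) -> Optional[str]:
    """Map a request onto one of the slide's expensive classes, or None if cheap."""
    url = urlsplit(path)
    if url.path == "/wp-login.php" and method == "POST":
        return "login"            # password hashing + DB lookup per request
    if "s" in parse_qs(url.query):
        return "search"           # full-text query against the posts table
    if nbytes >= LARGE_OBJECT_BYTES:
        return "large_media"      # bandwidth, not CPU, is the cost here
    return None


def parse_line(line: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return (client_ip, timestamp_to_the_second, class) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    nbytes = 0 if m["bytes"] == "-" else int(m["bytes"])
    return m["ip"], m["ts"], classify(m["method"], m["path"], nbytes)


def find_floods(lines: Iterable[str], per_second: int = 10) -> Dict[Tuple[str, str], int]:
    """Clients exceeding `per_second` hits on one expensive class within one second.

    Keyed by (ip, class); the value is the worst one-second count seen. Cheap
    requests are ignored entirely, so a busy but well-behaved client browsing
    product pages never trips the check.
    """
    buckets: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] is None:
            continue
        ip, ts, cls = rec
        buckets[(ip, cls, ts)] += 1   # the combined-format timestamp has 1 s resolution
    peaks: Dict[Tuple[str, str], int] = {}
    for (ip, cls, _ts), n in buckets.items():
        if n >= per_second:
            peaks[(ip, cls)] = max(peaks.get((ip, cls), 0), n)
    return peaks


def sample_log() -> List[str]:
    """Constructed log: one bot hammering the login form, two legitimate clients."""
    ts = "16/Apr/2017:10:00:01 +0000"
    lines = [f'198.51.100.7 - - [{ts}] "POST /wp-login.php HTTP/1.1" 200 3214'
             for _ in range(12)]
    lines += [f'203.0.113.5 - - [{ts}] "GET /?s=widget HTTP/1.1" 200 18422',
              f'203.0.113.5 - - [{ts}] "GET /about/ HTTP/1.1" 200 9120',
              f'192.0.2.10 - - [{ts}] "GET /wp-content/uploads/brochure.pdf HTTP/1.1" 200 124928']
    return lines


if __name__ == "__main__":
    for (ip, cls), n in find_floods(sample_log()).items():
        print(f"{ip} {cls}: {n} req/s")
```

Counting only the expensive classes is the point: a 50,000 req/s botnet spread across 50 hosts is 1,000 req/s per host, far above anything a browser does to a login form, while the same per-IP threshold applied to every request would also catch a proxy fronting many real users. Behind a CDN or reverse proxy, take the client address from the forwarded-for header the proxy sets rather than the socket peer, otherwise every hit is attributed to the proxy.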

Page 13

SYN Flood : pre-attack performance

Page 14

SYN Flood : attack running

Page 15

SYN Flood : post-attack performance
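The three SYN flood slides are performance graphs. What the defender can measure on the wire during such an attack is an added example below, not the webinar's or NimbusDDOS's code: it takes a packet summary of traffic arriving at the victim's HTTP port and computes the two indicators that separate a spoofed SYN flood from a burst of real clients, the peak SYN rate and the fraction of sources that ever complete the handshake. Spoofed sources never see the SYN-ACK, so they never send the final ACK. The input format (tcpdump-style flags "S" and "."), the two sample captures and the thresholds are all constructed assumptions.

```python
"""Added example (not from the webinar): indicators that separate a spoofed SYN
flood from a burst of real clients, computed from a packet summary of traffic
arriving at the victim's HTTP port.

Input records are (time_seconds, source_ip, flags) with tcpdump-style flags:
"S" for a client SYN, "." for the client's handshake-completing ACK. The sample
captures below are constructed; the thresholds are assumptions, not figures
from the slides.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Packet = Tuple[float, str, str]


def handshake_stats(packets: Iterable[Packet]) -> Dict[str, float]:
    """Per-source SYN accounting plus the peak one-second SYN rate."""
    syns_by_src: Counter = Counter()
    syns_by_second: Counter = Counter()
    acked_sources = set()
    for t, src, flags in packets:
        if flags == "S":
            syns_by_src[src] += 1
            syns_by_second[int(t)] += 1
        elif flags == ".":
            acked_sources.add(src)
    sources = len(syns_by_src)
    completed = sum(1 for src in syns_by_src if src in acked_sources)
    return {
        "sources": sources,
        "peak_syn_per_sec": max(syns_by_second.values(), default=0),
        # real clients finish the handshake; spoofed sources never see the SYN-ACK
        "completion_rate": completed / sources if sources else 0.0,
    }


def looks_like_spoofed_syn_flood(stats: Dict[str, float], min_syn_rate: int = 1000,
                                 max_completion: float = 0.2) -> bool:
    """High SYN rate with almost no completed handshakes = backlog exhaustion attack.

    `sources` is reported alongside because it is the number of firewall rules
    an IP-based block would need; for a spoofed flood that number is useless.
    """
    return (stats["peak_syn_per_sec"] >= min_syn_rate
            and stats["completion_rate"] <= max_completion)


def sample_capture(flood: bool) -> List[Packet]:
    """Constructed capture: 20 real clients over 10 s, optionally plus 5,000
    single-SYN spoofed sources packed into the fifth second."""
    pkts: List[Packet] = []
    for i in range(20):
        t, src = i * 0.5, f"192.0.2.{i + 1}"
        pkts.append((t, src, "S"))
        pkts.append((t + 0.05, src, "."))        # handshake completes
    if flood:
        for i in range(5000):
            src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
            pkts.append((4.0 + i / 5000, src, "S"))  # never ACKed
    return pkts


if __name__ == "__main__":
    for label, flood in (("normal", False), ("flood", True)):
        s = handshake_stats(sample_capture(flood))
        print(label, s, "FLOOD" if looks_like_spoofed_syn_flood(s) else "ok")
```

The `sources` figure is what makes the "block via firewall" option on the next slide fall apart: the constructed flood needs over five thousand rules for a single second of traffic, and the next second brings five thousand new addresses.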

Page 16

Mitigation Options (and their deficiencies)

Block via firewall
- SYN floods are often spoofed from random IPs, making them difficult to block
- Substantial administrative overhead
- Blocking must occur upstream of the bottleneck, which may not be possible

Auto-scale resources in the cloud
- May not be possible with older applications, or those with monolithic databases
- Now becomes a DDoS on your wallet, as you need to pay for the cloud resources

Dedicated on-premise DDoS mitigation hardware
- Requires time and resources to set up
- Requires in-house DDoS expertise, which can be challenging even for large IT teams
- Blocking must occur upstream of the bottleneck, which may not be possible

Hide behind a content distribution network (CDN)
- Will not protect against layer7 DDoS, as these will pass through the CDN to the origin

DDoS “clean pipe” vendor (proxy solutions)
- Will not prevent attacks directly targeting the origin (an attacker who learns the origin address bypasses the proxy unless the origin is firewalled to accept traffic only from the proxy)

DDoS “clean pipe” vendor (BGP routed solutions)
- Only available to organizations that talk BGP

Page 17

ANDY SHOEMAKER - NimbusDDOS Founder

Contact: [email protected]

THANK YOU!