[webinar] ddos pentester reveals: how hackers find your website’s weak points to craft advanced...
TRANSCRIPT
STORM SURGE: A DDoS Attack and Defend Scenario
Background photo courtesy of Ben Salter https://creativecommons.org/licenses/by/2.0/legalcode
ANDY SHOEMAKER - NimbusDDOS Founder
Contact: [email protected]
Bio: Over 15 years of operations experience in massive-scale consumer websites
Past Gigs:
- TripAdvisor.com - Massive online travel website
- Harmonix Music Corp / MTV Games - Video game studio
- Cambridge Interactive Development Corp - Online poker and casinos
- WorldWinner.com / GSN - Online gaming destination
NimbusDDOS Overview
Why Perform DDoS Simulations?
- Assess environment susceptibility to DDoS: Am I susceptible to DDoS? What are the DDoS risk areas in my organization?
- Evaluate various mitigation solutions prior to purchase: DDoS mitigation vendors are a partner in your infrastructure, so you had better like them!
- Validate DDoS mitigation hardware and services once installed: Don't wait for the next DDoS to find out whether your mitigation strategy works!
- Train IT staff in identification and mitigation of DDoS: Preparedness drills can be invaluable in creating strategies that can be used during a crisis.
- Compliance: Vendors and suppliers are increasingly being asked whether they have a DDoS strategy.
The Victim: Introducing Widgets LLC
Overview
- A major manufacturer of custom Widgets
- Mid-sized company with 200 employees and a 3-person IT team
- The website is the primary marketing/sales/support channel for the organization: http://widgetsllc.nimbusddos.com/
Technology Stack
- Amazon Web Services (AWS) hosted infrastructure
- WordPress CMS
- Quad core, 7.5GB RAM, SSD storage (c3.xlarge)
- Approximately 500Mbps of network capacity
Security Preparedness
- Has defined procedures for software updates to ensure prompt patching of vulnerabilities
- Periodic vulnerability scans with Nessus or similar
- Was told by an AWS account representative that DDoS will not affect them due to Amazon's size
The Attacker: Introducing Thomas Scriptkid
Overview
- Uses DDoS to extort money (via Bitcoin) from companies
- Sometimes performs DDoS for hire using "darknet" marketplaces
Botnet Capabilities
- A very small botnet of 50 compromised hosts
- Capable of 5Gbps of traffic for bandwidth DDoS (ten times Widgets LLC's 500Mbps of network capacity)
- Capable of 5 million packets per second SYN floods
- Capable of 50,000 requests per second layer 7 HTTP
Sense of Scale
- BredoLab botnet initiated a DDoS using 220,000 hosts in 2010
- In Q1 2015 there were 25 attacks in excess of 100Gbps globally
Let's See that Website Again... this time as our attacker
Annotations on the site screenshot (the image itself is not reproduced in this transcript):
- Search likely hits the DB; search tends to use lots of CPU
- Log-in likely hits the DB; log-in tends to use lots of CPU
- Large media is a juicy target (122K)
Port Scanners: the primary tool of all attackers
The facts:
- Port scanners allow an attacker to see what services are accessible from the Internet
- Multiple applications are freely available, just a mouse click away: https://nmap.org/
- Most scanners support a variety of cloaking modes
- Scanners are very quick, with only a single packet sent/received being necessary to scan a port
  - A modest Linux server capable of processing 200k packets/sec, scanning all 65,536 ports (counting one sent and one received packet per port):
    - Single host: <1 second
    - Class C (254 hosts): <3 minutes
    - Class B (65,534 hosts): 12 hours
    - Class A (16,777,214 hosts): 127 days
  - MASSCAN can reportedly scan the entire Internet in under 6 minutes given sufficient resources: https://github.com/robertdavidgraham/masscan
What are our possible attack vectors?
Bandwidth DDoS
- UDP flood
- ICMP flood
- DNS reflection flood
- NTP reflection flood
Protocol Attacks
- TCP SYN flood targeting HTTP
- TCP SYN flood targeting HTTPS
Application/Layer 7 Attacks
- HTTP/S request flood targeting large objects
- SSL renegotiation flood
- Log-in request flood to overwhelm the database
- Search request flood to overwhelm the database
.... All of these options discovered in under 5 minutes
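The layer 7 vectors above work because the attacker only needs a modest request rate against the endpoints that cost the server the most (log-in and search hit the database, large media burns bandwidth). The following is an added example, not NimbusDDOS's tooling or anything shown in the webinar: it parses Apache/nginx combined-format access log lines (an assumed format), weights each request by how expensive the endpoint class is, and flags sources whose weighted load exceeds a threshold in a time window. The WordPress paths (/wp-login.php, ?s= search), the cost weights, the window and the threshold are all assumptions chosen for illustration, and the log lines are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed "combined" access log format; the webinar shows no log samples.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Hypothetical cost weights: the expensive endpoint classes called out in the
# attacker's view of the site (DB-backed log-in and search, large objects).
COST = {"login": 10.0, "search": 8.0, "large-object": 3.0, "other": 1.0}


def request_class(path, size):
    """Map a request to an endpoint class; WordPress paths are assumed."""
    if path.startswith("/wp-login.php"):
        return "login"
    if "?s=" in path or "&s=" in path:
        return "search"
    if size >= 100_000:          # e.g. the 122K media object on the slide
        return "large-object"
    return "other"


def parse_line(line):
    """Return a dict for one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = 0 if m["size"] == "-" else int(m["size"])
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"]), "size": size}


def find_layer7_flooders(lines, window=10, cost_per_sec=20.0):
    """Return {ip: worst weighted load per second} for sources over the threshold
    in any window-second bucket. Thresholds are illustrative."""
    recs = [r for r in map(parse_line, lines) if r is not None]
    if not recs:
        return {}
    t0 = min(r["ts"] for r in recs)
    buckets = defaultdict(float)            # (ip, bucket index) -> summed cost
    for r in recs:
        idx = int((r["ts"] - t0).total_seconds()) // window
        buckets[(r["ip"], idx)] += COST[request_class(r["path"], r["size"])]
    flagged = {}
    for (ip, _), cost in buckets.items():
        rate = cost / window
        if rate >= cost_per_sec:
            flagged[ip] = max(rate, flagged.get(ip, 0.0))
    return flagged


def endpoint_load(lines, window=10):
    """Site-wide weighted load per second by endpoint class: catches a flood
    spread thinly across many bots that per-IP thresholds would miss."""
    recs = [r for r in map(parse_line, lines) if r is not None]
    if not recs:
        return {}
    t0 = min(r["ts"] for r in recs)
    span = max(int((max(r["ts"] for r in recs) - t0).total_seconds()) + 1, window)
    total = defaultdict(float)
    for r in recs:
        total[request_class(r["path"], r["size"])] += COST[request_class(r["path"], r["size"])]
    return {cls: cost / span for cls, cost in total.items()}


# Constructed sample traffic (not real logs): one ordinary visitor, one bot
# hammering log-in, one bot hammering search, all within a 10 second window.
_BASE = "14/Mar/2015:10:00:{:02d} +0000"


def _line(ip, sec, method, path, status, size):
    return f'{ip} - - [{_BASE.format(sec)}] "{method} {path} HTTP/1.1" {status} {size}'


SAMPLE_LOG = []
for s in range(10):
    SAMPLE_LOG.append(_line("203.0.113.7", s, "GET", "/" if s % 2 else "/products", 200, 8240))
for i in range(40):
    SAMPLE_LOG.append(_line("198.51.100.23", i % 10, "POST", "/wp-login.php", 200, 3120))
for i in range(30):
    SAMPLE_LOG.append(_line("198.51.100.24", i % 10, "GET", f"/?s=widget{i}", 200, 15000))

if __name__ == "__main__":
    print(find_layer7_flooders(SAMPLE_LOG))   # the two bots, not the visitor
    print(endpoint_load(SAMPLE_LOG))          # where the load actually lands
```

The per-IP view is what a firewall rule or fail2ban-style block acts on; the per-endpoint view is what tells you the database is the bottleneck regardless of who is sending, which matters once the same load arrives from fifty bots at a fiftieth of the rate each.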
SYN Flood: pre-attack performance, attack running, post-attack performance (the three performance graphs from these slides are not reproduced in this transcript)
Mitigation Options (and their deficiencies)
Block via firewall
- SYN floods are often spoofed from random IPs, making them difficult to block
- Substantial administrative overhead
- Blocking must occur upstream of the bottleneck, which may not be possible
Auto-scale resources in the cloud
- May not be possible with older applications, or those with monolithic databases
- Now becomes a DDoS on your wallet, as you need to pay for the cloud resources
Dedicated on-premise DDoS mitigation hardware
- Requires time and resources to set up
- Requires in-house DDoS expertise, which can be challenging even for large IT teams
- Blocking must occur upstream of the bottleneck, which may not be possible
Hide behind a content distribution network (CDN)
- Will not protect against layer 7 DDoS, as uncacheable requests such as log-in and search pass through the CDN to the origin
DDoS "clean pipe" vendor (proxy solutions)
- Will not prevent attacks directly targeting the origin (once the attacker learns the origin's address)
DDoS "clean pipe" vendor (BGP routed solutions)
- Only available to organizations that talk BGP
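The first deficiency listed above, that spoofed SYN floods defeat per-IP firewall blocking, is easy to confirm from a capture. The following is an added example, not code from the webinar or from NimbusDDOS: it parses tcpdump-style packet summary lines (an assumed format), and for the web port reports the SYN rate, how many distinct sources the SYNs come from, what fraction of those sources ever complete the handshake with an ACK, and what share of SYNs the ten busiest sources account for. Near-zero completion and a tiny top-ten share together mean the sources are randomised, so a blocklist would have to grow as fast as the flood. The packet lines are constructed (a seeded random generator stands in for the botnet), and the rate threshold and the port are assumptions.

```python
import random
import re
from collections import Counter

# Assumed tcpdump-style summary line; the webinar shows no captures.
PKT_RE = re.compile(
    r'^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}\.\d+) IP '
    r'(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]'
)


def parse_packet(line):
    """Return {t, src, dport, flags} for one summary line, or None if unparseable."""
    m = PKT_RE.match(line)
    if not m:
        return None
    secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
    return {"t": secs, "src": m["src"], "dport": int(m["dport"]), "flags": m["flags"]}


def syn_stats(lines, dport=80, top_n=10):
    """Inbound SYN statistics for one destination port."""
    syn_sources = Counter()     # source -> number of SYNs seen
    completed = set()           # sources that later sent a plain ACK (handshake finished)
    first = last = None
    for line in lines:
        p = parse_packet(line)
        if p is None or p["dport"] != dport:
            continue
        first = p["t"] if first is None else min(first, p["t"])
        last = p["t"] if last is None else max(last, p["t"])
        if p["flags"] == "S":
            syn_sources[p["src"]] += 1
        elif "." in p["flags"] and "S" not in p["flags"]:
            completed.add(p["src"])
    syns = sum(syn_sources.values())
    if syns == 0:
        return {"syns": 0, "syn_rate": 0.0, "unique_sources": 0,
                "completion": 0.0, "top_share": 0.0}
    duration = max(last - first, 1e-3)
    top = sum(c for _, c in syn_sources.most_common(top_n))
    return {
        "syns": syns,
        "syn_rate": syns / duration,
        "unique_sources": len(syn_sources),
        "completion": len(completed & set(syn_sources)) / len(syn_sources),
        "top_share": top / syns,
    }


def classify(stats, rate_threshold=500.0):
    """Illustrative decision: the real threshold depends on the site's baseline."""
    if stats["syn_rate"] < rate_threshold:
        return "normal"
    if stats["top_share"] > 0.5:
        return "syn flood, few sources: per-IP blocking viable"
    return "syn flood, dispersed/spoofed sources: per-IP blocking futile"


# Constructed sample capture (not real traffic) against an assumed origin 203.0.113.10.
def _pkt(t, src, sport, flags, dport=80):
    h, rem = divmod(t, 3600)
    m, s = divmod(rem, 60)
    return f"{int(h):02d}:{int(m):02d}:{s:09.6f} IP {src}.{sport} > 203.0.113.10.{dport}: Flags [{flags}]"


LEGIT = []   # five real visitors: SYN, then ACK, then a data segment
for i, src in enumerate(["203.0.113.7", "203.0.113.8", "198.51.100.4", "192.0.2.9", "192.0.2.10"]):
    t = 36000.0 + i * 0.8
    LEGIT.append(_pkt(t, src, 50000 + i, "S"))
    LEGIT.append(_pkt(t + 0.05, src, 50000 + i, "."))
    LEGIT.append(_pkt(t + 0.06, src, 50000 + i, "P."))

_rng = random.Random(1)   # seeded so the sample is reproducible
FLOOD = list(LEGIT)       # the same visitors plus 2000 spoofed SYNs in one second
for i in range(2000):
    src = ".".join(str(_rng.randrange(1, 255)) for _ in range(4))
    FLOOD.append(_pkt(36000.0 + i / 2000.0, src, _rng.randrange(1024, 65535), "S"))

if __name__ == "__main__":
    print(classify(syn_stats(LEGIT)), syn_stats(LEGIT))
    print(classify(syn_stats(FLOOD)), syn_stats(FLOOD))
```

The same three numbers also tell you which of the options above can work: a flood with a high top-ten share is one a firewall can absorb, while a dispersed one has to be handled upstream of the bottleneck or by something that never allocates state for a half-open connection.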