DDoS Protection Service

White Paper
DDoS Protection Service
Distributed Denial of Service (DDoS)
Technical Product Information

Effective protection of your infrastructure against attacks from the Internet - highly available Internet access

Contents

1 DDoS Attacks - a really existing risk
2 Problem description
  2.1 Background
    Intentions of the attacker and kinds of attacks
    Development of DoS attacks
    DDoS attacks from a regular IP address
    Motivation for DDoS attacks
  2.2 Prerequisite for a DDoS attack
  2.3 The sequence of a DDoS attack
    General sequence of a (malicious) attack
    Preparation and sequence of a (malicious) attack
  2.4 Developments and the effects of DDoS attacks
3 Protective measures against DDoS attacks
  3.1 Blackhole defence
  3.2 Current protective measures with the DDoS Protection Service
    General features
    Traffic anomaly detection
    Threat Management System
4 DDoS Protection Service from Swisscom
  4.1 Filtering process of a DDoS attack
  4.2 Option DDoS Protection enhanced
5 Summary
  5.1 Solution alternatives
  5.2 Danger and damage potentials
  5.3 Managed Service
6 Glossary

This White Paper was created on the basis of currently known parameters. The technical solution may still be subject to last-minute changes during the implementation. We are available for questions or comments about this White Paper.

Document White Paper DDoS Date 01/03/2016 Page 2/18

1 DDoS Attacks - a really existing risk

Risk management in an enterprise is the responsibility of top management, which has to check potential security risks regularly and preventatively. Especially in fully interconnected IT environments, real threat situations exist that change continuously and keep taking new forms. DDoS attacks are among these risks. This White Paper considers these security risks in detail and describes effective defence mechanisms.

DDoS attacks have to flow into the risk analysis of an enterprise like any other threat (location and access to the building, fire protection, electrical power supply, access to internal documents etc.). Due to their enormous threat and damage potential, they have to be treated equally. Current risk analyses and recommendations can be found on the web page of the registration and analysis office Informationssicherung.

2 Problem description

2.1 Background

Since the early days of the Internet, "denial-of-service" (DoS) attacks have been a fact of life. The goal of these attacks is to restrict, on a grand scale, the availability of certain online systems and/or services, or to deny service completely. Usually, in this type of attack, an attempt is made to crash the attacked systems by exploiting vulnerabilities in operating systems, programs and services, or basic design flaws in the network protocols in use on the Internet.

Intentions of the attacker and kinds of attacks

The online systems can also be overloaded to the extent that they no longer work properly. The goal of pure DoS attacks is therefore not to steal confidential data or circumvent user authentication mechanisms but to severely disrupt or immobilise the service platforms of online providers such as e-shops, content providers, financial service providers (e.g. e-banking), government agencies (e.g. e-government) etc.

The web sites and/or services that are attacked may then be unavailable for a period of a few minutes up to a few days. Unlike in other attacks, the perpetrator does not usually infiltrate the computer networks and therefore does not need any passwords (or similar information). However, a DoS attack can be part of an attack on a system. For example, one online system is rendered inoperable by a DoS attack to cover up the actual attack on one of the customer's other systems. The IT staff tasked with administration are distracted by the increase in data traffic, allowing the actual attempted attack to go unnoticed.

Development of DoS attacks

DoS attacks are increasingly refined and therefore difficult for ordinary persons to recognise. For example, for more than 10 years, instead of single PCs, a multitude of different PCs have been used for large-scale co-ordinated attacks on single online systems or networks. The individual PC user whose PC is part of a so-called botnet normally doesn't notice any loss of performance when working or surfing the Internet while an attack is underway. The number of PCs involved in an attack can range from several hundred to several hundred thousand PCs attacking at any one time. The PCs involved in an attack can be linked nationally, internationally or inter-continentally on the global Internet. Within such a "Distributed Denial-of-Service" (DDoS) attack, the attacker takes advantage of the capacity of several PCs. Thus, even sites with high-performance online systems and broadband network connections can be successfully disrupted. Ironically, it is the broadband networks themselves that supply the necessary bandwidth.

DDoS attacks from a regular IP address

One special type is the Distributed Reflected Denial of Service (DRDoS) attack. In this type of attack, the attacker does not address his data packets directly to the victim of the attack but to Internet services. However, he enters the IP address of the victim as the sender. Using this method, it is practically impossible to determine the origin of the attack. These types of forged connection requests are also referred to as IP spoofing. The responses to these requests and the resulting system overload represent the actual DoS attack for the victim.

Motivation for DDoS attacks

The origin of and the motives for these types of attacks vary widely. They range from computer geeks without monetary interests, through revenge or protest against a particular company or organisation, up to professional hacker organisations. Anyone can hire them to run a DDoS attack via an online portal with payment by credit card. For little money, managed attacks are offered, e.g. as a "24-hour stress test". Quite often, malicious threats are made or attempts at extorting protection money are undertaken. Professionally active organisations carry them out with clear intent, in their own interest or on behalf of a third party.

Figure 1: Motivations for DDoS attacks (ARBOR Networks)

2.2 Prerequisite for a DDoS attack

DDoS attacks as a means of extortion are usually initiated via so-called bot networks. They comprise from several dozen up to several hundred thousand computers infected with Trojan horses or worms. The fact that most computers connected via broadband networks have a fixed IP address and are usually online makes DDoS attacks even easier. Because most computers connected to the Internet have inadequate or non-existent protective measures, the user doesn't usually notice that the computer is infected or has become part of a bot network. The owners of these computers don't even recognise that they are part of a bot network. The performance of a PC involved in a DDoS attack and the connection bandwidth are generally not affected in any way perceptible to the user. These bot networks are made up of several hundred to several thousand infected PCs. These PCs can be activated at any chosen time for attacks by the bot network administrator/controller. There has also been a noticeable increase in the misuse of networked computers now that TCP/IP protocols are very widespread and have become practically common knowledge.

Figure 2: Globally active botnet sources

2.3 The sequence of a DDoS attack

General sequence of a (malicious) attack

Up to now, the following attack models have been discussed in Internet blogs or forums:

Model 1
A company with an Internet presence receives an extortion letter demanding the payment of a specific sum by a set deadline. If the deadline passes without payment, the attacks threatened in the extortion letter are immediately initiated. The web servers are then attacked with an enormous number of requests. Depending on the bandwidth, it takes very little time for the web site and its e-services (e-shop, e-banking) to become inaccessible.

Model 2
A company's online presence is blocked without warning by a DDoS attack for unknown reasons. During the attack, the attacked party receives a letter claiming responsibility, e.g. by e-mail (e.g. via alternative Internet access) or fax, demanding either payment to an account by a certain deadline or that another condition be met. If this deadline passes without payment, the attacks are continued.

Model 3
The online platform of a company is attacked without any warning. The intent is to cause the company lasting damage; the attack can run from a few minutes up to several weeks.

Preparation and sequence of a (malicious) attack

As already mentioned, several computer systems are involved in a DDoS attack. The complex attack sequence, or the network of attackers, can be described as follows: an attacker (also called a client) commissions one or more masters (also called handlers). They control several daemons (also called agents). These then attack a victim.

Analysis
The attacker communicates via an Internet connection (often from an illegally used IP address) with the distributed masters. He then uses scanning tools to find out their IP address and/or which TCP or UDP ports are open. Potential targets of attacks and their vulnerabilities are identified with the help of Internet security scanners. The attacker also uses this same channel to obtain root rights on the server systems and simultaneously checks which services and ports are active (and therefore "open") on the systems.

Script creation
Once the security weaknesses have been revealed, the attacker generates a script (= a program that runs automatically) and places it in the stolen accounts. He uses the scripts to attack precisely these security weaknesses later on. Incidentally, existing toolkits are often used to create the script files, which makes them much easier to apply. Now the attacker defines his subsequent daemon and master systems. Other storage locations are used to store the pre-compiled binaries of the daemons on the master systems. Then the attacker creates a script that uses the list of computers that have been taken over and creates another script which automatically performs the installation in the background.

Script installation
Because this process is automated, a widespread denial-of-service network can be created without the knowledge of the actual system owners. The master programs, which play a key role in the attacker's network, are then installed with extreme care. Optionally, a root kit (an "administrator kit") that conceals the presence of the programs, files and network connections may also be installed. The master programs are preferably installed on so-called primary name server hosts. Because these server systems are designed for an extremely high volume of network traffic, a large number of network connections run on them. This has two key advantages for the attacker. On the one hand, the basic load (processors and network) camouflages the additional network traffic on the master very well. On the other hand, such server systems are not prematurely disconnected from the network even if a DDoS is suspected, because the role they play in the company's network is too great.

Start of the attack
At a later time, the attacker sends the attack command, including the data of the victim (IP address, port number, type of attack, start and stop time), to the masters. During the attack, this is the only outgoing traffic. Once the attack has started, its continued control and coordination is entirely the responsibility of the masters (= computers acting as servers), which control a set number of daemons (daemons are processes running in the background). To ensure that not all daemons are rendered immediately unusable when a master is discovered by a network sniffer, the attackers distribute the masters into functional sub-areas. The daemons in turn run on other computers and can be globally dispersed in the network. Only the daemon systems carry out the actual attack when instructed by the master.

This can be, for example, a SYN flood attack, where the attacker sends a packet (SYN packet) to the victim system to establish a TCP connection. The victim system reserves a port and sends back what is known as a SYN-ACK packet. However, because the attacker has spoofed his IP address (i.e. he's not using his own IP address), the sender of the SYN-ACK does not receive any confirmation. The victim system tries again and finally releases the reserved connection after a set time period that can last several minutes depending on the operating system. If not just one such connection request is sent but many in parallel, the computer becomes overloaded with answering the requests, blocking it for all practical purposes.

2.4 Developments and the effects of DDoS attacks

Ongoing investigations by ARBOR Networks since 2002, in collaboration with the most important Internet Service Providers (ISPs), show a significant increase in the bandwidth intensity of DDoS attacks at a continuously high rate of occurrence. Primary targets are commercial Internet and network services (e.g. Domain Name Server, DNS). Most commonly used are UDP flood (sending a large quantity of UDP packets to randomly selected ports until they become inaccessible) and TCP SYN (delay of the handshake procedure when establishing a TCP connection), while other known vulnerabilities in the application protocols also support the attack. The number and intensity of DDoS attacks have been rising continuously since then.
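The half-open connections described under "Start of the attack" above can be watched for on the defending side. The following is an added example, not code from the White Paper or from Swisscom: it tracks SYNs that never receive the final ACK, per destination service. The 75-second timeout, the alert threshold, the class and function names, and all sample events (RFC 5737 documentation addresses) are assumptions constructed for illustration.

```python
from collections import defaultdict

SYN, ACK, RST = "S", "A", "R"   # flags of client-to-server packets only


class HalfOpenTracker:
    """Tracks handshakes that received a SYN but no final ACK, per service."""

    def __init__(self, timeout_s=75.0, alert_threshold=10):
        self.timeout_s = timeout_s              # assumed hold time of a reserved slot
        self.alert_threshold = alert_threshold  # assumed per-service alert limit
        self.pending = defaultdict(dict)        # (dst, dport) -> {(src, sport): SYN time}
        self.alerting = set()                   # services currently above the limit
        self.alerts = []                        # (time, service, half-open count)

    def _expire(self, now):
        # The server gives up on a reserved connection after the timeout.
        for service, conns in self.pending.items():
            for key in [k for k, t in conns.items() if now - t >= self.timeout_s]:
                del conns[key]
            if len(conns) < self.alert_threshold:
                self.alerting.discard(service)

    def observe(self, ts, src, sport, dst, dport, flags):
        self._expire(ts)
        service = (dst, dport)
        conns = self.pending[service]
        if flags == SYN:
            conns.setdefault((src, sport), ts)
            # Alert once when the limit is crossed, not on every further SYN.
            if len(conns) >= self.alert_threshold and service not in self.alerting:
                self.alerting.add(service)
                self.alerts.append((ts, service, len(conns)))
        elif flags in (ACK, RST):
            # Handshake completed or aborted: the reserved slot is released.
            conns.pop((src, sport), None)
            if len(conns) < self.alert_threshold:
                self.alerting.discard(service)

    def half_open(self, dst, dport):
        return len(self.pending.get((dst, dport), {}))


def constructed_events():
    """Constructed sample traffic: (time_s, src, sport, dst, dport, flags)."""
    web = ("192.0.2.10", 443)
    events = []
    # Three ordinary clients: SYN, then the final ACK 50 ms later.
    for i in range(3):
        src = f"203.0.113.{i + 1}"
        events.append((1.0 + i, src, 50000 + i, *web, SYN))
        events.append((1.05 + i, src, 50000 + i, *web, ACK))
    # 40 SYNs carrying forged source addresses; no ACK ever follows.
    for i in range(40):
        events.append((10.0 + i * 0.01, f"198.51.100.{i + 1}", 40000 + i, *web, SYN))
    # One ordinary client after the half-open entries have timed out.
    events.append((100.0, "203.0.113.9", 50009, *web, SYN))
    events.append((100.05, "203.0.113.9", 50009, *web, ACK))
    return sorted(events)


def analyse(events, **kwargs):
    """Feeds events to a tracker; returns it with the peak half-open count seen."""
    tracker = HalfOpenTracker(**kwargs)
    peak = 0
    for ev in events:
        tracker.observe(*ev)
        peak = max(peak, tracker.half_open(ev[3], ev[4]))
    return tracker, peak


if __name__ == "__main__":
    tracker, peak = analyse(constructed_events())
    print("peak half-open connections:", peak)
    for ts, service, count in tracker.alerts:
        print(f"t={ts:.2f}s ALERT {service[0]}:{service[1]} half-open={count}")
```
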

Figure 3: Development of DDoS attacks (ARBOR Networks)

Practical experiences and observations

Unfortunately, and despite their enormous threat potential, DDoS attacks are normally not considered, or only secondarily considered, in enterprise risk analyses. Given the evident threat level, DDoS attacks have to be placed on an equal footing with the commonly known risks in general enterprise risk analyses.

Figure 4: Number of DDoS attacks per month (ARBOR Networks)

Non-operable e-services can result in huge losses in revenue. In addition, the reputation of the company that has been attacked and customer confidence in it are seriously affected. This is particularly the case if the company does a large portion of its business online. Thus, suitable DDoS protection tools and appropriate services from professional Internet providers are indispensable for recognising and staving off DDoS attacks. They represent the fastest and most secure method of sustaining the operation of one's own Internet service platform. On the one hand, this strengthens the confidence of one's own customers; on the other hand, it ensures constant business volumes on the platform.

Figure 5: Average duration for staving off DDoS attacks (ARBOR Networks)

3 Protective measures against DDoS attacks

3.1 Blackhole defence

Effective protection against attacks on the accessibility of both secured and unsecured systems is generally possible only to a very limited extent using IT resources. Unsecured systems are designed for the express purpose of allowing communication with practically any system and responding dynamically to fluctuations in load. Almost all known measures focus on preventing a company's own systems and networks from being misused for a DDoS attack. There are only a small number of effective protective measures that can diminish the effects of an attack.

The protective measures used up to now rely on black hole or sinkhole technology to disable the attacked services. The undesirable data streams are completely rerouted to router ports of the backbone gateways (-> route to Null0) and neutralised.

Figure 6: Principle of blackhole technology

Advantages:
- Blackhole technology protects the web infrastructure from attacks, but only to a limited extent.

Disadvantages:
- All data streams are deleted, meaning that the company can no longer receive data from specific sections and regions of the network.
- Combating undesired data streams in the backbone of the ISP on the basis of black hole technology is complex and requires in-depth routing knowledge.

3.2 Current protective measures with the DDoS Protection Service

General features

The DDoS Protection Service is an option to the IP-Plus Business Internet Service from Swisscom and features the following characteristics:

- Effective protection of the Internet infrastructure from DDoS attacks (attacks of up to 40 Gbit/s can currently be filtered)
- Pro-active alert system when DDoS attacks occur, via e-mail, SMS, SNMP Traps and Syslog
- Access for friendly users permitted during DDoS attacks
- Full access to the management platform, including monitoring and reporting, during DDoS attacks
- Direct defence against DDoS attacks via the management platform by the security or network administrator
- Dynamic identification and blocking of DDoS attacks
- 7x24h helpdesk/support by the DDoS experts team
- No hardware installation at the customer's site required

Figure 7: Function of the DDoS Protection Service (option to the IP-Plus Business Internet Service)

Advantages:
- The traffic streams in the backbone are continuously monitored by the DDoS Protection Service. If a deviation from the baseline (= bandwidth development continuously recorded over 24 hours) occurs, a low, medium or high alert, depending on the type of deviation, is proactively sent directly to the individual responsible for the system via e-mail, SMS, SNMP Traps or Syslog.
- Based on the alert information, the customer can systematically fight the DDoS attacks either himself or with 2nd or 3rd level support from the Swisscom helpdesk.

Disadvantage:
- In-depth knowledge is required to assess traffic anomalies. If this knowledge is not present, specialists are available around the clock.

3.2.2 Traffic anomaly detection

Traffic anomaly detection is based on several Arbor Peakflow systems. With the help of these systems, the data stream in the Internet backbone of IP Plus is recorded and analysed for anomalies. The baseline data is continuously and dynamically recorded by the Peakflow systems. The day of the week, the time and the bandwidth measured at this time are registered during this process, along with the protocol conformity. This baseline data is then used as comparison data to alert the company to DDoS attacks. In the event of an alert, the respective alert level (low, medium, high) is triggered on the basis of the deviation between the baseline and the actually measured data stream throughput. Using this information, the traffic related to the company's own infrastructure can be continuously monitored and analysed.

Figure 8: Status view via customer portal

Threat Management System

To defend against DDoS attacks, Swisscom uses what is known as a Threat Management System (TMS). In the event of an attack, the traffic and/or the data stream in the direction of the attacked system can be rerouted via the TMS. The TMS analyses this traffic, can efficiently distinguish between non-malicious and malicious traffic, and filters the latter out. The filtered and therefore authorised traffic is then rerouted to the original destination.
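An added example, not Swisscom's or Arbor's implementation: the comparison of measured throughput against a baseline kept per day of the week and hour, as described under "Traffic anomaly detection" above. The median baseline, the ratio limits for low/medium/high, the rule of not learning from alerting samples, all names and all sample data are assumptions constructed for illustration; the page gives no thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed limits for measured/baseline ratio, checked from highest to lowest.
LEVELS = [(6.0, "high"), (3.0, "medium"), (1.5, "low")]


class TrafficBaseline:
    """Bandwidth baseline per (day of week, hour) slot, in Mbit/s."""

    def __init__(self):
        self.samples = defaultdict(list)   # (weekday, hour) -> [Mbit/s, ...]

    def record(self, when, mbps):
        self.samples[(when.weekday(), when.hour)].append(mbps)

    def expected(self, when):
        values = self.samples.get((when.weekday(), when.hour))
        return median(values) if values else None

    def classify(self, when, mbps):
        """Returns 'normal', 'low', 'medium', 'high', or None without a baseline."""
        base = self.expected(when)
        if not base:
            return None
        ratio = mbps / base
        for limit, level in LEVELS:
            if ratio >= limit:
                return level
        return "normal"

    def observe(self, when, mbps):
        """Classifies a sample and learns from it only if it did not alert.

        Skipping alerting samples keeps attack traffic from raising the
        baseline and hiding a long-running attack.
        """
        level = self.classify(when, mbps)
        if level in (None, "normal"):
            self.record(when, mbps)
        return level


def constructed_history(weeks=4):
    """Constructed hourly samples: about 300 Mbit/s in office hours, else about 40."""
    start = datetime(2016, 2, 1)           # a Monday
    for h in range(weeks * 7 * 24):
        when = start + timedelta(hours=h)
        busy = when.weekday() < 5 and 8 <= when.hour < 18
        jitter = (h % 5 - 2) * 4           # deterministic variation of +/- 8 Mbit/s
        yield when, (300 if busy else 40) + jitter


def build_monitor():
    baseline = TrafficBaseline()
    for when, mbps in constructed_history():
        baseline.record(when, mbps)
    return baseline


if __name__ == "__main__":
    monitor = build_monitor()
    monday_10 = datetime(2016, 2, 29, 10)
    sunday_03 = datetime(2016, 3, 6, 3)
    # The same 310 Mbit/s is ordinary on Monday morning but a strong
    # deviation in the Sunday 03:00 slot; a single fixed limit cannot tell.
    for when in (monday_10, sunday_03):
        print(when, "baseline", monitor.expected(when),
              "-> 310 Mbit/s is", monitor.classify(when, 310))
```
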

4 DDoS Protection Service from Swisscom

4.1 Filtering process of a DDoS attack

The first four steps of the DDoS attack filtering process are:

1. Additional DDoS traffic (attack traffic)
2. Recognition of the malicious DDoS attack (malicious traffic recognition)
3. Automatic alerting via DDoS Protection Service (alerting/notification)
4. Manual activation via DDoS Protection Management Platform (DDoS filter activation)

Figure 9: Defence against a DDoS attack (1/2)

The next three and final steps of the DDoS attack filtering process are:

5. The malicious data traffic is rerouted via the TMS (malicious traffic rerouting)
6. Active filtering of the DDoS traffic (active DDoS filtering)
7. Normal forwarding of the legitimated data traffic (legitimated traffic)

Figure 10: Defence against a DDoS attack (2/2)

The activation of the TMS filter function is always initiated by the customer, because his knowledge of his network operations avoids false alarms, triggered for example by a planned software upgrade, which can be recognised as a traffic anomaly under certain circumstances. The following activation options are available for selection:

- Direct activation of the TMS using user name/password on a protected web site (-> https), including secure authentication by a client certificate
- Activation or support via help desk 7 x 24h with the following response times:

                            Mon - Fri, 7 a.m. - 6 p.m.    Mon - Sun, 7 a.m. - 6 p.m.
  Via remote maintenance    < 1 hr.                       < 2 hrs.

If the attack is currently utilising the full capacity of the customer's Internet connection, the TMS can alternatively be accessed via web browser over a Mobile Unlimited connection, a dedicated xDSL connection or another Internet access technology.

4.2 Option DDoS Protection enhanced

For even more efficient protection, the option DDoS Protection enhanced can be implemented as an additional enhancement. It is based on hardware which is installed close to the WAN-LAN transition at the customer location. The hardware permanently analyses the traffic flow inline up to and including the OSI application layer (layer 7). An SSL inspection function allows the recognition and neutralisation of the increasing number of attacks via encrypted IP sessions. Based on the rule settings, the anomaly level is determined continuously and unambiguous attack traffic is filtered automatically. If a pre-defined anomaly level is exceeded, help from the cloud is requested via cloud signalling. If an operator decides to mitigate the situation, a new anycast address is set via the DDoS Protection Service as the new next hop for the attacked IP address. The traffic flow is then redirected and filtered via the Threat Management System (TMS) and rerouted, without attack traffic, via a GRE tunnel directly to the customer router.

Figure 11: Enhanced defence of a DDoS attack with DDoS Protection enhanced

The option DDoS Protection enhanced extends the security level to all seven OSI layers. The most important advantages are:

- Immediate protection against DDoS attacks on the application layer which could endanger the availability of services and applications.
- Automatic recognition and lock-out of DDoS attacks before services are disturbed. This requires no, or only minimal, user intervention, which reduces the pressure on the IT safety officer.

5 Summary

5.1 Solution alternatives

At present the customer has the choice between three different options:

1. The customer infrastructure does not have any DDoS defence mechanisms. An attack therefore quickly takes effect and the web site is offline.
2. A DDoS device is integrated right before the firewall at the customer's site. If the bandwidth of the DDoS attack exceeds the bandwidth of the access link, the web site goes offline, too.
3. In the third and most effective solution alternative, the DDoS attack is detected already before its ingress into the ISP backbone and can be filtered accordingly. In this setup the attack traffic is filtered out and the legitimated traffic continues to be routed to the web service. Online availability can therefore be ensured almost completely.

Figure 12: Possible solution alternatives for defending DDoS attacks

The option DDoS Protection enhanced offers additional protection, which includes a permanent local inline traffic analysis up to and including OSI layer 7.

5.2 Danger and damage potentials

During the past 12 months, an above-average growth rate of DDoS attacks on enterprises in different sectors and on political organisations was registered in Switzerland. In a case study, a real DDoS attack on an enterprise with an online platform was documented, together with the progress of and the defence against the attack. The analysed attack traffic originated mainly from Peru, Chile, China, Taiwan, USA, Egypt and Kenya. The progression of the attack clearly proved that it was actively directed against the customer. This was illustrated, among other things, by the appearance of another traffic peak some two days after the start of the first attack. With it, the offender tested whether the online services could be disturbed by intensifying the attack traffic. However, this attempt also failed thanks to the DDoS Protection Service from Swisscom. Without its activation, the online services would have been unavailable for at least two days. The attack would have caused great damage, on the one hand financially (sales shortfall) and on the other hand to the company's image. The latter damage is hard to quantify, but all the more lasting.

5.3 Managed Service

The DDoS Protection Service is set up in the IP Plus Business Internet backbone as a Swisscom Managed Service, using the IP address range requested by the customer. This setup allows the Internet access to be continuously monitored for anomalies and the customer to be alerted depending on the defined bandwidth limits. The direct access to the TMS provides an efficient tool that allows the customer to perform an in-depth analysis of the data traffic aimed at his infrastructure and to protect himself immediately in the case of an attack. Of course, Swisscom also provides the customer with the best possible support in this process.

6 Glossary

Term: Explanation

AS: Autonomous System
ASN: Autonomous System Number
BGP: Border Gateway Protocol
Blackhole: Blackholes are used to route all IP packets sent to an offended system to the Null0 interface.
Botnet: A Botnet can be described as a network of remotely controlled PCs which were infected with worms, Trojan horses or others and which can be misused for specific attacks on demand.
CPE: Customer Premises Equipment
DDoS: Distributed Denial of Service
DNS: Domain Name System
GRE: Generic Routing Encapsulation (serves the encapsulation of other protocols and their transport via a tunnel over IP)
HTTPS: Secure Hyper Text Transport Protocol
IP: Internet Protocol
ISP: Internet Service Provider
Mpps: Mega packets per second
OSI: Open System Interconnection (reference model for data networks; it consists of seven communication layers with different tasks)
PC: Personal Computer
SAP: Service Access Point
SMS: Short Message Service
SNMP: Simple Network Management Protocol (is used for the management of network elements like routers, switches, printers etc.)
SSL: Secure Sockets Layer (encryption protocol for a secure data transmission)
TCP: Transmission Control Protocol
TMS: Threat Management System
UDP: User Datagram Protocol


More information

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

Data Communication. Chapter # 5: Networking Threats. By: William Stalling Data Communication Chapter # 5: By: Networking Threats William Stalling Risk of Network Intrusion Whether wired or wireless, computer networks are quickly becoming essential to everyday activities. Individuals

More information

CLOUD-BASED DDOS PROTECTION FOR HOSTING PROVIDERS

CLOUD-BASED DDOS PROTECTION FOR HOSTING PROVIDERS CLOUD-BASED DDOS PROTECTION FOR HOSTING PROVIDERS A STRONG PARTNER OUR PORTFOLIO COMPANY Expand your own portfolio with an IT security expert that has redefined DDoS protection from the cloud. Link11 is

More information

DDoS MITIGATION BEST PRACTICES

DDoS MITIGATION BEST PRACTICES DDoS MITIGATION BEST PRACTICES DDoS ATTACKS ARE INCREASING EXPONENTIALLY Organizations are becoming increasingly aware of the threat that Distributed Denial of Service (DDoS) attacks can pose. According

More information

RESELLER LOGO RADICALLY BETTER. DDoS PROTECTION. Radically more effective, radically more affordable solutions for small and medium enterprises

RESELLER LOGO RADICALLY BETTER. DDoS PROTECTION. Radically more effective, radically more affordable solutions for small and medium enterprises RESELLER LOGO RADICALLY BETTER DDoS PROTECTION Radically more effective, radically more affordable solutions for small and medium enterprises IT S TIME TO GET SERIOUS ABOUT CYBER CRIME Despite the headline

More information

Distributed Denial of Service (DDoS)

Distributed Denial of Service (DDoS) Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang Presented by Adwait Belsare (adwait@wpi.edu) Suvesh Pratapa (suveshp@wpi.edu) Modified by

More information

Security Annex for DDoS Additional Terms for DDoS Protection

Security Annex for DDoS Additional Terms for DDoS Protection CONTENTS 1 Glossary of Terms & Definitions... 2 2 Service Description... 2 2.1 Installation and Service Provision... 2 2.2 Cleaning and Mitigation... 3 2.3 Mitigation Limitations... 3 2.4 DDoS Attack Monitoring...

More information

Enterprise D/DoS Mitigation Solution offering

Enterprise D/DoS Mitigation Solution offering Enterprise D/DoS Mitigation Solution offering About the Domain TCS Enterprise Security and Risk Management (ESRM) offers full services play in security with integrated security solutions. ESRM s solution

More information

A custom excerpt from Frost & Sullivan s Global DDoS Mitigation Market Research Report (NDD2-72) July, 2014 NDD2-74

A custom excerpt from Frost & Sullivan s Global DDoS Mitigation Market Research Report (NDD2-72) July, 2014 NDD2-74 Analysis of the Global Distributed Denial of Service (DDoS) Mitigation Market Abridged Version Rise of the DDoS Attack Spurs Demand for Comprehensive Solutions A custom excerpt from Frost & Sullivan s

More information

The Protocols that run the Internet

The Protocols that run the Internet The Protocols that run the Internet Attack types in the Internet Seminarvortrag Sommersemester 2003 Jens Gerken Content Internet Attacks Introduction Network Service Attacks Distributed Denial of Service

More information

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe. Crises Control Cloud Security Principles Transputec provides ICT Services and Solutions to leading organisations around the globe. As a provider of these services for over 30 years, we have the credibility

More information

A Review Paper on Network Security Attacks and Defences

A Review Paper on Network Security Attacks and Defences EUROPEAN ACADEMIC RESEARCH Vol. IV, Issue 12/ March 2017 ISSN 2286-4822 www.euacademic.org Impact Factor: 3.4546 (UIF) DRJI Value: 5.9 (B+) A Review Paper on Network Security Attacks and ALLYSA ASHLEY

More information

TDC DoS Protection Service Description and Special Terms

TDC DoS Protection Service Description and Special Terms TDC DoS Protection Service Description and Special Terms Table of contents 1 Purpose of this Product-Specific Appendix... 3 2 Service description... 3 2.1 Attack detection... 3 2.1.1 Managed Objects...

More information

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing. R (2) N (5) Oral (3) Total (10) Dated Sign Experiment No: 1 Problem Definition: Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing. 1.1 Prerequisite:

More information

Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats.

Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats. Network IPS Overview Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats. By using protocol recognition, identification, and traffic analysis

More information

CTS2134 Introduction to Networking. Module 08: Network Security

CTS2134 Introduction to Networking. Module 08: Network Security CTS2134 Introduction to Networking Module 08: Network Security Denial of Service (DoS) DoS (Denial of Service) attack impacts system availability by flooding the target system with traffic or by exploiting

More information

Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks

Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks So we are proposing a network intrusion detection system (IDS) which uses a Keywords: DDoS (Distributed Denial

More information

Denial of Service Protection Standardize Defense or Loose the War

Denial of Service Protection Standardize Defense or Loose the War Denial of Service Protection Standardize Defense or Loose the War ETSI : the threats, risk and opportunities 16th and 17th - Sophia-Antipolis, France By: Emir@cw.net Arslanagic Head of Security Engineering

More information

INTRODUCTION: DDOS ATTACKS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

INTRODUCTION: DDOS ATTACKS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC INTRODUCTION: DDOS ATTACKS 1 DDOS ATTACKS Though Denial of Service (DoS) and Distributed Denial of Service (DDoS) have been common attack techniques used by malicious actors for some time now, organizations

More information

Panda Security 2010 Page 1

Panda Security 2010 Page 1 Panda Security 2010 Page 1 Executive Summary The malware economy is flourishing and affecting both consumers and businesses of all sizes. The reality is that cybercrime is growing exponentially in frequency

More information

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004 Denial of Service Serguei A. Mokhov SOEN321 - Fall 2004 Contents DOS overview Distributed DOS Defending against DDOS egress filtering References Goal of an Attacker Reduce of an availability of a system

More information

Network Security. Chapter 0. Attacks and Attack Detection

Network Security. Chapter 0. Attacks and Attack Detection Network Security Chapter 0 Attacks and Attack Detection 1 Attacks and Attack Detection Have you ever been attacked (in the IT security sense)? What kind of attacks do you know? 2 What can happen? Part

More information

DDoS Protector. Simon Yu Senior Security Consultant. Block Denial of Service attacks within seconds CISSP-ISSAP, MBCS, CEH

DDoS Protector. Simon Yu Senior Security Consultant. Block Denial of Service attacks within seconds CISSP-ISSAP, MBCS, CEH DDoS Protector Block Denial of Service attacks within seconds Simon Yu Senior Security Consultant CISSP-ISSAP, MBCS, CEH 2012 Check Point Software Technologies Ltd. [PROTECTED] All rights reserved. 2012

More information

Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis

Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis Keywords: Intelligent Next-Generation Firewall (ingfw), Unknown Threat, Abnormal Parameter, Abnormal Behavior,

More information

2nd SIG-NOC meeting and DDoS Mitigation Workshop Scrubbing Away DDOS Attacks. 9 th November 2015

2nd SIG-NOC meeting and DDoS Mitigation Workshop Scrubbing Away DDOS Attacks. 9 th November 2015 2nd SIG-NOC meeting and DDoS Mitigation Workshop Scrubbing Away DDOS Attacks 9 th November 2015 AKAMAI SOLUTIONS WEB PERFORMANCE SOLUTIONS MEDIA DELIVERY SOLUTIONS CLOUD SECURITY SOLUTIONS CLOUD NETWORKING

More information

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE s3security.com Security Professional Services S3 offers security services through its Security Professional Services (SPS) group, the security-consulting

More information

Computer Security Policy

Computer Security Policy Administration and Policy: Computer usage policy B 0.2/3 All systems Computer and Rules for users of the ECMWF computer systems May 1995 Table of Contents 1. The requirement for computer security... 1

More information

DDoS: Coordinated Attacks Analysis

DDoS: Coordinated Attacks Analysis DDoS: Coordinated Attacks Analysis This article will cover some concepts about a well-known attack named DDoS (Distributed Denial-of-Service) with some lab demonstrations as a Proof of Concept with countermeasures.

More information

Wireless Network Security Fundamentals and Technologies

Wireless Network Security Fundamentals and Technologies Wireless Network Security Fundamentals and Technologies Rakesh V S 1, Ganesh D R 2, Rajesh Kumar S 3, Puspanathan G 4 1,2,3,4 Department of Computer Science and Engineering, Cambridge Institute of Technology

More information

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security Routing Security DDoS and Route Hijacks Merike Kaeo CEO, Double Shot Security merike@doubleshotsecurity.com DISCUSSION POINTS Understanding The Growing Complexity DDoS Attack Trends Packet Filters and

More information

Schedule document N4MDM. PUBLIC Node4 limited 31/11/2018. Node4 Limited Millennium Way Pride Park Derby DE24 8HZ

Schedule document N4MDM. PUBLIC Node4 limited 31/11/2018. Node4 Limited Millennium Way Pride Park Derby DE24 8HZ Schedule document N4MDM PUBLIC Node4 limited 31/11/2018 Schedule document N4MDM This Schedule contains additional terms, Service Description & Service Level Agreement applicable to the N4 End Point Management

More information

SCHEDULE DOCUMENT N4MDM PUBLIC NODE4 LIMITED 13/07/2017. Node4 Limited Millennium Way Pride Park Derby DE24 8HZ

SCHEDULE DOCUMENT N4MDM PUBLIC NODE4 LIMITED 13/07/2017. Node4 Limited Millennium Way Pride Park Derby DE24 8HZ SCHEDULE DOCUMENT N4MDM PUBLIC NODE4 LIMITED 13/07/2017 SCHEDULE This Schedule contains additional terms, Service Description & Service Level Agreement applicable to the N4 End Point Management Service

More information

Your security on click Jobs

Your security on click Jobs Your security on click Jobs At Click Jobs is a trading name of Raspberry Recruitment Limited, we're committed to helping you find the right job in a safe and secure environment. On these pages, you can

More information

Russian Cyber Attack Warning and Impact on AccessEnforcer UTM Firewall

Russian Cyber Attack Warning and Impact on AccessEnforcer UTM Firewall Russian Cyber Attack Warning and Impact on AccessEnforcer UTM Firewall 1 U.S. and U.K. authorities last week alerted the public to an on-going effort to exploit network infrastructure devices including

More information

Multi-vector DDOS Attacks

Multi-vector DDOS Attacks Multi-vector DDOS Attacks Detection and Mitigation Paul Mazzucco Chief Security Officer August 2015 Key Reasons for Cyber Attacks Money and more money Large number of groups From unskilled to advanced

More information

Modern IP Communication bears risks

Modern IP Communication bears risks Modern IP Communication bears risks How to protect your business telephony from cyber attacks Voice-over-IP (VoIP) provides many new features over PSTN. However, the interconnection with your IT infrastructure

More information

Securing Online Businesses Against SSL-based DDoS Attacks. Whitepaper

Securing Online Businesses Against SSL-based DDoS Attacks. Whitepaper Securing Online Businesses Against SSL-based DDoS Attacks Whitepaper Table of Contents Introduction......3 Encrypted DoS Attacks...3 Out-of-path Deployment ( Private Scrubbing Centers)...4 In-line Deployment...6

More information

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content Intrusion Detection INFO404 - Lecture 13 21.04.2009 nfoukia@infoscience.otago.ac.nz Content Definition Network vs. Host IDS Misuse vs. Behavior Based IDS Means for Intrusion Detection Definitions (1) Intrusion:

More information

2. INTRUDER DETECTION SYSTEMS

2. INTRUDER DETECTION SYSTEMS 1. INTRODUCTION It is apparent that information technology is the backbone of many organizations, small or big. Since they depend on information technology to drive their business forward, issues regarding

More information

Secure Network Design Document

Secure Network Design Document Secure Network Design Document May 3, 2007 Authored by: Steven Puzio TABLE OF CONTENTS I. Overview... 3 II. Company Information... 5 III. Wiring Closet Cabling and Design... 6 IV. Network Electronics Selection...

More information

Check Point DDoS Protector Introduction

Check Point DDoS Protector Introduction Check Point DDoS Protector Introduction Petr Kadrmas SE Eastern Europe pkadrmas@checkpoint.com Agenda 1 (D)DoS Trends 2 3 4 DDoS Protector Overview Protections in Details Summary 2 (D)DoS Attack Methods

More information

Mitigating Outgoing Spam, DoS/DDoS Attacks and Other Security Threats

Mitigating Outgoing Spam, DoS/DDoS Attacks and Other Security Threats Solution Brief Mitigating Outgoing Spam, DoS/DDoS Attacks and Other Security Threats 2006 Allot Communications Ltd. Allot Communications, NetEnforcer and the Allot logo are registered trademarks of Allot

More information

Network Security and Cryptography. 2 September Marking Scheme

Network Security and Cryptography. 2 September Marking Scheme Network Security and Cryptography 2 September 2015 Marking Scheme This marking scheme has been prepared as a guide only to markers. This is not a set of model answers, or the exclusive answers to the questions,

More information

snoc Snoc DDoS Protection Fast Secure Cost effective Introduction Snoc 3.0 Global Scrubbing Centers Web Application DNS Protection

snoc Snoc DDoS Protection Fast Secure Cost effective Introduction Snoc 3.0 Global Scrubbing Centers Web Application DNS Protection Snoc DDoS Protection Fast Secure Cost effective sales@.co.th www..co.th securenoc Introduction Snoc 3.0 Snoc DDoS Protection provides organizations with comprehensive protection against the most challenging

More information

BASELINE GENERAL PRACTICE SECURITY CHECKLIST Guide

BASELINE GENERAL PRACTICE SECURITY CHECKLIST Guide BASELINE GENERAL PRACTICE SECURITY CHECKLIST Guide Last Updated 8 March 2016 Contents Introduction... 2 1 Key point of contact... 2 2 Third Part IT Specialists... 2 3 Acceptable use of Information...

More information

Imma Chargin Mah Lazer

Imma Chargin Mah Lazer Imma Chargin Mah Lazer How to protect against (D)DoS attacks Oliver Matula omatula@ernw.de #2 Denial of Service (DoS) Outline Why is (D)DoS protection important? Infamous attacks of the past What types

More information

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government

More information

this security is provided by the administrative authority (AA) of a network, on behalf of itself, its customers, and its legal authorities

this security is provided by the administrative authority (AA) of a network, on behalf of itself, its customers, and its legal authorities INFRASTRUCTURE SECURITY this security is provided by the administrative authority (AA) of a network, on behalf of itself, its customers, and its legal authorities Goals * prevent or mitigate resource attacks

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file

More information

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL CONTENTS EXECUTIVE SUMMARY 1 WEB APPLICATION SECURITY CHALLENGES 2 INSIST ON BEST-IN-CLASS CORE CAPABILITIES 3 HARNESSING ARTIFICIAL INTELLIGENCE

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 19: Intrusion Detection Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Intruders Intrusion detection host-based network-based

More information

IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management

IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management IPv6 zone-based firewalls support the Protection of Distributed Denial of Service Attacks and the Firewall

More information

WHITE PAPER Hybrid Approach to DDoS Mitigation

WHITE PAPER Hybrid Approach to DDoS Mitigation WHITE PAPER Hybrid Approach to DDoS Mitigation FIRST LINE OF DEFENSE Executive Summary As organizations consider options for DDoS mitigation, it is important to realize that the optimal solution is a hybrid

More information

CompTIA CAS-003. CompTIA Advanced Security Practitioner (CASP)

CompTIA CAS-003. CompTIA Advanced Security Practitioner (CASP) CompTIA CAS-003 CompTIA Advanced Security Practitioner (CASP) http://killexams.com/pass4sure/exam-detail/cas-003 DEMO Find some pages taken from full version Killexams CAS-003 questions and answers are

More information

Networking interview questions

Networking interview questions Networking interview questions What is LAN? LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected

More information

NETWORK SECURITY. Ch. 3: Network Attacks

NETWORK SECURITY. Ch. 3: Network Attacks NETWORK SECURITY Ch. 3: Network Attacks Contents 3.1 Network Vulnerabilities 3.1.1 Media-Based 3.1.2 Network Device 3.2 Categories of Attacks 3.3 Methods of Network Attacks 03 NETWORK ATTACKS 2 3.1 Network

More information

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper Protecting DNS Critical Infrastructure Solution Overview Radware Attack Mitigation System (AMS) - Whitepaper Table of Contents Introduction...3 DNS DDoS Attacks are Growing and Evolving...3 Challenges

More information

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks CISNTWK-440 Intro to Network Security Chapter 4 Network Vulnerabilities and Attacks Objectives Explain the types of network vulnerabilities List categories of network attacks Define different methods of

More information

Computer Network Vulnerabilities

Computer Network Vulnerabilities Computer Network Vulnerabilities Objectives Explain how routers are used to protect networks Describe firewall technology Describe intrusion detection systems Describe honeypots Routers Routers are like

More information

Security

Security Security +617 3222 2555 info@citec.com.au Security With enhanced intruder technologies, increasingly sophisticated attacks and advancing threats, your data has never been more susceptible to breaches from

More information

WHITE PAPER. Secure communication. - Security functions of i-pro system s

WHITE PAPER. Secure communication. - Security functions of i-pro system s WHITE PAPER Secure communication - Security functions of i-pro system s Panasonic Video surveillance systems Table of Contents 1. Introduction... 1 2. Outline... 1 3. Common security functions of the i-pro

More information

Management of IT Infrastructure Security by Establishing Separate Functional Area with Spiral Security Model

Management of IT Infrastructure Security by Establishing Separate Functional Area with Spiral Security Model Management of IT Infrastructure Security by Establishing Separate Functional Area with Spiral Security Model Abhijit Vitthal Sathe Modern Institute of Business Management, Shivajinagar, Pune 411 005 abhijit_sathe@hotmail.com

More information

Industrial Control System Security white paper

Industrial Control System Security white paper Industrial Control System Security white paper The top 10 threats to automation and process control systems and their countermeasures with INSYS routers Introduction With the advent of M2M (machine to

More information

Cisco IOS Classic Firewall/IPS: Configuring Context Based Access Control (CBAC) for Denial of Service Protection

Cisco IOS Classic Firewall/IPS: Configuring Context Based Access Control (CBAC) for Denial of Service Protection Cisco IOS Classic Firewall/IPS: Configuring Context Based Access Control (CBAC) for Denial of Service Protection Document ID: 98705 Contents Introduction Prerequisites Requirements Components Used Conventions

More information

PROTECTING INFORMATION ASSETS NETWORK SECURITY

PROTECTING INFORMATION ASSETS NETWORK SECURITY PROTECTING INFORMATION ASSETS NETWORK SECURITY PAUL SMITH 20 years of IT experience (desktop, servers, networks, firewalls.) 17 years of engineering in enterprise scaled networks 10+ years in Network Security

More information

Capability Analysis of Internet of Things (IoT) Devices in Botnets & Implications for Cyber Security Risk Assessment Processes (Part One)

Capability Analysis of Internet of Things (IoT) Devices in Botnets & Implications for Cyber Security Risk Assessment Processes (Part One) Capability Analysis of Internet of Things (IoT) Devices in Botnets & Implications for Cyber Security Risk Assessment Processes (Part One) Presented by: Andrew Schmitt Theresa Chasar Mangaya Sivagnanam

More information

Corrigendum 3. Tender Number: 10/ dated

Corrigendum 3. Tender Number: 10/ dated (A premier Public Sector Bank) Information Technology Division Head Office, Mangalore Corrigendum 3 Tender Number: 10/2016-17 dated 07.09.2016 for Supply, Installation and Maintenance of Distributed Denial

More information

Arbor White Paper Keeping the Lights On

Arbor White Paper Keeping the Lights On Arbor White Paper Keeping the Lights On The Importance of DDoS Defense in Business Continuity Planning About Arbor Networks Arbor Networks Inc., the cyber security division of NETSCOUT, helps secure the

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Network attacks denial-of-service (DoS) attacks SYN

More information

WHITE PAPER. DDoS of Things SURVIVAL GUIDE. Proven DDoS Defense in the New Era of 1 Tbps Attacks

WHITE PAPER. DDoS of Things SURVIVAL GUIDE. Proven DDoS Defense in the New Era of 1 Tbps Attacks WHITE PAPER 2017 DDoS of Things SURVIVAL GUIDE Proven DDoS Defense in the New Era of 1 Tbps Attacks Table of Contents Cyclical Threat Trends...3 Where Threat Actors Target Your Business...4 Network Layer

More information

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015 Distributed Systems 29. Firewalls Paul Krzyzanowski Rutgers University Fall 2015 2013-2015 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive data & systems not accessible Integrity:

More information

IoT - Next Wave of DDoS? IoT Sourced DDoS Attacks A Focus on Mirai Botnet and Best Practices in DDoS Defense

IoT - Next Wave of DDoS? IoT Sourced DDoS Attacks A Focus on Mirai Botnet and Best Practices in DDoS Defense IoT - Next Wave of DDoS? IoT Sourced DDoS Attacks A Focus on Mirai Botnet and Best Practices in DDoS Defense DDoS Attacks Increasing in Size, Frequency & Complexity Arbor Networks WISR XII Largest attack

More information

COMPUTER NETWORK SECURITY

COMPUTER NETWORK SECURITY COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (7 th Week) 7. Denial-of-Service Attacks 7.Outline Denial of Service Attacks Flooding Attacks Distributed Denial of Service Attacks Application Based

More information

Configuring Anomaly Detection

Configuring Anomaly Detection CHAPTER 12 This chapter describes how to create multiple security policies and apply them to individual virtual sensors. It contains the following sections: Understanding Policies, page 12-1 Anomaly Detection

More information

What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1

What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1 What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1 PB478675 Product Overview The Cisco ACE Application Control Engine 4710 represents the next generation of application switches

More information

DDoS Protection in Backbone Networks

DDoS Protection in Backbone Networks DDoS Protection in Backbone Networks The Czech Way Pavel Minarik, Chief Technology Officer Holland Strikes Back, 3 rd Oct 2017 Backbone DDoS protection Backbone protection is specific High number of up-links,

More information

Imperva Incapsula Survey: What DDoS Attacks Really Cost Businesses

Imperva Incapsula Survey: What DDoS Attacks Really Cost Businesses Survey Imperva Incapsula Survey: What DDoS Attacks Really Cost Businesses BY: TIM MATTHEWS 2016, Imperva, Inc. All rights reserved. Imperva and the Imperva logo are trademarks of Imperva, Inc. Contents

More information

EE 122: Network Security

EE 122: Network Security Motivation EE 122: Network Security Kevin Lai December 2, 2002 Internet currently used for important services - financial transactions, medical records Could be used in the future for critical services

More information

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways Firewalls 1 Overview In old days, brick walls (called firewalls ) built between buildings to prevent fire spreading from building to another Today, when private network (i.e., intranet) connected to public

More information

NETWORK THREATS DEMAN

NETWORK THREATS DEMAN SELF-DEFENDING NETWORK NETWORK THREATS DEMAN NEW SECURITY: STRATEGIES TECHNOLOGIES Self-Propagating Threats A combination of: self propagating threats Collaborative applications Interconnected environments

More information

Chapter 7. Denial of Service Attacks

Chapter 7. Denial of Service Attacks Chapter 7 Denial of Service Attacks DoS attack: An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU),

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Intrusion Detection Systems Intrusion Actions aimed at compromising the security of the target (confidentiality, integrity, availability of computing/networking

More information