DDoS Introduction. We see things others can't. Pablo Grande.


DDoS Introduction. We see things others can't. Pablo Grande, pgrande@arbor.net

DoS & DDoS. Unavailability! Interruption! A Denial of Service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, for example by temporarily or indefinitely interrupting or suspending the services of a host connected to the Internet. A Distributed Denial of Service (DDoS) attack is one where the attack comes from more than one source, often thousands of unique IP addresses. It is analogous to a group of people crowding the entry door or gate of a shop or business and not letting legitimate parties enter, disrupting normal operations.

DDoS Types of Attacks. 1. Volumetric attacks: also known as floods, the goal of this type of attack is to cause congestion by sending so much traffic that it overwhelms the bandwidth of the site. Attacks are typically executed using botnets, an army of computers infected with malicious software and controlled as a group by the hacker. 2. TCP state-exhaustion attacks (stateful devices): this type of attack focuses on the actual web servers, firewalls and load balancers to disrupt connections, exhausting the finite number of concurrent connections the device can support. 3. Application-layer attacks: this type of attack, also known as a Layer 7 attack, specifically targets weaknesses in an application or server, with the goal of establishing connections and exhausting the target by monopolizing processes and transactions. These sophisticated threats are harder to detect because few machines are required to attack, generating a low traffic rate that appears legitimate.

DDoS 10-Year Timeline. On New Year's Eve, the BBC website and iPlayer service went down due to a massive Distributed Denial of Service (DDoS) attack. The attack peaked at 602 Gbps, according to claims made by the New World Hacking group, who took responsibility for the attack. In another recent attack, Republican presidential candidate Donald Trump's main campaign website was also targeted by the same group.

DDoS Facts: frequent and complex, by combination.

DDoS Drivers/Motivators. [Chart: share of attacks by motivation, with segments of 25%, 20%, 30%, 13% and 12%; the segment labels are not preserved in the transcription.]

The New Breed of Advanced Threats: Botnets. [Diagram: attack spectrum from loud to quiet.]

Arbor Networks Overview. [Diagram: Arbor's network-wide product portfolio. DDoS: Arbor Cloud, Cloud Signaling, Peakflow SP/TMS, Pravail APS. Advanced threats: Peakflow MNA, Spectrum. ATLAS provides +140 Tbps of visibility across mobile carriers, service providers, public clouds, private clouds and corporate networks, between users or attackers and internal employees, distinguishing good traffic from malicious traffic and malware.] 100% of Tier 1 and 60% of Tier 2 service providers, 90% of Gartner Cloud and Web Hoster MQ providers, and 9 of the 10 top online brands.

Arbor: Securing the World's Largest Networks. 100%: percentage of the world's Tier 1 service providers who are Arbor customers. 130: number of countries with Arbor products deployed. +140 Tbps: amount of global traffic monitored right now by the ATLAS security intelligence initiative, with 330+ ISPs sharing real-time data, a very significant portion of global Internet traffic. 16: number of years Arbor has been delivering innovative security and network visibility technologies and products. #1: Arbor's market position in the Carrier, Enterprise and Mobile DDoS equipment market segments, with 67% of the total market [Infonetics Research].

ATLAS: Active Threat Level Analysis System. Malware, botnets, phishing, P2P and behavioral fingerprints. Monitoring of worldwide infrastructure for network-borne threats. 1. Identify: ATLAS sensors are deployed in global Internet darknet space to discover and classify attack activity. 2. Analyze: the information is sent to an ATLAS central repository, where it is combined with Arbor, third-party and vulnerability data. 3. Protect: ASERT analyzes the combined data and converts it into actionable intelligence, which is posted on the ATLAS public portal and pushed to customers' devices. [Diagram: darknet ATLAS sensors in ISP networks running Peakflow SP and Pravail NSI feed the ATLAS data center.]

Example of what we can see in real time: www.digitalattackmap.com

DDoS and Risk Planning

Solution Overview: DDoS Defense

DDoS Attack? It will never happen to me.

DDoS Attack? It will happen.

DDoS is an Exploding and Evolving Trend. More attack motivations: geopolitical (Burma taken offline by DDoS attack), protests (Visa, PayPal and MasterCard attacked) and extortion (Techwatch weathers DDoS extortion attack). Greater availability of botnets: better bots, easy access, more infected PCs with faster connections, web 2.0 tools used to control botnets, and commoditized cloud-based botnets, so attacks are cheaper and more frequent. Increased volume, complexity and frequency: the largest volumetric DDoS has grown from 8 to 600 Gbps in 10 years, over 25% of attacks are now application-based DDoS, mostly targeting HTTP, DNS and SMTP, and more than 50% of data center operators experience more than 10 attacks per month.

DDoS Misconceptions. Myth: my firewall/IPS provides DDoS protection. Fact: most large data center operators have seen their firewalls/IPS fail due to DDoS. Myth: I have enough bandwidth to absorb DDoS attacks. Fact: multi-gigabit attacks are common and can overwhelm the largest networks. Myth: no one would want to attack my business. Fact: most data centers suffer downtime every year due to DDoS. [Chart: Did your firewall/IPS fail due to DDoS within the last 12 months? Answers No, Yes and Not Deployed, with shares of 13%, 38% and 49%; which share belongs to which answer is not preserved in the transcription.] [Chart: largest attack in Gbps, with bars of 0.14, 1.2, 2.5, 10, 17, 24, 40, 49, 60 and 100.] Rent a botnet for as little as $50 per day. Source: Arbor Worldwide Infrastructure Security Report.

Botnets are a Business. A large number of botnet tools are available for purchase for anyone to create their own botnet. Botnet tools today are an industry of their own: you can buy software to create your own botnet, or hire botnets to generate attacks.

Commercial DDoS Botnets: Darkness. Popular bot, still in use, with many leaked versions. Widely mentioned in underground forums; competitive.

Darkness Control Panel. [Screenshot: 45,000 bots, 6,900 online.]

DirtJumper. Popular; 20,000 bots attacked Brian Krebs in November 2011. [Screenshot: 70,446 bots total, 668 active.]

Dirt Jumper 2. HTTP flood, synchronous flood, download flood and POST flood options.

Dirt Jumper 3. Two HTTP GET attacks and an HTTP POST attack, with increased randomization of attack headers.

DDoS Services using Dirt Jumper 3. Version 3 featured prominently in underground advertisements, which also mention Optima (Darkness) and G-Bot; "Anti-DDoS" attacks are mentioned as well.

Dirt Jumper 5. New features, including evasion of anti-DDoS protection.

Pandora. $800, cracked for $100. Attacks look just like those of the Dirt Jumper 5 and Khan bots. March 2012.

Di BoTNet. Re-uses Dirt Jumper code and adds a bot-killer feature. March 2012.

Armageddon. Very popular bot, an active competitor to other Russian bots. Involved in politically motivated attacks in Russia. Observed attacking HTTP and various other ports. Features an "Anti-DDoS" attack style and increased attack diversity.

Commercial DDoS Services. March 2012: a service claims a private version of Dirt Jumper 5 at $200/week. A five-minute test can account for very short attacks.

microsoftddos. March 2012. $800/month, 15-minute test. Money returned if the site comes back online. Anonymous logo used, yet competitive ideology.

Killer-G. March 2012. $600/month, 10-minute test. G-bot (a.k.a. Piranha, Drooptroop).

DDoS Service Marketing / Commercial DDoS Services. [Four screenshot slides of commercial DDoS service advertisements; no text is preserved in the transcription.]

Distributed Denial of Service (DDoS): Targeting your Network, Services and Customers.

DDoS Attack Categories. Volumetric, brute-force attacks: traffic floods exhaust resources by creating high bps or pps volumes and overwhelm the infrastructure (links, routers, switches, servers). Layer 4-7, smarter and slow attacks: TCP resource exhaustion exhausts resources in servers, load balancers, firewalls or routers; application-layer attacks take out specific services or applications.
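The categories on this slide, and the three attack types listed in the "DDoS Types of Attacks" slide earlier, each leave a different footprint in telemetry, so a defender's first job is telling them apart. The Python below is an added example, not code from the Arbor deck or any Arbor product: it classifies one measurement window from a monitoring point using the signal each category leaves (link utilization and packet rate for floods, the half-open handshake ratio for TCP state exhaustion, and server busy time against worker capacity for low-rate application-layer attacks). The threshold constants, the Window fields and the four sample windows are all constructed assumptions for illustration.

```python
"""Classify one monitoring window into the deck's three DDoS categories.

Added example (not Arbor code). Every threshold below is an assumption;
in practice they come from the site's own baseline measurements.
"""
from dataclasses import dataclass

LINK_BPS = 1_000_000_000      # assumed 1 Gbps link feeding the monitored site
VOLUMETRIC_FRACTION = 0.80    # assumed: >= 80% of link capacity counts as a flood
PPS_LIMIT = 1_000_000         # assumed packet-rate ceiling of the edge devices
MIN_SYNS = 1_000              # assumed: ignore the half-open ratio on tiny samples
HALF_OPEN_RATIO = 0.90        # assumed: >= 90% of SYNs never completing a handshake
WORKERS = 32                  # assumed concurrent request workers on the web tier


@dataclass
class Window:
    """One observation window (constructed fields, not a product schema)."""
    seconds: float
    bits: int              # bits received toward the site in the window
    packets: int           # packets received toward the site in the window
    syns: int              # TCP SYNs seen toward the site
    established: int       # handshakes that completed
    requests: int          # HTTP requests handled by the web tier
    mean_service_ms: float # mean server time per request
    sources: int           # distinct source IPs observed


def classify(w: Window) -> list:
    """Return the category labels a window triggers (possibly several, or none)."""
    labels = []

    # 1. Volumetric: the link or the packet-processing capacity is being overwhelmed.
    bps = w.bits / w.seconds
    pps = w.packets / w.seconds
    if bps >= VOLUMETRIC_FRACTION * LINK_BPS or pps >= PPS_LIMIT:
        labels.append("volumetric")

    # 2. State exhaustion: many connection attempts that never complete, which is
    #    what fills the finite connection tables of stateful devices.
    if w.syns >= MIN_SYNS:
        half_open = (w.syns - w.established) / w.syns
        if half_open >= HALF_OPEN_RATIO:
            labels.append("state-exhaustion")

    # 3. Application layer: traffic volume is low, but the requests monopolize
    #    server time. Compare busy worker-seconds with the worker-seconds available.
    busy_seconds = w.requests * w.mean_service_ms / 1000.0
    if busy_seconds > WORKERS * w.seconds:
        labels.append("application-layer")

    return labels


# Constructed sample windows, 10 seconds each.
SAMPLES = {
    "normal":      Window(10, 200_000_000, 30_000, 800, 790, 1_200, 40.0, 400),
    "flood":       Window(10, 15_000_000_000, 20_000_000, 1_000, 900, 0, 0.0, 60_000),
    "syn_storm":   Window(10, 100_000_000, 2_000_000, 150_000, 2_000, 500, 40.0, 9_000),
    "slow_layer7": Window(10, 20_000_000, 5_000, 600, 598, 900, 2_500.0, 15),
}


def classify_all(samples=SAMPLES) -> dict:
    """Classify every sample window; returns {name: [labels]}."""
    return {name: classify(w) for name, w in samples.items()}


if __name__ == "__main__":
    for name, labels in classify_all().items():
        print(f"{name:12s} -> {labels or ['clean']}")
```

Note that a window can carry more than one label; the "Evolving Threat Against Data Centers" slide later in the deck makes the point that attackers combine a flood with a slow Layer 4-7 attack, and a classifier that stops at the first match would report only the loud half. The "slow_layer7" sample also shows why a bandwidth-only alarm misses Layer 7: at 2 Mbps from 15 sources it looks idle, yet its 900 requests at 2.5 s each demand 2,250 worker-seconds out of the 320 available.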

DDoS Attacks: Volumetric. Volumetric DDoS attacks are designed to saturate and overwhelm network resources, circuits etc. by brute force. [Diagram: attack traffic and good traffic arriving over ISP 1 to ISP n saturate the ISP links into the data center, in front of the firewall, IPS and load balancer protecting the target applications and services.]

Distributed Denial of Service (DDoS). Volumetric attack: filling up your network capacity.

Stopping Volumetric Attacks. Cloud-based: volumetric DDoS mitigation must be done upstream, before traffic gets to the data center. Activated on demand: only active when an attack is detected or reported. [Diagram: a scrubbing center running Peakflow SP/TMS provides cloud-based DDoS protection upstream of ISP 1 to ISP n and the data center's firewall, IPS and load balancer.]

Layer 4-7, Smart DDoS Attacks. Use much less bandwidth; harder to detect; target applications, where they slowly exhaust resources. [Diagram: traffic through ISP 1 to ISP n reaches the data center, where the firewall, IPS and load balancer in front of the target applications and services suffer state exhaustion.]

Distributed Denial of Service (DDoS). Slow attacks: taking down your services.

Stopping Layer 4-7, Smart Attacks. CPE-based: L4-7 DDoS mitigation must be done at the data center. Always on: immediate mitigation. Fine-tuned to the services behind it to minimize false positives and false negatives. [Diagram: CPE-based DDoS protection sits in the data center, in front of the firewall, IPS and load balancer.]

CPE-based DDoS Defense. Multifunctional devices are not good for DDoS: security devices enhanced with DDoS functionality (firewalls, IPSs, load balancers). Specialized devices: IDMS appliances such as Pravail APS. Think about it: if firewalls, which are present everywhere, could really handle DDoS attacks, we would not hear so many stories of sites taken down by DDoS, right?

CPE-Based DDoS Defense Comparison. [Table comparing Pravail APS, IPS, WAF and FW on application-layer DDoS protection, flood attack protection via Cloud Signaling, protection from state-exhausting attacks, asymmetric DDoS threat protection, easy inline deployment, and botnet detection and protection, rated Excellent, Good, Fair or Poor; the cell values are not preserved in the transcription.] Look to both security and network engineering budgets for funding.

The Evolving Threat Against Data Centers. Attackers use a combination of techniques. [Diagram: Layer 4-7 smart DDoS causes exhaustion of service at the load balancer and target applications, while volumetric brute-force DDoS causes saturation of the ISP links.]

DDoS Defense Offers in the Market. [Diagram: cloud-based DDoS protection at a scrubbing center upstream and CPE-based DDoS protection in the data center, linked by Cloud Signaling.]

Cloud Signaling. Gain full protection from a single console by signaling to the cloud. Utilize the Cloud Signaling Coalition for volumetric DDoS protection: immediate protection with seamless handoff to the ISP's DDoS filtration services (clean pipes). [Diagram: Arbor Pravail APS in the data center network, in front of the firewall/IPS/WAF and the public-facing servers, reports Cloud Signaling status to the ISP's Arbor Peakflow SP/TMS-based DDoS service.] 1. Service operating normally. 2. Attack begins and is initially blocked by Pravail APS. 3. Attack grows, exceeding bandwidth. 4. Cloud signal launched. 5. Customer fully protected!
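To make the five-step handoff concrete, the following Python is an added model of the escalation logic; it is not Arbor's Cloud Signaling implementation, and the state names, the threshold constants, the Window fields and the send_cloud_signal stand-in are all assumptions. It keeps the on-premise appliance in charge until inbound traffic approaches link capacity, then requests upstream mitigation, and steps down only after several consecutive quiet windows so that a fluctuating attack does not make the controller flap. The one design point worth copying is in the cloud-mitigation state: once the scrubbing center is absorbing the attack, the local link looks clean, so the step-down decision has to rely on the attack rate reported from upstream rather than on local inbound volume.

```python
"""Threshold-driven Cloud Signaling controller (added example, not Arbor code).

Models the slide's sequence: normal service, attack blocked locally, attack grows
past link capacity, cloud signal sent, customer protected, then orderly step-down.
"""
from dataclasses import dataclass, field

LINK_BPS = 1_000_000_000      # assumed 1 Gbps upstream link into the data center
ATTACK_BPS = 150_000_000      # assumed: inbound above this, or any blocked traffic, means attack
ESCALATE_FRACTION = 0.80      # assumed: ask the cloud once inbound reaches 80% of the link
CLEAR_WINDOWS = 3             # assumed: quiet windows required before stepping down

NORMAL, LOCAL, CLOUD = "normal", "local-mitigation", "cloud-mitigation"


@dataclass
class Window:
    """One measurement window (constructed fields)."""
    inbound_bps: float          # traffic arriving on the data center link
    blocked_bps: float          # traffic the on-premise appliance is dropping
    upstream_attack_bps: float  # attack rate reported by the scrubbing center (0 if none)


@dataclass
class CloudSignalController:
    state: str = NORMAL
    quiet_windows: int = 0
    signals: list = field(default_factory=list)

    def send_cloud_signal(self, action: str) -> None:
        """Stand-in for the upstream signalling call; it only records the request."""
        self.signals.append(action)

    def observe(self, w: Window) -> str:
        """Feed one window; returns the controller state after it."""
        under_attack = w.inbound_bps >= ATTACK_BPS or w.blocked_bps > 0
        saturating = w.inbound_bps >= ESCALATE_FRACTION * LINK_BPS

        if self.state == NORMAL:
            if saturating:                       # steps 3-4 collapsed into one window
                self.state = CLOUD
                self.send_cloud_signal("start")
            elif under_attack:                   # step 2: local appliance handles it
                self.state = LOCAL
            self.quiet_windows = 0

        elif self.state == LOCAL:
            if saturating:                       # step 3 -> 4: link about to fill
                self.state = CLOUD
                self.send_cloud_signal("start")
                self.quiet_windows = 0
            elif under_attack:
                self.quiet_windows = 0
            else:
                self.quiet_windows += 1
                if self.quiet_windows >= CLEAR_WINDOWS:
                    self.state, self.quiet_windows = NORMAL, 0

        else:  # CLOUD, step 5: the local link is now scrubbed upstream, so local
               # inbound says nothing about the attack; use the upstream report.
            if w.upstream_attack_bps >= ESCALATE_FRACTION * LINK_BPS:
                self.quiet_windows = 0
            else:
                self.quiet_windows += 1
                if self.quiet_windows >= CLEAR_WINDOWS:
                    self.send_cloud_signal("stop")
                    self.state = LOCAL if under_attack else NORMAL
                    self.quiet_windows = 0

        return self.state


def run(windows) -> tuple:
    """Drive a fresh controller through the windows; returns (states, signals)."""
    c = CloudSignalController()
    states = [c.observe(w) for w in windows]
    return states, c.signals


# Constructed scenario following the slide's five steps, then the attack fading.
SCENARIO = [
    Window(50_000_000, 0, 0),                # 1. service operating normally
    Window(300_000_000, 250_000_000, 0),     # 2. attack begins, blocked locally
    Window(900_000_000, 850_000_000, 0),     # 3-4. link nearly full, cloud signal sent
    Window(60_000_000, 0, 900_000_000),      # 5. scrubbed upstream, local link clean
    Window(60_000_000, 0, 100_000_000),      # attack fading (quiet window 1)
    Window(60_000_000, 0, 50_000_000),       # quiet window 2
    Window(60_000_000, 0, 0),                # quiet window 3: stop signal, back to normal
]

if __name__ == "__main__":
    states, signals = run(SCENARIO)
    for w, s in zip(SCENARIO, states):
        print(f"inbound={w.inbound_bps/1e6:7.1f} Mbps upstream={w.upstream_attack_bps/1e6:7.1f} Mbps -> {s}")
    print("signals sent:", signals)
```

If the controller judged the cloud state by local inbound alone, window 4 would already look quiet and the "stop" signal would go out while 900 Mbps of attack was still hitting the scrubbing center, which is exactly the flapping the CLEAR_WINDOWS hysteresis and the upstream report are there to prevent.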

Cloud Signaling Deployment Options. Cloud Signaling can work with two options of cloud-based DDoS mitigation service offerings: Local ISP, where a carrier-agnostic DDoS mitigation infrastructure sits directly upstream of the data center; and Provider, where the DDoS mitigation infrastructure is somewhere in the Internet cloud, even in a different country. Cloud Signaling is an advanced feature! Reduce the time to start cloud-based mitigation, increasing availability, with Cloud Signaling.

Pravail APS + Arbor Cloud. [Diagram: on-premise DDoS protection (Pravail APS) in the data center, in front of the firewall, IPS and load balancer, uses Cloud Signaling to the Arbor Cloud scrubbing center for cloud-based DDoS protection of the target applications and services.]

Comments? Questions?

Thank You!