DDoS Introduction
We see things others can't
Pablo Grande, pgrande@arbor.net
DoS & DDoS: Unavailability! Interruption!
A Denial of Service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, for example by temporarily or indefinitely interrupting or suspending the services of a host connected to the Internet.
A Distributed Denial of Service (DDoS) attack is one where the attack comes from more than one source, often thousands of unique IP addresses. It is analogous to a group of people crowding the entry door or gate of a shop or business and not letting legitimate parties enter, disrupting normal operations.
DDoS Types of Attacks
1. Volumetric Attacks: also known as floods, the goal of this type of attack is to cause congestion by sending so much traffic that it overwhelms the bandwidth of the site. Attacks are typically executed using botnets, an army of computers infected with malicious software and controlled as a group by the hacker.
2. TCP State-Exhaustion Attacks (stateful devices): this type of attack focuses on the actual web servers, firewalls and load balancers, disrupting connections by exhausting the finite number of concurrent connections the device can support.
3. Application Layer Attacks: this type of attack, also known as a Layer 7 attack, specifically targets weaknesses in an application or server with the goal of establishing connections and exhausting the target by monopolizing processes and transactions. These sophisticated threats are harder to detect because few machines are required, generating a low traffic rate that appears to be legitimate.
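As an added illustration of the three categories above (and of the bps/pps distinction the deck draws later), not code from the original slides, here is a defender-side classifier in Python that labels a constructed per-interval traffic sample as volumetric, state-exhaustion, application-layer or normal. The capacity figures and thresholds are assumptions to be tuned to your own links and servers.

```python
from dataclasses import dataclass

# Assumed capacities of the protected site (constructed for this example).
LINK_CAPACITY_BPS = 1_000_000_000   # 1 Gbps uplink
LINK_CAPACITY_PPS = 1_488_000       # ~1 Gbps worth of minimum-size frames
MAX_CONCURRENT_CONNS = 50_000       # state table of the firewall / load balancer
BASELINE_REQ_COST_MS = 5.0          # typical server time per legitimate request


@dataclass
class TrafficSample:
    """Aggregated metrics for one measurement interval (constructed input)."""
    bps: float               # inbound bits per second
    pps: float               # inbound packets per second
    half_open_conns: int     # TCP handshakes started but never completed
    established_conns: int   # fully open TCP connections
    requests_per_s: float    # HTTP requests reaching the application
    avg_req_cost_ms: float   # server time spent per request in this interval


def classify(s: TrafficSample) -> str:
    """Return 'volumetric', 'state-exhaustion', 'application-layer' or 'normal'.

    Checks run from the noisiest to the quietest category: a flood fills the
    pipe, state exhaustion fills connection tables, and a Layer 7 attack stays
    small on the wire but burns server work on every request.
    """
    # 1. Volumetric flood: the link (in bits or packets) is nearly saturated.
    if s.bps >= 0.8 * LINK_CAPACITY_BPS or s.pps >= 0.8 * LINK_CAPACITY_PPS:
        return "volumetric"
    # 2. TCP state exhaustion: table nearly full and dominated by half-open entries.
    total = s.half_open_conns + s.established_conns
    if total >= 0.8 * MAX_CONCURRENT_CONNS and s.half_open_conns > s.established_conns:
        return "state-exhaustion"
    # 3. Application layer: requested work exceeds one second of server time per
    #    second, with each request far costlier than the legitimate baseline.
    work_per_s = s.requests_per_s * s.avg_req_cost_ms / 1000.0
    if work_per_s > 1.0 and s.avg_req_cost_ms > 5 * BASELINE_REQ_COST_MS:
        return "application-layer"
    return "normal"


# Constructed samples: one per slide category plus a quiet baseline interval.
SAMPLES = {
    "flood": TrafficSample(950e6, 900_000, 200, 3_000, 400, 5.0),
    "syn_table": TrafficSample(40e6, 60_000, 38_000, 4_000, 300, 5.0),
    "slow_l7": TrafficSample(8e6, 9_000, 50, 2_500, 120, 40.0),
    "quiet": TrafficSample(20e6, 25_000, 40, 2_000, 150, 4.0),
}
```

Feed it the counters your flow collector or load balancer already exports per interval; the ordering of the checks matters, because a flood will also show exhausted tables and slow requests.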
DDoS 10 Years Timeline
On New Year's Eve, the BBC website and iPlayer service went down due to a massive Distributed Denial of Service (DDoS) attack. The attack peaked at 602 Gbps, according to the claims made by the New World Hacking group, which claimed responsibility for the attack. In another recent attack, the Republican presidential candidate Donald Trump's main campaign website was also targeted by the same group.
DDoS Facts: FREQUENT & COMPLEX by COMBINATION
DDoS Drivers/Motivators
[Chart: breakdown of DDoS drivers into five slices (30%, 25%, 20%, 13%, 12%); the category labels are not recoverable from the slide]
The New Breed of Advanced Threats
[Diagram: botnets placed on an attack spectrum ranging from loud to quiet]
Arbor Networks Overview
[Diagram: Arbor network-wide product portfolio. DDoS: Arbor Cloud with Cloud Signaling and +140 Tbps visibility; Peakflow MNA, Peakflow SP/TMS, ATLAS and Pravail APS across mobile carrier, service provider, public cloud, private cloud and corporate networks; Spectrum for advanced threats; good traffic versus malicious traffic & malware flowing from user/attacker to internal employee]
100% of Tier 1 and 60% of Tier 2 service providers
90% of Gartner Cloud and Web Hoster MQ providers
9/10 of top online brands
Arbor: Securing the World's Largest Networks
100%: percentage of the world's Tier 1 service providers who are Arbor customers
130: number of countries with Arbor products deployed
+140 Tbps: amount of global traffic monitored by the ATLAS security intelligence initiative right now; 330+ ISPs sharing real-time data, a very significant portion of global Internet traffic
16: number of years Arbor has been delivering innovative security and network visibility technologies & products
#1: Arbor market position in the Carrier, Enterprise and Mobile DDoS equipment market segments, 67% of total market [Infonetics Research]
ATLAS: Active Threat Level Analysis System
Monitoring of worldwide infrastructure for network-borne threats: Identify, Analyze, Protect.
1. ATLAS sensors are deployed in global Internet darknet space to discover and classify attack activity.
2. The information is sent to an ATLAS central repository where it is combined with Arbor, third-party, and vulnerability data.
3. ASERT analyzes the combined data and converts it into actionable intelligence, which is posted on the ATLAS public portal and updated to customers' devices.
[Diagram: darknet ATLAS sensors in ISP networks running Peakflow SP and Pravail NSI feed the ATLAS data center; threat sources shown: malware, botnets, phishing, P2P, behavioral fingerprint]
Example of what we can see in real time: www.digitalattackmap.com
DDoS and Risk Planning
Solution Overview DDoS Defense
DDoS Attack? It will never happen to me
DDoS Attack: it will happen
DDoS is an Exploding & Evolving Trend
More attack motivations: geopolitical (Burma taken offline by DDoS attack); protests (Visa, PayPal, and MasterCard attacked); extortion (Techwatch weathers DDoS extortion attack).
Greater availability of botnets: better bots and easy access (more infected PCs with faster connections; using Web 2.0 tools to control botnets); commoditized (cloud-based botnets, cheaper, more attacks).
Increased volume, complexity and frequency: the largest volumetric DDoS has grown from 8 to 600 Gbps in 10 years; over 25% of attacks are now application-based DDoS, mostly targeting HTTP, DNS and SMTP; >50% of data center operators experience >10 attacks per month.
DDoS Misconceptions
Misconception: my firewall/IPS provides DDoS protection. Fact: most large data center operators have seen their firewalls/IPS fail due to DDoS.
Misconception: I have enough bandwidth to absorb DDoS attacks. Fact: multi-gigabit attacks are common and can overwhelm the largest networks.
Misconception: no one would want to attack my business. Fact: most data centers suffer downtime every year due to DDoS.
[Chart: Did your firewall/IPS fail due to DDoS within the last 12 months? Answers No / Yes / Not Deployed with values 13%, 38% and 49%; which value belongs to which answer is not recoverable from the slide]
[Chart: Largest Attack in Gbps (axis 0-150); bar values on the slide: 0,14; 1,2; 2,5; 10; 17; 24; 40; 49; 100; 60]
Rent a botnet for as little as $50 per day.
Source: Arbor Worldwide Infrastructure Security Report
Botnet is a Business
A large number of botnet tools are available for purchase for you to create your own botnet.
Botnet tools today are an industry of their own.
You can buy software to create your own botnet, or hire botnets to generate attacks.
Commercial DDoS Botnets - Darkness
Popular bot, still in use. Many leaked versions. Widely mentioned in underground forums; competitive.
Darkness Control Panel
45,000 bots, 6,900 online
DirtJumper
Popular. 20,000 bots attacked Brian Krebs, Nov 2011. 70,446 bots total, 668 active.
Dirt Jumper 2
HTTP flood, synchronous flood, download flood and POST flood options.
Dirt Jumper 3
2 HTTP GET attacks, HTTP POST attack. Increased randomization of attack header.
DDoS Services using Dirt Jumper 3
Version 3 featured prominently in underground advertisement. Also mentions Optima (Darkness) and G-Bot. Anti-DDoS attacks mentioned.
Dirt Jumper 5
New features, anti-DDoS protection evasion.
Pandora
$800, cracked for $100. Attacks look just like Dirt Jumper 5 and Khan bots. March 2012.
Di BoTNet
Re-uses Dirt Jumper code, adds bot killer feature. March 2012.
Armageddon
Very popular bot, active competitor to other Russian bots. Involved in politically motivated attacks in Russia. Observed attacking HTTP and various other ports. Features anti-DDoS attack style and increased attack diversity.
Commercial DDoS Services
March 2012, claims private version of Dirt Jumper 5. $200/week. Five minute test can account for very short attacks.
microsoftddos
March 2012. $800/month. 15 minute test. Money returned if site comes back online. Anonymous logo used, yet competitive ideology.
Killer-G
March 2012. $600/month. 10 minute test. G-bot (AKA Piranha, Drooptroop).
DDoS Service Marketing
Commercial DDoS Services
Distributed Denial of Service (DDoS): Targeting your Network, Services and Customers
DDoS Attack Categories
Volumetric, brute force attacks: traffic floods. Exhaust resources by creating high bps or pps volumes; overwhelm the infrastructure (links, routers, switches, servers).
Layer 4-7, smarter and slow attacks: TCP resource exhaustion, which exhausts resources in servers, load balancers, firewalls or routers; application layer attacks, which take out specific services or applications.
DDoS Attacks: Volumetric
Volumetric DDoS attacks are designed to saturate and overwhelm network resources, circuits etc. by brute force.
[Diagram: attack traffic and good traffic arriving over ISP 1..n saturate the ISP links into the data center (firewall, IPS, load balancer) in front of the target applications & services]
Distributed Denial of Service (DDoS): Volumetric Attack - Filling up your network capacity
Stopping Volumetric Attacks
[Diagram: a scrubbing center (Peakflow SP/TMS, cloud-based DDoS protection) sits upstream of ISP 1..n and the data center firewall, IPS and load balancer]
Cloud-based: volumetric DDoS mitigation must be done upstream, before traffic gets to the data center.
Activated on demand: only active when an attack is detected or reported.
Layer 4-7, Smart DDoS Attacks
Use much less bandwidth; harder to detect; target applications where they slowly exhaust resources.
[Diagram: traffic from ISP 1..n causes exhaustion at the data center firewall/IPS and load balancer in front of the target applications & services]
Distributed Denial of Service (DDoS): Slow Attacks - Taking down your services
Stopping Layer 4-7, Smart Attacks
[Diagram: CPE-based DDoS protection at the data center edge, between ISP 1..n and the firewall, IPS and load balancer in front of the target applications & services]
CPE-based: L4-7 DDoS mitigation must be done at the data center.
Always on: immediate mitigation.
Fine-tuned to the services behind it to minimize false positives and false negatives.
CPE-based DDoS Defense
Multifunctional devices are not good for DDoS: security devices enhanced with DDoS functionalities (firewalls, IPSs, load balancers).
Specialized devices: IDMS appliances (Pravail APS).
Think about it: if firewalls, which are present everywhere, could really handle DDoS attacks, we would not hear so many stories of sites taken down by DDoS, right?
CPE-Based DDoS Defense Comparison
[Table: criteria Application-Layer DDoS Protection; Flood Attack Protection via Cloud Signaling; Protected from State-Exhausting Attacks; Asymmetric DDoS Threat Protection; Easy Inline Deployment; Botnet Detection & Protection, compared across Pravail APS, IPS, WAF and FW; the Excellent / Good / Fair / Poor ratings are icons and not recoverable from the slide]
Look for Security & Network Engineering budgets for funding.
The Evolving Threat Against Data Centers
Attackers use a combination of techniques.
[Diagram: volumetric, brute force DDoS saturates the ISP 1..n links (impact: saturation) while layer 4-7, smart DDoS exhausts the firewall, IPS and load balancer (impact: exhaustion of service) in front of the target applications & services]
DDoS Defense Offers in the Market
[Diagram: cloud-based DDoS protection in an upstream scrubbing center, linked by Cloud Signaling to CPE-based DDoS protection at the data center in front of the firewall, IPS, load balancer and target applications & services]
Cloud Signaling
Gain full protection from a single console by signaling to the cloud.
Utilize the Cloud Signaling Coalition for volumetric DDoS protection.
Immediate protection with seamless handoff to the ISP's DDoS filtration services.
[Diagram: subscriber network behind an Internet service provider running an Arbor Peakflow SP / TMS-based DDoS service (clean pipes, Cloud Signaling status); data center network with Arbor Pravail APS, firewall / IPS / WAF and public facing servers]
1. Service operating normally
2. Attack begins and is initially blocked by Pravail APS
3. Attack grows, exceeding bandwidth
4. Cloud signal launched
5. Customer fully protected!
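The five-step escalation above, modelled as an added Python example (not Arbor's Cloud Signaling implementation or protocol): an on-premise device keeps mitigating locally while the attack fits in the access link, requests upstream scrubbing once the link nears saturation, and drops the request when the attack ends. The link size, thresholds and the per-interval counters are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed figures: the subscriber's access link and the decision thresholds.
LINK_CAPACITY_BPS = 1_000_000_000   # 1 Gbps access link from the ISP
SIGNAL_AT_UTILISATION = 0.9         # ask upstream once the link is 90% full
ATTACK_SHARE = 0.2                  # >20% of inbound dropped as malicious = attack

@dataclass
class Interval:
    """Per-interval counters from the on-premise device (constructed input)."""
    inbound_bps: float   # all bits/s arriving on the access link
    blocked_bps: float   # bits/s the on-premise device dropped as attack traffic

class CloudSignalingModel:
    """Hypothetical escalation logic for the five slide steps; not Arbor's protocol."""

    def __init__(self) -> None:
        self.state = "normal"      # step 1
        self.signal_sent = False   # an upstream mitigation request is outstanding

    def step(self, iv: Interval) -> str:
        """Consume one interval of counters and return the new state."""
        utilisation = iv.inbound_bps / LINK_CAPACITY_BPS
        attacked = iv.blocked_bps > ATTACK_SHARE * max(iv.inbound_bps, 1.0)
        if not attacked:
            # Attack over (or never started): withdraw any signal, run normally.
            self.state, self.signal_sent = "normal", False
        elif utilisation >= SIGNAL_AT_UTILISATION:
            # Steps 3-4: local blocking cannot help once the pipe is full, so
            # request upstream scrubbing (idempotent if already requested).
            self.state, self.signal_sent = "cloud_signaled", True
        elif self.signal_sent:
            # Step 5: upstream removes the bulk and the link has headroom again.
            self.state = "protected"
        else:
            # Step 2: attack present but within link capacity; blocked locally.
            self.state = "local_mitigation"
        return self.state

def run(intervals: list) -> list:
    """Replay a sequence of intervals; return the state after each one."""
    model = CloudSignalingModel()
    return [model.step(iv) for iv in intervals]

# Constructed timeline matching the slide: quiet, attack starts, attack outgrows
# the link, upstream scrubbing takes over, attack ends.
TIMELINE = [Interval(200e6, 0.0), Interval(500e6, 300e6), Interval(980e6, 800e6),
            Interval(300e6, 150e6), Interval(200e6, 10e6)]
```

Note that the signal is raised on link utilisation, not on how much the local device is dropping: a device can be blocking successfully and still be useless once the pipe in front of it is full.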
Cloud Signaling Deployment Options
Cloud Signaling can work with two options of cloud-based DDoS mitigation service offerings:
Local ISP: carrier-agnostic DDoS mitigation infrastructure directly upstream of the data center.
Provider: DDoS mitigation infrastructure is somewhere in the Internet cloud, even in a different country.
Cloud Signaling is an advanced feature! Reduce the time to start cloud-based mitigation, increasing availability, with Cloud Signaling.
Pravail APS + Arbor Cloud
[Diagram: cloud-based DDoS protection in an Arbor Cloud scrubbing center, connected by Cloud Signaling to on-premise DDoS protection at the data center, between ISP 1..n and the firewall, IPS, load balancer and target applications & services]
Comments? Questions?
Thank You!