Multi-vector DDoS Attacks: Detection and Mitigation
Paul Mazzucco, Chief Security Officer
August 2015
Key Reasons for Cyber Attacks

Criminal
- Money and more money
- Large number of groups
- From unskilled to advanced
- Present in virtually every country

Hacktivists
- Protest
- Revenge
- Large number of groups
- Basic skills; a few standouts with advanced skills who motivate a potentially larger set of followers

Espionage
- Acquiring secrets for national security and economic benefit
- Growing number of countries with capabilities
- Larger array of supported or tolerated groups

War
- Motivation is to destroy, degrade, or deny
- Politics by another name
- Growing number of countries with capability
- Non-state actors could be included
DoS/DDoS Attacks: New Cyber Weapon of Choice

Cyber attack sophistication is increasing
- Lower-bandwidth attacks occur more frequently, last longer and evade detection
  - They overwhelm servers' ability to respond and ultimately take down the site
- Multi-vector campaigns
  - Booter services and low-cost DDoS campaigns can take down a typical business
  - The DDoS-for-hire market is expanding
  - China, Germany and the U.S. accounted for more than 50% of all DDoS attack origins in Q1 2015
- The number of DDoS attacks in Q1 2015 more than doubled the number of DDoS attacks in Q1 2014
Source: Akamai
The Industry Hit List Expands

Drivers: the rise of the Internet of Things, web vulnerabilities and botnet building
Choice targets
- SaaS platforms, e.g. healthcare data
- Competitive industries, e.g. gaming
- Multi-tenant platforms, because attacks on one tenant impact all other tenants
Infrastructure attacks were 91% of total DDoS attacks in Q1 2015
Source: Akamai
Where Are the Attacks Taking Place? The 7 Layers of the OSI Model

- Network attacks were 90% of attacks in 2005
- Session attacks typically defeat conventional firewalls
- Application attacks are 90% of attacks in 2015
- Q1 2015 vs. Q1 2014: 124.69% increase in infrastructure layer (Layer 3 & 4) attacks
- Q1 2015 vs. Q1 2014: 59.83% increase in application layer (Layer 7) attacks
New Attack Vectors, One Dangerous Commonality

Significant attack vectors emerged in 2014
- 50% of all web attacks were encrypted application-based attacks
- 15% of organizations reported attacks targeting web application login pages on a daily basis
- DNS-based volumetric floods increased from 10% to 21%, becoming the 2nd most common attack vector
Source: Radware
The Simple Service Discovery Protocol (SSDP): Top Infrastructure-based Attack Vector

- SSDP comes pre-enabled on millions of devices: routers, media servers, web cams, smart TVs, printers
- It allows devices to discover each other on a network, establish communication and coordinate activities
- SSDP accounted for more than 20% of Q1 2015 attack vectors
- Attackers are armed with a list of vulnerable devices and use them as reflectors to amplify a DDoS attack
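The reflection pattern described on this slide is visible in ordinary flow telemetry, from both sides of the edge. The following Python is an added example, not material from the deck or from TierPoint: it runs over a constructed set of flow records (the Flow fields are an assumption about what a NetFlow/IPFIX export provides; addresses and thresholds are made up) and flags, first, an internal host receiving UDP traffic sourced from port 1900 by many distinct Internet hosts, which is what a victim of an SSDP reflection flood sees, and second, any internal device that answers on UDP/1900 to addresses outside the organization, which is an exposed reflector that should be firewalled or have UPnP/SSDP disabled.

```python
"""Flag SSDP reflection traffic in flow records (constructed sample data)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

SSDP_PORT = 1900  # UDP port used by SSDP M-SEARCH requests and their responses


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record; field names are an assumption about
    what a NetFlow/IPFIX collector would export."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str    # "udp" or "tcp"
    octets: int   # bytes carried by the flow
    packets: int


def ssdp_reflection_victims(flows, min_sources=10, min_octets=20000):
    """Return {victim_ip: (distinct_reflectors, total_octets)} for hosts that
    receive UDP traffic *sourced from* port 1900 from many distinct hosts.

    Legitimate SSDP is local-network discovery.  Unsolicited UDP/1900 responses
    from many Internet hosts converging on one address is the signature of a
    reflection flood: the responses are several times larger than the probes
    that triggered them, which is where the amplification comes from.
    """
    per_victim = defaultdict(lambda: [set(), 0])   # dst_ip -> [sources, octets]
    for f in flows:
        if f.proto == "udp" and f.src_port == SSDP_PORT:
            entry = per_victim[f.dst_ip]
            entry[0].add(f.src_ip)
            entry[1] += f.octets
    return {
        ip: (len(sources), total)
        for ip, (sources, total) in per_victim.items()
        if len(sources) >= min_sources and total >= min_octets
    }


def exposed_reflectors(flows, internal_cidr):
    """Return {internal_ip: octets_sent} for hosts inside internal_cidr that
    answer on UDP/1900 to addresses outside it.  SSDP should never cross the
    Internet edge, so such hosts are reflectors that third parties can abuse."""
    net = ipaddress.ip_network(internal_cidr)
    sent = defaultdict(int)
    for f in flows:
        if f.proto != "udp" or f.src_port != SSDP_PORT:
            continue
        src_inside = ipaddress.ip_address(f.src_ip) in net
        dst_inside = ipaddress.ip_address(f.dst_ip) in net
        if src_inside and not dst_inside:
            sent[f.src_ip] += f.octets
    return dict(sent)


# Constructed sample: normal traffic, one stray UDP/1900 packet, one internal
# device answering an outsider, and 25 reflectors converging on 192.0.2.20.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 443, "192.0.2.5", 51000, "tcp", 4200, 9),    # ordinary HTTPS
    Flow("198.51.100.7", 53, "192.0.2.5", 40100, "udp", 180, 1),      # ordinary DNS answer
    Flow("198.51.100.9", SSDP_PORT, "192.0.2.5", 40200, "udp", 320, 1),  # lone packet, not a flood
    Flow("192.0.2.33", SSDP_PORT, "203.0.113.99", 4444, "udp", 3100, 8), # our own exposed device
] + [
    Flow(f"198.51.100.{i}", SSDP_PORT, "192.0.2.20", 80, "udp", 3100, 8)
    for i in range(20, 45)
]

if __name__ == "__main__":
    print("reflection victims:", ssdp_reflection_victims(SAMPLE_FLOWS))
    print("exposed reflectors:", exposed_reflectors(SAMPLE_FLOWS, "192.0.2.0/24"))
```

The thresholds are deliberately conservative so that a single misdirected discovery packet is not reported; in production they would be tuned to the baseline of the monitored prefix, and the victim-side check would normally be paired with a rate over time rather than a per-batch total.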
Not Just a Party of One Anymore: Multi-Vector Attacks Take Aim

- More than 50% of attack campaigns deployed 5 or more attack vectors in 2014
- Releasing one attack vector at a time, rather than launching the entire arsenal at once, keeps the target busy
Sources: Radware, Arbor Networks
Attackers (Quickly) Strike Back

- Attackers are continually developing new attack vectors that defeat newly deployed mitigation tools
- They respond in days, sometimes even hours, after mitigation tools are deployed
Businesses therefore face two chief challenges:
- The increasing complexity of security, i.e. the multi-pronged nature of the attacks
- The speed at which attackers adapt to new mitigation tools
Minutes to Compromise, Months to Discover

- DDoS attack cost for an SMB: $52,000 per incident
- 32% of companies would lose over $100K in revenue per hour of attack
- 11% of US companies would lose $1 million+ in revenue per hour of attack
- 88% of companies are hit multiple times, with 39% attacked over 10 times annually
Sources: Radware, Neustar
Recap: the Challenges

- Cyber attacks are mainstream
- The network perimeter disappears; application data is the final frontier
- Availability-based attacks are the main weapon
- Multi-vector attack campaigns
  - Targeting end-to-end weak points: pipe, network, servers, applications
  - Targeting multi-tenant environments, which amplifies overall impact and management complexity
- Disguising techniques
  - Multiple attackers, one IP address
  - Attacks using dynamic IP addresses
- Data (confidentiality) and integrity attacks
Required Detection: Encrypted/Non-Volumetric Attacks
- Envelope attacks
- Device overload
- Directed attacks (exploits)
- Intrusions
- Mis-configurations
- Localized volume attacks
- Low & slow attacks
- SSL floods
Sources: TierPoint, Radware

Required Detection: Application Attacks
- Web attacks
- Application misuse
- Connection floods
- Brute force
- Directory traversals
- Injections
- Scraping & API misuse
Sources: TierPoint, Radware

Required Detection: Volumetric Attacks
- Network DDoS
- SYN floods
- HTTP floods
Sources: TierPoint, Radware
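Several items on the three detection slides above (brute force, directory traversals, injections, HTTP floods) leave their evidence in the web server's access log rather than in network counters. The following Python is an added example, not code from the deck or from TierPoint: it parses Apache/nginx combined-format log lines and applies one rule per category. The log lines are constructed, the signatures are deliberately minimal (a real WAF ruleset is far broader), and the thresholds, window size and login path are assumptions to be tuned per application.

```python
"""Rule-based detection of application-layer attack patterns in web access logs.
Sample log lines are constructed; signatures are illustrative, not a full WAF."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Path-climbing sequences, raw or URL-encoded.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f)", re.I)
# A few classic SQL-injection tokens; spaces may arrive as %20 or '+'.
INJECTION_RE = re.compile(
    r"('|%27)(\s|%20|\+)*(or|and)(\s|%20|\+)|union(\s|%20|\+)+select|sleep\(", re.I
)


def parse_line(line):
    """Return a dict of the fields we use, or None for an unparsable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines, login_path="/login", brute_threshold=5,
            flood_threshold=50, window_s=10):
    """Return a list of (kind, client_ip, detail) findings."""
    findings = []
    failed_logins = Counter()           # ip -> failed POSTs to the login page
    per_ip_times = defaultdict(list)    # ip -> request timestamps
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if TRAVERSAL_RE.search(path):
            findings.append(("directory_traversal", ip, path))
        if INJECTION_RE.search(path):
            findings.append(("injection", ip, path))
        if rec["method"] == "POST" and path == login_path and rec["status"] in (401, 403):
            failed_logins[ip] += 1
        per_ip_times[ip].append(rec["ts"])
    for ip, n in failed_logins.items():
        if n >= brute_threshold:
            findings.append(("brute_force", ip, f"{n} failed logins"))
    for ip, times in per_ip_times.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):          # sliding window over sorted times
            while (t - times[lo]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= flood_threshold:
            findings.append(("http_flood", ip, f"{peak} requests in {window_s}s"))
    return findings


def _entry(ip, t, method, path, status, size=512):
    ts = t.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size} "-" "Mozilla/5.0"'


def build_sample_log():
    """Constructed log: normal browsing, a brute-force burst, two probes, a flood."""
    base = datetime(2015, 8, 10, 13, 0, 0)
    lines = [_entry("192.0.2.10", base + timedelta(seconds=20 * i), "GET", "/index.html", 200)
             for i in range(3)]
    lines += [_entry("198.51.100.23", base + timedelta(seconds=i), "POST", "/login", 401, 0)
              for i in range(6)]
    lines.append(_entry("192.0.2.77", base + timedelta(seconds=30), "GET",
                        "/static/..%2f..%2fetc/passwd", 404))
    lines.append(_entry("192.0.2.77", base + timedelta(seconds=31), "GET",
                        "/search?q=%27%20OR%201%3D1--", 200))
    lines += [_entry("203.0.113.200", base + timedelta(seconds=i // 6), "GET", "/", 200)
              for i in range(60)]   # 60 requests inside 10 seconds
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

Note the design split: the traversal and injection rules are per-request signatures and fire immediately, whereas brute force and HTTP floods are rate conditions that only become visible after aggregating per client, which is why those two are evaluated after the pass over the log. The "multiple attackers, one IP address" and dynamic-IP disguises from the recap slide are exactly the cases where per-IP aggregation alone is insufficient and a per-session or per-account key should be added.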
Fight Back Advice #1
- Don't assume that you're not a target
- Draw up battle plans; learn from the mistakes of others
- Ensure buy-in from ALL C-suite executives, not just the CTO or CIO

Fight Back Advice #2
- Protecting your data is not the same as protecting your business
- True security necessitates data protection, system integrity and operational availability
- Review your current investments, then gauge the increase required to ensure appropriate protection

Fight Back Advice #3
- You can't defend against attacks you can't detect
- The battle-prepared business harnesses an intelligence network

Fight Back Advice #4
- Evaluate DDoS protection solutions
- Consider a hybrid approach of layered DDoS defenses: always-on, on-premise hardware blocking plus cloud-based traffic scrubbing

Fight Back Advice #5
- Know your limitations
- Enlist specialists that have the expertise to help you fight and win
Thank you