IoT - Next Wave of DDoS? IoT Sourced DDoS Attacks A Focus on Mirai Botnet and Best Practices in DDoS Defense

Similar documents
Analisi degli attacchi DDOS e delle contromisure

Arbor WISR XII The Stakes Have Changed. Julio Arruda V1.0

Arbor White Paper. DDoS: THE STAKES HAVE CHANGED. HAVE YOU? REVEALED: 3 dangerous myths about DDoS attacks

( ) 2016 NSFOCUS

COPYRIGHT 2018 NETSCOUT SYSTEMS, INC. 1

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Think You re Safe from DDoS Attacks? As an AWS customer, you probably need more protection. Discover the vulnerabilities and how Neustar can help.

An Introduction to DDoS attacks trends and protection Alessandro Bulletti Consulting Engineer, Arbor Networks

A proactive and collaborative DDoS mitigation strategy for the Dutch critical infrastructure

Corero & GTT DDoS Trends Report Q2 Q3 2017

War Stories from the Cloud Going Behind the Web Security Headlines. Emmanuel Mace Security Expert

Distributed Denial of Service (DDoS)

State of the Internet Security Q Mihnea-Costin Grigore Security Technical Project Manager

Cybersecurity. Anna Chan, Marketing Director, Akamai Technologies

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

Global DDoS Threat Landscape

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

App Economy Market analysis for Economic Development

2015 DDoS Attack Trends and 2016 Outlook

Trends in IoT DDoSbotnets

Denial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu

Distributed Denial of Service (DDoS)

DDOS-GUARD Q DDoS Attack Report

DDoS Mitigation & Case Study Ministry of Finance

2nd SIG-NOC meeting and DDoS Mitigation Workshop Scrubbing Away DDOS Attacks. 9 th November 2015

Denial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu

A Survey of Defense Mechanisms Against DDoS Flooding A

DDoS attack patterns across the APJ cloud market. Samuel Chen CCIE#9607 Enterprise Security Architect, Manager - APJ

Opportunities for Exploiting Social Awareness in Overlay Networks. Bruce Maggs Duke University Akamai Technologies

INTRODUCTION: DDOS ATTACKS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Solutions to prevent IoT devices to be used for DDOS attacks. WISeKey General Business Use

Multi-vector DDOS Attacks

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

Cisco Firepower with Radware DDoS Mitigation

JPCERT/CC Internet Threat Monitoring Report [July 1, September 30, 2016]

A custom excerpt from Frost & Sullivan s Global DDoS Mitigation Market Research Report (NDD2-72) July, 2014 NDD2-74

Jaal: Towards Network Intrusion Detection at ISP Scale

Prolexic Attack Report Q4 2011

Corero Network Security plc

DDoS Introduction. We see things others can t. Pablo Grande.

The Scenes of Cyber Crime

Introduction to DDoS Attacks

Cyber Attacks: Evolving Network Architectures to Meet the Challenge

snoc Snoc DDoS Protection Fast Secure Cost effective Introduction Snoc 3.0 Global Scrubbing Centers Web Application DNS Protection

Global DDoS Measurements. Jose Nazario, Ph.D. NSF CyberTrust Workshop

Silverline DDoS Protection. Filip Verlaeckt

AdMob Mobile Metrics. Metrics Highlights. May 2010

Cloudflare Advanced DDoS Protection

Internet2 DDoS Mitigation Update

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

DDoS Protector. Simon Yu Senior Security Consultant. Block Denial of Service attacks within seconds CISSP-ISSAP, MBCS, CEH

Corrigendum 3. Tender Number: 10/ dated

War Stories from the Cloud: Rise of the Machines. Matt Mosher Director Security Sales Strategy

DNS SECURITY BENEFITS OF OUTSOURCING YOUR DNS TO AN IP ANYCAST+ PROVIDER

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Anti-DDoS. FAQs. Issue 11 Date HUAWEI TECHNOLOGIES CO., LTD.

WORLDWIDE INFRASTRUCTURE SECURITY REPORT

Cybersecurity with Automated Certificate and Password Management for Surveillance

Comprehensive datacenter protection

JPCERT/CC Internet Threat Monitoring Report [July 1, September 30, 2014]

ISE Cyber Security UCITS Index (HUR)

DMARC Continuing to enable trust between brand owners and receivers

DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

AKAMAI THREAT ADVISORY. Satori Mirai Variant Alert

Asia Key Economic and Financial Indicators

the Breakdown of Perimeter Defenses

Security, Internet of Things, DNS and ICANN. ICANN Security Team Kiev November

A10 DDOS PROTECTION CLOUD

The Bots Are Coming The Bots Are Coming Scott Taylor Director, Solutions Engineering

Why IPS Devices and Firewalls Fail to Stop DDoS Threats

DDoS on DNS: past, present and inevitable. Töma Gavrichenkov

DDoS MITIGATION BEST PRACTICES

Table of contents Contacts 18

August 14th, 2018 PRESENTED BY:

Understanding the Mirai Botnet

Allot IoT Defense Solutions for Enterprises to Ensure IoT Service Continuity. Solution Brief

Arbor White Paper Keeping the Lights On

The Protocols that run the Internet

akamai s [state of the internet] / security

DNS Security. Ch 1: The Importance of DNS Security. Updated

CDNetworks DDoS Attack Trends and Outlook for February 2015 CDNetworks Security Service Team. Copyright 2015 CDNetworks

Computer

POSTAL AND TELECOMMUNICATIONS REGULATORY AUTHORITY OF ZIMBABWE (POTRAZ)

TESTING DDOS DEFENSE EFFECTIVENESS AT 300 GBPS SCALE AND BEYOND

Capability Analysis of Internet of Things (IoT) Devices in Botnets & Implications for Cyber Security Risk Assessment Processes (Part One)

Hongbo Yang, Xiaobing Sun, Richard Zhao

Secure your Web Applications with AWS WAF & AWS Shield. James Chiang ( 蔣宗恩 ) AWS Solution Architect

Securing Online Businesses Against SSL-based DDoS Attacks. Whitepaper

Identifying and Disrupting Mirai Botnets. Chuck McAuley

Herding Cats. Carl Brothers, F5 Field Systems Engineer

IoT DDoS Attacks Detection based on SDN RAMTIN ARYAN

Building a Threat Intelligence Program

Arbor s Peakflow Solution

How Cloudflare s Architecture can Scale to Stop the Largest Attacks

POSTAL AND TELECOMMUNICATIONS REGULATORY AUTHORITY OF ZIMBABWE (POTRAZ)

Check Point DDoS Protector Simple and Easy Mitigation

RIPE Atlas. Measuring the Internet

Exit from Hell? Reducing the Impact of Amplification DDoS Attacks Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz

Transcription:

IoT - Next Wave of DDoS? IoT Sourced DDoS Attacks A Focus on Mirai Botnet and Best Practices in DDoS Defense

DDoS Attacks Increasing in Size, Frequency & Complexity Arbor Networks WISR XII Largest attack reported was 800 Gbps with other respondents reporting attacks of 600 Gbps, 550 Gbps, and 500 Gbps One third of respondents report peak attacks over 100Gbps 41% of EGE respondents and 61% of data-center operators reported attacks exceeding their total Internet capacity 2

Arbor Networks ATLAS DDoS statistics Peak monitored attack of 579Gbps, 73% growth from 2015 558 attacks over 100Gbps, 87 over 200Gbps Compared to 223 and 16 in 2015 20% of attacks over 1Gbps, as opposed to 16% in 2015 Average attacks size now 931Mbps, up from 760Mbps, a 23% increase 3

700 600 DDoS Attack Trends Worldwide Peak attack size (Gbps) 579.6 500 400 300 200 238.8 276.6 298.6 270.2 330.2 267.3 489.4 327.4 498.3 392.7 100 0 700000 600000 500000 156.5 Jan-16 Feb-16 Mar-16 Apr-16 May-16 Jun-16 Jul-16 Aug-16 Sep-16 Oct-16 Nov-16 Dec-16 no of DDoS attacks 607848 619691 645590 644256 630912 559329 552766 493789 495581 482114 503767 460641 400000 300000 200000 100000 0 Jan-16 Feb-16 Mar-16 Apr-16 May-16 Jun-16 Jul-16 Aug-16 Sep-16 Oct-16 Nov-16 Dec-16 4

250 DDoS Attack Trends APAC Peak attack size (Gbps) 200 196.1 150 100 177.1 111.2 173.8 135.5 161.3 147.7 104.7 166.5 154.6 134.8 149.1 50 0 Jan-16 Feb-16 Mar-16 Apr-16 May-16 Jun-16 Jul-16 Aug-16 Sep-16 Oct-16 Nov-16 Dec-16 Year 2016 Global APAC Peak attack size 579.59 Gbps 196.06 Gbps Average attack size 931.24 Mbps 623.82 Mbps Average duration 55 min 20 sec 45 min 6 sec Attack dest port TCP/80 TCP/80 Top reflection attack type DNS DNS 5

WISR XII DDoS trend Service Provider Attack Types 6

DDoS Targets SPs see Government, Finance and Hosting as top targets SPs seeing attacks on cloud services drops from one third to one quarter 42% of EGE respondents experienced an attack 63% of finance, up from 45% 53% of government, up from 43% 7

DDoS driving factors - IoT The Problem Almost every piece of technology we buy is connected Devices are designed to be easy to deploy and use, often resulting in limited security capabilities Software is very rarely upgraded. Some manufacturers don t provide updates, or the ability to install updates The Result First high-profile attack using IoT devices Christmas 2013, using CPE and webcams In 2016 Botnet owners started to recruit IoT devices en mass Attacks of 540Gbps against the Olympics, 620Gbps against Krebs, Dyn etc.. 8

DDoS driving factors DDoS as a service Fact: It s Never Been Easier to Launch a DDoS Attack. DDoS attack tools and DDoS for Hire Services add to the weaponization of DDoS. Cost of DDoS Service Impact to Victim DDoS Attacks Are The Great Equalizer 9

Two Mega Trends Merging to Create The Perfect Storm? Abusable IoT Devices Weaponization and Ease of Attack Rise in IoT-Based DDoS Attacks 10

Why IoT Devices? Embedded or stripped-down versions of Linux Easy to target a wide range of devices Limited security features Internet-accessible Unfettered outbound access Market Dynamics Extremely Low-margin Products not differentiated by security features Chip makers ODM s Brand Company End User No security expertise, No incentive for Security Result A large population of highly susceptible, high bandwidth devices that cannot or will not be patched or otherwise secured. 11

Default Crendentials for IoT Devices https://krebsonsecurity.com/wp-content/uploads/2016/10/iotbadpass-sheet1.pdf 12

The Mirai Botnet Approximately 500,000 compromised IoT devices worldwide. Default user name and passwords enabled and open ports in firewalls (Telnet TCP 23/2323). IoT devices are subsumed into botnet by continuous, automated scanning by other compromised Mirai botnet IoT devices. Rebooting device removes malware, but its estimated that it will take less than 10 min to be rescanned and become part of botnet again. 13

The Mirai Botnet (cont d) Segmented command-and-control. Capable of launching simultaneous DDoS attacks against multiple targets. Non-spoofed traffic. (could change in future) Code has been released to wild already seeing signs of alteration. 14

Mirai is NOT Just a DNS Attack Attack Vectors: SYN-flooding ACK-flooding UDP flooding Valve Source Engine (VSE) query-flooding GRE-flooding Pseudo-random DNS label-prepending attacks (also known as DNS Water Torture attacks) HTTP GET, POST and HEAD attacks. The Mirai Botnet is capable of launching complex, multi-vector attacks. 15

Attack Size (Gbps) 1000 900 4000 800 3500 IoT Botnets Are Not New and On The Rise MIRAI IOT BOTNET OVH? 700 600 500 LIZARDSTRESSER IOT BOTNET TARGETS BRAZIL Dyn Who/What Next? 400 300 1000 200 500 100 Targets were organizations affiliated with major international sporting events (e.g. gov t, banks, sponsors, etc.). Pre-event activity July 2014 April 2016 Aug 2016 Oct 2016 16

Recent Attacks Summer, 2016 540 Gbps attack on an organization associated with the Rio Olympics (Lizardstresser) September 20th 620 Gbps attack targeting KrebsOnSecurity.com (Mirai) September 21st 990 Gbps attack targeting OVH (Mirai) September 30th Mirai source code leaked October 21st Dyn s Managed DNS Infrastructure Targeted (Mirai) October 31st 600 Gbps attack on Liberia (Mirai) 17

Dyn Attacks on October 21st Three Attacks Targeting Dyn s Managed DNS Infrastructure Dyn Customers include Netflix, Twitter, Reddit, Github, Spotify, PayPal, Airbnb, NYT, etc. Large-scale outages for Dyn Customers, even though the customers were not attacked directly 18

Mirai Propagation, Command and Control 3 Already Compromised? 2 Report: - Discovered IP - Successful Creds ScanListen Service TCP/48101 New Victim - IP - Creds 4 Loader 5 C2 TCP/23 6 Check-In Install Bot Code Telnet Port Scans Bot (compromised) 1 Telnet Scan (TCP/23) Brute Force IoT Device 19

Mirai Propagation, Command and Control 3 Already Compromised? 2 Report: - Discovered IP - Successful Creds ScanListen Service TCP/48101 New Victim - IP - Creds 4 Loader 5 C2 TCP/23 6 Check-In Install Bot Code 7 And the beat goes on... Telnet Port Scans Bot (compromised) 1 Telnet Scan (TCP/23) Brute Force Bot (compromised) Telnet Port Scans 20

ATLAS IoT Botnet tracking Network of honeypots setup to monitor IoT compromise activities Snapshots of activities from 29 Nov to 12 Dec 2016 1,027,543 login attempts from a total of 92,317 unique IP addresses Peak login attempts per hour is 18,054 22

ATLAS IoT Botnet tracking Billions of IoT devices connected to the Internet Estimates vary, 5B+, with millions added every day Arbor honeypot devices look for exploit activity on Telnet / SSH ports 1M login attempts from 11/29 to 12/12 from 92K unique IP addresses More than 1 attempt per minute in some regions 23

ATLAS IoT Botnet tracking Attempts by ASN Country Number of Attempts China 102,975 Vietnam 26,573 Republic of Korea 19,465 USA 17,062 Brazil 16,609 Russia 13,378 Taiwan 11,697 Hong Kong 11,200 Turkey 10,190 Romania 9,856 49% 1% 3% 8% 24% 15% AS17924 AS36678 AS38197 AS62468 AS8075 AS4515 AS9381 AS9304 AS9269 AS4760 24

20000 ATLAS IoT Botnet tracking Login attempts per hour 18000 16000 14000 12000 10000 8000 6000 4000 2000 0 11/28/16 0:00 11/30/16 0:00 12/2/16 0:00 12/4/16 0:00 12/6/16 0:00 12/8/16 0:00 12/10/16 0:00 12/12/16 0:00 12/14/16 0:00 Sum Sum SSH Sum Telnet 25

ATLAS IoT Botnet tracking 7000 Login attempt per region 6000 5000 4000 3000 2000 1000 0 11/28/16 11/30/16 12/2/16 12/4/16 12/6/16 12/8/16 12/10/16 12/12/16 12/14/16 APAC EU SA US 26

Attack Characteristic, Effects, and Mitigations Multiple Highly Distributed Attack Vectors Dyn originally reported 10s of millions of IP addresses Later corrected to an estimate of 100,000 Cascading Effect 2nd Order Impact on Dyn customers DNS service disruption from original attack generates legitimate retry activity This is, in part, what caused Dyn to overreport the number of attacking IP s 3rd Order Impact on Broadband Operators Mitigations Performed by Dyn According to Dyn: Traffic shaping, Anycast Rebalancing, ACL Filtering, Scrubbing Services 27

Telnet Traffic IoT botnet growing 28

Telnet Traffic by Country Matches Attack SRC 29

WISR XII Organization Security SP Nearly half of SPs now implement anti-spoofing filters Rehearsing DDoS attack processes and procedures is key 10% increase in SPs running simulations, 37% do this quarterly EGE 55% now run simulations, 40% do this quarterly Difficulty in hiring and retaining personnel remains a key issue for both SP and EGE respondents 30

For More Information 31

Thank You 32

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback