Distributed Denial of Service War Stories from the Cloud Front. Michael Smith Security Evangelist

Similar documents
War Stories from the Cloud Going Behind the Web Security Headlines. Emmanuel Mace Security Expert

The Interactive Guide to Protecting Your Election Website

Imperva Incapsula Product Overview

2nd SIG-NOC meeting and DDoS Mitigation Workshop Scrubbing Away DDOS Attacks. 9 th November 2015

Opportunities for Exploiting Social Awareness in Overlay Networks. Bruce Maggs Duke University Akamai Technologies

The Presence and Future of Web Attacks

Enterprise Overview. Benefits and features of Cloudflare s Enterprise plan FLARE

snoc Snoc DDoS Protection Fast Secure Cost effective Introduction Snoc 3.0 Global Scrubbing Centers Web Application DNS Protection

State of the Internet Security Q Mihnea-Costin Grigore Security Technical Project Manager

Cyber War Chronicles Stories from the Virtual Trenches

Global DDoS Threat Landscape

DoS Cyber Attack on a Government Agency in South America- February 2012 Anonymous Mobile LOIC in Action

Imma Chargin Mah Lazer

WEBSCALE CONVERGED APPLICATION DELIVERY PLATFORM

DDOS RESILIENCY SCORE (DRS) "An open standard for quantifying an Organization's resiliency to withstand DDoS attacks" Version July

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

DDoS attack patterns across the APJ cloud market. Samuel Chen CCIE#9607 Enterprise Security Architect, Manager - APJ

A custom excerpt from Frost & Sullivan s Global DDoS Mitigation Market Research Report (NDD2-72) July, 2014 NDD2-74

Innovation in the Cloud: How to Grow Markets, Reduce Risks, and Improve the Customer Experience

INTRODUCTION: DDOS ATTACKS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

The DNS of Things. A. 2001:19b8:10 1:2::f5f5:1d Q. WHERE IS Peter Silva Sr. Technical Marketing

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

The New Net, Edge Computing, and Services. Michael R. Nelson, Ph.D. Tech Strategy, Cloudflare May 2018

Beyond Blind Defense: Gaining Insights from Proactive App Sec

F5 comprehensive protection against application attacks. Jakub Sumpich Territory Manager Eastern Europe

DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors

War Stories from the Cloud: Rise of the Machines. Matt Mosher Director Security Sales Strategy

Global DDoS Measurements. Jose Nazario, Ph.D. NSF CyberTrust Workshop

F5 Warsaw SOC. Kamil Woniak. Security Operations Manager, F5 Networks

Secure your Web Applications with AWS WAF & AWS Shield. James Chiang ( 蔣宗恩 ) AWS Solution Architect

THE UTILITY OF DNS TRAFFIC MANAGEMENT

Herding Cats. Carl Brothers, F5 Field Systems Engineer

Comprehensive datacenter protection

AKAMAI SOLUTION BROCHURE CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE.

THE STATE OF MEDIA SECURITY HOW MEDIA COMPANIES ARE SECURING THEIR ONLINE PROPERTIES

Cyber Security, Big Data and Risk

Corrigendum 3. Tender Number: 10/ dated

Hosting Roadmap Upgrades, Improvements and Changes

AKAMAI CLOUD SECURITY SOLUTIONS

How to Choose a CDN. Improve Website Performance and User Experience. Imperva, Inc All Rights Reserved

Think You re Safe from DDoS Attacks? As an AWS customer, you probably need more protection. Discover the vulnerabilities and how Neustar can help.

An Introduction to DDoS attacks trends and protection Alessandro Bulletti Consulting Engineer, Arbor Networks

Cybersecurity. Anna Chan, Marketing Director, Akamai Technologies

Enterprise D/DoS Mitigation Solution offering

Cloudflare Advanced DDoS Protection

IoT - Next Wave of DDoS? IoT Sourced DDoS Attacks A Focus on Mirai Botnet and Best Practices in DDoS Defense

Sam Pickles, F5 Networks A DAY IN THE LIFE OF A WAF

Cisco Firepower with Radware DDoS Mitigation

SpamCheetah manual. By implementing protection against botnets we can ignore mails originating from known Bogons and other sources of spam.

2015 DDoS Attack Trends and 2016 Outlook

DDoS Protector. Simon Yu Senior Security Consultant. Block Denial of Service attacks within seconds CISSP-ISSAP, MBCS, CEH

DNS SECURITY BENEFITS OF OUTSOURCING YOUR DNS TO AN IP ANYCAST+ PROVIDER

haltdos - Web Application Firewall

akamai s [state of the internet] / security

How your network can take on the cloud and win. Think beyond traditional networking toward a secure digital perimeter

Intelligent and Secure Network

Imperva Incapsula Load Balancer

What s next for your data center? Power Your Evolution with Physical and Virtual ADCs. Jeppe Koefoed Wim Zandee Field sales, Nordics

the Breakdown of Perimeter Defenses

F5 Synthesis Information Session. April, 2014

Incident Command: The far side of the edge

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

A10 DDOS PROTECTION CLOUD

NINE MYTHS ABOUT. DDo S PROTECTION

All-in one security for large and medium-sized businesses.

Corero & GTT DDoS Trends Report Q2 Q3 2017

NETACEA / WHITE PAPER DNS VS JAVASCRIPT

SOTI SUMMER [state of the internet] / security ATTACK SPOTLIGHT

DDoS Introduction. We see things others can t. Pablo Grande.

A Security Orchestration System for CDN Edge Servers

Prolexic Attack Report Q4 2011

Arbor White Paper Keeping the Lights On

Silverline DDoS Protection. Filip Verlaeckt

Additional Security Services on AWS

A GUIDE TO DDoS PROTECTION

Document Sub Title. Yotpo. Technical Overview 07/18/ Yotpo

DDoS MITIGATION BEST PRACTICES

Multi-vector DDOS Attacks

and indeed live most of our lives online. Whether we are enterprise users or endpoint consumers, our digital experiences are increasingly delivered

Analisi degli attacchi DDOS e delle contromisure

What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1

Denial of Service Protection Standardize Defense or Loose the War

Securing Your Microsoft Azure Virtual Networks

Arbor WISR XII The Stakes Have Changed. Julio Arruda V1.0

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Review for Internet Introduction

MULTIPLAYER GAMING SOLUTION BRIEF

The Top 6 WAF Essentials to Achieve Application Security Efficacy

COPYRIGHT 2018 NETSCOUT SYSTEMS, INC. 1

Security Whitepaper. DNS Resource Exhaustion

Data Sheet. DPtech Anti-DDoS Series. Overview. Series

Internet2 DDoS Mitigation Update

Ensuring the Success of E-Business Sites. January 2000

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

Network Security (and related topics)

DDOS DETECTION AND RESPONSE TRENDS IN THE ENTERPRISE: AN IANS CUSTOM REPORT

Next Week. Network Security (and related topics) Project 3 Q/A. Agenda. My definition of network security. Network Security.

Powerful application delivery, security, performance and reliability

McAfee Virtual Network Security Platform

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Transcription:

Distributed Denial of Service War Stories from the Cloud Front Michael Smith Security Evangelist

Agenda Akamai and DDOS Threats and Capabilities Fail Patterns July 4th, 2009 Building Defenses Summary

The Akamai Cloud: Largest Distributed Computing Platform in the World 73,000+ Servers 1,600+ Locations 70 Countries All branches of the US Military 85 of the top 100 online retailers 9 of the top 10 virus companies 29 of the top 30 M&E companies 4.5+ Tbps, 15-25% of web traffic 10+ Million transactions per second

Akamai Topology and DDoS Customer Webserver End User Geographic Dispersion Traffic Management Device Offload Blocking Site Failover

Agenda Akamai and DDOS Threats and Capabilities Fail Patterns Building Defenses July 4th, 2009 Active Response Summary

Threats: Extortion You have a nice website, it would be a shame if anything were to happen to it. $30,000 can buy you an insurance policy to keep that from happening.

Threats: State-Sponsored Estonia Georgia United States Or were they?

Threats: Activists/Protestors

Threats: The /B/tards Greetings, Anonymous Our beloved Pirate Bay has been recently taken down by certain Media Interests groups. It's back up, but- It has happened far too many times. It is time to show a clear message to those that wish to harm our Internet Refuge. It is time to strike back. We must show these jerks what we think of their games. We can not let them win. We must retaliate. Our first objective was to take down Aiplex, the ones that DDoSed The Pirate Bay. Everything had went even better than expected. We selected a new target, MPAA, in just eight minutes after launching the attack, their website suffered a tremendous blow at the hands of Anonymous. Instead of selecting another target we will be launching a second attack against the MPAA on September 19th, 3:00PM. This is to show these corporate jerks that we won't stand for them messing with our websites. If you do not use TPB, remember that Private Trackers are the next target. So, if you are still with me, Lets give them a night to remember.

Threats: 17-Year-Olds? Source: http://www.escapistmagazine.com/ Let this be a lesson to you, kids: If you're dumb enough to get caught cheating in SOCOM, you're probably dumb enough to get caught using a botnet to launch a DDOS attack against PlayStation.com. --Escapist Magazine

Attack Size - Gbps Peak Attack Traffic per year 50 49 45 40 40 35 30 25 24 20 17 15 10 5 0 0.4 1.2 2.5 10 2001 2002 2003 2004 2005 2006 2007 2008 (Arbor Networks)

Attack Size - Gbps Peak Attack Traffic per year 124 July 4th, 2009 (Akamai) 50 45 40 35 30 25 20 15 10 5 0 40 24 17 10 2.5 0.4 1.2 2001 2002 2003 2004 2005 2006 2007 (Arbor Networks) 49 2008

Agenda Akamai and DDOS Threats and Capabilities Fail Patterns July 4th, 2009 Building Defenses Summary

Fail Patterns: Network and Devices Includes circuits, firewalls, WAFs, load balancers Flooding Attacks (attacker bandwidth > you) UDP SYN (also OS) ICMP (ping -f) Reflected Attacks Web Objects (small request, large response) Images and movies (yes, pr0nz too) Documents (.doc.pdf.xls) Zip files Downloadable software If the network is attacked, everything on that network fails (shared Internet connections)

Fail Patterns: DNS DNS is a Single Point of Failure--all other traffic dies DNS is UDP is bad Limited to 10 nameservers per domain DNSSEC creates network, application, and OS load <-oops.

Fail Patterns: Mail Servers Filtering email creates server and application load Requires large amounts of attacker bandwidth Email can have large attached objects Fail: Mailbox size limits Storage Processing power for filters

Fail Patterns: Web and App Servers Load large objects Exercise business logic Siege http://www.joedog.org/index/siege-home Shell scripts work: while true; wget http://www.mpaa.org/resources/86fec176-1e62-401c-aaa6- e58c4078426e.jpg & wget http://www.mpaa.org/resources/ccb46057-c90e-4770-9f81- dd16b82ec062.jpg & wget http://www.mpaa.org/resources/3d434c12-7569-45b0-a242-2ca0be1036d6.jpg &... wget http://www.mpaa.org/templates/images/header_mpaa_logo.gif & done

Fail Patterns: Database Servers while true; do wget 'http://riaa.com/goldandplatinumdata.php?table= SEARCH_RESULTS&title=&artist=&label=&format =&category=&type=&awarddescription=&startmo nth=1&startyear=0&endmonth=12&endyear=200 9&sort=Date&sense=ASC&perPage=5000000000 &go=search' > /dev/null & done

Agenda Akamai and DDOS Threats and Capabilities Fail Patterns July 4th, 2009 Building Defenses Summary

July 4 th DDoS Attack Top Targets Peak Traffic Times Above Normal Traffic US Government 1 124 Gbps 598x US Government 2 32 Gbps 369x Financial 1 26 Gbps 110x US Government 3 9 Gbps 39x US Government 4 9 Gbps 19x US Government 5 2 Gbps 9x US Government 6 1.90 Gbps 6x US Government 7 0.73 Gbps * OC-192 speed is ~10Gbps at $2M/month (GSA rates for TIC) Source: Akamai * Site down before Akamai

July 4 th DDoS Attack Timeline 14:00 Alert fires in Akamai s Network Operations and Command Center

July 4 th DDoS Attack Timeline 16:00 Continued elevated traffic. Customer notification initiated based on SOP. 200 Mbps Normal traffic level 5,000 Mbps Elevated traffic level

Attack Size - Gbps July 4 th DDoS Attack Timeline 20:00 Attack increases rapidly 125 100 75 50 20:00 25 Probes 0:00 8:00 16:00 0:00 8:00 16:00 July 4th, 2009 July 5th, 2009

July 4 th DDoS Attack Timeline 21:00 Akamai Identifies Sources 97,882 Unique IP s in 30 mins Time

Attack Size - Gbps July 4 th DDoS Attack Timeline 23:00 Mitigation measures started 125 22:50 125 Gbps Peak bandwidth 100 75 23:50 795K Peak page views 50 25 0:00 8:00 16:00 0:00 8:00 16:00 July 4th, 2009 July 5th, 2009

July 4 th DDoS Attack Timeline 23:00 Mitigation measures started Few common attackers between spikes. Only 4,284 IP s Shared Across all Spikes.

July 4 th DDoS Attack Timeline 23:00 Mitigation measures started Korea IP Space Few common attackers between spikes. Only 4,284 IP s Shared Across all Spikes.

Attack Size - Gbps July 4 th DDoS Attack Timeline 0:30 Block Korean traffic 125 100 75 0:30 50 25 0:00 8:00 16:00 0:00 8:00 16:00 July 4th, 2009 July 5th, 2009

Attack Size - Gbps July 4 th DDoS Attack Timeline 9:30 Quarantine Korea traffic to isolated infrastructure 125 100 75 9:30 50 25 0:00 8:00 16:00 0:00 8:00 16:00 July 4th, 2009 July 5th, 2009

Attackers Change Targets and Tactics July 4th Attacks focused on two sites July 5th Attacks spread to include 5 other sites. Even traffic spread. July 5th (late) Attack shifts bulk of attack to 2 new sites July 6th (late) Attack Ends

Observations Attacks are sophisticated Attacks are long: 3 Day Duration Attacks are large: 300,000+ Attack IPs 7+ Billion Total Page Views 200+ Tbytes Equal to 50 STM16 and 2,500 Servers Attacks are fast: Traffic to a single site reached 100 Gbps in just four hours

Agenda Akamai and DDOS Threats and Capabilities Fail Patterns July 4th, 2009 Building Defenses Summary

Defense: Basic Strategies Monitoring Tuning Caching Filtering Traffic Management

Defense: Instrumentation and Monitoring Percentage of total network capacity Percentage of total OS/DB load Increase of 50% of traffic in 8 hours Increase of 50% of traffic over historical average Percentage of bizarre user agent strings Server response times Increase in error responses Is it an actual attack or an awesome marketing campaign, and does it matter?

Defense: Communications and Escalation Attackers pick inconvenient times Similar to DR/COOP plans Authority to activate SOP given to NOCC teams Established red button to DDoS plan 5% of traffic through DDoS system DNS switch to activate

Defense: Caching and Dispersion Customer Webserver End User HTTP TTL HTML Pragmas CDN Configuration

Defense: Application, Web, DB Servers Tuning means higher throughput and better user experience Input validation doesn t just mean XSS and SQLi User-supplied query limits User-supplied workloads (&action=) Validate input based on business logic or context In-application caches Communication with upstream filtering/caching

Defense: Low-Bandwidth Site Low-bandwidth sites can be cached or served from a cloud or alternate site Google for standard downloadable files: site:targetsite.com filetype:rtf filetype:ppt filetype:pptx filetype:csv filetype:xls filetype:xlsx filetype:docx filetype:doc filetype:pdf Google image search: site:targetsite.com &imgsz=medium large xlarge Web analytics tools can find large objects Use YSlow http://developer.yahoo.com/yslow/ Can you use your mobile site?

Defense: Traffic Redirect Rewrite the target url to the redirect method Redirect: Page only with JavaScript 302 codes (small) Rewrite the landing url to the real page Redirects and redirect pages can be cached! Very easy for the attacker to manually retarget

Defense: HTTP Traffic Filtering UserAgent Accept-Language Cookie set by site Cookie set by client-side JavaScript Referrer All of these together

Defense: DNS Make DNS resilient Multiple servers behind a VIP Geographic dispersion DNS resolution by geography Direct % of traffic to low-bandwidth or alternate hosting Blackhole attack traffic to 127.0.0.1 Quarantine servers

Defense: Email Maximum attachment size GreetPause Use DNS to blackhole regions

Defense: Network Traffic Scrubbers/Filters Filter by IP, CIDR, ASN, or country Drop Layer 3-5 attack traffic Organic to Content Delivery Networks Services provided by ISPs Offload of attack traffic to places outside of your network Hiding the target servers to force traffic through the scrubbers/filters

Defense: Waiting Room Uses load.txt to notify CDN of resource overload Low-bandwidth site residing on the edge Sets a cookie on the client One value gets sent to origin One value stays in queue Incrementally migrates users to origin servers as capacity is decreased

Agenda Akamai and DDOS Threats and Capabilities Fail Patterns July 4th, 2009 Building Defenses Summary

Summary: Defending Yourself What is the cost for an outage? (impact) Income Brand Preservation Loss of Confidence Timeliness of Attack Use DR/COOP Figures How much of a target are you (frequency) Priorities for protection (risk management)

Agenda Akamai and DDOS Threats and Capabilities Fail Patterns July 4th, 2009 Building Defenses Summary

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback