ANALYST BRIEF Keeping the Doors Open and the Lights On PROTECTING AGAINST DISTRIBUTED DENIAL- OF- SERVICE ATTACKS Authors Rob Ayoub and David DeSanto Overview Over the past decade, the threat landscape has changed as more enterprises and large organizations have moved their mission- critical services online. Competing in global markets driven by just- in- time demand, these enterprises rely on continuous uptime to perform business transactions on a 24/7/365 model. This shift in the business model has, however, engendered a new breed of cyber attacks designed to limit access to these resources. Although distributed denial- of- service (DDoS) attacks technically are not new, they are more effective today than ever before. The relative ease with which DDoS attacks can be launched, the diverse methods by which such attacks can be executed, and the amount of damage that can be caused by a single attack make DDoS attacks a challenge to defend against. Such attacks have proved an effective way to wreak havoc, causing high- profile outages and interruptions to transaction processing. They can be motivated by a wide range of factors, and taking down websites or blocking transactions remain effective ways to make statements or cause visible and potentially far reaching business disruptions. As enterprises look to defend against DDoS attacks, they are turning to DDoS prevention solutions, which offer protection against the different categories of DDoS attacks, and which can take the form of on- premise devices or managed services. Many vendors have entered the DDoS prevention market in recent years, and their solutions should be evaluated carefully.
NSS Labs Findings DDoS attacks continue to be one of the most difficult attack vectors to counter. The range of methods of conducting attacks is growing and diversifying as prebuilt toolkits, and even DDoS attack services, are made more readily available. The widespread availability of attack resources gives the general public the ability to participate in digital riots. Firewalls and other security devices are mistakenly viewed as adequate protection against DDoS attacks. Mitigation against DDoS attacks requires a multifaceted approach that involves network design, traditional security products (for example, intrusion prevention devices [IPS] and firewalls), contingency planning, and dedicated DDoS prevention solutions. NSS Labs Recommendations Evaluate the current network design and security posture within an organization in order to identify connections and applications that could easily be overwhelmed by malicious attacks or spikes in traffic. Establish traffic baselines in order to better determine the extent of abnormal traffic patterns. Test network infrastructures, applications, and servers against the diverse DDoS attack methods used today (volumetric attacks, protocol attacks, application attacks, or a combination of the three) in order to understand the limits and weaknesses of the network. Consider multiple mitigation techniques and products when creating a strategy to address DDoS attacks. Evaluate DDoS prevention solutions in the same manner as other critical security infrastructure components to ensure that the solution itself does not become a vulnerability to the network. 2
Table of Contents Overview... 1 NSS Labs Findings... 2 NSS Labs Recommendations... 2 Analysis... 4 The Need for Increased DDoS Protection... 4 Reliance on the Internet... 4 Diversity of Attack Drivers... 5 Ease of Initiating an Attack... 6 Why DDoS Protection Is a Challenge... 6 Difficulty in Managing Legitimate Spikes Versus Attack Traffic... 6 Requires Increased Architecture, Infrastructure, and Expertise... 6 Wide Range of Attack Types and Techniques... 7 DDoS Attack Types and Evasion Techniques... 7 Evasion Techniques... 8 DDoS Prevention Solutions... 8 In- Line Protection... 8 Out- of- Path Protection... 9 Performance Metrics for DDoS Prevention Devices... 9 Performance Under Attack... 9 Other Security Requirements... 10 Management and Configuration... 10 Reading List... 11 Contact Information... 12 3
Analysis As network bandwidth has increased and as critical assets have moved online, prevention of DDoS has become increasingly important for the enterprise. The March 2013 attack against Spamhaus clearly illustrates the damage that can be done with just a few machines. 1 Spamhaus turned to DDoS protection vendor CloudFlare to help mitigate the attack when its infrastructure was overwhelmed. Whether turning to service providers or purchasing devices in- house, organizations are considering their options for DDoS prevention. From evaluating a product s effectiveness in mitigating attacks to ensuring that traditional enterprise- class infrastructure features are in place, organizations must carefully assess different solutions to ensure that DDoS prevention is transparent. The Need for Increased DDoS Protection The sheer volume of business that occurs online requires that enterprises, websites, and partner connections remain operational with as close to 100 percent uptime as possible. In 2012, US retailers reported sales of USD $1.465 billion in online merchandise on Cyber Monday alone, an amount that was eclipsed by the over USD $5 billion in online sales reported during the Chinese equivalent. 2 While these numbers represent a small number of data points, the significant economic value that they represent illustrates the importance of online transactions. The migration of government services online adds convenience but also creates targets for politically motivated attacks, as recently illustrated during the rollout of Healthcare.gov where a DDoS attack 3 compromised the site and prevented citizens from accessing the enrollment for new healthcare services. Why does DDoS present such a threat? There is no simple answer. Diverse attack drivers; the increased availability of network bandwidth; the pervasiveness of botnets; poor implementation of Internet protocols and applications/services; reliance on Internet- based services; and the high visibility and relative ease of conducting DDoS attacks combine to create an environment where attackers can use DDoS attacks to great effect and where victim organizations struggle to protect against these attacks. Reliance on the Internet Today s society is highly dependent on the Internet; it is difficult to conceive of a world without email, and retailers such as Amazon continue to illustrate the importance of online shopping. Within the business- to- business world, every transaction, from order to payment, occurs online. The importance of the connected world extends beyond commerce, affecting almost every aspect of daily living. In 2003, the Department of Homeland Security drafted the National Strategy to Secure Cyberspace, 4 which discussed the dependence of society on connected resources. The list of critical infrastructures it cited was comprehensive, including banking and finance, insurance, chemical, oil and gas, electric, law enforcement, higher education, transportation, telecommunications and information technology, and water. 1 http://www.nytimes.com/interactive/2013/03/30/technology/how- the- cyberattack- on- spamhaus- unfolded.html?_r=0 2 http://www.internetretailer.com/2013/11/11/chinas- cyber- monday- posts- more- 5- billion- web- sales 3 http://www.scmagazine.com/cyber- attacks- on- healthcaregov- reported- to- dhs/article/321243/ 4 https://www.us- cert.gov/sites/default/files/publications/cyberspace_strategy.pdf 4
Any disruption of a business or service has the potential to cause national or even global economic disruption (a 2012 Neustar survey suggested that 35 percent of organizations surveyed indicated that downtime losses would result in over USD $10,000 per hour in losses), 5 and attacks against other components of the critical infrastructure could even be life threatening (for example, an attack against power grids or water utilities). Diversity of Attack Drivers DDoS attacks have been in use for well over two decades 6 and have targeted governments, educational institutions, enterprises, and even charitable organizations. In some cases, the express purpose of a DDoS attack is to prevent services from operating, and in other cases, the attacks are intended as a diversion while a separate attack exfiltrates data. Given the wide range of potential attack drivers, it is difficult for organizations and service providers to plan for an attack. According to Arbor s 2013 Enterprise Threat Landscape Report, 50 percent of enterprises surveyed experience a DDoS attack on their infrastructure. 7 Figure 1 depicts data from this study and demonstrates the diversity of drivers for DDoS attack, based on customer survey data. 33% 31% 27% 15% 15% Polimcal/ideological disputes Online gaming Vandalism/nihilism Diversion to cover compromise/data exfiltramon Compemmve rivalry between business organizamons Figure 1 Drivers for DDoS Attacks 5 http://hello.neustar.biz/rs/neustarinc/images/neustar- insights- ddos- attack- survey- q1-2012.pdf 6 http://www.defense.net/index.php/ddos- in- depth/ddos- timeline/index.html 7 http://www.arbornetworks.com/corporate/blog/4923- introducing- the- 1st- annual- enterprise- threat- landscape- report 5
Ease of Initiating an Attack Another factor driving the prevalence of DDoS attacks is the relative ease with which these attacks can be initiated. Botnet services are available (prebuilt botnets that an attacker can rent), and recent reports claim botnet pricing to be in the range of USD $2 to USD $5 per hour for an attack that lasts from several hours to up to three days. 8 The attacker has only to specify the IP address to attack, and the attack will commence. Other attackers might build their own botnets, making use of the many malware kits that are available. Security researchers are partly to blame for the ease with which attack methods can be accessed: DDoS code is often posted on the Internet for the purpose of educating, and thus arming, others against these attacks; however, this information also arms attackers. The cost and complexity of a DDoS attack is low in comparison to most other attacks, and this low barrier to entry allows even non- technical individuals and groups within the general public to launch large- scale attacks with relative ease. This puts all organizations at risk of attack, since any organization may have detractors to its ideology, political affiliation, or business model. Why DDoS Protection Is a Challenge DDoS attacks have a long history, and yet the security industry has had limited success in preventing them. Why do DDoS attacks remain so effective? As previously discussed, they are simple to launch and cost considerably less than targeted persistent attacks (TPAs), which typically require zero- day vulnerabilities and sophisticated programming techniques. Other reasons for their prevailing success include: Difficulty in Managing Legitimate Spikes Versus Attack Traffic No organization wants to block legitimate traffic. Accidentally turning away a customer can have a significant economic impact on an organization. In the case of many DDoS attacks, the traffic that is used to generate the attack often appears legitimate. How does an organization determine whether a spike in traffic is legitimate (for example, a sale or breaking news) or an attack? This dilemma is the reason why organizations are cautious when making decisions on throttling traffic. Without a solid understanding of baselines and historic traffic trends, organizations are unlikely to detect an attack until it is too late. Requires Increased Architecture, Infrastructure, and Expertise The additional architecture, infrastructure, and expertise that an organization requires to prepare for, detect, and mitigate a DDoS attack present another challenge. To manage the sudden influx of traffic that occurs during a DDoS attack, organizations must have the ability to route traffic across various resources. Additional servers, routers, and network resources (such as load balancers) must be in place to manage the additional traffic. Depending on the size of the attack, however, having more resources may not in itself be sufficient. Organizations may require re- routing of all traffic to block offending IP addresses and then permit non- offending IP addresses to pass through to the protected resources. These options for mitigation require extra equipment and specific expertise to configure the infrastructure during an attack. Many organizations do not have this level of sophistication. 8 http://channelnomics.com/2013/07/08/ddos- attacks- on- sale- for- 2- an- hour/ 6
Wide Range of Attack Types and Techniques The range of DDoS attack techniques available presents yet another challenge. Historically, the concept of a DDoS attack was simply to overwhelm the target with traffic. While many effective attacks rely on this method (the Spamhaus attack used this type of attack to reach rates over 300 Gbps), attackers have also found application- level attacks to be highly effective. DDoS Attack Types and Evasion Techniques Volumetric On occasion, the easiest way to prevent access to a target is to consume all of the network bandwidth available. This is the goal behind a volumetric DDoS attack. The attacker, through various means, launches an attack designed to cause network congestion between the target and the rest of the Internet. This volume of traffic can be generated through multiple hosts, for example, a botnet, and leaves no available bandwidth for legitimate users of the resource (whether it is an ecommerce website or a financial services group). Volumetric DDoS attacks generally target protocols that are stateless and do not have built- in congestion avoidance. Examples of volumetric DDoS attacks include (but are not limited to): Internet Control Message Protocol (ICMP) packet floods (including all ICMP message types) Malformed ICMP packet floods User Datagram Protocol (UDP) packet floods (usually containing no application layer data) Malformed UDP packet floods Spoofed IP packet floods Malformed IP packet floods Ping of Death Smurf attack Protocol Attackers can also prevent access to a target by consuming other types of resources. Protocol DDoS attacks are designed to exhaust resources available on the target or on a specific device between the target and the Internet. The devices can include routers, load balancers, and even some security devices. When the DDoS attack consumes a resource such as a device s TCP state table, no new connections can be opened because the device is waiting for connections to close or expire. Protocol DDoS attacks need not consume all of a target s available bandwidth to make it inaccessible. Examples of protocol DDoS attacks include (but are not limited to): SYN floods ACK floods RST attacks TCP connection floods Land attacks TCP state exhaustion attacks Fragmentation attacks TCP window size attacks 7
Application Attackers also attempt to prevent access by exploiting vulnerabilities in the application layer. These vulnerabilities can be within an application layer protocol as well as within the application itself. Attacks on unpatched, vulnerable systems do not require as much bandwidth as either protocol or volumetric DDoS attacks in order to be successful. This style of DDoS attack may require, in some instances, as little as one or two packets to render the target unresponsive. Application DDoS attacks can also consume application layer or application resources by slowly opening up connections and then leaving them open until no new connections can be made. Examples of application DDoS attacks include (but are not limited to): HTTP GET floods HTTP POST floods HTTP partial connection floods HTTP overlapping range header attacks DNS amplification attacks Secure Sockets Layer (SSL) exhaustion attacks Session Initiation Protocol (SIP) invite floods Layered Attacks As the name implies, layered attacks use diverse DDoS attacks in an attempt to overwhelm the network and any defenses that may be in place. While some networks may be able to sustain DDoS attack, their resources may soon be exhausted, which would allow an application DDoS attack to successfully bypass protection mechanisms and thus render the target inoperable. Evasion Techniques Attackers can modify basic DDoS attacks to evade detection in a number of ways. If a single evasion is successful and an attack passes through, then all of the defenses in place at that point are nullified. Therefore, it is critical that any defense put up by an organization is capable of detecting and defending against the many evasion techniques available to attackers. Some common evasion techniques use IP fragmentation and stream segmentation. Evasion of defenses may not be critical for attackers if the goal is to overwhelm resources (whether bandwidth or state exhaustion), but as more organizations install better defense evasion techniques, it could become a critical component of future DDoS attacks. DDoS Prevention Solutions Given the scale and complexity of many modern DDoS attacks and given that firewall and intrusion prevention systems (IPS) cannot always mitigate these attacks, many organizations are selecting DDoS prevention solutions as a critical architectural component in their networks. These solutions provide protection by identifying a specific DDoS attack and then working to minimize its effect on the network and legitimate traffic. The solutions are deployed in- line or out- of- path and should have performance and reliability requirements similar to other critical infrastructure components, since they may be required to process potentially large amounts of traffic. In- Line Protection In- line DDoS prevention solutions adopt the traditional network security device posture of mitigating, or dropping, malicious traffic in- line, and as such, typically consist of a single appliance (or multiple appliances for 8
high availability scenarios) and are often deployed in front of or behind the perimeter security device. The appliances can be dedicated standalone appliances, or they can be integrated into other traditional security products, such as IPS and next generation firewalls (NGFW). This type of solution is generally deployed in enterprises and small- to- medium data centers, but it is not, however, limited to these environments since it can be designed to handle high throughput scenarios. Out- of- Path Protection The out- of- path posture is one where the DDoS prevention solution actively monitors traffic at an ingress point for malicious activity. Once malicious activity is detected, the DDoS prevention solution uses routing protocols such as border gateway protocol (BGP) to redirect traffic to a dedicated appliance for inspection and to reintroduce the legitimate (i.e., non- malicious) traffic into the network. This type of DDoS prevention solution commonly consists of more than one appliance and is designed to work in higher throughput environments such as large data centers and ISPs. Performance Metrics for DDoS Prevention Devices Since DDoS protection solutions are intended to run at line rate (even if out- of- path), performance is critical. While DDoS prevention solutions should be held to the same standards as other pieces of network infrastructure, they have the additional challenge of being required to process application traffic. The following are examples of performance metrics that require evaluation when considering DDoS prevention solutions: Raw packet processing performance Latency Maximum throughput capacity HTTP capacity (with and without transaction delays) Application average response time Real- world traffic Performance Under Attack In addition to performing at line speeds during normal traffic loads, DDoS prevention solutions must also continue passing traffic under attack. This is especially critical for latency- sensitive environments or environments that serve multitudes of customers such as data centers, Internet service providers (ISPs), or financial institutions. DDoS prevention solutions should be able to still pass legitimate, real- world traffic to the intended destinations, regardless of the size or complexity of the attack. 9
Other Security Requirements Like other security infrastructure devices, DDoS prevention solutions must continue to operate in spite of multiple attacks or disruptions in traffic. Beyond processing legitimate traffic throughout an attack, the devices themselves must be hardened and must offer the same levels of stability and reliability, as well as support the same high- availability options, which are common in devices such as firewalls and other IPS devices. In addition to performance, the following factors should be evaluated on a device: What happens to the device when power fails? Does the device include redundant components (for example, fans, power supplies, hard drive)? Does the device data remain persistent during a power failure? Is a high- availability option available, and how does the device perform during failover? o What happens to legitimate traffic? o How long does the device take to failover? o Is stateful operation maintained? Management and Configuration Management and configuration capabilities should be critical components in the evaluation of a DDoS prevention solution. Preventing DDoS attacks requires delicate tuning to avoid blocking legitimate traffic. DDoS prevention solutions are complicated to deploy, and options such as centralized management console options, log aggregation, and event correlation/management systems further complicate the purchasing decision. Understanding key comparison points will allow customers to model the overall impact on network service level agreements (SLAs); estimate operational resource requirements to maintain and manage the systems; and better evaluate the required skill/competencies of staff. The following considerations should be made for any DDoS prevention solution. How easy is it to install and configure devices and to deploy multiple devices throughout a large enterprise network? How easy is it to create, edit and deploy complicated security policies across an enterprise? How accurate and timely is the alerting, and how easy is it to drill down to locate the critical information that is required to remediate a security problem? How effective is the reporting capability, and to what extent can it be customized? 10
Reading List Test Methodology Distributed Denial- of- Service (DDoS) Prevention v1.0. NSS Labs https://www.nsslabs.com/reports/distributed- denial- service- ddos- prevention- test- methodology- v10 11
Contact Information NSS Labs, Inc. 206 Wild Basin Rd Building A, Suite 200 Austin, TX 78746 USA +1 (512) 961-5300 info@nsslabs.com www.nsslabs.com This analyst brief was produced as part of NSS Labs independent testing information services. Leading products were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analyst brief. 2014 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors. Please note that access to or use of this report is conditioned on the following: 1. The information in this report is subject to change by NSS Labs without notice. 2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader s sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report. 3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON- INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. 4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader s expectations, requirements, needs, or specifications, or that they will operate without interruption. 5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report. 6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners. 12