Source: d2zmdbbm9feqrf.cloudfront.net/2012/eur/pdf/brkgs-2005.pdf


BRKGS-2005

DDoS Attacks and the Ostrich Mentality, How to avoid having a very large egg on your face.

Follow us on Twitter for real time updates of the event:

@ciscoliveeurope, #CLEUR

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKGS-2005 2

Housekeeping

We value your feedback - don't forget to complete your online session evaluations after each session and the Overall Conference Evaluation, which will be available online from Thursday

Visit the World of Solutions and Meet the Engineer

Visit the Cisco Store to purchase your recommended readings

Please switch off your mobile phones

After the event don’t forget to visit Cisco Live Virtual: www.ciscolivevirtual.com


DDoS attack? It’ll Never Happen to Me

Ostrich Mentality : ‘When an ostrich is afraid, it will bury its head in the ground, assuming that because it cannot see, it cannot be seen.’

Historically, the attitude to DDoS as a Service Availability Threat has been similar.

…but this is changing because of:

- AWARENESS : Massive mainstream press around Anonymous, LulzSec, Sony, etc.

- RISK : More businesses are reliant on Internet Services for their business continuity.

- MOTIVATIONS : Wider spread of attack motivations, broader target set.

- EXPERIENCE : Larger, more frequent, more complex attacks.

Looking at the Internet Threat Landscape


DDoS, when it Happens

Numerous surveys through 2010 / 2011 indicate that the likelihood of being attacked is increasing:

- Arbor 2010 Infrastructure Security Report
  - Weighted average of 1.8 attacks/year for medium to large enterprises in 2010
  - Average down-time of 6.7 hours.

- Verisign, DDoS Finally Getting the Attention it Deserves
  - 63% saw 1 or more attacks, 11% saw 6 or more.
  - 46% had their site down for more than 5 hours, 23% for more than 12 hours

And the costs can be significant:

- Ponemon Institute, Annual Cost of Cyber Crime Study
  - 56% increase in the cost of Cyber Crime from the 2010 study.
  - DDoS was the most costly type of attack, with an average annualized cost of $187,506

- Verisign, DDoS Finally Getting the Attention it Deserves
  - Costs are spread between: customer impact, productivity, lost revenue, brand damage, SLA violation.

The Business Impact of DDoS attacks


What is a Denial of Service attack?

- An attempt to consume finite resources, exploit weaknesses in software design or implementation, or exploit lack of infrastructure capacity

- Affects the availability and utility of computing and network resources

- Attacks can be Distributed for even more significant effect

- The collateral damage caused by an attack can be as bad, if not worse, than the attack itself

[Diagram: Attack Traffic and Good Traffic entering a Data Center through a Load Balancer; impact points labelled Volumetric DDoS Impact, State-Exhaustion DDoS Impact (Exhaustion of State) and Application-Layer DDoS Impact.]

(D)DoS Primer

DDoS Attack Vectors

Volumetric Attacks

- Usually botnets or traffic from spoofed IPs generating high bps / pps traffic volume

- UDP based floods from spoofed IPs take advantage of the connectionless UDP protocol

- Take out the infrastructure capacity – routers, switches, servers, links

Reflection Attacks

– Use a legitimate resource to amplify an attack to a destination

– Send a request to an IP that will yield a big response, spoof the source IP address to that of the actual victim

– DNS Reflective Amplification is a good example

[Diagram 1: DNS reflective amplification - the attacker sends DNS requests to a DNS server with the source address spoofed to the victim's; the DNS server responds to the request from the spoofed source, so the DNS response, many times larger than the request, is delivered to the victim; repeated many times.]

[Diagram 2: botnet formation across the Internet backbone, UK/US broadband and corporate networks - systems become infected, the controller connects, the botnet master (BM) issues the attack command over C&C, and the bots attack.]

Bots connect to a C&C to create an overlay network (botnet)
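As an added illustration of the reflection vector described above (example code written for this page, not from the Cisco or Arbor material), the following Python heuristic scans NetFlow-style flow records for the defender-side signature of DNS reflective amplification: a host receiving large UDP responses from source port 53 of many resolvers it never queried. The flow field names, the thresholds and the sample records are constructed assumptions.

```python
"""Flag likely victims of DNS reflective amplification in flow records.

Added example for this page (not Cisco or Arbor code). Field names,
thresholds and the sample records below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, NetFlow-style (assumed field set)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    packets: int
    bytes: int


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes delivered to the victim per byte the sender had to emit."""
    return response_bytes / request_bytes


def find_reflection_victims(flows, min_unsolicited_sources=5, min_avg_pkt_bytes=512):
    """Return {dst_ip: stats} for hosts that look like reflection victims.

    Signature: DNS responses (UDP, src port 53) arriving from many distinct
    resolvers that the host never sent a query to, with a large average
    packet size (amplified answers).  A normal client is not flagged because
    every response it receives matches a query it sent.
    """
    responses = defaultdict(list)   # dst_ip -> response flows it received
    queried = defaultdict(set)      # client_ip -> resolvers it actually queried
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_port == 53:
            queried[f.src_ip].add(f.dst_ip)
        elif f.src_port == 53:
            responses[f.dst_ip].append(f)

    findings = {}
    for dst, resp in responses.items():
        sources = {f.src_ip for f in resp}
        unsolicited = sources - queried.get(dst, set())
        pkts = sum(f.packets for f in resp)
        total = sum(f.bytes for f in resp)
        avg = total / pkts if pkts else 0.0
        if len(unsolicited) >= min_unsolicited_sources and avg >= min_avg_pkt_bytes:
            findings[dst] = {
                "unsolicited_sources": len(unsolicited),
                "bytes": total,
                "avg_pkt_bytes": round(avg, 1),
            }
    return findings


# Constructed sample (RFC 5737 documentation addresses, not real hosts):
# twelve open resolvers each deliver 400 large answers to 203.0.113.10,
# which never queried any of them; 203.0.113.20 is a normal client.
SAMPLE_FLOWS = [
    Flow(f"198.51.100.{i}", 53, "203.0.113.10", 40000 + i, "udp", 400, 1_200_000)
    for i in range(1, 13)
] + [
    Flow("203.0.113.20", 51234, "198.51.100.1", 53, "udp", 10, 700),    # queries
    Flow("198.51.100.1", 53, "203.0.113.20", 51234, "udp", 10, 1_500),  # answers
    Flow("192.0.2.7", 44000, "203.0.113.10", 443, "tcp", 30, 9_000),    # unrelated web traffic
]


if __name__ == "__main__":
    for victim, stats in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{victim}: {stats}")
    print(f"amplification of a 64-byte query answered with 3000 bytes: "
          f"{amplification_factor(64, 3000):.1f}x")
```

The unsolicited-source check is what separates a victim from a busy recursive client: a resolver answering queries a host actually sent is normal, a dozen resolvers answering queries it never sent is the reflection signature, and the average packet size distinguishes amplified answers from ordinary ones.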


DDoS Attack Vectors

TCP state exhaustion

- Take advantage of stateful nature of TCP protocol

- SYN, FIN, RST Floods

- TCP connection attacks

- Exhaust resources in servers, load balancers or firewalls.

[Diagram: the client sends SYN(C); the listening server replies SYN(S), ACK(C) and stores data (connection state, etc.); repeated many times until the system runs out of TCP listener sockets or out of memory for stored state.]

Application layer attacks

– Exploit limitations, scale and functionality of specific applications

– Can be low-and-slow

– HTTP GET / POST, SIP Invite floods

– Can be more sophisticated: ApacheKiller, Slowloris, SlowPOST, RUDY, refref, hash collision, etc.

– Multiple malware families capable
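The state-exhaustion mechanism the SYN diagram describes can be made concrete with a small model of a listener's half-open queue. This is an added example, not code from the presentation: capacity, SYN timeout and arrival rates are assumed parameters, it counts how many legitimate handshakes are refused once never-completing SYNs fill the queue, and it reports the tick at which a simple half-open occupancy alarm would fire.

```python
"""Model of TCP listener state exhaustion (half-open queue filling up).

Added example for this page, not code from the presentation.  Capacity,
timeout and arrival rates are assumed parameters; peers are labels in a
dictionary, no packets are sent.
"""


class ListenerBacklog:
    """The server's queue of half-open (SYN received, ACK not yet seen) connections."""

    def __init__(self, capacity: int, syn_timeout: int):
        self.capacity = capacity
        self.syn_timeout = syn_timeout
        self.half_open = {}        # peer -> time at which the entry expires
        self.established = 0

    def _expire(self, now: int) -> None:
        # Entries whose timer ran out are reclaimed; this is the only way
        # state is freed when a peer never completes the handshake.
        self.half_open = {p: t for p, t in self.half_open.items() if t > now}

    def on_syn(self, peer: str, now: int) -> bool:
        """Store state for a SYN; False means the SYN was dropped (queue full)."""
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            return False
        self.half_open[peer] = now + self.syn_timeout
        return True

    def on_ack(self, peer: str, now: int) -> bool:
        """Final ACK of the handshake: state is released, connection established."""
        self._expire(now)
        if peer not in self.half_open:
            return False
        del self.half_open[peer]
        self.established += 1
        return True

    def occupancy(self) -> float:
        return len(self.half_open) / self.capacity


def run_scenario(capacity=256, syn_timeout=30, seconds=60,
                 half_open_per_second=20, alert_threshold=0.9):
    """One legitimate handshake per second competes with SYNs that never complete.

    Returns counts of legitimate connections served and refused, how many
    incomplete SYNs were dropped, and the first tick at which a half-open
    occupancy alarm (a simple state-exhaustion detector) would have fired.
    """
    backlog = ListenerBacklog(capacity, syn_timeout)
    legit_ok = legit_dropped = incomplete_dropped = 0
    alert_tick = None
    for now in range(seconds):
        client = f"10.0.0.{now}"           # constructed legitimate client
        if backlog.on_syn(client, now) and backlog.on_ack(client, now):
            legit_ok += 1
        else:
            legit_dropped += 1
        for i in range(half_open_per_second):   # SYNs whose ACK never arrives
            if not backlog.on_syn(f"never-acks-{now}-{i}", now):
                incomplete_dropped += 1
        if alert_tick is None and backlog.occupancy() >= alert_threshold:
            alert_tick = now
    return {
        "legit_ok": legit_ok,
        "legit_dropped": legit_dropped,
        "incomplete_dropped": incomplete_dropped,
        "alert_tick": alert_tick,
        "established": backlog.established,
    }


if __name__ == "__main__":
    print(run_scenario())
```

With the default parameters the queue is full by the thirteenth second and legitimate clients are refused for the rest of each timeout window, which is why the slide lists servers, load balancers and firewalls (anything holding per-connection state) as the targets of this vector. The occupancy alarm fires at the eleventh second, before the first legitimate client is turned away, which is the kind of early indicator a mitigation device can act on.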


So, how is DDoS Evolving?

In order to understand the DDoS threat (and how to protect ourselves) we need to know what is going on out there.

Two data sources being presented here:

- Preview of Arbor World-Wide Infrastructure Security Survey, 2011.

- Arbor ATLAS Internet Trends data.

Arbor World-Wide Infrastructure Security Survey, 2011

- 7th Annual Survey

- Concerns, observations and experiences of the OpSec community

- 114 respondents, broad spread of network operators from around the world

Arbor ATLAS Internet Trends

- 180+ Arbor customers

- Hourly export of anonymised DDoS and traffic statistics

Looking at the Internet Threat Landscape


Aggregate attack sizes have leveled off but remain at levels capable of overwhelming most Internet operators

13% of respondents report attacks above 10 Gbps

40% of respondents report attacks above 1 Gbps

Largest pps attack reported is 35 Mpps, keeping pace with 2010

Large Attacks are Now Commonplace

Key Findings in the 2011 Survey

[Chart: Largest Attack in Gbps, by year]
2002: 0.14, 2003: 1.2, 2004: 2.5, 2005: 10, 2006: 17, 2007: 24, 2008: 40, 2009: 49, 2010: 100, 2011: 60

[Chart: Highest BPS DDoS in 2011]
> 10 Gbps: 13%; 1 - 10 Gbps: 27%; the remaining 43% and 17% are split between < 1 Gbps and Don't Know (which is which is not recoverable from the extraction)

A higher percentage of attacks reported on HTTP and IRC relative to 2010

- HTTP (87% vs 84%) and IRC (11% vs 0%) relative to 2010

Lower percentage of attacks on DNS, SMTP, HTTPS and VOIP

- DNS (67% vs 76%), SMTP (25% vs 40%), HTTPS (24% vs 35%) and VOIP (19% vs 38%)

SSL based attacks reported included TCP and UDP floods against port 443 and Slowloris

Application Layer and Multi-Vector Attacks

Key Findings in the 2011 Survey

[Chart: Services Targeted by Application Layer DDoS Attacks]
HTTP 87%, DNS 67%, SMTP 25%, HTTPS 24%, SIP/VOIP 19%, IRC 11%, Other 7%

[Chart: Have You Experienced Multi-vector Application / Volumetric DDoS Attacks]
Yes / No / Don't Know: 27%, 41% and 32% (the pairing of percentages with answers is not recoverable from the extraction)

91% of respondents see at least 1 DDoS attack per month, up from 76% in 2010

44% of respondents see 10 or more attacks per month, up from 35% in 2010

Key Findings in the 2011 Survey

Reported Attack Frequencies Increasing

[Chart: Number of DDoS Attacks per Month, share of respondents]
0: 9%; 1 - 10: 47%; 10 - 20: 15%; 20 - 50: 7%; 50 - 100: 10%; 100 - 500: 11%; > 500: 1%

ATLAS Intelligence

The Growth of Volumetric Attacks

[Chart: Average Monthly Mbps of Attacks, plotted month by month (January to December) over three consecutive years; y-axis 0 to 2000 Mbps; the final value is labelled 1861.]

[Charts: World 2010 Size Break-Out, PPS and World 2011 Size Break-Out, PPS; bins <1 Mpps, 1-2 Mpps, 2-5 Mpps, 5-10 Mpps, 10-20 Mpps and >20 Mpps (the per-bin percentages are not recoverable from the extraction).]

[Chart: Peak Monthly Gbps of Attacks, plotted over the same three years; y-axis 0 to 120 Gbps; the peak is labelled 75.97.]

Average monitored volumetric attack is now 1.86Gb/sec / 1.74Mpps in size

- Enough to saturate some enterprise / data-centre connectivity

Clear trend towards higher PPS attacks in 2011

- 143% growth in proportion of monitored attacks over 10Mpps

- 37% drop in proportion of monitored attacks over 10Gbps compared to 2010

- …but 2010 saw a 470% rise over 2009.

Largest monitored attacks continue to grow in size.

DDoS, a Growing Problem

Most current DDoS attacks are designed to thwart general defenses

- Use large, distributed botnets

- Employ low-and-slow application layer attacks

- Combine the above for obfuscation

Existing security devices / routers / switches can help with small, simple attacks (ACLs, DRTBH / SRTBH, FlowSpec)

- Won’t stop application layer attacks

- Won’t stop widely distributed attacks (1000s of hosts)

- Can be targeted by state-exhaustion attacks, in some cases.

- Require expert users for configuration.

So, how can we protect ourselves?


The Solution : IDMS

Intelligent DDoS Mitigation Systems (IDMS) are specifically designed to detect and mitigate DDoS attacks using more advanced techniques.

IDMS equipment uses a combination of Deep Packet Inspection (DPI), proxy inspection and heuristic based techniques to separate malicious traffic from good traffic.

- Counter-measures to deal with the specific DDoS threats.

- Minimal state, so the device does not become a target.

- Actionable intelligence / automation.

Arbor Networks is the market leading supplier of IDMS solutions to the majority of ISPs, and has over 11 years of experience in this area.

- ATLAS / ASERT intelligence on the Internet Threat Landscape

Intelligent DDoS Mitigation Systems


[Diagram: Peakflow SP and TMS in a Cloud Scrubbing Center provide In-Cloud DDoS Protection - block attacks before they reach the customer infrastructure. Pravail APS in the Data Center, alongside the firewall, IPS and load balancer, provides CPE-Based DDoS Protection - stop application DDoS attacks on the customer premise. Cloud Signaling from the CPE device to the cloud: "I need help!"]

Arbor's Intelligent, Layered DDoS Protection Solution

CPE Solution - Arbor Pravail APS

- 'Out-of-the-Box' Protection: Immediate protection from all types of DDoS threat; minimal configuration, utilises Arbor ASERT expertise.

- Advanced DDoS Blocking: Packet-based detection & mitigation for slow-and-low application-layer DDoS

- ATLAS Intelligence Feed: Leverage ATLAS intelligence to block current DDoS malware / tool attack vectors.

- Diverse Deployment Models: Fits many IDC and enterprise on-premise deployment scenarios; little maintenance or expertise required by users

[Diagram: Arbor Pravail APS deployed in the Data Center Network in front of the firewall and load balancer, protecting Public Web Servers, Corporate Servers, DNS Servers and VoIP Gateways.]

Arbor Pravail APS

Pravail APS 2100-Series Appliance

Pervasive and cost-effective visibility and security

Pervasive Network Visibility & Deep Insight into Services

- Leverage Cisco Netflow technology for broad traffic visibility across service provider networks.

Comprehensive Threat Management

- Granular threat detection, surgical mitigation and reporting of DDoS attacks that threaten business services.

In-Cloud Services Enabler

– A platform which offers the ability to deliver new, profitable, revenue-generating services, i.e. DDoS Protection

Cloud Solution – Arbor Peakflow SP & TMS

Pervasive and cost-effective visibility and security


[Diagram: Pravail APS in the Data Center (with IPS, load balancer and firewall) sends a Cloud Signaling message upstream to Peakflow SP / TMS: "Help stop the volumetric attack!"]

Cloud Signaling The Bridge Between Cloud-based and CPE-based DDoS Protection

Integrated protection for government, business, financial and gaming services
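The CPE-to-cloud hand-off that Cloud Signaling provides can be sketched as a controller with hysteresis. The class below is an added, hypothetical model written for this page, not Arbor's Cloud Signaling protocol or Pravail APS code: it watches inbound utilisation of the customer's access link (assumed to be 1 Gb/s, which the average attack size quoted earlier would saturate), requests upstream mitigation after a sustained run of samples above a high-water mark, and releases it after a sustained run below a low-water mark so that a single spike or a brief lull does not flap the request. The thresholds and the sample readings are constructed.

```python
"""Hysteresis controller for escalating from on-premise to cloud mitigation.

Added, hypothetical model for this page: not Arbor's Cloud Signaling
protocol or Pravail APS code.  Link capacity, thresholds and the sample
rate readings are constructed assumptions.
"""


class CloudSignalingController:
    """Decides when a CPE device should ask the upstream scrubbing centre for help.

    The CPE device can handle application-layer floods locally, but once
    inbound volume approaches the access link's capacity the attack must
    be stopped upstream.  Two thresholds with a sustain count avoid
    flapping on a single spike or a brief lull.
    """

    REQUEST = "request_mitigation"
    RELEASE = "release"

    def __init__(self, link_bps: int, high_water=0.8, low_water=0.3, sustain=3):
        self.link_bps = link_bps
        self.high_water = high_water
        self.low_water = low_water
        self.sustain = sustain
        self.mitigating = False   # True while the cloud is scrubbing for us
        self._run = 0             # consecutive samples past the active threshold

    def observe(self, inbound_bps: int):
        """Feed one utilisation sample; returns an event name or None."""
        utilisation = inbound_bps / self.link_bps
        if not self.mitigating:
            self._run = self._run + 1 if utilisation >= self.high_water else 0
            if self._run >= self.sustain:
                self.mitigating, self._run = True, 0
                return self.REQUEST
        else:
            self._run = self._run + 1 if utilisation <= self.low_water else 0
            if self._run >= self.sustain:
                self.mitigating, self._run = False, 0
                return self.RELEASE
        return None


def run_samples(samples_bps, link_bps=1_000_000_000):
    """Replay a series of per-interval inbound rates; return [(index, event), ...]."""
    controller = CloudSignalingController(link_bps)
    events = []
    for i, bps in enumerate(samples_bps):
        event = controller.observe(bps)
        if event:
            events.append((i, event))
    return events


# Constructed readings on a 1 Gb/s link: normal load, then a volumetric
# flood well beyond link capacity, then a return to normal.
SAMPLE_INBOUND_BPS = [
    200_000_000, 300_000_000,                                    # normal
    1_500_000_000, 1_600_000_000, 1_900_000_000, 1_900_000_000,  # flood
    400_000_000, 200_000_000, 200_000_000, 200_000_000,          # recovery
]


if __name__ == "__main__":
    for i, event in run_samples(SAMPLE_INBOUND_BPS):
        print(f"sample {i}: {event}")
```

The two thresholds are deliberately far apart: the request fires at 80% utilisation because anything near link capacity can no longer be fixed on the customer side, while the release waits for 30% so that scrubbing is not withdrawn while the attack is merely pausing.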


Summary

More and more businesses are reliant on Internet Services.

More complex attacks, targeting a broader spread of customers more frequently, with wider spread of motivations.

Business costs of attack can be very significant – just look at the press…

IDMS can provide pro-active detection / mitigation of DDoS attacks, ensuring service and business continuity.

Layered solutions are required for complete protection.

Addressing the DDoS Threat to Business


Further Information

Arbor 2010 Infrastructure Security Report, Volume VI

Arbor 2011 Infrastructure Security Report

Arbor Networks White Paper : The Cloud Signaling Coalition

Arbor Networks White Paper : Planning Security Budgets: Quantify the Financial Risk of DDoS

Arbor Networks White Paper : Layered Intelligent DDoS Mitigation Systems

Data Sheet : Arbor ATLAS Intelligence Feed

Data Sheet : Arbor Pravail APS

Data Sheet : Arbor Peakflow SP

For Your Reference

Recommended Reading

Please visit the Cisco Store for suitable reading.


Please complete your Session Survey

Don't forget to complete your online session evaluations after each session.

Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

Surveys can be found on the Attendee Website at www.ciscolivelondon.com/onsite which can also be accessed through the screens at the Communication Stations

Or use the Cisco Live Mobile App to complete the surveys from your phone, download the app at www.ciscolivelondon.com/connect/mobile/app.html

We value your feedback

http://m.cisco.com/mat/cleu12/

1. Scan the QR code (Go to http://tinyurl.com/qrmelist for QR code reader software, alternatively type in the access URL above)

2. Download the app or access the mobile site

3. Log in to complete and submit the evaluations


Thank you.