DDoS Attacks and the Ostrich Mentality (source: d2zmdbbm9feqrf.cloudfront.net/2012/eur/pdf/brkgs-2005.pdf)
TRANSCRIPT
BRKGS-2005
DDoS Attacks and the Ostrich Mentality: How to avoid having a very large egg on your face.
Follow us on Twitter for real time updates of the event:
@ciscoliveeurope, #CLEUR
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKGS-2005 2
Housekeeping
We value your feedback: don't forget to complete your online session evaluations after each session, and the Overall Conference Evaluation, which will be available online from Thursday.
Visit the World of Solutions and Meet the Engineer
Visit the Cisco Store to purchase your recommended readings
Please switch off your mobile phones
After the event don’t forget to visit Cisco Live Virtual: www.ciscolivevirtual.com
DDoS attack? It’ll Never Happen to Me
Ostrich Mentality: 'When an ostrich is afraid, it will bury its head in the ground, assuming that because it cannot see, it cannot be seen.'
Historically, the attitude to DDoS as a Service Availability Threat has been similar.
…but this is changing because of:
- AWARENESS: massive mainstream press around Anonymous, LulzSec, Sony, etc.
- RISK: more businesses are reliant on Internet services for their business continuity.
- MOTIVATIONS: a wider spread of attack motivations and a broader target set.
- EXPERIENCE: larger, more frequent, more complex attacks.
Looking at the Internet Threat Landscape
DDoS, when it Happens
Numerous surveys through 2010 / 2011 indicate that the likelihood of being attacked is increasing:
- Arbor 2010 Infrastructure Security Report
  Weighted average of 1.8 attacks/year for medium to large enterprises in 2010
  Average down-time of 6.7 hours.
- Verisign, DDoS Finally Getting the Attention it Deserves
  63% saw 1 or more attacks, 11% saw 6 or more.
  46% had the site down for more than 5 hours, 23% for more than 12 hours
And the costs can be significant:
- Ponemon Institute, Annual Cost of Cyber Crime Study
  56% increase in the cost of Cyber Crime from the 2010 study.
  DDoS is the most costly type of attack, with an average annualized cost of $187,506
- Verisign, DDoS Finally Getting the Attention it Deserves
  Costs are spread between: customer impact, productivity, lost revenue, brand damage, SLA violation.
The Business Impact of DDoS attacks
What is a Denial of Service attack?
- An attempt to consume finite resources, exploit weaknesses in software design or implementation, or exploit a lack of infrastructure capacity
- Affects the availability and utility of computing and network resources
- Attacks can be Distributed for even more significant effect
- The collateral damage caused by an attack can be as bad, if not worse, than the attack itself
[Diagram: a data centre behind a load balancer, showing where each attack class lands. Volumetric DDoS impact falls on the links and infrastructure in front of the site, state-exhaustion DDoS impact falls on the stateful load balancer (exhaustion of state), and application-layer DDoS impact falls on the servers inside the data centre. Attack traffic and good traffic arrive mixed together.]
(D)DoS Primer
DDoS Attack Vectors
Volumetric Attacks
- Usually botnets or traffic from spoofed IPs generating high bps / pps traffic volume
- UDP-based floods from spoofed IPs take advantage of the connectionless UDP protocol
- Take out the infrastructure capacity: routers, switches, servers, links
Reflection Attacks
- Use a legitimate resource to amplify an attack to a destination
- Send a request to an IP that will yield a big response, spoofing the source IP address to that of the actual victim
- DNS Reflective Amplification is a good example
[Diagram: DNS reflective amplification. The attacker sends a DNS request with the source address spoofed to the victim's; the DNS server responds to the request from the spoofed source, and the DNS response is many times larger than the request. Repeated many times, the responses converge on the victim.]
[Diagram: botnet formation across the Internet backbone and several broadband, corporate and provider networks (UK broadband, US broadband, US corp, JP corp, provider B). Systems become infected, the controller connects, the botnet master (BM) issues the attack command via C&C, and the bots attack.]
Bots connect to a C&C to create an overlay network (botnet)
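Reflection is visible on the victim side as large DNS answers arriving from many resolvers with no matching queries having left. The Python below is an added example, not from the deck or from Arbor: over a constructed set of unidirectional flow records (the same shape of data a NetFlow export gives you) it sums DNS queries sent and answers received per local host, then flags hosts whose answer volume is out of all proportion to the queries they sent, recording how many distinct reflectors are involved. It covers both the fully spoofed case (answers with no queries at all, reported with an unbounded ratio) and the partial case where a few real queries exist. The function and field names, the flow records and the thresholds (answers averaging 1000 bytes or more, a 10:1 byte ratio) are assumptions made for the example.

```python
from collections import defaultdict

# Constructed flow records (not from the deck): one record per unidirectional flow.
# Fields: src_ip, src_port, dst_ip, dst_port, protocol, bytes, packets
SAMPLE_FLOWS = [
    # Five open resolvers answer a query that 203.0.113.10 never sent: the
    # request carried a spoofed source, so only the large answers are seen.
    ("198.51.100.1", 53, "203.0.113.10", 33001, "udp", 3100, 1),
    ("198.51.100.2", 53, "203.0.113.10", 33001, "udp", 3050, 1),
    ("198.51.100.3", 53, "203.0.113.10", 33001, "udp", 3120, 1),
    ("198.51.100.4", 53, "203.0.113.10", 33001, "udp", 2980, 1),
    ("198.51.100.5", 53, "203.0.113.10", 33001, "udp", 3070, 1),
    # A normal client: small query out, modest answer back.
    ("203.0.113.20", 51234, "198.51.100.1", 53, "udp", 64, 1),
    ("198.51.100.1", 53, "203.0.113.20", 51234, "udp", 180, 1),
    # Unrelated TCP flow, ignored by the DNS summary.
    ("203.0.113.20", 44000, "192.0.2.8", 443, "tcp", 900, 6),
]


def summarise_dns(flows):
    """Per local host: DNS bytes/packets sent as queries and received as
    answers, plus the set of resolvers that answered it."""
    stats = defaultdict(lambda: {"query_bytes": 0, "query_packets": 0,
                                 "answer_bytes": 0, "answer_packets": 0,
                                 "answering": set()})
    for src, sport, dst, dport, proto, nbytes, npkts in flows:
        if proto != "udp":
            continue
        if dport == 53:                 # query leaving a local host
            s = stats[src]
            s["query_bytes"] += nbytes
            s["query_packets"] += npkts
        elif sport == 53:               # answer arriving at a local host
            s = stats[dst]
            s["answer_bytes"] += nbytes
            s["answer_packets"] += npkts
            s["answering"].add(src)
    return stats


def find_reflection_victims(flows, min_ratio=10.0, min_answer_size=1000):
    """Return {host: details} for hosts whose inbound DNS answer volume is out
    of proportion to the queries they sent.  A host that received answers but
    sent no queries at all gets amplification=None (unbounded)."""
    victims = {}
    for host, s in summarise_dns(flows).items():
        if s["answer_packets"] == 0:
            continue
        avg_answer = s["answer_bytes"] / s["answer_packets"]
        ratio = (s["answer_bytes"] / s["query_bytes"]) if s["query_bytes"] else None
        if avg_answer >= min_answer_size and (ratio is None or ratio >= min_ratio):
            victims[host] = {
                "reflectors": len(s["answering"]),
                "answer_bytes": s["answer_bytes"],
                "avg_answer_size": round(avg_answer, 1),
                "amplification": ratio,
            }
    return victims


if __name__ == "__main__":
    for host, info in find_reflection_victims(SAMPLE_FLOWS).items():
        print(host, info)
```

The distinct-reflector count matters for response: a single misbehaving resolver can be blocked at the edge, while answers from hundreds of open resolvers are the signature of a reflection attack that has to be handled with rate limiting or upstream scrubbing rather than per-source blocking.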
DDoS Attack Vectors
TCP state exhaustion
- Take advantage of stateful nature of TCP protocol
- SYN, FIN, RST Floods
- TCP connection attacks
- Exhaust resources in servers, load balancers or firewalls.
[Diagram: TCP handshake under a SYN flood. The client sends SYN(C); the server replies SYN(S), ACK(C), stays listening and stores data (connection state, etc.). Repeated many times, the system runs out of TCP listener sockets or out of memory for the stored state.]
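The state-exhaustion mechanism in the diagram above can be modelled directly. The Python below is an added example, not from the deck or from Arbor: it simulates a listener with a fixed half-open backlog (one stored entry per SYN, as in the diagram) and the same listener in stateless SYN-cookie mode, where the server's initial sequence number is derived from a keyed hash over the peer's address, port and sequence number and nothing is stored until the final ACK proves the client is real. The class and function names, the backlog size of 128 and the demo secret are assumptions; real SYN cookies also pack the MSS and a coarse timestamp into the ISN, which this model leaves out.

```python
import hashlib
import hmac
import os


class Listener:
    """Toy model of a TCP listener.  In the default mode every SYN costs a
    half-open backlog entry (the 'stored state' of the diagram); in
    syn_cookies mode the server keeps nothing and instead encodes a keyed hash
    of the connection into its initial sequence number."""

    def __init__(self, backlog=128, syn_cookies=False, secret=None):
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.secret = secret or os.urandom(16)
        self.half_open = {}      # (client_ip, client_port) -> (client_isn, server_isn)
        self.dropped_syns = 0
        self.established = 0

    def _cookie(self, ip, port, client_isn):
        # Simplified SYN cookie: 32 bits of HMAC over the peer identity and its ISN.
        msg = f"{ip}:{port}:{client_isn}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, ip, port, client_isn):
        """Handle SYN(C).  Returns the server ISN carried in SYN(S),ACK(C),
        or None if the SYN had to be dropped."""
        if self.syn_cookies:
            return self._cookie(ip, port, client_isn)        # nothing stored
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1                          # backlog full: SYN lost
            return None
        server_isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[(ip, port)] = (client_isn, server_isn)
        return server_isn

    def on_ack(self, ip, port, client_isn, ack_num):
        """Handle the final ACK.  Valid only if it acknowledges server_isn + 1,
        which in cookie mode means recomputing the cookie, not looking it up."""
        if self.syn_cookies:
            expected = (self._cookie(ip, port, client_isn) + 1) & 0xFFFFFFFF
            ok = ack_num == expected
        else:
            entry = self.half_open.pop((ip, port), None)
            ok = (entry is not None and entry[0] == client_isn
                  and ack_num == (entry[1] + 1) & 0xFFFFFFFF)
        if ok:
            self.established += 1
        return ok


def simulate(syn_cookies, flood_size=1000, backlog=128):
    """Deliver flood_size SYNs from constructed spoofed sources that never answer,
    then try one real client.  Returns the listener's state afterwards."""
    listener = Listener(backlog=backlog, syn_cookies=syn_cookies,
                        secret=b"constructed-demo-secret")
    for i in range(flood_size):                        # constructed spoofed SYNs
        listener.on_syn(f"198.51.100.{i % 250 + 1}", 1024 + i, i)
    isn = listener.on_syn("203.0.113.20", 40000, 777)  # legitimate client
    accepted = isn is not None and listener.on_ack(
        "203.0.113.20", 40000, 777, (isn + 1) & 0xFFFFFFFF)
    return {
        "half_open_entries": len(listener.half_open),
        "dropped_syns": listener.dropped_syns,
        "legit_accepted": accepted,
    }


if __name__ == "__main__":
    print("backlog only:", simulate(syn_cookies=False))
    print("SYN cookies :", simulate(syn_cookies=True))
```

With the plain backlog the flood fills all 128 entries and the real client's SYN is dropped along with the rest; with cookies the listener holds no half-open state, so the flood costs it nothing and the real client completes. This is the same "minimal state, so the device does not become a target" property that the IDMS section later asks of mitigation equipment.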
Application layer attacks
- Exploit limitations, scale and functionality of specific applications
- Can be low-and-slow
- HTTP GET / POST, SIP INVITE floods
- Can be more sophisticated: ApacheKiller, Slowloris, SlowPOST, RUDY, refref, hash collision, etc.
- Multiple malware families are capable of them
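Low-and-slow tools such as Slowloris and RUDY send almost no traffic, so bandwidth-based detection never fires; what they consume is connection slots. The Python below is an added example, not from the deck or from Arbor, of the kind of heuristic a mitigation device applies against them: over a constructed server connection table it counts, per source, the connections whose request header is still incomplete after a timeout, and reports the share of all slots tied up that way. The names, the 30-second staleness threshold and the per-source cap of 10 are assumptions; real thresholds should be tuned to the application's own header timeout and per-client connection limit.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    src_ip: str
    opened_at: float      # seconds since an arbitrary epoch
    header_bytes: int     # request-header bytes received so far
    complete: bool        # True once the blank line ending the header arrived


def build_sample(now):
    """Constructed connection table (not real data): one slow source holding
    many half-sent requests, two ordinary browsers, one slow but harmless client."""
    conns = []
    for i in range(40):   # low-and-slow: 40 sockets, a few header bytes each, kept open
        conns.append(Conn("198.51.100.9", now - 120 - i, 60 + i, False))
    for ip in ("203.0.113.5", "203.0.113.6"):
        for i in range(6):  # browsers: whole headers arrive within a fraction of a second
            conns.append(Conn(ip, now - 0.3 * i, 420, True))
    conns.append(Conn("203.0.113.7", now - 45, 90, False))   # flaky link, 2 stale sockets
    conns.append(Conn("203.0.113.7", now - 50, 90, False))
    return conns


def stale_connections(conns, now, stale_after=30.0):
    """Connections whose request header is still incomplete after stale_after seconds."""
    return [c for c in conns if not c.complete and now - c.opened_at >= stale_after]


def find_slow_header_sources(conns, now, stale_after=30.0, max_stale_per_source=10):
    """Sources holding at least max_stale_per_source stale connections.
    Returns {src_ip: stale_count}; a per-source cap keeps a single slow
    client from being mistaken for an attack."""
    per_source = defaultdict(int)
    for c in stale_connections(conns, now, stale_after):
        per_source[c.src_ip] += 1
    return {ip: n for ip, n in per_source.items() if n >= max_stale_per_source}


def stale_share(conns, now, stale_after=30.0):
    """Fraction of the server's connection slots tied up by stale requests:
    this, not the tiny bandwidth involved, is what exhausts a worker pool."""
    if not conns:
        return 0.0
    return len(stale_connections(conns, now, stale_after)) / len(conns)


if __name__ == "__main__":
    now = 1000.0
    table = build_sample(now)
    print("slow sources:", find_slow_header_sources(table, now))
    print("share of slots stuck: %.2f" % stale_share(table, now))
```

The two signals are used together: a high stale share says the server is under slot pressure, and the per-source breakdown says whether the pressure comes from a few addresses that can be rate-limited or from a widely distributed set that needs a lower header timeout and a connection cap instead.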
So, how is DDoS Evolving?
In order to understand the DDoS threat (and how to protect ourselves) we need to know what is going on out there.
Two data sources being presented here:
- Preview of Arbor World-Wide Infrastructure Security Survey, 2011.
- Arbor ATLAS Internet Trends data.
Arbor World-Wide Infrastructure Security Survey, 2011
- 7th annual survey
- Concerns, observations and experiences of the OpSec community
- 114 respondents, a broad spread of network operators from around the world
Arbor ATLAS Internet Trends
- 180+ Arbor customers
- Hourly export of anonymised DDoS and traffic statistics
Looking at the Internet Threat Landscape
Aggregate attack sizes have leveled off but remain at levels capable of overwhelming most Internet operators
13% of respondents report attacks above 10 Gbps
40% of respondents report attacks above 1 Gbps
Largest pps attack reported is 35 Mpps, keeping pace with 2010
Large Attacks are Now Commonplace
Key Findings in the 2011 Survey
[Chart: Largest Attack in Gbps, by year]
Year: 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011
Gbps: 0.14 1.2 2.5 10 17 24 40 49 100 60
[Pie chart: Highest bps DDoS in 2011. Categories: < 1 Gbps, 1 - 10 Gbps (27%), > 10 Gbps (13%), Don't Know; the remaining two slices are 43% and 17%.]
A higher percentage of attacks reported on HTTP (87% vs 84%) and IRC (11% vs 0%) relative to 2010
A lower percentage of attacks on DNS (67% vs 76%), SMTP (25% vs 40%), HTTPS (24% vs 35%) and VoIP (19% vs 38%)
SSL-based attacks reported included TCP and UDP floods against port 443, and Slowloris
Application Layer and Multi-Vector Attacks
Key Findings in the 2011 Survey
[Chart: Services Targeted by Application Layer DDoS Attacks, share of respondents]
HTTP 87%
DNS 67%
SMTP 25%
HTTPS 24%
SIP/VOIP 19%
IRC 11%
Other 7%
[Pie chart: Have You Experienced Multi-vector Application / Volumetric DDoS Attacks? Slices: Yes, No, Don't Know, at 27%, 41% and 32%.]
91% of respondents see at least 1 DDoS attack per month, up from 76% in 2010
44% of respondents see 10 or more attacks per month, up from 35% in 2010
Key Findings in the 2011 Survey
Reported Attack Frequencies Increasing
[Chart: Number of DDoS Attacks per Month, share of respondents]
0: 9%
1 - 10: 47%
10 - 20: 15%
20 - 50: 7%
50 - 100: 10%
100 - 500: 11%
> 500: 1%
ATLAS Intelligence
The Growth of Volumetric Attacks
[Chart: Average Monthly Mbps of Attacks, plotted month by month over three years (January to December, three times) on a 0 to 2000 Mbps scale, peaking at 1861 Mbps]
Average monitored volumetric attack is now 1.86Gb/sec / 1.74Mpps in size
- Enough to saturate some enterprise / data-centre connectivity
Clear trend towards higher PPS attacks in 2011
- 143% growth in proportion of monitored attacks over 10Mpps
- 37% drop in proportion of monitored attacks over 10Gbps compared to 2010
- …but 2010 saw a 470% rise over 2009.
Largest monitored attacks continue to grow in size.
ATLAS Intelligence
The Growth of Volumetric Attacks
[Pie charts: World 2010 and World 2011 Size Break-Out by PPS, with bins <1 Mpps, 1-2 Mpps, 2-5 Mpps, 5-10 Mpps, 10-20 Mpps and >20 Mpps]
ATLAS Intelligence
The Growth of Volumetric Attacks
[Chart: Peak Monthly Gbps of Attacks, plotted month by month over three years (January to December, three times) on a 0 to 120 Gbps scale, peaking at 75.97 Gbps]
DDoS, a Growing Problem
Most current DDoS attacks are designed to thwart general defenses
- Use large, distributed botnets
- Employ low-and-slow application layer attacks
- Combine the above for obfuscation
Existing security devices / routers / switches can help with small, simple attacks (ACLs, DRTBH / SRTBH, FlowSpec)
- Won’t stop application layer attacks
- Won’t stop widely distributed attacks (1000s of hosts)
- Can be targeted by state-exhaustion attacks, in some cases.
- Require expert users for configuration.
So, how can we protect ourselves?
The Solution : IDMS
Intelligent DDoS Mitigation Systems (IDMS) are specifically designed to detect and mitigate DDoS attacks using more advanced techniques.
IDMS equipment uses a combination of Deep Packet Inspection (DPI), proxy inspection and heuristic-based techniques to separate malicious traffic from good traffic.
- Counter-measures to deal with the specific DDoS threats.
- Minimal state, so the device does not become a target.
- Actionable intelligence / automation.
Arbor Networks is the market-leading supplier of IDMS solutions to the majority of ISPs, and has over 11 years of experience in this area.
- ATLAS / ASERT intelligence on the Internet Threat Landscape
Intelligent DDoS Mitigation Systems
[Diagram: Arbor's layered deployment. A Cloud Scrubbing Center running Peakflow SP / TMS sits in the provider cloud in front of the customer; Pravail APS sits on the customer premise in front of the firewall, IPS and load balancer of the data centre. Cloud Signaling from the premise to the cloud: "I need help!"]
In-Cloud DDoS Protection: block attacks before they reach the customer infrastructure.
CPE-Based DDoS Protection: stop application DDoS attacks on the customer premise.
Arbor's Intelligent, Layered DDoS Protection Solution
CPE Solution - Arbor Pravail APS
'Out-of-the-Box' Protection: immediate protection from all types of DDoS threat; minimal configuration, utilises Arbor ASERT expertise.
Advanced DDoS Blocking: packet-based detection & mitigation for slow-and-low application-layer DDoS.
ATLAS Intelligence Feed: leverage ATLAS intelligence to block current DDoS malware / tool attack vectors.
Diverse Deployment Models: fits many IDC and enterprise on-premise deployment scenarios; little maintenance or expertise required by users.
[Diagram: Arbor Pravail APS (Pravail APS 2100-Series Appliance) deployed in front of the firewall and load balancer pairs of a data centre network, protecting public web servers, corporate servers, DNS servers and VoIP gateways]
Pervasive and cost-effective visibility and security
Pervasive Network Visibility & Deep Insight into Services
- Leverages Cisco NetFlow technology for broad traffic visibility across service provider networks.
Comprehensive Threat Management
- Granular threat detection, surgical mitigation and reporting of DDoS attacks that threaten business services.
In-Cloud Services Enabler
- A platform which offers the ability to deliver new, profitable, revenue-generating services, i.e. DDoS protection
Cloud Solution – Arbor Peakflow SP & TMS
Pervasive and cost-effective visibility and security
[Diagram: Peakflow SP / TMS in the provider cloud and Pravail APS on the premise in front of the data centre's firewall, IPS and load balancer. Cloud Signaling from the premise to the cloud: "Help stop the volumetric attack!"]
Cloud Signaling: The Bridge Between Cloud-based and CPE-based DDoS Protection
Integrated protection for government, business, financial and gaming services
Summary
More and more businesses are reliant on Internet Services.
More complex attacks, targeting a broader spread of customers more frequently, with wider spread of motivations.
Business costs of attack can be very significant – just look at the press…
IDMS can provide pro-active detection / mitigation of DDoS attacks, ensuring service and business continuity.
Layered solutions are required for complete protection.
Addressing the DDoS Threat to Business
Further Information
Arbor 2010 Infrastructure Security Report, Volume VI
Arbor 2011 Infrastructure Security Report
Arbor Networks White Paper : The Cloud Signaling Coalition
Arbor Networks White Paper : Planning Security Budgets: Quantify the Financial Risk of DDoS
Arbor Networks White Paper : Layered Intelligent DDoS Mitigation Systems
Data Sheet : Arbor ATLAS Intelligence Feed
Data Sheet : Arbor Pravail APS
Data Sheet : Arbor Peakflow SP
For Your Reference
Please complete your Session Survey
Don't forget to complete your online session evaluations after each session.
Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
Surveys can be found on the Attendee Website at www.ciscolivelondon.com/onsite, which can also be accessed through the screens at the Communication Stations.
Or use the Cisco Live Mobile App to complete the surveys from your phone; download the app at www.ciscolivelondon.com/connect/mobile/app.html
We value your feedback
http://m.cisco.com/mat/cleu12/
1. Scan the QR code (go to http://tinyurl.com/qrmelist for QR code reader software, or type in the access URL above)
2. Download the app or access the mobile site
3. Log in to complete and submit the evaluations