Post on 25-May-2020

Debunking Myths About DDoS Attacks: Radware 2011 Global Security Report

Mick Stephens, General Manager - Australia & New Zealand, Radware Ltd.

March 2012

AGENDA

• About 2011 Global Security Report
• Key Findings:
  – Debunking a Myth: Does Size Matter?
  – Hacktivism, the Rise of Anonymous and Attack Campaigns.
  – ERT Case Studies: Cyber Attacks against Israeli websites
• 2012 Recommendations

2011 Global Application & Network Security Report

Information Resources

• Radware Security Survey
  – External survey
  – 135 participant organisations
  – 80% are not using a Radware DoS mitigation solution
• ERT Survey
  – Internal survey
  – Unique visibility into attack behaviour
  – 40 selected cases
  – Customer identity remains undisclosed

[Chart: annual revenue of participants]

The ERT sees attacks in real time on a daily basis.

Debunking a Myth: Is Size all that Matters?

• DDoS attacks are portrayed in the media using size measures
  – “a 10Gbps DDoS attack hit site X”
  – “an 8 Million packet-per-second DDoS flooded site Y”
• Numbers are easy to understand
• Should one rely on these numbers when planning network security solutions?

Size does not matter!

• Reality:
  – Most organizations may never experience an intense attack
  – Less intensive application attacks can cause more damage than network attacks

[Chart: 76% of the attacks surveyed were under 1 Gbps]

[Chart: the impact of application flood attacks is much more severe than that of network flood attacks]

Network Attacks and Application Attacks Coexist

• Radware Security Survey: attack count by type and bandwidth [chart]

Lessons learned

• Understand the DoS attack landscape.
  – Type of attacks
  – Megabits-per-second
  – New & concurrent connections-per-second
  – Transactions-per-second
  – Size is only one measurement dimension

Hacktivism and the Rise of Anonymous

• Anonymous opens fire: “Operation Payback”, Dec 2010 (Cablegate)
• LOIC DoS tool [screenshot]

Anonymous Attacks Grow [chart]

More Organizations Are Threatened by DoS [chart]

DDoS Attack Tools Become Prevalent

Tools:
  Public attacks: Mobile LOIC, LOIC, webLOIC
  ‘Inner circle’ attacks: #refref, xerex

Attack vectors (by category, as laid out on the slide):
  Flood, network: UDP floods, SYN floods, fragmented floods, FIN+ACK
  Flood, application: dynamic HTTP, HTTPS floods
  Low & slow: RUDY, Slowloris, Pyloris
  Vulnerability based: intrusion attempts, SQL injection

Which Elements Are Bottlenecks For DDoS?

• Stateful devices are vulnerable to DDoS (36% of the attacks)
• Internet link is saturated (27% of the attacks)
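
The measurement dimensions listed under “Lessons learned” above (megabits per second, new and concurrent connections per second, transactions per second) and the two bottlenecks on this slide (state tables and link capacity) can be put together in a short scoring model. The following is an added example written for this page; it is not code from Radware or from the 2011 report. The connection records, the three attack windows and the capacity figures are all constructed assumptions, and the example goes beyond the slides by showing three different attack shapes against the same assumed site.

```python
"""Added example (not from Radware or the 2011 report): score one traffic window
along the dimensions the report lists instead of by bandwidth alone, and report
which assumed capacity an attack exhausts first.

All connection records and capacities below are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

DIMENSIONS = ("mbps", "pps", "new_cps", "concurrent", "tps")

# Assumed capacities for a hypothetical site: a 1 Gbps Internet link, a
# firewall forwarding 1.5 Mpps with a 4,000-entry connection table, and a web
# tier accepting 20,000 new connections/s and serving 5,000 transactions/s.
CAPACITY = {
    "mbps": 1_000.0,
    "pps": 1_500_000.0,
    "new_cps": 20_000.0,
    "concurrent": 4_000.0,
    "tps": 5_000.0,
}


@dataclass(frozen=True)
class Conn:
    """One connection as a flow or connection log would record it (constructed)."""
    start: int      # second within the window of the first packet
    end: int        # second of the last packet, inclusive
    bytes: int      # bytes in both directions over the connection's lifetime
    packets: int    # packets in both directions
    requests: int   # completed HTTP transactions (0 for UDP or half-open TCP)


def per_second_metrics(conns: Iterable[Conn], window: int) -> Dict[str, List[float]]:
    """Spread each connection's bytes, packets and requests evenly over the
    seconds it was alive and total every dimension per second."""
    m = {d: [0.0] * window for d in DIMENSIONS}
    for c in conns:
        if not 0 <= c.start <= c.end < window:
            raise ValueError(f"connection outside the window: {c}")
        life = c.end - c.start + 1
        m["new_cps"][c.start] += 1
        for s in range(c.start, c.end + 1):
            m["concurrent"][s] += 1
            m["mbps"][s] += c.bytes * 8 / life / 1e6
            m["pps"][s] += c.packets / life
            m["tps"][s] += c.requests / life
    return m


def peaks(conns: Iterable[Conn], window: int) -> Dict[str, float]:
    """Worst second in the window for each dimension."""
    return {d: max(v) for d, v in per_second_metrics(conns, window).items()}


def bottlenecks(conns: Iterable[Conn], window: int,
                capacity: Dict[str, float] = CAPACITY) -> List[str]:
    """Dimensions whose peak exceeds capacity: where the attack bites first."""
    p = peaks(conns, window)
    return [d for d in DIMENSIONS if p[d] > capacity[d]]


# Three constructed 60-second attack windows.
WINDOW = 60


def udp_flood() -> List[Conn]:
    """100 sources each pushing 9 Mbps / 1,000 pps for the whole window:
    a headline-grabbing 900 Mbps, 100 kpps flood."""
    return [Conn(s, s, 1_125_000, 1_000, 0)
            for s in range(WINDOW) for _ in range(100)]


def slow_connections() -> List[Conn]:
    """5,000 connections opened over the first 10 seconds, each held to the
    end of the window with a trickle of partial headers and never completing
    a request: the low-and-slow pattern (Slowloris, RUDY)."""
    return [Conn(i % 10, WINDOW - 1, 2_400, 30, 0) for i in range(5_000)]


def http_flood() -> List[Conn]:
    """2,000 short connections per second, each completing 5 dynamic requests."""
    return [Conn(s, s, 20_000, 40, 5)
            for s in range(WINDOW) for _ in range(2_000)]


if __name__ == "__main__":
    for name, traffic in (("udp_flood", udp_flood()),
                          ("slow_connections", slow_connections()),
                          ("http_flood", http_flood())):
        p = peaks(traffic, WINDOW)
        print(f"{name:16s} peak {p['mbps']:6.1f} Mbps, {p['concurrent']:5.0f} "
              f"concurrent, {p['tps']:6.0f} tps -> bottlenecks: "
              f"{bottlenecks(traffic, WINDOW) or 'none'}")
```

Run as is, the 900 Mbps flood exhausts nothing on the assumed site, the roughly 2 Mbps slow-connection window overruns the 4,000-entry state table, and the 320 Mbps HTTP flood overruns the transaction budget of the web tier; the bandwidth figure alone would have ranked them the other way round. Replace the constructed records with your own connection logs and the `CAPACITY` values with the measured limits of your link, firewall and servers to see which element would fail first.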

Multi-Vulnerability Attack Campaigns

[Diagram: several attack vectors aimed at one business at the same time]
• Large volume network flood attacks
• Directed application DoS attack: Slowloris
• Large volume SYN flood
• Connection DoS attacks
• HTTP & HTTPS flood attacks

70% of the 2011 attacks had 5 or more attack vectors

Lessons learned

1. You may be a target.
   – Financial service providers
   – eCommerce sites
   – Government agencies
   – Organisations affiliated with the copyright industry
   – National brands
2. Get ready!
   – Be prepared for Multi-Vulnerability Attack Campaigns.
   – Test your security solutions against the tools.
3. Deploy DDoS protection from your service provider
   – Mitigate volumetric attacks that may saturate your bandwidth
4. Deploy anti-DoS and network behavioral technologies on site, in front of the firewall
   – To protect your IT infrastructure from becoming a bottleneck

Cyber Attacks against Israeli websites

Course of events

• January 3rd: Saudi hacker 0xOmar leaks tens of thousands of Israeli credit card numbers and other sensitive personal information.
• January 16th, early morning: 0xOmar and the associated “Nightmare” hacker group send an email to the Jerusalem Post, threatening to attack the EL-AL website.
• January 16th, 9:30 AM: EL-AL, Tel-Aviv Stock Exchange, First International Bank of Israel and Discount Bank websites are attacked and are unavailable for hours.
• January 17th: Israeli hacker group “IDF-Team” retaliates by attacking the Saudi and UAE stock exchange websites.
• January 18th: More Israeli websites targeted: the Bank of Israel website comes under attack.

Cyber Attacks against Israeli websites

Targets under attack

• In the following weeks, dozens of Israeli web sites were attacked by these hacker groups
• A cyber war emerged…

Cyber Attacks against Israeli websites

Verified attackers [map of attack sources]

• Attacks were highly distributed
• Generated by an international collective or a botnet
• Geo-IP blocking is rendered useless

End-to-end solution countering the DDoS threat

[Diagram: Attack Mitigation System in the ISP core network, delivered as an in-the-cloud Anti-DoS service; the Internet; Attack Mitigation System at the customer site combining Anti-DoS, NBA, IPS and SSL attack protection]

On-premises protection against:
• Application DDoS attacks
• SSL based attacks
• Low & Slow attacks

In-the-cloud protection against:
• Volumetric bandwidth attacks

2012 Recommendations

ERT recommendations to fight DoS/DDoS attacks:

• Understand the DoS threat landscape.
  – Collect information about the tools and types of attacks.
  – Perform risk analysis at the business level.
• Make sure your service provider can mitigate volumetric attacks.
• Deploy Anti-DoS and Network Behavioral technologies on-premises.

Thank You www.radware.com