Post on 17-Jul-2015
©2014 AKAMAI | FASTER FORWARD™
Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks.
Types of Attacks
Application (Layers 6-7): Zero Day, SlowLoris, Buffer Overflows, SQL Injections, Cookie Poisoning; measured by number of requests (Rps)
Protocol (Layers 4-5): SYN Floods, Fragmented Packet, SMURF and Ping of Death; measured by number of packets (Xpps)
Volumetric (Layer 3): ICMP echo, IP Spoofing, UDP Reflection attacks; measured by size of packets (Xbps)
OSI Model: 7 Application and 6 Presentation (layers 6-7); 5 Session and 4 Transport (layers 4-5); 3 Network (layer 3); 2 Data Link; 1 Physical
Layer 3 DDoS / Volumetric Attack
DDoS: too much traffic (diagram: bandwidth, load balancer, router, HTTP / OS / Windows / DNS services behind them; symptom: 404/408 errors)
ICMP echo, IP Spoofing, UDP Reflection attacks
Attacks measured in Xbps
Layer 4 DDoS / Protocol Attack
DDoS: overload of protocol requests (diagram: bandwidth, load balancer, router, firewall, HTTP / OS / Windows / DNS services behind them; symptom: 404 error)
SYN Floods, Fragmented Packet, SMURF and Ping of Death
Attacks measured in Xpps
Layer 7 DDoS / Application Attacks
DDoS: low and slow, exploiting application and OS vulnerabilities (diagram: bandwidth, router, firewall, IDS with no access, HTTP / OS / Windows / DNS / SMTP / VoIP services behind them)
Zero Day, SlowLoris, Buffer Overflows, SQL Injections, Cookie Poisoning
Attacks measured in Rps
NTP Amplification (volumetric attack): how it works
1. The attacker sends out a UDP packet with spoofed source 10.12.13.4 (the target) carrying an NTP monlist request to abusable NTP servers.
2. NTP monlist reply: up to 500 packets from the abused servers to the target 10.12.13.4.
Why DDoS Attacks Are Hard to Stop
DDoS = Resource Exhaustion
Attacker techniques:
• Legitimate requests
• Low and slow
• Encrypted traffic
• Random request parameters
• High rate of repetitive requests
What these techniques aim to achieve:
• To seem like regular visitors
• To exhaust load balancer and application server resources
• To bypass load balancers and CDN caches
• To bypass IDS/IPS and overload load balancers
• To bypass threshold-based mitigation
Grow revenue opportunities with fast, personalized web experiences and manage complexity from peak demand, mobile devices and data collection.
See the black sheep?
Question: What type of attacks do we visualize here?
[Chart: DDoS attack vectors as a share of attacks, Q4 2013 vs. Q3 2014 vs. Q4 2014 (x-axis 0% to 25%). Vectors: ACK, CHARGEN, FIN Floods, FIN PUSH, DNS, ICMP, RESET, RIP, RAINBOW, RP, SNMP, SSDP, SYN, SYN PUSH, TCP Fragment, UDP Floods, UDP Fragment, IGMP Fragment, NTP, HTTP GET, HEAD, HTTP POST, PUSH, SSL GET, SSL POST. Individual data labels range from 0.07% to 23.09%.]
Average attack bandwidth (Gigabits per second)
[Chart: Q4 2013, Q3 2014, Q4 2014 (y-axis 0 to 16 Gbps); values shown: 4.21, 13.93, 6.41]
Average attack volume (Million packets per second)
[Chart: Q4 2013, Q3 2014, Q4 2014 (y-axis 0 to 16 Mpps); values shown: 10.09, 13.29, 2.31]
NTP servers on the Internet
See here the publicly reachable NTP servers, and here the vulnerable NTP servers, the ones that respond to the monlist command: approximately 100K!!
https://ntpmonitorscan.shadowserver.org/stats/ http://openntpproject.org/ntp-stats1.cgi
Multi-vector attacks
[Chart: Q4 2013, Q3 2014, Q4 2014 (y-axis 0 to 60); values shown: 46.24, 53.26, 44.14]
Attacks over 100 Gbps
[Chart: attacks over 100 Gbps by industry: Media, SaaS Enablement, Gambling/Gaming (y-axis 0 to 180)]
Know the Enemy – Motivation can come from anywhere?
DDoS: How bad is it today? A recent example
DDoS: Is there a threat?
Launched at Christmas 2014 and running until January (when it was hacked), 13,000 users signed up for the LizardStresser service:
• about 250 actually did anything with it
• more than half of the users launched fewer than 20 short attacks (attacks could be purchased from 100 seconds up to several days)
• pricing from $6 up to $500
• only 30 users launched more than 100 attacks
• 16,000 attacks launched in total!
* Information from: http://arstechnica.com/security/2015/01/a-hacked-ddos-on-demand-site-offers-a-look-into-mind-of-booter-users/
DDoS: Tools / What is happening now?
Akamai changes in DDoS attacks per week, Q4 2014 vs. Q4 2013
[Chart: weeks of 1-Oct through 31-Dec (y-axis 0% to 1200%); data labels shown: 53%, 109%, 83%, 39%, 100%, 164%, 51%, 61%, 144%, 48%, 69%, 53%, 335%, 1100%]
DDoS: Security is like Dental Floss?
• Small discipline • Have the commitment to make it work
It is not about the chance that you get attacked, but about the impact when it happens!
Questionnaire: "How vulnerable are you?"
How vulnerable are you, and who could launch an attack on the media?
Akamai Edge Network
High performance: Protect websites from DDoS and Web attacks while improving performance
Massive scale: More than 157,000 servers deployed in over 1200 networks and 92 countries
Distributed resources: Users and attackers connect to websites through the closest edge server
Built-in resiliency: Built on the assumption that individual components will fail
Akamai Web Security Solutions Portfolio
[Chart: Number of applications (x-axis) vs. Level of Protection (complexity) (y-axis)]
Data Center Protection Services (plx – Prolexic)
Web Site Protection Services (KSD – Kona)
Protecting Multiple Perimeters in the Cloud
7 Layers of Web Application Firewall Defense
1. Scale: 150,000 servers inline and always on
2. Reverse Proxy: Automatically drops traffic not on port 80 or port 443
3. Geo-based blocking: Refuse requests from a customer-selected list of countries
4. Validate against known list of attackers: Positive or negative security model (black or white lists)
5. Rate Controls: Block requests that are too fast or too slow (anomaly scoring)
6. Kona Rule Set: WAF rules continuously refined based on visibility into web
7. Caching: Dynamic and static caching to serve requests
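As an added illustration (not Akamai's or Kona's own code) of the anomaly scoring behind layer 5, Rate Controls, applied to the low-and-slow, random-parameter and high-rate behaviours listed under "Why DDoS Attacks Are Hard to Stop": a per-client scorer over a constructed access log. The log format, the client addresses and the thresholds are assumptions.

```python
"""Added example (not Akamai or Kona code): per-client anomaly scoring over a
constructed access log for three behaviours the deck lists: a high rate of
repetitive requests, low-and-slow requests, and randomised query parameters.
Thresholds are assumed values chosen for the sample, not product settings."""
from collections import defaultdict
from urllib.parse import urlsplit
MAX_RPS = 5.0                 # assumed: above this a client is "too fast"
MAX_AVG_DURATION = 20.0       # assumed: seconds held per request; above is "too slow"
MAX_UNIQUE_QUERY_RATIO = 0.8  # assumed: nearly every request carries a new query string

def constructed_log():
    """Constructed sample lines: 'client timestamp_s method path duration_s'."""
    lines = []
    # legitimate browsing: a few quick requests, repeated pages
    for i, path in enumerate(["/", "/news?id=1", "/css/site.css", "/news?id=1"]):
        lines.append(f"198.51.100.5 {100 + 8 * i:.1f} GET {path} 0.08")
    # high rate of repetitive requests: 12 identical GETs inside one second
    for i in range(12):
        lines.append(f"203.0.113.7 {200 + 0.08 * i:.2f} GET /search 0.05")
    # low and slow: few requests, each holding the connection open for about a minute
    for i, secs in enumerate((60, 65, 70)):
        lines.append(f"203.0.113.9 {300 + 50 * i:.1f} POST /upload {secs}")
    # random request parameters: every request carries a fresh, cache-busting query
    for i in range(6):
        lines.append(f"203.0.113.11 {400 + 2 * i:.1f} GET /api/items?r={i}{i}3 0.10")
    return "\n".join(lines)

def score_clients(log_text):
    # returns {client: {"rps", "avg_duration", "unique_query_ratio", "flags"}}
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        client, ts, _method, path, dur = line.split()
        per_client[client].append((float(ts), path, float(dur)))
    scores = {}
    for client, reqs in per_client.items():
        times = [t for t, _, _ in reqs]
        window = (max(times) - min(times)) or 1.0  # single request: avoid divide by zero
        rps = len(reqs) / window
        avg_dur = sum(d for _, _, d in reqs) / len(reqs)
        uniq_ratio = len({urlsplit(p).query for _, p, _ in reqs}) / len(reqs)
        flags = []
        if rps > MAX_RPS:
            flags.append("too_fast")
        if avg_dur > MAX_AVG_DURATION:
            flags.append("too_slow")
        if len(reqs) >= 5 and uniq_ratio > MAX_UNIQUE_QUERY_RATIO:
            flags.append("cache_busting")
        scores[client] = {"rps": round(rps, 2), "avg_duration": round(avg_dur, 2),
                          "unique_query_ratio": round(uniq_ratio, 2), "flags": flags}
    return scores
```

Connections held open are caught by average request duration, fast repetitive clients by requests per second, and cache-busting clients by the fraction of distinct query strings; a real rate control would evaluate these over sliding windows rather than the whole log.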
Global DDoS Mitigation Network
DDoS: Trends / problems in a cyberattack
Scale!
Separate, unconnected tools are a problem
Human intelligence needed
DDoS: Trends in DDoS: complexity is increasing!
[Chart: the same DDoS attack vector breakdown as above, Q4 2013 vs. Q3 2014 vs. Q4 2014 (x-axis 0% to 25%), covering ACK, CHARGEN, FIN Floods, FIN PUSH, DNS, ICMP, RESET, RIP, RAINBOW, RP, SNMP, SSDP, SYN, SYN PUSH, TCP Fragment, UDP Floods, UDP Fragment, IGMP Fragment, NTP, HTTP GET, HEAD, HTTP POST, PUSH, SSL GET, SSL POST]