Defending Against DDoS Attacks

Published on July 2016 | Categories: Types, Instruction manuals | Downloads: 48 | Comments: 0 | Views: 300
of 24
Download PDF   Embed   Report

Comments

Content

Defending Against DDoS Attacks
December, 2012

v1.3 13.9.11

Agenda

Introduction What is a DDoS Attack Change to Threat Landscape Impact to Conventional Thinking Defensive Approaches Q& A

v1.3 13.9.11

Introduction

v1.3 13.9.11

Introduction

Jason L. Stradley
– Currently a Principal Security Consultant with BT – US / C Security Practice Lead – Provide C-Level Advisory to Fortune 500 Clients – 25+ Year IT Veteran – Published Author – Specialties – IT Security & Risk Management, Architecture,
Governance & Compliance

– Developed and operated soup to nuts information security
programs for multiple multi-national enterprise environments

v1.3 13.9.11

What is a DDoS Attack

v1.3 13.9.11

What exactly is a DDoS attack?

– DDoS attack is an attempt to deny service to a network or
system through one of three basic techniques:

– Bandwidth exhaustion – Exhaustion of other resources, such as memory, session
count, encryption key exchange requests, and so on

– Protocol abuse/misuse

• Attempts to render a system or network (target)
unavailable to intended users for its intended use

– Coordinates the activities of multiple systems to flood a
target and effectively shut that target down

v1.3 13.9.11

Motivations • Political
– Radical / fringe groups employ DDoS attacks to make their
positions known by attacking organizations

– WikiLeaks November 2010 – US Banks October 2012

• Financial
– Criminal enterprises have been able to “shut down” commerce sites
resulting in revenue loss and client loss

– Used as “Smoke Screen” for electronic fraud and theft – Used for extortion

v1.3 13.9.11

Change to the Threat Landscape

v1.3 13.9.11

Threat Landscape Shift • Frequency and severity of attacks are increasing
– Between Jan 2010 and Dec 2011 attacks are up more than 22%
according to Trust wave

– That trend seems to be holding steady in 2012

• Four primary factors that contribute to today’s increased threat
environment:

– Organization — hierarchical cyber crime business models and the amalgamation of traditional crime with new technology – Sophistication — quantum leaps in tool development, tactics, and
methods

– Complexity — increased technical domain complexity and
interactions at multiple levels, creating layers of abstraction that in turn create a form of camouflage

– Social networking — the blending of business and Internet
services (Facebook, Twitter, Google, etc.)
v1.3 13.9.11

Threat Landscape Shift • Black Hats have adopted
current technologies such as software as a service (SaaS)

– Established “Hacker for
Hire” scenario

– Attackers don’t require
technical expertise.. Just money

– Using large numbers of
compromised computers under centralized control any one can attack any body at any time

v1.3 13.9.11

Impact to Conventional Thinking

v1.3 13.9.11

Paradigm Shift

• Initial response to an attack
of a first time victim is to increase capacity of internet pipes

– Poor approach – not
sustainable

• Typical security controls are
placed close to assets being protected

– Successfully defending
against DDoS attacks requires exerting control as far upstream as possible

v1.3 13.9.11

Defensive Approaches

v1.3 13.9.11

Defensive Strategies
Conceptual methods to approaching DDoS Defense
– Distribute the target
– Broaden the target surface – Avoid the onslaught of bandwidth – turn a laser into a lamp – Works well for simple web applications or web front ends from a mufti-tiered
architecture . Does not work well with complex applications

– Distribute the load
– Creation of multiple ingress points combined with large aggregated bandwidth – Success is dependent on the level and granularity of control at the ingress points – Examples caching services, overlay networks and co-location scenarios

– Filter the load
– Based on filtering the unwanted elements from a given traffic stream – Most dominant solution – prevalent in almost all successful DDoS defense
strategies

– Success directly related to proximity to the attack source – further upstream the
better

v1.3 13.9.11

Solution Considerations

Assumed desired characteristics

Scalability

Flexibility

Globalization

Elasticity

v1.3 13.9.11

Solution Scenario – Provider Co-Location Scenario

Internet

(Primary) Service Provider

Greater control over more expensive WAN Links utilizing lower cost Co-Located LAN. Service provider specific with limited scalability.

Co/Lo

Co/Lo

Limited geo-location flexibility

DC 1

DC 2

v1.3 13.9.11

Solution Scenario – MPLS / Global Internet Overlay

Internet
POP (Asia) POP (Asia) POP (Asia) POP (Asia) POP (Asia) POP (Asia)
Highly distributed points of presence permitting localized access to internet based systems, spreading load and access geographically

Global MPLS

Application specific QOS and traffic shaping across segmented VPN connections permitting increased granularity of control and extension of the environment

DC

DC

DC 

DC

Provides for scalability of internet capabilities geographically, but requires one or more specific provider relationships

v1.3 13.9.11

Solution Scenario – Cloud Network DDoS Service

v1.3 13.9.11

Solution Scenario – Cloud Application

v1.3 13.9.11

Solution Scenarios
Common Threads
Development of aggregation and control points to support appropriate upstream filtering A “Harmonized” application of security best practices to the DDoS defenses – optimizes layered controls throughout Apply the appropriate defensive measures based on the “Value” of organizations internet presence A DDoS response capability consisting of specific processes and procedures A point of coordination for the deployment and operation of defensive measures The need to conduct response, recovery and restoration exercises and appropriate post mortem analysis of exercise results  incorporate lessons learned back into process

Sounds a lot like DR!

v1.3 13.9.11

Conclusions

v1.3 13.9.11

Conclusions
Educate the organization on the shift in the nature of this threat and the inevitability of an attack Ensure that the organization understands and can articulate the role and value of its internet presence Harmonize the deployment of layered defensive capabilities

– DDoS response coordinator?
Develop a response process and exercise program – Very similar to DR approach

– Borrow from existing DR / IR programs
Develop technical defensive capabilities that utilizes upstream filtering as a primary component

v1.3 13.9.11

Q&A

v1.3 13.9.11

Thank You [email protected]

v1.3 13.9.11

Sponsor Documents

Or use your account on DocShare.tips

Hide

Forgot your password?

Or register your new account on DocShare.tips

Hide

Lost your password? Please enter your email address. You will receive a link to create a new password.

Back to log-in

Close