Defending Against DDoS Attacks
December, 2012
v1.3 13.9.11
Agenda
Introduction What is a DDoS Attack Change to Threat Landscape Impact to Conventional Thinking Defensive Approaches Q& A
v1.3 13.9.11
Introduction
v1.3 13.9.11
Introduction
Jason L. Stradley
– Currently a Principal Security Consultant with BT – US / C Security Practice Lead – Provide C-Level Advisory to Fortune 500 Clients – 25+ Year IT Veteran – Published Author – Specialties – IT Security & Risk Management, Architecture,
Governance & Compliance
– Developed and operated soup to nuts information security
programs for multiple multi-national enterprise environments
v1.3 13.9.11
What is a DDoS Attack
v1.3 13.9.11
What exactly is a DDoS attack?
– DDoS attack is an attempt to deny service to a network or
system through one of three basic techniques:
– Bandwidth exhaustion – Exhaustion of other resources, such as memory, session
count, encryption key exchange requests, and so on
– Protocol abuse/misuse
• Attempts to render a system or network (target)
unavailable to intended users for its intended use
– Coordinates the activities of multiple systems to flood a
target and effectively shut that target down
v1.3 13.9.11
Motivations • Political
– Radical / fringe groups employ DDoS attacks to make their
positions known by attacking organizations
– WikiLeaks November 2010 – US Banks October 2012
• Financial
– Criminal enterprises have been able to “shut down” commerce sites
resulting in revenue loss and client loss
– Used as “Smoke Screen” for electronic fraud and theft – Used for extortion
v1.3 13.9.11
Change to the Threat Landscape
v1.3 13.9.11
Threat Landscape Shift • Frequency and severity of attacks are increasing
– Between Jan 2010 and Dec 2011 attacks are up more than 22%
according to Trust wave
– That trend seems to be holding steady in 2012
• Four primary factors that contribute to today’s increased threat
environment:
– Organization — hierarchical cyber crime business models and the amalgamation of traditional crime with new technology – Sophistication — quantum leaps in tool development, tactics, and
methods
– Complexity — increased technical domain complexity and
interactions at multiple levels, creating layers of abstraction that in turn create a form of camouflage
– Social networking — the blending of business and Internet
services (Facebook, Twitter, Google, etc.)
v1.3 13.9.11
Threat Landscape Shift • Black Hats have adopted
current technologies such as software as a service (SaaS)
– Established “Hacker for
Hire” scenario
– Attackers don’t require
technical expertise.. Just money
– Using large numbers of
compromised computers under centralized control any one can attack any body at any time
v1.3 13.9.11
Impact to Conventional Thinking
v1.3 13.9.11
Paradigm Shift
• Initial response to an attack
of a first time victim is to increase capacity of internet pipes
– Poor approach – not
sustainable
• Typical security controls are
placed close to assets being protected
– Successfully defending
against DDoS attacks requires exerting control as far upstream as possible
v1.3 13.9.11
Defensive Approaches
v1.3 13.9.11
Defensive Strategies
Conceptual methods to approaching DDoS Defense
– Distribute the target
– Broaden the target surface – Avoid the onslaught of bandwidth – turn a laser into a lamp – Works well for simple web applications or web front ends from a mufti-tiered
architecture . Does not work well with complex applications
– Distribute the load
– Creation of multiple ingress points combined with large aggregated bandwidth – Success is dependent on the level and granularity of control at the ingress points – Examples caching services, overlay networks and co-location scenarios
– Filter the load
– Based on filtering the unwanted elements from a given traffic stream – Most dominant solution – prevalent in almost all successful DDoS defense
strategies
– Success directly related to proximity to the attack source – further upstream the
better
v1.3 13.9.11
Solution Considerations
Assumed desired characteristics
Scalability
Flexibility
Globalization
Elasticity
v1.3 13.9.11
Solution Scenario – Provider Co-Location Scenario
Internet
(Primary) Service Provider
Greater control over more expensive WAN Links utilizing lower cost Co-Located LAN. Service provider specific with limited scalability.
Co/Lo
Co/Lo
Limited geo-location flexibility
DC 1
DC 2
v1.3 13.9.11
Solution Scenario – MPLS / Global Internet Overlay
Internet
POP (Asia) POP (Asia) POP (Asia) POP (Asia) POP (Asia) POP (Asia)
Highly distributed points of presence permitting localized access to internet based systems, spreading load and access geographically
Global MPLS
Application specific QOS and traffic shaping across segmented VPN connections permitting increased granularity of control and extension of the environment
DC
DC
DC
DC
Provides for scalability of internet capabilities geographically, but requires one or more specific provider relationships
v1.3 13.9.11
Solution Scenario – Cloud Network DDoS Service
v1.3 13.9.11
Solution Scenario – Cloud Application
v1.3 13.9.11
Solution Scenarios
Common Threads
Development of aggregation and control points to support appropriate upstream filtering A “Harmonized” application of security best practices to the DDoS defenses – optimizes layered controls throughout Apply the appropriate defensive measures based on the “Value” of organizations internet presence A DDoS response capability consisting of specific processes and procedures A point of coordination for the deployment and operation of defensive measures The need to conduct response, recovery and restoration exercises and appropriate post mortem analysis of exercise results incorporate lessons learned back into process
Sounds a lot like DR!
v1.3 13.9.11
Conclusions
v1.3 13.9.11
Conclusions
Educate the organization on the shift in the nature of this threat and the inevitability of an attack Ensure that the organization understands and can articulate the role and value of its internet presence Harmonize the deployment of layered defensive capabilities
– DDoS response coordinator?
Develop a response process and exercise program – Very similar to DR approach
– Borrow from existing DR / IR programs
Develop technical defensive capabilities that utilizes upstream filtering as a primary component
v1.3 13.9.11
Q&A
v1.3 13.9.11
Thank You
[email protected]
v1.3 13.9.11