Post on 25-Sep-2020

Cyber attacks: strategies and techniques to understand, prevent and protect against network attacks

Analysis of DDoS attacks and countermeasures

Alessandro Tagliarino – Presales Team Leader

6 November 2017

WHO IS ARBOR NETWORKS?

• 100%: Percentage of world's Tier 1 service providers who are Arbor customers

• >110: Number of countries with Arbor products deployed

• 25%: Amount of global traffic monitored by the ATLAS security intelligence initiative right now!

• #1: Arbor market position in Carrier, Enterprise and Mobile DDoS equipment market segments

• 17: Number of years Arbor has been delivering innovative security and network visibility technologies & products

http://Digitalattackmap.com

Overview

This presentation provides a summary of the results of Arbor Networks' 12th annual Worldwide Infrastructure Security Report (WISR)

The WISR documents the collective experiences, observations and concerns of the operational security community in 2016 plus forecasts for the coming year

The WISR has changed immeasurably in terms of its scope and scale over 12 years, but the core goal is still to provide real insight into infrastructure security from an operational perspective

Survey Demographics

• SP respondents: 51% Tier 2/3 operators & 25% Tier 1

• EGE respondents: 61% enterprise, 35% education & 14% government

• Enterprise: 32% banking/finance, up from 18% last year.

• Technology, automotive/transportation and manufacturing are also well represented, rounding out the top 4

• Geographic split: 32% North America, 28% Europe, 23% APAC, 10% Middle East/Africa & 7% LATAM

Things You Should Know About DDoS Attacks

• It's never been easier to launch a DDoS attack.

• DDoS attacks are increasing in size, frequency and complexity.

• DDoS attacks are used as smokescreens or forms of diversion during advanced threat campaigns².

• One of the top 3 causes of unplanned outages, DDoS attacks are the most costly to an organization³

Did You Know? For $5/hr anyone can launch a DDoS attack and cause $100s K in damage

• … DDoS attack size increasing¹

• … increase in demand for DDoS protection services¹

• … experienced multi-vectored attacks¹

• $5 : $100s K, DDoS for hire

• 74% … involved DDoS as a diversion²

800Gbps, 42%, 78%

Scale: Volumetric Attacks Increase

• Largest attack reported was 800Gbps, with other respondents reporting attacks of 600Gbps, 550Gbps, and 500Gbps

• One third of respondents report peak attacks over 100Gbps

• 41% of EGE respondents and 61% of data-center operators reported attacks exceeding their total Internet capacity

Scale: The ATLAS Perspective

• Peak monitored attack of 579Gbps, 73% growth from 2015

• 558 attacks over 100Gbps, 87 over 200Gbps

– Compared to 223 and 16 in 2015

• 20% of attacks over 1Gbps, as opposed to 16% in 2015

• Average attack size now 931Mbps, up from 760Mbps, a 23% increase

Scale: Driving Factors, IoT

The Problem

• Almost every piece of technology we buy is 'connected'

• Devices are designed to be easy to deploy and use, often resulting in limited security capabilities

• Software is very rarely upgraded. Some manufacturers don't provide updates, or the ability to install updates

The Result

• First high-profile attack using IoT devices at Christmas 2013, using CPE and webcams

• In 2016 botnet owners started to recruit IoT devices en masse

• Attacks of 540Gbps against the Olympics, 620Gbps against Krebs, Dyn, etc.

Scale: Driving Factors, Mirai

Mirai is designed to infect and control IoT devices and contains the code necessary to manage and build large-scale botnets

• Billions of IoT devices connected to the Internet

– Estimates vary, 5B+, with millions added every day

• Arbor honeypot devices look for exploit activity on Telnet/SSH ports

• 1M login attempts from 11/29 to 12/12 from 92K unique IP addresses

• More than 1 attempt per minute in some regions

Scale: Driving Factors, Reflection Amplification

• Reflection amplification attacks continue, but there has been some cyclic change in the protocols favored by attackers.

• Strong growth in the use of DNS (again) through 2016

• Largest monitored attack of 498.3Gbps, a 97% jump from last year

– DNS and NTP attacks over 400Gbps, Chargen over 200Gbps

Complexity: Attack Types

• Volumetric attacks still represent the majority of activity for both SP and EGE respondents.

• 95% of SP report application layer attacks, 93% last year, 90% in 2014

• 67% of SP report multi-vector attacks, 56% last year, 32% in 2014

[Charts: Service Provider Attack Types; EGE Attack Types]

Complexity: Targeted Services

• DNS and HTTP the most common services targeted by application layer attacks

• Majority of SP and EGE respondents also see attacks targeting HTTPS

• 57% of EGE respondents see attacks targeting the application behind HTTPS

– Much higher than the 22% seen by SPs

– Cipher suites that prevent traffic inspection are a key problem

[Charts: EGE Service Targets; SP Service Targets]

Frequency: Up Across the Board

• 53% of SPs see more than 51 attacks per month, up from 44%

• 21% of data-centers see more than 50 attacks per month, up from 8%

• 45% of EGE see more than 10 attacks per month, up from 28%

• ATLAS is tracking 135,000 volumetric attacks per week.

[Chart: EGE]

Motivations: Many and Varied

• SPs see Online Gaming and Hacktivism as top motivations

• EGE see Ideological Hacktivism and Extortion as top

• 26% of EGE see DDoS for distraction, up from 12%

Impact: Targets

• SPs see Government, Finance and Hosting as top targets

• Share of SPs seeing attacks on cloud services drops from one third to one quarter

• 42% of EGE respondents experienced an attack

– 63% of finance, up from 45%

– 53% of government, up from 43%

Impact: Data Center

• Nearly three quarters of data center respondents saw between 1 and 20 attacks that impacted their service in 2016

• Operational expenses are top business impact

• Significant increase in revenue loss, up from 33% to 42%

• 23% estimate cost of a significant attack over $100K, 5% estimate over $1M

Mitigation: SPs Continue to Impress

• 83% of SPs use IDMS to mitigate DDoS attacks

– Use of IDMS and D/RTBH are both increasing

• 77% of SPs mitigate attack in less than 20 minutes

– 27% mitigate automatically

• 78% of SPs see more demand from customers, up 4 percent over last year

– Government, Finance, eCommerce and Hosting are driving demand

Mitigation: Data Center Improves

• 60% use IDMS

• 40% use firewalls

– down from 71%

Mitigation: EGE Improves

• Firewalls, IPS/WAF and ACLs most common

• 35% use cloud DDoS mitigation

– Up from 28%

• 30% use layered DDoS mitigation

– Up from 23%

SP Organizational Security

• Nearly half of SPs now implement anti-spoofing filters

• Rehearsing DDoS attack processes and procedures is key

• 10% increase in SPs running simulations, 37% do this quarterly

• EGE 55% now run simulations, 40% do this quarterly

• Difficulty in hiring and retaining personnel remains a key issue for both SP and EGE respondents

Q&A
