ISSA Nashville Chapter, May 17 th 2013 Alexander Karstens Senior Systems Engineer IXIA Communications Preparing your organization for DDoS


Page 1

ISSA Nashville Chapter, May 17th 2013

Alexander Karstens, Senior Systems Engineer

IXIA Communications

Preparing your organization for DDoS

Page 2

Agenda

• DDoS Trends
• DDoS Attacks
• DDoS Mitigation
• Useful tools
• Q&A

Page 3

DDoS Trends

Page 4

DDoS Trends

• Motivation Behind DDoS/DoS Attacks
– Political/Hacktivism
– Ransoms
– Retaliation
– Competition
– Unknown

Page 5

DDoS Trends

Diagram: attack types mapped onto four layers (Network, Server, Application, Business), ending in SHUTDOWN. Attack types shown:

• Large volume network flood attacks
• High & Low rate application DoS attacks
• “Low & Slow” DoS attacks
• Brute force attack
• Web application attacks (e.g. XSS, Injections, CSRF)
• SYN flood
• Port scan
• Network scan
• Intrusion
• Intrusion, Malware

Page 6

DDoS Trends

Layers: Network, Server, Application, Business

• Volumetric network level
• Application level, Encrypted
• Low & Slow
• Directed Application DoS
• Intrusions
• Web attacks (injections, XSS, …)

Page 7

DDoS Trends (future?)

• What about IPv6? You may not use it in your organization, yet most newer desktops (Windows 7 anyone?) do.
– Tunnel IPv6 over IPv4 (Utilities moving to IPv6 to address meters)… and on top of that they are wireless as well.

• It seems feasible for someone to build a botnet using mobile phones. Add 4G to the mix and you have plenty of bandwidth to ‘play’ with. QR codes anyone?

• WiFi is now carrying critical applications. There is a host of WiFi level DDoS attacks (both AP and controller).

• OpenFlow?

Page 8

DDoS Mitigation

Page 9

The Attack Cycle

Page 10

DDoS Attacks

• Volumetric attacks (pipe fillers)
– SYN Floods
– UDP Floods
– DNS Floods
– Amplification attacks (mostly DNS, but could also be VoIP)

• Application layer attacks (low and slow)
– SlowLoris
– Hash Attack
– PyLoris (HTTP, SMTP, IMAP…)
– RUDY (R-U-DEAD-YET)
– SSL (server has to work 10 times harder than the SSL client)
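The deck distinguishes high-rate application DoS from “low and slow” attacks that hold many sockets open while sending almost nothing. The following is an added example, not part of the slides: a defender-side classifier over a constructed snapshot of server connection state, with the per-source byte rate alongside it to show why a bandwidth-only scrubber does not notice a low-and-slow source. The thresholds and the sample addresses are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    src: str        # client IP
    age_s: float    # seconds the connection has been open
    bytes_in: int   # request bytes received so far
    complete: bool  # has a full HTTP request arrived yet?

# Assumed tunables; a real deployment derives them from a traffic baseline
# rather than hard-coding them.
HIGH_RATE_CONNS = 200   # connections from one source within the snapshot
SLOW_AGE_S = 30.0       # a request still incomplete after this long is stalled
SLOW_CONNS = 20         # stalled connections from one source before flagging

def classify(conns):
    """Map each source IP to 'high_rate', 'low_and_slow' or 'normal'."""
    total, stalled = Counter(), Counter()
    for c in conns:
        total[c.src] += 1
        if not c.complete and c.age_s >= SLOW_AGE_S:
            stalled[c.src] += 1
    verdict = {}
    for src, n in total.items():
        if stalled[src] >= SLOW_CONNS:
            verdict[src] = "low_and_slow"   # few bytes, many held-open sockets
        elif n >= HIGH_RATE_CONNS:
            verdict[src] = "high_rate"      # many short, complete requests
        else:
            verdict[src] = "normal"
    return verdict

def bytes_per_second(conns):
    """Inbound byte rate per source; low & slow barely registers here."""
    rate = {}
    for c in conns:
        rate[c.src] = rate.get(c.src, 0.0) + c.bytes_in / max(c.age_s, 0.001)
    return rate

def build_sample():
    """Constructed snapshot: a flooding source, a slow-header source, a browser."""
    flood = [Conn("203.0.113.9", 0.05, 300, True) for _ in range(250)]
    slow = [Conn("198.51.100.7", 45.0 + i, 40, False) for i in range(25)]
    browser = [Conn("192.0.2.5", 1.0, 800, True) for _ in range(3)]
    return flood + slow + browser

if __name__ == "__main__":
    print(classify(build_sample()))
```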

Page 11

DDoS Mitigation

Diagram: Internet -> ingress traffic with attack -> scrubbing centers (MSP, Anti-DDoS 24x7 SOC) -> ingress clean traffic -> protected customer with “CPE” mitigator. Network traffic in-/outbound. Signaling (diversion decision).

Premise Based Scrubbing
1. Better visibility and response time
2. Coverage
• Low & Slow
• Application level DoS attacks
• Encrypted attacks
• Asymmetrical traffic issues
• “Local” Mitigation
3. Signaling capabilities
• Detection
• Base lines
• RT signatures

Scrubbing center
• Bandwidth attacks
• High capacity scrubber
• Multi-home (Carrier agnostic)
• Anti-DoS SOC

“Always-On” Solution

Page 12

DDoS Mitigation

• Who can solve the problem
– Firewalls
– IPS
– WAF
– ADC
– Web Proxies

• A single technology does not solve the problem

• Architecture, Architecture

• Elements and Architecture need to be sized and verified

Page 13

DDoS Mitigation

• Architecture
– Cloud Scrubber - volumetric attacks
– CPE Scrubber - app attacks, low and slow
– Border Routers
– Tier 1 FW - presentation
– ADC - SSL termination
– WAF - application attacks, SQL Injection
– IPS - host based attacks
– Tier 2 FW - application

Diagram: a Cloud Scrubber plus redundant pairs of Border Router, SSL Terminator/CPE Scrubber, Border FW, ADC, WAF and IPS.

Page 14

Helmuth von Moltke Explains Modern DDoS

“No plan of operations extends with certainty beyond the first encounter with the enemy's main strength” or “no plan survives initial contact with the enemy”

Page 15

Useful tools

• Logstalgia (visualization tool… reads NCSA formatted server logs)
• PyLoris (multi purpose application layer attack tool… requires Python)
• SlowLoris (HTTP only)
• LOIC (sourceforge.net… Low Orbit because it sends attacks at L3/4)
• HOIC (similar to SlowLoris, but has a booster pack to ‘adapt’ to countermeasures)

Page 16

How can individual machines cause a big enough distraction with today's typical volume of network traffic?

My low-end Core i3 laptop can put out a 12K PPS DDoS.

Multiply that by even a few thousand machines…

Page 17

Thank You