TRANSCRIPT
ISSA Nashville Chapter, May 17th 2013
Alexander Karstens, Senior Systems Engineer
IXIA Communications
Preparing your organization for DDoS
Agenda
• DDoS Trends
• DDoS Attacks
• DDoS Mitigation
• Useful tools
• Q&A
DDoS Trends
• Motivation behind DDoS/DoS attacks
– Political/Hacktivism
– Ransoms
– Retaliation
– Competition
– Unknown
DDoS Trends
[Diagram: attack types across the Network, Server, Application and Business layers, ending in SHUTDOWN]
• Large volume network flood attacks
• High & low rate application DoS attacks
• “Low & Slow” DoS attacks
• Brute force attack
• Web application attacks (e.g. XSS, injections, CSRF)
• SYN flood
• Port scan
• Network scan
• Intrusion
• Intrusion, malware
DDoS Trends
[Layers: Network, Server, Application, Business]
• Volumetric network level
• Application level, encrypted
• Low & Slow
• Directed application DoS
• Intrusions
• Web attacks (injections, XSS, …)
DDoS Trends (future?)
• What about IPv6? You may not use it in your organization yet, but most newer desktops do (Windows 7, anyone?)
– IPv6 tunneled over IPv4 (utilities are moving to IPv6 to address meters) …and on top of that they are wireless as well.
• It seems feasible for someone to build a botnet using mobile phones. Add 4G to the mix and you have plenty of bandwidth to ‘play’ with. QR codes, anyone?
• WiFi now carries critical applications. There are a host of WiFi-level DDoS attacks (against both APs and controllers)
• OpenFlow?
DDoS Mitigation
The Attack Cycle
DDoS Attacks
• Volumetric attacks (pipe fillers)
– SYN floods
– UDP floods
– DNS floods
– Amplification attacks (mostly DNS, but could also be VoIP)
• Application layer attacks (low and slow)
– SlowLoris
– Hash attack
– PyLoris (HTTP, SMTP, IMAP…)
– RUDY (R-U-DEAD-YET)
– SSL (the server has to work 10 times harder than the SSL client)
DDoS Mitigation
[Diagram: ingress traffic with attack arrives from the Internet and is diverted to scrubbing centers (anti-DDoS 24x7 SOC, MSP); clean ingress traffic reaches the protected customer, where a “CPE” mitigator handles in/outbound network traffic]
Premise Based Scrubbing
1. Better visibility and response time
2. Coverage
• Low & Slow
• Application level DoS attacks
• Encrypted attacks
• Asymmetrical traffic issues
• “Local” mitigation
3. Signaling capabilities
• Detection
• Baselines
• RT signatures
Scrubbing center
• Bandwidth attacks
• High capacity scrubber
• Multi-home (carrier agnostic)
• Anti-DoS SOC
Signaling (diversion decision)
“Always-On” Solution
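As an added example (not from the talk or its author), the "detection / baselines" step of the signaling decision above, reduced to a per-source request-rate check over constructed NCSA common-log lines (the format Logstalgia reads): hosts far above the median per-host request count are the candidates to divert or drop. The factor and floor values, the sample addresses and the hypothetical attacker 203.0.113.7 are all assumptions.

```python
import re
from collections import Counter
from statistics import median

# NCSA common log format: host ident authuser [date] "request" status bytes
NCSA_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Constructed sample: one 10-second window of traffic (not a real capture).
# 203.0.113.7 is the constructed attacker hammering /login; the rest is normal browsing.
BENIGN = [
    '198.51.100.4 - - [17/May/2013:10:00:01 -0500] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.9 - - [17/May/2013:10:00:02 -0500] "GET /about.html HTTP/1.1" 200 2048',
    '198.51.100.4 - - [17/May/2013:10:00:04 -0500] "GET /style.css HTTP/1.1" 200 880',
    '198.51.100.12 - - [17/May/2013:10:00:05 -0500] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.9 - - [17/May/2013:10:00:07 -0500] "GET /logo.png HTTP/1.1" 304 -',
]
FLOOD = ['203.0.113.7 - - [17/May/2013:10:00:%02d -0500] "POST /login HTTP/1.1" 200 512'
         % (i % 10) for i in range(60)]
SAMPLE_LOG = BENIGN + FLOOD


def parse_ncsa(line):
    """Return (host, timestamp, request, status, bytes) or None for a malformed line."""
    m = NCSA_RE.match(line)
    if not m:
        return None
    host, ts, req, status, size = m.groups()
    return host, ts, req, int(status), 0 if size == "-" else int(size)


def requests_per_source(lines):
    """Count well-formed requests per client host; malformed lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_ncsa(line)
        if rec:
            counts[rec[0]] += 1
    return counts


def flag_sources(counts, factor=10, floor=20):
    """Flag hosts above `factor` x the median per-host count (the baseline) AND an
    absolute `floor`, so a quiet site whose median is 1 request does not flag every
    client that loads a page with a handful of assets. Returns [(host, count), ...]."""
    if not counts:
        return []
    threshold = max(median(counts.values()) * factor, floor)
    return sorted((h, n) for h, n in counts.items() if n > threshold)


if __name__ == "__main__":
    print("sources to divert/drop:", flag_sources(requests_per_source(SAMPLE_LOG)))
```

A real CPE mitigator would feed the flagged list into its diversion signaling rather than print it, and would compute the baseline from a quiet period rather than from the window under inspection.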
DDoS Mitigation
• Who can solve the problem?
– Firewalls
– IPS
– WAF
– ADC
– Web proxies
• A single technology does not solve the problem
• Architecture, architecture
• Elements and architecture need to be sized and verified
DDoS Mitigation
• Architecture
– Cloud scrubber: volumetric attacks
– CPE scrubber: application attacks, low and slow
– Border routers
– Tier 1 FW: presentation
– ADC: SSL termination
– WAF: application attacks, SQL injection
– IPS: host-based attacks
– Tier 2 FW: application
[Diagram: redundant pairs of border routers, SSL terminators/CPE scrubbers, border FWs, ADCs, WAFs and IPS, plus a cloud scrubber]
Helmuth von Moltke Explains Modern DDoS
"No plan of operations extends with certainty beyond the first encounter with the enemy's main strength" or
"no plan survives initial contact with the enemy"
Useful tools
• Logstalgia (visualization tool…reads NCSA formatted server logs)
• PyLoris (multi-purpose application layer attack tool…requires Python)
• SlowLoris (HTTP only)
• LOIC (sourceforge.net…“Low Orbit” because it sends attacks at L3/4)
• HOIC (similar to SlowLoris, but has a booster pack to ‘adapt’ to countermeasures)
How can individual machines cause a big enough distraction with today's typical volume of network traffic?
My low-end Core i3 laptop can put out a 12K PPS DDoS.
Multiply that by even a few thousand machines…
Thank You