
Page 1: Defending Against DDoS Attacks

v1.3 13.9.11

December, 2012

Defending Against DDoS Attacks

Page 2

Agenda

Introduction

What is a DDoS Attack

Change to Threat Landscape

Impact to Conventional Thinking

Defensive Approaches

Q& A

Page 3

Introduction

Page 4

Introduction

Jason L. Stradley

– Currently a Principal Security Consultant with BT

– US / C Security Practice Lead

– Provide C-Level Advisory to Fortune 500 Clients

– 25+ Year IT Veteran

– Published Author

– Specialties – IT Security & Risk Management, Architecture, Governance & Compliance

– Developed and operated soup to nuts information security programs for multiple multi-national enterprise environments

Page 5

What is a DDoS Attack

Page 6

What exactly is a DDoS attack?

• A DDoS attack is an attempt to deny service to a network or system through one of three basic techniques:

– Bandwidth exhaustion

– Exhaustion of other resources, such as memory, session count, encryption key exchange requests, and so on

– Protocol abuse/misuse

• Attempts to render a system or network (the target) unavailable to its intended users for its intended use

• Coordinates the activities of multiple systems to flood a target and effectively shut that target down

Page 7

Motivations

• Political

– Radical / fringe groups employ DDoS attacks to make their positions known by attacking organizations

– WikiLeaks November 2010

– US Banks October 2012

• Financial

– Criminal enterprises have been able to “shut down” commerce sites resulting in revenue loss and client loss

– Used as “Smoke Screen” for electronic fraud and theft

– Used for extortion

Page 8

Change to the Threat Landscape

Page 9

Threat Landscape Shift

• Frequency and severity of attacks are increasing

– Between Jan 2010 and Dec 2011 attacks were up more than 22% according to Trustwave

– That trend seems to be holding steady in 2012

• Four primary factors that contribute to today’s increased threat environment:

– Organization — hierarchical cyber crime business models and the amalgamation of traditional crime with new technology

– Sophistication — quantum leaps in tool development, tactics, and methods

– Complexity — increased technical domain complexity and interactions at multiple levels, creating layers of abstraction that in turn create a form of camouflage

– Social networking — the blending of business and Internet services (Facebook, Twitter, Google, etc.)

Page 10

Threat Landscape Shift

• Black Hats have adopted current technologies such as software as a service (SaaS)

– Established “Hacker for Hire” scenario

– Attackers don’t require technical expertise, just money

– Using large numbers of compromised computers under centralized control, anyone can attack anybody at any time

Page 11

Impact to Conventional Thinking

Page 12

Paradigm Shift

• The initial response of a first-time victim to an attack is to increase the capacity of its internet pipes

– Poor approach – not sustainable

• Typical security controls are placed close to assets being protected

– Successfully defending against DDoS attacks requires exerting control as far upstream as possible

Page 13

Defensive Approaches

Page 14

Defensive Strategies

Conceptual methods of approaching DDoS defense

– Distribute the target

– Broaden the target surface

– Avoid the onslaught of bandwidth – turn a laser into a lamp

– Works well for simple web applications or web front ends of a multi-tiered architecture. Does not work well with complex applications

– Distribute the load – creation of multiple ingress points combined with large aggregated bandwidth

– Success is dependent on the level and granularity of control at the ingress points

– Examples: caching services, overlay networks and co-location scenarios

– Filter the load – Based on filtering the unwanted elements from a given traffic stream

– Most dominant solution – prevalent in almost all successful DDoS defense strategies

– Success directly related to proximity to the attack source – further upstream the better
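The "filter the load" approach above, applied to the three attack techniques the deck lists (bandwidth exhaustion, exhaustion of other resources, protocol abuse): the example below is added here and is not the presenter's code; it inspects constructed per-source traffic summaries at an aggregation/control point, labels each source with one of the three techniques, and emits the filter action that would be pushed to an upstream provider. The link size, thresholds, field names and sample addresses are all assumptions.

```python
# Added example (not from the slide deck): a minimal "filter the load" control
# point. Each record is a constructed per-source summary:
#   (src_ip, bytes_per_sec, syn_per_sec, established_sessions, malformed_pkts)
SAMPLE_FLOWS = [
    ("198.51.100.7", 950_000_000, 20, 3, 0),   # volumetric: fills the link
    ("203.0.113.9", 120_000, 4_000, 0, 0),     # SYN flood: sessions never complete
    ("192.0.2.44", 50_000, 10, 2, 900),        # malformed packets: protocol abuse
    ("192.0.2.10", 8_000, 2, 1, 0),            # ordinary client
]

# Assumed thresholds for a 1 Gbit/s ingress link.
LINK_BPS = 1_000_000_000
BANDWIDTH_SHARE = 0.5      # one source using half the link is volumetric
SYN_RATE_LIMIT = 500       # SYN/s above which we look at the completion ratio
MALFORMED_LIMIT = 100      # malformed packets/s tolerated from one source


def classify(bps, syn_rate, established, malformed):
    """Return the deck's technique label for one source, or None if benign."""
    if bps >= LINK_BPS * BANDWIDTH_SHARE:
        return "bandwidth exhaustion"
    # Many SYNs but almost no completed sessions: state-table (resource) exhaustion.
    if syn_rate >= SYN_RATE_LIMIT and established < syn_rate / 100:
        return "resource exhaustion"
    if malformed >= MALFORMED_LIMIT:
        return "protocol abuse"
    return None


def build_rules(flows):
    """Map each offending source to the action an upstream filter should apply.

    Volumetric sources are dropped outright (only dropping them upstream frees the
    link); state and protocol abusers are rate-limited so legitimate traffic from
    a shared address is not cut off entirely.
    """
    rules = {}
    for src, bps, syn, est, bad in flows:
        label = classify(bps, syn, est, bad)
        if label == "bandwidth exhaustion":
            rules[src] = ("drop", label)
        elif label is not None:
            rules[src] = ("rate-limit", label)
    return rules


if __name__ == "__main__":
    for src, (action, why) in build_rules(SAMPLE_FLOWS).items():
        print(f"{src}: {action} ({why})")
```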

Page 15

Solution Considerations

Assumed desired characteristics: Scalability, Flexibility, Globalization, Elasticity

Page 16

Solution Scenario – Provider Co-Location Scenario

Greater control over more expensive WAN links by utilizing lower-cost co-located LAN. Service-provider specific with limited scalability.

Limited geo-location flexibility

[Diagram: DC 1 and DC 2, each with a Co/Lo presence at the (primary) service provider, connecting to the Internet]

Page 17

Solution Scenario – MPLS / Global Internet Overlay

Application specific QOS and traffic shaping across segmented VPN connections permitting increased granularity of control and extension of the environment

Provides for scalability of internet capabilities geographically, but requires one or more specific provider relationships

[Diagram: data centres (DC) connected over a Global MPLS network to multiple regional POPs (e.g. POP (Asia)) that front the Internet]

Highly distributed points of presence permitting localized access to internet based systems, spreading load and access geographically

Page 18

Solution Scenario – Cloud Network DDoS Service

Page 19

Solution Scenario – Cloud Application

Page 20

Solution Scenarios

Common Threads

– Development of aggregation and control points to support appropriate upstream filtering

– A “harmonized” application of security best practices to the DDoS defenses – optimizes layered controls throughout

– Apply the appropriate defensive measures based on the “value” of the organization’s internet presence

– A DDoS response capability consisting of specific processes and procedures

– A point of coordination for the deployment and operation of defensive measures

– The need to conduct response, recovery and restoration exercises, perform appropriate post-mortem analysis of exercise results, and incorporate lessons learned back into the process

Sounds a lot like DR!

Page 21

Conclusions

Page 22

Conclusions

Educate the organization on the shift in the nature of this threat and the inevitability of an attack

Ensure that the organization understands and can articulate the role and value of its internet presence

Harmonize the deployment of layered defensive capabilities

– DDoS response coordinator?

Develop a response process and exercise program – Very similar to DR approach

– Borrow from existing DR / IR programs

Develop technical defensive capabilities that utilize upstream filtering as a primary component

Page 23

Q & A

Page 24

Thank You
