Multi-vector DDOS Attacks Detection and Mitigation Paul Mazzucco Chief Security Officer August 2015


Page 1: Multi-vector DDOS Attacks - North Texas ISSA · Cyber Attack Sophistication Is Increasing • Lower bandwidth attacks occur more frequently, last longer, evade detection ... The 7

Multi-vector DDOS Attacks Detection and Mitigation

Paul Mazzucco Chief Security Officer August 2015

Page 2: Key Reasons for Cyber Attacks

Criminal

•  Money … and more money

•  Large number of groups

•  From unskilled to advanced

•  Present in virtually every country

Hacktivists

•  Protest

•  Revenge

•  Large number of groups

•  Basic skills; a few standouts with advanced skills who motivate a potential larger set of followers

Espionage

•  Acquiring secrets for

   -  National security

   -  Economic benefit

•  Growing number of countries with capabilities

•  Larger array of supported or tolerated groups

War

•  Motivation is to destroy, degrade, or deny

•  Politics by another name

•  Growing number of countries with capability

•  Non-state actors could be included

Page 3: DoS/DDoS Attacks, the New Cyber Weapon of Choice

Cyber Attack Sophistication Is Increasing

•  Lower bandwidth attacks occur more frequently, last longer, evade detection

   -  Overwhelm servers' ability to respond; ultimately take down the site

•  Multi-vector campaigns

   -  Booter services, low-cost DDoS campaigns can take down a typical business

   -  DDoS-for-hire market is expanding

   -  China, Germany, the U.S. accounted for more than 50% of all DDoS attack origins in Q1 2015

The number of DDoS attacks in Q1 2015 more than doubled the number of DDoS attacks in Q1 2014

Source: Akamai

Page 4: The Industry Hit List Expands

Drivers: the rise of the Internet of Things, web vulnerabilities and botnet building

Choice Targets

•  SaaS platforms, e.g. healthcare data

•  Competitive industries, e.g. gaming

•  Multi-tenant platforms, because attacks on one tenant impact all other tenants

Q1 2015 infrastructure attacks were 91% of total DDoS attacks

Source: Akamai

Page 5: Where Are the Attacks Taking Place?

The 7 Layers of the OSI Model

Network attacks were 90% of attacks in 2005

Session attacks typically defeat conventional firewalls

Application attacks are 90% of attacks in 2015

Q1 2015 vs. Q1 2014: 124.69% increase in infrastructure layer (Layer 3 & 4) attacks

Q1 2015 vs. Q1 2014: 59.83% increase in application layer (Layer 7) attacks

Page 6: New Attack Vectors, One Dangerous Commonality

Significant attack vectors emerged in 2014

•  50% of all Web attacks were encrypted application-based attacks

•  15% of organizations reported attacks targeting Web application login pages on a daily basis

•  DNS-based volumetric floods increased from 10% to 21%, becoming the 2nd most common attack vector

Source: Radware

Page 7: The Simple Service Discovery Protocol (SSDP) - Top Infrastructure-based Attack Vector

•  SSDP comes pre-enabled on millions of devices – routers, media servers, web cams, smart TVs, printers

•  Allows devices to discover each other on a network, establish communication, coordinate activities

•  Attackers are armed with a list of vulnerable devices; use them as reflectors to amplify a DDoS attack

SSDP accounted for more than 20% of Q1 2015 attack vectors
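As an added example (not from the slides), the following Python sketch shows one way a defender can spot SSDP reflection traffic in flow records: replies sourced from UDP/1900 that the receiving host never solicited, arriving from many distinct reflectors. The flow records, the CSV layout and the thresholds are constructed for illustration; a host that sent its own M-SEARCH to a reflector is treated as solicited and not alerted on.

```python
"""Flag SSDP reflection traffic in flow records (added illustrative example)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample flow records: ts,src_ip,src_port,dst_ip,dst_port,proto,bytes
# 10.0.0.5 sends a legitimate M-SEARCH and gets one reply; 192.0.2.20 receives
# unsolicited replies from five different "reflectors" it never queried.
SAMPLE_FLOWS = """\
1,10.0.0.5,51234,198.51.100.7,1900,udp,90
2,198.51.100.7,1900,10.0.0.5,51234,udp,300
3,203.0.113.10,1900,192.0.2.20,80,udp,3200
3,203.0.113.11,1900,192.0.2.20,80,udp,3100
3,203.0.113.12,1900,192.0.2.20,80,udp,3300
4,203.0.113.13,1900,192.0.2.20,80,udp,3150
4,203.0.113.14,1900,192.0.2.20,80,udp,3250
"""

Flow = NamedTuple("Flow", [("ts", int), ("src", str), ("sport", int), ("dst", str),
                           ("dport", int), ("proto", str), ("nbytes", int)])

def parse_flows(text: str) -> List[Flow]:
    """Parse the simple CSV flow format above into Flow tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, sport, dst, dport, proto, nbytes = line.split(",")
        flows.append(Flow(int(ts), src, int(sport), dst, int(dport), proto, int(nbytes)))
    return flows

def detect_ssdp_reflection(flows: List[Flow], min_reflectors: int = 3,
                           min_bytes: int = 10000) -> Dict[str, Dict[str, int]]:
    """Return {target_ip: {"reflectors": n, "bytes": total}} for targets that
    receive unsolicited UDP/1900-sourced traffic from many distinct hosts."""
    # (reflector, host) pairs where the host itself sent an M-SEARCH to UDP/1900;
    # replies on those pairs are ordinary discovery responses, not reflection.
    solicited = {(f.dst, f.src) for f in flows if f.proto == "udp" and f.dport == 1900}
    per_target = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for f in flows:
        if f.proto != "udp" or f.sport != 1900 or (f.src, f.dst) in solicited:
            continue
        per_target[f.dst]["reflectors"].add(f.src)
        per_target[f.dst]["bytes"] += f.nbytes
    return {
        target: {"reflectors": len(s["reflectors"]), "bytes": s["bytes"]}
        for target, s in per_target.items()
        if len(s["reflectors"]) >= min_reflectors and s["bytes"] >= min_bytes
    }
```

On the constructed records only 192.0.2.20 is flagged (five reflectors, 16,000 bytes); the thresholds should be tuned to the normal SSDP volume of the monitored network.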

Page 8: Not Just a Party of One Anymore – Multi-Vector Attacks Take Aim

More than 50% of attack campaigns deployed 5 or more attack vectors in 2014

Keeps the target busy by releasing one attack vector at a time vs. launching the entire arsenal all at once

Sources: Radware, Arbor Networks

Page 9: Attackers (Quickly) Strike Back

Attackers are continually developing new attack vectors that defeat newly deployed mitigation tools

They are responding in days – sometimes even hours – after mitigation tools are deployed

Meaning businesses face two chief challenges:

•  The increasing complexity of security, i.e. the multi-pronged nature of the attacks

•  The speed at which attackers adapt to new mitigation tools

Page 10: Minutes to Compromise, Months to Discover

Source: Radware

DDoS attack costs

•  SMB: $52,000 per incident

•  32% of companies would lose over $100K revenue per hour of attack

•  11% of US companies would lose $1 Million+ revenue per hour of attack

Source: Neustar

88% of companies are hit multiple times, with 39% attacked over 10 times annually

Page 11: Recap the Challenges

•  Cyber attacks are mainstream

•  Network perimeter disappears

   –  Application data is the final frontier

•  Availability-based attacks are the main weapon

   –  Multi-vector attack campaigns

•  Targeting end-to-end weakness points

   –  Pipe, network, servers, applications

•  Targeting multi-tenant environments

   –  Amplifies overall impact and management complexity

•  Disguising techniques

   –  Multiple attackers, one IP address

   –  Attacks using dynamic IP addresses

•  Data (confidentiality) and integrity attacks

Page 12: Required Detection: Encrypted/Non-Volumetric Attacks

•  Envelope Attacks – Device Overload

•  Directed Attacks – Exploits

•  Intrusions – Mis-Configurations

•  Localized Volume Attacks

•  Low & Slow Attacks

•  SSL Floods

Sources: TierPoint, Radware

Page 13: Required Detection: Application Attacks

•  Web Attacks

•  Application Misuse

•  Connection Floods

•  Brute Force

•  Directory Traversals

•  Injections

•  Scraping & API Misuse

Sources: TierPoint, Radware

Page 14: Required Detection: Volumetric Attacks

•  Network DDoS

•  SYN Floods

•  HTTP Floods

Sources: TierPoint, Radware

Page 15: Fight Back – Advice #1

Don’t assume that you’re not a target

Draw up battle plans; learn from the mistakes of others

Ensure buy-in from ALL C-suite executives, not just the CTO or CIO

Page 16: Fight Back – Advice #2

Protecting your data is not the same as protecting your business

True security necessitates data protection, system integrity, operational availability

Review your current investments, then gauge the increase required to ensure appropriate protection

Page 17: Fight Back – Advice #3

You can’t defend against attacks you can’t detect

The battle-prepared business harnesses an intelligence network

Page 18: Fight Back – Advice #4

Evaluate DDoS protection solutions

Consider a hybrid approach of layered DDoS defenses: always on, on-premise hardware blocking plus cloud-based traffic scrubbing

Page 19: Fight Back – Advice #5

Know your limitations

Enlist specialists that have the expertise to help you fight and win

Page 20: Thank you