Multi-vector DDOS Attacks Detection and Mitigation
Paul Mazzucco Chief Security Officer August 2015
Key Reasons for Cyber Attacks
Criminal
• Money … and more money
• Large number of groups
• From unskilled to advanced
• Present in virtually every country
Hacktivists
• Protest
• Revenge
• Large number of groups
• Basic skills; a few standouts with advanced skills who motivate a potential larger set of followers
Espionage
• Acquiring secrets for
- National security
- Economic benefit
• Growing number of countries with capabilities
• Larger array of supported or tolerated groups
War
• Motivation is to destroy, degrade, or deny
• Politics by another name
• Growing number of countries with capability
• Non-state actors could be included
DoS/DDoS Attacks: New Cyber Weapon of Choice
Cyber Attack Sophistication Is Increasing
• Lower bandwidth attacks occur more frequently, last longer, evade detection
- Overwhelm servers' ability to respond; ultimately take down the site
• Multi-vector campaigns
- Booter services, low-cost DDoS campaigns can take down a typical business
- DDoS-for-hire market is expanding
- China, Germany, the U.S. accounted for more than 50% of all DDoS attack origins in Q1 2015
The number of DDoS attacks in Q1 2015 more than doubled the number of DDoS attacks in Q1 2014
Source: Akamai
The Industry Hit List Expands
Drivers: the rise of the Internet of Things, web vulnerabilities and botnet building
Choice Targets
• SaaS platforms, e.g. healthcare data
• Competitive industries, e.g. gaming
• Multi-tenant platforms, because attacks on one tenant impact all other tenants
Q1 2015 infrastructure attacks were 91% of total DDoS attacks
Source: Akamai
Where Are the Attacks Taking Place?
Network attacks were 90% of attacks in 2005
Session attacks typically defeat conventional firewalls
Application attacks are 90% of attacks in 2015
The 7 Layers of the OSI Model
Q1 2015 vs. Q1 2014: 124.69% increase in infrastructure layer (Layer 3 & 4) attacks
Q1 2015 vs. Q1 2014: 59.83% increase in application layer (Layer 7) attacks
Significant attack vectors emerged in 2014
• 50% of all Web attacks were encrypted application-based attacks
• 15% of organizations reported attacks targeting Web application login pages on a daily basis
• DNS-based volumetric floods increased from 10% to 21%, becoming the 2nd most common attack vector
Source: Radware
New Attack Vectors, One Dangerous Commonality
The Simple Service Discovery Protocol (SSDP) - Top Infrastructure-based Attack Vector
• SSDP comes pre-enabled on millions of devices – routers, media servers, web cams, smart TVs, printers
• Allows devices to discover each other on a network, establish communication, coordinate activities
• Attackers are armed with a list of vulnerable devices; use them as reflectors to amplify a DDoS attack
• SSDP accounted for more than 20% of Q1 2015 attack vectors
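As an added defender-side example (not part of the presentation), the following Python flags the reflection pattern this slide describes in constructed flow records: many distinct devices answering from the SSDP port (UDP/1900) toward one victim with large packets; it also covers DNS (UDP/53), the other reflection vector the deck names. The CSV flow layout, the sample addresses and the thresholds are assumptions for illustration.

```python
from collections import defaultdict

# Reflector services named in the deck: SSDP (UDP/1900) and DNS (UDP/53).
REFLECTOR_PORTS = {1900: "SSDP", 53: "DNS"}

# Constructed sample flow records (not real traffic), one flow per line:
# src_ip,src_port,dst_ip,dst_port,proto,bytes,packets
SAMPLE_FLOWS = """\
198.51.100.10,1900,203.0.113.5,43211,udp,12000,30
198.51.100.11,1900,203.0.113.5,43211,udp,12400,30
198.51.100.12,1900,203.0.113.5,43211,udp,11700,29
198.51.100.13,1900,203.0.113.5,43211,udp,12900,31
192.0.2.7,53,203.0.113.5,43211,udp,4200,3
203.0.113.5,52000,198.51.100.20,443,tcp,1800,12
198.51.100.21,1900,203.0.113.9,5555,udp,600,3
"""


def parse_flows(text):
    """Parse the assumed CSV layout into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, nbytes, pkts = line.split(",")
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto.lower(),
                      "bytes": int(nbytes), "packets": int(pkts)})
    return flows


def detect_reflection(flows, min_sources=3, min_avg_pkt=300):
    """Group UDP flows whose SOURCE port is a reflector service by victim.
    A victim receiving such traffic from at least min_sources distinct
    reflectors with an average packet size >= min_avg_pkt bytes is flagged.
    Returns {dst_ip: {service: {reflectors, bytes, avg_pkt_bytes}}}."""
    agg = defaultdict(lambda: defaultdict(
        lambda: {"sources": set(), "bytes": 0, "packets": 0}))
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in REFLECTOR_PORTS:
            continue
        bucket = agg[f["dst"]][REFLECTOR_PORTS[f["sport"]]]
        bucket["sources"].add(f["src"])
        bucket["bytes"] += f["bytes"]
        bucket["packets"] += f["packets"]
    alerts = {}
    for dst, per_service in agg.items():
        for service, b in per_service.items():
            avg = b["bytes"] / b["packets"]
            if len(b["sources"]) >= min_sources and avg >= min_avg_pkt:
                alerts.setdefault(dst, {})[service] = {
                    "reflectors": len(b["sources"]), "bytes": b["bytes"],
                    "avg_pkt_bytes": round(avg)}
    return alerts
```

Feeding real NetFlow/sFlow exports into parse_flows and raising the thresholds to match the link's normal baseline turns this into a simple early-warning check for the amplification vector the slide highlights.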
Not Just a Party of One Anymore – Multi-Vector Attacks Take Aim
More than 50% of attack campaigns deployed 5 or more attack vectors in 2014
Keeps the target busy by releasing one attack vector at a time vs. launching the entire arsenal all at once
Sources: Radware, Arbor Networks
Attackers (Quickly) Strike Back
Attackers are continually developing new attack vectors that defeat newly deployed mitigation tools
They are responding in days – sometimes even hours – after mitigation tools are deployed
Meaning businesses face two chief challenges:
• The increasing complexity of security, i.e. the multi-pronged nature of the attacks
• Speed at which attackers adapt to new mitigation tools
Minutes to Compromise, Months to Discover
Source: Radware
DDoS attack costs
• SMB: $52,000 per incident
• 32% of companies would lose over $100K revenue per hour of attack
• 11% of US companies would lose $1 Million+ revenue per hour of attack
Source: Neustar
88% of companies are hit multiple times, with 39% attacked over 10 times annually
Recap the Challenges
• Cyber attacks are mainstream
• Network perimeter disappears;
– Application data is final frontier
• Availability-based attacks are main weapon
– Multi-vector attack campaigns
• Targeting end-to-end weakness points
– Pipe, network, servers, applications
• Targeting multi-tenant environments
– Amplifies overall impact and management complexity
• Disguising techniques
– Multiple attackers, one IP address
– Attack using dynamic IP addresses
• Data (confidentiality) and integrity attacks
Required Detection: Encrypted/Non-Volumetric Attacks
• Envelope Attacks – Device Overload
• Directed Attacks - Exploits
• Intrusions – Mis-Configurations
• Localized Volume Attacks
• Low & Slow Attacks
• SSL Floods
Sources: TierPoint, Radware
Required Detection: Application Attacks
• Web Attacks
• Application Misuse
• Connection Floods
• Brute Force
• Directory Traversals
• Injections
• Scraping & API Misuse
Sources: TierPoint, Radware
Required Detection: Volumetric Attacks
• Network DDoS
• SYN Floods
• HTTP Floods
Sources: TierPoint, Radware
Fight Back – Advice #1
Don’t assume that you’re not a target
Draw up battle plans; learn from the mistakes of others
Ensure buy-in from ALL C-suite executives, not just the CTO or CIO
Fight Back – Advice #2
Protecting your data is not the same as protecting your business
True security necessitates data protection, system integrity, operational availability
Review your current investments, then gauge the increase required to ensure appropriate protection
Fight Back – Advice #3
You can’t defend against attacks you can’t detect
The battle-prepared business harnesses an intelligence network
Fight Back – Advice #4
Evaluate DDoS protection solutions
Consider a hybrid approach of layered DDoS defenses: always on, on-premise hardware blocking plus cloud-based traffic scrubbing
Fight Back – Advice #5
Know your limitations
Enlist specialists that have the expertise to help you fight and win
Thank you