Survivability of Peaking Interest and Denial-of-Service Attacks

Volker Tanger, Managing IT Security Consultant

(ISC)2 Security Congress EMEA 2015


Set-List

1 White Flag
  Fame
  Messin' With The Kid
  Flash - Ahaaaarghl…
  Dumb Ways To Die

2 Beat It
  Shadow on the Wall
  Drums of Doom
  Another One Bites the Dust
  Call to Arms
  Friends Will Be Friends
  Run For Cover
  Benny Hill


WHITE FLAG


Fame … I want to live forever?!

Ritter Sport (chocolate) and Rügenwalder Mühle (sausages) announce "Mett Schokolade"
= chocolate with minced raw meat and onions

Public product announcement on 1 April 2014 (an April Fools' joke)
immediately went viral

http://www.ritter-sport.de survived
http://shop.ritter-sport.de died

The Ritter Sport online shop was offline for most of 1 April 2014



Saturn (electronics & media markets)
rushed into the MP3 sales frenzy for the Christmas season 2009

Massive marketing campaign
Platform not ready
Launched already overloaded, flapping on- and offline
Crashes with database corruption (songs missing, or other customers' songs showing up)

Project halted after a few days, restarted months later, finally scrapped.



Heat Wave

Twitter, Facebook, …
Slashdot, Heise, Spiegel, Fefe, …
Quite often the trigger is your own marketing department

Characteristics
Start: office hours / when advertisements run
Ramp-up: within 1-3 hours
Shape: fast peak, slower decay
Duration: hours



Messin' With The Kid

Daily operations
Mail / spam waves
Seasonal variations
Problematic if already running low on capacity
(especially where operations are treated as a mere cost factor, or buried in bureaucracy)

Characteristics
Start: coming & going (seasonal)
Ramp-up: some hours / days
Shape: indistinct wave envelopes
Duration: days / weeks



Flash - Ahaaaarghl…

Targeted attack
Uplink saturation (several hundred Gbit/s at the top end)
Increasingly application-layer (L7) attacks (slowloris, LOIC)
Cheap weapon: about $200 buys one day of 100,000 zombies (10-100 Gbit/s)

Characteristics
Start: suddenly
Ramp-up: seconds
Shape: nothing at all (device crashed) / rectangular block (link saturation)
Duration: first wave a few hours, often followed by an "offer you can't refuse" (extortion demand);
repeat waves longer, up to weeks



Dumb Ways To Die

Admin interfaces reachable from the internet
Trivial passwords (admin, test, 123456, …)
Unpatched / unmonitored systems
Single points of failure: one uplink / one server / one data center
(the same single points were hit in DoS attacks on Mastercard, eBay's DNS, the .mil DNS)

Characteristics
Start: accidental
Ramp-up: instantaneous
Shape: empty (nothing left to measure)
Duration: depends on recovery procedures



BEAT IT


Shadow on the Wall

Warning signs:
Projects missing realistic load predictions & load tests
Rumors about "quantum leap" projects
Systems explicitly labelled high-risk / legacy
Ceiling too close for comfort ("Unused capacity is a waste!")
Flag-day switch-over for maximum marketing impact instead of a more
controllable gradual roll-out (invite-only alpha, restricted beta, …)

Simplest check: just ask the administrators, before the switch is thrown.



Drums of Doom

Monitoring: thresholds, trends
Automatic, real-time logfile evaluation / SIEM
Alerts! Alerts!! Alerts!!!
Advanced: automatically spin up additional instances / re-route traffic / rolling blackout

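"Thresholds, trends" is where the four characteristics lists (start, ramp-up, shape, duration) turn into something a monitoring system can act on. The following is an added example, not code from the talk: a small Python log evaluator over constructed Common Log Format lines. It alerts when a window exceeds a threshold, then uses the ramp-up time and the per-source request concentration to tell a flash (targeted attack: sudden, few sources doing the work) from a heat wave (gradual climb, sources behaving like ordinary visitors). The window size, the 5x baseline threshold, the 1.5x ramp boundary and the concentration cut-offs are assumptions to be tuned against your own traffic.

```python
"""Threshold and trend evaluation over access-log lines (added example, not from the talk)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line; return None for lines that do not match (log noise)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "status": int(m["status"])}


def bucketize(lines, window_s=60):
    """Group requests into fixed windows: {window start (epoch seconds): Counter(source ip)}."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            slot = int(rec["ts"].timestamp()) // window_s * window_s
            buckets[slot][rec["ip"]] += 1
    return dict(sorted(buckets.items()))


def evaluate(buckets, baseline_windows=5, factor=5.0, hard_limit=1000):
    """Threshold check, then trend shape; returns the first alert or None.

    baseline      mean requests/window over the first windows (assumed quiet)
    threshold     the smaller of factor*baseline and the known capacity ceiling
    ramp          windows since load last sat near baseline (<= 1.5x): the ramp-up time
    concentration requests per source now / requests per source at baseline
    All numbers are assumptions to be tuned against your own traffic.
    """
    slots = list(buckets)
    counts = [sum(c.values()) for c in buckets.values()]
    base = counts[:baseline_windows]
    if not base:
        return None
    baseline = sum(base) / len(base)
    base_per_ip = sum(base) / sum(len(buckets[s]) for s in slots[:baseline_windows])
    threshold = min(hard_limit, factor * baseline)
    for i in range(baseline_windows, len(slots)):
        if counts[i] < threshold:
            continue
        j = i
        while j > 0 and counts[j - 1] > 1.5 * baseline:
            j -= 1
        ramp = i - j
        sources = buckets[slots[i]]
        concentration = (counts[i] / len(sources)) / base_per_ip
        # Shapes from the talk's characteristics lists:
        #   flash:     starts suddenly, ramps up within one window, few sources do the work
        #   heat wave: ramps up over several windows, sources behave like ordinary visitors
        if ramp <= 1 and concentration >= 10:
            kind = "flash"
        elif ramp >= 3 and concentration <= 2:
            kind = "heat-wave"
        else:
            kind = "unclear"            # still an alert; a human decides the playbook
        return {"at": datetime.fromtimestamp(slots[i], timezone.utc), "requests": counts[i],
                "sources": len(sources), "ramp_windows": ramp,
                "concentration": round(concentration, 1), "kind": kind}
    return None


def synth(kind):
    """Constructed CLF lines, not real traffic: five quiet minutes, then an optional wave."""
    t0 = datetime(2015, 10, 20, 9, 0, tzinfo=timezone.utc)
    lines = []

    def emit(minute, ip, n):
        for k in range(n):
            ts = (t0 + timedelta(minutes=minute, seconds=k % 60)).strftime(TS_FMT)
            lines.append(f'{ip} - - [{ts}] "GET /shop/ HTTP/1.1" 200 5120')

    def visitors(minute, count):        # ordinary visitors: two page requests each
        for v in range(count):
            emit(minute, f"198.51.{v // 250}.{v % 250 + 1}", 2)

    for m in range(5):
        visitors(m, 10)
    if kind == "heat-wave":             # a link goes viral: visitor count climbs minute by minute
        for m, count in enumerate([15, 20, 25, 35, 50], start=5):
            visitors(m, count)
    elif kind == "flash":               # four sources hammer the shop, out of nowhere
        visitors(5, 10)
        for a in range(4):
            emit(5, f"203.0.113.{a + 1}", 300)
    lines.append("not a log line at all")   # noise the parser must skip
    return lines


if __name__ == "__main__":
    for kind in ("quiet", "heat-wave", "flash"):
        print(kind, evaluate(bucketize(synth(kind))))
```

The classification is a heuristic, not a verdict: its job is to pick the first playbook (scale out and cache for a heat wave, call the provider and start filtering for a flash), and the "unclear" branch exists precisely so that the alert still fires when the shape matches neither.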


Another One Bites the Dust

WWW / DNS externally hosted
CDN
Mail routed via a cloud filter (eleven/cyren, antispameurope, …)
or hosted completely externally (classic hoster, Mailbox.org, Posteo, Gmail)
= classic hosting / cloud



Call to Arms

Sufficient capacity (shiftable, bookable on demand)
Fast & efficient web pages (lean, cacheable) => also nicer for visitors!
Decoupled services, e.g. self-contained web content only, separate
servers / hosters (=> WWW vs. shop at Ritter Sport)
Firewalling, SYN flood protection, QoS (provider-side)
Prepared for high load (load balancing, clustering, reverse proxy)
Secondary lines, ability to selectively re-route traffic (DNS?)
Prepared rolling blackout, static copy of the website, 4xx/5xx error pages



Friends Will Be Friends

Verify contracts for sufficient service offers
Continuous emergency drills => enhancements
(extreme: Netflix's Simian Army / Chaos Monkey)
Establish procedures & contacts with partners BEFORE you need them



Run For Cover

Priority 1: keep communication channels open!
Priority 2: provide current (basic) information to customers/visitors
Coordinate the response with providers & partners
Prioritize services, leave the others behind

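"Call to Arms" (prepared rolling blackout, static copy, 5xx pages) and "Run For Cover" (prioritize services, leave the others behind) describe the same mechanism from the preparation side and from the incident side. The following is an added example, not code from the talk: a Python admission gate that gives each service tier a ceiling on backend capacity, so that the status channel and the website keep headroom while the shop is flooded; shed requests get the prepared static page with a 503 and a Retry-After header instead of a timeout. The service names, tiers, ceilings and page content are assumptions. In production the same policy lives in the reverse proxy (nginx limit_req with an error_page 503 pointing at a static file, for instance); the logic is the same.

```python
"""Priority-tiered load shedding with a prepared static fallback (added example, not from the talk)."""
from collections import deque

# Service tiers, assumption following the talk's priorities: 1 = communication / status
# channel, never shed; 2 = public website; 3 = shop; 4 = everything else.
PRIORITY = {"status": 1, "www": 2, "shop": 3, "search": 4}

# Share of backend capacity a tier may use before its requests are shed. Tier 1 has no
# ceiling. Lower tiers hit their ceiling first, so the website and the status page keep
# headroom while the shop is flooded. Values are assumptions; tune to your own capacity.
CEILING = {1: None, 2: 0.9, 3: 0.6, 4: 0.3}

# Prepared static copy (hypothetical content): served from memory or the proxy's disk,
# never from the backend that is struggling.
STATIC_PAGE = "<html><body><h1>We are busy</h1><p>Please try again in a minute.</p></body></html>"


class LoadShedder:
    """Sliding-window admission gate in front of the backend.

    capacity: backend requests one window can take; window_s: window length in seconds.
    """

    def __init__(self, capacity, window_s=1.0):
        self.capacity = capacity
        self.window_s = window_s
        self.admitted = deque()                 # timestamps of requests passed to the backend
        self.shed = {name: 0 for name in PRIORITY}

    def _load(self, now):
        """Drop timestamps that fell out of the window; return current backend load."""
        while self.admitted and now - self.admitted[0] >= self.window_s:
            self.admitted.popleft()
        return len(self.admitted)

    def handle(self, service, now):
        """Return (status, headers, body): 200 = pass to backend, 503 = prepared static page."""
        tier = PRIORITY[service]
        load = self._load(now)
        share = CEILING[tier]
        ceiling = self.capacity if share is None else share * self.capacity
        if tier == 1 or load < ceiling:         # tier 1 is never shed, whatever the load
            self.admitted.append(now)
            return 200, {}, None                # body comes from the backend
        self.shed[service] += 1
        headers = {"Retry-After": str(max(1, int(self.window_s))), "Cache-Control": "no-store"}
        return 503, headers, STATIC_PAGE


def simulate(capacity=10):
    """Constructed burst: 10 shop hits, then website, status and search requests in one window."""
    gate = LoadShedder(capacity)
    results = {"shop": [gate.handle("shop", 0.0)[0] for _ in range(10)],
               "www": [gate.handle("www", 0.1)[0] for _ in range(4)],
               "status": [gate.handle("status", 0.2)[0]],
               "search": [gate.handle("search", 0.3)[0]]}
    results["shop_next_window"] = [gate.handle("shop", 1.0)[0]]   # window has rolled over
    return results


if __name__ == "__main__":
    for service, codes in simulate().items():
        print(f"{service:18s} {codes}")
```

With capacity 10 the shop gets six of its ten requests through and four static pages, the website still has three slots, the status page is always answered, and search is the first to be blacked out entirely. Setting the Retry-After to the window length keeps well-behaved clients from retrying into the same congested window.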


Benny Hill

On-premises anti-DoS appliance sits behind the bottleneck (the uplink it is meant to protect)
DNS-based anti-DDoS CDN (Cloudflare, …) does not prevent
IP-based attacks (Cloudpiercer finds backend systems whose addresses leak)
BGP blackholing = preemptive suicide (though acceptable when the targeted address can be sacrificed to keep the rest online)

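For the Cloudpiercer caveat the defender's check is whether the origin still accepts web traffic from anything other than the CDN's edges. The following is an added example, not from the talk: a Python function over a constructed firewall allow list and hypothetical CDN ranges that flags every rule letting a non-CDN source reach port 80 or 443; the 0.0.0.0/0 entry in the sample is the mistake it catches. The real check needs the provider's published range list and should be paired with a look at DNS history, MX and certificate records for the origin address, which this example does not attempt.

```python
"""Origin exposure check behind a DNS-based anti-DDoS CDN (added example, not from the talk)."""
import ipaddress

# Hypothetical CDN edge ranges; use the provider's published list in practice.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")]

# Constructed export of the origin firewall's allow rules as (source CIDR, destination port).
# The 0.0.0.0/0 rule for port 80 is the hole an attacker who learns the origin IP walks through.
ORIGIN_ALLOW = [
    ("203.0.113.0/24", 443),
    ("2001:db8:1::/48", 443),
    ("198.51.100.7/32", 22),     # admin jump host: not a web port, out of scope here
    ("0.0.0.0/0", 80),
]


def exposed_rules(allow_rules, cdn_ranges, web_ports=(80, 443)):
    """Return the allow rules that let a non-CDN source reach a web port.

    A rule is acceptable only if its whole source range lies inside one of the CDN
    ranges; a broader range (203.0.0.0/8 against a /24 CDN block) is flagged too,
    because the surplus addresses bypass the CDN just as 0.0.0.0/0 does.
    """
    bad = []
    for src, port in allow_rules:
        if port not in web_ports:
            continue
        net = ipaddress.ip_network(src, strict=False)
        inside_cdn = any(net.version == cdn.version and net.subnet_of(cdn) for cdn in cdn_ranges)
        if not inside_cdn:
            bad.append((src, port))
    return bad


if __name__ == "__main__":
    for src, port in exposed_rules(ORIGIN_ALLOW, CDN_RANGES):
        print(f"origin reachable on port {port} from {src}: DNS-based protection can be bypassed")
```

Run this against the exported rule set every time the CDN publishes a range change or someone edits the origin firewall; an allow rule that is too wide is the usual way the "protected" origin ends up answering the attacker directly.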


…just beat it.


THANKS!

QUESTIONS?

Volker Tanger

HiSolutions AG

Bouchéstraße 12

12435 Berlin

[email protected]

www.hisolutions.com

+49 30 533 289-0



Contact Information & References

Contact
[email protected] / [email protected]
http://www.wyae.de/volker.tanger/papers/

References
Excavator: http://de.wikipedia.org/wiki/Bagger#mediaviewer/Datei:CAT_325_Raupenbagger.JPG
Ritter Sport Mett: http://www.ritter-sport.de/blog/2014/04/01/sonderedition-ritter-sport-mett-ab-sofort-erhaltlich/
Saturn MP3 shop: http://www.heise.de/newsticker/meldung/Saturns-MP3-Shop-dem-Ansturm-nicht-gewachsen-894193.html
Staminus DoS attack: https://www.staminus.net/mitigation-of-attacks-exceeding-40-gbps/

To the music of:
Blues Brothers, Bronski Beat, Dido, The Edwin Davids Jazz Band, Gary Moore, Irene Cara, Manowar,
Metro Trains Melbourne/Tangerine Kitty, Michael Jackson, Mike Oldfield, Queen