Extending Your Perimeter of Defense and Visibility
Patrick Sullivan, CISSP, GSLC
Jonathan Anderson, CISSP, GCED
©2012 AKAMAI | FASTER FORWARD™
What We’ve Seen
2012 YTD: 170 DDoS or Malicious Attacks on Akamai Customers
• Multiple customers under attack almost every weekend through June
• Attack durations varied from hours to days
[Charts: Industry (Commerce, Digital Media, Enterprise, High Technology, Public Sector; shares shown: 31%, 24%, 22%, 12%, 11%); Geography (Americas, APAC, EMEA; shares shown: 74%, 6%, 19%); Severity of Attack (High Impact, Moderate Impact, Low Impact; shares shown: 48%, 35%, 18%)]
Agenda
• Easy things you can do with Akamai to reduce your attack surface
  • Protect your DNS and Top Level Domain
  • Disable unnecessary HTTP Methods and Query Strings
  • Limit unneeded information disclosure about your site
  • Optimize caching policy for Security
  • Don’t treat all pages equally
  • Leverage Akamai’s insights into attack tools
  • Develop DDoS Runbook
Attacks targeting DNS have increased significantly in 2012
• Across all adversary classes, adversaries are spending more time thinking about DNS than defenders are
  • Recreational Hackers: Attacking for the lulz
  • Chaotic Actors: Hacktivism
  • Organized Crime: Profit motivated
  • State Sponsored: Nationalistic agenda
• Several high profile Managed DNS providers have suffered outages recently following DNS-based DDoS attacks
Is Your Top Level Domain Protected?
• www.example.com is CNAMEd to Akamai and protected
• DNS RFCs prevent CNAMEing the top level domain example.com
• Do you serve from http://example.com/?
  • Possibly a direct route around Akamai to origin
• Options for the Top Level Domain
  • Perform a 301/302 at origin from example.com to www.example.com
  • Establish separate hosting to serve the redirects
  • Have Akamai eDNS manage the Top Level Domain at the Edge
    • Lets Akamai serve the redirects
  • Akamai Primary DNS is currently in Limited Availability
Disable unnecessary HTTP Methods
• Do you need POST enabled for your entire site?
  • Enabled globally in most Web servers and Akamai configurations
• Only accept the minimum HTTP Methods that you require
  • Enable POST only on URLs that require it
  • Do not enable PUT, DELETE, OPTIONS, or TRACE unless truly needed
• Kona Site Defender protects against attacks that use POST
  • Slow POST protection
  • Many WAF rules inspect POSTs for application layer attacks
  • Signature-based controls for many popular attack tools
Increase Reconnaissance Work Effort
• Akamai can filter responses to eliminate verbose headers
  • Rewrite Server header
  • Remove X-Powered-By headers
  • Whitelist Akamai “Debug” to specific IP addresses
• Remember robots.txt! Don’t let Google expose vulnerabilities in your site.
Optimizing Configuration for Security
• Do you need query strings to be included in your cache keys?
  • If not, having Akamai ignore them will reduce attack surface
• With Kona, Akamai can protect against HTTP Request Floods
  • Rate Controls can be used to monitor uncacheable parts of the site
  • Signature-based controls can screen for specific attack tools
  • Network Layer and Geographic Controls
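The origin-side counterpart to the top level domain, HTTP method, verbose header and query-string items above, as an added nginx configuration example that is not from the deck or from Akamai. example.com, the /login path, the backend address 127.0.0.1:8080 and the cache zone name static_cache are placeholders chosen for the example.

```nginx
# Added example (not from the deck): origin-side hardening for the items above.
# example.com, /login, 127.0.0.1:8080 and the cache zone "static_cache" are placeholders.
# Assumes a matching proxy_cache_path ... keys_zone=static_cache:10m in the http block.

# Top level domain: the apex cannot be CNAMEd to the CDN, so the origin
# answers example.com with nothing but a 301 to the protected www hostname.
server {
    listen 80;
    listen 443 ssl;
    server_name example.com;
    # ssl_certificate / ssl_certificate_key omitted for brevity
    return 301 https://www.example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name www.example.com;
    # ssl_certificate / ssl_certificate_key omitted for brevity
    server_tokens off;        # hides the version; fully rewriting the Server
                              # header needs the third-party headers-more module

    # Site-wide: accept only GET (and HEAD, which GET implies). PUT, DELETE,
    # OPTIONS, TRACE and POST are denied unless a location re-enables them.
    location / {
        limit_except GET { deny all; }
        proxy_pass http://127.0.0.1:8080;
        proxy_hide_header X-Powered-By;   # strip framework disclosure from responses
        # Query strings are excluded from the cache key, so /page?x=1 and
        # /page?x=2 resolve to one cached object instead of many origin fetches.
        proxy_cache static_cache;
        proxy_cache_key "$scheme$host$uri";
    }

    # POST is enabled only on the URL that actually needs it.
    location = /login {
        limit_except GET POST { deny all; }
        proxy_pass http://127.0.0.1:8080;
        proxy_hide_header X-Powered-By;
    }
}
```

Requests that fail a limit_except check receive a 403 from nginx without ever reaching the backend.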
Special Considerations for your Landing Page
• “www” is a very frequent target of attacks
• Is Akamai treating your home page differently for you?
  • Redirects at the edge
  • Dynamic page caching provides very powerful defense for the homepage
Design Considerations for Login Page(s)
• Our customers are seeing frequent abuse of login pages
• Attacks appear to be leveraging large databases of compromised credentials
Develop a DDoS Runbook
• Have a plan ready to execute for when you are attacked
  • Procedures
  • Contacts
• Akamai can help provide some best practices based on our lessons learned from managing so many DDoS attacks with our customers
Summary
• Lots of low-hanging fruit to address when hardening your site
  • Top level domain, HTTP Methods, Query Strings
  • Default landing page, login page, etc.
  • DDoS Runbook – what would you do if you came under attack?
• Come visit us at the Security Booth to see more attack demos!
  • Slowloris slow POST
  • Nikto XSS
  • Havij SQLi
  • HOIC with custom booster pack
  • Siege brute-force DDoS
  • Query string manipulation
  • Hydra brute-force login
How it works
Edge App Session Evaluations
• Click on the agenda icon
• Select the session you are currently attending
• Click on the surveys tab
• Click on the session survey made available at the start of your session
• Complete the session survey
• Get points for the Akamai Conference Game and win prizes