Presented originally by NetStandard's Daniel Fluke, Ph.D. at INTERFACE Kansas City, this presentation defines the differences between DoS and DDoS attacks and provides tips for identifying and mitigating attacks on your business.
The Rising Threat of DDoS Attacks: Is Your Business at Risk?
1. The Rising Threat of DDoS Attacks
Is Your Business At Risk?
NetStandard.com | 2000 Merriam Lane | Kansas City, KS 66106 |
Daniel Fluke, Ph.D
NetStandard Inc.
2. What Is A DoS or DDoS Attack?
A Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack is an attempt by a malicious party to make a machine or network resource (like a website) unavailable to its intended users (your customers).
Targets:
• Financial Institutions
• Small/Midsized Businesses
• Retail
3. DoS or DDoS: What’s the Difference?
DoS – Denial of Service
A Denial of Service attack is an attempt by a single machine to prevent others from utilizing your website resources.
4. DoS or DDoS: What’s the Difference?
DDoS – Distributed Denial of Service
A Distributed Denial of Service attack is an attempt by multiple machines to prevent others from utilizing your website resources.
5. Types of DDoS Attacks
There are multiple types of attacks that can effectively make your systems inaccessible or unresponsive to users.
Three general types of attacks:
1. Volume-Based Attacks
2. Protocol Attacks
3. Application Layer Attacks
6. Types of DDoS Attacks
Volume-Based Attacks
Goal: To saturate the bandwidth of the attacked site. The magnitude of this type of attack is typically measured in bits per second.
Attack Includes:
• UDP Floods
• ICMP Floods
• Spoofed Packet Floods
7. Types of DDoS Attacks
Protocol Attacks
Goal: To consume the resources of either the servers or the intermediate communication equipment, such as routers, load balancers and/or firewalls. Protocol attacks are usually measured in packets per second.
Attack Includes:
• SYN Floods
• Fragmented Packet Attacks
• The Ping of Death
• Smurf DDoS
8. Types of DDoS Attacks
Application Layer Attacks
Goal: To exhaust or crash the web server or application itself rather than the network in front of it. Arguably the most dangerous form of DDoS attack, these attacks are often made up of seemingly legitimate and innocent requests and need far less bandwidth than a volumetric flood. Application layer attacks are often measured in requests per second.
Attack Includes:
• Slowloris
• Zero-day DDoS attacks
• DDoS attacks exploiting Apache, Windows or OpenBSD vulnerabilities
9. Types of DDoS Attacks
In Q1 of 2013, the Prolexic Global DDoS Attack Report gives the following breakdown of the types of attacks being carried out:
10. Types of DDoS Attacks
In Q1 of 2013, the Prolexic Global DDoS Attack Report gives the following breakdown of the types of attacks being carried out:
• SYN Flood – Spoofed SYN packets fill the connection tables of your servers
• ICMP Flood – ICMP packets overload servers and inbound bandwidth
• Non-Service Port Flood – TCP/UDP packets overload servers and inbound bandwidth on ports not being used for services (e.g., port 81)
• Service Port Flood – Packets overload servers and inbound bandwidth on ports being used for services (e.g., port 80)
• Fragmented Flood – Fragmented packets are sent to servers, which overload as they reassemble and process those packets
• HTTP GET Flood – HTTP GET requests flood servers and incoming bandwidth on in-use service ports, mimicking valid traffic
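A small model of what the SYN Flood bullet above describes, added here as an example and not taken from the presentation: a half-open (SYN-RECEIVED) connection table with a fixed capacity and SYN timer, spoofed sources that never answer the SYN/ACK, and legitimate clients that do. The class and function names (`HalfOpenTable`, `simulate`, `attack_bitrate`) and every capacity, timeout and packet rate are constructed illustrative values, not figures from the report the slide cites.

```python
"""Half-open (SYN-RECEIVED) connection table under a spoofed SYN flood.

Added example; not code from the original presentation. All capacities,
timeouts and packet rates are constructed illustrative values.
"""
from collections import OrderedDict


class HalfOpenTable:
    """Server-side table of connections waiting for the handshake's final ACK."""

    def __init__(self, capacity, timeout, syn_cookies=False):
        self.capacity = capacity          # max half-open entries (the SYN backlog)
        self.timeout = timeout            # seconds an unanswered SYN/ACK is kept
        self.syn_cookies = syn_cookies    # keep no state until the ACK arrives
        self.entries = OrderedDict()      # src -> expiry time, oldest first
        self.dropped = 0

    def _expire(self, now):
        # Entries are inserted in time order, so expired ones sit at the front.
        while self.entries and next(iter(self.entries.values())) <= now:
            self.entries.popitem(last=False)

    def syn(self, src, now):
        """Handle an inbound SYN at time `now`; True if a SYN/ACK is sent."""
        if self.syn_cookies:
            # State is encoded in the SYN/ACK sequence number, so there is no
            # table entry to exhaust; a real client's ACK reconstructs it.
            return True
        self._expire(now)
        if len(self.entries) >= self.capacity:
            self.dropped += 1             # table full: every new SYN is dropped
            return False
        self.entries[src] = now + self.timeout
        return True

    def ack(self, src):
        """Final ACK of a genuine handshake frees the half-open slot."""
        self.entries.pop(src, None)


def simulate(attack_pps, legit_cps, capacity, timeout, duration, syn_cookies=False):
    """Fraction of legitimate connection attempts that received a SYN/ACK."""
    table = HalfOpenTable(capacity, timeout, syn_cookies)
    legit_ok = legit_total = 0
    for t in range(duration):             # one tick per second
        # Spoofed sources never answer the SYN/ACK; their slots are only
        # released when the SYN timer expires.
        for i in range(attack_pps):
            table.syn(("spoofed", t, i), t)
        for j in range(legit_cps):
            src = ("client", t, j)
            legit_total += 1
            if table.syn(src, t):
                legit_ok += 1
                table.ack(src)            # real client completes the handshake
    return legit_ok / legit_total if legit_total else 1.0


def attack_bitrate(pps, frame_bytes=60):
    """Bits per second a SYN flood of `pps` minimal Ethernet frames uses on the wire."""
    return pps * frame_bytes * 8


if __name__ == "__main__":
    # 10 spoofed SYN/s against a 256-entry table with a 60 s timer: the table
    # fills after ~26 s and every later SYN, legitimate or not, is dropped.
    print("no cookies :", simulate(10, 5, 256, 60, 120))
    # Same flood, table sized above rate x timeout (10 x 60 = 600): never fills.
    print("big backlog:", simulate(10, 5, 1024, 60, 120))
    print("SYN cookies:", simulate(10, 5, 256, 60, 120, syn_cookies=True))
    print("attack uses", attack_bitrate(10), "bit/s")
```

The table is exhausted as soon as attack rate × SYN timeout exceeds its capacity, and the 10 SYN/s that does it in the first run is under 5 kbit/s of traffic. That is why protocol attacks are counted in packets per second rather than bits per second, and why SYN cookies (handshake state carried in the sequence number instead of a table) are the usual first mitigation on the server itself.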
11. How Is An Attack Launched?
• In order to launch a DDoS attack, attackers need between several hundred and several thousand compromised hosts.
  Hosts are usually Linux and Sun computers, but the tools can be ported to other platforms.
• Compromising a host and installing the tools is automated. The process can be divided into four steps:
1. Attackers initiate a scan phase
2. Identified vulnerable hosts are compromised
3. Tools are installed on each host
4. Compromised hosts are used for further scanning and compromising
12. How Is An Attack Controlled?
Using a command and control system, attackers create subordinate systems that can control the attacking machines.
• Attackers can compromise and install tools on a single host in under 5 seconds
• Several thousand hosts can be compromised in less than an hour
• Large attacks may have multiple subordinate control systems and thousands of bots
• Commands can be passed on to initiate and control attacking machines
13. The Origins of Attacks
Top 10 Attack Source Countries:
*Prolexic Global DDoS Attack Report, Q1 2013
14. What Motivates Attackers?
• Revenge against a company’s policies or practices
• Revenge against a company for something posted on social media
• Eliciting ransom money to stop the attack
• Ransoming bandwidth and availability
• Because they can
15. Are You A Target?
EVERY BUSINESS IS A TARGET.
Some, however, are more popular targets than others:
• Banks and financial institutions
• Consumer goods retailers
• Manufacturers
• Companies in the news
• Companies engaging in political, cultural or social hot-button issues, whether through comments in social media or day-to-day practices.
16. Know When You’re Under Attack
Key signs your business is under attack:
• Abnormally high or unexpected loads on websites
• “Service Unavailable” messages
• Abnormalities or unusual activity in website statistics
• Suspicious activity in log files
• Abnormally high bandwidth utilization
If your company is in the cloud, you could be affected when another company hosted by your provider is attacked. Selecting a provider with plenty of spare bandwidth can help absorb the attack traffic and limit the impact on your business.
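Two of the signs above, unexpected load and suspicious activity in log files, can be checked directly against web server logs. The script below is an added example for this page, not code from the presentation: it parses Apache/nginx "combined" access-log lines and applies two tests, a per-source request rate no browser would produce (the single-host GET flood) and an aggregate rate far above baseline to which no single source contributes much (the botnet pattern that per-IP limits miss). The function names, the thresholds (`per_ip_rps`, `baseline_rps`, `spike_factor`, the 10 s window) and the sample log lines, which use RFC 5737 documentation addresses, are all constructed for illustration.

```python
"""Spot an HTTP GET flood in web server access logs.

Added example; not code from the original presentation. Parses Apache/nginx
"combined" log lines and applies two checks: a per-source request rate that is
abnormally high, and an aggregate rate far above baseline that no single
source accounts for (the distributed case). Thresholds, window size and the
sample log lines are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields, or None for lines that are not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyze(lines, window_s=10, per_ip_rps=5.0, baseline_rps=2.0, spike_factor=10):
    """Bucket requests into fixed windows; flag noisy sources and distributed spikes."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    report = {"windows": [], "noisy_ips": set(), "distributed_windows": []}
    if not events:
        return report
    t0 = events[0]["ts"]
    buckets = defaultdict(Counter)         # window index -> Counter(ip -> requests)
    for e in events:
        buckets[int((e["ts"] - t0).total_seconds() // window_s)][e["ip"]] += 1
    for idx in sorted(buckets):
        counts = buckets[idx]
        rps = sum(counts.values()) / window_s
        # Check 1: a single source well above what a browser would generate.
        hot = {ip for ip, n in counts.items() if n / window_s > per_ip_rps}
        report["noisy_ips"] |= hot
        # Check 2: total load far above baseline while every source looks
        # individually harmless: the botnet pattern, invisible to per-IP limits.
        if rps > baseline_rps * spike_factor and not hot:
            report["distributed_windows"].append(idx)
        report["windows"].append(
            {"window": idx, "rps": rps, "sources": len(counts), "hot_ips": sorted(hot)}
        )
    return report


def make_sample_log():
    """Constructed lines: 10 s normal traffic, 10 s single-source flood, 10 s botnet flood."""
    fmt = ('{ip} - - [12/Mar/2013:12:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
           '200 512 "-" "{ua}"')
    lines = []
    for sec in range(0, 10):               # normal: one request per second
        lines.append(fmt.format(ip=f"192.0.2.{10 + sec}", sec=sec, path="/index.html", ua="Mozilla/5.0"))
    for sec in range(10, 20):              # one host sending 10 GETs per second
        lines.append(fmt.format(ip=f"192.0.2.{sec}", sec=sec, path="/index.html", ua="Mozilla/5.0"))
        lines += [fmt.format(ip="203.0.113.7", sec=sec, path="/", ua="python-requests/2.0")
                  for _ in range(10)]
    for sec in range(20, 30):              # 30 GETs per second, each from a different bot
        for k in range(30):
            n = (sec - 20) * 30 + k        # 0..299 distinct addresses (RFC 5737 ranges)
            ip = f"198.51.100.{n + 1}" if n < 254 else f"203.0.113.{n - 254 + 100}"
            lines.append(fmt.format(ip=ip, sec=sec, path="/search?q=a", ua="Mozilla/5.0"))
    return lines


if __name__ == "__main__":
    result = analyze(make_sample_log())
    for w in result["windows"]:
        print(f"window {w['window']}: {w['rps']:.0f} req/s from {w['sources']} sources, hot={w['hot_ips']}")
    print("noisy sources:", sorted(result["noisy_ips"]))
    print("distributed spike in windows:", result["distributed_windows"])
```

The `noisy_ips` set is what you would hand to the packet filters or null routes discussed under "What If I'm Attacked?"; the `distributed_windows` result is the case where blocking individual addresses will not help and upstream or mitigation-service capacity is needed. Note what this cannot see: a Slowloris-style attack never completes a request, so it leaves nothing in the access log and has to be found in connection counts or server status instead.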
17. Prepare Before An Attack
Create a plan before an attack:
• Know Your Vulnerabilities – What is happening internally that might make attackers aware of your presence?
• Increase Resiliency and Availability – Implement industry best practices for network infrastructure, applications, critical support services and DNS.
• Secure Potential Bottlenecks – Ensure systems are configured correctly.
• Watch Your Systems and Network – Use automated tools to monitor and alert on suspicious activity.
• Small Attacks Happen, Too – Nearly 50% of attacks are less than 5 Gbps, and 25% are 1 Gbps or less.
• Beware of Application Attacks – These are much harder to recognize than network layer attacks.
18. Prepare Before An Attack
Create a plan before an attack, cont.:
• Beware Blended Attacks – Attackers are increasingly combining network and application layer attacks.
• Look for Suspicious Activity – Be aware of the possibility of other suspicious activity, like social engineering, during an attack. Sometimes DDoS is used as a distraction.
• Make Friends Upstream – Your ISP can help identify and mitigate attacks. Work with them to implement strategies that can help both before and during an attack.
• Sign Up For DoS/DDoS Mitigation Services – Consider signing up for a DoS/DDoS mitigation service, like those provided by AT&T, Verisign, Arbor Networks and Prolexic.
19. What If I’m Attacked?
Your response to an attack is dependent upon what type of attack is being waged. Initial steps should include:
• Block the attack with packet filters on your routers. If possible, do this at the border of your network or through your ISP.
• Null route, or blackhole, the IP address being attacked on your border routers or on your ISP’s border routers. This will effectively shut down the service attached to that IP address, but it can keep your other systems online and available.
• Use Anycast and Multicast Source Discovery Protocol (MSDP) if your company has websites co-hosted at several locations.
20. DDoS In The News
Independent Newspapers – Received attack following the publishing of an article
in support of Zimbabwean President Robert Mugabe.
The Spamhaus Project – Spam crusaders have been battling massive DDoS attacks
that have reportedly resulted in a slowdown of the entire Web.
Attacks on U.S. Banks – An Islamic group launched a third wave of high-powered
DDoS attacks against U.S. banks in March 2013 and is reportedly targeting other
financial institutions.
The whole point of a Denial of Service (DoS) attack is to deny your legitimate users access to those resources.
The process of compromising a host and installing the tool is automated. It can be divided into these steps, in which the attackers:
1. Initiate a scan phase in which a large number of hosts (on the order of 100,000 or more) are probed for a known vulnerability.
2. Compromise the vulnerable hosts to gain access.
3. Install the tool on each host.
4. Use the compromised hosts for further scanning and compromises.
Because an automated process is used, attackers can compromise and install the tool on a single host in under five seconds. In other words, several thousand hosts can be compromised in under an hour. In essence, the attacker, using a command and control system, may create subordinate systems that can control the attacking machines. Very large attacks may have multiple subordinate control systems and hundreds or thousands of bots that will actually be the originating attacking machines. Commands can be passed along to initiate and control the attacking machines, thus denying access to your resources.
According to the Prolexic Global DDoS Attack Report, Q1 2013: The top 10 Attack Source Countries are
Attackers can be motivated by any number of reasons:
• Revenge against your company for some policy you may have
• Revenge against your company for something that your company posted on a social media site
• Damaging your business to elicit payment from you to stop the attack
• Ransoming your bandwidth and availability: if you pay them off, they will stop the attack
• Sometimes it is just BECAUSE THEY CAN!
Just about every type of business can be a target, and most likely have been in some fashion over the course of the last 10 years or so. Some of the favorite targets are:
• Banks and other financial institutions
• Consumer goods retailers and manufacturers
• Companies that are in the news
• Companies that have just made someone or some group mad because of their policies, comments in social media or any number of other reasons
How do you know you are being attacked?
• Regularly monitor your website performance. If loads are abnormally high and unexpected, you may be under attack.
• You may start seeing “Service Unavailable” messages, which might indicate that your services are heavily loaded.
• Pay attention to your web statistics, reviewing them for anomalies that might indicate unusual activity.
• Check your log files for suspicious activity.
• Monitor bandwidth utilization to identify potential attack activity.
Attacks are cheap to launch and expensive to combat!
Independent Newspapers has confirmed a report that it has come under a cyber attack. The online division, IOL, was offline on Wednesday amid reports that it had sustained a DDoS attack for publishing an article in support of Zimbabwean president Robert Mugabe.
Distributed denial-of-service (DDoS) attacks that could be related have … slammed the DNS servers of at least three providers of domain name management and DNS hosting services. DNSimple, easyDNS and TPP Wholesale all reported temporary DNS service outages and degradation on Monday, citing DDoS attacks as the reason.
Spam crusaders The Spamhaus Project have been battling massive distributed denial of service (DDoS) attacks that have reportedly resulted in a slowdown of the entire Web.
An Islamic group that launched a third wave of high-powered distributed denial-of-service (DDoS) attacks against U.S. banks in March has started targeting other financial organizations, including credit card companies and financial brokerages, security experts say.