
Defending Against DDoS Attacks

December, 2012

v1.3 13.9.11

Agenda

Introduction
What is a DDoS Attack
Change to Threat Landscape
Impact to Conventional Thinking
Defensive Approaches
Q&A


Introduction


Introduction

Jason L. Stradley
Currently a Principal Security Consultant with BT US / C Security Practice Lead
Provides C-Level Advisory to Fortune 500 Clients
25+ Year IT Veteran
Published Author
Specialties: IT Security & Risk Management, Architecture, Governance & Compliance
Developed and operated soup-to-nuts information security programs for multiple multi-national enterprise environments


What is a DDoS Attack


What exactly is a DDoS attack?

A DDoS attack is an attempt to deny service to a network or system through one of three basic techniques:
Bandwidth exhaustion
Exhaustion of other resources, such as memory, session count, encryption key exchange requests, and so on
Protocol abuse/misuse

It attempts to render a system or network (the target) unavailable to intended users for its intended use
It coordinates the activities of multiple systems to flood a target and effectively shut that target down


Motivations

Political
Radical / fringe groups employ DDoS attacks to make their positions known by attacking organizations
Examples: WikiLeaks, November 2010; US Banks, October 2012

Financial
Criminal enterprises have been able to shut down commerce sites, resulting in revenue loss and client loss
Used as a smoke screen for electronic fraud and theft
Used for extortion


Change to the Threat Landscape


Threat Landscape Shift

Frequency and severity of attacks are increasing
Between Jan 2010 and Dec 2011 attacks are up more than 22%, according to Trustwave
That trend seems to be holding steady in 2012

Four primary factors contribute to today's increased threat environment:
Organization: hierarchical cyber crime business models and the amalgamation of traditional crime with new technology
Sophistication: quantum leaps in tool development, tactics, and methods
Complexity: increased technical domain complexity and interactions at multiple levels, creating layers of abstraction that in turn create a form of camouflage
Social networking: the blending of business and Internet services (Facebook, Twitter, Google, etc.)

Threat Landscape Shift

Black Hats have adopted current technologies such as software as a service (SaaS)
Established "Hacker for Hire" scenario
Attackers don't require technical expertise, just money
Using large numbers of compromised computers under centralized control, anyone can attack anybody at any time


Impact to Conventional Thinking


Paradigm Shift

The initial response of a first-time victim to an attack is to increase the capacity of its Internet pipes
This is a poor approach: it is not sustainable, because the attacker's aggregate bandwidth can always be grown faster than the victim's links
Typical security controls are placed close to the assets being protected
Successfully defending against DDoS attacks requires exerting control as far upstream as possible


Defensive Approaches


Defensive Strategies

Conceptual methods of approaching DDoS defense

Distribute the target
Broaden the target surface to avoid the onslaught of bandwidth: turn a laser into a lamp
Works well for simple web applications or web front ends of a multi-tiered architecture; does not work well with complex applications

Distribute the load
Creation of multiple ingress points combined with large aggregated bandwidth
Success is dependent on the level and granularity of control at the ingress points
Examples: caching services, overlay networks and co-location scenarios

Filter the load
Based on filtering the unwanted elements out of a given traffic stream
The most dominant solution, prevalent in almost all successful DDoS defense strategies
Success is directly related to proximity to the attack source: the further upstream, the better
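The "filter the load" strategy above depends on being able to describe the unwanted traffic in a form an upstream filtering point can carry. The following added example (it is not from the slide deck and not BT's tooling) shows the defender-side accounting step: it parses a few constructed flow-style records, counts flows per source inside a time window, flags sources above a threshold, and collapses flagged sources that share a /24 into one prefix entry. The record format, the thresholds, and the addresses (drawn from the RFC 5737 documentation ranges) are all assumptions made for the illustration; the prefix collapse shows the trade-off the slide alludes to, namely that a filter applied further upstream is coarser and therefore may also drop some legitimate neighbours of the attacking hosts.

```python
"""Added example: per-source flow accounting that yields a candidate filter list
for an upstream filtering point.  Not from the original slide deck; the record
format, thresholds and sample addresses are assumptions for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow-style records: "epoch_seconds src_ip dst_ip bytes packets".
# Three sources in 203.0.113.0/24 send many tiny flows at the web front end
# 198.51.100.5; two ordinary clients in 192.0.2.0/24 send normal-sized flows.
SAMPLE_FLOWS = """\
1000 203.0.113.10 198.51.100.5 60 1
1000 203.0.113.11 198.51.100.5 60 1
1001 203.0.113.10 198.51.100.5 60 1
1001 203.0.113.12 198.51.100.5 60 1
1001 192.0.2.7 198.51.100.5 4200 6
1002 203.0.113.10 198.51.100.5 60 1
1002 203.0.113.11 198.51.100.5 60 1
1002 203.0.113.12 198.51.100.5 60 1
1003 192.0.2.8 198.51.100.5 3100 4
1003 203.0.113.10 198.51.100.5 60 1
1003 203.0.113.11 198.51.100.5 60 1
1003 203.0.113.12 198.51.100.5 60 1
"""


def parse_flows(text):
    """Parse flow records into dicts.  Malformed lines are skipped rather than
    raising, because an attack is exactly when the collector sees odd input."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, nbytes, pkts = parts
        try:
            flows.append({
                "ts": int(ts),
                "src": str(ip_address(src)),   # validates the address
                "dst": str(ip_address(dst)),
                "bytes": int(nbytes),
                "packets": int(pkts),
            })
        except ValueError:
            continue
    return flows


def flows_per_source(flows, window_end, window_seconds):
    """Count flows per source address with a timestamp inside
    [window_end - window_seconds, window_end]."""
    start = window_end - window_seconds
    counts = defaultdict(int)
    for f in flows:
        if start <= f["ts"] <= window_end:
            counts[f["src"]] += 1
    return dict(counts)


def candidate_filters(counts, flow_threshold, prefix_len=24, min_sources=3):
    """Return the sorted list of filter entries an upstream point could apply.
    Sources at or above flow_threshold are flagged; when at least min_sources
    flagged addresses fall inside one /prefix_len they collapse into a single
    prefix entry, which is the granularity a provider-side filter typically
    carries (coarser, so it may also catch legitimate neighbours)."""
    flagged = [src for src, n in counts.items() if n >= flow_threshold]
    by_prefix = defaultdict(list)
    for src in flagged:
        net = ip_network(f"{src}/{prefix_len}", strict=False)
        by_prefix[net].append(src)
    entries = []
    for net, members in by_prefix.items():
        if len(members) >= min_sources:
            entries.append(str(net))
        else:
            entries.extend(members)
    return sorted(entries)


def analyse(text, window_end=1003, window_seconds=5, flow_threshold=3):
    """End-to-end: records -> per-source counts -> candidate filter list."""
    counts = flows_per_source(parse_flows(text), window_end, window_seconds)
    return candidate_filters(counts, flow_threshold)


if __name__ == "__main__":
    print(analyse(SAMPLE_FLOWS))   # ['203.0.113.0/24']
```

In practice the flow_threshold would be set from a baseline of normal traffic rather than a fixed number, and the resulting entries would be handed to whatever upstream control the provider offers; the point the example makes is that the filter list, not the extra bandwidth, is the deliverable of the defence.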


Solution Considerations

Assumed desired characteristics

Scalability

Flexibility

Globalization

Elasticity


Solution Scenario: Provider Co-Location Scenario

[Diagram: Internet, (Primary) Service Provider, two Co/Lo sites, DC1, DC2]

Greater control over more expensive WAN links by utilizing lower cost co-located LAN
Service provider specific, with limited scalability
Limited geo-location flexibility


Solution Scenario: MPLS / Global Internet Overlay

[Diagram: Internet, six POPs (labelled Asia), Global MPLS, four DCs]

Highly distributed points of presence permitting localized access to Internet-based systems, spreading load and access geographically
Application-specific QoS and traffic shaping across segmented VPN connections, permitting increased granularity of control and extension of the environment
Provides for geographic scalability of Internet capabilities, but requires one or more specific provider relationships


Solution Scenario: Cloud Network DDoS Service


Solution Scenario: Cloud Application


Solution Scenarios

Common Threads
Development of aggregation and control points to support appropriate upstream filtering
A harmonized application of security best practices to the DDoS defenses optimizes layered controls throughout
Apply the appropriate defensive measures based on the value of the organization's Internet presence
A DDoS response capability consisting of specific processes and procedures
A point of coordination for the deployment and operation of defensive measures
The need to conduct response, recovery and restoration exercises and appropriate post-mortem analysis of exercise results, incorporating lessons learned back into the process

Sounds a lot like DR!


Conclusions


Conclusions

Educate the organization on the shift in the nature of this threat and the inevitability of an attack
Ensure that the organization understands and can articulate the role and value of its Internet presence
Harmonize the deployment of layered defensive capabilities
DDoS response coordinator?
Develop a response process and exercise program, very similar to the DR approach
Borrow from existing DR / IR programs
Develop technical defensive capabilities that utilize upstream filtering as a primary component


Q&A


Thank You jason.stradley@bt.com
