Defending Against DDoS Attacks
December 2012
v1.3 13.9.11
Agenda
Introduction
What is a DDoS Attack
Change to Threat Landscape
Impact to Conventional Thinking
Defensive Approaches
Q&A
Introduction
Jason L. Stradley
Currently a Principal Security Consultant with BT US / C Security Practice Lead
Provides C-level advisory to Fortune 500 clients
25+ year IT veteran
Published author
Specialties: IT Security & Risk Management, Architecture, Governance & Compliance
Protocol abuse/misuse
Motivations
Political
Radical / fringe groups employ DDoS attacks to make their positions known by attacking organizations
Financial
Criminal enterprises have been able to shut down commerce sites, resulting in revenue loss and client loss
Used as a smoke screen for electronic fraud and theft
Used for extortion
Organization
Hierarchical cyber crime business models and the amalgamation of traditional crime with new technology
Sophistication
Quantum leaps in tool development, tactics, and methods
Paradigm Shift
Successfully defending against DDoS attacks requires exerting control as far upstream as possible
Defensive Approaches
Defensive Strategies
Conceptual methods of approaching DDoS defense
Distribute the target
Broaden the target surface
Avoid the onslaught of bandwidth: turn a laser into a lamp
Works well for simple web applications or the web front ends of a multi-tiered architecture. Does not work well with complex applications.
Success is directly related to proximity to the attack source: the further upstream, the better
Solution Considerations
Scalability
Flexibility
Globalization
Elasticity
[Diagram: Internet -> (Primary) Service Provider -> Co/Lo, Co/Lo -> DC1, DC2]
Greater control over more expensive WAN links by utilizing a lower-cost co-located LAN. Service-provider specific, with limited scalability.
[Diagram: Internet -> POP (Asia) x6 -> Global MPLS -> DC x4]
Highly distributed points of presence permitting localized access to internet-based systems, spreading load and access geographically
Global MPLS: application-specific QoS and traffic shaping across segmented VPN connections, permitting increased granularity of control and extension of the environment
Provides for scalability of internet capabilities geographically, but requires one or more specific provider relationships
Solution Scenarios
Common Threads
Development of aggregation and control points to support appropriate upstream filtering
A harmonized application of security best practices to the DDoS defenses optimizes layered controls throughout
Apply the appropriate defensive measures based on the value of the organization's internet presence
A DDoS response capability consisting of specific processes and procedures
A point of coordination for the deployment and operation of defensive measures
The need to conduct response, recovery and restoration exercises and appropriate post-mortem analysis of exercise results; incorporate lessons learned back into the process
Conclusions
Educate the organization on the shift in the nature of this threat and the inevitability of an attack
Ensure that the organization understands and can articulate the role and value of its internet presence
Harmonize the deployment of layered defensive capabilities
Q&A