DDoS Survival

Source Presentation

Presented at the (ISC)2 Twin Cities Area Chapter October 2013 Meeting on October 18, 2013 by Matthew J. Harmon and Phil Reno.

What Is DDoS?

Distributed Denial of Service, also called plain Denial of Service or Resource Exhaustion: overwhelming a target with more traffic or requests than its network, servers, or applications can absorb. The practice originated on IRC. Today it is used as a form of protest and for financial gain.

Recent News

“Anonymous,” AntiSec, and LulzSec were making headlines. DDoS was also being used for fraud as part of larger bank heists. The itsoknoproblembro DDoS tool was deployed against Bank of America, Chase, PNC, and others. References: scmagazine.com and infosecurity-magazine.com.

itsoknoproblembro: PHP Injection + JS = Browser Botnet

This attack combined PHP injection with JavaScript to create a browser botnet. Skill needed: high – a motivated attacker. The technique was further demonstrated by Jeremiah Grossman and Matt Johansen at BlackHat 2013. Hijack an advertising network, Akamai, or any other similar service and you have a Million Browser Botnet.

Latest DDoS Numbers

Attack volumes were tracked by Arbor Networks’ Q3 findings from ATLAS: arbornetworks.com/corporate/blog/5025-q3-findings-from-atlas.

Purpose of DDoS Attacks

  • Revenge
  • Demonstration of Power (botnet rental)
  • Criminals (extortion)
  • Espionage or competition
  • Political (protest)

Threat Sources

  • Competitor
  • Industrial Espionage
  • Organized Crime
  • Radical or Civil Activist
  • Government Cyberwarrior
  • Insider or Employee (reckless, untrained)
  • Good Publicity (the “Slashdot Effect”)

The OSI Model and DDoS

Attacks map across the OSI layers, analogous to the postal system:

  • Application: Package/letter contents (HTTP, DNS, SMTP)
  • Transport: Certified Return Receipt (TCP) or Bulk (UDP)
  • Network: Source and Destination and ICMP
  • Data Link: Address Resolution Protocol (ARP)

XOIC and LOIC (Low Orbit Ion Cannons)

Skill needed: low – script kiddie with botnet amplification. These tools are easy to obtain and operate, making volumetric attacks accessible to unsophisticated attackers.

Good Publicity / Slashdot Effect

Complexity: none; this is the “Slashdot Effect.” Skill needed: a “Killer App” or service that draws massive organic traffic. Impact: system instability, system overload, pipes full. Solution: scale up and deploy a Content Distribution Network (CDN).

Attacks: TCP + SSL

Complexity: easy. Skill needed: low – script kiddie with botnet amplification. SSL handshakes cost the attacker CPU as well, but the impact includes exhausting the router/firewall NAT table, upstream network capacity, and physical port capacity.

Attacks: HTTP

Complexity: moderate. Skill needed: low/moderate – a motivated attacker with intelligence. Impact targets the web server and kernel/operating system. Specific techniques include the Chunked Header Attack (affecting Apache, NGINX, IIS) and Slowloris memory exhaustion (affecting all web servers).
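The Slowloris family works by holding a worker slot open while feeding the server partial request headers, so the defensive detail that matters is which clock the server's timeout uses. The model below is an added example, not code from the slides or from any web server project: a toy worker pool that can be configured with no timeout, an idle timeout (reset by every byte, which a trickling client defeats), or a bound on the total time allowed to finish the headers (the approach Apache's mod_reqtimeout takes for the header stage). Slot count, timings and the event list are constructed.

```python
"""
Toy model of a web server's worker pool facing slow, never-finishing requests.

Added example: shows why the timeout that defeats Slowloris-style slot
exhaustion must bound the total time a client may take to finish its request
headers, not the idle time between bytes. Times are in seconds; the event
list is constructed.
"""
from dataclasses import dataclass


@dataclass
class Conn:
    cid: str
    opened: float
    last_activity: float


class WorkerPool:
    """Fixed number of worker slots, each held from connection open until the
    request headers are complete (the resource a Slowloris client ties up)."""

    def __init__(self, slots, timeout=None, policy="total"):
        self.slots = slots
        self.timeout = timeout   # seconds; None disables eviction entirely
        self.policy = policy     # "idle": clock since last byte; "total": since open
        self.active = {}
        self.served, self.rejected, self.evicted = [], [], []

    def _expire(self, now):
        """Drop connections whose header phase has exceeded the timeout."""
        if self.timeout is None:
            return
        for cid, c in list(self.active.items()):
            ref = c.last_activity if self.policy == "idle" else c.opened
            if now - ref > self.timeout:
                self.evicted.append(cid)
                del self.active[cid]

    def open(self, cid, now):
        self._expire(now)
        if len(self.active) >= self.slots:
            self.rejected.append(cid)   # no free worker: a legitimate user stalls
            return False
        self.active[cid] = Conn(cid, now, now)
        return True

    def trickle(self, cid, now):
        """A fragment of a header line arrives: resets only the idle clock."""
        self._expire(now)
        if cid in self.active:
            self.active[cid].last_activity = now

    def complete(self, cid, now):
        """Full request headers received: the slot is freed for the next client."""
        self._expire(now)
        if self.active.pop(cid, None) is None:
            return False
        self.served.append(cid)
        return True


SLOTS = 8
# Constructed scenario: SLOTS clients open at t=0 and send one header fragment
# every 3 s without ever completing; one legitimate client arrives at t=10.
EVENTS = [(0.0, "open", f"slow-{i}") for i in range(SLOTS)]
for t in (3.0, 6.0, 9.0):
    EVENTS += [(t, "trickle", f"slow-{i}") for i in range(SLOTS)]
EVENTS += [(10.0, "open", "legit-1"), (10.2, "complete", "legit-1")]


def run(events, slots=SLOTS, timeout=None, policy="total"):
    """Replay the events in time order against one pool configuration."""
    pool = WorkerPool(slots, timeout, policy)
    for t, action, cid in sorted(events):
        if action == "open":
            pool.open(cid, t)
        elif action == "trickle":
            pool.trickle(cid, t)
        elif action == "complete":
            pool.complete(cid, t)
    return pool


if __name__ == "__main__":
    for label, kw in (("no timeout", {}),
                      ("5 s idle timeout", {"timeout": 5.0, "policy": "idle"}),
                      ("5 s total header deadline", {"timeout": 5.0, "policy": "total"})):
        p = run(EVENTS, **kw)
        print(f"{label:26} served={p.served} rejected={p.rejected} evicted={len(p.evicted)}")
```

With no timeout and with a 5 s idle timeout the eight slow connections keep every slot (a fragment every 3 s keeps the idle clock under 5 s) and the legitimate client is turned away; with a 5 s bound on total header time they are evicted at the 6 s mark and the legitimate request is served. When tuning a real server, set that bound well below the time the pool takes to fill at the observed connection rate, and pair it with a cap on concurrent connections per source address.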

Attacks: ICMP, UDP, TCP

Complexity: easy. Skill needed: low – script kiddie with botnet amplification. Impact includes router/firewall NAT table exhaustion, upstream network capacity saturation, and physical port capacity limits. Examples: ping -f, LOIC, XOIC.
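For the volumetric attacks in this section the first operational question is not "is this an attack" but "how many sources, and is the pipe filling": a flood from one or two sources can be dropped with an ACL, while one from hundreds of sources needs the upstream or scrubbing options discussed later. The detector below is an added example written for this page, not code from the slides or from any vendor tool; it summarises flow records per destination in one-second windows and flags a SYN flood (bare SYNs with almost no completed handshakes) and an ICMP or UDP flood. The record format, thresholds and sample traffic are all constructed.

```python
"""
Windowed flood detector over flow records (added example, constructed data).

Summarises per-destination traffic in one-second windows and flags two of
the patterns listed above: a TCP SYN flood and an ICMP/UDP packet flood.
The distinct-source count tells the responder whether a source ACL will do
or whether upstream scrubbing / a null route is the only option.
"""
from collections import defaultdict

# Assumed tuning: packets per window above which a destination counts as flooded
SYN_PPS, ICMP_PPS, UDP_PPS = 1000, 5000, 5000
SYN_RATIO = 0.8   # share of TCP packets that are bare SYNs (no data ever follows)


def build_flows():
    """Constructed records: (timestamp_s, src_ip, dst_ip, proto, tcp_flags, packets)."""
    flows = []
    dst = "203.0.113.10"
    # Window 0: ordinary web traffic, one SYN then data from each of ten clients
    for i in range(10):
        flows.append((0.1 * i, f"192.0.2.{i}", dst, "tcp", "S", 1))
        flows.append((0.1 * i + 0.05, f"192.0.2.{i}", dst, "tcp", "A", 200))
    # Window 5: bare SYNs from fifty sources, no handshake ever completes
    for i in range(50):
        flows.append((5.0 + 0.01 * i, f"198.51.100.{i}", dst, "tcp", "S", 40))
    # Window 7: ICMP echo flood (ping -f style) from four sources
    for i in range(4):
        flows.append((7.2 + 0.1 * i, f"198.51.100.{200 + i}", dst, "icmp", "", 2000))
    return flows


def alert(window, dst, kind, pps, srcs):
    return {"window": window, "dst": dst, "kind": kind, "pps": pps,
            "sources": len(srcs),
            # a handful of sources can be ACLed; tens or hundreds need upstream help
            "distributed": len(srcs) >= 20}


def detect(flows, window=1.0):
    """Return one alert per (window, destination, kind) that crosses a threshold."""
    stats = defaultdict(lambda: {"syn": 0, "tcp": 0, "icmp": 0, "udp": 0, "srcs": set()})
    for ts, src, dst, proto, flags, pkts in flows:
        s = stats[(int(ts // window), dst)]
        s["srcs"].add(src)
        if proto == "tcp":
            s["tcp"] += pkts
            if flags == "S":
                s["syn"] += pkts
        elif proto in ("icmp", "udp"):
            s[proto] += pkts

    alerts = []
    for (w, dst), s in sorted(stats.items()):
        if s["syn"] > SYN_PPS and s["syn"] / s["tcp"] > SYN_RATIO:
            alerts.append(alert(w, dst, "syn_flood", s["syn"], s["srcs"]))
        if s["icmp"] > ICMP_PPS:
            alerts.append(alert(w, dst, "icmp_flood", s["icmp"], s["srcs"]))
        if s["udp"] > UDP_PPS:
            alerts.append(alert(w, dst, "udp_flood", s["udp"], s["srcs"]))
    return alerts


if __name__ == "__main__":
    for a in detect(build_flows()):
        print(a)
```

The SYN ratio matters because a busy but healthy server also sees thousands of SYNs per second; what distinguishes the flood is that the SYNs are never followed by data. In production the same logic runs over NetFlow/sFlow exports from the edge router, which is also where a null route or an upstream scrubbing request would be triggered from.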

Risk Transference

  • Content Distribution Network (CDN)
  • Cloud Hosted Front End (Linode, Digital Ocean, Rackspace)
  • CDN + Anti-DDoS (CloudFlare)

Mitigation Strategies

  • Risk Transference (“somebody else’s problem”)
  • Null Routing with BGP
  • Bigger Pipes
  • Application / Network Tweaks

DDoS Defense Architecture: Four Approaches

  1. ISP – including AT&T, Verizon, Century Link, Time-Warner (possibly others)
  2. Cloud SOC, single IP or website via Proxy/DNS Redirect – services like Cloudflare, Neustar, Akamai KONA
  3. Cloud SOC, able to do entire subnet – Prolexic, Radware, Arbor, Imperva
  4. In House / Homegrown

DDoS Defense Architecture: ISP

The ISP manages and maintains equipment; some ISPs offer dedicated services and shared services.

Pros: Protects against volumetric and resource exhaustive attacks. Scrubbing before your circuit. Knowledgeable staff with lots of practice mitigating other customers getting attacked. 24/7 monitoring with fast SLAs. Affordable (depending on ISP) – seen as a value add for existing circuit customers. Extended view – like having a sniffer on the edge of the internet.

Cons: Scrubbing at the edge means bad traffic originating inside the ISP may get through (more scrubbers = more cost). Scrubbing at the core is easier to size correctly than scrubbing at every edge, but the combined throughput of the peering routers may exceed the core scrubbing capacity.

DDoS Defense Architecture: Cloud SOC Proxy/DNS

A cloud provider that relies on you changing DNS records to point traffic at the provider, typically used to protect a single URL.

Pros: Affordable – typically low monthly cost to retain service with increases during an event. Great for websites running in the cloud with little supporting infrastructure. Knowledgeable staff with lots of practice when other customers get attacked.

Cons: They are not actively monitoring your traffic because they cannot see it until you redirect your A records. Your origin IP is still open to attack, so this really only works when the attack is aimed at your URL rather than at your address. Not scalable for entire subnets; does not protect your circuit.
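The "origin IP is still open to attack" point is one you can check for yourself. The script below is an added example, not code from the slides or from any provider: given the ingress ranges a proxy/CDN publishes, it audits a sample of connections the origin accepted on its web ports and reports any that arrived directly rather than through the proxy (evidence the origin address is known to someone other than the CDN), then renders host-firewall rules that accept those ports only from the proxy ranges. The CIDR ranges and the connection sample are constructed placeholders, not a real vendor's list.

```python
"""
Origin-exposure audit behind a DNS-redirect proxy/CDN (added example).

Constructed data throughout: the ranges stand in for whatever list the
provider publishes, and the connection sample stands in for the origin's
accept log or connection table.
"""
import ipaddress
from collections import Counter

# Constructed placeholders for the proxy's published ingress ranges
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")]

# Constructed sample of connections the origin accepted: (source_ip, dest_port)
ORIGIN_CONNS = [
    ("203.0.113.12", 443), ("203.0.113.40", 443), ("203.0.113.12", 80),
    ("2001:db8:1::9", 443), ("203.0.113.77", 443),
    ("198.51.100.7", 443), ("198.51.100.7", 443), ("198.51.100.7", 80),
    ("192.0.2.200", 22),
]


def from_cdn(src, ranges=CDN_RANGES):
    """True when the source address falls inside one of the proxy's ranges."""
    ip = ipaddress.ip_address(src)
    return any(ip.version == net.version and ip in net for net in ranges)


def audit(conns, ranges=CDN_RANGES, web_ports=(80, 443)):
    """Split web-port connections into via-proxy and direct-to-origin.

    Any direct hit means the origin address has leaked (old DNS records,
    certificate transparency, mail headers, ...) and can be attacked around
    the proxy; management ports such as SSH are out of scope here."""
    via_cdn = 0
    direct = Counter()
    for src, dport in conns:
        if dport not in web_ports:
            continue
        if from_cdn(src, ranges):
            via_cdn += 1
        else:
            direct[src] += 1
    return {"via_cdn": via_cdn, "direct": dict(direct), "exposed": bool(direct)}


def allowlist_rules(ranges=CDN_RANGES, web_ports=(80, 443)):
    """Render host-firewall rules accepting the web ports only from the proxy.

    iptables/ip6tables syntax is used for illustration; adapt to your firewall."""
    rules = []
    for net in ranges:
        tool = "iptables" if net.version == 4 else "ip6tables"
        for port in web_ports:
            rules.append(f"{tool} -A INPUT -s {net} -p tcp --dport {port} -j ACCEPT")
    for port in web_ports:
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
        rules.append(f"ip6tables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    print(audit(ORIGIN_CONNS))
    print("\n".join(allowlist_rules()))
```

Two caveats the slides' Cons imply: the allowlist stops the origin from answering attackers directly and makes bypass attempts visible in the firewall counters, but it does nothing for the circuit, which still fills if the attacker sends packets at the origin address; and the proxy's published ranges change, so the rule set has to be regenerated from the current list rather than hand-maintained.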

DDoS Defense Architecture: Full Service

Similar to ISP, this service provider puts a collection device in front of your firewall and uses BGP injection to route your traffic to their cloud during an event.

Pros: Protects against volumetric and resource exhaustive attacks. Scrubbing before your circuit. Knowledgeable staff. 24/7 monitoring with fast SLAs.

Cons: More hops – scrubbers are not located inline with your ISP, so more hops exist between you and the scrubbers. Not all are created equal – some say they are a full SOC in the cloud but really only offer one-to-one IP scrubbing (Proxy/DNS types). Make sure you are asking a lot of questions and bring in more than one vendor to compare.

Questions to Ask Your DDoS Provider

  • Definitely drill into their cost structure
  • Know what their capabilities are for mitigation – do they do more than just signatures? Can they mitigate HTTP, FTP, DNS, or VoIP based attacks?
  • Understand the exact process they use from DDoS event start to finish
  • Will they start scrubbing just because you are concerned?
  • Did they build their own solution or are they using a known vendor partner?
  • What kind of training does their staff get? Do they perform fire drills?
  • How many customers do they have?
  • How frequently are they running mitigations?
  • What are the SLAs?
  • How long will they leave your traffic in a scrubber?
  • What are you doing for DDoS protection against yourself? (for data centers)

Start Planning Today

Load-test your applications before an incident. Have both a normal configuration and a during-attack configuration ready to deploy.

Be Ready to Scale

Automation tools for scaling infrastructure:


Presented by Matthew J. Harmon and Phil Reno. (ISC)2 Twin Cities Area Chapter: isc2tc.org, @isc2tc on Twitter, (ISC)2 Twin Cities Area Chapter on LinkedIn. Licensed under Creative Commons Attribution-NonCommercial 3.0 Unported License.