The Anatomy of a DDoS Attack


DDoS Attacks: The Latest Threat to Availability
The Anatomy of a DDoS Attack
© Sombers Associates, Inc. 2013
What is a Distributed Denial of Service Attack?
• An attempt to make an Internet service unavailable to its users.
• The victim machine is saturated with external traffic.
• The victim machine:
- can't respond to legitimate traffic, or
- is so slow as to be essentially unavailable.
• The attack's source addresses are spoofed or spread across thousands of hosts:
- the victim can't simply block traffic from a known source.
• Constitutes a criminal offense in most jurisdictions.
What is a Distributed Denial of Service Attack?
• Most malware does not directly threaten availability:
- it is aimed at stealing personal information and other data.
• DDoS attacks are a major threat to availability.
• They have been used to take down major sites for days.
• They are easy to launch and difficult to defend against.
• Motives for DDoS attacks include:
- revenge
- competitive advantage
- political or ideological protest (hacktivism)
How Can So Much Traffic Be Generated?
By Botnets
• Typical attacks generate about 10 gigabits/sec. of malicious traffic.
- One PC can generate about one megabit/sec. of traffic.
- It takes about 10,000 PCs to generate 10 gigabits/sec. of traffic.
- This is a botnet.
• A botnet is a collection of computers:
- whose security defenses have been breached, and
- whose control has been ceded to a third party, the bot master.
• The bot master directs the activities of the compromised computers
(typically over a command-and-control channel the bots connect to).
How Can So Much Traffic Be Generated?
By Botnets
• More recently, servers have been recruited into botnets.
• A large server can generate a gigabit/sec. of malicious traffic:
- one thousand times that of a PC.
• Ten large servers can generate as much traffic as 10,000 PCs.
• Servers are typically compromised through vulnerabilities in exposed network
services and web applications rather than through phishing.
• The latest attacks have generated 100 gigabits/sec. of malicious traffic:
- a combination of infected PCs and servers.
The Anatomy of a DDoS Attack
• DDoS attackers depend upon infecting thousands of PCs.
• A typical infection sequence is:
- a user succumbs to a phishing attack (opens a malicious email
attachment or visits a malicious web site).
- a Trojan is installed on the machine, which opens a "back door."
- a bot payload is loaded onto the PC through the back door.
- the bot establishes a connection to the bot master's command-and-control
server and waits for instructions.
Phishing
• Phishing masquerades as a trusted entity in an electronic communication:
– email, web site.
• Designed to obtain sensitive information such as account numbers and SSNs by:
- tricking users into responding to an email.
- leading users to a spoofed web site that looks real.
• Emails can also carry malicious executables or point to malicious web sites.
• Malicious executables or malicious web sites can infect the PC:
- used to install a Trojan that creates a back door into the PC.
• User training: send employees simulated phishing messages that lead to a
web site informing them that they have been lured.
Trojans
• A Trojan creates a "back door" allowing unauthorized access to the
target computer.
• Its main purpose is to open the host system to access from the Internet.
• Installed via malicious emails or downloaded Internet applications.
• Consequences:
- remote control of the computer (botnets).
- also keystroke logging, data theft, installation of other malware.
The BYOD Conundrum
• Bring Your Own Device (BYOD) policies create new gateways into corporate
networks:
- Employees using smart phones, tablets, notebook computers.
- Conducting their work at home or on the road.
- Connecting from outside the corporate firewall to servers and databases.
• Malware can gain access to a company's network by infecting these devices.
• Mobile malware is becoming a greater threat than direct infections of
corporate systems.
Android Devices are the Primary Target
• Mobile malware is most likely to be installed via malicious apps.
• Android is an open operating system modified by each vendor:
- security provisions are often weakened or bypassed.
• Hundreds of third-party Android app stores are not vetted by Google.
• The number of malicious apps has grown 800% over the last year.
• 92% were directed at Android devices.
• Apple exercises tight control over apps:
- reviews each one before publication.
- does not allow unvetted apps to be distributed through the Apple App Store.
• Malware can also be delivered through phishing.
Jail-Broken and Rooted Devices
• Android and iOS prevent unauthorized access to privileged OS functions.
• An Android device can be modified by its user to give apps that access:
- a "rooted" device.
- necessary to run some apps.
• A rooted Android device can be infected with malware that runs at the
operating system level:
- Trojans
- keyloggers
• Similarly, an iOS device can be jail-broken. However:
- the iOS world is tightly controlled.
- several security functions must be bypassed.
- it is not something the ordinary user does.
Other Mobile Threats
• Compromised or hostile Wi-Fi hot spots:
- coffee shops, airports, hotels.
- corporate data is at risk whenever an employee connects to a public
Wi-Fi hot spot without end-to-end protection (TLS, VPN).
- frequently configured (open or shared key) so that anyone on the hot spot
can see all of the network traffic.
- commercially available apps provide the network monitoring capability.
• Poisoned DNS servers:
- the user must trust the DNS server handed out by a Wi-Fi hot spot.
- attackers can hijack a public DNS server or point the hot spot at their own.
- traffic is directed to a malicious web site.
- the web site can harvest users' private data: passwords, etc.
- malware is downloaded to the device from the web site.
DDoS Strategies
DDoS Strategies
The Internet Protocol Suite
• Application Layer – used by applications for network communications
(HTTP, FTP, SMTP, DNS).
• Transport Layer – end-to-end message transfer (TCP, UDP).
• Internet Layer – best-effort datagram delivery between hosts (IP, ICMP);
routers forward traffic at this layer.
• Link Layer – transmission on the local network segment (Ethernet, Wi-Fi;
switches and hubs).
DDoS Strategies
Attacks Occur at Various Levels
• Network Level:
- the network is bombarded with traffic.
- consumes all available bandwidth needed by legitimate requests.
• Infrastructure Level:
- network devices such as firewalls and routers maintain per-connection state
in internal tables.
- the attack fills those state tables.
- the devices can no longer handle legitimate traffic.
• Application Level:
- invokes application services that consume processing and disk resources:
- illegitimate login attempts.
- searches (if the attacker has obtained user names and passwords).
DDoS Strategies
Attacks Occur at Various Levels
• UDP Flood (sometimes called an ICMP flood because of the replies it provokes):
- Internet Control Message Protocol (ICMP) carries error and diagnostic messages.
- the attacker sends UDP datagrams to random ports on the victim.
- most of those ports have no listener.
- the victim must answer each one with an ICMP "port unreachable" message.
- the victim is so busy generating ICMP replies that it can't handle
legitimate traffic.
• Ping Flood:
- an ICMP attack in which the victim is flooded with ICMP echo requests (pings).
- the victim must answer each with an echo reply.
DDoS Strategies
Attacks Occur at Various Levels
• SYN Flood:
- the attacker begins the initiation of a TCP connection.
- sends a SYN connection request, usually with a spoofed source address.
- the server allocates resources to the half-open connection and responds with SYN-ACK.
- the attacker never sends the ACK that would complete the connection.
- the spoofed source either does not exist or answers the unexpected SYN-ACK
with a RST (it never sent a SYN), so the handshake never completes.
- the victim holds the half-open connection for a minute or more (one to three
minutes, depending on the OS retransmission settings) awaiting completion.
- the victim runs out of resources and cannot accept legitimate connections.
• GET/POST Flood:
- HTTP requests that retrieve and update data.
- targets pages that use extensive compute and disk resources of the server.
- some targets (account pages) require user names and passwords; others
(search forms, large downloads) do not.
- consumes all resources of the server.
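The standard stateless defense against the SYN flood described above is the SYN cookie: instead of allocating a half-open connection for every SYN, the server encodes what it needs into the SYN-ACK's initial sequence number and only allocates state when an ACK arrives carrying a valid cookie. The following Python is an added example, not code from the Sombers deck; the cookie layout (5-bit time slot, 3-bit MSS index, 24-bit keyed hash) is a simplification of the Linux scheme, and the secret key and all addresses are constructed for the example.

```python
"""SYN cookies: stateless handshake validation against spoofed SYN floods.

Added illustration (not from the Sombers deck).  Cookie layout, a simplified
version of the Linux scheme: 5-bit time slot | 3-bit MSS index | 24-bit MAC.
The secret and the addresses below are constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SLOT_SECONDS = 64                      # cookies accepted for this slot and the previous one
MSS_TABLE = (536, 1300, 1440, 1460)    # peer MSS rounded down to one of these (3-bit index)
MASK32 = 0xFFFFFFFF


def _slot(now: float) -> int:
    return int(now // SLOT_SECONDS) & 0x1F


def _mac24(secret: bytes, src: str, sport: int, dst: str, dport: int,
           slot: int, mss_idx: int) -> int:
    """24-bit keyed hash binding the cookie to the 4-tuple, time slot and MSS."""
    msg = f"{src}:{sport}>{dst}:{dport}|{slot}|{mss_idx}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(secret: bytes, src: str, sport: int, dst: str, dport: int,
                    mss: int, now: float) -> int:
    """Initial sequence number for the SYN-ACK.  Nothing is stored server-side."""
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_idx = fits[-1] if fits else 0
    slot = _slot(now)
    return (slot << 27) | (mss_idx << 24) | _mac24(secret, src, sport, dst, dport, slot, mss_idx)


def check_syn_cookie(secret: bytes, src: str, sport: int, dst: str, dport: int,
                     ack: int, now: float) -> Optional[int]:
    """Validate the ACK of a handshake.  Returns the peer MSS if the cookie is
    genuine and fresh, else None.  Forged or replayed ACKs fail here at no cost."""
    cookie = (ack - 1) & MASK32            # the client ACKs our ISN + 1
    slot, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    if (_slot(now) - slot) & 0x1F > 1:     # older than the previous slot: stale
        return None
    if cookie & 0xFFFFFF != _mac24(secret, src, sport, dst, dport, slot, mss_idx):
        return None
    return MSS_TABLE[mss_idx]


@dataclass
class SynCookieServer:
    """Toy listener: SYNs yield a cookie and no state; only valid ACKs create a connection."""
    secret: bytes
    addr: str = "198.51.100.10"           # constructed server address (TEST-NET-2)
    port: int = 80
    established: Dict[Tuple[str, int], int] = field(default_factory=dict)

    def on_syn(self, src: str, sport: int, mss: int, now: float) -> int:
        return make_syn_cookie(self.secret, src, sport, self.addr, self.port, mss, now)

    def on_ack(self, src: str, sport: int, ack: int, now: float) -> bool:
        mss = check_syn_cookie(self.secret, src, sport, self.addr, self.port, ack, now)
        if mss is None:
            return False
        self.established[(src, sport)] = mss
        return True


def demo() -> dict:
    """A spoofed SYN flood, one real client, a forged ACK and a stale replay."""
    srv = SynCookieServer(secret=b"constructed-secret-rotate-in-production")
    t0 = 1_000_000.0
    for i in range(10_000):                                # 10,000 spoofed SYNs...
        srv.on_syn(f"203.0.113.{i % 256}", 1024 + i, 1460, t0)
    state_after_flood = len(srv.established)               # ...leave no half-open entries
    isn = srv.on_syn("192.0.2.7", 40000, 1460, t0)         # genuine client gets a SYN-ACK
    legit = srv.on_ack("192.0.2.7", 40000, (isn + 1) & MASK32, t0 + 30)
    forged = srv.on_ack("192.0.2.8", 40001, 0x12345678, t0 + 30)   # guessed, no SYN-ACK seen
    stale = srv.on_ack("192.0.2.7", 40000, (isn + 1) & MASK32, t0 + 5 * SLOT_SECONDS)
    return {"state_after_flood": state_after_flood, "legit": legit, "forged": forged,
            "stale": stale, "mss": srv.established.get(("192.0.2.7", 40000))}


if __name__ == "__main__":
    print(demo())
```

The trade-off is the one real stacks make: with no per-SYN state the server forgets the client's TCP options (window scaling, SACK) unless it can recover them another way, so Linux (`net.ipv4.tcp_syncookies`) only switches cookies on once the SYN backlog overflows. The secret must be rotated regularly; a leaked or static key lets an attacker mint valid cookies and turn the flood into fully established connections.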
DDoS Strategies
Amplified Attacks
• The most vicious kind of attack:
- generates a great deal of attack traffic with little effort by the attacker.
• Example – DNS Reflection:
- depends upon open DNS resolvers.
- an open resolver answers any DNS query, no matter where it comes from.
- the attacker sends a query with the source IP address spoofed to the victim's.
- the resolver sends the (much larger) response to the victim.
- a typical query is about 30 bytes.
- a response to a query chosen for size is about 3,000 bytes.
- roughly 100 times amplification.
• A publicly available toolkit – itsoknoproblembro – has been used to launch such attacks.
• Open DNS resolvers were supposed to be phased out:
- there are still an estimated 27 million open resolvers on the Internet.
- lists of their IP addresses are readily available.
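An open resolver is usually a configuration default rather than a software flaw. As an added example (not part of the deck), the BIND 9 setting that makes a resolver open is shown beside a restricted configuration; the network ranges in the `trusted` ACL are placeholders to be replaced with your own, and the `rate-limit` block (Response Rate Limiting) needs BIND 9.10 or later.

```conf
// Open resolver: recurses for anyone, so it can be pointed at a victim.
options {
    recursion yes;
    allow-recursion { any; };
};

// Restricted: recurse only for your own networks, answer the cache only to them,
// and rate-limit identical responses so what leaks out cannot be amplified much.
acl "trusted" { 127.0.0.1; ::1; 192.0.2.0/24; 2001:db8::/32; };   // placeholders
options {
    recursion yes;
    allow-recursion { "trusted"; };
    allow-query-cache { "trusted"; };
    rate-limit {
        responses-per-second 5;
        window 5;
        slip 2;
    };
};

// An authoritative-only server should not recurse at all.
options {
    recursion no;
};
```

To verify from outside your own network, query the server for a name it is not authoritative for (`dig @<server-ip> www.example.com A`): a NOERROR answer containing the record means it recursed for a stranger and is still open; REFUSED means the restriction is in effect.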
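The two UDP attack patterns in this deck leave distinct traces in flow records: the random-port UDP flood (many datagrams from one source to many destination ports, each provoking an ICMP "port unreachable") and DNS reflection (large responses from port 53 arriving at a host that never sent the matching queries). The following Python, an added example and not code from the Sombers deck, runs simple detectors for both over constructed flow records; the addresses, sizes and thresholds are constructed for the example and would be tuned against a real baseline.

```python
"""Flow-level detection of a random-port UDP flood and of DNS reflection.

Added illustration (not from the Sombers deck).  Records are constructed;
thresholds are assumptions to tune against your own traffic baseline.
"""
from __future__ import annotations

import random
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One packet/flow record as a collector (NetFlow/IPFIX, pcap) would report it."""
    ts: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    size: int        # bytes


def udp_flood_suspects(flows: List[Flow], window: float = 1.0,
                       min_pkts: int = 200, min_ports: int = 50) -> List[Tuple[str, str]]:
    """(src, dst) pairs hitting many distinct UDP ports at a high rate in one window.
    Random destination ports are the tell: real services cluster on a few ports."""
    buckets = defaultdict(lambda: [0, set()])        # (src, dst, window#) -> [packets, ports]
    for f in flows:
        if f.proto != "udp":
            continue
        b = buckets[(f.src, f.dst, int(f.ts // window))]
        b[0] += 1
        b[1].add(f.dport)
    return sorted({(s, d) for (s, d, _), (n, ports) in buckets.items()
                   if n >= min_pkts and len(ports) >= min_ports})


def dns_reflection_suspects(flows: List[Flow], min_resolvers: int = 5,
                            min_bytes: int = 10_000) -> Dict[str, Dict[str, int]]:
    """Hosts receiving DNS responses from resolvers they never queried.
    Matching is per (host, resolver) pair by byte count; a production detector
    would match DNS transaction IDs, which flow records do not carry."""
    queried = Counter()     # (host, resolver) -> bytes of queries the host sent
    answered = Counter()    # (host, resolver) -> bytes of responses the host received
    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport == 53:
            answered[(f.dst, f.src)] += f.size
        elif f.dport == 53:
            queried[(f.src, f.dst)] += f.size
    unsolicited = defaultdict(lambda: {"resolvers": set(), "bytes": 0})
    for (host, resolver), nbytes in answered.items():
        if queried[(host, resolver)] == 0:           # an answer with no question
            unsolicited[host]["resolvers"].add(resolver)
            unsolicited[host]["bytes"] += nbytes
    return {host: {"resolvers": len(u["resolvers"]), "unsolicited_bytes": u["bytes"]}
            for host, u in unsolicited.items()
            if len(u["resolvers"]) >= min_resolvers and u["bytes"] >= min_bytes}


def constructed_sample() -> List[Flow]:
    """Constructed traffic toward one victim: normal DNS, a reflection attack, a UDP flood."""
    victim, resolver = "198.51.100.10", "192.0.2.53"    # TEST-NET addresses
    flows: List[Flow] = []
    for i in range(20):                                  # legitimate queries and answers
        flows.append(Flow(0.1 * i, "udp", victim, 40000 + i, resolver, 53, 60))
        flows.append(Flow(0.1 * i + 0.02, "udp", resolver, 53, victim, 40000 + i, 200))
    for r in range(60):                                  # 60 open resolvers reflect 3,000-byte
        for k in range(5):                               # answers the victim never requested
            flows.append(Flow(0.05 * k, "udp", f"203.0.113.{r + 1}", 53, victim, 80, 3000))
    rng = random.Random(7)                               # one bot sprays random high ports
    for i in range(400):
        flows.append(Flow(0.002 * i, "udp", "203.0.113.250", 50000, victim,
                          rng.randint(1024, 65535), 64))
    return flows


if __name__ == "__main__":
    sample = constructed_sample()
    print("UDP flood pairs:", udp_flood_suspects(sample))
    print("DNS reflection:", dns_reflection_suspects(sample))
```

Note what separates the two: the reflected traffic comes from many sources to one fixed port and is not flagged as a port-spraying flood, while the flood source hits hundreds of ports but is never a DNS responder. On a real link the victim's own outbound ICMP port-unreachable rate is a third, cheap signal for the UDP flood case.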
Major DDoS Attacks
Some Examples
Major U.S. Banks
September 2012 – the online banking web sites of six major U.S. banks are taken down
for days by Distributed Denial of Service (DDoS) attacks.
• The Izz ad-Din al-Qassam Cyber Fighters vowed to attack major U.S. banks.
• They declared that the attacks would continue until the video "Innocence of Muslims"
was removed from the Internet.
• September 2012 – DDoS attacks are launched against Bank of America, JPMorgan Chase,
Wells Fargo, U.S. Bank, and PNC Bank.
• The attacks take down their online banking portals for about a day.
• Attacks followed against Capital One, SunTrust Banks, and Regions Financial.
• The 70 gigabit/sec. attacks used hundreds of thousands of volunteer computers and
infected servers.
• December 2012 – attacks were repeated for several days against all of the banks.
• Intelligence officials say that cyber attacks and cyber espionage have surpassed
terrorism as the top security threat facing the U.S.
History’s Largest DDoS Attack
• Spamhaus is an anti-spam organization:
- publishes blacklists of IP addresses used by email spammers.
- used by spam-filtering vendors, ISPs, corporations.
• Spamhaus blacklisted CyberBunker, a Dutch hosting provider:
- CyberBunker claims to host anything except child pornography and
terrorism-related content.
• CyberBunker launched a 300 gigabit/sec. attack against Spamhaus:
- it lasted for ten days.
• Spamhaus enlisted CloudFlare to help it weather the attack:
- CloudFlare spread the malicious load across its 23 data centers.
- scrubbed the traffic and fed only legitimate requests to Spamhaus.
• CyberBunker then extended its attack to CloudFlare.
Summary
Botnets
• Until recently, DDoS attacks were in the 10 Gbps range:
- botnets of infected PCs.
• Bank attackers (al-Qassam Cyber Fighters) – 100 Gbps:
- used tens of thousands of volunteered PCs.
- added infected servers.
• Spamhaus attack (CyberBunker) – 300 Gbps:
- used a PC/server botnet.
- used DNS reflection.
Mitigation
• DDoS attacks are easy to launch and difficult to defend against.
• Firewalls and intrusion-prevention systems (IPS) can themselves be overwhelmed
(they keep per-connection state).
• Spread the load across several data centers and scrub the traffic there.
• Use the services of a DDoS mitigation company that can scrub traffic
across several data centers, for example:
- Prolexic
- Tata
- AT&T
- Verisign
• Don't run open resolvers or other amplifiers that can be turned against others.
• Include DDoS attacks in your Business Continuity Plan.