Issuu on Google+

Ubiquitous Reliable Uninterrupted Delivery

DDoS ATTACK MITIGATION

an introduction

“Invented� around the end of the 20th century, DDoS attacks have become a major network issue - one that all online presence is threatened by today. Increasing number of sites fall prey to this incessantly growing menace, and no one is safe anymore. The ease and constantly falling costs for launching and sustaining DDoS attacks have made them a weapon of choice for criminals meaning to do your business harm by intentionally forcing your content offline through depletion of some critical availability resource.


Ubiquitous Reliable Uninterrupted Delivery

INTRO

TO A MODERN PLAGUE Today’s World Wide Web spans over millions of computers scattered throughout the world with millions of people using the Internet for professional and personal needs. The everlasting necessity to maintain billions of connections uninterrupted, thus ensuring access to sites and services turns main internet nodes into attractive targets for violators who flood this structure or parts of it with all kinds of “bad” traffic, rendering it inaccessible to legitimate traffic. Even a short-lived denial of service attack can cause serious disruptions in revenue streams and may have devastating consequences for both private and public online entities. The turn of the 20th century marked the birth of this major network threat, relentlessly gaining speed and affecting growing numbers of victims. Prominent sites are no longer the only targets of the onslaught - nowadays anyone with an online presence may fall prey to intentionally inflicted null or lackluster online performance. Recent evidence suggests that it is becoming increasingly easy and inexpensive to launch such assaults, whereas protecting one’s site or service, without employing external expert services, is becoming almost impossible to achieve due to the associated infrastructure and software investment.

“Defending against denial of service attacks and largescale worm outbreaks depends on network topology. Our work allows computer scientists to experiment with a range of random graphs that match Internet characteristics. This work is also useful for determining the sensitivity of particular techniques – like routing protocols and congestion controls – to network topology and to variations in network topology,” - Priya Mahadevan Jacobs School of Engineering, UCSD. “What The Internet Looks Like” Image based on “Digital dandelion or new semi-random Internet map?” - courtesy of Jacobs School of Engineering, UCSD.

2


GET IN TOUCH WITH US Impletec Technologies Ltd 4 Lale Street, Lozenetz Dist., 1421 Sofia, Bulgaria ph. 359 2 442 0451, fax 359 2 866 1812 www.impletec.com

WHAT’s

a DDoS ATTACK?

The Denial of Service (DoS) attack is a particular class of network threat designed to cripple or render completely inaccessible an online service to valid, clean traffic. Typically, such an attack is affected by initiating a horrendous amount of connections to a victim server, thus flooding its resources or the connection to it. Such invasions are easily detected and the initiator of the attack identified, or at least his actions efficiently blocked. To shed these faults, this type of attack evolved into a new generation of network plague - the Distributed Denial of Service (DDoS) attack. The violator remotely commands and controls a number of hacked computer systems (collectively called “botnet”).

The botnets are dispersed all over the world, concealing the attacker’s own location, boosting the attack’s power and effectiveness. DDoS type attacks work well and are quickly becoming weapons of choice due to achieving effective depletion of the targeted object’s most vulnerable resources: network capacity, processor time, main memory. Resource depletion is achieved in most cases by employing various methods to emulate legitimate user flow in amounts that render the victim incapable to deal with such loads. Historical analysis of data accumulated over the past years, shows the average number of attacking hosts in a single attack to vary between 10 and 20 thousand individual machines, each sending 1-2 requests per second. Few systems are capable of maintaining continuous service when faced with an excess of 200-500 requests/sec. simultaneously, every request specially built to convey a maximum load.

“The ZeroAccess botnet is so big, it can be “seen” from space” Image generated with Google Earth. Courtesy of F-Secure.

3


Ubiquitous Reliable Uninterrupted Delivery

HOW

IS DDoS EFFECTED?

As explained before, DDoS attacks are first and foremost bulk raids by design and intended impact. In order for the attacks to be effective, an enormous collection of computer resources must be secured. This is usually done in advance, not by the DDoS attackers but by other agents, whose job is to make available and sell to the interested parties the bulk of compromised resources. The process of obtaining access to mass computer muscle involves infecting hundreds of thousands of innocent users’ machines with special software devised to enable a DDoS attack launch. According to research, the most likely and easy prey to infection are the home computers – one, they are the most wide-spread and numerous on the net, and two – in most cases, unlike most business machines, they lack serious protection against such interventions.

Quite frequently, the infection of a computer is carried out through inadvertent and oblivious to the possible dangers access to a compromised web resource. When accessing such a resource, the victim computer’s browser client is subjected to a severe attack whose intent is to exploit one or more of hundreds of existing vulnerabilities within the software. Once the browser is exposed – the job is done. The victim machine then receives a “loader” – an application that enables the loading and execution of any other code delivered by the violator. Currently, scripts forcing loader installation are successful 80% of the cases. Eight in ten computers that accessed the compromised web resource are converted into zombie-machines - standing by to be controlled and commanded into launching DDoS attacks as members of the collective botnet. Once the loader is in place, violators use it install special DDoS attack software (DDoS Bot) on the zombie-machines. With this, the preparatory stage is concluded and all that’s left for the violator is to direct the onslaught to a victim. The figure on the right shows how a bot is “hooked up” and exploited after it has been compromised.

The Process of Turning a PC into a “Zombie” and Becoming Part of a Botnet 4


GET IN TOUCH WITH US Impletec Technologies Ltd 4 Lale Street, Lozenetz Dist., 1421 Sofia, Bulgaria ph. 359 2 442 0451, fax 359 2 866 1812 www.impletec.com

MAIN

TYPES OF DDoS ATTACKS

Altering DDoS attack method and magnitude have traditionally been the criminals’ tweaks of choice. Lately, we are seeing a trend towards shorter, sharper assaults, with a pronounced preference to using Application Layer scripts.

HTTP GET Flood - 47.10% SYN Flood - 45.23% UDP Flood - 2.47% ICMP Flood - 2.26% TCP Data Flood - 1.47% DNS under DDoS - 1.19%

Share of DDoS Attack Type by occurrence in 2011 What does the DDoS Bot do? It all depends on the attack objective. There are around 20 types of DDoS attacks, classified by their directivity concept, that are known today. In general, all DDoS attacks could be split into two main groups – those that target connection bandwidth, and those aiming to discontinue a service. Depending on the attacker’s wish, attacks vary in duration - from a short-lived racketeer attack, to a prolonged detrimental invasion. Attacks aiming to deplete available bandwidth try (and usually succeed) to sever connectivity between the victim and legitimate users by overloading of the data transfer channels and/or the servicing equipment. This is achieved by initiating transmission of a huge amount of packets through the most vulnerable segments of the victim’s infrastructure and, in most cases, these packets are specially generated

in order to effect greater loading of the target network equipment. Thus, all network equipment resources are used up and the connection appears to be non-existent for valid traffic because it’s busy routing “trash” packets. In some instances, it also excludes itself from the routing process, breaking victim’s connectivity with the world including legitimate users. The most popular bandwidth oriented DDoS attacks types are SYN Flood (using three-way handshake of TCP protocol), UDP Flood, and ICMP Flood, using UDP and ICMP protocols respectively. Service- oriented attacks focus on crippling specific network services (most often web services.) The invasion emulates legitimate user activity in quantities that force the victim computer to commence providing access only to attacking machines, thus effectively denying its service to valid traffic. 5


Ubiquitous Reliable Uninterrupted Delivery

DDoS

TODAY’s MAIN NETWORK THREAT

With today’s deepening dependence on the Internet, many businesses find themselves the victim of DDoS attacks. Cheaper and easier to launch than ever, these assaults on online presence bring victims’ operation to a halt. One of the key factors making DDoS attacks the most popular threat nowadays is that, by and large, this activity requires no special qualification. In fact, any criminal who wishes to commit a DDoS attack could easily find all instruments needed in the course of an evening, just browsing the net. And he doesn’t need to have any IT degree. Unfortunately, this is a 10 dollar bomb that anyone can buy in the nearest drugstore... Also, there are a lot of manuals and know-how readily available on the internet for DDoS attacks organization. Logically, DDoS attacks are becoming an increasingly popular weapon in the hands of students, political hacktivists, supporters of international terrorism, etc. Criminals, harvesting networks of infected machines (Botnets) and powering DDoS attacks, more and more rarely work alone but often join traditional criminal communities. Most of them don’t shy from entering partnerships, thus pooling their resources for guaranteed victim elimination. The second reason why DDoS attacks are so dangerous and prolific comes from “internal” competition among criminals that drives prices lower. On average, a 10,000 machine botnet attack costs less than USD 400 today, and prices are falling by the day. The process is to be expected and is irreversible due to the ongoing expansion of the Internet with growing numbers of computers that could be used for criminal aims, “fresh” ones, appearing by the thousands daily in the global network.

“Can You Fight Them All? And They Keep Coming ...”

The two factors combined, cater to an extremely low entry threshold for all interested parties, greatly diminishing the possibility for the attack occurrences to decrease in number. On the contrary, this number will most likely continue to rise to unprecedented levels. Levels, which we are already witnessing in the latest years and months, and which have given rise to “cyber war” anxieties in all business spheres.

Image borrowed from “The Matrix - Revolutions” Official Movie Poster, courtesy of Warner Brothers Entertainment Inc.

6


GET IN TOUCH WITH US Impletec Technologies Ltd 4 Lale Street, Lozenetz Dist., 1421 Sofia, Bulgaria ph. 359 2 442 0451, fax 359 2 866 1812 www.impletec.com

DDoS

IS A THREAT TO ALL

All the time, the quality of DDoS attack software is improving; criminals use virtual machines with specifically designed algorithms that make zombie-machines almost indistinguishable from real users.

Apart from the more “obvious” ones (please, see chart below), we’re seeing an ever increasing number of truly unexpected attacks on sites that are hard to believe anyone in their right mind would want to attack. But they do, and the resulting dismay is even further fueled by the fervor and dedication of the criminal mind - bent on bringing a bakery shop’s website down, for instance.

Criminals use peer-to-peer technologies for controlling Botnets that makes tracing them very difficult and almost impossible. All of the above accomplishments of the hackers make investments in DDoS attacks more and more effective.

Such occurrences do not usually make it to the headlines, where only the prominent and significant ones get mentioned. Yet they are real, and the alarming rate, at which we see unexpected types of businesses join the list of DDoS victims is apparently a good indicator of how easy and “cheap” it has become to kill someone’s uptime.

DDoS attacks remain the single most horrendous threat for organizations with an online business. A small-scale inaccessibility of important resources greatly impacts an organizations’ prestige, customer loyalty, severing vital revenue streams, inflicting significant, and sometimes irreparable financial losses. Today, no online business is safe from the DDoS torment.

Protecting a business from DDoS is an expensive endeavor - from the bandwidth costs to withstand attacks, to machines to handle it, to software and specially trained personnel - it could amount to serious cash that not all businesses can afford or is feasible to invest. So how does one protect their business effectively, without wasting valuable resources at costs that could run astronomically high?

eCommerce - 28.48% Financial Services & Banking - 24.21% Online Gaming - 22.98% Sites with Adult Content - 6.65% Forums/Blogs - 6.50% News & Media - 5.78% Public Sector - 2.44% Other - 1.68% Government - 1.28% Industries that were most affected by DDoS Attacks in 2011 7


Ubiquitous Reliable Uninterrupted Delivery

DIY

VS. HIRED PROTECTION

For convenience, existing DDoS attack mitigation and protection approaches can be examined in two groups: (i) protection that the victim company decides to build internally, and (ii) such provided by various DDoS protection companies.

THE DO-IT-YOURSELF APPROACH

HIRING EXTERNAL SERVICES

Historically, most protection methods deployed by victim companies have displayed a disturbing tendency to suffer from critical shortcomings that can be summarized as follows:

Methods employed by core-business DDoS protection providers are safe from the shortcomings that go with the DIY approach, but manifest others, in some cases equally annoying:

the protection is limited within the site of the protected network: neighboring network elements and border segments are not affected or controlled

lack of possibility for immediate deployment - if the protection is not in place at the time of the attack, the company has no means to respond to it as it happens

case-specific customers receive access to a default configuration of the protection system that does not necessarily reflect specific service requirements, target groups, and other critical needs adequately. This is generally due to intended large-scale and massmarket product design, trained on maximizing general applicability

inability to mitigate various attack types - usually, the protection covers a limited range of attack types

limited resource availability - the most detrimental DDoS invasion types require enormous financial, labor and time investment in network infrastructure, specialized software solutions and connectivity

lack of well organized and timely feedback, leading to misunderstandings in the customer-provider chain, resulting in disgruntled customers demanding extensive information on attacks and measures taken to mitigate them, in some rare cases, protection providers engage in attack statistics juggling and manipulation, aiming at blowing up of estimates for obvious reasons

the considerably high cost of setting up, maintaining and staffing a protection scheme usually makes the inhouse approach not feasible

With customers in the dark for lack of complete attack information, it is not impossible to still experience denial of service, while paying excessive charges for protection

Often, self-protection techniques and endeavors are not merited with outstanding efficacy and expectations are not met duly. The attempted elimination of these defects, in most cases, costs more than the attack damage, thus rendering remedies useless.

One should keep in mind that, fairly often, DDoS Protection companies copy each other’s solutions, market approach and service presentation with varying degrees of promise-to-customer fulfillment

8


GET IN TOUCH WITH US Impletec Technologies Ltd 4 Lale Street, Lozenetz Dist., 1421 Sofia, Bulgaria ph. 359 2 442 0451, fax 359 2 866 1812 www.impletec.com

OUR

PROXY SOLUTION

On the diagram above, one sees a typical DDoS Attack being filtered by the Impletec Protection Network layer. Hacker(s) sit at a remote terminal connected to a Control & Command Centre, which in turn commands individual user machines en masse – the botnet. Bad/Attack traffic is directed to our protected network, which consists of a number of Points of Presence (PoP) placed around the world, ensuring ubiquitous, adequate and uninterrupted connectivity with

your global visitors, allowing us to receive and balance all malicious traffic at the best transfer speeds available. To ensure effective functioning of the filtering and cleaning processes in our PoP’s, Impletec use a Decision-Making Control Cluster, which monitors the work of the PoP’s, analyses the data and sends fresh and/or revised instructions as necessary. In addition, Impletec have dispatched Monitoring Points scattered throughout the globe that report client site status from real valid visitor locations. These also send information to the Control Cluster, thus effecting corrective action.

9


Ubiquitous Reliable Uninterrupted Delivery

PoP

HOW IT WORKS

As needed, traffic is sent for additional filtering to the filtering server farm - dozens of servers running on high-performance software.

The Impletec Point of Presence (PoP) is one of several similar structures in our DDoS mitigation network, carrying out direct transit traffic filtering, guided by rules and applying policies defined for it by the decision-making cluster.

The structure allows not only to perform a series of inspections of incoming traffic, but also to gather additional statistical information, based on which a decision is made - i.) traffic is terminated as malicious, ii.) additional checks and parameterization are performed, iii.) traffic is sent to the recipient.

So, how is traffic processed inside the PoP?

In addition, the PoP’s house a number of support structures:

First, clearly non-targeted traffic is seethed out - often this happens at the border router. For example, UDP traffic is completely cut off if the specific client does not use UDPbased services.

Server recovery - comprehensive configuration data for speedy recovery of under-performing components,

Next, traffic comes to the core-router, where, depending on the rules, it is determined whether to carry out additional filtering or traffic should pass directly to the PROXY / VPN server farm, from where it is sent to the target destination.

Server for statistical data preparation - collects and processes “raw” statistics. Ready reports are sent via a secure channel to the decision-making cluster, Local monitoring server system - gathers statistics on the technical serviceability of all elements of the PoP.

10


GET IN TOUCH WITH US Impletec Technologies Ltd 4 Lale Street, Lozenetz Dist., 1421 Sofia, Bulgaria ph. 359 2 442 0451, fax 359 2 866 1812 www.impletec.com

OUR

ON-PREMISE SOLUTION

There are situations and scenarios, where an organization will not, or cannot use an external service to filter malicious traffic and mitigate DDoS attacks. The fact that their traffic goes to an external Data Center (DC) for scrubbing and then enters the organization’s network may constitute a breach of this organization’s internal data security regulations and may not be viewed as politically correct from a strategic point of view. Standard proxy-shield protection services for such organizations are largely inappropriate and sometimes merely impossible.

Due to establishment specifics and data security requirements that govern in your organization, you may require special “on-premise” protection setups, where the entire protection solution stack is located within your own DC, serviced and maintained by your own trained staff with your own channels accommodating all attack traffic to be cleaned and fed to your servers. We understand such needs very well, and readily offer bespoke configurations based on our iCore DDoS Mitigation Stack as well as staff training to closely match your precise goals and performance requirements in DDoS Protection. Illustrated below are two typical iCore integration setups and their operation in the “Attack-free” and “Under-attack” modes. Depending on the existing or preferred hardware specification, iCore can work either with a switch or a router.

Router

Switch

/24

Border Router

Border Router

/32

iCore DDoS Mitigation Stack

PROTECTED RESOURCE

iCore DDoS Mitigation Stack

PROTECTED RESOURCE

In “Attack-free” mode, traffic from external networks to a protected resource passes through the routers directly.

In “Attack-free” mode, ingress traffic to the protected resource is channeled through the router and switch directly.

In “Under-attack” mode, traffic to protected destination is routed for cleaning to iCore by sending /32 BGPAnnouncement (preferred route) to the Border Router. As the attack ceases, iCore removes the /32 BGP-Announcement, and all traffic returns to the normal direct route.

In “Under-attack” mode, the route is modified by the iCore’s detector (ARP-flow) to the switch. Thus, DDoS traffic is redirected to the iCore for cleaning. Once the attack stops, traffic routing is switched back to direct mode.

11


DDoS Attacks 101 and what to do about it