How valuable DDoS mitigation hardware is for Layer 7 Sophisticated attacks



How valuable DDoS mitigation hardware

is for Layer 7 Sophisticated attacks

Stop DDoS before they stop you!

What Is Distributed Denial of Service

A Denial of Service attack (DoS) is any intentional attempt to prevent legitimate users from reaching a specific network resource, from a single source.

A Distributed Denial of Service attack (DDoS) is an extension of a DoS attack that is harder to mitigate because the traffic comes from multiple source addresses. The attack traffic can be difficult to distinguish from legitimate traffic.

Types of DoS Attacks

Layer 3 (Network Protocol) - DoS, DDoS, DRDoS, CDRDoS
IP address attacks targeting network bandwidth: UDP flood style attacks (DNS, NTP, SSDP, CHARGEN, SNMP)

Layer 7 (Application Protocol) - DoS, DDoS
TCP attacks on server sockets
HTTP attacks on web server threads
Protocol attacks (SYN flood, fragments)
Packet storm (excessive PPS)
Resource starvation (CPU, I/O, memory)
Stealth/creeper (Slowloris, Slow POST)
Exploit (application or OS specific DoS)

Layer 7 attacks target the top layer of the OSI model. They have low bandwidth consumption and a legitimate, stealthy appearance. They are mostly non-volumetric and increasingly popular. There is a variety of methods, targets and open-source tools, and they are difficult to defend against.


Common DDoS Defensive Techniques

Simple Site Failover

Null Route (Black Hole) (Automated or Manual)

Anycast – BGP Multi Home

Onsite Web Application Firewall

Load Balancing Appliances

Commercial Hardware Solutions – On Premises

Commercial Solutions – In the Cloud

Large Global Denial of Service attacks

Second largest DDoS attack in history: 300G, March 2013, DNS reflection attack
Largest DDoS attack in history: 400G, February 2014, NTP reflection attack

Micron21 Statistics

Long term average since Jan 2013

Long term average attack lasts 34.5 hours

China is #1 origin of DDoS traffic, making up 40-50% of all unwanted traffic activity

25% of attacks are against infrastructure (Layer 3 attacks)

75% against Connection and Applications (layer 4 to 7 attacks)

75% of all attacks are under 1 Gbit

20% of all attacks are under 4 Gbit

5% of all attacks are above 4 Gbit

Tools used by faceless hackers in Layer 4 to 7 attacks

HTTP GET flood
SYN flood attack
ACK flood attack
SSL based attacks - cURL, BackTrack, THC-SSL (very hard to detect)
LOIC (Low Orbit Ion Cannon)
R.U.D.Y. (R U Dead Yet)
Slowloris
PyLoris
DDoSim
THC-SSL-DOS
Dirt Jumper Drive2 - Method: HTTP flood, SYN flood, POST flood, and more
Tor's Hammer - Method: Slow POST
Nuclear DDoSer - Method: Slow POST
Railgun - Method: Slow POST

HTTP has 60 known vulnerabilities which can be attacked

Micron21 Total Attacks Since January 2013

Attack Type  | Attack Count | Dropped Traffic        | Dropped Traffic (packets) | Dropped Traffic Percentage | Percentage of Attack Type
SYN-Flood    | 544,272      | 260.7 G                | 547.4 M                   | less than 1.0%             | 43%
ACK-Flood    | 161,204      | 175.9 G                | 227.1 M                   | less than 1.0%             | 12.8%
UDP-Flood    | 111,429      | 2,660,087 G (2597 TB)  | 47 billion                | 98.0%                      | 8.9%
ICMP-Flood   | 2,962        | 243.2 G                | 310.6 M                   | less than 1.0%             | 0.23%
Conn-Flood   | 173,042      | 44.2 G                 | 8.6 M                     | less than 1.0%             | 13.8%
Stream-Flood | 131,076      | 734.8 G                | 93.4 M                    | less than 1.0%             | 10.4%

Current Active DDoS Attacks - 42 current, 19th Aug 2014 8:14pm

Total Data | PPS | Target          | Type         | Port | Peak Speed
0.05GB     | 49  | 111.223.226.91  | Others       | 80   | 0.0Mbps
0.0GB      | 20  | 103.4.18.149    | Stream Flood | 80   | 0.0Mbps
0.0GB      | 4   | 111.223.232.30  | SYN-Flood    | 443  | 0.0Mbps
0.0GB      | 1   | 27.131.75.35    | Conn-Flood   | 80   | 0.0Mbps
0.0GB      | 1   | 111.223.231.34  | ACK-Flood    | 80   | 0.0Mbps
0.0GB      | 1   | 27.131.75.36    | SYN-Flood    | 80   | 0.0Mbps
0.0GB      | 1   | 27.131.75.35    | Conn-Flood   | 80   | 0.0Mbps
0.0GB      | 1   | 27.131.105.189  | SYN-Flood    | 80   | 0.0Mbps
0.0GB      | 1   | 111.223.228.178 | SYN-Flood    | 80   | 0.0Mbps
0.0GB      | 1   | 111.223.231.34  | ACK-Flood    | 80   | 0.0Mbps
0.0GB      | 1   | 27.131.75.35    | SYN-Flood    | 80   | 0.0Mbps
0.0GB      | 1   | 27.131.105.189  | Conn-Flood   | 25   | 0.0Mbps
0.0GB      | 1   | 111.223.228.186 | ACK-Flood    | 80   | 0.0Mbps
0.0GB      | 1   | 111.223.228.178 | SYN-Flood    | 80   | 0.0Mbps
0.0GB      | 1   | 111.223.231.34  | ACK-Flood    | 21   | 0.0Mbps
0.0GB      | 1   | 27.131.75.36    | SYN-Flood    | 443  | 0.0Mbps
0.0GB      | 1   | 27.131.75.35    | SYN-Flood    | 80   | 0.0Mbps
0.0GB      | 1   | 27.131.105.189  | ACK-Flood    | 80   | 0.0Mbps
0.0GB      | 1   | 111.223.228.178 | SYN-Flood    | 25   | 0.0Mbps
0.0GB      | 1   | 111.223.231.34  | Conn-Flood   | 443  | 0.0Mbps
0.0GB      | 1   | 111.223.228.178 | Conn-Flood   | 80   | 0.0Mbps
0.0GB      | 1   | 27.131.66.209   | Others       | 80   | 0.0Mbps
0.0GB      | 1   | 27.131.105.189  | SYN-Flood    | 80   | 0.0Mbps
0.0GB      | 1   | 111.223.228.178 | SYN-Flood    | 80   | 0.0Mbps
0.0GB      | 1   | 27.131.75.35    | ACK-Flood    | 443  | 0.0Mbps
0.0GB      | 1   | 27.131.105.189  | SYN-Flood    | 80   | 0.0Mbps
0.0GB      | 1   | 111.223.231.34  | Conn-Flood   | 25   | 0.0Mbps


Firewalls and Layer 4 to 7 Attacks


Juniper SSG550M Firewall Specifications

ScreenOS version tested ScreenOS 6.2

Firewall Perf (Large Packets) 1+ Gbps

Firewall Performance (IMIX) 1 Gbps

Firewall Packets Per Second 600,000 PPS

3DES+SHA-1 VPN Perf 600 Mbps

Concurrent VPN Tunnels 1,000

Max Concurrent Sessions 256,000

New Sessions/Second 15,000

Max Security Policies 4,000

ACK Flood - Juniper SSG 550M Firewall

Botnet: 983 hosts

Each bot sends 8 packets per second at 25 bytes in size: 7,832 packets per second, about 1.5 Mbit/s of traffic

Juniper SSG 550M, 0.25M TCP sessions: fails in 32 seconds
Juniper SRX 1400 / SonicWall SuperMassive 9000, 1.5M TCP sessions: fails in 3.2 minutes
Juniper SRX 3400 / SonicWall SuperMassive E10200, 3.0M TCP sessions: fails in 6.4 minutes
Juniper SRX 5800, 100M sessions (over $1M investment): unlikely to fail with this attack
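As an added example (not from the slide deck), the arithmetic behind the "fails in N seconds" figures above, written as a small capacity-planning calculator. It takes the slide's 7,832 pps and 25-byte packets and the session-table sizes quoted above, and adds the one factor the slide leaves out: an idle-session timeout, which decides whether a table ever fills at all. The 60 s timeout used in the demo is an assumed value, not a figure from the slide.

```python
"""Session-table exhaustion under a low-bandwidth ACK flood.

Added example, not from the slide deck: it reproduces the arithmetic behind the
slide's "fails in N seconds" figures (table capacity / packet rate, one new
session per packet) and adds an idle-session timeout, which the slide does not
model. Capacities and the 7,832 pps / 25-byte figures are the slide's; the
timeout values are assumptions.
"""
import math
from typing import Dict, Optional

# Session-table capacity per device, as quoted on the slide.
DEVICES: Dict[str, int] = {
    "Juniper SSG 550M": 250_000,                                    # "0.25m TCP sessions"
    "Juniper SRX 1400 / SonicWall SuperMassive 9000": 1_500_000,
    "Juniper SRX 3400 / SonicWall SuperMassive E10200": 3_000_000,
    "Juniper SRX 5800": 100_000_000,
}
ATTACK_PPS = 7_832      # aggregate packet rate quoted on the slide
PACKET_BYTES = 25       # packet size quoted on the slide


def attack_mbps(pps: int, packet_bytes: int) -> float:
    """Wire rate of the flood in Mbit/s (Layer 2 framing ignored)."""
    return pps * packet_bytes * 8 / 1e6


def seconds_to_exhaust(capacity: int, pps: int,
                       idle_timeout_s: Optional[float] = None) -> float:
    """Seconds until a device that opens one session per packet has no free
    session slots; math.inf if the flood can never fill the table.

    Without a timeout every entry is permanent, so the table fills after
    capacity / pps seconds. With an idle timeout the live-entry count
    plateaus at pps * idle_timeout_s; if that is below capacity the device
    survives, otherwise it fills before the first entry expires and the
    no-timeout answer stands."""
    if pps <= 0:
        return math.inf
    if idle_timeout_s is not None and pps * idle_timeout_s < capacity:
        return math.inf
    return capacity / pps


def report(pps: int = ATTACK_PPS,
           idle_timeout_s: Optional[float] = None) -> Dict[str, float]:
    """Time to failure in seconds for every device in DEVICES."""
    return {name: seconds_to_exhaust(cap, pps, idle_timeout_s)
            for name, cap in DEVICES.items()}


def fmt(secs: float) -> str:
    return "does not fill" if math.isinf(secs) else f"{secs:,.0f} s ({secs / 60:.1f} min)"


if __name__ == "__main__":
    print(f"flood: {ATTACK_PPS} pps, {attack_mbps(ATTACK_PPS, PACKET_BYTES):.2f} Mbit/s")
    for timeout in (None, 60.0):   # 60 s idle timeout is an assumed value
        print(f"\nidle timeout: {timeout if timeout else 'none'}")
        for name, secs in report(idle_timeout_s=timeout).items():
            print(f"  {name}: {fmt(secs)}")
```

With no timeout the output matches the slide (32 s, 3.2 min, 6.4 min, and about 3.5 hours for the 100M-session device). With the assumed 60 s idle timeout only the 0.25M-session table still fills, because 7,832 pps sustains at most about 470,000 live entries; this is why session-idle timers and the rate at which a device ages out unmatched sessions matter as much as the raw table size.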

Layer 4 to 7 Attacks Prevention

How does Micron21 prevent stateful devices, i.e. firewalls and load balancers, from failing?

So how does NSFOCUS work?

NSFOCUS ADS-6020

Collapsar traffic cleaning series (Attack Mitigation ADS):
ADS 2010 (2G): 1,488,000 pps
ADS 2020 (4G): 2,976,000 pps
ADS 4020 (10-20G): 8,928,000 pps
ADS 6020 (20-40G): 14,880,000 pps

ADS - Multilayer Cleaning

1. Protocol Analysis: protocol validation by RFC check
2. Access Control List: Layer 4 ACL, Conn-Exhaustion ACL, URL ACL
3. Reputation List: white/black list, dynamic prioritizing
4. Layer 4 Flood Mitigation: source/destination IP address check/verification, various mitigation algorithms
5. Layer 7 Flood Mitigation: various mitigation algorithms, pattern matching
6. Rate Limit: restricts traffic and ensures the critical business

(Diagram: traffic from the Attacker crosses the Internet into the Traffic Cleaning Center and passes stages 1 to 5 in order, with Rate Limit as stage 6.)
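The six stages above read naturally as an ordered filter chain in which the first stage with an opinion decides a packet's fate. The following is an added example, not NSFOCUS code and not the ADS implementation: each stage is a small function, the policy values, flag checks, URL signature and sample traffic are all constructed, and stages 4 and 5 each get one concrete check (a martian-source test and a URL pattern) standing in for the "various mitigation algorithms" the slide leaves unspecified. The rate limiter is a per-source token bucket.

```python
"""Ordered multilayer cleaning modelled on the six ADS stages listed above.
Added example, not NSFOCUS code: stage logic, record format, policy values and
sample traffic are constructed. A packet is judged by the first stage with an
opinion; stages 4 and 5 each get one concrete check (martian source, URL
pattern) in place of the slide's unspecified "various algorithms"."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dport: int
    proto: str                      # "tcp" or "udp"
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN"}
    url: str = ""                   # HTTP request target, "" if none


# Constructed policy. Addresses are RFC 5737 documentation ranges.
ALLOWED_PORTS = frozenset({80, 443})
URL_ACL = ("/admin",)                               # blocked URL prefixes
WHITELIST = frozenset({"203.0.113.10"})
BLACKLIST = frozenset({"198.51.100.7"})
L7_PATTERNS = (re.compile(r"\?[a-z0-9]{20,}$"),)    # constructed: long random query
PER_SRC_PPS, BURST = 5.0, 5.0                       # stage 6 token bucket
MARTIANS = [ipaddress.ip_network(n) for n in (      # never valid Internet sources
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def protocol_analysis(p: Packet) -> Optional[str]:
    """1. Reject TCP flag combinations no RFC-conformant stack emits."""
    if p.proto == "tcp" and not p.flags:
        return "tcp-null-flags"
    if p.proto == "tcp" and {"SYN", "FIN"} <= p.flags:
        return "tcp-syn+fin"
    return None


def access_control(p: Packet) -> Optional[str]:
    """2. Layer 4 port ACL, then URL ACL."""
    if p.dport not in ALLOWED_PORTS:
        return "l4-acl"
    if any(p.url.startswith(prefix) for prefix in URL_ACL):
        return "url-acl"
    return None


def reputation(p: Packet) -> Optional[str]:
    """3. White list passes straight through, black list is dropped."""
    if p.src in WHITELIST:
        return "whitelist"
    return "blacklist" if p.src in BLACKLIST else None


def l4_flood(p: Packet) -> Optional[str]:
    """4. Source address verification: drop martian sources."""
    addr = ipaddress.ip_address(p.src)
    return "l4-martian-src" if any(addr in net for net in MARTIANS) else None


def l7_flood(p: Packet) -> Optional[str]:
    """5. Pattern matching on the request target."""
    return "l7-pattern" if p.url and any(rx.search(p.url) for rx in L7_PATTERNS) else None


class Cleaner:
    def __init__(self) -> None:
        self.buckets: Dict[str, Tuple[float, float]] = {}  # src -> (tokens, last ts)

    def rate_limit(self, p: Packet) -> Optional[str]:
        """6. Per-source token bucket."""
        tokens, last = self.buckets.get(p.src, (BURST, p.ts))
        tokens = min(BURST, tokens + (p.ts - last) * PER_SRC_PPS)
        allowed = tokens >= 1.0
        self.buckets[p.src] = (tokens - 1.0 if allowed else tokens, p.ts)
        return None if allowed else "rate-limit"

    def process(self, p: Packet) -> Tuple[str, str]:
        """(verdict, reason) from the first stage with an opinion."""
        for stage in (protocol_analysis, access_control):
            reason = stage(p)
            if reason:
                return ("drop", reason)
        rep = reputation(p)
        if rep:
            return ("pass" if rep == "whitelist" else "drop", rep)
        for stage in (l4_flood, l7_flood, self.rate_limit):
            reason = stage(p)
            if reason:
                return ("drop", reason)
        return ("pass", "clean")


ACK = frozenset({"ACK"})
# Constructed sample: one packet per scenario, then a 7-packet burst at t=1.0.
SAMPLE_TRAFFIC: List[Packet] = [
    Packet(0.0, "203.0.113.10", 80, "tcp", ACK, "/"),
    Packet(0.0, "198.51.100.7", 80, "tcp", ACK, "/"),
    Packet(0.0, "198.51.100.20", 80, "tcp"),
    Packet(0.0, "198.51.100.21", 80, "tcp", frozenset({"SYN", "FIN"})),
    Packet(0.0, "198.51.100.22", 53, "udp"),
    Packet(0.0, "198.51.100.23", 443, "tcp", ACK, "/admin/login"),
    Packet(0.0, "10.0.0.5", 80, "tcp", frozenset({"SYN"})),
    Packet(0.0, "198.51.100.24", 80, "tcp", ACK, "/index.html?abcdefghij0123456789"),
] + [Packet(1.0, "198.51.100.30", 80, "tcp", ACK, "/") for _ in range(7)]


def clean(packets: List[Packet]) -> List[Tuple[str, str]]:
    cleaner = Cleaner()
    return [cleaner.process(p) for p in packets]
```

Running `clean(SAMPLE_TRAFFIC)` yields one verdict per sample packet: the whitelisted source passes at stage 3 without ever reaching the flood or rate-limit stages, each malformed or policy-violating packet is dropped with the name of the stage that caught it, and of the seven-packet burst the first five pass and the last two are rate-limited. Note the ordering consequence: because the ACL runs before the reputation list, a whitelisted source requesting a blocked URL is still dropped, which is the behaviour the slide's stage order implies.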

Packet Inspection and Capture

NetFlow information is useless in application-layer DDoS detection; you need advanced packet inspection along with behavioural patterns.
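To make the point about NetFlow concrete, here is an added example that is not part of the slide deck: the same constructed client traffic is reduced to flow records (5-tuple, packet and byte counts, duration) and, separately, inspected at packet level, where a request header that never terminates becomes visible. The addresses, the 30 s header-wait threshold and the 3-connection source threshold are assumptions.

```python
"""Flow records vs. packet inspection for a slow application-layer attack.

Added example, not from the slide deck: the same constructed client traffic is
summarised the way a NetFlow collector sees it (5-tuple, packet and byte
counts, duration) and inspected at packet level, where an HTTP request header
that never terminates is visible. Addresses are RFC 5737 documentation ranges;
the thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]   # src, sport, dst, dport


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def flow_key(p: Pkt) -> FlowKey:
    return (p.src, p.sport, p.dst, p.dport)


def flow_summary(pkts: List[Pkt]) -> Dict[FlowKey, Dict[str, float]]:
    """NetFlow-style view: counters per 5-tuple, payload discarded."""
    flows: Dict[FlowKey, Dict[str, float]] = {}
    for p in pkts:
        f = flows.setdefault(flow_key(p), {"packets": 0, "bytes": 0, "first": p.ts, "last": p.ts})
        f["packets"] += 1
        f["bytes"] += len(p.payload)
        f["last"] = p.ts
    return flows


def stalled_headers(pkts: List[Pkt], now: float, max_header_wait: float = 30.0) -> Dict[str, int]:
    """Packet-inspection view: per source, how many connections have sent a
    partial HTTP request header (no terminating empty line) and have been
    open for at least max_header_wait seconds."""
    data: Dict[FlowKey, bytes] = defaultdict(bytes)
    first: Dict[FlowKey, float] = {}
    for p in pkts:
        data[flow_key(p)] += p.payload
        first.setdefault(flow_key(p), p.ts)
    counts: Dict[str, int] = defaultdict(int)
    for key, buf in data.items():
        if b"\r\n\r\n" not in buf and now - first[key] >= max_header_wait:
            counts[key[0]] += 1
    return dict(counts)


def suspect_sources(pkts: List[Pkt], now: float, min_stalled: int = 3) -> List[str]:
    """Sources holding at least min_stalled incomplete requests open at once;
    a single slow client stays below the threshold."""
    return sorted(src for src, n in stalled_headers(pkts, now).items() if n >= min_stalled)


SERVER = "203.0.113.80"


def _conn(src: str, sport: int, chunks) -> List[Pkt]:
    return [Pkt(ts, src, sport, SERVER, 80, body) for ts, body in chunks]


# Constructed traffic: a normal request, a client whose header is still in
# flight, and one source holding four headers open with one-line dribbles.
HEAD = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
SAMPLE: List[Pkt] = (
    _conn("203.0.113.5", 51000, [(0.0, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")])
    + _conn("203.0.113.6", 51001, [(40.0, HEAD)])
)
for i in range(4):
    SAMPLE += _conn("198.51.100.9", 40000 + i, [(0.0, HEAD)] + [(t, b"X-a: b\r\n") for t in (10.0, 20.0, 30.0)])


if __name__ == "__main__":
    now = 45.0
    for key, f in flow_summary(SAMPLE).items():
        print(f"flow {key}: {f['packets']} pkts, {f['bytes']} bytes, {f['last'] - f['first']:.0f} s")
    print("stalled per source:", stalled_headers(SAMPLE, now))
    print("suspect sources:", suspect_sources(SAMPLE, now))
```

In the flow view every connection is a handful of packets and well under 100 bytes, so the attacking source and the legitimate client are indistinguishable by volume, which is exactly the "low bandwidth, legitimate appearance" property listed earlier. Only the packet-level view can see that a header terminator never arrived and that the source holds several such connections open at once; the single client still typing its request (203.0.113.6) is not flagged at 45 s, and even once its header has been waiting long enough it stays below the per-source threshold.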

Selected Clients

NSFOCUS provides over 4000G+ DDoS mitigation capacity to global customers.

Telecommunications: Korea Telecom
Banking and Finance
Enterprises
Hosting, IDC, ISP, MSSP

About NSFOCUS

Founded in 2000
Over 13 years experience in DDoS mitigation
Dedicated to network security
Jan. 2014 IPO
Over 1,600 employees

Global Business HQ: Santa Clara, USA
CN HQ: Beijing
Regional subsidiaries: US: Santa Clara, US; EMEA: London, UK; Japan: Tokyo, JP; APAC: Singapore

THANK YOU!

Come and talk with us at our booth.
