MobileMonday National Summit Akamai Security Gerhard Giese 2013 Nov 25

Post on 13-May-2015


Gerhard Giese presents new classes of Internet threats (Slow DDoS: Slow Loris, Slow Post, Protocol Attacks, LOIC, HOIC) and KONA as a solution to protect against these.

Transcript of MobileMonday National Summit Akamai Security Gerhard Giese 2013 Nov 25

War Stories from the Cloud

MOMO – 25.11.2013

Gerhard Giese Solution Engineer

©2013 AKAMAI | FASTER FORWARD™

The State of Internet Security: BAD


Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks.

Attack frequency 2013

•  One major DDoS news event happened every two days

•  One common DDoS attack happened every two minutes

(Source: NSFOCUS 2013 mid-year report)

'…Half of the 50 biggest banks have faced security incidents affecting their web applications. Fifteen per cent of those incidents were classified as "high" or "critical" risks, a new study has revealed.' (High Tech Bridge research 2013)


[Chart: Attacks on Akamai Customers, 2009–2013; y-axis "Number of Attacks" (0–1600); bar labels 14, 220, 510, 768]

Typical DDoS attack size: 10 Gbps. Large DDoS attack size: 100+ Gbps.

Attacks are originating from all geographies and are moving between geographies during the attack.


Attacks are Varied and Sophisticated

•  SQL Injection is the most common attack type followed by DoS attacks

•  Attack tools such as LOIC, HOIC and SlowLoris evolve rapidly and are easily available

Top WHID Attacks (Source: Trustwave, Web Hacking Incident DB report):

•  Unreported 37%
•  SQL Injection 27%
•  Denial of Service 23%
•  Banking Trojan 3%
•  Brute Force 3%
•  Stolen Credentials 2%
•  Cross-Site Forgery 2%
•  Predictable Resource Location 2%
•  Clickjacking 1%


Why?

•  State Sponsored
•  Traditional Hackers: Glory Hounds
•  Political Hacktivism
•  Profit


Slow DDoS Attacks

•  SlowLoris: Holds connections open by sending partial HTTP requests but continues to send subsequent headers at regular intervals to keep the sockets from closing.

GET /   (partial request, never completed)

•  Slow POST: Similar to SlowLoris, except that the header is received quickly but the body of the request is sent very slowly, holding resources on the victim's system.

POST / HTTP/1.1
Host: example.com

Field1=abc
Field2=xyz
Field3=123
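Both slow-DDoS variants above are visible from the server side as connections that consume a socket without making progress. The following Python is an added example (not code from the deck or from Akamai) of the per-connection accounting a web server or reverse proxy can keep to flag them: a request head that is still incomplete after a deadline, or a declared body that trickles in below a minimum rate, with a per-source count on top because SlowLoris opens many such connections from one client. The thresholds, the sample connections and the addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Detecting slow-HTTP connections (SlowLoris, slow POST) from the server side.

Added example, not from the Akamai deck. It models what a web server or
reverse proxy can observe on each connection: when it opened, whether the
request head (headers plus blank line) has completed, the declared
Content-Length, and how many body bytes have arrived. Thresholds, sample
connections and addresses (RFC 5737 ranges) are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Conn:
    conn_id: str
    client_ip: str
    opened_at: float               # seconds on a monotonic clock
    buf: bytes = b""
    head_done_at: Optional[float] = None
    content_length: int = 0
    body_bytes: int = 0

    def feed(self, data: bytes, now: float) -> None:
        """Account for bytes received at time `now`."""
        if self.head_done_at is not None:
            self.body_bytes += len(data)
            return
        self.buf += data
        idx = self.buf.find(b"\r\n\r\n")
        if idx == -1:
            return                     # head still incomplete
        self.head_done_at = now
        head = self.buf[:idx].decode("latin-1")
        for line in head.split("\r\n")[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                self.content_length = int(value.strip() or "0")
        self.body_bytes = len(self.buf) - (idx + 4)   # body bytes in the same chunk


def classify(conn, now, head_deadline=10.0, body_grace=10.0, min_body_rate=100.0):
    """Return 'ok', 'slow-headers' or 'slow-body' (rate in bytes/second)."""
    if conn.head_done_at is None:
        return "slow-headers" if now - conn.opened_at > head_deadline else "ok"
    outstanding = conn.content_length - conn.body_bytes
    if outstanding > 0:
        elapsed = now - conn.head_done_at
        if elapsed > body_grace and conn.body_bytes / elapsed < min_body_rate:
            return "slow-body"
    return "ok"


def slow_sources(conns, now, max_slow_per_ip=2):
    """Client IPs holding more than `max_slow_per_ip` slow connections at once."""
    counts = {}
    for c in conns:
        if classify(c, now) != "ok":
            counts[c.client_ip] = counts.get(c.client_ip, 0) + 1
    return {ip for ip, n in counts.items() if n > max_slow_per_ip}


def build_sample():
    """Constructed traffic: one normal request, three SlowLoris-style
    connections from one client, and one slow POST from another."""
    normal = Conn("c1", "198.51.100.7", opened_at=0.0)
    normal.feed(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", 0.2)

    loris = [Conn(f"l{i}", "203.0.113.9", opened_at=0.0) for i in range(3)]
    for c in loris:
        c.feed(b"GET / HTTP/1.1\r\nHost: example.com\r\n", 0.1)
    for t in (5.0, 10.0, 15.0):        # one more header line every few seconds, never the blank line
        for c in loris:
            c.feed(b"X-a: b\r\n", t)

    slowpost = Conn("p1", "192.0.2.33", opened_at=0.0)
    slowpost.feed(b"POST / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 1000\r\n\r\n", 0.3)
    for t in range(1, 16):
        slowpost.feed(b"a", float(t))  # one body byte per second
    return [normal, *loris, slowpost]


def demo(now=16.0):
    """Classify the sample at time `now`; returns (verdict per connection, flagged IPs)."""
    conns = build_sample()
    verdicts = {c.conn_id: classify(c, now) for c in conns}
    return verdicts, slow_sources(conns, now)


if __name__ == "__main__":
    print(demo())
```

In a real server the same decision is what header and body timeouts (and per-client connection limits) implement; the point of the model is that both variants are caught by measuring progress over time rather than by inspecting any single request, because each individual partial request is syntactically valid.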



Denial of Service: Protocol Attacks

"Valid" request:

SRC IP: 18.34.327.32  DST IP: 80.67.614.10  PROT: TCP
SRC PORT: 25578  DST PORT: 80  FLAGS: ACK
GET / HTTP/1.1
Host: example.com

(The addresses are the slide's own placeholders; 327 and 614 are not valid IPv4 octets.)

SYN Flood:

SRC PORT: 25578  DST PORT: 80  FLAGS: SYN
SRC PORT: 25579  DST PORT: 80  FLAGS: SYN
SRC PORT: 25580  DST PORT: 80  FLAGS: SYN
SRC PORT: 25581  DST PORT: 80  FLAGS: SYN
SRC PORT: 25582  DST PORT: 80  FLAGS: SYN

ICMP Flood (the same packet line is repeated 23 times on the slide):

SRC IP: 18.34.327.32  DST IP: 80.67.614.10  PROT: ICMP
SRC IP: 18.34.327.32  DST IP: 80.67.614.10  PROT: ICMP
SRC IP: 18.34.327.32  DST IP: 80.67.614.10  PROT: ICMP
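The SYN and ICMP floods above are recognisable by volume per source and, for SYNs, by the handshakes that never complete. The Python below is an added example (not from the deck or from Akamai) of that rate-based detection run over packet records carrying the same fields the slide shows; the sample packets, thresholds and addresses (RFC 5737 ranges) are constructed for the example.

```python
"""Rate-based detection of SYN and ICMP floods over packet records.

Added example, not from the Akamai deck. Each record carries the fields the
slide shows (src_ip, dst_ip, prot, src_port, dst_port, flags) plus a
timestamp `t` in seconds. Sample traffic, thresholds and addresses (RFC 5737
documentation ranges) are constructed for the example.
"""
from collections import defaultdict


def build_sample():
    """Constructed packet log: one normal TCP handshake, one SYN flood source
    and one ICMP flood source, all aimed at 192.0.2.10."""
    pkts = []
    # Normal client: SYN, then ACK, then the request-carrying segment.
    pkts.append(dict(t=0.00, src_ip="198.51.100.7", dst_ip="192.0.2.10",
                     prot="TCP", src_port=25578, dst_port=80, flags="SYN"))
    pkts.append(dict(t=0.05, src_ip="198.51.100.7", dst_ip="192.0.2.10",
                     prot="TCP", src_port=25578, dst_port=80, flags="ACK"))
    pkts.append(dict(t=0.06, src_ip="198.51.100.7", dst_ip="192.0.2.10",
                     prot="TCP", src_port=25578, dst_port=80, flags="PSH,ACK"))
    # SYN flood: 50 SYNs within one second from fresh source ports, never completed.
    for i in range(50):
        pkts.append(dict(t=0.02 * i, src_ip="203.0.113.5", dst_ip="192.0.2.10",
                         prot="TCP", src_port=40000 + i, dst_port=80, flags="SYN"))
    # ICMP flood: 40 packets within one second.
    for i in range(40):
        pkts.append(dict(t=0.025 * i, src_ip="203.0.113.6", dst_ip="192.0.2.10",
                         prot="ICMP", src_port=None, dst_port=None, flags=""))
    return pkts


def max_in_window(times, window):
    """Largest number of timestamps falling inside any span of `window` seconds."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best


def detect_floods(pkts, window=1.0, syn_threshold=20, icmp_threshold=20):
    """Return (src_ip, kind, peak_per_window, detail) alerts.

    SYN flood: more than `syn_threshold` SYN-only segments from one source in
    any window; `detail` is the number of that source's SYN source ports that
    never sent an ACK (a proxy for half-open connections).
    ICMP flood: more than `icmp_threshold` ICMP packets from one source in any
    window; `detail` is the total ICMP count from that source.
    """
    syn_times, syn_ports = defaultdict(list), defaultdict(set)
    acked_ports = defaultdict(set)
    icmp_times = defaultdict(list)
    for p in pkts:
        if p["prot"] == "TCP":
            flags = {f.strip() for f in p["flags"].split(",") if f.strip()}
            if flags == {"SYN"}:
                syn_times[p["src_ip"]].append(p["t"])
                syn_ports[p["src_ip"]].add(p["src_port"])
            elif "ACK" in flags:
                acked_ports[p["src_ip"]].add(p["src_port"])
        elif p["prot"] == "ICMP":
            icmp_times[p["src_ip"]].append(p["t"])

    alerts = []
    for src, times in syn_times.items():
        peak = max_in_window(times, window)
        if peak > syn_threshold:
            half_open = len(syn_ports[src] - acked_ports[src])
            alerts.append((src, "SYN flood", peak, half_open))
    for src, times in icmp_times.items():
        peak = max_in_window(times, window)
        if peak > icmp_threshold:
            alerts.append((src, "ICMP flood", peak, len(times)))
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(build_sample()):
        print(alert)
```

The normal client sends one SYN and then ACKs from the same port, so it never reaches the threshold and its handshake is not counted as half-open; the flood source's SYNs are all from distinct ports and none is followed by an ACK, which is the signal a SYN-cookie or connection-tracking defence keys on.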

Apache Killer:

HEAD / HTTP/1.1
Host: example.com
Range: bytes=0-,5-0,5-1,5-2,5-3....,5-1299
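What makes the Apache Killer request costly is the Range header: well over a thousand byte ranges, many of them reversed (5-0, 5-1, ...) and all overlapping the open range 0-. The Python below is an added example (not from the deck, from Akamai, or from the Apache project) of a request-side check that parses such a header, ignores reversed ranges (RFC 7233 says a first-byte-pos greater than last-byte-pos must be ignored) and rejects requests whose ranges are too many or overlap. The range limit is an illustrative policy value, and the full 5-0 to 5-1299 run is generated to reconstruct what the slide elides with "....".

```python
"""Checking a Range header for the pattern behind the 'Apache Killer' request.

Added example, not from the Akamai deck or from Apache httpd. Reversed ranges
are dropped as RFC 7233 requires; the request is rejected when the remaining
ranges exceed `max_ranges` (an illustrative policy value) or overlap.
"""
import re

RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_ranges(header_value):
    """Return (ranges, invalid) for a 'bytes=...' Range value.

    Each range is (first, last); first=None means a suffix range ('-500'),
    last=None means open-ended ('0-'). Syntactically broken or reversed
    specs are counted in `invalid` and left out of `ranges`.
    """
    unit, sep, spec = header_value.partition("=")
    if sep != "=" or unit.strip().lower() != "bytes":
        return [], 1
    ranges, invalid = [], 0
    for part in spec.split(","):
        m = RANGE_SPEC.match(part)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            invalid += 1
            continue
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and first > last:
            invalid += 1          # reversed, e.g. '5-0': unsatisfiable
            continue
        ranges.append((first, last))
    return ranges, invalid


def resolve(ranges, content_length):
    """Map ranges onto concrete (start, end) offsets for a body of
    `content_length` bytes, dropping ranges that start past the end."""
    out = []
    for first, last in ranges:
        if first is None:                     # suffix: the last `last` bytes
            start = max(0, content_length - last)
            end = content_length - 1
        else:
            if first >= content_length:
                continue
            start = first
            end = content_length - 1 if last is None else min(last, content_length - 1)
        out.append((start, end))
    return sorted(out)


def assess_range_header(header_value, content_length, max_ranges=64):
    """Policy decision for one request: stats plus 'accept' or 'reject'."""
    ranges, invalid = parse_ranges(header_value)
    concrete = resolve(ranges, content_length)
    overlapping = any(concrete[i][0] <= concrete[i - 1][1]
                      for i in range(1, len(concrete)))
    reject = len(ranges) > max_ranges or overlapping
    return {
        "ranges": len(ranges),
        "invalid": invalid,
        "overlapping": overlapping,
        "verdict": "reject" if reject else "accept",
    }


# Constructed reconstruction of the slide's header; the slide elides the middle
# with '....', here the whole 5-0 .. 5-1299 run is generated.
APACHE_KILLER_RANGE = "bytes=0-," + ",".join(f"5-{i}" for i in range(1300))


if __name__ == "__main__":
    print(assess_range_header(APACHE_KILLER_RANGE, content_length=100_000))
    print(assess_range_header("bytes=0-499,500-999", content_length=100_000))
```

Overlap is checked on the resolved offsets rather than on the raw specs, so a suffix range or an open-ended range is compared against the others correctly; legitimate multi-range requests (video players, download resumers) use a handful of disjoint ranges and pass.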


Low Orbit Ion Cannon (LOIC)

Attack tool developed for Operation Payback

•  Continues to be developed today

•  Range of attack capabilities:
   • TCP (SYN Flood)
   • UDP packet floods
   • HTTP request floods

Users download the tool, insert the target URL or IP and press GO!


New Attack Tools Being Developed: High Orbit Ion Cannon (HOIC)

Variant of LOIC – but harder to block

•  High speed multi-threaded HTTP flooding tool
•  Targets up to 256 sites at a time
•  Rotates header parameters
•  Rotates URLs to be targeted

Is this still current?


Why traditional defenses fail

[Chart: Traditional Data Center – Traffic, log-scale axis from 1 to 10000]


Provides protection from the increasing frequency, scale and sophistication of Web attacks. Helps prevent downtime by extending the security perimeter outside the data center.


•  Average traffic levels of over 6 Tbps
•  Peak traffic levels to date of ~10 Tbps
•  Handling ~20 million hits/second, on average
•  15-30% of world web traffic

The Platform: 800+ Cities, 2,000+ Locations, 84 Countries, 1,100+ Networks, 130,000+ Servers


Akamai Web Site Security

[Diagram: request path through Network Firewall, Web Application Firewall, Application or Database Server, Customer Database and Web Server (Origin)]

Traditional Data Center Security:
•  Limited scalability
•  Self-managed or MSSP
•  Off the shelf solution

Akamai Web Site Security:
•  Massively scalable solution
•  Coordinated response
•  Highly differentiated
•  Proven

Covers: DDoS Protection (Network and Application Layers); Web Application; Direct-to-Origin; and DNS attacks


The Akamai Platform Provides a Perimeter Defense

[Chart: End-User traffic arriving at the Akamai platform ("Akamai Traffic") versus traffic reaching the origin ("Origin Traffic"), log-scale axes from 1 to 100000]


QR code – did you scan it?