BISC 2013: Hosting and security
Transcript of BISC 2013: Hosting and security
Frank Louwers - Security challenges in a hosting environment - 20131024
Frank Louwers, Openminds bvba, Co-founder and COO
Managed Hosting
(D)DoS attacks are not new
Used to be targeted at:
• Competing game clans
• IRC servers
• Political parties
DDoS attack shift
• “Occupy movement”: a lot of attacks on banks
• Political parties
• “Companies and organisations with negative press” (Monsanto, press agency of the Belgian Catholic Church, ...)
Attacks we can’t explain
• Radio stations?!
• Software development companies
• B2B online shops?
DDoS attacks: new tricks
• Amplification attacks: the attacker sends a 2 Mbps stream, which gets multiplied by 20, resulting in a 40 Mbps attack
• Now multiply by 100 bots, so a 4 Gbps attack
• Badly configured DNS servers
• DNSSEC makes the problem worse (signed responses are larger, so the amplification factor grows)
Protect against DDoS attacks
• UDP: yes, can be blocked by decent routers
• SYN flood: difficult (compare it to tickets at the butcher's: every request takes a number, and the attacker's numbers are never served)
• Huge amount of bandwidth: impossible: 100 000 cars on a road built for 100 cars (only option: remove the road signs)
Protection by external firms
• Good ones: very, very, very expensive (but they work!)
• Cheaper ones: no “unlimited” protection
• 2013: large number of new cheap players
• Some of them Russian and very cheap
• Would you pay the attacker to block the attack?
Conclusion: “the new normal”
• DDoS attacks are here to stay
• Invest in tools to detect the attack
• Invest in procedures: know how to respond
• Get to know the external players
• Insurance? Some insurance companies cover this
About that firewall...
Or why your firewall isn't going to help much (in a hosting environment)
Traditional big firewall is useless
• Will not protect you against 99.5% of the break-ins we see
• Bad code in CMS/websites (> 98%)
• Stolen credentials (caused by spyware)
• Infected customer computers used as launch platform
• Not flexible enough (cloud, scaling, ...)
• Unmaintainable, unupgradeable
We are under attack...
• All the time
• Every server
• Impossible to filter the signal out of the noise
• Or at least very difficult
So what does work?
The Onion Model
Onion model
• Maintained website (ask for a maintenance contract)
• Written in the right mindset (“we will be attacked”)
• Small, efficient host firewalls
• Try to detect anomalies
• Force secure credentials or 2-factor authentication
• Make customers aware of the problems, teach them ...
• Know what happens on the network
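The two detection points in this onion model (“try to detect anomalies”, “know what happens on the network”) and the conclusion's “invest in tools to detect the attack” are where a hoster can actually act. The script below is an added example, not code from the talk or from Openminds: it runs two simple detectors over constructed packet summaries (assumed to come from a flow collector or packet sampler; the Pkt layout, the addresses and the thresholds are all made up for this page). One detector flags hosts that receive many bare SYNs which never turn into established traffic (the butcher's-tickets SYN flood); the other flags inbound UDP from reflector ports (DNS, NTP, SSDP, SNMP) that exceeds several times the median per-second baseline, which is the pattern of the amplification attacks described earlier.

```python
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Pkt:
    """One packet summary, as a flow collector or sampler would hand it over.
    The field layout is an assumption of this example."""
    second: int      # capture time in whole seconds since the start of the sample
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    size: int        # bytes on the wire
    flags: str = ""  # TCP flags as letters: "S" = bare SYN, "A" = ACK set, ...


# UDP services that answer small queries with large responses and so get abused
# as amplifiers: DNS, NTP, SSDP, SNMP.
REFLECTOR_PORTS = {53, 123, 1900, 161}


def constructed_sample() -> List[Pkt]:
    """Deterministic, constructed traffic (RFC 5737 documentation addresses):
    normal web sessions and DNS replies, plus one SYN flood and one burst of
    amplified DNS replies. Nothing here is captured traffic."""
    pkts: List[Pkt] = []
    web, api = "203.0.113.10", "203.0.113.20"
    # Ten legitimate sessions to each host: a SYN followed by ACK-bearing packets.
    for i in range(10):
        for host in (web, api):
            client = f"198.51.100.{i + 1}"
            pkts.append(Pkt(i % 5, client, host, "tcp", 40000 + i, 443, 60, "S"))
            pkts.append(Pkt(i % 5, client, host, "tcp", 40000 + i, 443, 60, "A"))
    # Background: three small DNS replies per second to the API host.
    for sec in range(10):
        for j in range(3):
            pkts.append(Pkt(sec, f"192.0.2.{j + 1}", api, "udp", 53, 50000 + j, 100))
    # SYN flood: 200 bare SYNs from spoofed sources to the web host; none complete.
    for i in range(200):
        pkts.append(Pkt(i % 10, f"192.0.2.{i % 250 + 1}", web, "tcp", 1024 + i, 443, 60, "S"))
    # Amplification burst in second 5: 30 large DNS replies reflected at the API host.
    for i in range(30):
        pkts.append(Pkt(5, f"198.51.100.{200 + i}", api, "udp", 53, 33000, 3000))
    return pkts


def syn_flood_candidates(pkts, min_syns=50, max_ack_ratio=0.1) -> Dict[str, int]:
    """Hosts that receive many bare SYNs while hardly any ACK-carrying packets
    arrive for them: tickets are being taken at the counter but nobody shows up."""
    syns, acks = Counter(), Counter()
    for p in pkts:
        if p.proto != "tcp":
            continue
        if p.flags == "S":
            syns[p.dst] += 1
        elif "A" in p.flags:
            acks[p.dst] += 1
    return {dst: n for dst, n in syns.items()
            if n >= min_syns and acks[dst] / n <= max_ack_ratio}


def reflector_baseline(pkts) -> float:
    """Median bytes per second arriving from reflector ports; the median is used
    so that the attack second itself does not inflate the baseline."""
    per_sec = defaultdict(int)
    for p in pkts:
        if p.proto == "udp" and p.sport in REFLECTOR_PORTS:
            per_sec[p.second] += p.size
    return statistics.median(per_sec.values()) if per_sec else 0.0


def amplification_candidates(pkts, baseline_bps, factor=5) -> List[Tuple[int, str, int]]:
    """(second, destination, bytes) where reflector-port UDP volume exceeds
    `factor` times the baseline."""
    volume = defaultdict(int)
    for p in pkts:
        if p.proto == "udp" and p.sport in REFLECTOR_PORTS:
            volume[(p.second, p.dst)] += p.size
    return sorted((sec, dst, b) for (sec, dst), b in volume.items()
                  if b > factor * baseline_bps)


if __name__ == "__main__":
    sample = constructed_sample()
    print("SYN flood candidates:", syn_flood_candidates(sample))
    base = reflector_baseline(sample)
    print(f"reflector baseline {base:.0f} B/s; amplification candidates:",
          amplification_candidates(sample, base))
```

The thresholds (50 SYNs, 10% ACK ratio, 5x baseline) are placeholders; in a real hosting network they are tuned per host class from a few days of normal traffic. Taking the median rather than the mean for the baseline matters: a single attack second would otherwise raise the mean enough to hide itself.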
... and automate
• Human factor is the weakest link
• So take away the human factor where possible
• Automate configuration management:
  • Fewer mistakes
  • Quickly apply a fix to a large number of servers
Hosting providers and the law
Which laws apply?
• “Laws of the country where the server is located apply”
• “Laws of the country where the company HQ is apply”
• But that's not always the case!
Servers in Europe, US laws
• Amazon Ireland, Microsoft Azure Europe, Rackspace UK
• Are all American companies, or controlled by a US entity
• So they must follow US law!
• PATRIOT Act
• (so the FBI can get a copy of your data without a warrant)
Networks
• Almost all of the big networks are American
• So assume “they” can read everything you put on the wire
• So use good encryption or VPN links
• AMS-IX wanted to open a US branch
• Huge concerns by members!
Snowden and the NSA
• It has become clear that the NSA has access to a lot of data
• Why is there no real outrage?
• Do we really think this is “normal”? Do we accept this?
Laws that change everything
Last proposal for an “Internet tap”:
• Coffee bar next door that offers free WiFi
• Forced to buy a 25 000 € tap box
• To allow police to tap the “public network”
Laws that change everything
• Data-retention law:
  • Vague, “details” (= the entire law) to be filled in by RD
  • Clearly targeted at the “small fish”
  • A real criminal rents a 30 euro dedicated service, no logs
Laws that change everything
• A lot of “Notice and Take Down” proposals:
  • Requires us, as a hoster, to be a judge.
• We are not judges, and don't want to be!
• Changes the intent of the current law completely!
  • “Mere conduit” vs “judge”