MobileMonday National Summit Akamai Security Gerhard Giese 2013 Nov 25


description

Gerhard Giese presents new classes of Internet threats such as slow DDoS (Slowloris, Slow POST), protocol attacks, LOIC and HOIC, and Akamai's KONA as a solution for protecting against them.

Transcript of MobileMonday National Summit Akamai Security Gerhard Giese 2013 Nov 25

Page 1: MobileMonday National Summit Akamai Security Gerhard Giese 2013 Nov 25

War Stories from the Cloud

MOMO – 25.11.2013

Gerhard Giese Solution Engineer

Page 2

©2013 AKAMAI | FASTER FORWARDTM

The State of Internet Security: BAD

Page 3: MobileMonday National Summit Akamai Security Gerhard Giese 2013 Nov 25

©2013 AKAMAI | FASTER FORWARDTM

Avoid data theft and downtime by extending the security perimeter outside the data center, protecting against the increasing frequency, scale and sophistication of web attacks.

Attack frequency 2013

•  One major DDoS news event happened every two days

•  One common DDoS attack happened every two minutes

(2013 NSFOCUS mid-year report)

'... Half of the 50 biggest banks have faced security incidents affecting their web applications. Fifteen per cent of those incidents were classified as "high" or "critical" risks, a new study has revealed.' (High Tech Bridge research 2013)

Page 4

Typical DDoS attack size: 10 Gbps. Large DDoS attack size: 100+ Gbps.

(Chart: Attacks on Akamai Customers, number of attacks per year for 2009 to 2013, vertical axis 0 to 1600; bar values shown: 14, 220, 510 and 768.)

Attacks are originating from all geographies and are moving between geographies during the attack.

Page 5

Attacks are Varied and Sophisticated

•  SQL Injection is the most common attack type, followed by DoS attacks

•  Attack tools such as LOIC, HOIC and SlowLoris evolve rapidly and are easily available

Top WHID Attacks (Source: Trustwave, Web Hacking Incident DB report):

•  Unreported 37%
•  SQL Injection 27%
•  Denial of Service 23%
•  Banking Trojan 3%
•  Brute Force 3%
•  Predictable Resource Location 2%
•  Cross-Site Forgery 2%
•  Stolen Credentials 2%
•  Clickjacking 1%

Page 6

Why?

•  State Sponsored
•  Traditional Hackers: Glory Hounds
•  Political Hacktivism
•  Profit

Page 7

Slow DDoS Attacks

•  Slowloris: holds connections open by sending partial HTTP requests, then keeps sending further headers at regular intervals so the sockets never close.

  G E T /   (the request is trickled out a few bytes at a time)

•  Slow POST: similar to Slowloris, except that the headers arrive quickly and the body of the request is sent very slowly, holding resources on the victim's system.

  POST / HTTP/1.1
  Host: example.com

  Field1=abc Field2=xyz Field3=123
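How a server-side read timeout with a minimum data rate defeats both slow-request patterns, as an added example that is not part of the deck: the policy follows the semantics of Apache's mod_reqtimeout `RequestReadTimeout header=20-40,MinRate=500` (an assumption; the same budget logic is applied to the body phase of a Slow POST by its `body=` setting) and replays constructed connection traces, not captured traffic.

```python
"""Defender-side model of slow-header (Slowloris-style) connection handling.

Added example, not from the deck. The policy mirrors Apache's mod_reqtimeout
directive `RequestReadTimeout header=20-40,MinRate=500` as assumed here: a
connection gets 20 s to finish its request headers, every 500 header bytes
received buys one more second, and the deadline never exceeds 40 s. A client
that trickles one short header line at a time never earns enough extension,
so the server closes the socket instead of holding a worker indefinitely.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HeaderReadPolicy:
    initial_timeout: float = 20.0  # seconds granted when the connection opens
    max_timeout: float = 40.0      # hard cap on total header read time
    min_rate: float = 500.0        # header bytes per second a client must sustain


def header_read_verdict(events, policy=HeaderReadPolicy()):
    """Replay header-byte arrivals on one connection.

    `events` is a list of (t, nbytes, headers_complete) tuples with t in
    seconds since the connection opened. Returns ("complete", t) if the
    headers finished before the deadline, else ("timeout", deadline) giving
    the moment the server would have closed the socket.
    """
    deadline = policy.initial_timeout
    for t, nbytes, headers_complete in sorted(events):
        if t > deadline:
            return ("timeout", deadline)
        # each byte received buys 1/min_rate seconds, capped at max_timeout
        deadline = min(policy.max_timeout, deadline + nbytes / policy.min_rate)
        if headers_complete:
            return ("complete", t)
    return ("timeout", deadline)  # connection went idle without finishing


# Constructed traces, not captured traffic.
# A browser sends ~600 bytes of headers within 0.3 s ...
NORMAL_CLIENT = [(0.1, 350, False), (0.3, 250, True)]
# ... a Slowloris-style client sends one 24-byte header line every 15 s and
# never sends the blank line that ends the request.
SLOW_CLIENT = [(15.0 * i, 24, False) for i in range(1, 20)]

if __name__ == "__main__":
    print("normal:", header_read_verdict(NORMAL_CLIENT))  # ('complete', 0.3)
    print("slow:  ", header_read_verdict(SLOW_CLIENT))    # closed before line 2 arrives
```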

Page 8

Denial of Service: Protocol Attacks

"Valid" Request:
  SRC IP: 18.34.327.32  DST IP: 80.67.614.10  PROT: TCP
  SRC PORT: 25578  DST PORT: 80  FLAGS: ACK
  GET / HTTP/1.1
  Host: example.com

SYN Flood (one SYN from each successive source port):
  SRC PORT: 25578  DST PORT: 80  FLAGS: SYN
  SRC PORT: 25579  DST PORT: 80  FLAGS: SYN
  SRC PORT: 25580  DST PORT: 80  FLAGS: SYN
  SRC PORT: 25581  DST PORT: 80  FLAGS: SYN
  SRC PORT: 25582  DST PORT: 80  FLAGS: SYN

ICMP Flood (the slide repeats this line 23 times):
  SRC IP: 18.34.327.32  DST IP: 80.67.614.10  PROT: ICMP

Apache Killer:
  HEAD / HTTP/1.1
  Host: example.com
  Range: bytes=0-,5-0,5-1,5-2,5-3....,5-1299
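A front-end check that neutralises the Apache Killer request shown above, as an added example that is not part of the deck: it parses the Range header the way a reverse proxy or WAF would and strips it when the ranges are too many or overlap; the five-range limit is an assumption drawn from common hardening guidance, and the inputs are constructed.

```python
"""Defender-side check for Apache Killer style Range headers.

Added example, not from the deck. The slide's HEAD request lists hundreds of
byte ranges ("bytes=0-,5-0,5-1,..."); serving each as a separate part is what
exhausted the origin. A proxy or WAF can parse the header and drop it, so the
whole resource is served instead, when the ranges are too many or overlap. The
limit of five ranges is an assumption from common hardening guidance.
"""
import re

RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")  # first-last, first-, or -suffix

def parse_byte_ranges(value):
    """Parse 'bytes=a-b,c-,-d' to (first, last) tuples; None marks an open side."""
    unit, _, specs = value.strip().partition("=")
    if unit.strip().lower() != "bytes":
        raise ValueError("unsupported range unit: %r" % unit)
    ranges = []
    for spec in specs.split(","):
        m = RANGE_SPEC.match(spec.strip())
        if not m or not (m.group(1) or m.group(2)):
            raise ValueError("malformed range spec: %r" % spec)  # e.g. '' or 'abc'
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        ranges.append((first, last))
    return ranges

def ranges_overlap(ranges):
    """True if two ranges share a byte; suffix ranges (-d) are not compared."""
    closed = sorted(((f, l) for f, l in ranges if f is not None), key=lambda r: r[0])
    for (_, l1), (f2, _) in zip(closed, closed[1:]):
        if l1 is None or f2 <= l1:  # open-ended or starts inside the previous range
            return True
    return False

def range_header_verdict(value, max_ranges=5):
    """'forward' a benign header, 'strip' an abusive one, 'reject' a malformed one."""
    try:
        ranges = parse_byte_ranges(value)
    except ValueError:
        return "reject"
    if len(ranges) > max_ranges or ranges_overlap(ranges):
        return "strip"  # origin then serves the whole resource once
    return "forward"

# Constructed inputs: a normal download-resume request and the slide's pattern.
RESUME_DOWNLOAD = "bytes=1048576-"
APACHE_KILLER = "bytes=0-," + ",".join("5-%d" % i for i in range(1300))
```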

Page 9

Low Orbit Ion Cannon (LOIC)

Attack tool developed for Operation Payback

•  Continues to be developed today
•  Range of attack capabilities: TCP (SYN flood), UDP packet floods, HTTP request floods

Users download the tool, insert the target URL or IP and press GO!

Page 10

New Attack Tools Being Developed: High Orbit Ion Cannon (HOIC)

Variant of LOIC, but harder to block:
•  High speed multi-threaded HTTP flooding tool
•  Targets up to 256 sites at a time
•  Rotates header parameters
•  Rotates URLs to be targeted

Is this still current?

Page 11

Why traditional approaches fail

(Chart: Traditional Data Center; traffic on a logarithmic scale from 1 to 10,000.)

Page 12

Provides protection from the increasing frequency, scale and sophistication of Web attacks. Helps prevent downtime by extending the security perimeter outside the data center.

Page 13

•  Average traffic levels of over 6 Tbps
•  Peak traffic levels to date of ~10 Tbps
•  Handling ~20 million hits/second, on average
•  15-30% of world web traffic

The Platform: 800+ cities, 2,000+ locations, 84 countries, 1,100+ networks, 130,000+ servers

Page 14

Akamai Web Site Security vs. Traditional Data Center Security

Akamai Web Site Security:
•  Massively scalable solution
•  Coordinated response
•  Highly differentiated
•  Proven
•  Covers DDoS protection (network and application layers), web application, direct-to-origin and DNS attacks

Traditional Data Center Security (components: Network Firewall, Web Application Firewall, Web Server (Origin), Application or Database Server, Customer Database):
•  Limited scalability
•  Self-managed or MSSP
•  Off the shelf solution

Page 15

The Akamai Platform Provides a Perimeter Defense

(Chart: two logarithmic traffic scales, 1 to 100,000, labelled Origin Traffic and Akamai Traffic, with the End-User at the edge.)

Page 16

Page 17

QR code – did you scan it?