Distributed Denial of Service attacks (DDoS) 101

Upload: wremes

Posted on 26-May-2015

Category: Technology

DESCRIPTION

Presentation on DDoS and potential countermeasures for enterprise applications.

TRANSCRIPT

Page 1: Distributed Denial Of Service Introduction

Distributed Denial of Service attacks (DDoS) 101

Page 2: Distributed Denial Of Service Introduction

AGENDA

- History
- What is it?
- Basic Protection
- Advanced Protection
- Next Steps

Page 3: Distributed Denial Of Service Introduction

Examples

[Figure: timeline]
- 2002: DNS root servers attacked
- 2007: Estonia attacks
- 2010 / 2012: DNS attacks, commercial targets

Page 4: Distributed Denial Of Service Introduction

What is it?

too many requests... can't handle*

* this actually happened at a CCC congress in Berlin

Page 5: Distributed Denial Of Service Introduction

What is it?

[Figure: attack traffic against the infrastructure and its backup infrastructure (L1) and against the application (L2, L2')]

- Level 1: Network-based (D)DoS
- Level 2: Application-level (D)DoS
- Level 2': Economic (D)DoS
- Process (D)DoS

Page 6: Distributed Denial Of Service Introduction

What is it?

[Figure: L1 infrastructure: a command & control host (@) directing botnet nodes (c) at the main and backup servers (s)]

some terminology:
• node
• command & control
• recruitment
• attrition
• rate of growth/decay

Page 7: Distributed Denial Of Service Introduction

What is it?

[Figure: L2 application: web server, app servers, db servers]

XML entity-expansion payload ("billion laughs") shown on the slide:

<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
 <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
 <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
 <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
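The slide shows the payload but not the defence. The point of the "billion laughs" document is that nine nested entity declarations expand a few hundred bytes into roughly a billion copies of "lol" inside the XML parser, exhausting memory on the app server (a Level 2 DoS from a single request). The parser-side countermeasure is to refuse DTDs and entity declarations from untrusted clients before anything is expanded. The following Python is an added example, not code from the deck: it rebuilds the slide's payload for testing and shows a parser wrapper that rejects it. The 64 KiB body cap and the handler names are assumptions of this example.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET

MAX_BODY_BYTES = 64 * 1024  # assumed request-body cap for this example; tune per application


class UnsafeXML(ValueError):
    """Raised when an untrusted document uses features that enable entity expansion."""


def billion_laughs() -> bytes:
    """Rebuild the payload from the slide: lol, lol2 ... lol9, each ten references to the previous one."""
    entities = ['<!ENTITY lol "lol">']
    for i in range(2, 10):
        prev = "lol" if i == 2 else f"lol{i - 1}"
        refs = f"&{prev};" * 10
        entities.append(f'<!ENTITY lol{i} "{refs}">')
    doc = '<?xml version="1.0"?><!DOCTYPE lolz [' + " ".join(entities) + "]><lolz>&lol9;</lolz>"
    return doc.encode()


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted client, refusing any DOCTYPE or entity declaration.

    Expat reports the DOCTYPE and each <!ENTITY> declaration as it is read, before any
    reference is expanded, so raising from the handler stops the parse before the nested
    references are ever resolved.
    """
    if len(data) > MAX_BODY_BYTES:
        raise UnsafeXML(f"document of {len(data)} bytes exceeds cap of {MAX_BODY_BYTES}")

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} is not allowed in untrusted input")

    def reject_entity(*_):
        raise UnsafeXML("entity declarations are not allowed in untrusted input")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    try:
        parser.Parse(data, True)  # an exception raised inside a handler propagates out of Parse()
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML: {exc}") from exc
    # No DTD was present, so only the five predefined entities can occur: safe to build the tree.
    return ET.fromstring(data)


def is_safe_xml(data: bytes) -> bool:
    """Convenience wrapper: True if the document was accepted and parsed."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXML:
        return False


if __name__ == "__main__":
    order = b'<order><item sku="A1">2</item></order>'  # constructed benign request body
    print("benign order accepted:", is_safe_xml(order))              # True
    print("billion laughs accepted:", is_safe_xml(billion_laughs()))  # False
```

Rejecting the DOCTYPE outright is the simplest policy and is what most API front ends want; if a service genuinely needs DTDs, the same handler can instead count declarations and nesting depth and reject past a threshold. Recent Expat builds also enforce an amplification limit of their own, but relying on the parser's default is version dependent, whereas the explicit check above behaves the same everywhere.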

Page 8: Distributed Denial Of Service Introduction

Basic Protection

[Figure: botnet (command & control at @, nodes c) attacking the main and backup servers (s); protection can sit on premise, at the ISP, or at a CDN (content distribution network)]

On premise:
- hardware limitations
- no control over bandwidth
- limited 'intelligence'

ISP:
- hardware limitations
+ (some) control over bandwidth
+ increased 'intelligence'

CDN (content distribution network):
+ no hardware limitations
+ no bandwidth limits
+ intelligence
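The 'intelligence' the slide credits to the ISP and CDN tiers is, at its most basic, the ability to tell a client that sends too many requests from one that behaves, and to drop the former before it reaches the application. A per-client token bucket is the standard building block for that. The following Python is an added example, not code from the deck: it replays a constructed request log (one normal client, one flooding client; the addresses and the 5 req/s, burst 10 limits are assumptions of this example) through a token bucket and counts what would be admitted and what would be dropped.

```python
from collections import defaultdict


class TokenBucket:
    """Per-client token bucket: each client may burst up to `burst` requests and then
    sustain `rate` requests per second. Timestamps (seconds) are supplied by the caller,
    which keeps the class deterministic for replaying logs."""

    def __init__(self, rate: float, burst: int):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = defaultdict(lambda: self.burst)  # unseen clients start with a full bucket
        self.last_seen = {}

    def allow(self, client: str, now: float) -> bool:
        elapsed = now - self.last_seen.get(client, now)
        tokens = min(self.burst, self.tokens[client] + elapsed * self.rate)
        self.last_seen[client] = now
        if tokens >= 1.0:
            self.tokens[client] = tokens - 1.0
            return True
        self.tokens[client] = tokens  # keep the fractional refill, drop this request
        return False


def filter_requests(log, rate=5.0, burst=10):
    """Replay (timestamp, client) records in time order; return allowed/dropped counts per client."""
    bucket = TokenBucket(rate, burst)
    counts = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, client in sorted(log):
        counts[client]["allowed" if bucket.allow(client, ts) else "dropped"] += 1
    return dict(counts)


# Constructed sample traffic: a well-behaved client sending 1 request/s for 10 s and a
# flooding client firing 50 requests within the same instant (RFC 5737 / private addresses).
SAMPLE_LOG = [(float(t), "10.0.0.5") for t in range(10)] + [(0.0, "198.51.100.7")] * 50


if __name__ == "__main__":
    for client, c in filter_requests(SAMPLE_LOG).items():
        # 10.0.0.5 -> allowed=10 dropped=0; 198.51.100.7 -> allowed=10 dropped=40
        print(f"{client:15} allowed={c['allowed']:3} dropped={c['dropped']:3}")
```

The bucket refills continuously, so the flooding client regains capacity once it backs off: two seconds of silence at 5 req/s restores the full burst of 10. That is the intended behaviour for a single misbehaving client; against a distributed attack, where each node stays under the per-client limit, this layer is not enough on its own, which is the reason the slide pushes the 'intelligence' out to the ISP or CDN, where traffic from many nodes can be correlated.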

Page 9: Distributed Denial Of Service Introduction

Advanced Protection

[Figure: web server, app server and db server tiers, each with a secure config, under centralized management, behind a Web Application Firewall]

- centralized mgmt
- secure config (per tier)
- Web Application Firewall
- SDLC: cloud, "devops"

Page 10: Distributed Denial Of Service Introduction

Advanced Protection

- APP
- DNS
- SSL
- XML

Page 11: Distributed Denial Of Service Introduction

Next Steps?

process: Incident Response

Incident Response
• Prepare
• Integrate service providers
• "know your enemy"

During an attack
• Containment
• Communications
• Business Continuity

After the attack
• Return to normal operations
• lessons learned
• forensics

Page 12: Distributed Denial Of Service Introduction

Next Steps?

quick wins

★ Build standard security components
  ★ encryption
  ★ AuthN/AuthZ
  ★ Logging
  ★ Input/Output validation
  ★ ...

★ Automate standardized processes (leverage tech)
  ★ deployment (including vuln scanning)
  ★ load balancing

Page 13: Distributed Denial Of Service Introduction

Q&A

Page 14: Distributed Denial Of Service Introduction

some terminology:
• node: a computer 'recruited' to the botnet and controlled by the botnet owner.
• command & control (C2): a 'central' authority controlling the botnet, providing the nodes with instructions.
• recruitment: the methods used by the botnet owner to add nodes to his botnet.
• attrition: the loss of nodes from the botnet.
• rate of growth/decay: size + recruitment - attrition