Date posted: 15-Jan-2017 (uploaded by imperva-incapsula, category: Technology)
© 2015 Imperva, Inc. All rights reserved.
An Inside Look at a Sophisticated Multi-Vector DDoS Attack
Nabeel Saeed, Product Marketing Manager, Incapsula
September 2015
Agenda
• What is Imperva Incapsula
• Overview of DDoS attacks
• DDoS attack trends
• Anatomy of a sophisticated DDoS attack
• Lessons learned
Speaker Bio for Nabeel Saeed
• Background
  – 5+ years experience with web application security and SaaS security solutions
  – Held product marketing roles at Imperva, Incapsula, Vertical Systems, etc.
• Contact
  – Email: [email protected]
Imperva Products
Products that cover both Protect and Comply (the slide also shows Partners):
• User Rights Management for File
• Data Loss Prevention
• SecureSphere File Firewall
• File Activity Monitor
• SecureSphere Database Assessment Server
• SecureSphere Database Firewall
• SecureSphere for Big Data
• SecureSphere Database Activity Monitor
• User Rights Management
• Data Masking
• Vulnerability Assessment
• Incapsula Back Door Detection
• Incapsula Website Security
• SecureSphere WAF ThreatRadar
• Skyfence Cloud Discovery
• Skyfence Cloud Analytics
• Skyfence Cloud Protection
• Skyfence Cloud Governance
• Incapsula Infrastructure Protection
• Incapsula Website Protection
• Incapsula Name Server Protection
• SecureSphere WAF
Incapsula Overview
• Performance, Security, Availability
• Solving top operational problems
• Delivered from the cloud
Incapsula Application Delivery Cloud
1. An Overview of DDoS Attacks
DDoS Attacks in the News
What Is a DDoS Attack?
• DDoS attacks
  – Are performed by large groups of infected computers (botnets)
  – Usually require special tools or services to defend against
(Diagram: legitimate traffic and DDoS bots reaching Your Site through Your Internet Connection and Your ISP)
An attack that makes your websites or online infrastructure completely inaccessible.
DDoS Attack Landscape Trends
• The number of DDoS attacks in 2014 vs. 2013: 2x
• Average DDoS attack size in 2014: 15 Gbps
What Are the Main Types of DDoS Attacks?
• Network layer DDoS attacks
  – Consume all available upload and download bandwidth to prevent access to websites
  – "Clogging the pipe to a website"
(Diagram: attack traffic saturating Your Internet Connection between Your ISP and Your Site)
What Are the Main Types of DDoS Attacks? (continued)
• Application layer DDoS attacks
  – Application requests overwhelm the web server or database, causing it to crash
  – The website then becomes unavailable
  – "Overloading the server"
(Diagram: application layer requests passing through Your ISP and Your Internet Connection to Your Site)
Who Is Performing These DDoS Attacks?
• Extortionists – looking for ransom money
• Vandals – looking to cause trouble
• Hacktivists – looking to make a point
• Competitors – looking to keep you out of a deal
What Is the Cost Impact of a DDoS Attack?
• Average cost of a DDoS attack: $40,000 per hour
• 45% of organizations are attacked
• 75% are attacked more than once
• 91% were attacked in the last 12 months
• 10% are attacked on a weekly basis
2. The Anatomy of a Sophisticated DDoS Attack
The Target of the Attack
• Successful SaaS platform
• Very competitive industry – Online trading
• Multi-tenant environment; attacks on a single tenant impact all other tenants
Attack Phase 1 – SYN Flood
• 30Gbps SYN Flood (Volumetric / Network Layer attack)
• Typical of any DDoS attack
  – Easy to perform (given the resources)
• No DNS amplification was used
© 2015 Imperva, Inc. All rights reserved.18
SYN Flood DDoS Trends from Q2 DDoS Report
• SYN floods and large-SYN floods are two of the top three DDoS attack vectors by
  – Frequency
  – Size
Source: Imperva Incapsula - Q2 Global DDoS threat Landscape Report
© 2015 Imperva, Inc. All rights reserved.19
Attack Phase 1 – Mitigation
• Geo-distribution of attack traffic
  – Sharing the load
• Dedicated networking capabilities to deal with volumetric attacks
• Aggressive blacklisting of offending IP addresses
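The "aggressive blacklisting" step above is the part a defender can reason about in code. The following is an added example written for this page (not Incapsula's code and not from the deck): a sliding-window counter over a constructed stream of inbound packet records that lists sources sending bare SYNs without ever completing a handshake. The thresholds, the packet-record format and the sample addresses are all assumptions for illustration. Identification runs continuously, but the per-source block is applied only once the aggregate SYN rate shows a flood, which matches the deck's later point that mitigation should be on call rather than permanently locked down.

```python
from collections import defaultdict, deque

# Tunables are assumptions for this example; a real deployment derives them
# from the protected link's normal SYN rate.
WINDOW_SECONDS = 1.0         # sliding window over which SYNs are counted
AGGREGATE_SYN_LIMIT = 200    # total bare SYNs per window that signals a flood
PER_SOURCE_SYN_LIMIT = 50    # bare SYNs per source per window that earns a block


def detect_syn_offenders(packets, window=WINDOW_SECONDS,
                         aggregate_limit=AGGREGATE_SYN_LIMIT,
                         per_source_limit=PER_SOURCE_SYN_LIMIT):
    """Return (blocklist, flood_detected) for a stream of inbound packets.

    packets: iterable of (timestamp_seconds, src_ip, tcp_flags), sorted by
    time. Only bare SYNs ("S") are counted: a client completing a handshake
    follows its SYN with an ACK, a flood source never does.

    Identification runs all the time, but per-source blocklisting is applied
    only once the aggregate SYN rate shows a flood, so a single busy but
    legitimate client during quiet hours is never listed.
    """
    per_source = defaultdict(deque)   # src_ip -> timestamps of its recent SYNs
    aggregate = deque()               # timestamps of all recent SYNs
    blocklist = set()
    flood_detected = False

    for ts, src, flags in packets:
        if flags != "S":
            continue
        aggregate.append(ts)
        while ts - aggregate[0] > window:
            aggregate.popleft()
        recent = per_source[src]
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(aggregate) > aggregate_limit:
            flood_detected = True
        if flood_detected and len(recent) > per_source_limit:
            blocklist.add(src)
    return blocklist, flood_detected


def build_sample():
    """Constructed packet sample: one legitimate client plus two flood sources."""
    pkts = []
    for i in range(5):                     # normal client: SYN then ACK every 200 ms
        t = i * 0.2
        pkts += [(t, "10.0.0.5", "S"), (t + 0.01, "10.0.0.5", "A")]
    for i in range(300):                   # flood source at 300 bare SYNs/s
        pkts.append((i / 300, "198.51.100.7", "S"))
    for i in range(120):                   # second flood source at 120 bare SYNs/s
        pkts.append((i / 120, "203.0.113.9", "S"))
    pkts.sort(key=lambda p: p[0])
    return pkts


if __name__ == "__main__":
    blocked, flooded = detect_syn_offenders(build_sample())
    print("flood detected:", flooded)
    print("blocklist:", sorted(blocked))
```

One caveat a practitioner will raise immediately: SYN flood sources are often spoofed, so a per-address list catches only the attackers who reuse real addresses. That is why the slide pairs blacklisting with raw capacity and geo-distribution rather than relying on it alone.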
Attack Phase 2 – HTTP Flood
• HTTP flood DDoS attack with 10M requests per second
• Targeting "resource intensive" pages
• "The smoke screen" for other application layer attacks
  – This type and level of attack persisted for weeks
Application DDoS Trends from Q2 DDoS Report
• In Q2 2015 we saw that application layer attacks were
  – Shorter in duration than in the past
  – More frequently recurring
Source: Imperva Incapsula - Q2 Global DDoS threat Landscape Report
Attack Phase 2 – Mitigation
• Employ anti-bot technology
• Use non-intrusive progressive challenges to differentiate legitimate browsers from bots
  – IP address and ASN info
  – Cookie support variations
  – JavaScript challenges
  – CAPTCHA
Further notes
• Be transparent; don't punish humans
• Be bot friendly (good bots like Google and Baidu still need access)
Attack Phase 3 – An AJAX Attack
• Primary target – the database
• AJAX requests can sometimes bypass JS Challenges
• Requests were targeting separate sub services in a “registered users only” area of the application
• Used hijacked cookies to make heavy AJAX requests
© 2015 Imperva, Inc. All rights reserved.24
Attack Phase 3 – Mitigation
• Visitor reputation techniques
• Detecting abnormal behavioral patterns
  – Order and frequency of requests
  – Interaction between clients and servers
  – JavaScript injection to actively classify clients
Attack Phase 4 – On Demand Browser Barrage
• The symptoms:
  – Huge spike in browser-based traffic
  – Browser windows popping up on people's PCs
  – Innocent people contacting Incapsula: "You're hijacking my PC!"
• Initial response – CAPTCHA challenges
• Post-mortem analysis conclusion
  – A PushDo botnet with 20k bots was opening real browsers on hijacked computers, pointing them at the target application
Attack Phase 4 – Mitigation
• Reverse engineering the trojan
• Crafting a signature to identify and block the bots
Attack Phase 5 – Headless Browsers
• The symptoms:
  – 150 hours of spike in browser-based traffic
  – 180,000 new IP sources
  – 861 variants
• Headless browsers leveraging PhantomJS were being used to emulate real users
  – Generating 700 million requests per day
Application DDoS Attack Results from Q2 DDoS Report
In Q2 2015 the largest application layer DDoS attack we saw had 179,712 RPS (that’s 15,527,116,800 requests per day)
Source: Imperva Incapsula - Q2 Global DDoS threat Landscape Report
Attack Phase 5 – Mitigation
• Reverse engineering the PhantomJS kit
• Crafting a signature to identify and block all bots using this kit
Findings from Q2 2015 Global DDoS Threat Landscape Report
• In Q2 botnet owners displayed more ability to assume identities to avoid detection
• Roughly 74% of application DDoS attack bots are still primitive
Attack Analysis Conclusions
• DDoS attacks are becoming more like APTs
• It is an ongoing cat-and-mouse game
• Attacks can last for weeks and reappear repeatedly
• Don't expect to have a silver bullet
3. Five Lessons Learned
Attacks Are Increasing in Size, So Should Your Defense Capability
• Network layer DDoS attacks are getting bigger
• Your defenses need to be able to deal with multi-gigabit attacks
• Select a provider with a large scrubbing network
(Chart: attack sizes, past vs. present)
Don’t Punish Your Users
• Your users don’t need to know or care if you are under attack
• People don’t like to hang out in dangerous places
• DDoS attacks should be mitigated in a way that doesn't
  – Cause delays (no hold screens)
  – Require extra steps (no CAPTCHAs or splash screens)
  – Serve outdated content
Fail-open for Humans
• All human users should be able to bypass protection mechanisms
• Legitimate users should be given an opportunity to
  – Express concern or complain if they are affected
  – Prove they are legitimate with a CAPTCHA
Automation
• Automated, always-on solutions should be used whenever possible
  – Web assets should be monitored for attacks 24x7
  – Identification is always on
• Always on doesn't mean always "locked down"
  – DDoS rules should be on call but not implemented until necessary
  – Mitigation is on when needed
Conclusions
• Ensure you have enough network capacity
• Invest in technology:
  – Rapid analysis tools
  – Instant patching infrastructure
  – Trial and error methodology
• Keep up with your research
• Have people at the wheel!
Want to Learn More?
Download the Q2 2015 Global DDoS Threat Landscape Report, or sign up for a free 14 day trial by visiting www.incapsula.com
Questions?