Distributed Denial of Service (DDoS) attack


2011 Infrastructure Security Report, 7th Annual Edition
CE Latinamerica: Carlos A. Ayala
[email protected]
twitter: @caar2000

Agenda
• DDoS Basics
• Worldwide Infrastructure Security Report and ATLAS
• LAT statistics
Page 2 - Company Confidential
Distributed Denial of Service (DDoS)
What is a DDoS Attack?
During a Distributed Denial of Service (DDoS) attack, compromised hosts (bots) or vigilante users from distributed sources overwhelm the target with illegitimate traffic so that the servers cannot respond to legitimate clients.

The DDoS Attack Surface
• Any part of your network or services that is vulnerable to an attack:
– Network Interfaces
– Infrastructure
– Firewall/IPS
– Servers
– Protocols
– Applications
– Databases
• Attackers will find the weakness

DDoS Threats are Top of Mind
Source: Arbor Networks 2011 Infrastructure Security Report
• 4 of the top 6 threats seen over the last 12 months are DDoS related
• The top 4 perceived threats for the next 12 months are DDoS related
• DDoS threat awareness is high

Sources of Data
• 2011 Worldwide Infrastructure Security Report
– Survey of Internet operators focused on security practices, incidents and trends
– 114 respondents worldwide
– Data based on measurements, insights and opinions of respondents
• ATLAS Data Trends
– Data collected from 100+ Arbor deployments and honeynets sharing attack and traffic statistics
– Empirical data based on measurements taken in production deployments

2011 Infrastructure Security Survey
• Survey conducted in October through November 2011
• 114 total respondents across different market segments
• 54% service providers, 15% T1 providers
• “Other” includes VOIP, wholesale internet, DDoS mitigation, database repository payment and credit sites

Key Findings in the Survey
• Ideologically-motivated ‘Hacktivism’ and On-line Vandalism DDoS Attacks Are the Most Commonly Identified Attack Motivations
• 10 Gbps and Large Flood-Based DDoS Attacks Are the “New Normal”
• First-Ever Reports of IPv6 DDoS Attacks 'in the Wild' on Production Networks
• Increased Sophistication and Complexity of Application Layer (Layer 7) DDoS Attacks; Multivector DDoS Attacks Are Becoming More Common
• Continued Uncertainty Around Visibility and Security of Mobile/Fixed Wireless Networks
• Stateful Firewalls, IPS and Load-Balancer Devices Continue to Fall Short on DDoS

DDoS Attack Frequency over last 12 Months
• 91% of respondents see at least 1 DDoS attack per month, up from 76% in 2010
• 44% of respondents see 10 or more attacks per month, up from 35% in 2010

Top DDoS Motivations
• Top two attack motivation categories are fueled by personal beliefs and inclinations of attackers
• Exponential increase in risk of being attacked

Large Attacks are Now Commonplace
• Aggregate attack sizes have leveled off but remain at levels capable of overwhelming most Internet operators
• 13% of respondents report attacks above 10 Gbps
• 40% of respondents report attacks above 1 Gbps
• Largest pps attack reported is 35 Mpps, keeping pace with 2010

Max BPS Misuse DDoS attacks per country in LAT 2011
• Largest bps attack in LAT: 10.465 Gbps, in Brazil
• Largest bps attack reported worldwide: 60 Gbps

Avg BPS Misuse DDoS attacks per country in LAT 2011
• Top average-bps attacks above 1 Gbps in LAT: Perú and Uruguay
• 40% of respondents report worldwide attacks above 1 Gbps

Max PPS Misuse DDoS attacks per country in LAT 2011
• Largest pps attack in LAT: 10.836 Mpps, in Brazil
• Largest pps attack reported worldwide: 35 Mpps

Avg PPS Misuse DDoS attacks per country in LAT 2011
• Top Misuse average-pps attack in LAT: 3.064 Mpps, in Perú

Application Layer and Multi-vector DDoS
• A higher percentage of attacks reported on HTTP and IRC relative to 2010
– HTTP (87% vs 84%) and IRC (11% vs 0%)
• Lower percentage of attacks on DNS, SMTP, HTTPS and VOIP
– DNS (67% vs 76%), SMTP (25% vs 40%), HTTPS (24% vs 35%) and VOIP (19% vs 38%)
• SSL-based attacks reported included TCP and UDP floods against port 443, port scanning attempts and Slowloris

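Slowloris, named in the SSL-based attack list above, works by holding many HTTP connections open with deliberately incomplete requests until the server's connection slots are exhausted. The script below is an added example, not code from the report or from Arbor, showing how a defender can pick out such clients from a snapshot of the web server's connection table: the signature is one client holding many old connections that never completed their request headers. The snapshot, the client addresses and the thresholds (30 seconds, 20 connections) are constructed assumptions for the illustration.

```python
"""Flag slow-HTTP (Slowloris-style) clients from a web server connection snapshot.

Added example; not code from the Arbor report. The snapshot and thresholds are
constructed assumptions and would be tuned per site in practice.
"""
from collections import defaultdict


def constructed_snapshot():
    """Constructed snapshot of open TCP connections to a web front end.

    Each row is (client_ip, seconds_open, request_headers_complete).
    """
    conns = []
    # Normal browsers: a few short-lived connections each, headers fully received.
    for i in range(1, 6):
        for _ in range(3):
            conns.append((f"198.51.100.{i}", 2, True))
    # One client holding 40 connections open for minutes without finishing a request.
    for _ in range(40):
        conns.append(("203.0.113.77", 180, False))
    # A slow but legitimate client: one long-lived connection whose request completed.
    conns.append(("198.51.100.200", 90, True))
    return conns


def slow_http_suspects(conns, min_age_s=30, min_conns=20):
    """Return {client_ip: count} for clients holding at least `min_conns`
    connections that are older than `min_age_s` seconds and still have no
    complete request header.

    Requests that never complete are what separate a Slowloris-style client
    from a merely busy one; a slow-but-legitimate client finishes its headers.
    """
    stalled = defaultdict(int)
    for ip, age_s, headers_complete in conns:
        if not headers_complete and age_s >= min_age_s:
            stalled[ip] += 1
    return {ip: n for ip, n in stalled.items() if n >= min_conns}


def connection_share(conns, ip):
    """Fraction of all open connections held by a single client."""
    return sum(1 for c in conns if c[0] == ip) / len(conns)


if __name__ == "__main__":
    snapshot = constructed_snapshot()
    for ip, n in slow_http_suspects(snapshot).items():
        print(f"{ip}: {n} stalled connections "
              f"({connection_share(snapshot, ip):.0%} of all open connections)")
```

The same two signals (request never completes, one source holds a large share of the connection pool) are what a web server's per-client connection limit and header-read timeout enforce mechanically; the script shows the decision those settings encode.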
Destination ports breakout DDoS attacks in LAT 2011
• Port 53 (DNS): 9%
• Port 80 (HTTP): 7%
• IP fragment (port 0): 4%

Most Common Application Layer Attacks Seen
• Majority of known attack types are focused against web properties

DDoS Attacks Against Data Centers
Observed DDoS Attacks Targeting IDCs: Yes 56%, No 44%
• 56% of Data Center respondents observed DDoS attacks in 2011
• The percentage is down from 2010, which showed 69%
DDoS Attacks Exceeding IDC Bandwidth: Yes 25%, No 75%
• 25% of respondents observed DDoS attacks that exceeded the total bandwidth into the Data Center
• In 2010 this was only 15%

Fragility of Stateful Devices in the IDC
Firewall/IPS Failure Due to DDoS: Yes 41%, No 48%, Not Deployed in IDCs 10%
• Over 40% of respondents reported an inline firewall and/or IPS failing due to a DDoS attack.
• This is a slightly lower number than 2010, where 49% reported a firewall and/or IPS failure.
• 10% of respondents do not put firewalls/IPS in front of IDCs
Load Balancer Failure Due to DDoS: Yes 43%, No 54%, Not Deployed in IDCs 4%
• 96% of respondents use load balancers within their IDCs
• 43% of respondents reported a stateful Load Balancer (or ADC) going down due to a DDoS attack

DDoS Event Response Drills
• Almost 70% of survey respondents have never practiced responding to a DDoS attack event
• Only 2% improvement in the percentage of respondents that have rehearsed attack responses

CERTs
• Does your organization have a CERT or CSIRT (e.g., KPRCERT)?
• 66% of respondents collaborate with a Government or National CERT/CSIRT
• Those that don’t cite several reasons why. Most due to lack of time or CERT
– Not my job
– None in my region
– We don’t see a need
– Organization not big enough
– Input from such bodies not deemed useful

Mobile Services are Pushing Technology Adoption
• 27% of survey respondents offered mobile services
– Ranging from 1M to over 100M subs
– Range of subs shifted up, reflecting growth in Mobile
• LTE availability accelerating
– LTE offered by 28.6%, up from 9% last year
– Another 52% plan to have LTE deployed by 2014
• IPv6 goes ahead
– 50% plan to introduce IPv6 within the next 12 months
– 9.6% already have it

Mobile Infrastructure DDoS Attacks
• 50% see application layer attacks on their networks
• Broad spread of attack types, similar to what we see elsewhere
• DNS is the most common target, and the target with the most widespread damage potential
• Surprise that HTTP was not top as last year, especially given general trends

IPv6 Rollout and Growth
• Two thirds of respondents have deployed IPv6 in their networks
• Majority of those who deployed IPv6 are using it for internal addressing of their network infrastructure
• Two thirds of those who have not deployed IPv6 plan to do so in the near term
• Traffic and volume remain low with varied forecasts for growth
• One respondent provided the following answer, indicating the overall mood:
– “depends of what youtube and company are doing ;)”

IPv6 DDoS Attacks
• First report of an IPv6 DDoS attack in the history of the WISR
• Low frequency of attacks reflects low adoption of IPv6 for critical services

DNS Security is a Focus
• 87% of all respondents offer DNS services.
• 77% have security teams responsible for DNS services
– 63% Main Security Group
– 23% No Security Group
– 14% Specific Security Group
• Numbers are consistent with the 2011 survey.

Outages from DNS Attacks
• Overall attack frequency has increased year over year
• DNS attacks are down a little
– 67% in 2011 vs 76% in 2010
• Outages from DNS attacks are much lower
– 13% in 2011 vs 32% in 2010
• Conclusion: DNS attack defense is improving

Misuse BPS breakout DDoS attacks in LAT 2011/2010

Misuse PPS breakout DDoS attacks in LAT 2011/2010

Duration breakout DDoS attacks in LAT 2011
• 30 to 60 min: 43%
• 1 to 3 hrs: 30%

Misuse Duration DDoS attacks in LAT 2011
• Top 3 longest DDoS attacks
– Brazil: 14d 6h 29m
– Argentina: 2d 0h 25m
– Dominican Rep: 1d 0h 14m
• Average duration of DDoS attacks: 1h 45m

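The bps, pps and duration figures on the LAT slides, and the 1 Gbps / 10 Gbps bands used earlier, are what a flow-monitoring system derives per target from exported flow records. The script below is an added example, not ATLAS or Arbor code, that computes peak bps, peak pps and the above-threshold duration of a flood from constructed one-second flow summaries and renders the duration in the slides' "Xd Yh Zm" form. The addresses, volumes and the 1 Gbps / 1 Mpps thresholds are assumptions chosen for the illustration.

```python
"""Derive peak bps, peak pps and duration of a flood from flow records.

Added example, not ATLAS or Arbor code. Flow records are constructed
(second, src_ip, dst_ip, bytes, packets) summaries; the thresholds are
assumptions and would normally come from a per-customer baseline.
"""
from collections import defaultdict


def constructed_flows():
    """Constructed one-second flow summaries for a single web server."""
    flows = []
    for t in range(600):                       # 10 minutes of baseline traffic
        flows.append((t, "198.51.100.7", "192.0.2.10", 1500, 1))
    for t in range(100, 400):                  # 5-minute flood from 50 sources
        for i in range(50):
            flows.append((t, f"203.0.113.{i}", "192.0.2.10", 3_000_000, 30_000))
    return flows


def per_second_totals(flows):
    """Aggregate to dst_ip -> second -> [bytes, packets]."""
    totals = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for sec, _src, dst, nbytes, pkts in flows:
        totals[dst][sec][0] += nbytes
        totals[dst][sec][1] += pkts
    return totals


def misuse_events(flows, bps_threshold=1_000_000_000, pps_threshold=1_000_000):
    """For each destination whose per-second rate crosses either threshold,
    report the peak rates and the span of seconds spent above threshold.

    Duration is measured from the first to the last above-threshold second,
    which is how a single sustained event is reported; gaps between bursts
    would need a separate idle-timeout rule to split them into events.
    """
    events = {}
    for dst, secs in per_second_totals(flows).items():
        hot = sorted(s for s, (b, p) in secs.items()
                     if b * 8 >= bps_threshold or p >= pps_threshold)
        if not hot:
            continue
        events[dst] = {
            "peak_bps": max(b * 8 for b, _ in secs.values()),
            "peak_pps": max(p for _, p in secs.values()),
            "start": hot[0],
            "end": hot[-1],
            "duration_s": hot[-1] - hot[0] + 1,
        }
    return events


def fmt_duration(seconds):
    """Render a duration in the 'Xd Yh Zm' form used on the slides."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes = rem // 60
    return f"{days}d {hours}h {minutes}m"


if __name__ == "__main__":
    for dst, ev in misuse_events(constructed_flows()).items():
        print(f"{dst}: peak {ev['peak_bps'] / 1e9:.3f} Gbps, "
              f"{ev['peak_pps'] / 1e6:.3f} Mpps, "
              f"duration {fmt_duration(ev['duration_s'])}")
```

Run as-is it reports the constructed flood as 1.200 Gbps / 1.500 Mpps lasting 0d 0h 5m; replacing `constructed_flows()` with records parsed from a real flow export is the only change needed to apply it.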
Overall breakout comparison LAT 2011 vs 2010

Thank You
CE Latinamérica: Carlos A. Ayala
[email protected]
twitter: @caar2000