DDoS Protection, An Inside Look
• The 3 main types of attacks
• Will I be a victim? Why us?
• The top 3 misconceptions: fact vs fiction
• A realistic defense

The 3 Main Types of Attack

#1 Big and Dumb - UDP, ICMP floods
• Attackers try to overwhelm your available bandwidth resources
• Your ISP or carrier may “null route” you if the attack is disruptive to their network
• A good ISP or carrier will filter this out for you
• Although it still happens, it is rarely the cause of outages
• Unfortunately, it may be combined with other types of attack
• Consider having all non-essential traffic (ports) denied as part of normal operations

#2 SYN Floods
• SYN-type floods try to overwhelm CPU, memory, OS limitations or network gear
• There are a variety of good DDoS mitigation devices available today for 10-60K
• Beware of false positives; keep the rate limiting “loose” or just right

#3 Layer 7 attacks
• HTTP GET attacks: CPU intensive, slow the web server to a crawl
  * Sometimes hard to even detect, which leads to misdiagnoses
  * Low bandwidth, low PPS
• Requires a large (2K-200K+) botnet
• Existing off-the-shelf mitigation gear is not very effective
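
The detection problem on the layer 7 slide, as an added example that is not part of the original slides: every bot stays far below a per-IP rate limit, so the flood only becomes visible when requests are grouped by URL and distinct client count. The log records, the `/report/export` path and all thresholds are constructed assumptions.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed records (epoch_second, client_ip, path), all inside one minute."""
    pages = ["/", "/products", "/about", "/contact"]
    log = []
    # 20 ordinary visitors, 3 page views each.
    for i in range(20):
        for j in range(3):
            log.append((i * 3 + j, f"198.51.100.{i + 1}", pages[(i + j) % 4]))
    # 500 bots, only 2 GETs each, all for one CPU-heavy URL (hypothetical path).
    for i in range(500):
        ip = f"10.0.{i // 250}.{i % 250 + 1}"
        log.append((i % 60, ip, "/report/export"))
        log.append(((i + 30) % 60, ip, "/report/export"))
    return log

def per_ip_offenders(log, window=60, max_per_ip=30):
    """Classic per-source rate check: IPs above max_per_ip requests per window."""
    counts = defaultdict(int)
    for ts, ip, _path in log:
        counts[(ts // window, ip)] += 1
    return {ip for (_w, ip), n in counts.items() if n > max_per_ip}

def url_hotspots(log, window=60, min_clients=100, min_share=0.5):
    """Flag a URL when many distinct clients give it most of a window's requests."""
    hits, clients, totals = defaultdict(int), defaultdict(set), defaultdict(int)
    for ts, ip, path in log:
        w = ts // window
        hits[(w, path)] += 1
        clients[(w, path)].add(ip)
        totals[w] += 1
    flagged = []
    for (w, path), n in hits.items():
        share = n / totals[w]
        if len(clients[(w, path)]) >= min_clients and share >= min_share:
            flagged.append({"window": w, "path": path, "requests": n,
                            "clients": len(clients[(w, path)]),
                            "share": round(share, 2)})
    return flagged

if __name__ == "__main__":
    sample = build_sample_log()
    print("per-IP offenders:", per_ip_offenders(sample))
    for row in url_hotspots(sample):
        print("hotspot:", row)
```

In practice the thresholds would be set against a baseline of the site's normal per-URL traffic, so that a popular landing page is not flagged.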

Our observations over the last 12 months ending May 2010
• UDP/ICMP flood-only attacks account for less than 10% of the total number of attacks
• SYN flood-only attacks account for less than 30% of total attacks
• Layer 7-only attacks account for approximately 60% of total attacks
• 80% of all attacks have 2 or more of the above components
• 80% of all attacks have a layer 7 component

Will I Be a Victim? Why Us?
• Given the number of attacks vs the number of websites, overall risk is still very low, but very unpredictable
• Renting botnets is cheap, and they are easy to operate (see control panel sample)
• 30% of attacks are sector targeted: 5-25 websites of a similar nature are attacked at the same time, e.g. jewelry, electronics, car parts, fitness gear, etc.
  * The perpetrator is most likely a competitor trying to gain market share
• 40% are high-risk sectors
  * E-gaming, social/dating networks, online pharmacies, investment info, payment processors, etc.
  * The perpetrator is most likely a disgruntled customer or competitor
  * Extortion is sometimes involved, but rare
• 30% are “one-offs”
  * No logical reason

Rent-a-Bot
• Botnet control panel
• Can be rented for less than $100.00/day
• Easy to operate

The Top 3 Misconceptions: Fact vs Fiction

#1 My firewall/DDoS device will handle anything
• There is no easy-to-operate off-the-shelf box that will effectively stop all types of attacks in real time

#2 My engineers are brilliant and will be able to stop anything
• In reality, most technical staff have very little experience with real-world DDoS attacks
• Attack intensities and types change too often

#3 My hosting/network provider will help me
• Most hosting providers are ill-equipped to handle all types of attacks on an ad hoc basis
• Can be too time intensive for many hosting providers
• They will not risk network disruptions to other customers (collateral damage)

A Realistic Defense

A simple layered approach
• Have your provider filter everything except TCP port 80/443
• Buy a box that has good SYN protection (1 million PPS+)
• Use a reverse proxy and/or cache array

[Diagram: traffic passing through the layers. Labels, in order: UDP, ICMP, TCP → TCP port 80, TCP port 443, TCP/SYN, layer 7 attacks → TCP port 80, TCP port 443, layer 7 attacks → legitimate TCP requests]