Why DDoS Makes for Risky Business – And What You Can Do About It:
The 5 Misconceptions about DDoS Attacks
Dave Shackleford, IANS Faculty
Tom Bienkowski, Director of Product Marketing,
Arbor Networks
The Story Today
➔ There are more and more DDoS attacks every week,
month, and year
➔ Many security teams:
• Don’t fully understand the landscape of modern DDoS
• Believe that DDoS defense is something they should outsource
• Believe their existing tools can cover DDoS
• Believe DDoS is not that sophisticated or advanced
➔ We need to revisit how we think about DDoS attacks
Despite All the Research and Statistics…
Neustar 2014 DDoS Attacks & Impact Report: The Danger Deepens
DDoS Attacks Still Happen… Why?
5 Common Misconceptions about DDoS Attacks
1. My firewalls and IPS (load balancers, WAF, etc.) will stop DDoS attacks.
2. I have adequate DDoS protection solutions in place.
3. The odds are we will NOT be attacked.
4. The impact of a DDoS attack does not justify the cost of protection.
5. DDoS is old news… I'm concerned with more Advanced Threats.
Misconception #1: Firewall / IPS will Stop DDoS Attacks
Fact: Firewalls and IPS (load balancers, WAF, etc.) are not
designed to stop DDoS attacks.
 DDoS attacks use well-formed packets and do not
violate protocol rules, so many pass through
firewalls and IPS undetected.
 Because firewalls and IPS (load balancers,
WAF) must track per-connection state, they are
themselves vulnerable to state-exhaustion DDoS
attacks (e.g. TCP SYN floods, HTTP connection
floods) and routinely fail during attacks.
 Completing the Security Triad:
Firewalls and IPS are designed for protecting
Confidentiality and Integrity. You need
purpose-built DDoS protection products to
protect Availability.
[Figure: CIA triad with Confidentiality and Integrity covered and Availability marked "?"]
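The state-exhaustion point above, shown as an added example that is not part of the Arbor/IANS deck: a listener (or a firewall/IPS in front of it) that allocates a half-open table entry per SYN runs out of table under a flood of spoofed SYNs that are never ACKed, and then drops the one legitimate client; a stateless SYN-cookie listener encodes the handshake state in the server's initial sequence number and keeps nothing until the ACK verifies. The table capacity (4), the flood size, the secret key and the cookie bit layout are all assumptions chosen for illustration; the addresses are RFC 5737 test ranges.

```python
# Added example (not from the Arbor/IANS slides): why a device that must
# keep per-connection state fails under a SYN flood, and why a stateless
# SYN-cookie listener does not. Capacity and flood size are deliberately
# tiny; a real middlebox holds ~10^5-10^6 entries and a real flood sends
# millions of spoofed SYNs per second. Addresses are RFC 5737 test ranges.
import hashlib
import hmac

HALF_OPEN_CAPACITY = 4   # toy value; raise it and the outcome is unchanged


class StatefulListener:
    """Classic listener/firewall: one half-open table entry per SYN."""

    def __init__(self, capacity=HALF_OPEN_CAPACITY):
        self.capacity = capacity
        self.half_open = {}          # (src_ip, src_port) -> server ISN

    def on_syn(self, src_ip, src_port):
        if len(self.half_open) >= self.capacity:
            return None              # table full: SYN dropped, no SYN-ACK sent
        isn = 1000 + len(self.half_open)
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, ack_num):
        isn = self.half_open.pop((src_ip, src_port), None)
        return isn is not None and ack_num == isn + 1


class SynCookieListener:
    """Stateless until the handshake completes: the server ISN *is* the state.

    Cookie layout (our own, modelled on the idea behind Linux SYN cookies):
    high 8 bits = time counter, low 24 bits = HMAC(secret, src, port, counter).
    """

    def __init__(self, secret):
        self.secret = secret
        self.established = set()     # the only table; spoofed SYNs never reach it

    def _cookie(self, src_ip, src_port, counter):
        msg = f"{src_ip}:{src_port}:{counter}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return ((counter & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def on_syn(self, src_ip, src_port, counter):
        return self._cookie(src_ip, src_port, counter)   # nothing stored

    def on_ack(self, src_ip, src_port, ack_num, now_counter):
        isn = (ack_num - 1) & 0xFFFFFFFF
        counter = isn >> 24
        if (now_counter - counter) % 256 > 1:            # cookie too old
            return False
        if isn != self._cookie(src_ip, src_port, counter):
            return False                                  # forged / wrong peer
        self.established.add((src_ip, src_port))
        return True


def simulate(flood_syns=50, counter=7):
    """Spoofed SYNs (never ACKed) followed by one legitimate handshake."""
    stateful = StatefulListener()
    cookies = SynCookieListener(secret=b"rotate-this-secret-regularly")
    for i in range(flood_syns):
        ip, port = f"203.0.113.{i % 250 + 1}", 40000 + i   # spoofed sources
        stateful.on_syn(ip, port)
        cookies.on_syn(ip, port, counter)

    legit_ip, legit_port = "198.51.100.10", 51515
    isn = stateful.on_syn(legit_ip, legit_port)
    stateful_ok = isn is not None and stateful.on_ack(legit_ip, legit_port, isn + 1)

    cookie = cookies.on_syn(legit_ip, legit_port, counter)
    cookie_ok = cookies.on_ack(legit_ip, legit_port, (cookie + 1) & 0xFFFFFFFF, counter)

    return {
        "stateful_accepts_legit": stateful_ok,
        "stateful_half_open_entries": len(stateful.half_open),
        "cookie_accepts_legit": cookie_ok,
        "cookie_state_entries": len(cookies.established),
    }


def stale_cookie_rejected():
    """A replayed ACK whose cookie is older than the rotation window fails."""
    listener = SynCookieListener(secret=b"k")
    cookie = listener.on_syn("198.51.100.10", 1234, counter=7)
    return not listener.on_ack("198.51.100.10", 1234, (cookie + 1) & 0xFFFFFFFF, now_counter=10)


if __name__ == "__main__":
    print(simulate())
    print("stale cookie rejected:", stale_cookie_rejected())
```

The simulation ends with the stateful table full of spoofed entries and the legitimate client refused, while the cookie listener completes the same handshake and holds exactly one entry. Real SYN cookies (as in Linux tcp_syncookies) pay for this with TCP options that cannot be encoded in the cookie, and they only protect the host that implements them: a stateful firewall or load balancer in front of that host still has its own table to exhaust, which is the slide's point about needing purpose-built, largely stateless mitigation at the edge.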
Misconception #2: In-Cloud …or… On-Prem Alone is Enough
Fact: Modern day DDoS attacks use a dynamic combination of volumetric and
application layer attack vectors. There are best practices to stop both.
[Figure: botnet traffic (legitimate traffic, volumetric attack, state
exhaustion, application attack) crossing the Internet, your ISP's network,
and your data centers]
Case Study: "Operation Ababil"
 Dynamic combination of volumetric and
application layer attacks.
 Lesson Learned: Targets who only had
on-premises protection realized they
also needed in-cloud protection, and
vice versa. A volumetric flood saturates
the upstream link before on-premises gear
ever sees it, while a low-bandwidth
application-layer attack looks normal to an
upstream scrubbing center and is only
visible close to the application.
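One way to triage a traffic window into "handle upstream" versus "handle on-premises", as an added example that is not part of the Arbor/IANS deck and not any vendor's detection logic: it reads link utilisation and application access-log lines for the window, flags a volumetric condition when the link is near saturation and an application-layer condition when the request rate far exceeds the baseline, and reports which layer should act. The 1 Gbps link, the baseline and per-source thresholds, the log lines and the client addresses (RFC 5737 test ranges) are all constructed for illustration.

```python
# Added example (not from the Arbor/IANS slides): triage of one traffic
# window to decide whether mitigation belongs upstream (in-cloud scrubbing)
# or on-premises. Thresholds, the 1 Gbps link, the log lines and the IP
# addresses (RFC 5737 test ranges) are all constructed for illustration.
import re
from collections import Counter

LINK_CAPACITY_BPS = 1_000_000_000   # assumed 1 Gbps Internet uplink
BASELINE_RPS = 200                  # assumed normal aggregate requests/s
PER_SOURCE_RPS_LIMIT = 20           # assumed ceiling for one real browser

# Common Log Format subset: ip ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)'
)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_window(ingress_bps, log_lines, window_seconds):
    """Return verdicts for the window and the layer each one should be handled at."""
    reqs = [r for r in map(parse_line, log_lines) if r]
    by_src = Counter(r["ip"] for r in reqs)
    by_path = Counter(r["path"] for r in reqs)
    rps = len(reqs) / window_seconds
    verdicts, actions = [], []

    # Volumetric: the pipe itself is (nearly) full. Nothing on-prem can help
    # once the upstream link is saturated; this must be scrubbed upstream.
    if ingress_bps >= 0.8 * LINK_CAPACITY_BPS:
        verdicts.append("volumetric")
        actions.append("signal upstream / divert to cloud scrubbing")

    # Application-layer: bandwidth looks normal but the application is being
    # hammered with well-formed requests. Only the on-prem layer sees this.
    if rps >= 5 * BASELINE_RPS:
        verdicts.append("application")
        actions.append("on-prem: rate-limit / challenge / block the hot URL")

    hot = sorted(ip for ip, n in by_src.items() if n / window_seconds > PER_SOURCE_RPS_LIMIT)
    return {
        "rps": rps,
        "verdicts": verdicts,
        "actions": actions or ["monitor"],
        "hot_sources": hot,
        "top_path": by_path.most_common(1)[0][0] if by_path else None,
    }


def _ip(i):
    """Deterministic constructed client address from the RFC 5737 blocks."""
    return f"{['192.0.2', '198.51.100', '203.0.113'][i // 250]}.{i % 250 + 1}"


def make_lines(n_sources, per_source, path="/search", first=0):
    """Constructed access-log lines: n_sources clients, per_source requests each."""
    return [
        f'{_ip(first + i)} - - [10/Oct/2014:13:55:{(i + j) % 60:02d} +0000] '
        f'"POST {path} HTTP/1.1" 200 {512 + j}'
        for i in range(n_sources) for j in range(per_source)
    ]


def demo(window_seconds=10):
    windows = {
        # 120 clients, 10 requests each, 80 Mbps: a quiet day
        "normal": (80_000_000, make_lines(120, 10, "/")),
        # Link flooded with reflection traffic; the app logs actually get *quieter*
        "volumetric": (950_000_000, make_lines(60, 10, "/")),
        # 300 bots, each politely under the per-IP limit, plus two noisy ones;
        # bandwidth is unremarkable, so only request-layer inspection sees it
        "app_layer": (40_000_000,
                      make_lines(300, 50, "/search") + make_lines(2, 300, "/search", first=300)),
    }
    return {name: classify_window(bps, lines, window_seconds)
            for name, (bps, lines) in windows.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["verdicts"], result["actions"], result["hot_sources"])
```

Two things the constructed windows make visible. In the volumetric window the access log is quieter than normal because packets are being dropped before the link, so an on-premises device that only watches the application has nothing to alert on and must be told (or must signal) that the upstream link is full. In the application-layer window, 300 of the 302 attacking sources stay under the per-IP limit and never appear in `hot_sources`; a per-source rate limit of the kind a load balancer or WAF applies misses them, and only the aggregate request rate against the baseline reveals the flood.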
Misconception #3: The Odds Are Low That We Will Be Attacked
Fact: DDoS attacks are increasing in size, frequency and complexity. It's
getting worse, not better.
Fact: Changes in motivation and the plethora of DDoS attack tools and
services make it easy for anyone to launch a DDoS attack.
Misconception #4: Impact Does Not Justify Cost of Protection
Fact: The impact of a DDoS attack can be immediate and severe.
 Lost Revenue
 Indirect / Business Continuity Costs

Revenue from the asset (example figures used on the slide):
Per Year    $200,000,000
Per Week      $3,846,154
Per Day         $547,945
Per Hour         $22,831

 Unwanted Media Attention
 Operational Costs to Mitigate Attack
 Brand repair
 Regulatory Fees
 Customer Credits
 Lost productivity
 Others?
 Executive Impact
Misconception #5: DDoS Attacks are Not Advanced Threats
Fact: Yes, it may be true that DDoS attacks by themselves are not advanced.
However… Arbor's global threat intelligence has evidence that botnets/DDoS
attacks are often part of complex, multi-vector, advanced threat "campaigns"
and are used during phases of the "Kill Chain".
[Figure: example of Arbor's research into global threat "campaigns"
consisting of interrelated botnets, DDoS, malware, etc.]
[Figure: "Kill Chain" Du Jour (Gartner advanced-attack kill chain); labels
visible: App BotNet, Gray Pigeon RAT]
DDoS Used in Multiple Stages of Kill Chain
[Figure: "Advanced Attack Kill Chain" timeline from Attackers to Target Org.
Stages: RESEARCH (Recon); INITIAL COMP (Weaponization, Delivery,
Installation); SPREAD OUT (Exploitation, C&C); EXTRACT DATA (Complete
Mission). "Attack Activities Over Time" plotted along the stages: Port
Scanning, Phishing, DDoS, Bad URL, RAT, Evasion, TOR, Port Scanning, DDoS,
P2P, POS, Evasion, Zero Day, Phishing, Malware, Bot, DDoS. The build-up
slides call out the DDoS activities in turn:]
 "Sizing Up Your Security Posture" – or, analogous to looking for
security stickers: if you were a burglar, which house would you rob?
 "Evasion / Overwhelming your security forensics"
 "Diversion" – analogous to setting alarms off at one end of the
building while the thief slips out the other end
Arbor's ATLAS: Global Threat Analysis and Monitoring System
"We See Things Others Can't"
The ATLAS Global Threat Analysis and Monitoring System is actively
monitoring more than 120 Tbps. That's more than 1/3 of all internet traffic!
ATLAS is a collaborative project with more than 300 ISP customers sharing
anonymous traffic data, complemented by e-mail spam traps, botnet
reconnaissance tools, the world's largest distributed honeypot, globally
dispersed sensors and publicly shared intelligence.
Examples of DDoS Used in Various Phases of Kill Chain
[Figure: three panels – Reconnaissance Stage, Weaponization Stage,
Exfiltration Stage]
Evidence of DDoS Interrelationship with Other Advanced Threats
 A single threat infrastructure that has both DDoS and
Advanced Threat malware (DarkComet) at its disposal.
 "High confidence" means recent activity was tracked.
Evidence of DDoS Interrelationship with Other Advanced Threats
 Threat infrastructure that has botnet, DDoS and Advanced
Threat malware (DarkComet, Banking RAT) at its disposal.
 "High confidence" means recent activity was tracked.
Conclusion
➔ There are many misunderstandings about DDoS and DDoS defense today
➔ Today's organizations need layered defenses:
1. Stop volumetric attacks in-cloud (scrubbing center in your ISP's
network), before they reach your Internet link.
2. Stop application layer DDoS attacks and other advanced threats
on-premises, in your data centers / internal networks; detect
abnormal outbound activity.
3. Intelligent communication between both environments.
4. Backed by continuous threat intelligence.
[Figure: botnet traffic (legitimate traffic, volumetric attack, application
attack; botnet, DDoS, malware) crossing the Internet, your ISP's network
with a scrubbing center, and your data centers / internal networks]
Thank You!
QUESTIONS?