Diffusing Denial of Service - Wipro


DIFFUSING DENIAL OF SERVICE

DDoS attacks are proving increasingly catastrophic. The paper covers common attack techniques and what organisations can do to avert them.

Table of contents

Abstract (page 02)
Introduction (page 02)
Who is at risk? (page 03)
Why are these attacks so difficult to detect and prevent? (page 03)
Types of DDoS Attacks (page 03)
How to block / mitigate DDoS attacks? (page 04)
Deploying DDoS Prevention Devices in Premises (page 05)
DDoS Prevention at Edge Level (page 05)
DDoS Response Model for Enterprises (page 05)
Conclusion (page 06)
Reference 1 (page 06)
About GIS (page 07)

Abstract: The proliferation of internet connectivity has expanded markets and reduced the inefficiencies associated with doing business across borders. With increasing broadband penetration in emerging markets, services can be delivered to customers from anywhere in the world. While globalization has expanded the possibilities for a business, this increased reach and access have at the same time created many challenges for enterprises. A significant one today is the vulnerability to external attacks. High malware infection rates are common. When malware infected computers are taken over by centralized command-and-control servers, "botnets" are created which can be used by spurious parties with malicious intentions to disrupt the service of a competitor. Global botnets are currently using Distributed Denial of Service (DDoS) attacks to sabotage web services or a specific server. This paper discusses the different types of DDoS attacks and presents an approach to a DDoS protection strategy that empowers enterprises to better respond to such attacks and mitigate their impact on operations.

Introduction:

China and the United States, the two biggest economies in the world, are the victims of significant DDoS attacks on a daily basis. Over the last few years, the scope, nature and magnitude of DDoS attacks have only intensified. The Prolexic Quarterly Global DDoS Attack Report (Q1 2013) reveals that the number of attacks rose by 21 percent in Jan-Mar 2013 compared to Q1 2012. Also, the duration of DDoS attacks grew to 34.5 hours from 28.5 hours, while average attack bandwidth increased to a staggering 48.25 Gbps from 6.1 Gbps in Q1 2012. This places emerging markets under severe threat as they are characterized by inadequate client control.

To emphasize the severity of these attacks, some examples are pertinent. A Hong Kong based provider of sophisticated trading platforms had to deal with the aftermath when one of its UK based clients, a brokerage operating in the London financial district using its proprietary trading technology, was targeted by a wave of DDoS attacks. The Hong Kong based trading platform provider was unable to provide access to its application platforms, leading to disruption of trading services. The company subsequently implemented a DDoS mitigation program to avoid further downtime and financial losses.

In another instance, an ecommerce company became the victim of a GET flood attack that lasted for two weeks during its busiest season. The attackers used the circuit between the ecommerce site and the internet service provider to launch the attack. As part of its efforts to protect itself from such attacks and avert business downtime, the company had implemented a DDoS mitigation strategy.

Clearly, having a DDoS mitigation program in place is a key business imperative for enterprises to avoid loss of customer confidence and customer defection, and to prevent adverse impact on revenue and profitability.

Who is at risk?

DDoS is a favorite ploy of attackers to shut down organizations at their whims and fancies. Not long ago, DDoS attacks were mainly targeted at household names and other obvious targets, but today any organization with money to lose, political interests or active enemies is susceptible to such attacks. In fact, anyone is a potential target!

Based on our experience, we have found that some industries, such as banking and financial services, internet service providers, internet data centers, cloud service providers and ecommerce, are more vulnerable to DDoS attacks than others. The banking and financial services sector, characterized by large volumes of transactions, data and traffic, is especially susceptible to DDoS attacks, with frequency as high as one every week. According to industry analyst reports, during 2012, out of 50 publicly documented DDoS attacks, the financial services sector accounted for 26, suffering an average outage of seven hours and an average estimated loss of $17,057,214 per incident. Internet data centers play a key role in providing real time business-critical functions such as sales, communications and technical support; at the same time, they also create new security challenges, rendering traditional security mechanisms obsolete. According to the Worldwide Infrastructure Security Report 2012 released by Arbor Networks, DDoS attacks targeted at internet data centers have increased in frequency as well as severity and pose a significant risk to enterprises using such hosted services. Furthermore, with more and more companies moving their services to the cloud, the shared infrastructure model of cloud computing can result in attacks on a specific target negatively impacting many or all tenants using the same infrastructure.

Why are these attacks so difficult to detect and prevent?

There are multiple reasons that make DDoS attacks dangerous. First, the attacks are becoming more frequent and bigger in magnitude than ever before. Second, the types of attacks and the targeted components are so varied that they are not easy to detect. Third, DDoS attacks are usually targeted at a variety of network components such as routers, appliances, firewalls, applications, ISPs or data centers, in different ways. Also, the increase in DDoS attacks is partly due to a gap in mitigation controls in enterprises: industry research shows that only about 20% of organizations have implemented a mitigation strategy.

While there is no easy solution to prevent such attacks, implementing a proven DDoS protection approach is one way of tackling this issue. The solution should have the capability to restrict damage and allow your system to carry on business-as-usual during an attack. To tackle this problem, organizations learned to detect and mitigate the damage caused by DDoS attacks that used a common code. However, DDoS attackers adapted quickly and began encrypting their code again, making it more difficult for enterprises to detect an attack and control the damage.

Types of DDoS Attacks:

It is useful to understand the various types of DDoS attacks possible in order to prepare better to tackle them.

1. TCP Connection Flood: A TCP connection flood tries to occupy all the available TCP connections on a server. It floods the server with requests for new connections, thereby preventing valid requests from being established and served.

2. ICMP Flood, Ping Flood, Smurf Attack: These attacks deluge the server with ICMP requests without waiting for a response. The objective is to overburden the server and adversely impact its ability to respond, thereby blocking legitimate requests.

3. PUSH and ACK Flood: A PUSH or ACK flood DDoS attack inundates the server with fake PUSH and ACK requests to prevent the server from responding to legitimate traffic.

4. SYN Flood: During a SYN flood attack, huge numbers of SYN requests are sent by the client. When the server returns SYN-ACK messages, the client does not respond, which leaves the server with open connections while it waits for further communication from the client. The TCP connection table tracks each of these half-open connections, so the table fills up, thereby blocking additional connection attempts, valid or otherwise.

5. Teardrop Attack: In a teardrop attack, the client sends a malformed packet which takes advantage of the error that occurs when the packet is reassembled. This could lead to a crash in the operating system or the application that handles the packet.

6. UDP Flood: In a UDP flood attack, the server is overwhelmed with requests. The connection tables are saturated with requests on every accessible port on the server, blocking legitimate requests from being served. Also, legitimate clients may not be able to access the server.

7. DNS Flood: NXDOMAIN Flood: The DNS server receives a deluge of requests for invalid or nonexistent records and wastes time looking for records that do not exist instead of serving valid requests. The cache on the DNS server is filled with bad requests, and clients are unable to find the servers they need.

8. DNS Flood: Query Flood: In a DNS query flood attack, a network of clients is utilized to send a flood of valid requests to a single DNS server. DNS servers are unable to differentiate this from normal traffic, as the requests are valid and targeted at a single DNS server.

9. SSL Flood and SSL Renegotiation Attacks: While making a request for a secure connection from a server is a simple task for the client, the server uses significant processing power while responding to such a request. An SSL flood or renegotiation attack exploits this imbalance in workload by asking for a secure connection and subsequently renegotiating the relationship.

10. GET Flood: In this type of attack, two different kinds of attacks can be mounted using the same request: either requesting static URLs at a high rate or successively asking for every single object on the website. The objective is to overburden the server with a multitude of requests so that its resources are exhausted, leaving it incapable of serving legitimate traffic.

11. Hash Denial of Service (DoS) Attack: The main web service platforms such as Java, ASP.NET and Apache use a common algorithm for their dictionary tables. In a Hash DoS attack, a single POST message with thousands of variables is sent so that the hashing function overloads and the server is engaged in processing a single such request for around an hour.
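As an added example that is not part of the Wipro paper, the following Python script shows how a defender can recognise three of the floods listed above from traffic records: the half-open handshake ratio of a SYN flood (attack 4), the NXDOMAIN share of an NXDOMAIN flood (attack 7) and the per-client request rate of a GET flood (attack 10). The record types, thresholds and addresses are assumptions, and the sample events are constructed rather than captured traffic.

```python
"""Flood detection over constructed traffic records (added example; not from the paper).

Three of the attack types above leave countable traces: a SYN flood shows many
half-open TCP handshakes (attack 4), an NXDOMAIN flood shows an abnormal share
of failed DNS lookups (attack 7), and a GET flood shows a per-client request
rate far above normal (attack 10). All thresholds and addresses below are
illustrative assumptions, not figures from the paper.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpEvent:
    src: str
    flag: str          # "S": SYN sent by src; "A": handshake-completing ACK sent by src


@dataclass(frozen=True)
class DnsEvent:
    src: str
    rcode: str         # "NOERROR" or "NXDOMAIN" in the resolver's response


@dataclass(frozen=True)
class HttpEvent:
    src: str
    second: int        # one-second time bucket
    method: str


def syn_flood_check(events, min_syns=200, half_open_limit=0.8):
    """Return (flagged, half_open_ratio, distinct_sources) for one window.

    Per source, a SYN counts as completed only if the same source also sent an
    ACK; the remainder are half-open entries occupying the server's connection
    table. SYN-flood sources are usually spoofed, so the decision uses the
    aggregate ratio rather than any single address.
    """
    syns, acks = Counter(), Counter()
    for e in events:
        if e.flag == "S":
            syns[e.src] += 1
        elif e.flag == "A":
            acks[e.src] += 1
    total = sum(syns.values())
    if total == 0:
        return False, 0.0, 0
    completed = sum(min(n, acks[src]) for src, n in syns.items())
    ratio = round(1 - completed / total, 3)
    return total >= min_syns and ratio >= half_open_limit, ratio, len(syns)


def nxdomain_flood_check(events, min_queries=500, nx_limit=0.5):
    """Return (flagged, nxdomain_ratio). A healthy resolver answers mostly
    NOERROR; a sustained majority of NXDOMAIN responses is the flood signature."""
    total = len(events)
    if total == 0:
        return False, 0.0
    nx = sum(1 for e in events if e.rcode == "NXDOMAIN")
    ratio = round(nx / total, 3)
    return total >= min_queries and ratio >= nx_limit, ratio


def get_flood_offenders(events, per_second_limit=100):
    """Return {src: peak GET requests in any one second} for sources over the limit."""
    per_src = defaultdict(Counter)
    for e in events:
        if e.method == "GET":
            per_src[e.src][e.second] += 1
    return {src: max(b.values()) for src, b in per_src.items()
            if max(b.values()) > per_second_limit}


# Constructed samples (not captured traffic); RFC 5737 documentation ranges are used.
LEGIT_TCP = [ev for i in range(1, 21)
             for ev in (TcpEvent(f"192.0.2.{i}", "S"), TcpEvent(f"192.0.2.{i}", "A"))]
FLOOD_TCP = [TcpEvent(f"198.51.100.{i}", "S") for i in range(1, 251)] + LEGIT_TCP

NORMAL_DNS = ([DnsEvent(f"192.0.2.{i % 20 + 1}", "NOERROR") for i in range(950)]
              + [DnsEvent(f"192.0.2.{i % 20 + 1}", "NXDOMAIN") for i in range(50)])
FLOOD_DNS = ([DnsEvent(f"203.0.113.{i % 200 + 1}", "NXDOMAIN") for i in range(900)]
             + [DnsEvent(f"192.0.2.{i % 20 + 1}", "NOERROR") for i in range(100)])

SAMPLE_HTTP = ([HttpEvent("192.0.2.1", s, "GET") for s in range(10) for _ in range(3)]
               + [HttpEvent("192.0.2.2", 0, "POST") for _ in range(200)]   # POSTs are not counted
               + [HttpEvent("198.51.100.7", 0, "GET") for _ in range(500)]
               + [HttpEvent("198.51.100.7", 1, "GET") for _ in range(480)])

if __name__ == "__main__":
    print("SYN flood window:", syn_flood_check(FLOOD_TCP))
    print("SYN normal window:", syn_flood_check(LEGIT_TCP))
    print("DNS flood window:", nxdomain_flood_check(FLOOD_DNS))
    print("GET flood offenders:", get_flood_offenders(SAMPLE_HTTP))
```

The SYN check deliberately ignores per-address counts: with spoofed sources every address appears once, so only the aggregate half-open ratio separates a flood from a busy period. The DNS and GET checks are per window and per source respectively; in practice the thresholds would be set from a baseline of the organisation's own traffic rather than the constants used here.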

How to block / mitigate DDoS attacks?

There are several ways to block DDoS attacks using multiple security products.

[Figure 1: DDoS Mitigation. Two panels, "Mitigation - In premises" and "Mitigation - At Edge Level", each showing the Attacker, the ISP, the Mitigation point and the User.]

Reference 1 gives an expansion of terms used in this section.
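The Hash DoS described in attack 11 is one case where the block belongs in the application itself, before the request reaches the hash table. As an added example that is not from the paper, this Python snippet places an unbounded form parser beside a hardened one that caps parameter count and body size before parsing. The limits are assumptions, and many_params_body constructs an oversized test body with distinct, non-colliding names.

```python
"""Bounding form parsing against the Hash DoS of attack 11 (added example; not from the paper).

The attack sends one POST body carrying thousands of parameters whose names
collide in the server's hash table, so each insert degrades to a linear scan.
Two defences stack: refuse the request before any dictionary is built when the
parameter count or body size exceeds a fixed limit, and run on a runtime whose
string hash is randomized per process so collisions cannot be precomputed.
The limits below are illustrative assumptions.
"""
import sys
from urllib.parse import parse_qs


class RequestTooLarge(ValueError):
    """Raised before parsing when a body exceeds the configured limits."""


def parse_form_unbounded(body: str) -> dict:
    """The 'before' case: parse_qs builds a dict of every parameter it finds,
    however many there are, so a collision-crafted body dictates the cost."""
    return parse_qs(body, keep_blank_values=True)


def parse_form(body: str, max_params: int = 1000, max_bytes: int = 65536) -> dict:
    """Hardened parser for application/x-www-form-urlencoded bodies.

    The size and count checks run on the raw string in O(n) and allocate no
    hash-table entries, so they cannot themselves be turned into collision work.
    parse_qs's own max_num_fields (standard library, Python 3.8+) is passed as a
    second guard so the limit holds even if a caller bypasses the pre-check.
    """
    if len(body.encode("utf-8")) > max_bytes:
        raise RequestTooLarge(f"body of {len(body)} chars exceeds {max_bytes} bytes")
    pair_count = body.count("&") + 1 if body else 0     # '&' separates key=value pairs
    if pair_count > max_params:
        raise RequestTooLarge(f"{pair_count} parameters exceed limit of {max_params}")
    try:
        return parse_qs(body, keep_blank_values=True, max_num_fields=max_params)
    except ValueError as exc:                          # parse_qs raises ValueError on overflow
        raise RequestTooLarge(str(exc)) from exc


def rejects(body: str, **limits) -> bool:
    """True when parse_form refuses the body under the given limits."""
    try:
        parse_form(body, **limits)
    except RequestTooLarge:
        return True
    return False


def hash_randomization_enabled() -> bool:
    """True when CPython seeds str hashing per process (the default since 3.3),
    which removes the attacker's ability to precompute colliding keys."""
    return bool(sys.flags.hash_randomization)


def many_params_body(n: int) -> str:
    """Constructed oversized body with n distinct, non-colliding parameters,
    used only to exercise the limits."""
    return "&".join(f"k{i}=v" for i in range(n))


if __name__ == "__main__":
    print(parse_form("user=alice&tag=a&tag=b"))
    print("1001 params rejected:", rejects(many_params_body(1001)))
    print("hash randomization:", hash_randomization_enabled())
```

The count check is the part that matters for this attack: it costs one pass over the string and no dictionary inserts, so the server spends almost nothing on a request it will refuse. Equivalent parameter-count limits exist in the platforms the paper names (for example Tomcat's maxParameterCount and ASP.NET's MaxHttpCollectionKeys), and a randomized or keyed hash removes the precomputed-collision trick entirely; the cap remains useful as a bound on memory and parsing time regardless.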

Deploying DDoS Prevention Devices in Premises:

Security firewalls and intrusion prevention system devices which support prevention of DDoS attacks can be deployed, or the existing devices can be upgraded with the latest version of images to help mitigate small scale DDoS attacks. These measures ensure that DDoS attack traffic does not reach destination servers/applications. However, the attack still disrupts business, as it increases consumption of internet bandwidth tremendously when mitigation occurs at the in-house device level. Also, this type of downstream response only helps protect against small attacks and is inadequate against attacks of a longer duration. Enterprises would need a solution with access to upstream traffic to prevent large scale attacks.

DDoS Prevention at Edge Level:

In this method, malicious traffic gets blocked at the service provider network level itself, so that your internet bandwidth is used for original/real traffic. To ensure that legitimate traffic does not get blocked, security professionals continuously analyze customer traffic. Usually, the internet service provider can prevent DDoS attacks on your network.

DDoS Response Model for Enterprises

The complex and dynamic nature of the DDoS threat landscape makes it imperative for enterprises to adopt a services based internal defence strategy to protect against such attacks. The complexity as well as the increasing number of DDoS attacks have rendered deploying anti-malware platforms and firewalls an inadequate defence.

So, what are the components of a comprehensive internal DDoS mitigation plan? Engaging with a third party service provider to implement a hybrid solution which incorporates cloud based services and appliances will improve visibility of the network. While the cloud aspect will provide the versatility required for 'always-on' threat monitoring and detection as well as the agility to handle a DDoS attack in real time, using appliances will help identify the compromised host in the network besides logging all the communications and transactions. Implementing a hybrid solution would enable real-time threat notification and detection, quick remediation and better damage control, and limit post event costs. Organizations need to put in place a strategy to counter DDoS attacks or they risk losing valuable time that could potentially delay recovery after an attack. Figure 2 shows the steps involved in an effective incident response plan:

• Preparation: list the services that your ISP can provide and understand what can be done at the provider level
• Identification: detect the attack, define its scope and engage with the appropriate parties
• Mitigation: contain the effects of the attack on the targeted environment and initiate remedial measures
• Post incident analysis: record the details of the attack, identify gaps in preparation and mitigation
• Improvement: assess the efficacy of your response plan and rework your strategy based on the post event analysis report
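As an added example that is not from the paper, this Python simulation makes the trade-off between in-premises and edge-level mitigation concrete: the same per-source token-bucket filter is placed first behind the customer's internet link (in premises) and then in front of it (at the ISP edge), and the replay reports how many bytes cross the link in each case. The packet stream, link capacity, addresses and rate limits are constructed assumptions.

```python
"""Filter placement: in premises versus at the ISP edge (added example; not from the paper).

The same rule, a per-source token bucket, is applied in both positions. Only the
edge placement keeps dropped bytes off the customer's internet link, which is
the limitation of in-premises devices described above. The packet stream, link
capacity and rate limits are constructed assumptions; the model ignores queueing,
so a link reported as saturated would in reality shed legitimate packets too.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t_ms: int      # arrival time in milliseconds
    src: str
    size: int      # bytes


class TokenBucket:
    """Per-source limiter: `rate` bytes per millisecond, burst of `burst` bytes.
    Integer arithmetic keeps the replay exactly reproducible."""

    def __init__(self, rate: int, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: burst)   # each new source starts with a full bucket
        self.last = defaultdict(int)

    def allow(self, pkt: Packet) -> bool:
        elapsed = pkt.t_ms - self.last[pkt.src]
        self.last[pkt.src] = pkt.t_ms
        self.tokens[pkt.src] = min(self.burst, self.tokens[pkt.src] + elapsed * self.rate)
        if self.tokens[pkt.src] >= pkt.size:
            self.tokens[pkt.src] -= pkt.size
            return True
        return False


def simulate(stream, placement, link_bytes_per_sec, window_ms, rate=5, burst=10_000):
    """Replay `stream` through a filter placed 'premises' (behind the link) or
    'edge' (in front of it). Returns byte counts and link utilisation."""
    if placement not in ("premises", "edge"):
        raise ValueError("placement must be 'premises' or 'edge'")
    bucket = TokenBucket(rate, burst)
    offered = link = server = 0
    for pkt in sorted(stream, key=lambda p: (p.t_ms, p.src)):
        offered += pkt.size
        allowed = bucket.allow(pkt)
        if placement == "premises" or allowed:
            link += pkt.size          # in premises, every packet crosses the link first
        if allowed:
            server += pkt.size
    capacity = link_bytes_per_sec * window_ms // 1000
    utilisation = round(link / capacity, 3)
    return {"offered": offered, "link": link, "server": server,
            "dropped": offered - server, "utilisation": utilisation,
            "saturated": utilisation >= 1.0}


def build_sample_stream():
    """Constructed 10-second window: 20 clients sending 1000 B every 500 ms and
    200 flood sources sending 1500 B every 100 ms (RFC 5737 addresses)."""
    legit = [Packet(j * 500, f"192.0.2.{c}", 1000) for c in range(1, 21) for j in range(20)]
    flood = [Packet(i * 100, f"198.51.100.{s}", 1500) for s in range(1, 201) for i in range(100)]
    return legit + flood


if __name__ == "__main__":
    stream = build_sample_stream()
    for placement in ("premises", "edge"):
        # 10 Mbit/s link = 1,250,000 bytes per second, over a 10,000 ms window
        print(placement, simulate(stream, placement, 1_250_000, 10_000))
```

With these constructed numbers the in-premises placement lets the full 30.4 MB of offered traffic onto a link that carries 12.5 MB in the window, so the link is saturated even though the appliance drops most of the flood before it reaches the server; the edge placement keeps the link under capacity. The per-source limit still passes a large share of the flood because it is spread across 200 sources, which is why the paper's edge-level approach relies on the provider's continuous analysis of customer traffic rather than per-address limits alone.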

About GIS

Global Infrastructure Services (GIS), a unit of Wipro Limited, is an end to end IT infrastructure & outsourcing services provider to global customers across 61 countries. Its suite of Technology Infrastructure services spans Data Center, End User Computing, Networks, Managed Services, Business Advisory and Global System Integration. Wipro is a pioneer in Infrastructure Management services and is amongst the fastest-growing providers across the world. GIS enables customers to do business better by enabling innovation via standardization and automation, so that businesses can be more agile & scalable and can find growth and succeed in their global business. Backed by our strong network of Integrated ServiceNXT™ Operation Centers and 11 owned data centres spread across US, Europe and APAC, this unit serves more than 500 clients with a global team of 23,800 professionals and contributes over 30% of the IT Services revenues of Wipro Limited.

About Wipro Ltd.

Wipro Ltd. (NYSE:WIT) is a leading Information Technology, Consulting and Outsourcing company that delivers solutions to enable its clients do business better. Wipro delivers winning business outcomes through its deep industry experience and a 360° view of "Business through Technology", helping clients create successful and adaptive businesses. A company recognized globally for its comprehensive portfolio of services, a practitioner's approach to delivering innovation and an organization wide commitment to sustainability, Wipro has a workforce of 140,000 serving clients across 61 countries. For information visit www.wipro.com


WIPRO LIMITED, DODDAKANNELLI, SARJAPUR ROAD, BANGALORE - 560 035, INDIA TEL : +91 (80) 2844 0011, FAX : +91 (80) 2844 0256, email : [email protected] © WIPRO LIMITED 2013. “No part of this booklet may be reproduced in any form by any electronic or mechanical means (including photocopying, recording and printing) without permission in writing from the publisher, except for reading and browsing via the world wide web. Users are not permitted to mount this booklet on any network server.” IND/TMPL/DEC2013