
DDoS Attacks

And How to Mitigate Them

LKCS

What is a DDoS attack?


DDoS = Distributed Denial of Service
A DDoS attacker's goal is to make your web site (or a specific web application) inaccessible, denying service to your members/customers. The attack is distributed across many computers and many internet connections. Typically thousands or millions of routine web server requests are made in rapid succession until they overwhelm the web servers, firewalls, routers, etc. and consume all of the available internet bandwidth.

There is NO WAY TO PREVENT a DDoS attack.

DDoS Attack Phases


Phase One: Target Acquisition.
An attacker picks a company, organization, data center, or server to attack. The reason for selection could be financial (someone is paying the attacker), political hacktivism (the attacker is trying to make a statement), or it could be just for malicious fun.

DDoS Attack Phases (cont.)


Phase Two: Groundwork.
The attacker compromises a large number of unsecured computers (typically home user machines with broadband internet connections). Malicious software is installed on each machine, which the attacker will later use to target your network. Access to these botnets can even be rented by the hour! Hacker collectives bring scale and expertise to attacks.

DDoS Attack Phases (cont.)


Phase Three: ATTACK.
The attacker sends a command to each of the compromised hosts (now known as zombie computers) and directs them to flood the target with legitimate web requests, overwhelming the web server(s) or choking the bandwidth to a snail's pace. The attack lasts as long as the attacker wants, or at least for as long as he/she/they can afford.

About Botnets
A botnet can generate 1 million times the available bandwidth of a business.

It takes just 64,000 PCs infected with a virus like Conficker to generate 10 gigabits per second of traffic.

Mariposa, the largest known botnet, affected 12 million PCs. It could have generated a DDoS attack as large as 31.2 terabytes per second.

Source: AT&T

Botnets by the Hour


There are DOZENS of companies selling DDoS as a service
SSH Booter, Empire Stresser, Quantum Stresser, Asylum Stresser, Titanium Stresser, Illuminati Stresser, Agony Stresser
Pay with PayPal, Bitcoin or Credit Card
One hour for $5, 24 hours for $40 and a week for $260
These sites offer "stress testing" so that an organization can check its DDoS defenses. Just one problem: there is no verification that the person buying the stress test has any affiliation with the target.

Too easy!

Low Orbit Ion Cannon
Just one kind of DDoS attack
Easy to use, online accessible tool for the novice hacker
Menu choices enable the hacker to choose protocols for attack (TCP, UDP, ICMP)
The rate of attack is also easily adjustable
The hacker can choose to attack a web URL or IP address

A Few Others

Types of Attacks for the techies


Volume Based Attacks
Includes UDP floods, ICMP floods, and other spoofed-packet floods. The attack's goal is to saturate the bandwidth of the attacked site. Magnitude is measured in Bits per Second (bps).

Protocol Attacks
Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. This type of attack consumes actual server resources, or those of intermediate communication equipment, such as firewalls and load balancers. Measured in Packets per Second.

Types of Attacks for the techies


Application Layer Attacks
Includes Slowloris, zero-day DDoS attacks, DDoS attacks that target Apache, Windows or OpenBSD vulnerabilities, and more. Composed of seemingly legitimate and innocent requests, the goal of these attacks is to crash the web server. Magnitude is measured in Requests per Second.

A DDoS attacker can change attack profiles on the fly to thwart mitigation efforts.

DDoS Attack Growth


Q1 2013 Compared to Q4 2012
Average attack bandwidth up 718%, from 5.9 Gbps to 48.25 Gbps
China retains its position as the top source country for DDoS attacks

Q1 2013 Compared to Q1 2012


21% increase in the total number of DDoS attacks
Source: Prolexic

POLL QUESTION
How likely will your company become a victim of a DDoS attack within the next 12 months?

What's at stake?

DDoS Attack Costs


Damage to Your Brand
If your site is down, account holders will question if you provide a safe place to bank. Ruins years of work building your brand.

Loss of Revenue
If your website is down, you lose revenue.

Bad Member/Customer Experience
Call centers get overwhelmed. No online banking, bill pay, forms or applications, account opening, etc. Account holder frustration skyrockets. People seek alternatives.

DDoS Attack Mitigation
You want to be covered but you have limited staff and budget. DDoS attack mitigation is inexpensive compared to the other costs.

A DDoS attack can cost a victim organization as much as $10,000 to $50,000 per hour in lost revenue.

And one more


DDoS attacks are more frequently being used to hide security breaches and data theft.
Attention focuses on the attack. Log files get massive and too difficult to analyze quickly. Servers and routers are rebooted, often destroying forensic evidence. Attacks end long before any intrusion is identified.

Alarming Figures
Currently up to 130,000 DDoS attacks PER DAY!
Recent attacks have grown as large as 100-300 Gbps (Gigabits per second)
Small and mid-size banks and credit unions size their bandwidth to handle their average web traffic, NOWHERE CLOSE TO THE SIZE OF THESE DDoS ATTACKS
The 300 Gbps attack on Spamhaus (March 27th) slowed internet traffic WORLDWIDE.

What We Know from Recent CU Attacks


Firewalls and Intrusion Detection Systems are ineffective at DDoS Protection.
They provided limited protection up to a point but quickly got overwhelmed by the amount of malicious HTTP traffic. When enormous amounts of DNS traffic were received, these systems crashed and were taken offline completely.

Even those institutions with dedicated DDoS mitigation appliances lacked the trained staff to use them effectively.

So, You're Not a Large Bank or CU


Smaller financial institutions are MORE vulnerable.
You don't have the budgets to spend on in-house DDoS protection (hardware, software, and human experience) that you may not need. Even small attacks (the 90% below 1 Gbps) can currently cripple your online operations. How much internet bandwidth do you have? How much can you afford? It doesn't matter; the DDoS attackers have more.

What Can You Do About DDoS Attacks?


Traditional In-House
Costs of hardware and additional bandwidth
Only works for certain types of small scale attacks
Not deployed specifically for DDoS protection

DDoS Appliance
High upfront cost
How many locations need appliances? Is it even feasible?
Needs extensive support and expertise

ISP/Web Host
Rely on traditional firewalls and intrusion detection systems
Protection for limited attack types
Larger attacks will be blackholed, making your site unavailable

Content Distribution Network
Not designed for DDoS
DDoS attacks can bypass cache & send requests to origin servers
Limited bandwidth

Cloud-Based Service
Reduced costs, no capital expenditure
Multi-layered mitigation solutions and dedicated DDoS expertise
Real-time mitigation monitoring and post-event reporting

Things to Look for in a DDoS Solution


Experience and Expertise
Scrubbing Capacity (Bandwidth)
Attack / Mitigation Diversity
Technologies Deployed
Time to Mitigate / Service Level Agreements
Cost
Monthly Service
Per Incident Fee
Attack Size / Clean Traffic Bandwidth
Number of Domains/Resources
SSL Protection (Layer 7)

POTENTIAL OVERAGE CHARGES

Cloud-Based DDoS Mitigation Options


Option 1: Always-On
Your web traffic is continuously monitored for DDoS attacks
Mitigation can begin as soon as a potential attack is identified
NO DOWNTIME
Dedicated server/router required (may not be available with shared web hosting)
Expensive: starts at $2,000 per month (approx.)

Option 2: On-Demand
Your web traffic is diverted to the DDoS provider when you are under attack
Mitigation begins within minutes of traffic diversion (DNS change)
Typically 5-15 minutes downtime (depends on complexity)
Economical: starts at $700 per month plus mitigation costs if needed.

Cloud-Based DDoS Mitigation Options


Option 3: Emergency Mitigation
Your web traffic is diverted at the time of attack
Mitigation begins within minutes of traffic diversion (DNS change)
Downtime depends on vendor provisioning and attack complexity (4 hours estimated)
Available for any web site or web application
Emergency setup fees may apply
Ranges from Expensive to Very Expensive: $10,000 and up (approx.)

POLL QUESTION Which of these options seems to be the best fit for you?

One Thing You Should Do NOW


Reduce the TTL on Your DNS A Records
Let me explain
During a DDoS attack, you will need to redirect your web site traffic to your DDoS provider. This is done by changing the IP address that your domain name points to. This is a Domain Name System (DNS) change to an A record, which provides servers around the world with the IP address of your domain. These IP addresses are cached by servers worldwide for a period of time known as the Time to Live (TTL). You control this TTL value. It is listed in seconds.

One Thing You Should Do NOW (cont.)


Reduce the TTL on Your DNS A Records
A long TTL will enable DNS servers to cache your IP address for several hours/days and reduce the number of requests made to your primary DNS host. However, these servers will continue to direct traffic to that cached IP address until the TTL expires. Example: a TTL of 259200 = 3 days.
A short TTL will increase the load on your DNS host BUT will enable you to redirect all web site requests to a new IP address within a few minutes (to your DDoS provider or back to normal, for example). Example: a TTL of 300 = 5 minutes.

Who Manages Your DNS?


The Possibilities:
You do
Your ISP or web host (LKCS)
Your core processor or home banking provider
Your domain name registrant
Your computer consultant (or prior consultant)

What You Need to Do:


1. Find out who manages your DNS
2. Ask if there is a minimum TTL value
3. Ask if the TTL value will revert to a default value on its own
4. Check the TTL value on the A record(s)
5. Change them if necessary (LKCS recommends a value of 300-600)
6. Change DNS providers if necessary (NOT EXPENSIVE)
LKCS CAN HELP!
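Step 4 (check the TTL on your A records) can be scripted against a zone file export from whoever manages your DNS. The script below is an added example, not LKCS code: it parses a BIND-style zone (a $TTL default plus records that may carry their own TTL), lists A records above the recommended 600-second ceiling, and reports the longest delay before a redirect to a DDoS provider reaches every resolver. The zone content, hostnames and addresses are constructed sample data.

```python
import re
from dataclasses import dataclass

RECOMMENDED_MAX_TTL = 600  # seconds; top of the 300-600 range recommended above

# Constructed sample zone (placeholder names and RFC 5737 test addresses).
SAMPLE_ZONE = """\
$TTL 259200   ; 3-day default inherited by records without their own TTL
@               IN  SOA   ns1.example.test. hostmaster.example.test. (2024010101 7200 3600 1209600 300)
@               IN  NS    ns1.example.test.
www             IN  A     192.0.2.10
online-banking  600 IN  A 192.0.2.20
mail     3600   IN  A     192.0.2.30
ftp             IN  CNAME www
"""

@dataclass
class ARecord:
    name: str
    ttl: int      # effective TTL in seconds (explicit, or the $TTL default)
    address: str

# "name [ttl] [IN] A address"; other record types deliberately do not match
_A_RECORD = re.compile(r"^(\S+)\s+(?:(\d+)\s+)?(?:IN\s+)?A\s+(\S+)$")

def parse_a_records(zone_text: str) -> list[ARecord]:
    """Return every A record with the TTL a resolver would actually cache."""
    default_ttl = None
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip zone-file comments
        if not line:
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        m = _A_RECORD.match(line)
        if not m:
            continue
        name, ttl, address = m.groups()
        effective = int(ttl) if ttl else default_ttl
        if effective is None:
            raise ValueError(f"{name}: no TTL on the record and no $TTL default")
        records.append(ARecord(name, effective, address))
    return records

def records_to_fix(zone_text: str, max_ttl: int = RECOMMENDED_MAX_TTL) -> list[ARecord]:
    """A records whose cached TTL would delay redirecting traffic during an attack."""
    return [r for r in parse_a_records(zone_text) if r.ttl > max_ttl]

def worst_case_redirect_delay(zone_text: str) -> int:
    """Seconds until the last resolver drops the old address (the largest A TTL)."""
    return max(r.ttl for r in parse_a_records(zone_text))
```

On the sample zone, `www` (inheriting the 3-day default) and `mail` (3600) are flagged, while `online-banking` at exactly 600 passes; the worst-case redirect delay is 259200 seconds.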

POLL QUESTION Has your financial institution budgeted for DDoS protection or mitigation expenses?

What does DDoS Mitigation cost?


It's the wild, wild west out there. Pricing can vary widely, but so can both the quality and level of DDoS mitigation service. We've spoken to dozens of DDoS providers. Here are very rough costs that we've seen FROM OTHER PROVIDERS:
Always-On Protection: starting at $2,000 per month
On-Demand Protection: starting at $700 per month (relatively low bandwidth) but could be up to $6,000 per attack mitigation
Emergency Mitigation: starting at $10,000 AND UP

DDoS Mitigation from LKCS


LKCS is partnering with a major DDoS mitigation provider. We are designing our solution to include:
On-Demand Solution with Emergency Mitigation Option
Unlimited attack size (no overage costs)
Service Level Agreement guarantees for fast response
Multiple DDoS mitigation technologies protecting all TCP web services (web sites, e-mail, home banking, etc.)
Layer 7 SSL mitigation available

DDoS Mitigation from LKCS (cont.)


Pricing based on clean traffic bandwidth (the internet traffic that you are already getting)
Low monthly cost with a per-mitigation fee (don't pay for what you don't need)
Real-time and post-mitigation reporting
DDoS protection starts at $500 per month, depending on clean traffic bandwidth and other factors

Interested?
Contact me for more details:
Sid Haas Vice President of Business Development Direct: 815-220-3904 sid.haas@lk-cs.com

THANK YOU for attending today's webinar!
