DDoS Attacks and How to Mitigate Them

Posted by on June 26th, 2013 in Technology

You’ve seen it in the news. Hackers release malicious code to infect computers to trigger mass attacks against specific websites, causing them to be inaccessible to legitimate traffic.

Unfortunately, financial institutions are becoming more frequent victims of DDoS attacks. Probably the biggest misconception about DDoS attacks is that once you have a firewall or protective software installed and are running at a well-respected data center, you’re already safe.

Unfortunately, recent attacks on major websites have disproved that. DDoS attacks cannot be prevented. But there are steps that you can take to reduce the time to mitigate a DDoS attack once one begins.

Video Webinar

In today’s Webinar Wednesday episode, our Vice-President of Business Development, Sid Haas, explains what a DDoS attack is, why banks and credit unions should be aware of them, and specific DDoS mitigation strategies.

Video Transcript (Highlights)

What is a DDoS attack?

DDoS = Distributed Denial of Service

  • A DDoS attacker’s goal is to make your web site (or a specific web application) inaccessible, denying service to your members/customers.
  • Distributed across many computers and many internet connections.
  • Typically thousands or millions of routine web server requests are made in rapid succession until they overwhelm the web servers, firewalls, routers, etc. and consume all of the available internet bandwidth.
  • There is NO WAY TO PREVENT a DDoS attack.

DDoS Attack Phases

Phase One: Target Acquisition.

  • An attacker picks a company, organization, data center, or server to attack.
  • The reason for selection could be financial (someone is paying the attacker), political “hacktivism” (the attacker is trying to make a statement), or it could be just for malicious fun.

Phase Two: Groundwork.

  • The attacker compromises a large number of unsecured computers (typically home user machines with broadband internet connections).
  • Software is maliciously installed on each machine that the attacker will later use to target your network.
  • Access to these “botnets” can even be rented by the hour!
  • Hacker collectives bring scale and expertise to attacks.

Phase Three: ATTACK.

  • The attacker sends a command to each of the compromised hosts (now known as zombie computers) and commands them to flood the target with legitimate web requests, overwhelming the web server(s) or choking the bandwidth to a snail’s pace.
  • The attack lasts as long as the attacker wants, or at least for as long as he/she/they can afford.

About Botnets

A botnet can generate 1-Million times the available bandwidth of a business. It takes just 64,000 PCs infected with a virus like Conficker to generate 10 gigabits-per-second of traffic. Mariposa, the largest known botnet, affected 12 million PCs. It could have generated a DDoS attack as large as 31.2 terabytes-per-second. (Source: AT&T)

Botnets by the Hour

There are DOZENS of companies selling DDoS as a service

  • SSH Booter, Empire Stresser, Quantum Stresser, Asylum Stresser, Titanium Stresser, Illuminati Stresser, Agony Stresser
  • Pay with PayPal, Bitcoin or Credit Card
  • One hour for $5, 24-hours for $40 and a week for $260
  • These sites offer “stress testing” so that an organization can check its DDoS defenses.
  • Just one problem: there is no verification that the person buying the “stress test” has any affiliation with the target.

Too easy!

“Low Orbit Ion Cannon”

  • Just one kind of DDoS attack.
  • Easy-to-use tool, available online, for the novice hacker.
  • Menu choices enable the hacker to choose protocols for the attack (TCP, UDP, ICMP).
  • The rate of attack is also easily adjustable.
  • The hacker can choose to attack a web URL or IP address.

Types of Attacks (for the techies)

Volume Based Attacks

  • Includes UDP floods, ICMP floods, and other spoofed-packet floods.
  • The attack’s goal is to saturate the bandwidth of the attacked site.
  • Magnitude is measured in bits per second (bps).

Protocol Attacks

  • Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more.
  • This type of attack consumes actual server resources, or those of intermediate communication equipment, such as firewalls and load balancers.
  • Measured in Packets per Second.

Application Layer Attacks

  • Includes Slowloris, Zero-day DDoS attacks, DDoS attacks that target Apache, Windows or OpenBSD vulnerabilities and more.
  • Comprised of seemingly legitimate and innocent requests, the goal of these attacks is to crash the web server.
  • Magnitude is measured in Requests per Second.
  • A DDoS attacker can change attack profiles on the fly to thwart mitigation efforts.

DDoS Attack Growth

Q1 2013 Compared to Q4 2012

  • Average attack bandwidth up 718% from 5.9 Gbps to 48.25 Gbps.
  • China retains its position as the top source country for DDoS attacks.

Q1 2013 Compared to Q1 2012

  • 21% increase in the total number of DDoS attacks. (Source: Prolexic)

What’s at stake?

DDoS Attack Costs:

Damage to Your Brand

  • If your site is down, accountholders will question if you provide a safe place to bank.
  • Ruins years of work building your brand.

Loss of Revenue

  • If your website is down, you lose revenue.
  • No online banking, bill pay, forms or applications, account opening, etc.

Bad Member / Customer Experience.

  • Call centers get overwhelmed.
  • Account holder frustration skyrockets.
  • People seek alternatives.

DDoS Attack Mitigation.

  • You want to be covered but you have limited staff and budget.
  • DDoS attack mitigation is inexpensive compared to the other costs.

A DDoS attack can cost a victim organization as much as $10,000 to $50,000 per hour in lost revenue.

And one more…

DDoS attacks are more frequently being used to hide security breaches and data theft.

  • Attention focuses on the attack.
  • Log files get massive, too difficult to analyze quickly.
  • Servers and routers rebooted, often destroying forensic evidence.
  • Attacks end long before any intrusion is identified.

Alarming Figures

Currently up to 130,000 DDoS attacks PER DAY!

Recent attacks have grown as large as 100-300 Gbps (Gigabits per second).

  • Small and mid-size banks and credit unions size their bandwidth to handle their average web traffic.
  • NOWHERE CLOSE TO THE SIZE OF THESE DDoS ATTACKS.
  • The 300 Gbps attack on Spamhaus (March 27th) slowed internet traffic WORLDWIDE.

What We Know from Recent CU Attacks

Firewalls and Intrusion Detection Systems are ineffective at DDoS Protection.

  • They provided limited protection up to a point, but quickly got overwhelmed by the amount of malicious HTTP traffic.
  • When enormous amounts of DNS traffic were received, these systems crashed and were taken offline completely.

Even those institutions with dedicated DDoS mitigation appliances lacked the trained staff to use them effectively.

So, You’re Not a Large Bank or CU…

Smaller financial institutions are MORE vulnerable.

  • You don’t have the budgets to spend on in-house DDoS protection (hardware, software, and human experience) that you may not need.
  • Even small attacks (the 90% below 1 Gbps) can currently cripple your online operations.
  • How much internet bandwidth do you have? How much can you afford? It doesn’t matter, the DDoS attackers have more.

What Can You Do About DDoS Attacks?

Traditional In-House

  • Costs of hardware and additional bandwidth.
  • Only works for certain types of small scale attacks.
  • Not deployed specifically for DDoS protection

DDoS Appliance

  • High upfront cost.
  • How many locations need appliances? Is it even feasible?
  • Needs extensive support and expertise

ISP/Web Host

  • Rely on traditional firewalls and intrusion detection systems.
  • Protection for limited attack types.
  • Larger attacks will be black holed, making your site unavailable.

Content Distribution Network

  • Not designed for DDoS.
  • DDoS attacks can bypass cache & send requests to origin servers
  • Limited bandwidth

Cloud-Based Service

  • Reduced costs
  • No capital expenditure.
  • Multi-layered mitigation solutions and dedicated DDoS expertise.
  • Real-time mitigation monitoring and post-event reporting.

Things to Look for in a DDoS Solution

  • Experience and Expertise.
  • Scrubbing Capacity (Bandwidth).
  • Attack / Mitigation Diversity.
  • Technologies Deployed.
  • Time to Mitigate / Service Level Agreements.

Cost

  • Monthly Service.
  • Per Incident Fee.
  • Attack Size / Clean Traffic Bandwidth.
  • Number of Domains/Resources.
  • SSL Protection (Layer 7).
  • POTENTIAL OVERAGE CHARGES.

Cloud-Based DDoS Mitigation Options

Option 1: Always-On

  • Your web traffic is continuously monitored for DDoS attacks.
  • Mitigation can begin as soon as a potential attack is identified.
  • NO DOWNTIME.
  • Dedicated server/router required; may not be available with shared web hosting.
  • Expensive.
  • Starts at $2,000 per month (approx.).

Option 2: On-Demand

  • Your web traffic is diverted to the DDoS provider when you are under attack.
  • Mitigation begins within minutes of traffic diversion (DNS change).
  • Typically 5-15 minutes downtime (depends on complexity).
  • Economical.
  • Starts at $700 per month plus mitigation costs if needed.

Option 3: Emergency Mitigation

  • Your web traffic is diverted at the time of attack.
  • Mitigation begins within minutes of traffic diversion (DNS change).
  • Downtime depends on vendor provisioning and attack complexity (4 hours estimated).
  • Available for any web site or web application.
  • Emergency setup fees may apply.
  • Ranges from Expensive to Very Expensive.
  • $10,000 and up (approx.).

One Thing You Should Do NOW

Reduce the TTL on Your DNS A Records.

  • During a DDoS attack, you will need to redirect your web site traffic to your DDoS provider.
  • This is done by changing the IP address that your domain name points to.
  • This is a Domain Name System (DNS) change to an “A” record which provides servers around the world with the IP address of your domain.
  • These IP addresses are cached by servers worldwide for a period of time known as the Time to Live (TTL).
  • You can control this TTL value. It is listed in seconds.
  • A long TTL will enable DNS servers to cache your IP Address for several hours/days and reduce the number of requests made to your primary DNS host. However, these servers will continue to direct traffic to that cached IP address until the TTL expires.

Example: A TTL of 259200 = 3 Days

  • A short TTL will increase the load on your DNS host
  • BUT will enable you to redirect all web site requests to a new IP address within a few minutes (to your DDoS provider or back to normal, for example).

Example: A TTL of 300 = 5 Minutes

Who Manages Your DNS?

The Possibilities:

  • You do?
  • Your ISP or web host (LKCS)?
  • Your core processor or home banking provider?
  • Your domain name registrar?
  • Your computer consultant (or prior consultant)?

What You Need to Do:

  1. Find Out Who Manages Your DNS.
  2. Ask if there is a minimum TTL value.
  3. Ask if the TTL value will revert to a default value on its own.
  4. Check the TTL value on the A record(s).
  5. Change them if necessary (LKCS recommends a value of 300-600).
  6. Change DNS providers if necessary (NOT EXPENSIVE) LKCS CAN HELP!
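The TTL explanation above and the checklist that follows it come down to one check: find every A record, work out its effective TTL, and flag anything above the recommended range. The script below is an added example (not from LKCS or the webinar) that does this over BIND-style zone text; the zone data, owner names and TEST-NET addresses are constructed for illustration, and the 600-second limit is the upper end of the 300-600 range recommended above.

```python
"""Audit A-record TTLs in BIND-style zone text before you need to divert traffic to a scrubber."""
import re

RECOMMENDED_MAX = 600   # upper end of the 300-600 second range recommended in the post
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# owner [ttl] [IN] [ttl] A address  (BIND accepts the TTL on either side of the class)
_A_RECORD = re.compile(r"^(\S+)\s+(?:(\d[\dsmhdw]*)\s+)?(?:IN\s+)?(?:(\d[\dsmhdw]*)\s+)?A\s+(\S+)", re.I)
# Constructed sample zone (hypothetical owners, TEST-NET addresses); not a real institution's zone.
SAMPLE_ZONE = """\
$TTL 3d                          ; 259200 seconds, the 3-day example from the post
@        IN  A   192.0.2.10      ; inherits the 3-day $TTL
www      IN  A   192.0.2.10
online   600 IN  A   192.0.2.20  ; explicit TTL, already within 300-600
mail     IN  MX  10 mail.example.net.
         IN  A   192.0.2.30      ; owner-less line: BIND reuses the previous owner ("mail")
"""

def ttl_seconds(text):
    """Parse a BIND TTL: plain seconds ('300') or suffixed ('3d', '1h30m'); unparseable -> 0."""
    if text.isdigit():
        return int(text)
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", text.lower()))

def parse_a_records(zone_text):
    """Return [(owner, ttl_seconds, address)] for every A record, with $TTL as the default TTL."""
    default_ttl, last_owner, records = None, "@", []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if line.startswith("$"):                      # directives: only $TTL matters here
            if line.upper().startswith("$TTL"):
                default_ttl = ttl_seconds(line.split()[1])
            continue
        if line[0].isspace():                         # continuation line: reuse previous owner
            line = f"{last_owner} {line.strip()}"
        else:
            last_owner = line.split()[0]
        m = _A_RECORD.match(line)
        if m:
            explicit = m.group(2) or m.group(3)
            records.append((m.group(1), ttl_seconds(explicit) if explicit else default_ttl, m.group(4)))
    return records

def audit_zone(zone_text, limit=RECOMMENDED_MAX):
    """Return (A records over `limit` or lacking any TTL, worst-case seconds until all resolvers honor a new IP)."""
    records = parse_a_records(zone_text)
    flagged = [(o, t) for o, t, _ in records if t is None or t > limit]
    return flagged, max((t for _, t, _ in records if t is not None), default=0)
```

The second value returned by `audit_zone` is the longest time an on-demand diversion (or the switch back) can take to reach every visitor, so it should already be in the five-to-ten-minute range before an attack starts.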

What does DDoS Mitigation cost?

It’s the wild, wild west out there…

Pricing can vary widely, but so can both the quality and level of DDoS mitigation service. We’ve spoken to dozens of DDoS providers. Here are very rough costs that we’ve seen FROM OTHER PROVIDERS:

  • Always-On Protection: starting at $2,000 per month.
  • On-Demand Protection: starting at $700 per month (relatively low bandwidth) but could be up to $6K per attack.
  • Emergency Mitigation: starting at $10,000 AND UP.

DDoS Mitigation from LKCS

  • LKCS is partnering with a major DDoS mitigation provider.
  • On-Demand Solution with Emergency Mitigation Option.
  • Unlimited attack size (no overage costs).
  • Service Level Agreement guarantees for fast response.
  • Multiple DDoS mitigation technologies protecting all TCP web services (web sites, e-mail, home banking, etc.).
  • Layer 7 SSL mitigation available.
  • Pricing based on clean traffic bandwidth (the internet traffic that you are already getting).
  • Low monthly cost with per mitigation fee (don’t pay for what you don’t need).
  • Real-time and post-mitigation reporting.
  • DDoS protection starts at $500 per month depending on clean traffic bandwidth and other factors.