  1. #1 WHT-BR Top Member (Join Date: Dec 2010, Posts: 15,051)

    [EN] DDoS: Are You Protected Beyond Volumetric Attacks?

    David Monahan
    Mar 31, 2015

    There are numerous types of DDoS protection for your business. I’d like to expand on that topic and discuss how organizations are affected by non-volumetric DDoS attacks and what they can do to recover.

    Volumetric DDoS is the big boy on the field or as I call it – the bully of Internet attacks. It gets the majority of the attention and when aimed at someone’s Internet presence it lumbers in and then bludgeons the services and infrastructure into submission. Without the proper preparation on the part of the target, the bullying and intimidation lasts until either the attacker runs out of money to pay for the service or the target company meets the demands.

    However, volumetric DDoS is only one facet of DDoS, and the other types can be even more difficult to respond to and to detect. Volumetric attacks are often detected fairly rapidly because of their size and collateral damage, but resource starvation and application-level attacks are normally lower key. They often start out well below the radar unless advanced DDoS technology is deployed or specific system and application monitoring is in place.

    In the case of a resource starvation attack, the goal is usually to attack the hosting system via service calls to the Internet Protocol (IP) stack, like TCP SYN requests. Calls to the underlying operating system or authentication system are also used to tie up processes, memory, and IP ports until the system cannot accept or respond to any more requests for connections. To win at this game, the attacker must have done some basic reconnaissance to know what operating system is being run.

    Application-based DDoS attacks perform a similar function but focus not on the network or operating system stack but on a specific target application. The attacker will present a wide variety of bogus data inputs to forms, attack login screens with bogus credentials, and find any other interfaces for the application to throw data at. The goal is to affect the application, the application server, and/or the back-end database. To do this well, the attacker has to have done some reconnaissance and know more about these components, making this more of a precision attack than the others.

    As the bully, volumetric attacks are designed to make a big show to get attention, but both resource and application DDoS attacks are often much smaller than volumetric attacks because they are targeted. The goal of the latter two is often not to take the system out of commission, but to use the attack to actually compromise the system to create a foothold in the network for the attacker. Though volumetric attacks are often used in conjunction with the resource and application attacks to draw attention from the compromise or data extraction, there is no requirement to do so.

    The defense for resource and application-level attacks requires a significantly higher level of precision than volumetric filtering. Volumetric attacks are very often leveraged as a front for the others because to an untrained eye or less effective defense system, resource and application attacks look like real traffic so they are often passed through to their target which is great for the attacker.

    To be successful, the DDoS filtering defense must be system and application aware and preferably integrated with the DDoS volumetric filtering to facilitate a feedback system between them. Without that feedback the problem becomes almost a chicken-and-egg scenario. Which comes first? If volumetric response is first, it has to be configured very loosely to try to ensure that all of the good traffic gets through for filtering by resource and application filters. This will most likely not only reduce the efficacy of the volumetric scrubbing, but it is bound to still drop some desired traffic and add significant load on the latter two scrubbers. Placing resource and application scrubbers in front of the volumetric scrubbers is a non-starter.

    DDoS is a technology problem and requires a strong technology solution. If you are going to come through DDoS unscathed you will need not only a strong technology partner but a strong incident response program. Choose wisely on both counts.
    https://blog.radware.com/security/20...etric-attacks/

  2. #2 WHT-BR Top Member (Join Date: Dec 2010, Posts: 15,051)

    6 Types of DDoS Protection for Your Business

    David Monahan
    Jul 14, 2014

    DDoS attacks have become commonplace these days. The offending attackers may be hacktivists, cyber-criminals, and nation states, or just about anyone else with an Internet grudge and a PayPal or Bitcoin account. These attacks themselves often require no technical skill. Someone with a bone to pick can simply purchase the use of any number of nodes on one or more botnets for an hourly fee (long-term rate discounts available), use a Graphical User Interface (GUI) to organize the attack, and then launch it.

    The purpose of an attack can be to disrupt business for Internet bullying or extortion, or to distract an organization while other attacks are launched to attain a different target. The latter is a bit scarier because the attacker has a plan to work their way into the victim’s network elsewhere, while the target’s resources are all focused on the DDoS.

    Types of DDoS Attacks

    There are three main types of DDoS attacks and multiple subtypes. It is important to note this because each solution handles the different types with various levels of efficacy.

    Volumetric/Flood: This straight-up bully attack hits a target with so much traffic that it is overwhelmed. These attacks often affect the Internet connection as much as they impact the end-target host.

    Resource Starvation: Attacks the underlying operating system and network stack resources in an attempt to crash either or both. This does not rely so much on the total volume of traffic but more on the types and combinations of traffic that will best affect the application or application services.

    Application: This assaults the application at layer 7 of the OSI model and is an attempt to crash the application itself or the underlying application server. Again, this does not rely on total traffic volume but the types and combinations of traffic that will best affect those subsystems.

    What can you do?

    Fortunately, there are options available to protect against DDoS attacks. Let’s take a look.

    1: Nothing

    Description

    Go on with business as usual. Every day is a roll of the dice and for smaller companies without a significant web presence, this may work. For companies with a more significant web presence, each day is a roll of the dice with some probability that you will become a victim.

    Cost

    Short Term: Nothing to implement.
    Long Term: May cost the business everything in the event of an attack.


    2: Disaster Recovery Site

    Description

    This involves having a back-up site in case the primary business site is attacked. If by some odd chance the attacker is identifying you only by IP address, this will work. However, it is flawed at best.

    Since the vast majority of Internet traffic is identified by DNS, as soon as you roll over, the DDoS traffic will follow you to the disaster recovery site when the DNS is rerouted.

    Cost

    This will vary by the size (floor space, CPUs, RAM, connection) and type (hot, warm, or cold) of the Disaster Recovery site. However, since DR planning generally does not include provisions for DDoS, you will most likely not get much usefulness out of this.

    3: Purchase an On-Premises DDoS Mitigation Appliance(s)

    Description

    These appliances are made by a number of reputable vendors but differ in their throughput and efficacy against the various types of attacks. They use proprietary and patented engines to sort the bad traffic from the good, letting only the good traffic through.

    As with any process of this sort, there will be some mislabeling. Some good traffic will probably get filtered while some bad traffic will get through. However, the losses are not enough to cause the servers and applications to see a significant change in performance.

    The critical issue is that if you experience a volumetric DDoS attack, your Internet pipe will fill up, so non-malicious traffic will still be essentially stopped because of the access connection “traffic jam.”

    Cost

    The appliances supporting these solutions can be purchased through vendors and cost may vary by vendor, time of the month/quarter, amount purchased, and also the volume of attacks that you are trying to repel.
    Think about what you expect your Internet connection growth to be over the next 3-5 years and size your purchase based upon that number plus 25%.


    4: Purchase a DDoS Mitigation Service From Your Hosting or Internet Provider

    Description

    Some hosting and cloud vendors offer DDoS mitigation as a premium service add-on. Check your contract to see if this add-on is available.
    Many of them only deal with volumetric attacks, taking advantage of their connections and resources to deal with the volume. This option may not be wholly effective against resource and application attacks. (In many cases they are reselling one of the mitigation services and purchasing the carrier grade DDoS mitigation appliances.)

    This type of service is generally better at fighting volumetric attacks because it keeps that bulk traffic away from your Internet connection so it has less of a possibility of being effective. Depending upon the technology or provider being used, effectiveness against the resource or application attacks will vary.

    Cost

    The good news is these are generally operating expenses, not capital expense charges. The bad news? You have to be very watchful and deliberate about the service provider you choose.

    There are (generally) two charging models. The 1st is a flat rate. While more expensive up front, the advantage is cost awareness.

    The 2nd model charges per attack or by the volume of traffic to be absorbed/cleaned during attacks. Lower up-front costs, but when attack(s) come, the costs cannot be foreseen. It boils down to risk tolerance and luck.

    Note: For large volumetric attacks against companies with large Internet connections and recurring attacks – the charge for the by-the-attack/by-volume services can get into the millions of dollars.


    4a: On-Demand DDoS Mitigation

    Description

    This type of service is only activated when the customer identifies an issue and contacts its provider. The technologies are generally the same as the automatic services, but the provider has a little more set-up to do to make it operable. This implementation is often done to reduce the provider’s cost-of-service or infrastructure so they can purchase a lower-capacity system or service and only use it when a customer calls in to enable it.

    Cost

    This is generally a lower cost than an automatic solution. Providers can oversubscribe the service, assuming not all customers will be attacked simultaneously. The downside is activation speed and the pre-activation impacts, since it may take some time to get the mitigation operational.

    4b: Automatic DDoS Mitigation

    Description

    Automatic should respond faster, but that depends on whether it is “Always-on” or “Always Available.” “Always-on” generally means the service is integrated into the infrastructure and always looking for trouble against subscribed customers. “Always Available” generally means that you are using an on-demand service. The primary difference is that the provider is performing internal monitoring and will activate the service for you without the need to call them.

    Cost

    This type of service is generally a little more costly than the on-demand because it is “Always-on” or “Always Available,” so the provider has to purchase more solutions or service to support each active customer.


    (continued)

  3. #3 WHT-BR Top Member (Join Date: Dec 2010, Posts: 15,051)

    5: Purchase a DDoS Mitigation Service from a Specialized Mitigation Service

    Description

    This skips the middle man of the provider model above.

    Customers who purchase this service either change their DNS or their Internet routing so all traffic, normal and attack, is redirected to the provider as a middle-man. The mitigation service’s facility is purpose-built with specialized hardware and a “secret sauce” that the provider has created to identify and remove the bad traffic.

    This type of service is generally better at dealing with the volumetric attacks because it keeps that bulk traffic away from your Internet connection so it has less of a possibility of being affected. Depending upon the technology or provider that it is using, effectiveness against resource or application attacks will vary.

    Cost

    The good news is these are generally operating expenses, not capital expense charges. The bad news? You have to be very watchful and deliberate about the service provider you choose.

    There are (generally) two charging models. The 1st is a flat rate. While more expensive up front, the advantage is cost awareness.

    The 2nd model charges per attack or by the volume of traffic to be absorbed/cleaned during attacks. Lower up-front costs, but when attack(s) come, the costs cannot be foreseen. It boils down to risk tolerance and luck.

    5a: On-Demand DDoS Mitigation

    Description

    This type of service is only activated when the customer identifies an issue and contacts its provider. This approach is often done to remediate an attack in progress for organizations that do not currently have protection. There is a significant delay in operationalizing these because all of the network/DNS changes have to be made and propagate across the Internet.

    Cost

    This has no cost until activated, but be forewarned that if you are suffering from an attack to the point where you call one of the providers, it is highly probable that the emergency-setup fees will be significant.

    5b: Automatic DDoS Mitigation

    Description

    All of your traffic passes through the provider, making this always-on and ready to go. For the major providers, it is very possible you will not know there is a DDoS attack until the provider notifies you.
    That is just the way it should be, business as usual.

    Cost

    For the DDoS Mitigation service, the cost comes down to which defense model you choose: by the number of attacks, by attack volume, or a fixed rate. If you choose one of the former, then the cost may be lower for the months or years that you do not get attacked, but can skyrocket when activated.

    6: DDoS Hybrid System

    Description

    This approach uses a combination of an on-premises system and the specialized mitigation or provider-based solution. The goal here is to gain the best of both worlds by having the external service clear out the bulk traffic and then use the on-premises system to surgically remove any other remnants of the resource or layer 7 attacks that are getting through.

    Cost

    Most effective but also most expensive as it uses both solutions.


    There you have it. Choose your solution based upon your risk tolerance and your budgetary constraints. Options abound.

    http://blog.radware.com/security/201...os-protection/

  4. #4 WHT-BR Top Member (Join Date: Dec 2010, Posts: 15,051)

    DDoS Attacks 101

    by Calyptix, April 26, 2015

    Types of DDoS Attacks

    Type #1: Volumetric attacks

    Volumetric attacks are the most common type of DDoS attack, making up about 65% of the total reported, according to Arbor.

    These attacks use multiple infected systems, which are often part of a botnet, to flood the network layers with a substantial amount of seemingly legitimate traffic. This consumes an excessive amount of bandwidth within and/or outside of the network and drives network operations to become painfully sluggish or simply nonfunctional.

    Since volumetric attacks essentially “gang rush” a network, they’re much more difficult to mitigate than attacks from a single source.

    Volumetric attacks come in a variety of forms, including:

    • User Datagram Protocol (UDP) Floods. Random ports on a server are flooded with UDP packets, causing the server to repeatedly check for and respond to non-existent applications at the ports. As a result of the UDP Flood, the system is unable to respond to legitimate applications.


    • ICMP floods. A server is flooded with ICMP echo requests from multiple spoofed IP addresses. As the targeted server processes and replies to these phony requests, it is eventually overloaded and unable to process valid ICMP echo requests.


    Type #2: Application-layer attacks

    Application-layer attacks comprise about 17% of all reported DDoS attacks. They target web application packets in order to disrupt the transmission of data between hosts.

    For example, an HTTP Flood uses multiple infected machines to force a target to expend an excessive amount of resources when responding to an HTTP request.

    From the attacker’s standpoint, an HTTP Flood is a far more effective threat than other types of attacks since it doesn’t need to consume a great deal of bandwidth to handcuff a server.

    Though an HTTP Flood is typically the most common application-layer attack experienced, it’s merely one of many application-layer attack tools available. The table below from Arbor demonstrates how attackers are constantly finding new ways to compromise the application layer.



    Since HTTP floods and other application-layer DDoS attacks mimic human-user behavior, they’re also much more difficult to detect than other types of attacks. Additionally, application-layer attacks can come from a single machine, which causes less traffic to be generated. In turn, these attacks often go under the radar of detection systems.

    While HTTP and DNS services are the primary targets of application-layer attacks, HTTPS and SMTP were also commonly targeted in 2014, although less often, according to the Arbor Networks report.

    The chart below shows the percentage of respondents who received attacks to the application-layer targets listed.



    Type #3: State-exhaustion attacks

    Also known as protocol attacks, state-exhaustion attacks target the connection state tables in firewalls, web application servers, and other infrastructure components.

    State-exhaustion attacks occur somewhat more frequently than application-layer attacks, accounting for about 20% of reported DDoS attacks in 2014, according to Arbor.

    One of the most common state-exhaustion attacks is the notorious ping of death, in which a 65,536-byte ping packet is defragmented and sent to a target server as fast as possible.

    Once the target reassembles the large packet, a buffer overload typically occurs. In the likely scenario that the target attempts to respond to the pings, even more bandwidth is consumed, eventually causing the targeted system to crash.

    It’s important to note that these types of DDoS attacks are often used in conjunction with one another to compromise a single target. 42% of respondents in the Arbor Networks report claim to have experienced a multiple-threat attack in 2014, a 3% increase from 2013.

    http://www.calyptix.com/top-threats/...s-motivations/
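    The three categories described in this post and in post #1 above, as an added detection-triage example that is not part of the original articles or of any vendor's product; the record layout, the thresholds and the traffic windows are constructed assumptions chosen so the sample data separates cleanly:

```python
"""Triage a one-second traffic window into the three DDoS categories the
thread describes: volumetric (bandwidth), state-exhaustion (half-open TCP
state) and application-layer (low-volume HTTP floods from few sources).
Added example; thresholds and record layout are assumptions, not figures
from Calyptix, Radware or Arbor."""
from collections import Counter, defaultdict

# Record layout (assumed): (src_ip, proto, bytes, tcp_flag, http_path).
# tcp_flag is "S" for a SYN whose handshake never completed, "A" for an
# established flow; http_path is None for non-HTTP packets.
VOLUMETRIC_BPS = 50_000_000   # assumed saturation point of the access link
HALF_OPEN_MIN = 200           # bare SYNs per source per second
HALF_OPEN_RATIO = 0.8         # share of a source's SYNs that never complete
APP_REQ_PER_SRC = 100         # HTTP requests per second from one source


def analyse(records):
    """Return a list of (category, evidence) findings for one window."""
    bits = sum(r[2] for r in records) * 8
    syn, est, http = Counter(), Counter(), Counter()
    paths = defaultdict(Counter)
    for src, proto, _nbytes, flag, path in records:
        if proto == "tcp":
            if flag == "S":
                syn[src] += 1
            elif flag == "A":
                est[src] += 1
        if path is not None:
            http[src] += 1
            paths[src][path] += 1
    findings = []
    # Volumetric: judged on aggregate bandwidth, regardless of source count.
    if bits >= VOLUMETRIC_BPS:
        findings.append(("volumetric", {"bps": bits,
                                        "sources": len({r[0] for r in records})}))
    # State-exhaustion: many SYNs from a source that almost never complete.
    for src, n in syn.items():
        if n >= HALF_OPEN_MIN and n / (n + est[src]) >= HALF_OPEN_RATIO:
            findings.append(("state-exhaustion", {"src": src, "half_open": n}))
    # Application-layer: request rate per source, which stays visible even
    # when total bandwidth is tiny and the packets look like real browsing.
    for src, n in http.items():
        if n >= APP_REQ_PER_SRC:
            findings.append(("application", {"src": src, "req_per_s": n,
                                             "distinct_paths": len(paths[src])}))
    return findings


def categories(records):
    """Sorted set of category names found in a window."""
    return sorted({name for name, _ in analyse(records)})


def sample_windows():
    """Constructed one-second windows, one per category plus a benign one."""
    udp_flood = [(f"10.0.{i % 256}.{i % 250 + 1}", "udp", 1400, "", None)
                 for i in range(5000)]                       # 56 Mbit/s
    syn_flood = ([("203.0.113.9", "tcp", 60, "S", None)] * 500
                 + [("198.51.100.4", "tcp", 60, "A", None)] * 20)
    http_flood = [("192.0.2.7", "tcp", 500, "A", f"/search?q={i % 7}")
                  for i in range(300)]                        # 1.2 Mbit/s
    benign = [(f"198.51.100.{i % 50 + 1}", "tcp", 800, "A", f"/page/{i}")
              for i in range(60)]
    return {"udp_flood": udp_flood, "syn_flood": syn_flood,
            "http_flood": http_flood, "benign": benign,
            "multi_vector": udp_flood + http_flood}
```

    The "multi_vector" window shows why the post's point about combined attacks matters: a bandwidth-only threshold reports the UDP flood but says nothing about the 300 requests per second from a single source riding underneath it.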

  5. #5 WHT-BR Top Member (Join Date: Dec 2010, Posts: 15,051)

    The Top 10 DDoS Attack Trends - Imperva (2015)

    This white paper presents the top ten current methods and trends in DDoS attacks based on real-world observation and data. It provides insight regarding:


    • Volumetric attacks
    • SYN flood attacks
    • NTP amplification attacks
    • ‘Hit and Run’ attacks
    • Browser based bot attacks
    • Multi target DDoS botnets
    • Spoofed user-agents
    • Multi-vector attacks
    • Attacks from mobile devices
    • Geographic locations for attack origination


    PDF (14p) https://www.imperva.com/docs/DS_Inca...ends_ebook.pdf

  6. #6 Aspiring Evangelist (Join Date: Nov 2010, Location: São Paulo, Posts: 386)

    Excellent material, really good!

    Carlos Nunes
    Systems analyst
    Development of web solutions.
    Criarnaweb E-Solutions
    www.criarnaweb.com.br
    https://br.linkedin.com/in/nunescarlos
