Protecting Commercial and Government Web Sites: The Role of Content Delivery Networks

Bruce Maggs
VP for Research, Akamai Technologies
Attacks on Akamai Customers
[Chart: number of attacks per year, 2009 through 2012, with bar values 14, 220, 510 and 768. Typical attack size: 10 Gbps. Large attack size: 100+ Gbps.]
Attacks are originating from all geographies and are moving between geographies during the attack.
©2013 AKAMAI | FASTER FORWARD™
The Akamai Platform Provides a Perimeter Defense
[Diagram: end user, Akamai, origin server, with a log-scale plot (1 to 10,000) comparing Akamai traffic against origin traffic.]
Defeating HTTP flooding attacks – Rate Controls
1. Count the number of Forward Requests
2. Block any IP address with excessive forward requests
[Diagram: client request to the Akamai edge server; forward request to the customer origin and forward response back to the edge; a blocked client (X) receives a custom error page instead of a forward request.]
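The two rules on the slide, as an added example that is not part of the deck or of Akamai's own code. The edge server only counts forward requests (cache misses that reach the customer origin); cache hits cost the origin nothing and are not counted. A client that would exceed the per-window budget is blocked for a while and answered with the custom error page. The thresholds, the window length, the block duration and the request log are all hypothetical.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple


class ForwardRequestRateControl:
    """Sliding-window model of the two rules on the slide.

    Only forward requests (cache misses that go to the customer origin) are
    counted. A client that would exceed `max_forwards` inside `window_s`
    seconds is blocked for `block_s` seconds and gets the custom error page.
    All numbers are hypothetical tuning values.
    """

    def __init__(self, max_forwards: int = 5, window_s: float = 10.0,
                 block_s: float = 60.0) -> None:
        self.max_forwards = max_forwards
        self.window_s = window_s
        self.block_s = block_s
        self._forwards: Dict[str, Deque[float]] = defaultdict(deque)  # ip -> forward timestamps
        self._blocked_until: Dict[str, float] = {}

    def _is_blocked(self, ip: str, now: float) -> bool:
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                       # block has expired
            del self._blocked_until[ip]
            return False
        return True

    def handle(self, ip: str, path: str, cache: Set[str], now: float) -> Tuple[str, int]:
        """Serve one client request; returns (how it was answered, HTTP status).

        'blocked' -> custom error page, nothing is forwarded
        'cache'   -> served from the edge cache, origin untouched
        'origin'  -> a forward request went to the customer origin
        """
        if self._is_blocked(ip, now):
            return ("blocked", 403)
        if path in cache:
            return ("cache", 200)
        window = self._forwards[ip]
        while window and now - window[0] > self.window_s:   # drop forwards outside the window
            window.popleft()
        if len(window) >= self.max_forwards:                 # rule 2: excessive forward requests
            self._blocked_until[ip] = now + self.block_s
            return ("blocked", 403)
        window.append(now)                                   # rule 1: count this forward request
        cache.add(path)                                      # the forward response is now cached
        return ("origin", 200)


def replay(requests: List[Tuple[float, str, str]], max_forwards: int = 3) -> List[str]:
    """Run a constructed request log of (time, client ip, path) through the control."""
    control = ForwardRequestRateControl(max_forwards=max_forwards, window_s=10.0, block_s=60.0)
    cache: Set[str] = set()
    return [control.handle(ip, path, cache, now)[0] for now, ip, path in requests]


# Constructed log: 10.0.0.1 walks through distinct paths, 10.0.0.2 is an ordinary visitor.
SAMPLE_LOG = [
    (0.0, "10.0.0.1", "/a"),
    (1.0, "10.0.0.1", "/a"),     # repeat: cache hit, no forward request
    (2.0, "10.0.0.1", "/b"),
    (3.0, "10.0.0.1", "/c"),
    (4.0, "10.0.0.1", "/d"),     # would be the 4th forward inside the window -> blocked
    (4.5, "10.0.0.2", "/a"),     # other client unaffected, served from cache
    (5.0, "10.0.0.1", "/a"),     # still blocked, even for cached content
    (70.0, "10.0.0.1", "/e"),    # block expired and window empty -> forwarded again
]

if __name__ == "__main__":
    for req, outcome in zip(SAMPLE_LOG, replay(SAMPLE_LOG)):
        print(req, "->", outcome)
```

Counting forward requests rather than client requests is what keeps the rule aligned with the goal on the slide: the metric is load on the customer origin, so a client that only hits cached objects never trips it, while a client that keeps forcing cache misses does.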
Filtering Out Malformed Requests
• SQL injection attacks
• Cache busting attacks
Relational databases
Relational databases store tables consisting of rows and columns.
(image from http://support.sas.com)
Structured Query Language (SQL)
Example Query:
SELECT * FROM Employees WHERE LName = 'PARKER';
Result:
IdNum  LName   FName  JobCode  Salary  Phone
1354   PARKER  MARY   FA3      65800   914/455-2337
Example SQL Injection
Suppose a program creates the following SQL query, where userName is a variable holding input provided by an end-user, e.g., through a form on a Web page.
"SELECT * FROM Employees WHERE LName = '" + userName + "';"
But instead of entering a name like PARKER the user enters
' or '1'='1
Then the query becomes
SELECT * FROM Employees WHERE LName = '' or '1'='1';
This query returns all rows in the Employees table!
A More Destructive Injection
Same code as before:
"SELECT * FROM Employees WHERE LName = '" + userName + "';"
But now suppose the user enters
a'; DROP TABLE Employees
Then the query becomes
SELECT * FROM Employees WHERE LName = 'a'; DROP TABLE Employees;
This query might delete the Employees table! (Not all databases allow two queries in the same string.)
bobby-tables.com: A guide to preventing SQL injection
(from the comic strip xkcd)
Filtering SQL Injection Attacks
The CDN filters suspicious-looking inputs, not because the content provider can’t filter them correctly, but because the content provider should not expend resources processing bad inputs.
Cache Busting
Idea: The attacker sends multiple requests for the same large object, but with different query strings attached, e.g.,
http://www.xyz.com/downloads/large_file.pdf?value=asjdfw3be
http://www.xyz.com/downloads/large_file.pdf?value=cjsjxassj2
If the CDN cache treats every distinct URL as a unique object, it will have to fetch a new copy of the object from the content provider each time it receives a request with a new query string.
Even worse, as Triukose, Al-Qudah, and Rabinovich observe, the CDN might pull the entire object from the content provider at high speed even if the attacker is downloading the object slowly or not at all – thus using the CDN to leverage the client’s attack.
Query String Filtering
Solution:
At the content provider’s request, the CDN can ignore the query string when identifying the object, i.e., only fetch and cache one copy of the object. (Available for many years.)
The CDN can also filter out multiple requests by the same client for a single object with different query strings.
The CDN can limit the rate at which it fetches an object from the content provider to the rate at which the client is downloading the object.
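The cache-busting slide and the first two mitigations on this one, as an added example that is not part of the deck or of any CDN's code: a toy edge cache that can either key objects on the full URL or drop the query string, and that stops serving a client once it has asked for the same path under too many distinct query strings. The origin, the 50 MB object size, the client address and the variant threshold are constructed; the first two attack URLs are the ones on the slide.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit, urlunsplit


def cache_key(url: str, ignore_query: bool) -> str:
    """Cache key for a URL. With ignore_query=True every
    .../large_file.pdf?value=<anything> collapses onto one cached object."""
    parts = urlsplit(url)
    query = "" if ignore_query else parts.query
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, query, ""))


class EdgeCache:
    """Toy edge cache showing the first two mitigations on the slide:
    ignore the query string in the cache key, and refuse further variants once
    one client has requested the same path with too many distinct query strings.
    `max_variants_per_client` is a hypothetical threshold."""

    def __init__(self, ignore_query: bool, max_variants_per_client: int = 3) -> None:
        self.ignore_query = ignore_query
        self.max_variants = max_variants_per_client
        self.store: Dict[str, int] = {}                       # cache key -> object size
        self.origin_fetches = 0                               # forward requests to the origin
        self._variants: Dict[Tuple[str, str], Set[str]] = defaultdict(set)

    def request(self, client_ip: str, url: str, origin: Dict[str, int]) -> str:
        """Serve one request; returns 'hit', 'miss' (fetched from origin) or 'filtered'."""
        parts = urlsplit(url)
        seen = self._variants[(client_ip, parts.path)]
        seen.add(parts.query)
        if len(seen) > self.max_variants:                     # mitigation 2: per-client variant cap
            return "filtered"
        key = cache_key(url, self.ignore_query)               # mitigation 1 when ignore_query is set
        if key in self.store:
            return "hit"
        self.origin_fetches += 1                              # cache miss: pull from content provider
        self.store[key] = origin[parts.path]
        return "miss"


# Constructed origin (one 50 MB PDF) and the attacker's run of cache-busting URLs.
ORIGIN = {"/downloads/large_file.pdf": 50 * 1024 * 1024}
ATTACK_URLS = [
    "http://www.xyz.com/downloads/large_file.pdf?value=" + v
    for v in ("asjdfw3be", "cjsjxassj2", "q1", "q2", "q3", "q4")
]


def simulate(ignore_query: bool, max_variants: int = 3) -> Tuple[List[str], int]:
    """Replay the attack; returns per-request outcomes and the number of origin fetches."""
    cache = EdgeCache(ignore_query, max_variants)
    outcomes = [cache.request("203.0.113.7", url, ORIGIN) for url in ATTACK_URLS]
    return outcomes, cache.origin_fetches


if __name__ == "__main__":
    print("naive cache:        ", simulate(ignore_query=False, max_variants=100))
    print("ignore query string:", simulate(ignore_query=True, max_variants=100))
    print("variant filter:     ", simulate(ignore_query=False, max_variants=3))
```

With the naive key every request is a miss and the origin serves the 50 MB object six times; ignoring the query string reduces that to one fetch; the per-client variant cap bounds the damage even when the query string must be honoured. The third mitigation on the slide, pacing the origin fetch to the client's download rate, is a transport-level flow-control matter and is not modelled here.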
Operation Ababil
“none of the U.S banks will be safe from our attacks”
Phase 1: Sep 12 – Early Nov 2012
• DNS packets with “AAAAA” payload
• Limited Layer 7 attacks
• Early-mid Oct 2012 announced names of banks where attacks succeeded (did not announce bank names if attacks were unsuccessful)
• Began use of HTTP dynamic content to circumvent static caching defenses
Phase 2: Dec 12, 2012 – Jan 29
• Incorporate random query strings and values
• Addition of random query strings against PDFs
• Additions to bot army
• Burst probes to bypass rate-limiting controls
• Addition of valid argument names, random values
Phase 3: Late Feb 2013 – Now
• Multiple probes
• Multiple targets
• Increased focus on Layer 7 attacks
• Target banks where attacks work
• Fraudsters take advantage
(A layer 7 attack is also known as an application layer attack.)
Phase 1 Attack – Sept 2012
[Chart: DNS traffic handled by Akamai (total eDNS), 0.0 M to 1.8 M, from Tues 12:00 through Wed 12:00.]
Attack Traffic: 23 Gbps (10,000X normal)
Duration: 4.5 Hours
High volume of non-standard packets sent to UDP port 53
Packets did not include a valid DNS header
Packets consisted of large blocks of repeating “A”s
The packets were abnormally large
Simultaneously, a SYN-Flood was directed against TCP port 53
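The three packet-level anomalies listed above (no valid DNS header, blocks of repeating "A"s, abnormal size), as an added detection example that is not part of the deck or of Akamai's tooling. It builds a constructed legitimate query and a constructed 1400-byte flood payload, checks whether a UDP/53 payload parses as a well-formed DNS query, and labels what does not. The 512-byte plain-DNS size limit and the 90% dominant-byte threshold are assumptions chosen for the example.

```python
import struct
from collections import Counter
from typing import List


def build_dns_query(name: str, txn_id: int = 0x1234) -> bytes:
    """Encode a minimal standard query (QTYPE A, QCLASS IN). Constructed sample, not captured traffic."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def has_valid_dns_header(payload: bytes) -> bool:
    """True if the payload parses as a well-formed DNS query: sane header fields
    and a question section whose name labels fit inside the packet."""
    if len(payload) < 12:
        return False
    _txn, flags, qdcount, ancount, nscount, _arcount = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:                        # QR=1 is a response, not a query
        return False
    if ((flags >> 11) & 0xF) > 2:             # opcode beyond QUERY/IQUERY/STATUS
        return False
    if qdcount != 1 or ancount != 0 or nscount != 0:
        return False
    pos = 12
    while True:                               # walk the QNAME labels
        if pos >= len(payload):
            return False
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(payload):
            return False
        pos += length
    return pos + 4 <= len(payload)            # QTYPE and QCLASS must fit


def dominant_byte_fraction(payload: bytes) -> float:
    """Share of the payload taken up by its most common byte value."""
    if not payload:
        return 0.0
    (_byte, count), = Counter(payload).most_common(1)
    return count / len(payload)


def classify_udp53_payload(payload: bytes, max_plain_size: int = 512) -> str:
    """Label an inbound UDP/53 payload using the anomalies from the slide:
    no valid DNS header, blocks of one repeated byte, abnormal size."""
    if has_valid_dns_header(payload):
        return "dns-query"
    if dominant_byte_fraction(payload) > 0.9:
        return "junk-repeating"
    if len(payload) > max_plain_size:
        return "oversized"
    return "malformed"


LEGIT_QUERY = build_dns_query("example.com")
FLOOD_PACKET = b"A" * 1400                    # constructed: repeating "A"s, no DNS header, 1400 bytes


def summarize(payloads: List[bytes]) -> dict:
    """Count classifications over a batch, e.g. one capture window's packets to port 53."""
    return dict(Counter(classify_udp53_payload(p) for p in payloads))


if __name__ == "__main__":
    batch = [LEGIT_QUERY] * 3 + [FLOOD_PACKET] * 7
    print(summarize(batch))                   # {'dns-query': 3, 'junk-repeating': 7}
```

The header check is deliberately strict about the question section: junk whose first twelve bytes happen to look like a header still fails when the label walk runs off the end of the packet, so the classifier does not depend on the repeated-byte signature alone.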
Phase 2 Attacks - January 2nd, 2013
[Chart: traffic for Bank #1 through Bank #5]
QCF targeted PDF files
Akamai Dynamic Caching Rules offloaded 100% of the traffic
No Origin Impact
Phase 2 Attacks - January 2nd, 2013
[Chart: traffic for Bank #1 through Bank #5]
QCF targeted marketing web pages
Rate controls automatically activated
Attack was deflected, far from bank’s datacenter
No Origin Impact
Phase 2 Attacks - January 2nd, 2013
[Chart: traffic for Bank #1 through Bank #5]
QCF targeted SSL
Akamai offloaded 99% of the traffic
No Origin Impact
Phase 2 Attacks - January 2nd, 2013
NOT on Akamai
[Chart: availability of Bank #1 through Bank #5, measured hourly by Gomez agents in 12 cities; times shown: 9:00 AM, 12:03 PM; marker: Error/Outage—site not responding]
Phase 2 Attacks - January 2nd, 2013
NOT on Akamai
[Chart: availability of Bank #1 through Bank #5, measured hourly by Gomez agents in 12 cities; times shown: 12:44 PM, 6:21 PM; marker: Error/Outage—site not responding]
Phase 3 Attack Example
• Attack started on the morning of March 5, 2013
• Peak Attack Traffic > 126 thousand requests per second
• 70x normal Edge Bandwidth (29 Gbps)
• Origin Traffic stayed at normal levels
• ~2000 Agents participated in the 20 minute assault
• 80% of the agents were new IP addresses that had not participated in earlier campaigns
Attack Tactics - Pre-attack Reconnaissance
Attackers test the site with short-burst, high-speed probes
• Short bursts of attack requests on non-cacheable content every 10 minutes
• Peak of 18 million requests per second
If the site falters, they announce that they will attack that bank and return later with a full scale attack
If the site is resilient they move on
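The probing pattern described on this slide (short bursts against non-cacheable content every 10 minutes, also listed under Phase 2 as "burst probes to bypass rate-limiting controls"), as an added detection example that is not part of the deck: a burst that fits inside one rate-control window can still be spotted in per-minute request counts, and a regular gap between bursts is itself a signal. The request log is constructed (steady background traffic with bursts at minutes 0, 10 and 20), and the burst factor of 20 times the median is an assumption chosen for the example.

```python
from collections import Counter
from statistics import median
from typing import List


def per_minute_counts(timestamps: List[float]) -> List[int]:
    """Request count for every minute from the first to the last timestamp (empty minutes count as 0)."""
    if not timestamps:
        return []
    buckets = Counter(int(t // 60) for t in timestamps)
    first, last = min(buckets), max(buckets)
    return [buckets.get(m, 0) for m in range(first, last + 1)]


def burst_minutes(timestamps: List[float], burst_factor: float = 20.0) -> List[int]:
    """Minute offsets (from the first request) whose count exceeds burst_factor times the
    median per-minute count. The median is a baseline that a few bursts cannot inflate."""
    counts = per_minute_counts(timestamps)
    if not counts:
        return []
    baseline = max(median(counts), 1)
    return [i for i, c in enumerate(counts) if c > burst_factor * baseline]


def burst_gaps(minutes: List[int]) -> List[int]:
    """Minutes between consecutive bursts; a constant gap suggests scheduled probing."""
    return [b - a for a, b in zip(minutes, minutes[1:])]


def constructed_log(background_per_min: int = 5, burst_size: int = 500,
                    burst_at: tuple = (0, 10, 20), minutes: int = 31) -> List[float]:
    """Constructed request times (seconds) for non-cacheable URLs: steady background
    traffic plus short bursts at the given minutes, mimicking the probing tactic."""
    ts: List[float] = []
    for m in range(minutes):
        ts += [m * 60.0 + i * (60.0 / background_per_min) for i in range(background_per_min)]
    for m in burst_at:
        ts += [m * 60.0 + i * 0.01 for i in range(burst_size)]   # each burst lasts about 5 s
    return sorted(ts)


if __name__ == "__main__":
    log = constructed_log()
    bursts = burst_minutes(log)
    print("burst minutes:", bursts, "gaps:", burst_gaps(bursts))   # [0, 10, 20] gaps [10, 10]
```

Restricting the input to requests for non-cacheable content matters: those are the requests that reach the origin, so the same per-minute view also shows whether a probe produced origin impact.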