DDoS protection technology is far from being "install & forget"

Video in TIB AV-Portal: DDoS protection technology is far from being "install & forget"

Formal Metadata

Alternative Title: DDoS protection technology is far from being "install and forget"
Author: Sommerfeld, Jochanan
License: CC Attribution 3.0 Germany. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata
Each of these techniques can then also be deployed in a few different ways. Both protection techniques and deployment architectures will obviously affect the quality of protection while under attack. Although many organizations are failing with DDoS protection, I would say that most of today's attacks can be successfully mitigated. But don't get me wrong: an effective mitigation requires a good understanding of how the technology operates plus deep knowledge of your network and the applications traversing it. No matter what vendors and service providers promise, DDoS protection technology is far from being "install & forget". In this presentation I will discuss common mitigation techniques, deployment methods and misconceptions of DDoS protection.

We're writing the year 2006, and I'm providing network and security consulting to an online gaming company acting mostly in the Asia-Pacific. I'm called on the weekend because of strange performance of the services and of the interactions with the servers that serve the players. After a first investigation I find out that the problem they have is not at all related to their own network; it is all related to the ISP, and also to all of its network devices that the players traverse in order to get to the gaming environment. From the players' perspective there are very, very big delays, and sometimes even a total impossibility to reach the gaming servers. Understanding that the problem is not on our side, I call the co-location provider that hosts the environment and tell them that there is a problem. They don't know about anything, begin to investigate on their side, and very fast they also understand that everything is external to their border routers; nothing is actually wrong in their network. So the next step is calling the major ISP that is providing the pipe that is used in order to get the Internet traffic to the site. When talking to the ISP, the ISP tells them that yes, they have seen some problems in the network, but they were not really aware of what's going on, and "we will call you back, we are just checking out what the problem is."

After a while the ISP understands that it is currently dealing with a highly volumetric attack on one of its other customers. It contacts that customer and tells them: look, we see very, very heavy traffic reaching your servers, can you please take your positions and assist in troubleshooting and seeing what's going on. The customer begins to try out all kinds of things together with the ISP, and after many, many hours of troubleshooting the ISP understands that it will probably not get a solution from the customer and goes for the most radical solution: it decides to blackhole the entire traffic of this customer, what we also call in networking blackholing, and from this moment everything is back up and running for everyone, of course also for my customer. Of course the customer that was attacked is out of service; I think it took something like 10 hours until the attack was over, and then also that customer was able to return to service.

What we see here is different entities in 2006, all unprepared. First of all, my customer did not have the right tools to understand that, when the service was interrupted, it was not related to his resources and not related to his own network infrastructure. The next thing was that the co-location provider was totally unprepared: they didn't have the tools in order to understand themselves that there is a problem, and furthermore, due to contractual decisions, they relied on one ISP only, meaning that the moment the link to the network of this ISP was saturated they didn't have any alternative, and their entire customer base was damaged by the effect of this attack. Moving further to the ISP, again we have somebody that was unprepared, not thinking that there is such a possibility, and remind you, in 2006, not thinking that there is a possibility to get high volumetric attacks. I must say also that when we're talking about the Asia-Pacific, it means some islands with really low bandwidth capabilities, so also this ISP was totally unprepared. And finally also the customer that was the victim of the attack was unprepared: it took this customer a very, very long time to understand that they are under attack, and the problem was also that this customer was not able to do anything, so as I mentioned the final solution to the problem was having the ISP blackhole the Internet traffic.

I would like to ask you, the audience here, I don't know how experienced you are with DDoS: do you think that something like this can happen also today, 10 years later? It's an interesting question, but there is only one answer: yes, unfortunately it can happen, it happens all the time.

So first of all, some things about me. My name is Jochanan Sommerfeld, as was mentioned, I'm the CEO of Comsec Group, an Israeli company providing security services and security professional services in Israel and abroad, with subsidiaries in the UK as well as in the Netherlands. I have many, many years of IT and security experience in all kinds of areas. Comsec is providing, among other services, a DDoS simulation service that is actually giving customers the possibility to check and to validate their preparedness and readiness for DDoS attacks. What we're doing is actually simulating a real attack on the customer, and we are working with three teams. The red team is a team of experts that is responsible for attacking the target system, the customer's system. Another team is the white team; it's actually the customer himself, who does not know what the red team will do and who should do what he would do when there is a real attack, actually trying to fight it. Then we have the third team, as I mentioned, the blue team, which is sitting next to the customer and is responsible for the communication between the white team and the red team, in order to make sure that whatever we are doing is not impacting in any way the service that we are testing. Because, as you may understand, although many customers are sometimes at a confidence level that there is no chance that we can bring them down, that's not always the case, and then we need the possibility to push the button and stop the attack immediately, because we're dealing with real sources. Second, what is also very important is to provide transparency about the impact to the management of the customer during the attack, so that we make sure that when we are attacking there is full transparency of all the results, and this is of course very important in order to give the possibility to remedy, to mitigate or to correct the weaknesses that we find in the system.

Furthermore, before joining Comsec I was for more than 7 years the chief information officer and chief security officer of Playtech, the biggest online gaming platform provider in the world, and there I had the opportunity to deal with a lot of very aggressive DDoS attacks, very large volumetric attacks, single attacks of 250 gigs. What I'm trying to do in this presentation is actually to bring together both things: my experience of many, many years with DDoS as a defender, and this is probably where most of you are, and on the other hand, due to the fact that we are running simulations, I have also the possibility to integrate in this presentation the kind of experiences that I got from our DDoS experts that are part of those testing and simulation exercises, so that we're actually bringing perspectives together, the one of the defender, but also the one of the attacker.

I know that for a technical audience it is always boring to talk numbers, so I will just very, very shortly talk about some trends, because I think it's important to mention them, and then I will really immediately go into case studies, actual exercises, so that you will see common practices that are used in order to mitigate DDoS attacks, and I'm emphasizing common practices because common practices are not always best practices, and this is very important to understand. Next, as part of those cases, I will point out the kind of technology limitations that we have that are in many, many places unknown and important when you're planning DDoS mitigation or when you're planning to deploy something. And last but not least, I would like also to share with you a DDoS mitigation life cycle that assists in avoiding many, many of the problems and mistakes that I have personally made and that I have seen in many, many places in the industry.

So let me introduce to you the target. I have decided to use a virtual company name, "Target". It has nothing to do with the Target that was attacked two years ago, so it's really important that you don't connect it to Target; it's not the real Target, but I think there is no better name for a target company than Target. Also, for the quality of the slides: it seems that the resolution used is not the right one, so let's not worry about that. What we have here is a very classical layout of the network of some online company that is called Target: it has a router, it has a load balancer, it has a firewall, and we also included a NIPS, not that I think it's really needed, but you can also include an IPS. Furthermore we have the front-end servers and of course also the consumers of the services. I thought that it is not needed to go into more detail about the architecture.

Now, as I mentioned, I would like just to mention some numbers, so that you are aware of what's going on in the world of DDoS. These are current numbers from a report by Prolexic, which is now part of Akamai, and it mentions that we have a 133 per cent increase in DDoS attacks in the world over the last year. The amazing thing is that we see a clear dominance of Layer 3 / Layer 4 attacks, and I would like also to explain where it comes from. It comes mainly because the attackers are acting under economical assumptions, and what it means is just that it is so easy to attack customers, or victims, successfully with Layer 3 / Layer 4 attacks that there is actually no need to go further, and if there is no need to go further, there's no need for more investment, so they will not do that. We see an increase in the average attack duration: if last year it was about 17 hours, it's already about 20 hours, almost 21 hours, and this is really the average; I've seen attacks that were going on for about a month. We see actually a decrease in the peak bandwidth, so if you look at this year you see that the big bandwidth is not something that we've seen like in the last year; we have seen over time an increase, but it's not that the volume keeps increasing. What we see definitely is that volumetric attacks of over 100 gigabit are more common than we had last year. And the last slide, even if you can't read it, what it says in general is that the most attacked industry is the gaming industry, this is also where I got all my experience, and you see of course also gaming technology, software and technology, banking and technology, industries that are very, very actively attacked by DDoS.

So what I would like to do in the next half an hour is to give you an idea of real and simulated DDoS attacks on Target, again mentioning that it's not the real Target, it is just for the presentation the company that I call Target. What I will try to show in this presentation is that many, many of the solutions and concepts that are implemented and actually sold as bulletproof are not the medicine against DDoS and are not always doing the job. OK, so what you see here on the layout is a standard scenario: we have a botnet, coming from various systems, attacking the Target company. What I would like to talk about now is the real world, and the first real attack is actually a volumetric attack. In this case you can see that Target does not have any specific DDoS mitigation capability implemented in the network; they have all the standard things we know, but there's nothing related to DDoS. When Target's security team understands that something is going wrong, it is actually trying to do first something that anyone would naturally do when attacked: you're looking at who is attacking you. So what they're doing at the first stage is actually beginning to search for IP addresses that are coming in with invalid connections, and beginning to block them with access lists. Very fast they understand that the attacker is ramping up, it begins to be really heavy, so the next thing they do is contacting their ISP and telling them: look, you have to assist us, please block IP addresses so that they will not reach our data center. And the ISP is doing exactly the same: it is beginning to block big IP address spaces that are provided by Target, and is actually trying to get control of the attack. The problem is that what we're dealing with here is a highly volumetric attack, UDP packets mainly, spoofed, and the amount of IP addresses they're blocking is so big that what happens is that, while there may be a bit less stress on the servers, real clients are also not reaching the site, so actually this is not helping very much. Then the ISP says, you know what, I have a very, very good idea: what we could do is begin to deal with this with some kind of access rates. Let us limit the amount of new connections that come in, and let us also limit the amount of concurrent connections to the site. But again, the problem is that when you do something like this, and for sure when we're talking about a volumetric attack, it will not assist you a lot, and this is exactly what happened, because you are not only disconnecting the evil that is trying to attack you, but also legitimate customers. So at the end of the day they end up in a situation where the ISP is giving them an additional advice and tells them: look, let's understand exactly which services you are running in your environment. What actually came out is that Target was attacked on all kinds of UDP ports and TCP ports that were not related to any service running on the site, so the last advice they got from the ISP was: let us block those ports that we don't need, block them also on the ISP's routers and also on Target's border routers, and from this moment the attack was over and everything returned to normal.

What we see in this specific attack is clearly that if they would have discussed the ports before and would have considered them properly, this specific attack, as it seemed to be an opportunistic attack and not a targeted one, would not have done any damage to them. So from my perspective, just as a side comment at this moment: even though you don't yet have in your organization any kind of specific DDoS mitigation device implemented, you should always study your network and the protocols that are used and make sure that you are already filtering at the border, because you know that the further you go from the border into your organization with this filtering, the more expensive it is, because the devices have to work significantly harder. So doing something like this on a border router is very easy, and if you have the opportunity to do it together with your ISP, that is even better, because it will also protect your link, which is definitely a very good thing to do. But again, all of us, you know: we were attacked, we didn't operate very well, so we are asking the experts.

So the next thing, of course, Target was sitting with the experts and sitting with their ISP, and they got this solution: we need scrubbing. The scrubbing devices deliver the protection by diverting the traffic through the scrubbing center. What does that mean? It means that normally the traffic goes through your service provider, and when you understand that you are under attack, what you're doing is, you are normally connected with GRE tunnels or any kind of dedicated links that allow you to be directly connected with the scrubbing center, and with BGP advertisements you're making sure that the specific address spaces related to your services are routed through the scrubbing center. That means, technically, that you need to be aware of the fact that your traffic is only seen by the scrubbing center unidirectionally: only the ingress traffic to your site is going through the scrubbing center, and not the entire conversation, not the returning traffic. So have a look here: you see that, the moment you decided and did the BGP updates, both the attacking traffic from the botnet and the real user traffic is traveling through the scrubbing devices. What happens now at this stage is that the scrubbing device is filtering the traffic and sending only the good traffic to the site, so the entire idea is to have a clean pipe from the scrubbing center to the site.

I would like to talk about another real attack that I have seen, and again, it doesn't mean in this sense that it is always the same company. Target was again attacked by a volumetric attack, this time 70 gigabit, and as was promised by the experts, by the scrubbing service providers, they did a really good job and were able to bring down the attack from 70 gigabit to 128 megabits per second. An amazing job. But what was not discussed with Target, and nobody told them, is that even though the scrubbing service providers and all the scrubbing device vendors tell you that when you are using them you get a clean pipe to the data center, it is not entirely clean; it is actually still containing bad traffic, and this residual traffic of 128 megabits per second was too much for the infrastructure, so the routers that they did not replace were crashing again. So look at what happened: we have an amazing service that is able to cut down 70 gigs to 128 megabits, and still we are suffering. Another thing that they did not consider is that they were actually not taking enough bandwidth commitment from the ISP: they were only considering bandwidth related to the peak of the real traffic, but what you need of course, when you would like to deal with such attacks, is to have some spare. So the routers were saturated, and the problem was also the network itself, not only the routers were saturated, so what we have here is a very, very problematic situation: although we have a very efficient solution for scrubbing, we are not stable.

Now I would like to come to a simulation attack, something we did with a company where we actually attacked the customer with a very simple SYN attack. But what we were doing is, we were doing it in a highly, highly distributed manner, meaning that the amount of connections, the connection rate that was sent from each specific IP address, was very, very low, but this very, very low rate was aggregating altogether to quite a nice amount, and that was a joke for the scrubbing center. OK, what was the problem? The problem was that the scrubbing center, as I mentioned, sees only one direction of the traffic. Now, as the traffic was coming from so many IP addresses, they were not considering any of those as an attack. What is the common solution? Many of you who know load balancers know it: SYN cookies, right? So what you're doing when you have a feeling that something is going wrong is, you're actually using a proxy for delayed binding and working with SYN cookies in order to let the other side respond, and then you know if it's a real client trying to access you or just an attacker. But the problem is that, in order to do that, you need to see the traffic in both directions, you need actually a proxy, and as mentioned, the scrubbing device does not see the return traffic, and therefore this was not a possibility or capability that could be provided. So here again we had a problem: we had a great device in place and we were not able to mitigate this attack.

I would like at this stage also to mention that the scrubbing device vendors understand of course these limitations, and they thought about what kind of solutions there are, and there are solutions, but unfortunately none of them is working perfectly. One of the solutions is that they are actually sending TCP resets; the problem is that when you're sending resets you can get very, very serious problems with protocols that are time sensitive, or services that are time sensitive. For example, in the industry that I was in before, if you have a big poker network, many, many players playing together, and you just disconnect them, you may understand what it means, it's a big problem. Another thing that may work is HTTP redirects: you're coming with HTTP and I'm redirecting you, and in this redirection there is the possibility to validate if the client that is coming to me is an attacker or a real client. But this is of course, also self-explaining, only working with HTTP; it's even not working with HTTPS, so when you need more than that this is not a good solution. Then they came up with other things, like out-of-sequence solutions: I send you back an out-of-sequence acknowledgement, and if I have a real client on the other side it will actually re-initiate; but as you probably know, many, many of the network security devices are actually blocking those things, because they are following the states, and when they understand that something is not right they just drop the packet and it is not going through. What I'm trying to say is that even though you have a very expensive, very good solution in place that is doing a lot of good things, it's not good enough. Another very, very important thing to understand is also amplification attacks. In amplification attacks you have the same problem: they are actually using open resolvers, DNS and NTP and so on, and again we don't see the returning traffic at those scrubbing devices, and therefore it is also very problematic for us to take care of them in time.

OK, so after having all this trouble, after spending a lot of time and a lot of money on technologies, we were sitting again with the customer, sitting again with all the experts, and the next very, very important advice is: you have to go with an inline appliance, an appliance that you will install on site, and here you will be able to overcome the problems that you've seen before. So let me just say what it means: inline in our case means that we're still of course using the scrubbing service, but that when traffic is entering our site it is going through this device that is now seeing both directions of the traffic, and it is actually also taking care of and dropping attacking traffic.

But we should be aware that also those inline devices have their limitations, and I would like to show you another attack, attack number five. Actually you see again the same layout; nothing is changing, it's just maybe changing on a practical level. Here again there is a relatively massive attack, and again very good mitigation on the scrubbing device, but what happens is that the inline device, which was responsible for the particular things that the scrubbing center could not take care of, was not configured right, and it did not do the job. So what's the standard? The standard is that the engineers have to connect to this inline appliance, which is installed somewhere remotely in the data center, in order to adjust the configuration and make sure that nothing wrong gets through. Surprise, surprise: again investing a lot of money in technologies, but not understanding that it is also very important to design the network in a proper way. What happened here is that, rather than taking care of an out-of-band management network, what was actually implemented was access to the device through the same pipes that were fully saturated by the attack, so the engineer was not able to connect to the device and make the adjustments in the configuration in order to take control. So there was no other option than waiting until the attack was over, and then they could finally connect to the device and make the configuration. So here again, very, very important for all of you to understand: technology is very important, but make sure that you are implementing the appliance in the network in the right manner, and make sure that, whatever happens, you can access this device.

So Target was again sitting with the experts, and of course understood that what they have to do is to connect to the device through the private MPLS network of their data center provider. You may understand that when you are under DDoS, the part that is really problematic to access is the public part of the Internet, but the internal network of the provider is not impacted. So this is one solution, for example, and there are also other possibilities, to make sure that, no matter what happens, you can access all internal devices and make your adjustments. We have to understand that exactly in such a situation the possibility to be dynamic when you're under attack, being able to change things, is super, super critical.

Another good example is again also pointing at architecture. So again we decided to attack Target. Now they are very, very sure that they know what they're doing: we made sure that we are going through the MPLS network in order to reach the device, everything is settled perfectly, and we are asked to attack the marketing website. We're doing it again with a very simple attack, and it takes us exactly two minutes and the site is down, and beside the site being down there are other problems happening in the network. So we are all sitting with the white team and the red team checking out what happened, and it's very simple: because of PCI requirements they were required to have log reviews on a daily basis for the systems and servers that were handling payment information. As most of you know, of course, you don't have the possibility to review the logs of all of them on a daily basis, so all of them are going to the same solution, a SIEM, which is definitely considered by PCI DSS as a compensating control for daily log review. What happened here is that they didn't separate this traffic, and so the attack was just filling up the SIEM, and they were blind. So not only was the server itself interrupted, but also the security team was not able to see anything that is going on in terms of security in the company. You may understand that there are many, many DDoS attacks that are actually small in order to have another attack running next to them, and here you have exactly the example: the security team totally blind. OK, and by the way, I've seen also other situations: we are in the age of big data, we like to collect everything, and so you may very easily become a victim of your own aggressive data collection that is actually saturating the infrastructure and making your trouble bigger, and also things that are running on the public network then influence the internal one.

Another example: we said, OK, let's try an amplification attack, and what we did actually is, we did not do anything that looked offensive; we were attacking the server with one request, and we were not required to do too many requests, and therefore also the inline device was not recognizing us as any kind of an attack. What happened is that we were able to fill up the bandwidth capacity with the returning traffic, because it was a one-page request bringing back several megabytes of files for each of those requests. So this is also very important to understand: you might be in a situation where you are reducing the amount of connections, you're reducing the amount of concurrent setups, but at the end of the day it might be amplified with the request's return, and therefore it is also very important to consider those things.

Because we're very, very close to the end of the time, I would like just to mention some other things that are also very important to consider. In many, many situations customers are using CDN solutions for DDoS mitigation. Please be aware that this is a very effective solution, but it might be very problematic when you're using dynamic content: it will work very well for static content, highly distributed, but it's a big problem for dynamic content.

I would like also to touch one thing that I was even asked yesterday when I was meeting with a customer: many, many customers are asking how effective the usage of geolocation blocking is. I can tell you that we did a simulation on Target again: we were attacking them from around the world, they understood that the services that they provide to customers were only relevant for specific geographical regions, so what they did was very simple: they were just blocking everything that was not coming from this region. It of course blocked us, just for a moment, but we understood that they're doing this, as probably each experienced attacker would understand, and then what we did was just using a botnet that was in the same region, and we were again able to bring them and the service down without any problems.

So let me now just wrap up. If you look at the scenarios that we have gone through, you see a lot of them are actually very basic things. I think the most important is that customers are not prepared; customers, as probably human nature would say, think that it will happen to others and it will never happen to us, and they are not prepared accordingly. From my perspective the most important thing, before any further technologies that you're implementing, is really to make sure that you are thinking about how to set up your network, making sure that you're creating the tools, because what you've seen as well were many, many situations where people were not able to detect that they're under attack, and the worst thing is losing a lot of time with all kinds of troubleshooting instead of taking care of the specific attack. It is very important to make sure that people are trained. OK, it requires incident response like any other security incident, and this is also something that is somehow, in many cases, not done: you're doing very well with other security attacks, but when it comes to DDoS we're not really thinking about it.

And I'm definitely asking each and every one of you to do testing, so when you plan, use simulations. Sometimes you can do it yourself; I would definitely not recommend trying to get any attacks from the dark market; if you need it, then you should really use companies that are doing that. And what is also very, very helpful is to collect intelligence in order to know in advance what is happening in the industry and what might happen to you specifically. OK, I think because of the time I will not go through the entire cycle; I'll leave you to read through it, but I would just mention identification: super, super important, making sure that you have the capability to identify and to detect the attack during the attack. Tracing back where it comes from is not always possible, because it's very often spoofed, et cetera, but if you are able to trace back it is something that can assist us a lot: if we are understanding the regions, we can work with any kind of blocking techniques. Understanding the impact: sometimes, you know, we are panicking where we don't need to. And I think that what is most important, and in many, many cases not done when it comes to DDoS, is the post-mortem: people are so happy that the attack is over, so happy that the service is up and nobody is troubling them anymore, but they're not doing the most important thing, actually talking with the teams again about the attack, talking about what went wrong and what we can do better in order to reduce the impact. I would like to finish with the same sentence that was at the beginning of the presentation: DDoS protection technology is far from being "install and forget". So whatever you're doing, whatever technologies you implement, don't think that you put it in place and you're done with it. It's something that requires the right architecture, it's something that requires attention all the time, and it's something that needs to be dynamic, because the world outside that is trying to attack us is as well dynamic, and as I'm saying all the time, the only thing that is constant in security is the change. Thank you very much.

[Question from the audience, unintelligible:] in the way you have addressed the question the theft
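Two checks the talk's scenarios show being skipped, as an added example that is not part of the talk or the speaker's material: per-source IP blocking against an aggregate baseline for the highly distributed, low-rate flood described above, and whether the residual traffic a scrubbing center hands back as a "clean pipe" actually fits the routers behind it in packets per second, not only in bits. All flow records, thresholds and capacities are constructed for the example.

```python
"""Flow-record checks for two DDoS mitigation blind spots (constructed data):
1. per-source thresholds miss a distributed trickle that an aggregate baseline catches;
2. a 'clean' residual must be checked against router pps limits, not just link bits."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # source IP address
    dst_port: int   # destination port on our side
    proto: str      # "tcp" or "udp"
    nbytes: int     # bytes seen from this source in the window
    packets: int    # packets seen from this source in the window


WINDOW_S = 5  # export interval of the (constructed) flow collector, in seconds


def build_sample_flows() -> list[Flow]:
    """Constructed 5 s window: 2000 attack sources each sending only 3 packets to
    TCP/443, five legitimate users, and one loud source a per-IP rule does catch."""
    flows = []
    for i in range(2000):
        # RFC 1918 addresses stand in for the distributed attack sources
        flows.append(Flow(f"10.0.{i // 256}.{i % 256}", 443, "tcp", 4200, 3))
    for i in range(5):
        flows.append(Flow(f"192.0.2.{i + 10}", 443, "tcp", 30000, 25))   # legitimate users
    flows.append(Flow("203.0.113.7", 443, "tcp", 600000, 400))           # single loud source
    return flows


def per_source_offenders(flows, pkt_threshold: int) -> set[str]:
    """The 'block the attacking IPs' approach: flag sources over a per-IP packet
    count in the window. Each trickle source stays far below any sane threshold."""
    per_src = defaultdict(int)
    for f in flows:
        per_src[f.src] += f.packets
    return {src for src, pkts in per_src.items() if pkts > pkt_threshold}


def aggregate_bps(flows, exclude=frozenset()) -> float:
    """Total inbound bit rate over the window, optionally after blocking some sources."""
    total_bytes = sum(f.nbytes for f in flows if f.src not in exclude)
    return total_bytes * 8 / WINDOW_S


def aggregate_alarm(flows, baseline_bps: float, factor: float, exclude=frozenset()) -> bool:
    """Baseline-relative detection: alarm when the link carries more than `factor`
    times the learned normal rate, no matter how many sources share the load."""
    return aggregate_bps(flows, exclude) > baseline_bps * factor


def residual_fits(residual_bps: float, avg_pkt_bytes: int,
                  link_bps: float, router_pps: float) -> tuple[bool, float]:
    """Clean-pipe check: convert the residual the scrubbing center passes on into
    packets per second and test it against BOTH the link and the router limits.
    Returns (fits, pps)."""
    pps = residual_bps / (avg_pkt_bytes * 8)
    return (residual_bps <= link_bps and pps <= router_pps), pps


if __name__ == "__main__":
    flows = build_sample_flows()
    loud = per_source_offenders(flows, pkt_threshold=100)
    print("per-IP rule flags:", loud)                      # only the single loud source
    print("aggregate Mbps before blocking:", aggregate_bps(flows) / 1e6)
    print("still alarming after blocking flagged IPs:",
          aggregate_alarm(flows, baseline_bps=2e6, factor=3, exclude=loud))
    ok, pps = residual_fits(128e6, avg_pkt_bytes=64, link_bps=1e9, router_pps=100_000)
    print(f"128 Mbps residual at 64-byte packets = {pps:.0f} pps, fits routers: {ok}")
```

The same 128 Mbps residual passes when the average packet is 1400 bytes, which is why the talk's routers fell over on a volume the link itself could carry.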

