DDoS Attacks:

DDoS Attacks:The Stakes Have Changed. Have You?

November 17, 2016

Today’s Speakers

Sean PikeProgram Vice President, Security Products, IDC

Tom BienkowskiDirector, Product Marketing, Arbor Networks

Kevin WhalenSr. Director, Corporate & Marketing Communications, Arbor Networks

Recent IoT Botnet Attack Against Dyn

IDC’s Perspectives on DDoS Attack Trends…

Source: Verizon DBIR 2016

Uptick in DDoS Attacks

© IDC Visit us at IDC.com and follow us on Twitter: @IDC

© IDC Visit us at IDC.com and follow us on Twitter: @IDC

Mean Values

Spamhaus

400 GbpsBBC 600GbpsRio 540 Gbps

Source: DBIR 2016

Largest Attacks

Probably vs. Capable

Heavy Spending Priority on Newsworthy Incidents

63.1%

63.4%

Top 2

© IDC Visit us at IDC.com and follow us on Twitter: @IDC

Arbor’s Perspectives on DDoS Attack Trends…

DDoS Attacks Increasing in Size, Frequency & Complexity

Fact:

Source: Arbor Networks 11

th

Annual Worldwide Infrastructure Security Report

600+

Gbps

DDoS Attack Trends

(per month)

DDoS Attack Trends

DDoS Attacks Increasing in Size, Frequency & Complexity

Fact:

Source: Arbor Networks 11

th

Annual Worldwide Infrastructure Security Report

DDoS Attack Trends

DDoS Attacks Increasing in Size, Frequency & Complexity

Fact:

Source: Arbor Networks 11

th

Annual Worldwide Infrastructure Security Report

Industry Best Practices Exist to Stop All of These Attacks

The Internet

BotNet

Your ISP

Firewall

Your Data Center

Low and Slow, Stealth

attacks

Crashes application servers

Application Layer Attacks

Legitimate Traffic

Volumetric Attacks

Large(up to 500 Gbps)

Saturates

links

TCP State-Exhaustion Attacks

Crashes

stateful

devices (Load balancers, firewalls, IPSs)

Dynamic, Multi-vector Combination

The Modern Day DDoS Attack Is Complex

Why the Rise in Size, Frequency & Complexity?

$5:$100sK

Cost of DDoS Service

Impact to Victim

DDoS Attacks Are

The Great Equalizer…

Ability

It’s Never Been Easier to Launch a DDoS Attack

Fact:

Source: Arbor Networks 11

th

Annual Worldwide Infrastructure Security Report

Motivations

Many Motivations Behind DDoS Attacks

Fact:

Every Physical Geo-Political Event…

Has a Cyber Reflection…

DDoS Attacks Are The Great Equalizer…

The Cyber Reflection

Attack targets were not necessarily the events themselves,

but organizations tangentially associated with the events.

Examples of Cyber Reflections

What is IDC Hearing

from Their Clients?

Common Questions About DDoS

Reliability?

Continuity?Digital Transformation?

© IDC Visit us at IDC.com and follow us on Twitter: @IDC

The Role of IoT

Protecting Endpoints

Ransom

The Role

IoT

is Playing in DDoS Attacks

© IDC Visit us at IDC.com and follow us on Twitter: @IDC

Recent Dyn Attack

& IoT Botnets

A floating population of approximately 500,000 compromised IoT devices worldwide (Internet-enabled digital video recorders (DVRs), surveillance cameras).Relatively high concentrations of Mirai nodes have been observed in Asia, Brazil, North America and Europe.

Compromised due to default user name and passwords being enabled on devices and open ports in firewalls (Telnet TCP 23/2323). IoT devices are subsumed into the Mirai botnet by continuous, automated scanning by other compromised Mirai botnet IoT devices.Rebooting the device removes the malware running in memory, but its estimated that it will take less than 10 min to be rescanned and become part of botnet again.

Mirai Botnet

Mirai is NOT Just a DNS Attack

Mirai features segmented command-and-control, which allows the botnet to launch simultaneous DDoS attacks against multiple, unrelated targets.To date, no verified spoofed DDoS traffic has been observed being sourced from the Mirai botnet. This could change in future versions/variants of MiraiThe code has been released to wild…we are already seeing signs of alteration and attacks using the botnet.

Mirai is capable of launching multiple types of DDoS attacks, including:SYN-floodingUDP floodingValve Source Engine (VSE)query-floodingGRE-floodingACK-floodingPseudo-random DNS label-prepending attacks (also known as DNS ‘Water Torture’ attacks)HTTP GET, POST and HEAD attacks.

Mirai Botnet is

a Multi-vector DDoS Attack

July 2014

June 2016

Aug 2016

LizardStresser IoT Botnet Targets Brazil

IoT Botnets: More than Mirai

Targets were organizations affiliated with major international sporting events (e.g. gov’t, banks, sponsors, etc.).

Pre-event activity

Never heard of these?

That’s because the defenders were

prepared

.

They had the proper people, products and processes in place well before the event occurred.

IDC Recommendations for DDoS Attack Protection

IDC Recommendations

© IDC Visit us at IDC.com and follow us on Twitter: @IDC

FW/IPS vs. DDoS Defense

HybridSolutions

ManagedServices

People & Process

Arbor DDoS Attack Protection Solutions

Mirai Botnet is Multi-Vector

The Modern Day DDoS Attack Is Complex

Industry Best Practices Exist to Stop

All of These Attacks

The Internet

BotNet

Your ISP

Firewall

Your Data Center

Volumetric Attacks

Large(up to 500 Gbps)

Saturates

links

TCP State-Exhaustion Attacks

Crashes

stateful

devices (Load balancers, firewalls, IPSs)

Application Layer Attacks

Low and Slow, Stealth

attacks

Crashes application servers

Legitimate Traffic

Dynamic, Multi-vector Combination

Layered DDoS Attack Protection

4

Backed by continuous threat intelligence

Backed by Continuous Threat Intelligence

Your Data Centers/

Internal Networks

The Internet

Your (ISP’s) Network

Volumetric Attack

Application Attack

Scrubbing Center

Stop application layer DDoS attacks & other advanced threats; detect abnormal outbound activity

1

Stop volumetric attacks In-Cloud

3

Cloud Signal

Intelligent communication between both environments

2

Stopping Modern Day DDoS Attacks

Arbor’s DDoS Protection Solution

Comprehensive DDoS Protection Products & Services

Armed with Global Visibility & Actionable

Threat Intelligence

The Internet

In-Cloud

On-Premise

Arbor deployment in

majority of ISPs

Arbor Cloud

Volumetric Attack

Application Attack/Malware

Target/Compromised Hosts

Cloud Signal

SERT

Security Engineering & Response Team

Closing Remarks

Without the proper knowledge of…DDoS Attack Trends (i.e. Ease,motivations, attack types, relationshipwith data breach)Best Practices in DDoS Mitigation(i.e. Products, People and Processes)Impact to Your Business (i.e. Downtime,loss revenue, mitigation costs etc.)…You cannot accurately calculatethe risk of a DDoS Attack.

Knowledge & Preparation Are the Keys to Protection

X

Q&A

Thank You