Victoria's Secret created a self-inflicted DDoS
It was also a demonstration of an inherent weakness of the Internet and the architectures employed to serve up data. So many people attempted to view the Victoria’s Secret models strut down the runway that the servers failed.
ref
the Victoria’s Secret case could be considered friendly fire
defining moments in the development of DDoS as a weapon
In 2003 Barrett Lyon was 25 years old and worked at an IT company that had a client that needed up-to-date sports info
The client was in the business of gathering and disseminating sports information. They provided the up-to-the-minute data used by Las Vegas casinos in their bookmaking operations where gamblers place bets on game scores and even detailed performance of individual athletes. Having reliable Internet access was critical to them. Agents in the field would report every detail of even amateur sports events. Every pitch, every play would be reported by an army of sports data specialists. These results would be displayed on big boards within the casinos where gamblers could bet on any aspect of the games.
gather and disseminate
online gambling
threats from Eastern hackers
first threat - encryption ransom
received a threatening email, written convincingly in broken English, informing them that hackers had infiltrated their systems and encrypted their database of sports information, demanding that they pay thousands to obtain the key to decrypt the data.
they were backing up their data and had no problem at all just restoring the critical information
Lyon redesigned the architecture to resist the 2nd threat, DDoS, which duly came
Barrett helped his client quickly bolster their defensive posture. The key was to have robust web servers, gateway devices that could filter attacks, and lots and lots of available bandwidth. Within days the hackers did indeed attempt a Denial of Service attack; and, thanks to Barrett’s new architecture, the attack was thwarted.
why does it work?
ping flood
The earliest denial of service attack was a ping flood.
Anyone with a fast computer running Unix could execute a simple command that would generate ping packets, small one-way communications used by network monitoring products to check to see if a host is still responding, to completely tie up the resources of the target computer or even completely clog its network connection. Ping floods are simple to defend against. A single rule in a router or firewall between the attacker and the target can block all pings.
this is an attack because no one thought anyone would do that
easily dispatched with a single firewall rule
static rule blocking a service request
SYN attack
harder to stop since TCP is the basis of many legit protocols
An attacker simply sends millions of SYN packets which tie up the web server to the point where it cannot accept any more connections.
can only overbook a flight so much
have to block based on source, not service
Once again, just block all traffic from a specific IP address. Today most firewalls are capable of intercepting SYN requests.
but this is a dynamic rule
bot approach, many IP addresses
It did not take long for hackers to develop techniques for distributing their attacks among hundreds, thousands and potentially millions of attacking hosts. These are the most effective attack techniques known, and can be very expensive to counter. The winner is usually the one with the most available bandwidth.
boils down to duelling bandwidths
also crowdsourcing
reputation grew
development of effective DDoS defenses
began to get requests from a very specific niche industry: online gaming sites
in 2003 there was some question about the legality of gambling online.
There were dozens of companies providing such services, most of them hosted offshore in the Caribbean or in Costa Rica.
lucrative
One small operation consisting of tele-operators and a closet of servers in an office in Costa Rica claimed to do $2 billion in annual revenue.
At that level of turnover it is easy to understand why they were prime targets for extortion threats that targeted their online presence.
Being down for even a day meant millions in lost gaming revenue.
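The static-versus-dynamic rule distinction in the notes above (block a whole service for a ping flood, block a source for a SYN flood, and neither helps much once the SYNs arrive from many bot addresses) can be made concrete with a small simulated packet filter. This is an added example, not code from the notes or the book they summarize; the IP addresses, thresholds and traffic mixes are all constructed for the demonstration.

```python
"""Simulated packet filter: a static rule that drops a service (ICMP echo, i.e.
pings) and a dynamic rule that denies a *source* once it sends too many TCP SYNs
inside a sliding window. All packets below are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str          # source IP (constructed, RFC 5737 / RFC 1918 ranges)
    proto: str        # "icmp" or "tcp"
    flags: str = ""   # for tcp: "S" = SYN only, "SA" = SYN/ACK, "A" = ACK
    ts: float = 0.0   # arrival time in seconds


class PacketFilter:
    def __init__(self, syn_limit=20, window=1.0, drop_pings=True):
        self.syn_limit = syn_limit      # SYNs allowed per source per window
        self.window = window            # sliding window length in seconds
        self.drop_pings = drop_pings    # the static rule
        self.syn_times = defaultdict(list)  # src -> timestamps of recent SYNs
        self.blocked = set()                # dynamic deny list of source IPs

    def accept(self, pkt):
        # Static rule: a web server does not need to answer pings, so one rule
        # drops ICMP regardless of who sends it.
        if self.drop_pings and pkt.proto == "icmp":
            return False
        # Dynamic rule: a source already on the deny list is dropped outright.
        if pkt.src in self.blocked:
            return False
        if pkt.proto == "tcp" and pkt.flags == "S":
            times = self.syn_times[pkt.src] + [pkt.ts]
            # keep only the SYNs that fall inside the window ending now
            self.syn_times[pkt.src] = [t for t in times if pkt.ts - t <= self.window]
            if len(self.syn_times[pkt.src]) > self.syn_limit:
                self.blocked.add(pkt.src)   # the rule is learned at run time
                return False
        return True


def run_filter(packets, **kw):
    """Feed packets through a fresh filter; return (accepted count, blocked sources)."""
    f = PacketFilter(**kw)
    accepted = sum(1 for p in packets if f.accept(p))
    return accepted, sorted(f.blocked)


def sample_traffic():
    """Constructed mix: one legitimate client, one ping flooder, one SYN flooder."""
    pkts = []
    for i in range(5):      # legit client opens a few connections
        pkts.append(Packet("192.0.2.10", "tcp", "S", ts=i * 0.2))
    for i in range(50):     # ping flood from a single host
        pkts.append(Packet("198.51.100.7", "icmp", ts=i * 0.01))
    for i in range(100):    # SYN flood from a single host, all inside one second
        pkts.append(Packet("203.0.113.99", "tcp", "S", ts=i * 0.005))
    return pkts


def sample_botnet_traffic():
    """Constructed distributed SYN flood: 100 sources, 5 SYNs each, so no single
    source ever crosses the per-source limit and the dynamic rule never fires."""
    pkts = []
    for i in range(1, 101):
        for j in range(5):
            pkts.append(Packet(f"10.0.0.{i}", "tcp", "S", ts=i * 0.001 + j * 0.1))
    return pkts


if __name__ == "__main__":
    print(run_filter(sample_traffic()))          # (25, ['203.0.113.99'])
    print(run_filter(sample_botnet_traffic()))   # (500, [])
```

In the single-source case the filter admits the legitimate client and the first twenty SYNs from the flooder, then denies that source; in the distributed case every packet is accepted, which is exactly why the notes say the contest then comes down to available bandwidth rather than filter rules.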
online gambling
Super Bowl XXXVIII in 2004
the biggest day of the year for sports betting sites in the US is Super Bowl Sunday
gaming sites began to receive extortion emails from Eastern Europe.
The letters said in effect: pay us $30,000 via Western Union by some date or we will take you offline.
DDoS hosting defense
why
make that investment once and provide a secure hosting service to all comers?
Barrett embarked on a wild entrepreneurial adventure in partnership with a Costa Rican gambling operation.
hosting
The new company was named Prolexic Technologies.
Within a year Prolexic hosted 80% of the online gaming websites in the world and succeeded in putting a stop to the nascent extortion racket emanating from Eastern Europe.
takedown as well
His efforts included working with international law enforcement to track down, prosecute and send to prison in Siberia one of the kingpins of extortion, a young man known by his screen name, Ivan
architecture
proxy
proxy their customers’ web servers in their own data centers placed strategically around the world. A proxy is just a server that mimics the original site. A request for a web page would go to the Prolexic server which would in turn retrieve the relevant web page from the original server in Costa Rica and serve it back to the requestor
secure BSD
These included finely tuned operating systems that would not be vulnerable to common exploits found in off-the-shelf operating systems. Barrett called on the expertise of one of the world’s top BSD developers based in Hawaii. BSD is an open source version of UNIX. The community of BSD developers has focused on creating as secure an operating system as possible. Prolexic customized BSD by removing all the components not needed by a web server.
Then they enhanced its ability to thwart the type of resource restrictions (memory, open ports, etc.) that usually caused servers to fail when they received too many connections.
load balancing
They also developed load balancing technology so that an attack of millions of requests could be served across multiple servers.
specific DDoS network gear
These devices could detect attacks, send alerts, and throttle attack packets. The cost for such devices can exceed $100K and the special security knowledge to run them is not readily available to a typical organization. Prolexic could make that investment because they were protecting multiple paying clients.
huge bandwidth
The final component of Prolexic’s defense was bandwidth. The typical heavily trafficked web site uses 10-20 megabits per second of bandwidth.
Through its relationships with major backbone Internet providers Prolexic could use up to 18 gigabits per second of bandwidth, an unprecedented amount.
easy because inbound bandwidth is not at a premium
Most Internet services see the largest amount of bandwidth for outward bound traffic. YouTube, Google’s video hosting service, has to supply terabits of data to its consumers of streaming video. So negotiating contracts with carriers for large amounts of incoming traffic is relatively easy and inexpensive
The largest attack Prolexic experienced was 11 gigs of traffic.
Recent reports indicate that DDoS attacks can exceed 30 gigs of traffic.
hardened, load-balanced servers, defensive devices, and massive amounts of available bandwidth are the core of DDoS defense.
Achilles heel of web infrastructure: DNS
attackers have recognized and attacked it
what it does
The Internet is based on protocols that use source and destination addresses in packets to route traffic. When a web address, a URL, is entered into a web browser there has to be some way to translate www.threatchaos.com to 22.214.171.124, its IP address, before packets can be exchanged and a visitor can see a web page.
the DNS is a layer of servers all over the world that provide that function.
DNS details
There are multiple tiers to the DNS. The Top Level Domains (TLD) are .com, .net, .gov, .edu, and the many country codes such as .ee for Estonia, and .uk for the United Kingdom. Each of these top level domains is supported by different organizations. When you type www.threatchaos.com into the URL window of your browser you generate a request to the .com TLD server (hosted by Verisign in over 400 data centers around the world). That server replies with the IP address of the name server that is responsible for keeping track of all of the IP addresses associated with the domain Threatchaos.com. Your browser quickly checks with that server (NS1.MEDIATEMPLE.NET at 126.96.36.199) which promptly directs you to www.threatchaos.com.
the owner of a web site may not own the DNS server that provides the critical function of pointing at the web site.
In other words, an attacker could target the DNS server and effectively take down the web site. The problem is compounded because a DNS server often provides name service for hundreds, even thousands, of separate domains.
helped some other online stores to prevent DNS attacks at Christmas?
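The tiered lookup described above, and the point that one hosting provider's name server is a single point of failure for every domain delegated to it, can be walked through with a toy iterative resolver over a constructed three-tier hierarchy. This is an added example, not code from the notes or the book; the server addresses, the name server host `ns1.hoster.example.` (a stand-in for a provider's name server such as the one the notes mention) and the extra customer zones are all made up.

```python
"""Toy iterative DNS resolver over a constructed three-tier hierarchy:
root -> TLD server -> the hosting provider's authoritative server.
Every host name and IP below is constructed (RFC 5737 documentation ranges)."""

# Each server is keyed by its IP. "NS" maps a zone to the host name of the
# server it delegates to; "A" maps a host name to an address (glue or answer).
SERVERS = {
    "192.0.2.1": {                      # root server: knows who runs the TLDs
        "NS": {"com.": "a.gtld.example.", "net.": "a.gtld.example."},
        "A": {"a.gtld.example.": "192.0.2.2"},
    },
    "192.0.2.2": {                      # .com/.net TLD server: delegates customer zones
        "NS": {
            "threatchaos.com.": "ns1.hoster.example.",
            "othershop.com.": "ns1.hoster.example.",   # shares the same provider NS
            "example.net.": "ns1.hoster.example.",
        },
        "A": {"ns1.hoster.example.": "198.51.100.5"},
    },
    "198.51.100.5": {                   # provider's NS: authoritative for many zones
        "NS": {},
        "A": {
            "www.threatchaos.com.": "203.0.113.10",
            "www.othershop.com.": "203.0.113.20",
            "www.example.net.": "203.0.113.30",
        },
    },
}
ROOT = "192.0.2.1"


def _zones(name):
    """Yield the zones a name belongs to, most specific first: www.a.com. -> a.com., com., ."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def resolve(name, down=frozenset()):
    """Walk the hierarchy the way an iterative resolver does. `down` is a set of
    server IPs that are unreachable (for instance, under DDoS). Returns
    (answer IP or None, list of servers asked in order)."""
    if not name.endswith("."):
        name += "."
    server, path = ROOT, []
    while True:
        path.append(server)
        if server in down:
            return None, path           # resolution stalls at the dead server
        data = SERVERS[server]
        if name in data["A"]:
            return data["A"][name], path
        # the most specific delegation this server knows about
        delegated = next((z for z in _zones(name) if z in data["NS"]), None)
        if delegated is None:
            return None, path
        ns_host = data["NS"][delegated]
        ns_ip = data["A"].get(ns_host)  # glue record for the delegated server
        if ns_ip is None or ns_ip == server:
            return None, path
        server = ns_ip


def zones_served_by(ns_ip):
    """Blast radius of one name server: every zone delegated to it."""
    host = next(h for s in SERVERS.values() for h, ip in s["A"].items() if ip == ns_ip)
    return sorted(z for s in SERVERS.values() for z, h in s["NS"].items() if h == host)


if __name__ == "__main__":
    print(resolve("www.threatchaos.com"))                      # answer plus 3-server path
    print(resolve("www.othershop.com", down={"198.51.100.5"}))  # None: provider NS is down
    print(zones_served_by("198.51.100.5"))                      # all zones that go dark with it
```

Marking the provider's server as down makes every zone delegated to it unresolvable even though the web servers themselves are untouched, which is the dependency the notes flag: the site owner may control the web server but not the name server that points at it.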
BGP, the naked underbelly of the Internet.
decentralized
The Internet is a marvel of self-organization with many components that work seamlessly on top of each other
layered architecture
Web servers, layers of protocols, social networks, and routing infrastructure all work together to provide a communication, business, and social platform that is fueling change in society and the world of commerce. But those underlying components were designed and deployed before today’s threats were apparent.
big idea
There is a weak link in the way the Internet is architected.
It is the underlying routing protocol. This weak link is well known by aggressors but has not been exploited in an overt malicious act. Yet.
Pakistan incident
On February 24th, 2008 an engineer at an ISP in Pakistan removed YouTube from the Internet. He did this in response to a government decree. His intention was to follow the letter of the law and block access to YouTube from within Pakistan.
chose to do this by playing with the routing protocol
Packets on the Internet flow through routers. These routers maintain a list of routes based on blocks of IP addresses. When a packet is received the router reads its intended destination, looks it up in a big table and forwards it on to the next router. Where does that router get that big lookup table? From other routers, of course. The protocol used to transmit those route tables is Border Gateway Protocol (BGP).
a network uses BGP to announce which IP addresses it controls to the rest of the routers on the Internet
The engineer at PIENet loaded a new route into his router that said the small block of addresses that contained the IP address of www.youtube.com was controlled by him.
The result was almost instantaneous. His upstream provider in Hong Kong picked up on the new route and broadcast it to the world. Most routers treated those routes as authoritative because they were more granular than those announced by Google.
Every attempt to watch a YouTube video was routed from anywhere in the world to a small ISP in Pakistan.
Those requests were so numerous that they flooded the links to Pakistan to such an extent that Pakistan was effectively knocked off the Internet as well.
DoS
Thanks to Barrett Lyon the YouTube outage was repaired by the end of that fateful Sunday.
his content delivery business gave him access to backbone networks to fix this
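The mechanism behind the incident in the notes above is longest-prefix match: a router prefers the most specific route it has for a destination, so a smaller block announced by a different network captures the traffic. The following added example (not code from the notes or the book) replays that shape with a toy route table and pairs it with the check an operator would run on incoming announcements, in the spirit of RPKI route origin validation: a published record says which origin AS may announce a covering prefix and how specific it is allowed to be. Prefixes and AS numbers are constructed from the documentation ranges.

```python
"""Toy BGP-style route table plus an origin check. Longest-prefix match shows why
a more specific announcement wins; validate_origin() shows how a published
(prefix, max length, origin AS) record flags it. All numbers are constructed."""
import ipaddress


class RouteTable:
    def __init__(self):
        self.routes = []    # list of (network, origin_asn, announcer label)

    def announce(self, prefix, origin_asn, announcer):
        self.routes.append((ipaddress.ip_network(prefix), origin_asn, announcer))

    def lookup(self, ip):
        """Longest-prefix match: among routes containing ip, the longest mask wins."""
        addr = ipaddress.ip_address(ip)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        return max(matches, key=lambda r: r[0].prefixlen)


# Constructed authorization records: (covering prefix, max prefix length, origin AS).
# AS64496 stands in for the content owner; 64496-64511 are documentation ASNs.
EXPECTED_ORIGINS = [
    (ipaddress.ip_network("198.51.100.0/22"), 24, 64496),
]


def validate_origin(prefix, origin_asn, records=EXPECTED_ORIGINS):
    """Classify an announcement as 'valid', 'invalid' or 'unknown' against the records."""
    net = ipaddress.ip_network(prefix)
    covered = [(c, maxlen, asn) for c, maxlen, asn in records if net.subnet_of(c)]
    if not covered:
        return "unknown"            # nobody has published a record for this space
    for _, maxlen, asn in covered:
        if asn == origin_asn and net.prefixlen <= maxlen:
            return "valid"
    return "invalid"                # wrong origin, or more specific than allowed


def more_specific_incident():
    """Replay the shape of the 2008 incident with constructed numbers: the owner
    announces a /22, then a different network announces a /24 inside it."""
    table = RouteTable()
    table.announce("198.51.100.0/22", 64496, "AS64496 (content owner)")
    before = table.lookup("198.51.100.77")
    table.announce("198.51.100.0/24", 64511, "AS64511 (small ISP)")
    after = table.lookup("198.51.100.77")
    # A router that checked the announcement against the published record
    # would have rejected the /24 before installing it.
    verdict = validate_origin("198.51.100.0/24", 64511)
    return before[2], after[2], verdict


if __name__ == "__main__":
    print(more_specific_incident())
    # ('AS64496 (content owner)', 'AS64511 (small ISP)', 'invalid')
```

The same check also rejects an over-specific announcement from the legitimate origin (a /25 when the record allows at most /24) and returns "unknown" for address space with no record at all, which is the case an operator has to decide a policy for separately.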