Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Role of Content Delivery Networks in Protecting Web Sites from Attacks Bruce Maggs VP for Research, Akamai Technologies.

Published byDebra Holmes Modified over 8 years ago

Similar presentations

Presentation on theme: "The Role of Content Delivery Networks in Protecting Web Sites from Attacks Bruce Maggs VP for Research, Akamai Technologies."— Presentation transcript:

1 The Role of Content Delivery Networks in Protecting Web Sites from Attacks Bruce Maggs VP for Research, Akamai Technologies

2 ©2013 AKAMAI | FASTER FORWARD TM The Akamai Platform and Services Daily Traffic: 25+ Tbps peak 19+ million hits per second 600+ million IPv4 clients/day 4+ trillion deliveries/day 30+ petabytes/day 10+ million concurrent streams Delivering 130,000+ Domains All top 60 ecommerce sites All top 30 media & entertainment companies 9 of the top 10 banks All of the top Internet portals 160,000+ Servers 1,100+ Networks 2,500+ Physical Locations 650+ Cities 81 Countries A Global Platform:

3 Embedded Image Delivery (e.g., Amazon) <html><head> Welcome to xyz.com! Welcome to xyz.com! </head><body> <img src=“ Welcome to our Web site! Welcome to our Web site! Click here to enter Click here to enter </body></html> http://www.xyz.com/logos/logo.gif”> http://www.xyz.com/jpgs/navbar1.jpg”> Embedded URLs are Converted to ARLs ak

4 End User Akamai DNS Resolution Akamai High-Level DNS Servers 10 g.akamai.net 1 Browser’s Cache OS 2 Local Name Server 3 xyz.com’s nameserver 6 ak.xyz.com 7 a212.g.akamai.net 9 15.15.125.6 16 15 11 20.20.123.55 Akamai Low-Level DNS Servers 12 a212.g.akamai.net 30.30.123.5 13 14 4 xyz.com.com.net Root (Verisign) 10.10.123.55 akamai.net8 select cluster select servers within cluster

5 ©2013 AKAMAI | FASTER FORWARD TM Distributed Denial of Service (DDOS) Attacks The attacker hopes to overwhelm the content provider’s resources with requests for service. Sometimes the attacker employs a “bot army” of compromised machines. The attacker tries to issue requests for content that cannot be cached. The attacker looks for “amplification” where an easy-to-generate request requires a difficult-to-generate response.

6 ©2013 AKAMAI | FASTER FORWARD TM 991 1317 2002 2936 2013 2011 2010 2012 Attack Frequency (Attacks Detected and Mitigated) 5634 2014

7 ©2013 AKAMAI | FASTER FORWARD TM Gbps Mpps 2009 2008 2005 11 2 2006 18 8 2007 22 11 39 15 48 29 2010 68 38 2011 79 45 2012 82 69 2014 320 270 2013 190 144 Largest Attacks by Year

8 ©2013 AKAMAI | FASTER FORWARD TM Attack Types Q3 2014

9 ©2013 AKAMAI | FASTER FORWARD TM US 23.95% China 20.07% Germany 5.78% Korea 6.13% Mexico 14.16% Brazil 17.60% Japan 4.10% Russia 2.97% India 2.81% Thailand 2.43% Attack Origins Q3 2014

10 ©2013 AKAMAI | FASTER FORWARD TM Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. Targeted Industry Sectors

11 ©2013 AKAMAI | FASTER FORWARD TM Origin Server End User 1 10 100 10000 Origin Traffic 1000 Akamai Traffic 1 10 100 10000 1000 The Akamai Platform Provides a Perimeter Defense

12 ©2013 AKAMAI | FASTER FORWARD TM Defeating HTTP flooding attacks – Rate Controls 1.Count the number of Forward Requests 2.Block any IP address with excessive forward requests Client Request Forward Request Forward Response Customer Origin Akamai Edge Server X Custom Error page

13 ©2013 AKAMAI | FASTER FORWARD TM Filtering Out Malformed Requests SQL injection attacks Cross-site scripting (XSS) attacks Cache busting attacks

14 ©2013 AKAMAI | FASTER FORWARD TM Relational databases Relational databases store tables consisting of rows and columns. (image from http://support.sas.com)

15 ©2013 AKAMAI | FASTER FORWARD TM Structured Query Language (SQL) Example Query: SELECT * FROM Employees WHERE LName = ’PARKER’; IdNum LName FName JobCode Salary Phone 1354 PARKER MARY FA3 65800 914/455-2337

16 ©2013 AKAMAI | FASTER FORWARD TM Example SQL Injection Suppose a program creates the following SQL query, where userName is a variable holding input provided by an end-user, e.g., through a form on a Web page. SELECT * FROM Employees WHERE LName = ’” + userName + ”’;” But instead of entering a name like PARKER the user enters ’ or ’1’=’1 Then the query becomes SELECT * FROM Employees WHERE LName = ’’ or ’1’=’1’; This query returns all rows in the Employees table!

17 ©2013 AKAMAI | FASTER FORWARD TM A More Destructive Injection Same code as before: SELECT * FROM Employees WHERE LName = ’” + userName + ”’;” But now suppose the user enters a’; DROP TABLE Employees Then the query becomes SELECT * FROM Employees WHERE LName = ’a’; DROP TABLE Employees; This query might delete the Employees table! (Not all databases allow two queries in the same string.)

18 ©2013 AKAMAI | FASTER FORWARD TM bobby-tables.com: A guide to preventing SQL injection (from the comic strip xkcd)

19 ©2013 AKAMAI | FASTER FORWARD TM Cross-Site Scripting Attacker types this into text entry form: http://theftsRus.com/script.js Attacker hopes that later the site will insert this into the HTML that it outputs, and then the victim’s browser will execute the script.

20 ©2013 AKAMAI | FASTER FORWARD TM Cache Busting Attacker adds query strings to the end of a requested URL, e.g., http://ak.xyz.com/logo.gif?id=832164328 Attacker hopes that the CDN will view each request with a different query string as a request for a different object, and fetch a new copy from the content provider.

21 ©2013 AKAMAI | FASTER FORWARD TM Operation Ababil Phase 1 Sep 12 – Early Nov 2012 DNS packets with “AAAAA” payload Limited Layer 7 attacks Early-mid Oct 2012 announced names of banks where attacks succeeded (Did not announce bank names if attacks were unsuccessful) Began use of HTTP dynamic content to circumvent static caching defenses Phase 2 Dec 12, 2012 – Jan 29 Incorporate random query strings and values Addition of random query strings against PDFs Additions to bot army Burst probes to bypass rate-limiting controls Addition of valid argument names, random values Phase 3 Multiple probes Multiple targets Increased focus on Layer 7 attacks Target banks where attacks work Fraudsters take advantage Late Feb 2013 – May 2013 “none of the U.S banks will be safe from our attacks” Phase 4 Used fake plug-ins to infect files July 2013 –

22 ©2013 AKAMAI | FASTER FORWARD TM DNS Traffic Handled by Akamai 1.8 M 1.6 M 1.4 M 1.2 M 1.0 M 0.8 M 0.6 M 0.4 M 0.2 M 0.0 Total eDNS Tues 12:00Wed 00:00Wed12:00 s Phase 1 Attack – Sept 2012 22 Attack Traffic: 23 Gbps ( 10,000X normal) Duration: 4.5 Hours High volume of non-standard packets sent to UDP port 53 Packets did not include a valid DNS header Packets consisted of large blocks of repeating “A”s The packets were abnormally large Simultaneously, a SYN-Flood was directed against TCP port 53

23 ©2013 AKAMAI | FASTER FORWARD TM Phase 2 Attacks - January 2 nd, 2013 Bank #1 Bank #2 Bank #3 Bank #4 Bank #5 QCF targeted PDF files Akamai Dynamic Caching Rules offloaded 100% of the traffic No Origin Impact

24 ©2013 AKAMAI | FASTER FORWARD TM Phase 2 Attacks - January 2 nd, 2013 Bank #1 Bank #2 Bank #3 Bank #4 Bank #5 QCF targeted marketing web pages Rate controls automatically activated Attack was deflected, far from bank’s datacenter No Origin Impact

25 ©2013 AKAMAI | FASTER FORWARD TM Phase 2 Attacks - January 2 nd, 2013 Bank #1 Bank #2 Bank #3 Bank #4 Bank #5 QCF targeted SSL Akamai offloaded 99% of the traffic No Origin Impact

26 ©2013 AKAMAI | FASTER FORWARD TM Phase 2 Attacks - January 2 nd, 2013 Bank #1 Bank #2 Bank #3 Bank #4 Bank #5 12:03 PM 9:00 AM Error/Outage—site not responding Gomez agents in 12 cities measuring hourly NOT on Akamai

27 ©2013 AKAMAI | FASTER FORWARD TM Phase 2 Attacks - January 2 nd, 2013 Bank #1 Bank #2 Bank #3 Bank #4 Bank #5 Gomez agents in 12 cities measuring hourly NOT on Akamai 12:44 PM 6:21 PM Error/Outage—site not responding

28 ©2013 AKAMAI | FASTER FORWARD TM Phase 3 Attack Example Attack started at March 5, 2013 morning Peak Attack Traffic > 126 thousand requests per second 70x normal Edge Bandwidth (29Gbps) Origin Traffic stayed at normal levels ~2000 Agents participated in the 20 minute assault 80% of the agents were new IP addresses that had not participated in earlier campaigns

29 ©2013 AKAMAI | FASTER FORWARD TM Attack Tactics - Pre-attack Reconnaissance Attackers test the site with short burst high speed probes Short bursts of attack requests on non-cacheable content every 10 minutes Peak of 18 million requests per second If the site falters, they announce that they will attack that bank and return later with a full scale attack If the site is resilient they move on

30 ©2013 AKAMAI | FASTER FORWARD TM Observations Due to recent attack sizes, infrastructure capacity build out is not economical, and may not work anyway Attacks range from 13X to 70X normal traffic, 25X to 120X normal request volume The burst speed of attacks has become too fast for reactive mitigation – a proactive “always-on” defense is necessary

Download ppt "The Role of Content Delivery Networks in Protecting Web Sites from Attacks Bruce Maggs VP for Research, Akamai Technologies."

Similar presentations

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
© 2011 Infoblox Inc. All Rights Reserved. Infoblox – control, secure & automate Mike Carroll.

© 2011 Infoblox Inc. All Rights Reserved. Infoblox – control, secure & automate Mike Carroll.
Akamai Content Delivery Network Slides from Bruce Maggs.

Akamai Content Delivery Network Slides from Bruce Maggs.
Akamai DNS Offerings RSA © Conference 2013. ©2013 AKAMAI | FASTER FORWARD TM Akamai DNS Solutions Enhanced DNS (eDNS) Scalable, outsourced, DNS solution.

Akamai DNS Offerings RSA © Conference ©2013 AKAMAI | FASTER FORWARD TM Akamai DNS Solutions Enhanced DNS (eDNS) Scalable, outsourced, DNS solution.
Protecting Commercial and Government Web Sites: The Role of Content Delivery Networks Bruce Maggs VP for Research, Akamai Technologies.

Protecting Commercial and Government Web Sites: The Role of Content Delivery Networks Bruce Maggs VP for Research, Akamai Technologies.
Amazon CloudFront An introductory discussion. What is Amazon CloudFront? 5/31/20122© e-Zest Solutions Ltd. Amazon CloudFront is a web service for content.

Amazon CloudFront An introductory discussion. What is Amazon CloudFront? 5/31/20122© e-Zest Solutions Ltd. Amazon CloudFront is a web service for content.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Key Algorithms in a Content Delivery System Akamai Technologies and Carnegie Mellon University Bruce Maggs.

Key Algorithms in a Content Delivery System Akamai Technologies and Carnegie Mellon University Bruce Maggs.
Engineering a Content Delivery Network COMPSCI 214 Computer Networks and Distributed Systems Bruce Maggs.

Engineering a Content Delivery Network COMPSCI 214 Computer Networks and Distributed Systems Bruce Maggs.
Engineering a Content Delivery Network Bruce Maggs.

Engineering a Content Delivery Network Bruce Maggs.
EEC-484/584 Computer Networks Discussion Session for HTTP and DNS Wenbing Zhao

EEC-484/584 Computer Networks Discussion Session for HTTP and DNS Wenbing Zhao
CDNs & Replication Prof. Vern Paxson EE122 Fall 2007 TAs: Lisa Fowler, Daniel Killebrew, Jorge Ortiz.

CDNs & Replication Prof. Vern Paxson EE122 Fall 2007 TAs: Lisa Fowler, Daniel Killebrew, Jorge Ortiz.
1 Web Content Delivery Reading: Section 9.2.2 and 9.4.3 COS 461: Computer Networks Spring 2007 (MW 1:30-2:50 in Friend 004) Ioannis Avramopoulos Instructor:

1 Web Content Delivery Reading: Section and COS 461: Computer Networks Spring 2007 (MW 1:30-2:50 in Friend 004) Ioannis Avramopoulos Instructor:
Caching and Content Distribution Networks. Web Caching r As an example, we use the web to illustrate caching and other related issues browser Web Proxy.

Caching and Content Distribution Networks. Web Caching r As an example, we use the web to illustrate caching and other related issues browser Web Proxy.
DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.

DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.
Beyond DDoS: Case Studies on Attack Mitigation for Financial Services Mike Kun and Patrick Laverty, Akamai CSIRT.

Beyond DDoS: Case Studies on Attack Mitigation for Financial Services Mike Kun and Patrick Laverty, Akamai CSIRT.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.

PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.
1 Content Distribution Networks. 2 Replication Issues Request distribution: how to transparently distribute requests for content among replication servers.

1 Content Distribution Networks. 2 Replication Issues Request distribution: how to transparently distribute requests for content among replication servers.
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

Similar presentations

Ads by Google