Protecting Commercial and Government Web Sites: The Role of Content Delivery Networks Bruce Maggs VP for Research, Akamai Technologies.

Presentation transcript:

©2013 AKAMAI | FASTER FORWARD TM

Attacks on Akamai Customers
- Attacks are originating from all geographies and are moving between geographies during the attack.

The Akamai Platform Provides a Perimeter Defense
[Diagram: End User -> Akamai Traffic -> Origin Server, with "Origin Traffic" shown as a small fraction of the Akamai traffic (label "1000")]

Defeating HTTP flooding attacks - Rate Controls
1. Count the number of Forward Requests
2. Block any IP address with excessive forward requests
[Diagram: Client Request -> Akamai Edge Server; Forward Request / Forward Response between the Akamai Edge Server and the Customer Origin; an X marks the blocked client, which is answered with a Custom Error page]
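The two steps above, as an added example that is not Akamai's code: a constructed edge-server model that counts only forward requests (cache misses sent on to the origin) per client IP and answers an IP that exceeds the limit with a custom error page. The limit, window and addresses are assumptions.

```python
from collections import defaultdict, deque

# Constructed model of the edge-side rate control (added example, not
# Akamai code). Only forward requests, i.e. cache misses sent on to the
# origin, count toward the per-IP limit; edge cache hits are free.
FORWARD_LIMIT = 5       # assumed: forward requests allowed per IP per window
WINDOW_SECS = 60.0      # assumed sliding window and block duration
CUSTOM_ERROR = (403, "Custom error page: too many requests")

class EdgeServer:
    def __init__(self, origin_objects):
        self.origin = origin_objects         # url -> body, stands in for the customer origin
        self.origin_fetches = 0              # what the origin actually had to serve
        self.cache = {}                      # url -> body cached at the edge
        self.forwards = defaultdict(deque)   # client_ip -> timestamps of forward requests
        self.blocked = {}                    # client_ip -> time the block expires

    def _prune(self, ip, now):
        q = self.forwards[ip]
        while q and now - q[0] > WINDOW_SECS:
            q.popleft()

    def handle(self, client_ip, url, now):
        """Return (status, body) for one client request arriving at time `now`."""
        if self.blocked.get(client_ip, 0) > now:
            return CUSTOM_ERROR
        if url in self.cache:                # a hit never becomes a forward request
            return 200, self.cache[url]
        self._prune(client_ip, now)
        if len(self.forwards[client_ip]) >= FORWARD_LIMIT:   # step 2: block excessive IPs
            self.blocked[client_ip] = now + WINDOW_SECS
            return CUSTOM_ERROR
        self.forwards[client_ip].append(now)                 # step 1: count the forward request
        self.origin_fetches += 1
        body = self.origin.get(url)
        if body is None:
            return 404, "not found"
        self.cache[url] = body               # the forward response populates the edge cache
        return 200, body

def simulate():
    """Constructed traffic: one client hammering uncached URLs, one browsing a cached page."""
    edge = EdgeServer({f"/page{i}": f"<html>{i}</html>" for i in range(20)})
    flood = [edge.handle("198.51.100.7", f"/page{i}", float(i))[0] for i in range(10)]
    normal = [edge.handle("203.0.113.5", "/page0", float(t))[0] for t in range(10)]
    return edge, flood, normal
```

In the simulation the origin sees only five fetches: the flooding client is cut off at the edge after the fifth miss, while the client reading the cached page is never affected.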

Filtering Out Malformed Requests
- SQL injection attacks
- Cache busting attacks

Relational databases
- Relational databases store tables consisting of rows and columns.

Structured Query Language (SQL)
Example Query:

SELECT * FROM Employees WHERE LName = 'PARKER';

Result:

IdNum  LName   FName  JobCode  Salary  Phone
1354   PARKER  MARY   FA

Example SQL Injection
Suppose a program creates the following SQL query, where userName is a variable holding input provided by an end-user, e.g., through a form on a Web page:

"SELECT * FROM Employees WHERE LName = '" + userName + "';"

But instead of entering a name like PARKER the user enters

' or '1'='1

Then the query becomes

SELECT * FROM Employees WHERE LName = '' or '1'='1';

This query returns all rows in the Employees table!

A More Destructive Injection
Same code as before:

"SELECT * FROM Employees WHERE LName = '" + userName + "';"

But now suppose the user enters

a'; DROP TABLE Employees

Then the query becomes

SELECT * FROM Employees WHERE LName = 'a'; DROP TABLE Employees;

This query might delete the Employees table! (Not all databases allow two queries in the same string.)

bobby-tables.com: A guide to preventing SQL injection (from the comic strip xkcd)

Filtering SQL Injection Attacks
- The CDN filters suspicious-looking inputs, not because the content provider can't filter them correctly, but because the content provider should not expend resources processing bad inputs.

Cache Busting
- Idea: The attacker sends multiple requests for the same large object, each with a different query string attached.
- If the CDN cache treats every distinct URL as a unique object, it will have to fetch a new copy of the object from the content provider each time it receives a request with a new query string.
- Even worse, as Triukose, Al-Qudah, and Rabinovich observe, the CDN might pull the entire object from the content provider at high speed even if the attacker is downloading the object slowly or not at all, thus using the CDN to amplify the client's attack.

Query String Filtering
- Solution: At the content provider's request, the CDN can ignore the query string when identifying the object, i.e., only fetch and cache one copy of the object. (Available for many years.)
- The CDN can also filter out multiple requests by the same client for a single object with different query strings.
- The CDN can limit the rate at which it fetches an object from the content provider to the rate at which the client is downloading the object.
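The first two measures above, as an added example (not Akamai's code): a constructed cache front-end that can key objects by path alone and can drop repeat requests from one client that keep varying the query string, run against the cache-busting pattern from the previous slide. The threshold, path and address are assumptions; origin-fetch pacing is not modelled.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed model of the first two query-string defences (added example,
# not Akamai code). The threshold is an assumption.
MAX_DISTINCT_QS = 3   # distinct query strings one client may use for one object

class QueryStringFilter:
    def __init__(self, ignore_query_string, filter_clients):
        self.ignore_qs = ignore_query_string   # set at the content provider's request
        self.filter_clients = filter_clients   # drop repeat requests with varying query strings
        self.cache = set()                     # cache keys already fetched from the origin
        self.origin_fetches = 0
        self.seen_qs = defaultdict(set)        # (client_ip, path) -> query strings seen

    def handle(self, client_ip, url):
        """Return 'hit', 'miss' (object fetched from the origin) or 'filtered'."""
        parts = urlsplit(url)
        seen = self.seen_qs[(client_ip, parts.path)]
        seen.add(parts.query)
        if self.filter_clients and len(seen) > MAX_DISTINCT_QS:
            return "filtered"
        key = parts.path if self.ignore_qs else parts.path + "?" + parts.query
        if key in self.cache:
            return "hit"
        self.cache.add(key)          # one copy per key; with ignore_qs that is one per object
        self.origin_fetches += 1
        return "miss"

def simulate(ignore_query_string, filter_clients):
    """Constructed cache-busting traffic: one client, one object, ten varying query strings."""
    f = QueryStringFilter(ignore_query_string, filter_clients)
    outcomes = [f.handle("198.51.100.7", f"/statements/big.pdf?r={i}") for i in range(10)]
    return outcomes, f.origin_fetches
```

With neither defence enabled every request is a miss and the origin serves the object ten times; keying by path alone reduces that to one fetch, and the per-client filter additionally stops answering the client after its third distinct query string.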

Operation Ababil

Phase 1: Sep 12 - Early Nov 2012
- DNS packets with "AAAAA" payload
- Limited Layer 7 attacks
- Early-mid Oct 2012: announced names of banks where attacks succeeded (did not announce bank names if attacks were unsuccessful)
- Began use of HTTP dynamic content to circumvent static caching defenses

Phase 2: Dec 12, 2012 - Jan 29
- Incorporate random query strings and values
- Addition of random query strings against PDFs
- Additions to bot army
- Burst probes to bypass rate-limiting controls
- Addition of valid argument names, random values

Phase 3: Late Feb 2013 - Now
- Multiple probes
- Multiple targets
- Increased focus on Layer 7 attacks
- Target banks where attacks work
- Fraudsters take advantage
- "none of the U.S banks will be safe from our attacks"

A layer 7 attack is also known as an application layer attack.

DNS Traffic Handled by Akamai
[Chart: Total eDNS traffic from Tues 12:00 to Wed 12:00, y-axis 0.0 to 1.8 M]

Phase 1 Attack - Sept
- Attack Traffic: 23 Gbps (10,000X normal)
- Duration: 4.5 Hours
- High volume of non-standard packets sent to UDP port 53
- Packets did not include a valid DNS header
- Packets consisted of large blocks of repeating "A"s
- The packets were abnormally large
- Simultaneously, a SYN-Flood was directed against TCP port 53
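Header-level triage of UDP/53 payloads, as an added example (not Akamai's code), that separates a well-formed DNS query from packets with the three Phase 1 traits above: no valid DNS header, abnormally large, or a repeating "A" payload. The size threshold, opcode list and sample packets are constructed assumptions.

```python
import struct

# Added example (not Akamai code): header checks a defender could run on
# UDP/53 payloads to flag the Phase 1 traffic. Thresholds are assumptions.
MAX_PLAIN_QUERY = 512            # classic UDP DNS message limit without EDNS
KNOWN_OPCODES = (0, 1, 2, 4, 5)  # QUERY, IQUERY, STATUS, NOTIFY, UPDATE

def dns_header_is_valid(payload):
    """True if the first 12 bytes parse as a plausible DNS header."""
    if len(payload) < 12:
        return False
    _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if ((flags >> 11) & 0xF) not in KNOWN_OPCODES:
        return False
    if qd > 16 or an + ns + ar > 64:    # section counts no real query carries
        return False
    return True

def classify(payload):
    """Triage one UDP/53 payload: 'ok' or a short reason it looks like flood traffic."""
    if not dns_header_is_valid(payload):
        return "no valid DNS header"
    if len(payload) > MAX_PLAIN_QUERY:
        return "abnormally large"
    if len(payload) > 64 and len(set(payload[12:])) == 1:
        return "repeating payload"
    return "ok"

def build_query(name="example.com"):
    """Constructed well-formed A query (RD flag set) for comparison."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN

SAMPLE_FLOOD = b"A" * 1400   # constructed stand-in for the slide's repeating-"A" packets
```

A block of "A" bytes fails at the header stage already: its flags word decodes to an unassigned opcode and its question count is in the thousands, so no record parsing is needed to reject it.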

Phase 2 Attacks - January 2nd, 2013
[Chart legend: Bank #1, Bank #2, Bank #3, Bank #4, Bank #5]
- QCF targeted PDF files
- Akamai Dynamic Caching Rules offloaded 100% of the traffic
- No Origin Impact

Phase 2 Attacks - January 2nd, 2013
[Chart legend: Bank #1, Bank #2, Bank #3, Bank #4, Bank #5]
- QCF targeted marketing web pages
- Rate controls automatically activated
- Attack was deflected, far from bank's datacenter
- No Origin Impact

Phase 2 Attacks - January 2nd, 2013
[Chart legend: Bank #1, Bank #2, Bank #3, Bank #4, Bank #5]
- QCF targeted SSL
- Akamai offloaded 99% of the traffic
- No Origin Impact

Phase 2 Attacks - January 2nd, 2013 (bank NOT on Akamai)
[Chart legend: Bank #1, Bank #2, Bank #3, Bank #4, Bank #5; Gomez agents in 12 cities measuring hourly; Error/Outage (site not responding) annotated at 9:00 AM and 12:03 PM]

Phase 2 Attacks - January 2nd, 2013 (bank NOT on Akamai)
[Chart legend: Bank #1, Bank #2, Bank #3, Bank #4, Bank #5; Gomez agents in 12 cities measuring hourly; Error/Outage (site not responding) annotated at 12:44 PM and 6:21 PM]

Phase 3 Attack Example
- Attack started on the morning of March 5, 2013
- Peak Attack Traffic > 126 thousand requests per second, 70x normal
- Edge Bandwidth: 29 Gbps
- Origin Traffic stayed at normal levels
- ~2000 Agents participated in the 20 minute assault
- 80% of the agents were new IP addresses that had not participated in earlier campaigns

Attack Tactics - Pre-attack Reconnaissance
- Attackers test the site with short burst high speed probes
- Short bursts of attack requests on non-cacheable content every 10 minutes
- Peak of 18 million requests per second
- If the site falters, they announce that they will attack that bank and return later with a full scale attack
- If the site is resilient they move on