DOCSLIB.ORG

F5 DD0S PLAYBOOK 092915 FINAL.Fm

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
F5 DD0S PLAYBOOK 092915 FINAL.Fm WHITE PAPER F5 DDoS Playbook: A Procedural Survival Guide to Combating DDoS Attacks Contents Concept 3 The Five Worksheets 4 Preparing for a DDoS Attack 5 DDos-Resilient Architecture 5 DDoS Mitigation Steps 7 STEP 1–VERIFY THE ATTACK 8 STEP 2–CONFIRM DDOS ATTACK 9 STEP 3–TRIAGE APPLICATIONS 10 STEP 4–PROTECT PARTNERS WITH WHITELISTS 11 STEP 5–IDENTIFY THE ATTACK 12 STEP 6–EVALUATE SOURCE ADDRESSES MITIGATION OPTIONS 13 STEP 7–MITIGATE SPECIFIC APPLICATION LAYER ATTACK 15 STEP 8–INCREASE APPLICATION-LEVEL SECURITY 16 STEP 9–CONSTRAIN RESOURCES 18 STEP 10–MANAGE YOUR PUBLIC RELATIONS 19 Conclusion 20 Worksheet 1: Contacts List 21 Worksheet 2: Whitelists 22 Worksheet 3: Triage Applications 23 Worksheet 4: F5 Device Map 24 Worksheet 5: Attack Log 25 2 WHITE PAPER F5 DDoS Playbook: A Procedural Survival Guide to Combating DDoS Attacks Concept Distributed Denial-of-Service (DDoS) attacks are a top concern for many DDoS organizations today. A DDoS attack creates a security breach with a website, saturates the server’s connections, renders its services inoperable, and prevents legitimate clients from being able to connect to it. For the uninitiated, it can be a scary and stressful ordeal! DDoS attacks are usually coordinated across a large number of client computers (which may have been set up for that purpose), or more likely, have been infected with a virus that allows someone to remotely control the computer, making it participate in the attack. Both financially and politically motivated, DDoS attacks are becoming more 2014 prevalent. Although a first attack can happen randomly, it often occurs when DDoS an attacker with specific knowledge of your high-value service, decides to Attack Frequency take it off-line. This can cause panic, and instigate costly “ransom-like” decisions to triage and stop the attack. Figure 1. Volumetric Attacks Increase in 2014 Organizations that have defended against multiple DDoS attacks understand the importance of having an objective method to assist in combating them. What is their solution? The F5 DDoS Playbook. This document can be the basis for developing that tool for your organization. 3 WHITE PAPER F5 DDoS Playbook: A Procedural Survival Guide to Combating DDoS Attacks The Five Worksheets There are five worksheets to complete that will assist you in repelling a DDoS attack. Once completed, these worksheets can be kept in your data center and used for reference purposes. • Worksheet 1: Contact List–Fill it out as you initiate contacts (page 21). If you have not recorded this information • Worksheet 2: Whitelists–Map your partners, users, and services (page 22). prior to your first attack, record it as you collect it. • Worksheet 3: Application Triage–Know your own applications (page 23). • Worksheet 4: Device Map–Create a device map (page 24). • Worksheet 5: Attack Log–Note the attack details (page 25). Your organization may have regulatory compliance statutes that require a Regulatory level of reporting around cyber-attacks, breaches, or even DDoS attacks. Compliance “Worksheet 5: Attack Log” on page 25 can assist you in this situation, as you can track and refer to the log later during the reporting process. 4 WHITE PAPER F5 DDoS Playbook: A Procedural Survival Guide to Combating DDoS Attacks Preparing for a DDoS Attack DDoS-Resilient Architecture If you are fortunate enough to be reading this document prior to being attacked, then there are steps that you can take now to make your applications, networks, and processes, DDoS-resilient. Network Defense Architecture Considerations After you have filled out the worksheets, obtain the F5 DDos Recommended Practices document so you can consider how to lay out your network architecture defenses. F5 recommends a Multi-Tier Approach DDoS Architecture, where Multi-Tier Approach Layer 3 and Layer 4 DDoS attacks are mitigated at the Network Tier, with DDoS Architecture firewalls and IP reputation databases (see Figure 2. F5 Recommends a Multi-Tier DDoS Approach Architecture). Figure 2. F5 Recommends a Multi-Tier DDoS Approach Architecture The Application Tier handles high-CPU security functions such as SSL Application Tier termination and web-application firewall functionality. 5 WHITE PAPER F5 DDoS Playbook: A Procedural Survival Guide to Combating DDoS Attacks To combat DDoS, a modern organization will need a Cloud-based DDoS Cloud-based DDoS Scrubbing Tier. These service offerings can scrub hundreds of gigabytes Scrubbing Tier per second and return “clean” traffic to the customer data center. DNS is handled in the DMZ and partially protected by the Network Tier. DNS This Multi-Tier Approach can assist in the following attack types and effects: • Defeat TCP connection floods • Overcome SNAT port exhaustion • Turn back SSL floods These are just some of the recommended practices and considerations. You can obtain additional resources in the comprehensive F5 DDos Recommended Practices document. 6 WHITE PAPER F5 DDoS Playbook: A Procedural Survival Guide to Combating DDoS Attacks DDoS Mitigation Steps If you appear to be suffering a volumetric attack, it can help to have a Monitoring historical sense of your own traffic patterns. Keep a baseline of normal traffic Volumetric Attacks: Remember to keep patterns to compare against. a monitoring web page open to indicate when the If you have determined that you are under a DDoS attack, record the attack may be over (or “estimated start time” (see “Worksheet 5: Attack Log” on page 25). mitigate). You will need to follow up to 10 steps for your DDoS Mitigation: • STEP 1–VERIFY THE ATTACK • STEP 2–CONTACT TEAM LEADS • STEP 3–TRIAGE THE APPLICATIONS • STEP 4–IDENTIFY THE ATTACK • STEP 5–PROTECT REMOTE USERS AND PARTNERS • STEP 6–EVALUATE SOURCE ADDRESS MITIGATION OPTIONS • STEP 7–MITIGATE SPECIFIC APPLICATION ATTACKS • STEP 8–INCREASE APPLICATION-LEVEL SECURITY POSTURE • STEP 9–CONSTRAIN RESOURCES • STEP 10–MANAGE YOUR PUBLIC RELATIONS 7 WHITE PAPER F5 DDoS Playbook: A Procedural Survival Guide to Combating DDoS Attacks STEP 1– VERIFY THE ATTACK Most outages are not caused by a DDoS attack DNS misconfiguration. Upstream routing issues and human error are some common causes. You must first rule out these types of non-DDoS attacks, and distinguish them from a common outage. Common Outages The faster that you can verify the attack is a real DDoS attack, the faster you can respond.Even if the outage was not caused by a misconfiguration or other human error, there may still be other explanations that may resemble a DDoS attack. The Slashdot Effect occurs when a particular page on your site is featured on Slashdot Effect a very popular forum or blog. Your investigation must rule out such possibilities. Is there outbound connectivity? If not, then the attack is so severe that it is Outbound Connectivity as congesting all inbound and outbound traffic. Check with your usual diagnostic tools (traceroute, ping, dig, etc.), and rule out all such possibilities. Check the following Internet weather reports to determine if the attack is a Global Issue global issue: •Internet Health Report •Internet Traffic Report Attempt to access your application from an external network. Services that External Network can perform this kind of monitoring are: Access •Keynote Testing and Monitoring •GomezSM –Comprehensive Performance-Monitoring Tool from Compuware® •HP® SiteScope™ – Agentless monitoring •SolarWinds® NetFlow Traffic Analyzer •Down for everyone or just me? Check to see if DNS is responding for your website. The following UNIX command DNS Website Response resolves a name against the OpenDNS project server. % dig @208.67.222.222 yourdomain.co 8 WHITE PAPER F5 DDoS Playbook: A Procedural Survival Guide to Combating DDoS Attacks STEP 2–CONFIRM DDOS ATTACK Contact Team Leads Now it is time to contact the leads of the relevant teams. If you have not filled out “Worksheet 1: Contacts List” on page 21, fill it out now. When an outage occurs, your organization may hold a formal conference call including various operations and applications teams. If your organization has such a process, leverage the meeting to officially confirm the DDoS attack with team leads. Contact Your Bandwidth Service Provider One of the most important calls you can make is to the bandwidth service provider. They can likely confirm your attack, provide information about other customers who might be under attack, and sometimes offer remediation. Contact Your Fraud Team The number for your service provider should It is especially important to invoke the fraud team as soon as the attack is be listed in verified. DDoS attacks can be used as “cover” to hide an infiltration. Logs “Worksheet 1: that would normally show a penetration may get lost during a DDoS attack. Contacts List” on page 21. This is why using high-speed, off-box logging is so important. 9 WHITE PAPER F5 DDoS Playbook: A Procedural Survival Guide to Combating DDoS Attacks STEP 3–TRIAGE APPLICATIONS If you have not done this exercise yet, now is the time to triage your applications. When faced with an intense DDoS attack and limited resources, triage decisions have to be made. High-value assets typically generate high-value on-line revenue. These are the applications that you will want to keep alive. Ultimately, these are financial decisions–make them appropriately. Low-value applications, regardless of the level of legitimate traffic, should be purposefully disabled so that their CPU and network resources can be put to the aid of the higher-value applications. You may need the input of the team leads to do this. • Record your choices in “Worksheet 3: Triage Applications” on Worksheet 3 page 23 for future reference. takes only a few minutes to fill out, and will greatly assist you in combating • Decide which applications are low-priority and can be disabled (and an actual DDoS event. thus protected) during the attack.
Load more

Recommended publications
  • Implicit Structure and the Dynamics of Blogspace
    Implicit Structure and the Dynamics of Blogspace Eytan Adar Li Zhang Lada A. Adamic Rajan M. Lukose HP Information Dynamics Lab Abstract applications for finding the latest information very little attention has been paid to its spread. Weblogs link together in a complex structure through which new ideas and discourse can flow. Such a structure is ideal for In this paper, we study the pattern and dynamics of information the study of the propagation of information. In this paper we spreading in blogspace. We consider both the large scale describe general categories of information epidemics and create aspects of spreading patterns as well as how a specific, a tool to infer and visualize the paths specific infections take individual link may be tracked in blog networks. Our study is through the network. This inference is based in part on a novel enabled by the blog data that is crawled on a daily basis. In our utilization of data describing historical, repeating patterns of study, we will only track link information. While memes can infection. We conclude with a description of a new ranking take many forms, those addressed by URLs are by far the algorithm, iRank, for blogs. In contrast to traditional ranking simplest to track and disambiguate. For example, our system strategies, iRank acts on the implicit link structure to find those will track http://www.giantmicrobes.com instead of discussions blogs that initiate these epidemics. about the Giant Microbe toys, or images copied from the source site. General Terms With the triplets of (URL, blog, day of URL citation), we first Measurement, Experimentation, Algorithm characterize the spreading patterns of information.
    [Show full text]
  • Social Media Skills Dominique Jackson
    13 Must-Have Social Media Skills by Dominique Jackson on January 19, 2016 What are the ingredients of an ideal social media manager? If you were to ask this question 10 years ago, it would probably be a fairly short list. But as social media marketing evolved over the years with new technology and a wider audience, we’ve been able to see certain skills and traits that separate the top marketers from the rest. Learning and sharpening these skills can help propel your social media efforts into elite status, and avoid being one of the many brands that can’t seem to make any progress. Whether you’re looking to hire a new social media manager or simply want to improve your own strategy, focus on building up these 13 social media skills: 1. Community Management When you look at the top brands on social media, you’ll notice something they all have in common is a community aspect. Social media marketing is all about connecting with your audience. Once you’re able to build that connection and grow a community, your audience will start creating user generated content (UGC) and your reach will spread organically. Start by acknowledging your top sharers. These are the people who are consistently engaging with you and your content on social media. You can find this in the Sprout Social Trends report. Want to know what other pieces should be a part of your social team? We partnered with HubSpot to create a free guide on how to build a social media dream team from scratch, including some of the key positions you should fill.Download it here.
    [Show full text]
  • Flash Crowds in an Open CDN
    Going Viral: Flash Crowds in an Open CDN Patrick Wendell* Michael J. Freedman U.C. Berkeley Princeton University Berkeley, CA, USA Princeton, NJ, USA [email protected] [email protected] Abstract To insure themselves against the risk of a flash crowd, sites can outsource static content distribution to CDNs such as Akamai, which Handling flash crowds poses a difficult task for web services. Con- distribute traffic surges over a global network of content caches. This tent distribution networks (CDNs), hierarchical web caches, and strategy, however, does not generally address dynamically generated peer-to-peer networks have all been proposed as mechanisms for content, where CPU cycles are required to construct user-customized mitigating the effects of these sudden spikes in traffic to under- pages. To fill this gap, services are increasingly using cloud infras- provisioned origin sites. Other than a few anecdotal examples of tructure (such as Amazon EC2) to scale dynamic content creation isolated events to a single server, however, no large-scale analysis of in a similar fashion. Provisioning new resources in the cloud, while flash-crowd behavior has been published to date. not instantaneous, can be done orders-of-magnitude more quickly In this paper, we characterize and quantify the behavior of thou- than purchasing and installing new hardware. sands of flash crowds on CoralCDN, an open content distribution While flash crowds have long been used as anecdotal motivation network running at several hundred POPs. Our analysis considers for elastic-computing platforms, little research exists characteriz- over four years of CDN traffic, comprising more than 33 billion ing such events in an operational CDN.
    [Show full text]
  • Going Viral: Flash Crowds in an Open CDN IMC 2011 (Short Paper)
    Going Viral: Flash Crowds in an Open CDN IMC 2011 (Short Paper) Patrick Wendell, U.C. Berkeley Michael J. Freedman, Princeton University 1 What is a Flash Crowd? • “Slashdot Effect”, “Going Viral” • Exponential surge in request rate (precisely defined in paper) 2 Key Questions • What are primary drivers of flash crowds? • How effective is cache cooperation during crowds against CDNs? • How quickly do we need to provision resources to meet crowd traffic? 3 CoralCDN • Network of ~300 distributed caching proxies Origin Server HTTP Clients CoralCDN Proxies 4 CoralCDN • Network of ~300 distributed caching proxies 1. Local cache 2. Peer cache 3. Origin fetch Origin Server HTTP Clients CoralCDN Proxies 5 The Data • Complete CoralCDN trace over 4 years • 33 Billion HTTP requests • Per-request logging – <Time, URL, client IP, proxy IP, content cached?, ...> Finding Crowds Source Data 33 Billion HTTP Requests Crowd Detection 3,553 Crowds Pruning Misuse 2,501 Crowds 7 Crowd Sources 8 Common Referrers Referrer # Crowds digg.com 123 reddit.com 20 stumbleupon.com 15 google.com 11 facebook.com 10 dugmirror.com 8 duggback.com 4 twitter.com 4 9 Common Referrers Referrer # Crowds digg.com 123 reddit.com 20 stumbleupon.com 15 google.com 11 facebook.com 10 dugmirror.com 8 duggback.com 4 twitter.com 4 10 Common Referrers Referrer # Crowds digg.com 123 reddit.com 20 stumbleupon.com 15 google.com 11 facebook.com 10 dugmirror.com 8 duggback.com 4 twitter.com 4 11 Common Referrers Referrer # Crowds digg.com 123 reddit.com 20 stumbleupon.com 15 google.com 11 facebook.com 10 dugmirror.com 8 duggback.com 4 twitter.com 4 12 CDN Caching Strategies 13 Cooperation in Caching Greedy Caching Fully Cooperative Caching 14 Benefits of Cooperation? • Depends how clients distribute over proxies vs.
    [Show full text]
  • 2014 Sports and Entertainment Bee Round 3 1. the Slashdot Effect Is
    2014 Sports and Entertainment Bee Round 3 1. The SlashDot effect is sometimes known as an effect named after this website, and in 2013 some of its users garnered controversy for incorrectly identifying the bombers at the Boston Marathon. This website holds questionnaires with celebrities called “Ask Me Anything” and its mascot is an alien. Identify this website where users can “upvote” or “downvote” content. ANSWER: Reddit 2. One character in this novel mispronounces the name “Mary-Lou” which he sees printed on the side of a boat and later takes refuge on God’s Thumb. Featuring characters like Zigzag and X-Ray, a film adaptation of this book includes Tim Blake Nelson as Dr. Pendanski and Jon Voigt as Mr. Sir. Written by Louis Sachar, name this novel in which Stanley Yelnats must dig the title objects. ANSWER: Holes 3. In 2013, this football team lost its first Bowl game since 2008, falling 38-23 to Oregon St. in the Sheraton Hawai’i Bowl. This lost came less than three weeks after the program’s all-time-winningest coach departed after eight seasons and 92 wins. On January 1, 2007, this team shocked a Big 12 power thanks in part to a touchdown pass thrown by Vinny Perretta, rather than quarterback Jared Zabransky. Name this team that upset Oklahoma in the 2007 Tostitos Fiesta Bowl. ANSWER: Boise St. Broncos 4. The Australian men’s team and Netherlands’ women’s team stood atop the first world rankings of 2014 for this sport, in which obstruction and raised ball are common fouls.
    [Show full text]
  • Linkbaiting Hooks
    Hook Combinations for Successful Linkbaiting Todd Malicoat PBS ‘08 Viral Distribution for Links -- (Linkbaiting) If it looks good, you’ll see it. If it sounds good, you’ll hear it. If it’s marketed right, you’ll buy it. BUT… if it’s REAL… You’ll FEEL it. Read the 95 Thesis – Cluetrain.com 1. Markets are conversations. 2. Markets consist of human beings, not demographic sectors. 3. Conversations among human beings sound human. 7. Hyperlinks subvert hierarchy. The self-perpetuating buzz/link/traffic/ $ snowball Some Linkbait WILL Bomb 2 Step Process 1. Target Distribution Channel Get people’s attention 2. Target (link markets)Webmasters Keep their attention Distribution Channels 1. Blogs 2. Email 3. Social Media 4. Other Sites 5. Traditional Media 6. Combinations of above The Link baiting Hooks •News hook •Contrary Hook •Attack Hook •Resource Hook •Humor Hook •Ego Hook •Incentive Hook •Picture/ Video Hook •Sex Hook Combining Hooks (the 1 + 2 punch) Combining Hooks (the 1 + 2 punch) Interviews = Ego Hook + Resource Hook Picture sites aka Work Wasters = Humor Hook + Picture Hook + Resource Hook (aggregation) •icanhascheezburger.com – LOL Catz •YTMND.com Picture sites aka Work Wasters = Humor Hook + Picture Hook + Resource Hook (aggregation) •icanhascheezburger.com – LOL Catz •YTMND.com Editorials = Attack or Contrary Hook + News Hook Awards = Resource + Incentive +Ego Hooks Email Forwards = Humor Hook + Picture Hook + Resource Hook (aggregation) Know Your Hooks and Combinations 1. Distribution Channel 2. Target Link Market Know which 1. Presell page links - types of links 2. Authority links you’re trying 3. Directory links 4. Run of site links to get with which 5.
    [Show full text]
  • An Extended Approach for Identifying and Resolving Privacy Conflicts in Social Media
    © 2018 JETIR May 2018, Volume 5, Issue 5 www.jetir.org (ISSN-2349-5162) An Extended Approach for Identifying and Resolving Privacy Conflicts in Social Media Zoya Erum1, S.Venkatramulu2 1Student, Master of Technology, KITS, Warangal 2Associate Professor, KITS, Warangal ABSTRACT Things shared through Social Media may influence more than one user's privacy for ex. photographs that delineate various users, remarks that mention numerous users, occasions in which various users are welcomed, and so forth. The absence of multi-party privacy administration support in current standard Social Media foundations makes users unfit to properly control to whom these things are all things considered shared or not. Computational instruments that can blend the privacy inclinations of different users into a solitary arrangement for a thing can help tackle this issue. Be that as it may, consolidating various users' privacy inclinations isn't a simple undertaking, since privacy inclinations may conflict, so techniques to determine conflicts are required. Moreover, these techniques need to consider how users' would as a matter of fact achieve an understanding about a solution to the conflict in order to propose solutions that can be adequate by the greater part of the users influenced by the thing to be shared. Current methodologies are either excessively demanding or only consider settled methods for conglomerating privacy inclinations. In this paper, we propose the primary computational component to determine conflicts for privacy administration in Social Media that can adjust to various situations by demonstrating the concessions that users make to achieve a solution to the conflicts.We likewise display consequences of a user consider in which our proposed instrument outperformed other existing methodologies as far as how often each approach coordinated users' behavior.
    [Show full text]
  • Predicting Network Response Times Using Social Information
    Predicting Network Response Times Using Social Information Chen Liang, Sharath Hiremagalore, Angelos Stavrou and Huzefa Rangwala Center for Secure Information Systems George Mason University, Fairfax, VA 22030 +1-(703)-993-3772, +1-(703)-993-4776 (fax) {cliang1,shiremag,astavrou,hrangwal}@gmu.edu Abstract—Social networks and discussion boards have the services provided by the website. But how prevalent become a significant outlet where people communicate and is this “Flash Crowd” phenomenon? express their opinion freely. Although the social networks themselves are usually well-provisioned, the participating We show that a large portion of the websites that be- users frequently point to external links to substantiate their come popular through stories on public discussion boards discussions. Unfortunately, the sudden heavy traffic load suffer from the flash crowd phenomenon. These websites imposed on the external, linked web sites causes them to exhibit high latency and response time variation as they become unresponsive leading to the “Flash Crowds” effect. increasingly become popular. To support our hypothesis, In this paper, we quantify the prevalence of flash crowd we measured periodically and over a large period of time events for a popular social discussion board (Digg). We mea- sured the response times of 1289 unique popular websites. the download times for all the external URLs that were We were able to verify that 89% of the popular URLs submitted to a social discussion board using many network suffered variations in their response times. By analyzing vantage points. We used PlanetLab, a distributed platform the content and structure of the social discussions, we were that provides servers located all over the globe.
    [Show full text]
  • Widening the Lens on Content Moderation
    American University Washington College of Law Digital Commons @ American University Washington College of Law Joint PIJIP/TLS Research Paper Series 7-2021 Widening the Lens on Content Moderation Jenna Ruddock Technology, Law & Security Program, [email protected] Justin Sherman Technology, Law & Security Program Follow this and additional works at: https://digitalcommons.wcl.american.edu/research Part of the Business Organizations Law Commons, Communications Law Commons, Computer Law Commons, Consumer Protection Law Commons, Internet Law Commons, Marketing Law Commons, and the National Security Law Commons Recommended Citation Ruddock, Jenna and Sherman, Justin, "Widening the Lens on Content Moderation" (2021). Joint PIJIP/TLS Research Paper Series. 69. https://digitalcommons.wcl.american.edu/research/69 This Article is brought to you for free and open access by the Program on Information Justice and Intellectual Property and Technology, Law, & Security Program at Digital Commons @ American University Washington College of Law. It has been accepted for inclusion in Joint PIJIP/TLS Research Paper Series by an authorized administrator of Digital Commons @ American University Washington College of Law. For more information, please contact [email protected]. Widening the Lens on Content Moderation Mapping the Ecosystem of Online Content Dissemination July 2021 AUTHORS: Jenna Ruddock, Senior Researcher Justin Sherman, Research Fellow PROJECT DIRECTOR: Gary Corn Tech, Law & Security Program American University Washington College
    [Show full text]
  • When the Audience Is the Producer: the Art of the Collaborative Weblog Lou Rutigliano April 2004
    When the Audience is the Producer: The Art of the Collaborative Weblog Lou Rutigliano April 2004 Introduction Web logs, the online daily journals that link to and comment on everything from pornography to the war in Iraq, are often compared by their boosters to the printing press and upheld as the salvation of democracy in general and journalism in particular. Millions produce them, millions read them, and the mainstream media is gradually incorporating them as the reputation of “weblogs” as a source of news rises in stature. A bilingual resident of Baghdad drew an audience to his weblog with his ruminations on everyday life before, during, and after the war in Iraq. A freelance Web correspondent raised enough money from his readers through his weblog to fund his independent coverage. Weblogs helped break the story that led Senate Majority Leader Trent Lott to resign from his post, and provided eyewitness, breaking accounts of the attacks on New York City on Sept. 11. In the few years since blogging software made it possible for almost anyone with access to a computer – regardless of technical ability – to set up a website on a shoestring budget, the medium has evolved beyond a fad. As the influence and usage of weblogs grows in the field of journalism, it becomes increasingly important to study the structure and content of this medium. This paper will explore an relatively unorthodox variation on the blogging concept – the group weblog. Weblogs have evolved significantly since their birth in 1999, and now encompass a variety of formats – from the individual-based structures that are already considered “traditional” to the more collaborative and open group-based structures, which rely on the contributions of thousands of members.
    [Show full text]
  • Exit from Hell? Reducing the Impact of Amplification Ddos Attacks
    Exit from Hell? Reducing the Impact of Amplification DDoS Attacks Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz, Ruhr-University Bochum https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/kuhrer This paper is included in the Proceedings of the 23rd USENIX Security Symposium. August 20–22, 2014 • San Diego, CA ISBN 978-1-931971-15-7 Open access to the Proceedings of the 23rd USENIX Security Symposium is sponsored by USENIX Exit from Hell? Reducing the Impact of Amplification DDoS Attacks Marc Kuhrer,¨ Thomas Hupperich, Christian Rossow, Thorsten Holz Horst Gortz¨ Institute for IT-Security, Ruhr-University Bochum Abstract However, the adversaries evolved and modern DDoS Amplification vulnerabilities in many UDP-based net- attacks typically employ so called amplification attacks, work protocols have been abused by miscreants to launch in which attackers abuse UDP-based network protocols Distributed Denial-of-Service (DDoS) attacks that ex- to launch DDoS attacks that exceed hundreds of Gbps ceed hundreds of Gbps in traffic volume. However, up in traffic volume [21, 22]. This is achieved via reflec- to now little is known about the nature of the amplifica- tive DDoS attacks [31] where an attacker does not di- tion sources and about countermeasures one can take to rectly send traffic to the victim, but sends spoofed net- remediate these vulnerable systems. Is there any hope in work packets to a large number of systems that reflect the mitigating the amplification problem? traffic to the victim (so called reflectors). Often, attackers In this paper, we aim to answer this question and tackle choose reflectors that send back responses that are signif- the problem from four different angles.
    [Show full text]
  • The Structure of Search Engine Law James Grimmelmann*
    GRIMMELMANN_FINAL.DOC 11/20/2007 2:46 PM The Structure of Search Engine Law James Grimmelmann* INTRODUCTION ........................................................................................... 3! I.! SEARCH ENGINE TECHNOLOGY AND BUSINESS ........................................... 6! A.! TECHNOLOGY ....................................................................................... 7! 1.! Indexing ....................................................................................... 7! 2.! Queries ......................................................................................... 8! 3.! Results .......................................................................................... 9! 4.! Content ...................................................................................... 11! B.! BUSINESS ............................................................................................ 11! II.! THE STRUCTURE OF SEARCH ENGINE LAW ............................................... 15! A.! USERS’ INTERESTS ............................................................................... 17! 1.! Query Privacy ............................................................................. 17! 2.! Unbiased Results ....................................................................... 20! B.! PROVIDERS’ INTERESTS ........................................................................ 24! 1.! Minimizing Costs ....................................................................... 24! 2.! Avoiding Unfair Competition .................................................
    [Show full text]