�ݺ�ߣ

Frank Louwers - Security challenges in a hosting environment - 20131024
Frank Louwers
Openminds bvba
Co-founder en COO
Managed Hosting
frank@openminds.be

DDoS and how they changed

(D)DoS attacks are not new
Used to be targeted at:
•Competing game clans
•IRC servers
•Political parties

DDoS attack shift
•“Occupy movement”: a lot of attacks on banks
•Political parties
•“companies and organisations with negative press”
(Monsanto, Press-agency of the Belgian Catholic Church, ...)

Attacks we can’t explain
•Radio Stations?!
•Software development companies
•B2B online shops?

DDoS attacks: new tricks
•Ampliﬁcation attacks: attacker sends 2 Mbps stream,
gets multiplied by 20, results in 40 Mbps attack
•Now multiply by 100 bots, so 4Gbps attack
•Bad conﬁgured DNS servers
•DNSSec increases the problem

Protect against DDoS attacks
•UDP: yes, can be blocked by decent routers
•SYN ﬂood: difficult: compare to tickets at butcher
•Huge amount of bandwidth: impossible: 100000 cars on
road built for 100 cars (only option: remove roadsigns)

Protection by external ﬁrms
•Good ones: very very very expensive (but they work!)
•Cheaper ones: no “unlimited” protection
•2013: large number of new cheap players
•Some of them Russian and very cheap
•Would you pay the attacker to block the attack?

Conclusion: “the new normal”
•DDoS attacks are here to stay
•Invest in tools to detect the attack
•Invest in procedures: know how to respond
•Get to know the external players
•Insurance? Some insurance companies cover this

About that ﬁrewall...
Or why your ﬁrewall isn’t going to help much (in a hosting environment)

Traditional big ﬁrewall is useless
•Will not protect you against 99.5% of break-ins we see
•Bad code in CMS/Websites (> 98%)
•Stolen credentials (caused by spyware)
•Infected customer computers used as launchplatform
•Not ﬂexible enough (Cloud, scaling, ...)
•Unmaintainable, unupgradeable

We are under attack...
•All the time
•Every server
•Impossible to ﬁlter signal out of the noise
•Or at least very difficult

So what does work?
The Onion Model

Onion model
•Maintained website (ask for maintenance contract)
•written in the right mindset (“we will be attacked”)
•Small, efficient host-ﬁrewalls
•Try to detect anomalies
•Force secure credentials or 2-Factor Authentication
•Make customers aware of the problems, teach them ...
•Know what happens on the network

... and automate
•Human factor weakest link
•so take away human factor where possible
•Automate conﬁguration management:
•Less mistakes
•Quickly apply ﬁx to large # of servers

Hosting providers
and the law

Which laws?

Which laws apply?
•“Laws of country where the server is located, applies”
•“Laws of country where company HQ are, applies”
•But that’s not always the case!

Servers in Europe, US laws
•Amazon Ireland, Microsoft Azure Europe, Rackspace UK
•Are all American companies, or controlled by US entity
•So they must follow US law!
•PATRIOT Act
•(so FBI can get a copy of your data without a warrant)

Networks
•Almost all of the big networks are American
• So assume “they” can read everything you put on the wire
• So use good encryption or VPN links
•AMS-IX wanted to open US branch
• huge concerns by members!

Snowden and the NSA
•It has become clear the the NSA has access to a lot of data
•why is there no real outrage?
•Do we really think this is “normal”? Do we accept this?

Laws that change everything
Last proposal for “Internet tap”:
•coffee-bar next door that offers free WiFi
•forced to buy 25 000 € tap box
•to allow police to tap the “public network”

•Data-retention law:
•Vague, “details” (= entire law) to be ﬁlled in by RD
•Clearly targeted at the “small ﬁsh”
•Real criminal rents 30 euro dedicated service, no logs

•A lot of “Notice and Take Down” proposals:
•requires us as a hoster, to be a judge.
•We are not judges, and don’t want to be!
•Changes the intent of the current law completely!
•“mere conduit” vs “judge”

�ݺ�ߣ

BISC 2013: Hosting and security

More Related Content

BISC 2013: Hosting and security