Defense Against Rapidly Morphing DDOS

Presented at Black Hat USA 2019, Aug. 7, 2019, 5:05 p.m. (25 minutes)

<p>In June 2018 ProtonMail suffered rapidly morphing sustained DDOS attacks that included Syn Floods, TCP handshake violations, TCP Zero Sequence, ACK floods, NTP non-standard port floods, reflection attacks on SSDP, NTP, Chargen, LDAP and Memcache protocols[1].<br><br>We created an attack toolkit that mimics the ProtonMail attacks, and used it to study the efficacy of various defenses against an attack like ProtonMail suffered. We discovered that using standard techniques to fight off rapidly changing bursting attacks is near impossible for SOC operators, as speed of human action to understand the attack and apply well known mitigation is too slow. <br><br>We found that a combination of an unsupervised Machine Learning algorithm to determine a baseline, perform anomaly detection and mitigation, and another Machine Learning algorithm to tune the performance of the first, yielded the most effective defense. With this scheme in place, the SOC operator did not have to react at machine speed but simply monitored the findings and the actions of the machine.<br><br>References : <a href="https://protect-us.mimecast.com/s/sw0IC9rp25Hk4WB5xUoUheB?domain=protonmail.com" data-mce-href="https://protect-us.mimecast.com/s/sw0IC9rp25Hk4WB5xUoUheB?domain=protonmail.com">https://protonmail.com/blog/a-brief-update-regarding-ongoing-ddos-incidents/</a></p>

Presenters:

• Mudit Tyagi - Architect, Security Products, F5 Networks
  Mudit Tyagi is a Strategic Architect with the F5 Product Management team. He has 20 years of experience in Software Engineering and System Architecture design for delivery of secure applications for Financial and HealthCare services. In his current role at F5, Mudit advises CIOs and Enterprise Architects in the use of Cloud and Open Source Technologies, emerging trends such as Software Defined Networking, and modern API based application architectures utilizing microservices. He works with CISOs to evaluate strategies for delivering secure applications. Prior to F5, Mudit was the Founder and CEO of Confiserve, a secure application development firm focused on Financial Services and HealthCare. Mudit was also an early employee at various Networking and Security startup companies including Rapid City(BayNetworks), Nevis Networks(Qualys), Damballa Networks(Core Security), Inkra Networks(Cisco). He has Bachelor’s degrees in Physics and Electrical Engineering from Columbia University and a Masters in Computer Engineering from University of New Mexico.
• Mikhail Fedorov - Product Management Engineer, Security, F5 Networks
  Mikhail Fedorov is a security expert focused on researching DDOS attacks and effectiveness of available detection and mitigation techniques. In his previous project, Mikhail worked on crafting tools to perform penetration testing for evaluating WAF technologies. He has a Masters in Physics and a Bachelors in Information Technology, from Tomsk State University, and also has CCDA, CCNP, and CCNP Security certifications. Prior to working at F5, Mikhail designed and implemented secure application infrastructure as a consultant at Depo Electronics, a system integrator in Russia.

Links:

• https://www.blackhat.com/us-19/briefings/schedule/#defense-against-rapidly-morphing-ddos-16440
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2019/Defense Against Rapidly Morphing DDOS.mp4
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2019/Defense Against Rapidly Morphing DDOS.en.transcribed.srt (subtitles)
• https://www.youtube.com/watch?v=xCG9zA7fq40

Similar Presentations:

• Black Hat Asia 2021 Virtual / Threat Hunting in Active Directory Environment
• Still Hacking Anyway (SHA2017) / Parkour communications: How you can communicate, free running style, using nothing but the 'fixtures' of the Internet.
• ShellCon 2021 Virtual / Keynote - Advanced Application of Adversarial AI for Scenario Based Hacking