This document discusses security challenges in hosting environments, including DDoS attacks and how they have evolved over time. It also addresses how laws and government surveillance programs can impact hosting providers. Some key points include:
- DDoS attacks are increasingly large in scale and use amplification techniques (reflecting traffic off badly configured DNS servers), making them difficult to defend against. Good external protection services work but are very expensive; cheaper ones do not offer unlimited protection.
- Traditional firewalls are ineffective against most of the break-ins a hoster sees, which exploit vulnerable code in websites and CMSes or use stolen credentials. The "onion model" of multiple small layers of security, plus automation, is recommended instead.
- Hosting servers located in one country may still be subject to laws and surveillance programs of the country where the hosting company is headquartered or network owner is based. This can allow governments
1. Frank Louwers - Security challenges in a hosting environment - 20131024
Frank Louwers
Openminds bvba
Co-founder and COO
Managed Hosting
frank@openminds.be
DDoS and how they changed
(D)DoS attacks are not new
Used to be targeted at:
•Competing game clans
•IRC servers
•Political parties
DDoS attack shift
•“Occupy movement”: a lot of attacks on banks
•Political parties
•“companies and organisations with negative press”
(Monsanto, Press-agency of the Belgian Catholic Church, ...)
Attacks we can’t explain
•Radio Stations?!
•Software development companies
•B2B online shops?
DDoS attacks: new tricks
•Amplification attacks: the attacker sends a 2 Mbps stream of spoofed requests,
the replies are 20 times larger, so a 40 Mbps stream hits the victim
•Now multiply by 100 bots: a 4 Gbps attack from 200 Mbps of attacker bandwidth
•Made possible by badly configured (open, recursive) DNS servers that answer anyone
•DNSSEC makes it worse: signed responses are larger, so the amplification factor goes up
Protect against DDoS attacks
•UDP floods: yes, can be blocked by decent routers
•SYN flood: difficult: compare it to the ticket dispenser at the butcher; everybody takes a number and walks away, so the queue fills with customers who never show up
•Huge amount of bandwidth: impossible to handle locally: 100 000 cars on a
road built for 100 cars (the only option is to remove the road signs, i.e. withdraw the route so the traffic no longer reaches you)
Protection by external firms
•Good ones: very very very expensive (but they work!)
•Cheaper ones: no “unlimited” protection
•2013: large number of new cheap players
•Some of them Russian and very cheap
•Would you pay the attacker to block the attack?
Conclusion: “the new normal”
•DDoS attacks are here to stay
•Invest in tools to detect the attack
•Invest in procedures: know how to respond
•Get to know the external players
•Insurance? Some insurance companies cover this
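The "invest in tools to detect the attack" advice, applied to the two attack shapes on the earlier slides (reflected UDP amplification and SYN floods), as an added example that is not part of the talk. It runs over flow records in a constructed one-line-per-flow format (field order, reflector port list and thresholds are all assumptions to be tuned per network); a real deployment would feed it NetFlow/sFlow from the edge routers.

```python
"""Flow-level detector for UDP amplification and SYN floods.

Added example, not the speaker's tooling. Record format (constructed):
    PROTO SRC:SPORT DST:DPORT PACKETS BYTES TCPFLAGS
"""
from collections import defaultdict

# Source ports of services commonly abused as reflectors (assumed starting list).
REFLECTOR_PORTS = {53, 123, 161, 1900}
AMPLIFICATION_RATIO = 10     # inbound bytes / bytes we sent to that service port
MIN_REFLECTORS = 20          # distinct reflector sources before we alert
SYN_ONLY_THRESHOLD = 500     # lone SYNs per (dst, port) in the window


def parse_flow(line):
    """Parse one constructed flow record into a dict."""
    proto, src, dst, pkts, nbytes, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"proto": proto, "src": sip, "sport": int(sport), "dst": dip,
            "dport": int(dport), "pkts": int(pkts), "bytes": int(nbytes),
            "flags": flags}


def detect(flows, our_prefix):
    """Return alert strings for traffic toward hosts in our_prefix.

    Amplification: replies from a reflector port arriving from many sources
    while the target sent (almost) nothing to that port: high byte ratio.
    SYN flood: many TCP flows to one port that consist of a lone SYN.
    (Prefix matching by string is a simplification for the example.)
    """
    inbound = defaultdict(lambda: {"bytes": 0, "srcs": set()})  # (dst, svc_port)
    outbound = defaultdict(int)                                 # (src, svc_port)
    syn_only = defaultdict(int)                                 # (dst, dport)
    for f in flows:
        to_us = f["dst"].startswith(our_prefix)
        from_us = f["src"].startswith(our_prefix)
        if to_us and f["proto"] == "UDP" and f["sport"] in REFLECTOR_PORTS:
            key = (f["dst"], f["sport"])
            inbound[key]["bytes"] += f["bytes"]
            inbound[key]["srcs"].add(f["src"])
        elif from_us and f["proto"] == "UDP" and f["dport"] in REFLECTOR_PORTS:
            outbound[(f["src"], f["dport"])] += f["bytes"]
        elif to_us and f["proto"] == "TCP" and f["flags"] == "S":
            syn_only[(f["dst"], f["dport"])] += 1

    alerts = []
    for (dst, port), agg in inbound.items():
        ratio = agg["bytes"] / max(outbound.get((dst, port), 0), 1)
        if ratio >= AMPLIFICATION_RATIO and len(agg["srcs"]) >= MIN_REFLECTORS:
            alerts.append(f"amplification: {dst} udp/{port} "
                          f"ratio={ratio:.0f} reflectors={len(agg['srcs'])}")
    for (dst, port), n in syn_only.items():
        if n >= SYN_ONLY_THRESHOLD:
            alerts.append(f"synflood: {dst} tcp/{port} half-open={n}")
    return alerts


def sample_flows():
    """Constructed sample: one legitimate DNS exchange, one reflection attack,
    one SYN flood, all against the 10.0.0.0/24 'hosting' prefix."""
    lines = ["UDP 10.0.0.5:40000 8.8.8.8:53 1 70 -",      # our resolver asks
             "UDP 8.8.8.8:53 10.0.0.5:40000 1 120 -"]     # modest answer
    for i in range(50):  # 50 open resolvers send 3000-byte answers nobody asked for
        lines.append(f"UDP 198.51.100.{i}:53 10.0.0.9:1234 2 3000 -")
    for i in range(600):  # 600 spoofed sources, one SYN each, never completing
        lines.append(f"TCP 203.0.113.{i % 250}:{20000 + i} 10.0.0.9:80 1 60 S")
    return [parse_flow(l) for l in lines]


if __name__ == "__main__":
    for alert in detect(sample_flows(), "10.0.0."):
        print(alert)
```

The legitimate exchange is not flagged because the target itself sent the query (ratio stays low) and only one source answered; the attack cases trip both the ratio and the distinct-source count, which is what distinguishes reflection from a single busy resolver.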
About that firewall...
Or why your firewall isn’t going to help much (in a hosting environment)
Traditional big firewall is useless
•Will not protect you against 99.5% of the break-ins we see:
•Vulnerable code in CMS/websites (> 98%)
•Stolen credentials (harvested by spyware on the customer's PC)
•Infected customer computers used as a launch platform
•Not flexible enough (cloud, scaling, ...)
•Unmaintainable, unupgradeable
We are under attack...
•All the time
•Every server
•Impossible to filter signal out of the noise
•Or at least very difficult
So what does work?
The Onion Model
Onion model
•A maintained website (ask for a maintenance contract)
•written in the right mindset (“we will be attacked”)
•Small, efficient host firewalls instead of one big perimeter box
•Try to detect anomalies
•Force secure credentials or 2-factor authentication
•Make customers aware of the problems, teach them ...
•Know what happens on the network
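The "force secure credentials or 2-factor authentication" layer, as an added example that is not code from the talk: a TOTP (RFC 6238) second factor for a hosting control panel, using only the Python standard library. The verifier accepts one time step of clock drift either side, compares in constant time, and refuses any code whose counter is not newer than the last accepted one, so a code sniffed from a spyware-infected customer PC cannot be replayed. Step size, digit count and window are the usual defaults and are stated as assumptions in the code.

```python
"""TOTP second factor (RFC 6238) with replay protection.

Added example, not the speaker's code. Standard library only.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30      # seconds per time step (assumed default)
DIGITS = 6     # code length (assumed default)
WINDOW = 1     # accepted clock drift, in steps, either side of now

# RFC 6238 / RFC 4226 reference secret, used below to check the implementation.
RFC6238_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def new_secret():
    """Random 160-bit secret, base32-encoded for the enrolment QR code."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def hotp(key, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret_b32, at=None):
    """Code for the time step containing `at` (seconds since epoch; default now)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(at if at is not None else time.time()) // STEP
    return hotp(key, counter)


class TotpVerifier:
    """Per-user verifier. `last_counter` must be persisted with the user
    record in a real system; here it lives in memory."""

    def __init__(self, secret_b32):
        self.key = base64.b32decode(secret_b32, casefold=True)
        self.last_counter = -1

    def verify(self, code, at=None):
        now = int(at if at is not None else time.time()) // STEP
        for counter in range(now - WINDOW, now + WINDOW + 1):
            if counter <= self.last_counter:
                continue  # same or older step than one already used: replay
            if hmac.compare_digest(hotp(self.key, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    s = new_secret()
    v = TotpVerifier(s)
    print("enrol secret:", s)
    print("current code:", totp(s), "accepted:", v.verify(totp(s)))
```

Rejecting counters at or below the last accepted one means a user who logs in twice within the same 30-second step is asked to wait for the next code; that is the intended trade-off, since otherwise the drift window doubles as a replay window.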
... and automate
•The human factor is the weakest link
•so take the human factor away where possible
•Automate configuration management:
•Fewer mistakes
•Quickly apply a fix to a large number of servers
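The "automate configuration management" point, as an added example that is not the speaker's tooling: an idempotent "ensure this directive" primitive of the kind every configuration-management system is built on, applied to a fleet of sshd_config files. Running it once fixes only the hosts that are wrong; running it again changes nothing, which is what makes pushing the same fix to hundreds of servers safe. The fleet contents are constructed, the transport (SSH or a CM agent) is left out, and the helper does not understand sshd's `Match` blocks, which is a stated limitation.

```python
"""Idempotent directive enforcement across a fleet of config files.

Added example, not the speaker's code. File contents are constructed.
"""
import re


def ensure_directive(content, key, value):
    """Return (new_content, changed).

    Guarantees exactly one `key value` line: the first existing line for
    `key`, commented out or not, is rewritten in place, later duplicates
    are dropped, and the directive is appended if it was absent.
    Limitation: does not handle sshd `Match` blocks.
    """
    pattern = re.compile(rf"^\s*#?\s*{re.escape(key)}\b.*$")
    wanted = f"{key} {value}"
    lines = content.splitlines()
    out, seen = [], False
    for line in lines:
        if pattern.match(line):
            if not seen:
                out.append(wanted)
                seen = True
            continue
        out.append(line)
    if not seen:
        out.append(wanted)
    changed = out != lines
    return "\n".join(out) + "\n", changed


def harden_fleet(fleet, fixes):
    """fleet: {host: config text}; fixes: [(key, value), ...].
    Returns {host: (new_text, changed)}. In production the read and write
    would go over SSH or a CM agent; here everything stays in memory."""
    report = {}
    for host, text in fleet.items():
        changed_any = False
        for key, value in fixes:
            text, changed = ensure_directive(text, key, value)
            changed_any = changed_any or changed
        report[host] = (text, changed_any)
    return report


# Constructed fleet: web1 still allows passwords and root login, web2 is fine.
FLEET = {
    "web1": "Port 22\n#PasswordAuthentication yes\nPermitRootLogin yes\n",
    "web2": "Port 22\nPasswordAuthentication no\nPermitRootLogin no\n",
}
FIXES = [("PasswordAuthentication", "no"), ("PermitRootLogin", "no")]


if __name__ == "__main__":
    for host, (_, changed) in harden_fleet(FLEET, FIXES).items():
        print(host, "changed" if changed else "already compliant")
```

The `changed` flag is what a push tool should log and alert on: a host that reports a change on every run is one where something else keeps rewriting the file, which is itself an anomaly worth investigating.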
Hosting providers
and the law
Which laws?
Which laws apply?
•“The laws of the country where the server is located apply”
•“The laws of the country where the company HQ is apply”
•But that’s not always the case!
Servers in Europe, US laws
•Amazon Ireland, Microsoft Azure Europe, Rackspace UK
•are all American companies, or controlled by a US entity
•So they must follow US law!
•PATRIOT Act
•(so the FBI can get a copy of your data without a warrant)
Networks
•Almost all of the big networks are American
• So assume “they” can read everything you put on the wire
• So use good encryption or VPN links between your sites
•AMS-IX wanted to open a US branch
• huge concerns among the members!
Snowden and the NSA
•It has become clear that the NSA has access to a lot of data
•Why is there no real outrage?
•Do we really think this is “normal”? Do we accept this?
Laws that change everything
Latest proposal for an “Internet tap”:
•the coffee bar next door that offers free WiFi
•would be forced to buy a 25 000 € tap box
•to allow the police to tap the “public network”
Laws that change everything
•Data-retention law:
•Vague; the “details” (= the entire law) are to be filled in later by Royal Decree (RD)
•Clearly targeted at the “small fish”
•The real criminal rents a 30 euro dedicated server elsewhere, no logs
Laws that change everything
•A lot of “Notice and Take Down” proposals:
•they require us, as a hoster, to be the judge of what is illegal
•We are not judges, and don’t want to be!
•This changes the intent of the current law completely:
•“mere conduit” vs “judge”