The 300Gbps March DDoS attack

The subject of last week, still echoing around, could only be the internet war between the spam fighters at Spamhaus and the spam criminals, mainly hosted at CyberBunker. Huge loads of data were created and sent with one single objective: disrupt a company’s service.

CloudFlare, hired to protect Spamhaus, took a ride on the F.U.D. rollercoaster with a self-marketing “Damn! We Are Good!!” post.

They made every effort to explain how they are able to defend clients using cloud, multi-routing and anycast concepts, and how our connected lives were in danger during all those days.


The Attack – according to CloudFlare

One thing is certain: they really did manage to protect Spamhaus.

On the other hand, the “biggest attack in all internet history” only truly affected their client: not the Internet, not the Matrix, nor the City of Machines or all of existence, as their blog announced.

Gizmodo published one of the first “hold your horses” statements, with the other side of the story, on Thursday.

We also had Bill Brenner saying pretty much the same thing, one day later.

Having browsed the internet over South and North American networks during all those days without feeling a single problem, I couldn’t agree more with them.


The Attack – according to the rest of internet

In the end, what I really enjoyed was the amount of thoughts, tips, documents and incident response discussions that took place on forums.

I’ve been trying to gather all the valuable material derived from these debates and post it here as a future reference.

My intention is to concentrate the good information and guides I saw around, new or old but relevant to this kind of attack, covering monitoring, response, prevention, preparation and so on.

Basic Definitions:

Real-time info about problems:

Protection tools and configurations:

Incident Response preparation guides:

  • Societe Generale’s CSIRT Cheat Sheet
  • D/DoS Incident Response Plan/Runbook (docx format)
  • Radware ‘survival’ ‘handbook’ – OK, you can’t use it to survive, but it has good historical information and a sample IT admin diary of his first experience with a similar problem. Too bad he ends that experience suddenly.

Cybercrime Laws

This is a work in progress! If you have good reading on this subject to suggest, send me a comment!

Cisco Data Center security – the highlights

“Cisco TechWise TV – Data Center Security” highlights

http://www.cisco.com/web/learning/le21/onlineevts/offers/twtv/twtv120port/reg.html?PRIORITY_CODE=000143256

  • IPv6 – is the future
  • Cloud – is happening
  • Security must be enabled in every Cisco SW, HW and ASIC component (architecture)
  • Cisco’s security research budget is larger than CheckPoint + Juniper + HP

ASA 9.0

  • Cloud Security integration
  • TrustSec embedded – when you ‘enter’ you are tagged, and this tag stays with you once you reach the inner layers
  • ASA multiscale, multiplied in clusters.
  • A single appliance already reaches 40Gbps of firewall throughput and 10Gbps of IPS inspection.
  • High Availability is now session-based, not chassis-based anymore.

IPS 4510 / 4520

  • Signatures updated twice a week, plus reputation updates every 15 minutes from SIO
  • Cisco still views IPS as a bastion host

Multiple Form Factors for ASA

  • Blades (up to four blades per Catalyst 6500 chassis)
  • Appliances
  • Virtual (ASA 1000V supports vMotion)
  • 70% of Internet infrastructure is Cisco-based
  • Same base code for all ASAs

Cloud Web Security

  • Must follow the employee wherever he/she is.
  • Security must be invisible. If users realize it’s there, that’s not good for security teams.

Business class email security

  • Encrypts the message once it carries a confidential label, after passing the border.
  • Even if it was sent from an Android phone.

by RLM