Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall
A Fortinet White Paper
Introduction

Denial of Service attacks are rapidly becoming a popular attack vector for hackers and hacktivists. With the proliferation of botnets there has been a massive increase in Distributed Denial of Service (DDoS) attacks, and more and more organizations, not only large enterprises and service providers, are seeking a solution. One of the major DDoS attacks in 2011 targeted a gaming network and was carried out by the Anonymous hacktivist group. The attack camouflaged a data breach that resulted in the theft of over 77 million customer records from an online gaming portal. Several major credit card companies were also hit in 2011 with attacks that took down their web sites for several hours, in retaliation for their decision to cut off services to WikiLeaks. Other high-profile attacks hit a US government agency, a blog hosting site, a UK anti-crime site, and an Asian stock exchange.

FortiWeb Protection Against DoS/DDoS Attacks
  Multiple DoS/DDoS-specific protection policies
  Network and application layer protection
  Protects both HTTP and HTTPS protocols
  Sophisticated botnet challenge/response protection
  Geo IP analysis

Contributing to the popularity of DDoS attacks is the fact that many people support their use for various social and political reasons. Organizations are sometimes targeted because they are associated with a business, country, or policy that these activist groups find unacceptable. While the attackers do not necessarily gain financial profit from the attacks, the targeted organizations suffer lost revenue and damage to corporate brand and credibility. Ready-to-use botnets are available for hire for as little as $10 on the digital black market. Using forums and dedicated web sites, criminals advertise botnet availability and allow attackers to easily utilize a bot network and execute attacks. Protecting against DDoS attacks is crucial given the critical role web-based applications play in companies' revenue models. The availability of these applications is essential to maintaining business viability.
What is a DoS/DDoS Attack?

A DoS attack is the result of an attacker sending an abnormally large amount of network traffic to a target system. During a DoS attack, a server can be flooded with far more traffic than it can handle. This traffic flood slows down the server, effectively blocking legitimate users. The most common example of a DoS attack is a DDoS attack, in which an attacker directs a large number of computers to attempt apparently normal access of the target system using standard access methods. If enough access attempts are made, the server is overwhelmed and unable to service genuine users. The attacker does not gain access to the target system, but the target server is not accessible to anyone else.
Application DoS/DDoS Attacks

An application-layer DoS attack is an attack targeting the application service itself. Only a few years ago a DoS attack primarily targeted networks using low-level protocol attacks such as PING floods, Smurf and various worms; today's attacks target specific web applications in more sophisticated ways. Attackers use legitimate requests to overload the server. More sophisticated DoS attacks follow site reconnaissance to learn which request triggers the most CPU-intensive SQL query on the backend database. Other attacks try to exhaust server memory, force writes to hard disk, or exploit server-specific weaknesses.

[Figure: Anatomy of DDoS Attacks Using Botnets]

FortiWeb Protection Against DoS/DDoS Attacks
  SYN flood
  Botnets
  Application attacks
  LOIC
  HOIC
  HTTP GET/POST request flood
  Slowloris and other slow-based attacks
  Threshold-based attacks
  Custom attacks
  Geographic IP based attacks

A bot is a computer running malware that allows a remote attacker to control it in various malicious ways. Attackers use bots to send spam, distribute malware to other users, act as a proxy to conceal the real user's identity, and participate in mass distributed denial of service attacks. Often the bots reside on compromised systems, with innocent users unaware that their computer was compromised by a Trojan after they visited an infected web site or inadvertently ran a malware program. In DDoS attacks the compromised computers, controlled remotely by the attacker, are installed with a program that can generate a high rate of traffic. In most cases these programs can create different types of malicious or legitimate traffic that, when clustered together with hundreds or thousands of other computers, create a massive attack that overwhelms the target server.

FortiWeb Protection Against DoS/DDoS Attacks

Using a variety of protection techniques, FortiWeb can help protect organizations from DoS and DDoS attacks. FortiWeb uses both network and application layer protection mechanisms to identify requests from legitimate users and block attacks originating from clients associated with botnets. After identifying an attack, FortiWeb adds the malicious client IP to its blocked IP list and automatically denies access from that IP for a configurable period of time. FortiWeb does not need to inspect further requests from this source, thereby preserving resources.
The Next Challenge: Application Layer DDoS

Since DDoS attacks use botnets running dedicated malware to generate huge numbers of legitimate-looking connections and requests from each compromised computer, the only way to determine whether these requests come from valid users or infected machines is a challenge/response system. FortiWeb uses a configurable threshold mechanism to decide when a client is challenged for a response. If the client responds correctly to the challenge, FortiWeb allows that client access to the server. If it does not, FortiWeb concludes that this is a hijacked machine running an automated traffic-generating tool and blocks its IP immediately. For legitimate users the challenge/response process is completely transparent and does not affect their browsing experience.

Advanced Protection with FortiWeb Web Application Firewall

While DDoS attacks more commonly target web server and network availability, they often camouflage application server breach attempts (such as the one performed on the global gaming network described above). Protecting against these breaches requires additional protection mechanisms beyond the DDoS protection capabilities. By combining both Web Application Firewall and sophisticated DDoS protection capabilities in a single platform, the FortiWeb solution allows enterprises to protect against application-level attacks targeting the web application and web services infrastructure. Using advanced techniques to protect against SQL injection, cross-site scripting, and a range of other attacks, FortiWeb helps prevent identity theft, financial fraud and corporate espionage, which can result in significant damage. FortiWeb provides flexible and reliable protection against a wide range of attacks (such as those defined by the OWASP Top Ten) by utilizing a range of in-depth security modules and technologies. Sophisticated attacks are blocked using a multi-layered security approach. Incorporating a positive and a negative security module based on bi-directional traffic analysis, together with an embedded behavior-based anomaly detection engine, means FortiWeb can protect against a broad range of threats, all without the need for network re-architecture or application changes.
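The threshold-triggered challenge/response flow described above (rate threshold, challenge, correct answer allows, wrong or missing answer blocks the IP for a configurable period, blocked sources are not inspected further), modelled as an added example that is not FortiWeb code: the ChallengeGuard class, its HMAC-based challenge token and the parameter names are assumptions of this illustration, and the traffic in the usage is constructed.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

ALLOW, CHALLENGE, BLOCK = "allow", "challenge", "block"


class ChallengeGuard:
    """Threshold-triggered challenge/response with a timed block list (illustrative model)."""

    def __init__(self, threshold, window, block_seconds, key=None):
        self.threshold = threshold          # requests per window before a challenge is issued
        self.window = window                # sliding-window length in seconds
        self.block_seconds = block_seconds  # configurable time a failed client stays blocked
        self.key = key or secrets.token_bytes(16)  # secret used to mint challenge tokens
        self.history = defaultdict(deque)   # ip -> timestamps of recent requests
        self.challenged = set()             # ips that were sent a challenge and owe an answer
        self.verified = set()               # ips that answered correctly (real browsers)
        self.blocked = {}                   # ip -> time at which the block expires

    def challenge_token(self, ip):
        # Assumed challenge design: the value a browser computes/echoes from the challenge
        # page is an HMAC over the client address, so a bot that never runs the page cannot guess it.
        return hmac.new(self.key, ip.encode(), hashlib.sha256).hexdigest()[:16]

    def handle(self, ip, now, response=None):
        """Return the verdict for one request from `ip` arriving at time `now` (seconds)."""
        expires = self.blocked.get(ip)
        if expires is not None:
            if now < expires:
                return BLOCK            # blocked source: no further inspection
            del self.blocked[ip]        # block expired: the client starts fresh
            self.challenged.discard(ip)
        if ip in self.verified:
            return ALLOW
        if ip in self.challenged:       # the answer is due on the very next request
            if response is not None and hmac.compare_digest(response, self.challenge_token(ip)):
                self.verified.add(ip)
                return ALLOW
            self.blocked[ip] = now + self.block_seconds  # no/wrong answer: automated tool
            return BLOCK
        q = self.history[ip]            # sliding-window request count for this client
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) > self.threshold:     # above threshold: demand proof of a real client
            self.challenged.add(ip)
            return CHALLENGE
        return ALLOW
```

A browser that receives CHALLENGE retries with the token and is allowed from then on; a flood tool that keeps sending requests without answering is blocked on its next request and stays blocked until the timer expires.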
The FortiWeb Product Family

FortiWeb web application firewalls protect, balance, and accelerate your web applications, databases, and any information exchanged between them. Whether you are protecting applications delivered over a large enterprise, service provider, or cloud-based provider network, FortiWeb appliances will reduce deployment time and simplify security management.

Fortinet's FortiWeb has passed ICSA Web Application Firewall Certification. The latest model tested is the FortiWeb 1000C. ICSA Labs certification is evidence of FortiWeb's commitment to uphold the industry's highest security standards. Achieving this certification ensures that FortiWeb customers benefit from security industry best practices for all their web application needs.

FortiWeb is the only product that provides a Vulnerability Scanner module within the web application firewall, completing a comprehensive solution for PCI DSS requirement 6.6.
  Guarantees security of web applications and secures sensitive database content by blocking threats such as cross-site scripting, SQL injection, buffer overflows, file inclusion, denial of service, cookie poisoning, schema poisoning, and countless other attacks
  Aids in PCI DSS 6.6 compliance by protecting against OWASP Top 10 web application vulnerabilities
  Automatically and dynamically profiles user activity to create a baseline of allowed activity
  Application and network based Denial of Service (DoS) policies

FortiWeb Product Family: FortiWeb-400C, FortiWeb-1000C, FortiWeb-3000C, FortiWeb-4000C
  SSL encryption co-processing accelerates transaction times, offloads encryption functions and reduces web server processing requirements
  Server load balancing and content-based routing increase application speed, improve server resource utilization and stabilize applications
  Data compression allows efficient bandwidth utilization and improved response times
  Real-time data analysis provides an analytics interface that helps organizations analyze their web application usage from multiple vectors and maps requests to their geographic location

Conclusion: FortiWeb Web Application Firewall

Attacks on web applications are on the rise, ever changing and advancing in sophistication. Botnets are being used to send spam, distribute malware and, above all, participate in DDoS attacks that inflict huge damage on companies. FortiWeb web application firewall provides enterprises with the protection techniques required to stop these attacks. FortiWeb uses multiple protection layers incorporating both a negative and a positive security model, together with sophisticated DDoS protection techniques that help distinguish real users from malicious botnet activity. FortiWeb DDoS protection is an add-on module to its existing web application firewall. Fortinet also provides a standalone dedicated DDoS solution and DDoS capabilities in its FortiGate offering. See for more information.
AMERICAS HEADQUARTERS: 1090 Kifer Road, Sunnyvale, CA, United States
EMEA HEADQUARTERS: rue Albert Caquot, Sophia Antipolis, France
APAC HEADQUARTERS: Beach Road, The Concourse, Singapore

Copyright 2012 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Nothing herein should be considered a representation, guarantee, warranty or contractually binding provision.