Petr Lasek, SE, RADWARE. May 2012


1 Petr Lasek, SE, RADWARE, May 2012

2 Agenda
- Understanding online business threats
- Introducing Radware Attack Mitigation System (AMS)
- AMS technology overview
- Emergency Response Team (ERT)
- AMS deployment
- Customer success
- Summary

3 Online Security Challenges and Threats

4 Security Threat Vectors
- Large-volume network flood attacks
- Network scan
- Intrusion
- Port scan
- SYN flood attack
- Low & Slow DoS attacks (e.g., Sockstress)
- Application vulnerability, malware
- High and slow application DoS attacks
- Web attacks: XSS, brute force
- Web attacks: SQL injection

5 Network and Data Security Attacks: From the News
Three cases from the news (figure). Cost of breach: $80M to recover the theft, reputation loss. Cost of attack: reputation loss, customer churn. Cost of attack: penalties to trading firms, authority investigation.

6 Multi-Vulnerability Attack Campaigns
Radware security incidents report 2011: more than 70% of the cases Radware reported in 2011 involved at least 3 attack vectors. Attackers use multi-vulnerability attack campaigns, making mitigation nearly impossible.
Vectors aimed at the business in the campaign diagram:
- Large-volume network flood attacks
- Network scan
- Large-volume SYN flood
- Connection DoS attacks
- Web application vulnerability scan
- Directed application DoS attack: Slowloris
- HTTP & HTTPS flood attacks
- Web application attack: SQL injection

7 Attackers Seek Blind Spots
Why are multi-vulnerability attacks so successful?
- Current security practices fail to mitigate attacks
- Organizations deploy point security solutions
- Lack of expertise to analyze emerging threats
Diagram: DoS protection and IPS each cover only part of the campaign (large-volume network flood attacks, large-volume SYN flood, connection DoS attacks, directed DoS attack: Slowloris, HTTP & HTTPS flood attacks); the rest reaches the business.

8 Mapping Security Protection Tools
Tools (DoS protection, behavioral analysis, IPS, IP reputation, WAF) mapped against the threat vectors of slide 4:
- Large-volume network flood attacks
- Network scan
- Intrusion
- Port scan
- SYN flood attack
- Low & Slow DoS attacks (e.g., Sockstress)
- Application vulnerability, malware
- High and slow application DoS attacks
- Web attacks: XSS, brute force
- Web attacks: SQL injection

9 Introducing Radware Attack Mitigation System

10 Radware Attack Mitigation System (AMS)

11 AMS Protection Set
- DoS Protection: prevent all types of network DDoS attacks
- Reputation Engine: financial fraud protection, anti-Trojan & phishing
- IPS: prevent application vulnerability exploits
- WAF: mitigate web application attacks, PCI compliance
- NBA: prevent application resource misuse, prevent zero-minute malware spread

12 OnDemand Switch: Designed for Attack Mitigation
- DoS Mitigation Engine: ASIC-based, prevents high-volume attacks, up to 12 million PPS of attack protection
- IPS & Reputation Engine: ASIC-based string match & regex engine, performs deep packet inspection
- NBA protections & WAF
- OnDemand Switch platform capacity up to 12 Gbps

13 The Competitive Advantage: Performance Under Attack
- DefensePro: 12 million PPS of attack traffic handled; multi-Gbps capacity for legitimate traffic; attack traffic does not impact legitimate traffic
- Other network security solutions: the multi-Gbps capacity is shared by legitimate traffic + attack, so the device handles attack traffic at the expense of legitimate traffic!

14 Radware Security Event Management (SEM)
- Correlated reports
- Trend analysis
- Compliance management
- Real-time monitoring
- Advanced alerts
- Forensics
- Integration with 3rd-party SEM

15 Radware AMS & ERT
Security Operations Center (SOC):
- Provides weekly and emergency signature updates
- Maintains on-going application vulnerability protection
Emergency Response Team (ERT):
- Provides 24x7 service for customers under attack
- Neutralizes DoS/DDoS attacks and malware outbreaks

16 Compliance and Standardization with AMS
Compliance reports: PCI DSS, FISMA, GLBA, HIPAA

17 Radware Intellectual Property
Eight patents secure Radware's Attack Mitigation Solution.

18 Radware AMS Portfolio
- DefensePro: anti-DoS, NBA, IPS, Reputation Engine
- AppWall: Web Application Firewall (WAF)
- APSolute Vision: Security Event Management (SEM)

19 Technology Overview

20 AMS Technologies
- Static signature protection
- Real-time signature protection
- Real-time feeds
- Negative & positive security models
- Adaptive policy creation

21 Network-based DoS Protections

22 Network-based DoS Protections
Real-time protections against:
- TCP SYN floods
- TCP SYN+ACK floods
- TCP FIN floods
- TCP RESET floods
- TCP out-of-state floods
- TCP fragment floods
- UDP floods
- ICMP floods
- IGMP floods
- Packet anomalies
- Known DoS tools
- Custom DoS signatures

23 Network Behavior Analysis & RT Signature Technology
Diagram: inbound traffic from the public network passes the detection engine (statistics and learning) before reaching the protected network; outbound traffic is the filtered traffic.
Mitigation optimization process (closed feedback):
1. Traffic mitigation starts when the detection engine reports Degree of Attack = High.
2. Statistics of the attack traffic characteristics are collected.
3. An initial filter is generated from the signature parameters, e.g. Packet ID AND Source IP AND Packet size AND TTL.
4. Real-time signatures are optimized by positive/negative feedback toward the narrowest filter that still blocks the attack; the blocking rules are updated over the learning time (up to X seconds).
5. The final filter stays in place until Degree of Attack = Low.
Signature parameters: source/destination IP address, source/destination port, packet size, packet ID, TTL (Time To Live), DNS query, TCP sequence number, and more (up to 20).

24 Decision Making - Attack Case
Diagram axes: X-axis abnormal protocol distribution [%]; Y-axis abnormal rate of packets; Z-axis attack degree. Areas: normal adapted area, suspicious area, attack area. Attack case: Attack Degree = 10 (Attack).

25 Flash Crowd Scenario
Adaptive detection engine: the rate parameter input is abnormal but the rate-invariant input parameter is normal, so the Degree of Attack (DoA) stays low and the traffic remains in the normal adapted area rather than the suspicious or attack area.

26 Mitigation Performance (DME)
Chart: flood packet rate (millions) versus legitimate HTTP traffic (Gbit/s).

27 Application-based DoS Protections

28 Application-based DoS Protections
Real-time protection against:
- Bot-originated and direct application attacks
- HTTP GET page floods
- HTTP POST floods
- HTTP uplink bandwidth consumption attacks
- DNS query floods (A, MX, PTR, ...)
Advanced behavioral application monitoring:
- HTTP servers real-time statistics and baselines
- DNS server real-time statistics and baselines

29 HTTP Mitigator

30 Behavioral Analysis & Real-Time Signatures
Diagram: inbound traffic from the public network enters the behavioral analysis inspection module, whose inputs are the network, the servers and the clients. Abnormal activity detection feeds real-time signature generation; the signature is optimized through closed feedback and removed when the attack is over; outbound traffic goes to the enterprise network.
Threats covered: DoS & DDoS, application-level threats, zero-minute malware propagation.

31 Standard Security Tools: HTTP Flood Example
Diagram: the attacker sends bot commands through an IRC server to HTTP bots (infected hosts), which misuse the service resources of public web servers over the Internet.
Static signatures approach:
- No solution for low-volume attacks, as the requests are legitimate
- Connection limit against high-volume attacks: agnostic to the attacked page, blocks legitimate traffic, high false positives

32 Real-Time Signatures: Accurate Mitigation
Case: HTTP page flood attack (same botnet diagram as slide 31).
- Behavioral pattern detection (1): based on probability analysis, identify which web page (or pages) has higher than normal hits.
- Behavioral pattern detection (2): identify abnormal user activity. For example, normal users download few pages per connection; abnormal users download many pages per connection.
- Real-time signature: block abnormal users' access to the specific page(s) under attack.

33 Real-Time Signatures: Resistance to False Positives
Case: flash crowd access by legitimate users.
- Behavioral pattern detection (1): based on probability analysis, identify which web page (or pages) has higher than normal hits.
- Behavioral pattern detection (2): no abnormal user activity detected.
- Result: attack not detected, no real-time signature is generated, no user is blocked.
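The two-pattern logic of slides 32 and 33 as an added example (not Radware or AppWall code): pattern (1) finds the page with abnormal hits, pattern (2) finds connections pulling many pages, and a signature is emitted only when both fire, so the flash crowd case yields none. Baseline shares, thresholds and the request samples are constructed assumptions.

```python
"""Added example, not Radware code: behavioral HTTP page-flood detection with the two
pattern checks of slides 32-33. Baselines, thresholds and samples are constructed."""
from collections import Counter

# Peacetime baseline (constructed): share of hits per page and pages per connection.
BASELINE_PAGE_SHARE = {"/": 0.50, "/login": 0.25, "/search": 0.25}
BASELINE_PAGES_PER_CONN = 3.0


def pages_with_abnormal_hits(requests, factor=3.0):
    """Pattern (1): pages whose share of all hits is `factor` times their baseline share.
    Pages unseen in peacetime get a small default share."""
    hits = Counter(r["page"] for r in requests)
    total = len(requests)
    return sorted(p for p, n in hits.items()
                  if n / total >= factor * BASELINE_PAGE_SHARE.get(p, 0.01))


def abnormal_connections(requests, factor=5.0):
    """Pattern (2): connections (src_ip, conn_id) downloading far more pages than a
    normal user does per connection."""
    per_conn = Counter((r["src_ip"], r["conn_id"]) for r in requests)
    return {c for c, n in per_conn.items() if n >= factor * BASELINE_PAGES_PER_CONN}


def realtime_signature(requests):
    """Both patterns must fire. The signature blocks only the abnormal sources and only
    on the attacked page(s); returns None when nothing should be generated."""
    pages = pages_with_abnormal_hits(requests)
    conns = abnormal_connections(requests)
    if not pages or not conns:
        return None
    return {"pages": pages, "block_sources": sorted({ip for ip, _ in conns})}


def apply_signature(sig, request):
    """Enforcement: drop a request only if it comes from a blocked source AND targets
    a page under attack; everything else passes."""
    return bool(sig) and request["src_ip"] in sig["block_sources"] and request["page"] in sig["pages"]


# Constructed request samples -------------------------------------------------
def _conn_requests(src_ip, conn_id, page, n):
    return [{"src_ip": src_ip, "conn_id": conn_id, "page": page} for _ in range(n)]


NORMAL = []  # 20 users, one connection each, 4 pages per connection
for _i in range(20):
    _ip = f"192.0.2.{_i}"
    NORMAL += (_conn_requests(_ip, 1, "/", 2) + _conn_requests(_ip, 1, "/login", 1)
               + _conn_requests(_ip, 1, "/search", 1))

BOT_IPS = [f"198.51.100.{i}" for i in range(1, 11)]
# Attack: 10 bots, 2 connections each, 40 hits on /search per connection, on top of normal users.
ATTACK = NORMAL + [r for ip in BOT_IPS for c in (1, 2) for r in _conn_requests(ip, c, "/search", 40)]
# Flash crowd: 200 new visitors each pull /about twice and / once in one connection.
FLASH_CROWD = NORMAL + [r for i in range(200)
                        for r in _conn_requests(f"203.0.113.{i}", 1, "/about", 2)
                        + _conn_requests(f"203.0.113.{i}", 1, "/", 1)]

if __name__ == "__main__":
    print("attack signature:", realtime_signature(ATTACK))
    print("flash crowd signature:", realtime_signature(FLASH_CROWD))
```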

34 Challenge/Response & Action Escalation System
Escalation flow (closed feedback & action escalation): attack detection -> real-time signature created -> light challenge actions (TCP challenge, 302 redirect challenge) -> strong challenge action (JavaScript challenge) -> selective rate-limit. Once the botnet is identified, suspicious sources are marked and blocked by the real-time signature.
Technologies: behavioral real-time signature technology, challenge/response technology, real-time signature blocking, closed feedback & action escalation.

35 AMS Protections: Unique Value Proposition
Escalation: attack detection, real-time signature, light challenge, strong challenge, selective rate-limit.
- Best security coverage: prevents all types of network and application attacks; complementing technologies fighting known and zero-day attacks; complete removal of non-browser rogue traffic
- Best user quality of experience (QoE): reaching the lowest false-positive rate in the industry; advanced capabilities are exposed only when needed
- Reduced cost of ownership: automatic real-time attack mitigation with no need for human intervention

36 DNS Mitigator

37 Behavioral DNS Application Monitoring
Chart: DNS QPS over time per query type (A, AAAA, MX, PTR, TEXT, other records) against a learned baseline per type (A, MX, PTR, AAAA baselines). Both rate analysis and DNS query distribution analysis are performed; each query type has associated threat vectors.

38 Behavioral DNS Decision Engine
Inputs: DNS QPS rate analysis and DNS query distribution analysis per query type (A, AAAA, MX, PTR, TEXT, other) against their baselines over time. A fuzzy logic inference system derives a Degree of Attack per DNS query type: normal, suspect or attack.

39 Challenge/Response & Action Escalation System (DNS)
Escalation flow (closed feedback & action escalation): attack detection -> real-time signature created -> DNS query challenge -> query rate limit -> collective query challenge -> collective query rate limit. The botnet is identified when suspicious traffic is detected per query type.
Scope: behavioral RT signature technology with RT signature protection per query type; collective scope protection per query type.

40 Service Cracking Behavioral Protections

41 Service Cracking Behavioral Protections
Real-time protections against information theft:
- HTTP servers: web vulnerability scans, brute force
- SIP servers (TCP & UDP): SIP spoofed floods, pre-SPIT activities, SIP scanning
- SMTP/IMAP/POP3, FTP, ...: application brute force, application scans

42 Application Behavior Analysis: Service Cracking - Web Vulnerability Scan Scenario
The attacker launches a scan tool against the web servers with requests such as HEAD / HTTP/1.0, GET /examples/ HTTP/1.0, GET /_vti_bin/shtml.exe HTTP/1.0, GET /scripts/admin.pl HTTP/1.0, GET /cgi/websendmail HTTP/1.0 and GET /cgi/textcounter HTTP/1.0; the servers answer with a mix of 200 OK and 404 Not Found.
Non-detectable by a standard signature-based IPS: all transactions are legitimate, and the attack volume is below the rate threshold.

43 Application Behavior Analysis: Service Cracking
Standard IPS approach: no signature protection, all requests are legal, and rate-limit thresholds give high false positives and require constant tuning.
Radware AMS approach: advanced behavioral analysis to eliminate false positives; automatic detection and prevention. A source generating error response codes at high frequency is blocked; a one-time error is not.
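The error-frequency idea of slides 42-43 as an added example (not Radware code) run over constructed web server access log lines: a scanner stays below any request-rate threshold yet is flagged because most of its answers in a window are 4xx, while a user with a single typo 404 is not. The log format, window and thresholds are assumptions.

```python
"""Added example, not Radware code: service-cracking / web-scan detection from the
frequency of error responses per source (slides 42-43). Log lines are constructed;
thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Common log format: ip ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def parse_line(line):
    """Parse one access log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status)}


def scan_sources(lines, window_s=60, min_errors=4, min_error_ratio=0.5):
    """Flag a source when, inside any sliding window of window_s seconds, its 4xx
    responses reach min_errors AND make up at least min_error_ratio of its requests.
    Request rate is never consulted, so a slow scan is still caught, and a busy
    legitimate user with an occasional 404 is not."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = recs[start:end + 1]
            errors = [r for r in window if 400 <= r["status"] < 500]
            if len(errors) >= min_errors and len(errors) / len(window) >= min_error_ratio:
                flagged[ip] = {"errors": len(errors), "requests": len(window),
                               "paths": sorted({r["path"] for r in errors})}
                break
    return flagged


# Constructed sample: one slow scanner (six requests over 40 s, four of them 404) and one
# ordinary visitor who mistypes a URL once.
SAMPLE_LOG = [
    '203.0.113.9 - - [01/May/2012:10:00:00 +0200] "HEAD / HTTP/1.0" 200 0',
    '192.0.2.10 - - [01/May/2012:10:00:05 +0200] "GET / HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/May/2012:10:00:08 +0200] "GET /examples/ HTTP/1.0" 200 1024',
    '192.0.2.10 - - [01/May/2012:10:00:12 +0200] "GET /about HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/May/2012:10:00:15 +0200] "GET /_vti_bin/shtml.exe HTTP/1.0" 404 312',
    '192.0.2.10 - - [01/May/2012:10:00:20 +0200] "GET /abuot HTTP/1.1" 404 312',
    '203.0.113.9 - - [01/May/2012:10:00:23 +0200] "GET /scripts/admin.pl HTTP/1.0" 404 312',
    '203.0.113.9 - - [01/May/2012:10:00:31 +0200] "GET /cgi/websendmail HTTP/1.0" 404 312',
    '192.0.2.10 - - [01/May/2012:10:00:33 +0200] "GET /about HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/May/2012:10:00:40 +0200] "GET /cgi/textcounter HTTP/1.0" 404 312',
    '192.0.2.10 - - [01/May/2012:10:00:45 +0200] "GET /contact HTTP/1.1" 200 1400',
]

if __name__ == "__main__":
    for ip, info in scan_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['errors']} errors in {info['requests']} requests, paths {info['paths']}")
```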

44 Network Scanning and Malware Propagation Protections

45 Source-based Behavioral Analysis
Behavioral real-time protection against zero-minute malware propagation and network scans:
- UDP spreading worms detection
- TCP spreading worms detection
- High and low rate network scans
- Scanning/spreading pattern identification
- Infected source identification

46 Source-based Analysis
Source behavior analysis: the connection behavioral score of each source is compared with the normal distribution (average, height and width) to find an abnormal distribution. Inputs to decision-making: port & IP, distribution width, distribution height, others. Decision-making yields a Degree of Attack (normal, suspect, attack); mitigation uses automatic RT signatures.

47 Mitigation: Source-based Real-Time Signature
Diagram of three analysis stages: intense malware activities, additional spreading activities, safe environment. Both the red and yellow objects represent the malware spreading activities; the red worms represent the more intense spreading activities; the green objects represent legitimate traffic.
After the first filter against a worm is implemented, the closed-feedback mechanism decides that the rest of the malware spreading activities may disturb the network operation. It adds additional prevention measures according to less intense criteria on top of the previous measure.
- Initial prevention measure (e.g., source IP -> port 135 (TCP))
- Optimization (e.g., source IP -> port 135 (TCP) OR port 445 (TCP))
- Optimization (e.g., (source IP -> port 135 (TCP) OR port 445 (TCP)) AND (packet size AND TTL AND ...))

48 IPS & Reputation Services

49 IPS & Radware's SOC Signatures
Protection against (signatures & Reputation Engine):
- Application vulnerabilities and exploits: web, mail, DNS, databases, VoIP
- OS vulnerabilities and exploits: Microsoft, Apple, Unix-based
- Network infrastructure vulnerabilities: switches, routers and other network elements
- Malware: worms, bots, Trojans and drop-points, spyware
- Anonymizers
- IPv6 attacks
- Protocol anomalies
Security Operation Center: leading vulnerability security research team; weekly and emergency signature updates.

50 Hello World
Screenshot: a custom signature named hello-world-smtp.

51 Hello World
Screenshot: custom signature hello-world-smtp, protocol TCP, service SMTP, text pattern "Hello World", case sensitive.

52 Radware's SOC & Security Specialists
Radware SOC has world recognition by the security industry and application vendors:
- SOC researchers and security specialists present their latest findings at industry events such as Black Hat and DEF CON.
- Radware SOC was the first to discover application vulnerabilities in the Apple iPhone Safari web browser, Firefox 3, the YATE IP telephony engine and more.

53 Reputation Engine: The Need and Solution
The need:
- Malicious web sites have a short life span and are created in a matter of hours
- Static signature protection, with periodic updates, doesn't keep pace
- Antivirus & spyware removal software cannot protect against pharming
- World-wide real-time research is the way to protect against such threats
- An anti-fraud / anti-Trojan service is a real differentiator for ISPs/MSSPs
RSA FraudAction:
- One of the most proven and trusted online threat solutions
- 24x7 command center which constantly analyzes world-wide traffic
- Widest phishing URL DB in the world today
- Takes preventive actions to remove malicious servers from the net
DefensePro service:
- Real-time updates of newly identified malicious points by RSA
- Protection against phishing, pharming and malware (fraud Trojan) attacks

54 Financial Fraud: Methods
Diagram: the attacker's web site installs malware on the victims.

55 Reputation Engine: Phishing Campaign
Diagram: the user clicks the phishing link in a phishing mail; the Trojan communicates to the malicious site / drop point over the Internet. Fraud activities are detected by the AFCC service, which feeds Radware; APSolute Vision (Insite) feeds DefensePro with a real-time signature.

56 URL Types and Their Protection
RSA feed type -> network footprint -> protection:
- HTTP + domain + path: GET /phishing.html HTTP/1.1, User-Agent: Firefox, Host: (domain), Accept: text/html -> advanced filter: PATH + Host (domain)
- HTTP + domain: GET /index.html HTTP/1.1, User-Agent: Firefox, Host: (domain), Accept: text/html -> basic filter: Host (domain) only
- HTTPS: TCP handshake, TLS negotiation, encrypted traffic -> blocking the website entirely: [1] translating the domain to an IP, [2] blocking that IP on port 443
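The three feed types of slide 56 turned into block decisions, as an added example that is not Radware or RSA code: an HTTP+domain+path entry needs both Host and path to match, an HTTP+domain entry needs only Host, and an HTTPS entry is enforced as an IP:443 block after resolving the domain. The feed entries, the request and the DNS mapping are constructed (.example names, no real resolver).

```python
"""Added example, not Radware/RSA code: mapping reputation feed entries of the three
URL types from slide 56 onto filters. Feed, request and DNS data are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class FeedEntry:
    url: str  # as delivered by the feed, e.g. "http://phish.example/phishing.html"

    @property
    def scheme(self):
        return urlsplit(self.url).scheme.lower()

    @property
    def host(self):
        return urlsplit(self.url).hostname.lower()

    @property
    def path(self):
        p = urlsplit(self.url).path
        return p if p not in ("", "/") else None  # assumption: bare domain carries no path

    def kind(self):
        if self.scheme == "https":
            return "https"
        return "http+domain+path" if self.path else "http+domain"


def parse_http_request(raw: bytes):
    """Extract method, request path and Host header from a plaintext HTTP/1.x request."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "").split(":")[0].lower()
    return {"method": method, "path": target, "host": host}


def http_filter_blocks(entry, request):
    """Basic filter: Host only. Advanced filter: Host AND path. HTTPS entries cannot be
    matched on cleartext fields at all."""
    if entry.kind() == "https" or request["host"] != entry.host:
        return False
    return entry.kind() == "http+domain" or request["path"] == entry.path


def https_block_rules(entry, resolve):
    """For HTTPS entries the path and Host are encrypted, so the site is blocked entirely:
    [1] translate the domain to its IP(s), [2] block those IPs on port 443."""
    if entry.kind() != "https":
        return []
    return [(ip, 443) for ip in resolve(entry.host)]


def first_blocking_entry(feed, request):
    """Return the URL of the first feed entry whose HTTP filter blocks the request, else None."""
    for entry in feed:
        if http_filter_blocks(entry, request):
            return entry.url
    return None


# Constructed feed, request and DNS mapping (reserved .example names, documentation IPs).
FEED = [FeedEntry("http://phish.example/phishing.html"),
        FeedEntry("http://bad.example"),
        FeedEntry("https://drop.example/")]
CONSTRUCTED_DNS = {"drop.example": ["192.0.2.44"]}


def resolve_constructed(host):
    """Stand-in for a DNS lookup; returns the constructed mapping only."""
    return CONSTRUCTED_DNS.get(host, [])


SAMPLE_REQUEST = (b"GET /phishing.html HTTP/1.1\r\nUser-Agent: Firefox\r\n"
                  b"Host: phish.example\r\nAccept: text/html\r\n\r\n")

if __name__ == "__main__":
    req = parse_http_request(SAMPLE_REQUEST)
    print("blocked by:", first_blocking_entry(FEED, req))
    print("https rules:", https_block_rules(FEED[2], resolve_constructed))
```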

57 SSL

58 AMS Encrypted Attacks Mitigation (Clear and SSL)
Engines: application cookie engines, L7 ASIC regex engine, TCP cookie engines, black & white lists; HTTP signature, packet anomalies, behavioral DoS. Attacks covered: traffic anomalies, floods, network-based DoS attacks, application-based DoS attacks (clear and SSL), directed application DoS attacks (clear and SSL). Alteon's SSL acceleration engine is the client-side termination point: traffic is encrypted toward the client and clear toward DefensePro and the protected servers.
Once an attack is detected, three main security actions are taken on each client that tries to connect to the protected server(s):
1. Encrypted SYN attack protection: DefensePro authenticates the source through a safe-reset cookie mechanism, verifying the validity of the source IP and its TCP/IP stack.
2. HTTP signature: DefensePro receives the decrypted 1st HTTP client request from the SSL engine and applies application-layer signatures. This is done in order to remove the directed HTTP DoS attacks that can only be mitigated by pre-defined or custom signatures.
3. Web cookie challenge: in case the client passes the HTTP filter check, DefensePro generates a web cookie challenge (302 or JS challenge) that is encrypted and returned to the client by the Alteon SSL engine. Client responses are decrypted and sent to DefensePro, which validates the response. A client that responds correctly is authenticated (application-level authentication) and forced to open a new connection directly to the protected server.

59 Policy Exceptions: Black & White Lists, Stateful ACL

60 Policy Exceptions
Policies are defined in the Network/Server Protection table per network segment or server. There are cases where you want to set exceptions for the network policies:
- An infected host generates attack traffic and you want to block all traffic from this host until it is disinfected
- A management station regularly polls hosts to validate their software version and thus creates semi-scanning activity
- A host on the Internet launches an attack on your network, but you do not want to block it permanently by a policy
- More
Policy exceptions can be set using the Black List and the White List.

61 Black List
The Black List comprises the traffic that the device always blocks without inspection. You use the Black List as policy exceptions for security policies.

62 Access Control List
The Access Control List (ACL) module is a stateful firewall, which enables you to configure up to 500 flexible and focused stateful access-control policies. You can modify and view active ACL policies. You can also manage and view ACL report summaries in Web Based Management. ACL now contains access-control behavior and all block actions previously handled in the BWM module. The relevant ACL configuration takes precedence over the Session Table Aging parameter. To operate correctly, ACL needs to know the direction of session packets.

63 Bandwidth Management

64 Why Use Bandwidth Management?
Managing your bandwidth prevents filling the link to capacity or overfilling the link, which may result in network congestion and poor performance. Tracking the bandwidth used by each application enables you to:
- Ensure a guaranteed bandwidth for certain applications
- Set limits on how much bandwidth each classified traffic pattern can utilize

65 Bandwidth Management Components

66 Counter Attacks

67 Radware's ERT Fights Back

68 Stage 1 - Simple Connection Level

69 LOIC/Mobile LOIC Setup (screenshot)

70 LOIC: attack traffic is dropped (screenshot)

71 Mobile LOIC: attack traffic is dropped (screenshot)

72 Mobile LOIC: attack traffic is dropped and the connection is reset (screenshot)

73 Stage 2 - Advanced Connection Level

74 IP Protocol Manipulations
TCP:
- Sequence no.: send a sequence no. above the window size, send an illegal sequence no.
- Ack no.: send an ack no. above/below the correct seq.
- Window: send window size = 0, send a small window size.
- Urgent pointer: send an urgent pointer with a very large/small number.
- Options: send TCP options with a long no-op option string.
UDP:
- Send a packet with data incompatible with the length
ICMP:
- Send ICMP Time Exceeded message
- Send ICMP Parameter Problem message
- Send ICMP Source Quench message
- Send ICMP Redirect with different destinations (try specifying the source as destination)
HTTP:
- Redirect to tar pit/source
- Elongated response

75 LOIC - Preliminary: attack traffic is dropped and a TCP zero window is sent to the source (screenshot)

76 Stage 3 - Integration within DP

77 Detection, Forensics and Integration
- Detection: THC SSL tool, Mobile LOIC tool, HTTP flood, SSL flood
- Forensics
- Attack: Action = Window Size 0; Action = Drop & Suspend
- Integration: Action = f(detection, forensics)

78 Summary

79 Summary: Counter Attacks
- Simple IP protocol operations can affect the attacker side and slow it down
- The same idea may be extended to more elaborate countermeasures
- Integration of forensics and deeper awareness of the attacker side can improve mitigation
- DP modules to cross-reference forensics and act accordingly

80 WAF

81 The Secret Sauce: Adaptive Policy Creation (1 of 3)
App mapping and threat analysis for Reservations.com, with risk analysis per application path:
- /config/, /admin/: SQL injection (spoof identity, steal user information, data tampering)
- /register/: CCN breach (information leakage)
- /hotels/, /info/: directory traversal (gain root access control)
- /reserve/: buffer overflow (unexpected application behavior, system crash, full system compromise)

82 The Secret Sauce: Adaptive Policy Creation (2 of 3)
App mapping, threat analysis and policy generation for Reservations.com:
- /config/, /admin/: SQL injection -> prevent access to sensitive app sections
- /register/: CCN breach -> mask CCN, SSN, etc. in responses (e.g. ***********9459)
- /hotels/, /info/: directory traversal -> traffic normalization & HTTP RFC validation
- /reserve/: buffer overflow -> parameter inspection

83 The Secret Sauce: Adaptive Policy Creation (3 of 3)
App mapping, threat analysis, policy generation and policy activation for Reservations.com (same paths and threats as before):
- Known vulnerability protections: optimization of negative rules for best accuracy (virtually zero false positives, short time to protect)
- Tailored application behavioral rules added for zero-day protection (best coverage)

84 The Secret Sauce: Unique Value Proposition
Stages: app mapping, threat analysis, policy generation, policy activation.
- Best security coverage: auto detection of potential threats (other WAFs require admin intervention and knowledge to protect)
- Lowest false positives: adaptive security protections optimized per application resource ("app-path") (other WAFs auto-generate global policies)
- Shortest time to protect: highly granular policy creation and activation ("app-path"); immediate policy modification upon application change (other WAFs wait upon global policy activation)
- Reduced cost of ownership: automatic real-time attack mitigation with no need for human intervention

85 Radware's SIEM

86 Radware Security Event Management (SIEM)
APSolute Vision: management and security reporting & compliance

87 Radware's Built-in SIEM Engine
Built-in SEM:
- Historical reporting engine
- Customizable dashboards
- Event correlation engine
- Advanced forensics reports
- Compliance reports
- Ticket workflow management
- 3rd-party event notifications
- Role/user based access control
- Works with all Radware's security modules

88 Radware's Built-in SEM Engine: Unified Reports
Threat analysis, target service, trend analysis

89 Radware's Built-in SEM Engine: Dashboards
Per-user dashboard

90 Radware's Built-in SEM Engine: Event Correlation
Event correlation rules by:
- Attack duration & time interval
- Managed devices
- Attack ID, attack type
- Destination IP
- Protected web application
- Event description
- Source IP
- Action
- Risk weight definition

91 Radware's Built-in SEM Engine: Customer Report
Per-customer scheduled reports & alarms:
- Scheduled security reports
- Scheduled forensics reports
- Event correlation & alarms

92 PCI Compliance Summary Report
Analysis info, PCI requirement, action plan

93 Emergency Response Team

94 Radware's SOC

95 Heads Up From SOC to Radware's RSM
We have been following the communications on various IRC channels used by the renowned Anonymous group. This is a heads up to let you know that is currently under DDOS attack by Anonymous. The attack is performed using the LOIC tool. Here is a screen shot of the tool connected to the hive mind mode: the attack is planned for 2/6/11 at 13:00 GMT+1 (France time). Target: Warner Music Group. Target: US Chamber of Commerce.

96 Counter Attack
"A counter-offensive is the term used by the military to describe large scale, usually strategic offensive operations by forces that had successfully halted an enemy's offensive, while occupying defensive positions. A counter-offensive is considered to be the most efficient means of forcing the attacker to abandon offensive plans." - Clausewitz

97 Radware's ERT Fights Back
1st step: AMS automatic defenses. 2nd step: ERT's counterattack. Diagram: the attackers are choked while the protected servers stay up.

98 Radware's ERT Fights Back
ERT has identified LOIC's weak point: an advanced discard action chokes the LOIC attack tool, and many attackers volunteer to quit. By discarding a single packet at a certain offset position in the TCP stream, the mitigation layer causes the attackers' machines to spend more than expected compute cycles managing more simultaneous connections. After about 10 minutes of this discard action, attackers complained in the Anonymous IRC channel about the tool slowing down their computers or LOIC crashing after a period of attack. Volunteers started to quit and the attack volume was significantly decreased.

99 Radware's ERT Fights Back: How Does It Work
Chart: congestion window [bytes] versus transmission time (0 sec, 1 sec, 2 sec) for a normal connection and an attack connection; data transmitted per connection.

100 Radware's ERT Fights Back: How Does It Work
Advanced packet discarding causes one connection to spread over more time. Chart: congestion window [bytes] versus transmission time (0 to 4 sec); the data is fragmented into smaller pieces after the 1st, 2nd, 3rd and 4th data packet discard, giving a long transmission time.

101 Testimonials
First testimonial (Istanbul police integrator): Hello ERT, We had an attack Monday night directly pointed to Istanbul Police web sites and Cyber Crime Division web sites, which is our customer (DefensePro, AppDirector, AppWall), to protest Anonymous arrestments in Turkey. We just watched the attacks and DefensePro easily eliminated the attacks. We didn't even see any latency during the attacks. Istanbul Police is thankful to us and to you. While most of the state websites get unresponsive during the attacks, they didn't feel anything. I really appreciate your partnership and dedication for supporting us. Thank you,
Second testimonial: Of all the sites these miscreants pointed their "weapons" at, XXX was the only revenue-generating service that was targeted, and the only one that stayed up. I just wanted to send a quick note privately to make sure you are all aware that the DefensePro has been a key hardware component, no, THE key hardware component keeping our site online. We couldn't have done it without Radware. My team has also asked me to make sure we recognize the huge contributions of Radware's ERT who was essentially part of our team 24x7 during these attacks. One of the toughest critics on our team put it like this: "This is a testament of them caring about their customers. They are in a business of making people happy in a crisis and they achieved it with flying colors." I am glad that we have Radware as part of our critical infrastructure. Truly a superior product!!

102 AMS Deployment & Control Options

103 Layered Security Needs
- Anti-DoS: volumetric attacks
- NBA, IPS: low & slow, stateful-based application attacks & intrusions
- WAF: directed web attacks
Diagram: DefensePro at the anti-DoS scrubbing center, the CI DC and the virtual DC; AppWall in front of the web applications.

104 Layered Security Deployment Options
Anti-DoS, NBA, IPS (DefensePro) and WAF (AppWall, WAF VA) across the anti-DoS scrubbing center, the CI DC and the virtual DC. Deployment options shown: inline, LOOP (local out-of-path), copy, out-of-path, bridge, T-proxy, ADC reverse proxy / cluster.

105 DP Local Out-of-Path (LOOP): Peacetime
A copy of the traffic is sent from the intelligent switch to DefensePro (LOOP) for learning & attack detection: network DoS, application DoS, network scanning & malware propagation, application scanning, service cracking. Production traffic flows directly to the datacenter.

106 DP Local Out-of-Path (LOOP): Attack Time
DefensePro issues a dynamic redirect command to the intelligent switch. Redirection is done per attack target only (IP, VLAN, L4 port, ...), so inline mitigation happens only under attack, while learning & attack detection continue on the copy (network DoS, application DoS, network scanning & malware propagation, application scanning, service cracking).


108 AppWall Cluster Deployment
Diagram: DefensePro, load balancer (AD / Alteon), switch, web servers, application servers, AppWall cluster.
ADC solution: traffic redirection of web application traffic only; high availability, health monitoring and scalability of AppWall.

109 Unified Situational Cloud Awareness
- Unified situational awareness
- Pro-active threat detection & mitigation
- Dynamic risk mitigation engine
- Log management
- Compliance
- ROI reports, reduced cost
Across the virtual DC, the CI DC and the anti-DoS scrubbing center.

110 Customer Success

111 Online Business Case: Reservation Site
"Pizza DDoS attack hits German sites": more than 100,000 botnet clients have been making mass page requests, targeting 31 German sites: pizza reservation sites such as pizza.de, real estate sites, travel reservation sites.
About the customer: large online travel site in Germany; offers low-cost flights, hotels and car rental deals.
AMS in action: customer fully protected against the Pizza Bot attacks!

112 Critical Infrastructure Customer Case
Business requirements: smooth and secure migration of its legacy voice infrastructure to pure VoIP technology; mobile service protection.
Why AMS? Network DDoS protection; SIP and DNS focused protections; mobile infrastructure protection; accurate detection and prevention.
About the customer: Austria's leading telco provider; 5.1 million mobile customers; 2.3 million fixed access lines; over 5 billion in yearly revenues (2010).

113 MSSP Customer Case
Business requirements: offer value-added DDoS protection for their hosted data center customers.
Why AMS? Best & proven coverage against all types of DDoS attacks; most accurate attack detection and mitigation; advanced reporting per customer.
About the customer: a major telecommunications provider in North America; over $15 billion revenue (2010).


115 Radware Security Expertise: ERT Cases (1 of 2)
Radware ERT helped the High Council for Telecommunications (TIB) achieve full protection against Anonymous attacks. The Anonymous group published a poster calling its fans to attack the Turkish government agency.
- Target: High Council for Telecommunications (TIB)
- When: June 9th (Thursday) 2011 at 6 PM
- Attack tool: Low Orbit Ion Cannon (LOIC)
- Type of attack: multi-vulnerability campaign (HTTP GET flood attack, TCP connection flood on port 80, SYN flood attack, UDP flood attack)

116 Radware Security Expertise: ERT Cases (2 of 2)
Radware ERT helped Istanbul police to achieve full protection against Anonymous attacks
Anonymous group attacks Istanbul police: revenge of the arrest
Target: Istanbul police site
When: June 13th 2011
Attack tool: Low Orbit Ion Canon (LOIC)
Type of attack - Multi-vulnerability campaign
"We just watched the attacks and DefensePro easily eliminated the attacks. We didn't even see any latency during the attacks. Istanbul Police is thankful to us and to you. While most of the state websites get unresponsive during the attacks, they didn't feel anything." (Istanbul police integrator)
Slide 116

117 Hong Kong Stock Exchange attacked: from the news
"Since the interruption, HKEx's Information Technology team has been working closely with local and overseas security experts to investigate the cause of the attack and restore normal service."
Slide 117

118 ERT case invoked
HKSE site was attacked on the morning of August 10th
Web site crashed due to the attack
Radware Hong Kong office immediately shipped an attack mitigation device on site
ERT opened a war room, performing: Attack analysis; Remote device configuration; 24x7 inspection
Slide 118

119 Analysis: Multi-vulnerability attack campaign
Attack / Impact / Equipment bottleneck:
UDP flood: equipment bottleneck (1)
SYN flood: consume TCP stack resources
TCP connection flood: consume TCP stack resources
HTTP page flood: consume Web application server resources
(1) Firewall crashed under the attack
Slide 119

120 Behavioral technology protects HKSE
Traffic monitoring - UDP
UDP flood attack detected
UDP flood attack mitigated by Behavioral DoS feature in seconds
Slide 120

121 TCP connection flood mitigation
Legitimate traffic monitoring
TCP connection flood detected and mitigated immediately
Slide 121
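The HKSE analysis on slides 119 to 121 describes a campaign of UDP flood, SYN flood, TCP connection flood and HTTP page flood, and a behavioral DoS feature that detects a flood against learned traffic behaviour. The Python below is an added illustration, not Radware code or the DefensePro algorithm: it learns a per-second baseline for each of those four vectors from constructed flow records taken during a quiet window, then declares an attack on a vector only when its rate stays above the learned threshold for two consecutive seconds, so that a single legitimate spike does not trigger mitigation. The record shape, traffic volumes, the 3x-mean / 6-sigma threshold and the 50 pkt/s floor are all assumptions made for the example.

```python
"""Behavioral DoS detection against a learned baseline (constructed example).

Not Radware code: learns per-second rates for four attack vectors from a quiet
learning window, then flags a vector whose rate stays above its threshold for
two consecutive seconds. Record format, volumes and thresholds are assumptions.
"""
import random
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

VECTORS = ("udp_flood", "syn_flood", "tcp_conn_flood", "http_flood")


@dataclass(frozen=True)
class Flow:
    """One exported flow record (assumed NetFlow-like shape, constructed)."""
    sec: int        # second in which the record was exported
    proto: str      # "UDP" or "TCP"
    flags: str      # TCP flags seen on the flow, "S" for a bare SYN
    new_conn: bool  # three-way handshake completed on this flow
    http_get: bool  # flow carried an HTTP GET for a page
    pkts: int       # packets counted in this record


def classify(flow):
    """Attack vectors this record contributes to (a record may feed several)."""
    hits = []
    if flow.proto == "UDP":
        hits.append("udp_flood")
    elif flow.proto == "TCP":
        if flow.flags == "S":
            hits.append("syn_flood")
        if flow.new_conn:
            hits.append("tcp_conn_flood")
        if flow.http_get:
            hits.append("http_flood")
    return hits


def per_second_rates(flows):
    """{vector: {second: packets}} aggregated over all records."""
    rates = {v: defaultdict(int) for v in VECTORS}
    for f in flows:
        for v in classify(f):
            rates[v][f.sec] += f.pkts
    return rates


def learn_baseline(rates, learn_secs):
    """Per-vector threshold well above the mean and spread of the quiet window."""
    thresholds = {}
    for v in VECTORS:
        samples = [rates[v].get(s, 0) for s in learn_secs]
        m, sd = mean(samples), pstdev(samples)
        # assumed floor of 50 pkt/s keeps a near-silent vector from alerting on noise
        thresholds[v] = max(3 * m, m + 6 * sd, 50)
    return thresholds


def detect(rates, thresholds, watch_secs, persist=2):
    """{vector: first second an attack is declared}; a lone one-second spike is ignored."""
    alerts, streak = {}, {v: 0 for v in VECTORS}
    for s in watch_secs:
        for v in VECTORS:
            if rates[v].get(s, 0) > thresholds[v]:
                streak[v] += 1
                if streak[v] >= persist and v not in alerts:
                    alerts[v] = s
            else:
                streak[v] = 0
    return alerts


def analyze(flows, learn_secs, watch_secs):
    """Learn on learn_secs, then watch watch_secs; returns the alert map."""
    rates = per_second_rates(flows)
    return detect(rates, learn_baseline(rates, learn_secs), watch_secs)


def constructed_traffic(seed=7):
    """Constructed records: 80 s of background traffic with a staged campaign in seconds 30-69."""
    rng = random.Random(seed)
    flows = []
    for sec in range(80):   # legitimate background, a few records per vector each second
        flows.append(Flow(sec, "UDP", "", False, False, rng.randint(15, 25)))
        flows.append(Flow(sec, "TCP", "S", False, False, rng.randint(25, 35)))
        flows.append(Flow(sec, "TCP", "A", True, False, rng.randint(25, 35)))
        flows.append(Flow(sec, "TCP", "PA", True, True, rng.randint(40, 60)))
    for sec in range(30, 40):   # UDP flood
        flows.append(Flow(sec, "UDP", "", False, False, 2000))
    for sec in range(40, 50):   # SYN flood: SYNs that never complete a handshake
        flows.append(Flow(sec, "TCP", "S", False, False, 1500))
    for sec in range(50, 60):   # TCP connection flood: completed handshakes, no requests
        flows.append(Flow(sec, "TCP", "A", True, False, 800))
    for sec in range(60, 70):   # HTTP page flood: completed connections carrying GETs
        flows.append(Flow(sec, "TCP", "PA", True, True, 600))
    return flows


if __name__ == "__main__":
    # learn on the quiet first 30 s, then watch the campaign and the recovery
    print(analyze(constructed_traffic(), range(0, 30), range(30, 80)))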

122 Summary

123 Summary: Radware AMS Differentiators Best security solution for online businesses: DoS protection Network behavioral analysis (NBA) Intrusion prevention (IPS) Reputation Engine service Web application firewall (WAF) Built-in SEM engine Emergency Response Team (ERT) 24x7 Service for immediate response Neutralize DoS/DDoS attacks and malware outbreaks Lowest CapEx & OpEx Multitude of security tools in a single solution Unified management and reporting Radware offers low product and maintenance cost, as compared with most competitors. Greg Young & John Pescatore, Gartner, December 2010 Slide 123

124 Summary Attackers deploy multi-vulnerability attack campaigns Organizations deploy point security solutions Attackers seek blind spots Radware offers Attack Mitigation System (AMS): The only solution that can defend against emerging cyber-attack campaigns No blind spots in perimeter security The only attack mitigation solution that keeps your business up! Online business protection Data center protection MSSP Slide 124

125 Thank You

Radware Attack Mitigation Solution (AMS) Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

Radware Attack Mitigation Solution (AMS) Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper Radware Attack Mitigation Solution (AMS) Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper Table of Contents Abstract...3 Understanding Online Business

More information

Radware s Attack Mitigation Solution On-line Business Protection

Radware s Attack Mitigation Solution On-line Business Protection Radware s Attack Mitigation Solution On-line Business Protection Table of Contents Attack Mitigation Layers of Defense... 3 Network-Based DDoS Protections... 3 Application Based DoS/DDoS Protection...

More information

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper Protecting DNS Critical Infrastructure Solution Overview Radware Attack Mitigation System (AMS) - Whitepaper Table of Contents Introduction...3 DNS DDoS Attacks are Growing and Evolving...3 Challenges

More information

Introducing Radware Attack Mitigation System. Presenter: Werner Thalmeier September 2013

Introducing Radware Attack Mitigation System. Presenter: Werner Thalmeier September 2013 Introducing Radware Attack Mitigation System Presenter: Werner Thalmeier September 2013 Agenda Introducing Radware (quick) Current Attacks Landscape Quick Outlook on Radware Attack Mitigation System (AMS)

More information

Data Centers Protection from DoS attacks. Trends and solutions. Michael Soukonnik, Radware Ltd michaels@radware.com Riga. Baltic IT&T. 21.04.

Data Centers Protection from DoS attacks. Trends and solutions. Michael Soukonnik, Radware Ltd michaels@radware.com Riga. Baltic IT&T. 21.04. Data Centers Protection from DoS attacks. Trends and solutions Michael Soukonnik, Radware Ltd michaels@radware.com Riga. Baltic IT&T. 21.04.2010 Cybercrime Trends Page 2 Types of DoS attacks and classical

More information

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper SHARE THIS WHITEPAPER Top Selection Criteria for an Anti-DDoS Solution Whitepaper Table of Contents Top Selection Criteria for an Anti-DDoS Solution...3 DDoS Attack Coverage...3 Mitigation Technology...4

More information

SHARE THIS WHITEPAPER

SHARE THIS WHITEPAPER Denial-of-Service (DoS) Secured Virtual Tenant Networks (VTN) Value-added DoS protection as a service for Software Defined Network (SDN) a solution paper by Radware & NEC Corporation of America Whitepaper

More information

Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015

Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015 Arrow ECS University 2015 Radware Hybrid Cloud WAF Service 9 Ottobre 2015 Get to Know Radware 2 Our Track Record Company Growth Over 10,000 Customers USD Millions 200.00 150.00 32% 144.1 16% 167.0 15%

More information

Protection against DDoS and WEB attacks. Michael Soukonnik Radware Ltd michaels@radware.com

Protection against DDoS and WEB attacks. Michael Soukonnik Radware Ltd michaels@radware.com Protection against DDoS and WEB attacks Michael Soukonnik Radware Ltd michaels@radware.com Landscape Ponemon Research 2012: Cyber security threats Cyber security threats according to risk mitigation priority

More information

Smart Network. Smart Business. APSolute Immunity with DefensePro Brochure

Smart Network. Smart Business. APSolute Immunity with DefensePro Brochure Smart Network. Smart Business. APSolute Immunity with DefensePro Brochure APSolute Immunity: Your Business Clear Choice for Proactive Network Security The Changing Threats Landscape: Non-Vulnerability

More information

Radware s Behavioral Server Cracking Protection

Radware s Behavioral Server Cracking Protection Radware s Behavioral Server Cracking Protection A DefensePro Whitepaper By Renaud Bidou Senior Security Specialist,Radware October 2007 www.radware.com Page - 2 - Table of Contents Abstract...3 Information

More information

Radware Solutions for NGDC

Radware Solutions for NGDC Radware Solutions for NGDC Ofir Hatsor, June 2011 Main Drivers for NGDC Eliminate Costs of Downtime Improve Customer Experience & Employee Productivity Cut Application Infrastructure Cost by 20-50% Enhance

More information

Attack Mitigation Solution. Technology Overview - Whitepaper

Attack Mitigation Solution. Technology Overview - Whitepaper Attack Mitigation Solution Technology Overview - Whitepaper Table of Contents Introduction...3 Market History...3 Recent Attack Trends...3 Technological Requirements of the Marketplace...4 Network-Based

More information

DDoS Mitigation Techniques

DDoS Mitigation Techniques DDoS Mitigation Techniques Ron Winward, ServerCentral CHI-NOG 03 06/14/14 Consistent Bottlenecks in DDoS Attacks 1. The server that is under attack 2. The firewall in front of the network 3. The internet

More information

NSFOCUS Web Application Firewall White Paper

NSFOCUS Web Application Firewall White Paper White Paper NSFOCUS Web Application Firewall White Paper By NSFOCUS White Paper - 2014 NSFOCUS NSFOCUS is the trademark of NSFOCUS Information Technology Co., Ltd. NSFOCUS enjoys all copyrights with respect

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

Introducing IBM s Advanced Threat Protection Platform

Introducing IBM s Advanced Threat Protection Platform Introducing IBM s Advanced Threat Protection Platform Introducing IBM s Extensible Approach to Threat Prevention Paul Kaspian Senior Product Marketing Manager IBM Security Systems 1 IBM NDA 2012 Only IBM

More information

Arbor s Solution for ISP

Arbor s Solution for ISP Arbor s Solution for ISP Recent Attack Cases DDoS is an Exploding & Evolving Trend More Attack Motivations Geopolitical Burma taken offline by DDOS attack Protests Extortion Visa, PayPal, and MasterCard

More information

TDC s perspective on DDoS threats

TDC s perspective on DDoS threats TDC s perspective on DDoS threats DDoS Dagen Stockholm March 2013 Lars Højberg, Technical Security Manager, TDC TDC in Sweden TDC in the Nordics 9 300 employees (2012) Turnover: 26,1 billion DKK (2012)

More information

SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper

SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper SHARE THIS WHITEPAPER On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper Table of Contents Overview... 3 Current Attacks Landscape: DDoS is Becoming Mainstream... 3 Attackers Launch

More information

SSL Inspection Step-by-Step Guide. June 6, 2016

SSL Inspection Step-by-Step Guide. June 6, 2016 SSL Inspection Step-by-Step Guide June 6, 2016 Key Drivers for Inspecting Outbound SSL Traffic Eliminate blind spots of SSL encrypted communication to/from the enterprise Maintaining information s communication

More information

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka Taxonomy of Botnet Threats Trend Micro Inc. Presented by Tushar Ranka Agenda Summary Background Taxonomy Attacking Behavior Command & Control Rallying Mechanisms Communication Protocols Evasion Techniques

More information

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

WEB APPLICATION FIREWALLS: DO WE NEED THEM? DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer info@fvc.com www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?

More information

Concierge SIEM Reporting Overview

Concierge SIEM Reporting Overview Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

Application Security Backgrounder

Application Security Backgrounder Essential Intrusion Prevention System (IPS) & DoS Protection Knowledge for IT Managers October 2006 North America Radware Inc. 575 Corporate Dr., Lobby 1 Mahwah, NJ 07430 Tel: (888) 234-5763 International

More information

FortiWeb 5.0, Web Application Firewall Course #251

FortiWeb 5.0, Web Application Firewall Course #251 FortiWeb 5.0, Web Application Firewall Course #251 Course Overview Through this 1-day instructor-led classroom or online virtual training, participants learn the basic configuration and administration

More information

Steps for Basic Configuration

Steps for Basic Configuration 1. This guide describes how to use the Unified Threat Management appliance (UTM) Basic Setup Wizard to configure the UTM for connection to your network. It also describes how to register the UTM with NETGEAR.

More information

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks r.gibala@f5.com

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks r.gibala@f5.com Web Application Security Radovan Gibala Senior Field Systems Engineer F5 Networks r.gibala@f5.com Security s Gaping Hole 64% of the 10 million security incidents tracked targeted port 80. Information Week

More information

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS INCONVENIENT STATISTICS 70% of ALL threats are at the Web application layer. Gartner 73% of organizations have been hacked in the past two

More information

On-Premises DDoS Mitigation for the Enterprise

On-Premises DDoS Mitigation for the Enterprise On-Premises DDoS Mitigation for the Enterprise FIRST LINE OF DEFENSE Pocket Guide The Challenge There is no doubt that cyber-attacks are growing in complexity and sophistication. As a result, a need has

More information

Attack Mitigation Solution

Attack Mitigation Solution Attack Mitigation Solution Technology Overview - Whitepaper Powered by Radware, Inc. SHARE THIS WHITEPAPER Table of Contents Understanding the Threat Landscape... 3 The Evolution of Attackers Motivation...

More information

SecurityDAM On-demand, Cloud-based DDoS Mitigation

SecurityDAM On-demand, Cloud-based DDoS Mitigation SecurityDAM On-demand, Cloud-based DDoS Mitigation Table of contents Introduction... 3 Why premise-based DDoS solutions are lacking... 3 The problem with ISP-based DDoS solutions... 4 On-demand cloud DDoS

More information

DDoS Protection Technology White Paper

DDoS Protection Technology White Paper DDoS Protection Technology White Paper Keywords: DDoS attack, DDoS protection, traffic learning, threshold adjustment, detection and protection Abstract: This white paper describes the classification of

More information

Multi-Layer Security for Multi-Layer Attacks. Preston Hogue Dir, Cloud and Security Marketing Architectures

Multi-Layer Security for Multi-Layer Attacks. Preston Hogue Dir, Cloud and Security Marketing Architectures Multi-Layer Security for Multi-Layer Attacks Preston Hogue Dir, Cloud and Security Marketing Architectures High-Performance Services Fabric Programmability Data Plane Control Plane Management Plane Virtual

More information

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect STOPPING LAYER 7 ATTACKS with F5 ASM Sven Müller Security Solution Architect Agenda Who is targeted How do Layer 7 attacks look like How to protect against Layer 7 attacks Building a security policy Layer

More information

Networking for Caribbean Development

Networking for Caribbean Development Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n

More information

BlackRidge Technology Transport Access Control: Overview

BlackRidge Technology Transport Access Control: Overview 2011 BlackRidge Technology Transport Access Control: Overview 1 Introduction Enterprises and government agencies are under repeated cyber attack. Attacks range in scope from distributed denial of service

More information

Complete Protection against Evolving DDoS Threats

Complete Protection against Evolving DDoS Threats Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls... 3 Intrusion

More information

How To Prevent Hacker Attacks With Network Behavior Analysis

How To Prevent Hacker Attacks With Network Behavior Analysis E-Guide Signature vs. anomaly-based behavior analysis News of successful network attacks has become so commonplace that they are almost no longer news. Hackers have broken into commercial sites to steal

More information

IBM Advanced Threat Protection Solution

IBM Advanced Threat Protection Solution IBM Advanced Threat Protection Solution Fabio Panada IBM Security Tech Sales Leader 1 Advanced Threats is one of today s key mega-trends Advanced Threats Sophisticated, targeted attacks designed to gain

More information

Network- vs. Host-based Intrusion Detection

Network- vs. Host-based Intrusion Detection Network- vs. Host-based Intrusion Detection A Guide to Intrusion Detection Technology 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free: 800.776.2362 Fax: 678.443.6477

More information

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding? Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against

More information

DefensePro Whitepaper Fighting Cybercrime: Rethinking Application Security By Ron Meyran

DefensePro Whitepaper Fighting Cybercrime: Rethinking Application Security By Ron Meyran DefensePro Whitepaper Fighting Cybercrime: Rethinking Application Security By Ron Meyran Table of Contents Introduction...3 The Changing Threat Landscape...3 Organized Crime...3 Botnets The Rise Of The

More information

COORDINATED THREAT CONTROL

COORDINATED THREAT CONTROL APPLICATION NOTE COORDINATED THREAT CONTROL Interoperability of Juniper Networks IDP Series Intrusion Detection and Prevention Appliances and SA Series SSL VPN Appliances Copyright 2010, Juniper Networks,

More information

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG) SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG) A RSACCESS WHITE PAPER 1 Microsoft Forefront Unified Access Gateway Overview 2 Safe-T RSAccess Secure Front-end Overview

More information

Why a Network-based Security Solution is Better than Using Point Solutions Architectures

Why a Network-based Security Solution is Better than Using Point Solutions Architectures Why a Network-based Security Solution is Better than Using Point Solutions Architectures In This Paper Many threats today rely on newly discovered vulnerabilities or exploits CPE-based solutions alone

More information

Protect Your Business and Customers from Online Fraud

Protect Your Business and Customers from Online Fraud DATASHEET Protect Your Business and Customers from Online Fraud What s Inside 2 WebSafe 5 F5 Global Services 5 More Information Online services allow your company to have a global presence and to conveniently

More information

First Line of Defense

First Line of Defense First Line of Defense SecureWatch ANALYTICS FIRST LINE OF DEFENSE OVERVIEW KEY BENEFITS Comprehensive Visibility Gain comprehensive visibility into DDoS attacks and cyber-threats with easily accessible

More information

Top 10 Anti-fraud Tips: The Cybersecurity Breach Aftermath

Top 10 Anti-fraud Tips: The Cybersecurity Breach Aftermath ebook Top 10 Anti-fraud Tips: The Cybersecurity Breach Aftermath Protecting against downstream fraud attacks in the wake of large-scale security breaches. Digital companies can no longer trust static login

More information

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix Cybercrime myths, challenges and how to protect our business Vladimir Kantchev Managing Partner Service Centrix Agenda Cybercrime today Sources and destinations of the attacks Breach techniques How to

More information

Metric Matters. Dain Perkins, CISSP Dain.Perkins@gmail.com

Metric Matters. Dain Perkins, CISSP Dain.Perkins@gmail.com Metric Matters Dain Perkins, CISSP Dain.Perkins@gmail.com My Perspective Information security metrics do not show us how we need to improve our defenses Image: http://abcnews.go.com/sports/2014-fifa-world-cup-us-goalie-tim-howard/story?id=24400295

More information

Monitor Network Activity

Monitor Network Activity Monitor Network Activity Panorama provides a comprehensive, graphical view of network traffic. Using the visibility tools on Panorama the Application Command Center (ACC), logs, and the report generation

More information

Defending Against Cyber Attacks with SessionLevel Network Security

Defending Against Cyber Attacks with SessionLevel Network Security Defending Against Cyber Attacks with SessionLevel Network Security May 2010 PAGE 1 PAGE 1 Executive Summary Threat actors are determinedly focused on the theft / exfiltration of protected or sensitive

More information

Manage the unexpected

Manage the unexpected Manage the unexpected Navigate risks and thrive Today s business world is threatened by a multitude of online security risks. But many organizations simply do not have the resources or expertise to combat

More information

Automated Mitigation of the Largest and Smartest DDoS Attacks

Automated Mitigation of the Largest and Smartest DDoS Attacks Datasheet Protection Automated Mitigation of the Largest and Smartest Attacks Incapsula secures websites against the largest and smartest types of attacks - including network, protocol and application

More information

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability

More information

VALIDATING DDoS THREAT PROTECTION

VALIDATING DDoS THREAT PROTECTION VALIDATING DDoS THREAT PROTECTION Ensure your DDoS Solution Works in Real-World Conditions WHITE PAPER Executive Summary This white paper is for security and networking professionals who are looking to

More information

FortiDDos Size isn t everything

FortiDDos Size isn t everything FortiDDos Size isn t everything Martijn Duijm Director Sales Engineering April - 2015 Copyright Fortinet Inc. All rights reserved. Agenda 1. DDoS In The News 2. Drawing the Demarcation Line - Does One

More information

The Cyber Threat Profiler

The Cyber Threat Profiler Whitepaper The Cyber Threat Profiler Good Intelligence is essential to efficient system protection INTRODUCTION As the world becomes more dependent on cyber connectivity, the volume of cyber attacks are

More information

Barracuda Intrusion Detection and Prevention System

Barracuda Intrusion Detection and Prevention System Providing complete and comprehensive real-time network protection Today s networks are constantly under attack by an ever growing number of emerging exploits and attackers using advanced evasion techniques

More information

Why a Web Application Firewall Makes Good Business Sense How to Stay Secure with AppWall Whitepaper

Why a Web Application Firewall Makes Good Business Sense How to Stay Secure with AppWall Whitepaper Why a Web Application Firewall Makes Good Business Sense How to Stay Secure with AppWall Whitepaper Table of Contents Introduction...3 Living on the Edge: Your Unprotected Business is at Risk...3 The World

More information

A Layperson s Guide To DoS Attacks

A Layperson s Guide To DoS Attacks A Layperson s Guide To DoS Attacks A Rackspace Whitepaper A Layperson s Guide to DoS Attacks Cover Table of Contents 1. Introduction 2 2. Background on DoS and DDoS Attacks 3 3. Types of DoS Attacks 4

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

Hillstone Intelligent Next Generation Firewall

Hillstone Intelligent Next Generation Firewall Hillstone Intelligent Next Generation Firewall Kris Nawani Solution Manager (Thailand) 12 th March 2015 1 About Hillstone Networks Founded 2006 by Netscreen visionaries World class team with security,

More information

Firewalls and Intrusion Detection

Firewalls and Intrusion Detection Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall

More information

The Hillstone and Trend Micro Joint Solution

The Hillstone and Trend Micro Joint Solution The Hillstone and Trend Micro Joint Solution Advanced Threat Defense Platform Overview Hillstone and Trend Micro offer a joint solution the Advanced Threat Defense Platform by integrating the industry

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0 Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual Document Version 1.0 Table of Contents 1 SWAF... 4 1.1 SWAF Features... 4 2 Operations and User Manual... 7 2.1 SWAF Administrator

More information

Application DDoS Mitigation

Application DDoS Mitigation Application DDoS Mitigation Revision A 2014, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Volumetric vs. Application Denial of Service Attacks... 3 Volumetric DoS Mitigation...

More information

Malicious Network Traffic Analysis

Malicious Network Traffic Analysis Malicious Network Traffic Analysis Uncover system intrusions by identifying malicious network activity. There are a tremendous amount of network based attacks to be aware of on the internet today and the

More information

Linux Network Security

Linux Network Security Linux Network Security Course ID SEC220 Course Description This extremely popular class focuses on network security, and makes an excellent companion class to the GL550: Host Security course. Protocols

More information

End-user Security Analytics Strengthens Protection with ArcSight

End-user Security Analytics Strengthens Protection with ArcSight Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security

More information

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc. TrusGuard DPX: Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls...

More information

DDoS Protection on the Security Gateway

DDoS Protection on the Security Gateway DDoS Protection on the Security Gateway Best Practices 24 August 2014 Protected 2014 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by

More information

First Line of Defense

First Line of Defense First Line of Defense SecureWatch ANALYTICS FIRST LINE OF DEFENSE OVERVIEW KEY BENEFITS Comprehensive Visibility Powerful web-based security analytics portal with easy-to-read security dashboards Proactive

More information

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained home Network Vulnerabilities Detail Report Grouped by Vulnerability Report Generated by: Symantec NetRecon 3.5 Licensed to: X Serial Number: 0182037567 Machine Scanned from: ZEUS (192.168.1.100) Scan Date:

More information

[Restricted] ONLY for designated groups and individuals. 2014 Check Point Software Technologies Ltd.

[Restricted] ONLY for designated groups and individuals. 2014 Check Point Software Technologies Ltd. [Restricted] ONLY for designated groups and individuals Contents 1 2 3 4 Industry Trends DDoS Attack Types Solutions to DDoS Attacks Summary 2 Cybercrime Landscape DNS Hijacking Malware 3% 3% Targeted

More information

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest DDoS Attacks: The Latest Threat to Availability Dr. Bill Highleyman Managing Editor Availability Digest The Anatomy of a DDoS Attack Sombers Associates, Inc. 2013 2 What is a Distributed Denial of Service

More information

JUNOS DDoS SECURE. Advanced DDoS Mitigation Technology

JUNOS DDoS SECURE. Advanced DDoS Mitigation Technology JUNOS DDoS SECURE Advanced DDoS Mitigation Technology Biography Nguyen Tien Duc ntduc@juniper.net, +84 903344505 Consulting Engineer- Viet Nam CISSP # 346725 CISA # 623462 2 Copyright 2013 Juniper Networks,

More information

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7 20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic

More information

NSFOCUS Web Application Firewall

NSFOCUS Web Application Firewall NSFOCUS Web Application Firewall 1 / 9 Overview Customer Benefits Mitigate Data Leakage Risk Ensure Availability and QoS of Websites Close the Gap for PCI DSS Compliance Collaborative Security The NSFOCUS

More information

Automated Mitigation of the Largest and Smartest DDoS Attacks

Datasheet. Incapsula secures websites against the largest and smartest types of attacks - including network, protocol and application

Description: Course Details:

Course: Malicious Network Traffic Analysis. Duration: 5 Day Hands-On Lab & Lecture Course. Price: $3,495.00. Description: There is a tremendous number of network-based attacks to be aware of on the internet

Content Scanning for secure transactions using Radware's SecureFlow and AppXcel together with Aladdin's eSafe Gateway

TESTING & INTEGRATION GROUP SOLUTION GUIDE. Contents: INTRODUCTION; RADWARE SECUREFLOW

CS 356 Lecture 16: Denial of Service. Spring 2013

Review. Chapter 1: Basic Concepts and Terminology; Chapter 2: Basic Cryptographic Tools; Chapter 3: User Authentication; Chapter 4: Access Control Lists; Chapter

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

SSL-VPN Combined With Network Security. Introducing: A popular feature of the SonicWALL Aventail SSL VPN appliances is called End Point Control (EPC). This allows the administrator to define specific criteria

Introduction of Intrusion Detection Systems

Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2nd ed. Chapter 5: Firewall Planning and Design

Learning Objectives: Identify common misconceptions about firewalls; Explain why a firewall

Availability Digest, www.availabilitydigest.com. Prolexic: a DDoS Mitigation Service Provider. April 2013

Prolexic (www.prolexic.com) is a firm that focuses solely on mitigating Distributed Denial of Service (DDoS) attacks. Headquartered

Protecting the Infrastructure: Symantec Web Gateway

Why Symantec for Web Security? Flexibility and Choice: best in class hosted service, appliance, and virtual appliance (upcoming) deployment options

Guidelines for Web applications protection with dedicated Web Application Firewall

Prepared by: dr inż. Mariusz Stawowski, CISSP; Bartosz Kryński, Imperva Certified Security Engineer. INTRODUCTION: Security

Managing Latency in IPS Networks

Application Note, Revision B. McAfee Network Security Platform. McAfee Network Security Platform provides you with a set of pre-defined recommended

locuz.com Professional Services: Security Audit Services

Today's Security Landscape. Today, over 80% of attacks against a company's network come at the Application Layer, not the Network or System layer.

INTRODUCTION TO FIREWALL SECURITY

SESSION 1 Agenda: Introduction to Firewalls; Types of Firewalls; Modes and Deployments; Key Features in a Firewall; Emerging Trends. What Is a Firewall. DMZ

Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall

A FORTINET WHITE PAPER, www.fortinet.com. Introduction: Denial of Service attacks are rapidly becoming a popular attack vector used

Next Generation Firewall

Product Overview: SANGFOR Next-Generation Firewall is designed with Application Control, Intrusion Prevention and Web Security in mind, providing deep and fine-grained visibility

Analyzing HTTP/HTTPS Traffic Logs

Advanced Threat Protection: Automatic Traffic Log Analysis. APTs, advanced malware and zero-day attacks are designed to evade conventional perimeter security defenses. Today, there is wide agreement that