Data Centers Protection from DoS attacks. Trends and solutions. Michael Soukonnik, Radware Ltd Riga. Baltic IT&T

Transcription

1 Data Centers Protection from DoS attacks. Trends and solutions Michael Soukonnik, Radware Ltd Riga. Baltic IT&T

2 Cybercrime Trends Page 2

3 Types of DoS attacks and classical ways of mitigation DoS attacks Non-legitimate usage Of applications (DDoS) DoS attacking vulnerabilities Abnormal network behavior => Rate limiting Static Signatures (IPS) Slide 3

4 Hackers Change in Motivation Vandalism and publicity Hacktivism Financially motivated Attack Risk CodeRed (Defacing IIS web servers) 2001 Nimda (Installed Trojan) 2001 Blaster (Attacking Microsoft web site) 2003 Slammer (Attacking SQL websites) 2003 Agobot (DoS Botnet) Republican website DoS 2004 Storm (Botnet) 2007 Srizbi (Botnet) Rustock 2007 (Botnet) 2007 Estonia s Web Sites DoS 2007 Kracken (Botnet) 2008 Georgia Web sites DoS 2008 July 2009 Cyber Attacks US & Korea Time Slide Page 4 4

5 Cyber Crime Organizational Chart Criminal Boss Botnet Crimeware Operator Campaign Managers Flooder Spammer Data Theft Extortion Activism Phishing Stock Scams Advertisers Dump Resellers Slide Page 5 5

6 Data Center Security Trends Hackers motivation change From vandalism to financially-motivated Botnets are the main tool against businesses Organized crime manages cybercrime activities, targeting: Extortion of online businesses Financial fraud Emerging network attacks Attacks that misuse applications and services: Non-vulnerability based attacks Uses legitimate application services for malicious activity Each attack session behaves like a legitimate user transaction Cannot be detected through a static signature because the attack does not exploit a vulnerability in the application Examples: DDoS, HTTP page floods, brute force, application vulnerability scanning Slide Page 6 6

7 SPOF Resiliency Single Point Of Failure Res vs. Blend In Excellent Vacuum! P2P Botnets StormConficker D,E (2007) (2009) Turbot NG Botnets Is it possible? PathBot (2004) Karaken (2008) Conficker A,B,C (2008) Trin00 (1999) Early Botnets Agobot (2004) Black Energy 1.7 (2007) Rustock (2006) Twitter Botnet (2008) HTTP Botnets Poor Blending in common traffic Excellent Slide Page 7 7

8 Your IPS is Vulnerable Page 8

9 Zero-Minute Attacks Vulnerability-Based Threat Lifecycle Attack Spread Velocity & Risk Zero-minute Threats Newly discovered vulnerabilities - Signature does not exist. Another approach is required Known Threats Most accurate protection & reporting technology Old Attacks Threat Retired attacks which are removed from default signature profiles due to performance considerations Another approach is required Exposure period Signature Detection Technology Exposure period days 6-12 Months 2-4 Years Time Attack outbreak Vendor fix Very low and steady spread (*) Random Constant Spread (RCS) Model Slide Page 9 9

10 IPS Standard Feature Set Signature Detection Protects against known Application vulnerabilities Examples: Worms, Trojans, mail & web vulnerabilities, VoIP, etc. Periodic Signature Updates Against newly discovered vulnerabilities Internet Access Router IPS Firewall L2/L3 Switch Web Servers In-line Operation Overload Mechanism Against high load conditions Slide Page 10 10

11 Bot-enabled Attack Scenario Typical DDoS Flood Attack Scenario BOT Command Command & Control DoS Bot (Infected host) Attack Characteristics: High Packets-Per-Second (PPS) rate High Connections-Per-Second (CPS) rate Small packets DoS Bot (Infected host) Internet Attacker Public Server DoS Bot (Infected host) DoS Bot (Infected host) Legitimate User Slide Page 11 11

12 Why Your IPS is Vulnerable DDoS Traffic Max PPS Capacity [PPS] CPU CPU 10%-50% 100% Access Router Network Security IPS Device Firewall L2/L3 Switch Web Servers Your IPS is Vulnerable Any Botnet can paralyze your network protections! Max throughput capacity [Gbps] Slide Page 12 12

13 IPS Vulnerability Threat: Blocking Users IPS overload condition: Device DROPS packets randomly Increased latency Sessions blocked CPU 100% Access Router Network Security IPS Device Firewall L2/L3 Switch Web Servers Your IPS Blocks Users Slide Page 13 13

14 IPS Vulnerability Threats: No Network Protection I was told that the IPS overload mechanism will resolve cases of high volume traffic But now I understand it simply allows the flux in Data Center manager, SafeHosting.com Ltd. CPU CPU 10%-50% 100% Intrusion Access Router Network Security IPS Device Firewall L2/L3 Switch DDoS Server Cracking Web Servers IPS overload condition: Device falls into L2 BYPASS mode All traffic forwarded! Signature engine bypassed No network protection! Attacks evade into your network without inspection Slide Page 14 14

15 IPS Vulnerability Threat: Summary DDoS attacks threatens the on-line industry: ecommerce Government Critical infrastructure Existing IPS vendors force you to make compromises that are not acceptable When your network is under attack you need to choose between: Block legitimate users Dismantle your network protections Slide Page 15 15

16 Product Announcement APSolute Immunity with Booster Shot Page 16

17 Radware: The Smart Choice APSolute Immunity with Booster Shot Eliminate the compromises the IPS industry forces you to make when your network is under attack Slide Page 17 17

18 Introducing Radware DefensePro Radware DefensePro is a real-time Intrusion Prevention System (IPS) and DoS protection device that protects your application infrastructure against known attacks and emerging zero-minute and non-vulnerability network attacks that cannot be detected by static signature IPS using behavioral based real-time signatures Slide Page 18 18

19 DefensePro APSolute Immunity Client Behavioral Analysis Server Behavioral Analysis Network Behavioral Analysis APSolute Immunity Engine Vulnerability Research Center Automatic Real-time Signatures Static Signatures Protocol Anomaly & Rate Limit Protocol Anomaly & Rate Limit Real-time signature Within 18 sec! Slide Page 19 19

20 Next Generation DefensePro: IPS+DoS Architecture Standard IPS Solution ASIC-Based DoS Mitigator Engines Real-time signature injection APSolute Immunity with Booster Shot Real-time Signatures Engine (Multi CPU Cores) Real-time signature Static Signature Engine (DPI) APSolute Immunity booster: Prevent high volume attacks Up to 10 Million PPS of attack DefensePro On-Demand Switch 3: APSolute Immunity Up to 12Gbps of network Engines traffic inspection 4,000,000 concurrent sessions Latency < 100 micro seconds Slide Page 20 20

21 The Secret Sauce How The Engine Works Inbound Traffic Public Network Inputs - Network - Servers - Clients Real-Time Signature Behavioral Analysis Inspection Module Closed Feedback Abnormal Activity Detection Outbound Traffic Enterprise Network Real-Time Signature Generation Optimize Signature Remove when attack is over Slide Page 21 21

22 Standard Security Tools: HTTP Flood Example BOT Command Attacker Case: HTTP Page Flood Attack IRC Server Static Signatures HTTP Bot Approach (Infected host) - No solution for low-volume attacks as requests are legitimate - Connection limit against high volume attacks Agnostic to the attacked page Blocks legitimate traffic High false-positives HTTP Bot (Infected host) Internet Misuse of Service Resources HTTP Bot (Infected host) Public Web Servers HTTP Bot (Infected host) Slide Page 22 22

23 Real-Time Signatures: Accurate Mitigation Case: HTTP Page Flood Attack Behavioral Pattern Detection (1) IRC Server Based on probability HTTP Bot analysis identify which web page (Infected host) (or pages) has higher than normal hits BOT Command Real Time Signature: Block abnormal users access to the specific page(s) under attack Attacker HTTP Bot (Infected host) Behavioral Pattern Detection (2) Identify abnormal user activity For example: HTTP Bot (Infected host) HTTP Bot (Infected host) Internet - Normal users download few pages per connection - Abnormal users download many pages per connection Misuse of Service Resources Public Web Servers Slide Page 23 23

24 Real-Time Signatures: Resistance to False Positive Legitimate User Case: Flash Crowd Access Behavioral Pattern Detection (1) Based on probability analysis identify which web page (or pages) has higher than normal hits APSolute Immunity: Alert on abnormal Web hits No real time signature is generated No Legitimate user will Userbe blocked! Internet Behavioral Pattern Detection (2) No detection of abnormal user activity Legitimate User Public Web Servers Legitimate User Page 24 Slide 24

25 Thank You