Protection against DDoS and WEB attacks
Michael Soukonnik, Radware Ltd, michaels@radware.com
Landscape
Ponemon Research 2012: cyber security threats ranked by risk mitigation priority (10 = highest priority, 1 = lowest priority). [Bar chart; threats shown: Denial of service (DoS), Server side injection, Distributed denial of service (DDoS), Viruses, worms and trojans, Malware, Botnets, Malicious insiders, Cross site scripting, Web scraping, Phishing and social engineering; scores range from 2.8 to 9.0.]
Attacks Have Become More Complex
[Chart: ERT cases by attack-vector complexity (5-6, 7-8, 9-10), 2011 vs 2012 vs 2013.]
Attacks are more complex: DoS/DDoS attacks have become more sophisticated, using more complex attack vectors. Note the number of attacks with a complexity level of 7-10.
Botnet Evolution
"To subdue the enemy without fighting is the acme of skill."
Individual Servers (1998-2002): malicious software installed on hosts and servers (mostly located at Russian and east European universities), controlled by a single entity by direct communication. Examples: Trin00, TFN, Trinity.
Botnets (1998 - present): stealthy malicious software installed mostly on personal computers without the owner's consent; controlled by a single entity through indirect channels (IRC, HTTP). Examples: Agobot, DirtJumper, Zemra.
Voluntary Botnets (2010 - present): many users, at times as part of a hacktivist group, willingly share their personal computers, using predetermined and publicly available attack tools and methods, with an optional remote control channel. Examples: LOIC, HOIC.
New Server-based Botnets (2012): powerful, well orchestrated attacks using a geographically spread server infrastructure. A few attacking servers generate the same impact as hundreds of clients.
DDoS from Russia: just business
It is cheap! Current prices on the Russian underground market:
- Hacking corporate mailbox: $500
- Winlocker ransomware: $10-$20
- Unintelligent exploit bundle: $25
- Intelligent exploit bundle: $10-$3,000
- Basic crypter (for inserting rogue code into a benign file): $10-$30
- SOCKS bot (to get around firewalls): $100
- Hiring a DDoS attack: $30-$70 / day, $1,200 / month
- Botnet: $200 for 2,000 bots
- DDoS botnet: $700
- ZeuS source code: $200-$250
- Windows rootkit (for installing malicious drivers): $292
- Hacking Facebook or Twitter account: $130
- Hacking Gmail account: $162
- Email spam: $10 per one million emails
- Email scam (using customer database): $50-$500 per one million emails
Lithuania: just weeks before the country took over the chairmanship of the EU (1.07.2013), a DDoS attack on a news website ended up disrupting the Internet for the entire country. New waves of the attack have come every few weeks against governmental and private sites, using 7-8 different attack vectors. In July a new DDoS protection system from Radware was installed and is protecting the sites, with coverage by the Emergency Response Team.
Russia: Anonymous Caucasus attacked all major banks (Central Bank, Sberbank, VTB, Alfa, Gazprombank) a month ago. The old-fashioned systems/services they used before that (IPS, IDS, DDoS, NG Firewalls, Kaspersky, etc.) were unable to stop the attacks.
US: Op Ababil. All major banks have been attacked in multiple waves by Iranian and Arab fundamentalists since 09/12, with 5-6 vectors per attack including TCP, UDP, HTTP and HTTPS floods, DNS amplification attacks, etc. The old-fashioned systems they used before that (IPS, IDS, DDoS, NG Firewalls, etc.) were unable to stop the attacks. Radware DDoS protection was installed in March, just before the 3rd wave of attack, and stopped the 3rd and 4th waves.
Attacks become more complex!
Attacks become longer!
More financially motivated attacks, but at the same time more politically motivated attacks on government and private organizations!
You never know if you are in the sights of a future attack!
Radware Attack Mitigation System (AMS)
Old-fashioned systems are vulnerable: Firewall and IPS (even NG) cannot stop DDoS!
Radware Confidential Jan 2012
To fight back you need: business mapping, security protection tools, an integrated solution with all security technologies, and the ability to mitigate attacks beyond the perimeter.
Attack vectors: UDP garbage flood on ports 80 and 443; ICMP flood attacks; SYN/TCP OOS flood attacks; server cracking attacks; SSL/TLS negotiation attacks; HTTP flood attack; HTTPS flood attack; web attacks: XSS, SQL injection, brute force.
Security protection tools: in-the-cloud DDoS protection; DoS protection; behavioral analysis; SSL protection; IPS; WAF.
Radware Attack Mitigation System (AMS)
Radware AMS Architecture
Volumetric DoS Protection; L3-7 Anomaly Detection; Application Firewall; IPS & Fraud Protection; Application Attacks; Web Application Protection & Reputation Engine.
Behavior protection mechanisms and static signatures: HW/SW specially developed to fight against all levels of attacks!
Radware AMS Portfolio
DefensePro: on demand, 200Mbps-40Gbps of legitimate traffic; Anti-DoS, NBA, IPS, Reputation Engine.
AppWall: appliance & VA; Web Application Firewall (WAF).
APSolute Vision: HW or VA; Security Event Management (SEM).
DefensePro Protection Layers (network, service, application)
HTTP Flood Protection; Server Cracking; Signature Protection; DNS Protection; Anti-Scan; Connection Limit; Connection PPS Limit; Behavioral DoS; SYN Protection; Out-Of-State; BL/WL.
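To make the "Connection PPS Limit" and "SYN Protection" layers listed above concrete, here is an added example (written for this page, not Radware's or DefensePro's own code) of a per-source sliding-window detector run over constructed packet records: it flags a source that exceeds a packets-per-second budget and a source that opens many SYNs without completing handshakes. The thresholds, sample addresses and flag encoding are assumptions for the illustration.

```python
from collections import defaultdict, deque

# Constructed sample records, not captured traffic: (time_s, source_ip, tcp_flags)
# "S" = SYN, "A" = ACK completing the handshake, "P" = data packet.
SAMPLE_PACKETS = (
    [(0.0, "198.51.100.7", "S"), (0.1, "198.51.100.7", "A"), (0.3, "198.51.100.7", "P")]
    + [(0.01 * i, "203.0.113.9", "S") for i in range(60)]   # 60 half-open SYNs, no ACKs
    + [(0.005 * i, "192.0.2.44", "P") for i in range(150)]  # 150 packets in 0.75 s
)


class PerSourceFloodDetector:
    """Sliding-window checks per source: a packet-rate limit and a SYN completion
    ratio. Thresholds are illustrative defaults chosen for this example."""

    def __init__(self, window_s=1.0, pps_limit=100, syn_min=20, completion_ratio=0.25):
        self.window_s = window_s
        self.pps_limit = pps_limit            # max packets per source per window
        self.syn_min = syn_min                # SYNs needed before the ratio check applies
        self.completion_ratio = completion_ratio  # ACKs expected per SYN from a real client
        self.history = defaultdict(deque)     # src -> deque of (time, flags) in window

    def observe(self, t, src, flags):
        """Record one packet (in time order) and return alerts raised for its source."""
        q = self.history[src]
        q.append((t, flags))
        while q and t - q[0][0] > self.window_s:   # drop packets older than the window
            q.popleft()
        alerts = []
        if len(q) > self.pps_limit:
            alerts.append(("pps_limit", src, len(q)))
        syns = sum(1 for _, f in q if "S" in f)
        acks = sum(1 for _, f in q if "A" in f)
        if syns >= self.syn_min and acks < self.completion_ratio * syns:
            alerts.append(("syn_flood", src, syns))   # many SYNs, few completed handshakes
        return alerts


def run(packets, detector=None):
    """Feed records in timestamp order; return {source_ip: set(alert kinds)}."""
    det = detector or PerSourceFloodDetector()
    offenders = {}
    for t, src, flags in sorted(packets):
        for kind, who, _count in det.observe(t, src, flags):
            offenders.setdefault(who, set()).add(kind)
    return offenders


if __name__ == "__main__":
    print(run(SAMPLE_PACKETS))
```

A real mitigation layer would act on these alerts (for example by challenging or rate-limiting the flagged source) rather than only reporting them; the well-behaved host 198.51.100.7 raises nothing.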
US Banks Under Attack: AMS Deployment
[Diagram: Alteon, AppWall and DefensePro deployed in front of the application infrastructure.]
Mitigate all types of DDoS attacks; mitigate SSL attacks; mitigate web application exploits.
Customer Success - Leading the DDoS Protection Market
Top Account Wins in Every Segment
Online businesses; critical infrastructure; carrier/ISP; DDoS mitigation service; hosting; cloud scrubbers; carrier backbone.
Radware is THE leader in the DDoS protection market.
Our Customers Select AMS
Financial services; retail services; government, healthcare & education; carrier & technology services.
We Protect Against the Top Attack Campaigns
Radware AMS: Application SLA Assurance, Even Under Attack!