Customer Cases. Andreas Nordenadler, Sales Manager


CERT-XX Attacks: May 19th and onward

AGENDA
- Motivation
- Attack Campaign Timeline
- Attack Vectors
- Summary

Motivation

Operation OpXX
- May 3rd 2012: Department of Telecom XX publicly orders all ISPs to block access to file sharing sites like Vimeo, The Pirate Bay, Torrentz etc.
- Anonymous XX and other hacktivists, being against any internet censorship, react immediately.
- Multiple DoS/DDoS attacks against XX Government sites: Supreme Court, All XX Congress Committee and more. (Slide 6)

CERT-XX is targeted
- Newspaper XX publishes that CERT-XX is mandated to write reports on the attacks.
- May 19th: Anonymous targets CERT-XX and starts a three-day attack campaign.
- CERT-XX, Computer Emergency Response Team XX, is the national nodal agency for responding to computer security incidents as and when they occur. (Slide 7)

Attack Timeline

Thursday May 17th - before the attacks (Day 0)
- 12:00: Department of Telecom orders ISPs to block file sharing. Supreme Court, All XX Congress Committee and others were hit by a DDoS attack.
- 16:00: Preliminary contact is made by Radware XX engineers with CERT with respect to this threat; Radware XX initiates contact with CERT-XX. (Slide 9)

Saturday May 19th - Day 1: Attack begins and causes outage
- 10:00: CERT-XX website is taken down by Anonymous. The site is down for 4½ hours.
- 14:30: CERT-XX contacts Radware XX personnel.
- 16:15: Radware XX engineers arrive on site.
- 20:00: ERT receives first heads-up.
- ERT invoked, DP mitigates the attack: the existing DefensePro AS4 4.X on the CERT-XX site mitigates the HTTP flood and TCP-REST attack successfully.
- Radware XX installs a new DefensePro ODS2 device at the ISP to protect the pipe, the main reason for the downtime.
- 22:00: ERT connects to the device, configures it and mitigates the attack. (Slide 10)

Sunday May 20th - Day 2
- 10:00-17:00: Attacks intensify, with a higher rate of HTTP floods and PSH+ACK garbage floods.
- ERT continuously monitors and optimizes protections on DefensePro per new attack vectors.
- Attack mitigated by DefensePro and ERT. (Slide 11)

Monday May 21st - Day 3
- 10:00-17:00: Attacks continue. DefensePro automatically mitigates the attacks.
- Attacks mitigated by DefensePro. (Slide 12)

The attack continues, mitigation is automatic, and no ERT invocation is needed. The end (so far). (Slide 13)

Attack Vectors

Attack Vector I: TCP Garbage Flood
- Attack vector: PSH+ACK garbage flood on port 80
- Description: TCP PSH+ACK packets that contain garbage data, sent without initiating a proper TCP handshake; ~120 PPS from a single attacker
- Impact: bandwidth saturation of the pipe and IPS crash; port 80 traverses the security devices along the way
- Mitigation: out-of-state (OOS) detection; IPS signatures (garbage data) (Slide 15)
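As an added illustration of the out-of-state (OOS) detection listed as the mitigation (example code written for this page, not Radware's or CERT-XX's): a minimal per-connection TCP state tracker that flags PSH+ACK segments arriving on connections that never completed a three-way handshake. The packet records are constructed, and the record layout, `SAMPLE_PACKETS` and `find_out_of_state` are assumptions, not a vendor API.

```python
from collections import defaultdict

# Constructed packet records: (src, dst, sport, dport, tcp_flags, payload_len)
# tcp_flags uses tcpdump-style letters: "S" SYN, "SA" SYN+ACK, "A" ACK, "PA" PSH+ACK
SAMPLE_PACKETS = [
    # Legitimate client: handshake completes before any data is pushed
    ("10.0.0.5", "192.0.2.10", 40001, 80, "S", 0),
    ("192.0.2.10", "10.0.0.5", 80, 40001, "SA", 0),
    ("10.0.0.5", "192.0.2.10", 40001, 80, "A", 0),
    ("10.0.0.5", "192.0.2.10", 40001, 80, "PA", 120),
    # Garbage flood: PSH+ACK to port 80 with no handshake at all
    ("198.51.100.7", "192.0.2.10", 51000, 80, "PA", 1400),
    ("198.51.100.7", "192.0.2.10", 51001, 80, "PA", 1400),
    ("198.51.100.7", "192.0.2.10", 51002, 80, "PA", 1400),
]


def _conn_key(src, dst, sport, dport):
    # Direction-independent key so both halves of a flow share one state entry
    return tuple(sorted([(src, sport), (dst, dport)]))


def find_out_of_state(packets):
    """Return {source_ip: count} of PSH+ACK segments seen on connections that
    the tracker never saw reach ESTABLISHED (i.e. out-of-state packets)."""
    state = {}  # conn key -> "SYN_SENT" | "SYN_RECV" | "ESTABLISHED"
    oos = defaultdict(int)
    for src, dst, sport, dport, flags, _payload_len in packets:
        k = _conn_key(src, dst, sport, dport)
        cur = state.get(k)
        if flags == "S":
            state[k] = "SYN_SENT"
        elif flags == "SA" and cur == "SYN_SENT":
            state[k] = "SYN_RECV"
        elif flags == "A" and cur == "SYN_RECV":
            state[k] = "ESTABLISHED"
        elif "P" in flags and cur != "ESTABLISHED":
            # Data pushed on a flow with no completed handshake: out of state
            oos[src] += 1
    # A real device would also age out entries and handle FIN/RST; omitted here
    return dict(oos)
```

The per-source counts can be compared against a rate such as the ~120 PPS the slide cites to decide when to start dropping a source.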

Attack Vector II: HOIC HTTP Flood
- Attack vector: HOIC HTTP flood
- Description: HTTP requests (including references) loop every ~30-60 seconds; HTTP header values change between sources (use of a booster)
- Impact: exhausts web server resources as well as bandwidth
- Mitigation: JS web cookies; blacklist (Slide 16)
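To show how the "JS web cookies" plus "blacklist" mitigation fits together (an added example for this page, not Radware's implementation): the server only admits requests that carry a cookie a real browser would have set by executing a JavaScript challenge, and repeated failures from one source move it to a blacklist. The cookie is an HMAC over the client IP so a token cannot be replayed from a different attack source; the secret, thresholds, cookie name and `SAMPLE_REQUESTS` are constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

SECRET = b"constructed-demo-secret"  # assumed server-side key; rotate in practice
FAILS_BEFORE_BLACKLIST = 3            # assumed policy: challenge failures per source


def expected_cookie(client_ip: str, secret: bytes = SECRET) -> str:
    # Value the challenge page's JavaScript would set in a real browser.
    # Binding it to the client IP stops it being copied to other flood sources.
    return hmac.new(secret, client_ip.encode(), hashlib.sha256).hexdigest()


class ChallengeFilter:
    def __init__(self, secret: bytes = SECRET, limit: int = FAILS_BEFORE_BLACKLIST):
        self.secret = secret
        self.limit = limit
        self.failures = defaultdict(int)
        self.blacklist = set()

    def handle(self, client_ip: str, cookies: dict) -> str:
        """Return 'blocked', 'challenge' or 'pass' for one incoming request."""
        if client_ip in self.blacklist:
            return "blocked"
        token = cookies.get("jschal", "")
        if hmac.compare_digest(token, expected_cookie(client_ip, self.secret)):
            self.failures.pop(client_ip, None)   # solved: forget earlier misses
            return "pass"
        self.failures[client_ip] += 1
        if self.failures[client_ip] >= self.limit:
            self.blacklist.add(client_ip)         # never ran the JS: blacklist
            return "blocked"
        return "challenge"                        # serve the JS challenge page


# Constructed request stream: (client_ip, cookie dict)
SAMPLE_REQUESTS = [
    ("10.0.0.5", {}),                                       # browser, first visit
    ("10.0.0.5", {"jschal": expected_cookie("10.0.0.5")}),  # browser solved it
    ("198.51.100.7", {"cf": "x"}),   # HOIC-style client: varying headers, no JS
    ("198.51.100.7", {}),
    ("198.51.100.7", {}),
    ("198.51.100.7", {}),
]


def run(requests):
    f = ChallengeFilter()
    return [f.handle(ip, cookies) for ip, cookies in requests]
```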

Attack Vector III: Slowloris
- Attack vector: Slowloris attack
- Description: slow HTTP DoS tool sending incomplete HTTP requests; sends one CRLF at the end of the HTTP request headers (instead of two); very little computing resource required on the attacker's side
- Impact: web server time-out
- Mitigation: IPS signatures (Slide 17)
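A detection check for the "one CRLF instead of two" behaviour described above, added here as an example (not Radware's IPS signature): a request header block is only complete once an empty line (CRLF CRLF) has arrived, so connections whose headers are still open after a timeout are counted per source and sources holding several such connections are flagged. The connection records, timeout and limit are constructed assumptions.

```python
from collections import defaultdict

HEADER_TIMEOUT = 10.0  # assumed policy: seconds a header block may stay incomplete
SLOW_CONN_LIMIT = 2    # assumed policy: open incomplete requests before flagging a source

# Constructed connection records: (src_ip, first_byte_time, last_byte_time, bytes_so_far)
SAMPLE_CONNECTIONS = [
    # Normal client: header block terminated by an empty line
    ("10.0.0.5", 100.0, 100.1,
     b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    # Slowloris-style clients: one header line at a time, never the final CRLF
    ("198.51.100.7", 100.0, 130.0,
     b"GET / HTTP/1.1\r\nHost: www.example.test\r\nX-a: 1\r\n"),
    ("198.51.100.7", 101.0, 131.0,
     b"GET / HTTP/1.1\r\nHost: www.example.test\r\nX-a: 2\r\n"),
    ("198.51.100.7", 102.0, 132.0,
     b"GET / HTTP/1.1\r\nX-a: 3\r\n"),
    # Slow but still inside the timeout: not counted
    ("10.0.0.9", 128.0, 132.5,
     b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\n"),
]


def headers_complete(data: bytes) -> bool:
    # The header block ends with an empty line, i.e. two CRLFs in a row
    return b"\r\n\r\n" in data


def count_incomplete(conns, now, timeout=HEADER_TIMEOUT):
    """Return {src_ip: n} of connections whose request headers are still
    incomplete more than `timeout` seconds after their first byte."""
    per_src = defaultdict(int)
    for src, first_byte, _last_byte, data in conns:
        if not headers_complete(data) and now - first_byte > timeout:
            per_src[src] += 1
    return dict(per_src)


def find_slow_request_sources(conns, now, timeout=HEADER_TIMEOUT, limit=SLOW_CONN_LIMIT):
    """Sources holding at least `limit` timed-out incomplete requests."""
    counts = count_incomplete(conns, now, timeout)
    return {src for src, n in counts.items() if n >= limit}
```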

Attack Vector IV: Network Scans
- Attack vector: TCP, UDP and ICMP network scans
- Description: network scans intended to identify hosts and services
- Impact: exhausts web server resources as well as bandwidth
- Mitigation: anti-scanning protection; ICMP, UDP and TCP scans detected by DP (Slide 18)

Attacks seen in Vision Sonar. Green: intrusion attack (Slowloris). Pink: DDoS attacks (SYN floods). White: packet anomalies (non-RFC-compliant or out-of-state packets).

Summary

Full-spectrum technology to mitigate a multi-vector attack:
- BODS
- Out-of-State SYN Protection
- IPS Signatures
- DME (DoS Mitigation Engine): blocks 2M PPS
ERT:
- Quick security deployment
- Detect new attack vectors
- Detect new weak points: router, DefensePro sizing (Slide 21)

Business Impact for CERT-XX
- Original budget: 1 DP AS4
- Budget change after the attack: 2 DP ODS3, 1 Vision (Slide 22)

Public conclusions from CERT-XX: countermeasures (Slide 23)

Scandinavian Hosting Company (Slide 25)

WikiLeaks Revenge Attacks

Background: In December 2010, WikiLeaks came under intense pressure to stop publishing secret United States diplomatic cables. Corporations such as Amazon, PostFinance, MasterCard and Visa either stopped working with or froze donations to WikiLeaks, apparently bowing to political pressure. (Slide 27)

Operation Payback: In response, members of the Anonymous group (the people behind Operation Payback) made available a relatively simple-to-use tool to quickly direct a Distributed Denial-of-Service (DDoS) attack against any company that was perceived to be conspiring against WikiLeaks. Most of the targeted sites experienced major service disruptions resulting in multi-hour business outages. (Slide 28)

Operation Payback: Initial Target Set (Slide 29)

From the news (Slide 30)

Distributing attack tools and coordination (diagram: the coordinator sends updates over Twitter to hacktivists, who run the LOIC attack tool over the Internet) (Slide 31)

Coordinated attacks (diagram: coordinator, multiple LOIC attack tools and a legitimate user reaching public web servers over the Internet) (Slide 32)

Multi-vector attacks
- Network DDoS attacks: high-PPS SYN flood and UDP flood attacks (up to 8M packets per second); oversized UDP frames; connection flood attacks
- Application DDoS attacks: HTTP page request floods; HTTP data floods; Slowloris
(Diagram: LOIC attack tools and a legitimate user reaching public web servers over the Internet) (Slide 33)

Why are the attacks so challenging? (attack: impact)
- High-PPS attacks: equipment bottlenecks
- Oversized UDP frames: consume network bandwidth
- Fragmented and corrupted UDP frames: consume equipment resources
- Connection flood attacks: consume TCP stack resources
- HTTP page flood attacks, Slowloris: consume server resources (Slide 34)

Mapping protection measures (attack: protection)
- High-PPS attacks: DoS protection
- Oversized UDP frames: DoS protection
- Fragmented and corrupted UDP frames: DoS protection
- Connection flood attacks: IPS
- HTTP page flood attacks: NBA
- Slowloris: IPS
No single protection tool can handle today's emerging network threats. (Slide 35)

Anti-DoS for MSSPs

Deployment: Scrubbing Center
Unique capabilities for scrubbing center deployments:
- Full coverage against all types of DoS attacks: packet & bandwidth attacks, application DDoS attacks, directed DoS attacks
- Best SLA: time to protect is immediate (in seconds)
- Multi-tenant reporting engine
- Management & SEM: Attack Mitigation System (Slide 37)

MSSP Customer Case
- About the customer: a major telecommunications provider in North America; over $15 billion revenue (2010)
- Business requirements: offer value-added DDoS protection for their hosted data center customers
- Why AMS? Best and proven coverage against all types of DDoS attacks; most accurate attack detection and mitigation; advanced reporting per customer (Slide 38)

Managed Security Service Providers (MSSP) Solutions (Slide 39)

MSSP Landscape
The service provider angle:
- Many new and sophisticated attacks (application and network) impact famous companies. Business impact is very clear!
- Customer awareness: no need to educate, risks understood
- Customers (even large enterprises) can't afford and/or don't understand how to cope
- Business opportunity for the service providers! Network-based service. How to guarantee SLA?
The customer angle:
- Require portal-based access, dedicated reports and real-time alerts. False positives! (Slide 40)

Deployment: Out-of-path Scrubbing Center
Unique capabilities for scrubbing center deployments:
- Full coverage against all types of DoS attacks: packet & bandwidth attacks, application DDoS attacks, directed attacks
- Best SLA: time to protect is immediate (in seconds)
- Multi-tenant reporting engine
- Management & SEM: Attack Mitigation System (Slide 41)

MSSP: Radware's Unique Value Proposition
- Differentiated protection: superior attack coverage (SSL, HTTP, DNS application floods / direct attacks, WAF)
- Transparent (wire) out-of-path deployment; key point: BGP redirection and GRE/LSP backhaul
- Multi-tenant reporting
- Best cost/performance ratio in the industry
- ERT (Emergency Response Team)! (Slide 42)

ERT Case Studies: Cyber Attacks

Robin Hoods or Criminals? SONY example
- Massive DoS attack taking down the PlayStation Network for hours
- Initiated after a suit was filed against the hacker who broke the PS3 protection mechanism
- During the attack, CC data of millions of users was stolen
- Anonymous involvement was partially denied (Slide 44)

Robin Hoods or Criminals? Sic Semper Tyrannis
- Long campaign against the Vatican web infrastructure
- Started with a failed attempt to hack Vatican systems and databases
- Continued as a massive DoS attack lasting for days, in repeating waves (Slide 45)

Robin Hoods or Criminals? Russian Presidential Elections
- During election time in Russia, first for the Duma and then for the Presidency, DDoS attacks on protesters' blogs, party websites, reporting websites etc.
- "It can't be long before we observe a DDoS attack between two political parties based on one and the same botnet." Eugene Kaspersky (blog) (Slide 46)

Course of Events
- January 3rd: Saudi hacker 0xOmar leaks tens of thousands of Israeli credit card numbers and other sensitive personal information.
- January 16th, early morning: 0xOmar and the pro-Palestinian Nightmare hacker group send an email to the Jerusalem Post, threatening to attack the EL-AL website.
- January 16th, 9:30 AM: the EL-AL, Tel-Aviv Stock Exchange, First International Bank of Israel and Discount Bank websites are attacked and are unavailable for hours.
- January 17th: Israeli hacker group IDF-Team retaliates by attacking the Saudi and UAE stock exchange websites.
- January 18th: more Israeli websites are targeted; the Bank of Israel website is under attack. (Slide 47)

Israeli sites under attack: in the following weeks, dozens of Israeli web sites were attacked by pro-Palestinian hacker groups. A cyber war emerged. (Slide 48)

Verified attackers. Conclusions: the attacks were highly distributed, generated by an international collective or a botnet, so Geo-IP blocking is rendered useless. (Slide 49)

Aftermath
- Major banks and government sites were actively protected by Radware AMS and ERT.
- To fully protect online businesses you need:
  - DDoS protection from the service provider, based on Radware AMS, to remove volumetric network attacks
  - On-premises anti-DoS and behavioral analysis, based on Radware AMS, to remove the application flood attacks and directed DoS attacks (Slide 50)

Radware end-to-end mitigation solution fighting the DDoS threat (Slide 51)

Thank You www.radware.com