Protect Your Infrastructure from Multi-Layer DDoS Attacks


Protect Your Infrastructure from Multi-Layer DDoS Attacks
F5 EMEA Webinar, February 2014
Presenter: Keiron Shepherd, Field Systems Engineer

Protecting Against DDoS is Challenging
Webification of apps: 71% of internet experts predict most people will do work via web or mobile by 2020.
Device proliferation: 95% of workers use at least one personal device for work; 130 million enterprises will use mobile apps by 2014.
Evolving security threats: 58% of all e-theft tied to activist groups; 81% of breaches involved hacking.
Shifting perimeter: 80% of new apps will target the cloud; 72% of IT leaders have or will move applications to the cloud.
F5 Networks, Inc 2

The Evolution of Attackers
January 2008: Anonymous executes a series of high-profile DDoS attacks against the Church of Scientology.
December 2010: WikiLeaks supporters hit PayPal, Visa, Mastercard, and other financial sites with DDoS attacks.
April 2011: Attackers use a DDoS attack against Sony to mask the theft of millions of customer records.
April 2012: Anonymous knocks down the sites of the U.S. Dept. of Justice, the CIA, and the British Secret Intelligence Service.
September 2012: Syrian Cyber Fighters launch Operation Ababil with DDoS attacks on 13 U.S. banks to protest an anti-Muslim video.
Timeline 2007 to 2013: script kiddies, then the rise of hacktivism, then cyber war.

"65% [of surveyed organisations] reported experiencing an average of 3 DDoS attacks in the past 12 months, with an average downtime of 54 minutes." (Ponemon Institute Survey)

Attack Types and Targets are Expanding (2012)
[Chart: incidents from May to December 2012, plotted by attack type (spear phishing, physical access, XSS). Size of circle estimates relative impact of incident in terms of cost to business.]

Attack Types and Targets are Expanding (2013)
[Chart: incidents from January to June 2013, plotted by attack type (spear phishing, physical access, unknown). Size of circle estimates relative impact of incident in terms of cost to business. Target sectors labelled on the chart include news and media, telco, education, software, non-profit, industrial, auto, services, food service, consumer electronics, e-commerce, utility, gaming, retail, health, airport, entertainment, global delivery, and a cluster of DNS providers.]

The Business Impact of DDoS
Cost of corrective action
Reputation management

DDoS Hides the Real Threat
Headline (target name missing from the transcript): "DDoS Attack on ... Hid $900,000 Cyberheist", Feb 13, 2013

Cyber Fighters vs. [name missing from the transcript]
TARGET: $2.5 BILLION IN ECONOMIC DAMAGE

Attackers' published calculation, reproduced as shown on the slide:
/* Based on popularity of Innocence of Muslims video */
T = 26546482 /* total views */
L = 73721 /* total likes */
D = 194906 /* total dislikes */
DF = 10 /* coefficient dislike factor */
CF = 100$ /* ransom per each view/like */
C = 30000$ /* Approximate Cost on US banks per each DDoS minute */
TC = (T+L-F*D) * CF = 2,467,114,300$
TM = TC/C = 82237 minutes
S = 420 minutes ===> TD = TM/S = 196 days
PD = (6-1+4)*3 = 27 days
REM = TD-PD = 169 days ( about 56 weeks or 14 months )

GLOBAL BANKING SECURITY SPEND TOPS $25 BILLION
JPMORGAN CHASE SPENDS $200 MILLION ON CYBER SECURITY

More Sophisticated Attacks are Multi-Layer
Application, SSL, DNS, Network

DDoS Mitigation
OSI stack (difficulty of attack detection increases going up the stack): Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7)
Network attacks: SYN flood, connection flood, UDP flood, PUSH and ACK floods, Teardrop, ICMP floods, ping floods, Smurf attacks
Session attacks: DNS UDP floods, DNS query floods, DNS NXDOMAIN floods, SSL floods, SSL renegotiation
Application attacks: OWASP Top 10 (SQL injection, XSS, CSRF, etc.), Slowloris, Slow POST, HashDoS, GET floods
Protect against DDoS at all layers
Withstand the largest attacks
Gain visibility and detection of SSL-encrypted attacks

Full Proxy Security
The proxy terminates both the client-side and the server-side stack; per layer it provides:
Web application: application health monitoring and performance anomaly detection
Application: HTTP proxy, HTTP DDoS, and application security
Session: SSL inspection and SSL DDoS mitigation
Network: L4 firewall with full stateful policy enforcement and TCP DDoS mitigation
Physical

"It is simply not cost-effective to run all your traffic through a scrubbing center constantly, and many DoS attacks target the application layer, demanding use of a customer premises device anyway." (Securosis, Defending Against DoS Attacks)

Which DDoS Technology to Use?
CLOUD/HOSTED SERVICE: content delivery network; communications service provider; cloud-based DDoS service
ON-PREMISES DEFENSE: network firewall with SSL inspection; web application firewall; on-premises DDoS solution; intrusion detection/prevention

Which DDoS Technologies Do YOU Use? CLOUD/HOSTED SERVICE (content delivery network, communications service provider, cloud-based DDoS service)
STRENGTHS
Completely off-premises, so DDoS attacks can't reach you
Amortised defense across thousands of customers
DNS anycast and multiple data centers protect you
WEAKNESSES
Customers pay, whether attacked or not
Bound by terms of service agreement
Solutions focus on specific layers (not all layers)

Which DDoS Technologies Do YOU Use? ON-PREMISES DEFENSE (network firewall with SSL inspection, web application firewall, on-premises DDoS solution, intrusion detection/prevention)
STRENGTHS
Direct control over infrastructure
Immediate mitigation with instant response and reporting
Solutions can be architected to scale independently of one another
WEAKNESSES
Many point solutions in the market, few comprehensive DDoS solutions
Can only mitigate up to the maximum inbound connection size
No other value, only providing benefit when you get attacked (excludes F5)

Reference Architectures
DDoS Protection; S/Gi Network Simplification; Security for Service Providers; Application Migration to Cloud; DevOps; Secure Mobility; LTE Roaming; DNS; Cloud Federation; Cloud Bursting

DDoS Protection Reference Architecture
Components: next-generation firewall (corporate users); Tier 1 (network and DNS) with IPS; Tier 2 (application), the strategic point of control in front of the financial, e-commerce and subscriber applications; multiple ISP strategy (ISPa/b); cloud scrubbing service; threat feed intelligence covering scanners, anonymous proxies, anonymous requests and botnet attackers.
Traffic sources: legitimate users and DDoS attackers.
Network attacks: ICMP flood, UDP flood, SYN flood
SSL attacks: SSL renegotiation, SSL flood
DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning
HTTP attacks: Slowloris, slow POST, recursive POST/GET

DDoS Reference Architecture: Tier 1 (Network and DNS)
Handles network attacks (ICMP flood, UDP flood, SYN flood) and DNS attacks (DNS amplification, query flood, dictionary attack, DNS poisoning), fed by threat feed intelligence (scanners, anonymous proxies, anonymous requests, botnet attackers).
TIER 1 KEY FEATURES
The first tier at the perimeter is L3 and L4 network firewall services
Simple load balancing to a second tier
IP reputation database
Mitigates volumetric and DNS DDoS attacks

DDoS Reference Architecture: Tier 2 (Application)
Handles SSL attacks (SSL renegotiation, SSL flood) and HTTP attacks (Slowloris, slow POST, recursive POST/GET).
TIER 2 KEY FEATURES
The second tier is for application-aware, CPU-intensive defense mechanisms
SSL termination
Web application firewall
Mitigate asymmetric and SSL-based DDoS attacks
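The slow HTTP attacks listed for tier 2 (Slowloris, slow POST) are only visible to a component that holds the client connection and sees HTTP framing, which is why the deck puts them behind the full proxy rather than in the L3/4 tier. As an added example that is not part of the webinar or of F5's products, the following Python classifies per-connection state into slow-header and slow-body verdicts and aggregates offenders per source; the record fields, thresholds and sample connections are constructed assumptions.

```python
"""Slow-HTTP (Slowloris / slow POST) detector over per-connection state.

Added illustration for the tier-2 discussion; not F5 code. A Slowloris
client keeps a connection open but never completes its header block; a
slow-POST client declares a large Content-Length and trickles the body.
Both are asymmetric: cheap for the sender, a held worker for the server.
"""
from dataclasses import dataclass
from collections import Counter

@dataclass
class Conn:
    src: str             # client IP (constructed, RFC 5737 ranges)
    age_s: float         # seconds since the connection was accepted
    headers_done: bool   # full request header block received?
    content_length: int  # declared body size, 0 if none
    body_bytes: int      # body bytes received so far

# Policy knobs: assumed values for this example, not vendor defaults.
HEADER_GRACE_S = 10.0      # real clients finish headers well inside this
BODY_GRACE_S = 5.0         # judge body rate only after this much time
MIN_BODY_RATE_BPS = 200.0  # a declared upload slower than this is a trickle
SRC_ALERT_THRESHOLD = 3    # slow connections from one source before alerting

def classify(c: Conn) -> str:
    """Return 'slowloris', 'slow_post' or 'ok' for one connection."""
    if not c.headers_done:
        # Headers still incomplete long after accept: header trickling.
        return "slowloris" if c.age_s > HEADER_GRACE_S else "ok"
    remaining = c.content_length - c.body_bytes
    if remaining > 0 and c.age_s > BODY_GRACE_S:
        # Body promised but arriving far below any plausible upload rate.
        if c.body_bytes / c.age_s < MIN_BODY_RATE_BPS:
            return "slow_post"
    # Idle keep-alive with no outstanding body is legitimate and not flagged.
    return "ok"

def offenders(conns):
    """Sources with at least SRC_ALERT_THRESHOLD slow connections, with verdict counts."""
    per_src = {}
    for c in conns:
        verdict = classify(c)
        if verdict != "ok":
            per_src.setdefault(c.src, Counter())[verdict] += 1
    return {s: dict(cnt) for s, cnt in per_src.items()
            if sum(cnt.values()) >= SRC_ALERT_THRESHOLD}

# Constructed connection table as a tier-2 proxy might snapshot it.
SAMPLE = [
    Conn("203.0.113.7", 45.0, False, 0, 0),             # header trickle
    Conn("203.0.113.7", 38.2, False, 0, 0),
    Conn("203.0.113.7", 12.9, False, 0, 0),
    Conn("203.0.113.7", 2.0, False, 0, 0),              # too young to judge
    Conn("198.51.100.4", 60.0, True, 1_000_000, 900),   # 15 B/s body
    Conn("198.51.100.4", 30.0, True, 500_000, 300),
    Conn("198.51.100.4", 20.0, True, 250_000, 100),
    Conn("192.0.2.10", 20.0, True, 10_000_000, 2_000_000),  # fast, legit upload
    Conn("192.0.2.11", 120.0, True, 0, 0),              # idle keep-alive
    Conn("192.0.2.12", 0.5, False, 0, 0),               # just connected
]

if __name__ == "__main__":
    print(offenders(SAMPLE))  # {'203.0.113.7': {'slowloris': 3}, '198.51.100.4': {'slow_post': 3}}
```

The long-lived idle keep-alive and the young connection are deliberately left unflagged, since a detector that confuses them with Slowloris would throttle legitimate browsers.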

DDoS Protection: Small/Medium Business Deployment
Next-generation firewall: users leverage the NGFW for outbound protection (employees)
Inbound from customers and partners over ISPa and ISPb, both carrying DDoS attack traffic; the ISP provides a volumetric DDoS service
One BIG-IP platform protecting L3 to L7 and DNS: network firewall + DNS + web application firewall + compliance control
Simplified business models (GOOD / BETTER / BEST): BIG-IP Advanced Firewall Manager, BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, BIG-IP Access Policy Manager, BIG-IP Application Security Manager

DDoS Protection: Large Enterprise Deployment
Next-generation firewall: users leverage the NGFW for outbound protection (employees)
Inbound from customers and partners over ISPa and ISPb, both carrying DDoS attack traffic; the ISP provides a volumetric DDoS service, with a cloud scrubbing service available
Tier 1, protecting L3 to L4 and DNS: network firewall + DNS + simple load balancing to Tier 2 (BIG-IP platform + IP Intelligence (IPI) module)
Tier 2, protecting L7: web application firewall + SSL termination (BIG-IP platform)
SSL can be inspected at either tier
Simplified business models (GOOD / BETTER / BEST): BIG-IP Advanced Firewall Manager, BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, BIG-IP Access Policy Manager, BIG-IP Application Security Manager, + IP Intelligence

DDoS Protection: Financial Deployment
Inbound from customers and partners over ISPa and ISPb (multiple ISP strategy), both carrying DDoS attack traffic; cloud scrubbing service available
Tier 1, protecting L3 to L4 and DNS: network firewall + simple load balancing to Tier 2 (AFM and LTM on the VIPRION platform + IP Intelligence (IPI) module); DNS served by GTM on a BIG-IP platform
Tier 2, protecting L7: web application firewall + SSL termination (ASM and LTM on a BIG-IP platform), with network HSM (FIPS-140) and SSL re-encryption to the servers
SSL inspection at either tier
Simplified business models (GOOD / BETTER / BEST): BIG-IP Advanced Firewall Manager, BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, BIG-IP Application Security Manager, + IP Intelligence

Which DDoS Technology to Use: A Closer Look
CLOUD/HOSTED SERVICE: content delivery network; communications service provider; cloud-based DDoS service
ON-PREMISES DEFENSE: network firewall with SSL inspection; web application firewall; on-premises DDoS solution; intrusion detection/prevention

Content Delivery Network (CLOUD/HOSTED SERVICE)
STRENGTHS
Completely off-premises, so DDoS attacks can't reach you
Amortised defense across thousands of customers
DNS anycast and multiple data centers protect you
WEAKNESSES
The government is reading your booty call texts
Hackers can find you anyway
You may not be allowed to use a CDN
Can't process your SSL or form transactions

Communications Service Provider (CLOUD/HOSTED SERVICE)
STRENGTHS
Very convenient
Cheap, usually a flat fee
Amortised defense across thousands of customers
WEAKNESSES
Can't process your SSL or form transactions
Not as smart or as bulletproof as the next guys in this list

Cloud-Based DDoS Service (CLOUD/HOSTED SERVICE)
STRENGTHS
DNS anycast and multiple data centers protect you
Enormous capacity
Amortised defense across thousands of customers
Can leverage intel across customers
WEAKNESSES
Expensive
Can't process your SSL or form transactions
You may not be allowed to use a cloud provider

Network Firewall with SSL Inspection (ON-PREMISES DEFENSE)
STRENGTHS
Focused on layer 3-4 protection
WEAKNESSES
Susceptible to many attacks
Typically can't process SSL at scale of any kind
Can't handle application-layer attacks

Web Application Firewall (ON-PREMISES DEFENSE)
STRENGTHS
Application awareness
Cohabits with SSL termination
Already watching users (for things like web scraping)
WEAKNESSES
CPU usage presents scaling challenges

On-Premises DDoS Solution (ON-PREMISES DEFENSE)
STRENGTHS
Very good at what they do
May have cloud offerings
WEAKNESSES
No other value, only providing benefit when you get attacked
Does not do SSL, so you will need F5 anyway

Intrusion Detection/Prevention (ON-PREMISES DEFENSE)
STRENGTHS
Efficient at looking for specific OS vulnerabilities
WEAKNESSES
Doesn't offer the speed, scale, and key functionality for effective DDoS protection

Key Benefits of the DDoS Reference Architecture
Maintain application availability
Protect network infrastructure
Safeguard your brand reputation
Defend against targeted attacks
Stay one step ahead
Save money for your company
ALL BACKED BY WORLD-CLASS SUPPORT AND PROFESSIONAL SERVICES

DDoS Solution Definition Workshop
PREPARE: Gather information about your current architecture and identify people in your organisation to participate in the workshop.
ANALYSE: Workshop participants discuss and agree on the current-state DDoS architecture, including perceived performance, and assess potential risks and challenges.
ARCHITECT: The workshop team, comprised of your team and F5 subject matter experts, engineers the future DDoS architecture with a focus on business and design goals and any prioritised technical requirements.
PLAN: F5 consultants lead a discussion on the best approach for transitioning from your current architecture to the proposed architecture and produce a high-level plan documenting assessed risk, timelines, and budgetary requirements.
REPORT: At the conclusion, you receive a report and summary presentation outlining attack vectors and DDoS mitigation.

Explore Key Resources
The F5 DDoS Protection Reference Architecture: https://f5.com/solutions/architectures/ddos-protection
Placemat: DDoS Protection Reference Architecture
White paper: The F5 DDoS Protection Reference Architecture
Best practices: F5 DDoS Protection Recommended Practices

Solutions for an Application World.