Petr Lasek, SE, RADWARE, May 2012
Agenda
- Understanding online business threats
- Introducing Radware Attack Mitigation System (AMS)
- AMS technology overview
- Emergency Response Team (ERT)
- AMS deployment
- Customer success
- Summary
Online Security Challenges and Threats
Security Threat Vectors
- Large-volume network flood attacks
- Network scan
- Intrusion
- Port scan
- SYN flood attack
- Low & Slow DoS attacks (e.g., Sockstress)
- Application vulnerability, malware
- High and slow application DoS attacks
- Web attacks: XSS, brute force
- Web attacks: SQL injection
Network and Data Security Attacks: From the News
(figure: three news headlines, each with the cost of the incident; only the cost labels survived extraction: cost of breach, cost of attack, $80M to recover the theft, reputation loss, customer churn, penalties to trading firms, authority investigation)
Multi-Vulnerability Attack Campaigns
Radware security incidents report 2011: more than 70% of the cases Radware reported in 2011 involved at least 3 attack vectors.
Attackers use multi-vulnerability attack campaigns, making mitigation nearly impossible.
(figure: attack vectors aimed at the business)
- Large-volume network flood attacks
- Network scan
- Large-volume SYN flood
- Connection DoS attacks
- Web application vulnerability scan
- Directed application DoS attack: Slowloris
- HTTP & HTTPS flood attacks
- Web application attack: SQL injection
Attackers Seek Blind Spots
Why are multi-vulnerability attacks so successful?
- Current security practices fail to mitigate attacks
- Organizations deploy point security solutions
- Lack of expertise to analyze emerging threats
(figure: DoS Protection and IPS each cover only part of the attack vectors: large-volume network flood attacks, large-volume SYN flood, connection DoS attacks, directed DoS attack: Slowloris, HTTP & HTTPS flood attacks)
Mapping Security Protection Tools
(table: which tool covers which threat vector; columns DoS Protection, Behavioral Analysis, IPS, IP Rep., WAF; the cell markings did not survive extraction)
Threat vectors: large-volume network flood attacks; network scan; intrusion; port scan; SYN flood attack; Low & Slow DoS attacks (e.g., Sockstress); application vulnerability, malware; high and slow application DoS attacks; web attacks: XSS, brute force; web attacks: SQL injection
Introducing Radware Attack Mitigation System
Radware Attack Mitigation System (AMS)
AMS Protection Set
- DoS Protection: prevent all types of network DDoS attacks
- Reputation Engine: financial fraud protection; anti-Trojan & phishing
- IPS: prevent application vulnerability exploits
- WAF: mitigate web application attacks; PCI compliance
- NBA: prevent application resource misuse; prevent zero-minute malware spread
OnDemand Switch: Designed for Attack Mitigation
- DoS Mitigation Engine: ASIC-based; prevents high-volume attacks; up to 12 million PPS of attack protection
- IPS & Reputation Engine: ASIC-based string-match & RegEx engine; performs deep packet inspection
- NBA protections & WAF
- OnDemand Switch platform capacity up to 12 Gbps
The Competitive Advantage: Performance Under Attack
(figure: 12 million PPS of attack traffic mixed with legitimate traffic on a multi-Gbps link)
- DefensePro: attack traffic does not impact legitimate traffic
- Other network security solutions: the device handles attack traffic at the expense of legitimate traffic!
Radware Security Event Management (SEM)
- Correlated reports
- Trend analysis
- Compliance management
- Real-time monitoring
- Advanced alerts
- Forensics
- 3rd-party SEM
Radware AMS & ERT
Security Operations Center (SOC):
- Provides weekly and emergency signature updates
- Maintains on-going application vulnerability protection
Emergency Response Team (ERT):
- Provides 24x7 service for customers under attack
- Neutralizes DoS/DDoS attacks and malware outbreaks
Compliance and Standardization with AMS
Compliance reports: PCI DSS, FISMA, GLBA, HIPAA
Radware Intellectual Property
Eight patents secure Radware's Attack Mitigation Solution.
Radware AMS Portfolio
- DefensePro: Anti-DoS, NBA, IPS, Reputation Engine
- AppWall: Web Application Firewall (WAF)
- APSolute Vision: Security Event Management (SEM)
Technology Overview
AMS Technologies
- Static signature protection
- Real-time signature protection
- Real-time feeds
- Negative & positive security models
- Adaptive policy creation
Network based DoS Protections
Network-based DoS Protections
Real-time protections against:
- TCP SYN floods
- TCP SYN+ACK floods
- TCP FIN floods
- TCP RESET floods
- TCP out-of-state floods
- TCP fragment floods
- UDP floods
- ICMP floods
- IGMP floods
- Packet anomalies
- Known DoS tools
- Custom DoS signatures
Network Behavior Analysis & RT Signature Technology
(diagram: inbound traffic from the public network passes the detection engine and the filters and leaves as filtered outbound traffic to the protected network; the mitigation optimization process runs as a closed feedback loop)
- Detection engine: the degree of attack on the inbound traffic rises from low to high
- An initial filter is generated from a single traffic characteristic (e.g. packet ID); optimization ANDs in further characteristics (packet ID AND source IP; packet ID AND source IP AND packet size; packet ID AND source IP AND packet size AND TTL) until the narrowest filter that still covers the attack remains
- Blocking rules are applied from the final filter; a falling degree of attack is negative feedback, a rising one is positive feedback
- Signature parameters: source/destination IP address, source/destination port, packet size, ID, TTL (time to live), DNS query, TCP sequence number, and more (up to 20)
- Mitigation optimization process: 1 start traffic mitigation, 2 statistics, 3 learning time (0 up to 10 sec, then 10+X sec), 4 degree of attack (negative/positive feedback), 5 final filter, narrowest filters
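The closed-feedback narrowing described on this slide, written out as an added example that is not Radware's code: the filter starts from the single packet field whose dominant value covers most of the attack-time sample, and further fields are ANDed in while the filter still hits more than a small share of the peacetime sample. The five fields, the 2% peacetime-hit threshold and both packet samples are constructed for this example.

```python
from collections import Counter

# Signature parameters the narrowing loop may use (a subset of the up to 20
# parameters the slide lists). Constructed for this example.
SIGNATURE_FIELDS = ("src_ip", "dst_port", "size", "ttl", "ip_id")


def dominant_value(packets, field):
    """Most common value of one field in the sample and the fraction of packets carrying it."""
    value, count = Counter(p[field] for p in packets).most_common(1)[0]
    return value, count / len(packets)


def matches(packet, signature):
    """A signature is an AND of field == value terms."""
    return all(packet[f] == v for f, v in signature.items())


def match_rate(packets, signature):
    """Fraction of a sample matched by the signature."""
    return sum(matches(p, signature) for p in packets) / len(packets)


def build_signature(attack_sample, baseline_sample, max_baseline_hit=0.02, max_terms=5):
    """Closed-feedback narrowing.

    The initial filter is the field whose dominant value covers the largest
    share of the attack-time sample; while the filter still hits more than
    max_baseline_hit of peacetime traffic, the next most skewed field is ANDed
    in. Returns the final signature and one (signature, attack coverage,
    peacetime hit) tuple per step.
    """
    ranked = sorted(
        ((dominant_value(attack_sample, f), f) for f in SIGNATURE_FIELDS),
        key=lambda item: -item[0][1],
    )
    signature, history = {}, []
    for (value, _coverage), field in ranked:
        if len(signature) >= max_terms:
            break
        signature[field] = value
        coverage = match_rate(attack_sample, signature)
        baseline_hit = match_rate(baseline_sample, signature)
        history.append((dict(signature), coverage, baseline_hit))
        if baseline_hit <= max_baseline_hit:
            break  # narrow enough: stop adding terms
    return signature, history


def peacetime_sample():
    """Constructed peacetime traffic: mostly web, some DNS, varied sizes and IP IDs."""
    packets = []
    for i in range(100):
        if i % 10 < 3:
            packets.append({"src_ip": f"192.0.2.{i}", "dst_port": 53,
                            "size": 60 + (i % 7) * 4, "ttl": 64, "ip_id": 1000 + i})
        else:
            packets.append({"src_ip": f"192.0.2.{i}", "dst_port": 80 if i % 2 else 443,
                            "size": 40 + i * 5, "ttl": 64 if i % 4 else 128,
                            "ip_id": 1000 + i})
    return packets


def attack_sample():
    """Constructed DNS flood: many spoofed sources, fixed size, TTL and IP ID."""
    return [{"src_ip": f"198.51.100.{i % 50}", "dst_port": 53, "size": 60,
             "ttl": 128, "ip_id": 0x1234} for i in range(100)]


if __name__ == "__main__":
    sig, steps = build_signature(attack_sample(), peacetime_sample())
    for s, cov, hit in steps:
        print(f"{s}  attack coverage={cov:.2f}  peacetime hit={hit:.2f}")
    print("final signature:", sig)
```

On these samples the loop stops after three terms (dst_port AND size AND TTL): the port alone would also block peacetime DNS, port plus size still catches a few legitimate queries, and adding TTL brings the peacetime hit to zero while attack coverage stays at 100%. Spoofed source IPs never make it into the signature because no single source dominates the attack sample.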
Attack Degree: Decision Making
(figure: three-dimensional decision space)
- X-axis: abnormal protocol distribution [%]
- Y-axis: abnormal rate of packets
- Z-axis: attack degree
- Areas: normal adapted area, suspicious area, attack area
- Attack case: attack degree = 10 (attack)
Flash Crowd Scenario
(figure: adaptive detection engine; the rate-invariant input parameter stays in the normal adapted area while only the rate input parameter rises, so the degree of attack (DoA) stays low)
- Areas: normal adapted area, suspicious area, attack area
- Inputs: rate-invariant input parameter, rate input parameter
- Result: low DoA
Mitigation Performance (DME)
(chart: flood packet rate in millions, 0 to 12 on the vertical axis, against legitimate HTTP traffic in Gbit/s, 0 to 15 on the horizontal axis)
Application based DoS Protections
Application-based DoS Protections
Real-time protection against:
- Bot-originated and direct application attacks
- HTTP GET page floods
- HTTP POST floods
- HTTP uplink bandwidth consumption attacks
- DNS query floods (A, MX, PTR, ...)
Advanced behavioral application monitoring:
- HTTP servers real-time statistics and baselines
- DNS server real-time statistics and baselines
HTTP Mitigator
Behavioral Analysis & Real-Time Signatures
(diagram: inbound traffic from the public network passes the inspection module before reaching the enterprise network)
- Inputs: network, servers, clients
- Threats covered: DoS & DDoS, application-level threats, zero-minute malware propagation
- Behavioral analysis feeds abnormal activity detection, which feeds real-time signature generation
- Closed feedback: optimize the signature; remove it when the attack is over
Standard Security Tools: HTTP Flood Example
(diagram: the attacker sends a bot command through an IRC server to HTTP bots (infected hosts), which misuse the service resources of the public web servers over the Internet)
Static signatures approach:
- No solution for low-volume attacks, as the requests are legitimate
- Connection limit against high-volume attacks: agnostic to the attacked page, blocks legitimate traffic, high false positives
Real-Time Signatures: Accurate Mitigation
Case: HTTP page flood attack (diagram: the attacker commands HTTP bots (infected hosts) through an IRC server; the bots misuse the service resources of the public web servers)
- Behavioral pattern detection (1): based on probability analysis, identify which web page (or pages) has higher than normal hits
- Behavioral pattern detection (2): identify abnormal user activity; for example, normal users download few pages per connection, abnormal users download many pages per connection
- Real-time signature: block abnormal users' access to the specific page(s) under attack
Real-Time Signatures: Resistance to False Positives
Case: flash crowd access (diagram: legitimate users reach the public web servers over the Internet)
- Behavioral pattern detection (1): based on probability analysis, identify which web page (or pages) has higher than normal hits
- Behavioral pattern detection (2): no detection of abnormal user activity
- Result: attack not detected, no real-time signature is generated, no user is blocked
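The two behavioral pattern detections from the page-flood slide and the flash-crowd slide, as an added example that is not Radware's code: detection (1) compares each page's share of hits with its baseline share, detection (2) compares each source's pages-per-connection with the baseline, and a real-time signature is produced only when both fire. The access-log format, the page list, the 3x ratios and all traffic samples are constructed for this example.

```python
from collections import Counter, defaultdict

# Constructed site map and log format: '<src_ip> <conn_id> <method> <path>'.
PAGES = ["/", "/hotels/", "/info/", "/reserve/"]


def parse_log(lines):
    records = []
    for line in lines:
        src, conn, _method, path = line.split()
        records.append((src, conn, path))
    return records


def page_shares(records):
    """Probability of a hit landing on each page."""
    hits = Counter(path for _, _, path in records)
    return {p: n / len(records) for p, n in hits.items()}


def pages_per_connection(records):
    """Mean number of page hits per connection, per source."""
    per_conn = Counter((src, conn) for src, conn, _ in records)
    per_src = defaultdict(list)
    for (src, _conn), n in per_conn.items():
        per_src[src].append(n)
    return {src: sum(v) / len(v) for src, v in per_src.items()}


def hot_pages(baseline, window, ratio=3.0, floor=0.01):
    """Detection (1): pages whose share of hits is far above their baseline share."""
    base, now = page_shares(baseline), page_shares(window)
    return sorted(p for p, s in now.items() if s > ratio * base.get(p, floor))


def abnormal_sources(baseline, window, ratio=3.0):
    """Detection (2): sources downloading many more pages per connection than usual."""
    base_ppc = pages_per_connection(baseline)
    typical = sum(base_ppc.values()) / len(base_ppc)
    return {src for src, ppc in pages_per_connection(window).items() if ppc > ratio * typical}


def realtime_signature(baseline, window):
    """Block abnormal users' access to the page(s) under attack; None when nothing is abnormal.

    A flash crowd raises the rate but keeps the page mix and the per-connection
    behaviour normal, so neither detection fires and nobody is blocked.
    """
    pages = hot_pages(baseline, window)
    if not pages:
        return None
    sources = {src for src in abnormal_sources(baseline, window)
               if any(p in pages for s, _, p in window if s == src)}
    if not sources:
        return None
    return {"pages": pages, "block_sources": sorted(sources)}


def legit_traffic(n_users):
    """Constructed browsing: each user opens 2 connections and fetches 2 pages per connection."""
    lines = []
    for i in range(n_users):
        for j in range(2):
            for k in range(2):
                lines.append(f"192.0.2.{i} c{j} GET {PAGES[(2 * i + j + k) % 4]}")
    return lines


BOTS = [f"203.0.113.{b}" for b in range(1, 5)]
BASELINE = parse_log(legit_traffic(20))
# Attack window: 10 legitimate users plus 4 bots each fetching /reserve/ 40 times on one connection.
ATTACK = parse_log(legit_traffic(10) + [f"{b} c0 GET /reserve/" for b in BOTS for _ in range(40)])
# Flash crowd: six times the usual number of users, all behaving normally.
FLASH = parse_log(legit_traffic(60))

if __name__ == "__main__":
    print("attack:", realtime_signature(BASELINE, ATTACK))
    print("flash crowd:", realtime_signature(BASELINE, FLASH))
```

The signature is deliberately the intersection of the two detections: a page that is merely popular blocks nobody, and a source that is merely busy is left alone unless it is hammering a page that is under attack.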
Challenge/Response & Action Escalation System
(diagram: escalation from detection to blocking; suspicious sources are marked once the botnet is identified)
- Attack detection: behavioral real-time signature technology
- Real-time signature created
- Light challenge actions: TCP challenge, 302 redirect challenge (challenge/response technology)
- Strong challenge action: JavaScript challenge
- RT signature blocking: real-time signature blocking
- Selective rate-limit
- Closed feedback & action escalation
AMS Protections: Unique Value Proposition
Escalation steps: attack detection, real-time signature, light challenge, strong challenge, selective rate-limit
- Best security coverage: prevent all types of network and application attacks; complementing technologies fighting known and zero-day attacks; complete removal of non-browser rogue traffic
- Best user quality of experience (QoE): reaching the lowest false-positive rate in the industry; advanced capabilities are exposed only when needed
- Reduced cost of ownership: automatic real-time attack mitigation with no need for human intervention
DNS Mitigator
Behavioral DNS Application Monitoring
(chart: DNS QPS over time per query type, with a baseline per type)
- DNS query distribution analysis and rate analysis per DNS query type
- Query types tracked: A, AAAA, MX, PTR, TEXT, other records
- Baselines per type: A records baseline, AAAA records baseline, MX records baseline, PTR records baseline
- Associated threat vectors are derived from deviations from these baselines
Behavioral DNS Decision Engine
(chart: DNS QPS over time per query type with per-type baselines, as on the previous slide)
- DNS query distribution analysis and rate analysis feed a fuzzy logic inference system
- Output: degree of attack per DNS query type, classified as normal, suspect or attack
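The decision engine described here, and the rate-invariant versus rate input split from the attack-degree and flash-crowd slides, as an added example that is not Radware's code: the query-type mix (rate-invariant) and the per-type QPS ratio (rate) are each turned into a fuzzy membership, combined with a fuzzy AND, and scaled to a degree of attack from 0 to 10 per query type. The baseline QPS figures, the ramp thresholds, the verdict cut-offs and both measurement windows are constructed for this example.

```python
# Constructed peacetime baseline: queries per second per DNS query type.
BASELINE_QPS = {"A": 800, "AAAA": 150, "MX": 20, "PTR": 25, "TEXT": 5}


def shares(qps_by_type):
    total = sum(qps_by_type.values())
    return {t: q / total for t, q in qps_by_type.items()}


def distribution_deviation(window, baseline):
    """Rate-invariant input: total-variation distance between the query-type
    mix now and the baseline mix, in percent (0 = identical mix, 100 = disjoint)."""
    b, w = shares(baseline), shares(window)
    return 50.0 * sum(abs(w.get(t, 0.0) - b.get(t, 0.0)) for t in set(b) | set(w))


def rate_ratio(window, baseline, qtype):
    """Rate input: how many times its baseline QPS this query type is running at."""
    return window.get(qtype, 0) / baseline.get(qtype, 1)


def ramp(x, low, high):
    """Fuzzy membership: 0 below low, 1 above high, linear in between."""
    return min(1.0, max(0.0, (x - low) / (high - low)))


def degree_of_attack(window, baseline, qtype):
    """Degree of attack (0..10) for one query type.

    Both inputs must be abnormal (fuzzy AND = min): an abnormal rate with a
    normal mix is a flash crowd, an abnormal mix at a normal rate is noise.
    The ramp thresholds are constructed for this example.
    """
    abnormal_mix = ramp(distribution_deviation(window, baseline), 5.0, 40.0)
    abnormal_rate = ramp(rate_ratio(window, baseline, qtype), 1.5, 8.0)
    return round(10.0 * min(abnormal_mix, abnormal_rate), 1)


def classify(doa):
    """Map the degree of attack to the three verdicts the slide names."""
    if doa >= 7.0:
        return "attack"
    if doa >= 3.0:
        return "suspect"
    return "normal"


def assess(window, baseline=BASELINE_QPS):
    """Per-type (degree of attack, verdict) for one measurement window."""
    verdicts = {}
    for t in set(baseline) | set(window):
        doa = degree_of_attack(window, baseline, t)
        verdicts[t] = (doa, classify(doa))
    return verdicts


# Constructed windows: an MX query flood, and a flash crowd that scales every type by 3.
MX_FLOOD = {"A": 800, "AAAA": 150, "MX": 2000, "PTR": 25, "TEXT": 5}
FLASH_CROWD = {t: q * 3 for t, q in BASELINE_QPS.items()}

if __name__ == "__main__":
    for name, window in (("MX flood", MX_FLOOD), ("flash crowd", FLASH_CROWD)):
        print(name, assess(window))
```

In the MX flood the MX type scores 10 (attack) while A records, whose rate is unchanged, stay at 0; in the flash crowd every type runs at three times its baseline but the mix is identical, so the rate-invariant input keeps the degree of attack at 0 for all of them.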
Challenge/Response & Action Escalation System (DNS)
(diagram: escalation from detection to collective rate limit; suspicious traffic is detected per query type once the botnet is identified)
- Attack detection: behavioral RT signature technology
- Real-time signature created
- DNS query challenge; query rate limit: RT signature scope, protection per query type
- Collective query challenge; collective query rate limit: collective scope, protection per query type
- Closed feedback & action escalation
Service Cracking Behavioral Protections
Service Cracking Behavioral Protections
Real-time protections against information stealth:
- HTTP servers: web vulnerability scans, brute force
- SIP servers (TCP & UDP): SIP spoofed floods, pre-SPIT activities, SIP scanning
- SMTP/IMAP/POP3, FTP, ...: application brute force, application scans
Application Behavior Analysis: Service Cracking
Web vulnerability scan scenario (diagram: the attacker launches a scan tool against the web servers)
Requests sent:
  HEAD / HTTP/1.0
  GET /examples/ HTTP/1.0
  GET /_vti_bin/shtml.exe HTTP/1.0
  GET /scripts/admin.pl HTTP/1.0
  GET /cgi/websendmail HTTP/1.0
  GET /cgi/textcounter HTTP/1.0
Responses: a mix of 200 OK and 404 Not Found (the pairing with the requests did not survive extraction)
- Non-detectable attack by standard signature-based IPS
- All transactions are legitimate
- Attack volume below rate threshold
Application Behavior Analysis: Service Cracking
Standard IPS approach:
- No signature protection: all requests are legal
- Rate-limit thresholds: high false positives, require constant tuning
Radware AMS approach:
- Advanced behavioral analysis to eliminate false positives: a high frequency of error response codes is blocked, a one-time error is not
- Automatic detection and prevention
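The error-frequency rule the slide contrasts with rate limiting, as an added example that is not Radware's code: per source and per time window it counts client-error responses and the number of distinct paths that produced them, so a scanner walking through well-known CGI paths is flagged while a user who mistypes one URL is not. The log format, the thresholds and the sample log lines are constructed for this example; the probed paths are the ones shown on the scan scenario slide plus two more.

```python
import re
from collections import defaultdict

# Constructed log format: '<epoch seconds> <src_ip> <method> <path> <status>'
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def parse_line(line):
    """Return a record dict, or None for a line that does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": int(m["ts"]), "src": m["src"], "path": m["path"], "status": int(m["status"])}


def per_source_stats(records, window_end, window_seconds=60):
    """Requests, client-error responses and distinct erroring paths per source in the window."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "error_paths": set()})
    for r in records:
        if window_end - window_seconds <= r["ts"] <= window_end:
            s = stats[r["src"]]
            s["requests"] += 1
            if 400 <= r["status"] < 500:
                s["errors"] += 1
                s["error_paths"].add(r["path"])
    return stats


def detect_scanners(records, window_end, min_errors=5, min_ratio=0.5, min_distinct=4):
    """Behavioural rule: a scan shows a high frequency of client-error responses spread
    over many distinct paths; a one-time 404 has neither property and is ignored."""
    flagged = {}
    for src, s in per_source_stats(records, window_end).items():
        ratio = s["errors"] / s["requests"]
        if s["errors"] >= min_errors and ratio >= min_ratio and len(s["error_paths"]) >= min_distinct:
            flagged[src] = {"requests": s["requests"], "errors": s["errors"],
                            "distinct_paths": len(s["error_paths"])}
    return flagged


# Constructed sample: one scanner probing known CGI paths, one normal user with a single
# typo 404, and one quiet user. All requests are individually legitimate.
SAMPLE_LOG = [
    "1000 198.51.100.7 HEAD / 200",
    "1001 198.51.100.7 GET /examples/ 200",
    "1002 198.51.100.7 GET /_vti_bin/shtml.exe 404",
    "1003 198.51.100.7 GET /scripts/admin.pl 404",
    "1004 198.51.100.7 GET /cgi/websendmail 404",
    "1005 198.51.100.7 GET /cgi/textcounter 200",
    "1006 198.51.100.7 GET /cgi-bin/phf 404",
    "1007 198.51.100.7 GET /admin/ 404",
    "1000 192.0.2.10 GET / 200",
    "1003 192.0.2.10 GET /hotels/ 200",
    "1004 192.0.2.10 GET /hotles/ 404",
    "1005 192.0.2.10 GET /hotels/ 200",
    "1009 192.0.2.10 GET /reserve/ 200",
    "1002 192.0.2.11 GET /info/ 200",
]


def scan_sample(window_end=1010):
    """Parse the constructed sample and run the detector over the last 60 seconds."""
    records = [r for r in map(parse_line, SAMPLE_LOG) if r is not None]
    return detect_scanners(records, window_end)


if __name__ == "__main__":
    for src, info in scan_sample().items():
        print(f"scanner {src}: {info}")
```

The scanner's absolute request rate here is under one request per second, well below anything a rate limit would catch, which is exactly the case the slide makes against threshold tuning.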
Network Scanning and Malware Propagation Protections
Source-based Behavioral Analysis
Behavioral real-time protection against zero-minute malware propagation and network scans:
- UDP spreading worms detection
- TCP spreading worms detection
- High- and low-rate network scans
- Scanning/spreading pattern identification
- Infected source identification
Source-based Analysis
(figure: source behavior analysis; the connection behavioral score is plotted per port & IP, giving a normal distribution with an average height and width versus an abnormal distribution; sample values shown: 80, 50, 78, 29, 25, 33, 53, 112, 70, 111)
- Decision-making: width, height and other parameters give a degree of attack classified as normal, suspect or attack
- Mitigation: automatic RT signatures
Mitigation: Source-based Real-Time Signature
(diagram: three stages, each preceded by an analysis step; red objects represent the malware spreading activities, the red worms the more intense spreading activities, and green objects legitimate traffic)
- Intense malware activities: initial prevention measure (e.g., source IP -> port 135 (TCP))
- Additional spreading activities: after the first filter against a worm is implemented, the closed-feedback mechanism decides that the rest of the malware spreading activities may disturb the network operation. It adds additional prevention measures, according to less intense criteria, on top of the previous measure. Optimization (e.g., source IP -> port 135 (TCP) OR port 445 (TCP))
- Safe environment: optimization (e.g., (source IP -> port 135 (TCP) OR port 445 (TCP)) AND (packet size AND TTL AND ...))
IPS & Reputation Services
IPS & Radware's SOC
Signatures & Reputation Engine protection against:
- Application vulnerabilities and exploits: web, mail, DNS, databases, VoIP
- OS vulnerabilities and exploits: Microsoft, Apple, Unix-based
- Network infrastructure vulnerabilities: switches, routers and other network elements
- Malware: worms, bots, Trojans and drop points, spyware
- Anonymizers
- IPv6 attacks
- Protocol anomalies
Security Operation Center:
- Leading vulnerability security research team
- Weekly and emergency signature updates
Custom Signature Example: Hello World
(screenshots: a custom signature named hello-world-smtp)
- Protocol: TCP, SMTP
- Content: text "Hello World", case sensitive
Radware's SOC & Security Specialists
Radware SOC has world recognition by the security industry and application vendors:
- SOC researchers and security specialists present their latest findings at industry events such as BlackHat and Defcon
- Radware SOC was the first to discover application vulnerabilities in the Apple iPhone Safari web browser, Firefox 3, the YATE IP telephony engine and more
Reputation Engine: The Need and the Solution
The need:
- Malicious web sites have a short life span and are created in a matter of hours
- Static signature protection, with periodic updates, doesn't keep pace
- Antivirus & spyware removal software cannot protect against pharming
- World-wide real-time research is the way to protect against such threats
- Anti-fraud / anti-Trojan service is a real differentiator for ISP/MSSP
RSA Fraud Action:
- One of the most proven and trusted online threat solutions
- 24x7 command center which constantly analyzes world-wide traffic
- Widest phishing URL DB in the world today
- Takes preventive actions to remove malicious servers from the net
DefensePro service:
- Real-time updates of newly identified malicious points by RSA
- Protection against phishing, pharming and malware (fraud Trojan) attacks
Financial Fraud: Methods
(diagram: the attacker's web site installs malware on the victims)
Reputation Engine
(diagram: phishing campaign flow over the Internet)
- Phishing mail: the user clicks the phishing link to the malicious site / drop point
- Trojan communication to the drop point
- Fraud activities detected by the AFCC service
- AFCC feed to Radware: APSolute Vision Insite feeds DefensePro with a real-time signature
URL Types and Their Protection
RSA feed type: HTTP + domain + path, e.g. http://www.godaddy.com/phishing.html
- Network footprint:
    GET /phishing.html HTTP 1.1
    User agent: Firefox
    Host: www.godaddy.com
    Accept: text/html
- Protection: advanced filter, PATH + Host (domain)
RSA feed type: HTTP + domain, e.g. http://www.paypal.phish.com
- Network footprint:
    GET /index.html HTTP 1.1
    User agent: Firefox
    Host: www.paypal.phish.com
    Accept: text/html
- Protection: basic filter, Host (domain) only
RSA feed type: HTTPS, e.g. https://www.godaddy.com/phishing.html
- Network footprint: TCP handshake, TLS negotiation, encrypted traffic
- Protection: blocking the website entirely: [1] translating the domain to an IP, [2] blocking that IP on port 443
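The three feed-entry types and their matching filters, as an added example that is not Radware's or RSA's code: each feed URL is classified as host+path, host-only or HTTPS, clear-text requests are matched on the Host header and request path, and HTTPS entries are reduced to an IP:443 rule through a resolver stand-in. The feed URLs are the ones on the slide; the resolver table, the parsed request format and the verdict strings are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed stand-in for step [1] of the HTTPS case (domain -> IP); a real
# deployment would resolve the name and refresh the IP as the feed changes.
RESOLVER = {"www.godaddy.com": "192.0.2.50", "www.paypal.phish.com": "192.0.2.51"}


def classify_feed_entry(url):
    """Map one feed URL to the filter type the slide describes."""
    u = urlsplit(url)
    host = u.hostname.lower()
    if u.scheme == "https":
        ip = RESOLVER.get(host)
        return {"type": "https_ip_block", "ip": ip, "port": 443} if ip else None
    if u.path not in ("", "/"):
        return {"type": "host_path", "host": host, "path": u.path}
    return {"type": "host_only", "host": host}


def build_filters(feed):
    """Turn a feed into the three rule sets a filter engine would load."""
    filters = {"host_path": set(), "host_only": set(), "ip_port": set()}
    for url in feed:
        e = classify_feed_entry(url)
        if e is None:
            continue  # unresolvable HTTPS entry: nothing to block on
        if e["type"] == "host_path":
            filters["host_path"].add((e["host"], e["path"]))
        elif e["type"] == "host_only":
            filters["host_only"].add(e["host"])
        else:
            filters["ip_port"].add((e["ip"], e["port"]))
    return filters


def parse_http_request(raw):
    """Minimal parse of the request line and headers of a clear-text HTTP request."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split()
    headers = {}
    for h in lines[1:]:
        if ":" in h:
            k, v = h.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return {"method": method, "path": urlsplit(target).path, "host": headers.get("host", "").lower()}


def http_verdict(filters, raw_request):
    """Basic filter (host only) first, then the advanced filter (host + path)."""
    r = parse_http_request(raw_request)
    if r["host"] in filters["host_only"]:
        return "block (host filter)"
    if (r["host"], r["path"]) in filters["host_path"]:
        return "block (host+path filter)"
    return "allow"


def tcp_verdict(filters, dst_ip, dst_port):
    """HTTPS case: the only visible footprint is the destination IP and port 443."""
    return "block (ip:443 filter)" if (dst_ip, dst_port) in filters["ip_port"] else "allow"


FEED = [
    "http://www.godaddy.com/phishing.html",
    "http://www.paypal.phish.com",
    "https://www.godaddy.com/phishing.html",
]
FILTERS = build_filters(FEED)


def request(path, host):
    """Build a constructed clear-text request like the footprints on the slide."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: Firefox\r\nAccept: text/html\r\n\r\n"


if __name__ == "__main__":
    print(http_verdict(FILTERS, request("/phishing.html", "www.godaddy.com")))
    print(http_verdict(FILTERS, request("/index.html", "www.godaddy.com")))
    print(http_verdict(FILTERS, request("/index.html", "www.paypal.phish.com")))
    print(tcp_verdict(FILTERS, "192.0.2.50", 443), tcp_verdict(FILTERS, "192.0.2.50", 80))
```

The three verdict functions make the precision loss visible: the host+path rule blocks only the phishing page on an otherwise legitimate host, the host-only rule blocks the whole host, and the HTTPS rule blocks every HTTPS site served from that IP, which is why the slide describes it as blocking the website entirely.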
SSL
AMS Encrypted Attacks Mitigation
(diagram: clear and encrypted traffic paths through DefensePro and Alteon's SSL acceleration engine, which is the client-side termination point; DefensePro engines shown: application cookie engines, L7 ASIC RegEx engine, TCP cookie engines, HTTP signature, packet anomalies, behavioral DoS, black & white lists)
Coverage:
- Traffic anomalies and floods, network-based DoS attacks: clear
- Application-based DoS attacks: clear and SSL
- Directed application DoS attacks: clear and SSL
Once an attack is detected there are 3 main security actions that are taken on each client who tries to connect to the protected server(s):
- SYN attack protection: DefensePro authenticates the source through a safe-reset cookie mechanism, verifying the validity of the source IP and its TCP/IP stack.
- HTTP signature: DefensePro receives the decrypted 1st HTTP client request from the SSL engine and applies application-layer signatures. This is done in order to remove the directed HTTP DoS attacks that can only be mitigated by pre-defined or custom signatures.
- Web cookie challenge: in case the client passes the HTTP filter check, DefensePro generates a web cookie challenge (302 or JS challenge) that is encrypted and returned to the client by the Alteon SSL engine. Client responses are decrypted and sent to the DefensePro, which validates the response. A client that responds correctly is authenticated (application-level authentication) and forced to open a new connection directly to the protected server.
Policy Exceptions: Black & White Lists, Stateful ACL
Policy Exceptions
Policies are defined in the Network/Server Protection table per network segment or server. There are cases where you want to set exceptions to the network policies:
- An infected host generates attack traffic and you want to block all traffic from this host until it is disinfected
- A management station regularly polls hosts to validate their software version and thus creates semi-scanning activity
- A host on the Internet launches an attack on your network, but you do not want to block it permanently by a policy
- More
Policy exceptions can be set using:
- Black list
- White list
Black List
The Black List comprises the traffic that the device always blocks without inspection. You use the Black List as policy exceptions for security policies.
Access Control List
The Access Control List (ACL) module is a stateful firewall, which enables you to configure up to 500 flexible and focused stateful access-control policies. You can modify and view active ACL policies. You can also manage and view ACL report summaries in Web Based Management.
ACL now contains access-control behavior and all block actions previously handled in the BWM module. The relevant ACL configuration takes precedence over the Session Table Aging parameter. To operate correctly, ACL needs to know the direction of session packets.
Bandwidth Management
Why Use Bandwidth Management?
Managing your bandwidth prevents filling the link to capacity or overfilling the link, which may result in network congestion and poor performance. Tracking the bandwidth used by each application enables you to:
- Ensure a guaranteed bandwidth for certain applications
- Set limits on how much bandwidth each classified traffic pattern can utilize
Bandwidth Management Components
Counter Attacks
Radware's ERT Fights Back
Stage 1: Simple Connection Level
LOIC / Mobile LOIC Setup
(screenshot of the tool setup)
LOIC: attack traffic is dropped
(screenshot)
Mobile LOIC: attack traffic is dropped
(screenshot)
Mobile LOIC: attack traffic is dropped and the connection is reset
(screenshot)
Stage 2: Advanced Connection Level
IP Protocol Manipulations
TCP:
- Sequence number: send a sequence number above the window size; send an illegal sequence number
- Ack number: send an ack number above/below the correct sequence number
- Window: send window size = 0; send a small window size
- Urgent pointer: send an urgent pointer with a very large/small number
- Options: send TCP options with a long no-op option string
UDP:
- Send a packet with data incompatible with the length
ICMP:
- Send ICMP Time Exceeded message
- Send ICMP Parameter Problem message
- Send ICMP Source Quench message
- Send ICMP Redirect with different destinations (try specifying the source as destination)
HTTP:
- Redirect to tar pit/source
- Elongated response
LOIC, preliminary: attack traffic is dropped and a TCP zero window is sent to the source
(screenshot)
Stage 3: Integration within DP
Detection, Forensics and Integration
(table: detection source, forensics, resulting action)
- Forensics: THC SSL tool, SSL flood -> Action = window size 0
- Forensics: Mobile LOIC tool, HTTP flood -> Action = drop & suspend
- Attack detection combined with forensics -> Action = ƒ(detection, forensics)
Summary
Summary: Counter Attacks
- Simple IP protocol operations can affect the attacker side and slow it down
- The same idea may be extended to more elaborate countermeasures
- Integration of forensics and deeper awareness of the attacker side can improve mitigation
- DP modules to cross-reference forensics and act accordingly
WAF
The Secret Sauce: Adaptive Policy Creation (1 of 3)
Steps: app mapping, threat analysis
(diagram: application map of Reservations.com with the paths /config/, /admin/, /register/, /hotels/, /info/, /reserve/; risk analysis per application path)
- SQL injection: spoof identity, steal user information, data tampering
- CCN breach: information leakage
- Directory traversal: gain root access control
- Buffer overflow: unexpected application behavior, system crash, full system compromise
The Secret Sauce: Adaptive Policy Creation (2 of 3)
Steps: app mapping, threat analysis, policy generation
(diagram: the same application map of Reservations.com)
- SQL injection: prevent access to sensitive app sections
- CCN breach: mask CCN, SSN, etc. in responses (e.g. ***********9459)
- Directory traversal: traffic normalization & HTTP RFC validation
- Buffer overflow: parameters inspection
The Secret Sauce: Adaptive Policy Creation (3 of 3)
Steps: app mapping, threat analysis, policy generation, policy activation
(diagram: the same application map of Reservations.com with the threats SQL injection, CCN breach, directory traversal, buffer overflow)
- Known vulnerabilities protections: optimization of negative rules for best accuracy (virtually zero false positives, short time to protect)
- Add tailored application behavioral rules for zero-day protection (best coverage)
The Secret Sauce: Unique Value Proposition
Steps: app mapping, threat analysis, policy generation, policy activation
- Best security coverage: auto detection of potential threats; other WAFs require admin intervention and knowledge to protect
- Lowest false positives: adaptive security protections optimized per application resource ("app-path"); other WAFs auto-generate global policies
- Shortest time to protect: highly granular policy creation and activation ("app-path"); immediate policy modification upon application change; other WAFs wait for global policy activation
- Reduced cost of ownership: automatic real-time attack mitigation with no need for human intervention
Radware's SIEM
Radware Security Event Management (SIEM)
APSolute Vision: management and security reporting & compliance
Radware's Built-in SIEM Engine
Built-in SEM:
- Historical reporting engine
- Customizable dashboards
- Event correlation engine
- Advanced forensics reports
- Compliance reports
- Ticket workflow management
- 3rd-party event notifications
- Role/user-based access control
- Works with all Radware's security modules
Radware's Built-in SEM Engine: Unified Reports
- Threat analysis
- Target service
- Trend analysis
Radware's Built-in SEM Engine: Dashboards
- Per-user dashboard
Radware's Built-in SEM Engine: Event Correlation
Event correlation rules by:
- Attack duration & time interval
- Managed devices
- Attack ID, attack type
- Destination IP
- Protected web application
- Event description
- Source IP
- Action
- Risk weight definition
Radware's Built-in SEM Engine: Customer Report
Per-customer scheduled reports & alarms:
- Scheduled security reports
- Scheduled forensics reports
- Event correlation & alarms
PCI Compliance Summary Report
(report columns: Analysis, Info, PCI Requirement, Action Plan)
Emergency Response Team
Radware's SOC
Heads Up From SOC to Radware's RSM:
"We have been following the communications on various IRC channels used by the renowned Anonymous group. This is a heads up to let you know that www.ciu.cat is currently under DDOS attack by Anonymous. The attack is performed using the LOIC tool. Here is a screen shot of the tool connected to the hive mind mode: the attack is planned for 2/6/11 at 13:00 GMT+1 (France time)."
(screenshots: Target: Warner Music Group; Target: US Chamber of Commerce)
Counter Attack
"A counter-offensive is the term used by the military to describe large scale, usually strategic offensive operations by forces that had successfully halted an enemy's offensive, while occupying defensive positions. A counter-offensive is considered to be the most efficient means of forcing the attacker to abandon offensive plans." - Clausewitz
Radware's ERT Fights Back
- 1st step: AMS automatic defenses
- 2nd step: ERT's counterattack
(diagram: attackers choked before reaching the protected servers)
Radware's ERT Fights Back
ERT has identified LOIC's weak point: an advanced discard action chokes the LOIC attack tool, and many attackers volunteer to quit.
By discarding a single packet at a certain offset position in the TCP stream, the mitigation layer causes the attackers' machines to spend more than expected compute cycles managing more simultaneous connections. After about 10 minutes of this discard action, attackers complained in the Anonymous IRC channel about the tool slowing down their computers or LOIC crashing after a period of attack. Volunteers started to quit and attack volume was significantly decreased.
Radware's ERT Fights Back: How Does It Work
(chart: congestion window [bytes] against transmission time 0, 1, 2 sec for a normal attack connection; the data is transmitted within the short transmission time)
Radware's ERT Fights Back: How Does It Work
(chart: congestion window [bytes] against transmission time 0 to 4 sec; advanced packet discarding causes one connection to spread over more time: the data is fragmented into smaller pieces, each of the 1st, 2nd, 3rd and 4th data packet discards shrinks the window again, and the result is a long transmission time)
Testimonials
"Hello ERT, We had an attack Monday night directly pointed to Istanbul Police web sites and Cyber Crime Division web sites which is our customer (DefensePro, AppDirector, AppWall), to protest Anonymous arrestments in Turkey (http://www.bbc.co.uk/news/technology-13762626). We just watched the attacks and DefensePro easily eliminated the attacks. We didn't even see any latency during the attacks. Istanbul Police is thankful to us and to you. While most of the state websites get unresponsive during the attacks, they didn't feel anything. I really appreciate your partnership and dedication for supporting us. Thank you,"
"Of all the sites these miscreants pointed their "weapons" at, XXX was the only revenue-generating service that was targeted, and the only one that stayed up. I just wanted to send a quick note privately to make sure you are all aware that the DefensePro has been a key hardware component, no, THE key hardware component keeping our site online. We couldn't have done it without Radware. My team has also asked me to make sure we recognize the huge contributions of Radware's ERT who was essentially part of our team 24x7 during these attacks. One of the toughest critics on our team put it like this: "This is a testament of them caring about their customers. They are in a business of making people happy in a crisis and they achieved it with flying colors. I am glad that we have Radware as part of our critical infrastructure. Truly a superior product!!""
AMS Deployment & Control Options
Layered Security Needs
- Anti-DoS: volumetric attacks
- NBA, IPS: Low & Slow, stateful-based application attacks & intrusions
- WAF: directed web attacks
(diagram: DefensePro in the anti-DoS scrubbing center, DefensePro and AppWall in front of the virtual DC and the CI DC)
Layered Security Deployment Options
Layers: Anti-DoS, NBA, IPS, WAF (also available as WAF VA)
Deployment modes shown: inline, LOOP, copy, out-of-path, bridge, T-proxy, ADC reverse proxy / cluster
(diagram: DefensePro in the anti-DoS scrubbing center, DefensePro and AppWall in front of the virtual DC and the CI DC)
DP Local Out of Path (LOOP): Peacetime
(diagram: the intelligent switch copies datacenter traffic to DefensePro, which sits out of the data path)
- Learning & attack detection on the copied traffic: network DoS, application DoS, network scanning & malware propagation, application scanning, service cracking
DP Local Out of Path (LOOP): Attack Time
(diagram: DefensePro sends a dynamic redirect command to the intelligent switch, which redirects the attacked traffic through DefensePro while the copy continues)
- Learning & attack detection continue: network DoS, application DoS, network scanning & malware propagation, application scanning, service cracking
- Redirection is done per attack target only (IP, VLAN, L4 port, ...)
- Inline mitigation only under attack
AppWall Cluster Deployment
(diagram: DefensePro, a load balancer (AD / Alteon), a switch, the AppWall cluster, and the web and application servers)
ADC solution:
- Traffic redirection of web application traffic only
- High availability, health monitoring and scalability of AppWall
Unified Situational Cloud Awareness
- Unified situational awareness
- Pro-active threat detection & mitigation
- Dynamic risk mitigation engine
- Log management
- Compliance
- ROI reports: reduce cost
(diagram: virtual DC, CI DC and anti-DoS scrubbing center under one management view)
Customer Success
Online Business Case: Reservation Site
From the news: Pizza DDoS attack hits German sites
- More than 100,000 botnet clients have been making mass page requests
- Targeted 31 German sites: pizza reservation sites such as pizza.de, real estate sites, travel reservation sites
About the customer:
- Large online travel site in Germany
- Offers low-cost flights, hotels and car rental deals
AMS in action: customer fully protected against the Pizza Bot attacks!
Critical Infrastructure Customer Case
Business requirements:
- Smooth and secure migration of its legacy voice infrastructure to pure VoIP technology
- Mobile service protection
Why AMS?
- Network DDoS protection
- SIP- and DNS-focused protections
- Mobile infrastructure protection
- Accurate detection and prevention
About the customer:
- Austria's leading telco provider
- 5.1 million mobile customers
- 2.3 million fixed access lines
- Over 5 billion in yearly revenues (2010)
MSSP Customer Case
Business requirements:
- Offer value-added DDoS protection for their hosted data center customers
Why AMS?
- Best & proven coverage against all types of DDoS attacks
- Most accurate attack detection and mitigation
- Advanced reporting per customer
About the customer:
- A major telecommunications provider in North America
- Over $15 billion revenue (2010)
Radware Security Expertise: ERT Cases (1 of 2)
Radware ERT helped the High Council for Telecommunications (TIB) achieve full protection against Anonymous attacks.
- The Anonymous group published a poster calling its fans to attack a Turkish government agency
- Target: High Council for Telecommunications (TIB)
- When: June 9th (Thursday) 2011 at 6PM
- Attack tool: Low Orbit Ion Canon (LOIC)
- Type of attack: multi-vulnerability campaign: HTTP GET flood attack, TCP connection flood on port 80, SYN flood attack, UDP flood attack
Radware Security Expertise: ERT Cases (2 of 2)
Radware ERT helped Istanbul police achieve full protection against Anonymous attacks.
- The Anonymous group attacked Istanbul police in revenge for the arrests
- Target: Istanbul police site
- When: June 13th 2011
- Attack tool: Low Orbit Ion Canon (LOIC)
- Type of attack: multi-vulnerability campaign
Istanbul police integrator: "We just watched the attacks and DefensePro easily eliminated the attacks. We didn't even see any latency during the attacks. Istanbul Police is thankful to us and to you. While most of the state websites get unresponsive during the attacks, they didn't feel anything."
Hong Kong Stock Exchange Attacked: From the News
"Since the interruption, HKEx's Information Technology team has been working closely with local and overseas security experts to investigate the cause of the attack and restore normal service."
ERT Case Invoked
- HKSE site was attacked on the morning of August 10th
- Web site crashed due to the attack
- Radware Hong Kong office immediately shipped an attack mitigation device on site
- ERT opened a war room, performing: attack analysis, device remote configuration, 24x7 inspection
Analysis: Multi-Vulnerability Attack Campaign
(table: attack, impact, equipment bottleneck)
- UDP flood: equipment bottleneck (1)
- SYN flood, TCP connection flood: consume TCP stack resources
- HTTP page flood: consume web application server resources
(1) Firewall crashed under the attack
Behavioral Technology Protects HKSE
(screenshots: UDP traffic monitoring)
- UDP flood attack detected
- UDP flood attack mitigated by the Behavioral DoS feature in seconds
TCP Connection Flood Mitigation
(screenshots: legitimate traffic monitoring)
- TCP connection flood detected and mitigated immediately
Summary
Summary: Radware AMS Differentiators
Best security solution for online businesses:
- DoS protection
- Network behavioral analysis (NBA)
- Intrusion prevention (IPS)
- Reputation Engine service
- Web application firewall (WAF)
- Built-in SEM engine
Emergency Response Team (ERT):
- 24x7 service for immediate response
- Neutralizes DoS/DDoS attacks and malware outbreaks
Lowest CapEx & OpEx:
- Multitude of security tools in a single solution
- Unified management and reporting
"Radware offers low product and maintenance cost, as compared with most competitors." Greg Young & John Pescatore, Gartner, December 2010
Summary
- Attackers deploy multi-vulnerability attack campaigns
- Organizations deploy point security solutions
- Attackers seek blind spots
Radware offers the Attack Mitigation System (AMS):
- The only solution that can defend against emerging cyber-attack campaigns
- No blind spots in perimeter security
- The only attack mitigation solution that keeps your business up!
- Online business protection, data center protection, MSSP
Thank You www.radware.com