Kona Site Defender Product Description November 2013
TABLE OF CONTENTS
Introduction
  Kona Site Defender Overview
  Kona Site Defender Features
DDoS Mitigation
  DDoS Fee Protection
Web Application Firewall (WAF)
  Network Layer Controls
  Application Layer Controls
  Custom Rules
  Akamai Common Rules
Rate Controls
Real Time Reporting
Site Shield
Adaptive Caching
Site Failover
Access Controls
NetStorage
Log Delivery Service
Security Monitor
Compliance Management
User Validation (Optional)
DNS Security (Optional)
  Enhanced Domain Name Service (EDNS)
Kona Site Defender Service Management Package (Optional)
  Kona Site Defender Service Management Package
  Kona Site Defender Log File and Configuration Review
INTRODUCTION

KONA SITE DEFENDER OVERVIEW
Kona Site Defender leverages a multi-layered toolset designed to defend against sophisticated attacks employing multiple methodologies. Akamai's DDoS defense capabilities are always on, which allows the solution to adapt to the unique nature of each attack method in real time. Moreover, Akamai's view of 20-25% of the world's Internet traffic provides a unique view into the threat landscape and serves as an underpinning for constantly evolving rules and updates. Customers can thus continually strengthen their defense posture against DDoS without having to make changes to their infrastructure.

Kona Site Defender relieves customers of the technical and operational hassles involved in mitigating DDoS, Web application and direct-to-origin attacks. Customers leverage Akamai's years of extensive experience in addressing large-scale Web site attacks for quicker time to mitigation. Akamai's expert services team is available to work with customers in integrating the components of the solution to maximize security. Kona Site Defender can be configured to send email alerts to both designated customer contacts and Akamai personnel. Akamai Customer Care is available 24/7 to assist with customer calls.

KONA SITE DEFENDER FEATURES
Kona Site Defender includes the following: mitigation of Distributed Denial of Service (DDoS) attacks at the network and application layers; a full-featured Web Application Firewall; origin cloaking (protection against direct-to-origin attacks); adaptive caching; site failover; access control; NetStorage; Log Delivery Service; the ISO 27002 compliance management module; and the Security Monitor.

The Kona Site Defender Service Management Package, the HTTPS option, Enhanced DNS (EDNS), GTM, and other compliance management modules are NOT part of Kona Site Defender and must be ordered separately.
Kona Site Defender:
- Is available to customers with Aqua Ion, DSA, DSD, RMA, WAA, Terra Alta and existing EdgeSuite implementations
- Can be sold standalone for use with sites that do not currently need acceleration

The Kona Site Defender Service Management Package is recommended for all sales.

DDoS Mitigation
Kona Site Defender leverages the Akamai Intelligent Platform to detect and block malicious traffic at the edge of the Internet, enabling Akamai to stop DDoS attacks at both the application and network layers. The Akamai Intelligent Platform is architected as a reverse proxy and only accepts traffic on ports 80 (HTTP) and 443 (HTTPS). Because the platform terminates every connection itself, network layer (Layers 3 and 4) DDoS attacks are dropped at the edge and never reach the customer origin; this includes UDP fragments, ICMP floods, SYN floods, ACK floods, RESET floods and UDP floods. The platform also absorbs DDoS traffic targeted at the application layer, such as GET floods, and validates legitimate traffic at the network edge. Protection is also provided against HTTP slow-client ("drip feed") DDoS attacks such as Slowloris (sending partial HTTP requests that proliferate endlessly, update slowly and never close) and other application layer attacks such as RUDY (R-U-Dead-Yet). HTTP/S traffic is routed natively in path with minimal to no added latency and no single point of failure. Note that this protection covers traffic that reaches the origin through the platform; blocking traffic sent directly to the origin is the role of Site Shield, described below.

DDoS Fee Protection
Attack traffic usually exceeds normal traffic by several orders of magnitude, causing unexpected levels of traffic on the Akamai Intelligent Platform. DDoS Fee Protection provides protection against the resulting bursting fees by allowing customers to request a credit on invoice following a DDoS attack. For the month in which an eligible attack occurs, actual burst fees are replaced with the capped burst fee amount by issuing a credit memo. DDoS bursting fees are capped at $5,000 for an unlimited number of attacks per month. Flexible caching provides offload from origin servers.

Web Application Firewall (WAF)
Kona Site Defender includes a WAF that provides a highly scalable layer of protection against application layer (Layer 7) attacks. The Web Application Firewall is implemented inline across a majority of Akamai's globally distributed Edge servers.
Akamai's WAF helps detect and deflect threats in HTTP and HTTPS traffic, issuing alerts or blocking attack traffic near its source.

Network Layer Controls
The WAF provides the ability to enforce customer-defined IP whitelists and blacklists. List updates are propagated across Akamai's global network usually within 45 minutes, enabling rapid response to attacks.
- Allows or restricts requests from specific IP addresses to protect the customer origin from application layer attacks
- Implements IP blacklists and IP whitelists
- Geo blocking to mitigate DDoS attacks emanating from localized regions
- 10,000 CIDR (Classless Inter-Domain Routing) entries supported
- Named lists, e.g. Tor (The Onion Router) exit nodes

Application Layer Controls
The WAF includes a rich collection of pre-defined but configurable application-layer firewall rules, which Akamai maintains with regular updates, for categories such as Protocol Violations, Request Limit Violations, HTTP Policy Violations, Malicious Robots, Generic and Command Injection Attacks, Trojan Backdoors and Outbound Content Leakage.
- Implements the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set (CRS) 2.2.6
- Continues to support Core Rule Set 1.6.1
- Includes an upgrade wizard for existing customers to upgrade WAF policies from 1.6.1 to 2.2.6
- Includes anomaly scoring, whereby each matched rule contributes to an overall risk score for the request; alert/deny decisions are made on the total score rather than on any single rule
- Enables inspection of HTTP request/response headers and HTTP POST request/response bodies through a series of cascading regular-expression rules, in order to protect against attacks such as SQL injection and cross-site scripting

Rule groups:

Protocol Violations: Some protocol violations are common in application layer attacks. Validating HTTP requests eliminates a large number of application layer attacks.
Protocol Anomalies: Some common HTTP usage patterns are indicative of attacks but may also be used by non-browsers for legitimate purposes.
Request Limits: Limiting the size and length of different HTTP protocol attributes, such as the number and length of parameters or the overall length of the request, can prevent many attacks, including buffer overflow and injection attacks. This rule set enables the user to set limits on many different attributes. Please note, however, that since such limits are application- and site-specific, the default rule file must be edited manually to provide them.
HTTP Policy: Enforces protection for standard request methods, Content-Types, file extensions, etc.
Bad Robots: Detects requests by malicious automated programs such as robots, crawlers and security scanners. Malicious automated programs collect information from a Web site, consume bandwidth, and might also search for vulnerabilities on the Web site. Detecting malicious crawlers is especially useful against comment spam.
Generic Attacks: Detects application-level attacks such as those described in the Open Web Application Security Project (OWASP) Top Ten Project (www.owasp.org). This includes attacks such as PHP and Adobe ColdFusion injection attacks. Formerly, in CRS version 1.6.1, this group also included SQL injection and XSS attacks; those are now in their own respective groups.
SQL Injection Attacks: New to the 2.x CRS; specifically covers SQL injection attacks.
XSS Attacks: New to the 2.x CRS; specifically covers cross-site scripting attacks.
Tight Security: Provides rules that screen user-supplied inputs for malicious content or characters that leverage insufficient validation at the origin.
Trojans: Detection of attempts to access Trojans already installed on the system.
Outbound (Leakage): Prevents application error messages and code snippets from being sent to the user. This makes attacking the server much harder and is also a last line of defense if an attack passes through.

Custom Rules
This feature enables customers to create Akamai metadata-based rules that are enforced before or after the execution of the application layer rules. Custom rules can serve as virtual patches, in which newly discovered Web site vulnerabilities are mitigated quickly before standard rules are defined in the WAF.
- Create policy-based rules that are enforced before or after the execution of the application layer controls
- Serve as virtual patches for new Web site vulnerabilities while the application is patched and redeployed over time
- Configuration is done via WAF Fast Channel

Akamai Common Rules
Akamai Professional Services has developed rules over the course of the past two years that address some of the most recent threats and attacks against Akamai's hundreds of customers. These rules are updated regularly by Akamai's Threat Intelligence team and are available to all Kona Site Defender customers. The rules protect against attacks and tools such as Low Orbit Ion Cannon, High Orbit Ion Cannon, HULK, Dirt Jumper, Havij SQL Injection Tool, Netsparker, ApacheBench, Webhive, et al. Common Rules are available alongside the ModSecurity CRS rules.

Rate Controls
Kona Site Defender enables a customer to protect both their Web sites and applications against DDoS attacks by monitoring and controlling the rate of requests against the Akamai Intelligent Platform and the customer origin. Rate categories can be incorporated as WAF rules, enabling the customer to dynamically alert on and/or block clients exhibiting excessive request rates. Requests are controlled based on behavior pattern, not request structure. Customers can reduce false positives by keying the rate control on user agent, cookies and session ID in addition to the source address; this allows the Akamai edge server to differentiate between bots and proxies and to identify an attacker hiding behind a proxy that also serves legitimate users. Kona Site Defender can respond to bursts of requests within seconds.

Rate Controls further protect customers by mitigating Slow POST DDoS attacks. POST requests are not sent to the origin until the POST body has completed at the edge; POST bodies that take too long to complete are terminated.

Real Time Reporting
Kona Site Defender supports a logging protocol called Real-Time Reporting. This is an HTTP POST mechanism for sending security events in real time to a log management or SIEM (Security Information and Event Management) solution at the customer origin.

Site Shield
Kona Site Defender includes the ability to cloak (hide) a customer origin from the public Internet, adding an additional layer of security protection without impeding the quick and reliable delivery of content, regardless of end-user location. It is designed to prevent direct-to-origin attacks, using SiteShield, a form of cache hierarchy that is implemented as a map of Akamai servers.
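The anomaly-scoring model described under Application Layer Controls, and the behavior-keyed rate control and Slow POST handling described under Rate Controls, as one added worked example in Python. This is illustrative code written for this page, not Akamai's or the OWASP CRS's own rules; the rule patterns, scores, thresholds, the session cookie name "sid", the window sizes and the sample requests are all constructed assumptions.

```python
"""Edge request policy, as a worked illustration of two Kona Site Defender mechanisms:
anomaly scoring (every matched rule adds to a per-request score; alert/deny is decided
on the total) and behavior-based rate control with a Slow POST deadline.
Illustrative code written for this page; rules, scores, thresholds and samples are constructed."""
import re
from collections import defaultdict, deque

# (rule group, score, pattern). Scores follow the CRS 2.x severity convention
# (critical 5, error 4, warning 3, notice 2); the patterns are deliberately small.
RULES = [
    ("protocol_violations", 2, re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")),  # raw control bytes
    ("bad_robots", 2, re.compile(r"(?i)\b(sqlmap|nikto|havij|netsparker|apachebench)\b")),
    ("sql_injection", 5, re.compile(
        r"(?i)(\bunion\b[\s\S]{0,40}\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|--\s|/\*[\s\S]*?\*/)")),
    ("xss", 5, re.compile(r"(?i)(<script\b|javascript:|\bon(load|error|click|mouseover)\s*=)")),
]
ALERT_THRESHOLD = 2   # log the request as suspicious
DENY_THRESHOLD = 5    # block it at the edge


def score_request(path, query, headers, body=""):
    """Run every rule over the inspectable parts of the request (path, query string,
    headers and POST body). Each rule counts once; returns (total, matched groups)."""
    targets = [path, query, body] + [f"{name}: {value}" for name, value in headers.items()]
    total, matched = 0, []
    for group, score, pattern in RULES:
        if any(pattern.search(target) for target in targets):
            total += score
            matched.append(group)
    return total, matched


def decision(total):
    """The anomaly-scoring verdict: no single notice-level rule blocks, but several
    of them, or one critical match, cross the thresholds."""
    if total >= DENY_THRESHOLD:
        return "deny"
    if total >= ALERT_THRESHOLD:
        return "alert"
    return "pass"


class RateControl:
    """Sliding-window request counter keyed on who is sending, not on what is sent."""

    def __init__(self, window_s, alert_at, deny_at):
        self.window_s, self.alert_at, self.deny_at = window_s, alert_at, deny_at
        self._hits = defaultdict(deque)

    @staticmethod
    def client_key(peer_ip, headers):
        """Separate users who share one proxy or NAT address by session cookie and
        User-Agent (assumes the site's session cookie is named "sid"), so a single
        abuser behind a proxy is identified without blocking every user behind it."""
        cookies = {}
        for part in headers.get("Cookie", "").split(";"):
            if "=" in part:
                name, value = part.strip().split("=", 1)
                cookies[name] = value
        return (peer_ip, cookies.get("sid", ""), headers.get("User-Agent", ""))

    def record(self, key, now):
        """Count one request at time `now`; return pass/alert/deny for this client."""
        hits = self._hits[key]
        hits.append(now)
        while hits and now - hits[0] > self.window_s:
            hits.popleft()
        if len(hits) >= self.deny_at:
            return "deny"
        if len(hits) >= self.alert_at:
            return "alert"
        return "pass"


def read_post_body(chunks, content_length, deadline_s):
    """Buffer a POST body at the edge before anything is forwarded to the origin.
    `chunks` yields (arrival_time, bytes). Returns the complete body, or None when the
    client has not finished within the deadline (Slow POST / RUDY) and the connection
    should be closed without ever touching the origin."""
    buf = bytearray()
    started = None
    for arrived, data in chunks:
        started = arrived if started is None else started
        if arrived - started > deadline_s:
            return None
        buf += data
        if len(buf) >= content_length:
            return bytes(buf[:content_length])
    return None


if __name__ == "__main__":
    # Constructed sample requests: one critical match, one notice, two notices adding up.
    for path, query, headers in [
        ("/search", "q=1' OR '1'='1", {"User-Agent": "Mozilla/5.0"}),
        ("/", "", {"User-Agent": "sqlmap/1.4"}),
        ("/", "id=5\x00", {"User-Agent": "sqlmap/1.4"}),
    ]:
        total, groups = score_request(path, query, headers)
        print(decision(total), total, groups)
```

The point of the scoring half is the third sample: a scanner User-Agent alone only alerts, a raw control byte alone only alerts, but together they reach 4 and an operator tuning thresholds can see how notice-level rules accumulate without any one of them blocking. The rate-control half keys the bucket on (address, session cookie, User-Agent), which is what lets one abusive session behind a corporate proxy be denied while other sessions from the same address keep passing.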
In the standard configuration, access controls create an environment in which the origin site can only be accessed by IP traffic originating from a small subset of Akamai servers referred to as a SiteShield region. Access Control Lists (ACLs) at the customer's firewall allow only traffic from the SiteShield servers' IP addresses to contact the origin. This design results in no other machine on the Internet having the ability to communicate directly with the customer origin. At the same time, all of Akamai's distributed Edge servers continue to have complete access to the current content, because Akamai's SiteShield servers are configured to serve as the parent for all Akamai Edge servers for a specific customer's content. If an Akamai Edge server needs content that it cannot find from a peer, it requests the content from the SiteShield servers. In the event dynamic, uncacheable content is requested, the SiteShield server leverages Akamai's advanced routing and protocol acceleration technologies. As a result, legitimate end users should always be able to retrieve content quickly and reliably while the origin remains protected.

Note that the protection depends entirely on the origin ACL: the SiteShield map is a set of Akamai addresses that can change over time, so the customer's firewall rules must be updated whenever the map is updated, and the origin must not remain reachable through any path that bypasses the ACL.
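An added example (not Akamai's code) of the origin-side half of Site Shield: an nftables allowlist rendered from the SiteShield map, and an audit that diffs the firewall's current ACL against the map so that a map update, or a stale entry left behind by one, is caught. The CIDRs are RFC 5737 documentation ranges standing in for a real SiteShield map; the table, set and chain names and the port list are assumptions.

```python
"""Origin-side enforcement for Site Shield: an nftables allowlist built from the
SiteShield map, plus an audit that compares the firewall's ACL with the map.
Illustrative code written for this page; the CIDRs are RFC 5737 documentation
ranges, not a real SiteShield map."""
import ipaddress

# Constructed stand-in for the SiteShield map published for a customer's property.
SITESHIELD_MAP = ["192.0.2.0/24", "198.51.100.0/25"]
ORIGIN_PORTS = (80, 443)


def parse_cidrs(cidrs):
    """Parse CIDR strings; strict=True rejects host bits so a typo such as
    192.0.2.1/24 is caught instead of silently widened."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def peer_allowed(peer_ip, map_cidrs=SITESHIELD_MAP):
    """The decision the origin firewall must make: is this TCP peer a SiteShield server?"""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip.version == n.version and ip in n for n in parse_cidrs(map_cidrs))


def audit_acl(acl_cidrs, map_cidrs=SITESHIELD_MAP):
    """Diff the firewall allowlist against the current map.
    missing: map prefixes the ACL does not cover (legitimate SiteShield traffic dropped)
    extra:   ACL prefixes outside the map (direct-to-origin exposure)
    A map prefix counts as covered only when one ACL entry contains it whole."""
    acl, shield = parse_cidrs(acl_cidrs), parse_cidrs(map_cidrs)
    missing = [str(m) for m in shield
               if not any(a.version == m.version and m.subnet_of(a) for a in acl)]
    extra = [str(a) for a in acl
             if not any(a.version == m.version and a.subnet_of(m) for m in shield)]
    return missing, extra


def render_nftables(map_cidrs=SITESHIELD_MAP, ports=ORIGIN_PORTS):
    """Render a default-drop input chain that admits only SiteShield sources on the
    origin's HTTP/S ports (IPv4 prefixes only; table/set/chain names are assumptions)."""
    v4 = [str(n) for n in parse_cidrs(map_cidrs) if n.version == 4]
    return "\n".join([
        "table inet origin_shield {",
        "  set siteshield { type ipv4_addr; flags interval; elements = { "
        + ", ".join(v4) + " } }",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        f"    ip saddr @siteshield tcp dport {{ {', '.join(str(p) for p in ports)} }} accept",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    print(render_nftables())
    # Constructed example of a firewall that was not updated after the map changed:
    # it lacks one current prefix and still allows a retired one.
    print(audit_acl(["192.0.2.0/24", "203.0.113.0/24"]))
```

Run the audit from the same job that fetches the current map: a non-empty "missing" list means SiteShield parents are about to be refused, and a non-empty "extra" list means something other than the SiteShield region can still reach the origin, which is exactly the exposure Site Shield exists to remove.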
Adaptive Caching
Kona Site Defender caches static objects, honoring the cache-control headers sent by the customer origin in the same way a transparent proxy would. This provides origin defense against attacks that target URLs representing static content: requests for cached objects are answered at the edge and do not reach the origin.

Site Failover
Web sites that rely on centralized infrastructure often find that ensuring uptime is a continuous challenge. A typical solution involves mirroring a Web site at an alternate location; however, this approach creates additional capital and management costs. Site Failover frees companies from these limitations by storing and delivering Web site content from a global network of thousands of servers on the Akamai Intelligent Platform. With Site Failover, content remains available to requesting users.

Access Controls
Provides the ability to protect content and control access based on user details. Access is controlled by an access control system that authenticates users and enforces authorization policies.

NetStorage
Kona Site Defender includes NetStorage for the purpose of log retention. NetStorage is enabled by default and must be explicitly disabled if not wanted. Customers are limited to 10 GB of usage; under normal usage NetStorage traffic is not billed, and additional usage is subject to overage charges. The number of days for which logs are stored is configurable, with 30 days as the default.

Log Delivery Service
The Log Delivery Service (LDS) provides customers with logs generated from Kona Site Defender and Kona services. Customers configure how to receive their log deliveries in the Luna control portal. LDS delivers customer logs on a predetermined schedule, and most log files are delivered within a 24-hour period. Due to the distributed nature of Akamai's network, some log lines can be delayed and become part of a later delivery. Note that customers must configure the service to begin receiving logs from that point forward; logs are not available retroactively.
Security Monitor
The Security Monitor is a security data visualization solution that incorporates WAF and rate control data in real time, providing a dynamic interface in which users can visually investigate rule activity. It is an important tool for tuning WAF rules, and it significantly improves the customer's ability to investigate WAF activity by supporting advanced filtering, search and, eventually, notification functions. The Security Monitor also provides the capability to drill down into attack alerts to retrieve detailed information on who is attacking, what they are attacking, which defense capabilities triggered the attack declaration, and what specifically was seen in the requests that triggered site defenses.

Compliance Management
Kona Site Defender includes the ISO 27002 compliance management component. This component helps customers understand and validate how their relationship with Akamai impacts their own compliance initiatives. It includes a core base that addresses generic requirements, coupled with the ISO 27002 module.
USER VALIDATION (OPTIONAL)
Kona Site Defender validates whether clients attempting to access customer content are real browsers driven by real users, or bots. The module distinguishes between the two by asking the client to follow a redirect, execute JavaScript, solve a math problem, and set a cookie containing the answer to the math problem. If the client is able to do this, it is allowed to make requests to the origin. The check filters on client capability: a bot that does not follow redirects, execute JavaScript and manage cookies never obtains a valid cookie and is stopped at the edge.

DNS SECURITY (OPTIONAL)

Enhanced Domain Name Service (EDNS)
EDNS provides a secure, robust and scalable outsourced DNS solution designed to reliably direct end users to an organization's Web sites and applications. Configured as an authoritative secondary DNS service, EDNS is designed to enable the customer to leverage the performance, scalability and reliability of Akamai's distributed global name server platform without changing their existing DNS administration processes. Using EDNS, the customer's primary DNS servers are not directly exposed to end users, which mitigates the risk of cache poisoning and denial-of-service attacks against them. Moreover, EDNS leverages a number of technologies, including IP Anycast, secured zone transfers, router-protected name servers and non-BIND-based DNS software, to provide customers with a highly secure and fault-tolerant solution.

KONA SITE DEFENDER SERVICE MANAGEMENT PACKAGE (OPTIONAL)

Kona Site Defender Service Management Package
The Kona Site Defender Service Management Package is a Professional Services solution that provides ongoing expert assistance to keep your Kona Site Defender configuration up to date. It gives you access to Akamai's Web security experts: consultants familiar with the threat landscape and your Web security requirements, who help your team keep your Kona Site Defender setup optimized.
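The User Validation challenge described above, as an added Python example that is not Akamai's implementation. It assumes a signed, time-limited challenge token bound to the client address, so that a solved cookie can be verified statelessly at the edge and cannot be forged, replayed after expiry, or shared between bots at different addresses; the token format, the 60-second lifetime, the cookie name and layout, and the addresses used are assumptions made for this example.

```python
"""Challenge/response client validation: the edge redirects a new client to a page whose
script must solve a math problem and set a cookie with the answer; only a client presenting
a valid cookie is forwarded to the origin. Illustrative code, not Akamai's implementation."""
import hashlib
import hmac
import os
import random
import time

SECRET = os.urandom(32)   # per-deployment signing key (assumption: rotated out of band)
CHALLENGE_TTL = 60        # seconds a solved challenge stays valid (assumption)
COOKIE_NAME = "kv"        # assumed cookie name


def _sign(client_ip, a, b, exp):
    payload = f"{client_ip}|{a}|{b}|{exp}".encode()
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_challenge(client_ip, now=None, rng=random):
    """Return (challenge shown to the client, opaque token to echo back).
    The token carries the operands and expiry under an HMAC bound to the client
    address, so the edge can verify without server-side state and a cookie solved
    at one address is useless from another."""
    now = int(time.time() if now is None else now)
    a, b = rng.randint(100, 999), rng.randint(100, 999)
    exp = now + CHALLENGE_TTL
    token = f"{a}|{b}|{exp}|{_sign(client_ip, a, b, exp)}"
    return {"a": a, "b": b}, token


def browser_solves(challenge):
    """What the injected script does in a real browser; a bot that does not execute
    JavaScript never produces this value."""
    return challenge["a"] + challenge["b"]


def build_cookie(token, answer):
    return f"{token}|{answer}"


def verify_cookie(cookie, client_ip, now=None):
    """True only if the cookie carries an untampered, unexpired token for this client
    and the correct answer."""
    now = int(time.time() if now is None else now)
    try:
        a, b, exp, sig, answer = cookie.split("|")
        a, b, exp, answer = int(a), int(b), int(exp), int(answer)
    except ValueError:
        return False                     # malformed or forged cookie
    if not hmac.compare_digest(sig, _sign(client_ip, a, b, exp)):
        return False                     # signature does not match this client/challenge
    if now > exp:
        return False                     # stale cookie replayed after expiry
    return answer == a + b


def handle_request(cookies, client_ip, now=None):
    """Edge decision for one request: forward to the origin, or redirect to the challenge."""
    cookie = cookies.get(COOKIE_NAME)
    if cookie and verify_cookie(cookie, client_ip, now):
        return "forward"
    challenge, token = issue_challenge(client_ip, now)
    # In the real flow the redirect target serves a page whose script computes
    # challenge["a"] + challenge["b"], sets COOKIE_NAME to build_cookie(token, answer)
    # and reloads the original URL.
    return ("redirect", challenge, token)


if __name__ == "__main__":
    ip = "203.0.113.5"                              # constructed client address
    verdict = handle_request({}, ip)
    challenge, token = verdict[1], verdict[2]
    cookie = build_cookie(token, browser_solves(challenge))
    print(handle_request({COOKIE_NAME: cookie}, ip))
```

Without the signature a bot could skip the script entirely and set a cookie with any answer; without the expiry and address binding one solved cookie could be harvested once and replayed from a whole botnet for as long as the origin accepted it.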
Kona Site Defender Log File and Configuration Review
The Kona Site Defender Service Management Package helps you analyze the Kona Site Defender log files via a biannual Log File and Configuration Review. The review covers detailed analysis of your Kona Site Defender log files and configuration. Findings of the analysis are presented in an easy-to-consume report, which enables better understanding of the voluminous log data. The review focuses on three main areas:

False Positive Analysis: An analysis will be performed to identify those URLs that received valid requests but triggered WAF rules. A list of the URLs triggering such false positives will be provided for review. The False Positive Analysis helps determine the likelihood and impact of triggering false positives for each reviewed rule. This is important when you want to minimize the amount of legitimate (non-attack) traffic being blocked.

True Positive Analysis: An analysis will be performed to identify those URLs that received malicious requests and subsequently triggered WAF rules. A list of the URLs receiving (what appear to be) malicious requests will be provided for review.

Kona Site Defender Configuration Recommendations: Upon analysis of your Kona Site Defender configuration, Akamai security experts will make recommendations that can help reduce occurrences of false positives and improve Web site security in the case of true positives. These may include rule configuration changes, Web site configuration changes, and recommendations to use additional Kona Site Defender features.
Ongoing Expert Support
Examples of assistance include:
- Drafting a customer-specific Kona Site Defender run book
- Providing consultation and discussing best practices around specific change requests
- Evaluating proposed site changes and advising on the potential behavior of existing rules
- Analyzing events observed by you that have triggered alerts for existing rules
- Conducting post-security-incident analysis and updating the run book
- Managing Rate Control buckets and thresholds
- Implementing minor changes to the Kona Site Defender configuration

The Akamai Difference
Akamai is the leading cloud platform for helping enterprises provide secure, high-performing user experiences on any device, anywhere. At the core of the company's solutions is the Akamai Intelligent Platform, providing extensive reach coupled with unmatched reliability, security, visibility and expertise. Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To learn more about how Akamai is accelerating the pace of innovation in a hyperconnected world, please visit www.akamai.com and follow @Akamai on Twitter.

Akamai Technologies, Inc.
Global Headquarters: 8 Cambridge Center, Cambridge, MA 02142
Tel 617.444.3000, Fax 617.444.3001, U.S. toll-free 877.4AKAMAI (877.425.2624)
www.akamai.com
International Offices: Unterfoehring, Germany; Paris, France; Milan, Italy; London, England; Madrid, Spain; Stockholm, Sweden; Bangalore, India; Sydney, Australia; Beijing, China; Tokyo, Japan; Seoul, Korea; Singapore

© 2013 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice.