Data Centers Protection from DoS attacks. Trends and solutions. Michael Soukonnik, Radware Ltd michaels@radware.com Riga. Baltic IT&T. 21.04.


Data Centers Protection from DoS attacks. Trends and solutions Michael Soukonnik, Radware Ltd michaels@radware.com Riga. Baltic IT&T. 21.04.2010

Cybercrime Trends

Types of DoS attacks and classical ways of mitigation
- Non-legitimate usage of applications (DDoS): shows up as abnormal network behavior; classical mitigation is rate limiting.
- DoS attacks against vulnerabilities: classical mitigation is static signatures (IPS).

Hackers' Change in Motivation
Attack risk has risen over time (2001 to 2009) as the motivation moved from vandalism and publicity, through hacktivism, to financially motivated attacks:
- 2001: CodeRed (defacing IIS web servers); Nimda (installed a Trojan)
- 2003: Blaster (attacking Microsoft's web site); Slammer (exploiting MS SQL Server)
- 2004: Agobot (DoS botnet); DoS against a Republican web site
- 2007: Storm, Srizbi and Rustock (botnets); DoS against Estonia's web sites
- 2008: Kraken (botnet); DoS against Georgia's web sites
- July 2009: cyber attacks against US and Korean sites

Cyber Crime Organizational Chart
- Criminal boss
- Botnet / crimeware operator
- Campaign managers, running: flooder, spammer, data theft, extortion, activism, phishing, stock scams
- Downstream customers: advertisers, dump resellers

Data Center Security Trends
- Hackers' motivation has changed from vandalism to financially-motivated attacks.
- Botnets are the main tool against businesses.
- Organized crime manages cybercrime activities, targeting extortion of online businesses and financial fraud.
- Emerging network attacks misuse applications and services:
  - Non-vulnerability-based attacks that use legitimate application services for malicious activity.
  - Each attack session behaves like a legitimate user transaction.
  - They cannot be detected by a static signature, because the attack does not exploit a vulnerability in the application.
  - Examples: DDoS, HTTP page floods, brute force, application vulnerability scanning.

Botnet evolution chart (horizontal axis: blending into common traffic, poor to excellent; vertical axis: single point of failure (SPOF) resiliency, poor to excellent):
- Early botnets (poor blending, low resiliency): Trin00 (1999), Agobot (2004)
- HTTP botnets (better blending): Rustock (2006), Black Energy 1.7 (2007), Twitter botnet (2008)
- P2P botnets (high SPOF resiliency): Storm (2007), Conficker D,E (2009)
- Also plotted: PathBot (2004), Kraken (2008), Conficker A,B,C (2008)
- The upper-right corner (excellent blending and excellent resiliency) is still a vacuum: are such "Turbot NG" botnets possible?

Your IPS is Vulnerable

Zero-Minute Attacks: Vulnerability-Based Threat Lifecycle
Attack spread velocity and risk over time (spread curve per the Random Constant Spread (RCS) model (*)):
- Zero-minute threats (from attack outbreak at time 0 until the vendor fix, roughly 2-4 days): newly discovered vulnerabilities; no signature exists yet. This is an exposure period; another approach is required.
- Known threats (from the vendor fix to roughly 6-12 months): signature detection is the most accurate protection and reporting technology.
- Old attacks (2-4 years): very low and steady spread; retired attacks are removed from default signature profiles due to performance considerations. This reopens an exposure period; another approach is required.

IPS Standard Feature Set
- Signature detection: protects against known application vulnerabilities (worms, Trojans, mail and web vulnerabilities, VoIP, etc.)
- Periodic signature updates: against newly discovered vulnerabilities
- In-line operation
- Overload mechanism: against high load conditions
Reference topology: Internet - Access Router - IPS - Firewall - L2/L3 Switch - Web Servers

Bot-enabled Attack Scenario: Typical DDoS Flood
The attacker sends a bot command through the command and control channel; DoS bots (infected hosts) flood the public server over the Internet, on the same path legitimate users take.
Attack characteristics:
- High packets-per-second (PPS) rate
- High connections-per-second (CPS) rate
- Small packets

Why Your IPS is Vulnerable
Topology: Access Router - Network Security (IPS device, firewall) - L2/L3 Switch - Web Servers. DDoS traffic drives the IPS CPU from its normal 10%-50% to 100%: the device exhausts its maximum PPS capacity well before reaching its maximum throughput capacity [Gbps]. Your IPS is vulnerable: any botnet can paralyze your network protections!

IPS Vulnerability Threat: Blocking Users
IPS overload condition (CPU 100%): the device drops packets randomly, latency increases and sessions are blocked. Your IPS blocks users.

IPS Vulnerability Threat: No Network Protection
"I was told that the IPS overload mechanism will resolve cases of high volume traffic. But now I understand it simply allows the flux in." (Data Center manager, SafeHosting.com Ltd.)
IPS overload condition (CPU from 10%-50% to 100%): the device falls into L2 bypass mode and all traffic is forwarded. The signature engine is bypassed, so there is no network protection: DDoS, intrusion and server cracking attacks evade into your network without inspection.
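To make the packets-per-second argument of the three slides above concrete, here is an added example (not Radware's code or figures). It computes how many frames per second a link carries at a given frame size, the offered bandwidth at which an inspection engine rated in PPS saturates, and what each overload behaviour (random drop versus L2 bypass) means for the traffic. The 20-byte preamble plus inter-frame gap and the 64-byte minimum frame are standard Ethernet facts; the generic IPS rating of 1 Mpps / 2 Gbps is an assumption, and the 10 Mpps / 12 Gbps pair is taken from the DefensePro slide later in this deck.

```python
"""Packets per second, not gigabits per second, is the limit a flood hits first.

Added example (not Radware code). Ethernet framing constants are standard;
the device ratings used in main() are assumptions for illustration.
"""

ETH_OVERHEAD_BYTES = 20  # preamble + start delimiter (8) and inter-frame gap (12)
MIN_FRAME_BYTES = 64     # smallest legal untagged Ethernet frame


def line_rate_pps(bits_per_second, frame_bytes):
    """Frames per second a link carries when every frame is frame_bytes long
    (wire occupancy = frame + preamble + inter-frame gap)."""
    return bits_per_second / ((frame_bytes + ETH_OVERHEAD_BYTES) * 8)


def saturating_gbps(max_pps, frame_bytes):
    """Offered bandwidth at which an engine rated for max_pps reaches 100% CPU
    when all traffic consists of frame_bytes-sized packets."""
    return max_pps * (frame_bytes + ETH_OVERHEAD_BYTES) * 8 / 1e9


def binding_limit(max_pps, max_gbps, frame_bytes):
    """Which datasheet figure is exhausted first for this frame size."""
    return "pps" if saturating_gbps(max_pps, frame_bytes) < max_gbps else "gbps"


def overload_outcome(offered_pps, max_pps, mode):
    """Fractions of offered traffic that are inspected, dropped and forwarded
    uninspected once offered_pps exceeds max_pps.
    mode 'drop'   = fail-closed: the excess is dropped at random (slide 13)
    mode 'bypass' = fail-open: L2 bypass forwards everything uninspected (slide 14)
    """
    if offered_pps <= max_pps:
        return {"inspected": 1.0, "dropped": 0.0, "uninspected": 0.0}
    if mode == "drop":
        inspected = max_pps / offered_pps
        return {"inspected": inspected, "dropped": 1.0 - inspected, "uninspected": 0.0}
    if mode == "bypass":
        return {"inspected": 0.0, "dropped": 0.0, "uninspected": 1.0}
    raise ValueError("mode must be 'drop' or 'bypass'")


if __name__ == "__main__":
    # Assumed generic IPS: rated 1 Mpps and 2 Gbps.
    ips_pps, ips_gbps = 1_000_000, 2.0
    for size in (MIN_FRAME_BYTES, 512, 1500):
        print(f"{size:>5}-byte frames: 1 Gbps = {line_rate_pps(1e9, size):,.0f} pps; "
              f"IPS saturates at {saturating_gbps(ips_pps, size):.2f} Gbps "
              f"({binding_limit(ips_pps, ips_gbps, size)} limit binds)")
    # Slide 20 figures: 10 Mpps of attack traffic, 12 Gbps of inspection.
    print("DefensePro 10 Mpps / 12 Gbps, 64-byte flood binds on:",
          binding_limit(10_000_000, 12.0, MIN_FRAME_BYTES))
    # A 3 Mpps SYN flood against the assumed 1 Mpps IPS, both failure modes:
    print(overload_outcome(3_000_000, ips_pps, "drop"))
    print(overload_outcome(3_000_000, ips_pps, "bypass"))
```

One gigabit of 64-byte frames is about 1.49 million packets per second, while one gigabit of 1500-byte frames is about 82 thousand; an engine rated for 1 Mpps therefore saturates at roughly 0.67 Gbps of minimum-size packets, a third of its 2 Gbps rating. Even the 10 Mpps figure saturates at 6.72 Gbps of 64-byte frames, so for a small-packet flood the PPS rating, not the 12 Gbps rating, is the number to size against.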

IPS Vulnerability Threat: Summary
DDoS attacks threaten the online industry: e-commerce, government and critical infrastructure. Existing IPS vendors force you to make compromises that are not acceptable: when your network is under attack you have to choose between blocking legitimate users and dismantling your network protections.

Product Announcement: APSolute Immunity with Booster Shot

Radware: The Smart Choice
APSolute Immunity with Booster Shot eliminates the compromises the IPS industry forces you to make when your network is under attack.

Introducing Radware DefensePro
Radware DefensePro is a real-time intrusion prevention system (IPS) and DoS protection device. It protects your application infrastructure against known attacks and, using behavioral-based real-time signatures, against emerging zero-minute and non-vulnerability network attacks that a static-signature IPS cannot detect.

DefensePro APSolute Immunity
Client behavioral analysis, server behavioral analysis and network behavioral analysis feed the APSolute Immunity Engine, which produces automatic real-time signatures (a real-time signature within 18 seconds). In parallel, the static signatures from the Vulnerability Research Center and the protocol anomaly and rate-limit protections remain in place.

Next Generation DefensePro: IPS+DoS Architecture
- Standard IPS solution: static signature engine (DPI)
- APSolute Immunity: real-time signatures engine (multiple CPU cores)
- APSolute Immunity booster: real-time signatures are injected into ASIC-based DoS mitigator engines to prevent high-volume attacks, up to 10 million PPS of attack traffic
- DefensePro On-Demand Switch 3: up to 12 Gbps of network traffic inspection, 4,000,000 concurrent sessions, latency below 100 microseconds

The Secret Sauce: How The Engine Works
Inbound traffic from the public network and outbound traffic from the enterprise network pass through the inspection module. Inputs on the network, the servers and the clients feed the behavioral analysis; abnormal activity detection triggers real-time signature generation; the signature is fed back into the inspection module (closed feedback loop), optimized while the attack continues, and removed when the attack is over.

Standard Security Tools: HTTP Flood Example
Case: HTTP page flood attack. The attacker issues a bot command through an IRC server; HTTP bots (infected hosts) misuse the service resources of the public web servers over the Internet.
Static signature approach:
- No solution for low-volume attacks, as the requests are legitimate
- Connection limit against high-volume attacks: agnostic to the attacked page, blocks legitimate traffic, high false positives

Real-Time Signatures: Accurate Mitigation
Case: HTTP page flood attack (attacker, IRC server and HTTP bots as before, misusing the public web servers' service resources).
- Behavioral pattern detection (1): based on probability analysis, identify which web page (or pages) has higher than normal hits.
- Behavioral pattern detection (2): identify abnormal user activity. For example, normal users download few pages per connection, abnormal users download many pages per connection.
- Real-time signature: block abnormal users' access to the specific page(s) under attack.

Real-Time Signatures: Resistance to False Positives
Case: flash crowd access by legitimate users.
- Behavioral pattern detection (1): based on probability analysis, identify which web page (or pages) has higher than normal hits.
- Behavioral pattern detection (2): no abnormal user activity is detected.
- APSolute Immunity: alert on abnormal web hits; no real-time signature is generated; no legitimate user will be blocked!
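The two detection steps on the last two slides, and the flash-crowd distinction between them, can be written down as a small model. The following is an added example, not Radware's engine or code: it scores each page's hit count against the baseline page mix with a binomial z-score (one way to do the "probability analysis" the slide mentions), then looks at requests per connection for the clients that touched the hot page. The traffic, log layout, z threshold of 4 and the "three times the busiest baseline client" tolerance are all constructed assumptions for illustration.

```python
"""Behavioral HTTP page-flood detection with flash-crowd resistance.

Added example (not Radware code). Traffic records are (client_ip, connection_id,
path) tuples constructed below; thresholds are illustrative assumptions.
"""
from collections import Counter, defaultdict
import math

PAGES = ["/", "/news", "/products", "/login", "/about"]


def normal_clients(n_clients, prefix, conns=2, pages_per_conn=3):
    """Constructed baseline behaviour: each client opens a few connections and
    fetches a few pages on each, spread evenly over the site."""
    reqs = []
    for c in range(n_clients):
        ip = f"{prefix}.{c // 250}.{c % 250 + 1}"
        for k in range(conns):
            conn = f"{ip}:{40000 + k}"
            for j in range(pages_per_conn):
                reqs.append((ip, conn, PAGES[(c + k + j) % len(PAGES)]))
    return reqs


def bots(n_bots, page, hits):
    """Constructed HTTP bots: one connection each, hammering a single page."""
    return [(f"203.0.113.{b + 1}", f"203.0.113.{b + 1}:50000", page)
            for b in range(n_bots) for _ in range(hits)]


def flash_crowd(n_clients, page):
    """Constructed flash crowd: many new clients, each fetching the hot page
    twice on one connection, i.e. behaving like ordinary users."""
    reqs = []
    for c in range(n_clients):
        ip = f"198.51.{c // 250}.{c % 250 + 1}"
        reqs += [(ip, f"{ip}:51000", page)] * 2
    return reqs


def abnormal_pages(baseline, window, z_threshold=4.0):
    """Detection (1): pages whose hit count in the window is improbably high
    given the baseline page mix. Each page is a binomial with success
    probability p (its baseline share); z = (k - np) / sqrt(np(1-p))."""
    base_counts = Counter(path for _, _, path in baseline)
    total_base = sum(base_counts.values())
    floor = 1.0 / (total_base + 1)  # share assumed for pages unseen in the baseline
    counts = Counter(path for _, _, path in window)
    n = sum(counts.values())
    flagged = {}
    for page, k in counts.items():
        p = base_counts.get(page, 0) / total_base or floor
        if p >= 1.0:
            continue  # a single-page baseline cannot be scored this way
        z = (k - n * p) / math.sqrt(n * p * (1 - p))
        if z > z_threshold:
            flagged[page] = round(z, 1)
    return flagged


def requests_per_connection(requests):
    """Average requests a client issued per connection it opened."""
    per_client = defaultdict(lambda: [0, set()])
    for ip, conn, _ in requests:
        per_client[ip][0] += 1
        per_client[ip][1].add(conn)
    return {ip: n / len(conns) for ip, (n, conns) in per_client.items()}


def abnormal_clients(baseline, window, pages, factor=3.0):
    """Detection (2): among clients that touched the attacked pages, those
    fetching far more pages per connection than any baseline client did."""
    limit = max(requests_per_connection(baseline).values()) * factor
    touched = {ip for ip, _, path in window if path in pages}
    rpc = requests_per_connection(window)
    return sorted(ip for ip in touched if rpc[ip] > limit)


def analyze(baseline, window):
    """Outcome: 'none', 'alert' (hot page, normal clients = flash crowd, no
    signature) or 'signature' (hot page + abnormal sources to block on it)."""
    pages = abnormal_pages(baseline, window)
    if not pages:
        return {"action": "none", "pages": {}, "sources": []}
    sources = abnormal_clients(baseline, window, set(pages))
    return {"action": "signature" if sources else "alert",
            "pages": pages, "sources": sources}


BASELINE = normal_clients(40, "10.0")
ATTACK = BASELINE + bots(4, "/login", 60)      # page flood on /login
CROWD = BASELINE + flash_crowd(300, "/news")   # legitimate surge on /news

if __name__ == "__main__":
    for name, window in (("quiet", BASELINE), ("flood", ATTACK), ("crowd", CROWD)):
        print(name, analyze(BASELINE, window))
```

Against the constructed traffic the quiet window yields no action, the flood yields a signature naming only "/login" and the four bot addresses (every normal client that also visited "/login" stays unblocked), and the flash crowd flags "/news" but produces only an alert, because none of its clients exceed the per-connection behaviour seen in the baseline.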

Thank You