DDoS ochrana. Petr Lasek, RADWARE

Transkript

1 DDoS ochrana Petr Lasek, RADWARE

2 APSolute řešení RADWARE APSolute řešení dokáže zajistit pro Vaši síť a aplikace: - maximální dostupnost (Availability), - maximální výkon (Performance), - bezpečnost (Security) Slide 2

3 RADWARE Kontinuální růst Více než zákazníků USD Millions Projected 15% % 13% 5% 9% 7% % % % (Forecast) 13% 2% % % Globální partnerství

4 Reference 7 of the World s Top 14 Stock Exchanges & 12 of the World s Top 20 Commercial Banks Use Radware AMS!! 6 of the World s Top 20 Retailers & the NBA, NHL, MLB & Nascar use Radware AMS!! 4 of World s Top Telcos & 2 of the 10 Top Cloud Service Providers use Radware AMS!! 4

5 Aktuální bezpečnostní rizika

6 Bezpečnost Bezpečnost Slide 6

7 Co a před čím chrání? Protection Purpose Firewall IPS WAF Router ACLs Next Gen FW Anti-DoS Appliance (CPE) DLP Cloud Anti-DoS Data-At-Rest Protections (Confidentiality) Data-At-Endpoint (Confidentiality) Data-In-Transit (Confidentiality) Network Infrastructure Protection (Integrity) Application Infrastructure Protection (Integrity) Volumetric Attacks (Availability) Non-Volumetric Resource Attacks (Availability)

8 Trendy v DDoS DDoS is the most common attack method. Attacks last longer. Government and Financial Services are the most attacked sectors. Multi-vector trend continues. Slide 8

9 Kdo je cílem? 2014 Změna proti 2013 Zdroj Radware Global Application and Network Report

10 Výpalné Konkurenční boj (lze si snadno zaplatit útok) Nespokojený zákazník Politika, náboženství Hacktivismus Motivace?

11 DDoS útoky HTTP Floods SSL Floods Large volume Syn Floods Low & Slow DoS network flood Je nutné kombinovat více attacks technologií! attacks (e.g.sockstress) Network Scan App Misuse Brute Force Cloud DDoS protection Behavioral analysis DoS protection SSL protection IPS WAF Slide 11

12 Anatomie útoku

13 Vektor I.: TCP Garbage Flood Attack Vector PSH+ACK Garbage Flood port 80 Description Mitigation TCP PSH+ACK packets that contain garbage data No initiation of proper TCP handshake Out-of-state Signature (SUS for all customers) Garbage Data Slide 13

14 Vektor III.: IP fragment flood to port 80 Attack Vector IP fragment Description TCP Protocol port 80 Frag offset = 512 TTL = 244 Same SRC IP (unusual for this attack) Mitigation BDOS BDOS Mitigation in Action Slide 15

15 Vector IV. : UPD Flood to Random Port Attack Vector Description Mitigation Attack Vector V: UPD Flood to Random Port UDP flood Packet contained Garbage data BDOS BDOS Mitigation in Action Slide 16

16 Jak vybrat správné řešení?

17 Technologie? Všechny vektory (síťové, aplikační, SSL, low & slow) Útoky hrubou silou (volumetric ) Blokování jen útoku (false positive)? Dedikovaný hardware (hardware pro blokování)? Dedikovaný box (chrání vstup do sítě)? Chrání v reálném čase (inline)? Management / reporting (SIEM)?

18 Podpora během útoku 24 x 7 (ERT = nejen běžný support)? Reference (nejlépe u MSSP)? Skutečné řešení? Vlastní výzkum? Reference Výrobce?

19 RADWARE řešení Výkonný hardware od 200 Mbps až 300 Gbps Kombinace více technologií (DoS Shield, IPS, NBA, IP reputation, SSL) Služby ERT týmu během útoku DefensePipe DDoS ochrana v cloudu Integrace (netflow, openflow) Průběžný výzkum (Low&slow, counter attack) Reference u MSSP

20 AMS = Attack Mitigation System

21 Attack Mitigation System In the cloud Perimeter Front-End Alteon / AppWall Internet Defense Messaging Volumetric DDoS attack that saturates Internet pipe Protected Organization Slide 22

22 Radware Attack Mitigation System (AMS) Pokrytí všech vektorů Okamžitá reakce ERT Management / monitoring / reporting Slide 23

23 AMS komponenty AppWall DefensePipe DefensePro Cloud Anti-DoS, based NBA, (service) IPS, Rep. protection Engineagainst AppWall pipe On DefenseSSL demand saturation throughput scalability 200Mbps 40Gbps Simple Web Application Radware traffic based ADC Firewall pricing solution offering modelcomplete web app Fast, protection HW based, SSL Web-application decryption, based FIPS validated availability attack detection APSolute Appliance & Vision VA Emergency SIEM with real Response time views, historical Teamand 24/7 forensics service reports to customers under attack Appliance & VA Alteon - DefenseSSL APSoluteVision Slide 24

24 Rozdíl: výkon pod útokem 230 Million PPS Attack Traffic Bez vlivu na ostatní provoz Útok blokován na úkor bežného provozu Multi-Gbps Capacity 160 Gbps Legitimate Traffic Attack Attack Multi-Gbps Capacity Attack Legitimate Traffic Traffic + Attack DefensePro Other Network Security Solutions Slide 25

25 Vyčištění provozu DME DDoS Mitigation Engine (25M PPS / 60 Gbps) Multi Purpose Multi Cores CPU s (38 Gbps) L7 Regex Acceleration ASIC & Reputation Engine Behavioral-based protections Hardwarová architektura 26

26 Radware VISION: Security Event Management (SEM) 3 rd SIEM Correlated reports Trend analysis Compliance management RT monitoring Advanced alerts Forensics Slide 27

27 Síťové DoS útoky

28 SYN Protection Challenge/Response Původní myšlenka RADWARE rozšíření SYN SYN Real User SYN-ACK +Cookie ACK +Cookie Data DefensePro SYN-ACK ACK Data Target Cookie is validated. TCP Challenge passed - delayed binding begins HTTP Redirect / Javascript - awaiting data packet with valid cookie Slide 29

29 NBA a RT Signature Technologie Public Network Mitigation optimization process Initial Filter Closed feedback Inbound Traffic Real-Time Signature Initial filter is generated: Packet Filter ID Optimization: ID IDAND IP Packet AND Source IP IP AND AND Packet size size AND TTL 5 Blocking Rules Start Traffic mitigation characteristics 1 2 Statistics Final Filter 0 Up to X 3 Learning Time [sec] Detection Engine Degree of Attack = High Low Filtered Traffic Outbound Traffic Protected Network Signature parameters Source/Destination Narrowest filters IP Source/Destination Port Packet Packet size ID TTL Source (Time IP To Address Live) DNS Packet Query size Packet TTL (Time ID To Live) TCP sequence number More (up to 20) RT Signatures 4 Degree of Attack = Low High (Negative (Positive Feedback) Slide 30

30 Attack Degree axis NBA - Fuzzy logika Flash crowd Z-axis Attack area Decision Engine Suspicious area Attack Degree = 5 (Normal- Suspect) X-axis Normal adapted area Y-axis Normal TCP flags ratio Abnormal rate of Syn packets Slide 31 31

31 Aplikační DoS útoky

32 Příklad: HTTP Flood BOT Command IRC Server Statické signatury HTTP Bot (Infected host) - Požadavky na server jsou legitimní = nelze takto detekovat - Connection limit against high volume attacks Typicky nereflektuje na kterou stránku se útočí Blokování legitimního provozu Vysoká míra false-positives HTTP Bot (Infected host) Internet Misuse of Service Resources Attacker Public Web Servers HTTP Bot (Infected host) HTTP Bot (Infected host) Slide 33

33 Behaviorální analýza & generováni signatur DoS & DDoS Inbound Traffic Public Network Inputs - Network - Servers - Clients Application level threats Zero-Minute malware propagation Real-Time Signature Behavioral Analysis Inspection Module Closed Feedback Abnormal Activity Detection Outbound Traffic Enterprise Network Real-Time Signature Generation Optimize Signature Remove when attack is over Slide 34

34 Další metody ochrany IP reputation Signatury Black-white list, ACL Řízení pásma (QoS) Server cracking SSL mitigaiton Slide 36

35 Integrace

36 Integrace DefensePro APSolute Vision CLI, SNMP, SOAP, REST API Signaling (SYSLOG) SNMP traps, mails Reports, SQL SDN - openflow Netflow - Invea-tech Slide 38

37 DefensePipe / Scrubbing center

38 DefensePipe jak funguje? ISP ERT with the customer decide to divert the traffic Volumetric On-premise DDoS attack AMS that blocks mitigates the Internet the attack pipe Clean traffic Defense Messaging DefensePro DefensePros AppWall Sharing essential information for attack mitigation Protected Online Services Protected organization Slide 40

39 U zákazníka nebo v cloudu? Slide 41

40 FlowMon sonda pro monitoring linky Lze monitorovat velké množství linek DDoS Defender - architektura FlowMon Collector (FC) sbíra statistiky a detekuje (DoS/DDoS) útok FlowMon sbíra statistiky pro DefensePro FC poskytuje potřebné informace pro DefensePro a nakonfiguruje profil a pravidlo pro mitigaci. Po ukončení útoku je konfigurace vymazána. Výhody: Škálovatelnost Jednoduchá implementace v komplexních sítích Cenově efektivní

41 Dotazy? security.radware.com Slide 43