Jak se bránit před DDoS útoky

Transkript

1 Jak se bránit před DDoS útoky Petr Lasek, RADWARE

2 Významné útoky Slide 2

3 Slide 3

4 Agenda Radware Aktuální rizika, kritéria výběru Příklady útoků Attack Mitigation System (AMS) Případová studie Shrnutí Slide 4

5 APSolute řešení RADWARE APSolute řešení dokáže zajistit pro Vaši síť a aplikace: - maximální dostupnost (Availability), - maximální výkon (Performance), - bezpečnost (Security) Slide 5

6 About Radware Over 10,000 Customers Company Growth 144,1 167,0 88,6 77,6 81,4 68,4 54,8 38,4 43,3 43,7 108,9 94,6 4,9 14, Recognized Market Leader & vision Global Technology Partners IPS Magic Quadrant 2013 ADC Magic Quadrant 2013 Slide 6

7 Radware přehled řešení HTTP Monitor Web Services and XML Gateway Partner Inflight AppXML Message Queuing System Router Intrusion Prevention Mainframe Customers LinkProof DefensePro Alteon / AppDirector ESB Router Application Delivery Controller LinkProof WAN Link Optimizer / Load Balancer AppWall Web & Portal Servers Database servers Web Application Firewall Branch Office Application Servers Data Center Slide 7

8 Radware řešení L4-L7 G/SLB Acceleration L4-L7 LB Acceleration Security Software Defined Networking Security 8

9 Aktuální bezpečnostní rizika

10 Bezpečnost Bezpečnost Slide 10

11 Významné útoky Slide 11

12 Kdo je cílem? Source: Radware Global Application and Network Report 2013 (to be published Jan. 27, 2014) 12

13 Pravděpodobnost že to budete Vy? 65% posledních Unlikely 45% Organizací zaznamenalo 3 DDoS útoky v 12 měsících Possible 37% 54 Minut by průměrný výpadek. Very likely 10% Likely 8% Industry Security Survey How likely is it that your organization will be attacked by cyber warfare? 13

14 Výpalné Konkurenční boj (lze si snadno zaplatit útok) Nespokojený zákazník Politika, náboženství Hacktivismus Motivace?

15 Bezpečnostní nástroje x útoky DoS Protection Behavioral Analysis IPS IP Reputation WAF Large volume network flood attacks Network scan Intrusion SYN flood Low & Slow DoS attacks Port scan Brute force attack Intrusion, Malware High & Low rate application DoS attacks Web application attacks (e.g. XSS, Injections, CSRF) Slide 15

16 Co a před čím chrání? Protection Purpose Firewall IPS WAF Router ACLs Next Gen FW Anti-DoS Appliance (CPE) DLP Cloud Anti-DoS Data-At-Rest Protections (Confidentiality) Data-At-Endpoint (Confidentiality) Data-In-Transit (Confidentiality) Network Infrastructure Protection (Integrity) Application Infrastructure Protection (Integrity) Volumetric Attacks (Availability) Non-Volumetric Resource Attacks (Availability)

17 DDoS útoky HTTP Floods SSL Floods Large volume network flood attacks Syn Floods Low & Slow DoS Comprehensive Protection attacks (e.g.sockstress) Integrated solution with all security technologies Network Scan Mitigates attacks beyond the perimeter App Misuse Brute Force Cloud DDoS protection Behavioral analysis DoS protection SSL protection IPS WAF Slide 17

18 Co se stane během DDoS útoku? Firewall & IPS NEOCHRÁNÍ před DDoS útokem 20 Typicky se kritickým místem stává: 15 Server 10 Firewall Připojení Internet Pipe Firewall IPS / DSS ADC Server SQL Server 18

19 Ja vybrat správné řešení?

20 Síťové útoky? Útoky na servery? Aplikační útoky? SSL útoky? Pomalé útoky (Low & slow)? Co řešení nabízí?

21 Útoky hrubou silou (volumetric ) Blokování jen útoku (false positive)? Dedikovaný hardware (hardware pro blokování)? Dedikovaný box (chrání vstup do sítě)? Chrání v reálném čase (inline)? Management / reporting (SIEM)? Technologie?

22 Podpora během útoku 24 x 7 (nejen běžný support)? Reference (nejlépe u MSSP)? Skutečné řešení? Vlastní výzkum? Výrobce?

23 RADWARE řešení Výkonný hardware od 200 Mbps až 40 Gbps Kombinace více technologií (DoS Shield, IPS, NBA, IP reputation) Služby ERT týmu během útoku DefensePipe DDoS ochrana v cloudu Průběžný výzkum (Low&slow, counter attack)

24 Anatomie útoku

25 APT Advanced Persistent Threat

26 Hacktivism příklady Komplexnost útoků Duration: 20 Days More than 7 attack vectors Inner cycle involvement Attack target: Vatican Duration: 3 Days 4 attack vectors Attack target: Visa, MasterCard Duration: 3 Days 5 attack vectors Only inner cycle involvement Attack target: HKEX Duration: 6 Days 5 attack vectors Inner cycle involvement Attack target: Israeli sites Slide 26

27 Časový průběh

28 7. Březen I. den Začátek útoku Day 1 Wed March 7 th ~13:30 20:17 Customer website was taken down by anonymous. Later, Radware Italy is invoked, ERT receive heads-up. DefensePro is deployed, ERT start building configuration. DefensePro na místě (ODS2) ERT tým Slide 28

29 8. Březen II. den Day2 Thurs March 8 th 12:45 ERT Continued refining configuration moving the device to an aggressive configuration. 14:00 Attacks begin and mitigated by the DefensePro. ERT monitors and conduct minor fine tuning. 24:00 Attacks ended. Útok blokován (DefensePro a ERT) Slide 29

30 Útok pokračoval déle než týden Automaticky blokován Bez zásahu ERT Slide 31

31 Vektory útoku

32 Vektor I.: TCP Garbage Flood Attack Vector PSH+ACK Garbage Flood port 80 Description Mitigation TCP PSH+ACK packets that contain garbage data No initiation of proper TCP handshake Out-of-state Signature (SUS for all customers) Garbage Data Slide 35

33 Vektor II.: SYN Flood Attack Vector SYN Flood Description Port attackers Mitigation BDOS SYN Protection (not activated, threshold were too high) BDOS Footprint Slide 36

34 Vektor III.: IP fragment flood to port 80 Attack Vector IP fragment Description TCP Protocol port 80 Frag offset = 512 TTL = 244 Same SRC IP (unusual for this attack) Mitigation BDOS BDOS Mitigation in Action Slide 37

35 Vector IV. : UPD Flood to Random Port Attack Vector Description Mitigation Attack Vector V: UPD Flood to Random Port UDP flood Packet contained Garbage data BDOS BDOS Mitigation in Action Slide 38

36 Evropská vládní instituce, Červenec 2012 Útočník posílal 3.4Mbps složený z 36 B DNS dotazů na 8 DNS serverů Doména s 43 registrovanými DNS záznamy. Odpověd 3991 B, 154 Mbps Navíc odpověd s fragmentovanými pakety Ochrana -DNS odpovědi blokovány pomocí BDoS modulu, fragmentované UDP pakety pomocí DoS-Shield modulu Slide 39

37 Op Ababil Slide 40

38 Vektory útoků US Bank March 2013 Radware s ERT Joins in Attacks started October 2012 ISP 1 DoS Mitigation Outage on daily basis ISP 2 DoS Mitigation ICMP Flood UDP Flood SYN Flood HTTP URL Floods IT department is exhausted and frustrated Search Page Floods TLS/SSL Rengotiation Login Page Floods Bypassing Mitgiation Slide 41

39 AMS = Attack Mitigation System

40 Attack Mitigation System In the cloud Perimeter Front-End Alteon / AppWall Internet Defense Messaging Volumetric DDoS attack that saturates Internet pipe Protected Organization Slide 43

41 AMS řešení Data Center DefensePro AppWall Web Application Výhody AMS Okamžitá reakce Hybridní řešení: CPE a scrubbing centrum v cloudu Kompletní pokrytí útoků Web stealth útoky Slide 44

42 Radware Attack Mitigation System (AMS) Pokrytí všech vektorů Okamžitá reakce ERT Management / monitoring / reporting Slide 45

43 AMS komponenty AppWall DefensePipe DefensePro Cloud Anti-DoS, based NBA, (service) IPS, Rep. protection Engine against AppWall pipe On DefenseSSL demand saturation throughput scalability 200Mbps 40Gbps Simple Web Application Radware traffic based ADC Firewall pricing solution offering model complete web app Fast, protection HW based, SSL Web-application decryption, based FIPS validated availability attack detection APSolute Appliance & Vision VA Emergency SIEM with real Response time views, historical Team and 24/7 forensics service reports to customers under attack Appliance & VA Alteon - DefenseSSL APSoluteVision Slide 46

44 Rozdíl: výkon pod útokem 12 Million PPS Attack Traffic Bez vlivu na ostatní provoz Útok blokován na úkor bežného provozu Multi-Gbps Capacity Legitimate Traffic Attack Attack Multi-Gbps Capacity Attack Legitimate Traffic Traffic + Attack DefensePro Other Network Security Solutions Slide 48

45 Flood Packet Rate (Millions) Mitigation Performance (DME) Legitimate HTTP Traffic (Gbit/s) Slide 49

46 Radware Security Event Management (SEM) 3 rd SIEM Correlated reports Trend analysis Compliance management RT monitoring Advanced alerts Forensics Slide 50

47 Vyčištění provozu DME DDoS Mitigation Engine (25M PPS / 60 Gbps) Multi Purpose Multi Cores CPU s (38 Gbps) L7 Regex Acceleration ASIC & Reputation Engine Behavioral-based protections Architecture That Was Tailored for Attack Mitigation 51

48 Síťové DoS útoky

49 SYN Protection Challenge/Response Logic cookie DP storing detected validated, received a SYN delayed data flood before to binding an endpoint proxying pending SYN SYN SYN-ACK +Cookie ACK +Cookie SYN-ACK ACK Real User Data DefensePro Data Target Cookie is validated. TCP Challenge passed - delayed binding begins HTTP Redirect / Javascript - awaiting data packet with valid cookie Slide 53

50 SYN cookies Slide 54

51 Challenge/Response Botnet is identified (suspicious sources are marked) Attack Detection Real-Time Signature Created Light Challenge Actions Strong Challenge Action Selective Rate-limit?? X X TCP Challenge 302 Redirect Challenge Java Script Challenge RT Signature blocking Behavioral Real-time Signature Technology Challenge/Response Technology Uzavřená smyčka Real-time Signature Blocking Slide 55

52 AMS - co nabízí Detekce útoku Real-time signatura Challenge Druhý challenge Blokování Kombinace více bezpečnostních technologií QoE TCO Ochrana před síťovými a aplikačními útoky Ochrana před známými i neznámými (zero-day) útoky Prakticky nulové false-positive Granulární konfigurace, kombinace více metod blokování, real-time monitroing i dloudobý reporting Automatické generování signatur, bez nutnosti zásahu administrátora Slide 56

53 Ochrana před síťovými DoS útoky Ochrana před: TCP SYN floods TCP SYN+ACK floods TCP FIN floods TCP RESET floods TCP Out of state floods TCP Fragment floods UDP floods ICMP floods IGMP floods Packet Anomalies Known DoS tools Custom DoS signatures Slide 57

54 NBA a RT Signature Technologie Public Network Mitigation optimization process Initial Filter Closed feedback Inbound Traffic Real-Time Signature Initial filter is generated: Packet Filter ID Optimization: ID ID AND AND IP Packet ID AND Source IP IP AND AND Packet size size AND TTL 5 Blocking Rules Start Traffic mitigation characteristics 1 2 Statistics Final Filter 0 Up to X 3 Learning Time [sec] Detection Engine Degree of Attack = High Low Filtered Traffic Outbound Traffic Protected Network Signature parameters Source/Destination Narrowest filters IP Source/Destination Port Packet Packet size ID TTL Source (Time IP To Address Live) DNS Packet Query size Packet TTL (Time ID To Live) TCP sequence number More (up to 20) RT Signatures 4 Degree of Attack = Low High (Negative (Positive Feedback) Slide 58

55 Attack Degree axis NBA - Fuzzy logika Flash crowd Z-axis Attack area Decision Engine Suspicious area Attack Degree = 5 (Normal- Suspect) X-axis Normal adapted area Y-axis Normal TCP flags ratio Abnormal rate of Syn packets Slide 59 59

56 Aplikační DoS útoky

57 HTTP Mitigator

58 Behaviorální analýza & generováni signatur DoS & DDoS Inbound Traffic Public Network Inputs - Network - Servers - Clients Application level threats Zero-Minute malware propagation Real-Time Signature Behavioral Analysis Inspection Module Closed Feedback Abnormal Activity Detection Outbound Traffic Enterprise Network Real-Time Signature Generation Optimize Signature Remove when attack is over Slide 63

59 DNS Mitigator

60 Behavorální analýza DNS provozu DNS dotazy jejich rozložení Četnost dotazů DNS QPS TEXT records MX records Other records A records AAAA records PTR records A records base line MX records base line PTR records AAAA records Time DoA per typ dotazu Fuzzy Logic Inference System Normal Suspect Attack Slide 69

61 SSL

62 Clear Ochrana před útoky v šifrovaném provozu Application cookie engines L7 ASIC Regex engine Traffic Anomalies Floods Network-Based DoS Attacks Application-Based DoS Attacks (Clear and SSL) Directed Application DoS Attacks (Clear and SSL) Clear Clear Encrypted Authenticated clients Encrypted Packet anomalies, Black & white lists Behavioral DoS & TCP cookie engines Client-side termination point Encrypted Alteon s SSL Acceleration Engine Slide 71

63 Ostatní metody

64 Další metody ochrany IP reputation Signatury Black-white list, ACL Řízení pásma (QoS) Server cracking Slide 73

65 Integrace DefensePro APSolute Vision CLI, SNMP, SOAP Signaling (SYSLOG) SNMP traps, mails Reports, SQL SDN Netflow - Invea-tech Slide 74

66 DefenseFlow - SDN DefenseFlow Application Control Collect Analyze & Decide DefenseFlow Diversion and DefensePro Mitigation Network Controller Mobile Users A completely new solution architecture: From point security solution to network-wide solution enabled by SDN Dynamic, programmable, scalable, easy-to-operate security network service Best possible design: Always out of path except for under attack Unprecedented attack detection span 75

67 WAF

68 Vektory útoků Top Attack Vectors Source: webappsec.org Slide 77

69 Výsledek útoků Top Impact / Outcomes Source: webappsec.org Slide 78

70 AppWall Out-of-the-Box PCI Compliance WAF + IPS (PCI 6.6 & 11.4) PCI Compliance Reporting Fast Implementation Simple initial deployment Best in class Auto-Policy Generation Risk Management Unified and Correlated reporting across the network Security reporting APSolute Vision SIEM AppWall Scalability Cluster deployment Centralized policy management Scalable by Device Complete Web App Protection Full coverage of OWASP Top-10 Negative & positive security models Slide 79

71 Bezpečnost webu Pokrytí OWASP Top-10 Negativní & Pozitivní bezpečnstní model Out-of-the-Box pravidla WASC Threat Classification Slide 80

72 Complete Web Application Protection Signature & Rule Protection Terminate TCP, Normalize, HTTP RFC Data Leak Prevention Cross site scripting (XSS) SQL injection, LDAP injection, OS commanding Evasions HTTP response splitting (HRS) Credit card number (CCN) / Social Security (SSN) Regular Expression Slide 81

73 Complete Web Application Protection Parameters Inspection User Behavior Layer 7 ACL XML & Web Services Role Based Policy Buffer overflow (BO) Zero-day attacks Cross site request forgery Cookie poisoning, session hijacking Folder/file/param level access control White listing or black listing XML Validity and schema enforcement Authentication User Tracking Slide 82

74 Flexible Deployment Strategies Access Router Firewall Virtual IP ADC Public AppWall IP IP Internet Transparent bridge mode No network topology changes required Transparent to non-http traffic Fail-open interfaces Transparent Reverse proxy HTTP Proxy for maximum security Preserves Original Client IP address Reverse proxy HTTP Proxy for maximum security Cluster deployment ADC farm deployment Auto policy synchronization within the farm AppWall AppWall Array Web Servers Slide 83

75 Automatická tvroba pravidel App Mapping Threat Analysis Reservations.com /config/ /admin/ Risk analysis per application-path SQL Injection Spoof identity, steal user information, data tampering /register/ CCN breach Information leakage /hotels/ /info/ Directory Traversal Gain root access control /reserve/ Buffer Overflow Unexpected application behavior, system crash, full system compromise Slide 84

76 Doporučení ochrany Reservations.com App Mapping Threat Analysis Policy Generation /config/ /admin/ SQL Injection Prevent access to sensitive app sections /register/ CCN breach ***********9459 Mask CCN, SSN, etc. in responses. /hotels/ /info/ Directory Traversal Traffic normalization & HTTP RFC validation /reserve/ Buffer Overflow P Parameters inspection Slide 85

77 Authentication, SSO & Role Based Policy Authentication and login detection Accounting and Auditing Authorization and access control Web based Single Sign On Slide 86

78 RBAC Organizational Roles IT HR Finance Operations Attack Source Application Roles Customer Partner Employee Administrator 18% 2% 80% External Partner Internal Slide 87

79 Více vektorový RBAC Context Web Role IP & Geo Location Security Policy Application Access Control Data Access and Visibility Web Security, XSS, SQL Inj. Action Block Report Slide 88

80 WAF = kritéria výběru Jak rychle lze nasadit? Autolearning 7 dní Výkon a škálovatelnost Cluster a licence Blokování je špatného provozu Pozitovní a negativní bezpečnostní model Nasazení Automatické generovnání pravidel Slide 89

81 Signalizace Data Center Web application attack detected by AppWall AppWall signals DefensePro DefensePro mitigates the attack HTTP Dynamic Flood AppWall DefensePro Slide 90

82 Elastic WAF Step #1.2 High AppWall resource Utilization Step #1.4 Reduced Resource utilization Step #1.1 Growing traffic volume to the Web application Step #1.3 Add AppWall Instance Ext vadc Int vadc Multiple Policies Step #2.2 New Policy Assigned Alteon ADC-VX User Selective Routing of Protected and unprotected Tenants Operator Step #2.1 New Tenant Application added

83 DefensePipe / Scrubbing center

84 DefensePipe Ochrana v cloudu před volumetric útoky Přesměrování JEN během útoků První hybridní útoky na trhu Sdílené informace mezi CPE a cloudem Slide 94

85 DefensePipe Operation Flow ISP ERT with the customer decide to divert the traffic Volumetric On-premise DDoS attack AMS that blocks mitigates the Internet the attack pipe Clean traffic Defense Messaging DefensePro DefensePros AppWall Sharing essential information for attack mitigation Protected Online Services Protected organization Slide 95

86 Radware AMS & ERT/SOC Security Operations Center (SOC) Pravidelné update signatur každý týden a kritické updaty okamžitě 24 x 7, znalost sdílená celosvětově Emergency Response Team (ERT) 24x7 služba pro zákazníky pod útokem Eliminace DoS/DDoS útotů, předejití škodám Slide 96

87 U zákazníka nebo v cloudu? Slide 97

88 SOC a ERT služby

89 Architektura FlowMon sonda pro minitoring linky Lze monitorovat velké množství linek FlowMon Collector (FC) sbíra statistiky a detekuje (DoS/DDoS) útok FlowMon sbíra statistiky pro DefensePro FC poskytuje potřebné informace pro DefensePro a nakonfigureje profil a pravidlo pro mitigaci. Po ukončení útoku je konfigurace vymazána. Výhody: Škálovatelnost

90 Závěr

91 Shrnutí Více vektorů útoků Uživatele nasazují více řešení Útočníci využivají mezer mezi neintegrovanými produkty Attack Mitigation System (AMS): Ochrana před APT (Advanced Persistent Threat = dlouhodobé kampaně ) Integrované řešení / korelace mezi jednotlivými metodami Řešení pro Online aplikace Datová centra, hosting, cloud Poskytovale internetu Slide 107

92 Thank You

93 Dotazy? security.radware.com Slide 109