DDoS Protection. Petr Lasek, RADWARE
APSolute solution
The RADWARE APSolute solution delivers for your network and applications:
- maximum availability (Availability),
- maximum performance (Performance),
- security (Security)
RADWARE: continuous growth
More than 10,000 customers. Global partnerships.
[Chart: annual revenue in USD millions, 2002 to 2014 (2014 forecast), with year-on-year growth percentages]
References
7 of the world's top 14 stock exchanges and 12 of the world's top 20 commercial banks use Radware AMS. 6 of the world's top 20 retailers and the NBA, NHL, MLB and Nascar use Radware AMS. 4 of the world's top telcos and 2 of the 10 top cloud service providers use Radware AMS.
Current security risks
Security
What protects against what?
Protection technologies (table columns): Firewall, IPS, WAF, Router ACLs, Next Gen FW, Anti-DoS Appliance (CPE), DLP, Cloud Anti-DoS.
Protection purposes (table rows): Data-At-Rest Protections (Confidentiality); Data-At-Endpoint (Confidentiality); Data-In-Transit (Confidentiality); Network Infrastructure Protection (Integrity); Application Infrastructure Protection (Integrity); Volumetric Attacks (Availability); Non-Volumetric Resource Attacks (Availability).
[Table: which technology covers which purpose; cell contents not recoverable]
DDoS trends 2014-2015
- DDoS is the most common attack method.
- Attacks last longer.
- Government and financial services are the most attacked sectors.
- The multi-vector trend continues.
Who is the target?
[Chart: targets in 2014 and change versus 2013. Source: Radware Global Application and Network Report 2014]
Motivation?
- Extortion
- Competitive struggle (an attack can easily be bought)
- Disgruntled customer
- Politics, religion
- Hacktivism
DDoS attacks
Attack types: HTTP floods, SSL floods, large-volume network flood attacks, SYN floods, low & slow DoS attacks (e.g. sockstress), network scans, application misuse, brute force.
Protection technologies: cloud DDoS protection, behavioral analysis, DoS protection, SSL protection, IPS, WAF.
Multiple technologies must be combined!
Anatomy of an attack
Vector I: TCP garbage flood
- Attack vector: PSH+ACK garbage flood to port 80
- Description: TCP PSH+ACK packets that contain garbage data; no proper TCP handshake is initiated
- Mitigation: out-of-state signature (SUS for all customers)
Vector III: IP fragment flood to port 80
- Attack vector: IP fragment
- Description: TCP protocol, port 80, fragment offset = 512, TTL = 244, same source IP (unusual for this attack)
- Mitigation: BDOS
[Screenshot: BDOS mitigation in action]
Vector IV (Attack Vector V): UDP flood to random port
- Attack vector: UDP flood
- Description: packets contained garbage data
- Mitigation: BDOS
[Screenshot: BDOS mitigation in action]
How to choose the right solution?
Technology?
- All vectors (network, application, SSL, low & slow)?
- Brute-force (volumetric) attacks?
- Blocks only the attack (false positives)?
- Dedicated hardware (hardware for blocking)?
- Dedicated box (protects the network entry point)?
- Protects in real time (inline)?
- Management / reporting (SIEM)?
Support during an attack 24x7 (ERT = more than regular support)?
References (ideally from an MSSP)?
Vendor?
- A real solution?
- Own research?
- References?
RADWARE solution
- Powerful hardware from 200 Mbps up to 300 Gbps
- Combination of multiple technologies (DoS Shield, IPS, NBA, IP reputation, SSL)
- ERT team services during an attack
- DefensePipe: DDoS protection in the cloud
- Integration (NetFlow, OpenFlow)
- Ongoing research (low & slow, counter attack)
- References from MSSPs
AMS = Attack Mitigation System
Attack Mitigation System
[Diagram: Internet; in the cloud; perimeter; front end (Alteon / AppWall); Defense Messaging between the components; a volumetric DDoS attack that saturates the Internet pipe; protected organization]
Radware Attack Mitigation System (AMS)
- Coverage of all vectors
- Immediate ERT response
- Management / monitoring / reporting
AMS components
- DefensePro: anti-DoS, NBA, IPS, reputation engine; throughput 200 Mbps to 40 Gbps; appliance & VA
- DefensePipe: cloud-based (service); protection against pipe saturation; on-demand scalability; simple Radware traffic-based pricing model
- AppWall: web application firewall offering complete web app protection; web-application-based availability attack detection; appliance & VA
- Alteon - DefenseSSL: ADC solution; fast, HW-based SSL decryption, FIPS validated
- APSolute Vision: SIEM with real-time views, historical forensics reports; appliance & VA
- Emergency Response Team: 24/7 service to customers under attack
Difference: performance under attack
[Diagram: 230 million PPS of attack traffic. DefensePro (multi-Gbps capacity, 160 Gbps of legitimate traffic): no impact on other traffic. Other network security solutions (multi-Gbps capacity): the attack is blocked at the expense of normal traffic.]
Traffic scrubbing: hardware architecture
- DME DDoS Mitigation Engine (25M PPS / 60 Gbps)
- Multi-purpose multi-core CPUs (38 Gbps)
- L7 regex acceleration ASIC & reputation engine
- Behavioral-based protections
Radware VISION: Security Event Management (SEM)
- 3rd-party SIEM
- Correlated reports
- Trend analysis
- Compliance management
- RT monitoring
- Advanced alerts
- Forensics
Network DoS attacks
SYN protection: challenge/response
Original idea (TCP SYN cookie challenge) and RADWARE extension (HTTP redirect / JavaScript challenge).
Sequence between a real user, DefensePro and the target:
1. Real user -> DefensePro: SYN
2. DefensePro -> real user: SYN-ACK + cookie
3. Real user -> DefensePro: ACK + cookie
4. Cookie is validated. TCP challenge passed: delayed binding begins
5. DefensePro -> target: SYN; target -> DefensePro: SYN-ACK; DefensePro -> target: ACK
6. Data is forwarded to the target
RADWARE extension: HTTP redirect / JavaScript challenge, awaiting a data packet with a valid cookie.
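An added illustration of the stateless challenge/response above (example code written for this page, not Radware's DefensePro implementation): the SYN-ACK sequence number carries a keyed cookie, the client's ACK is validated against it, and only validated flows are bound to the target. The secret, the 64-second slot size and the 24-bit tag length are assumptions chosen for the demo.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # per-device secret; rotated in real deployments
SLOT_SECONDS = 64                     # granularity of the cookie validity window

def _slot(now=None):
    return int((time.time() if now is None else now) // SLOT_SECONDS) & 0xFF

def _tag(slot, flow):
    """24-bit keyed MAC over the time slot and the 4-tuple (src_ip, src_port, dst_ip, dst_port)."""
    msg = bytes([slot]) + ":".join(map(str, flow)).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]

def make_cookie(flow, now=None):
    """Initial sequence number for the SYN-ACK: 8-bit slot || 24-bit tag.
    Nothing is stored per half-open connection, so a SYN flood only costs CPU."""
    slot = _slot(now)
    return (slot << 24) | int.from_bytes(_tag(slot, flow), "big")

def validate_ack(ack_num, flow, now=None, max_age=1):
    """The ACK must acknowledge cookie + 1; accept the current slot and max_age older slots."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    slot, tag = cookie >> 24, (cookie & 0xFFFFFF).to_bytes(3, "big")
    for age in range(max_age + 1):
        s = (_slot(now) - age) & 0xFF
        if s == slot and hmac.compare_digest(tag, _tag(s, flow)):
            return True
    return False

class SynProxy:
    """Challenge/response front end: a flow is bound to the target only after a valid
    ACK, i.e. after the client has proven it can complete the handshake."""
    def __init__(self):
        self.bound = set()

    def on_syn(self, flow, now=None):
        return make_cookie(flow, now)          # SYN-ACK carries the cookie as its ISN

    def on_ack(self, flow, ack_num, now=None):
        ok = validate_ack(ack_num, flow, now)
        if ok:
            self.bound.add(flow)               # delayed binding to the target starts here
        return ok

    def forward_data(self, flow):
        return flow in self.bound              # data from unverified flows is dropped
```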
NBA and RT signature technology
Traffic flow: public network -> inbound traffic -> detection engine -> real-time signature -> filtered traffic -> outbound traffic -> protected network.
Mitigation optimization process (closed feedback):
1. Start of traffic mitigation (t = 0 s)
2. Initial filter is generated from the attack characteristics: Packet ID AND Source IP AND Packet size AND TTL; degree of attack = high
3. Statistics and learning (up to 10 s)
4. Optimization: narrowest filters, more RT signatures (up to 20); degree of attack drops from high to low (positive / negative feedback)
5. Final filter: blocking rules (10+X s)
Signature parameters: source/destination IP address, source/destination port, packet size, packet ID, TTL (time to live), DNS query, TCP sequence number.
NBA: fuzzy logic
Decision engine with three axes: X-axis: rate of SYN packets (normal to abnormal); Y-axis: TCP flags ratio (normal to abnormal); Z-axis: degree of attack. Regions: normal adapted area, suspicious area, attack area, flash crowd. Example: degree of attack = 5 (normal / suspect).
Application DoS attacks
Example: HTTP flood
[Diagram: attacker -> IRC server (bot command) -> HTTP bots (infected hosts) -> Internet -> public web servers; misuse of service resources]
Static signatures:
- Requests to the server are legitimate, so the attack cannot be detected this way
- A connection limit against high-volume attacks typically does not reflect which page is being attacked
- Blocking of legitimate traffic
- High rate of false positives
Behavioral analysis & signature generation (DoS & DDoS)
Inputs: network, servers, clients. Inbound traffic from the public network passes through the inspection module (behavioral analysis, abnormal activity detection) to the enterprise network. Threats covered: application-level threats, zero-minute malware propagation. Real-time signature generation with closed feedback: generate the signature, optimize it, and remove it when the attack is over.
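An added, simplified reconstruction of the closed-feedback loop described on the NBA/RT signature slide and on this behavioral analysis slide (example code written for this page, not Radware's algorithm): candidate filters are ANDed header parameters, a candidate that also matches baseline (legitimate) traffic is rejected (negative feedback), and further signatures are generated while attack traffic still leaks through (positive feedback). The parameter set, the thresholds and the sample traffic are constructed assumptions.

```python
from collections import Counter
from itertools import combinations

PARAMS = ("src_ip", "dst_port", "pkt_size", "ttl", "ip_id")  # signature parameters

def dominant_signature(params, packets):
    """Candidate filter: AND of the most common joint value of the chosen parameters."""
    values = Counter(tuple(pkt[p] for p in params) for pkt in packets).most_common(1)[0][0]
    return dict(zip(params, values))

def hits(sig, packets):
    return sum(all(pkt[k] == v for k, v in sig.items()) for pkt in packets)

def best_signature(residual, baseline, max_fp):
    """Narrowest filter with the highest coverage of the (remaining) attack traffic whose
    share of matched baseline traffic stays within max_fp (negative feedback)."""
    best, best_hits = None, 0
    for n in range(1, len(PARAMS) + 1):
        for params in combinations(PARAMS, n):
            sig = dominant_signature(params, residual)
            if hits(sig, baseline) > max_fp * len(baseline):
                continue                      # would block legitimate traffic: rejected
            h = hits(sig, residual)
            if h >= best_hits:                # same coverage with more parameters = narrower
                best, best_hits = sig, h
    return best

def optimize_signatures(attack, baseline, max_fp=0.02, target_hit=0.95, max_sigs=20):
    """Positive feedback: keep adding signatures while attack traffic still leaks
    through, until target coverage is reached or max_sigs signatures exist."""
    sigs, residual = [], list(attack)
    while residual and len(sigs) < max_sigs and len(residual) > (1 - target_hit) * len(attack):
        sig = best_signature(residual, baseline, max_fp)
        if sig is None:
            break                             # nothing isolates the rest without collateral damage
        sigs.append(sig)
        residual = [p for p in residual if not all(p[k] == v for k, v in sig.items())]
    return sigs

def _pkt(src_ip, dst_port, pkt_size, ttl, ip_id):
    return {"src_ip": src_ip, "dst_port": dst_port, "pkt_size": pkt_size, "ttl": ttl, "ip_id": ip_id}

# Constructed sample traffic: a flood with one source IP and TTL 244 like the fragment
# flood on the slide (IP ID varies per packet), a second small flood, and legitimate baseline.
ATTACK = ([_pkt("198.51.100.7", 80, 1024, 244, i) for i in range(150)]
          + [_pkt("203.0.113.9", 80, 64, 57, 0) for _ in range(50)])
BASELINE = [_pkt(f"192.0.2.{i}", 80 if i % 2 else 443, (64, 512, 1500)[i % 3],
                 (64, 128)[i % 2], i) for i in range(100)]

if __name__ == "__main__":
    for sig in optimize_signatures(ATTACK, BASELINE):
        print("blocking rule:", sig)
```

The first signature drops the varying IP ID from the initial four-parameter filter, the second isolates the smaller flood with all five parameters.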
Other protection methods
- IP reputation
- Signatures
- Black/white lists, ACLs
- Bandwidth management (QoS)
- Server cracking
- SSL mitigation
Integration
Integration
DefensePro and APSolute Vision: CLI, SNMP, SOAP, REST API; signaling (SYSLOG); SNMP traps, e-mails; reports, SQL; SDN: OpenFlow; NetFlow: Invea-tech.
DefensePipe / scrubbing center
DefensePipe: how does it work?
1. A volumetric DDoS attack saturates the Internet pipe.
2. The on-premise AMS blocks and mitigates the attack.
3. The ERT, together with the customer, decides to divert the traffic (via the ISP).
4. Clean traffic is delivered to the protected organization.
Defense Messaging between DefensePro / DefensePros and AppWall shares the essential information for attack mitigation. Protected online services; protected organization.
On premise or in the cloud?
DDoS Defender: architecture
- FlowMon probe for link monitoring; a large number of links can be monitored
- FlowMon Collector (FC) gathers statistics and detects the (DoS/DDoS) attack
- FlowMon gathers statistics for DefensePro
- FC provides the necessary information to DefensePro and configures a profile and a rule for mitigation. After the attack ends, the configuration is deleted.
Advantages:
- Scalability
- Simple implementation in complex networks
- Cost-effective
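An added illustration of the collector-side workflow above (example code written for this page, not FlowMon's or Radware's software): flow statistics are aggregated per protected destination, a mitigation profile is created when the rate exceeds the learned baseline, and it is deleted once the attack has been quiet for a few intervals. The baseline values, the alarm factor, the record format and the flow records are constructed assumptions.

```python
from collections import Counter, defaultdict

class DDoSDefender:
    """Collector-side logic: detect on flow statistics, push a mitigation rule to the
    mitigation device, and withdraw it after the attack has stayed quiet."""
    def __init__(self, baseline_pps, factor=5.0, clear_after=2):
        self.baseline_pps = baseline_pps   # normal packets/s per protected destination
        self.factor = factor               # alarm when rate > factor * baseline
        self.clear_after = clear_after     # quiet intervals before the rule is deleted
        self.rules = {}                    # dst_ip -> rule currently configured
        self.quiet = Counter()
        self.events = []                   # (action, interval, dst_ip, rule)

    def process_interval(self, interval, flows):
        """One collection interval of records (src_ip, dst_ip, dst_port, packets)."""
        pps, ports, sources = Counter(), defaultdict(Counter), defaultdict(set)
        for src_ip, dst_ip, dst_port, packets in flows:
            pps[dst_ip] += packets
            ports[dst_ip][dst_port] += packets
            sources[dst_ip].add(src_ip)
        for dst_ip, base in self.baseline_pps.items():
            attacking = pps[dst_ip] > self.factor * base
            if attacking and dst_ip not in self.rules:
                # profile handed to the mitigation device: target, dominant port, source spread
                rule = {"dst_ip": dst_ip, "dst_port": ports[dst_ip].most_common(1)[0][0],
                        "distinct_sources": len(sources[dst_ip]), "pps": pps[dst_ip]}
                self.rules[dst_ip] = rule
                self.events.append(("configure", interval, dst_ip, rule))
            if attacking:
                self.quiet[dst_ip] = 0
            elif dst_ip in self.rules:
                self.quiet[dst_ip] += 1
                if self.quiet[dst_ip] >= self.clear_after:
                    self.events.append(("delete", interval, dst_ip, self.rules.pop(dst_ip)))
        return self.events

def constructed_intervals():
    """Constructed 1-second intervals: normal traffic, then a two-second UDP-style flood."""
    normal = [(f"192.0.2.{i}", "203.0.113.10", 443, 4) for i in range(20)]      # 80 pps
    flood = [(f"198.51.100.{i}", "203.0.113.10", 80, 25) for i in range(100)]   # 2500 pps
    return [normal, flood + normal, flood + normal, normal, normal]

def run_demo():
    defender = DDoSDefender(baseline_pps={"203.0.113.10": 100})
    for interval, flows in enumerate(constructed_intervals()):
        defender.process_interval(interval, flows)
    return defender.events

if __name__ == "__main__":
    for action, interval, dst_ip, rule in run_demo():
        print(f"t={interval}s {action} {dst_ip}: {rule}")
```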
Questions? petrl@radware.com www.radware.com security.radware.com