How to defend against DDoS attacks. Petr Lasek, RADWARE, 19.09.2014
Notable attacks
Agenda: Radware; current risks and selection criteria; attack examples; Attack Mitigation System (AMS); case study; summary
APSolute solution. The RADWARE APSolute solution can provide for your network and applications: maximum availability, maximum performance, and security.
About Radware: over 10,000 customers. [Chart: company growth, 1998 to 2011.] Recognized market leader and vision; global technology partners; IPS Magic Quadrant 2013; ADC Magic Quadrant 2013.
Radware solution overview (diagram): Inflight (HTTP monitor), AppXML (web services and XML gateway), DefensePro (intrusion prevention), Alteon / AppDirector (application delivery controller), LinkProof (WAN link optimizer / load balancer) and AppWall (web application firewall), placed across the data center (web and portal servers, application servers, database servers, mainframe, ESB router, message queuing system), the branch office and partners.
Radware solutions: L4-L7 global/server load balancing and acceleration, L4-L7 load balancing and acceleration, security, software-defined networking security.
Current security risks
Security
Notable attacks
Who is the target? Source: Radware Global Application and Network Report 2013 (to be published Jan. 27, 2014)
How likely is it to be you? Industry Security Survey, "How likely is it that your organization will be attacked by cyber warfare?": unlikely 45%, possible 37%, likely 8%, very likely 10%. 65% of organizations recorded 3 DDoS attacks in the last 12 months; the average outage was 54 minutes.
Motivation? Extortion; competitive struggle (an attack can easily be paid for); a dissatisfied customer; politics, religion; hacktivism.
Security tools vs. attacks. Tools: DoS protection, behavioral analysis, IPS, IP reputation, WAF. Attack types: large volume network flood attacks; network scan; intrusion; SYN flood; low & slow DoS attacks; port scan; brute force attack; intrusion, malware; high & low rate application DoS attacks; web application attacks (e.g. XSS, injections, CSRF).
What protects against what? Protections: firewall, IPS, WAF, router ACLs, next-gen FW, anti-DoS appliance (CPE), DLP, cloud anti-DoS. Purposes: data-at-rest protection (confidentiality), data-at-endpoint (confidentiality), data-in-transit (confidentiality), network infrastructure protection (integrity), application infrastructure protection (integrity), volumetric attacks (availability), non-volumetric resource attacks (availability).
DDoS attacks: HTTP floods, SSL floods, large volume network flood attacks, SYN floods, low & slow DoS attacks (e.g. sockstress), network scan, app misuse, brute force. Comprehensive protection: an integrated solution with all security technologies that mitigates attacks beyond the perimeter; cloud DDoS protection, behavioral analysis, DoS protection, SSL protection, IPS, WAF.
What happens during a DDoS attack? Firewall & IPS DO NOT PROTECT against a DDoS attack. Typically the bottleneck becomes: the server, the firewall, the connection. [Chart: bottleneck by year, 2011 to 2013, across Internet pipe, firewall, IPS/DSS, ADC, server, SQL server.]
How to choose the right solution?
What does the solution offer? Network attacks? Server attacks? Application attacks? SSL attacks? Slow attacks (low & slow)?
Technology? Brute-force (volumetric) attacks? Blocking only the attack (false positives)? Dedicated hardware (hardware for blocking)? Dedicated box (protecting the network entry point)? Real-time (inline) protection? Management / reporting (SIEM)?
Vendor? Support during an attack, 24x7 (not just regular support)? References (ideally from an MSSP)? A real solution? Own research?
RADWARE solution: powerful hardware from 200 Mbps up to 40 Gbps; combination of multiple technologies (DoS Shield, IPS, NBA, IP reputation); ERT team services during an attack; DefensePipe DDoS protection in the cloud; continuous research (low & slow, counter attack).
Anatomy of an attack
APT = Advanced Persistent Threat
Hacktivism examples, attack complexity. Target: Vatican; duration 20 days; more than 7 attack vectors; inner circle involvement. Target: Visa, MasterCard; duration 3 days; 4 attack vectors. Target: HKEX; duration 3 days; 5 attack vectors; only inner circle involvement. Target: Israeli sites; duration 6 days; 5 attack vectors; inner circle involvement.
Timeline
7 March, day 1: start of the attack. Day 1, Wed March 7th. ~13:30: customer website was taken down by Anonymous; later, Radware Italy is involved and ERT receives a heads-up. 20:17: DefensePro is deployed, ERT starts building the configuration. DefensePro on site (ODS2), ERT team.
8 March, day 2. Day 2, Thurs March 8th. 12:45: ERT continued refining the configuration, moving the device to an aggressive configuration. 14:00: attacks begin and are mitigated by the DefensePro; ERT monitors and conducts minor fine tuning. 24:00: attacks ended. Attack blocked (DefensePro and ERT).
The attack continued for more than a week; it was blocked automatically, without ERT intervention.
Attack vectors
Vector I: TCP garbage flood. Attack vector: PSH+ACK garbage flood, port 80. Description: TCP PSH+ACK packets that contain garbage data; no initiation of a proper TCP handshake. Mitigation: out-of-state signature (SUS for all customers).
Vector II: SYN flood. Description: port 80, 460 attackers. Mitigation: BDOS SYN Protection (not activated, thresholds were too high); BDOS footprint.
Vector III: IP fragment flood to port 80. Description: TCP protocol, port 80, fragment offset = 512, TTL = 244, same source IP (unusual for this attack). Mitigation: BDOS (BDOS mitigation in action).
Vector IV: UDP flood to random ports. Description: UDP flood, packets contained garbage data. Mitigation: BDOS (BDOS mitigation in action).
European government institution, July 2012. The attacker sent 3.4 Mbps of 36 B DNS queries to 8 DNS servers, for a domain with 43 registered DNS records. The responses were 3991 B each, 154 Mbps in total, and additionally arrived as fragmented packets. Protection: DNS responses blocked by the BDoS module, fragmented UDP packets by the DoS-Shield module.
Op Ababil
Attack vectors, US bank, March 2013. Attacks started October 2012; outages on a daily basis; ISP 1 DoS mitigation, ISP 2 DoS mitigation; the IT department is exhausted and frustrated; Radware's ERT joins in. Vectors: ICMP flood, UDP flood, SYN flood, HTTP URL floods, search page floods, TLS/SSL renegotiation, login page floods, bypassing mitigation.
AMS = Attack Mitigation System
Attack Mitigation System: in the cloud, at the perimeter and at the front end (Alteon / AppWall), linked by Defense Messaging. A volumetric DDoS attack that saturates the Internet pipe is handled before it reaches the protected organization.
AMS solution: data center with DefensePro, AppWall and the web application. AMS advantages: immediate reaction; hybrid solution (CPE and a scrubbing center in the cloud); complete attack coverage, including web stealth attacks.
Radware Attack Mitigation System (AMS): coverage of all vectors; immediate reaction; ERT; management / monitoring / reporting.
AMS components. DefensePro: anti-DoS, NBA, IPS and reputation engine; fast, HW-based behavioral attack detection; throughput 200 Mbps to 40 Gbps; appliance and VA. AppWall: web application firewall offering complete web-application protection; appliance and VA. DefensePipe: cloud-based service against pipe saturation; on-demand scalability; simple traffic-based pricing model. DefenseSSL: Radware ADC solution with HW-based, FIPS-validated SSL decryption (Alteon). APSolute Vision: SIEM with real-time views and historical forensics reports; appliance and VA. Emergency Response Team: 24/7 service to customers under attack.
Difference: performance under attack, 12 million PPS of attack traffic. DefensePro: no impact on other traffic (multi-Gbps capacity, legitimate traffic + attack). Other network security solutions: the attack is blocked at the expense of normal traffic.
[Chart: mitigation performance (DME), flood packet rate (millions, 0 to 12) vs. legitimate HTTP traffic (Gbit/s, 0 to 15).]
Radware Security Event Management (SEM): 3rd-party SIEM, correlated reports, trend analysis, compliance management, real-time monitoring, advanced alerts, forensics.
Traffic scrubbing: DME DDoS Mitigation Engine (25M PPS / 60 Gbps); multi-purpose multi-core CPUs (38 Gbps); L7 regex acceleration ASIC and reputation engine; behavioral-based protections. An architecture tailored for attack mitigation.
Network DoS attacks
SYN Protection, challenge/response logic (sequence diagram). Real user to DefensePro: SYN. DefensePro to real user: SYN-ACK + cookie; no state is stored for the pending SYN and nothing is proxied to the target yet. Real user to DefensePro: ACK + cookie. The cookie is validated, the TCP challenge is passed and delayed binding begins: only now does DefensePro open the connection to the target (SYN, SYN-ACK, ACK) and forward the user's data. For the HTTP redirect / JavaScript challenges, DefensePro awaits a data packet with a valid cookie before binding to the endpoint.
SYN cookies
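As an added example (not Radware's code; the HMAC layout, key, addresses and time-slot window are constructed for illustration), the stateless challenge/response above in Python: a SYN is answered with a SYN-ACK whose sequence number is a cookie, nothing is stored for pending SYNs, and only an ACK that echoes a valid, recent cookie triggers delayed binding to the target.

```python
import hmac
import hashlib

SECRET = b"constructed-demo-key"   # per-device secret; assumed, rotate in practice

def syn_cookie(src_ip, src_port, dst_ip, dst_port, t_slot):
    """Stateless cookie: 5-bit time slot + 27-bit MAC over the 4-tuple and slot."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{t_slot}".encode()
    mac = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")
    return ((t_slot & 0x1F) << 27) | (mac & 0x07FFFFFF)

def validate_ack(src_ip, src_port, dst_ip, dst_port, ack_num, now_slot, window=2):
    """The ACK must carry cookie + 1 and the embedded slot must be recent."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    slot = cookie >> 27
    if (now_slot - slot) % 32 > window:          # stale cookie (replay after rotation)
        return False
    return syn_cookie(src_ip, src_port, dst_ip, dst_port, slot) == cookie

class SynProtector:
    """Challenge/response in front of one target, with delayed binding."""
    def __init__(self, target_ip, target_port):
        self.target = (target_ip, target_port)
        self.bound = set()        # only validated clients are bound to the target

    def on_syn(self, src_ip, src_port, slot):
        # Reply with SYN-ACK whose ISN is the cookie; no per-SYN state is kept.
        return {"type": "SYN-ACK", "seq": syn_cookie(src_ip, src_port, *self.target, slot)}

    def on_ack(self, src_ip, src_port, ack, slot):
        # A real stack echoes ISN + 1; a spoofed source never saw the SYN-ACK.
        if validate_ack(src_ip, src_port, *self.target, ack, slot):
            self.bound.add((src_ip, src_port))    # delayed binding begins here
            return "BIND"
        return "DROP"

def simulate(slot=7):
    """Constructed scenario: spoofed SYN flood, one real client, one forged ACK, one stale ACK."""
    p = SynProtector("203.0.113.10", 80)
    for i in range(1000):                         # spoofed SYNs leave no state behind
        p.on_syn(f"198.51.100.{i % 250}", 1024 + i, slot)
    real = p.on_syn("192.0.2.5", 40000, slot)
    legit = p.on_ack("192.0.2.5", 40000, real["seq"] + 1, slot)
    forged = p.on_ack("192.0.2.6", 40001, 0x12345678, slot)
    stale = p.on_ack("192.0.2.5", 40000, real["seq"] + 1, slot + 5)
    return legit, forged, stale, len(p.bound)
```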
Challenge/response flow: attack detection; a real-time signature is created; the botnet is identified (suspicious sources are marked); light challenge actions (TCP challenge, 302 redirect challenge); strong challenge action (JavaScript challenge); RT signature blocking, optionally with selective rate limiting. Behavioral real-time signature technology and challenge/response technology form a closed loop.
What AMS offers: attack detection, real-time signature, challenge, second challenge, blocking; a combination of multiple security technologies; QoE; TCO. Protection against network and application attacks; protection against known and unknown (zero-day) attacks; practically zero false positives; granular configuration, a combination of multiple blocking methods, real-time monitoring and long-term reporting; automatic signature generation with no administrator intervention.
Protection against network DoS attacks: TCP SYN floods, TCP SYN+ACK floods, TCP FIN floods, TCP RESET floods, TCP out-of-state floods, TCP fragment floods, UDP floods, ICMP floods, IGMP floods, packet anomalies, known DoS tools, custom DoS signatures.
NBA and real-time signature technology. Inbound traffic from the public network passes the detection engine; when the degree of attack is high, an initial filter is generated from the attack's traffic characteristics and then optimized in a closed feedback loop: (1) traffic statistics, (2) detection, (3) initial filter (e.g. Packet ID), (4) optimization by ANDing further parameters (Packet ID AND Source IP AND Packet size AND TTL), (5) final filter, the narrowest one, whose blocking rules start mitigation. Learning time: up to 10 s for the initial filter, 10+X s for the final filter. Degree of attack high gives positive feedback, low gives negative feedback. Signature parameters: source/destination IP address, source/destination port, packet size, packet ID, TTL (Time To Live), DNS query, TCP sequence number, and more (up to 20). Filtered traffic continues as outbound traffic to the protected network.
NBA fuzzy logic decision engine. X-axis: normal TCP flags ratio; Y-axis: abnormal rate of SYN packets; Z-axis: attack degree. Areas: normal adapted area, suspicious area, attack area, flash crowd. Example: attack degree = 5 (normal to suspect).
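An added example, not Radware's implementation, of the closed-loop signature narrowing from the NBA slide over constructed traffic: the initial one-parameter filter is ANDed with further parameters (packet ID, source IP, size, TTL) only while the narrower filter still removes the excess over baseline; the 95% coverage threshold, baselines and the flood's values are assumed.

```python
import random
from collections import Counter

PARAMS = ("pkt_id", "src_ip", "size", "ttl")   # signature parameters used here

def top_value(packets, param):
    """Most common value of a parameter and its share of the traffic."""
    val, n = Counter(p[param] for p in packets).most_common(1)[0]
    return val, n / len(packets)

def matches(pkt, signature):
    return all(pkt[k] == v for k, v in signature.items())

def build_signature(packets, baseline_pps, window_s, min_share=0.5, keep=0.95):
    """Closed loop: start with the most skewed parameter, then AND in further
    parameters while the narrower filter still catches `keep` of the excess."""
    excess = len(packets) - baseline_pps * window_s
    if excess <= 0:
        return {}, "normal"
    ranked = sorted(PARAMS, key=lambda k: top_value(packets, k)[1], reverse=True)
    val, share = top_value(packets, ranked[0])
    if share < min_share:                       # no dominant value: suspect, no filter
        return {}, "suspect"
    sig = {ranked[0]: val}                      # initial filter
    for param in ranked[1:]:                    # optimization: narrow with AND
        candidate = dict(sig)
        candidate[param] = top_value([p for p in packets if matches(p, sig)], param)[0]
        blocked = sum(matches(p, candidate) for p in packets)
        if blocked >= keep * excess:            # still mitigates: positive feedback
            sig = candidate
    return sig, "attack"

def constructed_traffic(seed=1):
    """Constructed sample: 200 legitimate packets plus a 2000-packet flood that
    mirrors vector III above (same source IP, TTL 244, fixed size and ID)."""
    rng = random.Random(seed)
    legit = [{"src_ip": f"192.0.2.{rng.randint(1, 200)}", "size": rng.randint(40, 1400),
              "ttl": rng.choice((64, 128)), "pkt_id": rng.randint(0, 65535), "attack": False}
             for _ in range(200)]
    flood = [{"src_ip": "198.51.100.7", "size": 1500, "ttl": 244, "pkt_id": 4660, "attack": True}
             for _ in range(2000)]
    mixed = legit + flood
    rng.shuffle(mixed)
    return mixed

def demo():
    """Baseline of 20 pps over a 10 s window; returns signature, verdict and hit counts."""
    packets = constructed_traffic()
    sig, verdict = build_signature(packets, baseline_pps=20, window_s=10)
    blocked_attack = sum(matches(p, sig) for p in packets if p["attack"])
    blocked_legit = sum(matches(p, sig) for p in packets if not p["attack"])
    return sig, verdict, blocked_attack, blocked_legit
```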
Application DoS attacks
HTTP Mitigator
Behavioral analysis and signature generation. Inputs: network, servers, clients. Inbound traffic from the public network passes through the behavioral analysis inspection module (abnormal activity detection) and the real-time signature module, then continues as outbound traffic to the enterprise network. Closed feedback: real-time signature generation, signature optimization, removal when the attack is over. Threats covered: DoS & DDoS, application-level threats, zero-minute malware propagation.
DNS Mitigator
Behavioral analysis of DNS traffic: the distribution of DNS query types (A, AAAA, MX, PTR, TEXT and other records) and their rate (DNS QPS) over time, each compared against its own baseline (A, AAAA, MX and PTR baselines). A degree of attack (DoA) per query type feeds a fuzzy logic inference system whose output is normal, suspect or attack.
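An added example (not Radware's code) tying the fuzzy-logic decision engine from the NBA slide to the per-query-type DNS analysis above: each record type's QPS is compared to its baseline, fuzzified into normal/suspect/attack, collapsed to a 0..10 degree of attack, and a proportional rise of every type with the query mix unchanged is classed as a flash crowd rather than an attack. The membership breakpoints, the 0.05 mix-shift threshold and the baselines are assumed.

```python
from typing import Dict, Tuple

TYPES = ("A", "AAAA", "MX", "PTR", "TEXT", "OTHER")

def memberships(ratio: float) -> Dict[str, float]:
    """Fuzzy membership of a rate/baseline ratio in normal, suspect and attack.
    Breakpoints at 1.5x, 3x, 5x and 8x baseline are constructed for this example."""
    normal = 1.0 if ratio <= 1.5 else max(0.0, (3 - ratio) / 1.5)
    suspect = max(0.0, min((ratio - 1.5) / 1.5, 1.0, (8 - ratio) / 3))
    attack = 0.0 if ratio <= 5 else min(1.0, (ratio - 5) / 3)
    return {"normal": normal, "suspect": suspect, "attack": attack}

def degree_of_attack(ratio: float) -> int:
    """Collapse the fuzzy sets to a 0..10 degree of attack (5 = fully suspect)."""
    m = memberships(ratio)
    return round(10 * min(1.0, 0.5 * m["suspect"] + m["attack"]))

def shares(qps: Dict[str, float]) -> Dict[str, float]:
    total = sum(qps.values()) or 1.0
    return {t: qps.get(t, 0.0) / total for t in TYPES}

def analyze(observed: Dict[str, float], baseline: Dict[str, float]) -> Tuple[str, Dict[str, int]]:
    """Per-type DoA plus an overall verdict; an unchanged query mix means flash crowd."""
    doa = {t: degree_of_attack(observed.get(t, 0.0) / max(baseline[t], 1e-9)) for t in TYPES}
    worst = max(doa.values())
    mix_shift = max(abs(a - b) for a, b in
                    zip(shares(observed).values(), shares(baseline).values()))
    if worst >= 8 and mix_shift >= 0.05:
        return "attack", doa
    if worst >= 3 and mix_shift < 0.05:
        return "flash crowd", doa
    if worst >= 3:
        return "suspect", doa
    return "normal", doa

def scenarios():
    """Constructed QPS baselines and three observed windows."""
    base = {"A": 500, "AAAA": 120, "MX": 30, "PTR": 40, "TEXT": 10, "OTHER": 20}
    text_flood = dict(base, TEXT=1000)                 # one type spikes, mix changes
    flash = {t: v * 2.5 for t, v in base.items()}      # everything rises, mix unchanged
    quiet = dict(base, A=600)                          # within normal variation
    return {name: analyze(obs, base) for name, obs in
            (("text_flood", text_flood), ("flash_crowd", flash), ("quiet", quiet))}
```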
SSL
Protection against attacks in encrypted traffic. Network-based DoS attacks (clear): packet anomalies, black & white lists, behavioral DoS and TCP cookie engines. Application-based DoS attacks (clear and SSL): traffic anomalies, floods, L7 ASIC regex engine. Directed application DoS attacks (clear and SSL): application cookie engines, authenticated clients. Encrypted traffic is terminated on the client side by Alteon's SSL acceleration engine.
Other methods
Other protection methods: IP reputation, signatures, black/white lists, ACLs, bandwidth management (QoS), server cracking.
Integration: DefensePro and APSolute Vision via CLI, SNMP, SOAP; signaling (SYSLOG); SNMP traps, mail; reports, SQL; SDN; NetFlow with Invea-tech.
DefenseFlow (SDN): the DefenseFlow application collects, analyzes and decides, and controls the network controller; diversion and DefensePro mitigation; mobile users. A completely new solution architecture: from a point security solution to a network-wide solution enabled by SDN; a dynamic, programmable, scalable, easy-to-operate security network service; best possible design: always out of path except under attack; unprecedented attack detection span.
WAF
Attack vectors: top attack vectors. Source: webappsec.org
Attack outcomes: top impact / outcomes. Source: webappsec.org
AppWall. Out-of-the-box PCI compliance: WAF + IPS (PCI 6.6 & 11.4), PCI compliance reporting. Fast implementation: simple initial deployment, best-in-class auto-policy generation. Risk management: unified and correlated reporting across the network, security reporting, APSolute Vision SIEM. Scalability: cluster deployment, centralized policy management, scalable by device. Complete web app protection: full coverage of the OWASP Top-10, negative and positive security models.
Web security: OWASP Top-10 coverage; negative and positive security model; out-of-the-box rules; WASC Threat Classification.
Complete web application protection. Signature and rule protection: cross-site scripting (XSS), SQL injection, LDAP injection, OS commanding, evasions, HTTP response splitting (HRS). Terminate TCP, normalize, enforce HTTP RFC. Data leak prevention: credit card numbers (CCN) / Social Security numbers (SSN), regular expressions.
Complete web application protection. Parameter inspection: buffer overflow (BO), zero-day attacks. User behavior: cross-site request forgery, cookie poisoning, session hijacking. Layer 7 ACL: folder/file/parameter level access control, white listing or black listing. XML and web services: XML validity and schema enforcement. Role-based policy: authentication, user tracking.
Flexible deployment strategies (access router, firewall, ADC with virtual IP, AppWall, web servers). Transparent bridge mode: no network topology changes required, transparent to non-HTTP traffic, fail-open interfaces. Transparent reverse proxy: HTTP proxy for maximum security, preserves the original client IP address. Reverse proxy: HTTP proxy for maximum security. Cluster deployment: ADC farm deployment with an AppWall array, auto policy synchronization within the farm.
Automatic rule creation: app mapping and threat analysis for Reservations.com, risk analysis per application path. /config/, /admin/: SQL injection (spoof identity, steal user information, data tampering). /register/: CCN breach (information leakage). /hotels/, /info/: directory traversal (gain root access control). /reserve/: buffer overflow (unexpected application behavior, system crash, full system compromise).
Recommended protection for Reservations.com (app mapping, threat analysis, policy generation). /config/, /admin/: SQL injection, prevent access to sensitive app sections. /register/: CCN breach, mask CCN, SSN, etc. in responses (***********9459). /hotels/, /info/: directory traversal, traffic normalization and HTTP RFC validation. /reserve/: buffer overflow, parameter inspection.
Authentication, SSO and role-based policy: authentication and login detection; accounting and auditing; authorization and access control; web-based single sign-on.
RBAC. Organizational roles: IT, HR, Finance, Operations. Application roles: customer, partner, employee, administrator. Attack source: external 18%, partner 2%, internal 80%.
Multi-vector RBAC: context (web role, IP and geo location) drives the security policy (application access control, data access and visibility, web security: XSS, SQL injection) and the action (block, report).
WAF selection criteria. Deployment: how fast can it be deployed? Autolearning in 7 days; automatic rule generation. Performance and scalability: cluster and licensing. Blocking only bad traffic: positive and negative security model.
Signaling: a web application attack (HTTP dynamic flood) is detected by AppWall in the data center; AppWall signals DefensePro; DefensePro mitigates the attack.
Elastic WAF. Step 1.1: growing traffic volume to the web application; 1.2: high AppWall resource utilization; 1.3: add an AppWall instance; 1.4: reduced resource utilization. Step 2.1: new tenant application added (operator); 2.2: new policy assigned (Alteon ADC-VX with external and internal vADC, multiple policies, user-selective routing of protected and unprotected tenants).
DefensePipe / Scrubbing center
DefensePipe: protection in the cloud against volumetric attacks; traffic is redirected ONLY during attacks; the first hybrid solution on the market; information shared between the CPE and the cloud.
DefensePipe operation flow: a volumetric DDoS attack blocks the Internet pipe; the on-premise AMS mitigates the attack; ERT and the customer decide to divert the traffic through the ISP to the cloud, and clean traffic is returned; Defense Messaging between the DefensePros and AppWall shares the essential information for attack mitigation; the protected online services and the protected organization stay available.
Radware AMS and ERT/SOC. Security Operations Center (SOC): regular signature updates every week and critical updates immediately; 24x7, knowledge shared worldwide. Emergency Response Team (ERT): 24x7 service for customers under attack; elimination of DoS/DDoS attacks, prevention of damage.
On premises or in the cloud?
SOC and ERT services
Architecture: a FlowMon probe monitors the link; a large number of links can be monitored. The FlowMon Collector (FC) gathers statistics and detects a (DoS/DDoS) attack. FlowMon gathers statistics for DefensePro; the FC provides the necessary information to DefensePro and configures the profile and the rule for mitigation. After the attack ends, the configuration is deleted. Advantages: scalability.
Conclusion
Summary: more attack vectors; users deploy multiple solutions; attackers exploit the gaps between non-integrated products. Attack Mitigation System (AMS): protection against APT (Advanced Persistent Threat = long-term campaigns); an integrated solution with correlation between the individual methods. A solution for online applications, data centers, hosting, cloud, and Internet service providers.
Thank You www.radware.com
Questions? petrl@radware.com www.radware.com security.radware.com