DDoS protection, Petr Lasek, RADWARE
APSolute solution
The RADWARE APSolute solution delivers for your network and applications:
- maximum availability (Availability),
- maximum performance (Performance),
- security (Security).
RADWARE
More than 10,000 customers
Continuous growth (chart: revenue in USD millions, 2002-2014, rising from 43.7 in 2002 to a forecast of 221.0 in 2014)
Global partnerships
References
- 7 of the world's top 14 stock exchanges
- 6 of the world's top 20 retailers
- 4 of the world's top telcos and 2 of the 10 top cloud service providers
- 12 of the world's top 20 commercial banks
- the NBA, NHL, MLB and Nascar
all use Radware AMS.
Current security risks
Security
What protects, and against what?
Protection purposes:
- Data-at-rest protection (confidentiality)
- Data-at-endpoint protection (confidentiality)
- Data-in-transit protection (confidentiality)
- Network infrastructure protection (integrity)
- Application infrastructure protection (integrity)
- Volumetric attacks (availability)
- Non-volumetric resource attacks (availability)
Protection technologies mapped against these purposes on the slide: Firewall, IPS, WAF, Router ACLs, Anti-DoS Appliance (CPE), Next Gen FW, DLP, Cloud Anti-DoS.
DDoS trends 2014-2015
- DDoS is the most common attack method.
- Attacks last longer.
- Government and financial services are the most attacked sectors.
- The multi-vector trend continues.
Who is the target?
(chart: attacked sectors in 2014 and the change versus 2013; source: Radware Global Application and Network Report 2014)
Motivation?
- Extortion ("protection money")
- Competitive fighting (an attack can easily be bought)
- A dissatisfied customer
- Politics, religion
- Hacktivism
DDoS attacks
Multiple technologies must be combined!
Attack types:
- HTTP floods
- SSL floods
- Application misuse and "Low & Slow" DoS attacks
- SYN floods
- Large-volume network flood attacks
- Brute force (e.g. Sockstress)
- Network scans
Corresponding protection technologies:
- Cloud DDoS protection
- DoS protection
- IPS
- Behavioral analysis
- SSL protection
- WAF
Anatomy of an attack
Vector I: TCP garbage flood
Attack vector: PSH+ACK garbage flood to port 80
Description: TCP PSH+ACK packets that contain garbage data; no initiation of a proper TCP handshake
Mitigation:
- Out-of-state
- Signature (SUS, for all customers)
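The "out-of-state" mitigation above relies on the device remembering which flows actually completed a handshake. The following is an added example, not Radware code: a minimal connection tracker that flags ACK / PSH+ACK segments for a 4-tuple that never went through SYN, SYN-ACK, ACK in front of it, and counts them against their source. The packets, addresses and the per-source threshold are constructed for the demo.

```python
"""Out-of-state TCP detection for a PSH+ACK garbage flood.

Added example, not Radware code: a minimal connection tracker in the spirit
of the 'out-of-state' mitigation above. A segment carrying ACK or PSH+ACK for
a 4-tuple that never completed a SYN -> SYN-ACK -> ACK handshake in front of
the device is out of state and is counted against its source. All packets
below are constructed tuples, not captured traffic.
"""
from collections import defaultdict

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


class TcpStateTracker:
    def __init__(self, threshold=3):
        # (src, sport, dst, dport) -> "SYN_SENT" | "SYN_RECV" | "ESTABLISHED",
        # keyed from the client's point of view
        self.states = {}
        self.out_of_state = defaultdict(int)  # source IP -> out-of-state count
        self.threshold = threshold            # assumed per-source alert threshold

    def observe(self, src, sport, dst, dport, flags):
        """Track one segment; return True if it is out of state."""
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if flags & (RST | FIN):               # teardown: forget the flow
            self.states.pop(fwd, None)
            self.states.pop(rev, None)
            return False
        if flags & SYN and not flags & ACK:   # client SYN opens a flow
            self.states[fwd] = "SYN_SENT"
            return False
        if flags & SYN and flags & ACK:       # server SYN-ACK must answer a SYN
            if self.states.get(rev) == "SYN_SENT":
                self.states[rev] = "SYN_RECV"
                return False
            self.out_of_state[src] += 1
            return True
        # pure ACK or PSH+ACK
        if self.states.get(fwd) == "SYN_RECV":   # third handshake packet
            self.states[fwd] = "ESTABLISHED"
            return False
        if "ESTABLISHED" in (self.states.get(fwd), self.states.get(rev)):
            return False
        self.out_of_state[src] += 1           # data with no handshake behind it
        return True

    def offenders(self):
        """Sources whose out-of-state count reached the threshold."""
        return sorted(s for s, n in self.out_of_state.items() if n >= self.threshold)


def demo():
    """Constructed traffic: one legitimate flow, then a PSH+ACK garbage flood."""
    t = TcpStateTracker(threshold=3)
    legit = [
        ("10.0.0.5", 40000, "198.51.100.10", 80, SYN),
        ("198.51.100.10", 80, "10.0.0.5", 40000, SYN | ACK),
        ("10.0.0.5", 40000, "198.51.100.10", 80, ACK),
        ("10.0.0.5", 40000, "198.51.100.10", 80, PSH | ACK),  # real request
    ]
    flood = [("203.0.113.7", 1024 + i, "198.51.100.10", 80, PSH | ACK)
             for i in range(5)]                                  # no handshake
    verdicts = [t.observe(*p) for p in legit + flood]
    return verdicts, t.offenders()


if __name__ == "__main__":
    print(demo())
```

The check only works when the device sees both directions of the flow: with asymmetric routing, or when it is deployed after flows were already established, legitimate traffic would also appear out of state, which is why such a device first learns existing sessions (or starts in a non-blocking mode) before enforcing.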
Vector III: IP fragment flood to port 80
Attack vector: IP fragments
Description:
- TCP protocol, port 80
- Fragment offset = 512
- TTL = 244
- Same source IP (unusual for this attack)
Mitigation: BDOS
BDOS mitigation in action (screenshot)
Vector IV: UDP flood to a random port
Attack vector: UDP flood to a random port
Description:
- UDP flood
- Packets contained garbage data
Mitigation: BDOS
BDOS mitigation in action (screenshot)
How to choose the right solution?
Technology?
- All vectors (network, application, SSL, low & slow)?
- Brute-force ("volumetric") attacks?
- Blocking only the attack (false positives)?
- Dedicated hardware (hardware for blocking)?
- Dedicated box (protecting the entry point to the network)?
- Real-time (inline) protection?
- Management / reporting (SIEM)?
Vendor?
- Support during an attack, 24x7 (ERT, not just regular support)?
- References (ideally with MSSPs)?
- A real solution?
- Own research?
RADWARE solution
- Powerful hardware, from 200 Mbps up to 300 Gbps
- Combination of multiple technologies (DoS Shield, IPS, NBA, IP reputation, SSL)
- ERT team services during an attack
- DefensePipe, DDoS protection in the cloud
- Integration (NetFlow, OpenFlow)
- Ongoing research (low & slow, counter-attack)
- References with MSSPs
AMS = Attack Mitigation System
(diagram: traffic from the Internet reaches the protected organization through three tiers, in the cloud, at the perimeter and at the front end (Alteon / AppWall), linked by Defense Messaging; a volumetric DDoS attack that saturates the Internet pipe is handled in the cloud tier)
Radware Attack Mitigation System (AMS)
- Coverage of all vectors
- ERT: immediate response
- Management / monitoring / reporting
AMS components
- DefensePro: Anti-DoS, NBA, IPS, Reputation Engine; throughput 200 Mbps - 40 Gbps; appliance & VA
- DefensePipe: cloud-based service against pipe saturation; on-demand scalability; simple traffic-based pricing model
- AppWall: web application firewall; complete web application protection offering; web-application availability attack detection; appliance & VA
- Alteon - DefenseSSL: Radware ADC solution; fast, hardware-based SSL decryption, FIPS validated
- ERT (Emergency Response Team): 24/7 service to customers under attack
- APSolute Vision: SIEM with real-time views, historical and forensics reports
The difference: performance under attack
DefensePro: 230 million PPS of attack traffic mitigated with no impact on other traffic (multi-Gbps capacity, 160 Gbps of legitimate traffic)
Other network security solutions: the attack is blocked at the expense of regular traffic (legitimate traffic shares the same multi-Gbps capacity with the attack traffic)
Traffic cleaning: hardware architecture
- DME, DDoS Mitigation Engine (25M PPS / 60 Gbps)
- Multi-purpose multi-core CPUs (38 Gbps)
- L7 regex acceleration ASIC and Reputation Engine
- Behavioral-based protections
Radware VISION: Security Event Management (SEM)
- Correlated reports
- Trend analysis
- Compliance management
- Real-time monitoring
- Advanced alerts
- Forensics
- Export to a 3rd-party SIEM
Network DoS attacks
SYN protection: challenge/response, with RADWARE's extension
The original idea (diagram: Real User, DefensePro, Target):
1. Real user -> DefensePro: SYN
2. DefensePro -> real user: SYN-ACK + cookie
3. Real user -> DefensePro: ACK + cookie
4. The cookie is validated; the TCP challenge has been passed and delayed binding begins: DefensePro -> Target: SYN, Target -> DefensePro: SYN-ACK, DefensePro -> Target: ACK
5. Data flows between the real user and the target through DefensePro
RADWARE extension: an HTTP redirect / JavaScript challenge, awaiting a data packet with a valid cookie.
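The exchange above, carried through in code as an added example that is not Radware's implementation: the proxy answers every SYN with a SYN-ACK whose initial sequence number is an HMAC-based cookie over the 4-tuple and a coarse time counter, stores nothing, and opens the back-end connection (delayed binding) only when an ACK carrying cookie+1 arrives while the cookie is still valid. The secret, the 64-second window, the addresses and the fixed clock are assumptions for the demo.

```python
"""SYN challenge/response with a stateless cookie, as in the sequence above.

Added example, not Radware's implementation. The proxy answers every SYN with
a SYN-ACK whose initial sequence number is a cookie (an HMAC over the 4-tuple
and a coarse time counter) and keeps no state. Only an ACK that carries
cookie+1 within the validity window passes the challenge; then the proxy
opens the back-end connection ('delayed binding'). A spoofed source never
receives the SYN-ACK, so it cannot answer, and the target never sees its SYN.
Secret, window length and addresses below are assumptions for the demo.
"""
import hashlib
import hmac
import os
import time

MASK32 = 0xFFFFFFFF


class SynChallenge:
    def __init__(self, secret=None, window=64):
        self.secret = secret or os.urandom(32)  # assumed: rotated periodically in practice
        self.window = window                    # seconds one cookie stays valid
        self.bound = []                         # back-end flows opened after a passed challenge

    def _cookie(self, src, sport, dst, dport, counter):
        msg = f"{src}:{sport}->{dst}:{dport}@{counter}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")   # 32-bit, ISN-sized cookie

    def on_syn(self, src, sport, dst, dport, now=None):
        """Client SYN arrives: return the ISN for our SYN-ACK. No state is stored."""
        now = time.time() if now is None else now
        return self._cookie(src, sport, dst, dport, int(now) // self.window)

    def on_ack(self, src, sport, dst, dport, ack_num, now=None):
        """Client ACK arrives: validate cookie+1, then bind to the target."""
        now = time.time() if now is None else now
        counter = int(now) // self.window
        expected_isn = (ack_num - 1) & MASK32
        for c in (counter, counter - 1):        # accept the current and previous window
            if hmac.compare_digest(
                self._cookie(src, sport, dst, dport, c).to_bytes(4, "big"),
                expected_isn.to_bytes(4, "big"),
            ):
                # delayed binding: SYN -> target, SYN-ACK <- target, ACK -> target
                self.bound.append((src, sport, dst, dport))
                return True
        return False


def demo():
    """Constructed exchange: a real user, a spoofed source, and a stale replay."""
    proxy = SynChallenge(secret=b"demo-secret", window=64)
    t0 = 1_700_000_000                          # fixed clock for reproducibility
    isn = proxy.on_syn("10.0.0.5", 40000, "198.51.100.10", 80, now=t0)
    real_user = proxy.on_ack("10.0.0.5", 40000, "198.51.100.10", 80,
                             (isn + 1) & MASK32, now=t0 + 1)
    # spoofed source never saw the SYN-ACK and has to guess the ACK number
    spoofed = proxy.on_ack("203.0.113.7", 5555, "198.51.100.10", 80,
                           0x12345678, now=t0 + 1)
    # the same valid cookie replayed after the window has expired
    stale = proxy.on_ack("10.0.0.5", 40000, "198.51.100.10", 80,
                         (isn + 1) & MASK32, now=t0 + 3 * 64)
    return real_user, spoofed, stale, len(proxy.bound)


if __name__ == "__main__":
    print(demo())  # (True, False, False, 1)
```

Classic SYN cookies also encode the negotiated MSS in the ISN because TCP options are lost when no state is kept; the delayed-binding step is where the proxy must then reconcile sequence numbers between the client-side and target-side connections.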
NBA and RT signature technology: the mitigation optimization process
(diagram: inbound traffic from the public network passes the Detection Engine and the Blocking Rules before reaching the protected network; statistics from the Detection Engine feed a closed feedback loop that drives real-time signature generation)
0. Learning: the Detection Engine builds traffic statistics.
1. Degree of attack = high (positive feedback): mitigation starts.
2. Initial filter is generated: Packet ID.
3. Filter optimization: Packet ID AND Source IP; then Packet ID AND Source IP AND Packet size; then Packet ID AND Source IP AND Packet size AND TTL.
4. Final filter, up to 10 seconds after the attack started; the blocking rules produce the filtered traffic.
5. Degree of attack = low (negative feedback), at 10+X seconds.
Signature parameters (the narrowest filters):
- Source/Destination IP address
- Source/Destination port
- Packet ID
- Packet size
- TTL (Time To Live)
- DNS query
- TCP sequence number
- More ... (up to 20)
NBA: fuzzy logic
Decision Engine (diagram): X-axis = abnormal rate of SYN packets, Y-axis = abnormal TCP flags ratio, Z-axis = flash crowd; the plane is divided into a normal adapted area, a suspicious area and an attack area, and the Attack Degree axis runs from normal through suspect to attack (example shown: Attack Degree = 5, normal/suspect).
Application DoS attacks
Example: HTTP flood
(diagram: an attacker sends bot commands through an IRC server to HTTP bots (infected hosts), which misuse the service resources of the public web servers over the Internet)
- Static signatures: the requests to the server are legitimate, so the attack cannot be detected this way
- Connection limit against high-volume attacks: typically does not reflect which page is being attacked; blocks legitimate traffic; high rate of "false positives"
Behavioral analysis and signature generation, DoS & DDoS
(diagram: inbound traffic from the public network passes through the Real-Time Signature Inspection Module into the enterprise network; Behavioral Analysis takes inputs from the network, servers and clients and covers application-level threats and zero-minute malware propagation)
- Abnormal activity detection
- Real-time signature generation
- Closed feedback: optimize the signature, remove it when the attack is over
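The fuzzy-logic decision engine and the closed-loop signature narrowing described in the NBA slides above, implemented together as an added example that is not Radware's engine. Two fuzzy inputs, the SYN rate relative to the learned baseline and the SYN share of all TCP flags, give a degree of attack from 1 to 10; because they are combined with a fuzzy AND, a flash crowd that raises the rate but not the flags ratio stays "normal". When the degree is high, a blocking filter is built one parameter at a time: a candidate AND term is accepted only if the traffic it lets through still looks normal (otherwise the attack is still getting through, the positive-feedback case), and among those the term that catches the fewest packets of the learned baseline wins. All traffic records, thresholds and parameter names are constructed for the demo.

```python
"""Behavioral detection plus closed-loop real-time signature generation.

Added example illustrating the NBA fuzzy-logic and RT-signature slides above;
it is not Radware's engine. Two fuzzy inputs, the SYN rate relative to the
learned baseline and the SYN share of all TCP flags, give a degree of attack
from 1 to 10 (fuzzy AND, so a flash crowd that raises the rate but not the
flags ratio stays 'normal'). When the degree is high, a blocking filter is
built one parameter at a time: each added AND term must keep the degree low
on the traffic it lets through (positive feedback otherwise) while blocking
fewer packets of the learned baseline. All traffic records are constructed;
thresholds are assumptions.
"""
from collections import Counter

SIG_PARAMS = ("src_ip", "dst_port", "pkt_id", "size", "ttl")
MAX_TERMS = 20          # slide: up to 20 signature parameters


def ramp(x, lo, hi):
    """Fuzzy membership: 0 below lo, 1 above hi, linear in between."""
    return max(0.0, min(1.0, (x - lo) / (hi - lo)))


def attack_degree(pkts, baseline_syn_rate, window_s):
    """Degree of attack 1..10 for one window of TCP packets."""
    if not pkts:
        return 1
    syns = sum(1 for p in pkts if p["flags"] == "S")
    rate_ratio = (syns / window_s) / baseline_syn_rate   # X-axis: SYN rate vs baseline
    syn_share = syns / len(pkts)                         # Y-axis: TCP flags ratio
    mu_rate = ramp(rate_ratio, 1.5, 5.0)                 # assumed fuzzy thresholds
    mu_ratio = ramp(syn_share, 0.3, 0.8)
    return 1 + round(9 * min(mu_rate, mu_ratio))         # fuzzy AND of both axes


def matches(pkt, sig):
    """A packet matches a signature when every AND term is equal."""
    return all(pkt.get(k) == v for k, v in sig)


def generate_signature(window, baseline, baseline_syn_rate, window_s, low=3):
    """Closed-loop narrowing: add terms while the attack stays blocked and
    fewer legitimate (baseline) packets are caught. Returns (signature, collateral)."""
    sig = []
    collateral = len(baseline)        # an empty signature is 'block everything'
    for _ in range(MAX_TERMS):
        best = None
        for k in SIG_PARAMS:
            if any(t[0] == k for t in sig):
                continue
            for v in {p[k] for p in window}:
                cand = sig + [(k, v)]
                passed = [p for p in window if not matches(p, cand)]
                if attack_degree(passed, baseline_syn_rate, window_s) > low:
                    continue          # positive feedback: attack still gets through
                fp = sum(matches(p, cand) for p in baseline)
                if best is None or fp < best[0]:
                    best = (fp, k, v)
        if best is None or best[0] >= collateral:
            break                     # nothing narrows the filter any further
        sig.append((best[1], best[2]))
        collateral = best[0]
        if collateral == 0:
            break                     # negative feedback: attack gone, no false positives
    return sig, collateral


def synth(i):
    """Constructed legitimate packet i (mix of flags, sizes, TTLs, ports)."""
    return dict(src_ip=f"10.0.0.{i % 4 + 1}", dst_port=80 if i % 2 else 443,
                pkt_id=(i * 37) % 148, size=(60, 512, 1400)[(i // 2) % 3],
                ttl=(64, 128, 55, 128, 64)[i % 5], flags="S" if i % 5 == 0 else "PA")


def demo():
    window_s, baseline = 1.0, [synth(i) for i in range(20)]          # learning phase
    base_rate = sum(p["flags"] == "S" for p in baseline) / window_s  # 4 SYN/s
    # constructed SYN flood: spoofed sources, fixed IP ID / size / TTL, mixed with 10 legitimate packets
    flood = [dict(src_ip=f"198.18.0.{i}", dst_port=80, pkt_id=111, size=60, ttl=64, flags="S")
             for i in range(40)]
    window = [synth(i) for i in range(10)] + flood
    # constructed flash crowd: many new clients, but a normal flag mix
    flash = [dict(src_ip=f"10.1.0.{i}", dst_port=80, pkt_id=i, size=1400, ttl=64,
                  flags="S" if i % 5 == 0 else "PA") for i in range(60)]
    sig, fp = generate_signature(window, baseline, base_rate, window_s)
    return (attack_degree(baseline, base_rate, window_s),
            attack_degree(flash, base_rate, window_s),
            attack_degree(window, base_rate, window_s), sig, fp)


if __name__ == "__main__":
    print(demo())  # (1, 1, 10, [('pkt_id', 111), ('size', 60), ('ttl', 64)], 1)
```

In the demo the spoofed source addresses never qualify as a term because blocking any single one leaves the flood flowing, so the loop settles on IP ID AND size AND TTL with one baseline packet still caught; the same loop would keep narrowing with the remaining parameters (port, DNS query, sequence number) if they separated the last false positive. Removing the signature once the degree stays low is the "remove when attack is over" step of the slide.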
Other protection methods
- IP reputation
- Signatures
- Black/white lists, ACLs
- Bandwidth management (QoS)
- Server cracking protection
- SSL mitigation
Integration
DefensePro / APSolute Vision:
- CLI, SNMP, SOAP, REST API
- Signaling (SYSLOG), SNMP traps, e-mails
- Reports, SQL
- SDN: OpenFlow
- NetFlow: Invea-tech
DefensePipe / scrubbing center
DefensePipe: how does it work?
(diagram: ISP, DefensePipe scrubbing center, on-premise AMS with DefensePros and AppWall, protected online services inside the protected organization)
- A volumetric DDoS attack blocks the Internet pipe; the on-premise AMS mitigates the attack.
- The ERT together with the customer decide to divert the traffic to DefensePipe.
- Defense Messaging between DefensePro and the cloud shares the essential information for attack mitigation.
- Clean traffic is returned to the protected organization.
On premises or in the cloud?
DDoS Defender: architecture
- FlowMon probe for monitoring the link; a large number of links can be monitored
- FlowMon Collector (FC) collects statistics and detects the (DoS/DDoS) attack; FlowMon collects the statistics for DefensePro
- The FC provides the necessary information to DefensePro and configures the profile and rule for mitigation; after the attack ends, the configuration is deleted
- Advantages: scalability; simple deployment in complex networks; cost-effective
Questions?
[email protected]
www.radware.com, security.radware.com