DSS ITSEC Conference 2012 - Radware - Protection from SSL DDOS Attacks
Presentation Transcript

  • Modern DDoS and DDoS SSL Attacks. Michael Soukonnik, Radware FSU, November 2012
  • DDoS – a regular service? Slide 2
  • Legends vs. Reality
  • Size does not matter! Reality:
    – Most organizations may never experience an intense attack
    – Less intensive application attacks can cause more damage than network attacks
    76 percent of the attacks surveyed were under 1 Gbps. Slide 4
  • Are we really protected from DDoS? Chart of survey results: the Internet link is saturated in 27% of the attacks; stateful devices are vulnerable to DDoS in 36% of the attacks. Slide 5
  • 1 fail is enough! Radware security incidents report 2011:
    – More than 70% of Radware reported cases in 2011 involved at least 3 attack vectors
    – Attackers use multi-vulnerability attack campaigns, making mitigation nearly impossible
    Attack vectors shown, from network to application layer: large-volume network flood attacks; network scan; intrusion; port scan; SYN flood attack; "Low & Slow" DoS attacks (e.g., Sockstress); application vulnerability, malware; high-and-slow application DoS attacks; Web attacks: XSS, brute force; Web attacks: SQL injection. Slide 6
  • Network Attack and Application Attack Coexist Slide 7
  • Mapping Security Protection Tools. Tools: DoS Protection, Behavioral Analysis, IPS, IP Reputation, WAF, mapped against the same attack vectors: large-volume network flood attacks; network scan; intrusion; port scan; SYN flood attack; "Low & Slow" DoS attacks (e.g., Sockstress); application vulnerability, malware; high-and-slow application DoS attacks; Web attacks: XSS, brute force; Web attacks: SQL injection. Slide 8
  • Radware answers – Attack Mitigation System (AMS)
  • Network & data center security: mapping the technologies. DefensePro – dynamic signature in 18 sec!!! Modules: IPS, DoS Protection, NBA, Reputation Engine, Anti Trojan / Anti Phishing. Detection techniques: signature detection, user detection, behavioral analysis, stateful inspection, application rate-based, SYN cookies.
  • AMS Protection Set:
    – DoS Protection: prevent all types of network DDoS attacks
    – Reputation Engine: financial fraud protection; anti Trojan & phishing
    – IPS: prevent application vulnerability exploits
    – NBA: prevent application resource misuse; prevent zero-minute and zero-day malware attacks
    – WAF: mitigating Web application threats
    Slide 11
  • The Competitive Advantage: Performance Under Attack. DefensePro (12 million PPS): attack traffic does not impact legitimate traffic. Other network security solutions: the device handles attack traffic at the expense of legitimate traffic! (Diagram: multi-Gbps capacity, legitimate traffic alone vs. legitimate traffic + attack traffic.) Slide 12
  • NY Stock Exchange Under Attack – Multi Vector Attack. Uniquely capable to withstand the sophistication and scale of recent attacks. Attack vectors (approximate dates; attack peak; protection mechanisms):
    – Fragmented UDP flood, Low & slow and intrusions…, LOIC UDP: 10/10/2011 4 AM, 10/10/2011 8 PM – 11 PM and 10/10/2011 11 PM – 11/10/2011 1 AM; peaks 95 Mbps / 10K PPS and 50 Mbps / 5K PPS; BDoS, DoSS, signatures
    – TCP SYN flood: 11/10/2011 1:40 PM; 13.6 Mbps / 24K PPS; BDoS, DoSS
    – R.U.D.Y: 10/10/2011 4 PM; 2.1 Mbps / 0.7K PPS; signature
    – LOIC TCP: 10/10/2011 11 PM – 11/10/2011 3:30 AM; 500 Kbps / 0.2K PPS; signatures
    – Mobile LOIC: 10/10/2011 6 PM – 8:30 PM; 86 Kbps / 13 PPS; signature
    – #RefRef: 10/10/2011 9:45 PM; few packets; signature
    Slide 13
  • Network Attack and Application Attack Coexist Slide 14
  • SSL Attacks. SSL services are extremely vulnerable to DDoS attacks:
    – SSL Handshake Flood: establishing a secure connection requires 15 times more processing on the server than on the client; opening multiple sessions quickly exhausts the server's resources
    – SSL Renegotiation Flood: the client asks for key replacement during an existing session, with a similar effect on the server; could be blocked on the server side. Popular since the release of THC-SSL-DOS last October
    – HTTPS Flood: exhausting the web application running on top of the secure session
    Slide 15
  • Leading Israeli bank under attack, December 11, 2011
  • Israeli Bank: Course of Events
    – 15:05 – Attack starts: HTTPS flood. 167 attackers open up to 70 SSL sessions per second; established sessions contain HTTP requests for the secure login page (GET /InternalSite/CustomUpdate/eBank_Login.asp); constant User-Agent: wget. Service became unavailable in seconds
    – Attack peak measurements: 200 Mbps; 360K concurrent connections; 1100 CPS
    – 15:22 – ERT initiated
    – 16:10 – Attack blocked, service revived: ODS-3 deployed on-site (no SSL protection); the high rate allows easy identification of attackers; a custom signature suspends sources sending more than 5 "SSL Client Hello" per second
    Slide 17
  • AMS Encrypted Attack Mitigation Solution
  • AMS Encrypted Attacks Mitigation. Diagram components: L7 ASIC regex engines; application "cookie" engine; traffic anomalies; network-based DoS (clear and SSL); application-based DoS floods (clear and SSL); "directed" application DoS attacks (clear and SSL); packet anomalies; behavioral DoS & TCP cookie engines; black & white lists; Alteon SSL acceleration engine (client-side termination point; SSL certificates not used for legal sessions). Once an attack is detected, there are 3 main security actions done on each client who tries to connect to the protected server(s):
    – Clear attack protection: DefensePro "authenticates" the source through a "safe-reset SYN cookie" mechanism, verifying the validity of the source IP and its TCP/IP stack
    – HTTP signature: DefensePro receives the decrypted 1st HTTP client request of the "authenticated" clients from the SSL engine and applies application-layer signatures. This is done in order to remove the "directed HTTP DoS attacks" that can only be mitigated by pre-defined or custom signatures
    – Web cookie challenge: in case the client "passes" the HTTP filter check, DefensePro generates a Web cookie challenge (302 or JS challenge) that is encrypted and returned to the client by the Alteon SSL engine. Client responses are decrypted and sent to DefensePro, which validates the response. A client that responds correctly is "authenticated" (application-level "authentication") and forced to open a new connection directly to the protected server
    Slide 19
  • AMS Encrypted Attacks Mitigation – AMS protecting the HTTPS service. Attack / target / protection:
    – Network floods – TCP service – SYN cookies, BDoS
    – SSL floods – SSL service – signatures, SSL mitigation*
    – Application floods – Web service – SSL mitigation, signatures
    * SSL mitigation expands the resources: Alteon can handle up to 45K SSL sessions
    – Banks and other financial institutions not able to export certificate (MSSP and such)
    – Unique solution that requires two devices; will be merged in the future into 1 box
    Slide 20
  • Sample of AMS Security Customers: Financial Services; Retail Services; Government, Healthcare & Education; Carrier & Technology Services. Slide 22
  • Summary
    – Radware AMS protects against all types of DDoS attacks and application attacks
    – Radware AMS first of all enables legal users to work under attack
    – AMS can protect against SSL DDoS without using legal SSL certificates
    – AMS works automatically: within 18 seconds from an attack rise, a dynamic signature starts to work against the attack. No human interference usually required
    – In case of a very complicated attack, the Radware Emergency Response Team can be involved online
    – ERT enables counter attack against DDoS sources
    Slide 23
  • Thank You. www.radware.com
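The mitigation on Slide 17 (suspend sources that send more than 5 "SSL Client Hello" per second) as an added detection example; this is illustrative code written for this transcript, not Radware's signature engine. It assumes the detector sees client-to-server TLS records with a timestamp and source IP; the traffic and the RFC 5737 addresses are constructed.

```python
import struct
from collections import defaultdict, deque
TLS_HANDSHAKE, CLIENT_HELLO = 0x16, 0x01  # TLS record content type / handshake message type

def is_client_hello(data: bytes) -> bool:
    """True if data starts with a TLS record whose first handshake message is a ClientHello."""
    if len(data) < 6:
        return False
    record_len = struct.unpack("!H", data[3:5])[0]
    return data[0] == TLS_HANDSHAKE and data[1] == 3 and record_len >= 4 and data[5] == CLIENT_HELLO

class ClientHelloRateMonitor:
    """Suspends a source once it sends more than max_per_window ClientHellos inside the window."""
    def __init__(self, max_per_window: int = 5, window: float = 1.0):
        self.max_per_window, self.window = max_per_window, window
        self.recent = defaultdict(deque)  # source IP -> timestamps of recent ClientHellos
        self.suspended = set()

    def observe(self, ts: float, src: str, data: bytes) -> bool:
        """Feed one client-to-server TLS record; returns True if src is (now) suspended."""
        if src in self.suspended:
            return True
        if not is_client_hello(data):
            return False  # application data and other records do not count against the source
        hits = self.recent[src]
        hits.append(ts)
        while hits and ts - hits[0] > self.window:
            hits.popleft()  # forget ClientHellos that fell out of the sliding window
        if len(hits) > self.max_per_window:
            self.suspended.add(src)
            return True
        return False

def tls_record(content_type: int, body: bytes) -> bytes:
    # TLS 1.0 record header: type, version 3.1, 2-byte length (constructed sample data, not captures)
    return bytes([content_type, 3, 1]) + struct.pack("!H", len(body)) + body
# Handshake body: message type 0x01, 3-byte length, then six placeholder bytes.
CLIENT_HELLO_RECORD = tls_record(TLS_HANDSHAKE, b"\x01\x00\x00\x06\x03\x01" + b"\x00" * 4)
APP_DATA_RECORD = tls_record(0x17, b"\x00" * 16)

def demo() -> list:
    """Constructed traffic: 203.0.113.7 opens 8 sessions in 0.8 s; 198.51.100.20 behaves normally."""
    mon = ClientHelloRateMonitor(max_per_window=5)
    events = [(0.1 * i, "203.0.113.7", CLIENT_HELLO_RECORD) for i in range(8)]
    events += [(0.0, "198.51.100.20", CLIENT_HELLO_RECORD), (0.5, "198.51.100.20", APP_DATA_RECORD),
               (1.2, "198.51.100.20", CLIENT_HELLO_RECORD), (1.9, "198.51.100.20", CLIENT_HELLO_RECORD)]
    for ts, src, data in sorted(events, key=lambda e: e[0]):
        mon.observe(ts, src, data)
    return sorted(mon.suspended)
```

Only handshake records count, so a slow legitimate client that keeps one session open and sends application data is never penalised; the window and threshold are the tunables the slide's rule exposes.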
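The Web cookie challenge from Slide 19 (the 302 variant, issued on the first decrypted request and validated on the client's return) as an added example; it is not Radware's implementation. The cookie format, the per-deployment secret, the cookie name and the 30-second lifetime are all assumptions made here.

```python
import hmac
import hashlib

# Assumptions made for this example: a per-deployment secret, a cookie name and a short
# lifetime. The real AMS cookie format is not described on the slides.
SECRET = b"constructed-demo-secret-rotate-in-production"
COOKIE_NAME = "ams_chal"
CHALLENGE_TTL = 30  # seconds a challenge cookie stays valid

def _tag(src_ip: str, issued: str) -> str:
    """HMAC over (source IP, issue time): a cookie cannot be reused from another address."""
    return hmac.new(SECRET, f"{src_ip}|{issued}".encode(), hashlib.sha256).hexdigest()

def make_challenge(src_ip: str, now: float) -> str:
    issued = str(int(now))
    return f"{issued}.{_tag(src_ip, issued)}"

def verify_challenge(src_ip: str, cookie: str, now: float) -> bool:
    """True only for a well-formed, unexpired cookie whose tag matches this source IP."""
    issued, _, tag = cookie.partition(".")
    if not issued.isdigit() or not tag:
        return False
    if not hmac.compare_digest(tag.encode(), _tag(src_ip, issued).encode()):
        return False
    return 0 <= now - int(issued) <= CHALLENGE_TTL

def _cookie_from_header(header: str) -> str:
    """Pull our cookie value out of a raw Cookie: header; '' if absent."""
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return value
    return ""

def handle_request(src_ip: str, path: str, headers: dict, now: float):
    """Decide on the first decrypted request of a connection.
    Returns ('forward', path) for an authenticated client, else (302, challenge headers)."""
    if verify_challenge(src_ip, _cookie_from_header(headers.get("Cookie", "")), now):
        return ("forward", path)  # client proved it runs a real HTTP stack; pass it on
    return (302, {
        "Location": path,  # a real browser follows the redirect and presents the cookie
        "Set-Cookie": f"{COOKIE_NAME}={make_challenge(src_ip, now)}; Secure; HttpOnly",
        "Connection": "close",  # the retry must arrive on a new connection
    })
```

A scripted client that repeats the same GET without honouring Set-Cookie, like the wget flood on Slide 17, never gets past the 302 and never reaches the protected login page.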