DSS ITSEC Conference 2012 - Radware - Protection from SSL DDOS Attacks



  1. Modern DDoS and DDoS SSL Attacks. Michael Soukonnik, Radware FSU, November 2012
  2. DDoS – a regular service?
  3. Legends vs. Reality
  4. Size does not matter!
     • Reality:
       – Most organizations may never experience an intense attack
       – Less intensive application attacks can cause more damage than network attacks
     76 percent of the attacks surveyed were under 1 Gbps
  5. Are we really protected from DDoS?
     [Chart: Internet link is saturated (27% of the attacks); stateful devices are vulnerable to DDoS (36% of the attacks)]
  6. One fail is enough!
     [Figure: attack vectors by layer – large-volume network flood attacks; network scan; intrusion; port scan; SYN flood attack; "Low & Slow" DoS attacks (e.g., Sockstress); application vulnerability, malware; high-and-slow application DoS attacks; Web attacks: XSS, brute force; Web attacks: SQL injection]
     Radware security incidents report 2011:
     • More than 70% of Radware reported cases in 2011 involved at least 3 attack vectors
     • Attackers use multi-vulnerability attack campaigns, making mitigation nearly impossible
  7. Network Attack and Application Attack Coexist
  8. Mapping Security Protection Tools
     [Figure: protection tools – DoS Protection, Behavioral Analysis, IPS, IP Reputation, WAF – mapped against the attack vectors of slide 6: large-volume network flood attacks; network scan; intrusion; port scan; SYN flood attack; "Low & Slow" DoS attacks (e.g., Sockstress); application vulnerability, malware; high-and-slow application DoS attacks; Web attacks: XSS, brute force; Web attacks: SQL injection]
  9. Radware answers – Attack Mitigation System (AMS)
  10. Network & data center security: mapping the technologies
      DefensePro: dynamic signature in 18 sec!!!
      [Diagram: IPS, DoS Protection, NBA, Anti Trojan / Anti Phishing, Reputation Engine; underlying techniques – Signature Detection, User Detection, Behavioral Analysis, Stateful Inspection, Application Rate-based Behavioral Analysis, SYN Cookies]
  11. AMS Protection Set
      DoS Protection
      • Prevent all types of network DDoS attacks
      IPS
      • Prevent application vulnerability exploits
      WAF
      • Mitigating Web application threats
      Reputation Engine
      • Financial fraud protection
      • Anti Trojan & Phishing malware
      NBA
      • Prevent application resource misuse
      • Prevent zero-minute and zero-day attacks
  12. The Competitive Advantage: Performance Under Attack
      DefensePro (12 million PPS, multi-Gbps capacity): attack traffic does not impact legitimate traffic
      Other network security solutions (multi-Gbps capacity): the device handles attack traffic at the expense of legitimate traffic!
  13. NY Stock Exchange Under Attack – Multi Vector Attack
      Uniquely capable to withstand the sophistication and scale of recent attacks
      (Side note on slide: Low & slow and intrusions…)

      Attack Vector        | Dates (~)                                   | Attack Peak          | Protection Mechanisms
      Fragmented UDP Flood | 10/10/2011 11 PM – 11/10/2011 1 AM          | 95 Mbps, 10K PPS     | BDoS, DoSS
      LOIC UDP             | 10/10/2011 8 PM – 11 PM; 10/10/2011 4 AM    | 50 Mbps, 5K PPS      | BDoS, Signatures, DoSS
      TCP SYN Flood        | 11/10/2011 1:40 PM                          | 13.6 Mbps, 24K PPS   | BDoS, DoSS
      R.U.D.Y              | 10/10/2011 4 PM                             | 2.1 Mbps, 0.7K PPS   | Signature
      LOIC TCP             | 10/10/2011 11 PM – 11/10/2011 3:30 AM       | 500 Kbps, 0.2K PPS   | Signatures
      Mobile LOIC          | 10/10/2011 6 PM – 8:30 PM                   | 86 Kbps, 13 PPS      | Signature
      #RefRef              | 10/10/2011 9:45 PM                          | Few packets          | Signature
  14. Network Attack and Application Attack Coexist
  15. SSL Attacks
      SSL services are extremely vulnerable to DDoS attacks
      • SSL Handshake Flood – Establishing a secure connection requires 15 times more processing on the server than on the client; opening multiple sessions quickly exhausts the server's resources
      • SSL Renegotiation Flood – The client asks for key replacement during an existing session, with a similar effect on the server; it can be blocked on the server side. Popular since the release of THC-SSL-DOS last October
      • HTTPS Flood – Exhausting the web application running on top of the secure session
  16. Leading Israeli bank under attack – December 11, 2011
  17. Israeli Bank: Course of Events
      15:05 – Attack starts: HTTPS Flood
      • 167 attackers open up to 70 SSL sessions per second
      • Established sessions contain HTTP requests for the secure login page GET /InternalSite/CustomUpdate/eBank_Login.asp
      • Constant User-Agent: wget
      • Service became unavailable in seconds
      Attack peak measurements:
      • 200 Mbps
      • 360K concurrent connections
      • 1100 CPS
      15:22 – ERT initiated
      16:10 – Attack blocked, service revived
      • ODS-3 deployed on-site, no SSL protection
      • High rate allows easy identification of attackers
      • Custom signature suspends sources sending more than 5 "SSL Client Hello" per second
  18. AMS Encrypted Attack Mitigation Solution
  19. AMS Encrypted Attacks Mitigation
      [Diagram: traffic anomalies; network-based DoS attacks (clear and SSL); application-based DoS floods (clear and SSL); "directed" application DoS attacks (clear and SSL); DefensePro engines – packet anomalies, behavioral DoS & TCP cookie engines, black & white lists, L7 ASIC regex engines, application "cookie" engine; Alteon's SSL acceleration engine as client-side termination point; SSL certificates not used for legal sessions]
      Once an attack is detected there are 3 main security actions that are done on each client who tries to connect to the protected server(s):
      • Clear Attack Protection – DefensePro "authenticates" the source through a "safe-reset SYN cookie" mechanism, verifying the validity of the source IP and its TCP/IP stack.
      • HTTP Signature – DefensePro receives the decrypted 1st HTTP client request from the "authenticated" SSL clients and applies application layer signatures. This is done in order to remove the "directed HTTP DoS attacks" that can only be mitigated by pre-defined or custom signatures.
      • Web Cookie Challenge – In case the client "passes" the HTTP filter check, DefensePro generates a Web cookie challenge (302 or JS challenge) that is encrypted and returned to the client by the Alteon SSL engine. Client responses are decrypted and sent to the DefensePro, which validates the response. A client that responds correctly is "authenticated" (application level "authentication") and forced to open a new connection directly to the protected server.
  20. AMS Encrypted Attacks Mitigation – Protecting the HTTPS service

      Attack             | Target      | Protection
      Network Floods     | TCP Service | SYN Cookies, BDoS
      SSL Floods         | SSL Service | Signatures, SSL Mitigation*
      Application Floods | Web Service | SSL Mitigation, Signatures

      * SSL Mitigation expands the resources – Alteon can handle up to 45K SSL sessions
      • Banks and other financial institutions are not able to export the certificate (MSSP and such)
      • Unique solution that requires two devices; they will be merged into one box in the future
  21. Sample of AMS Security Customers
      Financial Services; Retail Services; Government, Healthcare & Education; Carrier & Technology Services
  22. Summary
      • Radware AMS protects against all types of DDoS attacks and application attacks
      • Radware AMS first of all enables legal users to work under attack
      • AMS can protect against SSL DDoS without using legal SSL certificates
      • AMS works automatically – within 18 seconds of an attack rising, a dynamic signature starts to work against the attack. No human interference is usually required
      • In case of a very complicated attack, the Radware Emergency Response Team can be involved on line
      • ERT enables counter attack against DDoS sources
  23. Thank You – www.radware.com
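The mitigation that ended the bank incident on slide 17 was a rate-based signature suspending any source that sends more than 5 SSL Client Hello messages per second. The following is an added illustration of that detection logic over constructed connection-log events; it is not Radware code, and the log shape, event names and IP addresses are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample of connection-log events as (timestamp_seconds, source_ip, event).
# The log shape and event names are assumptions for this example, not a DefensePro log format.
ATTACKER = "198.51.100.7"    # constructed: 8 Client Hellos within 0.7 s
SAMPLE_EVENTS = (
    [(1000.0 + 0.1 * i, ATTACKER, "client_hello") for i in range(8)]
    # constructed: legitimate browser that reconnects a few times over 2 s
    + [(1000.0, "203.0.113.20", "client_hello"), (1000.4, "203.0.113.20", "client_hello"),
       (1001.5, "203.0.113.20", "client_hello"), (1002.0, "203.0.113.20", "client_hello")]
    # constructed: bursty but legitimate client sending exactly 5 Client Hellos in one second
    + [(1000.0 + 0.2 * i, "192.0.2.9", "client_hello") for i in range(5)]
    # constructed: non-TLS events the detector must ignore
    + [(1000.3, ATTACKER, "tcp_syn"), (1000.9, "192.0.2.9", "tcp_syn")]
)

CLIENT_HELLO_LIMIT = 5     # slide 17: suspend sources sending more than 5 Client Hello per second
WINDOW_SECONDS = 1.0


def flag_client_hello_floods(events, limit=CLIENT_HELLO_LIMIT, window=WINDOW_SECONDS):
    """Return {source_ip: timestamp} for every source whose Client Hello count
    exceeds `limit` inside any sliding window of `window` seconds.

    The timestamp is the moment the source first crossed the threshold, i.e.
    when a rate-based signature would start suspending it.
    """
    recent = defaultdict(deque)   # per-source Client Hello timestamps still inside the window
    flagged = {}
    for ts, src, event in sorted(events):
        if event != "client_hello":
            continue               # only the TLS handshake opener counts toward the rate
        window_ts = recent[src]
        window_ts.append(ts)
        while window_ts and ts - window_ts[0] >= window:
            window_ts.popleft()    # drop hellos that fell out of the sliding window
        if len(window_ts) > limit and src not in flagged:
            flagged[src] = ts
    return flagged


def suspend_list(events, **kwargs):
    """Sources a rate-based signature would suspend, sorted for stable output."""
    return sorted(flag_client_hello_floods(events, **kwargs))


if __name__ == "__main__":
    for src, ts in flag_client_hello_floods(SAMPLE_EVENTS).items():
        print(f"suspend {src}: exceeded {CLIENT_HELLO_LIMIT} Client Hello/s at t={ts:.1f}")
```

Only the constructed attacker crosses the threshold; the client sending exactly 5 hellos in a second stays below "more than 5" and is left alone, which is the edge a threshold signature has to get right.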