The document discusses DDoS mitigation strategies presented by Aura Information Security. It outlines common DDoS threats like NTP amplification attacks and application layer attacks. It then discusses the limitations of traditional firewalls and how the TMOS platform can better mitigate attacks through TCP proxying, behavioral analysis and interaction. The presentation concludes with an overview of Aura's DDoS reference architecture using F5 technology and their managed security services.
This document discusses how to launch and defend against DDoS attacks. It explains that DDoS attacks are easy to conduct using tools that allow for spoofing of IP addresses. It also describes how protocols like UDP and DNS amplification attacks can be used to launch large attacks. The document then provides recommendations for how to defend against DDoS attacks, including using a global network with anycast, hiding your origin IP, separating protocols by IP, and working closely with your upstream provider.
Phil Williams, Principal Cloud Solutions Architect, explains how to evaluate your exposure to DDoS attack and how to best shape your defenses to budget requirements.
This document discusses the challenges of encrypted traffic inspection and proposes an SSL security service orchestration solution. Some key points:
- 70% of internet traffic is now encrypted, making traditional network security tools like firewalls and antivirus less effective.
- Directly decrypting and inspecting SSL traffic at multiple points (daisy-chaining) has issues like reduced performance, increased complexity, and single points of failure.
- The proposed SSL security service uses a full proxy architecture to classify, decrypt, and re-encrypt SSL traffic dynamically based on policies. It sends traffic through reusable security services and scales dynamically. This provides a centralized solution to inspect encrypted traffic.
PLNOG15: DDoS Attacks & Collateral Damage. Can we avoid it? (Asraf Ali, Marta Pacyga)
This document discusses DDoS attacks, including the types of attacks, their impact on victims, and best practices for network operators. It covers TCP exhaustion attacks, volumetric attacks, reflective amplification attacks that exploit protocols like DNS and NTP, and application layer attacks. These attacks can directly impact content providers and indirectly impact service providers and cloud providers. The document recommends network operators deploy anti-spoofing, scan for and mitigate abusable services, and utilize carrier DDoS protection services to help prevent collateral damage from attacks.
DDoS Threat Landscape - Ron Winward, CHINOG16 (Radware)
- DDoS attacks continue to grow in complexity and now utilize multi-vector attacks across all layers of the infrastructure. The top failure points for networks are internet pipe saturation and stateful firewalls.
- Common attack types include UDP, ICMP, reflection attacks, TCP weaknesses like SYN floods, low and slow attacks like Slowloris, and encrypted attacks such as HTTPS floods. Anonymous hacking tools enable these attacks.
- Successful mitigation of DDoS attacks requires proactive preparation across the network, including a hybrid solution of on-premise and cloud-based detection and mitigation, emergency response planning, and a single point of contact during attacks.
DNS is one of the fastest growing attack vectors, and current security solutions don’t address DNS threats. Infoblox Advanced DNS Protection is a self-protecting DNS appliance that provides defense against the widest range of attacks – enabling you to automatically defend your business from DNS threats.
PLNOG15 - DNS is the root of all evil in the network. How to become a superhero... (PROIDEA)
DNS is a critical networking protocol that is also easy to exploit, making it a major security risk. Traditional security measures are ineffective against evolving DNS threats. Infoblox provides dedicated DNS security appliances and automated threat intelligence to protect against DNS attacks including DDoS, exploits, and data exfiltration techniques used by advanced threats. The solution detects and blocks malicious DNS queries and tunnels while allowing legitimate traffic.
This document discusses DNSSEC deployment. It provides an introduction to DNSSEC and outlines the preparation, process, strategy, and potential influences of a DNSSEC deployment. Key aspects include setting up a test environment, upgrading systems, training staff, signing zones and managing keys, implementing the deployment in stages, and dealing with increased size of packets and potential for larger DDoS attacks. Regular key rollover is part of the long-term strategy. Resources for further information are also provided.
Zero Day Malware Detection/Prevention Using Open Source Software (MyNOG)
Zero Day Malware Detection/Prevention Using Open Source Software – Proof of Concept
Fathi Kamil Mohad Zainuddin
Senior Analyst (Malware Research Centre, MyCERT)
A college class in Network Security Monitoring at CCSF, based on "The Practice of Network Security Monitoring: Understanding Incident Detection and Response" by Richard Bejtlich, No Starch Press; 1st edition (July 26, 2013), ASIN: B00E5REN34
Course website: https://samsclass.info/50/50_F17.shtml
Session for InfoSecGirls - New age threat management vol 1 (InfoSec Girls)
This document discusses denial of service (DoS) and distributed denial of service (DDoS) attacks. It defines DoS and DDoS, describes common types like volumetric and application layer attacks. It also outlines tools used to carry out DDoS attacks and methods to protect against attacks, including configuring web servers and reverse proxies, using firewalls, and techniques from web application security firms.
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (NGINX, Inc.)
On demand recording: https://www.nginx.com/resources/webinars/modsecurity-and-nginx-tuning-the-owasp-core-rule-set-emea/
In this webinar we discuss how to install the OWASP Core Rule Set (CRS) with NGINX and ModSecurity, as well as how to tune it. The CRS protects against many types of attack, including SQL Injection (SQLi), Local File Inclusion (LFI), and Remote Code Execution (RCE). Watch this webinar to learn:
- How to install the OWASP Core Rule Set (CRS) with ModSecurity
- About the types of attacks the CRS blocks, such as SQLi, RFI, and LFI
- How to tune the CRS to minimize false positives
- What it looks like when ModSecurity blocks an attack (in a live demo), and how to interpret the audit log
Registration URL: https://attendee.gotowebinar.com/register/937771661672757762
Webinar ID: 374-977-347
The document discusses threats to DNS security and solutions to mitigate those threats. It describes how distributed denial of service (DDoS) attacks target name servers and use name servers to amplify attacks. It then discusses solutions such as monitoring DNS traffic levels and top queriers, using anycast to distribute queries to the closest name server, and response rate limiting to reduce amplification effects. It also covers threats like cache poisoning and malware propagation and solutions like DNSSEC and response policy zones.
What is a DDoS attack? A DDoS (Distributed Denial of Service) attack overloads a server with a large number of requests, which results in the service becoming unavailable. It is one of the most powerful cyber attacks. To prevent DDoS attacks, every website owner should invest in DDoS protection.
Lancope and Cisco ASA for Advanced Security (Lancope, Inc.)
By collecting and analyzing data from Cisco ASA with Lancope’s StealthWatch System, organizations can:
• Increase visibility and security context at the network edge
• Consume and stitch together NAT data to more accurately pinpoint the source of issues such as MPAA/RIAA copyright infringements
• Audit firewall rules through flow analysis
• Achieve better performance and scalability for network and security monitoring
• Save vast amounts of time and money spent correlating data points from various sources
• More confidently demonstrate compliance with regulations such as PCI
StealthWatch 6.5 is a significant release of the StealthWatch network monitoring software that features new security and flow analysis capabilities. It introduces an operational network and security intelligence dashboard for faster threat investigation. The release also includes user-defined threat criteria for more collaborative threat defense, an enhanced quick view of flow data, and integration with Palo Alto Networks firewalls for added context. StealthWatch Labs security updates provide detection of suspect and target data hoarding.
- Attacks evenly split across network and application layers
- Web-based attacks remain the single most common attack vector; 1 in every 4 are HTTPS
- An increase in reflective attacks caused UDP attacks to grow from 7% in 2013 to 16% in 2014
- Reflective attacks represent 2014’s single largest DDoS “headache”
The enterprise perimeter is disappearing. Migration to the cloud means a more distributed network infrastructure. The transition of web-based applications to the cloud renders on-premise mitigation tools ineffective against web attacks and requires organizations to protect applications both on-premise and in the cloud.
Introducing Radware's Hybrid Cloud WAF Service - a fully-managed, always-on service that integrates cloud-based with on-premise protection against a broad range of attack vectors.
Visit here http://www.radware.com/social/hybridcloudwaf/ to read "The Dawn of Hybrid Cloud WAF" and to learn how the industry's first hybrid cloud-based WAF service addresses today's most challenging web-based cyber-attacks.
In this presentation, we cover advanced mitigation techniques used by Behemoth 2 – our latest mitigation platform – as well as real-life examples of different DDoS attack vectors and traffic samples. Plus, learn how we utilize a network of 4.7 Tbps to handle complex high throughput attacks and get a heads up on the latest trends we’re seeing in DDoS attacks.
This document summarizes a presentation on e-extortion trends and defense. It discusses the evolution of extortion from early distributed denial of service attacks and ransomware to more sophisticated techniques that combine encryption, data exfiltration, and extortion demands. The presentation outlines strategies for defending against these threats, including backups, system hardening, endpoint security solutions, threat intelligence sharing, and following financial trails.
This is a presentation I made about Denial of Service or Distributed Denial of Service (DoS / DDoS), the latest methods used to crash anything online, and the future of such attacks, which can disrupt the whole internet. Such attacks, which are in the TBs, can be launched from just a single computer. And, there is not much that can be done to prevent them.
This document discusses research projects related to OpenFlow networking. It describes several projects focused on OpenFlow security including FortNOX, CloudPolice, CloudWatcher, and FRESCO. It also discusses the Bismark project for managing home networks using OpenFlow by monitoring network performance and allowing new services.
The document discusses the changing landscape of server and workload security over time, from traditional data centers to virtualization and cloud computing. It notes how these changes have broken the traditional security approaches and tenets. The key points made are that workload security now requires embracing automation and orchestration with visibility across environments, reducing server communication and footprints, and integrating security solutions instead of managing standalone tools. It presents CloudPassage Halo as a security orchestration framework that provides these qualities with one tool that automates layered security for workloads.
DDoS Mitigation Experience from IP ServerOne by CL Lee (MyNOG)
IP ServerOne is a Malaysian data center provider that manages over 4500 physical servers across 5 data centers. They experience 2-5 DDoS attacks per day, mostly ranging from 4.5-8.9 Gbps. To detect attacks, they use netflow to monitor traffic patterns and flag abnormal packet rates to single IPs. When an attack is detected, traffic is rerouted to on-premise filtering devices in less than 90 seconds to scrub attacks while allowing legitimate traffic. IP ServerOne advocates a hybrid mitigation approach using their own infrastructure alongside cloud-based protection.
This document provides an overview of distributed denial of service (DDoS) attacks. It discusses the components and architecture of DDoS attacks and classifies them into four categories: flood attacks, amplification attacks, TCP SYN attacks, and malformed packet attacks. Specific attack types like UDP floods, ICMP floods, Smurf attacks and Fraggle attacks are described. The document also covers DDoS defense problems and classifications such as intrusion prevention, detection, tolerance and response. It concludes that DDoS attacks are difficult to prevent due to readily available tools and the ability to target any internet host, and that the best defense involves vigilant system administration.
This document provides a summary of the skills and experience of Michael Jones, including over 20 years of experience in IT and cyber security with extensive expertise in networking, systems administration, security engineering, penetration testing, and compliance with standards like NIST, FISMA, and DIACAP. He has held senior security roles and led teams for organizations like the FDA, Architect of the Capitol, and IBM.
F5 GOV Round Table - Application Centric Security (Tzoori Tamam)
Hackers attack applications to disrupt availability, responsiveness, and reputation. F5 provides comprehensive application-centric security across layers 3 through 7 to consolidate firewall, application security, and traffic management functions. This protects data centers and application servers from attacks targeting the most common inbound protocols.
Spider & F5 Round Table - Application Centric Security (Tzoori Tamam)
Hackers attack for various reasons like politics, money, fame or boredom. They target applications by disrupting availability, performance, and reputation. F5 provides comprehensive application-centric security across layers 3 to 7 to protect applications. It consolidates firewall, traffic management, and security functions into one platform and provides protections like DDoS mitigation, web application firewall, and IP intelligence to secure applications. F5's high-performance appliances are purpose-built to deliver carrier-grade reliability and scalability.
Using NetFlow to Streamline Security Analysis and Response to Cyber Threats (Emulex Corporation)
This document discusses how using NetFlow data with Lancope's StealthWatch solution can provide network visibility and help streamline security analysis and response to cyber threats. It describes how NetFlow allows collecting vast amounts of network metadata at scale which can then be analyzed using behavioral algorithms to detect anomalies and threats. It also provides an example of how StealthWatch helped investigate and mitigate a DNS amplification distributed denial of service attack. The document concludes by describing how EndaceFlow NetFlow generators and Lancope's StealthWatch solution were deployed by a customer to improve security incident response times.
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS Protection (PROIDEA)
Adam Obszyński – works at Infoblox as a Senior Systems Engineer responsible for CEE. He previously worked at Cisco, at several integrators (NXO, MCX, ATM) and at operators (ATMAN, Polbox, Multinet). He has experience in designing and implementing network and application solutions and has been in the industry for 20 years. He is a certified CCIE #8557 and CISSP engineer. He has given presentations and workshops at many conferences in Poland and abroad (including Cisco Live US & EU, Cisco Forum, Cisco Expo, PLNOG).
Presentation topic: Case Study – Infoblox Advanced DNS Protection
Presentation language: Polish
Abstract:
Have you heard of the attack types listed below? Or perhaps you have experienced them in your own network?
Phantom domain attack
NXDomain attack
DNS reflection/DrDoS attacks
DNS amplification
DNS cache poisoning
Protocol anomalies
DNS tunneling
DNS hijacking
At the previous PLNOG I spoke about the unique DNS protection provided by Infoblox ADP. This time I will talk about what we have done recently in the area of DNS protection and present cases from our customers' network environments.
I will describe what happened in our customers' networks and how we dealt with the problems caused by attacks on DNS.
The Advanced DNS Protection solution from Infoblox provides comprehensive protection against many attacks on DNS services. The system intelligently distinguishes legitimate DNS traffic from malicious traffic generated by attackers, such as DNS DDoS, exploits and protocol weaknesses. It automatically drops attack traffic while responding to legitimate DNS traffic at full performance. In addition, Advanced DNS Protection receives automatic updates to its policies/rules, ensuring continuous protection against new developments in this area. Infoblox is the first and only vendor to offer such an exceptional and unique solution for the highest level of protection of critical DNS services. More details on solutions for service providers: www.infoblox.com/sp
This document discusses how SonicWall's Deep Packet Inspection over SSL (DPI-SSL) technology helps customers defeat encrypted threats. It explains that most websites and proxy/bypass apps are now encrypted, and attacks are being delivered over encrypted channels. SonicWall's DPI-SSL works by intercepting, decrypting, and inspecting encrypted traffic for threats, then re-encrypting safe traffic before sending it to the client. This allows the firewall to see threats that were previously hidden in encrypted traffic. The document also provides details on SonicWall's firewall product lineups and their DPI-SSL throughput performance and scalability.
The Industrial IoT depends on connectivity and information exchange. Much of the business value derives from the ability to have independent systems share information in order to derive knowledge, make "smart decisions", and offer behavior and functionality never before possible.
Many industrial systems were designed with a focus on reliability and safety at a time when implicit trust of all components and communication was the norm. Restricting physical access is currently the only practical method for protecting this existing critical infrastructure. This includes the electrical power grid, process control, transportation, or manufacturing systems. This is changing with increased connectivity to the Internet and personal computers as well as awareness of malicious insider threats. Many industrial systems are being (or want to be) connected to external networks using standard technologies like Ethernet and the Internet Protocol Suite (TCP/UDP/IP). These technologies make systems more functional and efficient, but unfortunately they also open the critical infrastructure to cyber attacks.
New IIoT Systems are being designed with security as a key concern. New systems can leverage a solid set of security technologies and building blocks for Authentication, Cryptography, Integrity, etc. However, these security technologies must be used correctly and in ways that do not disrupt the performance of, or access to, the legitimate applications/devices, yet limit legitimate access to just the needed information (to minimize insider threats) and deny access to all others. Adding to these difficulties, the new systems need to co-exist and (securely) exchange information with the already-deployed legacy systems, which were built without such security elements.
Secure DDS (a recent standard from the OMG) is a "secure connectivity middleware" technology that can be used to address these three needs: (1) Build modern secure IIoT systems, (2) Secure legacy Industrial systems being connected on the Internet, and (3) Securely bridge between new and legacy systems. Secure DDS extends the proven Data-Distribution Service (DDS) and Real-Time Publish-Subscribe Protocol (DDS-RTPS) standards with enterprise-grade authentication, encryption and fine-grained security controls while maintaining the peer-to-peer, robustness and scalability features (including secure multicast) that have made DDS a clear choice for critical infrastructure systems.
This presentation introduces the DDS Security specification and describes several use-cases that exemplify how these standards are deployed in real-world applications.
Check Point's CloudGuard portfolio provides advanced threat prevention solutions for cloud environments. It includes CloudGuard SaaS for securing SaaS applications, CloudGuard IaaS for infrastructure as a service clouds, and CloudGuard for SDN solutions like VMware NSX. CloudGuard uses shared threat intelligence and consolidated security management across networks, endpoints, mobile devices, and hybrid cloud deployments to prevent both known and unknown cyber attacks.
F5 provides both on-premises and cloud-based DDoS protection solutions. Their hybrid approach mitigates attacks at the network, transport, and application layers using hardware-accelerated detection and filtering of over 110 DDoS vector types. Key capabilities include comprehensive L3-L7 protection, multi-terabit cloud scrubbing, and integration of network firewall and web application firewall technologies to strengthen security and ensure application availability even during large DDoS attacks.
DNS Protection safeguards Incapsula clients’ DNS servers, while also accelerating DNS responses.
Infrastructure Protection, enabled by the addition of a GRE tunneling onboarding option, widens Incapsula's security perimeter, allowing it to protect entire subnets, secure all network elements and inspect all TCP/UDP communication.
Presentation from one of the remarkable IT Security events in the Baltic States, organized by "Data Security Solutions" (www.dss.lv). The event took place in Riga on 7th November 2013 and was attended by more than 400 participants at the venue and more than 300 via online live streaming.
MT17_Building Integrated and Secure Networks with limited IT Support - Dell EMC World
Many businesses need a secure and flexible network but are not networking experts. With Dell Networking and SonicWALL, you can enjoy an easy-to-manage high performance network for wired and wireless connectivity, secured by the award-winning SonicWALL Nextgen Firewall.
PLNOG15: DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali - PROIDEA
This document discusses DDoS attacks, including what they are, how they work, their impact, and best practices for prevention. It covers different types of attacks like TCP exhaustion, volumetric, and reflective amplification attacks. Reflective amplification attacks are of particular concern due to their large size, affecting millions of users. The document recommends network operators deploy anti-spoofing measures, identify and remove exposed services, and consider cloud-based DDoS mitigation services to help prevent collateral damage from large attacks.
Incapsula: How to Increase SaaS Websites' Uptime and Accelerate Performance - Imperva Incapsula
All too often, online threats such as DDoS attacks, scrapers, or traffic that consumes too much bandwidth are disrupting or slowing down SaaS websites. It is now more important than ever to keep website traffic flowing quickly without service interruptions.
Tempus Technologies’ president, Jason Sweitzer, talks about the technological challenges his company faced and the solutions his team adopted to increase website acceleration and uptime.
Join us for Incapsula's free 30-minute webinar to learn how you can increase your website's uptime and enhance its performance. We'll be discussing the opportunities SaaS companies can explore through WAF protection, frontend SSL, failover ISPs and DDoS protection using Incapsula solutions.
This document provides an overview of denial of service attacks and service provider solutions from F5 Networks. It discusses how DNS protocols are commonly used in DDoS attacks and how F5 solutions can provide DNS firewalling, DDoS protection, and high performance DNS services. The document also summarizes how the F5 Advanced Firewall Manager (AFM) can mitigate DDoS attacks through detection, filtering, and dynamic blacklisting capabilities. Finally, it addresses challenges of IPv6 and the transition to IPv6 through integrated firewall and CGNAT solutions.
TTL Alfresco Product Security and Best Practices 2017 - Toni de la Fuente
Slide deck used during Tech Talk Live #110 in October 2017. Phil Meadows and I discussed Alfresco product security, and I went through Alfresco CS security best practices.
Plnog 3: Zbigniew Skurczyński - Infrastructure virtualization and optimization - PROIDEA
This document discusses virtualization and optimization of infrastructure using F5 Networks products. It describes how F5 solutions can consolidate infrastructure, optimize application delivery across networks, and provide security, availability and visibility. Examples are given of how F5 virtualizes servers, storage, and data centers to improve performance, flexibility and efficiency.
Hillel Kobrovski - Information security and cyber defense challenges in secure remote-work connections for ... - Hillel Kobrovski
The document discusses the challenges of securing remote work and access. It outlines an agenda for a seminar on the topic, including presentations on existing technologies and models for secure remote connections, as well as a presentation from the company Safe-T on their Zero Trust implementation. It notes some of the realities of remote access compared to fantasies, such as cost, technical complexity, device compatibility issues, and inability to match network topologies. It discusses the need for endpoint security capabilities and a layered "onion model" approach to security in a boundaryless network where access is needed from any device and any location at any time.
This document discusses cyber security challenges for connected cars. It notes connected cars have multiple attack surfaces through the internet, cloud, communication with other cars, and in-car systems. The document advocates for a layered security approach, including boundary security, transport-level security, and fine-grained data-centric security. It describes using Real-Time Innovation's Connext DDS Secure product to implement fine-grained security at the individual data topic level to control access and ensure proper system operation in a secure manner.
The document discusses four keys to securing distributed industrial internet of things (IIoT) systems: 1) using a decentralized architecture rather than a centralized one, 2) implementing access control, 3) not relying solely on TCP and transport layer security, and 4) ensuring interoperability through open architectures and standards. It provides examples of how RTI's Data Distribution Service approach addresses these keys and secures critical infrastructure like power grids.
1. DDoS Mitigation on the Front Line
Presenter:
Sam Pickles, CTO
Aura Information Security
2. Overview
• Why we’re here
– Who are Aura Information Security
• What we’re seeing in the wild
– DDoS Threats
• DDoS Mitigation Strategies
• DDoS Reference Architecture Extended
3. Aura RedShield
• Aura Information Security
• F5 Technology Alliance Partners
• NZ’s leading Information Security consulting company.
• Deloitte’s NZ Fast 50 + Fastest growing Tech in Wlg
• Deloitte APAC Tech Fast 500 2010, 2011, 2012
• Electra Business of the Year 2010 / 2011
• Finalists in NZ HiTech Awards 2014
• Customers across NZ Govt and private sector.
– NZDF Panel, All-of-Govt Panel, banking, telco, energy, health, hi-tech
• Services:
– Penetration Testing, InfoSec Training, Security Research, Security Architecture, Code Reviews
• Aura RedEye
• Globally registered PCI ASV (Approved Scanning Vendor)
• Winner of the ANZIAs 2012 for Security and Privacy
10. NTP Amplification
• One small command sends a single UDP request:
– ntpdc -c monlist 117.1x.1xx.1x
• Response is huge, sent to victim.
• Even a small botnet can trigger an avalanche
12. NTP Amplification Hits RedShield
• Large scale NTP attack hit Aura's network on March 16th 2014
• Target victim is a government sector org
• Source addresses = approximately 2500 NTP servers identified
• TMOS scrubs by default
13. 200 x Amplification
• Each NTP request triggers a large text stream to the victim
• Thousands of requests per second
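As an added example (not Aura's or F5's code), the following Python audit parses NTP mode-7 headers in captured UDP/123 payloads, flags monlist requests and responses, and estimates per-server amplification; the datagrams are constructed samples using documentation address ranges, and the field layout follows the ntpd private-mode request header.

```python
"""Spot NTP 'monlist' reflection in captured port-123 payloads and estimate
the amplification each responding server produces.  Added example with
constructed packets; not code from the presentation, Aura or F5."""
from collections import defaultdict
import struct

MODE_PRIVATE = 7        # NTP mode 7: implementation-specific (ntpdc) traffic
IMPL_XNTPD = 3          # implementation number used by ntpd
REQ_MON_GETLIST = 20    # legacy monlist request code
REQ_MON_GETLIST_1 = 42  # request code sent by 'ntpdc -c monlist'
RESPONSE_BIT = 0x80     # first byte: R bit, M(ore) bit, 3-bit version, 3-bit mode
MORE_BIT = 0x40

def parse_private(payload):
    """Return header fields of an NTP private-mode datagram, else None."""
    if len(payload) < 8:
        return None
    rm_vn_mode, _auth_seq, impl, reqcode, err_nitems, mbz_itemsize = \
        struct.unpack("!BBBBHH", payload[:8])
    if rm_vn_mode & 0x07 != MODE_PRIVATE:
        return None             # ordinary client/server NTP, not of interest
    return {
        "response": bool(rm_vn_mode & RESPONSE_BIT),
        "more": bool(rm_vn_mode & MORE_BIT),
        "version": (rm_vn_mode >> 3) & 0x07,
        "impl": impl,
        "reqcode": reqcode,
        "err": err_nitems >> 12,
        "nitems": err_nitems & 0x0FFF,
        "itemsize": mbz_itemsize & 0x0FFF,
    }

def is_monlist(hdr):
    return hdr is not None and hdr["impl"] == IMPL_XNTPD and \
        hdr["reqcode"] in (REQ_MON_GETLIST, REQ_MON_GETLIST_1)

def monlist_amplification(datagrams):
    """datagrams: iterable of (src_ip, dst_ip, udp_payload).
    Returns {server_ip: (request_bytes, response_bytes, ratio)} for each
    server seen answering monlist.  A server in your own address space
    listed here is a usable reflector and should have monlist disabled."""
    req, resp = defaultdict(int), defaultdict(int)
    for src, dst, payload in datagrams:
        hdr = parse_private(payload)
        if not is_monlist(hdr):
            continue
        if hdr["response"]:
            resp[src] += len(payload)
        else:
            req[dst] += len(payload)
    # A response with no matching request in the capture is the victim's
    # view of reflection: the request came from a spoofed source elsewhere.
    return {s: (req.get(s, 0), b, b / req[s] if req.get(s) else float("inf"))
            for s, b in resp.items()}

# Constructed sample: one 8-byte request, three 440-byte response frames
# (6 entries of 72 bytes each, zero-filled); a full reply has far more frames.
MONLIST_REQUEST = bytes([0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1]) + b"\x00" * 4

def monlist_response_frame(nitems=6, more=True):
    first = RESPONSE_BIT | (MORE_BIT if more else 0) | (2 << 3) | MODE_PRIVATE
    hdr = struct.pack("!BBBBHH", first, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, nitems, 72)
    return hdr + b"\x00" * (72 * nitems)

SAMPLE = [("203.0.113.5", "192.0.2.10", MONLIST_REQUEST)] + \
    [("192.0.2.10", "203.0.113.5", monlist_response_frame()) for _ in range(3)]

def audit_sample():
    return monlist_amplification(SAMPLE)   # {'192.0.2.10': (8, 1320, 165.0)}
```

The ratio scales with how many response frames the server emits, which is why the slide's ~200x is only a lower bound for a server with a well-populated monitor list.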
14. Meanwhile, keep your eyes on the applications…
• Application Layer DDoS increasing in popularity
• Malicious individuals with limited resources can now cause outages
• These attacks work just as well over SSL
20. Issues - Weaponized Defenses
• Many defensive strategies can be turned against the application
• Rate limiting SYNs by destination can cause failed handshakes, even while the pipe is not full
• Blocking DNS or SYN attacks by source IP: spoofed origin packets cause blocking of any IP of the attacker's choice
21. Issues – Traditional Firewalls:
• Traditional Firewalls have limitations:
– Cannot tell spoofed origin traffic from real IP
– Limited to dropping packets
• Such defenses can be turned against the app
– Max sessions tends to be easily reached
– Struggle with encrypted attacks, layer 7, low and slow, and other behavioral attacks
22. Why TMOS?
• TCP inline, all the time
– Accelerates and mitigates from the first packet
• High capacity SSL, with iRules (see: sslsqueeze)
• SSL cert management in one place
33. Test Driven Security
Vulnerability Scanning
Application Penetration Testing
Remediation and Retesting
Continuous Scanning and Analysis
Attack Monitoring and Reporting
Incident Response and Technical Support
34. Why not check out…
Aura Managed Services overview:
http://aurainfosec.com/managed-services.html - redshield
FAQ, knowledgebase and forums:
https://auraredeye.zendesk.com
Editor's Notes
F5 TMOS platforms present the opportunity to mitigate a wide variety of security threats from network, to application layer, in a consolidated architecture. In this talk, we’ll illustrate this by taking a look at what our F5s are picking up in the wild; and discuss our view of datacenter security for your critical applications.
This attack was launched against CDN provider Cloudflare and is claimed to be the world's biggest DDoS so far (this record won't last!)
All those byte ranges cause the server to produce a full copy of the large-file.pdf response, for each byte range. A PDF of 2MB can thus cause this single response to take up 50MB of memory while the server responds.
Multiply by thousands or more, and a single individual can cause a website outage without needing a botnet.
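An added example, not code from the presentation or from F5: a Python check that parses the Range header the way a server would and refuses requests whose ranges would multiply the response, using the slide's 2 MB PDF as a constructed input; the range-count limit is an assumed policy value.

```python
"""Assess an HTTP Range header before the origin builds a multipart
response.  Added example with constructed inputs; MAX_RANGES is an
assumed policy threshold, not an Apache or TMOS default."""
import re

MAX_RANGES = 5                       # assumed: legitimate clients rarely exceed this
RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_byte_ranges(header, file_size):
    """Turn 'bytes=a-b,c-,-n' into absolute (start, end) pairs.
    Raises ValueError on malformed syntax; drops unsatisfiable ranges."""
    m = re.fullmatch(r"\s*bytes\s*=\s*(.+?)\s*", header)
    if not m:
        raise ValueError("not a byte-range header")
    ranges = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        mm = RANGE_SPEC.match(spec)
        if not mm or spec == "-":
            raise ValueError("malformed range spec: %r" % spec)
        first, last = mm.groups()
        if first == "":                                  # suffix form: last n bytes
            start, end = max(file_size - int(last), 0), file_size - 1
        else:
            start = int(first)
            end = file_size - 1 if last == "" else min(int(last), file_size - 1)
        if start < file_size and start <= end:
            ranges.append((start, end))
    return ranges

def assess_range_request(header, file_size):
    """Return (allow, reason, bytes_to_serve).  The slide's case, a 2 MB PDF
    becoming a 50 MB response, shows up as bytes_to_serve far above file_size."""
    try:
        ranges = parse_byte_ranges(header, file_size)
    except ValueError as exc:
        return False, str(exc), 0
    if len(ranges) > MAX_RANGES:
        return False, "%d ranges exceeds limit of %d" % (len(ranges), MAX_RANGES), 0
    total = sum(end - start + 1 for start, end in ranges)
    if total > file_size:
        # Only overlapping ranges can add up to more than the file itself;
        # every overlap is another copy of the same bytes held in memory.
        return False, "ranges total %d bytes of a %d-byte file" % (total, file_size), 0
    return True, "ok", total

# Constructed inputs: a 2 MB document, a normal resume, and 25 whole-file ranges
LARGE_PDF = 2 * 1024 * 1024
NORMAL_RESUME = "bytes=1048576-"                   # download resuming at 1 MB
FULL_COPY_X25 = "bytes=" + ",".join(["0-"] * 25)   # 25 copies of the file, ~50 MB

if __name__ == "__main__":
    for hdr in (NORMAL_RESUME, FULL_COPY_X25):
        print(hdr[:40], assess_range_request(hdr, LARGE_PDF))
```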
This example hit RedShield in March.
An average customer on RedShield currently receives around 100-200 L7 DoS reconnaissance probes per month. Each IP address tends to make 3-15 requests and tests one or two techniques to verify whether the server is a potential target.
Interestingly, these attacks almost never escalate against policies in blocking mode, but are more often seen during initial policy tuning phase before blocking is enabled. Monitoring ASM immediately after deployment is critical, as is progression towards blocking mode.
This type of attack doesn’t get picked up by network monitoring systems; bandwidth requirements are small. A few Mbps can completely disable a vulnerable service; much smaller than a smash-up style amplified Botnet. Most administrators would suspect application problems, try rebooting servers, read error logs etc. These attacks can be hard to troubleshoot as this is legitimate HTTP.
Attacks like this are also often launched over HTTPS in an effort to avoid detection. A favorite of Anonymous; particularly prevalent against government targets due to popularity with hacktivists.
This proportion of traffic is steadily rising. We see SSL attacks up ~30% from previous year.
These layers all actively mitigate different types of attacks, and cover the full spectrum from network to application, from DDoS to advanced hacking techniques. Each layer is naturally part of the infrastructure stack – not a bottleneck, but an accelerator. Each layer earns its permanent place in the application stack by offloading, accelerating, improving performance and reliability of applications. When attack traffic strikes, the infrastructure responds from the very first packet, whilst continuing its function and processing desirable user traffic.
Contrast this approach with a firewall, or other reactive device such as a DDoS mitigator; which needs to insert itself into suspicious sessions when attacks are detected. This requires another point of SSL certificate management, and another place to define your applications, and the device will generally cause performance degradation such as latency and additional TCP overhead.
Mode 0: Normal Operation.
- Clients query RedShield DNS to find your application and come to your datacenter; accessing applications hosted via on-premise F5 Big IP.
- Vulnerabilities in the application are found by Aura RedEye or third party scanners.
- Mitigation is deployed and managed by RedShield On-Premise service, delivering application security policies built on ASM and iRules.
- Security logs are sent via encrypted links into RedShield Cloud, where they are analysed by Aura’s Analyst team and incorporated into dashboards and reports.
- Vulnerabilities and Incidents are detected and mitigated.