DDoS Mitigation on the Front Line
Presenter:
Sam Pickles, CTO
Aura Information Security
Overview
• Why we’re here
– Who are Aura Information Security
• What we’re seeing in the wild
– DDoS Threats
• DDoS Mitigation Strategies
• DDoS Reference Architecture Extended
Aura RedShield
• Aura Information Security
• F5 Technology Alliance Partners
• NZ’s leading Information Security consulting company.
• Deloitte’s NZ Fast 50 + Fastest growing Tech in Wlg
• Deloitte APAC Tech Fast 500 2010, 2011, 2012
• Electra Business of the Year 2010 / 2011
• Finalists in NZ HiTech Awards 2014
• Customers across NZ Govt and private sector.
– NZDF Panel, All-of-Govt Panel, banking, telco, energy, health, hi-tech
• Services:
– Penetration Testing, InfoSec Training, Security Research, Security Architecture, Code Reviews
• Aura RedEye
• Globally registered PCI ASV (Approved Scanning Vendor)
• Winner of the ANZIAs 2012 for Security and Privacy
Aura RedShield
[Diagram: RedShield Cloud. Labels: HTTP(S), Vulnerability Scanning, Target 100% Shielding, Analyst-Driven Reports, Web Security Expert Team, RedShield]
[Diagram: RedShield On-Premise. Labels: HTTP(S), Vulnerability Scanning, Target 100% Shielding, Analyst-Driven Reports, Web Security Expert Team, RedShield]
DDoS THREATS
DDoS – Reflected / Amplified
Attacker
NTP Amplification
• One small command sends a single UDP request:
– ntpdc -c monlist 117.1x.1xx.1x
• Response is huge, sent to victim.
• Even a small botnet can trigger an avalanche
NTP Amplification Example 1:
• February 10th 2014
• Over 400Gbps
• 4,529 servers
NTP Amplification Hits RedShield
• Large scale NTP attack hit Aura’s network on March 16th 2014
• Target victim is a government sector org
• Source addresses = approximately 2500 NTP servers identified
• TMOS scrubs by default
200 x Amplification
• Each NTP request triggers a large text stream to the victim
• Thousands of requests per second
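One way to identify the reflecting NTP servers from traffic captured at the victim, as described in the slides above. This is an added example, not code from the presentation; it assumes the ntpd mode 7 header layout and monlist request codes 20 and 42, and the addresses and payloads are constructed.

```python
import struct
from collections import Counter

MODE_PRIVATE = 7          # NTP mode 7: the private request family used by ntpdc
MONLIST_CODES = {20, 42}  # REQ_MON_GETLIST and REQ_MON_GETLIST_1 in ntpd


def parse_mode7(payload):
    """Decode the 8-byte mode 7 header, or return None for any other packet."""
    if len(payload) < 8:
        return None
    b0, b1, impl, code, err_nitems, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != MODE_PRIVATE:
        return None
    return {
        "response": bool(b0 & 0x80),      # R bit: set on replies
        "more": bool(b0 & 0x40),          # M bit: further packets follow
        "sequence": b1 & 0x7F,
        "implementation": impl,
        "request_code": code,
        "nitems": err_nitems & 0x0FFF,    # low 12 bits; high 4 bits are the error code
        "item_size": mbz_size & 0x0FFF,
    }


def is_monlist_response(payload):
    """True when the UDP payload is a reply to a monlist query."""
    hdr = parse_mode7(payload)
    return bool(hdr and hdr["response"] and hdr["request_code"] in MONLIST_CODES)


def summarize_reflectors(packets):
    """packets: iterable of (source_ip, udp_payload) received from UDP port 123.

    Returns {source_ip: (monlist_packets, monlist_bytes)} so the reflecting
    servers can be listed, reported to their operators, or filtered upstream.
    """
    pkts, size = Counter(), Counter()
    for src, payload in packets:
        if is_monlist_response(payload):
            pkts[src] += 1
            size[src] += len(payload)
    return {src: (pkts[src], size[src]) for src in pkts}


def constructed_response(nitems, more, seq):
    """Build a synthetic monlist reply (zeroed 72-byte entries) for the sample."""
    b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    return struct.pack("!BBBBHH", b0, seq, 3, 42, nitems, 72) + bytes(nitems * 72)


# Constructed sample: documentation-range addresses, not data from the incident.
SAMPLE_PACKETS = [
    ("192.0.2.10", constructed_response(6, True, 0)),
    ("192.0.2.10", constructed_response(6, False, 1)),
    ("198.51.100.7", constructed_response(3, False, 0)),
    ("203.0.113.5", bytes([0x24]) + bytes(47)),  # ordinary mode 4 time reply
]

if __name__ == "__main__":
    for src, (count, total) in sorted(summarize_reflectors(SAMPLE_PACKETS).items()):
        print(f"{src}: {count} monlist packets, {total} bytes")
```

The ordinary time reply from 203.0.113.5 is not counted, so legitimate NTP traffic does not end up on the reflector list.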
Meanwhile, keep your eyes on the applications…
• Application Layer DDoS increasing in popularity
• Malicious individuals with limited resources can now cause outages
• These attacks work just as well over SSL
Apache Killer Example
GET /downloads/folder/path/large-file.pdf HTTP/1.1
Accept: */*
Range: bytes=1097728-1098239, 1098240-1098751, 1098752-1099263, 1099264-1099775, 1099776-1100287, 1100288-1100799, 1100800-1101311, 1101312-1101823, 1101824-1102335, 1102336-1102847, 1102848-1103359, 1103360-1103871, 1103872-1104383, 1104384-1104895, 1104896-1105407, 1105408-1105919, 1105920-1106431, 1106432-1106943, 1106944-1107455, 1107456-1107967, 1107968-1108479, 1108480-1108991, 1108992-1109503, 1109504-1110015, 1110016-1110527, 1110528-1111039, 1111040-1111551
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
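A check a proxy or application front end could apply to Range headers like the one above before the origin server assembles a multipart response. This is an added example, not code from the presentation; the `MAX_RANGES` threshold, the function names and the 2,000,000-byte file size are assumptions, and the header is rebuilt from the slide's 27 ranges.

```python
import re

_SPEC = re.compile(r"^(\d*)-(\d*)$")
MAX_RANGES = 10  # assumed policy threshold, not a value from the slides


def parse_byte_ranges(value):
    """Parse 'bytes=a-b, c-, -n' into (first, last) pairs; None marks an open end."""
    unit, sep, specs = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        raise ValueError("unsupported range unit")
    out = []
    for spec in specs.split(","):
        m = _SPEC.match(spec.strip())
        if not m or not (m.group(1) or m.group(2)):
            raise ValueError("malformed range spec: %r" % spec)
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            raise ValueError("inverted range: %r" % spec)
        out.append((first, last))
    return out


def resolve(ranges, length):
    """Turn parsed ranges into absolute offsets, dropping unsatisfiable ones."""
    resolved = []
    for first, last in ranges:
        if first is None:                      # suffix form "-N": the last N bytes
            if last == 0:
                continue
            first, last = max(length - last, 0), length - 1
        elif last is None or last >= length:   # open-ended or past end of file
            last = length - 1
        if first < length:
            resolved.append((first, last))
    return resolved


def coalesce(resolved):
    """Merge overlapping or adjacent ranges into the minimal sorted set."""
    merged = []
    for first, last in sorted(resolved):
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def assess_range_header(value, length, max_ranges=MAX_RANGES):
    """Decide how to answer a Range request for a resource of `length` bytes."""
    requested = parse_byte_ranges(value)
    resolved = resolve(requested, length)
    merged = coalesce(resolved)
    requested_bytes = sum(last - first + 1 for first, last in resolved)
    if len(requested) > max_ranges or requested_bytes > length:
        action = "ignore-range"    # answer 200 with the whole entity, once
    elif not merged:
        action = "reject-416"      # nothing satisfiable
    else:
        action = "serve-partial"   # answer 206 using the coalesced ranges
    return {
        "requested": len(requested),
        "requested_bytes": requested_bytes,
        "coalesced": merged,
        "action": action,
    }


# The slide's header, rebuilt: 27 contiguous 512-byte ranges.
SLIDE_RANGE = "bytes=" + ", ".join(
    f"{start}-{start + 511}" for start in range(1097728, 1111041, 512)
)

if __name__ == "__main__":
    print(assess_range_header(SLIDE_RANGE, 2_000_000))
```

The slide's 27 ranges collapse to the single span 1097728-1111551, so the same bytes can be described by one range instead of 27 response parts.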
Constantly Probed
Attacks target vulnerabilities
SSL is Trending
Layer 7 DoS Traffic
DOS MITIGATION STRATEGIES
Issues - Weaponized Defenses
• Many defensive strategies can be turned against the application
• Rate limiting SYNs by destination can cause failed handshakes, even while the pipe is not full
• Blocking DNS or SYN attacks by source IP: spoofed-origin packets cause blocking of an IP of the attacker’s choice
Issues – Traditional Firewalls:
• Traditional Firewalls have limitations:
– Cannot tell spoofed origin traffic from real IP
– Limited to Dropping packets
• Such defenses can be turned against the app
– Max sessions tends to be easily reached
– Struggle with encrypted attacks, layer 7, low and slow, and other behavioral attacks
Why TMOS?
• TCP inline, all the time
– Accelerates and mitigates from the first packet
• High capacity SSL, with iRules (see: sslsqueeze)
• SSL cert management in one place
TMOS in Action - TCP
TCP SSL HTTP ASM
SYN Flood
SSL Attacks
Slow HTTP, Request Floods
Layer 7 Attacks
iRules
Users
TMOS in Action – Other IP
AFM GTM
DNS Flood
NTP, DNS
Amplification
iRules
DNS Query - User
Further Observations:
• Effective DDoS mitigation requires:
– High speed SSL hardware
– TCP full proxy
– Behavioural analysis
– Interaction with the attack
• Challenge suspicious clients to prevent false positives, weaponised defence
• Visibility, planning, automation, testing
F5 DDOS REFERENCE ARCHITECTURE
[Diagrams: Hybrid Cloud – Mode 0 and Hybrid Cloud – Mode 1. Labels: L3-7 DDoS, L7 Policy Mgt, DNS, Vulnerability Mgt, Analyst Reports, SIEM, Attacker]
Test Driven Security
Vulnerability Scanning
Application Penetration Testing
Remediation and Retesting
Continuous Scanning and Analysis
Attack Monitoring and Reporting
Incident Response and Technical Support
Why not check out…
Aura Managed Services overview:
http://aurainfosec.com/managed-services.html - redshield
FAQ, knowledgebase and forums:
https://auraredeye.zendesk.com


DDoS Mitigation on the Front Line with RedShield

  • 1. DDoS Mitigation on the Front Line Presenter: Sam Pickles, CTO Aura Information Security
  • 2. Overview • Why we’re here – Who are Aura Information Security • What we’re seeing in the wild – DDoS Threats • DDoS Mitigation Strategies • DDoS Reference Architecture Extended
  • 3. Aura RedShield • Aura Information Security • F5 Technology Alliance Partners • NZ’s leading Information Security consulting company. • Deloitte’s NZ Fast 50 + Fastest growing Tech in Wlg • Deloitte APAC Tech Fast 500 2010, 2011, 2012 • Electra Business of the Year 2010 / 2011 • Finalists in NZ HiTech Awards 2014 • Customers across NZ Govt and private sector. – NZDF Panel, All-of-Govt Panel, banking, telco, energy, health, hi-tech • Services: – Penetration Testing, InfoSec Training, Security Research, Security Architecture, Code Reviews • Aura RedEye • Globally registered PCI ASV (Approved Scanning Vendor) • Winner of the ANZIAs 2012 for Security and Privacy
  • 5. RedShield Cloud HTTP(S) HTTP(S) HTTP(S) HTTP(S) Vulnerability Scanning Target 100% Shielding Analyst-Driven Reports Web Security Expert Team RedShield
  • 6. HTTP(S) Vulnerability Scanning Target 100% Shielding Analyst-Driven Reports Web Security Expert Team RedShield RedShield On-Premise
  • 8. DDoS – Reflected / Amplified Attacker
  • 9. DDoS – Reflected / Amplified Attacker
  • 10. NTP Amplification • One small command sends a single UDP request: – ntpdc -c monlist 117.1x.1xx.1x • Response is huge, sent to victim. • Even a small botnet can trigger an avalanche
  • 11. NTP Amplification Example 1: • February 10th 2014 • Over 400Gbps • 4,529 servers
  • 12. NTP Amplification Hits RedShield • Large scale NTP attack hit Aura’s network on March 16th 2014 • Target victim is a government sector org • Source addresses = approximately 2500 NTP servers identified • TMOS scrubs by default
  • 13. 200 x Amplification • Each NTP request triggers a large text stream to the victim • Thousands of requests per second
  • 14. Meanwhile, keep your eyes on the applications… • Application Layer DDoS increasing in popularity • Malicious individuals with limited resources can now cause outages • These attacks work just as well over SSL
  • 15. Apache Killer Example GET /downloads/folder/path/large-file.pdf HTTP/1.1 Accept: */* Range: bytes=1097728-1098239, 1098240-1098751, 1098752- 1099263, 1099264-1099775, 1099776-1100287, 1100288-1100799, 1100800-1101311, 1101312-1101823, 1101824-1102335, 1102336- 1102847, 1102848-1103359, 1103360-1103871, 1103872-1104383, 1104384-1104895, 1104896-1105407, 1105408-1105919, 1105920- 1106431, 1106432-1106943, 1106944-1107455, 1107456-1107967, 1107968-1108479, 1108480-1108991, 1108992-1109503, 1109504- 1110015, 1110016-1110527, 1110528-1111039, 1111040-1111551 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
  • 18. SSL is Trending Layer 7 DoS Traffic
  • 20. Issues - Weaponized Defenses • Many defensive strategies can be turned against the application • Rate limiting SYNs by destination can cause failed handshakes, even while the pipe is not full • Blocking DNS or SYN attacks by source IP: spoofed-origin packets cause blocking of an IP of the attacker's choice
  • 21. Issues – Traditional Firewalls: • Traditional Firewalls have limitations: – Cannot tell spoofed origin traffic from real IP – Limited to Dropping packets • Such defenses can be turned against the app – Max sessions tends to be easily reached – Struggle with encrypted attacks, layer 7, low and slow, and other behavioral attacks
  • 22. Why TMOS? • TCP inline, all the time – Accelerates and mitigates from the first packet • High capacity SSL, with iRules (see: sslsqueeze) • SSL cert management in one place
  • 23. TMOS in Action - TCP TCP SSL HTTP ASM SYN Flood SSL Attacks Slow HTTP, Request Floods Layer 7 Attacks iRules Users
  • 24. TMOS in Action – Other IP AFM GTM DNS Flood NTP, DNS Amplification iRules DNS Query - User
  • 25. Further Observations: • Effective DDoS mitigation requires: – High speed SSL hardware – TCP full proxy – Behavioural analysis – Interaction with the attack • Challenge suspicious clients to prevent false positives, weaponised defence • Visibility, planning, automation, testing
  • 27. L3-7 DDoS L7 Policy Mgt DNS Vulnerability Mgt Analyst Reports SIEM Hybrid Cloud – Mode 0
  • 29. L3-7 DDoS L7 Policy Mgt DNS Vulnerability Mgt Analyst Reports SIEM Hybrid Cloud – Mode 0 Attacker Attacker Attacker
  • 31. L3-7 DDoS L7 Policy Mgt DNS Vulnerability Mgt Analyst Reports SIEM Hybrid Cloud – Mode 1 Attacker Attacker Attacker Attacker Attacker Attacker Attacker Attacker Attacker Attacker Attacker Attacker Attacker Attacker Attacker
  • 33. Test Driven Security Vulnerability Scanning Application Penetration Testing Remediation and Retesting Continuous Scanning and Analysis Attack Monitoring and Reporting Incident Response and Technical Support
  • 34. Why not check out… Aura Managed Services overview: http://aurainfosec.com/managed-services.html - redshield FAQ, knowledgebase and forums: https://auraredeye.zendesk.com

Editor's Notes

  1. F5 TMOS platforms present the opportunity to mitigate a wide variety of security threats from network, to application layer, in a consolidated architecture. In this talk, we’ll illustrate this by taking a look at what our F5s are picking up in the wild; and discuss our view of datacenter security for your critical applications.
  2. This attack was launched against CDN provider Cloudflare and is claimed to be the world's biggest DDoS so far (this record won't last!)
  3. All those byte ranges cause the server to produce a full copy of the large-file.pdf response, for each byte range. A PDF of 2MB can thus cause this single response to take up 50MB of memory while the server responds. Multiply by thousands or more, and a single individual can cause a website outage without needing a botnet. This example hit RedShield in March.
  4. An average customer on RedShield currently receives around 100-200 L7 DoS reconnaissance probes per month. Each IP address tends to make 3-15 requests and tests one or two techniques to verify whether the server is a potential target. Interestingly, these attacks almost never escalate against policies in blocking mode, but are more often seen during initial policy tuning phase before blocking is enabled. Monitoring ASM immediately after deployment is critical, as is progression towards blocking mode.
  5. This type of attack doesn’t get picked up by network monitoring systems; bandwidth requirements are small. A few Mbps can completely disable a vulnerable service; much smaller than a smash-up style amplified Botnet. Most administrators would suspect application problems, try rebooting servers, read error logs etc. These attacks can be hard to troubleshoot as this is legitimate HTTP. Attacks like this are also often launched over HTTPS in an effort to avoid detection. A favorite of Anonymous; particularly prevalent against government targets due to popularity with hacktivists.
  6. This proportion of traffic is steadily rising. We see SSL attacks up ~30% from previous year.
  7. These layers all actively mitigate different types of attacks, and cover the full spectrum from network to application, from DDoS to advanced hacking techniques. Each layer is naturally part of the infrastructure stack – not a bottleneck, but an accelerator. Each layer earns its permanent place in the application stack by offloading, accelerating, improving performance and reliability of applications. When attack traffic strikes, the infrastructure responds from the very first packet, whilst continuing its function and processing desirable user traffic. Contrast this approach with a firewall, or other reactive device such as a DDoS mitigator, which needs to insert itself into suspicious sessions when attacks are detected. This requires another point of SSL certificate management, and another place to define your applications, and the device will generally cause performance degradation such as latency and additional TCP overhead.
  8. Mode 0: Normal Operation.
     - Clients query RedShield DNS to find your application and come to your datacenter; accessing applications hosted via on-premise F5 Big IP.
     - Vulnerabilities in the application are found by Aura RedEye or third party scanners.
     - Mitigation is deployed and managed by RedShield On-Premise service, delivering application security policies built on ASM and iRules.
     - Security logs are sent via encrypted links into RedShield Cloud, where they are analysed by Aura’s Analyst team and incorporated into dashboards and reports.
     - Vulnerabilities and Incidents are detected and mitigated.
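
A defender-side check for the multi-range request on slide 15 and in editor's note 3, added here as an example (not code from the presentation, F5 or RedShield): it parses the Range header, merges adjacent ranges and flags requests that carry more ranges than a policy limit. The function names, the 2 MB file size and the `max_ranges=5` limit are assumptions.

```python
import re
_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_range(header):
    """Return [(start, end), ...] or None if malformed; None marks a suffix or open end."""
    unit, sep, specs = header.strip().partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    ranges = []
    for spec in specs.split(","):
        m = _SPEC.match(spec.strip())
        if not m or not (m.group(1) or m.group(2)):
            return None
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        if start is not None and end is not None and end < start:
            return None
        ranges.append((start, end))
    return ranges

def coalesce(ranges, size):
    """Resolve ranges against the file size, then merge overlapping/adjacent ones."""
    resolved = []
    for start, end in ranges:
        if start is None:                      # suffix: the last `end` bytes
            start, end = max(size - end, 0), size - 1
        elif end is None or end >= size:       # open-ended or past EOF
            end = size - 1
        if start <= end:
            resolved.append((start, end))
    merged = []
    for start, end in sorted(resolved):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def assess(header, size, max_ranges=5):
    """Decide how to treat a Range header; max_ranges is an assumed policy limit."""
    ranges = parse_range(header)
    if ranges is None:
        return {"action": "ignore-range", "requested": 0, "merged": []}
    action = "reject" if len(ranges) > max_ranges else "serve"
    return {"action": action, "requested": len(ranges), "merged": coalesce(ranges, size)}

# Constructed input: the 27 contiguous 512-byte ranges from the slide, 2 MB file.
SLIDE_RANGE = "bytes=" + ", ".join(f"{s}-{s + 511}" for s in range(1097728, 1111041, 512))
FILE_SIZE = 2 * 1024 * 1024
```

For the slide's header, `assess(SLIDE_RANGE, FILE_SIZE)` reports 27 requested ranges that merge into one contiguous span, which is the mismatch that separates this request from an ordinary partial download.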