Presentation from one of the notable IT security events in the Baltic States, organized by “Data Security Solutions” (www.dss.lv). The event took place in Riga on 7 November 2013 and was attended by more than 400 participants on site and more than 300 via online live streaming.
1. DoS, DDoS and application attacks – are you ready?
Michael Soukonnik
Radware Ltd
michaels@radware.com
2. 2012 Radware Security Report: DDoS Attack Vectors
Share of attacks by vector (pie chart; values as read from the slide):
• TCP - SYN flood: 35%
• Web: 24%
• DNS: 10%
• SMTP: 9%
• ICMP: 5%
• VoIP: 4%
• IPv6: 3%
• TCP, UDP, Other: 7% and 3% between them (the labels and values were separated during extraction; the exact assignment is not recoverable from the page)
The chart plots the vectors on two axes, Complexity and Volume, with these trends called out:
• Complexity: SSL based attacks are on the rise; specific application resources are targeted; C/R (challenge/response) bypass capabilities
• Volume: increased bandwidth saturation; usage of servers – more firepower; volume attacks on DNS infrastructure
Attacks remained diversified between different attack types. This reflects attackers using multi-vector attacks.
3. Attack Vectors
Attack vectors plotted by attack volume against attack complexity. Cloud mitigation covers the high-volume end of the chart, on-premises mitigation the high-complexity end. Listed from the volume end towards the complexity end:
• Volumetric network flood attacks
• Network scan
• Intrusion
• Port scan
• SYN flood attack
• “Low & Slow” attacks
• Application flood attacks
• Application vulnerability, malware
• SSL based attacks
• Web attacks: XSS, brute force
• Web attacks: SQL injection
4. Old-fashioned systems are vulnerable
Firewall, IPS (even NG) cannot stop DDoS!
Radware Confidential Jan 2012
5. • Attacks become more complex (5–7 vectors)!
• Attacks become longer (days and weeks)!
• More financially motivated attacks, but at the same time more politically motivated attacks on government and private organizations!
You never know whether you are in the sights of a future attack!
6. • It’s cheap (hundreds of dollars)!
• Attacks are becoming very powerful and use server-based botnets!
• New attack tools know how to overcome not only legacy but even the newest protection systems
9. Mapping Security Protection Tools
A matrix of attack types against the protection tools that address them (the check marks of the matrix did not survive extraction).
Protection tools: in-the-cloud DDoS protection, DoS protection, behavioral analysis, SSL protection, IPS, WAF
Attack types:
• UDP garbage flood on ports 80 and 443
• ICMP flood attacks
• SYN/TCP out-of-state (OOS) flood attacks
• Server cracking attacks
• SSL/TLS negotiation attacks
• HTTP flood attack
• HTTPS flood attack
• Web attacks: XSS, SQL injection, brute force
To fight back you need:
• An integrated solution with all security technologies
• To mitigate attacks beyond the perimeter
11. AMS Deployment
Attack Mitigation System (AMS) components deployed in front of the application infrastructure:
• DefensePro: mitigate all types of DDoS attacks
• Alteon: mitigate SSL attacks
• AppWall: mitigate web application exploits
12. Where to Detect?
Detection points from the Internet inward: in the cloud, at the perimeter, at the front-end (Alteon), then the protected organization.
Cloud mitigation services cannot detect attacks! (They only see the traffic once it has been diverted to them.)
AMS provides the widest attack detection coverage:
• Network DDoS
• SYN floods
• HTTP floods
• SSL floods
• Server cracking
• Web attacks
• Application misuse
• Application connection overflow
13. Attack Mitigation System: Layers of Defense
Defense layers from the Internet inward: in the cloud, perimeter, front-end (Alteon), protected organization, all linked by Defense Messaging.
Defense Messaging:
• Traffic baselines & real-time signature information
• Complete system in sync
Benefits:
• Detect where you can
• Mitigate where you should
• Optimize mitigation scalability
14. Attack Mitigation System: Scalable Defense Network
A volumetric DDoS attack saturates the Internet pipe of the protected organization. The ERT (Emergency Response Team) and the customer decide to divert the traffic to the cloud layer, with Defense Messaging linking the cloud, perimeter and front-end (Alteon) layers.
15. Attack Mitigation System: Mitigating the SSL Threat
Layers as before: in the cloud, perimeter, front-end (Alteon), protected organization.
Unique Solution Benefits
• Detects all types of SSL encrypted attacks
• Non-vulnerable mitigation architecture
• Legitimate transactions go through without decryption
• Lowest latency approach
• FIPS compliant & Common Criteria certified solution
• Single vendor, integrated management
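Slides 3 and 12 to 15 describe the detection side of this design: baselines learned at the perimeter, real-time signatures shared over Defense Messaging, SSL floods spotted without decrypting anything, and diversion to the cloud only when the Internet pipe is saturated. The following Python is an added example written for this page, not Radware's code or any AMS component; it runs that logic over constructed flow records. The pipe capacity (100 Mbit/s), the 10-second learning window, the 4-sigma threshold, the 3:1 SYN-to-ACK ratio, the rule that UDP on ports 80/443 is always garbage (true for a 2013 web server, before QUIC), the record format and the sample traffic are all assumptions of the example.

```python
"""Added example, not Radware's code: detect at the perimeter, then decide whether
the mitigation belongs on-premises or in the cloud scrubbing centre."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

PIPE_CAPACITY_BPS = 100_000_000  # assumed 100 Mbit/s Internet pipe
LEARN_SECONDS = 10               # seconds of clean traffic used to learn the baseline
Z_THRESHOLD = 4.0                # std-devs above baseline that count as a flood
COUNTERS = ("SYN", "ACK", "CLIENT_HELLO", "GET", "UDP_WEB", "BYTES")

@dataclass
class Record:
    t: int       # second in which the packet or request was seen
    src: str     # source IP (RFC 5737 documentation ranges only)
    proto: str   # "tcp", "udp", "tls" or "http"
    dport: int
    kind: str    # "SYN", "ACK", "CLIENT_HELLO", "GET" or "DATA"
    nbytes: int

def per_second(records):
    """Aggregate records into the per-second counters the rules look at."""
    secs = defaultdict(lambda: {**dict.fromkeys(COUNTERS, 0), "GET_SRC": defaultdict(int)})
    for r in records:
        s = secs[r.t]
        s["BYTES"] += r.nbytes
        if r.proto == "udp" and r.dport in (80, 443):
            s["UDP_WEB"] += 1   # assumption: a 2013 web server never speaks UDP on 80/443
        elif r.kind in ("SYN", "ACK", "CLIENT_HELLO", "GET"):
            s[r.kind] += 1      # ClientHello is counted without decrypting anything
            if r.kind == "GET":
                s["GET_SRC"][r.src] += 1
    return dict(secs)

def learn_baseline(secs):
    """The 'traffic baseline': mean and std-dev of each counter over the learning window."""
    base = {}
    for k in ("SYN", "CLIENT_HELLO", "GET"):
        vals = [secs[t][k] for t in secs if t < LEARN_SECONDS]
        base[k] = (mean(vals), pstdev(vals))
    return base

def above_baseline(value, stats):
    mu, sigma = stats
    sigma = max(sigma, 0.1 * mu, 1.0)  # floor so a flat baseline still leaves a margin
    return value > mu + Z_THRESHOLD * sigma

def analyse_second(s, base):
    """Return (alerts, signature, where_to_mitigate) for one second of traffic."""
    alerts = []
    # SYN flood: SYN rate far above baseline while handshakes are not completing
    if above_baseline(s["SYN"], base["SYN"]) and s["SYN"] > 3 * max(s["ACK"], 1):
        alerts.append("SYN flood")
    if s["UDP_WEB"]:
        alerts.append("UDP garbage flood on 80/443")
    if above_baseline(s["CLIENT_HELLO"], base["CLIENT_HELLO"]):
        alerts.append("TLS handshake flood")  # the SSL flood, seen without decryption
    if above_baseline(s["GET"], base["GET"]):
        alerts.append("HTTP flood")
    # real-time signature: sources that alone exceed the whole baseline request rate
    signature = {src for src, n in s["GET_SRC"].items()
                 if "HTTP flood" in alerts and n > base["GET"][0]}
    if not alerts:
        where = "none"
    elif s["BYTES"] * 8 > PIPE_CAPACITY_BPS:
        where = "cloud"         # the pipe is saturated: only upstream scrubbing helps
    else:
        where = "on-premises"   # fits in the pipe: mitigate at the perimeter device
    return alerts, signature, where

def constructed_traffic():
    """Constructed sample: clean traffic throughout, plus one attack vector per second from t=10."""
    recs = []
    for t in range(14):  # 5 clients, 4 connections and 4 requests each, every second
        for ip in (f"192.0.2.{i}" for i in range(1, 6)):
            for _ in range(4):
                recs += [Record(t, ip, "tcp", 443, "SYN", 60), Record(t, ip, "tcp", 443, "ACK", 52),
                         Record(t, ip, "tls", 443, "CLIENT_HELLO", 300), Record(t, ip, "http", 443, "GET", 700)]
    for i in range(500):     # t=10: spoofed SYNs that never complete the handshake
        recs.append(Record(10, f"203.0.113.{i % 250}", "tcp", 443, "SYN", 60))
    for i in range(300):     # t=11: three bots hammering the web tier
        recs.append(Record(11, f"198.51.100.{i % 3 + 1}", "http", 443, "GET", 700))
    for i in range(10_000):  # t=12: UDP garbage to port 80, about 112 Mbit/s
        recs.append(Record(12, f"203.0.113.{i % 250}", "udp", 80, "DATA", 1400))
    for i in range(400):     # t=13: full TCP and TLS handshakes, then nothing
        src = f"203.0.113.{i % 250}"
        recs += [Record(13, src, "tcp", 443, "SYN", 60), Record(13, src, "tcp", 443, "ACK", 52),
                 Record(13, src, "tls", 443, "CLIENT_HELLO", 300)]
    return recs

def run_pipeline(records=None):
    """Map each second to (alerts, signature, where_to_mitigate)."""
    secs = per_second(records or constructed_traffic())
    base = learn_baseline(secs)
    return {t: analyse_second(secs[t], base) for t in sorted(secs)}

if __name__ == "__main__":
    for t, (alerts, sig, where) in run_pipeline().items():
        if alerts:
            print(f"t={t}s {alerts} mitigate={where} signature={sorted(sig)}")
```

Run stand-alone, the report shows one vector per second after the learning window: the spoofed SYN flood and the bot HTTP flood fit in the pipe and stay on-premises, the handshake flood is caught purely from the ClientHello rate with no decryption, and the UDP garbage flood is the only second whose byte rate exceeds the assumed pipe and is therefore the one to divert. The source set returned for the HTTP flood second is the kind of real-time signature the perimeter device would push over Defense Messaging to the cloud tier before diversion.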
16. • Every governmental and business body may become an attack target
• Attacks have more and more volume and complexity, covering L4–L7 simultaneously
• Legacy types of security equipment cannot stop complex attacks
• Cloud service and CPE cannot stop attacks when working separately
• Radware provides CPE (DDoS, DoS, application attacks and web), Emergency Response Team 24x365 support and the DefensePipe cloud service. Together they enable attack mitigation from its first seconds at the CPE and volumetric network attack mitigation in the cloud