Close your security gaps and get 100% of your traffic protected with Cloudflare
•Descargar como PPTX, PDF•
0 recomendaciones•905 vistas
The Gaming & Gambling industry has been the target of increasingly sophisticated cyber attacks in recent years, ranging from automated bots carrying out credential stuffing and intellectual property scraping to Layer 3 DDoS attacks, which can result in reduced network speed and performance, and in some cases loss of business when such incidents occur. View this presentation from Cloudflare security experts Stephane Nouvellon, Principal Solutions Engineer and Philip Björkman, Strategic Vertical Account Executive (EMEA Gaming & Gambling) to learn about: -How you can protect your business and improve the performance and reliability of your infrastructure, globally -Solutions to secure your organization's online traffic (all OSI layers) against bots and cyber attacks whilst improving the performance of your applications.
Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Similar a Close your security gaps and get 100% of your traffic protected with Cloudflare
Similar a Close your security gaps and get 100% of your traffic protected with Cloudflare (20)
Más de Cloudflare
Más de Cloudflare (20)
Último
Último (20)
Close your security gaps and get 100% of your traffic protected with Cloudflare
- 1. Webinar Close your security gaps and get 100% of your traffic protected with Cloudflare
- 2. Speakers Stephane Nouvellon Principal Solutions Engineer @ Cloudflare Philip Bjorkman Strategic Vertical Account Executive: Gaming & Gambling @ Cloudflare
- 3. What we are talking about today Security challenges faced by online gaming & gambling platforms Strategies to secure on-prem networks (layer 3) and applications (layer 7)
- 4. About Cloudflare Cloudflare is a leading security, performance, and reliability company. We protect and accelerate any Internet application online without adding hardware, installing software, or changing a line of code. We have one of the world’s largest networks that powers more than 28 million Internet properties, with approximately 16% of the Fortune 1,000 companies using at least one Cloudflare product. Trusted by:
- 5. PERFORMANCE & RELIABILITY SECURITY Domain Name System (DNS) Firewall AnalyticsWorkers IoT Security Cache Load Balancing SSL/TLS Secure Origin Connection Rate Limiting Bot Management DDoS Protection Intelligent Routing Image Optimization Access CLOUDFLARE FOR INFRASTRUCTURE CLOUDFLARE FOR TEAMS Magic Transit Gateway Workers KV SERVERLESS APPLICATION PLATFORM Stream Integrated, Intelligent Global Cloud Network
- 6. 28M+ Internet properties 200+ Cities and 95 countries 45B Cyber threats blocked each day in Q1’20 +95% Of the Internet-connected population in the world is located within 100 milliseconds of our network Note: Data as of June 28, 2019. Cloudflare’s network operates at massive scale Confidential. Copyright © Cloudflare, Inc.
- 7. Application Layer7 Transport Layer Session Layer5 Datalink Layer2 Physical Layer1 IP, GRE, any packet/protocol ● Magic Transit Presentation Layer6 Network Layer Transport Layer4 Network Layer3 Physical interconnects with our customers, globally HTTP, DNS ● Authoritative DNS ● CDN ● Argo ● Load Balancing ● WAF ● Bot Management ● Video Streaming ● Authentication TCP/UDP ● Spectrum ● Argo ● Load Balancing 7 Cloudflare Security Stack
- 8. Every service we offer runs on every server in every datacenter around the world 8
- 9. #1 Scrapers & other automated source of traffic
- 10. How bad bots affect your business Take-over of user’s account from automatically applying previously stolen account credentials. Scraping and stealing information from a website Adding malicious content to web properties such as forums and registration forms Credential Stuffing Content Scraping Content Spam Fraudulently purchase goods to deprive legitimate customers or resell for a higher price Inventory Hoarding Credit Card Stuffing Attempts to validate stolen credit cards to then make fraudulent purchases Application DDoS Slowing sites, wasting bandwidth and compute resources
- 11. Evolution of Bots ● Simply collect info ● Limited number of static IP addresses ● Repetitive attack pattern ● Easy to detect Basic Bots ● Mimic human behavior or hijack a real customer’s browser and tokens ● Need threat intelligence, behavioral analysis, machine learning, fingerprinting Sophisticated Bots ● Steal sensitive data, commit fraud, and disrupt business ● Botnets, change source IP addresses or to originate from legitimate customers’ devices ● Challenge scripts, sending misleading information to a bot Mature Bots
- 12. Impact due to bot attacks Financial OperationalReputational ●Pipeline and sales impact ●Customer reimbursement ●Customer trust and loyalty ●Brand reputation ●Service disruption ●Firefighting mode with resource reallocation
- 13. Traditional solutions aren’t enough anymore ● Filtering IPs, User-Agent, Cloud provider ASns ● Rate Limiting ● WAF ● Authentication ● DDoS protection
- 14. The Cloudflare Bot Difference Fast Intelligent Integrated ● Cutting-edge detection engines ● Constantly learning from billions of new requests ● SDK-free ● Implement in under one hour ● Onboard customers under attack ● Effectively zero latency ● Retroactive analytics for existing customers ● Built to work with Cloudflare’s security suite ● No scale concerns
- 15. How it works
- 16. Bot protection as a framework
- 17. Built for security needs of the modern business Configuration Flexibility Threat Intelligence At-Scale Automatic Allowlist Optional JS injection Integrated Security and Performance Mobile App Endpoint and API Protection Complete without Complexity Bot Management
- 18. #2 What if HTTP isn’t your only public facing perimeter?
- 19. Extending Cloudflare to networks Layer 3 — IP Layer 4 — TCP DDoS mitigation IP firewall L4 load balancing TLS & protocols CLOUDFLARE DATA CENTER REVERSE PROXY CUSTOMER ORIGIN NETWORK(S) Layer 7 — HTTP WAF Content caching Filtering IP level traffic
- 20. Magic Transit: Our battle-tested network stack, available in front of a customer’s data center for Layer 3 protection Cloudflare Data Center 200 Cities in 100+ countries 51 Tbps DDoS mitigation capacity Biggest attack mitigated ~942 gbps DDoS protection Near-instant TTM Network firewall Granular Allow/Deny rules Customer Data Center LAYER 3 - IP (MAGIC TRANSIT) 20
- 21. Benefits Get rid of network perimeter hardware DDoS protection, network firewall, traffic acceleration, and more delivered as a service Drive down your TCO Pay exactly for only what you use. Get operational agility with VNFs delivered and billed as a service Get security + performance for your networks Cloudflare has a physical presence in over 200 cities across 100+ countries. Magic Transit delivers DDoS protection with integrated performance benefits
- 22. Connect: Using BGP route announcements customer network traffic is ingested by Cloudflare Protect and Process: All traffic inspected for attacks automatically and immediately Accelerate: Clean traffic is routed back to the customer network over Cloudflare. Anycast GRE tunnels deliver traffic to the customer network How it works
- 23. PNI Customers can physically connect using Private Network Interconnect (PNI) at any of Cloudflare’s physical Points of Presence How to connect to Cloudflare Internet Exchanges Customers who want to use existing Internet Exchanges can interconnect with us at any of the 235+ Internet Exchanges that Cloudflare participates in Virtual connections Cloudflare has partnered with five cloud-exchange providers to allow customers to connect using virtual links at any of the partner locations
- 24. Legit Client Attacker BGP announcements (from dedicated scrubbing centers) L3/ 4 attack traffic L3 scrubbing centers L7 attack traffic Additional hop (latency) for other L7 processing of traffic L7 services Ingress to customer data center (over Anycast GRE/ PNI) Customer data center Egress (over the internet) Other implementation s have dedicated ‘scrubbing centers’ where the traffic is inspected for L3 threats before being processed for other L7 services—this adds delay to network traffic Legit traffic
- 25. Legit Client Attacker BGP announcements from every single Cloudflare data center L3/ 4 attack traffic Customer data center Egress (over the internet) All L3/ L4-7 services delivered from every Cloudflare data center (no need for traffic diversion) Smart routing over the Cloudflare network Ingress to customer data center (over Anycast GRE/ PNI) Legit traffic Attacks are detected and mitigated at a Cloudflare data center closest to the source of origin
- 26. Summary - Magic Transit Key Features ● DDoS mitigation capacity > 51+ Tbps ● Mitigate most attacks in < 3 seconds ● Sub-second threat detection ● BGP routing and GRE encapsulation ● 24 x 7 x 365 SOC ● Native integration with L7 services (CDN, WAF, Bot Management, etc.) ● Support for all IP services (TCP, UDP, IPSec, VoIP, custom protocols) ● Analytics dashboard
- 27. Wrap-up
- 28. Q&A
Notas del editor
- Cloudflare is a company which provides security, performance, and reliability to any web-facing property. Traiditionally this meant web-sites, or web-facing applications for example mobile banking, and we did this by operating as a reverse proxy for HTTP traffic. We’ve actually expanded that capability such that we are now ability to proxy any TCP and UDP traffic, will talk about that in a bit, but this allows you now to put your game server behind Cloudflare as well We have more than 20 million such internet properties behind us, and you can see a few recognizable names like Discord and Hypixel there, who are utilizing various Cloudflare features
- Cloudflare delivers a platform of deeply integrated products that serve as a unified control plane for our customers. Our comprehensive Platform includes purpose built products for security, performance, reliability in one unified solution. The platform also makes it easy to build serverless application using edge computing, developing Cloudflare applications while providing meaningful insights and analytics on web activities. Modern architecture with integrated design Single UI to manage security and performance All underlying data in centralized location allows faster insights into performance and security Ensures uptime during DDoS attacks while delivering accelerated performance for the applications
- Cloudflare’s network has the breadth and scale that organizations need to run their Internet applications. Organizations benefit from our unique architecture has all products and services running on every server, in every data center, improving our network for our customers with every new colo. Our network offers scale, the performance that helps organizations deliver superior application experience while keeping their environments secure.
- I always like to start speaking about Cloudflare by representing the portfolio aligned with the OSI Model since it provides a great visual overview or where Cloudflare’s solution is actually operating on your applications and infrastructures: Layer 7 or application. This is where Cloudflare started 10 years ago with Performance and Security at the HTTP level. Bot Management is a relatively recent addition that we’re going to see in more detail later on in the presentation Down to the layer 4. Because HTTP is probably not the only protocol you’re using and you might want to accelerate and protect. Cloudflare provide security, acceleration and load balancing for your TCP/UDP applications The network layer is also an important piece of our stack, where Cloudflare can provide performance and security at the IP level with Magic transit that we’re going to see in more detail in the presentation And finally down to the physical layer where Cloudflare can directly interconnect either physically or virtually with your infrastructure so cloudflare ends up being virtually on top of your rack with no borders left facing the internet without protection.
- And an important point to note is that Cloudflare provides its service in a fully integrated way, which means that every single line of code representing service we offer runs on every server, in every datacenter and this all around the world where Cloudflare has a point of presence.
- The first challenge we observed on the Gaming and Gambling industry is regarding scrapers and in general any kind of unwanted source of automated traffic targeting your applications
- Here is a non comprehensive list of use-cases these bots are having when it comes to operate botnets towards your Origins Credential Stuffing: This is how attackers are validating lists of credential stolen on the internet with the intent of either access these accounts on your services or just validate the accuracy of this listing for future coordinated attacks or selling of the validated information Inventory hoarding: This targets especially ecommerce with the intent of programmatically buying all items and preventing real users from doing so Content scraping: This one is particularly observed in the gambling industry where scrapers are industrially monitoring odds of the competition to place theirs in a better spot Credit card stuffing: This one intents to validate stolen source of credit card information towards your application for fraudulent buying or validating credentials to sell them at a higher price Content Spam: This one target any location of your website accepting information to be posted to either inject malicious payload or simply flood your workflows. This could be forums, account creation or reset a password interfaces Application DDoS: Maybe not the most intuitive one but given these attacks are targeting dynamic portion of websites since they need to somehow interact with it it, it could end up having the application itself being non responsive and leave the real users with a bad experience
- At Cloudflare we observed a quite representative transition in how these bots are operated for the last 5 years. They came from a basic to mature footprint which implies a limited number of IPs being used, limited support for Javascript computation to a more sophisticated form. This last one is very special since is in general very targeted where perpetrators are studying with detail the perimeter of the application to target, how does the real user experience looks like in terms of requests so they can emulate these without leaving obvious footprints. They also implement advanced stacks that are able to mimic real browser behaviours, they can solve challenges and they can leverage a large range of IP, both being originating from Datacenter or even residential ISPs. This is the type of bot we’re going to focus here with Bot Management.
- These are potentially impacting your operations via three potential ways. The first one is financial where you can end up being in a situation that you cannot sell to your customers since all your stock is being taken off from them. Second is reputation and this has to do with the experience provided to your customers, this can either be coming from the fact your application is slow or unavailable because the automated traffic is disrupting it. And finally operational because it costs already a lot to operate your service and even more with at the same time coping with the level of traffic these automated source of traffic are targeting your website.
- Traditional Cloudflare’s offering was great at mitigating basic and mature bots but with the sophistication of these sources of automated traffic, they were not enough anymore.
- Now, Cloudflare Bot Management difference in three key propositions It is fast, because directly embedded in Cloudflare’s Security and Performance stack and provide a quick onboarding experience. No latency is added when adding Bot Management into the mix It is intelligent, and this is the advantage of having such a breath of traffic with about 20M request/second in average received on the platform. This allows Cloudflare to learn even quicker and react to Bot transition and new trends It is fully integrated, Bot Management is a product that can interact with other security products with no compromise on performance
- In terms of operations, Bot Management is an addition to what Cloudflare does already on your traffic for performance and security Purposes. Bot Management analyses the traffic and establish a score coming from a various list of specific features like Machine learning, Behavioral analysis, Heuristics, JS fingerprinting and finally curating a list of verified bots to make sure none of your wanted automated traffic is being blocked. All this platform integrates with the rest of Cloudflare’s stacks and provide you another signal to take accurate action on your traffic, with no latency added. On top of that, when it comes to operating the solution, Cloudflare offers rich analytics and raw logs so your teams can monitor your applications at all time.
- Bot Management as explained is provided as a platform that could be used in coordination with the other product which in turns allows customers to implement the solution via many ways. The score could be used in the Firewall Engine provided by Cloudflare, be pushed to your backend for analysis or even be leveraged inside our Serverless computing platform for advanced mitigation. This last scenario is quite popular since it allows for instance to mitigate bot by confusing them. Instead of blocking or challenging the traffic which would give indication to the bot that he was detected, why not sending a confusing payload with randomized information? This is what the integration with workers allows.
- Finally, Cloudflare Bot Management in a nutshell, this is: Complete without Complexity: Protects against a full range of bot attacks with instant deployment Threat Intelligence At-Scale: Leverages diverse data from more than 27 million Internet properties. Applies machine learning, behavioral analysis, and fingerprinting to accurately identify bots. Integrated Security and Performance: Bot Management Integrates seamlessly with Cloudflare's DDoS, WAF, and CDN, enhancing - security, user experience and performance. Automatic allowlist: Allows good bots, such as those belonging to search engines, to keep reaching site while preventing malicious traffic. API and Mobile App Protection: Protects APIs that are generated in an automated fashion, accessed via web browsers. The solution also protects mobile applications from impersonation and emulation attacks. Configuration Flexibility: Granular rules, user-defined mitigations and integration with Cloudflare’s Workers platform allows for unique actions beyond the industry standard.
- The second challenge is around the scope of the properties being protected, sometimes HTTP or even TCP/UDP aren’t the only types of application or resources you’ve got public facing and by extension you need to protect. We’re going to see how to close these gaps with Magic Transit.
- When we started 10 years ago, we were providing Layer 7 Security and Performance but it didn’t mean that Cloudflare wasn’t operating DDoS mitigation for lower level of the OSI stack. With Magic transit, we’re making available to customer the product we’ve built all these years to protect our infrastructure so we can protect yours, too. IP Level protection is directly operated by Cloudflare and sent back to customer Origin infrastructure when mitigated.
- Magic transit isn’t different from the other products in the stack, this is totally integrated. It means Magic transit is operated in any server of any datacenter and this all around the world with providing a total of 51 tbps of mitigation capacity. As of now and just to give you a perspective of the scale we provide with the platform, the biggest attack our network has mitigated was generating 942 gbps of traffic. From a packets perspective, the biggest attack we mitigated was generating 754 Million packet per second.
- Now on to the benefits of Magic Transit: One — it helps business make their transformation to the cloud and get rid of some portion of their on-premise boxes, Magic transit operates on all your traffic for DDoS purposes Two — it provides security without compromise on performance. And using a network like Cloudflare’s helps with that + the fact that the solution is fully integrated with the others features and products the scanning of traffic is done only once and for all before reaching your infrastructure Third — costs. More and more companies we talk to are looking for ways to reduce their Capex. Magic Transit helps you dramatically reduce your Capex and delivers operational agility with virtual network functions delivered and billed as a service.
- OK, so how does it work? We use BGP to announce routes to the customer’s network. Note that this is fundamentally a different product than anything Cloudflare has ever offered. This is not a simple DNS redirect. It’s a more involved process where we tell the Internet that we are the customer’s network and ingest all traffic destined to their networks using BGP. We can announce any customer network that is larger than a /24 prefix. Once ingested by a Cloudflare data center closest to the source, the traffic is inspected for any threats. Of course, any L7 traffic that would benefit from content caching or WAF inspection is “upgraded” to our L7 pipeline without incurring additional network hops. All clean network traffic is then encapsulated using GRE and tunneled over from the Cloudflare data center to the customer network. GRE tunnels are initiated from Cloudflare’s anycast endpoints to the customer’s network. Anycast GRE tunnels ensure they are highly available and resilient to network failures that would bring traditional GRE tunnels down. Finally, any egress traffic from the customer’s network is sent directly to the requestor/ client using Direct Server Return.
- Now, the next important question is the following: How do I connect with Cloudflare? Multiple solutions, the default being establishing a GRE tunnel over the internet but some other scenarios are also supported such as: PNI: Setting up a cable between your infrastructure and Cloudflare where a location is compatible Internet exchanges: Setting up a BGP peering directly within an IX Virtual Connections: Setting up a connection via cloud-exchange providers we support (Zayo, Equinix, Megaport, ConsoleConnect, PacketFabric)
- Important point to mention is the life of the packets and requests, when it comes to implement such a scrubbing mechanisms. This schema shows you how in general this kind of security solution is being implemented. You can see here in the schema that two locations are being used to clean the traffic at layer 3 and then at Layer 4 and 7. Where this isn’t specifically a problem for bad traffic since we do not really care about the performance of this mitigation anyway, it can induce latency for legitimate traffic when crossing multiple hops potentially sitting in different regions. The blue line shows here that for legitimate traffic, 2 hops are going to be needed before reaching to the backend infrastructure.
- With Cloudflare, the traffic goes through only on location and is inspected only once from Layer 3 up to layer 7 before being sent to your infrastructure if legitimate. Cloudflare also implement a smart routing of the traffic to leverage even more the backbone so the traffic goes back to the infrastructure in the most efficient way.
- Now a summary of the solution and what it provides
- What requirement do you ask customers when using Magic Transit? (/24 subnet minimum and being able to sign a letter of authorization. Optional including ASN 13335 in the RPKI implementation) Does Magic transit require customers to have a private interconnection with Cloudflare? (No, a GRE tunnel over the internet could be established too) Is any modification needed at the client or application-side to use Bot Management? (No, Bot Management works directly on proxied request and challenge mitigation is inserted by Cloudflare directly without any change required) How Bot Management is different from manually creating Firewall rules to mitigate traffic? (Bot Management provides the intelligence of the network and does it automatically for you with no operation overhead) How is it possible that Cloudflare can support the execution of the security at different layer of the OSI model?