dss itsec 2013 conference 07.11.2013 -radware - protection against ddos

Protection against DDoS and WEB attacks Michael Soukonnik Radware Ltd [email protected]

Upload: andris-soroka

Post on 08-May-2015


DESCRIPTION

Presentation from one of the remarkable IT Security events in the Baltic States, organized by “Data Security Solutions” (www.dss.lv). The event took place in Riga on 7 November 2013 and was attended by more than 400 participants on site and more than 300 via online live streaming.

TRANSCRIPT

Page 1: DSS ITSEC 2013 Conference 07.11.2013 -Radware - Protection against DDoS

Protection against DDoS and WEB attacks

Michael Soukonnik, Radware Ltd, [email protected]

Page 2

Landscape

Page 3

Ponemon Research 2012: Cyber security threats

[Chart: cyber security threats ranked by risk mitigation priority (10 = highest priority, 1 = lowest priority). Threats shown: phishing and social engineering, web scraping, cross-site scripting, malicious insiders, botnets, malware, viruses, worms and trojans, distributed denial of service (DDoS), server-side injection, denial of service (DoS). Scores on the chart range from 2.8 to 9.0.]

Page 4

Attacks Have Become More Complex

[Chart: ERT Cases – Attack Vectors. Share of cases by attack complexity level (5-6, 7-8, 9-10), 2011 versus 2012; the percentages shown range from 4% to 29%.]

Attacks are more complex: in 2013 DoS/DDoS attacks have become more sophisticated, using more complex attack vectors. Note the number of attacks with a complexity level of 7-10.

Page 5

Botnet Evolution

“To subdue the enemy without fighting is the acme of skill.”

Individual Servers (1998 - 2002): malicious software installed on hosts and servers (mostly located at Russian and east European universities), controlled by a single entity by direct communication. Examples: Trin00, TFN, Trinity

Botnets (1998 - Present): stealthy malicious software installed mostly on personal computers without the owner’s consent; controlled by a single entity through indirect channels (IRC, HTTP). Examples: Agobot, DirtJumper, Zemra

Voluntary Botnets (2010 - Present): many users, at times as part of a hacktivist group, willingly share their personal computers, using predetermined and publicly available attack tools and methods, with an optional remote control channel. Examples: LOIC, HOIC

New Server-based Botnets (2012): powerful, well orchestrated attacks, using a geographically spread server infrastructure. A few attacking servers generate the same impact as hundreds of clients.

Page 6

DDoS from Russia – Just business

Page 7

It is cheap!

Current prices on the Russian underground market:

• Hacking corporate mailbox: $500

• Winlocker ransomware: $10-$20

• Unintelligent exploit bundle: $25

• Intelligent exploit bundle: $10-$3,000

• Basic crypter (for inserting rogue code into a benign file): $10-$30

• SOCKS bot (to get around firewalls): $100

• Hiring a DDoS attack: $30-$70 / day, $1,200 / month

• Botnet: $200 for 2,000 bots

• DDoS Botnet: $700

• ZeuS source code: $200-$250

• Windows rootkit (for installing malicious drivers): $292

• Hacking Facebook or Twitter account: $130

• Hacking Gmail account: $162

• Email spam: $10 per one million emails

• Email scam (using customer database): $50-$500 per one million emails

Page 8

• Lithuania – just weeks before taking over the chairmanship of the EU (1.07.2013) – a DDoS attack on a news website ended up harming Internet access for the entire country. New waves of the attack come every several weeks against governmental and private sites, using 7-8 different attack vectors

• In July a new DDoS protection system from Radware was installed and is protecting the sites, with coverage by the Emergency Response Team

Page 9

• Russia – Anonymous Caucasus attacked all major banks (Central Bank, Sberbank, VTB, Alfa, Gazprombank) a month ago

• The old-fashioned systems/services they used before that (IPS, IDS, DDoS, NG firewalls, Kaspersky etc.) were unable to stop the attacks

Page 10

• US – Op Ababil – all major banks have been attacked in multiple waves by Iranian and Arab fundamentalists since 09/12

• 5-6 vectors per attack, including TCP, UDP, HTTP and HTTPS floods, DNS amplification attacks etc.

• The old-fashioned systems they used before that (IPS, IDS, DDoS, NG firewalls, etc.) were unable to stop the attacks

• Radware DDoS protection was installed in March – just before the 3rd wave of the attack – and stopped the 3rd and 4th waves

Page 11

• Attacks become more complex!

• Attacks become longer!

• More financially motivated attacks, but at the same time more politically motivated attacks on government and private organizations! You never know if you are in the sights of a future attack!

Page 12

Radware Attack Mitigation System (AMS)

Page 13

Old-fashioned systems are vulnerable

Firewall, IPS (even NG) cannot stop DDoS!

Page 14

Mapping Security Protection Tools

[Diagram: attacks placed against the layers they hit (Network, Server, Application, Business) and the protection tools that address them; the outcome without protection is SHUTDOWN.]

Attacks:

• UDP garbage flood on ports 80 and 443

• SSL/TLS negotiation attacks

• Server cracking attacks

• HTTPS flood attack

• ICMP flood attacks

• HTTP flood attack

• SYN/TCP OOS flood attacks

• Web attacks: XSS, SQL injection, brute force

Protection tools:

• DoS protection

• Behavioral analysis

• SSL protection

• IPS

• WAF

• In-the-cloud DDoS protection

To fight back you need:

• An integrated solution with all security technologies

• To mitigate attacks beyond the perimeter

Page 15

Radware Attack Mitigation System (AMS)

Page 16

Radware AMS Architecture

[Diagram: HW/SW specially developed to fight against all levels of attacks!]

• Volumetric DoS Protection

• IPS & Fraud Protection: L3 – 7 Anomaly Detection & Reputation Engine

• Application Firewall: Web Application Protection

• Application attacks

• Behavior protection mechanisms

• Static signatures

Page 17

Radware AMS Portfolio

• AppWall: Appliance & VA, Web Application Firewall (WAF)

• DefensePro: on demand 200Mbps – 40Gbps of legitimate traffic; Anti-DoS, NBA, IPS, Rep. Engine

• APSolute Vision: HW or VA, Security Event Management (SEM)

Page 18

DefensePro Protection Layers

[Diagram: protection layers stacked from Network through Server to Application, grouped as Behavioral Protections, Challenge/Response, Access Control, and Known Vulnerabilities/Tools; the result is an Available Service.]

• Behavioral DoS

• SYN Protection

• Out-Of-State

• BL/WL

• Connection Limit

• DNS Protection

• Anti-Scan

• HTTP Flood Protection

• Server Cracking

• Connection PPS Limit

• Signature Protection
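As an added example (not from the slides and not Radware's code): a small Python triage that shows, on constructed traffic, why the behavioral and out-of-state layers named above catch a SYN flood and an HTTP flood that a signature-only firewall/IPS would pass. The record format, IP addresses, thresholds and layer-name mapping are assumptions made for the illustration.

```python
from collections import Counter

# Constructed sample traffic (assumption, not slide data): (src_ip, proto, flag_or_method).
# Each list stands for one 10-second capture window in front of the protected server.
WINDOW_SECONDS = 10

def session(src, n):
    """n completed TCP handshakes, each followed by one GET, from src (constructed helper)."""
    return [(src, "tcp", "SYN"), (src, "tcp", "ACK"), (src, "http", "GET")] * n

BASELINE = session("10.0.0.1", 15) + session("10.0.0.2", 10)
ATTACK = (BASELINE
          + [("10.0.0.9", "tcp", "SYN")] * 2000                               # SYN flood: never ACKs
          + session("10.0.0.7", 1) + [("10.0.0.7", "http", "GET")] * 299)    # HTTP flood: 300 GETs

def learn_baseline(records, seconds=WINDOW_SECONDS):
    """Behavioral DoS: learn the normal packets-per-second rate from a quiet window."""
    return len(records) / seconds

def rate_anomaly(records, baseline_pps, seconds=WINDOW_SECONDS, factor=5.0):
    """Flag a window whose rate exceeds factor x the learned baseline; no signature involved."""
    return len(records) / seconds > factor * baseline_pps

def out_of_state_sources(records, min_syn=20):
    """SYN Protection / Out-Of-State: sources sending many SYNs but never an ACK."""
    syn, ack = Counter(), Counter()
    for src, proto, flag in records:
        if proto == "tcp" and flag == "SYN":
            syn[src] += 1
        elif proto == "tcp" and flag == "ACK":
            ack[src] += 1
    return {s for s, n in syn.items() if n >= min_syn and ack[s] == 0}

def http_flood_sources(records, per_src_limit=100):
    """HTTP Flood Protection / Connection Limit: sources above a per-source request cap."""
    reqs = Counter(src for src, proto, _ in records if proto == "http")
    return {s for s, n in reqs.items() if n > per_src_limit}

def triage(records, baseline_pps):
    """Map a window's evidence onto the DefensePro layer names used on the slide."""
    findings = {}
    if rate_anomaly(records, baseline_pps):
        findings["Behavioral DoS"] = "packet rate far above learned baseline"
    oos = out_of_state_sources(records)
    if oos:
        findings["SYN Protection / Out-Of-State"] = sorted(oos)
    flood = http_flood_sources(records)
    if flood:
        findings["HTTP Flood Protection / Connection Limit"] = sorted(flood)
    return findings

if __name__ == "__main__":
    pps = learn_baseline(BASELINE)
    print(triage(BASELINE, pps))  # {} : the quiet window yields no findings
    print(triage(ATTACK, pps))    # both flooding sources attributed to their layers
```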

Page 19

US Banks Under Attack: AMS Deployment

[Diagram: DefensePro in front of the application infrastructure, with AppWall and Alteon.]

• Mitigate all types of DDoS attacks

• Mitigate SSL attacks

• Mitigate web application exploits

Page 20

Customer Success - Leading the DDoS Protection Market

Page 21

Top Account Wins in Every Segment

• Carrier/ISP DDoS Mitigation Service

• Critical Infrastructure

• Online Businesses

• Hosting Cloud Scrubbers

• Carrier Backbone

Radware is THE leader in the DDoS protection market.

Page 22

Our Customers Select AMS

• Financial Services

• Retail Services

• Government, Healthcare & Education

• Carrier & Technology Services

Page 23

We Protect Against the Top Attack Campaigns

Page 24

Radware AMS: Application SLA Assurance, Even Under Attack!

Page 25