dss itsec conference 2012 - radware - protection from ssl ddos attacks

Modern DDoS and DDoS SSL Attacks Michael Soukonnik Radware FSU November 2012

Upload: andris-soroka

Post on 19-Jan-2015


Modern DDoS and DDoS SSL Attacks

Michael Soukonnik, Radware FSU, November 2012

DDoS – a regular service?

Slide 2

Legends vs. Reality

Size does not matter!

• Reality:

– Most organizations may never experience an intense attack

– Less intensive application attacks can cause more damage than network attacks

76 percent of the attacks surveyed were under 1 Gbps

Slide 4

Are we really protected from DDoS?

[Pie chart of attack outcomes; only the two labelled slices survived extraction:]

Internet link is saturated (27% of the attacks)

Stateful devices are vulnerable to DDoS (36% of the attacks)

Slide 5

1 fail is enough!

Slide 6

Attack types shown:

Large-volume network flood attacks

Web attacks: XSS, Brute force

SYN flood attack

Application vulnerability, malware

Web attacks: SQL Injection

Port scan

“Low & Slow” DoS attacks (e.g., Sockstress)

Network scan

Intrusion

High and slow Application DoS attacks

Radware security incidents report 2011:

• More than 70% of Radware reported cases in 2011 involved at least 3 attack vectors

• Attackers use multi-vulnerability attack campaigns, making mitigation nearly impossible

Network Attack and Application Attack Coexist

Slide 7

Mapping Security Protection Tools

Slide 8

[Matrix mapping each attack type (rows) to the protection tool that covers it (columns: DoS Protection, Behavioral Analysis, IP Rep., IPS, WAF). The cell markings did not survive extraction; the rows are:]

Large volume network flood attacks

Web attacks: XSS, Brute force

SYN flood attack

Application vulnerability, malware

Web attacks: SQL Injection

Port scan

“Low & Slow” DoS attacks (e.g. Sockstress)

Network scan

Intrusion

High and slow Application DoS attacks

Radware answers - Attack Mitigation System (AMS)

DefensePro

Dynamic signature in 18 sec !!!

Components: IPS, DoS Protection, NBA, Anti Trojan, Anti Phishing

Network & data center security: mapping the technologies

[Diagram of technology families and the engines within each; the layout did not survive extraction. Families: IPS, DoS Protection, NBA, Reputation Engine. Engines shown: Signature Detection, Rate-based, Behavioral Analysis, Stateful Inspection, SYN Cookies, User Behavioral Analysis, Application Behavioral Analysis, Anti Trojan / Anti Phishing.]

AMS Protection Set

Slide 11

NBA

• Prevent application resource misuse

• Prevent zero-minute malware

DoS Protection

• Prevent all types of network DDoS attacks

IPS

• Prevent application vulnerability exploits

Reputation Engine

• Financial fraud protection

• Anti Trojan & Phishing

WAF

• Mitigating Web application threats and zero-day attacks

The Competitive Advantage: Performance Under Attack

[Figure comparing two devices under a mixed load of legitimate traffic and attack traffic (Multi-Gbps capacity, 12 Million PPS of attack traffic):]

Other Network Security Solutions: device handles attack traffic at the expense of legitimate traffic!

DefensePro: attack traffic does not impact legitimate traffic

Slide 12

Slide 13

NY Stock Exchange Under Attack – Multi Vector Attack

Uniquely capable to withstand the sophistication and scale of recent attacks

Attack Vector | Dates (~) | Attack Peak | Protection Mechanisms
Fragmented UDP Flood | 10/10/2011 11 PM - 11/10/2011 1 AM | 95 Mbps, 10K PPS | BDoS
DoSS LOIC UDP | 10/10/2011 4 AM; 10/10/2011 8 PM - 11 PM | 50 Mbps, 5K PPS | BDoS, Signatures
DoSS TCP SYN Flood | 11/10/2011 1:40 PM | 13.6 Mbps, 24K PPS | BDoS
DoSS R.U.D.Y | 10/10/2011 4 PM | 2.1 Mbps, 0.7K PPS | Signature
LOIC TCP | 10/10/2011 11 PM - 11/10/2011 3:30 AM | 500 Kbps, 0.2K PPS | Signatures
Mobile LOIC | 10/10/2011 6 PM - 8:30 PM | 86 Kbps, 13 PPS | Signature
#RefRef | 10/10/2011 9:45 PM | Few packets | Signature

Low & slow

And Intrusions…

Network Attack and Application Attack Coexist

Slide 14

SSL services are extremely vulnerable to DDoS attacks

• SSL Handshake Flood

Establishing a secure connection requires 15 times more processing on the server than on the client, so opening many sessions quickly exhausts the server’s resources.

• SSL Renegotiation Flood

The client asks for a key renegotiation during an existing session, with a similar effect on the server; this can be blocked on the server side. Popular since the release of THC-SSL-DOS last October.

• HTTPS Flood

Exhausts the web application running on top of the secure session.

SSL Attacks

Slide 15

Leading Israeli bank under attack December 11, 2011

Israeli Bank: Course of Events

15:05 - Attack starts

HTTPS Flood

• 167 attackers open up to 70 SSL sessions per second

• Established sessions contain HTTP requests for the secure login page GET /InternalSite/CustomUpdate/eBank_Login.asp

• Constant User-Agent: wget

• Service became unavailable in seconds

15:22 - ERT initiated

16:10 - Attack blocked, service revived

• ODS-3 deployed on-site, no SSL protection

• High rate allows easy identification of attackers

• Custom signature suspends sources sending more than 5 “SSL Client Hello” per second
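The custom signature above (more than 5 “SSL Client Hello” per second from one source) and the handshake-flood description on the SSL attacks slide both come down to one detection: a sliding-window count of TLS ClientHellos per source IP, plus a look at how concentrated the User-Agent of the decrypted requests is. The Python below is an added example written for this page; it is not Radware’s code or the ODS-3 signature. The event log format, the documentation IP addresses, and the browser User-Agent string are constructed; the login page path is the one on the slide.

```python
from collections import defaultdict, deque

# Constructed event log, modelled on what an SSL-terminating device in front of the
# login page could record: one "client_hello" per TLS handshake attempt and one
# "http_request" per decrypted request. IPs are RFC 5737 documentation addresses.
LOGIN_PAGE = "/InternalSite/CustomUpdate/eBank_Login.asp"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/8.0"  # constructed


def _build_sample_events():
    events = []
    # Flooder: 8 handshakes in 0.7 s, each followed by a wget request for the login page.
    for i in range(8):
        t = 100.0 + i * 0.1
        events.append({"t": t, "src": "203.0.113.7", "type": "client_hello"})
        events.append({"t": t + 0.05, "src": "203.0.113.7", "type": "http_request",
                       "path": LOGIN_PAGE, "ua": "wget"})
    # Borderline source: exactly 5 handshakes inside one second (does not exceed 5/s).
    for i in range(5):
        events.append({"t": 200.0 + i * 0.2, "src": "192.0.2.9", "type": "client_hello"})
    # Ordinary user: three handshakes spread over ten seconds, browser requests.
    for i, t in enumerate((300.0, 305.0, 310.0)):
        events.append({"t": t, "src": "198.51.100.5", "type": "client_hello"})
        if i < 2:
            events.append({"t": t + 0.3, "src": "198.51.100.5", "type": "http_request",
                           "path": LOGIN_PAGE, "ua": BROWSER_UA})
    return events


SAMPLE_EVENTS = _build_sample_events()


def sources_exceeding_hello_rate(events, threshold=5, window=1.0):
    """Return {source_ip: time_first_exceeded} for every source that sends more than
    `threshold` TLS ClientHellos inside any sliding window of `window` seconds.
    With the defaults this is the check behind the slide's custom signature."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] != "client_hello":
            continue
        q = recent[ev["src"]]
        q.append(ev["t"])
        while q and ev["t"] - q[0] >= window:   # drop hellos that fell out of the window
            q.popleft()
        if len(q) > threshold and ev["src"] not in flagged:
            flagged[ev["src"]] = ev["t"]
    return flagged


def user_agent_shares(events):
    """Return {user_agent: share_of_all_requests}. One UA dominating the login-page
    traffic (the slide's constant 'wget') is a second indicator worth alerting on."""
    counts = defaultdict(int)
    total = 0
    for ev in events:
        if ev["type"] == "http_request":
            counts[ev["ua"]] += 1
            total += 1
    return {ua: n / total for ua, n in counts.items()} if total else {}


if __name__ == "__main__":
    for src, t in sources_exceeding_hello_rate(SAMPLE_EVENTS).items():
        print(f"suspend {src}: exceeded 5 ClientHello/s at t={t:.1f}")
    for ua, share in sorted(user_agent_shares(SAMPLE_EVENTS).items(), key=lambda x: -x[1]):
        print(f"{share:5.0%} of login requests carry User-Agent {ua!r}")
```

The window test uses “more than 5”, so a source sending exactly 5 ClientHellos in a second is not suspended; whether that margin is right for a given site depends on how many parallel connections its real clients open, which is why the slide notes the high attack rate made identification easy.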

Slide 17

Attack Peak Measurements

• 200 Mbps

• 360K Concurrent Connections

• 1100 CPS

AMS Encrypted Attack Mitigation Solution

SSL certificates, not used for legal sessions

AMS Encrypted Attacks Mitigation

Slide 19

[Diagram of the AMS protection layers; labels recovered from the slide, in the order they appear:]

Attack categories: Traffic Anomalies; Floods / Network-Based DoS Attacks; Application-Based DoS Attacks (Clear and SSL); “Directed” Application DoS Attacks (Clear and SSL)

Protection engines: Packet anomalies, Black & white lists; Behavioral DoS & TCP cookie engines; L7 ASIC Regex engine; Application “cookie” engines

Traffic paths: Clear / Encrypted

Client-side termination point: Alteon’s SSL Acceleration Engine

Clear / Encrypted “Authenticated” clients

Once an attack is detected, there are 3 main security actions taken on each client that tries to connect to the protected server(s):

SYN Attack Protection – DefensePro “authenticates” the source through a “safe-reset cookie” mechanism, verifying the validity of the source IP and its TCP/IP stack.

HTTP Signature – DefensePro receives the decrypted first HTTP client request from the SSL engine and applies application-layer signatures. This removes the “Directed HTTP DoS attacks” that can only be mitigated by pre-defined or custom signatures.

Web Cookie Challenge – If the client “passes” the HTTP filter check, DefensePro generates a Web cookie challenge (302 or JS challenge) that is encrypted and returned to the client by the Alteon SSL engine. Client responses are decrypted and sent to DefensePro, which validates the response. A client that responds correctly is “authenticated” (application-level “authentication”) and forced to open a new connection directly to the protected server.
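The third action, the 302 form of the Web cookie challenge, is easy to misunderstand as a simple redirect; the point is that the cookie is a token the gateway can verify without keeping state, so only a client that follows the redirect and echoes it back is passed to the origin. The Python below is an added example for this page, not Radware’s implementation: it models the decision the gateway makes per decrypted request (the SYN-level safe-reset cookie and the JS-challenge variant are not shown). The cookie name, the HMAC-over-IP-and-expiry construction, the demo key and the 60-second lifetime are all assumptions of this example; the login page path is the one from the Israeli bank slide.

```python
import hashlib
import hmac

# Constructed demo key: a real gateway would generate this at start-up and rotate it.
CHALLENGE_KEY = b"constructed-demo-key-do-not-reuse"
COOKIE_NAME = "ams_challenge"          # assumed cookie name, not Radware's
COOKIE_TTL = 60                        # assumed lifetime of a solved challenge, seconds
LOGIN_PAGE = "/InternalSite/CustomUpdate/eBank_Login.asp"


def _mac(client_ip, expires):
    """HMAC binding the challenge to the client IP and an expiry time, so the token
    cannot be forged, shared between sources, or replayed indefinitely."""
    msg = f"{client_ip}|{expires}".encode()
    return hmac.new(CHALLENGE_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(client_ip, requested_url, now):
    """Build the 302 challenge: send the client back to the page it asked for and set
    a signed cookie. A browser follows the redirect and echoes the cookie; a tool that
    only replays its first request never gets past this point. The gateway stores nothing."""
    expires = int(now) + COOKIE_TTL
    token = f"{expires}.{_mac(client_ip, expires)}"
    return {
        "status": "302 Found",
        "Location": requested_url,
        "Set-Cookie": f"{COOKIE_NAME}={token}; Path=/; Secure; HttpOnly",
    }


def validate_cookie(client_ip, cookie_header, now):
    """True only if the echoed cookie carries a valid, unexpired MAC for this client IP."""
    cookies = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    token = cookies.get(COOKIE_NAME, "")
    expires_str, _, mac = token.partition(".")
    if not expires_str.isdigit() or not mac:
        return False
    expires = int(expires_str)
    if now > expires:
        return False
    return hmac.compare_digest(mac, _mac(client_ip, expires))


def gateway_decision(client_ip, cookie_header, now, url=LOGIN_PAGE):
    """Per-request decision while an attack is in progress: 'PASS' hands an
    authenticated client to the protected server, otherwise the client gets the
    challenge response instead of the page."""
    if validate_cookie(client_ip, cookie_header, now):
        return "PASS", None
    return "CHALLENGE", issue_challenge(client_ip, url, now)


def simulate_browser(client_ip, now):
    """A browser completing the exchange: the first request is challenged, the redirect
    is followed with the cookie attached, and the second request passes."""
    first, response = gateway_decision(client_ip, "", now)
    echoed = response["Set-Cookie"].split(";", 1)[0]      # browser sends name=value back
    second, _ = gateway_decision(client_ip, echoed, now + 1)
    return first, second


if __name__ == "__main__":
    print("browser:", simulate_browser("198.51.100.5", 1000))
    print("replaying tool that never echoes the cookie:",
          gateway_decision("203.0.113.7", "", 1000)[0])
```

Binding the MAC to the source IP is a design choice that matches the slide’s per-client “authentication”; it also means a client behind a changing NAT address is re-challenged, which is the usual trade-off for this kind of check.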

AMS Encrypted Attacks Mitigation

AMS - Protecting the HTTPS service

* SSL Mitigation expands the resources: Alteon can handle up to 45K SSL sessions

• Banks and other financial institutions are not able to export certificates (MSSP and such)

• Unique solution that requires two devices; they will be merged into 1 box in the future

Slide 20

Protection | Target | Attack
SYN Cookies, BDoS | TCP Service | Network Floods
Signatures, SSL Mitigation* | SSL Service | SSL Floods
SSL Mitigation, Signatures | Web Service | Application Floods

Sample of AMS Security Customers: Financial Services; Retail Services; Government, Healthcare & Education; Carrier & Technology Services

Slide 22

Summary

Slide 23

• Radware AMS protects against all types of DDoS attacks and application attacks

• Radware AMS first of all enables legitimate users to work under attack

• AMS can protect against SSL DDoS without using legal SSL certificates

• AMS works automatically: within 18 seconds of an attack starting, a dynamic signature begins to work against the attack. No human intervention is usually required

• In case of a very complicated attack, the Radware Emergency Response Team can be involved online

• ERT enables counter attack against DDoS sources

Thank You www.radware.com