dss itsec conference 2012 - radware - protection from ssl ddos attacks
Size does not matter!
• Reality:
– Most organizations may never experience an intense attack
– Less intensive application attacks can cause more damage than network attacks
76 percent of the attacks surveyed were under 1 Gbps
Slide 4
Are we really protected from DDoS?
[Pie chart of attack shares: 30%, 27%, 24%, 8%, 5%, 4%]
Callouts:
– Internet link is saturated (27% of the attacks)
– Stateful devices are vulnerable to DDoS (36% of the attacks)
Slide 5
1 fail is enough!
Slide 6
Large-volume network flood attacks
Web attacks: XSS, Brute force
SYN flood attack
Application vulnerability, malware
Web attacks: SQL Injection
Port scan
“Low & Slow” DoS attacks (e.g., Sockstress)
Network scan
Intrusion
High and slow Application DoS attacks
Radware security incidents report 2011:
• More than 70% of Radware reported cases in 2011 involved at least 3 attack vectors
• Attackers use multi-vulnerability attack campaigns, making mitigation nearly impossible
Mapping Security Protection Tools
Slide 8
Protection tools (columns): DoS Protection, Behavioral Analysis, IP Reputation, IPS, WAF
Attack types (rows):
– Large volume network flood attacks
– Web attacks: XSS, brute force
– SYN flood attack
– Application vulnerability, malware
– Web attacks: SQL injection
– Port scan
– “Low & Slow” DoS attacks (e.g. Sockstress)
– Network scan
– Intrusion
– High and slow application DoS attacks
DefensePro: IPS, DoS Protection, NBA, Anti Trojan, Anti Phishing
Dynamic signature in 18 sec!
Network & data center security: mapping the technologies
Technology columns: IPS, DoS Protection, NBA, Reputation Engine
Techniques shown: Signature Detection; Rate-based; Behavioral Analysis; Anti Trojan, Anti Phishing; Stateful Inspection; SYN Cookies; User Behavioral Analysis; Application Behavioral Analysis
AMS Protection Set
Slide 11
NBA
• Prevent application resource misuse
• Prevent zero-minute malware
DoS Protection
• Prevent all types of network DDoS attacks
IPS
• Prevent application vulnerability exploits
Reputation Engine
• Financial fraud protection
• Anti Trojan & Phishing
WAF
• Mitigating Web application threats and zero-day attacks
The Competitive Advantage: Performance Under Attack
[Diagram: multi-Gbps capacity for legitimate traffic; 12 million PPS of attack traffic; one device carries legitimate + attack traffic on the same capacity, the other keeps them apart]
Other Network Security Solutions: device handles attack traffic at the expense of legitimate traffic!
DefensePro: attack traffic does not impact legitimate traffic
Slide 12
Slide 13
NY Stock Exchange Under Attack – Multi Vector Attack
Uniquely capable of withstanding the sophistication and scale of recent attacks
Attack Vector        | Dates (~)                                | Attack Peak        | Protection Mechanisms
Fragmented UDP Flood | 10/10/2011 11 PM - 11/10/2011 1 AM       | 95 Mbps, 10K PPS   | BDoS
DoSS LOIC UDP        | 10/10/2011 4 AM; 10/10/2011 8 PM - 11 PM | 50 Mbps, 5K PPS    | BDoS, Signatures
DoSS TCP SYN Flood   | 11/10/2011 1:40 PM                       | 13.6 Mbps, 24K PPS | BDoS
DoSS R.U.D.Y         | 10/10/2011 4 PM                          | 2.1 Mbps, 0.7K PPS | Signature
LOIC TCP             | 10/10/2011 11 PM - 11/10/2011 3:30 AM    | 500 Kbps, 0.2K PPS | Signatures
Mobile LOIC          | 10/10/2011 6 PM - 8:30 PM                | 86 Kbps, 13 PPS    | Signature
#RefRef              | 10/10/2011 9:45 PM                       | Few packets        | Signature
Side labels on the slide: “Low & slow”, “And Intrusions…”
SSL Attacks
SSL services are extremely vulnerable to DDoS attacks
• SSL Handshake Flood
Establishing a secure connection requires 15 times more processing on the server than on the client; opening multiple sessions quickly exhausts the server’s resources
• SSL Renegotiation Flood
The client asks for key replacement during an existing session, with a similar effect on the server; this could be blocked on the server side.
Popular since the release of THC-SSL-DOS last October
• HTTPS Flood
Exhausting the web application running on top of the secure session
Slide 15
Israeli Bank: Course of Events
15:05 PM - Attack starts
HTTPS Flood
• 167 attackers open up to 70 SSL sessions per second
• Established sessions contain HTTP requests for the secure login page
GET /InternalSite/CustomUpdate/eBank_Login.asp
• Constant User-Agent: wget
• Service became unavailable in seconds
15:22 PM - ERT initiated
16:10 PM - Attack blocked, service revived
• ODS-3 deployed on-site, no SSL protection
• High rate allows easy identification of attackers
• Custom signature suspends sources sending more than 5 “SSL Client Hello” per second
Slide 17
Attack Peak Measurements
• 200 Mbps
• 360K concurrent connections
• 1100 CPS
SSL certificates not used for legal sessions
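The custom signature used in the incident above (suspend any source that sends more than 5 “SSL Client Hello” per second) is a per-source sliding-window rate check. The following is an added illustration of that check, not Radware or DefensePro code. The threshold and window come from the slide; the event format, the IP addresses and the timestamps are constructed sample data, and the monitor only reports which sources trip the threshold (what a real device does with them is a policy decision outside this example).

```python
"""Per-source TLS ClientHello rate check, modelled on the custom signature
described for the Israeli bank incident: a source sending more than 5
ClientHello messages inside any one-second window is suspended.

Added example, not Radware code. Events are constructed tuples of
(timestamp_seconds, source_ip) such as a handshake log would yield.
"""
from collections import defaultdict, deque

THRESHOLD = 5          # slide: "more than 5 SSL Client Hello per second"
WINDOW_SECONDS = 1.0   # the "per second" in that rule


class ClientHelloRateMonitor:
    """Sliding-window counter of ClientHello messages per source IP."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self._events = defaultdict(deque)   # ip -> timestamps still inside the window
        self.suspended = {}                 # ip -> timestamp at which it tripped

    def observe(self, ts, src_ip):
        """Record one ClientHello; return True if this source is (now) suspended."""
        if src_ip in self.suspended:
            return True
        q = self._events[src_ip]
        q.append(ts)
        # Drop timestamps that fell out of the one-second window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) > self.threshold:
            self.suspended[src_ip] = ts
            return True
        return False


def scan_events(events, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Run the monitor over (ts, src_ip) pairs in time order; return {ip: trip_time}."""
    mon = ClientHelloRateMonitor(threshold, window)
    for ts, ip in sorted(events):
        mon.observe(ts, ip)
    return dict(mon.suspended)


# Constructed sample (documentation-range addresses):
#   203.0.113.7  opens 8 sessions within 0.7 s  -> flood-like, should trip at its 6th hello
#   198.51.100.5 opens 6 sessions over 3 s       -> normal, never more than 3 in a second
#   192.0.2.9    opens 2 sessions                -> normal
SAMPLE_EVENTS = (
    [(100.0 + i * 0.1, "203.0.113.7") for i in range(8)]
    + [(100.0 + i * 0.5, "198.51.100.5") for i in range(6)]
    + [(100.2, "192.0.2.9"), (101.9, "192.0.2.9")]
)

if __name__ == "__main__":
    print(scan_events(SAMPLE_EVENTS))   # {'203.0.113.7': 100.5}
```

The monitor keys purely on handshake starts, which is why the slide notes the high rate made identification easy; a source that renegotiates or opens sessions more slowly than the threshold is not caught by this rule and needs the behavioral engines described later in the deck.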
AMS Encrypted Attacks Mitigation
Slide 19
[Diagram]
Attack classes (top to bottom):
– Traffic anomalies, floods
– Network-based DoS attacks
– Application-based DoS attacks (clear and SSL)
– “Directed” application DoS attacks (clear and SSL)
Mitigation engines (top to bottom):
– Packet anomalies, black & white lists
– Behavioral DoS & TCP cookie engines
– L7 ASIC regex engine
– Application “cookie” engines
Traffic paths: clear and encrypted. The client-side termination point is Alteon’s SSL Acceleration Engine; clients that pass the checks are marked “authenticated”.
Once an attack is detected, there are 3 main security actions applied to each client that tries to connect to the protected server(s):
SYN Attack Protection – DefensePro “authenticates” the source through a “safe-reset cookie” mechanism, verifying the validity of the source IP and its TCP/IP stack.
HTTP Signature – DefensePro receives the decrypted first HTTP client request from the SSL engine and applies application layer signatures. This is done in order to remove the “Directed HTTP DoS attacks” that can only be mitigated by pre-defined or custom signatures.
Web Cookie Challenge – If the client “passes” the HTTP filter check, DefensePro generates a Web cookie challenge (302 or JS challenge) that is encrypted and returned to the client by the Alteon SSL engine. Client responses are decrypted and sent to DefensePro, which validates the response. A client that responds correctly is “authenticated” (application level “authentication”) and forced to open a new connection directly to the protected server.
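The 302 variant of the Web cookie challenge above can be shown in a few dozen lines. The code below is an added example of that mechanism and is not DefensePro or Alteon code: a client without a valid challenge cookie gets a 302 back to the same URL with a Set-Cookie; a client that returns the cookie is treated as application-level “authenticated” and its request is passed on. The cookie name, the HMAC construction, the 60-second validity and the binding of the cookie to the source IP are this example’s own assumptions; in the deployment described, the SSL engine would decrypt and re-encrypt this exchange in front of the challenge logic.

```python
"""HTTP cookie challenge (302 variant) in the style described on the slide.
Added example, not DefensePro/Alteon code. Cookie name, secret, TTL and the
binding to the client IP are assumptions of this example.
"""
import hashlib
import hmac
import secrets

COOKIE_NAME = "dp_chal"            # hypothetical cookie name
TTL_SECONDS = 60                   # assumed validity window for a challenge
SECRET = secrets.token_bytes(32)   # per-process key; rotate in a real deployment


def _mac(client_ip, issued_at, secret):
    """Keyed MAC over (source IP, issue time): the client cannot forge it."""
    msg = f"{client_ip}|{issued_at}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def make_challenge(client_ip, now, secret=SECRET):
    """Cookie value bound to the source IP and the issue time."""
    issued_at = int(now)
    return f"{issued_at}.{_mac(client_ip, issued_at, secret)}"


def verify_challenge(value, client_ip, now, secret=SECRET, ttl=TTL_SECONDS):
    """True only if the MAC matches this IP and the cookie is inside its TTL."""
    try:
        issued_str, mac = value.split(".", 1)
        issued_at = int(issued_str)
    except (ValueError, AttributeError):
        return False
    if not 0 <= now - issued_at <= ttl:
        return False
    return hmac.compare_digest(mac, _mac(client_ip, issued_at, secret))


def parse_cookies(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in (header or "").split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def handle_request(method, path, headers, client_ip, now, secret=SECRET):
    """Return (status, response_headers); 200 means 'forward to the real server'."""
    cookies = parse_cookies(headers.get("Cookie"))
    if verify_challenge(cookies.get(COOKIE_NAME, ""), client_ip, now, secret):
        return 200, {}
    # Challenge: set the cookie and send the client back to the same URL.
    # A client that never honours Set-Cookie (like the wget sessions in the
    # incident above) keeps receiving 302s and never reaches the server.
    value = make_challenge(client_ip, now, secret)
    return 302, {
        "Location": path,
        "Set-Cookie": f"{COOKIE_NAME}={value}; Path=/; Secure; HttpOnly",
    }


if __name__ == "__main__":
    # Constructed walk-through: first request is challenged, the replay passes.
    status, hdrs = handle_request("GET", "/login", {}, "203.0.113.7", 1000)
    print(status, hdrs)
    cookie = hdrs["Set-Cookie"].split(";")[0]
    print(handle_request("GET", "/login", {"Cookie": cookie}, "203.0.113.7", 1010))
```

Binding the cookie to the source IP is what stops one authenticated cookie from being shared across a botnet, but it also means clients behind a changing NAT or proxy pool get re-challenged; the TTL bounds how long a stolen cookie is useful. The JS variant mentioned on the slide differs only in how the cookie is set (a script the client must execute rather than a Set-Cookie header).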
AMS Encrypted Attacks Mitigation
AMS - Protecting the HTTPS service
* SSL mitigation expands the resources: Alteon can handle up to 45K SSL sessions
• Banks and other financial institutions are not able to export certificates (MSSP and such)
• Unique solution that requires two devices; they will be merged into one box in the future
Slide 20
Protection                    | Target      | Attack
SYN Cookies, BDoS, Signatures | TCP Service | Network Floods
SSL Mitigation*               | SSL Service | SSL Floods
SSL Mitigation, Signatures    | Web Service | Application Floods
Sample of AMS Security Customers
Financial Services Retail Services
Government, Healthcare & Education Carrier & Technology Services
Slide 22
Summary
Slide 23
• Radware AMS protects against all types of DDoS attacks and application attacks
• Radware AMS first of all enables legitimate users to keep working under attack
• AMS can protect against SSL DDoS without using the legitimate SSL certificates
• AMS works automatically: within 18 seconds of an attack starting, a dynamic signature is raised and starts to work against the attack. No human intervention is usually required
• In case of a very complicated attack, the Radware Emergency Response Team (ERT) can be involved online
• ERT enables counter-attack against DDoS sources