dss itsec conference 2012 - radware_ams_tech

39 slides
Master presentation Radware Attack Mitigation System (AMS) Igor Kontsevoy November 2012

Upload: andris-soroka

Post on 19-Jan-2015

Category: Technology

DESCRIPTION

Presentation from Riga, Latvia. "Data Security Solutions" Ltd. ITSEC Conference.

TRANSCRIPT

Page 1: DSS ITSEC Conference 2012 - Radware_AMS_Tech

Master presentation
Radware Attack Mitigation System (AMS)
Igor Kontsevoy
November 2012

Page 2

Agenda

• Radware Attack Mitigation System (AMS)
• AMS technology overview
• Summary

Page 3

Introducing Radware Attack Mitigation System

Page 4

Mapping Security Protection Tools

Figure: matrix of attack types against protection tools. Tools: DoS Protection, Behavioral Analysis, IP Rep., IPS, WAF. Attack types: large volume network flood attacks; web attacks: XSS, brute force; SYN flood attack; application vulnerability, malware; web attacks: SQL Injection; port scan; "Low & Slow" DoS attacks (e.g. Sockstress); network scan; intrusion; high and slow application DoS attacks.

Page 5

AMS Protection Set

NBA
• Prevent application resource misuse
• Prevent zero-minute malware spread

DoS Protection
• Prevent all types of network DDoS attacks

IPS
• Prevent application vulnerability exploits

WAF
• Mitigating Web application attacks
• PCI compliance

Reputation Engine
• Financial fraud protection
• Anti Trojan & Phishing

Page 6

Technology Overview

Page 7

Network-based DoS Protections

Page 8

Network-based DoS Protections

Real-time protections against:
– TCP SYN floods
– TCP SYN+ACK floods
– TCP FIN floods
– TCP RESET floods
– TCP out-of-state floods
– TCP fragment floods
– UDP floods
– ICMP floods
– IGMP floods
– Packet anomalies
– Known DoS tools
– Custom DoS signatures

Page 9

Network Behavior Analysis & RT Signature Technology

Figure: closed-feedback loop between the Public Network and the Protected Network. Inbound traffic passes the Detection Engine (Learning, Statistics, Rules), which turns the traffic characteristics into Real-Time (RT) Signatures; Blocking applies the filter, and the filtered and outbound traffic feed back into the engine.

Signature parameters:
• Source/Destination IP
• Source/Destination Port
• Packet size
• TTL (Time To Live)
• DNS Query
• Packet ID
• TCP sequence number
• More … (up to 20)

Mitigation optimization process (closed feedback; time axis in seconds: mitigation starts with the initial filter within up to 10 s, the final filter is reached at 10+X s):
1. Initial filter is generated: Packet ID
2. Filter optimization: Packet ID AND Source IP
3. Filter optimization: Packet ID AND Source IP AND Packet size
4. Filter optimization: Packet ID AND Source IP AND Packet size AND TTL
5. Narrowest filter: Packet ID, Source IP Address, Packet size, TTL

Each round is driven by the Degree of Attack measured on the traffic that still passes the filter: Degree of Attack = Low is positive feedback, Degree of Attack = High is negative feedback.

Page 10

Decision Making - Attack

Figure: three-dimensional decision surface. X-axis: abnormal rate of packets, …; Y-axis: abnormal protocol distribution [%]; Z-axis: Attack Degree. Regions: normal adapted area, suspicious area, attack area. Attack case shown: Attack Degree = 10 (attack).

Page 11

Adaptive Detection Engine

Figure: a rate parameter input and a rate-invariant input parameter are combined into the Degree of Attack (DoA), plotted over the same normal adapted area, suspicious area and attack area. Flash crowd scenario: Low DoA (the rate parameter rises while the rate-invariant parameter stays within the adapted area).
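The closed loop of slides 9 to 11, as an added example in Python. It is not Radware code and not the DefensePro algorithm: a Degree of Attack is fused from a rate parameter and a rate-invariant parameter, then a real-time signature is narrowed one parameter at a time, keeping each new parameter only while the DoA of the traffic that still passes the filter stays low. The scoring formula, the thresholds, the packet fields, the field names and the constructed baseline, flash-crowd and SYN-flood windows are all assumptions made for the example.

```python
"""Added example (not Radware code): Degree of Attack from a rate parameter and a
rate-invariant parameter, then real-time signature narrowing under closed feedback.
All field names, formulas, thresholds and traffic samples are assumptions."""
from collections import Counter
import math

PARAMS = ("packet_id", "src_ip", "ttl", "size", "proto", "dst_port")    # candidate signature parameters
BASELINE_PPS = 1000.0                                                     # learned packets/s
BASELINE_MIX = {"tcp-syn": 0.10, "tcp": 0.60, "udp": 0.25, "icmp": 0.05}  # learned protocol distribution


def degree_of_attack(window, seconds=1.0):
    """DoA in 0..10: geometric mean of a rate score (packets/s over the learned
    baseline, saturating at 8x) and a distribution score (L1 distance between the
    observed and the learned protocol mix). A flash crowd moves only the rate,
    so it stays in the low area; a SYN flood moves both and scores high."""
    if not window:
        return 0.0
    rate = min(1.0, max(0.0, math.log2(len(window) / seconds / BASELINE_PPS) / 3))
    mix = Counter(p["proto"] for p in window)
    l1 = sum(abs(mix[k] / len(window) - v) for k, v in BASELINE_MIX.items())
    return round(10 * math.sqrt(rate * min(1.0, l1)), 1)


def classify(doa):
    return "attack" if doa >= 7 else "suspicious" if doa >= 3 else "normal"


def anomalous_values(baseline, window, param, min_share=0.01, min_ratio=4.0):
    """Values of one parameter that are over-represented in the attack window
    relative to the baseline, plus a ranking ratio for the whole value set."""
    base, seen = Counter(p[param] for p in baseline), Counter(p[param] for p in window)
    eps = 1.0 / (len(baseline) + 1)                        # floor for values never seen in baseline
    vals = {v for v, n in seen.items() if n / len(window) >= min_share
            and (n / len(window)) / max(base[v] / len(baseline), eps) >= min_ratio}
    att = sum(seen[v] for v in vals) / len(window)
    bas = sum(base[v] for v in vals) / len(baseline)
    return vals, att / max(bas, eps)


def matches(pkt, sig):
    return all(pkt[k] in vals for k, vals in sig.items())


def build_rt_signature(baseline, window, low_doa=3.0):
    """Closed-feedback narrowing: start from the most anomalous parameter, then AND
    in the next one; keep it while the DoA of the traffic still getting through stays
    low (positive feedback), revert it when the narrower filter leaks the attack
    (negative feedback). Returns the signature and a (parameters, residual DoA) history."""
    cands = {p: anomalous_values(baseline, window, p) for p in PARAMS}
    order = sorted((p for p in PARAMS if cands[p][0]), key=lambda p: -cands[p][1])
    if not order:
        return {}, []
    sig = {order[0]: cands[order[0]][0]}
    doa = degree_of_attack([q for q in window if not matches(q, sig)])
    history = [(tuple(sig), doa)]
    if doa >= low_doa:                  # one parameter is not enough; widening is out of scope here
        return {}, history
    for p in order[1:]:
        trial = {**sig, p: cands[p][0]}
        doa = degree_of_attack([q for q in window if not matches(q, trial)])
        history.append((tuple(trial), doa))
        if doa < low_doa:
            sig = trial
    return sig, history


# Constructed traffic, not a capture. Legitimate mix: 10% SYN, 60% TCP, 25% UDP, 5% ICMP.
TTLS, SIZES = (52, 57, 64, 113, 128), (60, 120, 500, 1460, 1500)


def legit_packets(n):
    out = []
    for i in range(n):
        r = i % 20
        proto = "tcp-syn" if r < 2 else "tcp" if r < 14 else "udp" if r < 19 else "icmp"
        out.append({"packet_id": (i * 7919) % 50000 + 1, "src_ip": f"198.51.100.{i % 200}",
                    "ttl": TTLS[i % 5], "size": 40 if proto == "tcp-syn" else SIZES[i % 5],
                    "proto": proto, "dst_port": 80 if i % 2 == 0 else 443})
    return out


def syn_flood(n, bots=20):
    """SYN flood with a fixed IP ID and size (a DoS-tool fingerprint) from 20 bots;
    three quarters of the bots sit at TTL 249, the rest at TTL 52 like some real users."""
    return [{"packet_id": 54321, "src_ip": f"203.0.113.{j % bots}", "size": 40, "proto": "tcp-syn",
             "ttl": 249 if (j % bots) % 4 != 3 else 52, "dst_port": 80} for j in range(n)]


BASELINE = legit_packets(1000)
FLASH_CROWD = legit_packets(8000)                       # 8x the rate, same protocol mix
ATTACK_WINDOW = legit_packets(1000) + syn_flood(7000)   # normal users plus the flood

if __name__ == "__main__":
    for name, w in (("baseline", BASELINE), ("flash crowd", FLASH_CROWD), ("attack", ATTACK_WINDOW)):
        print(f"{name:12s} DoA={degree_of_attack(w):4.1f} -> {classify(degree_of_attack(w))}")
    sig, hist = build_rt_signature(BASELINE, ATTACK_WINDOW)
    for params, doa in hist:
        print("  filter", " AND ".join(params), "-> residual DoA", doa, "kept" if doa < 3 else "reverted")
    blocked = [p for p in ATTACK_WINDOW if matches(p, sig)]
    print("final filter blocks", len(blocked), "packets,",
          sum(p["packet_id"] != 54321 for p in blocked), "of them legitimate")
```

Running the block prints the DoA of the three windows and the round-by-round filter. In the constructed attack the TTL parameter is tried and reverted: only three quarters of the bots share TTL 249, so the narrower filter lets the other five bots through and the residual DoA climbs back to about 7, which is the negative feedback the slide labels; packet size and protocol are kept because they lose no attack packets. A real engine would also widen the initial filter when one parameter alone does not bring the DoA down, which this example skips.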

Page 12

Application-based DoS Protections

Page 13

Application-based DoS Protections

Real-time protection against:
– Bot-originated and direct application attacks
– HTTP GET page floods
– HTTP POST floods
– HTTP uplink bandwidth consumption attacks
– DNS query floods (A, MX, PTR, …)

Advanced behavioral application monitoring:
– HTTP servers: real-time statistics and baselines
– DNS servers: real-time statistics and baselines

Page 14

HTTP Mitigator

Page 15

Challenge/Response & Action Escalation System

Figure: closed feedback & action escalation. Attack Detection → Behavioral Real-time Signature Technology (Real-Time Signature created; botnet is identified, suspicious sources are marked) → Challenge/Response Technology: "Light" challenge actions (302 Redirect challenge) and "Strong" challenge action (JavaScript challenge); a TCP challenge is also shown → Selective rate-limit → Real-time Signature blocking. Each stage is marked with the sources it lets through (?) and the sources it stops (X).
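The escalation ladder of slide 15 as an added Python example; it is not Radware's HTTP Mitigator. A source seen during an attack first gets a light challenge (a 302 back to the same URL with a cookie a real browser returns), then a strong one (a page whose JavaScript computes a value and sets it as a cookie), then a selective rate-limit, then blocking. The cookie names, the HMAC-bound token, the JavaScript answer, the number of unanswered challenges before each escalation, the rate-limit and the simulated clients are assumptions; the behavioral detector that raises `under_attack` is not modelled.

```python
"""Added example (not Radware's HTTP Mitigator): a per-source challenge/response
ladder: 302-redirect challenge -> JavaScript challenge -> selective rate-limit -> block.
Cookie names, tokens, escalation counts and the simulated clients are assumptions."""
import hashlib
import hmac

SECRET = b"per-deployment-secret"        # assumed; rotate it in a real deployment
LIGHT, STRONG, RATE_LIMIT, BLOCK = 1, 2, 3, 4


def redirect_token(src, window):
    """Light-challenge token, bound to the source and a one-minute window so it can
    be verified without server-side state. A browser returns it as a cookie when it
    follows the 302 back to the original URL."""
    return hmac.new(SECRET, f"{src}|{window}".encode(), hashlib.sha256).hexdigest()[:24]


def js_answer(token):
    """Strong challenge: the served page's JavaScript derives this from the token and
    sets it as a cookie. A bot that replays GETs without a JS engine never does."""
    return hashlib.sha256(token.encode()).hexdigest()[:24]


class HttpMitigator:
    def __init__(self, step_after=3, rate_limit=2):
        self.step_after, self.rate_limit = step_after, rate_limit
        self.under_attack = False          # raised by the behavioral detector (not modelled)
        self.level, self.misses = {}, {}   # per-source escalation level and unanswered count
        self.verified, self.rate = {}, {}  # src -> window it was cleared in; src -> (second, count)

    @staticmethod
    def window(now):
        return int(now) // 60

    def answered(self, req, now, lvl):
        """Accept a cookie for the current or the previous token window."""
        cookies = req.get("cookies", {})
        for w in (self.window(now), self.window(now) - 1):
            tok = redirect_token(req["src"], w)
            if lvl == LIGHT and cookies.get("ams_chal") == tok:
                return True
            if lvl == STRONG and cookies.get("ams_js") == js_answer(tok):
                return True
        return False

    def miss(self, req, now, lvl, response):
        """Count an unanswered challenge or an over-limit request; escalate after step_after."""
        src = req["src"]
        self.misses[src] = self.misses.get(src, 0) + 1
        if self.misses[src] < self.step_after:
            return response
        self.level[src], self.misses[src] = lvl + 1, 0      # action escalation
        return self.handle(req, now)                         # re-evaluate at the new level

    def handle(self, req, now):
        src = req["src"]
        if not self.under_attack or self.verified.get(src) == self.window(now):
            return {"action": "pass", "status": 200}
        lvl = self.level.get(src, LIGHT)
        if lvl == BLOCK:                                     # real-time signature blocking
            return {"action": "block", "status": 403}
        if lvl == RATE_LIMIT:                                # selective rate-limit, this source only
            sec, n = self.rate.get(src, (int(now), 0))
            if sec != int(now):
                sec, n = int(now), 0
            self.rate[src] = (sec, n + 1)
            if n < self.rate_limit:
                return {"action": "pass", "status": 200}
            return self.miss(req, now, lvl, {"action": "limit", "status": 429})
        if self.answered(req, now, lvl):
            self.verified[src] = self.window(now)
            return {"action": "pass", "status": 200}
        tok = redirect_token(src, self.window(now))
        if lvl == LIGHT:
            return self.miss(req, now, lvl, {"action": "redirect", "status": 302,
                                             "location": req["path"], "set_cookie": {"ams_chal": tok}})
        return self.miss(req, now, lvl, {"action": "js", "status": 200, "js_challenge": tok})


def browser_session(m, src, path, now):
    """A real browser follows the 302 with the cookie and runs the JS if it is served."""
    r = m.handle({"src": src, "path": path}, now)
    if r["action"] == "redirect":
        r = m.handle({"src": src, "path": r["location"], "cookies": r["set_cookie"]}, now)
    if r["action"] == "js":
        r = m.handle({"src": src, "path": path, "cookies": {"ams_js": js_answer(r["js_challenge"])}}, now)
    return r["action"]


def bot_session(m, src, path, now, n):
    """A flood bot replays the same GET and ignores redirects, cookies and JavaScript."""
    return [m.handle({"src": src, "path": path}, now + i * 0.1)["action"] for i in range(n)]


if __name__ == "__main__":
    m = HttpMitigator()
    m.under_attack = True
    print("browser:", browser_session(m, "198.51.100.7", "/hotels/", 1000.0))
    print("bot:    ", bot_session(m, "203.0.113.9", "/hotels/", 1000.0, 12))
```

The light challenge is cheap for the user but any client that follows redirects and keeps cookies passes it, which is why the ladder escalates to a JavaScript computation for sources that keep sending without the cookie, and to a per-source rate-limit and block for sources that never answer at all. Passing a challenge clears a source only for the current token window, so a source that later turns into a flood is challenged again.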

Page 16

AMS protections: unique value proposition

Figure: the escalation stages (attack detection, real-time signature, light challenge, strong challenge, selective rate-limit).

• Best security coverage
– Prevent all types of network and application attacks
– Complementing technologies fighting known and zero-day attacks
– Complete removal of non-browser rogue traffic
• Best user quality of experience (QoE)
– Reaching the lowest false-positive rate in the industry
– Advanced capabilities are exposed only when needed
• Reduced Cost of Ownership
– Automatic real-time attack mitigation with no need for human intervention

Page 17

DNS Mitigator

Page 18

Behavioral DNS Application Monitoring

Figure: Rate Analysis per DNS Query Type: DNS QPS over time with a baseline per record type ('A' records baseline, 'MX' records baseline, 'PTR' records …, 'AAAA' records …). DNS Query Distribution Analysis: shares of A, MX, PTR, AAAA, TEXT and other records, with the associated threat vectors.

Page 19

Challenge/Response & Action Escalation System

Figure: closed feedback & action escalation for DNS. Attack Detection → Behavioral RT signature technology (Real-Time signature created; RT signature scope protection per query type; botnet is identified, suspicious traffic is detected per query type) → DNS query challenge → Query rate limit → Collective query challenge → Collective query rate limit (collective scope protection per query type). Each stage is marked with the traffic it lets through (?) and the traffic it stops (X).
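Per-query-type baselines and a challenge scoped to the attacked query type, in the shape of slides 18 and 19, as an added Python example that is not Radware's DNS Mitigator. The slides do not say what the DNS query challenge is; this example uses the standard TC-bit truncation, which makes a genuine resolver retry over TCP while a spoofed-source UDP flood never does. The detection thresholds, the per-source and collective limits, the wire-format helpers and the constructed query counts are the example's own assumptions.

```python
"""Added example (not Radware's DNS Mitigator): per-query-type baselines, a
TC-bit query challenge scoped to the attacked query type, and per-type rate limits.
The choice of challenge, the thresholds and the query counts are assumptions."""
import struct
from collections import Counter

QTYPE = {"A": 1, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}
QR, TC, RD = 0x8000, 0x0200, 0x0100            # DNS header flag bits


def build_query(txid, qname, qtype):
    """Minimal DNS query on the wire: 12-byte header plus one IN-class question."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return struct.pack("!6H", txid, RD, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!2H", QTYPE[qtype], 1)


def parse_qtype(query):
    i = 12
    while query[i]:                               # walk the name labels to the zero terminator
        i += 1 + query[i]
    return struct.unpack("!H", query[i + 1:i + 3])[0]


def truncated_response(query):
    """The challenge: same ID and question, QR=1, TC=1, no answer records. A genuine
    resolver retries the query over TCP; a spoofed-source UDP flood cannot."""
    txid, flags, qd = struct.unpack("!3H", query[:6])
    return struct.pack("!6H", txid, QR | TC | (flags & RD), qd, 0, 0, 0) + query[12:]


class DnsMitigator:
    def __init__(self, baseline_qps, ratio=4.0, share_delta=0.25, collective_limit=50):
        self.baseline = baseline_qps              # learned QPS per query type
        self.ratio, self.share_delta, self.collective_limit = ratio, share_delta, collective_limit
        self.flagged = set()                      # query types currently under attack
        self.verified = set()                     # sources that answered the challenge over TCP
        self.unanswered = Counter()               # src -> challenges it never answered
        self.sec, self.per_sec = None, Counter()  # collective counter per flagged type

    def analyse(self, counts, seconds):
        """Rate analysis per query type plus distribution analysis: flag a type whose
        QPS is far above its baseline AND whose share of all queries has jumped.
        A flash crowd scales every type alike, keeps the distribution and is not flagged."""
        total = sum(counts.values()) / seconds
        base_total = sum(self.baseline.values())
        self.flagged = {qt for qt, n in counts.items()
                        if n / seconds >= self.ratio * self.baseline.get(qt, 0.1)
                        and n / seconds / total - self.baseline.get(qt, 0) / base_total >= self.share_delta}
        return self.flagged

    def handle(self, src, transport, query, now):
        """Returns (action, response bytes or None). Scope is the flagged query type only:
        other query types from the same source are resolved normally."""
        qt = parse_qtype(query)
        if qt not in self.flagged or src in self.verified:
            return "resolve", None
        if transport == "tcp":                    # the TC retry: this source is a real resolver
            self.verified.add(src)
            return "resolve", None
        if int(now) != self.sec:                  # collective query rate limit per flagged type
            self.sec, self.per_sec = int(now), Counter()
        self.per_sec[qt] += 1
        if self.per_sec[qt] > self.collective_limit or self.unanswered[src] >= 3:
            return "drop", None                   # per-source limit: three unanswered challenges
        self.unanswered[src] += 1
        return "challenge", truncated_response(query)


BASELINE_QPS = {1: 800.0, 28: 100.0, 15: 50.0, 12: 30.0, 16: 20.0}   # constructed learned rates
FLASH_COUNTS = {1: 48000, 28: 6000, 15: 3000, 12: 1800, 16: 1200}     # 10 s window, 6x everything
MX_FLOOD_COUNTS = {1: 8000, 28: 1000, 15: 50000, 12: 300, 16: 200}    # 10 s window, MX flood

if __name__ == "__main__":
    m = DnsMitigator(BASELINE_QPS)
    print("flash crowd flags", m.analyse(FLASH_COUNTS, 10), "| MX flood flags", m.analyse(MX_FLOOD_COUNTS, 10))
    q = build_query(0x1234, "example.com", "MX")
    print("resolver udp/tcp/udp:", [m.handle("198.51.100.53", t, q, 1.0)[0] for t in ("udp", "tcp", "udp")])
    print("bot udp x5:", [m.handle("203.0.113.9", "udp", q, 1.0)[0] for _ in range(5)],
          "| bot A query:", m.handle("203.0.113.9", "udp", build_query(7, "example.com", "A"), 1.0)[0])
```

The scope matters: during the MX flood the bot's A queries are still answered, and a resolver that retries over TCP once is never challenged again. The collective limit is the last resort the slide calls a collective query rate limit: when unverified sources of the flagged type exceed it within a second, the surplus is dropped regardless of source.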

Page 20

Service Cracking Behavioral Protections

Page 21

Service Cracking Behavioral Protections

Real-time protections against information theft:
– HTTP servers
  – Web vulnerability scans
  – Brute force
– SIP servers (TCP & UDP)
  – SIP spoofed floods
  – Pre-SPIT activities
  – SIP scanning
– SMTP/IMAP/POP3, FTP, …
  – Application brute force
  – Application scans
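Behavioral detection of the two HTTP cases in the list above, web vulnerability scans and brute force, as an added Python example that is not Radware code. It profiles each source over a log and separates a scanner (most requests hit distinct non-existent resources) from a brute-forcer (many failed logins on one account) and from password spraying (one or two failures each across many accounts). The key=value log format, the thresholds, the login path and every log line are constructed for the example.

```python
"""Added example (not Radware code): per-source brute-force and vulnerability-scan
detection for an HTTP server, run over constructed key=value log lines.
The log format, thresholds, login path and all log lines are assumptions."""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) path=(?P<path>\S+) "
                     r"status=(?P<status>\d{3})(?: user=(?P<user>\S+))?$")
LOGIN_PATH = "/login"


def profile(lines):
    """Per-source counters: request total, distinct missing resources, failed logins per account."""
    prof = defaultdict(lambda: {"n": 0, "missing": set(), "fails": defaultdict(int)})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                        # unparsable line: skip, never guess
        p = prof[m["src"]]
        p["n"] += 1
        if m["status"] == "404":
            p["missing"].add(m["path"])
        if m["path"] == LOGIN_PATH and m["method"] == "POST" and m["status"] == "401" and m["user"]:
            p["fails"][m["user"]] += 1
    return prof


def classify(prof, scan_paths=15, scan_ratio=0.7, fail_total=10, per_account=8, accounts=8):
    """'vuln-scan': most requests hit distinct missing resources; 'brute-force': many
    failures on one account; 'password-spray': few failures each across many accounts."""
    labels = {}
    for src, p in prof.items():
        fails = sum(p["fails"].values())
        if len(p["missing"]) >= scan_paths and len(p["missing"]) / p["n"] >= scan_ratio:
            labels[src] = "vuln-scan"
        elif fails >= fail_total and max(p["fails"].values(), default=0) >= per_account:
            labels[src] = "brute-force"
        elif fails >= fail_total and len(p["fails"]) >= accounts:
            labels[src] = "password-spray"
        else:
            labels[src] = "normal"
    return labels


def sample_log():
    """Constructed log: an ordinary visitor, a scanner, a brute-forcer and a sprayer."""
    t = "2012-11-20T10:00:00Z"
    lines = [f"{t} src=198.51.100.7 method=GET path=/hotels/?city=Riga status=200"] * 20
    lines += [f"{t} src=198.51.100.7 method=GET path=/old-offer status=404",
              f"{t} src=198.51.100.7 method=POST path=/login status=401 user=anna",
              f"{t} src=198.51.100.7 method=POST path=/login status=200 user=anna"]
    probes = ["/admin.php", "/phpmyadmin/", "/wp-login.php", "/.git/config", "/.env", "/backup.zip"]
    lines += [f"{t} src=203.0.113.9 method=GET path={p} status=404" for p in probes]
    lines += [f"{t} src=203.0.113.9 method=GET path=/cgi-bin/test{i}.cgi status=404" for i in range(20)]
    lines += [f"{t} src=203.0.113.9 method=GET path=/ status=200"] * 3
    lines += [f"{t} src=203.0.113.20 method=POST path=/login status=401 user=admin"] * 30
    lines += [f"{t} src=203.0.113.31 method=POST path=/login status=401 user=user{i:02d}" for i in range(12)]
    return lines


if __name__ == "__main__":
    for src, label in classify(profile(sample_log())).items():
        print(f"{src:14s} {label}")
```

The spray case is the one a plain per-account lockout misses: twelve accounts with one failure each never trip a lockout, but the per-source view shows twelve failed accounts from one address. The same profile would serve SMTP/IMAP/POP3 or FTP with the failure condition swapped for the protocol's authentication error.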

Page 22

Network Scanning and Malware Propagation Protections

Page 23

Source-based Behavioral Analysis

• Behavioral real-time protection against zero-minute malware propagation and network scans:
– UDP spreading worms detection
– TCP spreading worms detection
– High and low rate network scans
– Scanning/spreading pattern identification
– Infected source identification
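Source-based analysis over flow records, as an added Python example that is not Radware code. Each source is profiled by fan-out (distinct destinations), port spread and the share of connections that got no answer; because the decision is rate-invariant it catches a scan at one connection every 30 seconds as well as a fast one, and the rate is only reported. A spreading host whose one successful target later starts spreading on the same service is reported as an infection chain. The record format, the notion of "answered", the thresholds and the addresses are assumptions.

```python
"""Added example (not Radware code): source-based behavioral analysis over constructed
flow records: fan-out, port spread and failure ratio per source, rate reported but not
decided on, plus infection-chain identification. Records, thresholds and addresses are assumptions."""
from collections import defaultdict


def profile_sources(flows):
    """flows: (t, src, dst, proto, dport, answered); answered=False means the SYN drew
    no SYN-ACK (or a RST) or the UDP datagram got no reply."""
    prof = defaultdict(lambda: {"dsts": set(), "ports": set(), "n": 0, "fail": 0,
                                "first": None, "last": None, "answered": []})
    for t, src, dst, proto, dport, ok in sorted(flows):
        p = prof[src]
        p["dsts"].add(dst)
        p["ports"].add((proto, dport))
        p["n"] += 1
        p["fail"] += not ok
        p["first"] = t if p["first"] is None else p["first"]
        p["last"] = t
        if ok:
            p["answered"].append((t, dst, proto, dport))
    return prof


def classify(prof, fanout=20, fail_ratio=0.8, port_spread=20):
    """Rate-invariant decision: a source is spreading/scanning when it fans out to many
    hosts on one service (network scan or worm) or probes many ports on one host (port
    scan) and almost nothing answers. Rate is reported, not used, so a scan at one
    connection per 30 seconds is caught like a fast one."""
    out = {}
    for src, p in prof.items():
        ratio = p["fail"] / p["n"]
        rate = p["n"] / max(1, p["last"] - p["first"])
        if len(p["dsts"]) >= fanout and len(p["ports"]) <= 2 and ratio >= fail_ratio:
            proto, port = sorted(p["ports"])[0]
            out[src] = {"label": f"{proto}-spread", "service": f"{port}/{proto}", "rate": rate}
        elif len(p["dsts"]) <= 2 and len(p["ports"]) >= port_spread and ratio >= fail_ratio:
            out[src] = {"label": "port-scan", "service": None, "rate": rate}
        else:
            out[src] = {"label": "normal", "service": None, "rate": rate}
    return out


def infection_chains(prof, verdicts):
    """Infected source identification: a spreading host that was itself successfully
    reached on the same service by an earlier spreading host got the infection there."""
    chains = []
    for src, v in verdicts.items():
        if not v["label"].endswith("-spread"):
            continue
        for t, dst, proto, dport in prof[src]["answered"]:
            w = verdicts.get(dst)
            if w and w["label"].endswith("-spread") and w["service"] == v["service"] and prof[dst]["first"] > t:
                chains.append((src, dst, v["service"]))
    return chains


def sample_flows():
    """Constructed records: a fast 445/tcp spreader whose one successful target then spreads
    slowly, a port scanner, a UDP spreader and an ordinary client."""
    f = [(t, "10.0.0.5", f"10.0.1.{t + 1}", "tcp", 445, t == 32) for t in range(60)]
    f += [(100 + 30 * k, "10.0.1.33", f"10.0.2.{k + 1}", "tcp", 445, False) for k in range(40)]
    f += [(200 + k, "10.0.0.9", "10.0.3.1", "tcp", 1 + k, k in (21, 24)) for k in range(50)]
    f += [(300 + k, "10.0.0.12", f"10.0.4.{k + 1}", "udp", 1434, False) for k in range(30)]
    f += [(400 + k, "10.0.0.7", f"10.0.5.{k % 3 + 1}", "tcp", (80, 443)[k % 2], True) for k in range(8)]
    return f


if __name__ == "__main__":
    prof = profile_sources(sample_flows())
    verdicts = classify(prof)
    for src, v in verdicts.items():
        print(f"{src:10s} {v['label']:10s} {v['service'] or '-':10s} {v['rate']:.3f} flows/s")
    print("infection chains:", infection_chains(prof, verdicts))
```

The failure ratio is what separates a spreader from a busy legitimate client: a web crawler also fans out widely, but its connections are answered. The chain output is the part an operator acts on first, because the infected host inside the network keeps spreading after the external source is blocked.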

Page 24

IPS & Reputation Services

Page 25

IPS & Radware's SOC

Signature protection against:
• Application vulnerabilities and exploits
– Web, mail, DNS, databases, VoIP
• OS vulnerabilities and exploits
– Microsoft, Apple, Unix based
• Network infrastructure vulnerabilities
– Switches, routers and other network element vulnerabilities
• Malware
– Worms, bots, Trojans and drop-points, spyware
• Anonymizers
• IPv6 attacks
• Protocol anomalies

Security Operation Center & Reputation Engine
– Leading vulnerability security research team
– Weekly and emergency signature updates

Page 26

WAF

Page 27

The Secret Sauce – Adaptive Policy Creation (1 of 3)

Figure: App Mapping of Reservations.com: /config/, /hotels/, /register/, /info/, /reserve/, /admin/.

Threat Analysis, risk analysis per "application-path":
– SQL Injection: spoof identity, steal user information, data tampering
– CCN breach: information leakage
– Buffer Overflow: unexpected application behavior, system crash, full system compromise
– Directory Traversal: gain root access control

Page 28

The Secret Sauce – Adaptive Policy Creation (2 of 3)

Figure: App Mapping → Threat Analysis → Policy Generation for Reservations.com (/config/, /hotels/, /admin/, /register/, /info/, /reserve/; threats: SQL Injection, CCN breach, Buffer Overflow, Directory Traversal; a masked card number is shown as ***********9459).

Policy Generation:
– Prevent access to sensitive app sections
– Mask CCN, SSN, etc. in responses
– Parameters inspection
– Traffic normalization & HTTP RFC validation

Page 29

The Secret Sauce – Adaptive Policy Creation (3 of 3)

Figure: App Mapping → Threat Analysis → Policy Generation → Policy Activation for Reservations.com (same paths and threats as before; masked card number ***********9459).

Policy Activation:
– Add tailored application behavioral rules for "zero day" protection
– Known vulnerabilities protections: optimization of negative rules for best accuracy

Result: time to protect, virtually zero false positives, best coverage
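The four stages of slides 27 to 29 as an added Python example; it is not Radware's WAF and does not claim to be its algorithm. App mapping learns which paths and parameters exist from legitimate requests; threat analysis assigns each path the attack classes its parameters expose; policy generation derives per-path positive rules (learned value type and length), negative signatures scoped to the path's own risks, access control on sensitive sections and masking of card numbers in responses; activation enforces the result. The paths follow the Reservations.com figure; the parameter samples, value classes, signature patterns, length tolerance, admin network and the Luhn-based masking are assumptions.

```python
"""Added example (not Radware's WAF): app-path policy pipeline: app mapping ->
threat analysis -> policy generation -> activation, plus card-number masking.
Paths follow the Reservations.com figure; everything else is an assumption."""
import re
from collections import defaultdict

SENSITIVE = {"/admin/", "/config/"}                         # sections only the admin network may reach
SIGNATURES = {                                                # negative rules, one per threat class
    "sqli": re.compile(r"('|%27)\s*(or|and|union)\b|;\s*(drop|select|insert)\b|--\s*$", re.I),
    "traversal": re.compile(r"\.\./|%2e%2e|\x00", re.I),
    "xss": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
}
KIND_RANK = {"int": 0, "token": 1, "text": 2}                # int is a subset of token, token of text


def value_kind(v):
    if re.fullmatch(r"\d+", v):
        return "int"
    if re.fullmatch(r"[A-Za-z][\w.-]*", v):
        return "token"
    return "text"


def map_application(samples):
    """App mapping: per path and parameter, the value kinds, longest value and whether
    values look like file names, learned from legitimate requests."""
    app = defaultdict(lambda: defaultdict(lambda: {"kinds": set(), "maxlen": 0, "filelike": False}))
    for s in samples:
        app[s["path"]]                                        # register parameterless paths too
        for name, value in s["params"].items():
            prof = app[s["path"]][name]
            prof["kinds"].add(value_kind(value))
            prof["maxlen"] = max(prof["maxlen"], len(value))
            prof["filelike"] |= bool(re.search(r"\.\w{2,4}$", value))
    return app


def analyse_threats(app):
    """Threat analysis per app-path: any parameter may reach a query (SQLi), free text
    may be reflected (XSS), file-name-like values may hit the file system (traversal)."""
    risks = {}
    for path, params in app.items():
        r = set()
        for prof in params.values():
            r.add("sqli")
            if "text" in prof["kinds"]:
                r.add("xss")
            if prof["filelike"]:
                r.add("traversal")
        risks[path] = r
    return risks


def generate_policy(app, risks):
    """Policy generation: positive rules from the learned profile (length tolerance),
    negative rules only for the path's own threats, access control on sensitive sections."""
    return {path: {"params": {n: (p["kinds"], max(32, 2 * p["maxlen"])) for n, p in app[path].items()},
                   "negative": [(t, SIGNATURES[t]) for t in sorted(risks.get(path, ()))],
                   "restricted": path in SENSITIVE}
            for path in set(app) | SENSITIVE}


def enforce(policy, req, admin_prefix="10.0.0."):
    """Policy activation: decide one request {path, src, params} -> (action, reason)."""
    pol = policy.get(req["path"])
    if pol is None:
        return "block", "unmapped path"
    if pol["restricted"] and not req["src"].startswith(admin_prefix):
        return "block", "sensitive section"
    for name, value in req["params"].items():
        if name not in pol["params"]:
            return "block", f"unexpected parameter {name}"
        kinds, maxlen = pol["params"][name]
        if len(value) > maxlen:
            return "block", f"{name} exceeds learned length"
        if KIND_RANK[value_kind(value)] > max(KIND_RANK[k] for k in kinds):
            return "block", f"{name} violates learned type"      # behavioral rule, no signature needed
        for threat, sig in pol["negative"]:
            if sig.search(value):
                return "block", f"{threat} signature in {name}"
    return "allow", ""


def luhn_ok(digits):
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d) * (2 if i % 2 else 1)
        total += n - 9 if n > 9 else n
    return total % 10 == 0


def mask_cards(body):
    """Mask Luhn-valid 13-19 digit runs in a response, keeping the last four digits."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return "*" * (len(digits) - 4) + digits[-4:] if luhn_ok(digits) else m.group(0)
    return re.sub(r"\b\d(?:[ -]?\d){12,18}\b", repl, body)


LEGIT = [  # constructed legitimate traffic used for learning
    {"path": "/hotels/", "params": {"city": "Riga", "nights": "3"}},
    {"path": "/hotels/", "params": {"city": "Jurmala", "nights": "12"}},
    {"path": "/reserve/", "params": {"hotel_id": "1042", "guest": "Anna Berzina"}},
    {"path": "/register/", "params": {"name": "Anna", "email": "anna.berzina@example.com"}},
    {"path": "/info/", "params": {"doc": "brochure.pdf"}},
    {"path": "/info/", "params": {"doc": "terms and conditions.pdf"}},
]


def build_policy(samples=LEGIT):
    app = map_application(samples)
    return generate_policy(app, analyse_threats(app))


if __name__ == "__main__":
    policy = build_policy()
    for req in ({"path": "/hotels/", "src": "198.51.100.7", "params": {"city": "Riga", "nights": "3 OR 1=1"}},
                {"path": "/info/", "src": "198.51.100.7", "params": {"doc": "../../etc/passwd"}},
                {"path": "/admin/", "src": "203.0.113.5", "params": {}}):
        print(req["path"], enforce(policy, req))
    print(mask_cards("Card 4111 1111 1111 1111, order 1234567890123456"))
```

The order of checks is the point of the per-path model: the learned type and length rules stop the `nights=3 OR 1=1` request before any signature is consulted, which is the "zero day" behavioral rule of slide 29, and the negative signatures are only evaluated for the threat classes a path actually exposes, which is where the false-positive reduction comes from. The masking uses the Luhn check so that a 16-digit order number passes through untouched while a card number is reduced to its last four digits.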

Page 30

The Secret Sauce – Unique Value Proposition

Figure: App Mapping → Threat Analysis → Policy Generation → Policy Activation (Reservations.com example).

• Best security coverage
– Auto detection of potential threats
– Other WAFs require admin intervention and knowledge to protect
• Lowest false-positives
– Adaptive security protections optimized per application resource ("app-path")
– Other WAFs auto-generate global policies
• Shortest time to protect
– Highly granular policy creation and activation ("app-path")
– Immediate policy modification upon application change
– Other WAFs wait upon global policy activation
• Reduced Cost of Ownership
– Automatic real-time attack mitigation with no need for human intervention

Page 31

Radware's SIEM

Page 32

Radware's built-in SIEM engine

Built-in SEM
• Historical Reporting Engine
• Customizable Dashboards
• Event Correlation Engine
• Advanced Forensics Reports
• Compliance Reports
• Ticket Work Flow Management
• 3rd Party Event Notifications
• Role/User Based Access Control
• Works with all Radware's Security Modules

Page 33

Radware's built-in SEM engine – Unified Reports

Figure: unified report views: threat analysis, target service, trend analysis.

Page 34

Radware's built-in SEM engine - Dashboards

Figure: per-user dashboard.

Page 35

Radware's built-in SEM engine – Event Correlation

Event Correlation Rules by:
• Attack duration & time interval
• Managed devices
• Attack ID, Attack type
• Destination IP
• Protected Web Application
• Event description
• Source IP
• Action
• Risk weight definition …
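One correlation rule built from the fields in that list, as an added Python example that is not Radware's SEM engine: events reported by several managed devices are grouped per source IP into sessions bounded by a time interval, and a session that combines more than one attack type against the protected services becomes a single incident carrying the sum of the per-type risk weights and the attack types that were not blocked. The event field names, the risk weights, the session gap and the constructed events are assumptions.

```python
"""Added example (not Radware's SEM engine): one event-correlation rule over
constructed events from several managed devices. Field names, risk weights, the
session gap and the events are assumptions."""
from collections import defaultdict

RISK_WEIGHT = {"network-scan": 2, "brute-force": 3, "http-flood": 4, "sql-injection": 5}


def correlate(events, gap=900, min_types=2):
    """Group events per source IP into sessions (consecutive events no more than `gap`
    seconds apart); a session that combines at least `min_types` attack types becomes
    one incident: time span, devices, targets, risk (sum of weights) and the attack
    types that were not blocked and still need a response."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        sessions, cur = [], [evs[0]]
        for e in evs[1:]:
            if e["ts"] - cur[-1]["ts"] <= gap:
                cur.append(e)
            else:
                sessions.append(cur)
                cur = [e]
        sessions.append(cur)
        for s in sessions:
            types = {e["attack_type"] for e in s}
            if len(types) < min_types:
                continue
            incidents.append({"src": src, "first": s[0]["ts"], "last": s[-1]["ts"],
                              "types": sorted(types),
                              "devices": sorted({e["device"] for e in s}),
                              "targets": sorted({e["dst"] for e in s}),
                              "risk": sum(RISK_WEIGHT.get(t, 1) for t in types),
                              "unblocked": sorted({e["attack_type"] for e in s if e["action"] != "blocked"})})
    return sorted(incidents, key=lambda i: -i["risk"])


EVENTS = [  # constructed: two AMS modules report on two protected services
    {"ts": 0, "device": "dp-edge-1", "attack_type": "network-scan", "src": "203.0.113.77",
     "dst": "www.reservations.example", "action": "blocked"},
    {"ts": 420, "device": "waf-1", "attack_type": "sql-injection", "src": "203.0.113.77",
     "dst": "www.reservations.example", "action": "blocked"},
    {"ts": 900, "device": "waf-1", "attack_type": "brute-force", "src": "203.0.113.77",
     "dst": "api.reservations.example", "action": "alerted"},
    {"ts": 1500, "device": "dp-edge-1", "attack_type": "http-flood", "src": "203.0.113.77",
     "dst": "www.reservations.example", "action": "blocked"},
    {"ts": 100, "device": "dp-edge-1", "attack_type": "network-scan", "src": "198.51.100.9",
     "dst": "www.reservations.example", "action": "blocked"},
    {"ts": 200, "device": "dp-edge-1", "attack_type": "network-scan", "src": "198.51.100.9",
     "dst": "api.reservations.example", "action": "blocked"},
    {"ts": 50000, "device": "waf-1", "attack_type": "sql-injection", "src": "203.0.113.77",
     "dst": "www.reservations.example", "action": "blocked"},
]

if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc)
```

In the constructed data the scan, the injection attempt, the brute force and the flood from 203.0.113.77 are four separate alerts on two devices; the rule folds them into one incident with risk 14 and points at the brute-force attempt as the only part that was merely alerted on. The lone scanner and the isolated injection attempt much later from the same address fall below the two-type threshold and stay single events.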

Page 36

Summary

Page 37

Summary: Radware AMS Differentiators

• Best security solution for online businesses:
– DoS protection
– Network behavioral analysis (NBA)
– Intrusion prevention (IPS)
– Reputation Engine service
– Web application firewall (WAF)
• Built-in SEM engine
• Emergency Response Team (ERT)
– 24x7 service for immediate response
– Neutralize DoS/DDoS attacks and malware outbreaks
• Lowest CapEx & OpEx
– Multitude of security tools in a single solution
– Unified management and reporting

“Radware offers low product and maintenance cost, as compared with most competitors.”
Greg Young & John Pescatore, Gartner, December 2010

Page 38

Summary

• Attackers deploy multi-vulnerability attack campaigns
– Organizations deploy point security solutions
– Attackers seek blind spots
• Radware offers the Attack Mitigation System (AMS):
– The only solution that can defend against emerging cyber-attack campaigns
– No blind spots in perimeter security
• The only attack mitigation solution that keeps your business up!
– Online business protection
– Data center protection
– MSSP

Page 39

Thank You
www.radware.com