4. Mapping Security Protection Tools
Protection tools: DoS Protection, Behavioral Analysis, IPS, IP Rep., WAF
Attack types mapped to these tools:
– Large volume network flood attacks
– SYN flood attack
– “Low & Slow” DoS attacks (e.g. Sockstress)
– High and slow Application DoS attacks
– Network scan
– Port scan
– Intrusion
– Application vulnerability, malware
– Web attacks: XSS, Brute force
– Web attacks: SQL Injection
5. AMS Protection Set
DoS Protection
• Prevent all types of network DDoS attacks
Reputation Engine
• Financial fraud protection
• Anti Trojan & Phishing
IPS
• Prevent application vulnerability exploits
NBA
• Prevent application resource misuse
• Prevent zero-minute malware spread
WAF
• Mitigating Web application attacks
• PCI compliance
8. Network-based DoS Protections
Real Time Protections Against:
– TCP SYN floods
– TCP SYN+ACK floods
– TCP FIN floods
– TCP RESET floods
– TCP Out of state floods
– TCP Fragment floods
– UDP floods
– ICMP floods
– IGMP floods
– Packet Anomalies
– Known DoS tools
– Custom DoS signatures
9. Network Behavior Analysis & RT Signature Technology
Mitigation optimization process (diagram): Inbound Traffic from the Public Network passes the Rules Engine; Filtered Traffic reaches the Protected Network; Outbound Traffic is shown separately.
Timeline [sec]: 0 = Start (Degree of Attack = High); up to 10 = Learning traffic characteristics, an initial filter is generated and mitigation with a Real-Time Signature starts; 10+X = Final filter reached (Degree of Attack = Low).
Filter optimization (closed feedback loop):
– Initial filter is generated: Packet ID
– Filter optimization: Packet ID AND Source IP
– Filter optimization: Packet ID AND Source IP AND Packet size
– Filter optimization: Packet ID AND Source IP AND Packet size AND TTL
– Blocking, Detection Statistics and the Rules Engine close the loop: Degree of Attack = Low (Negative Feedback), Degree of Attack = High (Positive Feedback)
Signature parameters (the narrowest filters become RT Signatures):
• Source/Destination IP
• Source/Destination Port
• Packet ID
• Packet size
• TTL (Time To Live)
• DNS Query
• TCP sequence number
• More … (up to 20)
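The closed-feedback filter narrowing of slide 9, as an added example that is not Radware code: a filter starting from the dominant Packet ID is AND-ed with one more parameter at a time, and each narrower candidate is kept only if the degree of attack measured on the traffic that still passes stays low. The packet window, the baseline rate, the DoA scale and the keep/revert rule are my own constructed modelling of the slide.

```python
from collections import Counter

FIELDS = ("packet_id", "src_ip", "size", "ttl")   # candidate signature parameters
BASELINE_PPS = 25        # learned normal packet rate for the window (constructed)
HIGH_DOA = 6             # degree of attack at or above this is the "attack area"

# Constructed window: a flood sharing Packet ID, size and TTL but spread over
# several source IPs, mixed with legitimate traffic that varies more.
FLOOD = [{"packet_id": 5, "src_ip": f"10.0.0.{i % 4}", "size": 40, "ttl": 64}
         for i in range(60)]
LEGIT = [{"packet_id": 5 if i % 4 == 0 else 100 + i, "src_ip": f"192.0.2.{i}",
          "size": 40 if i % 2 == 0 else 1200, "ttl": 64 if i % 3 == 0 else 128}
         for i in range(20)]
WINDOW = FLOOD + LEGIT

def degree_of_attack(passed_pps, baseline=BASELINE_PPS):
    """Map the rate still reaching the server onto a 0..10 DoA scale (constructed)."""
    if passed_pps <= baseline:
        return 0
    return min(10, round(10 * (passed_pps - baseline) / baseline))

def matches(pkt, sig):
    return all(pkt[field] == value for field, value in sig.items())

def dominant_value(window, field):
    """Most common value of a field in the anomalous window: the next AND term."""
    return Counter(pkt[field] for pkt in window).most_common(1)[0][0]

def build_signature(window):
    """Closed feedback: start from the Packet ID filter, AND in one parameter at a
    time, re-measure the DoA on what still passes, and keep the narrower filter
    only while the attack stays mitigated (otherwise revert that term)."""
    sig = {FIELDS[0]: dominant_value(window, FIELDS[0])}   # initial filter
    trail = []
    for field in FIELDS[1:]:
        trial = dict(sig, **{field: dominant_value(window, field)})
        passed = [pkt for pkt in window if not matches(pkt, trial)]
        doa = degree_of_attack(len(passed))
        trail.append((field, doa))
        if doa < HIGH_DOA:      # still mitigated with the narrower filter: keep it
            sig = trial
    return sig, trail

def false_positives(sig, legit=LEGIT):
    """Legitimate packets the filter would block; narrowing should reduce this."""
    return sum(matches(pkt, sig) for pkt in legit)

if __name__ == "__main__":
    final, trail = build_signature(WINDOW)
    print(final, trail, false_positives({"packet_id": 5}), false_positives(final))
```

Adding Source IP is reverted because the flood is distributed over several sources, while Packet size and TTL are kept and cut the blocked legitimate packets from 5 to 2.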
10. Decision Making - Attack
Attack Case: Attack Degree = 10
– Z-axis (Attack): Attack Degree axis
– X-axis: Abnormal rate of packets, …
– Y-axis: Abnormal protocol distribution [%]
Areas on the X/Y plane: Normal adapted area, Suspicious area, Attack area
11. Adaptive Detection Engine
Flash crowd scenario: Low Degree of Attack (DoA)
– Inputs: Rate parameter input; Rate-invariant input parameter
– Areas: Normal adapted area, Suspicious area, Attack area
13. Application-based DoS Protections
Real-time protection against:
– Bot originated and direct application attacks
– HTTP GET page floods
– HTTP POST floods
– HTTP uplink bandwidth consumption attacks
– DNS query floods (A, MX, PTR,…)
Advanced behavioral application monitoring:
– HTTP servers real time statistics and baselines
– DNS server real time statistics and baselines
15. Challenge/Response & Action Escalation System
Escalation stages (in order): Attack Detection; Real-Time Signature Created; “Light” Challenge Actions; “Strong” Challenge Action; Selective Rate-limit
– Botnet is identified (suspicious sources are marked)
– Challenge actions: TCP Challenge; 302 Redirect Challenge; Java Script Challenge; RT Signature blocking
Technologies: Behavioral Real-time Signature Technology; Challenge/Response Technology; Real-time Signature Blocking; Closed Feedback & Action Escalation
16. AMS protections: unique value proposition
Escalation stages: Attack detection; Real-time signature; Light challenge; Strong challenge; Selective rate-limit
• Best security coverage
– Prevent all types of network and application attacks
– Complementary technologies fighting known and zero-day attacks
– Complete removal of non-browser rogue traffic
• Best user quality of experience (QoE)
– Reaching the lowest false-positive rate in the industry
– Advanced capabilities are exposed only when needed
• Reduced Cost of Ownership
– Automatic real-time attack mitigation with no need for human intervention
18. Behavioral DNS Application Monitoring
DNS Query Distribution Analysis (with the associated threat vectors per query type): A records, AAAA records, MX records, TEXT records, PTR records, Other records
Rate Analysis per DNS Query Type: DNS QPS over time, with a baseline learned per query type (“A” records baseline, “MX” records baseline, “PTR” records…, “AAAA” records…)
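An added example, not Radware code, tying slides 10, 11 and 18 together: per-query-type QPS baselines are learned from normal windows, and a new window is scored on a rate input (X-axis) and a rate-invariant distribution input (Y-axis) so that a flash crowd that scales every query type in proportion stays out of the attack area while a single-type flood does not. The history windows, scoring weights and area thresholds are constructed for illustration.

```python
TYPES = ("A", "AAAA", "MX", "PTR", "TXT")

# Constructed learning windows: queries per second per record type in normal traffic.
HISTORY = [
    {"A": 800, "AAAA": 160, "MX": 30, "PTR": 20, "TXT": 10},
    {"A": 760, "AAAA": 140, "MX": 34, "PTR": 16, "TXT": 10},
    {"A": 840, "AAAA": 160, "MX": 26, "PTR": 24, "TXT": 10},
    {"A": 800, "AAAA": 180, "MX": 30, "PTR": 20, "TXT": 10},
]

def learn_baseline(history):
    """Per-type baseline QPS (the 'A' records baseline, 'MX' records baseline, ...)."""
    return {t: sum(w[t] for w in history) / len(history) for t in TYPES}

def clamp01(x):
    return max(0.0, min(1.0, x))

def analyse(window, base):
    """X = abnormal rate (largest ratio to baseline over the types); Y = abnormal
    distribution (largest relative shift of a type's share of all queries, which
    does not change when all types scale together). Combine into a 0..10 DoA."""
    total, base_total = sum(window.values()), sum(base.values())
    rate_ratio = max(window[t] / base[t] for t in TYPES)
    share_shift = max(abs(window[t] / total - base[t] / base_total) / (base[t] / base_total)
                      for t in TYPES)
    rate_score = clamp01((rate_ratio - 1.5) / 2.5)       # 0 below 1.5x, 1 at 4x or more
    dist_score = clamp01((share_shift - 0.25) / 0.75)    # 0 below a 25% shift, 1 at 100%+
    # Rate alone reaches at most DoA 3 (suspicious area); a skewed distribution
    # is what lifts a window into the attack area (constructed weighting).
    doa = round(10 * rate_score * (0.3 + 0.7 * dist_score))
    area = "attack" if doa >= 6 else "suspicious" if doa >= 2 else "normal adapted"
    return doa, area

BASELINE = learn_baseline(HISTORY)
NORMAL = {"A": 820, "AAAA": 150, "MX": 32, "PTR": 18, "TXT": 12}
FLASH_CROWD = {t: 4 * v for t, v in HISTORY[0].items()}            # every type x4
MX_FLOOD = {"A": 820, "AAAA": 150, "MX": 3000, "PTR": 18, "TXT": 12}

if __name__ == "__main__":
    for name, window in (("normal", NORMAL), ("flash crowd", FLASH_CROWD), ("MX flood", MX_FLOOD)):
        print(name, analyse(window, BASELINE))
```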
19. Challenge/Response & Action Escalation System
Escalation stages (in order): Attack Detection; Real-Time signature created; DNS query challenge; Query rate limit; Collective query challenge; Collective query rate limit
– Botnet is identified (suspicious traffic is detected per query type)
Technologies: Behavioral technology; RT signature per query type; RT signature scope protection per query type; Collective scope protection per query type
Closed Feedback & Action Escalation
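The action escalation ladders of slides 15 and 19, as an added example that is not Radware code: each action is applied in turn, the degree of attack is re-measured on the traffic still reaching the server, and the loop stops at the first action that brings it down, so stronger challenges and rate limiting are used only when needed. The source population, their challenge capabilities, the baseline and the DoA scale are constructed assumptions.

```python
BASELINE_RPS = 100   # learned normal request rate of the protected server (constructed)
HIGH_DOA = 6         # degree of attack at or above this keeps the loop escalating

# Slide 15 ladder; slide 19's DNS ladder has the same shape (query challenge,
# query rate limit, collective challenge, collective rate limit).
HTTP_LADDER = ("rt_signature", "tcp_challenge", "redirect_302_challenge",
               "js_challenge", "selective_rate_limit")

# Constructed sources: request rate, whether the real-time signature matches
# their packets, and which challenges their client can answer.
SOURCES = {
    "browser-1": dict(rps=30, sig=False,
                      passes={"tcp_challenge", "redirect_302_challenge", "js_challenge"}),
    "browser-2": dict(rps=40, sig=False,
                      passes={"tcp_challenge", "redirect_302_challenge", "js_challenge"}),
    "spoofed-syn-flood": dict(rps=500, sig=True, passes=set()),       # no real TCP stack
    "raw-socket-bot": dict(rps=150, sig=False, passes={"tcp_challenge"}),
    "headless-bot": dict(rps=120, sig=False, passes={"tcp_challenge", "redirect_302_challenge"}),
}

def degree_of_attack(rps, baseline=BASELINE_RPS):
    if rps <= baseline:
        return 0
    return min(10, round(10 * (rps - baseline) / baseline))

def escalate(sources, ladder):
    """Apply one action at a time; after each, re-measure the DoA on traffic that
    still reaches the server and stop as soon as it is low (closed feedback), so
    stronger actions are exposed only when the lighter ones did not suffice."""
    active = {name: dict(src) for name, src in sources.items()}
    blocked, trail = {}, []
    for step in ladder:
        if step == "rt_signature":
            failed = [n for n, s in active.items() if s["sig"]]
        elif step == "selective_rate_limit":          # cap what is left to a fair share
            for s in active.values():
                s["rps"] = min(s["rps"], BASELINE_RPS // len(active))
            failed = []
        else:                                          # a challenge the client must answer
            failed = [n for n, s in active.items() if step not in s["passes"]]
        for n in failed:
            blocked[n] = step
            del active[n]
        doa = degree_of_attack(sum(s["rps"] for s in active.values()))
        trail.append((step, doa))
        if doa < HIGH_DOA:
            break
    return active, blocked, trail

if __name__ == "__main__":
    print(escalate(SOURCES, HTTP_LADDER))
```

With the constructed population the loop stops after the JavaScript challenge and never reaches rate limiting; a bot that answers every challenge is what finally triggers the selective rate limit.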
27. The Secret Sauce – Adaptive Policy Creation (1 of 3)
Steps: App Mapping; Threat Analysis
App Mapping of Reservations.com: /config/, /admin/, /register/, /hotels/, /info/, /reserve/
Threat Analysis: risk analysis per “application-path”
– /admin/: SQL Injection (spoof identity, steal user information, data tampering)
– /register/: CCN breach (information leakage)
– /info/: Directory Traversal (gain root access control)
– /reserve/: Buffer Overflow (unexpected application behavior, system crash, full system compromise)
28. The Secret Sauce – Adaptive Policy Creation (2 of 3)
Steps: App Mapping; Threat Analysis; Policy Generation
App Mapping of Reservations.com: /config/, /admin/, /register/, /hotels/, /info/, /reserve/
Policy Generation per application-path:
– /admin/ (SQL Injection): prevent access to sensitive app sections
– /register/ (CCN breach): mask CCN, SSN, etc. in responses (e.g. ***********9459)
– /info/ (Directory Traversal): traffic normalization & HTTP RFC validation
– /reserve/ (Buffer Overflow): parameters inspection
29. The Secret Sauce – Adaptive Policy Creation (3 of 3)
Steps: App Mapping; Threat Analysis; Policy Generation; Policy Activation
App Mapping of Reservations.com: /config/, /admin/ (SQL Injection), /register/ (CCN breach, ***********9459), /hotels/, /info/ (Directory Traversal), /reserve/ (Buffer Overflow)
Policy Activation:
– Known vulnerabilities protections: optimization of negative rules for best accuracy
– Add tailored application behavioral rules for “Zero day” protection
Outcome: time to protect; virtually zero false positive; best coverage
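Per-app-path policy enforcement for the Reservations.com mapping of slides 27 to 29, as an added example that is not Radware code: each section carries only the rules its threat analysis called for (access restriction, response masking, path normalization, parameter length inspection). The policy table, the request samples, the masking format and the simplified normalization check are constructed assumptions, not a full HTTP RFC validator.

```python
import re
from urllib.parse import unquote

CCN_RE = re.compile(r"\b(\d{12})(\d{4})\b")   # 16-digit card numbers; keep the last 4

# Policy generated per app-path (slide 28): each section gets only the rules its
# threat analysis calls for; /config/ and /hotels/ carry no extra rule here.
POLICY = {
    "/admin/": {"restrict": True},            # sensitive section: internal users only
    "/register/": {"mask_ccn": True},         # CCN breach: mask numbers in responses
    "/info/": {"normalize_path": True},       # directory traversal: decode and validate
    "/reserve/": {"param_max_len": 64},       # buffer overflow: parameter inspection
}

def app_path(url_path):
    """Longest policy prefix the request falls under, or None if it has no rules."""
    return max((p for p in POLICY if url_path.startswith(p)), key=len, default=None)

def inspect_request(url_path, params, internal=False):
    """Return None when the request is allowed, else the name of the rule that fired."""
    rules = POLICY.get(app_path(url_path), {})
    if rules.get("restrict") and not internal:
        return "restricted-section"
    if rules.get("normalize_path"):
        decoded = unquote(unquote(url_path))   # also catches double-encoded segments
        if ".." in decoded.split("/") or "\\" in decoded:
            return "path-traversal"
    limit = rules.get("param_max_len")
    if limit and any(len(v) > limit for v in params.values()):
        return "parameter-too-long"
    return None

def filter_response(url_path, body):
    """Response-side rule: mask card numbers on the registration section only."""
    if POLICY.get(app_path(url_path), {}).get("mask_ccn"):
        return CCN_RE.sub(lambda m: "*" * 12 + m.group(2), body)
    return body

if __name__ == "__main__":
    print(inspect_request("/reserve/", {"room": "A" * 65}))
    print(filter_response("/register/done", "card 4111111111119459 saved"))
```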
30. The Secret Sauce – Unique Value Proposition
Steps: App Mapping; Threat Analysis; Policy Generation; Policy Activation (Reservations.com example)
• Best security coverage
– Auto detection of potential threats
– Other WAFs require administrator intervention and knowledge to protect
• Lowest false-positives
– Adaptive security protections optimized per application resource (“app-path”)
– Other WAFs auto generate global policies
• Shortest time to protect
– Highly granular policy creation and activation (“app-path”)
– Immediate policy modification upon application change
– Other WAFs wait upon global policy activation
• Reduced Cost of Ownership
– Automatic real-time attack mitigation with no need for human intervention
37. Summary: Radware AMS Differentiators
• Best security solution for online businesses:
– DoS protection
– Network behavioral analysis (NBA)
– Intrusion prevention (IPS)
– Reputation Engine service
– Web application firewall (WAF)
• Built-in SEM engine
• Emergency Response Team (ERT)
– 24x7 Service for immediate response
– Neutralize DoS/DDoS attacks and malware outbreaks
• Lowest CapEx & OpEx
– Multitude of security tools in a single solution
– Unified management and reporting
“Radware offers low product and maintenance cost, as compared with most competitors.”
Greg Young & John Pescatore, Gartner, December 2010
38. Summary
• Attackers deploy multi-vulnerability attack campaigns
– Organizations deploy point security solutions
– Attackers seek blind spots
• Radware offers Attack Mitigation System (AMS):
– The only solution that can defend against emerging cyber-attack campaigns
– No blind spots in perimeter security
• The only attack mitigation solution that keeps your business up!
– Online business protection
– Data center protection
– MSSP