Presentation from Riga, Latvia. "Data Security Solutions" Ltd. ITSEC Conference.

1. Master presentation
Radware Attack
Mitigation System
(AMS)
Igor Kontsevoy
November 2012

2. Agenda
• Radware Attack Mitigation System (AMS)
• AMS technology overview
• Summary
Slide 2

3. Introducing Radware Attack
Mitigation System

4. Mapping Security Protection Tools
DoS Protection
Behavioral Analysis Large volume network flood attacks
IPS
IP Rep. Network scan
WAF Intrusion
Port scan
SYN flood attack
“Low & Slow” DoS attacks (e.g.Sockstress)
Application vulnerability, malware
High and slow Application DoS attacks
Web attacks: XSS, Brute force
Web attacks: SQL Injection
Slide 4

5. AMS Protection Set
DoS Protection Reputation Engine
• Prevent all type of • Financial fraud
network DDoS attacks protection
• Anti Trojan & Phishing
IPS
• Prevent application
vulnerability exploits
NBA
WAF
• Prevent application
• Mitigating Web resource misuse
application attacks
• Prevent zero-minute
• PCI compliance malware spread
Slide 5

6. Technology Overview

7. Network based DoS Protections

8. Network-based DoS Protections
Real Time Protections Against:
– TCP SYN floods – UDP floods
– TCP SYN+ACK floods – ICMP floods
– TCP FIN floods – IGMP floods
– TCP RESET floods – Packet Anomalies
– TCP Out of state floods – Known DoS tools
– TCP Fragment floods – Custom DoS signatures
Slide 8

9. Network Behavior Analysis & RT Signature Technology
Mitigation optimization process
Public Network Initial Filter Closed feedback
Inbound Traffic
3
Final Filter
Start Learning
Traffic characteristics
mitigation
Real-Time Signature
0 Up to 10 10+X Time [sec]
Degree of Attack = High
Low
Initial filter is generated:
Filter Optimization:
Filter Optimization: 5 1 2
Packet ID Optimization:
Filter
Packet ID AND Source IP
Packet ID AND Source IP
Packet ID AND Source IP Blocking Detection
AND Packet size AND TTL
AND Packet size Statistics
Rules Engine
Filtered Traffic
Degree of Attack = Low
Degree of Attack = High
(Negative Feedback)
(Positive Feedback)
Signature parameters
Narrowest filters
• Source/Destination IP RT
Outbound Traffic • Source/Destination Port Signatures
• Packet ID
• Packet size 4
• Source To Live)
• TTL (TimeIP Address
• Packet size
• DNS Query
• TTL ID
• Packet (Time To Live)
• TCP sequence number
Protected Network • More … (up to 20)
Slide 9

10. Decision Making - Attack
Attack Case
Attack Degree = 10
Z-axis (Attack)
Attack area
Attack Degree axis
Suspicious
area
X-axis
Y-axis
Normal
adapted area
Abnormal protocol
distribution [%]
Abnormal rate
of packets,…
Slide 10 10
Slide

11. Adaptive Detection Engine
Flash crowd scenario
Degree of Attack
(DoA) Attack area
Low DoA
Suspicious
area
Normal
adapted area
Rate parameter input
Rate-invariant input
parameter
Slide 11

12. Application based DoS
Protections

13. Application-based DoS Protections
Real-time protection against:
– Bot originated and direct application attacks
– HTTP GET page floods
– HTTP POST floods
– HTTP uplink bandwidth consumption attacks
– DNS query floods (A, MX, PTR,…)
Advanced behavioral application monitoring:
– HTTP servers real time statistics and baselines
– DNS server real time statistics and baselines
Slide 13

14. HTTP Mitigator

15. Challenge/Response & Action Escalation System
Botnet is identified Attack Real-Time “Light” “Strong” Selective
(suspicious sources are Detection Signature Created Challenge Actions Challenge Action Rate-limit
marked)
? ?
X X
TCP Challenge
302 Redirect
Challenge
Java Script
Challenge
RT Signature
blocking
Behavioral Real-time Challenge/Response Real-time Signature
Signature Technology Technology Blocking
Closed Feedback & Action Escalation
Slide 15

16. AMS protections: unique value proposition
Attack Real-time Light Strong Selective
detection signature challenge challenge rate-limit
• Best security coverage
– Prevent all type of network and application attacks
– Complementing technologies fighting known and zero-day attacks
– Complete removal of non-browser rogue traffic
• Best user quality of experience (QoE)
– Reaching the lowest false-positive rate in the industry
– Advanced capabilities are exposed only when needed
• Reduced Cost of Ownership
– Automatic real-time attack mitigation with no need for human intervention
Slide 16

17. DNS Mitigator

18. Behavioral DNS Application Monitoring
Associated
threat
vectors
DNS Query Distribution Analysis
Rate Analysis per DNS Query Type
DNS QPS
MX
records „A‟ records base line
A records
TEXT „MX‟ records base line
records
„PTR‟ records…
PTR
records
„AAAA‟ records…
Other
records AAAA
records
Time
Slide 18

19. Challenge/Response & Action Escalation System
Botnet is identified Attack Real-Time signature DNS query Query rate Collective query Collective query
(suspicious traffic is Detection created challenge limit challenge rate limit
detected per query type)
? ? ?
X X X
Behavioral RT signature RT signature scope protection Collective scope protection per query
technology per query type Type
Closed Feedback & Action Escalation
Slide 19

20. Service Cracking Behavioral
Protections

21. Service Cracking Behavioral Protections
Real-time protections against information stealth:
– HTTP servers
– Web vulnerability scans
– Bruteforce
– SIP servers (TCP & UDP)
– SIP spoofed floods
– Pre-SPIT activities
– SIP scanning
– SMTP/IMAP/POP3,FTP,…
– Application Bruteforce
– Application scans
Slide 21

22. Network scanning and malware
propagation Protections

23. Source-based Behavioral Analysis
• Behavioral Real-time protection against Zero-
Minute Malware Propagation and network scans:
– UDP spreading worms detection
– TCP spreading worms detection
– High and low rate network scans
– Scanning/spreading pattern identification
– Infected source identification
Slide 23

24. IPS & Reputation Services

25. IPS & Radware‟s SOC
Signatures Protection against:
• Application Vulnerabilities and exploits
– Web, Mail, DNS, databases, VoIP
• OS Vulnerabilities and exploits
– Microsoft, Apple, Unix based
• Network Infrastructure Vulnerabilities
– Switches, routers and other network elements vulnerabilities
• Malware
– Worms, Bots, Trojans and Drop-points, Spyware
& Reputation Engine
• Anonymizers
• IPv6 attacks
• Protocol Anomalies
Security Operation Center
– Leading vulnerability security research team
–Weekly and emergency signature updates
Slide 25

26. WAF

27. The Secret Sauce – Adaptive Policy Creation (1 of 3)
App Threat
Mapping Analysis
Reservations.com
/config/ Risk analysis per “ application-path”
Spoof identity, steal user
information, data tampering
/admin/ SQL Injection
/register/ CCN breach Information leakage
/hotels/
Gain root access control
/info/ Directory Traversal
/reserve/ Buffer Overflow Unexpected application
behavior, system crash, full
system compromise
Slide 27

28. The Secret Sauce – Adaptive Policy Creation (2 of 3)
App Threat Policy
Mapping Analysis Generation
Reservations.com
/config/
Prevent access to
/admin/ SQL Injection sensitive app sections
/register/ CCN breach
Mask CCN, SSN, etc. in
***********9459 responses.
/hotels/
Traffic normalization &
/info/ Directory Traversal HTTP RFC validation
/reserve/ Buffer Overflow P Parameters inspection
Slide 28

29. The Secret Sauce – Adaptive Policy Creation (3 of 3)
App Threat Policy Policy
Mapping Analysis Generation Activation
Reservations.com
Time to protect
Virtually zero false positive
/config/
/admin/ SQL Injection Known
vulnerabilities
protections:
/register/ CCN breach
Optimization of
***********9459
negative rules
for best
/hotels/ accuracy
/info/ Directory Traversal
Add tailored
/reserve/ Buffer Overflow P application
behavioral rules
for “Zero day”
protection
Best coverage
Slide 29

30. The Secret Sauce – Unique Value Proposition
App Threat Policy Policy
Mapping Analysis Generation Activation
Reservations.com
• Best security coverage
– Auto detection of potential threats
– Other WAFs require admins intervention and knowledge to protect
• Lowest false-positives
– Adaptive security protections optimized per application resource (“app- path”)
– Other WAFs auto generate global policies
• Shortest time to protect
– Highly granular policy creation and activation (“app-path”)
– Immediate policy modification upon application change
– Other WAFs wait upon global policy activation
• Reduced Cost of Ownership
– Automatic real-time attack mitigation with no need for human intervention
Slide 30

31. Radware’s SIEM

32. Radware‟s built-in SIEM engine
Built-in SEM
• Historical Reporting Engine
• Customizable Dashboards
• Event Correlation Engine
• Advanced Forensics Reports
• Compliance Reports
• Ticket Work Flow Management
• 3rd Party Event Notifications
• Role/User Based Access Control
• Works with all Radware‟s Security Modules
Slide 32

33. Radware‟s built-in SEM engine – Unified Reports
Threat
analysis
Target service
Trend analysis
Slide 33

34. Radware‟s built-in SEM engine - Dashboards
Per user dashboard
Slide 34

35. Radware‟s built-in SEM engine – Event Correlation
Event Correlation Rules by:
• Attack duration & time interval
• Managed devices
• Attack ID , Attack type
• Destination IP
• Protected Web Application
• Event description
• Source IP
• Action
• Risk weight definition…
Slide 35

36. Summary

37. Summary: Radware AMS Differentiators
• Best security solution for online businesses:
– DoS protection
– Network behavioral analysis (NBA)
– Intrusion prevention (IPS)
– Reputation Engine service
– Web application firewall (WAF)
• Built-in SEM engine
• Emergency Response Team (ERT)
– 24x7 Service for immediate response
– Neutralize DoS/DDoS attacks and malware outbreaks
• Lowest CapEx & OpEx “Radware offers low product
– Multitude of security tools in a single solution and maintenance cost, as
– Unified management and reporting compared with most
competitors.”
Greg Young & John Pescatore, Gartner,
December 2010
Slide 37

38. Summary
• Attackers deploy multi-vulnerability attack campaigns
– Organizations deploy point security solutions
– Attackers seek blind spots
• Radware offers Attack Mitigation System (AMS):
– The only solution that can defend against emerging cyber-attack campaigns
– No blind spots in perimeter security
• The only attack mitigation solution that keeps your business up!
– Online business protection
– Data center protection
– MSSP
Slide 38

39. Thank You
www.radware.com