Slide 1: The Check Point DDoS Protector™ Solution
©2015 Check Point Software Technologies Ltd. [Protected] Non-confidential content
Slide 2: Contents
1. Industry Trends and Attack Types
2. Solution Requirements
3. The Check Point DDoS Protector™
4. Deployment Options
Slide 3: Industry Trends and Attack Profiles
Slide 4: Cybercrime Landscape
Pie chart of cyber attacks by type in 2013 (source: 2013 Cyber Attacks Trends, Hackmageddon): DDoS 28%, SQLi 23%, Defacement 17%, Account Hijacking 11%, Targeted attack (various tools) 7%, DNS Hijacking 3%, Malware 3%, iFrame Injection 1%, Other 7%.
28% of all cyber attacks in 2013 involved a DoS/DDoS attack.
Slide 5: Cost of Damage Per Attack
Bar chart of the cost of an unplanned data center outage by root cause (weather related; generator failure; water, heat or CRAC failure; UPS system failure; cyber crime (DDoS); IT equipment failure), 2010 versus 2013, on a $0 to $1,200K scale. Source: “2013 Cost of Data Center Outages”, Ponemon Institute, Dec. 2013.
$822,000: cost of a single DoS/DDoS attack that causes an unplanned outage.
Slide 6: DDoS Attack Results
Source: Strangeloop Networks, Case Study: The impact of HTML delay on mobile business metrics.
A 1 second delay in page loading causes:
• 3.5% decrease in conversion rate
• 2.1% decrease in shopping cart size
• 9.4% decrease in page views
• 8.4% increase in bounce rate
Amazon.com’s 40 minute outage = $5 million in lost sales. (VentureBeat, August 2013)
Slide 7: Victims of Recent DDoS Attacks
Slide 8: Today’s Attacks Are More Sophisticated
A. More DDoS attacks today than ever before
B. More damage with application attacks
C. No need to flood network bandwidth
Slide 9: Diversity of Attack Vectors
Chart: distribution of attack vectors. More than 50% of 2013 DDoS attacks had more than 5 attack vectors. Source: Radware ERT Report, Jan. 27, 2014.
Slide 10: Application Layer DDoS Attacks
New Application Attacks Are Stealthier…
• Exploit application weakness with Low & Slow attacks
• Utilize relatively low volume and fewer connections
• Used in conjunction with volume-based attacks
Undetectable by threshold or volume-based solutions
Slide 11: How can DDoS attacks wreak havoc on even the most defended network?
• Network Flood DoS Attacks: consume bandwidth resources
• Application Flood DoS Attacks: target the application resources
• Directed Application DoS Attacks: exploit application implementation weaknesses
Slide 12: Solution Requirements
Slide 13: The Right DDoS Solution Should Have…
• Network Layer Protection
• Adaptable Application Layer Protection
• Fast Response Time
Slide 14: Multi-Layered Protections
• Network Flood: high volume of packets
• Server Flood: high rate of new sessions
• Application: Web / DNS connection-based attacks
• Low & Slow Attacks: advanced attack techniques
Slide 15: Multi-Layered Protections
• Network Flood (high volume of packets): network behavioral analysis; DoS Mitigation Engine (DME) blocking up to 25M PPS
• Server Flood (high rate of new sessions): connection verification; preventing misuse of resources
• Application (Web / DNS connection-based attacks): behavioral HTTP and DNS; user auth through advanced challenge-response
• Low & Slow Attacks (advanced attack techniques): signature protections; String Match Engine (SME), L7 RegEx acceleration
Slide 16: Multi-Layer Protections
Diagram of the protection modules stacked across the Network, Server and Application layers, with “Available Service” as the outcome: Behavioral DoS, Anti-Scanning, Out-Of-State, BL/WL, Connection Limit, SYN Protection, HTTP Flood Protection, Connection PPS Limit, Signature Protection, DNS Protection.
Slide 17: Defense Behavioral Flow (Network and Application Protections)
1. Detection: Am I under attack?
2. Characterization: How am I being attacked?
3. Mitigation: What action do I take?
4. Termination: Is the attack over?
Able to mitigate the latest and newest attacks
Slide 18: Network-based DoS Protections
Network Flood: high volume of packets.
Real Time Protections Against:
– TCP SYN floods
– TCP SYN+ACK floods
– TCP FIN floods
– TCP RESET floods
– TCP Out of state floods
– TCP Fragment floods
– UDP floods
– ICMP floods
– IGMP floods
– Packet Anomalies
– Amplification Attacks
– Known DoS tools
Slide 19: Application-based DoS Protections
Application: Web / DNS connection-based attacks.
Real-time protection against bot originated and direct application attacks:
– HTTP GET page floods
– HTTP POST floods
– HTTP uplink bandwidth consumption attacks
– DNS query floods (A, MX, PTR,…)
Advanced behavioral application monitoring:
– HTTP server real-time statistics and baselines
– DNS server real-time statistics and baselines
Slide 20: The Check Point DDoS Protector™ Solution
Slide 21: Check Point DDoS Protector™
With new String Match Engine (SME)
Block Denial of Service Attacks Within Seconds!
Slide 22: DDoS Protector™ Product Line
Enterprise Grade – DP X06 Family
• Up to 2 Gbps throughput
• 2M concurrent sessions
• 1 Mpps max. DDoS flood attack rate
Datacenter Grade – DP X412 Family
• Up to 12 Gbps throughput
• 4M concurrent sessions
• 10 Mpps max. DDoS flood attack rate
Carrier Grade – DP X420 Family
• Up to 40 Gbps throughput
• 6M concurrent sessions
• 25 Mpps max. DDoS flood attack rate
Slide 23: DDoS Protector™ New Platforms
DP X06 Family: up to 2 Gbps throughput, 2M concurrent sessions, 1 Mpps max DDoS flood attack rate
DP X412 Family: up to 12 Gbps throughput, 4M concurrent sessions, 10 Mpps max DDoS flood attack rate
DP X420 Family: up to 40 Gbps throughput, 6M concurrent sessions, 25 Mpps max DDoS flood attack rate
New: String Match Engine (SME)
• Improved protection from known DDoS attack tools for superior continuity of service
• Accelerated Layer 7 signature protection to quickly mitigate advanced attacks
• Simplified Adaptable Application Layer Protections - custom protections made easier
Slide 24: DDoS Protector™
Detect
• Patented behavioral detection
• Network floods
• Application attacks: HTTP GET / POST, Low & Slow
Mitigate
• Immediate, automatic, no need to divert traffic
• Generates real-time signature
• Distinguish between attackers and legitimate users
• Best quality of experience even under attack
• Powerful using dedicated hardware up to 25M PPS
Analyze
• Denial of Service Event Analysis
• Historical reports
• Forensics
• Trend analysis
Slide 25: The competitive advantage: attack mitigation superiority
Diagram comparing other network security solutions, where the multi-Gbps capacity is shared between legitimate traffic and attack traffic (the device handles attack traffic at the expense of legitimate traffic!), with DDoS Protector™, where up to 25 million PPS of attack traffic is handled separately from the multi-Gbps capacity reserved for legitimate traffic (attack traffic does not impact legitimate traffic).
• Maintain network performance even when under high volume network attacks
• Maintain excellent user response time even under attack
©2014 Check Point Software Technologies Ltd. 26
TCP Challenge
Behavioral Real-time
Signature Technology
Real-Time
Signature Created
Challenge/Response
Technology
“Light”
Challenge Actions
“Strong”
Challenge Action
X
?
Selective
Rate-limit
X
?
Attack
Detection
302 Redirect
Challenge
Java Script
Challenge
RT Signature
blocking
Real-time Signature
Blocking
Closed Feedback & Action Escalation
Botnet is identified
(suspicious sources
are marked)
Challenge/Response & Action Escalation
System
27
©2014 Check Point Software Technologies Ltd. 27
Server-Based
Attacks
Server-Based
Behavioral Protections
Slide 27
•HTTP Mitigator
• Bot originated HTTP flood attacks
• High & Low rate HTTP flood DDoS attacks
• Page floods – Misuse the server resources
• HTTP bandwidth consumption attacks (e.g., large downloads)
Server-based Behavioral Protections
Slide 28: Decision Making Accuracy - Attack
Chart: three-dimensional decision space whose axes are abnormal rate of packets, abnormal protocol distribution [%] and attack degree, divided into a normal adapted area, a suspicious area and an attack area. Attack case shown: Attack Degree = 10 (Attack).
Slide 29: Network Behavior Analysis & RT Signature Technology
Diagram: inbound traffic from the public network passes the statistics/detection engine (learning) on its way to the protected network; real-time signatures feed the blocking rules; outbound traffic returns along the same path.
Signature parameters: Source/Destination IP, Source/Destination Port, Packet size, TTL (Time To Live), DNS Query, Packet ID, TCP sequence number, more… (up to 20).
Mitigation optimization process (closed feedback, time axis in seconds from 0 to 10+X):
1. Initial filter is generated: Packet ID
2. Filter optimization: Packet ID AND Source IP
3. Filter optimization: Packet ID AND Source IP AND Packet size
4. Filter optimization: Packet ID AND Source IP AND Packet size AND TTL
5. Final filter (narrowest filters): Packet ID, Source IP Address, Packet size, TTL (Time To Live)
After each step the Degree of Attack is re-evaluated: Low gives positive feedback, High gives negative feedback. Mitigation starts with the initial filter, and the traffic characteristics (filtered traffic) are refined until the final real-time signature is reached.
Slide 30: Attack Detection, 1st Phase: 0 … 10 seconds
• Constant monitoring (per protection type) of
– Throughput parameters [bps]
– Packet parameters [pps]
– Rate-invariant parameters (e.g., TCP SYN/Total TCP,…)
• Fuzzy Logic engine assigns anomaly weights to each parameter and correlates between the weights to define the Degree of Attack (DoA) every one second
• High DoA requires that both rate counters and rate-invariant counters deviate from normal baselines
Slide 31: Footprint Detection, 2nd Phase: 10 … 18 seconds
• Inspects “all*” packets to find abnormally repeated header values
– Compares the frequency with which header values appear against the expected frequency under normal traffic conditions
– Extracts the abnormal values, i.e., footprint values
• Creates the footprint blocking rule through a closed-feedback mechanism which finds the narrowest, yet most effective, footprint rule
• It is possible to force the system to ignore (bypass) some of the header fields and/or values (i.e., bypass footprint types and/or values)
• Optionally, “transparent footprinting” can be enabled, which prevents packets from being dropped before the filter is optimized.
Slide 32: Blocking, 3rd Phase: 18… seconds
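The three phases just described (Degree of Attack from a rate counter plus a rate-invariant counter, footprint extraction by comparing header-value frequencies with the peacetime baseline, and closed-feedback narrowing of the blocking filter) as a runnable toy model. This is an added example, not Check Point or Radware code; the packet sample, the field names, the UDP-share invariant and the thresholds are constructed assumptions.

```python
"""Toy model of the three phases on the slides: (1) Degree of Attack (DoA) from a
rate counter and a rate-invariant counter, (2) footprint detection by comparing
header-value frequencies with a peacetime baseline, (3) closed-feedback
narrowing of the blocking filter. Added example, not Check Point or Radware
code; packets, field names and thresholds are constructed assumptions."""
import random
from collections import Counter

FIELDS = ("src_ip", "dst_port", "pkt_size", "ttl", "pkt_id")
HIGH_DOA = 5                      # assumed: DoA >= 5 on the 0..10 scale means attack
MIN_SHARE, MIN_RATIO = 0.10, 5.0  # assumed footprint thresholds


def make_traffic(seed=7):
    """Constructed sample: a peacetime window and an attack window with the same
    legitimate rate plus a 2000-packet UDP flood from five spoofed sources."""
    rnd = random.Random(seed)

    def legit(n):
        return [{"bot": False,
                 "proto": rnd.choices(["tcp", "udp"], [80, 20])[0],
                 "src_ip": f"10.0.{rnd.randint(0, 9)}.{rnd.randint(1, 254)}",
                 "dst_port": rnd.choice([80, 443, 53]),
                 "pkt_size": rnd.choices([60, 64, 512, 1500, 1024], [30, 30, 20, 10, 10])[0],
                 "ttl": rnd.choices([64, 128, 53], [60, 35, 5])[0],
                 "pkt_id": rnd.randint(1, 100)} for _ in range(n)]

    bots = [f"203.0.113.{i}" for i in range(1, 6)]
    flood = [{"bot": True, "proto": "udp", "src_ip": bots[i % 5], "dst_port": 53,
              "pkt_size": 1024, "ttl": 53, "pkt_id": 42} for i in range(2000)]
    return legit(1000), legit(1000) + flood


def udp_share(window):
    return sum(p["proto"] == "udp" for p in window) / max(1, len(window))


def degree_of_attack(window, baseline):
    """Phase 1: fuzzy AND of a rate deviation (packets per window) and a
    rate-invariant deviation (UDP share), scaled to 0..10. As on the slides,
    both counters must deviate from the baseline before the DoA gets high."""
    rate_dev = min(1.0, max(0.0, len(window) / len(baseline) - 1.0))
    base = udp_share(baseline)
    inv_dev = min(1.0, max(0.0, (udp_share(window) - base) / max(1e-9, 1.0 - base)))
    return round(10 * min(rate_dev, inv_dev))


def footprint_candidates(window, baseline, bypass_fields=()):
    """Phase 2: header values whose share of the attack window is far above
    their baseline share, strongest first. Fields listed in bypass_fields are
    ignored, mirroring the slides' option to bypass footprint types."""
    cands = []
    for field in FIELDS:
        if field in bypass_fields:
            continue
        base = Counter(p[field] for p in baseline)
        for value, count in Counter(p[field] for p in window).items():
            share = count / len(window)
            expected = max(base[value] / len(baseline), 1.0 / len(baseline))
            if share >= MIN_SHARE and share / expected >= MIN_RATIO:
                cands.append((share / expected, field, value))
    return [(f, v) for _, f, v in sorted(cands, reverse=True)]


def matches(pkt, rule):
    return all(pkt[f] == v for f, v in rule)


def optimize_filter(window, baseline, bypass_fields=()):
    """Phase 2/3 closed feedback: keep the first candidate that drives the
    residual DoA low (positive feedback), then AND in further candidates while
    the DoA stays low. A candidate that lets the DoA climb back, e.g. a single
    bot source out of five, gets negative feedback and is discarded."""
    rule, history = [], []
    for field, value in footprint_candidates(window, baseline, bypass_fields):
        if any(field == rf for rf, _ in rule):
            continue                              # one value per header field
        trial = rule + [(field, value)]
        residual = [p for p in window if not matches(p, trial)]
        doa = degree_of_attack(residual, baseline)
        history.append(((field, value), doa))
        if doa < HIGH_DOA:
            rule = trial                          # positive feedback: narrow further
    return rule, history


def evaluate(rule, window):
    """Effectiveness (share of flood packets blocked) and cost (legit packets blocked)."""
    blocked = [p for p in window if matches(p, rule)]
    return {"attack_caught": sum(p["bot"] for p in blocked) / sum(p["bot"] for p in window),
            "legit_dropped": sum(not p["bot"] for p in blocked)}


if __name__ == "__main__":
    baseline, window = make_traffic()
    print("DoA before mitigation:", degree_of_attack(window, baseline))
    rule, history = optimize_filter(window, baseline)
    for step, doa in history:
        print(f"  try {step}: residual DoA={doa} -> {'keep' if doa < HIGH_DOA else 'reject'}")
    print("final filter:", " AND ".join(f"{f}={v}" for f, v in rule), evaluate(rule, window))
```

Each of the five bot source addresses is rejected because blocking one of them leaves the DoA high, while Packet ID, TTL and packet size are ANDed together into the final rule.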
Slide 33: On-Demand Switch: architecture designed for attack prevention
On-Demand switch with platform capacity up to 40 Gbps.
• NBA Protections: prevent application resource misuse; prevent zero-minute malware
• IPS: ASIC based String Match Engine performing deep packet inspection; prevent application vulnerability exploits
• DoS Mitigation Engine: ASIC based; prevent high volume attacks; up to 25 million PPS of attack protection
©2014 Check Point Software Technologies Ltd.
Behavioral-based protections
DME
DDoS Mitigation
Engine
(25M PPS / 60 Gbps)
L7 Regex
Acceleration
ASIC
Multi Purpose Multi Cores CPU’s
(Up to 40 Gbps)
& Reputation Engine
Architecture That Was Tailored for Attack
Mitigation
Layers of Defense – DDoS ProtectorTM
Slide 35: Appliance Specifications X06 and X412
Model | DP 506 | DP 1006 | DP 2006 | DP 4412 | DP 8412 | DP 12412
Capacity | 0.5 Gbps | 1 Gbps | 2 Gbps | 4 Gbps | 8 Gbps | 12 Gbps
Max concurrent sessions | 2 million | 2 million | 2 million | 4 million | 4 million | 4 million
Max DDoS flood attack protection rate | 1 million pps | 1 million pps | 1 million pps | 10 million pps | 10 million pps | 10 million pps
Latency | <60 microseconds (all models)
Real-time signatures | Detect and protect against attacks in less than 18 seconds (all models)
Slide 36: Appliance Specifications X420
Model | DP 10420 | DP 20420 | DP 30420 | DP 40420
Capacity | 10 Gbps | 20 Gbps | 30 Gbps | 40 Gbps
Max concurrent sessions | 6 million (all models)
Max DDoS flood attack protection rate | 25 million packets per second (all models)
Latency | <60 microseconds (all models)
Real-time signatures | Detect and protect against attacks in less than 18 seconds (all models)
Slide 37: Deployment Options
Slide 38: Validation & Tuning
Deployment process (diagram): Environment Assessment, then Initial Configuration, then Validation & Tuning.
Environment assessment covers: performance, protected services, threats, environment symmetry, IP ranges, CDN, HTTPS, IP version, tunneling protocols, automatic / diagnostic tools.
• Map requirements to protection configuration
• Initial DDoS Protector setup - report only
• Alert analysis
• Protection tuning
• Transition to block mode
Slide 39: Flexible Deployment Options
• Ready to protect in minutes
• Fits to existing network topology
• Optional learning mode deployment
• Low maintenance and support
Slide 40: Where to Protect Against DDoS
Diagram with three scenarios: on-premise deployment (DDoS Protector appliance), off-site (out-of-path) deployment (DDoS Protector appliance), and the two combined (shown as “+”).
Slide 41: Supported Deployments
Slide 42: Network Symmetry
• Why DDoS Protector™ depends on symmetry
• What are the risks of deploying DDoS Protector™ in a wrong symmetry scenario?
Diagram: the TCP handshake (Client: SYN, Server: SYN-ACK, Client: ACK) followed by Client: GET / HTTP/1.1 and Server: HTTP Response between the Internet and the Web Server, with DDoS Protector™ in the path.
• Symmetric - inbound and outbound traffic flows through the DefensePro
• Asymmetric Ingress Only – only inbound traffic flows through the appliance
• Asymmetric mesh - ingress/egress packets sometimes flow through the appliance, and sometimes do not
Slide 43: Supported Modules by Network Symmetry
Protection | Symmetric | Asymmetric Ingress Only | Asymmetric "Mesh"
Network-based protections
BDoS | Supported | Supported | Supported
Anti-Scanning | Supported | Not supported | Not supported
Out Of State | Supported | Supported | Not supported
DoS Shield | Supported | Supported | Supported
Connection Limit | Supported | Supported | Supported*
Server-based protections
SYN Protection Transparent Proxy | Supported | Not supported | Not supported
SYN Protection Safe Reset | Supported | Supported | Not supported
DNS Protection | Supported | Supported | Partially supported (no challenge)
HTTP Page Flood Protection | Supported | Supported | Partially supported (no challenge)
Web Cookies | Supported | Supported | Not supported
Server Cracking | Supported | Not supported | Supported*
Miscellaneous
Signature Protection | Supported | Supported | Supported (counting*)
Packet Anomalies | Supported | Supported | Supported
Black White Lists | Supported | Supported | Supported
ACL | Supported | Not supported | Not supported
Slide 44: Placement of the DDoS Protector™
Place DDoS Protector™ at the perimeter to protect as many network IS elements as possible.
Slide 45: Placement of the DDoS Protector™: In-line or Out of Path
• Main changes from traditional inline deployment
– Detection (in most OOP deployments) is not performed by DDoS Protector™
– No peace time learning
– Traffic is diverted towards the DDoS Protector™ only upon attack detection
– DDoS Protector™ is an active component in the network that communicates with other routers in the network
– Mitigation is performed only after traffic is diverted to the DDoS Protector™
Slide 46: Out of Path Diversion Process
Slide 47: Out of Path Solution Building Blocks
Detection
• SDN based detection (DefenseFlow)
• Inline DefensePro detection
• 3rd party based detection
Mitigation
• Local mitigation (perimeter)
• Central mitigation (scrubbing center)
• Volume dependent (inline + scrubbing center)
OOP Controller
• DefenseFlow controller
• Script based
• Manual (SOC)
Slide 48: Summary
Slide 49: Integrated Security Management
Unified logs and monitoring …and unified reporting. Leverage SmartView Tracker, SmartLog and SmartEvent for historic and real-time security status.
Slide 50: Help is just a call away…
• Check Point DDoS Solutions include access to DDoS Specialists when under attack
• This is included in the support contract
• You are not alone – Check Point can help you
Slide 51: Check Point Incident Response Team
Check Point Can Help You
Slide 52: Summary
• Customized multi-layered DDoS protection
• Ready to protect in minutes
• Integrated with Check Point Security Management
• Blocks DDoS attacks within seconds
Slide 53: Thank You!

Mais conteúdo relacionado

Semelhante a ddos-protector-customer-presentation.pdf

Radware Solutions for MSSPs
Radware Solutions for MSSPsRadware Solutions for MSSPs
Radware Solutions for MSSPs
Radware
 
comparing-approaches-for-web-dns-infrastructure-security-white-paper
comparing-approaches-for-web-dns-infrastructure-security-white-papercomparing-approaches-for-web-dns-infrastructure-security-white-paper
comparing-approaches-for-web-dns-infrastructure-security-white-paper
Renny Shen
 
The role of DDoS Providers
The role of DDoS ProvidersThe role of DDoS Providers
The role of DDoS Providers
Neil Hinton
 
Using NetFlow to Streamline Security Analysis and Response to Cyber Threats
Using NetFlow to Streamline Security Analysis and Response to Cyber ThreatsUsing NetFlow to Streamline Security Analysis and Response to Cyber Threats
Using NetFlow to Streamline Security Analysis and Response to Cyber Threats
Emulex Corporation
 

Semelhante a ddos-protector-customer-presentation.pdf (20)

Radware Solutions for MSSPs
Radware Solutions for MSSPsRadware Solutions for MSSPs
Radware Solutions for MSSPs
 
Gestiona el riesgo de las grandes amenazas
Gestiona el riesgo de las grandes amenazasGestiona el riesgo de las grandes amenazas
Gestiona el riesgo de las grandes amenazas
 
SecurityDAM - Hybrid DDoS Protection for MSSPs and Enterprises (Infosecurity ...
SecurityDAM - Hybrid DDoS Protection for MSSPs and Enterprises (Infosecurity ...SecurityDAM - Hybrid DDoS Protection for MSSPs and Enterprises (Infosecurity ...
SecurityDAM - Hybrid DDoS Protection for MSSPs and Enterprises (Infosecurity ...
 
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDCThe Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
 
DDoS Report.docx
DDoS Report.docxDDoS Report.docx
DDoS Report.docx
 
Service Provider Deployment of DDoS Mitigation
Service Provider Deployment of DDoS MitigationService Provider Deployment of DDoS Mitigation
Service Provider Deployment of DDoS Mitigation
 
An Inside Look at a Sophisticated Multi-Vector DDoS Attack
An Inside Look at a Sophisticated Multi-Vector DDoS AttackAn Inside Look at a Sophisticated Multi-Vector DDoS Attack
An Inside Look at a Sophisticated Multi-Vector DDoS Attack
 
comparing-approaches-for-web-dns-infrastructure-security-white-paper
comparing-approaches-for-web-dns-infrastructure-security-white-papercomparing-approaches-for-web-dns-infrastructure-security-white-paper
comparing-approaches-for-web-dns-infrastructure-security-white-paper
 
Check Point SandBlast and SandBlast Agent
Check Point SandBlast and SandBlast AgentCheck Point SandBlast and SandBlast Agent
Check Point SandBlast and SandBlast Agent
 
The role of DDoS Providers
The role of DDoS ProvidersThe role of DDoS Providers
The role of DDoS Providers
 
DSS ITSEC 2013 Conference 07.11.2013 - Radware - Cyber Attacks Survival Guide
DSS ITSEC 2013 Conference 07.11.2013 - Radware - Cyber Attacks Survival GuideDSS ITSEC 2013 Conference 07.11.2013 - Radware - Cyber Attacks Survival Guide
DSS ITSEC 2013 Conference 07.11.2013 - Radware - Cyber Attacks Survival Guide
 
An Inside Look at a Sophisticated, Multi-vector DDoS Attack
An Inside Look at a Sophisticated, Multi-vector DDoS AttackAn Inside Look at a Sophisticated, Multi-vector DDoS Attack
An Inside Look at a Sophisticated, Multi-vector DDoS Attack
 
BKNIX Peering Forum 2017 : DDoS Attack Trend and Defense Strategy
BKNIX Peering Forum 2017 : DDoS Attack Trend and Defense StrategyBKNIX Peering Forum 2017 : DDoS Attack Trend and Defense Strategy
BKNIX Peering Forum 2017 : DDoS Attack Trend and Defense Strategy
 
F5 DDoS Protection
F5 DDoS ProtectionF5 DDoS Protection
F5 DDoS Protection
 
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf AliPLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
 
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf AliPLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
 
Advanced DNS Protection
Advanced DNS ProtectionAdvanced DNS Protection
Advanced DNS Protection
 
Using NetFlow to Streamline Security Analysis and Response to Cyber Threats
Using NetFlow to Streamline Security Analysis and Response to Cyber ThreatsUsing NetFlow to Streamline Security Analysis and Response to Cyber Threats
Using NetFlow to Streamline Security Analysis and Response to Cyber Threats
 
Radware Cloud Security Services
Radware Cloud Security ServicesRadware Cloud Security Services
Radware Cloud Security Services
 
Recent DDoS attack trends, and how you should respond
Recent DDoS attack trends, and how you should respondRecent DDoS attack trends, and how you should respond
Recent DDoS attack trends, and how you should respond
 

Último

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Último (20)

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 

ddos-protector-customer-presentation.pdf

  • 1. ©2015 Check Point Software Technologies Ltd. 1 ©2015 Check Point Software Technologies Ltd. [Protected] Non-confidential content THE CHECK POINT DDOS PROTECTORTM SOLUTION
  • 2. 2 ©2014 Check Point Software Technologies Ltd. Contents Industry Trends and Attack Types 1 Solution Requirements 2 The Check Point DDoS ProtectorTM 3 Deployment Options 4
  • 3. ©2015 Check Point Software Technologies Ltd. 3 [Protected] Non-confidential content Industry Trends and Attack Profiles
  • 4. 4 ©2014 Check Point Software Technologies Ltd. DDoS 28% SQLi 23% Defacement 17% Account Hijacking 11% Targeted attack (Various tools) 7% DNS Hijacking 3% Malware 3% iFrame Injection 1% Other 7% Source: 2013 Cyber Attacks Trends, Hackmagedon 28% of all cyber attacks in 2013 involved a DoS/DDoS attck Cybercrime Landscape
  • 5. 5 ©2014 Check Point Software Technologies Ltd. Cost of Damage Per Attack Source: “2013 Cost of Data Center Outages”, Ponemon Institute, Dec. 2013 $0 $200 $400 $600 $800 $1,000 $1,200 Weather related Generator failure Water, heat or CRAC failure UPS system failure Cyber crime (DDoS) IT equipment failure 2010 2013 $822,000 cost of a single DoS/DDoS attack that causes unplanned outage K
  • 6. 6 ©2014 Check Point Software Technologies Ltd. DDoS Attack Results Source: Strangeloop Networks, Case Study: The impact of HTML delay on mobile business metrics. 1 second delay in page loading 3.5% decrease in conversion rate 2.1% decrease in shopping cart size 9.4% decrease in page views 8.4% increase in bounce rate Amazon.com’s 40 minute outage = $5 million in lost sales. (VentureBeat, August 2013)
  • 7. 7 ©2014 Check Point Software Technologies Ltd. Victims of Recent DDoS Attacks
  • 8. 8 ©2014 Check Point Software Technologies Ltd. Today’s Attacks Are More Sophisticated More DDoS attacks today than ever before A More damage with application attacks B No need to flood network bandwidth C
  • 9. 9 ©2014 Check Point Software Technologies Ltd. Diversity of Attacks Vectors Distribution of attack vectors More than 50% of 2013 DDoS attacks had more than 5 attack vectors. Source: Radware ERT Report, Jan. 27, 2014 Over 50% of attacks use more than 5 attacks vectors
  • 10. 10 ©2014 Check Point Software Technologies Ltd. Application Layer DDoS Attacks  Exploit application weakness with Low&Slow attacks  Utilize relatively low volume and fewer connections  Used in conjunction with volume-based attacks Undetectable by threshold or volume-based solutions New Application Attacks Are Stealthier…
  • 11. 11 ©2014 Check Point Software Technologies Ltd. How DDoS attacks can wreak havoc on even the most defended network? Network Flood DOS Attacks • Consuming bandwidth resources Application Flood DOS Attacks • Target the application resources Directed Application DOS Attacks • Exploit application implementation weaknesses
  • 12. ©2015 Check Point Software Technologies Ltd. 12 [Protected] Non-confidential content Solution Requirements
  • 13. 13 ©2014 Check Point Software Technologies Ltd. The Right DDoS Solution Should Have… Network Layer Protection Adaptable Application Layer Protection Fast Response Time
  • 14. 14 ©2014 Check Point Software Technologies Ltd. Network Flood High volume of packets Server Flood High rate of new sessions Application Web / DNS connection- based attacks Low & Slow Attacks Advanced attack techniques Multi-Layered Protections
  • 15. 15 ©2014 Check Point Software Technologies Ltd. Network Flood High volume of packets Server Flood High rate of new sessions Application Web / DNS connection- based attacks Low & Slow Attacks Advanced attack techniques Multi-Layered Protections Network behavioral analysis DoS Mitigation Engine (DME) blocking up to 25M PPS Connection verification Preventing misuse of resources Behavioral HTTP and DNS User auth through advanced challenge- response Signature protections String Match Engine (SME) – L7 RegEx acceleration
16. Multi-Layer Protections
Protection modules spanning the network, server and application layers, all aimed at keeping the protected service available: Behavioral DoS, Anti-Scanning, Out-of-State, Black/White Lists (BL/WL), Connection Limit, SYN Protection, HTTP Flood Protection, Connection PPS Limit, Signature Protection, DNS Protection.

17. Defense Behavioral Flow (Network and Application Protections)
• Detection: Am I under attack?
• Characterization: How am I being attacked?
• Mitigation: What action do I take?
• Termination: Is the attack over?
The flow is able to mitigate the latest and newest attacks.
18. Network-based DoS Protections
Network flood: high volume of packets. Real-time protections against:
– TCP SYN floods
– TCP SYN+ACK floods
– TCP FIN floods
– TCP RESET floods
– TCP out-of-state floods
– TCP fragment floods
– UDP floods
– ICMP floods
– IGMP floods
– Packet anomalies
– Amplification attacks
– Known DoS tools

19. Application-based DoS Protections
Application: web / DNS connection-based attacks. Real-time protection against bot-originated and direct application attacks:
– HTTP GET page floods
– HTTP POST floods
– HTTP uplink bandwidth consumption attacks
– DNS query floods (A, MX, PTR, ...)
Advanced behavioral application monitoring:
– HTTP server real-time statistics and baselines
– DNS server real-time statistics and baselines
20. The Check Point DDoS Protector™ Solution

21. Check Point DDoS Protector™, with the new String Match Engine (SME): block denial of service attacks within seconds!
22. DDoS Protector™ Product Line
Enterprise grade: DP X06 family
– Up to 2 Gbps throughput
– 2M concurrent sessions
– 1 Mpps max. DDoS flood attack rate
Datacenter grade: DP X412 family
– Up to 12 Gbps throughput
– 4M concurrent sessions
– 10 Mpps max. DDoS flood attack rate
Carrier grade: DP X420 family
– Up to 40 Gbps throughput
– 6M concurrent sessions
– 25 Mpps max. DDoS flood attack rate

23. DDoS Protector™ New Platforms
Families: DP X06 (up to 2 Gbps throughput, 2M concurrent sessions, 1 Mpps max. DDoS flood attack rate), DP X412 (up to 12 Gbps, 4M sessions, 10 Mpps), DP X420 (up to 40 Gbps, 6M sessions, 25 Mpps).
New: String Match Engine (SME)
• Improved protection from known DDoS attack tools for superior continuity of service
• Accelerated Layer 7 signature protection to quickly mitigate advanced attacks
• Simplified adaptable application layer protections: custom protections made easier
24. DDoS Protector™
Detect:
• Patented behavioral detection
• Network floods
• Application attacks: HTTP GET / POST, low & slow
Mitigate:
• Immediate and automatic, with no need to divert traffic
• Generates a real-time signature
• Distinguishes between attackers and legitimate users
• Best quality of experience even under attack
• Powerful, using dedicated hardware, up to 25M PPS
Analyze:
• Denial of service event analysis
• Historical reports
• Forensics
• Trend analysis

25. The Competitive Advantage: Attack Mitigation Superiority
• Other network security solutions: one multi-Gbps capacity shared between legitimate traffic and attack traffic, so the device handles attack traffic at the expense of legitimate traffic!
• DDoS Protector™: multi-Gbps capacity for legitimate traffic alongside 25 million PPS of attack traffic; attack traffic does not impact legitimate traffic
• Maintains network performance even under high-volume network attacks
• Maintains excellent user response time even under attack
26. Challenge/Response & Action Escalation System
Behavioral real-time signature technology with closed feedback and action escalation:
1. Attack detection
2. "Light" challenge actions
3. "Strong" challenge action
4. Selective rate-limit
5. Real-time signature created; real-time signature blocking
Challenge/response types shown: TCP challenge, HTTP 302 redirect challenge, JavaScript challenge. Outcome: the botnet is identified (suspicious sources are marked) and blocked by the real-time signature.
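The escalation ladder on this slide, modelled in Python as an added example; this is constructed illustration code, not Check Point's or the DDoS Protector's implementation. A controller challenges unverified sources and, through closed feedback once per second, escalates from an HTTP 302 redirect challenge to a JavaScript challenge, then to a per-source rate-limit, then to blocking, for as long as the request rate from unverified sources stays above the learned baseline. The ladder steps, the HMAC-based token format, the thresholds and the client list (addresses from the documentation ranges, with assumed capabilities) are assumptions made for the example; the slide's TCP challenge is not modelled.

```python
"""Challenge/response action escalation, a constructed illustration (not DDoS Protector code)."""
import hashlib
import hmac
from collections import Counter
from typing import Optional

SECRET = b"constructed-example-key"   # assumption: a per-device secret
LADDER = ["redirect_challenge", "js_challenge", "rate_limit", "block"]
RATE_LIMIT_RPS = 2                     # assumption: per-source budget under rate-limit


def challenge_token(src: str, kind: str) -> str:
    """Token the client must echo back (cookie or query string) to prove it
    completed a challenge of the given kind; bound to the source address."""
    return hmac.new(SECRET, f"{kind}:{src}".encode(), hashlib.sha256).hexdigest()[:16]


class EscalationController:
    """One protected HTTP service: challenges unverified sources and escalates
    the action while the unverified request rate stays above baseline."""

    def __init__(self, baseline_rps: int):
        self.baseline_rps = baseline_rps
        self.level = 0                 # index into LADDER
        self.verified_at = {}          # src -> 0 (passed 302 redirect) or 1 (passed JavaScript)
        self.suspicious = set()        # sources that failed the challenge in force
        self.unverified_rate = 0       # unverified requests seen this second
        self.per_src = Counter()       # per-source budget under rate-limit

    @property
    def action(self) -> str:
        return LADDER[self.level]

    def handle(self, src: str, echoed: Optional[str] = None) -> str:
        """Dispose of one request: 'pass', 'redirect', 'js_challenge' or 'drop'."""
        # A correct answer verifies the source; the JavaScript answer outranks the
        # redirect answer, which only counts while the ladder is still at that step.
        if echoed == challenge_token(src, "js_challenge"):
            self.verified_at[src] = 1
            self.suspicious.discard(src)
        elif echoed == challenge_token(src, "redirect") and self.level == 0:
            self.verified_at[src] = 0
            self.suspicious.discard(src)
        # From the strong challenge onward only sources that passed it are trusted.
        if self.verified_at.get(src, -1) >= min(self.level, 1):
            return "pass"
        self.unverified_rate += 1
        self.suspicious.add(src)
        step = self.action
        if step == "redirect_challenge":
            return "redirect"
        if step == "js_challenge":
            return "js_challenge"
        if step == "rate_limit":
            self.per_src[src] += 1
            return "pass" if self.per_src[src] <= RATE_LIMIT_RPS else "drop"
        return "drop"                  # block: unverified sources are dropped

    def tick(self) -> bool:
        """Closed feedback, once per second: escalate while unverified traffic
        still exceeds the baseline. Returns whether the attack persists."""
        persists = self.unverified_rate > self.baseline_rps
        if persists and self.level < len(LADDER) - 1:
            self.level += 1
        self.unverified_rate = 0
        self.per_src.clear()
        return persists


# Constructed clients: address -> (requests/second, follows 302 redirects, runs JavaScript)
CLIENTS = {
    "192.0.2.10": (1, True, True),       # real browser
    "192.0.2.11": (1, True, True),       # real browser
    "198.51.100.5": (20, True, False),   # scripted client: follows redirects, no JS engine
    "198.51.100.6": (20, True, False),
    "203.0.113.7": (40, False, False),   # raw flood tool: ignores responses entirely
}


def simulate(seconds: int = 5, baseline_rps: int = 10):
    """Drive the controller second by second. Returns the per-second trace of
    (action in force, requests per source that reached the server) and the controller."""
    ctl = EscalationController(baseline_rps)
    pending = {}                        # src -> last challenge it received
    trace = []
    for _ in range(seconds):
        reached = Counter()
        for src, (rps, follows, runs_js) in CLIENTS.items():
            for _ in range(rps):
                p = pending.get(src)
                answer = None
                if p == "redirect" and follows:
                    answer = challenge_token(src, "redirect")
                elif p == "js_challenge" and runs_js:
                    answer = challenge_token(src, "js_challenge")
                verdict = ctl.handle(src, answer)
                if verdict in ("redirect", "js_challenge"):
                    pending[src] = verdict
                elif verdict == "pass":
                    reached[src] += 1
        trace.append((ctl.action, dict(reached)))
        ctl.tick()
    return trace, ctl


if __name__ == "__main__":
    for second, (action, reached) in enumerate(simulate()[0], 1):
        print(f"t={second}s action={action} reached={reached}")
```

Running it shows the ladder doing what the slide describes: the browsers lose one request to the 302 challenge and then pass; the scripted clients pass the light challenge but are caught by the JavaScript challenge once the flood has forced escalation; the raw flood tool never answers anything and ends up rate-limited, then blocked, while the verified browsers keep reaching the server at every step.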
27. Server-based Behavioral Protections
Server-based attacks addressed by the HTTP Mitigator:
• Bot-originated HTTP flood attacks
• High- and low-rate HTTP flood DDoS attacks
• Page floods that misuse the server's resources
• HTTP bandwidth consumption attacks (e.g., large downloads)
28. Decision Making Accuracy: Attack
Three-dimensional decision surface: the X and Y axes carry the measured parameters (an abnormal rate of packets, an abnormal protocol distribution [%], ...) and the Z axis carries the Attack Degree. The surface is divided into a normal adapted area, a suspicious area and an attack area. Attack case: an abnormal packet rate combined with an abnormal protocol distribution gives Attack Degree = 10 (attack).
29. Network Behavior Analysis & Real-Time Signature Technology
Traffic path: inbound traffic from the public network passes through the statistics, learning and detection engine modules, which produce real-time (RT) signatures and blocking rules, before reaching the protected network; outbound traffic is observed as well.
Signature parameters (up to 20):
• Source/destination IP
• Source/destination port
• Packet size
• TTL (time to live)
• DNS query
• Packet ID
• TCP sequence number
• More ...
Mitigation optimization process (time in seconds): mitigation starts with an initial filter generated within up to 10 s of the attack start; the final filter is reached at 10+X s through closed feedback.
1. Initial filter is generated: Packet ID
2. Filter optimization: Packet ID AND Source IP
3. Filter optimization: Packet ID AND Source IP AND Packet size
4. Filter optimization: Packet ID AND Source IP AND Packet size AND TTL
5. Final filter, the narrowest filter: Packet ID, Source IP address, Packet size, TTL
After each step the Degree of Attack is fed back: Degree of Attack = Low is positive feedback, Degree of Attack = High is negative feedback. The resulting real-time signature captures the traffic characteristics of the attack and separates the filtered traffic from the legitimate traffic.
30. 1st Phase (0 to 10 seconds): Attack Detection
• Constant monitoring (per protection type) of:
– Throughput parameters [bps]
– Packet parameters [pps]
– Rate-invariant parameters (e.g., TCP SYN / total TCP, ...)
• A fuzzy logic engine assigns anomaly weights to each parameter and correlates the weights to define the Degree of Attack (DoA) once every second
• A high DoA requires that both the rate counters and the rate-invariant counters deviate from their normal baselines

31. 2nd Phase (10 to 18 seconds): Footprint Detection
• Inspects "all*" packets to find abnormally repeated header values
– Compares the frequency with which header values appear against their expected frequency under normal traffic conditions
– Extracts the abnormal values, i.e., the footprint values
• Creates a footprint blocking rule through a closed-feedback mechanism that finds the narrowest, yet most effective, footprint rule
• It is possible to force the system to ignore (bypass) some header fields and/or values (i.e., bypass footprint types and/or values)
• Optionally, "transparent footprinting" can be enabled, which prevents packets from being dropped before the filter is optimized

32. 3rd Phase (18 seconds onward): Blocking
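The three phases of slides 30 to 32, together with the closed-feedback filter optimization of slide 29, as an added Python example. This is constructed illustration code, not Check Point's or the DDoS Protector's implementation: the choice of counters (packets per second as the rate counter, SYN/TCP as the rate-invariant counter), the anomaly weighting and its thresholds, the four header fields eligible for a footprint, and the packet samples are all assumptions made for the example. It goes one step beyond the slide by showing negative feedback in action: a candidate header value that covers only part of the attack is rejected because narrowing the rule with it lets the Degree of Attack rise again.

```python
"""Three-phase behavioural detection and real-time signature generation (constructed example,
not DDoS Protector code): (1) Degree of Attack from a rate and a rate-invariant counter,
(2) footprint detection against a learned baseline, (3) closed-feedback rule narrowing."""
from collections import Counter

FIELDS = ["src", "id", "size", "ttl"]   # header fields eligible for a footprint (assumption)
DOA_ATTACK = 7                          # assumption: DoA >= 7 on the 0..10 scale means "attack"


def normal_window(n=100, seed=0):
    """One second of constructed legitimate traffic: 80% TCP, one SYN per eight TCP
    packets, 20 client addresses, mixed sizes, TTLs and packet IDs."""
    pkts = []
    for i in range(n):
        k = i + seed
        tcp = k % 10 < 8
        pkts.append({"src": f"192.0.2.{k % 20}", "id": 1000 + k,
                     "size": [40, 576, 1500, 1500, 576][k % 5],
                     "ttl": [64, 128, 128, 255][k % 4],
                     "proto": "tcp" if tcp else "udp",
                     "flags": "S" if tcp and k % 10 == 0 else ("A" if tcp else "")})
    return pkts


def attack_packets(n=900):
    """Constructed SYN flood: one source, fixed packet ID and size, two TTL values."""
    return [{"src": "203.0.113.9", "id": 7777, "size": 40, "ttl": 32 if i % 10 < 7 else 33,
             "proto": "tcp", "flags": "S"} for i in range(n)]


def learn_baseline(window):
    """Peace-time learning: packet rate, SYN/TCP ratio and per-field value shares."""
    tcp = [p for p in window if p["proto"] == "tcp"]
    return {"pps": len(window),
            "syn_ratio": sum(p["flags"] == "S" for p in tcp) / len(tcp),
            "shares": {f: {v: c / len(window) for v, c in Counter(p[f] for p in window).items()}
                       for f in FIELDS}}


def anomaly(observed, baseline):
    """Anomaly weight in [0, 1]: 0 at or below baseline, 1 at four times baseline (assumption)."""
    return max(0.0, min(1.0, (observed - baseline) / (3 * baseline)))


def degree_of_attack(window, baseline):
    """Phase 1: correlate the packet rate with the SYN/TCP ratio. Taking the minimum means
    both the rate counter and the rate-invariant counter must deviate for a high DoA."""
    tcp = [p for p in window if p["proto"] == "tcp"]
    syn_ratio = sum(p["flags"] == "S" for p in tcp) / len(tcp) if tcp else 0.0
    return round(10 * min(anomaly(len(window), baseline["pps"]),
                          anomaly(syn_ratio, baseline["syn_ratio"])))


def footprint_candidates(window, baseline):
    """Phase 2: a field's most frequent value is a footprint candidate when it dominates
    the window and far exceeds its peace-time share (assumed thresholds); most abnormal first."""
    cands = []
    for f in FIELDS:
        value, count = Counter(p[f] for p in window).most_common(1)[0]
        share = count / len(window)
        base = baseline["shares"][f].get(value, 0.0)
        if share >= 0.5 and share >= 3 * base:
            cands.append((share - base, f, value))
    cands.sort(key=lambda c: (c[0], c[1]), reverse=True)
    return [(f, v) for _, f, v in cands]


def matches(pkt, rule):
    return all(pkt[f] == v for f, v in rule)


def optimise_filter(window, baseline, candidates):
    """Phase 3: closed feedback. Start from the strongest candidate and AND in further
    fields (narrowing the rule) while the unblocked remainder still shows a low DoA;
    a high DoA is negative feedback and the field is rejected."""
    rule, history = [candidates[0]], []
    for cand in candidates[1:]:
        trial = rule + [cand]
        doa = degree_of_attack([p for p in window if not matches(p, trial)], baseline)
        if doa < DOA_ATTACK:
            rule = trial
        history.append((cand[0], doa, doa < DOA_ATTACK))
    return rule, history


def run_pipeline():
    """Learn on a quiet second, then detect, footprint and optimise on an attack second."""
    baseline = learn_baseline(normal_window(seed=0))
    quiet = normal_window(seed=100)
    attack = quiet + attack_packets()
    candidates = footprint_candidates(attack, baseline)
    rule, history = optimise_filter(attack, baseline, candidates)
    return {"doa_quiet": degree_of_attack(quiet, baseline),
            "doa_attack": degree_of_attack(attack, baseline),
            "candidates": candidates, "rule": rule, "history": history,
            "blocked": sum(matches(p, rule) for p in attack),
            "collateral": sum(matches(p, rule) for p in quiet)}  # legitimate packets the rule drops


if __name__ == "__main__":
    for key, value in run_pipeline().items():
        print(f"{key}: {value}")
```

With the constructed traffic the quiet second scores a DoA of 0 and the attack second a DoA of 10. All four fields yield candidates, but the TTL value is rejected during optimization: it appears in only 70% of the flood packets, so adding it lets 270 SYNs per second through and the DoA on the remainder climbs back to 9. The final rule is the three-field conjunction that blocks every flood packet and none of the legitimate ones.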
33. On-Demand Switch: an Architecture Designed for Attack Prevention
• Platform capacity up to 40 Gbps
• NBA (network behavioral analysis) protections: prevent application resource misuse; prevent zero-minute malware
• IPS: ASIC-based String Match Engine performing deep packet inspection; prevents application vulnerability exploits
• DoS Mitigation Engine: ASIC-based; prevents high-volume attacks; up to 25 million PPS of attack protection

34. Layers of Defense: DDoS Protector™
Architecture tailored for attack mitigation:
• DME, the DDoS Mitigation Engine (25M PPS / 60 Gbps)
• L7 RegEx acceleration ASIC
• Multi-purpose multi-core CPUs (up to 40 Gbps) & reputation engine
• Behavioral-based protections
35. Appliance Specifications: X06 and X412
| Model | DP 506 | DP 1006 | DP 2006 | DP 4412 | DP 8412 | DP 12412 |
| Capacity | 0.5 Gbps | 1 Gbps | 2 Gbps | 4 Gbps | 8 Gbps | 12 Gbps |
| Max concurrent sessions | 2 million (DP 506, 1006, 2006) | 4 million (DP 4412, 8412, 12412) |
| Max DDoS flood attack protection rate | 1 million packets per second (DP 506, 1006, 2006) | 10 million packets per second (DP 4412, 8412, 12412) |
| Latency | <60 microseconds (all models) |
| Real-time signatures | Detect and protect against attacks in less than 18 seconds (all models) |

36. Appliance Specifications: X420
| Model | DP 10420 | DP 20420 | DP 30420 | DP 40420 |
| Capacity | 10 Gbps | 20 Gbps | 30 Gbps | 40 Gbps |
| Max concurrent sessions | 6 million (all models) |
| Max DDoS flood attack protection rate | 25 million packets per second (all models) |
| Latency | <60 microseconds (all models) |
| Real-time signatures | Detect and protect against attacks in less than 18 seconds (all models) |
37. Deployment Options

38. Deployment Process: Environment Assessment, Initial Configuration, Validation & Tuning
• Environment assessment: performance, protected services, threats, environment (symmetry, IP ranges, CDN, HTTPS, IP version, tunneling protocols); supported by automatic / diagnostic tools
• Initial configuration: map requirements to the protection configuration; initial DDoS Protector setup in report-only mode
• Validation & tuning: alert analysis; protection tuning; transition to block mode

39. Flexible Deployment Options
• Ready to protect in minutes
• Fits the existing network topology
• Optional learning-mode deployment
• Low maintenance and support
40. Where to Protect Against DDoS
Scenarios:
1. On-premise deployment of the DDoS Protector appliance
2. Off-site (out-of-path) deployment of the DDoS Protector appliance
3. On-premise deployment plus off-site deployment

41. Supported Deployments
42. Network Symmetry
• Why DDoS Protector™ depends on symmetry
• What are the risks of deploying DDoS Protector™ in a wrong symmetry scenario?
Reference exchange between a client on the Internet and the protected web server: Client: SYN; Server: SYN-ACK; Client: ACK; Client: GET / HTTP/1.1; Server: HTTP response.
• Symmetric: inbound and outbound traffic flows through the DefensePro, so the appliance sees every packet of the exchange
• Asymmetric ingress only: only inbound traffic flows through the appliance, so it sees the client's SYN, ACK and GET but not the server's SYN-ACK or HTTP response
• Asymmetric mesh: ingress/egress packets sometimes flow through the appliance and sometimes do not
43. Supported Modules by Network Symmetry
| Protection | Symmetric | Asymmetric ingress only | Asymmetric "mesh" |
Network-based protections:
| BDoS | Supported | Supported | Supported |
| Anti-Scanning | Supported | Not supported | Not supported |
| Out of State | Supported | Supported | Not supported |
| DoS Shield | Supported | Supported | Supported |
| Connection Limit | Supported | Supported | Supported* |
Server-based protections:
| SYN Protection (Transparent Proxy) | Supported | Not supported | Not supported |
| SYN Protection (Safe Reset) | Supported | Supported | Not supported |
| DNS Protection | Supported | Supported | Partially supported (no challenge) |
| HTTP Page Flood Protection | Supported | Supported | Partially supported (no challenge) |
| Web Cookies | Supported | Supported | Not supported |
| Server Cracking | Supported | Not supported | Supported* |
Miscellaneous:
| Signature Protection | Supported | Supported | Supported (counting*) |
| Packet Anomalies | Supported | Supported | Supported |
| Black/White Lists | Supported | Supported | Supported |
| ACL | Supported | Not supported | Not supported |
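Why the Out-of-State module needs the visibility described on slides 42 and 43, shown as an added Python example; this is constructed illustration code, not Check Point's or the DDoS Protector's implementation. A minimal per-flow TCP state machine is fed only with the packets the appliance actually sees under each symmetry mode. The session, the pattern of packets that the example "mesh" topology routes around the appliance, and the state machine itself (in particular, accepting a client ACK straight after its SYN when no SYN-ACK was seen) are assumptions chosen for the example.

```python
"""Per-flow state tracking under three traffic-symmetry modes (constructed example,
not DDoS Protector code): shows why an out-of-state check needs to see the handshake."""
from enum import Enum


class Visibility(Enum):
    SYMMETRIC = "symmetric"                   # both directions traverse the appliance
    INGRESS_ONLY = "asymmetric ingress only"  # only client->server packets traverse it
    MESH = "asymmetric mesh"                  # some packets in each direction bypass it


# Constructed: one legitimate client session in wire order. The third element marks
# packets that the example mesh topology routes around the appliance.
SESSION = [
    ("client", "SYN", True),
    ("server", "SYN-ACK", False),
    ("client", "ACK", False),
    ("client", "GET / HTTP/1.1", False),
    ("server", "HTTP/1.1 200 OK", True),
]


class FlowTracker:
    """Minimal TCP state for a single flow, advanced only by packets the appliance sees."""

    def __init__(self):
        self.state = None   # None -> SYN_SENT -> SYN_RECEIVED -> ESTABLISHED

    def inspect(self, direction: str, pkt: str) -> str:
        """Return 'ok' when pkt is consistent with the tracked state, else 'out-of-state'."""
        s = self.state
        if direction == "client" and pkt == "SYN" and s is None:
            self.state = "SYN_SENT"
            return "ok"
        if direction == "server" and pkt == "SYN-ACK" and s == "SYN_SENT":
            self.state = "SYN_RECEIVED"
            return "ok"
        if direction == "client" and pkt == "ACK" and s in ("SYN_SENT", "SYN_RECEIVED"):
            # From SYN_SENT this is the ingress-only case: the SYN-ACK never passes the
            # appliance, so the client's ACK is accepted on the strength of its earlier SYN.
            self.state = "ESTABLISHED"
            return "ok"
        if s == "ESTABLISHED" and pkt not in ("SYN", "SYN-ACK"):
            return "ok"   # data in either direction on an established flow
        return "out-of-state"


def seen_by_appliance(mode: Visibility, direction: str, bypasses_in_mesh: bool) -> bool:
    """Which packets the appliance observes under each symmetry mode."""
    if mode is Visibility.SYMMETRIC:
        return True
    if mode is Visibility.INGRESS_ONLY:
        return direction == "client"
    return not bypasses_in_mesh


def inspect_session(mode: Visibility) -> list:
    """Run the session through the tracker under one visibility mode; returns
    (packet, verdict) pairs with verdict 'ok', 'out-of-state' or 'not seen'."""
    tracker = FlowTracker()
    verdicts = []
    for direction, pkt, bypass in SESSION:
        if not seen_by_appliance(mode, direction, bypass):
            verdicts.append((pkt, "not seen"))
            continue
        verdicts.append((pkt, tracker.inspect(direction, pkt)))
    return verdicts


def false_out_of_state(mode: Visibility) -> int:
    """Legitimate packets an out-of-state protection would wrongly drop under this mode."""
    return sum(v == "out-of-state" for _, v in inspect_session(mode))


if __name__ == "__main__":
    for mode in Visibility:
        print(mode.value, inspect_session(mode), "false out-of-state:", false_out_of_state(mode))
```

Under symmetric visibility every packet of the session is consistent with the tracked state, and under ingress-only visibility the tracker still copes because it sees the client's SYN before its ACK, which matches the table's "Supported" entries. In the mesh case the SYN bypasses the appliance, so the SYN-ACK, ACK and GET of a perfectly legitimate session all arrive with no flow state behind them and are flagged out-of-state; a module that dropped them would break real sessions, which is why the table lists Out of State as not supported for the asymmetric mesh.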
44. Placement of the DDoS Protector™
Place the DDoS Protector™ at the perimeter to protect as many network and IS elements as possible.

45. Placement of the DDoS Protector™: In-line or Out of Path
Main changes from a traditional inline deployment:
– Detection (in most OOP deployments) is not performed by the DDoS Protector™
– No peace-time learning
– Traffic is diverted towards the DDoS Protector™ only upon attack detection
– The DDoS Protector™ is an active component in the network that communicates with the other routers in the network
– Mitigation is performed only after traffic has been diverted to the DDoS Protector™

46. Out of Path Diversion Process

47. Out of Path Solution Building Blocks
Detection:
• SDN-based detection (DefenseFlow)
• Inline DefensePro detection
• 3rd-party-based detection
Mitigation:
• Local mitigation (perimeter)
• Central mitigation (scrubbing center)
• Volume-dependent (inline + scrubbing center)
OOP controller:
• DefenseFlow controller
• Script-based
• Manual (SOC)
48. Summary

49. Integrated Security Management
Unified logs and monitoring, and unified reporting: leverage SmartView Tracker, SmartLog and SmartEvent for historic and real-time security status.

50. Help Is Just a Call Away...
• Check Point DDoS solutions include access to DDoS specialists when under attack
• This is included in the support contract
• You are not alone: Check Point can help you

51. Check Point Can Help You: Check Point Incident Response Team

52. Summary
• Customized multi-layered DDoS protection
• Ready to protect in minutes
• Integrated with Check Point Security Management
• Blocks DDoS attacks within seconds

53. Thank You!