Sample Presentation Title Placed Here Presentation Author … · 2016-03-16 · DefensePro...
APDoS: Advanced Persistent Denial-of-Service Attacks
Radware Taiwan
Benson Chen
DoS/DDoS has an APT too???
https://en.wikipedia.org/wiki/Denial-of-service_attack#Distributed_attack
How do standard DDoS and APDoS differ??
Standard DDoS:
• Layer 4 attacks mostly use high-rate or slow-rate traffic to overwhelm network devices, while Layer 7 attacks mostly use high-rate requests to bring application services to a halt
• Layer 4 or Layer 7 attacks mostly target known IPs and services
• Uses different kinds of Layer 4 or Layer 7 attacks measured in Mbps, PPS or CPS
APDoS:
• Includes the common standard DoS/DDoS attacks
• Continuously learns about and reconnoiters (by decoying and probing) different useful information, for example: valid IPs, protection devices, the L7 challenge method, the behavioral calculation method, the threshold calculation method or the byte limiting method
• Attacks continuously and crafts one or more different attack methods, looking for a way to bypass the protection devices. The attack may last a week, a month or longer
Large-bandwidth attack
Standard DDoS attack
APDoS: continuous learning, reconnaissance and attack
[Diagram: Internet Pipe, Firewall/UTM, Load Balancer/ADC, Server, SQL Server; targets include IPS/IDS/WAF/Virus Wall, API and Cloud Service, Service, Encryption and App parameters, IP Address. Stages: Standard DoS/DDoS leading to Overload/Bypass; Auto-Learning DoS/DDoS met with Behavioral Challenge Bypass and Byte/Threshold Challenge Bypass.]
Know yourself, improve your protection capability
Layer 4 Attack
• Architecture:
– Asymmetric or Symmetric
• Behavioral algorithm:
– The protection algorithm
– How long until protection takes effect
– False-positive rate and protection rate
– Which attack types can be protected against
– How many can be protected against simultaneously
• Limits of stateful and stateless devices:
– Which in-line devices are stateful and which are stateless?
– False-positive rate and protection rate
– Threshold/byte accuracy
• Bandwidth limits:
– How much attack bandwidth causes saturation
– How long a bandwidth upgrade or a scrubbing service takes to provision
• External router capacity:
– The capacity the router can handle for different kinds of Layer 4 attacks
• Server capacity:
– The capacity the router can handle for different kinds of Layer 4 attacks
Layer 7 Attack
• Limits of the security protection:
– Under what conditions the protection device overloads or bypasses
– False-positive rate and protection rate
– Threshold/byte accuracy
– The attack sampling method
• L7 challenge types and methods:
– How many challenge types and algorithms there are
– How long until protection takes effect, and whether it is easy to bypass
– Whether the challenge affects the service
– Which services can be protected (HTTP/HTTPS/DNS....)
– If the challenge fails, are there other protection methods?
• Server/business state:
– Are any services encrypted or using APIs?
– Which services cannot be interrupted?
– What is the client connection flow, and which devices need protection?
– ADC-related applications??
– What load can the backend DB handle?
Radware Attack Mitigation System/Service
Our Track Record
Global Technology Partners
Over 10,000 Customers
[Chart: Company Growth, USD Millions, 2002-2014]
Our Behavioral protection: 3rd-party certification & Gartner
Multi-vector attacks target all layers of the infrastructure
Radware AMS flexible solution
[Diagram: Internet Pipe, Firewall, Load Balancer/ADC, Server Under Attack, SQL Server. Threats: large volume network flood attacks, SYN floods, network scan, "Low & Slow" DoS attacks (e.g. Slowloris), HTTP floods, SSL floods, app misuse, brute force, XSS, CSRF, SQL injections. Protections: cloud DDoS protection, DoS protection, behavioral analysis, IPS, WAF, SSL protection.]
DefensePro multi-layer protection
Behavioral-based protections
DME (DDoS Mitigation Engine)
L7 Regex Acceleration
ASIC, multi-purpose multi-core CPUs & Reputation Engine
Hardware Architecture – Tailored for Attack Mitigation
Let auto-learning protection become your real helper: Layer 4 Attack
[Diagram: TCP Flag Distribution Analysis (0-100%) and Rate Analysis distinguish a Flash Crowd from an RST Flood Attack. Rate/Rate-Invariant Behavioral Technology and Real Time Signature Technology form a closed feedback loop: Initial Filter at 0 sec, Start Mitigation within 10 sec, Final Filter at 10+X sec. Best Detection Accuracy, Best Mitigation Accuracy, Best Time to Protection.]
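As an added illustration (not Radware's code or the actual DefensePro algorithm), the following Python toy applies the two checks the slide names, rate analysis and rate-invariant TCP flag distribution analysis, to constructed one-second windows of TCP flag counts; the baseline values and thresholds are assumptions.

```python
from collections import Counter

# Constructed "learned" baseline: normal packets/second and the normal
# share of each TCP flag. A real system learns these; here they are fixed.
BASELINE_PPS = 1_000
BASELINE_DIST = {"SYN": 0.10, "ACK": 0.80, "FIN": 0.05, "RST": 0.05}
RATE_FACTOR = 3.0   # rate check: window rate above 3x baseline is "high"
DIST_DELTA = 0.25   # distribution check: one flag's share up by >25 points

def flag_shares(counts):
    """Rate-invariant view of a window: fraction of packets per TCP flag."""
    total = sum(counts.values())
    if total == 0:
        return {flag: 0.0 for flag in BASELINE_DIST}
    return {flag: counts.get(flag, 0) / total for flag in BASELINE_DIST}

def classify_window(counts, window_sec=1.0):
    """Combine rate analysis and flag-distribution analysis for one window.

    Returns (verdict, dominant_flag). A high rate with a normal flag mix is a
    flash crowd; a high rate with one flag's share far above baseline is a
    flood of that flag (the basis for a real-time signature on that flag).
    """
    pps = sum(counts.values()) / window_sec
    shares = flag_shares(counts)
    # Flag whose share grew the most compared with the learned baseline
    flag, delta = max(
        ((f, shares[f] - BASELINE_DIST[f]) for f in BASELINE_DIST),
        key=lambda item: item[1],
    )
    rate_high = pps > RATE_FACTOR * BASELINE_PPS
    dist_skewed = delta > DIST_DELTA
    if rate_high and dist_skewed:
        return f"{flag} flood", flag
    if rate_high:
        return "flash crowd", None
    if dist_skewed:
        return f"{flag} skew at normal rate", flag
    return "normal", None

# Constructed one-second windows of TCP flag counts
NORMAL_WINDOW = Counter(SYN=100, ACK=800, FIN=50, RST=50)
FLASH_CROWD_WINDOW = Counter(SYN=500, ACK=4000, FIN=250, RST=250)
RST_FLOOD_WINDOW = Counter(SYN=100, ACK=800, FIN=50, RST=9050)

if __name__ == "__main__":
    for name, window in [("normal", NORMAL_WINDOW),
                         ("flash crowd", FLASH_CROWD_WINDOW),
                         ("RST flood", RST_FLOOD_WINDOW)]:
        print(name, "->", classify_window(window))
```

The flash-crowd window has five times the baseline rate but the same flag mix, so only the rate check fires; the RST flood fires both checks and names the flag to filter on.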
Six different challenges help you identify the attackers
302 Redirect, Java, Advanced Java, Cloud Java and Active/Passive Challenge interactive services can verify user connections, providing more accurate and faster protection. Once a user turns out to actually be an attacking host, the management service drops it immediately, ensuring the quality and stability of backend services.
[Diagram, HTTP mitigation over time: Learning only → Detect & learn (attack detected by detection engines, learning stops) → Characterization state: detect suspicious sources, identify attack sources → Mitigation state: block HTTP traffic from attack sources → Attack termination → Detect & learn again.]
HTTP Mitigator automated protection technology
DNS automated protection mechanism
[Diagram: perimeter with DefensePro, DNS Firewall, IPS and Alteon. Stateless design ensures secure DNS delivery without compromising high performance and availability. Threats: flood attacks, server brute force. Properties: stateless compliance, Tier-1, statelessness, high performance, ensure availability.]
Layer 7 sampling technology
[Diagram: Volumetric FTP vulnerability attacks from an attacker against FTP servers; the attack source IP is suspended.]
Strengthen the security of your SSL applications
Fast deployment, fast protection
Lowest latency, highest performance
No need to hand over the real encryption key, keeping customer personal data confidential
Fully automatic, no manual intervention required
Radware DefenseSSL advanced protection
A unique SSL attack mitigation solution
Source fingerprinting system
Combining all the parameters together to obtain a unique identifier of the actual device, independent of the IP address. Parameters: browser plugins info, OS info, canvas info, fonts info, local network info.
Performance monitoring to ensure service quality
Datacenter Application Dashboard View: presents current and time-series application performance data in the datacenter in the left and right panes, respectively. Hovering over a transaction presents the volume and the %SLA and allows drilling down to the transaction details.
APSolute Vision helps IT staff manage more easily:
Flexibility: identify, classify and respond to attack events and risks in real time
Agility: real-time monitoring dashboards and historical reports per customer
Efficiency: simple management of data center devices
Improves IT productivity; centralized policy creation, management and distribution; more stable and faster policy deployment; full control while meeting regional management requirements
The simplest management
Emergency Response Team (ERT) – You’re not alone
Protecting against top attack campaigns
Emergency Response Team (ERT): 24x7 team of security experts for fast mitigation under attack
Distributed Mitigation – AMS
[Diagram: Traditional Protection and New Behavioral Protection separating Clean Traffic from Attack. Known DoS/DDoS tools: TCP layer attack, UDP layer attack, fragment attack, ICMP network attack, other IP floods, DNS attack, HTTP attack, SIP attack, SSL attack, low and slow attack, APDoS attack, connection attack, ....... Protection methods: signature detection, rate-based challenge, application behavioral analysis, network behavioral analysis, stateful inspection, SYN for ACK/Request.]
Thanks!