
APSolute Immunity with DefensePro 4.10 October, 2008

APSolute Immunity with DefensePro 4.10, October 2008. Adi Sprachman, DefensePro Product Manager. Agenda: DefensePro APSolute Immunity; how to run a successful POC with DefensePro 4.10; Evaluation Guide; BDoS RT Monitoring; Non-Vulnerability Threats; HTTP Mitigator; Anti Scanning.



Presentation Transcript


  1. APSolute Immunity with DefensePro 4.10, October 2008. Adi Sprachman, DefensePro Product Manager

  2. Agenda • DefensePro APSolute Immunity • How to run a successful POC with DefensePro 4.10 • Evaluation Guide • BDoS RT Monitoring • Non-Vulnerability Threats • HTTP Mitigator • Anti Scanning • Signature Protection • Summary

  3. APSolute Immunity

  4. The Solution: DefensePro APSolute Immunity

  5. The Solution: DefensePro APSolute Immunity (diagram of the APSolute Immunity Engine). Components shown: Network Behavioral Analysis, Server Behavioral Analysis, Client Behavioral Analysis, Automatic Real-time Signatures, Vulnerability Research Center, Static Signatures, Protocol Anomaly & Rate Limit

  6. How to run a successful POC with DefensePro 4.10

  7. Demonstration Tools
  • Evaluation guide is available on the web at: http://www.radware.com/content/document.asp?_v=about&document=7586
  • Attack Tool, a simple tool to demonstrate DefensePro features: http://www.radware.com/content/document.asp?_v=about&document=7827

  8. Test Environment

  9. BDoS Attack

  10. DoS/DDoS Illustration, TCP RST flood case (diagram): the attacker sends a BOT command through an IRC server to DoS bots (infected hosts), which send TCP RST packets over the Internet to the public web servers

  11. DoS/DDoS Illustration, TCP RST flood case (same diagram), Standard IPS Approach
  • Rate limit thresholds
  • Block legitimate traffic during attack mitigation
  • High volume (flash crowd) legitimate traffic is detected as attack!
  • Require manual tuning and configuration of thresholds

  12. DoS/DDoS Illustration, TCP RST flood case (same diagram), APSolute Immunity Approach
  • Behavioral Pattern Detection (1): detects rate increase of TCP RST packets
  • Behavioral Pattern Detection (2): identifies abnormal ratio of TCP RST packets to other TCP flags
  • Real Time Signature: block TCP RST packets matching specific packet parameters

  13. Generating a Real Time Signature (closed-feedback diagram; attack's footprint detection takes about 10 seconds; Time [sec] axis marks 0, 10, 18; inbound traffic, filtered traffic and outbound traffic shown between the Public Network and the LAN)
  • Learning: RT statistics (PPS, bandwidth, protocol type distribution [%], TCP flags (SYN, FIN, RST, ...) distribution [%], inbound/outbound traffic [ratio], ...) feed the Fuzzy Logic Engine, which drives the Blocking Rules
  • Degree of Attack = High: an initial signature is generated (Packet ID) and mitigation starts
  • Mitigation optimization process with closed feedback from RT statistics: Signature Optimization: Packet ID AND Source IP; then Packet ID AND Source IP AND Packet size; then Packet ID AND Source IP AND Packet size AND TTL
  • Degree of Attack = Low is positive feedback; Degree of Attack = High is negative feedback; the final signature uses the narrowest filters (Packet ID, Source IP Address, Packet size, TTL (Time To Live))
  • Attack characteristics available: Source/Destination IP, Source/Destination Port, Packet size, Type of Service, TTL (Time To Live), DNS Query, DNS ID, Packet ID, TCP sequence number, Fragment offset, more ... (up to 20)
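The closed-feedback narrowing described on this slide, modelled as an added Python example (not Radware's code or algorithm): the signature starts from the dominant value of the first parameter and ANDs in the next one only while the flood stays mitigated. The packet field names, the constructed sample, the baseline rate and the "residual rate at or below baseline means degree of attack low" rule are assumptions.

```python
from collections import Counter

# Constructed RST packets sampled in one second: 5 legitimate resets plus a
# 45-packet flood from one bot. Field names are assumed for this example.
LEGIT = [{"src_ip": f"10.0.0.{i}", "packet_id": 1000 + i, "size": 60, "ttl": 64 - i % 3}
         for i in range(5)]
FLOOD = [{"src_ip": "203.0.113.9", "packet_id": 7777, "size": 40, "ttl": 120 + i % 2}
         for i in range(45)]
TRAFFIC = LEGIT + FLOOD
BASELINE_RST_PPS = 8                               # learned normal RST rate (assumed)
PARAMS = ["packet_id", "src_ip", "size", "ttl"]    # optimisation order from slide 13

def matches(pkt, signature):
    """A packet matches when every field in the signature has the same value (AND)."""
    return all(pkt.get(k) == v for k, v in signature.items())

def residual_pps(traffic, signature):
    """Packets per second that would survive the blocking rule."""
    return sum(1 for p in traffic if not matches(p, signature))

def build_signature(traffic, baseline_pps, params=PARAMS):
    """Simplified closed-feedback loop: accept each narrower signature only while
    the residual rate stays at or below the baseline (degree of attack low);
    stop at the first parameter whose value split would let the flood through."""
    if len(traffic) <= baseline_pps:
        return {}                                  # no anomaly, no signature
    signature = {}
    for param in params:
        footprint = [p for p in traffic if matches(p, signature)]
        value, _ = Counter(p[param] for p in footprint).most_common(1)[0]
        trial = dict(signature, **{param: value})
        if residual_pps(traffic, trial) <= baseline_pps:
            signature = trial                      # positive feedback: keep narrowing
        else:
            break                                  # negative feedback: stop here
    return signature

if __name__ == "__main__":
    sig = build_signature(TRAFFIC, BASELINE_RST_PPS)
    print("real-time signature:", sig, "residual pps:", residual_pps(TRAFFIC, sig))
```

With the sample above the loop accepts Packet ID, Source IP and Packet size but stops at TTL, because the bot alternates between two TTL values and a TTL filter would let half the flood through.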

  14. Launch a Network Flood Attack (BDoS real-time monitoring screen)
  • Monitor your entire network through one full view
  • Zoom in to the attack behavior
  • Monitor the lifecycle of the attack and the protection's state
  • This is a pure attack case, so the ratio of attack to other packets is 1
  • Rate-based information and rate-invariant information yield the Degree of Attack (screen values: 10, 1.0, 10)

  15. Automatic Real Time Signatures: DoS Anomaly (screenshot: DoS Anomaly, Automatic Real-time Signature)

  16. DoS/DDoS Illustration, Flash Crowd case, APSolute Immunity Approach (diagram: legitimate users send legitimate requests over the Internet to the public web servers)
  • Behavioral Pattern Detection (1): detects rate increase of SYN packets
  • Behavioral Pattern Detection (2): no abnormal ratio of SYN packets to other protocols
  • APSolute Immunity: no real time signature is generated, no user will be blocked!

  17. False Positive Prevention (monitoring screen; values shown: 0.117647, 6, 0.18)
  • Protection state is normal: no attack was detected
  • Rate is higher than the Attack Edge
  • Degree of Attack is low
  • Rate Invariant is less than Baseline

  18. Non-Vulnerability Threats Demonstration

  19. Non-Vulnerability Threats
  • What is a non-vulnerability threat? The attack uses legitimate application services for malicious activity; each attack session behaves like a legitimate user transaction; it cannot be detected through a static signature because the attack does not exploit a vulnerability in the application
  • Threat examples: Spam, Phishing, Brute Force, Network & Application Flooding, etc.

  20. HTTP Mitigator

  21. Real-Time Signatures: HTTP Flood Example. Case: HTTP Page Flood Attack (diagram: the attacker sends a BOT command through an IRC server to HTTP bots (infected hosts), which send GET /search.php HTTP/1.0 requests over the Internet to the public web servers, misusing service resources)
  • Behavioral Pattern Detection (1): based on probability analysis, identify which web page (or pages) has higher than normal hits
  • Behavioral Pattern Detection (2): identify abnormal user activity; for example, normal users download few pages per connection, abnormal users download many pages per connection
  • Real Time Signature: block abnormal users' access to the specific page(s) under attack

  22. Real-Time Signatures: HTTP Flood Example. Case: Flash Crowd Access (diagram: legitimate users send GET /search.php HTTP/1.0 requests over the Internet to the public web servers)
  • Behavioral Pattern Detection (1): based on probability analysis, identify which web page (or pages) has higher than normal hits
  • Behavioral Pattern Detection (2): no detection of abnormal user activity
  • APSolute Immunity: alert on abnormal Web hits; no real time signature is generated; no user will be blocked!

  23. Baseline Parameters
  • Rate Based Parameters: Server Characteristics: (GET+POST)/sec, (Other Request Types)/sec, Outbound Bandwidth per sec; User Characteristics: (GET+POST)/Source/sec, (GET+POST)/Connection
  • Rate Invariant Parameters: URI Size Distribution, In/Out Ratio

  24. HTTP Rate Based Anomaly (monitoring screen: real time GET/POST requests against their baseline, real time requests per source against their baseline)
  • An abnormal rate of GET/POST requests has been detected
  • An abnormal rate of requests per source has been detected

  25. HTTP Rate Invariant Anomaly (monitoring screen: real time URI size distribution against the baseline of URI size distribution)

  26. Mitigation (attack log line, attack info). Real Time Signature: 192.168.15.200|/accounts12/accounts.html. Only requests from this IP address to the attacked URI will be blocked. Use a legitimate client from another IP address to access this page.
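An added Python example (not the HTTP Mitigator's code) of the two patterns from slides 21 to 26: per-page hit probability against a learned baseline, (GET+POST)/Connection per source, and a per-(source, URI) signature in the `ip|uri` form of the slide 26 log line only when both patterns fire, so the flash-crowd case of slide 22 produces an alert but no signature. The request records, the connection ids and the threshold factors are constructed assumptions.

```python
from collections import Counter

# Constructed request records: (source IP, connection id, URI). Field names are
# assumed; the attacked URI and the blocked source come from the slide 26 log line.
BASELINE_REQUESTS = [
    ("10.0.0.1", "c1", "/index.html"), ("10.0.0.1", "c1", "/about.html"),
    ("10.0.0.2", "c2", "/index.html"), ("10.0.0.2", "c2", "/accounts12/accounts.html"),
    ("10.0.0.3", "c3", "/index.html"), ("10.0.0.3", "c4", "/contact.html"),
]
PAGE_FLOOD = BASELINE_REQUESTS + [
    ("192.168.15.200", "c9", "/accounts12/accounts.html")] * 30   # one bot, one connection
FLASH_CROWD = BASELINE_REQUESTS + [
    (f"10.0.1.{i}", f"f{i}", "/accounts12/accounts.html") for i in range(30)]

def uri_shares(requests):
    """Probability of each URI among all requests in the window."""
    counts = Counter(uri for _, _, uri in requests)
    return {uri: n / len(requests) for uri, n in counts.items()}

def requests_per_connection(requests):
    """(GET+POST)/Connection, keyed by (source, connection id)."""
    return Counter((src, conn) for src, conn, _ in requests)

def learn_baseline(requests):
    per_conn = requests_per_connection(requests)
    return {"shares": uri_shares(requests),
            "per_conn": sum(per_conn.values()) / len(per_conn)}

def analyse(requests, baseline, hit_factor=3.0, conn_factor=3.0, floor=0.05):
    """Pattern (1): a URI whose share exceeds hit_factor x its baseline share (or a
    small floor for unseen pages) has abnormal hits. Pattern (2): a source with more
    requests on one connection than conn_factor x the baseline is an abnormal user.
    Signatures are emitted only for abnormal sources hitting attacked URIs."""
    shares = uri_shares(requests)
    attacked = sorted(uri for uri, share in shares.items()
                      if share > hit_factor * max(baseline["shares"].get(uri, 0.0), floor))
    abnormal = {src for (src, _), n in requests_per_connection(requests).items()
                if n > conn_factor * baseline["per_conn"]}
    signatures = sorted({(src, uri) for src, _, uri in requests
                         if src in abnormal and uri in attacked})
    return {"attacked_uris": attacked, "signatures": signatures}

def log_line(src, uri):
    """Attack-info format shown on slide 26: ip|uri."""
    return f"{src}|{uri}"
```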

  27. Anti Scanning Protections

  28. Self Propagating Network Malware (diagram: malware spreads by network scanning from a 1st infected computer to a 2nd and a 3rd infected computer and onward)
  • Standard IPS Approach: no signature for new malware; rate limit thresholds; quarantine legitimate users and servers during attack mitigation; unable to detect slow spreading activities; require manual configuration and tuning of thresholds
  • APSolute Immunity Approach: detect accurate attack pattern; automatic generation of real time signature; block attack traffic only

  29. Connection Score, TCP Example (one connection flow between User and Server: SYN, SYN+ACK, ACK, PSH+ACK, ACK, PSH+ACK, ACK, FIN+ACK, ACK, FIN+ACK, ACK; a Reset or no reply ends the flow early). Single Connection Score scale marks shown: 1, 2, 3, 4, 6

  30. Visualization of the Problem, Legitimate Case (User/Source Distribution Space: Connection behavioral score per Port/IP; the example source completes SYN, SYN+ACK, ACK and PSH+ACK exchanges with 199.200.1.6 port 80, 199.200.1.3 port 21 and 199.200.1.4 port 25)
  • "Normal" Distribution: Narrow Width (few connections), High Height ("good" stateful behavior per connection)

  31. Visualization of the Problem, "Pure" Scan Case (User/Source Distribution Space: Connection behavioral score per Port/IP; SYNs to port 25 on 199.200.1.1 through 199.200.1.8, answered by RST or not at all)
  • "Abnormal" Distribution: Broad Width ("many" connections), Low Height ("bad" stateful behavior per connection)

  32. Detection of Self-Propagating Malware
  • User/Source Distribution Space (Connection behavioral score per Port & IP): "Normal" distribution versus "Abnormal" distribution
  • Width, Average Height and others... yield the Degree of Attack
  • Decision-Making: Normal, Suspect, Attack
  • Mitigation: Automatic RT Signatures
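The connection score of slide 29 and the width/height decision of slides 30 to 32, as an added Python example that is not Radware's implementation: each connection is scored by how far the TCP exchange progressed, each source gets a width (distinct IP/port targets) and an average height, and a decision rule classifies it. The scoring scale, the sample connections in the 10.0.0.0/8 range and the width/height thresholds are assumptions; the 199.200.1.x targets and ports are the ones drawn on the slides.

```python
from collections import defaultdict

# Expected stages of one well-behaved TCP connection, in order (scores are an
# assumption for this example; slide 29 shows the scale without fixed values).
TCP_STAGES = ["SYN", "SYN+ACK", "ACK", "PSH+ACK", "FIN+ACK", "ACK"]
FULL_FLOW = ["SYN", "SYN+ACK", "ACK", "PSH+ACK", "ACK", "PSH+ACK",
             "FIN+ACK", "ACK", "FIN+ACK", "ACK"]

# Constructed connection records: (source, (destination IP, port), flags seen).
SAMPLE = [("10.0.0.5", ("199.200.1.6", 80), FULL_FLOW),
          ("10.0.0.5", ("199.200.1.3", 21), FULL_FLOW),
          ("10.0.0.5", ("199.200.1.4", 25), FULL_FLOW)]          # legitimate user
SAMPLE += [("10.0.0.99", (f"199.200.1.{i}", 25), ["SYN", "RST"])
           for i in range(1, 9)]                                 # port-25 scanner
SAMPLE += [("10.0.0.7", ("199.200.1.6", 80), ["SYN"])] * 2      # two unanswered SYNs

def connection_score(flags):
    """Height of one connection: how many expected stages were reached in order.
    A reset ends the count; a lone SYN with no reply scores 1."""
    score = 0
    for flag in flags:
        if flag == "RST":
            break
        if score < len(TCP_STAGES) and flag == TCP_STAGES[score]:
            score += 1
    return score

def source_profile(connections):
    """Per source: (width = distinct IP/port targets, height = mean connection score)."""
    per_src = defaultdict(list)
    for src, target, flags in connections:
        per_src[src].append((target, connection_score(flags)))
    return {src: (len({t for t, _ in items}), sum(s for _, s in items) / len(items))
            for src, items in per_src.items()}

def decide(width, height, max_width=5, min_height=3.0):
    """Assumed decision rule for slide 32: broad and low is an attack,
    only one of the two is suspect, otherwise normal."""
    broad, low = width > max_width, height < min_height
    if broad and low:
        return "attack"
    return "suspect" if (broad or low) else "normal"

if __name__ == "__main__":
    for src, (width, height) in source_profile(SAMPLE).items():
        print(src, width, height, decide(width, height))
```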

  33. Real Time Signature (screenshot): malware is blocked, the user is not quarantined

  34. Signature Protection

  35. Signature Protection: over 2000 vulnerabilities covered
  • Server based intrusions: Web vulnerabilities, SMTP server intrusions, FTP server intrusions, SIP server intrusions, SQL server intrusions, DNS server intrusions, ...
  • Worms & Viruses; Trojans & Backdoors; Client side vulnerabilities; Phishing; SIP Anomalies; IRC bots; Spyware; Anonymizers; Protocol anomalies; IPv6 attacks; SSL based attacks

  36. Summary

  37. APSolute Immunity Value
  • Full Protection against: Non-vulnerability based threats; Zero-minute attacks; SSL based attacks; VoIP service threats
  • Provides OPEX Reduction: "Hands-off" security features (minimum configuration and "maintenance-free") through automatic real-time protection; seamless integration into the network environment, no modification of network settings (transparent device)
  • Business Continuity: maintain critical application availability even under attack; block attacks without blocking legitimate user traffic

  38. APSolute Immunity Differentiators
  • The only solution providing automatic real-time signatures on top of full standard IPS capabilities
  • Real time protection from non-vulnerability based threats, zero-minute attacks, SSL based attacks and VoIP service threats
  • Protection from old attacks without performance penalty
  • The most accurate detection and prevention of new & emerging threats

  39. NSS Report 2008 Highlights
  • "This level of performance is extremely impressive, and is achieved with virtually no end-user configuration"
  • "Under eight hours of extended attack it continued to block 100 per cent of attack traffic, while passing 100 per cent of legitimate traffic. There was almost no increase in user response times as we placed the device under increasing loads of DoS traffic – this is an outstanding feat."
  • "At the other end of the scale, all of the 'low and slow' attacks were detected relatively quickly and also mitigated completely. ... It would appear to be very difficult to evade this device ... thanks to the fuzzy logic mechanism employed to compare 'normal' vs. 'abnormal' traffic."
  • "Radware has done a good job ... making this one of the best Attack Mitigator devices we have seen in our labs to date."
  • "Overall we found the DefensePro 1020 to be a robust and capable Attack Mitigator and believe that it should be on any short list as a candidate for a mitigation solution on the network perimeter."
