1. Modern DDoS and
DDoS SSL Attacks
Michael Soukonnik
Radware FSU
November 2012

2. DDoS – regular service ?
Slide 2

3. Legends vs. Reality

4. Size does not matter!
• Reality:
– Most organization may never experience an intense attack
– Less intensive application attacks can cause more damage than network
attacks
76 percent of the
attacks surveyed were
under 1Gbps
Slide 4

5. Are we really protected from DDoS?
30%
27%
24%
Internet link
Stateful devices are
is saturated
vulnerable to DDoS
(27% of the 8%
(36% of the attacks) 5%
attacks) 4%
Slide 5

6. 1 fail is enough!
Large-volume network flood attacks
Network scan
Intrusion
Port scan
Radware security incidents report 2011: SYN flood attack
• More than 70% of Radware reported cases in 2011 (e.g., Sockstress)
“Low & Slow” DoS attacks
involved at least 3 attack vectors
Application vulnerability, malware
• Attackers use multi-vulnerability attack campaigns
making mitigation nearly impossible and slow Application DoS attacks
High
Web attacks: XSS, Brute force
Web attacks: SQL Injection
Slide 6

7. Network Attack and Application Attack Coexist
Slide 7

8. Mapping Security Protection Tools
DoS Protection
Behavioral Analysis Large volume network flood attacks
IPS
IP Rep. Network scan
WAF Intrusion
Port scan
SYN flood attack
“Low & Slow” DoS attacks (e.g.Sockstress)
Application vulnerability, malware
High and slow Application DoS attacks
Web attacks: XSS, Brute force
Web attacks: SQL Injection
Slide 8

9. Radware answers
-
Attack Mitigation System (AMS)

10. Network & data center security: mapping the
technologies
DefensePro
 Dynamic signature in 18 sek !!!
 IPS
 DoS Protection
 NBA
 Anti Trojan, Anti Phishing
IPS DoS Protection NBA Reputation
Signature Engine
Signature Detection User
Detection Behavioral
Behavioral Analysis Anti Trojan,
Stateful Analysis Anti Phishing
Inspection Application
Rate-based Behavioral
Rate-based Analysis
SYN Cookies

11. AMS Protection Set
DoS Protection
• Prevent all type of Reputation Engine
network DDoS attacks • Financial fraud
protection
• Anti Trojan & Phishing
IPS
• Prevent application
vulnerability exploits
NBA
WAF
• Prevent application
• Mitigating Web resource misuse
application threats
• Prevent zero-minute
and zero-day attacks
malware
Slide 11

12. The Competitive Advantage: Performance Under Attack
Attack traffic does Device handles attack
12 Million not impact traffic at the expense
PPS legitimate traffic of legitimate traffic!
Attack
Traffic
Attack
Attack
Multi-Gbps Multi-Gbps
Capacity Capacity
Attack
Legitimate Legitimate
Traffic
Traffic Traffic
+ Attack
DefensePro Other Network Security Solutions
Slide 12

13. NY Stock Exchange Under Attack – Multi Vector Attack
Uniquely capable to withstand the sophistication and scale of recent attacks
Attack Vector Dates (~) Attack Peak Protection Mechanisms
Fragmented UDP Flood Low & slow 11/10/2011 1 AM
10/10/2011 11PM- 95 Mbps BDoS
10K PPS DoSS
LOIC UDP
And Intrusions…
10/10/2011 4 AM 50 Mbps BDoS
10/10/2011 8 PM- 11 PM 5K PPS Signatures
DoSS
TCP SYN Flood 11/10/2011 1:40 PM 13.6 Mbps BDoS
24K PPS DoSS
R.U.D.Y 10/10/2011 4 PM 2.1 Mbps Signature
0.7K PPS
LOIC TCP 10/10/2011 11 PM- 11/10/2011 3:30 AM 500 Kbps Signatures
0.2K PPS
Mobile LOIC 10/10/2011 6 PM- 8:30 PM 86 Kbps Signature
13 PPS
#RefRef 10/10/2011 9:45 PM Few packets Signature
Slide 13

14. Network Attack and Application Attack Coexist
Slide 14

15. SSL Attacks
SSL services are extremely vulnerable to DDoS attacks
• SSL Handshake Flood
Establishing a secure connection requires 15 times more processing on the
server than on the client, opening multiple sessions quickly exhaust the server’s
resources
• SSL Renegotiation Flood
Client asks for key replacement during existing session, similar effect on the
server, could be blocked on the server side.
Popular since the release of THC-SSL-DOS last October
• HTTPS Flood
Exhausting the web application running on top of the secure session
Slide 15

16. Leading Israeli bank under attack
December 11, 2011

17. Israeli Bank: Course of Events
15:05 PM- Attack Starts
HTTPS Flood
• 167 attackers open up to 70 SSL sessions per second
• Established sessions contains HTTP requests for the secure login page
GET /InternalSite/CustomUpdate/eBank_Login.asp
• Constant User-Agent: wget
Attack Peak Measurements
• Service became unavailable in seconds
•200 Mbps
•360K Concurrent Connections
15:22 PM- ERT Initiated •1100 CPS
16:10PM- Attack blocked, service revived
• ODS-3 deployed on-site, no SSL protection
• High rate allows easy identification of attackers
• Custom Signature suspend sources sending more than 5 “SSL Client
Hello” per second
Slide 17

18. AMS Encrypted Attack Mitigation
Solution

19. AMS Encrypted Attacks Mitigation
Application “cookie” L7 ASIC Regex
engines engine
Once anTraffic Anomalies
attack is detectedNetwork-Based 3 main security actions that are done on each
there are DoS Application-Based DoS “Directed” Application DoS
client who tries to connect to the protected server(s): and SSL) Attacks (Clear and SSL)
Floods Attacks Attacks (Clear
Clear Attack Protection – DefensePro “authenticates” the source through a “safe-reset
SYN Clear
cookie” mechanism, verifying the validity of the source IP and its TCP/IP stack.
HTTP Signature– DefensePro receives the decrypted 1st HTTP client request from the
“Authenticated”
Encrypted engine and applies application layer signatures. This is done in order to Encrypted
SSL clients
remove the “Directed HTTP DoS attacks” that can only be mitigated by pre-defined
or custom signatures.
Packet anomalies, Behavioral DoS &
Encrypted
Black & white lists TCP cookie engines
Clear
Web Cookie Challenge – In case the client “passes” the HTTP filter check, DefensePro
generates a Web cookie challenge (302 or JS challenge) that is encrypted and
returned to the client by the Alteon SSL engine. Client responses are decrypted
Client-side
termination point
and sent to the DefensePro, which validates the response. A client that responds
correctly is “authenticated” (application level “authentication”) and forced to open
Alteon’s SSL SSL certificates,
a new connection directly to the protected server.
Acceleration Engine not used for legal sessions
Slide 19

20. AMS Encrypted Attacks Mitigation
AMS- Protecting the HTTPS service
Attack Target Protection
Network Floods TCP Service SYN Cookies
BDoS
SSL Floods SSL Service Signatures
SSL Mitigation*
Application Floods Web Service SSL Mitigation
Signatures
* SSL Mitigation expands the resources- Alteon can handle up to 45K
SSL sessions
• Banks and other financial institutions not able to export certificate
(MSSP and such)
• Unique solution that requires two devices, will be merged in the future
to 1 box
Slide 20

21. Sample of AMS Security Customers
Financial Services Retail Services
Government, Healthcare & Education Carrier & Technology Services
Slide 22

22. Summary
• Radware AMS protects against all types of DDoS attacks and application attacks
• Radware AMS first of all enables legal users to work under attack
• AMS can protect against SSL DDoS without using legal SSL certificates
• AMS works automatically – within 18 seconds from an attack raise dynamic signature
starts to work against the attack. No human interference usually required
• In case of very complicated attack Radware Emergency Response Team
can be involved on line
• ERT enables counter attack against DDoS sources
Slide 23

23. Thank You
www.radware.com