Presentation by Ignacio Berrozpe, of Check Point, at the XV Jornada de Seguridad TI (15th IT Security Day) of Nextel S.A., held at the Alhóndiga in Bilbao on Thursday, 27 June 2013.
How is this huge threat repository generated? The solution has multiple feeds of signatures, patterns and reputation. Some are Check Point proprietary; some are incorporated using inputs from other security vendors. Emerging threats: a global network of sensors to identify threats earlier and provide protections faster. Emulation: gateways can't handle it, it is too power consuming. Emulate files to identify hidden attacks and malware. Generate alerts and reports on the underlying threat risk and operation. The emulator creates a report which includes the network activity, disk access, registry access, processes which are created or killed, and more.
Introducing Check Point’s new Anti-Bot SW Blade to REVOLUTIONIZE BOT PREVENTION!
In this way, if one company is attacked with malware, it is instantly shared with ThreatCloud. A signature of the attack is added to the massive database, and is leveraged by all other companies. This shuts down the ability of an attack to spread over multiple companies.
Talk about the value of the Check Point SSL inspection integration
Hi, my name is XXXX and I am working as a XXX here at Check Point. It is an honor for me to be here today to talk about: how increasing numbers of organizations are affected by the DDoS phenomenon, and how organizations can protect themselves against these kinds of overload attacks. CLICK
A DoS attack is launched from a single source to overwhelm and disable the target service.A Distributed Denial-of-service (DDoS) attack is coordinated and simultaneously launched from multiple sources to overwhelm and disable a target service. These multiple attack sources are typically part of a "bot-net" (a network of compromised computers) and can be scattered across a region or around the globe. The botnet can act dynamically in terms of which bots are attacking a target at any given moment, making it very difficult to detect and block the attack.
DoS attacks have been used by all manner of organizations and groups to further their cause. Who are these groups and what are their motivations? Hacktivists are individuals or groups that are organized and motivated to make social and political points primarily through public IT disruption by leveraging DoS and other attack methods. From Wikipedia (1), "The term was first coined in 1996 by a member of the Cult of the Dead Cow hacker collective named Omega." If hacking as "illegally breaking into computers" is assumed, then hacktivism could be defined as "the use of legal and/or illegal digital tools in pursuit of political ends". In addition to social and political motivations, some believe that a small subset of hacktivists are actually tied to organized crime and use hacktivism as a diversion to facilitate stealing information for financial gain. Nation state driven DoS attacks, presumably sanctioned by one or more governments, are also conducted for many different reasons. These reasons are age old and obvious—from creating havoc and disrupting governmental operations, to good old fashioned spying and stealing national secrets. Note, however, that attacks that might appear as nation state driven can actually be unsponsored acts perpetrated by a few who are motivated to carry out acts under their own perception of patriotism. Conducting an attack for financial gain is a common denominator in the vast majority of the DoS attacks launched on governments and businesses alike. A for-hire DoS attacker can be paid to conduct a DoS attack against the buyer's competitor, thereby deriving financial gain for both the buyer and the attacker. In other cases the DoS attacks are merely a diversion for the actual objective, to steal information—personal records, account records, intellectual property—all to be sold or somehow used for capital gain.
Lastly, there have been instances of DoS "ransom attacks" where the target is told to pay a ransom, otherwise they’ll be DoS’d and their systems rendered unusable.
Let's take a look at this old slide with cybercrime trends for 2012. According to this report, DDoS attacks were the fourth most seen attack type that businesses were targeted with. What has happened, and what we are seeing happening, is that there has been an increase in DDoS activity starting from 2012 and continuing to increase today. One of the major reasons is that organizations still today are not prepared to take care of these types of threats. Another reason these threats have been so successful is that DDoS attacks have become more sophisticated, able to bypass or bring down traditional security solutions like firewalls, IPS or application control, but at the same time still very easy for the attackers to execute.
So, is it true, are these attacks really happening? Yes. CLICK Yes. CLICK Yes. CLICK And... CLICK Yes. Just look at what the news has been writing about in the last 6 months in countries like Denmark, Finland, Norway and Sweden. What is interesting to note here is that when reading these articles CLICK they claim that "It is impossible to protect against these DDoS attacks." And this is not true. CLICK
What kinds of attack examples do we have out there that organizations are targeted with? We have the volumetric attacks; they can be caused by someone using publicly available innocent DNS servers as amplifiers in order to generate large UDP floods of DNS responses towards a target. One of the most common attack methods seen in the wild is of course the traditional SYN flood attack. And of course application based attacks.... CLICK
The idea with volumetric attacks is to send a mixture of traffic to the organization in order to consume the bandwidth of the Internet connection towards the target, so that no legitimate traffic is able to pass through to the target machine.
The mixture of traffic towards the target can contain, for example, a UDP flood generated using a DNS amplification attack. The way this UDP flood is generated is quite simple: the attacker sends a DNS request to an innocent, publicly available DNS server, like the Google DNS server 8.8.8.8 for example. In this request the attacker spoofs the source IP and uses the victim's IP address as the source IP, which causes the DNS server to respond back to the victim. Doing this, the attackers use amplification to increase the traffic volume of the attack. The attacker uses an extension to the DNS protocol (EDNS0) that enables large DNS messages. The attacker composes a DNS request message of approximately 60 bytes to trigger delivery of a response message of approximately 4000 bytes to the target. The resulting amplification factor, approximately 70:1, significantly increases the volume of traffic the target receives, accelerating the rate at which the target's pipe will be saturated. CLICK
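As an added example (not from the presentation and not Check Point code), the following Python script shows what the amplification described above looks like from the victim's side, and one way to detect it from flow records: a legitimate DNS answer is preceded by a query from the same internal host to the same resolver, so large UDP/53 responses that nobody inside asked for, arriving from several different resolvers, are the tell. The internal prefix, thresholds and flow records are constructed for the example.

```python
"""Detect reflected DNS amplification traffic at a network edge from flow records.

Heuristic (an assumption of this example, not a product algorithm): a legitimate
DNS response is preceded by a query from the same host to the same resolver.
Large UDP/53 responses that no internal host asked for, from many resolvers,
indicate reflection against that host.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Hypothetical internal prefix and thresholds (constructed for the example).
INTERNAL = ip_network("203.0.113.0/24")
QUERY_WINDOW_S = 5.0          # a response must follow a query within this window
MIN_REFLECTORS = 3            # distinct resolvers answering the same unasked host
MIN_UNSOLICITED_BYTES = 10_000

# Constructed sample flow records: (ts, src, sport, dst, dport, bytes)
SAMPLE_FLOWS: List[Tuple[float, str, int, str, int, int]] = [
    # normal lookup from 203.0.113.10: 60-byte query, 120-byte answer
    (100.0, "203.0.113.10", 40123, "8.8.8.8", 53, 60),
    (100.1, "8.8.8.8", 53, "203.0.113.10", 40123, 120),
    # reflection against 203.0.113.20: large answers it never asked for, from many resolvers
    (101.0, "198.51.100.1", 53, "203.0.113.20", 33000, 4000),
    (101.0, "198.51.100.2", 53, "203.0.113.20", 33000, 4000),
    (101.1, "198.51.100.3", 53, "203.0.113.20", 33000, 4000),
    (101.1, "198.51.100.4", 53, "203.0.113.20", 33000, 4000),
]


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification of one reflection: response size / query size."""
    return response_bytes / query_bytes


def find_reflection_victims(flows) -> Dict[str, Dict[str, int]]:
    """Return {victim_ip: {"bytes": n, "reflectors": k}} for hosts receiving
    enough unsolicited DNS answers from enough distinct resolvers."""
    # outbound queries: (internal_host, resolver) -> timestamps
    queries = defaultdict(list)
    for ts, src, sport, dst, dport, nbytes in flows:
        if dport == 53 and ip_address(src) in INTERNAL:
            queries[(src, dst)].append(ts)

    unsolicited_bytes = defaultdict(int)
    reflectors = defaultdict(set)
    for ts, src, sport, dst, dport, nbytes in flows:
        if sport != 53 or ip_address(dst) not in INTERNAL:
            continue
        recent = [q for q in queries.get((dst, src), []) if 0 <= ts - q <= QUERY_WINDOW_S]
        if recent:
            continue  # the answer matches a query this host actually sent
        unsolicited_bytes[dst] += nbytes
        reflectors[dst].add(src)

    return {
        host: {"bytes": unsolicited_bytes[host], "reflectors": len(reflectors[host])}
        for host in unsolicited_bytes
        if unsolicited_bytes[host] >= MIN_UNSOLICITED_BYTES
        and len(reflectors[host]) >= MIN_REFLECTORS
    }


if __name__ == "__main__":
    print(f"60-byte query -> 4000-byte answer: {amplification_factor(60, 4000):.0f}:1")
    for host, info in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{host}: {info['bytes']} unsolicited DNS bytes from {info['reflectors']} reflectors")
```

The query/response pairing is what keeps a normal resolver lookup from being flagged, and the distinct-reflector count is what separates a reflection from a single misbehaving resolver. With the 60-byte query and 4000-byte response from the slide, the ratio comes out at about 67:1, which is the "approximately 70:1" quoted above.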
SYN attacks are quite easy to generate, since the source IP does not have to come from a valid source and the packet does not have to be especially large. On the target, the state table on firewalls and servers will be consumed and the organization will be unable to provide services to its intended users.
As we said before, attacks are getting more sophisticated. Application layer attacks can be targeted at specific application implementation weaknesses and might cause more damage. They are pretty easy for the attacker to execute, because they require less bandwidth and resources from the attacker and there is no need to fill up the target's Internet connection. You can, for example, download the attack tool Slowloris or Tor's Hammer to your computer, connect the computer to a 3G connection, hide your source IP in the Tor anonymizer network, and bring down multiple web servers that still have, for example, Slow HTTP GET application weaknesses. These types of attacks are very sneaky and difficult to detect with traditional network monitoring or by solutions that are based only on thresholds and volume-based measures, since they generate a very small amount of traffic. From a traditional security perspective, using firewalls, IPS or application control, the traffic will be seen as legitimate and allowed to pass, since they are not exploiting any application vulnerabilities. CLICK
Low & Slow attacks exploit application implementation weaknesses, using relatively low volume and a low number of connections. In many cases, targeted application DoS attacks are used in parallel with volumetric DDoS attacks. These kinds of attacks can go undetected by solutions that are based only on thresholds and volume-based measures.
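To show why volume thresholds miss Low & Slow attacks, here is an added Python example (not from the presentation, not Check Point code) that inspects a snapshot of a web server's connection table instead of traffic volume. The tell is not bytes per second but connection age combined with a request whose headers never complete, repeated across many connections from one source. The thresholds, the `Conn` record and the sample connections are constructed for the example.

```python
"""Flag Low & Slow HTTP connections from per-connection server state.

Volume-based thresholds miss these: each connection trickles a few bytes per
second, so the aggregate traffic looks idle. The signal is connection age
combined with request headers that never complete, many times from one source.
(Heuristic and thresholds are this example's assumptions, not a product's.)
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

MIN_AGE_S = 30.0           # the header phase should finish within seconds
MAX_BYTES_PER_S = 50.0     # headers arriving at a few bytes per second
MIN_CONNS_PER_SOURCE = 5   # a legitimate slow client rarely holds many at once


@dataclass
class Conn:
    src: str
    opened_at: float
    bytes_in: int
    headers_complete: bool   # server has seen the blank line ending the request headers


def is_low_and_slow(c: Conn, now: float) -> bool:
    """Old, still incomplete, and barely sending: the Slowloris-style pattern."""
    age = now - c.opened_at
    if age < MIN_AGE_S or c.headers_complete:
        return False
    return c.bytes_in / age <= MAX_BYTES_PER_S


def suspicious_sources(conns: List[Conn], now: float) -> Dict[str, int]:
    """Source IP -> number of stalled connections, for sources over the limit."""
    per_src = Counter(c.src for c in conns if is_low_and_slow(c, now))
    return {src: n for src, n in per_src.items() if n >= MIN_CONNS_PER_SOURCE}


# Constructed snapshot of the connection table at now = 300 s (not real data).
NOW = 300.0
SAMPLE_CONNS = (
    # six connections from one source, each open for over four minutes with partial headers
    [Conn("198.51.100.77", 40.0, 900, False) for _ in range(6)]
    # a genuinely slow mobile client that has at least finished its headers
    + [Conn("192.0.2.10", 100.0, 1200, True)]
    # a fresh connection still inside its normal header window
    + [Conn("192.0.2.11", 298.0, 120, False)]
)

if __name__ == "__main__":
    for src, n in suspicious_sources(SAMPLE_CONNS, NOW).items():
        print(f"{src}: {n} stalled connections")
```

Note that the flagged source sends about 3.5 bytes per second per connection, far below any bandwidth alarm, which is exactly why the check has to look at connection state rather than traffic volume. The same per-source count is also the kind of granular custom filter that the later slides ask for.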
So let's look at a real world example. When you need to protect your organization against Denial of Service attacks, do not just stare yourself blind at the number of packets per second or the amount of bandwidth that can be handled by a cloud based service or an on-site solution. In the US banking attack example, they were not only targeted with one attack vector; they were targeted with a mixture of multiple types of attack vectors, going from network flood attacks and application flood attacks to application DoS attacks. The goal of the attacker is to bring down the target in a DoS attack, and he will use any means necessary in order to succeed. When you are building a defense against these types of attacks, you need to consider protection types for all these types of attack vectors. CLICK
Poor detection of sly attacks, for example where attackers are sending legitimate HTTP traffic but with slow transfer speed to use up server resources. Basic filters that aggressively clear the connection table when under attack, which will also affect legitimate users' traffic. The signatures used in IPS systems are focused on protecting against exploitation of vulnerabilities, but to protect against DoS attacks you need to be able to create custom signatures based on traffic patterns.
Therefore you need a DDoS protection solution that has multiple layers of security in order to protect against these different types of attack vectors. CLICK It should be able to do behavioral analysis on the network traffic in order to understand if it indeed is a flood or an increase of legitimate traffic. It should be capable of handling the amount of packets per second that the organization is being hammered with during a network flood. CLICK The solution should be able to generate real-time signatures in order to correctly block only the illegitimate traffic. CLICK It should be capable of detecting suspicious sources and identifying the attackers among those sources by using different types of challenge methods on the application layer, in order to allow the legitimate users to access the system while the organization is targeted. CLICK It should also be able to use granular custom filters in order to block sneaky Low & Slow application based attacks.
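The two requirements above, behavioral analysis against a learned baseline and a real-time signature that blocks only the excess, and the SYN flood described earlier, can be illustrated together. The following Python example is added here and is not from the presentation nor an implementation of DDoS Protector's algorithms: it learns the normal SYN rate from a constructed training window, flags a second whose rate exceeds mean plus K standard deviations, and then derives a signature from the packet attributes that dominate that second, so that the ordinary SYNs mixed into the flood keep passing. The packet summaries, thresholds and attribute choices are this example's own assumptions.

```python
"""Behavioral baseline on SYN rate, then a real-time signature for the excess.

Learning phase: per-second SYN counts from normal traffic give a mean and a
standard deviation. Detection phase: a second whose SYN count exceeds
mean + K*std is treated as a flood. Rather than clearing the whole connection
table, derive a signature from the packet attributes that dominate during the
anomalous second, so legitimate SYNs (varied sizes and TTLs) keep flowing.
(Method and constants are this example's assumptions, not a product's.)
"""
from collections import Counter
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

K_SIGMA = 4.0     # how far above the baseline counts as abnormal
MIN_SHARE = 0.6   # an attribute value must cover this share of the second's SYNs

# (second, src_ip, dst_port, ip_len, ttl): constructed SYN packet summaries
Syn = Tuple[int, str, int, int, int]
FIELDS = {"dst_port": 2, "ip_len": 3, "ttl": 4}


def baseline(learning: List[Syn]) -> Tuple[float, float]:
    """Mean and population std-dev of SYNs per second over the learning window."""
    counts = list(Counter(s[0] for s in learning).values())
    return mean(counts), pstdev(counts)


def anomalous_seconds(syns: List[Syn], mu: float, sigma: float) -> List[int]:
    """Seconds whose SYN count is above the behavioral threshold."""
    per_sec = Counter(s[0] for s in syns)
    return sorted(sec for sec, n in per_sec.items() if n > mu + K_SIGMA * sigma)


def realtime_signature(syns_in_second: List[Syn], mu: float) -> Optional[Dict[str, int]]:
    """Attribute values that dominate the anomalous second; None if there is no excess."""
    if len(syns_in_second) - mu <= 0:
        return None
    sig: Dict[str, int] = {}
    for name, idx in FIELDS.items():
        value, n = Counter(s[idx] for s in syns_in_second).most_common(1)[0]
        if n >= MIN_SHARE * len(syns_in_second):
            sig[name] = value
    return sig or None


def apply_signature(syns: List[Syn], sig: Dict[str, int]) -> Tuple[int, int]:
    """Return (blocked, passed) when SYNs matching every signature field are dropped."""
    blocked = sum(1 for s in syns if all(s[FIELDS[k]] == v for k, v in sig.items()))
    return blocked, len(syns) - blocked


def _normal_second(sec: int) -> List[Syn]:
    """4 to 6 ordinary SYNs per second with varied ports, sizes and TTLs (constructed)."""
    n = 4 + sec % 3
    return [(sec, f"192.0.2.{(sec * 7 + i) % 200 + 1}", [80, 443, 25, 22][i % 4],
             [44, 52, 60][i % 3], [64, 128, 51][i % 3]) for i in range(n)]


LEARNING = [s for sec in range(60) for s in _normal_second(sec)]
ATTACK_SECOND = 60
# Flood second: the usual traffic plus 200 uniform SYNs to port 80 from scattered sources.
FLOOD = _normal_second(ATTACK_SECOND) + [
    (ATTACK_SECOND, f"198.51.100.{i % 250 + 1}", 80, 40, 255) for i in range(200)
]

if __name__ == "__main__":
    mu, sigma = baseline(LEARNING)
    print(f"baseline {mu:.1f} SYN/s, sigma {sigma:.2f}")
    for sec in anomalous_seconds(FLOOD, mu, sigma):
        sig = realtime_signature([s for s in FLOOD if s[0] == sec], mu)
        print(f"second {sec}: signature {sig}, blocked/passed {apply_signature(FLOOD, sig)}")
```

The point of the signature step is precision: source addresses are spoofed and useless as a key, but the flood packets share a fixed IP length and TTL that the genuine SYNs in the same second do not, so the derived rule drops all 200 flood packets and none of the legitimate ones. A rate limit or connection-table flush at that moment would have hit both.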
This is exactly what we can do with Check Point DDoS Protector: it has customized multi-layer protection modules; it will automatically identify and protect against an attack within seconds; it is fully automated, automatically learning the behavior and adapting the baseline of the network environment; and it uses challenge methods to accurately identify attacking sources.
____
DDoS Protector's customized multi-layered DDoS protection blocks a wide range of attacks:
- Behavioral analysis comparing typical vs. abnormal traffic
- Automatically generated and pre-defined signatures
- Advanced challenge/response techniques
- Customized protection optimized to meet specific network environment and security needs
DDoS Protector(TM) is ready to protect any size network in minutes. Product line of 7 new appliances offering:
- Low latency (less than 60 microseconds)
- High performance (up to 12 Gbps)
- Port density of up to 16 ports (both 1 GE and 10 GE options available)
- On-premise inline deployment for immediate response to attacks
- Transparent network device that easily fits into the existing network topology (layer 2 bridge)
- Filter traffic before it reaches the firewall to protect networks and servers and block exploits
Integrated with the Check Point security management suite:
- Leverage SmartEvent, SmartLog and SmartView Tracker for a real-time and historic view of overall network security and DDoS attack status
- Policy management with both Web UI and command line interface
- Team of security experts provides immediate help for customers facing DoS
There are 2 DDoS protection deployment types: on the customer premises, CLICK or on the customer premises working together with a cloud based service called DefensePipe. The on-premise solution has a quick response time and can be customized for the organization's requirements. The additional cloud based service, DefensePipe, helps with moving the problem away from the protected network; it fits when the attack is on bandwidth. The way DefensePipe works is that when the organization is under attack and the on-premise DP detects that there is a risk of pipe saturation, the DP will inform the cloud based DefensePipe service that there is a pipe saturation risk and that redirection of traffic is requested. The cloud based service will take care of cleaning the traffic when it is redirected, and the clean traffic will be sent back to the organization. CLICK
The deployment options for DDoS Protector are very flexible. It is completely transparent; you do not need to redesign your network topology. You can deploy it as a standalone unit or as a High Availability cluster. You can deploy it in symmetric as well as asymmetric network environments. You can deploy it in an emergency deployment when the organization is under attack, in order to directly start protecting the business. You have an optional learning mode deployment, where you let the system learn the behavior for one week before configuring it to protect the environment. Since the system automatically adjusts its baselines and is integrated with our event management system, the maintenance cost is very low.
Together with a valid support contract, DDoS Protector includes support from a team called the Emergency Response Team (ERT) at no additional cost. The idea with DDoS Protector is that it should automatically mitigate an attack, but if for some reason it is not doing that, we are not leaving you in the dark by yourself. You request access to the ERT team in special situations, for example when you are under a DoS attack and the solution for some reason is not automatically mitigating the attack. ERT will then help you adjust the system in order to block the attack. ERT is a reactive team, and the way to get access to the team is to open a Severity 1 critical ticket with Check Point TAC. Inform TAC that you have a DDoS Protector in your production environment and that you are currently under a DDoS attack that is not automatically mitigated by the DDoS Protector, and that you therefore request access to ERT. Check Point TAC will establish a conference call with you, ERT and TAC, and you need to be able to provide remote access to the DP, for example over WebEx, in order for ERT to help you. CLICK
To summarize, with DDoS Protector you have: a fast response time to minimize DDoS damage; application adaptation for the customer's specific environment; the possibility to do emergency deployments, to be able to protect an attacked organization within minutes; and a low maintenance cost, based on the event management integration and the automatic baseline adaptation and behavioral learning in the system.
Thank you for listening to me, if you would like to get more information please contact any Check Point representative here.