Cloudflare hosted a webinar on cyber security fundamentals in Cantonese. It discussed the current threat landscape, challenges to effective security strategies, and how Cloudflare protects web content from threats. Cloudflare's vision is to provide security controls so customers of any size can keep their internet properties safe without sacrificing performance. It protects over 20 million internet properties from over 72 billion cyber threats daily using a global network across 90+ countries. Cloudflare discussed how it protects customers from DDoS attacks, bots, vulnerabilities, and more through integrated solutions that improve performance, acceleration, and security.
3. What you will learn today
What does the threat landscape look like?
Challenges to a successful security strategy
How do you protect your web content from these threats?
5. Cloudflare Security Vision
Provide world-class visibility, controls, and guided configurations so that customers of any size and technical sophistication can keep their Internet properties safe and secure without sacrificing speed and performance
8. Customers benefit from integrated security, performance, and reliability
- 35% performance improvement
- 50% acceleration in DNS performance
- 60% reduction in malicious traffic
- 41k WAF blocks per month
- 900k login attempts blocked in 2 hours
- 50% decrease in page load times
10. Factors increasing exposure to security risks
- Greater scrutiny by government and media around data, privacy and security
- Greater attack surface area from more public APIs, moving to the cloud, and increasing third-party integrations
- Stronger and more sophisticated attackers
11. Customers’ Security Threats
- DDoS Attack (system): attack traffic impacts availability or performance
- Bots: prevent malicious bots from abusing the site or application
- Vulnerable Applications and APIs (webpage): multi-vector attacks that exploit vulnerabilities
12. Types of DDoS Attack Traffic
(Diagram) Three attack paths, each degrading the availability and performance of applications, websites, and APIs:
1. Volumetric DNS Flood: bots → DNS server
2. Amplification (Layer 3 & 4): bots → DNS servers (reflectors) → target server
3. HTTP Flood (Layer 7): bots → HTTP application / login
14. Application and API Vulnerabilities
(Diagram) Four vectors between the attacker, bots, visitors and the application:
1. DNS Spoofing: visitors are sent to a fake website
2. Data Snooping
3. Malicious Payload, e.g. SQLi that exfiltrates PII and credentials
4. Bots: brute force
15. IoT attacks - the new reality
A botnet army of IoT cameras and a major attack took out a DNS service provider in 2016.
Over the last few weeks we've seen DDoS attacks that have switched to new, large methods of bringing down web applications. They appear to come from an IoT botnet (like Mirai and relations) which were responsible for the large attacks against Brian Krebs.
Attack sizes: 50 Gbps, up to 1 Tbps
16. Types of Bot Attacks
- Credential Stuffing: taking over an account to abuse the site, perform fraudulent transactions, steal sensitive data, or compromise personal information.
- Content Scraping: stealing public information from the website, such as prices or valuable SEO content, and republishing it on a website with stolen content.
- Inventory Hoarding: bots automate the purchase of inventory to resell items or keep them out of the hands of customers.
17. Comprehensive Protection from Bad Bots
- Credential Stuffing: stop take-over of users’ accounts by automated replay of previously stolen account credentials.
- Content Scraping: protection from scraping and stealing information from a website.
- Content Spam: identify and stop bad bots from adding malicious content to web properties such as forums and registration forms.
- Inventory Hoarding: block bad bots that fraudulently purchase goods to deprive legitimate customers or resell for a higher price.
- Credit Card Stuffing: shield from attempts to validate stolen credit cards to then make fraudulent purchases.
- Application DDoS: prevent bad bots from slowing sites, wasting bandwidth and compute resources.
18. Not All Bots Are Malicious
Good bots: partner bots, search engine crawlers, copyright monitoring, site monitoring, feed bots
Bad bots: scrapers, spam bots, click bots, fake Googlebots, botnets
19. Business Impact
- Lost customer trust and degraded brand value
- Lost revenue from site downtime or higher costs from bad traffic
● $100,000 is the average hourly cost of an infrastructure failure
● $141 average cost for each lost or stolen record containing sensitive and confidential information
● $3.62 million is the average total cost of a data breach
Cost categories: remediation costs (hardware, services, and software), lost revenue, lost future revenue from customer churn, wasted marketing spend, negative brand impact, help desk costs, increased IT staffing costs, loss of user productivity
Sources: IDC, March 2015, and Ponemon Institute, June 2017
20. Cloudflare DDoS Solution
Scalable, easy-to-use, and high-performance solution to address availability challenges
- Stay online: a global Anycast network with 180+ data centers absorbs highly distributed attack traffic so customers stay online
- Protect origin infrastructure: detect and drop volumetric attacks at the edge: layer 3 & 4, DNS, and layer 7
- Identify anomalous traffic: fingerprint HTTP requests to protect sites against known and emerging botnets with automatic mitigation rules
- Protect applications with control: Rate Limiting gives more granular control to block harder-to-detect application-layer attacks
- Anticipate attacks: shared intelligence across 6M websites proactively blocks known bad signatures
- Stop origin server attacks: Argo Tunnel establishes a direct, encrypted tunnel for traffic between the origin server and Cloudflare's nearest data center, protecting origin web servers from targeted attacks
(Diagram: DDoS attack → Cloudflare edge → Origin Server)
21. Industry Legacy Scrubbing vs. Cloudflare Always-On
Industry Legacy Scrubbing
- Long propagation times (up to 300 sec)
- Asymmetric routing
- Adds significant latency
- Typically requires manual intervention
Always-On
- Zero propagation time
- Symmetric routing
- No added latency
- Immediate, automated mitigation, with no “cut over” required
22. Cloudflare Solution to Secure Applications
ATTACKS → CLOUDFLARE SOLUTIONS
1. Attackers try to forge DNS answers to intercept customer credentials → Resilient DNS and DNSSEC prevent forged answers
2. Snoop unencrypted sensitive data entered by customers → Encryption through SSL/TLS blocks snooping
3. Brute-force their way into login pages → Log-in protection through rate limiting
4. Inject malicious payloads through forms and APIs → Block OWASP Top 10 and emerging application-level attacks through the WAF
● Layered defense to protect against sophisticated attackers
● Single control-plane for more robust and agile security policies
● Learning from attack profiles across 20M websites to keep yours safe
24. Cloudflare Next Gen Bot Management
One-Click Deployment
● With a single click, deploy rules with Cloudflare recommended bot score thresholds
● No instrumentation with third-party JavaScript required
Control and Configurability
● Scope rules by path or URI pattern, request method, and bot score thresholds
● Select mitigation methods, such as log, CAPTCHA, or block
Rich Analytics and Logs
● Time-series graphs with drill-down tables
● Logs bot management rule, action, and rich request meta-data for every request
Detect and mitigate bad bots by leveraging intelligence from over 13 million Internet
properties. All with one click.
25. Cloudflare Bot Management Methods
Detection
- Machine Learning: Cloudflare’s ML trains on a curated subset of 425 billion requests per day across 13M+ Internet properties to create a reliable “bot score” for every request.
- Behavioral Analysis: behavioral analysis detects anomalies in site-specific traffic, scoring every request on how different it is from the baseline.
Protection
- Automatic Whitelist: because not all bots are bad, the solution automatically maintains and updates a whitelist of "good" bots, such as those belonging to search engines.
- Mobile SDK: the mobile SDK prevents attacks against mobile application APIs by impersonation and emulation bots.
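As an added worked example (not Cloudflare's own code, API or rule syntax), the following Python sketch shows how the pieces described on slides 18, 24 and 25 fit together: rules scoped by URI pattern, request method and a bot-score threshold, each with a log, challenge or block action, evaluated first-match-wins, plus a "good bot" allowlist that checks both the User-Agent claim and the source IP range so that a fake Googlebot is not let through. The bot-score scale (1 = automated, 99 = human), the rule set, the IP ranges and the sample requests are all constructed for illustration; the Googlebot CIDR is illustrative, not an authoritative list.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    client_ip: str
    user_agent: str
    bot_score: int  # assumed scale: 1 = almost certainly automated, 99 = almost certainly human


@dataclass(frozen=True)
class Rule:
    name: str
    path_glob: str       # fnmatch-style URI pattern, e.g. "/product/*" ('*' also spans '/')
    methods: frozenset   # request methods the rule is scoped to
    max_bot_score: int   # the rule fires when bot_score <= this threshold
    action: str          # "log", "challenge" or "block"


# Constructed allowlist of "good" bots. A request counts as a verified bot only
# if the User-Agent claims the bot AND the source IP lies in the operator's
# published range; a UA string alone is trivially forged ("fake Googlebot").
# The CIDR below is illustrative, not an authoritative list.
VERIFIED_BOTS = {
    "Googlebot": (ipaddress.ip_network("66.249.64.0/19"),),
}

# Constructed rule set. Order matters: the first matching rule wins, so the
# stricter login rule (block at <= 30) is listed before the challenge rule.
RULES = (
    Rule("login-block", "/login", frozenset({"POST"}), 30, "block"),
    Rule("login-challenge", "/login", frozenset({"POST"}), 60, "challenge"),
    Rule("catalog-scrape-block", "/product/*", frozenset({"GET"}), 30, "block"),
    Rule("api-monitor", "/api/*", frozenset({"GET", "POST"}), 50, "log"),
)


def is_verified_bot(req):
    """True only when the UA names an allowlisted bot and the IP is in its range."""
    ip = ipaddress.ip_address(req.client_ip)
    for token, networks in VERIFIED_BOTS.items():
        if token in req.user_agent:
            return any(ip in net for net in networks)
    return False


def evaluate(req, rules=RULES):
    """Return (action, reason). Verified good bots bypass the rules; otherwise
    the first rule whose scope and threshold match decides; no match = allow.
    "log" is a monitor-mode outcome: the request is recorded, not stopped."""
    if is_verified_bot(req):
        return ("allow", "verified-bot")
    for rule in rules:
        if (req.method in rule.methods
                and fnmatch.fnmatchcase(req.path, rule.path_glob)
                and req.bot_score <= rule.max_bot_score):
            return (rule.action, rule.name)
    return ("allow", "no-match")


def summarize(requests, rules=RULES):
    """Count outcomes per action, the way a per-rule analytics table would."""
    counts = {}
    for req in requests:
        action, _ = evaluate(req, rules)
        counts[action] = counts.get(action, 0) + 1
    return counts


# Constructed sample traffic (RFC 5737 documentation addresses, except the
# one request placed inside the illustrative Googlebot range; scores made up).
SAMPLE_REQUESTS = (
    Request("GET", "/search", "66.249.66.1", "Mozilla/5.0 (compatible; Googlebot/2.1)", 1),
    Request("GET", "/product/42", "203.0.113.7", "Mozilla/5.0 (compatible; Googlebot/2.1)", 2),
    Request("POST", "/login", "198.51.100.4", "python-requests/2.31", 5),
    Request("POST", "/login", "198.51.100.5", "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0", 45),
    Request("GET", "/api/prices", "198.51.100.6", "curl/8.0", 20),
    Request("GET", "/", "198.51.100.7", "Mozilla/5.0 (Macintosh) Safari/605.1.15", 92),
)

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.method, req.path, req.client_ip, evaluate(req))
    print(summarize(SAMPLE_REQUESTS))
```

The second sample request is the interesting one: it claims to be Googlebot but comes from an address outside the published range, so it is scored like any other client and the catalog-scraping rule blocks it. The same structure (allowlist first, ordered scoped rules, allow by default) is what lets a monitor-mode "log" rule be turned into "challenge" or "block" once its analytics show the threshold is right.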
Today's webinar will cover the following three topics:
1) What does today's threat landscape look like?
2) What challenges are typically encountered when setting up a successful security strategy?
3) How can you protect your Internet assets from these threats?
“On today’s webinar we will cover these 3 main things:
What does the threat landscape look like?
What are the challenges to a successful security strategy?
How can you protect your web content from these threats?
We will end with the Q&A, so please make sure you ask your questions in the chat and we will answer them at the end.
First, let me introduce Cloudflare. I believe many of you are already using Cloudflare's services.
You should have seen the mission statement on our website: Cloudflare is helping build a better Internet. What do we do, and how do we do it?
Simply put, we are committed to giving everyone a safer, more reliable and faster Internet experience.
Why is that so important? Because if your website goes down or runs slowly, for whatever reason, your business will be affected. We are committed to making sure that does not happen.
The next 30 minutes are packed with useful tips and insights. Before we get into that, let me take a few steps back to talk about what Cloudflare does. As you can see from our Mission Statement, Cloudflare is helping build a better Internet. How do we do that? What is it that we do? In simple terms, we help build a better Internet by making your websites more secure, more reliable and faster.
And why are these so important? Because if your website goes down or is slow to load, for any reason, it will have a negative impact on your business and cause lost revenue. And we make it our business to ensure that never happens.
Diving into the topic of cyber security:
we give customers high visibility, management and control capabilities, and professional, targeted configuration guidance,
so that their Internet assets are protected without affecting the access speed and performance their own customers experience.
So diving into cybersecurity: in a nutshell, this is our philosophy on how we tackle this issue for our customers.
World-class visibility, controls, and guided configurations.
20M customers worldwide; a huge variety, some technical, some not.
We will not sacrifice speed and performance for security. We are complete but not complex.
Cloudflare's network gives users the breadth and scale they need to run their Internet applications.
Our unique architecture lets every product and service run on every server in every data center, so every new colo improves network speed for our customers. Our network has the scale to give enterprises a secure, high-speed application experience.
Cloudflare’s network has the breadth and scale that organizations need to run their Internet applications. Organizations benefit from our unique architecture, which has all products and services running on every server, in every data center, improving our network for our customers with every new colo. Our network offers the scale and performance that help organizations deliver a superior application experience while keeping their environments secure.
Cloudflare's services and solutions are for everyone.
Today more than 20 million Internet properties run through our network and are protected by Cloudflare, across every industry, including non-profit organizations and government agencies.
We are for everyone.
There are benefits from having a diverse set of customers, and we have over 20 million Internet properties on our network across geographies, industry verticals, non-profits, and government agencies.
These are some of our customers.
A number of customers have realized benefits from the integrated security, performance, and reliability. Here are some examples.
From here, Sunny will share more with you.
I will hand over to Sunny for his in-depth sharing with more insights.
Talk Track:
Three factors are leading many of our customers to experience a growing exposure to security threats:
Greater attack surface results from three common trends:
Applications publishing more public APIs
Companies are moving more applications, including production-level workloads, to the cloud
Increasing third-party integrations
Attackers are stronger. Here are three ways:
Greater volume, greater distribution, including IoT devices as sources
Greater motivation through success of holding companies for ransom
Shifting to harder to detect and block “application” layer attacks
A greater attack surface area along with stronger attackers would, alone, be a big concern. But at the same time, there is greater scrutiny of security incidents:
Governments are applying greater scrutiny over privacy and data issues
Media reports of breaches and cybersecurity incidents have increased
Individual consumers are more educated and aware because of high-profile reporting (a combination of #1 and #2)
Questions:
Do any of these actually sound familiar for your business?
Do you believe your exposure is decreasing, increasing or is the same? In what ways?
Background Reading - you can build this into your talk track:
Companies are facing increased pressures to strengthen their security posture. Three forces contributing to the pressure are:
Attack surface area increases from applications exposing more public APIs, the increase in SaaS adoption, and the integration with more third-party applications
Attackers are stronger, more sophisticated, and highly motivated
Heightened public and government scrutiny of data, privacy, and security
Attackers are increasing their frequency and volume of Distributed Denial of Service (DDoS) attacks. By leveraging botnets and the millions of Internet-of-Things (IoT) devices online, they are able to wage highly distributed volumetric attacks with greater ease and impact.
In addition to higher volumes, attackers are shifting their focus from the network layer to the application layer. Application-layer or "Layer 7" attacks are harder to detect, often require fewer resources to bring down a website or application, and can disrupt operations with greater impact.
Attackers are able to monetize their attempts to bring down sites or steal sensitive data, for example, by holding sites for ransom. As a result, because of the successful ransom payouts by their enterprise targets, the attackers are more motivated, organized and pervasive.
Talk Track:
In light of this growing exposure to security risks, what are those primary threats you may encounter?
We spent time talking with OUR customers across different verticals to truly understand the most common fears. These match what industry analysts are reporting:
Site is unavailable because of denial of service attack
Customer data is compromised, (e.g. breached or stolen)
Increasingly, abusive bot activity
For each of these broad types of threats, we’ll quickly go into more detail about what those types of threats or attacks could look like.
Questions:
Which, if any, of these are most important for you?
For the others, do you anticipate they could become problems or think they won’t impact your business? And if so, why?
If there was a pre-call…”I know you shared initial concerns about DDoS, what about data compromise?”
Talk Track:
This slide gives examples of the types of DDoS attack. We could dive deeper with the rest of your team and our security team, as well.
The important take-away is that these attacks are layered.
In other words, a DDoS can attack different parts of your infrastructure.
Volumetric DNS Flood: a flood of DNS queries against your DNS servers to make them unavailable
Amplification: using open DNS servers as reflectors to amplify requests and overload your server over UDP
HTTP Flood: a volumetric HTTP attack to bring down the application
All of these attacks impact the availability and performance of websites, applications and APIs.
Questions:
This is often a good, in-depth slide to share with broader audience, for example if you have a security or infrastructure team. Would you be interested in that?
Which have you experienced in the past, if any? How did you respond to them if you did?
The unit cost of DDoS attacks keeps decreasing.
Pick a solution that scales well with attack sizes; it should not be limited by a few network interfaces.
Talk Track:
When it comes to compromise of sensitive customer data, you may be most familiar with malware.
While that’s a very visible form of attack right now, we should consider there are other common, just not as media-hyped, forms of customer data theft.
The take-away for this slide is that attackers can take advantage of different vulnerabilities.
DNS Spoofing: visitors are directed to a fake site instead of your site
A compromised DNS record, or "poisoned cache," can return a malicious answer from the DNS server, sending an unsuspecting visitor to an attacker's site. This enables attackers to steal user credentials to then take-over legitimate accounts.
Data Snooping: sensitive data like visitor’s credentials or credit cards are snooped over the wire
Attackers can intercept or "snoop" on customer sessions to steal sensitive customer data, including credentials such as passwords or credit-cards numbers.
Brute Force: attackers repeatedly try credentials to take over an account
Attackers can wage "dictionary attacks" by automating logins with password wordlists, or replay credentials dumped from earlier breaches ("credential stuffing"), to "brute force" their way through a login-protected page.
Malicious Payload: SQL injection, cross-site scripting, remote file inclusion that results in exfiltrated data
Malicious payloads exploit an application vulnerability. The most common forms are SQL injection, cross-site scripting, and remote file inclusion. Each of these can exfiltrate sensitive data, either by running attacker-controlled code against the application (SQL injection, remote file inclusion) or in the victim's browser (cross-site scripting).
The risk is that sensitive customer data, such as credit card information, might get compromised.
Some recent news to help bolster the point further: https://www.zdnet.com/article/hackers-are-hijacking-smart-building-access-systems-to-launch-ddos-attacks/
Talk Track:
The third attack: increasingly, bots are becoming more common forms of attack.
The three most common we have seen and blocked are:
Content scraping: which essentially steals website content and hurts SEO or revenue
Checkout fraud: the most common is the “sneaker bot”, which takes limited inventory and buys it before actual customers can get it
Account takeover: typically the result of a brute-force login, followed by use of the compromised account
With 40% of Internet traffic being bots, it’s a certainty that your external-facing digital assets are getting some bot traffic. The biggest challenge when dealing with bots is that not all bot traffic is malicious, so you cannot just block all bot traffic… that would have been easy….
There are good bots like search engine crawlers, which are operated by search engines like Google, Bing and Baidu. These bots help with search engine optimization, so that a website shows up higher in web search results.
Partner bots: traffic coming from partners, such as ticket booking services like Expedia or Priceline trying to book airline tickets or hotels
Site monitoring bots: monitor for system outages and alert users of major changes or downtime
Copyright bots: monitor for copyright violations, looking for duplicate text, music, images, or even video
Feed bots: these bots crawl the Internet looking for newsworthy content to add to a platform's news feed. Content aggregator sites or social media networks may operate these bots
BAD BOTS: on the other hand, there are the bad bots that impact your sales, revenue and end-user experience or disrupt your service, and these need to be blocked
Scraper Bots: scraper bots steal original content from a site and republish it on other sites across the Internet without permission. Victims usually don’t even know their content has been taken unless they actively search for it. Scrapers also harvest prices and product catalogs so that competitors can undercut the target website’s pricing strategy; competitors often use third-party scrapers for this, and the unprotected website’s competitive advantage is lost to them.
Spam bots: spam bots primarily target community portals, blog comment sections and lead collection forms. They insert unwanted advertisements, links and banners into user conversations, which frustrates genuine users participating in forums and commenting on blog posts. Often these links are malicious, for example phishing sites that trick unsuspecting users into divulging sensitive information like bank account details and passcodes. These bots spread spam content and advertising links all over the Internet, and also harvest email addresses, phone numbers, and other personal information submitted by users through online forms.
Click bots: click bots are the ad-fraud bots that advertisers have grown to know and despise. They intentionally engage with your advertising, skewing your data and costing you money for fraudulent clicks.
Scalper bots: these bots target ticketing websites and make bulk purchases. The modus operandi is to buy hundreds of tickets as soon as bookings open and sell them through reseller websites at many times the original price. The unprotected ticket-selling website loses genuine customers who are unable to buy tickets at the original price.
Botnets: DDoS, short for Distributed Denial of Service, is an attack that attempts to make a website unavailable by overwhelming it with traffic from multiple sources. DDoS attacks are often performed by botnets. A botnet (the combination of robot and network) is a network of private computers infected with malware…….
https://www.cloudflare.com/learning/bots/how-to-manage-good-bots/
https://www.shieldsquare.com/what-are-the-different-types-of-bots/
https://www.ezanga.com/blog/good-bots-bad-bots-and-what-you-need-to-know
https://areyouahuman.com/downloads/GoodBotsvBadBots_FINAL.pdf
Talk Track:
So what happens when you experience one or more of these problems we just discussed? Many of our customers shared with us they have both intangible and tangible costs.
You can see some of the potential cost categories and, if you are interested, we can schedule time with your team to get a better handle on the costs if you don’t know details right now.
However, for the purposes of this conversation, we’ve found it’s often helpful to think about and to discuss the potential costs. The areas of cost can range, as you can see on the list, from remediation costs to loss of user productivity. It doesn’t need to be accurate. But reviewing these can reveal whether the problem is a one-hundred dollar a month problem, or a one-hundred thousand dollar a month problem.
Some questions include:
What is the cost for an hour of downtime due to a DDoS in lost customers?
What would be the cost if just one customer record were breached in terms of remediation or customer churn?
What happens to revenue or your brand when malicious bots abuse your site?
Source:
IDC, March 2015: “DevOps and the Cost of Downtime: Fortune 1000 Best Practice Metrics Quantified”, Stephen Elliot. This was commissioned by AppDynamics
Ponemon Institute, 2017
Internal background reading - Enablement:
These are discovery/conversation slides
This is very important. You will have a more difficult time ultimately doing the sale or upsell without it unless the customer’s hair is on fire to buy something.
On the right hand side are the types of costs to explore with customers. Potential responses from customers and options for responses:
If the customer responds: I don’t know
“That’s fine. I could imagine the person who would know would be interested. Could we include him in future meetings as a way to help you get the answers?”
“I understand. Who would know about these numbers in your organization?”
“Sure. Do you think you could make an educated guess? Is this $5 per incident or $50,000 per incident?”
We have found that it’s valuable for companies to quickly get a sense of the business impacts you most care about.
These two were consistently what customers shared as big concerns, whether they use Cloudflare or not.
Which of these are important to you?
What connection do you see between these and downtime from DoS and breached customer data?
Who in the organization cares about these impacts?
Here are some examples from conversations with existing customers:
Trust
A financial services customer said loss of trust would directly impact customers and revenue
A medical e-commerce customer said losing trust would be “game over” as a business
A hospitality company values its brand as key to the business, and downtime hurts the brand
A media site said losing the trust of readers as a news site by being down would impact short-term ad revenues and the long-term brand (which impacted advertisers)
Trust goes down, Revenue goes down in every case
If you had to give a dollar amount of the impact, what would it be?
Notes: Are costs critical to the buying decision?
Costs could be the increased costs of backend servers during attacks
-- For example, the service Have I Been Pwned saw a 5x increase in Azure costs due to attacks
-- A media company customer saw bandwidth costs increase 1000x from attack traffic
Revenue could be the impact during an outage
Downtime for many companies, from e-commerce, to SaaS, to ad-driven businesses, can be in the tens of thousands of dollars, due to lost customers, lost ad dollars
If you have to pick an area with the biggest potential impact, which would it be?
RESEARCH from competitors:
The average global cost of data breach per lost or stolen record was $141. However, health care organizations had an average cost of $380 and in financial services the average cost was $245. Media ($119), research ($101) and public sector ($71) had the lowest average cost per lost or stolen record.
2017 Cost of Data Breach Study Global Overview Benchmark research sponsored by IBM Security Independently conducted by Ponemon Institute LLC June 2017
https://www.theatlantic.com/technology/archive/2016/10/a-lot/505025/
https://www.ponemon.org/blog/2014-cost-of-data-breach-united-states
https://security.radware.com/uploadedFiles/Resources_and_Content/Attack_Tools/CyberSecurityontheOffense.pdf
https://www.corero.com/company/newsroom/press-releases/market-study-indicates-ddos-protection-is-a-high-priority-for-data-centres-hosting-providers-and-network-services-providers/
https://ns-cdn.neustar.biz/creative_services/biz/neustar/www/resources/whitepapers/it-security/ddos/2015-oct-ddos-report.pdf
Talk Track:
Cloudflare’s DDoS Solution has several components.
First, our infrastructure scales to address the growing size of DDoS attacks. It does this through an Anycast network which creates a larger surface area to absorb highly distributed attacks.
Second, we put in place automatic detection and mitigation. This leverages our visibility across 20M customers and 10% of HTTP traffic.
Lastly, we give customers control for those layer 7 attacks which may not look like DDoS attacks to us, but which for your environment need to be blocked by customized rules you create.
The big message is: The DDoS solution is:
Scalable
Easy to Use
Fast
Our protections are layered:
Global Anycast absorbs distributed traffic
Argo Tunnel stops attack traffic to the origin server, without the hassle of opening up firewall ports and configuring ACLs
Drop high volumes of layer 3/4 and layer 7 traffic at the edge
Fingerprinting looks at patterns in traffic attributes to respond quickly to dynamic threats
Share intelligence across all customers to proactively identify threats
Give users granular control for harder-to-detect layer 7 attacks
Before we go further, could we talk about which, if any, of these are things you’d like to ask about?
Talk Track
Earlier we discussed four common vectors for attacks to compromise or steal sensitive data.
The take-away for this slide is this: when there are multiple vectors, you need a layered defense.
To defend against malicious payloads, you need a Web Application Firewall: the WAF checks request payloads against rule sets covering the OWASP Top 10 before they reach the application
To mitigate damage by malicious bots, you need to move the filtering closer to the attacker: Cloudflare Workers lets you apply custom security rules and filtering logic at the network edge, which detects malicious bots early and stops them from consuming origin resources
To prevent unintended snooping of data, you need encryption that is easy to manage and deploy: TLS encrypts the content and so protects against sniffing
To block brute-force logins, you need rate-based login protection: Rate Limiting checks request volume against a threshold to protect against DDoS, brute force or scraping
To prevent forged DNS answers that send customers to a fake site, you need resilient DNS and DNSSEC: DNS tells the client which address to connect to, and signed DNS keeps that answer from being forged
To protect your origin web server from targeted attacks that use the server's IP address directly, you need a way to expose web servers securely to the Internet: Argo Tunnel stops attack traffic without opening firewall ports or configuring ACLs, by ensuring requests route through Cloudflare’s WAF and unmetered DDoS mitigation before reaching the web server
All these work seamlessly and are easy to set up and configure through the Cloudflare UI as well as through a rich set of APIs.
The high level takeaways are:
Multiple attack vectors
Cloudflare has layered defense
Easy to configure across all services
Learn across 9m websites
Background Reading - you can build this into your talk track:
Reduce risks of data compromise through layered defense
Attackers often use several attack vectors when attempting to compromise customer data. To protect themselves, companies need a layered defense.
REDUCE SPOOFING THROUGH SECURE DNS
Cache poisoning or "spoofing" tricks unsuspecting site visitors to enter sensitive data, such as credit card numbers, into an attacked site. This type of attack occurs when an attacker poisons the cache of a DNS name server with incorrect records. Until the cache entry expires, that name server will return the fake DNS records. Instead of being directed to the correct site, visitors are routed to an attacker's site, allowing the bad actor to extract sensitive data.
DNSSEC verifies DNS records using cryptographic signatures. By checking the signature associated with a record, DNS resolvers can verify that the requested information comes from its authoritative name server and not a man-in-the-middle attacker.
STOP ATTACK TRAFFIC TO THE ORIGIN WEB SERVER
If an attacker knows the server's IP address, they can attack it directly and bypass existing security solutions. To address this problem, most companies use a solution called Origin Protection. We call it BGP Origin Protection, Incapsula calls it IP Protection and Akamai calls it Site Shield. The underlying technology is often a GRE tunnel and it's slow, expensive and only available as an on-demand service.
What exactly does Argo Tunnel do?
exposes web servers securely to the internet, without opening up firewall ports and configuring ACLs
ensures requests route through Cloudflare before reaching the web server, so attack traffic is stopped with Cloudflare’s WAF and Unmetered DDoS mitigation and authenticated with Access
Every server has a host firewall that controls which connections can reach it. In the usual configuration it filters inbound connections and allows outbound ones. By default it accepts no inbound connections at all; normally you have to open port 443 (HTTPS) so that clients can reach the web server.
With Tunnel, you keep the firewall fully locked down: nothing inbound is accepted. The Tunnel client installed and running on the server makes an outbound connection to Cloudflare, which the firewall allows because it only filters what establishes an inbound connection. Because that outbound connection exists, Cloudflare can send requests to the server over it.
If anything else tries to connect to the server, the firewall drops the connection. Someone scanning all IP addresses to find the origin will get no response from a server behind Tunnel; it looks as if the server is not there, or offline.
REDUCE SNOOPING THROUGH ENCRYPTION
Attackers can intercept or "snoop" on customer sessions to steal sensitive customer data, including credentials such as passwords or credit-cards numbers. In the case of a "man-in-the-middle" attack, the browser thinks it is talking to the server on an encrypted channel, and the server thinks it is talking to the browser, but they are both talking to the attacker who is sitting in the middle. All traffic passes through this man-in-the-middle, who is able to read and modify any of the data.
Fast encryption/termination, easy certificate management, and support of the latest security standards enable customers to secure transmission of user data.
BLOCK MALICIOUS PAYLOADS THROUGH AUTO-UPDATED, SCALABLE WAF
Attackers exploit application vulnerabilities by submitting malicious payloads that can extract sensitive data from the database, the user's browser, or from injecting malware that can compromise targeted systems.
A Web Application Firewall (WAF) examines web traffic looking for suspicious activity; it can then automatically filter out illegitimate traffic based on rule sets that you ask it to apply. It looks at both GET and POST-based HTTP requests and applies a rule set, such as the ModSecurity core rule set covering the OWASP Top 10 vulnerabilities to determine what traffic to block, challenge or let pass. It can block comment spam, cross-site scripting attacks and SQL injections.
The Cloudflare Web Application Firewall (WAF) updates rules based on threats identified because of its 6M customers, and can protect customers without hurting application performance because of its low-latency inspection and integration with traffic acceleration.
REDUCE ACCOUNT TAKE-OVERS THROUGH LOGIN PROTECTION
Attackers can wage "dictionary attacks" by automating logins with password wordlists, or replay credentials dumped from earlier breaches, to "brute force" their way through a login-protected page.
Cloudflare enables users to customize rules to identify and block at the edge these hard-to-detect attacks through its rate-limiting rules
Cloudflare has protected its customers against some of the largest DDoS attacks which ever occurred. In fact, our 10 Tbps global anycast network is 10X bigger than the latest and largest DDoS attack, which allows us to protect all internet assets on our network even against the new, massive IoT-based DDoS attacks.
Rate Limiting complements Cloudflare’s existing DDoS and Web Application Firewall (WAF) services. It protects against layer 7 denial-of-service attacks, brute-force password attempts, and other abusive behavior targeting the application layer. Customers configure thresholds and define responses per client IP: if traffic from a specific IP exceeds the threshold within the configured period, further requests from that IP are blocked for a defined timeout. Cloudflare does not charge for blocked traffic, so customers pay only for good traffic, not attack traffic. Rate Limiting also gives customers analytical insight into the endpoints of their website, application, or API, so they can monitor their good and bad traffic.
The main benefits of Rate Limiting include:
Precise DDoS Mitigation: Rate Limiting provides simple to use but powerful configuration capabilities to protect against denial-of-service attacks
Protect Customer Data: Rate Limiting is the right service to protect sensitive customer information against brute force login attacks
Enforce Usage Limits: Enforce usage limits on your API endpoints by limiting HTTP requests
Cost Protection: Avoid the unpredictable cost of traffic spikes or attacks by setting thresholds which only allow good traffic through.
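As an added worked example (not Cloudflare's implementation or configuration syntax), here is the per-IP threshold-and-timeout model described above, written in plain Python and run over a constructed access log: a rule scoped to POST /login, a threshold of 5 requests per 10-second window, and a 60-second block once the threshold is exceeded. The log lines, IP addresses and limits are all made up for illustration. Two caveats a practitioner would add: the counting has to happen at the edge (in front of the origin) for the cost and availability benefits to apply, and a pure per-IP key is both noisy (NAT, shared proxies) and evadable (distributed sources), which is why it is paired with the bot score and WAF rather than used alone.

```python
from collections import defaultdict, deque

# Constructed sample access log: "<epoch-seconds> <client-ip> <method> <path>".
# 203.0.113.10 hammers the login form; 198.51.100.20 is a normal user.
SAMPLE_LOG = """\
1000 203.0.113.10 POST /login
1001 203.0.113.10 POST /login
1002 198.51.100.20 POST /login
1002 203.0.113.10 POST /login
1003 203.0.113.10 POST /login
1003 198.51.100.20 POST /login
1004 203.0.113.10 GET /index.html
1004 203.0.113.10 POST /login
1005 203.0.113.10 POST /login
1006 203.0.113.10 POST /login
1007 203.0.113.10 POST /login
1070 203.0.113.10 POST /login
"""


class RateLimiter:
    """Per-IP sliding window: more than `threshold` hits within `period`
    seconds blocks the IP for `timeout` seconds. The hit that crosses the
    threshold is itself refused, and nothing is counted while blocked."""

    def __init__(self, threshold, period, timeout):
        self.threshold = threshold
        self.period = period
        self.timeout = timeout
        self.hits = defaultdict(deque)   # ip -> timestamps still inside the window
        self.blocked_until = {}          # ip -> time at which the block expires

    def check(self, ip, ts):
        until = self.blocked_until.get(ip)
        if until is not None:
            if ts < until:
                return "block"           # still timed out
            del self.blocked_until[ip]   # timeout expired; start counting afresh
        window = self.hits[ip]
        while window and window[0] <= ts - self.period:
            window.popleft()             # evict hits that fell out of the window
        window.append(ts)
        if len(window) > self.threshold:
            self.blocked_until[ip] = ts + self.timeout
            window.clear()
            return "block"
        return "allow"


def parse_log(text):
    """Parse the constructed log format into (ts, ip, method, path) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, method, path = line.split()
        events.append((int(ts), ip, method, path))
    return events


def apply_rate_limit(log_text, path="/login", method="POST",
                     threshold=5, period=10, timeout=60):
    """Return one (ts, ip, action) per request. Only requests matching the
    rule's method and path are counted; everything else passes untouched."""
    limiter = RateLimiter(threshold, period, timeout)
    decisions = []
    for ts, ip, m, p in parse_log(log_text):
        if m == method and p == path:
            action = limiter.check(ip, ts)
        else:
            action = "allow"             # out of scope for this rule
        decisions.append((ts, ip, action))
    return decisions


if __name__ == "__main__":
    for ts, ip, action in apply_rate_limit(SAMPLE_LOG):
        print(ts, ip, action)
```

Running it, the attacker's sixth login attempt inside the 10-second window (at t=1005) is refused and starts the 60-second timeout, the attempts at 1006 and 1007 are refused without being counted, the attacker's unrelated GET is untouched because the rule is scoped to POST /login, the normal user is never affected, and the attempt at t=1070 is served again because the timeout has expired.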