DDoS Mitigation on the Front Line
Presenter:
Sam Pickles, CTO
Aura Information Security
Overview
• Why we’re here
– Who are Aura Information Security
• What we’re seeing in the wild
– DDoS Threats
• DDoS Mitigation Strategies
• DDoS Reference Architecture Extended
Aura RedShield
• Aura Information Security
• F5 Technology Alliance Partners
• NZ’s leading Information Security consulting company.
• Deloitte’s NZ Fast 50 + Fastest growing Tech in Wlg
• Deloitte APAC Tech Fast 500 2010, 2011, 2012
• Electra Business of the Year 2010 / 2011
• Finalists in NZ HiTech Awards 2014
• Customers across NZ Govt and private sector.
– NZDF Panel, All-of-Govt Panel, banking, telco, energy, health, hi-tech
• Services:
– Penetration Testing, InfoSec Training, Security Research, Security Architecture, Code Reviews
• Aura RedEye
• Globally registered PCI ASV (Approved Scanning Vendor)
• Winner of the ANZIAs 2012 for Security and Privacy
Aura RedShield
[Diagram: RedShield Cloud. Labels: HTTP(S), Vulnerability Scanning, Target 100% Shielding, Analyst-Driven Reports, Web Security Expert Team, RedShield]
[Diagram: RedShield On-Premise. Labels: HTTP(S), Vulnerability Scanning, Target 100% Shielding, Analyst-Driven Reports, Web Security Expert Team, RedShield]
DDoS THREATS
DDoS – Reflected / Amplified
[Diagram label: Attacker]
NTP Amplification
• One small command sends a single UDP request:
– ntpdc -c monlist 117.1x.1xx.1x
• Response is huge, sent to victim.
• Even a small botnet can trigger an avalanche
NTP Amplification Example 1:
• February 10th 2014
• Over 400Gbps
• 4,529 servers
NTP Amplification Hits RedShield
• Large scale NTP attack hit Aura’s network on March 16th 2014
• Target victim is a government sector org
• Source addresses = approximately 2500 NTP servers identified
• TMOS scrubs by default
200 x Amplification
• Each NTP request triggers a large text stream to the victim
• Thousands of requests per second
Meanwhile, keep your eyes on the applications…
• Application Layer DDoS increasing in popularity
• Malicious individuals with limited resources can now cause outages
• These attacks work just as well over SSL
Apache Killer Example
GET /downloads/folder/path/large-file.pdf HTTP/1.1
Accept: */*
Range: bytes=1097728-1098239, 1098240-1098751, 1098752-1099263, 1099264-1099775, 1099776-1100287, 1100288-1100799, 1100800-1101311, 1101312-1101823, 1101824-1102335, 1102336-1102847, 1102848-1103359, 1103360-1103871, 1103872-1104383, 1104384-1104895, 1104896-1105407, 1105408-1105919, 1105920-1106431, 1106432-1106943, 1106944-1107455, 1107456-1107967, 1107968-1108479, 1108480-1108991, 1108992-1109503, 1109504-1110015, 1110016-1110527, 1110528-1111039, 1111040-1111551
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
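A defensive check for the multi-range request shown above, as an added example that is not from the original slides: it parses the Range header, coalesces overlapping or adjacent ranges, and decides whether the header should be honoured. The thresholds, the function names and the 2,000,000-byte file size are assumptions made for the example.

```python
import re
from typing import List, NamedTuple, Tuple

# Assumed policy thresholds (not from the slides); tune per application.
MAX_RANGES = 5       # most range specs a single request may carry
MAX_COLLAPSED = 2    # most specs that may overlap or touch another spec

_SPEC = re.compile(r"(\d*)-(\d*)", re.ASCII)
Interval = Tuple[int, int]


class Verdict(NamedTuple):
    action: str             # "allow", "ignore-range" (serve a plain 200) or "reject"
    reason: str
    spec_count: int
    merged: List[Interval]  # the bytes the client is really asking for


def parse_range(value: str, length: int) -> Tuple[int, List[Interval]]:
    """Return (number of specs, satisfiable inclusive byte intervals).

    `length` is the size of the requested resource. Raises ValueError on a
    malformed header; specs that fall outside the resource are dropped.
    """
    unit, sep, spec_set = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        raise ValueError("not a bytes range")
    count, intervals = 0, []
    for raw in spec_set.split(","):
        raw = raw.strip()
        if not raw:
            continue                      # empty list elements are tolerated
        m = _SPEC.fullmatch(raw)
        if not m or not (m.group(1) or m.group(2)):
            raise ValueError(f"malformed range spec {raw!r}")
        first, last = m.group(1), m.group(2)
        count += 1
        if not first:                     # suffix form "-N": the last N bytes
            lo, hi = max(length - int(last), 0), length - 1
        else:
            lo = int(first)
            if last and int(last) < lo:
                raise ValueError(f"inverted range spec {raw!r}")
            hi = min(int(last), length - 1) if last else length - 1
        if lo <= hi:
            intervals.append((lo, hi))
    if count == 0:
        raise ValueError("empty range set")
    return count, intervals


def coalesce(intervals: List[Interval]) -> List[Interval]:
    """Merge intervals that overlap or sit back to back."""
    merged: List[Interval] = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def evaluate_range(value: str, length: int) -> Verdict:
    """Decide what a proxy in front of the web server should do with the header."""
    try:
        count, intervals = parse_range(value, length)
    except ValueError as exc:
        return Verdict("reject", str(exc), 0, [])
    merged = coalesce(intervals)
    if not intervals:
        return Verdict("reject", "no satisfiable range", count, merged)
    if count > MAX_RANGES:
        return Verdict("ignore-range", f"{count} ranges exceed limit of {MAX_RANGES}",
                       count, merged)
    if len(intervals) - len(merged) > MAX_COLLAPSED:
        return Verdict("ignore-range", "overlapping or adjacent ranges", count, merged)
    return Verdict("allow", "ok", count, merged)


# The Range header from the slide: 27 back-to-back 512-byte ranges.
SLIDE_RANGE = "bytes=" + ", ".join(
    f"{start}-{start + 511}" for start in range(1097728, 1111552, 512))
# Constructed file size for the demo; the slide does not give one.
SAMPLE_LENGTH = 2_000_000

if __name__ == "__main__":
    for header in (SLIDE_RANGE, "bytes=0-499", "bytes=0-,0-,0-,0-", "bytes=500-100"):
        v = evaluate_range(header, SAMPLE_LENGTH)
        print(f"{v.action:13} specs={v.spec_count:<3} merged={v.merged}  ({v.reason})")
```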
Constantly Probed
Attacks target vulnerabilities
SSL is Trending
Layer 7 DoS Traffic
DOS MITIGATION STRATEGIES
Issues - Weaponized Defenses
• Many defensive strategies can be turned against the application
• Rate limiting SYNs by destination can cause failed handshakes, even while the pipe is not full
• Blocking DNS or SYN attacks by source IP: spoofed-origin packets cause blocking of an IP of the attacker’s choice
Issues – Traditional Firewalls:
• Traditional Firewalls have limitations:
– Cannot tell spoofed origin traffic from real IP
– Limited to Dropping packets
• Such defenses can be turned against the app
– Max sessions tends to be easily reached
– Struggle with encrypted attacks, layer 7, low and slow, and other behavioral attacks
Why TMOS?
• TCP inline, all the time
– Accelerates and mitigates from the first packet
• High capacity SSL, with iRules (see: sslsqueeze)
• SSL cert management in one place
TMOS in Action - TCP
[Diagram labels: TCP, SSL, HTTP, ASM; SYN Flood; SSL Attacks; Slow HTTP, Request Floods; Layer 7 Attacks; iRules; Users]
TMOS in Action – Other IP
[Diagram labels: AFM, GTM; DNS Flood; NTP, DNS Amplification; iRules; DNS Query - User]
Further Observations:
• Effective DDoS mitigation requires:
– High speed SSL hardware
– TCP full proxy
– Behavioural analysis
– Interaction with the attack
• Challenge suspicious clients to prevent false positives, weaponised defence
• Visibility, planning, automation, testing
F5 DDOS REFERENCE ARCHITECTURE
[Diagram: Hybrid Cloud – Mode 0. Labels: L3-7 DDoS, L7 Policy Mgt, DNS, Vulnerability Mgt, Analyst Reports, SIEM; later versions of the slide add Attacker icons]
[Diagram: Hybrid Cloud – Mode 1. Labels: L3-7 DDoS, L7 Policy Mgt, DNS, Vulnerability Mgt, Analyst Reports, SIEM; multiple Attacker icons]
Test Driven Security
Vulnerability Scanning
Application Penetration Testing
Remediation and Retesting
Continuous Scanning and Analysis
Attack Monitoring and Reporting
Incident Response and Technical Support
Why not check out…
Aura Managed Services overview:
http://aurainfosec.com/managed-services.html - redshield
FAQ, knowledgebase and forums:
https://auraredeye.zendesk.com

DDoS Mitigation Strategies Explained

  • 1. DDoS Mitigation on the Front Line Presenter: Sam Pickles, CTO Aura Information Security
  • 2. Overview • Why we’re here – Who are Aura Information Security • What we’re seeing in the wild – DDoS Threats • DDoS Mitigation Strategies • DDoS Reference Architecture Extended
  • 3. Aura RedShield • Aura Information Security • F5 Technology Alliance Partners • NZ’s leading Information Security consulting company. • Deloitte’s NZ Fast 50 + Fastest growing Tech in Wlg • Deloitte APAC Tech Fast 500 2010, 2011, 2012 • Electra Business of the Year 2010 / 2011 • Finalists in NZ HiTech Awards 2014 • Customers across NZ Govt and private sector. – NZDF Panel, All-of-Govt Panel, banking, telco, energy, health, hi-tech • Services: – Penetration Testing, InfoSec Training, Security Research, Security Architecture, Code Reviews • Aura RedEye • Globally registered PCI ASV (Approved Scanning Vendor) • Winner of the ANZIAs 2012 for Security and Privacy
  • 5. RedShield Cloud HTTP(S) HTTP(S) HTTP(S) HTTP(S) Vulnerability Scanning Target 100% Shielding Analyst-Driven Reports Web Security Expert Team RedShield
  • 6. HTTP(S) Vulnerability Scanning Target 100% Shielding Analyst-Driven Reports Web Security Expert Team RedShield RedShield On-Premise
  • 8. DDoS – Reflected / Amplified [diagram; label: Attacker]
  • 10. NTP Amplification • One small command sends a single UDP request: – ntpdc -c monlist 117.1x.1xx.1x • Response is huge, sent to victim. • Even a small botnet can trigger an avalanche
  • 11. NTP Amplification Example 1: • February 10th 2014 • Over 400Gbps • 4,529 servers
  • 12. NTP Amplification Hits RedShield • Large scale NTP attack hit Aura’s network on March 16th 2014 • Target victim is a government sector org • Source addresses = approximately 2500 NTP servers identified • TMOS scrubs by default
  • 13. 200 x Amplification • Each NTP request triggers a large text stream to the victim • Thousands of requests per second
  • 14. Meanwhile, keep your eyes on the applications… • Application Layer DDoS increasing in popularity • Malicious individuals with limited resources can now cause outages • These attacks work just as well over SSL
  • 15. Apache Killer Example
        GET /downloads/folder/path/large-file.pdf HTTP/1.1
        Accept: */*
        Range: bytes=1097728-1098239, 1098240-1098751, 1098752-1099263, 1099264-1099775, 1099776-1100287, 1100288-1100799, 1100800-1101311, 1101312-1101823, 1101824-1102335, 1102336-1102847, 1102848-1103359, 1103360-1103871, 1103872-1104383, 1104384-1104895, 1104896-1105407, 1105408-1105919, 1105920-1106431, 1106432-1106943, 1106944-1107455, 1107456-1107967, 1107968-1108479, 1108480-1108991, 1108992-1109503, 1109504-1110015, 1110016-1110527, 1110528-1111039, 1111040-1111551
        User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
  • 18. SSL is Trending Layer 7 DoS Traffic
  • 20. Issues - Weaponized Defenses • Many defensive strategies can be turned against the application • Rate limiting SYNs by destination can cause failed handshakes, even while the pipe is not full • Blocking DNS or SYN attacks by source IP: spoofed-origin packets cause blocking of an IP of the attacker's choice
  • 21. Issues – Traditional Firewalls: • Traditional Firewalls have limitations: – Cannot tell spoofed origin traffic from real IP – Limited to Dropping packets • Such defenses can be turned against the app – Max sessions tends to be easily reached – Struggle with encrypted attacks, layer 7, low and slow, and other behavioral attacks
  • 22. Why TMOS? • TCP inline, all the time – Accelerates and mitigates from the first packet • High capacity SSL, with iRules (see: sslsqueeze) • SSL cert management in one place
  • 23. TMOS in Action - TCP [diagram; labels: TCP, SSL, HTTP, ASM; SYN Flood; SSL Attacks; Slow HTTP, Request Floods; Layer 7 Attacks; iRules; Users]
  • 24. TMOS in Action – Other IP [diagram; labels: AFM, GTM; DNS Flood; NTP, DNS Amplification; iRules; DNS Query - User]
  • 25. Further Observations: • Effective DDoS mitigation requires: – High speed SSL hardware – TCP full proxy – Behavioural analysis – Interaction with the attack • Challenge suspicious clients to prevent false positives, weaponised defence • Visibility, planning, automation, testing
  • 27. Hybrid Cloud – Mode 0 [diagram; labels: L3-7 DDoS, L7 Policy Mgt, DNS, Vulnerability Mgt, Analyst Reports, SIEM]
  • 29. Hybrid Cloud – Mode 0 [same diagram, with three attackers shown]
  • 31. Hybrid Cloud – Mode 1 [same diagram, with many attackers shown]
  • 33. Test Driven Security Vulnerability Scanning Application Penetration Testing Remediation and Retesting Continuous Scanning and Analysis Attack Monitoring and Reporting Incident Response and Technical Support
  • 34. Why not check out… Aura Managed Services overview: http://aurainfosec.com/managed-services.html - redshield FAQ, knowledgebase and forums: https://auraredeye.zendesk.com
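
The NTP amplification slides (10 to 13) describe a victim receiving large replies from thousands of NTP servers it never queried. The sketch below is an added example, not code from the talk or from any F5 product: it flags that pattern in flow records, where the record layout, the thresholds and the sample flows (documentation-range addresses) are all constructed assumptions.

```python
from collections import defaultdict

NTP_PORT = 123
MIN_REFLECTORS = 3   # assumed threshold, sized for the small sample below
MIN_BYTES = 10_000   # assumed threshold

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    # 192.0.2.10 performs an ordinary NTP exchange with one server
    ("192.0.2.10", 40000, "198.51.100.1", 123, "udp", 76),
    ("198.51.100.1", 123, "192.0.2.10", 40000, "udp", 76),
    # 192.0.2.80 never sent an NTP request but receives large replies
    ("203.0.113.5", 123, "192.0.2.80", 80, "udp", 44000),
    ("203.0.113.6", 123, "192.0.2.80", 80, "udp", 44000),
    ("203.0.113.7", 123, "192.0.2.80", 80, "udp", 44000),
    ("198.51.100.9", 123, "192.0.2.80", 80, "udp", 44000),
    ("198.51.100.9", 123, "192.0.2.80", 80, "udp", 44000),
    # TCP traffic from port 123 is not NTP and is ignored
    ("203.0.113.5", 123, "192.0.2.80", 443, "tcp", 500),
]

def find_reflection_victims(flows, min_reflectors=MIN_REFLECTORS,
                            min_bytes=MIN_BYTES):
    """Return destinations receiving unsolicited NTP replies from many servers."""
    # (client, server) pairs where the client really sent a request to udp/123.
    asked = {(src, dst) for src, _, dst, dport, proto, _ in flows
             if proto == "udp" and dport == NTP_PORT}
    reflectors = defaultdict(set)
    volume = defaultdict(int)
    for src, sport, dst, _, proto, nbytes in flows:
        # A reply is unsolicited when the destination never queried that server;
        # the spoofed request came from elsewhere and is not in the victim's flows.
        if proto == "udp" and sport == NTP_PORT and (dst, src) not in asked:
            reflectors[dst].add(src)
            volume[dst] += nbytes
    return {dst: {"reflectors": len(srcs), "bytes": volume[dst]}
            for dst, srcs in reflectors.items()
            if len(srcs) >= min_reflectors and volume[dst] >= min_bytes}

if __name__ == "__main__":
    print(find_reflection_victims(FLOWS))
```

The list of reflector addresses this produces identifies misconfigured NTP servers, not the attacker, so it is input for scrubbing and upstream notification rather than for source attribution.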

Editor's notes

  1. F5 TMOS platforms present the opportunity to mitigate a wide variety of security threats from network, to application layer, in a consolidated architecture. In this talk, we’ll illustrate this by taking a look at what our F5s are picking up in the wild; and discuss our view of datacenter security for your critical applications.
  2. This attack was launched against CDN provider Cloudflare and is claimed to be the world's biggest DDoS so far (this record won’t last!)
  3. All those byte ranges cause the server to produce a full copy of the large-file.pdf response, for each byte range. A PDF of 2MB can thus cause this single response to take up 50MB of memory while the server responds. Multiply by thousands or more, and a single individual can cause a website outage without needing a botnet. This example hit RedShield in March.
  4. An average customer on RedShield currently receives around 100-200 L7 DoS reconnaissance probes per month. Each IP address tends to make 3-15 requests and tests one or two techniques to verify whether the server is a potential target. Interestingly, these attacks almost never escalate against policies in blocking mode, but are more often seen during the initial policy tuning phase, before blocking is enabled. Monitoring ASM immediately after deployment is critical, as is progression towards blocking mode.
  5. This type of attack doesn’t get picked up by network monitoring systems; bandwidth requirements are small. A few Mbps can completely disable a vulnerable service; much smaller than a smash-up style amplified Botnet. Most administrators would suspect application problems, try rebooting servers, read error logs etc. These attacks can be hard to troubleshoot as this is legitimate HTTP. Attacks like this are also often launched over HTTPS in an effort to avoid detection. A favorite of Anonymous; particularly prevalent against government targets due to popularity with hacktivists.
  6. This proportion of traffic is steadily rising. We see SSL attacks up ~30% from previous year.
  7. These layers all actively mitigate different types of attacks, and cover the full spectrum from network to application, from DDoS to advanced hacking techniques. Each layer is naturally part of the infrastructure stack – not a bottleneck, but an accelerator. Each layer earns its permanent place in the application stack by offloading, accelerating, and improving the performance and reliability of applications. When attack traffic strikes, the infrastructure responds from the very first packet, whilst continuing its function and processing desirable user traffic. Contrast this approach with a firewall or other reactive device such as a DDoS mitigator, which needs to insert itself into suspicious sessions when attacks are detected. This requires another point of SSL certificate management and another place to define your applications, and the device will generally cause performance degradation such as latency and additional TCP overhead.
  8. Mode 0: Normal Operation.
     - Clients query RedShield DNS to find your application and come to your datacenter; accessing applications hosted via on-premise F5 Big IP.
     - Vulnerabilities in the application are found by Aura RedEye or third party scanners.
     - Mitigation is deployed and managed by RedShield On-Premise service, delivering application security policies built on ASM and iRules.
     - Security logs are sent via encrypted links into RedShield Cloud, where they are analysed by Aura’s Analyst team and incorporated into dashboards and reports.
     - Vulnerabilities and Incidents are detected and mitigated.
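
Slide 15 and note 3 describe a single request whose Range header lists many small byte ranges of one large file. The sketch below is an added example, not code from the talk or an F5 iRule: it parses such a header, coalesces the ranges and decides whether a proxy in front of the server should strip it. The function names and the five-range threshold are assumptions; the sample header is rebuilt from the ranges on slide 15.

```python
import re
MAX_RANGES = 5               # assumed policy threshold, not a value from the slides
PDF_SIZE = 2 * 1024 * 1024   # the 2 MB file size used in the speaker's note
_SPEC = re.compile(r"(\d*)-(\d*)")
# Constructed input: the 27 contiguous 512-byte ranges shown on slide 15.
SLIDE_RANGE = "bytes=" + ", ".join(
    f"{s}-{s + 511}" for s in range(1097728, 1111041, 512))

def parse_ranges(value, size):
    """Return absolute (start, end) pairs, or None if the header is malformed."""
    unit, sep, specs = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    out = []
    for spec in specs.split(","):
        m = _SPEC.fullmatch(spec.strip())
        if not m or m.group(0) == "-":
            return None
        first, last = m.groups()
        if first == "":                       # suffix form: the last N bytes
            start, end = max(size - int(last), 0), size - 1
        else:
            start = int(first)
            end = min(int(last), size - 1) if last else size - 1
            if last and int(last) < start:
                return None
        if start <= end:                      # drop unsatisfiable ranges
            out.append((start, end))
    return out

def coalesce(ranges):
    """Merge overlapping or adjacent ranges so each byte is served once."""
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def assess(value, size=PDF_SIZE, max_ranges=MAX_RANGES):
    """Decide how a proxy in front of the server should treat a Range header."""
    ranges = parse_ranges(value, size)
    if ranges is None:
        return {"action": "ignore-range", "requested": 0, "coalesced": 0, "bytes": 0}
    merged = coalesce(ranges)
    action = "strip-range" if len(ranges) > max_ranges else "allow"
    return {"action": action, "requested": len(ranges), "coalesced": len(merged),
            "bytes": sum(e - s + 1 for s, e in merged)}
```

For the slide's header the 27 requested ranges coalesce into one 13,824-byte span, which is why a count of requested ranges, rather than the bytes asked for, is the useful signal here.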