Mitigating Multiple DDoS Attack Vectors

Security professionals need to understand how to plug the security gap from Layers 3 to 7 and protect against multi-layer attacks with a full proxy security architecture. It is time to rethink and refine the enterprise security architecture so that organizations can remain agile and resilient against future threats.

DDoS Attack Vectors

By recognizing the four main categories of attack (and their blends), security professionals can mitigate even previously unknown vectors:
1. Volumetric: flooding attacks
2. Computational Asymmetric: consuming CPU cycles
3. Stateful Asymmetric: abusing memory
4. Vulnerability-based: exploiting software vulnerabilities
5. Blended DDoS: a combination of multiple attack vectors

The following mindmap shows the detection methods (left) for the DDoS attack categories (middle) and the mitigations (right).

DETECTION

Signature Based
  Strengths: fast, easy for hardware implementation; deterministic/predictable
  Considerations: reactive; some signatures cannot distinguish "good" from "bad" traffic

Heuristic Flow Analysis
  Strengths: good at separating "good" from "bad"; proactively finds anomalies
  Considerations: may require baselining

Security Appliance Resource Monitoring
  Strengths: based on the attack's target (not specific to the attack mechanism); low false positive/negative rate; feedback-driven
  Considerations: protects only resources that are monitored; not server-aware, so it does not directly protect the server

Server Resource Monitoring
  Strengths: based on the attack's target (not specific to the attack mechanism); low false positive/negative rate; server-centric; feedback-driven
  Considerations: protects only resources that are monitored

ATTACK CATEGORIES

Volumetric
  Method: packet or flow flood
  Resource attacked: network bandwidth
  Examples: UDP packet floods, ARP/ICMP floods, DNS reflection attack, HTTP flood

Stateful Asymmetric
  Method: create packets/requests that require the security and server infrastructure to maintain state
  Resource attacked: memory of the security and server infrastructure
  Examples: SYN floods, LAND attack, fragmentation attacks, bad TCP options/size, Slowloris, slow POST/GET, FTP ephemeral opens, slow file download

Vulnerability/Exploit
  Method: create malformed or crafted requests and packets targeting software security holes
  Resource attacked: software stack of the security and server infrastructure
  Examples: invalid DNS opcode, Apache Killer, PostOfDoom, Apache Struts

Computational Asymmetric
  Method: create requests that have a large computational cost on the security and server infrastructure (middleware/DB)
  Resource attacked: compute resources of the security and server infrastructure
  Examples: SSL renegotiation, heavy URLs, XML DND, XML external entity, application logic (e.g. "where are the closest ATMs?")

MITIGATION

Rate Limiting (L3-L7)
  Strengths: ease of hardware implementation; fast and deterministic
  Considerations: false positive rate; depends on 5-tuple/header information to distinguish "good" from "bad"

Client Challenge (L7-L8)
  Strengths: uses the client's response to lower the false positive/negative rate; weeds out botnets to protect server resources; a computational challenge can limit the per-attacker rate under attack
  Considerations: may not work with all listener types (forwarding, BigTCP)

Reputation List (L3-L7)
  Strengths: detect in Layer 7 and block in Layer 3; real-time updates
  Considerations: does not work against many volumetric network attacks (spoofed source addresses)

Full Proxy Architecture (L3-L8)
  Strengths: manipulate packages; programmability; flexibility

Practices called out on the mitigation side of the mindmap:
- Use Web Application Firewall heuristic latency-based detection
- Use Web Application Firewall heuristic Transactions Per Second (TPS) based detection
- Set proper thresholds for load
- Set proper timeouts
- Set proper protocol protection
- Use Web Application Firewall flow definition for DoS appliance self-defense
- Use profile definitions and resource monitoring
- Use custom scripts for zero-day attack and other vulnerability exploit protection

DDoS PROTECTION REFERENCE ARCHITECTURE

Tier 1 (perimeter): Layer 3 and 4 network firewall services; simple load balancing to a second tier; IP reputation database; mitigates volumetric and DNS DDoS attacks.
Tier 2: application-aware, CPU-intensive defense mechanisms; SSL termination; web application firewall; mitigates asymmetric and SSL-based DDoS attacks.

Attack types shown in the diagram:
- Network attacks: ICMP flood, UDP flood, SYN flood
- SSL attacks: SSL renegotiation, SSL flood
- DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning
- HTTP attacks: Slowloris, slow POST, recursive POST/GET

Components in the diagram: multiple ISP strategy (ISPa/b), cloud scrubbing service, threat feed intelligence, network firewall, DDoS protection, IPS, Application Delivery Controller (ADC), web application firewall, anti-fraud protection, next-generation firewall, with a strategic point of control between the tiers.
Traffic sources: legitimate users, corporate users, subscribers, attackers, botnet attackers, anonymous proxies, anonymous requests, scanners.
Protected services: financial services, e-commerce, DNS.
The OSI layers 1 to 7 are drawn alongside the tiers: Tier 1 covers the network and transport layers, Tier 2 the session through application layers.

Sources: F5 Security Forums
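The two-tier pipeline above, modelled in Python as an added example (this is not code from the infographic, from F5, or from any F5 product). Tier 1 performs the cheap perimeter decisions (reputation list, per-source sliding-window rate limit keyed on the source address of the 5-tuple); Tier 2 performs the CPU-heavier, application-aware work (an HMAC-bound client challenge followed by a transactions-per-second baseline check). The secret, thresholds, reputation entry and traffic sample are all constructed for the demo; the addresses come from the RFC 5737 documentation ranges. The NAT gateway case shows the rate-limiting false-positive consideration from the mindmap.

```python
"""Two-tier DDoS mitigation pipeline (added illustration, not F5 code).

Tier 1 models the perimeter from the reference architecture (reputation list,
per-source rate limit). Tier 2 models the application-aware layer (client
challenge, TPS baseline). Every address, threshold and secret is constructed
for the demo; the addresses come from the RFC 5737 ranges.
"""
import hashlib
import hmac
from collections import Counter, defaultdict, deque

SECRET = b"demo-only-challenge-key"   # assumption: a per-deployment secret
BAD_REPUTATION = {"203.0.113.9"}       # constructed reputation list entry
RATE_LIMIT = 20                        # requests per source per window (constructed)
WINDOW = 1.0                           # seconds
BASELINE_TPS = 5.0                     # "learned" normal TPS, tiny so the demo trips it
TPS_ANOMALY_FACTOR = 3.0               # flag when TPS exceeds 3x the baseline


class Tier1:
    """L3/L4 perimeter: reputation block, then a sliding-window rate limit."""

    def __init__(self):
        self.windows = defaultdict(deque)

    def allow(self, src_ip, now):
        if src_ip in BAD_REPUTATION:
            return "drop:reputation"
        q = self.windows[src_ip]
        while q and now - q[0] > WINDOW:   # expire timestamps outside the window
            q.popleft()
        if len(q) >= RATE_LIMIT:
            return "drop:rate"             # NAT'd legitimate users can land here too
        q.append(now)
        return "pass"


def issue_challenge(src_ip, now):
    """Token a real client echoes back (e.g. a cookie set by injected JavaScript).
    Binding it to the source address and the current second stops replay from
    another host or much later."""
    msg = f"{src_ip}:{int(now)}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def verify_challenge(src_ip, now, token):
    """Accept the token for the current or the previous second."""
    for ts in (int(now), int(now) - 1):
        expected = hmac.new(SECRET, f"{src_ip}:{ts}".encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, token):
            return True
    return False


class Tier2:
    """L7: client challenge, then TPS-baseline anomaly detection on what gets through."""

    def __init__(self):
        self.stamps = deque()

    def tps(self, now):
        while self.stamps and now - self.stamps[0] > 1.0:
            self.stamps.popleft()
        return len(self.stamps)

    def handle(self, req, now):
        token = req.get("challenge")
        if token is None or not verify_challenge(req["src"], now, token):
            return "challenge"             # bot or first contact: must answer the challenge
        self.stamps.append(now)
        if self.tps(now) > BASELINE_TPS * TPS_ANOMALY_FACTOR:
            return "flag:tps"              # forwarded, but the heuristic detector has fired
        return "forward"


def simulate():
    """Run constructed traffic through both tiers; returns {src: {decision: count}}."""
    tier1, tier2 = Tier1(), Tier2()
    traffic = (
        [("198.51.100.10", True)] * 5      # one browser, answers challenges
        + [("203.0.113.9", True)] * 5      # address on the reputation list
        + [("192.0.2.77", False)] * 50     # bot: never answers the challenge
        + [("198.51.100.200", True)] * 25  # NAT gateway fronting many real users
    )
    results = defaultdict(Counter)
    start = 1_700_000_000.0
    for i, (src, answers) in enumerate(traffic):
        now = start + i * 0.001            # all requests fall inside one window
        decision = tier1.allow(src, now)
        if decision == "pass":
            req = {"src": src}
            if answers:
                req["challenge"] = issue_challenge(src, now)
            decision = tier2.handle(req, now)
        results[src][decision] += 1
    return {src: dict(c) for src, c in results.items()}


if __name__ == "__main__":
    for src, decisions in simulate().items():
        print(src, decisions)
```

Running it shows the trade-offs the mindmap lists: the bot never gets past the challenge and is then rate-limited outright, the reputation hit is dropped at the cheapest tier, and the NAT gateway, which is legitimate, still loses five requests to the rate limiter and trips the TPS heuristic because a source address alone cannot separate "good" from "bad".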
http://resources.idgenterprise.com/original/AST-0127081_Mitigating_Multiple_DDoSAttack_Vectors_Infographic.PDF