Check Point DDoS Protector: Introduction
Petr Kadrmas, SE Eastern Europe, pkadrmas@checkpoint.com
Agenda
1. (D)DoS Trends
2. DDoS Protector Overview
3. Protections in Details
4. Summary
(D)DoS Attack Methods and Tools
Attacks can be partitioned into three dimensions:
- Network DoS attacks: consume bandwidth resources
- Application flood DoS attacks: target the application resources
- Directed application DoS attacks: exploit application implementation weaknesses
Network and Application Attacks Coexist
[Chart: DDoS attacks by type, with segments for application layer attacks, TCP SYN flood and network layer attacks]
More attacks are targeted at the application layer.
Attackers Use Multi-Layer DDoS
Simultaneous attack vectors:
- Large-volume network flood attacks
- SYN flood attacks
- Low and slow DoS attacks (e.g., socket stress)
- Application vulnerabilities
- High and slow application DoS attacks
- Web attacks: brute-force login, login locked
One successful attack vector = no service.
DDoS and Traditional Security
Attackers take advantage of traditional security:
- Firewalls track the state of network connections (can be a bottleneck)
- Firewalls allow legitimate traffic (e.g., port 80 to a web server)
- IPS allows legitimate requests (e.g., get http/1.0\r\n)
- Application Control allows legitimate services (DNS or HTTPS)
Traditional Firewalls Are Not Sufficient
Not designed for network and application DDoS protection:
- Basic rate-based flood protection affects all traffic (real users and attack traffic alike)
- Lacks comprehensive Layer 7 DDoS protection
- Poor detection of sneaky attacks
- No filters to block attacks while allowing real traffic
- Administrators cannot create custom signatures
Agenda (section 2 of 4): DDoS Protector Overview
Introducing Check Point DDoS Protector
Block denial-of-service attacks within seconds!
Layers of Attacks
- Network flood: high volume of packets. Challenge: PPS processing capacity.
- Server flood: high rate of new sessions. Challenges: identifying malicious sources, accurate mitigation.
- Application directed: Web/DNS connection-based attacks, advanced attack techniques. Challenges: deep packet inspection, ad-hoc filter creation.
Layers of Defense
- Network flood (high volume of network packets): behavioral analysis, automatic and pre-defined signatures; stateless and behavioral engines.
- Server flood (high rate of new sessions): protections against misuse of resources; challenge/response mitigation methods.
- Application directed (Web/DNS connection-based attacks, advanced attack techniques): behavioral DNS and HTTP protections, granular custom filters; filters that block attacks and allow users.
Check Point DDoS Protector
- Customized multi-layered DDoS protection
- Protects against attacks within seconds
- Integrated security management and expert support
DDoS Protector Product Line
Enterprise grade:
- Up to 3 Gbps throughput
- 2M concurrent sessions
- 1 Mpps max. DDoS flood attack rate
Datacenter grade:
- Up to 12 Gbps throughput
- 4M concurrent sessions
- 10 Mpps max. DDoS flood attack rate
7 models to choose from; 1GbE copper and 10GbE fiber connections; low latency.
Product Information
Series                                  DP x06 Series                                 DP x412 Series
Model                                   DP 506    DP 1006   DP 2006   DP 3006         DP 4412   DP 8412   DP 12412
Capacity                                0.5 Gbps  1 Gbps    2 Gbps    3 Gbps          4 Gbps    8 Gbps    12 Gbps
Max concurrent sessions                 2 million                                     4 million
Max DDoS flood attack protection rate   1 million packets per second                  10 million packets per second
Latency                                 <60 microseconds (all models)
Real-time signatures: detect and protect against attacks in less than 18 seconds.
Where to Protect Against DDoS
Scenarios:
1. On-premise deployment: DDoS Protector appliance
2. Off-site deployment: DDoS Protector appliance
3. On-premise + off-site deployment
Simple Deployment
No network address changes (Layer 2 bridge):
1. Plug it in
2. Let it learn: baseline good network and application behavior
3. Protected by signatures: signatures are ready to protect
Ready to protect any size network in minutes.
High Availability
DDoS Protector active/passive high availability (HA):
- Two compatible devices in a two-node cluster
- Compatibility: same platform, software version, software license, throughput license and signatures
- Device identification: the primary device is active and the secondary device is passive
Integrated Security Management
Unified logs, monitoring and reporting: leverage SmartView Tracker, SmartLog and SmartEvent for historic and real-time security status.
DDoS Protector Integration
In SmartView Tracker and SmartLog, each log and each log update (per sampled source) is presented separately, so one attack produces many log lines. In SmartEvent, the attack is consolidated into one event.
Agenda (section 3 of 4): Protections in Details
Protection Methods
- Pre-defined signatures of known attacks and attack tools
- Stateless engines for dropping malformed packets
- SYN flood protection
- Connection limits
- Behavioral engine that feeds automatic signatures to the runtime engine for fast dropping of attack packets
Behavioral DoS System Modules
Zero-day protection against unknown DoS/DDoS flood attacks.
How does it work?
- Adaptation of the network baselines through statistical analysis: the system periodically adapts its decision algorithms to the particular baseline traffic characteristics of the protected network
- Analysis, correlation and decision through an adaptive decision engine
- Automatic prevention through attack footprint analysis and a closed-feedback mechanism; the whole process takes up to 18 seconds
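As an added illustration (not Check Point's code, and not a description of the appliance's actual algorithms), the following Python sketch models the three steps above on constructed traffic: learning a packets-per-second baseline, flagging a second whose rate exceeds it, deriving a footprint from header fields that dominate the anomalous window but are rare in baseline traffic, and measuring the resulting filter's accuracy as a closed-feedback check. The field names, thresholds and sample traffic mix are assumptions.

```python
# Added illustration (not Check Point code): a toy behavioral DoS engine.
from collections import Counter
from statistics import mean, pstdev
FIELDS = ("dst_port", "pkt_len", "ttl")  # assumed header parameters a footprint may use

def learn_baseline(seconds):
    """Return (mean, std) of packets per second over a learning period."""
    rates = [len(s) for s in seconds]
    return mean(rates), pstdev(rates)

def is_anomalous(window, baseline, k=3.0):
    """Flag a one-second window whose packet rate exceeds mean + k*std."""
    m, sd = baseline
    return len(window) > m + k * sd

def footprint(window, normal, min_share=0.8, max_normal_share=0.2):
    """Keep field=value pairs that dominate the anomalous window but are rare in baseline
    traffic (dst_port 53 in front of a DNS server is skipped, so real users are spared)."""
    fp = {}
    for f in FIELDS:
        val, cnt = Counter(p[f] for p in window).most_common(1)[0]
        normal_share = sum(p[f] == val for p in normal) / len(normal)
        if cnt / len(window) >= min_share and normal_share < max_normal_share:
            fp[f] = val
    return fp

def matches(pkt, fp):
    return all(pkt[f] == v for f, v in fp.items())
def evaluate(fp, window, normal):
    """Closed feedback: share of the window the filter blocks vs. share of baseline hit."""
    blocked = sum(matches(p, fp) for p in window) / len(window)
    collateral = sum(matches(p, fp) for p in normal) / len(normal)
    return blocked, collateral

def run(learning, window):
    """Full cycle: baseline, anomaly check, footprint, feedback; None when no anomaly."""
    normal = [p for s in learning for p in s]
    if not is_anomalous(window, learn_baseline(learning)):
        return None
    fp = footprint(window, normal)
    return fp, evaluate(fp, window, normal)
# Constructed sample traffic (deterministic, not captured data).
PORTS, LENS, TTLS = (80, 443, 53, 22), (1500, 600, 120, 64, 900), (64, 128, 255, 52, 118)
def legit(n):  # n legitimate packets cycling through the mixes above
    return [{"dst_port": PORTS[j % 4], "pkt_len": LENS[j % 5], "ttl": TTLS[j % 5]}
            for j in range(n)]
def build_sample():  # ten learning seconds near 20 pkt/s, then 190 flood + 10 real packets
    learning = [legit(c) for c in (18, 22, 20, 19, 21, 20, 18, 22, 21, 19)]
    flood = [{"dst_port": 53, "pkt_len": 48, "ttl": 250} for _ in range(190)]
    return learning, flood + legit(10)
```

On the constructed sample, `run(*build_sample())` yields the footprint {pkt_len: 48, ttl: 250} (dst_port 53 is dropped because a quarter of baseline traffic already uses it), blocking 95% of the anomalous second with no baseline packet matched.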
Types of Attacks Prevented
Network DoS attacks (consuming bandwidth resources). Real-time protection against:
- TCP SYN floods
- TCP SYN+ACK floods
- TCP FIN floods
- TCP RESET floods
- TCP fragment floods
- UDP floods
- ICMP floods
- IGMP floods
- Packet anomalies
DNS Flood Protection
Basic module: DNS traffic behavioral analysis
- Continuous learning of the DNS servers' traffic patterns across several dimensions
- Real-time signature creation upon detection, using multiple DNS packet data parameters
Mitigation actions:
- Protocol compliance checks, challenge/response mechanism, rate limiting
- Mitigation actions are activated on suspicious sources only
HTTP Mitigator
Application flood DoS attacks target the application resources.
HTTP Mitigator (behavioral based) protects against:
- Bot-originated HTTP flood attacks
- High and low rate HTTP flood DDoS attacks
- Page floods that misuse the server resources
- HTTP bandwidth consumption attacks (e.g., large downloads)
© 2012 Check Point Software Technologies Ltd.
Agenda (section 4 of 4): Summary
DDoS Protector Advantages
- Network behavioral analysis with real-time signatures: detects zero-day attacks, prevents them in seconds
- High accuracy and usability under attack: selective challenge actions, action escalation
- Multi-layer, highly customizable protections: signature based, packet anomaly, rate limits, behavioral
- Attack traffic mitigation does not impact legitimate traffic
- Flexible deployment
- Emergency Response Team as part of the support service
- NSS and CC EAL4+ certifications
Emergency Response and Support
Emergency Response Team:
- Help from security experts when under DoS attack
- Leverages experience gathered from real-life attacks
Check Point customer support:
- World-class support infrastructure
- Always-on support, 24x7
- Flexible service options
Summary
- Blocks DDoS attacks within seconds
- Customized multi-layered DDoS protection
- Ready to protect in minutes
- Integrated with Check Point Security Management
Thank You