Protect Your Assets with Single IP DDoS Protection

Post on 15-Jan-2017


Transcript of Protect Your Assets with Single IP DDoS Protection

© 2015 Imperva, Inc. All rights reserved.

Protect Your Assets with Single IP DDoS Protection

Shahar Ben-Hador, CISO

Dvir Shapira, Director, Product Management

@imperva @Incapsula_com


Agenda

• DDoS threat trends
• Current solutions
• IP Protection overview
• How Imperva is using IP Protection
• Lessons learned


Speaker Bio for Dvir Shapira

• Background
– BSc in physics (no idea why I did it…) and EE
– Saw the bubble burst around me as a part-time startup employee back in 2001
– Held various roles at Applied Materials, CheckPoint, Incapsula and a few startups.
• Director of product management
• Email: dvir@incapsula.com


Speaker Bio for Shahar Ben-Hador

• Background
– BSc in Math and Computer Science
– More than 7 years with Imperva
– Held various roles at Imperva around Infrastructure and Security
• CISO
• Email: shaharb@imperva.com

1. DDoS Protection Today

DDoS Propelling the Rise of Cyber Extortion

“Any organization can be hit by a DDoS attack” – Swiss Governmental Computer Emergency Response Team

• Armada Collective, DD4BC, and others continue to threaten attacks for ransom

• Even governments are alerting organizations of the growing threat

• The need for comprehensive, upstream mitigation is urgent


You may not be protected even if you have anti-DDoS

• Non-HTTP assets are still vulnerable

• An attack on an exposed server can bring down your entire infrastructure

• Protected HTTP servers can still suffer direct-to-origin attacks

• Public cloud servers can be vulnerable


What are the alternatives?

• Use a different set of IPs

• On demand BGP

• TCP/UDP proxy

• Single IP protection


IP Protection

[Diagram labels: DDoS, Legit Traffic, Incapsula Network, Incapsula IP Address 1.2.3.4, GRE Tunnel, Customer Infrastructure]

• Provides complete Infrastructure DDoS protection for single IP addresses

• Deploys as an always-on service for immediate detection and mitigation of DDoS attacks

• Enables origin protection for DNS redirection based services (e.g. CDNs)

2. Common Use Cases

Customer Story (1/3)

“We have constant DDoS attacks on three IPs in which we use proprietary protocols. Looked at four different vendors, none of them were able to provide a decent protection.” – Diego T | CTO, Online Poker site

No C-Class ranges, using proprietary protocol

Customer Story (2/3)

“We use on-demand BGP, but for one specific server we want to deploy an always on solution.” – John O | IT Director, video conferencing platform

BGP on-demand customer, requires always on


Customer Story (3/3)

“DDoS attacks on a few customers can affect the entire ISP operation. We need to identify the few targets and protect them, to keep our whole network from being burdened by attack.” – Tim W | Ops Manager, ISP

ISPs need to protect specific IPs that are vulnerable

3. How it Works

© 2016 Imperva, Inc. All rights reserved.

How it works

• Traffic is routed directly to the customer origin server (1.1.1.1)

• Incapsula establishes a GRE tunnel between its CDN and the origin server

• Incapsula assigns a unique IP (2.2.2.2) to the customer

• Customer changes the DNS record to point to the Incapsula allocated IP

• All traffic is routed through the Incapsula global network. Only clean traffic is passed to origin
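A check a defender might run after the DNS change in the steps above: scan the zone for records that still publish the origin address (1.1.1.1 on the slides), since clients following them reach the origin directly instead of the Incapsula allocated IP (2.2.2.2). This is an added example, not material from the presentation; the hostnames and zone contents are constructed and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample zone after cutover (hostnames and records are illustrative).
ZONE = """
game.example.com.    300 IN A     2.2.2.2
lobby.example.com.   300 IN CNAME game.example.com.
old.example.com.     300 IN A     1.1.1.1
direct.example.com.  300 IN CNAME old.example.com.
example.com.         300 IN TXT   "v=spf1 ip4:1.1.1.1 -all"
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_zone(text):
    """Return {name: [(rtype, rdata), ...]} from 'name ttl IN type rdata' lines."""
    records = {}
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, _ttl, _cls, rtype, rdata = parts
        records.setdefault(name.lower(), []).append((rtype.upper(), rdata.strip()))
    return records

def resolve(records, name, depth=0):
    """Follow CNAMEs inside the zone and return the set of A-record addresses."""
    if depth > 8:  # guard against CNAME loops
        return set()
    addrs = set()
    for rtype, rdata in records.get(name.lower(), []):
        if rtype == "A":
            addrs.add(rdata)
        elif rtype == "CNAME":
            addrs |= resolve(records, rdata, depth + 1)
    return addrs

def find_origin_leaks(zone_text, origin_ip):
    """List (name, reason) pairs for records that still reveal the origin IP."""
    origin = str(ipaddress.ip_address(origin_ip))  # validates the input
    records = parse_zone(zone_text)
    leaks = []
    for name, rrs in sorted(records.items()):
        if origin in resolve(records, name):
            leaks.append((name, "resolves to origin"))
        for rtype, rdata in rrs:
            # Whole-address match, so 11.1.1.10 is not mistaken for 1.1.1.1.
            if rtype == "TXT" and origin in IPV4.findall(rdata):
                leaks.append((name, "origin in TXT"))
    return leaks
```

Calling `find_origin_leaks(ZONE, "1.1.1.1")` on the sample flags the forgotten A record, the CNAME that chains to it, and the SPF entry.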

4. Safeguarding our Own House

Proof in the Pudding

• All IP ranges need to be protected

• Non-HTTP entry points are usually the weak links (e.g. VPN tunnels with customers, client-server applications)

• We’re implementing on-demand Infrastructure Protection with IP Protection for all non-HTTP apps

• This approach provides full coverage for all assets


Imperva Architecture

[Architecture diagram labels: Cloud Based DDoS and WAF Protection (Incapsula); Redundant ISP Connections; Redundant Enterprise Edge Routers; Redundant Enterprise Firewalls, IPS, AV; Redundant Enterprise Web Application Firewalls; Redundant Enterprise Database Firewalls; Web Servers Network; Application Servers Network; Database Servers Network; Website Protection; Infrastructure Protection]


Questions?


Lessons Learned

• Organizations face growing risk of DDoS attacks for ransom

• Existing mitigation solutions may still have vulnerabilities that leave organizations exposed

• Always-on IP-level DDoS protection is the only way to completely secure your network infrastructure