Protect Your Assets with Single IP DDoS Protection


  • Date posted: 15-Jan-2017
  • Category: Technology


Presenters
  • Shahar Ben-Hador, CISO
  • Dvir Shapira, Director, Product Management

@imperva

@Incapsula_com

© 2015 Imperva, Inc. All rights reserved.

Agenda
  • DDoS threat trends
  • Current solutions
  • IP Protection overview
  • How Imperva is using IP Protection
  • Lessons learned

Speaker Bio for Dvir Shapira

Background
  • BSc in physics (no idea why I did it) and EE
  • Saw the bubble burst around me as a part-time startup employee back in 2001
  • Held various roles at Applied Materials, CheckPoint, Incapsula and a few startups

Director of product management
Email: dvir@incapsula.com

Speaker Bio for Shahar Ben-Hador

Background
  • BSc in Math and Computer Science
  • More than 7 years with Imperva
  • Held various roles at Imperva around Infrastructure and Security

CISO
Email: shaharb@imperva.com

1. DDoS Protection Today

Over the past few months, groups like DD4BC, Armada Collective, Vikingdom and others have targeted financial institutions, hosting companies, and many other organizations with increasing frequency and intensity.

Just this week, the Swiss government's cyberdefence agency released this note that Armada Collective sent to several financial institutions.

These criminals have one goal: to terrorize legitimate businesses that lack the means to defend themselves into paying a ransom.

DDoS Propelling the Rise of Cyber Extortion

"Any organization can be hit by a DDoS attack" (Swiss Governmental Computer Emergency Response Team)

  • Armada Collective, DD4BC, others continue threatening attacks for ransom
  • Even governments are alerting organizations of the growing threat
  • The need for comprehensive, upstream mitigation is urgent

What we're seeing is that DDoS continues to be the weapon of choice.

You may not be protected even if you have anti-DDoS
  • Non-HTTP assets are still vulnerable
  • An attack on an exposed server can bring down your entire infrastructure
  • Protected HTTP servers can still suffer direct-to-origin attacks
  • Public cloud servers can be vulnerable

What are the alternatives?
  • Use a different set of IPs
  • On demand BGP solution
  • TCP/UDP proxy
  • Single IP protection

[Diagram labels: DDoS, Legit Traffic]

IP Protection

[Diagram labels: DDoS, Legit Traffic, Incapsula Network, GRE Tunnel, Incapsula IP Address 1.2.3.4, Customer Infrastructure]

  • Provides complete Infrastructure DDoS protection for single IP addresses
  • Deploys as an always-on service for immediate detection and mitigation of DDoS attacks
  • Enables origin protection for DNS redirection based services (e.g. CDNs)

Incapsula's market-leading DDoS protection is now available for single IP addresses. Previously, the benefits of DDoS protection were only available to HTTP servers and entire BGP-enabled C-class ranges.

Now, Incapsula can immediately stop any size attack on any IP without the need to monitor or configure an entire network.

With Incapsula IP Protection, network operations managers who thought they couldn't afford the hassle or expense of strong DDoS protection now have a solution.

2. Common Use Cases

Customer Story (1/3)

We have constant DDoS attacks on three IPs in which we use proprietary protocols. Looked at four different vendors, none of them were able to provide a decent protection.

Diego T | CTO, Online Poker site

No C-Class ranges, using proprietary protocol

Gaming companies, Forex streaming

These are new customers who want infrastructure protection for their custom, non-HTTP protocols (e.g. gaming, betting). Until now, the only way to protect custom protocols was to put the entire IP range that contained the custom protocol behind a scrubbing solution. While this is inconvenient for many reasons, one big downside was that many customers simply don't have an entire C-class range of IP addresses.

Therefore these organizations had, really, no way to effectively protect their critical assets.

Customer Story (2/3)

BGP on-demand customer, requires always on

We use on-demand BGP, but for one specific server we want to deploy an always on solution.

John O | IT Director, video conferencing platform

Why always-on vs on-demand: mention pros and cons

Customer Story (3/3)

DDoS attacks on a few customers can affect the entire ISP operation. We need to identify the few targets and protect them, to keep our whole network from being burdened by attack.

Tim W | Ops Manager, ISP

ISPs need to protect specific IPs that are vulnerable

Protect all your customers

3. How it Works

How it works

[Diagram labels across five slides: Customer, Origin Server, 1.1.1.1, GRE Tunnel, 2.2.2.2]

  • Traffic is routed directly to the server (origin server at 1.1.1.1)
  • Incapsula establishes a GRE tunnel between its CDN and the origin server. Use a different IP address when setting up the GRE.
  • Incapsula assigns a unique IP to the customer (2.2.2.2)
  • Customer changes the DNS record to point to the Incapsula allocated IP
  • All traffic is routed through the Incapsula global network. Only clean traffic is passed to origin
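An added example, not part of the original presentation: after the DNS change, any record that still reveals the origin (1.1.1.1 on the slides) leaves the direct-to-origin path open, so the zone is worth auditing. The zone data below is constructed; the example.com names, the 192.0.2.10 tunnel address, the function names, and the choice to treat the GRE endpoint as an address to keep out of DNS are assumptions of this example.

```python
import ipaddress
import re

ORIGIN_IP = "1.1.1.1"        # origin address shown on the slides
PROTECTED_IP = "2.2.2.2"     # provider-assigned address shown on the slides
GRE_ENDPOINT = "192.0.2.10"  # constructed: separate address used only for the tunnel

# Constructed zone contents (name, type, value) after the DNS cutover.
ZONE = [
    ("game.example.com.", "A", PROTECTED_IP),
    ("old-game.example.com.", "A", "1.1.1.1"),
    ("example.com.", "MX", "10 mail.example.com."),
    ("mail.example.com.", "A", "1.1.1.1"),
    ("example.com.", "TXT", "v=spf1 ip4:1.1.1.0/30 ip4:198.51.100.7 -all"),
    ("login.example.com.", "CNAME", "game.example.com."),
    ("tunnel.example.com.", "A", "192.0.2.10"),
]

def addresses_in(rtype, value):
    """Return the IPv4 networks that a record value discloses."""
    if rtype == "A":
        return [ipaddress.ip_network(value)]
    if rtype == "TXT":  # SPF ip4: mechanisms publish sender addresses
        return [ipaddress.ip_network(m, strict=False)
                for m in re.findall(r"ip4:([0-9./]+)", value)]
    return []

def find_origin_leaks(zone, hidden):
    """List records that disclose, or point at a name resolving to, a hidden IP."""
    hidden_addrs = [ipaddress.ip_address(h) for h in hidden]
    a_by_name = {name: value for name, rtype, value in zone if rtype == "A"}
    leaks = []
    for name, rtype, value in zone:
        for net in addresses_in(rtype, value):
            if any(addr in net for addr in hidden_addrs):
                leaks.append((name, rtype, "reveals " + str(net)))
        if rtype in ("MX", "CNAME"):
            target = value.split()[-1]
            if a_by_name.get(target) in hidden:
                leaks.append((name, rtype, "points to " + target))
    return leaks

if __name__ == "__main__":
    for leak in find_origin_leaks(ZONE, {ORIGIN_IP, GRE_ENDPOINT}):
        print(*leak)
```

Records flagged here need to be moved behind the protected address, or served from a host that does not share the origin's address, before the origin can be considered hidden.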

4. Safeguarding our Own House

Proof in the Pudding
  • All IP ranges need to be protected
  • Non-HTTP entry points are usually weak links (e.g. VPN tunnels with customers, client server applications)
  • We're implementing on-demand Infrastructure Protection with IP Protection for all non-HTTP apps
  • This approach provides full coverage for all assets

Imperva Architecture

[Diagram labels: Cloud Based DDoS and WAF Protection (Incapsula); Redundant ISP Connections; Redundant Enterprise Edge Routers; Redundant Enterprise Firewalls, IPS, AV; Redundant Enterprise Web Application Firewalls; Redundant Enterprise Database Firewalls; Web Servers Network; Application Servers Network; Database Servers Network; Website Protection; Infrastructure Protection]

Questions?

Lessons Learned
  • Organizations face growing risk of DDoS attacks for ransom
  • Existing mitigation solutions may still have vulnerabilities that leave organizations exposed
  • Always-on IP-level DDoS protection is the only way to completely secure your network infrastructure