Embed Size (px)
Citation preview
Bullet-proofing your Internet applications against the evolving threatsChris Wang | Cloudflare @chriswang_tech
If you use the Internet, you already use Cloudflare
#cloudsec
Cloudflare's global anycast network
8.7MHTTP request s / second
on average
19M+Internet properties
30Tbps network capacity
180+cities
#cloudsec
In case you haven't heard about Cloudflare...
#cloudsec
Cloudflare solves today’s Internet challenges
DNS Anycast net work
Load balancing
Always online
CDN Web opt im izat ion
Mobile opt im izat ion
WAN opt im izat ion
Rat elim it ing
WAF
SSLDDoS Threatanalyt ics
Ent erpr iselogs
Appsplat form
Traf f icm onit or ing
PLATFORM
Workers Access St ream Mobile SDK
#cloudsec
Defining security threats
1 - DDoS attacks2 - Web application attacks
Defense against DDoS requires scalable solutions
#cloudsec
DDoS aims to make your internet service unavailable
Up to 600,000 devices (Mirai 2016)
#cloudsec
DDoS attacks are getting more "affordable"
#cloudsec
300Gbps // Volumetric Layer 3/4
400Gbps // NTP Reflection
1Tbps // IoT Botnet Layer 7 Attack
1.7 Tbps // Memcached reflection/amplification Attack
DDoS attacks are getting larger
#cloudsec
Telegram
Source: https://twitter.com/durov/status/1138942773430804480
#cloudsec
Put numbers in scale 25Tb
20Tb
15Tb
10Tb
5Tb
30 TbpsCloudflare
Network Capacity
942 Gbps Largest DDoS attack
mitigated by Cloudflare
#cloudsec
"Always-On" = No slow ing down
Industry Legacy Scrubbing- Long propagation times (up to 300 sec)- Adds significant latency- Typically requires manual intervention
Always-On- Zero propagation time- No added latency- Immediate, automated mitigation,
with no “cut over” required
Defense against web application attacks require fast
actions on large dataset
#cloudsec
Web app attacks aim to gain unauthorized access by exploiting vulnerabilities in web apps
Source: OWASP Top 10 - 2017 The Ten Most Critical Web Application Security Risks
#cloudsec
Web app attacks still follow the old cycles
#4 Fixes / patches deployed by the user
#3 Fixes / patches issued by vendor #2 Exploit attempts by attackers
#1 Discovery of a new vulnerability (0-day)
#cloudsec
WAF "as a service" means faster response to new vulnerabilities
#4 Fixes / patches deployed by the user
#3 Fixes / patches issued by vendor #2 Exploit attempts by attackers
#1 Discovery of a new vulnerability (0-day)
#cloudsec
Stopping CVE-2019-0604 (1/2)2019-05-11 9:33AM: CVE-2019-0604, a Remote Code Execution vulnerability in Microsoft SharePoint Servers which was not previously known to be exploitable via the web. CVSS v3 rating = 8.8
2019-05-11 2:45PM: Cloudflare internal vulnerability score = 9.8Cloudflare WAF Rule 100157 deployed in Log mode
2019-05-11 4:47PM: First probes observed by Cloudflare. Believed to be reconnaissance probes.
Timestamps in UTC; Source: https://blog.cloudflare.com/stopping-cve-2019-0604/
#cloudsec
Stopping CVE-2019-0604 (2/2)
2019-05-13 2:13PM: Cloudflare WAF Rule 100157 deployed in Block mode
2019-05-16: UK’s NCSC's alert of highly successful exploitation attempts against UK organisations. On the same day, ~7000 malicious requests blocked by Cloudflare WAF Rule 100157
Responding to the ever-evolving threat landscape
Some best practices we find useful ....
#cloudsec
Choose a DDoS solution that's scalable, always-on & cost-effective
Ensure it doesn't slow down your visitors (or make it even faster)
How to prepare against DDoS attacks
#cloudsec
Choose a cloud managed WAF with a large user base
Patch the applications (eventually)
How to prepare against web app attacks
#cloudsec
Lucky Draw Main stage 4:50-5:00pm
Remember visit usat booth 黄2!
THANK YOU
