From cloud to embedded

Ammune™ is made for multiple defense scenarios

Ammune™ Defense Shield Server

Ammune™ Defense Shield (ADS) server protects web systems from most types of attacks, and is known to protect against at least those listed here.

Hostile Bot Attacks

Ammune™ Defense Shield (ADS) server battles bots in a generic way, regardless of their source, activity type (scrapers, brute-force login crackers, credential stuffing bots, etc.), activity volume (from high to very low traffic rates) or their ability to process cookies, redirects and JavaScript.

Alerts generated by this module can be used to mitigate bot activity automatically or through a controlled operation, as the bot-related data is available for immediate forensic analysis.

Application DDoS Attacks

1. HTTP/S

| Attack Type | Ammune™ Defense | Comments |
| --- | --- | --- |
| HTTP/HTTPS flood – Classical botnets | ✓ | 1 to 10 Gbps, 1-2 attack vectors, minimal/no request randomization |
| HTTP/HTTPS flood – Human mimicking | ✓ | Advanced simulators with synthetic traffic or pre-recorded human-based traffic |
| HTTP/HTTPS flood – Heavy file downloads | ✓ | Attackers launch a small number of file download requests that fill the pipe with outgoing traffic |
| HTTP/HTTPS flood – Dynamically changing IPs | ✓ | IP rotating frame, ad hoc JS-based attacks, etc. |
| HTTP/HTTPS flood – IoT source IPs / anonymous proxies | ✓ | Camouflage methods, for instance "fresh" IPs from different available sources |
| HTTP/HTTPS flood – Multiple attack vectors at once | ✓ | 2-10 vectors at once, advanced request randomization |
| HTTP/HTTPS flood – Parameter randomization | ✓ | Randomization of source (IP), header and/or body parameters (GET or POST requests) |
| HTTP/HTTPS flood – Out-of-scheme parameters and contents | ✓ | Adding non-existent parameters and/or field contents, occurring in random order in the request structure |
| HTTP/HTTPS flood – Cache evading | ✓ | Randomization used to escape caching and go straight to the application servers |
| HTTP/HTTPS flood – Hit & run / randomly changing traffic volumes | ✓ | Fast, wave-like attack scenarios, from a few seconds up to several minutes per attack round |
| HTTP/HTTPS flood – Baseline poisoning | ✓ | Misleading the defense system's customer-related behavior baselines toward higher values, usually at attack initiation |
| HTTP/HTTPS flood – Mimicking a flash crowd event | ✓ | Flood attack that mimics a burst of normal high traffic, such as the response to a marketing campaign |
| HTTP/HTTPS flood – At a flash crowd event | ✓ | Flood attack that blends into a given flash crowd event |
| HTTP/HTTPS "normal traffic" attack – Asymmetric requests | ✓ | Targeting heavy-load application mechanisms (search engine, heavy POST requests, JPEG files to download…) |

2. DNS

| Attack Type | Ammune™ Defense | Comments |
| --- | --- | --- |
| HTTP/HTTPS flood – Classical botnets | ✓ | 1 to 10 Gbps, 1-2 attack vectors, minimal/no request randomization |
| HTTP/HTTPS flood – Human mimicking | ✓ | Advanced simulators with synthetic traffic or pre-recorded human-based traffic |
| HTTP/HTTPS flood – Heavy file downloads | ✓ | Attackers launch a small number of file download requests that fill the pipe with outgoing traffic |
| HTTP/HTTPS flood – Dynamically changing IPs | ✓ | IP rotating frame, ad hoc JS-based attacks, etc. |
| HTTP/HTTPS flood – IoT source IPs / anonymous proxies | ✓ | Camouflage methods, for instance "fresh" IPs from different available sources |
| HTTP/HTTPS flood – Multiple attack vectors at once | ✓ | 2-10 vectors at once, advanced request randomization |
| HTTP/HTTPS flood – Parameter randomization | ✓ | Randomization of source (IP), header and/or body parameters (GET or POST requests) |
| HTTP/HTTPS flood – Out-of-scheme parameters and contents | ✓ | Adding non-existent parameters and/or field contents, occurring in random order in the request structure |
| HTTP/HTTPS flood – Cache evading | ✓ | Randomization used to escape caching and go straight to the application servers |
| HTTP/HTTPS flood – Hit & run / randomly changing traffic volumes | ✓ | Fast, wave-like attack scenarios, from a few seconds up to several minutes per attack round |
| HTTP/HTTPS flood – Baseline poisoning | ✓ | Misleading the defense system's customer-related behavior baselines toward higher values, usually at attack initiation |
| HTTP/HTTPS flood – Mimicking a flash crowd event | ✓ | Flood attack that mimics a burst of normal high traffic, such as the response to a marketing campaign |
| HTTP/HTTPS flood – At a flash crowd event | ✓ | Flood attack that blends into a given flash crowd event |
| HTTP/HTTPS "normal traffic" attack – Asymmetric requests | ✓ | Targeting heavy-load application mechanisms (search engine, heavy POST requests, JPEG files to download…) |

Network DDoS Attacks

| Attack Type | Ammune™ Defense | Comments |
| --- | --- | --- |
| TCP – SYN flood | ✓ | Flood of incomplete incoming TCP connections that remain open |
| TCP – FIN flood | ✓ | The attacker floods out packets with spoofed source addresses and spoofed ports, with the FIN flag set |
| TCP – Flood | ✓ | Flood of incoming TCP traffic |
| UDP – Reflected flood (NTP, SNMP, SSDP and DNS) | ✓ | Reflection-based flood that uses UDP-based application protocols (NTP, SNMP, SSDP and DNS) |
| ICMP – Reflected flood | ✓ | Very similar to UDP attacks, but leverages ICMP instead of UDP. The most common example is the Smurf attack |
| ICMP – protocol vulnerability | ✓ | Using specifically crafted packets to trigger unexpected behavior on the server. The most common example is the Ping of Death attack |
| Fragmented packets floods (including ping of death) | ✓ | Flood of fragmented packets. Frequently appears as part of reflected UDP floods, where large packets are fragmented by intermediate routers. The Ping of Death attack uses a buffer overflow vulnerability in the ICMP stack; it can be triggered by sending large fragmented ICMP packets |
| Session exhaustion attack | ✓ | Firewalls and other security devices, as well as web servers, have limited capacity for tracking sessions. Once too many sessions are open, there is no room in the tables for new sessions, and new sessions are dropped. Denial of service may thus be achieved with a relatively low-bandwidth attack |

Embedded Ammune™

Embedded Ammune™ is made to be an integral part of a “system on a chip”, running as software on embedded Intel x86 or ARM CPUs. It preserves the full functionality of the Ammune™ Defense Shield (ADS), while its configuration settings allow it to be adapted to the resource restrictions of the specific hosting system. One possible use is embedding it in a modern communication card, which can save power on the central CPU by eliminating malicious traffic at the communication card.

Embedded Ammune™ is able to integrate seamlessly with hardware-offloaded capabilities, such as TLS acceleration, traffic steering, stateless firewall, SYN proxy, connection tracking and programmable switch, thus achieving very high throughput while using only limited computational power.


Integrated Ammune™

Integrated Ammune™ can become a part of common Linux-based security or network products such as Firewalls, Web Application Firewalls (WAFs), Reverse Proxies, Load Balancers, etc. It is a full version of the Ammune™ Defense Shield Server that can be adapted to the performance limitations of a specific hosting system.

Integrated Ammune™ inspects traffic through tcpdump (native Linux). Mitigation rules are exported through the Integrated Ammune™ API directly to the Linux machine's iptables or to other security solutions.

Ammune™ Global Defense Shield (AGDS) Solution

Ammune™ Global Defense Shield (AGDS) protects from large-scale DDoS attacks. It operates as an external “scrubbing center”, using and optimizing public cloud resources to protect customers' services and web systems without the need to open the encrypted traffic. AGDS thereby keeps customers’ privacy to the maximum, and enables a major economic optimization as well, with no need to preserve internal IT resources.

Ammune™ Local Defense Shield (ALDS) Solution

Ammune™ Local Defense Shield (ALDS) protects service provider (SP) infrastructure from large-scale DDoS attacks, and can also serve as an added-value service to the SP's end customers. Operating as an internal “scrubbing center” at the SP data centers (DCs), ALDS keeps SP customers’ privacy to the maximum, enabling a major economic optimization as well.

The ALDS deployment architecture is made of Ammune™ Point of Presence (A-PoP) units. Each A-PoP is connected to a DC backbone via its edge routers. Each A-PoP operates as a standalone system which can absorb a pre-defined maximum amount of traffic.


Ammune™ Next-Generation Web Application Firewall (WAF) Product

Ammune™ Web Application Firewall (WAF) protects HTTP/HTTPS servers from classical threats on web systems (OWASP 10), from more sophisticated automated threats (OWASP 20), and from attacks on APIs.

Ammune™ unsupervised learning technology ensures continuous and real-time protection from such attacks with an excellent precision rate, during normal and attack times.

OWASP Top 10 threats

| Attack Type | Ammune™ Defense | Comments |
| --- | --- | --- |
| Injection | ✓ | 1 to 10 Gbps, 1-2 attack vectors, minimal/no request randomization |
| Broken authentication | ✓ | Advanced simulators with synthetic traffic or pre-recorded human-based traffic |
| Sensitive data exposure | ✓ | Attackers launch a small number of file download requests that fill the pipe with outgoing traffic |
| XML external entities | ✓ | IP rotating frame, ad hoc JS-based attacks, etc. |
| Security misconfiguration | ✓ | Camouflage methods, for instance "fresh" IPs from different available sources |
| Cross-site scripting (XSS) | ✓ | 2-10 vectors at once, advanced request randomization |
| HTTP/HTTPS flood – Parameter randomization | ✓ | Randomization of source (IP), header and/or body parameters (GET or POST requests) |
| HTTP/HTTPS flood – Out-of-scheme parameters and contents | ✓ | Adding non-existent parameters and/or field contents, occurring in random order in the request structure |
| HTTP/HTTPS flood – Cache evading | ✓ | Randomization used to escape caching and go straight to the application servers |
| HTTP/HTTPS flood – Hit & run / randomly changing traffic volumes | ✓ | Fast, wave-like attack scenarios, from a few seconds up to several minutes per attack round |
| HTTP/HTTPS flood – Baseline poisoning | ✓ | Misleading the defense system's customer-related behavior baselines toward higher values, usually at attack initiation |
| HTTP/HTTPS flood – Mimicking a flash crowd event | ✓ | Flood attack that mimics a burst of normal high traffic, such as the response to a marketing campaign |
| HTTP/HTTPS flood – At a flash crowd event | ✓ | Flood attack that blends into a given flash crowd event |
| HTTP/HTTPS "normal traffic" attack – Asymmetric requests | ✓ | Targeting heavy-load application mechanisms (search engine, heavy POST requests, JPEG files to download…) |



API security protection

| Attack Type | Ammune™ Defense | Comments |
| --- | --- | --- |
| HTTP/HTTPS flood – Classical botnets | ✓ | 1 to 10 Gbps, 1-2 attack vectors, minimal/no request randomization |
| HTTP/HTTPS flood – Human mimicking | ✓ | Advanced simulators with synthetic traffic or pre-recorded human-based traffic |

OWASP Top 20 - Automated Threats

| Attack Type | Ammune™ Defense | Comments |
| --- | --- | --- |
| Injection | ✓ | 1 to 10 Gbps, 1-2 attack vectors, minimal/no request randomization |
| Broken authentication | ✓ | Advanced simulators with synthetic traffic or pre-recorded human-based traffic |
| Sensitive data exposure | ✓ | Attackers launch a small number of file download requests that fill the pipe with outgoing traffic |
| XML external entities | ✓ | IP rotating frame, ad hoc JS-based attacks, etc. |
| Security misconfiguration | ✓ | Camouflage methods, for instance "fresh" IPs from different available sources |
| Cross-site scripting (XSS) | ✓ | 2-10 vectors at once, advanced request randomization |
| HTTP/HTTPS flood – Parameter randomization | ✓ | Randomization of source (IP), header and/or body parameters (GET or POST requests) |
| HTTP/HTTPS flood – Out-of-scheme parameters and contents | ✓ | Adding non-existent parameters and/or field contents, occurring in random order in the request structure |
| HTTP/HTTPS flood – Cache evading | ✓ | Randomization used to escape caching and go straight to the application servers |
| HTTP/HTTPS flood – Hit & run / randomly changing traffic volumes | ✓ | Fast, wave-like attack scenarios, from a few seconds up to several minutes per attack round |
| HTTP/HTTPS flood – Baseline poisoning | ✓ | Misleading the defense system's customer-related behavior baselines toward higher values, usually at attack initiation |
| HTTP/HTTPS flood – Mimicking a flash crowd event | ✓ | Flood attack that mimics a burst of normal high traffic, such as the response to a marketing campaign |
| HTTP/HTTPS flood – At a flash crowd event | ✓ | Flood attack that blends into a given flash crowd event |
| HTTP/HTTPS "normal traffic" attack – Asymmetric requests | ✓ | Targeting heavy-load application mechanisms (search engine, heavy POST requests, JPEG files to download…) |