
From cloud to embedded

Ammune™ is made for multiple defense scenarios

Ammune™ Defense Shield Server

The Ammune™ Defense Shield (ADS) server protects web systems from a broad range of attacks; the attack types it is stated to cover are listed below.

Hostile Bot Attacks

The Ammune™ Defense Shield (ADS) server counters bots generically, regardless of their source, activity type (scrapers, brute-force login crackers, credential-stuffing bots, etc.), activity volume (from high to very low request rates) or their ability to process cookies, redirects and JavaScript.

Alerts generated by this module can trigger automatic mitigation of bot activity or be handled through a controlled, operator-driven workflow; the bot-related data is available for immediate forensic analysis either way.

Application DDoS Attacks
1. HTTP/HTTPS

| Attack type | Ammune™ defense | Comments |
| --- | --- | --- |
| HTTP/HTTPS flood – classical botnets | Yes | 1 to 10 Gbps, 1-2 attack vectors, minimal or no request randomization |
| HTTP/HTTPS flood – human mimicking | Yes | Advanced simulators replaying synthetic or pre-recorded human traffic |
| HTTP/HTTPS flood – heavy file downloads | Yes | A small number of file-download requests that saturate the outbound pipe |
| HTTP/HTTPS flood – dynamically changing IPs | Yes | IP rotation frameworks, ad-hoc JavaScript-based attacks, etc. |
| HTTP/HTTPS flood – IoT source IPs / anonymous proxies | Yes | Camouflage methods, e.g. "fresh" IPs drawn from various available sources |
| HTTP/HTTPS flood – multiple attack vectors at once | Yes | 2-10 vectors at once, advanced request randomization |
| HTTP/HTTPS flood – parameter randomization | Yes | Randomization of the source IP, header and/or body parameters (GET or POST requests) |
| HTTP/HTTPS flood – out-of-schema parameters and content | Yes | Adding non-existent parameters and/or field contents, appearing in random order within the request structure |
| HTTP/HTTPS flood – cache evasion | Yes | Randomization used to bypass caches so that every request reaches the application servers |
| HTTP/HTTPS flood – hit & run / randomly changing traffic volumes | Yes | Fast, wave-like attacks; each round lasts from a few seconds up to several minutes |
| HTTP/HTTPS flood – baseline poisoning | Yes | Skewing the defense system's per-customer behaviour baselines upwards, usually at attack initiation |
| HTTP/HTTPS flood – mimicking a flash-crowd event | Yes | Flood that mimics a burst of legitimate high traffic, such as the response to a marketing campaign |
| HTTP/HTTPS flood – during a flash-crowd event | Yes | Flood that blends into a genuine flash-crowd event |
| HTTP/HTTPS "normal traffic" attack – asymmetric requests | Yes | Targeting resource-heavy application functions (search engine, heavy POST requests, large image downloads, ...) |
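Added example (not Ammune's code) that scores a constructed, simplified access log for three of the traits in the table above: per-source request rate, cache-evading parameter randomization measured against a known parameter schema, and hit-and-run rounds. The log layout, the KNOWN_PARAMS schema, the sample traffic and the thresholds are all assumptions made for the illustration.

```python
"""Added example: scoring access-log traffic for HTTP-flood traits.
Not Ammune's code; log format, schema, traffic and thresholds are constructed."""
import random
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Assumption: the application's legitimate query parameters per path.
KNOWN_PARAMS = {"/products": {"id", "page"}, "/search": {"q"}}


def build_sample_log(seed=1):
    """Constructed log lines '<src_ip> <unix_ts> <method> <target>':
    one legitimate client plus one bot attacking in three short rounds."""
    rng = random.Random(seed)
    lines = []
    # Legitimate client: one request every 2 s for 120 s, schema-conformant queries.
    for t in range(0, 120, 2):
        lines.append(f"198.51.100.7 {t} GET /products?id={rng.randint(1, 20)}&page=1")
    # Bot: 40 req/s in three 10-second rounds, each request carrying a random
    # cache-busting parameter ('_') so that it bypasses caches.
    for start in (10, 50, 90):
        for t in range(start, start + 10):
            for _ in range(40):
                lines.append(f"203.0.113.10 {t} GET /products?id={rng.randint(1, 20)}"
                             f"&_={rng.randint(0, 10**9)}")
    return "\n".join(lines)


def parse_log(text):
    """Return (src_ip, ts, method, path, query_dict) tuples."""
    records = []
    for line in text.splitlines():
        src, ts, method, target = line.split(" ", 3)
        parts = urlsplit(target)
        records.append((src, int(ts), method, parts.path, dict(parse_qsl(parts.query))))
    return records


def analyse(records, known_params, window=5, flood_rate=20.0, burst_rate=20):
    """Per-source findings: peak windowed rate, number of burst rounds,
    ratio of distinct query strings and ratio of out-of-schema requests."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec[0]].append(rec)
    findings = {}
    for src, recs in by_src.items():
        per_sec = Counter(rec[1] for rec in recs)
        # Peak rate averaged over a sliding window of `window` seconds.
        peak = max(sum(per_sec[s] for s in range(t0, t0 + window)) / window for t0 in per_sec)
        # Hit-and-run rounds: maximal runs of consecutive seconds at or above burst_rate.
        rounds, prev = 0, None
        for t in sorted(t for t in per_sec if per_sec[t] >= burst_rate):
            if prev is None or t != prev + 1:
                rounds += 1
            prev = t
        distinct_queries = len({tuple(sorted(rec[4].items())) for rec in recs})
        out_of_schema = sum(1 for rec in recs if set(rec[4]) - known_params.get(rec[3], set()))
        f = {
            "peak_rate": peak,
            "rounds": rounds,
            "unique_query_ratio": distinct_queries / len(recs),
            "out_of_schema_ratio": out_of_schema / len(recs),
        }
        f["flood"] = f["peak_rate"] >= flood_rate
        f["cache_evading"] = f["out_of_schema_ratio"] > 0.5 and f["unique_query_ratio"] > 0.9
        f["hit_and_run"] = f["rounds"] >= 2
        findings[src] = f
    return findings


if __name__ == "__main__":
    for src, f in analyse(parse_log(build_sample_log()), KNOWN_PARAMS).items():
        print(src, {k: (round(v, 2) if isinstance(v, float) else v) for k, v in f.items()})
```

The out-of-schema ratio is what separates cache-busting randomization from a legitimate client whose query strings vary within the known parameter set; a real deployment would learn the schema from baseline traffic instead of hard-coding it.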
2. DNS
Network DDoS Attacks
| Attack type | Ammune™ defense | Comments |
| --- | --- | --- |
| TCP – SYN flood | Yes | Flood of incomplete incoming TCP connections that remain half-open |
| TCP – FIN flood | Yes | Flood of packets with spoofed source addresses and ports and the FIN flag set |
| TCP – flood | Yes | Flood of incoming TCP traffic |
| UDP – reflected flood (NTP, SNMP, SSDP and DNS) | Yes | Reflection-based flood abusing UDP application protocols (NTP, SNMP, SSDP and DNS) |
| ICMP – reflected flood | Yes | Very similar to UDP reflection, but uses ICMP instead of UDP; the most common example is the Smurf attack |
| ICMP – protocol vulnerability | Yes | Specially crafted packets that trigger unexpected behaviour on the server; the most common example is the Ping of Death |
| Fragmented packet floods (including Ping of Death) | Yes | Flood of fragmented packets. Frequently appears as part of reflected UDP floods, where large packets are fragmented by intermediate routers. The Ping of Death abuses a reassembly bug: fragmented ICMP packets that exceed the maximum IP packet size (65,535 bytes) once reassembled overflow the receiving stack's buffer. |
| Session exhaustion attack | Yes | Firewalls, other security devices and web servers can track only a limited number of sessions. Once the session table is full there is no room for new sessions and they are dropped, so denial of service can be achieved with a relatively low-bandwidth attack. |
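Added example (not Ammune's code) of why the SYN-flood and session-exhaustion rows succeed with little bandwidth: a toy fixed-capacity session table replays constructed traffic in which 400 spoofed, never-completed SYNs (roughly 24 KB on the wire) fill a 300-entry table, so a legitimate SYN arriving afterwards is refused. The assess() heuristics then tell a spoofed many-source flood apart from a single-source one. Table capacity, idle timeout, the sample traffic and the thresholds are assumptions.

```python
"""Added example: a toy stateful session table showing why SYN floods and
session-exhaustion attacks succeed at low bandwidth. Not Ammune's code."""
from collections import Counter

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04   # TCP flag bits


class SessionTable:
    """Fixed-capacity session table with an idle timeout, as found in
    firewalls, load balancers and server SYN backlogs."""

    def __init__(self, capacity, timeout):
        self.capacity, self.timeout = capacity, timeout
        self.sessions = {}        # (src_ip, src_port) -> [state, last_seen]
        self.dropped = 0          # new sessions refused because the table was full

    def _expire(self, now):
        stale = [k for k, (_, last) in self.sessions.items() if now - last > self.timeout]
        for k in stale:
            del self.sessions[k]

    def observe(self, ts, src, sport, flags):
        """Feed one inbound packet; return True if it was accepted."""
        self._expire(ts)
        key = (src, sport)
        if flags & (FIN | RST):
            self.sessions.pop(key, None)
            return True
        if key in self.sessions:
            state = "established" if flags & ACK else self.sessions[key][0]
            self.sessions[key] = [state, ts]
            return True
        if flags & SYN:
            if len(self.sessions) >= self.capacity:
                self.dropped += 1           # table full: legitimate SYNs are refused too
                return False
            self.sessions[key] = ["half_open", ts]
            return True
        return False                        # stray packet with no session

    def half_open_by_source(self):
        return Counter(src for (src, _), (state, _) in self.sessions.items() if state == "half_open")


def assess(table):
    """Detection heuristics over the current table state."""
    half = table.half_open_by_source()
    n_half = sum(half.values())
    return {
        "occupancy": len(table.sessions) / table.capacity,
        "half_open": n_half,
        # Many distinct sources each holding about one half-open entry: spoofed SYN flood.
        "spoofed_syn_flood": n_half >= 0.8 * table.capacity and len(half) > 0.5 * n_half,
        # One source holding a large share of the table: single-source exhaustion.
        "single_source_flood": any(c >= 0.2 * table.capacity for c in half.values()),
    }


def build_sample_packets():
    """Constructed traffic as (ts, src_ip, src_port, flags) tuples."""
    pkts = []
    # 20 legitimate clients: full handshake then FIN, between t=0 and t=10.
    for i in range(20):
        src, t = f"198.51.100.{i + 1}", i * 0.5
        pkts += [(t, src, 40000, SYN), (t + 0.1, src, 40000, ACK), (t + 0.5, src, 40000, FIN | ACK)]
    # Attacker: 400 spoofed SYNs over two seconds, never completed.
    for k in range(400):
        pkts.append((10.0 + k * 0.005, f"203.0.113.{k % 254 + 1}", 1024 + k, SYN))
    # A new legitimate client arrives after the burst.
    pkts.append((13.0, "198.51.100.200", 40000, SYN))
    return sorted(pkts)


def simulate(capacity=300, timeout=30.0):
    """Replay the constructed traffic; return the table and whether the
    late legitimate client's SYN was accepted."""
    table = SessionTable(capacity, timeout)
    accepted = [table.observe(*p) for p in build_sample_packets()]
    return table, accepted[-1]


if __name__ == "__main__":
    table, late_ok = simulate()
    print("late legitimate SYN accepted:", late_ok, "dropped:", table.dropped, assess(table))
```

With the 30-second idle timeout the attacker only has to refill the table every few seconds to keep it full, which is the low-bandwidth property the table row describes; a SYN proxy or SYN cookies remove the half-open entries from the table entirely, which is why the embedded variant below lists SYN proxy offload.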
Embedded Ammune™

Embedded Ammune™ is made to be an integral part of a system on a chip, running as software on embedded Intel x86 or Arm CPUs. It preserves the full functionality of the Ammune™ Defense Shield (ADS) while its configuration can be adapted to the resource constraints of the hosting system. One possible use is embedding it in a modern network interface card, which saves power on the host CPU by discarding malicious traffic at the card itself.

Embedded Ammune™ integrates with hardware offload capabilities such as TLS acceleration, traffic steering, stateless firewalling, SYN proxy, connection tracking and a programmable switch, achieving very high throughput with limited computational power.


Integrated Ammune™

Integrated Ammune™ can become a part of common Linux-based security or network products such as Firewalls, Web Application Firewalls (WAFs), Reverse Proxies, Load Balancers, etc. It is a full version of the Ammune™ Defense Shield Server that can be adapted to the performance limitations of a specific hosting system.

Integrated Ammune™ inspects traffic through tcpdump (native to Linux). Mitigation rules are exported through the Integrated Ammune™ API directly to the Linux host's iptables or to other security solutions.

Ammune™ Global Defense Shield (AGDS) Solution

Ammune™ Global Defense Shield (AGDS) protects against large-scale DDoS attacks. It operates as an external "scrubbing center" that uses and optimizes public cloud resources to protect customers' services and web systems without decrypting their traffic, so customer privacy is preserved to the maximum, and it delivers a major economic optimization as well, since no internal IT resources need to be reserved for DDoS absorption.

Ammune™ Local Defense Shield (ALDS) Solution

Ammune™ Local Defense Shield (ALDS) protects service provider (SP) infrastructure from large-scale DDoS attacks and can also be offered as a value-added service to the SP's end customers. Operating as an internal "scrubbing center" in the SP's data centers (DCs), ALDS preserves SP customers' privacy to the maximum and delivers a major economic optimization as well.

An ALDS deployment is made up of Ammune™ Point of Presence (A-PoP) units. Each A-PoP is connected to the DC backbone via its edge routers and operates as a standalone system that can absorb a pre-defined maximum amount of traffic.


Ammune™ Next-Generation Web Application Firewall (WAF) Product

The Ammune™ Web Application Firewall (WAF) protects HTTP/HTTPS servers from the classical web threats (OWASP Top 10), from the more sophisticated automated threats catalogued in the OWASP Automated Threats (OAT) list, and from attacks on APIs.

Ammune™'s unsupervised-learning technology provides continuous, real-time protection from these attacks with high precision, both under normal traffic and during attacks.

OWASP Top 10 threats

| Attack type | Ammune™ defense | Comments |
| --- | --- | --- |
| Injection | Yes | Injecting malicious commands that the web application executes, via unsanitized input; injection types include SQL, LDAP and directory traversal |
| Broken authentication | Yes | Weak user identification and session management can lead to account takeover through replayed old cookies or credential stuffing (OAT-008) |
| Sensitive data exposure | Yes | Broad range of threats, including sensitive information returned in a response by mistake, weak encryption, etc. |
| XML External Entities (XXE) | Yes | Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document, abusing vulnerable code, dependencies or integrations |
| Security misconfiguration | Yes | Can occur at any level of the application stack, including network services, platform, web server, application server, database, frameworks, custom code and pre-installed virtual machines, containers or storage |
| Cross-site scripting (XSS) | Yes | Embedding attacker-controlled input in HTML returned to other clients can lead to malicious script execution in the client browser |
| Broken access control | Yes | Restrictions on what authenticated users are allowed to do are not properly enforced, letting attackers reach other users' data or privileged functions |
| Insecure deserialization | Yes | Deserializing attacker-controlled data can lead to remote code execution, replay, injection or privilege-escalation attacks |
| Using components with known vulnerabilities | Yes | Components typically run with the same privileges as the application itself, so a flaw in any component can have serious impact. Such flaws can be accidental (e.g. a coding error) or intentional (e.g. a backdoor in the component). The database of vulnerabilities in common web infrastructure components keeps growing. |
| Insufficient logging and monitoring | Yes | Insufficient logging and monitoring underlies nearly every major incident: attackers rely on the lack of monitoring and timely response to reach their goals without being detected |
| Cross-site request forgery (CSRF) | Yes | Forces an end user to execute unwanted actions on a web application in which they are currently authenticated |
| Remote file inclusion (RFI) | Yes | The application loads data from an attacker-controlled resource at runtime, enabling a variety of malicious activities |
API security protection
| Attack type | Ammune™ defense | Comments |
| --- | --- | --- |
| Insufficient API access control | Yes | Because API clients have no persistent browser session, client authorization needs extra care: where possible, restrict access to authorized sources or client-side applications only |
| Insecure authorization and permission tokens | Yes | OAuth 2.0 separates the authorization and permission (consent) steps from actual request handling. Most implementations pass the resulting bearer token from the authorization service to the other services via the client (in a header or a cookie), which lets an API user escalate privileges if token validation is not strict enough |
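Added example (not Ammune's code) of the token-validation weakness described in the last row. A weak check that trusts the token's scope claim without verifying the signature lets a client rewrite the payload to add a privileged scope, or present an unsigned alg=none token; a strict validator checks the algorithm, signature, audience and expiry before consulting the scope. An HMAC-SHA256 JWT is used as the concrete token format, and the key, audience and scope names are assumptions.

```python
"""Added example: a permission token checked the weak way (claims trusted
without signature verification) beside a strict validator. Not Ammune's
code; the HMAC key, audience and scope names are assumptions."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"   # assumption: key shared by the authorization server and the API
AUDIENCE = "orders-api"            # assumption: the API the token is minted for


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, key=SECRET):
    """Mint a compact JWT signed with HMAC-SHA256 (HS256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def weak_authorize(token, required_scope):
    """Insecure: decodes the payload and trusts its scope without checking the signature."""
    _, body, _ = token.split(".")
    claims = json.loads(b64url_decode(body))
    return required_scope in claims.get("scope", "").split()


def strict_authorize(token, required_scope, key=SECRET, now=None):
    """Verify algorithm, signature, audience and expiry before consulting the scope."""
    try:
        header_b, body_b, sig_b = token.split(".")
        header = json.loads(b64url_decode(header_b))
        if header.get("alg") != "HS256":            # refuse alg=none and algorithm confusion
            return False
        expected = hmac.new(key, f"{header_b}.{body_b}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b)):
            return False
        claims = json.loads(b64url_decode(body_b))
        now = time.time() if now is None else now
        if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
            return False
        return required_scope in claims.get("scope", "").split()
    except (ValueError, TypeError, UnicodeDecodeError):
        return False


def escalate_scope(token, extra_scope):
    """Attacker move: keep header and signature, rewrite the payload to add a scope."""
    header_b, body_b, sig_b = token.split(".")
    claims = json.loads(b64url_decode(body_b))
    claims["scope"] = (claims.get("scope", "") + " " + extra_scope).strip()
    return f"{header_b}.{b64url(json.dumps(claims).encode())}.{sig_b}"


def alg_none_token(claims):
    """Attacker move: unsigned token with alg=none and an empty signature part."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


if __name__ == "__main__":
    now = time.time()
    token = issue_token({"sub": "alice", "aud": AUDIENCE, "scope": "orders:read", "exp": now + 600})
    forged = escalate_scope(token, "orders:admin")
    print("weak accepts forged admin scope:", weak_authorize(forged, "orders:admin"))
    print("strict accepts forged admin scope:", strict_authorize(forged, "orders:admin", now=now))
```

The strict validator pins the algorithm before looking at the signature, because letting the token's own header choose the algorithm is what makes alg=none and key-confusion attacks possible; audience checking stops a token minted for one service from being replayed against another.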
OWASP Automated Threats (OAT-001 to OAT-021)

| Threat | Group | Ammune™ WAF | Comments |
| --- | --- | --- | --- |
| OAT-007 Credential Cracking | Credential brute-force threats | Yes | Identify valid login credentials by trying different usernames and/or passwords |
| OAT-008 Credential Stuffing | Credential brute-force threats | Yes | Mass login attempts used to verify the validity of stolen username/password pairs |
| OAT-001 Carding | Payment brute-force threats | Yes | Multiple payment authorization attempts used to verify the validity of bulk stolen payment card data |
| OAT-002 Token Cracking | Payment brute-force threats | Yes | Mass enumeration of coupon numbers, voucher codes, discount tokens, etc. |
| OAT-010 Card Cracking | Payment brute-force threats | Yes | Identify missing start/expiry dates and security codes for stolen payment card data by trying different values |
| OAT-011 Scraping | Content-related campaigns | Yes | Automatically collecting large amounts of meaningful data, such as price lists and discounts, which attackers can use for unfair competition |
| OAT-017 Spamming | Content-related campaigns | Yes | Adding malicious or questionable information to public or private content, databases or user messages |
| OAT-012 Cashing Out | Payment-related threats | Yes | Using previously verified or cracked cards or tokens to buy goods |
| OAT-020 Account Aggregation | Malicious account management | Yes | Use of an intermediary application that collects multiple accounts and interacts on their behalf |
| OAT-019 Account Creation | Malicious account management | Yes | Creating multiple accounts for subsequent misuse |
| OAT-014 Vulnerability Scanning | Attack preparation | Yes | Using automated vulnerability scanners to find web system weaknesses |
| OAT-004 Fingerprinting | Attack preparation | Yes | Discovering the system architecture and the software and services in use, in preparation for a targeted attack |
| OAT-018 Footprinting | Attack preparation | Yes | Automatically mapping the application's services and functionality |
| OAT-006 Expediting | Unfair advantage through automation | Yes | Hastening slow, multi-step actions |
| OAT-016 Skewing | Unfair advantage through automation | Yes | Altering metrics |
| OAT-005 Scalping | Unfair advantage through automation | Yes | Obtaining limited-availability or premium goods |
| OAT-013 Sniping | Unfair advantage through automation | Yes | Last-minute bids to avoid competition |
| OAT-021 Denial of Inventory | Unfair advantage through automation | Yes | Depleting stock by reserving goods without ever completing the purchase |