Protecting against DDoS with F5 | Motiv ICT Security
TRANSCRIPT
6/20/13

Slide 1: Protecting against DDoS with F5
Luuk Dries
Slide 2: Protecting against DDoS is challenging
Four trends: webification of apps, device proliferation, evolving security threats, shifting perimeter.
• 71% of internet experts predict most people will do work via web or mobile by 2020.
• 95% of workers use at least one personal device for work.
• 130 million enterprises will use mobile apps by 2014.
• 58% of all e-theft tied to activist groups; 81% of breaches involved hacking.
• 80% of new apps will target the cloud.
• 72% of IT leaders have or will move applications to the cloud.
Slide 3
“Sixty-five percent [of surveyed organizations] reported experiencing an average of three DDoS attacks in the past 12 months, with an average downtime of 54 minutes.”
– 2012 Ponemon Institute Survey
Slide 4: Spotlight: Operation Ababil – September 2012
Izz ad-Din al-Qassam Cyber Fighters DDoS attacks on Bank of America, NYSE, Wells Fargo, PNC, Chase, SunTrust, Capital One and others.
Peak attacks of 75 Gbps, including a mix of layer 3, 4, 5 and 7 attacks.
Anti-DDoS scrubbers were used for the network attacks; F5 for Layer 7.
The Cyber Fighters appeared to have performed extensive network reconnaissance on the data centers of each target.
Network reconnaissance likely included timing information on all available links and database queries.
Slide 5: Which DDoS mitigation to use?
Cloud/Hosted Service:
• Content Delivery Network
• Carrier Service Provider
• Cloud-based DDoS Service
On-Premise Defense:
• Network firewall with SSL inspection
• Web Application Firewall
• On-premise DDoS solution
• Intrusion Detection/Prevention

Slide 6: The answer: “All of the above”
Slide 7
“It is simply not cost-effective to run all your traffic through a scrubbing center constantly, and many DoS attacks target the application layer – demanding use of a customer premise device anyway.”
– Securosis, “Defending Against DoS Attacks”
Slide 8: Why isn’t an anti-DDoS service enough?
From attack to protection, cloud-based scrubbing involves time-consuming steps:
• Cloud scrubbers are expensive, and financial approval for activation takes up to an hour.
• Re-routing traffic itself can take up to 2 hours…
• …but the average attack lasts only 54 minutes. And 25% of attack traffic is application based, probably SSL-encrypted and invisible to the scrubber.
For full-pipe attacks, there is no substitute for a cloud-based or service-provider DDoS service. But how many attacks are full-pipe, and what about encrypted attacks?
Slide 9: Real DDoS Use Cases
• Using F5 with an anti-DDoS service
• Using F5 to mitigate short-lived, small-to-medium DDoS fully

Slide 10: Introducing the F5 Application Delivery Firewall: Bringing deep application fluency to firewall security
One platform:
• SSL inspection
• Traffic management
• DNS security
• Access control
• Application security
• Network firewall (EAL2+; EAL4+ in process)
• DDoS mitigation
Slide 11: Using an anti-DDoS/Service Provider only
[Diagram: anti-DDoS service in front of the site]
Anti-DDoS services invoked – rate limiting 90% of traffic, but the application tier is still down due to asymmetric workloads.
Slide 12: Use Case #1: F5 + Cloud-scrubber/Service Provider. iRule invoked to scrub remaining traffic by URI
• Anti-DDoS service for volumetric attacks
• iRule blocks targeted URLs under attack
• Monitoring/management required during attack
[Diagram: anti-DDoS service in front of the F5]
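As an added example (not from the deck and not F5's own code), an iRule in the spirit of Use Case #1: it matches requests against the URIs under attack and, going one step beyond the slide's outright block, gives each client a small request budget on those URIs so that legitimate users of a targeted page are not all cut off. The data group name `ddos_uris`, the budget values and the log text are assumptions.

```tcl
# Added example, not from the deck: LTM iRule for scrubbing attacked URIs.
# Assumes a hypothetical string data group "ddos_uris" that operators fill
# with the URI prefixes currently under attack, and a per-client budget.
when RULE_INIT {
    # Hypothetical per-client budget: requests allowed per window on attacked URIs
    set static::ddos_max_req 100
    set static::ddos_window  10   ;# seconds
}

when HTTP_REQUEST {
    # Only scrub requests for URIs the upstream scrubber could not see
    # (application-layer, possibly SSL-terminated on this BIG-IP)
    if { ![class match [HTTP::uri] starts_with ddos_uris] } {
        return
    }

    set client [IP::client_addr]
    set key "ddos:$client"

    # Count this client's requests in the session table; "table incr"
    # creates the key on first use, and the timeout expires the window
    set count [table incr $key]
    table timeout $key $static::ddos_window

    if { $count > $static::ddos_max_req } {
        # Over budget: drop without spending a response on the attacker
        log local0.notice "DDoS scrub: dropping $client for [HTTP::uri] ($count req)"
        drop
        return
    }

    # Under budget: the request proceeds to the default pool as usual
}
```

Operators add or remove URI prefixes in the data group while the attack is ongoing, which is the monitoring/management the slide calls out.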
Slide 13: Use Case #2: Hardened Side-Site. Temporary reduction of Layer 7 attack surface
• Hardened side-site activated during attack
• Allows authenticated and SSL access only
• Enables most functions for valid users

Slide 14: Use Case #3: Hardened Site with F5. Threat reduction for the entire site
• Pre-defined, hardened virtual servers activated during attacks
• BIG-IP AFM allows only SSL and handles L3/L4 DDoS
• BIG-IP APM/ASM secures applications for authenticated users
Slide 15: Use Case #4: Mitigating Network Reconnaissance. IP Intelligence: identify and allow or block IP addresses with malicious activity
[Diagram: IP intelligence service (IP address feed updates every 5 min) and a geolocation database inform the BIG-IP in front of a custom application and a financial application; internally infected devices and servers are also checked]
Major sources of network reconnaissance:
• Botnet
• Attacker
• Anonymous requests
• Anonymous proxies
• Scanner
• Restricted region or country
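As an added example (not from the deck and not F5's own code), an iRule that applies the Use Case #4 lookups at connection setup: a geolocation check for restricted regions and an IP Intelligence check for the reconnaissance sources named on the slide. It assumes the IP Intelligence feed is licensed and active on the BIG-IP; the category strings and the country codes are assumptions to verify against the local database.

```tcl
# Added example, not from the deck: iRule using IP Intelligence and
# geolocation lookups for Use Case #4. Assumes the IP Intelligence feed
# is licensed and active; category names and country codes are assumed.
when RULE_INIT {
    # Assumed IP Intelligence category names matching the slide's sources
    set static::ipi_block_categories [list "Botnets" "Scanners" "Anonymous Proxy"]
    # Placeholder ISO 3166 codes for restricted regions; replace locally
    set static::blocked_countries [list "XA" "XB"]
}

when CLIENT_ACCEPTED {
    set client [IP::client_addr]

    # Geolocation database lookup: two-letter country code of the source
    set country [whereis $client country]
    if { [lsearch -exact $static::blocked_countries $country] >= 0 } {
        log local0.notice "GeoIP: rejecting $client from restricted region $country"
        reject
        return
    }

    # IP Intelligence lookup returns the categories the feed currently
    # assigns to this source (the slide notes the feed refreshes every 5 min)
    set categories [IP::reputation $client]
    foreach cat $static::ipi_block_categories {
        if { $categories contains $cat } {
            log local0.notice "IPI: rejecting $client, category $cat"
            # Reject at connection setup, before any HTTP work is spent
            reject
            return
        }
    }
}
```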
Slide 16: Deep Dive into F5 DDoS Mitigation Technology
“How do I use the F5 products I’ve already got to help defend against DDoS attacks?”
Slide 17: DDoS Mitigation
Attack categories and F5 mitigation technologies mapped to the OSI stack (Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2), Physical (1)); the diagram is annotated with increasing difficulty of attack detection.

Network attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
F5 mitigation technology: BIG-IP AFM. SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.

Session attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
F5 mitigation technology: BIG-IP LTM and GTM. High-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation

Application attacks: OWASP Top 10 (SQL Injection, XSS, CSRF, etc.), Slowloris, Slow Post, HashDos, GET Floods
F5 mitigation technology: BIG-IP ASM. Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection

• Protect against DDoS at all layers
• Withstand the largest attacks
• Gain visibility and detection of SSL encrypted attacks
Slide 18: Defending Layers 3 and 4
Using performance to mitigate network-based attacks
Slide 19: Network Floods – Mitigated by Scale and Performance
Layer 3: Configurable rate-limiting of ICMP floods
Layer 4: SYN-flood protection in hardware, mitigating 1 billion SYNs per second
• BIG-IP 10200v: 36M concurrent sessions
• VIPRION 2400: 48M concurrent sessions
• VIPRION 4480: 144M concurrent sessions
• VIPRION 4800: 288M concurrent sessions

Slide 20: BIG-IP Advanced Firewall Manager (AFM)
Available in a bundle with BIG-IP LTM (BIG-IP AFM + BIG-IP LTM).
Providing network firewall and protection for 38 customizable DDoS vectors
• L4 stateful full proxy firewall
• IPsec, NAT, advanced routing, full SSL, on-box reporting, and protocol security
Slide 21: Defending DNS

Slide 22: DNS Security with BIG-IP GTM and DNS Express
Solved with BIG-IP GTM with DNS Express:
• 250K queries/second per CPU
• Over 10M/second for VIPRION
DNS DDoS:
• UDP floods mitigated by high-scale full-proxy architecture
• NXDOMAIN query floods are intended to attack caches; DNS Express is not a cache, so NXDOMAIN floods can’t force it to drop zone info
DNS Firewall:
• Filter based on header and question sections
• Opcode, query/response header, response code
• Allow/drop DNS response record
• Anomaly detection
• Per query type
• Specify thresholds and watermarks in DDoS profile
Slide 25: Defending SSL
Using capacity and cryptographic offload to defend against SSL floods and protocol attacks.

Slide 26: SSL Inspection
[Diagram: SSL use case, with encrypted attack traffic terminated on the BIG-IP]
• Gain visibility and detection of SSL-encrypted attacks
• Achieve high-scale/high-performance SSL proxy
• Offload SSL: reduce load on application servers
Slide 27: SSL Renegotiation
Attempted against a BIG-IP in the field. Mitigated by F5 FSE.

Slide 28: Mitigating Esoteric Layer 7 Attacks
Apache Killer, Slowloris, Slow POST
Slide 29: Layer 7 Attack Tools / F5 Mitigations
Attack (active since): threat/flaw
• Slowloris (Jun 2009): HTTP GET request with partial header
• XerXes DoS (Feb 2010): TCP flood (8 times increase, 48 threads)
• LOIC/HOIC (Nov 2010): TCP/UDP/HTTP GET floods
• Slow POST (RUDY) (Nov 2010): HTTP web form field, slow 1-byte send
• #RefRef DoS (Jul 2011): Exploit SQLi for recursive SQL ops
• Apache Killer (Aug 2011): Overlapping HTTP ranges
• HashDos (Dec 2011): Overwhelms hash tables of all popular web platforms – Java, ASP, Apache, Tomcat
Impact (all tools): attack can be launched remotely, Denial of Service (DoS), resource exhaustion, tools and scripts publicly available
F5 measures: LTM/iRule slow request completion; *Adaptive Connect Reaper (threshold); ASM slow connect; *ASM attack signature; iRule/ASM (signature – regexp); iRule

Slide 30: HashDos
The “HashDos” vulnerability affects all major web servers and application platforms.
[Diagram: VIPRION in front of the back-end services]
A single DevCentral iRule mitigates the vulnerability for all back-end services.
Staff can schedule patches for back-end services on their own timeline.
Slide 31: Mitigating other Low-Bandwidth Layer 7 Attacks
Not always a DDoS attack, but still a DoS condition.

Slide 32: Automatic HTTP/S DoS Attack Detection and Protection
• Accurate detection technique, based on latency
• Three different mitigation techniques escalated serially
• Focus on higher value productivity while automatic controls intervene
Escalation: detect a DoS condition → identify potential attackers → drop only the attackers
Slide 35: Different DoS/DDoS Profiles per Listener
• Enable a unique or general DoS/DDoS profile per Listener
• All threshold values are configurable
• 80+ pre-defined DoS/DDoS attacks

Slide 36: AFM Firewall Match and Drill Down