PROTECTING AGAINST DDOS WITH F5
Luuk Dries
6/20/13
Protecting against DDoS is challenging

Webification of apps
• 71% of internet experts predict most people will do work via web or mobile by 2020.

Device proliferation
• 95% of workers use at least one personal device for work.
• 130 million enterprises will use mobile apps by 2014.

Evolving security threats
• 58% of all e-theft tied to activist groups.
• 81% of breaches involved hacking.

Shifting perimeter
• 80% of new apps will target the cloud.
• 72% of IT leaders have or will move applications to the cloud.

“Sixty-five percent [of surveyed organizations] reported experiencing an average of three DDoS attacks in the past 12 months, with an average downtime of 54 minutes.”
– 2012 Ponemon Institute Survey
Spotlight: Operation Ababil – September 2012
Izz ad-din al Quassam CyberFighters
• DDoS attacks on Bank of America, NYSE, Wells Fargo, PNC, Chase, SunTrust, Capital One and others.
• Peak attacks 75G, including mix of layer 3, 4, 5 and 7 attacks.
• Anti-DDoS scrubbers used for network attacks. F5 for Layer 7.
• The CyberFighters appeared to have performed extensive network reconnaissance on data centers for each of the targets.
• Network reconnaissance likely included timing information on all available links and database queries.
Which DDoS mitigation to use?
• Network firewall with SSL inspection
• Content Delivery Network
• Web Application Firewall
• Carrier Service Provider
• On-premise DDoS solution
• Cloud-based DDoS Service
• Intrusion Detection/Prevention
Categories: Cloud/Hosted Service; On-Premise Defense

The answer: “All of the above”

“It is simply not cost-effective to run all your traffic through a scrubbing center constantly, and many DoS attacks target the application layer – demanding use of a customer premise device anyway.”
– Securosis, “Defending Against DoS Attacks”
Why isn’t an anti-DDoS service enough?
• From attack to protection, cloud-based scrubbing involves time-consuming steps.
• Cloud scrubbers are expensive, and financial approval for activation takes up to an hour.
• Re-routing traffic itself can take up to 2 hours…
• …but the average attack lasts only 54 minutes.
• And 25% of attack traffic is application based, probably SSL-encrypted and invisible to the scrubber.

For full-pipe attacks, there is no substitute for a cloud-based or service-provider DDoS service. But how many attacks are full-pipe, and what about encrypted attacks?
Real DDoS Use Cases
• Using F5 with an anti-DDoS service
• Using F5 to mitigate short-lived, small-to-medium DDoS fully

Introducing the F5 Application Delivery Firewall
Bringing deep application fluency to firewall security
One platform: network firewall, traffic management, application security, access control, DDoS mitigation, SSL inspection, DNS security.
EAL2+; EAL4+ (in process)

Using an anti-DDoS/Service Provider only
Anti-DDoS services invoked – rate limiting 90% of traffic, but application tier still down due to asymmetric workloads.
Use Case #1: F5 + Cloud-scrubber/Service Provider
iRule invoked to scrub remaining traffic by URI
• Anti-DDoS service for volumetric attacks
• iRule blocks targeted URLs under attack
• Monitoring/management required during attack
Use Case #2: Hardened Side-Site
Temporary reduction of Layer 7 attack surface
• Hardened side-site activated during attack
• Allows authenticated and SSL access only
• Enables most functions for valid users
• BIG-IP AFM allows only SSL and handles L3/L4 DDoS
• BIG-IP APM/ASM secures applications for authenticated users

Use Case #3: Hardened Site with F5
Threat reduction for the entire site
• Pre-defined, hardened virtual servers activated during attacks
Use Case #4: Mitigating Network Reconnaissance
IP Intelligence – Identify and allow or block IP addresses with malicious activity
• Data sources: IP intelligence service (IP address feed updates every 5 min) and geolocation database
• Major sources of network reconnaissance (including internally infected devices and servers): botnet, attacker, scanner, anonymous requests, anonymous proxies, restricted region or country
• Protected in the diagram: custom application, financial application

Deep Dive into F5 DDoS Mitigation Technology
“How do I use the F5 products I’ve already got to help defend against DDoS attacks?”
DDOS MITIGATION
OSI stack, with increasing difficulty of attack detection from layer 1 upward, and the F5 mitigation technologies for each group:

Network attacks – Physical (1), Data Link (2), Network (3), Transport (4)
  Attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
  Mitigation: BIG-IP AFM – SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding.

Session attacks – Session (5), Presentation (6)
  Attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
  Mitigation: BIG-IP LTM and GTM – High-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation

Application attacks – Application (7)
  Attacks: OWASP Top 10 (SQL Injection, XSS, CSRF, etc.), Slowloris, Slow Post, HashDos, GET Floods
  Mitigation: BIG-IP ASM – Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection

Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
• Protect against DDoS at all layers
• Withstand the largest attacks
• Gain visibility and detection of SSL encrypted attacks
Defending Layers 3 and 4
Using performance to mitigate network-based attacks

Network Floods – Mitigated by Scale and Performance
• VIPRION 4800: 288M concurrent sessions
• VIPRION 4480: 144M concurrent sessions
• VIPRION 2400: 48M concurrent sessions
• BIG-IP 10200v: 36M concurrent sessions
Layer 4: SYN-flood protection in hardware, mitigating 1 billion SYNs per second
Layer 3: Configurable rate-limiting of ICMP floods

BIG-IP Advanced Firewall Manager (AFM)
Providing network firewall and protection for 38 customizable DDoS vectors
Available in a bundle with BIG-IP LTM
§ L4 stateful full proxy firewall
§ IPsec, NAT, advanced routing, full SSL, on-box reporting, and protocol security
Defending DNS

DNS Security with BIG-IP GTM and DNS Express
DNS DDoS solved with BIG-IP GTM with DNS Express:
§ 250K queries/second per CPU
§ Over 10M/second for VIPRION
§ UDP floods mitigated by high-scale full-proxy architecture
§ NXDOMAIN query floods: intended to attack caches
  § DNS Express is not a cache
  § NXDOMAIN floods can’t force it to drop zone info

DNS Firewall
§ Filter based on header and question sections
  § Opcode, query/response header, response code
  § Allow/drop DNS response record
§ Anomaly detection
  § Per query type
  § Specify thresholds and watermarks in DDoS profile
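The DNS Firewall bullets above describe two controls: filtering on the header and question section (opcode, QR bit, query type) and per-query-type thresholds. The following is an added example written for this page, not F5's DNS Express or DNS Firewall code: a simplified inbound-query filter that parses the header and the first question of a raw DNS packet, applies opcode/QR/query-type policy, and enforces a sliding-window threshold per query type. The sample packets are constructed by `build_query`; the allowed query types and the threshold of 50 A queries per second are assumed values.

```python
import struct
from collections import defaultdict, deque

# Hypothetical, simplified DNS firewall written as an illustration; it is not
# F5's implementation. It parses the header and question section of an inbound
# query, applies opcode / QR-bit / query-type policy, and enforces a
# per-query-type rate threshold over a sliding time window.

QTYPE_NAMES = {1: "A", 2: "NS", 15: "MX", 16: "TXT", 28: "AAAA", 255: "ANY"}


def build_query(name, qtype, txid=0x1234, qr=False, opcode=0):
    """Build a single-question DNS query. Used only to construct sample input."""
    flags = (0x8000 if qr else 0) | (opcode << 11) | 0x0100   # RD bit set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_query(pkt):
    """Parse the 12-byte header and the first question; raise ValueError if malformed."""
    if len(pkt) < 12:
        raise ValueError("short header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    labels, pos = [], 12
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:   # compression pointers are not valid in a question name
            raise ValueError("compression pointer in question")
        if pos + length > len(pkt):
            raise ValueError("truncated label")
        labels.append(pkt[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return {"id": txid, "qr": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
            "qdcount": qdcount, "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


class DnsFirewall:
    def __init__(self, allowed_qtypes, thresholds, window_seconds=1.0):
        self.allowed_qtypes = set(allowed_qtypes)
        self.thresholds = dict(thresholds)      # qtype -> max queries per window
        self.window = window_seconds
        self.seen = defaultdict(deque)          # qtype -> arrival timestamps in the window

    def evaluate(self, pkt, now):
        """Return ("allow" | "drop", reason) for one inbound packet arriving at time `now`."""
        try:
            q = parse_query(pkt)
        except ValueError as err:
            return "drop", f"malformed: {err}"
        if q["qr"]:
            return "drop", "QR bit set: a response, not a query"
        if q["opcode"] != 0:
            return "drop", f"opcode {q['opcode']} not permitted"
        if q["qdcount"] != 1:
            return "drop", f"qdcount {q['qdcount']} not permitted"
        name = QTYPE_NAMES.get(q["qtype"], str(q["qtype"]))
        if q["qtype"] not in self.allowed_qtypes:
            return "drop", f"query type {name} not permitted"
        # Per-query-type anomaly threshold: count arrivals inside the sliding window.
        window = self.seen[q["qtype"]]
        window.append(now)
        while window and now - window[0] > self.window:
            window.popleft()
        limit = self.thresholds.get(q["qtype"])
        if limit is not None and len(window) > limit:
            return "drop", f"{name} rate {len(window)} per {self.window}s exceeds {limit}"
        return "allow", q["qname"]


if __name__ == "__main__":
    fw = DnsFirewall(allowed_qtypes={1, 28, 15}, thresholds={1: 50})
    print(fw.evaluate(build_query("www.example.com", 1), now=0.0))
    print(fw.evaluate(build_query("example.com", 255), now=0.0))
```

The filter drops malformed packets before any policy check, so a truncated question never reaches the threshold logic; the threshold itself is keyed on query type rather than source address, matching the per-query-type anomaly detection the slide describes.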
DNS DDoS: Protocol Security
Defending SSL
Using capacity and cryptographic offload to defend against SSL floods and protocol attacks.

SSL INSPECTION
Use case:
• Gain visibility and detection of SSL-encrypted attacks
• Achieve high-scale/high-performance SSL proxy
• Offload SSL—reduce load on application servers

SSL Renegotiation:
Attempted against a BIG-IP in the field. Mitigated by F5 FSE.

Mitigating Esoteric Layer 7 Attacks
Apache Killer, Slowloris, Slow POST
Layer 7 Attack Tools / F5 Mitigations

Slowloris – active since Jun 2009
  Threat/Flaw: HTTP GET request, partial header
  Measure: LTM/iRule slow request completion
XerXes DoS – active since Feb 2010
  Threat/Flaw: Flood TCP (8 times increase, 48 threads)
  Measure: Adaptive Connect Reaper (threshold)
LOIC/HOIC – active since Nov 2010
  Threat/Flaw: TCP/UDP/HTTP GET floods
  Measure: Adaptive Connect Reaper (threshold)
Slow POST (RUDY) – active since Nov 2010
  Threat/Flaw: HTTP web form field, slow 1-byte send
  Measure: ASM slow connect
#RefRef DoS – active since Jul 2011
  Threat/Flaw: Exploit SQLi for recursive SQL ops
  Measure: ASM attack signature
Apache Killer – active since Aug 2011
  Threat/Flaw: Overlapping HTTP ranges
  Measure: iRule/ASM (signature regexp)
HashDos – active since Dec 2011
  Threat/Flaw: Overwhelms hash tables of all popular web platforms – Java, ASP, Apache, Tomcat
  Measure: iRule

Impact (all of the above): attack can be launched remotely, Denial of Service (DoS), resource exhaustion, tools and scripts publicly available.
HashDos
“HashDos” vulnerability affects all major web servers and application platforms.
VIPRION
• Single DevCentral iRule mitigates vulnerability for all back-end services
• Staff can schedule patches for back-end services on their own timeline
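HashDos works by sending a form body with a very large number of parameter names that collide in the platform's hash function, turning table insertion into quadratic work. A proxy in front of the application can remove the precondition by bounding body size and parameter count before any parser builds a table. The block below is an added illustration written for this page, not the DevCentral iRule the slide refers to; the limits `MAX_PARAMS` and `MAX_BODY_BYTES` are assumed values, and the sample bodies are constructed.

```python
from urllib.parse import unquote_plus

# Hypothetical request pre-filter written as an illustration; it is not the
# DevCentral iRule mentioned on the slide. It bounds the body size and the
# number of form parameters *before* anything builds a hash table from them,
# which removes the condition a HashDos payload depends on: thousands of
# colliding keys inserted into one table.

MAX_BODY_BYTES = 64 * 1024   # assumed limits; tune per application
MAX_PARAMS = 500


class RequestRejected(ValueError):
    """Raised when a request exceeds the configured size or parameter limits."""


def count_params(body, limit):
    """Count '&'-separated non-empty segments in one linear pass.

    Raises as soon as `limit` is exceeded, so a hostile body costs at most
    O(limit) work here and never reaches the application's parser.
    """
    count, pos, n = 0, 0, len(body)
    while pos < n:
        nxt = body.find(b"&", pos)
        if nxt == -1:
            nxt = n
        if nxt > pos:                # ignore empty segments such as in "a=1&&b=2"
            count += 1
            if count > limit:
                raise RequestRejected(f"more than {limit} form parameters")
        pos = nxt + 1
    return count


def guarded_parse(body, max_params=MAX_PARAMS, max_body=MAX_BODY_BYTES):
    """Enforce the limits, then parse application/x-www-form-urlencoded into {name: [values]}."""
    if len(body) > max_body:
        raise RequestRejected(f"body of {len(body)} bytes exceeds {max_body}")
    count_params(body, max_params)   # the guard runs before the dict below is built
    params = {}
    for segment in body.split(b"&"):
        if not segment:
            continue
        name, _, value = segment.partition(b"=")
        key = unquote_plus(name.decode("utf-8", "replace"))
        params.setdefault(key, []).append(unquote_plus(value.decode("utf-8", "replace")))
    return params


def rejects(body, **limits):
    """True if guarded_parse refuses the body; convenient for policy checks."""
    try:
        guarded_parse(body, **limits)
    except RequestRejected:
        return True
    return False


if __name__ == "__main__":
    print(guarded_parse(b"user=alice&remember=on"))
    flood = b"&".join(b"k%d=v" % i for i in range(10_000))   # constructed oversized body
    print("rejected:", rejects(flood))
```

Because the count is taken with a single `find` loop over bytes, the cost of inspecting an abusive body is linear in its size and capped by the limit; the application's own parser is only invoked for bodies that have already passed.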
Mitigating other Low-Bandwidth Layer 7 Attacks
Not always a DDoS attack, but still a DoS condition.

Automatic HTTP/S DoS Attack Detection and Protection
• Accurate detection technique—based on latency
• Three different mitigation techniques escalated serially
• Focus on higher-value productivity while automatic controls intervene
Flow: detect a DoS condition; identify potential attackers; drop only the attackers.
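The three steps listed above (detect a DoS condition from latency, identify the potential attackers, drop only them) can be shown end to end over a request log. The following is an added example written for this page, not F5 ASM's implementation: it learns a latency baseline from a quiet period, flags a window whose mean server latency exceeds a multiple of that baseline, and then names only the sources whose request volume is anomalous relative to the other clients in that window. The log format, the sample lines produced by `constructed_log`, and the factors (3× baseline latency, 5× the median client's request count, at least 10 requests) are all assumptions for the illustration.

```python
from collections import Counter
from statistics import median

# Hypothetical latency-based HTTP DoS detector written as an illustration; it
# is not F5's ASM implementation. It follows the three steps on the slide:
# (1) detect a DoS condition from server latency against a learned baseline,
# (2) identify sources whose request volume is anomalous in that window,
# (3) return only those sources for blocking, leaving normal clients alone.
#
# Log format assumed here (constructed for the example):
#   <epoch_seconds> <client_ip> <method> <uri> <status> <server_latency_ms>


def parse_line(line):
    ts, ip, method, uri, status, latency = line.split()
    return {"ts": float(ts), "ip": ip, "method": method, "uri": uri,
            "status": int(status), "latency_ms": float(latency)}


def latency_baseline(records, quiet_until):
    """Mean server latency during a learning period known to be attack-free."""
    quiet = [r["latency_ms"] for r in records if r["ts"] < quiet_until]
    if not quiet:
        raise ValueError("no records in the learning period")
    return sum(quiet) / len(quiet)


def dos_condition(records, start, end, baseline_ms, factor=3.0):
    """Step 1: the window's mean latency exceeds `factor` times the baseline."""
    window = [r["latency_ms"] for r in records if start <= r["ts"] < end]
    return bool(window) and sum(window) / len(window) > factor * baseline_ms


def suspect_sources(records, start, end, ratio=5.0, min_requests=10):
    """Step 2: sources whose request count dwarfs the median client in the window."""
    counts = Counter(r["ip"] for r in records if start <= r["ts"] < end)
    if not counts:
        return set()
    typical = median(counts.values())
    return {ip for ip, n in counts.items() if n >= min_requests and n > ratio * typical}


def evaluate(lines, quiet_until, window, factor=3.0):
    """Step 3: decide whether a DoS condition exists and name only the attackers to drop."""
    records = [parse_line(line) for line in lines]
    baseline = latency_baseline(records, quiet_until)
    start, end = window
    if not dos_condition(records, start, end, baseline, factor):
        return {"dos": False, "baseline_ms": baseline, "block": set()}
    return {"dos": True, "baseline_ms": baseline,
            "block": suspect_sources(records, start, end)}


def constructed_log():
    """Constructed sample: four normal clients, then one source flooding /app/search."""
    legit = ["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"]
    lines = []
    t = 0.0
    for i in range(12):                      # quiet period, ~120 ms server latency
        lines.append(f"{t:.1f} {legit[i % 4]} GET /app/page{i % 3} 200 {110 + (i % 3) * 10}")
        t += 0.8
    t = 20.0
    for i in range(60):                      # flood: 60 requests in under 5 s, latency climbing
        lines.append(f"{t:.3f} 203.0.113.99 GET /app/search?q={i} 200 {600 + i * 10}")
        t += 0.08
    for i, ip in enumerate(legit):           # normal clients, now slowed by the flood
        lines.append(f"{20.5 + i:.1f} {ip} GET /app/page0 200 950")
    return lines


if __name__ == "__main__":
    result = evaluate(constructed_log(), quiet_until=10.0, window=(20.0, 26.0))
    print(result)
```

The detection key is server latency, not request volume, so a low-bandwidth attack that slows the application still trips step 1; the per-source comparison in step 2 is what keeps the legitimate clients, who are also experiencing the slowdown, out of the block set.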
REPORTING AND VISIBILITY

BIG-IP AFM - Network Firewall Rules

Different DoS/DDoS Profiles per Listener
• Enable a unique or general DoS/DDoS profile per Listener
• All threshold values are configurable
• 80+ pre-defined DoS/DDoS attacks

AFM Firewall Match and Drill Down

devcentral.f5.com
facebook.com/f5networksinc
linkedin.com/companies/f5-networks
twitter.com/f5networks
youtube.com/f5networksinc