6/20/13
PROTECTING AGAINST DDOS WITH F5
Luuk Dries

Protecting against DDoS is challenging
• Webification of apps: 71% of internet experts predict most people will do work via web or mobile by 2020; 130 million enterprises will use mobile apps by 2014.
• Device proliferation: 95% of workers use at least one personal device for work.
• Evolving security threats: 58% of all e-theft is tied to activist groups; 81% of breaches involved hacking.
• Shifting perimeter: 80% of new apps will target the cloud; 72% of IT leaders have moved or will move applications to the cloud.

"Sixty-five percent [of surveyed organizations] reported experiencing an average of three DDoS attacks in the past 12 months, with an average downtime of 54 minutes."
– 2012 Ponemon Institute Survey

Spotlight: Operation Ababil – September 2012
Izz ad-din al Quassam CyberFighters DDoS attacks on Bank of America, NYSE, Wells Fargo, PNC, Chase, SunTrust, Capital One and others.
• Peak attacks of 75 Gbps, including a mix of layer 3, 4, 5 and 7 attacks.
• Anti-DDoS scrubbers were used for the network attacks; F5 for layer 7.
• The CyberFighters appeared to have performed extensive network reconnaissance on the data centers of each target, likely including timing information on all available links and database queries.

Which DDoS mitigation to use?
Cloud/hosted service:
• Content Delivery Network
• Carrier Service Provider
• Cloud-based DDoS Service
On-premise defense:
• Network firewall with SSL inspection
• Web Application Firewall
• On-premise DDoS solution
• Intrusion Detection/Prevention

The answer: "All of the above"

"It is simply not cost-effective to run all your traffic through a scrubbing center constantly, and many DoS attacks target the application layer – demanding use of a customer premise device anyway."
– Securosis, "Defending Against DoS Attacks"

Why isn't an anti-DDoS service enough?
• From attack to protection, cloud-based scrubbing involves time-consuming steps.
• Cloud scrubbers are expensive, and financial approval for activation takes up to an hour.
• Re-routing traffic itself can take up to 2 hours...
• ...but the average attack lasts only 54 minutes.
• And 25% of attack traffic is application based, probably SSL-encrypted and therefore invisible to the scrubber.
For full-pipe attacks there is no substitute for a cloud-based or service-provider DDoS service. But how many attacks are full-pipe, and what about encrypted attacks?

Real DDoS Use Cases
• Using F5 with an anti-DDoS service
• Using F5 to mitigate short-lived, small-to-medium DDoS fully

Introducing the F5 Application Delivery Firewall
Bringing deep application fluency to firewall security. One platform:
• Network firewall
• Traffic management
• Application security
• Access control
• DDoS mitigation
• SSL inspection
• DNS security
Certification: EAL2+; EAL4+ (in process)

Using an anti-DDoS/service provider only
Anti-DDoS service invoked, rate-limiting 90% of traffic, but the application tier is still down due to asymmetric workloads: the requests that still get through cost the application far more to serve than they cost the attacker to send.

Use Case #1: F5 + cloud scrubber/service provider
iRule invoked to scrub the remaining traffic by URI.
• Anti-DDoS service for volumetric attacks
• iRule blocks targeted URLs under attack
• Monitoring/management required during the attack

Use Case #2: Hardened Side-Site
Temporary reduction of the layer 7 attack surface.
• Hardened side-site activated during an attack
• Allows authenticated and SSL access only
• Enables most functions for valid users
• BIG-IP AFM allows only SSL and handles L3/L4 DDoS
• BIG-IP APM/ASM secures applications for authenticated users

Use Case #3: Hardened Site with F5
Threat reduction for the entire site.
• Pre-defined, hardened virtual servers activated during attacks

Use Case #4: Mitigating Network Reconnaissance
IP Intelligence – identify and allow or block IP addresses with malicious activity. Major sources of network reconnaissance shown in the diagram:
• Botnet
• Restricted region or country (geolocation database)
• Attacker
• Anonymous requests and anonymous proxies
• Scanner
• Internally infected devices and servers
The IP intelligence service feeds IP address updates every 5 minutes; the protected targets in the diagram are a custom application and a financial application.

Deep Dive into F5 DDoS Mitigation Technology
"How do I use the F5 products I've already got to help defend against DDoS attacks?"

DDoS Mitigation: attacks by OSI layer and the F5 technology that mitigates them
(The difficulty of attack detection increases as you move up the stack.)

Layers 1-4 (physical, data link, network, transport): network attacks
  Attacks: SYN flood, connection flood, UDP flood, PUSH and ACK floods, Teardrop, ICMP floods, ping floods and Smurf attacks
  Mitigation: BIG-IP AFM - SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding

Layers 5-6 (session, presentation): session attacks
  Attacks: DNS UDP floods, DNS query floods, DNS NXDOMAIN floods, SSL floods, SSL renegotiation
  Mitigation: BIG-IP LTM and GTM - high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation

Layer 7 (application): application attacks
  Attacks: OWASP Top 10 (SQL injection, XSS, CSRF, etc.), Slowloris, Slow POST, HashDoS, GET floods
  Mitigation: BIG-IP ASM - positive and negative security policy enforcement, iRules, full proxy for HTTP, server performance anomaly detection

Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
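The SynCheck entry in the table above is a SYN-cookie defence: the device answers every SYN with a SYN-ACK whose initial sequence number is a keyed hash of the connection's 4-tuple, a coarse timestamp and an encoded MSS, and allocates connection state only when an ACK carrying a valid cookie comes back, so a flood of SYNs that never complete costs it no memory. The Python below is an added sketch of that logic, not F5's implementation or configuration; the secret key, the MSS table, the 64-second time slot, the bit layout and all addresses are constructed for the example.

```python
"""Stateless SYN handling with SYN cookies (added example, not F5 code)."""
import hashlib
import hmac

SECRET = b"constructed-example-secret"   # constructed; a real device rotates this key
MSS_TABLE = (536, 1220, 1440, 1460)      # MSS values the 3-bit index can name (4 of 8 used)
SLOT_SECONDS = 64                         # coarse timestamp granularity (assumption)

def _tag(four_tuple, slot):
    """24-bit keyed MAC over the 4-tuple and the time slot."""
    src_ip, src_port, dst_ip, dst_port = four_tuple
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{slot}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]

def make_cookie(four_tuple, client_mss, now):
    """Initial sequence number for the SYN-ACK: 5-bit slot | 3-bit MSS index | 24-bit MAC."""
    slot = (int(now) // SLOT_SECONDS) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    tag = int.from_bytes(_tag(four_tuple, slot), "big")
    return (slot << 27) | (mss_idx << 24) | tag

def check_cookie(cookie, four_tuple, now, max_age_slots=1):
    """Return the MSS encoded in a valid, fresh cookie, or None."""
    slot = (cookie >> 27) & 0x1F
    mss_idx = (cookie >> 24) & 0x7
    tag = (cookie & 0xFFFFFF).to_bytes(3, "big")
    current = (int(now) // SLOT_SECONDS) & 0x1F
    if (current - slot) & 0x1F > max_age_slots:
        return None                                    # stale or replayed much later
    if mss_idx >= len(MSS_TABLE):
        return None                                    # index we never emit
    if not hmac.compare_digest(tag, _tag(four_tuple, slot)):
        return None                                    # forged, or wrong 4-tuple
    return MSS_TABLE[mss_idx]

class StatelessListener:
    """Allocates connection state only after a cookie-bearing ACK verifies."""
    def __init__(self, local_ip, local_port):
        self.local = (local_ip, local_port)
        self.established = {}                          # (src_ip, src_port) -> mss

    def on_syn(self, src_ip, src_port, client_mss, now):
        # No queue entry and no timer: the cookie is the only thing we "remember".
        return make_cookie((src_ip, src_port) + self.local, client_mss, now)

    def on_ack(self, src_ip, src_port, ack_num, now):
        # The client acknowledges ISN+1, so the cookie is ack_num-1.
        mss = check_cookie((ack_num - 1) & 0xFFFFFFFF,
                           (src_ip, src_port) + self.local, now)
        if mss is None:
            return False
        self.established[(src_ip, src_port)] = mss
        return True

def demo():
    srv = StatelessListener("203.0.113.10", 443)
    t0 = 1_000_000
    # Constructed flood: 50,000 spoofed SYNs that never complete the handshake.
    for i in range(50_000):
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + (i % 60000), 1460, now=t0)
    state_after_flood = len(srv.established)
    # Legitimate client finishes the handshake within the same slot.
    isn = srv.on_syn("192.0.2.7", 51515, 1460, now=t0)
    legit = srv.on_ack("192.0.2.7", 51515, isn + 1, now=t0 + 1)
    # Same cookie replayed from a different source address: MAC mismatch.
    forged = srv.on_ack("192.0.2.8", 51515, isn + 1, now=t0 + 1)
    # Cookie presented three slots later: stale.
    old = srv.on_syn("192.0.2.9", 40000, 1440, now=t0)
    stale = srv.on_ack("192.0.2.9", 40000, old + 1, now=t0 + 200)
    return state_after_flood, legit, forged, stale, srv.established.get(("192.0.2.7", 51515))

if __name__ == "__main__":
    print(demo())
```

The price of statelessness is that the SYN-ACK cannot remember TCP options (window scale, SACK) beyond the few bits the cookie encodes, which is why SYN-cookie protection is normally armed only above an activation threshold rather than left on permanently.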
• Protect against DDoS at all layers
• Withstand the largest attacks
• Gain visibility and detection of SSL-encrypted attacks

Defending Layers 3 and 4
Using performance to mitigate network-based attacks.

Network Floods – Mitigated by Scale and Performance
• VIPRION 4800: 288M concurrent sessions
• VIPRION 4480: 144M concurrent sessions
• VIPRION 2400: 48M concurrent sessions
• BIG-IP 10200v: 36M concurrent sessions
• Layer 4: SYN-flood protection in hardware, mitigating 1 billion SYNs per second
• Layer 3: configurable rate-limiting of ICMP floods

BIG-IP Advanced Firewall Manager (AFM)
Available in a bundle with BIG-IP LTM. Provides a network firewall and protection for 38 customizable DDoS vectors.
• L4 stateful full-proxy firewall
• IPsec, NAT, advanced routing, full SSL, on-box reporting, and protocol security

Defending DNS

DNS Security with BIG-IP GTM and DNS Express
DNS DDoS solved with BIG-IP GTM with DNS Express:
• 250K queries/second per CPU
• Over 10M queries/second for VIPRION
• UDP floods mitigated by the high-scale full-proxy architecture
• NXDOMAIN query floods are intended to attack caches; DNS Express is not a cache, so NXDOMAIN floods can't force it to drop zone information
DNS Firewall:
• Filter based on header and question sections: opcode, query/response header, response code
• Allow/drop DNS response records
• Anomaly detection per query type, with thresholds and watermarks specified in the DDoS profile

DNS DDoS: Protocol Security (configuration screenshots)

Defending SSL
Using capacity and cryptographic offload to defend against SSL floods and protocol attacks.

SSL Inspection use case
• Gain visibility and detection of SSL-encrypted attacks
• Achieve a high-scale, high-performance SSL proxy
• Offload SSL and reduce load on application servers

SSL Renegotiation: attempted against a BIG-IP in the field; mitigated by F5 FSE.
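The DNS Firewall bullets above name per-query-type thresholds and an NXDOMAIN watermark but not how they are evaluated. The Python program below is added here, and is neither part of the deck nor F5's DNS Express or DDoS profile code; it shows one way such a policy is applied to a query log and how the resulting verdict drops only the offending query type or source. The log records, source addresses, thresholds and watermark are all constructed for the example. As the slide notes, an authoritative server has no cache for the flood to poison or evict, so spotting and dropping the flooding sources is the whole job.

```python
"""Per-query-type thresholds and an NXDOMAIN watermark over a DNS query log (added example)."""
import random
from collections import defaultdict

# Constructed policy, standing in for the per-query-type values of a DDoS profile.
RATE_THRESHOLD = {"A": 100, "AAAA": 100, "MX": 20, "ANY": 10}   # queries/second per source
DEFAULT_RATE_THRESHOLD = 50
NXDOMAIN_WATERMARK = 0.8       # share of a source's answers that are NXDOMAIN
NXDOMAIN_MIN_QUERIES = 50      # below this many queries the ratio is noise

def build_log():
    """Constructed log records: (second, client, qtype, qname, rcode). Not real traffic."""
    rng = random.Random(7)
    letters = "abcdefghijklmnopqrstuvwxyz"
    log = []
    for sec in range(3):
        # A normal resolver: a handful of A queries a second, the odd typo.
        for i in range(5):
            log.append((sec, "192.0.2.10", "A", f"www{i}.example.com", "NOERROR"))
        log.append((sec, "192.0.2.10", "A", "typo.example.com", "NXDOMAIN"))
        # NXDOMAIN flood: random labels under the zone, every answer negative.
        for _ in range(200):
            label = "".join(rng.choice(letters) for _ in range(12))
            log.append((sec, "198.51.100.5", "A", f"{label}.example.com", "NXDOMAIN"))
        # ANY-query flood from a second source.
        for _ in range(40):
            log.append((sec, "198.51.100.9", "ANY", "example.com", "NOERROR"))
    return log

def detect(log):
    """Return a set of (client, reason) verdicts."""
    per_second = defaultdict(lambda: defaultdict(int))   # (client, sec) -> qtype -> count
    negatives = defaultdict(lambda: [0, 0])               # client -> [nxdomain, total]
    for sec, client, qtype, _qname, rcode in log:
        per_second[(client, sec)][qtype] += 1
        negatives[client][1] += 1
        if rcode == "NXDOMAIN":
            negatives[client][0] += 1
    verdicts = set()
    for (client, _sec), counts in per_second.items():
        for qtype, n in counts.items():
            if n > RATE_THRESHOLD.get(qtype, DEFAULT_RATE_THRESHOLD):
                verdicts.add((client, f"rate:{qtype}"))
    for client, (nx, total) in negatives.items():
        if total >= NXDOMAIN_MIN_QUERIES and nx / total >= NXDOMAIN_WATERMARK:
            verdicts.add((client, "nxdomain-flood"))
    return verdicts

def action(verdicts, client, qtype):
    """Drop only what a verdict covers: the flooding query type, or everything from an NXDOMAIN flooder."""
    if (client, "nxdomain-flood") in verdicts or (client, f"rate:{qtype}") in verdicts:
        return "drop"
    return "allow"

if __name__ == "__main__":
    v = detect(build_log())
    for client, reason in sorted(v):
        print(client, reason)
```

The watermark is applied to a ratio with a minimum query count underneath it so that a legitimate resolver's occasional typo never trips it, while a source whose answers are almost all NXDOMAIN is dropped regardless of its raw rate.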
Mitigating Esoteric Layer 7 Attacks
Apache Killer, Slowloris, Slow POST

Layer 7 Attack Tools / F5 Mitigations
Attack (active since): threat/flaw
• Slowloris (Jun 2009): HTTP GET request, partial-header flood
• XerXes DoS (Feb 2010): TCP (8 times increase, 48 threads)
• LOIC/HOIC (Nov 2010): TCP/UDP/HTTP GET floods
• Slow POST (RUDY) (Nov 2010): HTTP web form field, slow 1-byte send
• #RefRef DoS (Jul 2011): exploits SQLi for recursive SQL operations
• Apache Killer (Aug 2011): overlapping HTTP ranges
• HashDoS (Dec 2011): overwhelms the hash tables of all popular web platforms (Java, ASP, Apache, Tomcat)
Impact: each attack can be launched remotely, causes denial of service through resource exhaustion, and has tools and scripts publicly available.
F5 mitigations, as listed on the slide: LTM/iRule slow request completion; *Adaptive Connect Reaper (threshold); ASM slow connect; *ASM attack signature; iRule/ASM (signature regexp); iRule.

HashDoS
• The "HashDoS" vulnerability affects all major web servers and application platforms
• A single DevCentral iRule on the VIPRION mitigates the vulnerability for all back-end services
• Staff can schedule patches for back-end services on their own timeline

Mitigating other Low-Bandwidth Layer 7 Attacks
Not always a DDoS attack, but still a DoS condition.

Automatic HTTP/S DoS Attack Detection and Protection
• Accurate detection technique based on latency
• Three different mitigation techniques escalated serially
• Focus on higher-value productivity while automatic controls intervene
Detect a DoS condition, identify potential attackers, drop only the attackers.

Reporting and Visibility

BIG-IP AFM - Network Firewall Rules (screenshot)

Different DoS/DDoS Profiles per Listener
• Enable a unique or general DoS/DDoS profile per listener
• All threshold values are configurable
• 80+ pre-defined DoS/DDoS attacks

AFM Firewall Match and Drill Down (screenshot)

devcentral.f5.com
facebook.com/f5networksinc
linkedin.com/companies/f5-networks
twitter.com/f5networks
youtube.com/f5networksinc
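The sequence "detect a DoS condition, identify potential attackers, drop only the attackers" with its three serially escalated mitigations, together with the per-URI blocking iRule of Use Case #1, can be expressed as one control loop. The Python below is an added illustration of that loop, not ASM's detection logic or an actual iRule: the escalation order (drop identified sources, then block the most-requested URI, then rate-limit the listener as a whole), the 3x latency factor and the 10x per-source factor are assumptions chosen for the example, and the request windows are constructed.

```python
"""Latency-triggered HTTP DoS detection with serial escalation (added example)."""
import statistics
from collections import defaultdict

BASELINE_FACTOR = 3.0        # DoS condition when mean latency reaches 3x the clean baseline (assumption)
MIN_REQUESTS = 50            # only judge windows that carry real load
ATTACKER_FACTOR = 10.0       # a source sending 10x the median per-source count is an attacker (assumption)
GLOBAL_LIMIT_PER_SEC = 200   # stage 3: rate-limit the whole listener (assumption)

class LatencyDosMitigator:
    """Stages: 0 none, 1 drop identified sources, 2 also block the attacked URI, 3 also global rate limit."""

    def __init__(self):
        self.baseline_ms = None
        self.stage = 0
        self.blocked_sources = set()
        self.blocked_uri = None

    def learn_baseline(self, window):
        """Window of (ts, src_ip, uri, latency_ms) records taken while the site is healthy."""
        self.baseline_ms = statistics.mean(r[3] for r in window)

    def evaluate(self, window):
        """Run once per sampling interval; escalates one stage each interval the condition persists."""
        if self.baseline_ms is None or len(window) < MIN_REQUESTS:
            return self.stage
        mean_ms = statistics.mean(r[3] for r in window)
        if mean_ms < BASELINE_FACTOR * self.baseline_ms:
            self.stage, self.blocked_uri = 0, None       # condition cleared: lift everything
            self.blocked_sources.clear()
            return self.stage
        self.stage = min(self.stage + 1, 3)
        per_source = defaultdict(int)
        per_uri = defaultdict(int)
        for _ts, src, uri, _lat in window:
            per_source[src] += 1
            per_uri[uri] += 1
        # Stage 1: attackers are the sources far above the median source's request count.
        median = statistics.median(per_source.values())
        self.blocked_sources |= {s for s, n in per_source.items() if n > ATTACKER_FACTOR * median}
        # Stage 2: a distributed attack hides below that threshold, so block the hottest URI instead.
        if self.stage >= 2:
            self.blocked_uri = max(per_uri, key=per_uri.get)
        return self.stage

    def decide(self, src_ip, uri, requests_this_second):
        """Per-request verdict under the current stage."""
        if src_ip in self.blocked_sources:
            return "drop"
        if self.stage >= 2 and uri == self.blocked_uri:
            return "drop"
        if self.stage >= 3 and requests_this_second > GLOBAL_LIMIT_PER_SEC:
            return "drop"
        return "allow"

def simulate():
    """Constructed windows: a clean baseline, a 5-bot attack, a spread-out attack, then recovery."""
    m = LatencyDosMitigator()
    legit = lambda ts, uri, ms, n: [(ts, f"192.0.2.{i % 20 + 1}", uri, ms) for i in range(n)]
    m.learn_baseline(legit(0, "/home", 40.0, 100))
    # Window A: five bots hammer /search and server latency climbs.
    window_a = legit(1, "/home", 150.0, 60) + [
        (1, f"198.51.100.{i % 5 + 1}", "/search", 900.0) for i in range(500)]
    stage_a = m.evaluate(window_a)
    verdict_a = (m.decide("198.51.100.3", "/search", 0), m.decide("192.0.2.4", "/search", 0))
    # Window B: the same load from 250 sources, each sending too little to stand out.
    window_b = legit(2, "/home", 150.0, 60) + [
        (2, f"203.0.113.{i % 250 + 1}", "/search", 900.0) for i in range(500)]
    stage_b = m.evaluate(window_b)
    verdict_b = (m.decide("203.0.113.7", "/search", 0), m.decide("192.0.2.4", "/home", 0))
    # Window C: latency back to normal, controls are lifted.
    stage_c = m.evaluate(legit(3, "/home", 45.0, 100))
    return stage_a, verdict_a, stage_b, verdict_b, stage_c

if __name__ == "__main__":
    print(simulate())
```

Stage 2 is where Use Case #1's URI block lands, and it is deliberately blunt: legitimate users of the attacked URI are dropped along with the bots, which is the trade-off the hardened side-site of Use Case #2 (authenticated access only) is meant to soften. Stage 3 is not exercised in the simulation and exists only as the last resort once the first two controls have failed to bring latency back under the threshold.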