PROTECTING AGAINST DDOS WITH F5 - Motiv | ICT Security


6/20/13  

1  

PROTECTING AGAINST DDOS WITH F5

Luuk Dries

2

Protecting against DDoS is challenging

Webification of apps Device proliferation

Evolving security threats Shifting perimeter

71% of internet experts predict most people will do work via web or mobile by 2020.

95% of workers use at least one personal device for work.

130 million enterprises will use mobile apps by 2014

58% of all e-theft tied to activist groups. 81% of breaches involved hacking

80% of new apps will target the cloud.

72% IT leaders have or will move applications to the cloud.


3

Sixty-five percent [of surveyed organizations] reported experiencing an average of three DDoS attacks in the past 12 months, with an average downtime of 54 minutes.

– 2012 Ponemon Institute Survey

4

Spotlight: Operation Ababil – September 2012

Izz ad-din al Quassam CyberFighters DDoS attacks on Bank of America, NYSE, Wells Fargo, PNC, Chase, SunTrust, Capital One and others.

Peak attacks 75G, including mix of layer 3, 4, 5 and 7 attacks.

Anti-DDoS scrubbers used for network attacks. F5 for Layer 7.

The CyberFighters appeared to have performed extensive network reconnaissance on data centers for each of the targets.

Network reconnaissance likely included timing information on all available links and database queries.


5

Which DDoS mitigation to use?

Cloud/Hosted Service:

•  Content Delivery Network

•  Carrier Service Provider

•  Cloud-based DDoS Service

On-Premise Defense:

•  Network firewall with SSL inspection

•  Web Application Firewall

•  On-premise DDoS solution

•  Intrusion Detection/Prevention

6

The answer: “All of the above”


7

“It is simply not cost-effective to run all your traffic through a scrubbing center constantly, and many DoS attacks target the application layer – demanding use of a customer premise device anyway.”

– Securosis, “Defending Against DoS Attacks”

8

Why isn’t an anti-DDoS service enough?

From attack to protection, cloud-based scrubbing involves time-consuming steps:

•  Cloud scrubbers are expensive, and financial approval for activation takes up to an hour

•  Re-routing traffic itself can take up to 2 hours…

•  …but the average attack lasts only 54 minutes. And 25% of attack traffic is application based, probably SSL-encrypted and invisible to the scrubber

For full-pipe attacks, there is no substitute for a cloud-based or service-provider DDoS service. But how many attacks are full-pipe, and what about encrypted attacks?


9

Real DDoS Use Cases

Using F5 with an anti-DDoS service

Using F5 to mitigate short-lived, small-to-medium DDoS fully

10

Introducing the F5 Application Delivery Firewall
Bringing deep application fluency to firewall security

One platform

SSL inspection

Traffic management

DNS security

Access control

Application security

Network firewall

EAL2+, EAL4+ (in process)

DDoS mitigation


11

Using an anti-DDoS/Service Provider only

Anti-DDoS services invoked: rate limiting 90% of traffic, but application tier still down due to asymmetric workloads

12

Use Case #1: F5 + Cloud-scrubber/Service Provider
iRule invoked to scrub remaining traffic by URI

•  Anti-DDoS service for volumetric attacks

•  iRule blocks targeted URLs under attack

•  Monitoring/management required during attack


13

Use Case #2: Hardened Side-Site
Temporary reduction of Layer 7 attack surface

•  Hardened side-site activated during attack

•  Allows authenticated and SSL access only

•  Enables most functions for valid users

14

Use Case #3: Hardened Site with F5
Threat reduction for the entire site

•  Pre-defined, hardened virtual servers activated during attacks

•  BIG-IP AFM allows only SSL and handles L3/L4 DDoS

•  BIG-IP APM/ASM secures applications for authenticated users


15

Use Case #4: Mitigating Network Reconnaissance
IP Intelligence: Identify and allow or block IP addresses with malicious activity

IP intelligence service: IP address feed updates every 5 min

Diagram labels: custom application, financial application, geolocation database

Major sources of network reconnaissance:

•  Internally infected devices and servers

•  Botnet

•  Attacker

•  Anonymous requests

•  Anonymous proxies

•  Scanner

•  Restricted region or country

16

Deep Dive into F5 DDoS Mitigation Technology

“How do I use the F5 products I’ve already got to help defend against DDoS attacks?”


17

DDoS MITIGATION

Application attacks: OWASP Top 10 (SQL Injection, XSS, CSRF, etc.), Slowloris, Slow Post, HashDos, GET Floods
F5 mitigation technology: BIG-IP ASM – positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection

Session attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
F5 mitigation technology: BIG-IP LTM and GTM – high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation

Network attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
F5 mitigation technology: BIG-IP AFM – SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.

OSI stack: Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2), Physical (1)

Increasing difficulty of attack detection

•  Protect against DDoS at all layers

•  Withstand the largest attacks

•  Gain visibility and detection of SSL encrypted attacks

18

Defending Layers 3 and 4

Using Performance to mitigate network-based attacks


19

Network Floods – Mitigated by Scale and Performance

Layer 3: Configurable rate-limiting of ICMP floods

Layer 4: SYN-flood protection in hardware, mitigating 1 billion SYNs per second

BIG-IP 10200v: 36M concurrent sessions

VIPRION 2400: 48M concurrent sessions

VIPRION 4480: 144M concurrent sessions

VIPRION 4800: 288M concurrent sessions

20

BIG-IP Advanced Firewall Manager (AFM)

Available in a bundle with BIG-IP LTM

Providing network firewall and protection for 38 customizable DDoS vectors

§  L4 stateful full proxy firewall

§  IPsec, NAT, advanced routing, full SSL, on-box reporting, and protocol security


21

Defending DNS

22

DNS Security with BIG-IP GTM and DNS Express

Solved with BIG-IP GTM with DNS Express:

§  250K queries/second per CPU

§  Over 10M/second for VIPRION

DNS DDoS:

§  UDP floods mitigated by high-scale full-proxy architecture

§  NXDOMAIN query floods are intended to attack caches; DNS Express is not a cache, so NXDOMAIN floods can’t force it to drop zone info

DNS Firewall:

§  Filter based on header and question sections: opcode, query/response header, response code; allow/drop DNS response record

§  Anomaly detection: per query type; specify thresholds and watermarks in DDoS profile
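The DNS firewall behaviour described above, filtering on the header and question sections and counting queries per query type against a threshold, as an added example in Python (not F5 code; the query-type thresholds and the sample queries are constructed for this illustration):

```python
import struct
from collections import defaultdict

QTYPE_NAMES = {1: "A", 28: "AAAA", 15: "MX", 16: "TXT", 255: "ANY"}
# Per-second thresholds per query type: assumed values for this example, not F5 defaults.
PER_SECOND_THRESHOLD = {"ANY": 5, "TXT": 20, "MX": 50, "A": 1000, "AAAA": 1000}

def parse_query(pkt: bytes):
    """Return (opcode, qname, qtype) from the header and first question, else None."""
    if len(pkt) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qdcount != 1:      # QR bit set (a response) or not one question
        return None
    labels, pos = [], 12
    while pos < len(pkt):
        n, pos = pkt[pos], pos + 1
        if n == 0:
            break
        if n & 0xC0 or pos + n > len(pkt):  # compression pointers are not valid here
            return None
        labels.append(pkt[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(pkt):                  # also catches a name that never terminated
        return None
    qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return (flags >> 11) & 0xF, ".".join(labels), qtype

def build_query(name: str, qtype: int, opcode: int = 0, txid: int = 0x1234) -> bytes:
    """Constructed helper: builds the sample queries used to exercise the filter."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    flags = (opcode << 11) | 0x0100         # RD set, QR clear
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

class DnsFirewall:
    def __init__(self):
        self.seen = defaultdict(int)        # (second, qtype name) -> queries seen
    def decide(self, pkt: bytes, now: int) -> str:
        parsed = parse_query(pkt)
        if parsed is None:
            return "drop:malformed"
        opcode, _qname, qtype = parsed
        if opcode != 0:                     # standard QUERY only
            return "drop:opcode"
        name = QTYPE_NAMES.get(qtype, str(qtype))
        self.seen[(now, name)] += 1
        if self.seen[(now, name)] > PER_SECOND_THRESHOLD.get(name, 100):
            return f"drop:flood:{name}"
        return "allow"
```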


23

DNS DDoS: Protocol Security

24

DNS DDoS: Protocol Security


25

Defending SSL

Using capacity and cryptographic offload to defend against SSL floods and protocol attacks.

26

SSL INSPECTION

•  Gain visibility and detection of SSL-encrypted attacks

•  Achieve high-scale/high-performance SSL proxy

•  Offload SSL—reduce load on application servers


27

SSL Renegotiation: Attempted against a BIG-IP in the field. Mitigated by F5 FSE.

28

Mitigating Esoteric Layer 7 Attacks

Apache Killer, Slowloris, Slow POST


29

Layer 7 Attack Tools / F5 Mitigations

Attack (active since): threat/flaw

•  Slowloris (Jun 2009): HTTP GET request, partial header

•  XerXes DoS (Feb 2010): TCP flood (8 times increase, 48 threads)

•  LOIC/HOIC (Nov 2010): TCP/UDP/HTTP GET floods

•  Slow POST (RUDY) (Nov 2010): HTTP web form field, slow 1-byte send

•  #RefRef DoS (Jul 2011): Exploit SQLi for recursive SQL ops

•  Apache Killer (Aug 2011): Overlapping HTTP ranges

•  HashDos (Dec 2011): Overwhelms hash tables of all popular web platforms – Java, ASP, Apache, Tomcat.

Impact: Attack can be launched remotely, Denial of Service (DoS), Resource Exhaustion, tools and scripts publicly available

Measures (F5 mitigations, in slide order): LTM/iRule slow request completion; *Adaptive Connect Reaper (threshold); ASM slow connect; *ASM attack signature; iRule/ASM (signature - regexp); iRule

30

HashDos

“HashDos” vulnerability affects all major web servers and application platforms

Single DevCentral iRule mitigates vulnerability for all back-end services

Staff can schedule patches for back-end services on their own timeline
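The idea behind a single in-path mitigation for HashDos is that the device in front of the back ends refuses requests carrying an implausible number of form or query parameters before any back end builds a hash table from them. The following Python is an added example of that check (it is not the DevCentral iRule, which is written in Tcl; the caps and the sample bodies are assumed values constructed for this illustration):

```python
from typing import Dict, Optional, Tuple

# Caps are assumed values for this example; tune them to the application.
MAX_BODY_BYTES = 64 * 1024   # reject oversized form bodies before reading them
MAX_PARAMS = 1000            # a hash-collision payload needs far more than a real form

def count_params(raw: bytes) -> int:
    """Number of key=value pairs a form decoder would insert into its hash table.
    Counted on the raw bytes so nothing is inserted anywhere before the decision."""
    return raw.count(b"&") + 1 if raw else 0

def check_request(method: str, uri: str, headers: Dict[str, str],
                  body: Optional[bytes]) -> Tuple[bool, str]:
    """Return (allowed, reason). Query strings are checked for every method; form
    bodies only when the content type says they will be decoded into parameters."""
    _, _, query = uri.partition("?")
    if count_params(query.encode()) > MAX_PARAMS:
        return False, "too many query parameters"
    ctype = headers.get("content-type", "").lower()
    if method != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return True, "no form body to inspect"
    try:
        length = int(headers.get("content-length", "0"))
    except ValueError:
        return False, "malformed content-length"
    if length > MAX_BODY_BYTES:
        return False, "form body too large"        # decided without collecting the body
    if body is None:
        return True, "collect body, then re-check"  # header stage passed
    n = count_params(body)
    if n > MAX_PARAMS:
        return False, f"{n} form parameters"
    return True, f"{n} form parameters"

def form_body(n: int) -> bytes:
    """Constructed helper: a body with n distinct parameters, k0=v&k1=v&..."""
    return "&".join(f"k{i}=v" for i in range(n)).encode()
```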


31

Mitigating other Low-Bandwidth Layer 7 Attacks

Not always a DDoS attack, but still a DoS condition.

32

Automatic HTTP/S DOS Attack Detection and Protection

•  Accurate detection technique—based on latency

•  Three different mitigation techniques escalated serially

•  Focus on higher value productivity while automatic controls intervene

Escalation: Detect a DOS condition → Identify potential attackers → Drop only the attackers
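The three-stage escalation described on this slide (detect a DoS condition from latency, identify potential attackers, drop only those), as an added example in Python run over constructed access-log lines. This is not ASM's implementation; the latency factor, the request-share threshold, the log format and the client addresses are all assumptions made for the illustration.

```python
from collections import Counter
from statistics import median

# Constructed access-log sample, one request per line: "epoch client uri latency_ms".
# BASELINE is a calm period; in the attack WINDOW one client hammers /login and
# latency climbs for every client, including the four legitimate ones.
BASELINE = [f"{100 + i} 10.0.0.{1 + i % 4} /home 40" for i in range(20)]
NORMAL = [f"{200 + i} 10.0.0.{1 + i % 4} /home {45 + i}" for i in range(8)]
ATTACK = [f"{200 + i % 10} 203.0.113.7 /login {400 + i}" for i in range(40)]
WINDOW = NORMAL + ATTACK

def parse(lines):
    """Turn log lines into (epoch, client, uri, latency_ms) tuples."""
    rows = []
    for line in lines:
        ts, client, uri, latency = line.split()
        rows.append((int(ts), client, uri, int(latency)))
    return rows

def detect_dos(baseline, window, factor=3.0):
    """Stage 1: a DoS condition is declared from server latency, not request volume:
    the window's median latency exceeds 'factor' times the calm baseline's median."""
    return median(r[3] for r in window) > factor * median(r[3] for r in baseline)

def identify_attackers(window, share=0.2):
    """Stage 2: suspects are the source IPs and the URIs that each account for more
    than 'share' of all requests in the window (assumed threshold for the example)."""
    total = len(window)
    ips = Counter(r[1] for r in window)
    uris = Counter(r[2] for r in window)
    return ({ip for ip, n in ips.items() if n > share * total},
            {uri for uri, n in uris.items() if n > share * total})

def mitigate(baseline, window):
    """Stage 3: drop only the identified attacker IPs, and only while a DoS
    condition holds; legitimate clients keep their access."""
    if not detect_dos(baseline, window):
        return set()
    attacker_ips, _hot_uris = identify_attackers(window)
    return attacker_ips
```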


33

REPORTING AND VISIBILITY

34

BIG-IP AFM - Network Firewall Rules


35

Different DoS/DDoS Profiles per Listener

•  Enable a unique or general DoS/DDoS profile per Listener

•  All threshold values are configurable

•  80+ pre-defined DoS/DDoS attacks

36

AFM Firewall Match and Drill Down


37

devcentral.f5.com facebook.com/f5networksinc linkedin.com/companies/f5-networks twitter.com/f5networks youtube.com/f5networksinc