F5 DDoS Protection
Post on 20-Mar-2017
TRANSCRIPT
© F5 Networks, Inc 2
DDoS (Distributed Denial of Service)
[Diagram: attackers spread across the Internet, alongside legitimate web clients, partners and remote users, target a data center behind routers (act/stby), multi-layer switches (act/stby), next-generation firewalls, VPN, a DMZ with anti-malware, proxy and DLP; inside are users, applications, database, DNS and email. Attack classes shown: Application DoS, Session DoS, Network DoS, Volumetric DoS.]
DDoS World is Complex
[Slide keywords: Growing, Anyone, Global, Fun, Agenda, War tactics, Diverse, Business]
Types of DDoS attacks
Layer 7 (Application): OWASP Top 10 (e.g. XSS), Slowloris, Slow Post/Read, HTTP GET/POST floods, …
Layers 5-6 (Session: SSL, DNS, NTP): DNS UDP floods, DNS query floods, DNS NXDOMAIN floods, SSL floods, SSL renegotiation, …
Layers 2-4 (Network): SYN/UDP/Conn. floods, PUSH and ACK floods, ICMP/Ping floods, Teardrop, Smurf attacks, …
Types of DDoS attacks – Blended Volumetric
(Same layer-by-layer list as the previous slide, with the label "Blended Volumetric" added.)
DDoS attacks are easy to launch – Press button and forget (2016 Tools Bundle)
Tools: hping3, nmap, Low Orbit Ion Cannon, High Orbit Ion Cannon, killapache.pl, slowloris, metasploit, slowhttptest, RussKill, Pandora, Dirt Jumper, PhantomJS, …, JMeter, Scapy, Httpflooder, SSLyze, THC-SSL-DOS, and many, many more…
Evasion techniques / differentiation:
• Several User-Agents & Referrers
• Random URL/UA/Content-Length
DDoS IoT (Internet of Things) – Mirai botnet
Mirai in Japanese means "future".
https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/
DDoS IoT – Mirai botnet: Known targets of DDoS attacks
[Chart of reported attack sizes: 0.54 Tbps, 0.62 Tbps, 1.0 Tbps, 1.2 Tbps]
DDoS IoT – Mirai botnet: DDoS Attacks
• STOMP attack
• Non-standard attacks: the known "VSE" attack offered by online booters (DDoS as a Service), exploiting online gaming servers for amplification
• Never-implemented attack: a hidden "CFNull" Layer 7 attack
DDoS IoT – Other botnets: IoT Malware Families
• Mirai
• LuaBot
• qBot (GayFgt/Torlus/Bashlite)
• Darlloz
• IRCTelnet (Aidra2)
• Hajime
F5 Networks DDoS Protection – On-premises and cloud-based services for comprehensive DDoS Protection
Protect Your Business and Stay Online During a DDoS Attack
F5 ON-PREMISES DDOS PROTECTION
• Mitigate mid-volume, SSL, or application targeted attacks on-premises
• Complete infrastructure control
• Advanced L7 attack protections
F5 SILVERLINE DDOS PROTECTION (when under attack)
• Turn on cloud-based service to stop volumetric attacks from ever reaching your network
• Multi-layered L3-L7 DDoS attack protection against all attack vectors
• 24/7 attack support from security experts
F5 Networks DDoS Protection – Reference Architecture
[Diagram: traffic from Legitimate Users and DDoS Attackers (scanners, anonymous proxies, anonymous requests, botnet attackers) passes through three tiers, each a strategic point of control:
• Cloud tier: Cloud Scrubbing Service (volumetric attacks and floods, operations center experts, L3-7 known signature attacks), fed by a Threat Intelligence Feed; multiple ISP strategy (ISP a/b)
• Network tier: Network and DNS defenses plus IPS and Next-Generation Firewall; covers network attacks (ICMP flood, UDP flood, SYN flood) and DNS attacks (DNS amplification, query flood, dictionary attack, DNS poisoning); Corporate Users sit behind it
• Application tier: HTTP attacks (Slowloris, slow POST, recursive POST/GET) and SSL attacks (SSL renegotiation, SSL flood) in front of Financial Services, E-Commerce and Subscriber applications]
F5 Networks DDoS Protection – Why F5 Hybrid is better
• Only single vendor with native, seamlessly integrated on-premise and cloud-based scrubbing services
• Leverages industry-leading application protections to defend against L7 DDoS and vulnerability threats
• Most comprehensive HW-based DDoS protection coverage
• Unsurpassed SSL performance with SSL termination and outbound SSL interception protection
• Ensures app availability and performance while under attack with leading datacenter scalability and up to 2 Tbps of cloud-based scrubbing capacity
• Gartner on DDoS – Go Hybrid!
• "Cloud + On-Premise" makes the most sense
F5 On-premises DDoS protection – Full proxy security
[Diagram: the full proxy terminates the client-side TCP, SSL and HTTP stack and opens a separate server-side TCP, SSL and HTTP stack, with iRules hooking each layer. The Network Firewall side absorbs ICMP flood, SYN flood and SSL renegotiation; the WAF side handles the Slowloris attack, XSS and data leakage.]
F5 On-premises protection – Comprehensive application security
• Application Access
• Network Access
• Network Firewall
• Network DDoS Protection
• SSL DDoS Protection
• DNS DDoS Protection
• Application DDoS Protection
• Web Application Firewall
• Fraud Protection
• Virtual Patching
F5 On-premises protection – Comprehensive DDoS protection: More than only DDoS Protection
• ASM DoS + IPI: L7 DoS profiles, heavy URLs
• AFM DoS + IPI: device DoS, protocol DoS, IP Intelligence, B/W lists
• DNS DoS: DNS DoS, DNSSEC
• LTM profiles: HTTP/HTTPS, SSL, SIP, SMTP
• BIG-IP system: Reaper (75%-90%), iRules
F5 On-premises DDoS protection – Performance
Up to 640 Gbps, 7.5M CPS, 576M CCS in the datacenter and over 1 Tbps in the cloud.
[Chart of platform throughput, low to high: 2000 series / 4000 series, 5000 Series, 7000 Series, 10000 Series, 11000 Series, VIPRION 2200 (new), VIPRION 2400, VIPRION 4480, VIPRION 4800; tick values shown: 1 Gbps, 3 Gbps, 5 Gbps, 10 Gbps (new), 25M, 200M]
F5 On-premises DDoS protection – DDoS vectors hardware accelerated
Over 110 L3/4 DDoS vectors, the majority of them mitigated in hardware.
Network DDoS Mitigation
[Diagram: the reference architecture shown earlier, with the Network tier (Network and DNS, IPS, Next-Generation Firewall) highlighted.]
NETWORK KEY FEATURES
• The network tier at the perimeter is layer 3 and 4 network firewall services
• Simple load balancing to a second tier
• IP reputation database
• Mitigates transient and low-volume attacks
Demo TCP SYN Flood – SYN Cookies
• The original SYN is transformed into a cookie and sent back to the client with the SYN-ACK; no flow table entry is created yet.
• The flow table entry is created and inserted on receipt of the ACK packet: connection established.
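As an added illustration of the handshake the slide describes (this is not F5's code, which is not on the page), the Python model below answers every SYN with a cookie-derived sequence number, stores nothing, and inserts a flow-table entry only when a client's ACK carries a cookie that validates for the current or previous time slot. The secret, the 29-bit hash width, the 3-bit slot field, the proxy class and the addresses are constructed for the demo.

```python
import hashlib
import hmac
import struct


def _cookie_mac(secret: bytes, src: str, sport: int, dst: str, dport: int, counter: int) -> int:
    """29-bit keyed hash over the 4-tuple and the time-slot counter (constructed layout)."""
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0] & 0x1FFFFFFF


class SynCookieProxy:
    """Listener that answers every SYN statelessly and only tracks validated flows."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0        # advanced by tick(), e.g. once a minute
        self.flow_table = {}    # (src, sport, dst, dport) -> state

    def tick(self) -> None:
        """Move to the next time slot; cookies from older slots stop validating."""
        self.counter += 1

    def on_syn(self, src: str, sport: int, dst: str, dport: int) -> int:
        """Return the ISN for the SYN-ACK. Nothing is stored, so half-open SYNs cost no memory."""
        slot = self.counter & 0x7                       # 3-bit slot in the top bits
        mac = _cookie_mac(self.secret, src, sport, dst, dport, self.counter)
        return (slot << 29) | mac

    def on_ack(self, src: str, sport: int, dst: str, dport: int,
               ack_number: int, max_age: int = 1) -> bool:
        """Validate ACK-1 as a cookie from the current or previous slot; insert the flow if valid."""
        cookie = (ack_number - 1) & 0xFFFFFFFF
        slot = cookie >> 29
        for age in range(max_age + 1):
            c = self.counter - age
            if c < 0 or (c & 0x7) != slot:
                continue
            expected = _cookie_mac(self.secret, src, sport, dst, dport, c)
            if hmac.compare_digest(expected.to_bytes(4, "big"),
                                   (cookie & 0x1FFFFFFF).to_bytes(4, "big")):
                # Only now does the connection get a flow-table entry.
                self.flow_table[(src, sport, dst, dport)] = "ESTABLISHED"
                return True
        return False


def half_open_syn_cost(proxy: SynCookieProxy, n: int) -> int:
    """Feed n SYNs that never complete the handshake; return the flow-table growth (always 0)."""
    before = len(proxy.flow_table)
    for i in range(n):
        proxy.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, "10.1.10.80", 80)
    return len(proxy.flow_table) - before


if __name__ == "__main__":
    p = SynCookieProxy(b"constructed-demo-secret")
    print("flow entries after 10000 half-open SYNs:", half_open_syn_cost(p, 10000))
    isn = p.on_syn("10.1.10.100", 40000, "10.1.10.80", 80)
    print("legit ACK accepted:", p.on_ack("10.1.10.100", 40000, "10.1.10.80", 80, isn + 1))
```

The slot counter is what bounds the replay window: an ACK that arrives more than one tick after its SYN-ACK no longer validates, so a flooder cannot bank cookies and replay them later to fill the flow table.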
Demo TCP SYN Flood – Topology and initial configuration
• TMOS version 12.1
• Virtual Server info:
- Listening on port 80
- Type: Performance L4 (to start with)
- No HTTP profile (to start with)
- Pool members: 3 x Apache servers listening on port 80
[Topology: Attacker (.200) and User (.100) on 10.1.10.0/24 reach VS .80:80 on the BIG-IP platform; the application pool members .11, .12 and .13 sit on 10.1.20.0/24]
Network DDoS Mitigation – AFM (Advanced Firewall Manager)
[Diagram: Network DDoS, Data Center Firewall, DNS Security, Application Security and Access Security in front of classic servers and app servers]
• Built on the market-leading Application Delivery Controller (ADC)
• Consolidates multiple appliances to reduce TCO
• Protects against L2-L4 attacks with the most advanced full proxy architecture
• Delivers over 110 vectors and more hardware-based DoS vectors than any other vendor
• Ensures performance while under attack – scales to 7.5M CPS; 576M CC; 640 Gbps
• Offers a foundation for an integrated L2-L7 application delivery firewall platform
Network DDoS Mitigation – AFM: Stateless DDoS Mitigation (L2-L4 stateless DoS vectors)
[Screenshot: DoS categories and DoS vectors, each with three thresholds]
• Detection Threshold (absolute number in PPS): when to report an attack
• Detection Threshold (relative percent increase in PPS): when to report an attack
• Mitigation Threshold (absolute number in PPS): when to mitigate an attack
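To make the three thresholds concrete, here is an added Python model (not F5's implementation, whose internals are not on the page) of one stateless vector: a detection threshold as an absolute packets-per-second number, a detection threshold as a percent increase over a learned baseline, and a mitigation threshold above which excess packets are dropped. The class, the baseline window and the sample rates are constructed for the demo.

```python
from collections import deque


class DosVector:
    """One L2-L4 vector with the three thresholds from the AFM DoS vector table (constructed values)."""

    def __init__(self, name: str, detect_abs_pps: int, detect_pct_increase: int,
                 mitigate_abs_pps: int, baseline_samples: int = 5):
        self.name = name
        self.detect_abs_pps = detect_abs_pps            # report when PPS reaches this number
        self.detect_pct_increase = detect_pct_increase  # ... or rises this % above the baseline
        self.mitigate_abs_pps = mitigate_abs_pps        # drop everything above this rate
        self.history = deque(maxlen=baseline_samples)   # recent clean samples for the baseline

    def baseline(self):
        return sum(self.history) / len(self.history) if self.history else None

    def observe(self, pps: int) -> dict:
        """Classify one per-second sample and say what a stateless mitigation would do with it."""
        base = self.baseline()
        relative_hit = (base is not None and base > 0
                        and pps >= base * (1 + self.detect_pct_increase / 100))
        detected = pps >= self.detect_abs_pps or relative_hit
        mitigate = pps >= self.mitigate_abs_pps
        dropped = max(0, pps - self.mitigate_abs_pps) if mitigate else 0
        if not detected:
            # Only clean samples feed the baseline, so an attack cannot raise it.
            self.history.append(pps)
        return {
            "vector": self.name, "pps": pps, "baseline": base,
            "detected": detected, "mitigate": mitigate, "dropped_pps": dropped,
            "action": "drop-excess" if mitigate else ("report" if detected else "allow"),
        }


def run(vector: DosVector, samples):
    """Apply observe() to a series of per-second PPS samples and return the decisions."""
    return [vector.observe(s) for s in samples]


if __name__ == "__main__":
    v = DosVector("icmp-flood", detect_abs_pps=10_000, detect_pct_increase=500,
                  mitigate_abs_pps=50_000)
    for r in run(v, [100, 120, 110, 800, 60_000, 90]):
        print(r)
```

With these constructed values a jump from a ~110 PPS baseline to 800 PPS is reported (more than 500% above baseline) without dropping anything, while 60,000 PPS crosses the mitigation threshold and has 10,000 PPS of excess dropped; the mitigation threshold is what protects the pool, the two detection thresholds are what makes the event visible.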
Demo Different Network DDoS Attacks – Topology and initial configuration
• TMOS version 12.1
• Virtual Server info:
- Listening on all ports
- Type: Standard
- TCP profile: tcp-lan-optimized on outside interface
- Pool members: 1 x server listening on different ports
[Topology: Attacker (.200) and User (.100) on 10.1.10.0/24 reach VS .80 (all ports) on the BIG-IP platform; the server .11 sits on 10.1.20.0/24]
Network DDoS Mitigation – Dynamic Endpoint Visibility & Enforcement: IP Intelligence service
F5 IP Intelligence Service
• Dynamic feed updated every 5 minutes
• Applied at Virtual-Server level
• 9 pre-defined categories of malicious IPs/subnets
• Customizable per-category actions (Accept, Warn, Reject)
• Policy name (attachable to a Virtual Server)
Network DDoS Mitigation – AFM: Dynamically update security logic
Maintain a current IP reputation database that allows you to automatically mitigate traffic from known bad or questionable IP addresses.
F5 IP INTELLIGENCE SERVICES
• Dynamic services feeds updated frequently
• Policy attached to global, route-domain or VS contexts
• Categorize IP/subnet by attack type
• Customizable actions per attack type category (i.e., Accept, Warn, Alert)
• Create multiple customizable IP feeds
DYNAMIC IP BLACK LISTS & WHITE LISTS
• Create IP black lists and white lists that override IP intelligence services
• Merge multiple sources into one feed or enforcement policy
• HTTP/S & FTP polling methods
• User-defined categories
• Support for IPv6 and IPv4
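The evaluation order the two IP Intelligence slides describe (local white and black lists override the feed; per-category actions; several sources merged into one policy; IPv4 and IPv6) can be modelled in a few dozen lines. The Python below is an added example, not F5's policy engine; the class, the category names and the feed entries (RFC 5737/3849 documentation ranges) are constructed.

```python
import ipaddress


class IpIntelligencePolicy:
    """Reputation policy: per-category actions, overridden by local white/black lists."""

    ACTIONS = ("accept", "warn", "reject")

    def __init__(self, name: str):
        self.name = name
        self.category_actions = {}   # category -> action
        self.feed = {}               # ip_network -> category (merged from all sources)
        self.whitelist = []
        self.blacklist = []

    def set_action(self, category: str, action: str) -> None:
        if action not in self.ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        self.category_actions[category] = action

    def load_feed(self, entries) -> int:
        """Merge (cidr, category) pairs from one source; IPv4 and IPv6 both accepted."""
        for cidr, category in entries:
            self.feed[ipaddress.ip_network(cidr, strict=False)] = category
        return len(self.feed)

    def add_whitelist(self, cidr: str) -> None:
        self.whitelist.append(ipaddress.ip_network(cidr, strict=False))

    def add_blacklist(self, cidr: str) -> None:
        self.blacklist.append(ipaddress.ip_network(cidr, strict=False))

    def evaluate(self, ip: str):
        """Return (action, reason). Local lists win; then the most specific feed match."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.whitelist):
            return "accept", "whitelist"
        if any(addr in net for net in self.blacklist):
            return "reject", "blacklist"
        matches = [net for net in self.feed if addr.version == net.version and addr in net]
        if matches:
            best = max(matches, key=lambda n: n.prefixlen)   # longest prefix wins
            category = self.feed[best]
            return self.category_actions.get(category, "accept"), category
        return "accept", "no-match"


def build_demo_policy() -> IpIntelligencePolicy:
    """Constructed policy and feed using documentation address ranges."""
    p = IpIntelligencePolicy("vs-web-ipi")
    p.set_action("botnets", "reject")
    p.set_action("scanners", "reject")
    p.set_action("anonymous_proxies", "warn")
    # Two "sources" merged into one feed, as the slide's merge bullet describes.
    p.load_feed([("198.51.100.0/24", "botnets"), ("203.0.113.0/24", "anonymous_proxies")])
    p.load_feed([("2001:db8::/32", "scanners"), ("198.51.100.128/25", "scanners")])
    p.add_whitelist("198.51.100.7/32")   # a partner host the feed mis-categorised
    p.add_blacklist("192.0.2.9/32")      # locally observed bad actor not in any feed
    return p


if __name__ == "__main__":
    policy = build_demo_policy()
    for ip in ("198.51.100.5", "198.51.100.200", "198.51.100.7", "203.0.113.4",
               "2001:db8::1", "192.0.2.9", "192.0.2.10"):
        print(ip, policy.evaluate(ip))
```

The whitelist check running first is the operationally important part: a reputation feed refreshed every few minutes will occasionally list a partner or monitoring host, and a local override is what keeps that from becoming a self-inflicted outage.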
DNS DDoS Attacks
Why is DNS popular for DDoS?
• Widely used protocol, open on firewalls, open recursion
• DNS is based on UDP
• DNS DDoS often uses spoofed sources
• Large amplification factor (100x) – using open resolvers or the ANY type against an authoritative NS
Traditional mitigations are failing
• Using an ACL blocks legitimate clients
• DNS attacks use massive volumes of source addresses, breaking many firewalls
Denial of Service attacks targeting DNS infrastructure are often complex, and standard tools cannot provide an adequate response to mitigate them without inhibiting the ability of DNS to do its job.
DNS DDoS Attacks – DNS UDP Flood
Synopsis: Many attackers or botnets flood an authoritative name server, attempting to exceed its capacity. Dropped responses = reduced or no site availability.
[Diagram: DNS requests towards the target DNS infrastructure, DNS responses back]
Mitigation – PERFORMANCE, PERFORMANCE, …
• F5 offers exceptional DNS capacity: over 2M RPS for an appliance and over 20M RPS for a chassis. Additionally, Rapid Response Mode can be used to double capacity during the attack.
• Identify unusually high traffic patterns to specific clients using F5 DNS DDoS Profiles – ICSA-certified FW with support for 30+ DDoS vectors
• Use DNS Anycast to distribute the load between regional DCs
DNS DDoS Attacks – DNS Amplification & NSQUERY
[Diagram: small DNS requests with a spoofed source, large DNS responses delivered to the target site]
Synopsis: By spoofing a UDP source address, attackers can target a common source. By requesting large record types (ANY, DNSSEC, etc.), a 36-byte request can result in a response over 100 times larger.
Mitigation
• DNS request type validation – force TCP in case of type ANY
• BIG-IP supports DNS type ACLs – filters for acceptable DNS query types
• Identify unusually high traffic patterns to specific clients or from specific sources via DNS DoS Profiles and apply mitigations
• Drop all unsolicited responses (BIG-IP's default behavior)
DNS DDoS Attacks – NXDOMAIN Random Hostname Attack
• Querying for randomly-generated non-existent hostnames
• Causes enormous work on the DNS resolver
• Blows out DNS caches
• Easy to generate – single packet per name
• Easy to spoof source address – UDP
• Asymmetric
• Low-bandwidth
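Because a random-hostname attack is low-bandwidth, rate alone is a weak signal; what stands out in resolver logs is a client whose queries mostly fail and whose failing labels look random. The Python below is an added example (not an F5 feature or its detection logic) that scores each client by NXDOMAIN ratio and by the Shannon entropy of the leftmost label of the names that failed. The log format, the thresholds and the sample lines are constructed; the addresses reuse the demo topology's user (.100) and attacker (.200).

```python
import math
from collections import defaultdict

# Constructed resolver query log: "<unix ts> <client ip> <qname> <rcode>".
SAMPLE_LOG = """\
1490000001 10.1.10.100 www.example.com NOERROR
1490000001 10.1.10.100 mail.example.com NOERROR
1490000002 10.1.10.200 x7kq2pz9.example.com NXDOMAIN
1490000002 10.1.10.200 q93lmzv1.example.com NXDOMAIN
1490000002 10.1.10.200 zt0b8vkd.example.com NXDOMAIN
1490000003 10.1.10.200 m4pw1xqr.example.com NXDOMAIN
1490000003 10.1.10.200 www.example.com NOERROR
1490000003 10.1.10.100 typo.exmaple.com NXDOMAIN
"""


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label; random labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(log_text: str, min_queries: int = 4, nx_ratio: float = 0.75,
            min_entropy: float = 2.5) -> dict:
    """Per-client NXDOMAIN ratio and randomness of the failing hostnames."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "entropies": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        s = stats[client]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
            s["entropies"].append(label_entropy(qname.split(".")[0]))
    report = {}
    for client, s in stats.items():
        ratio = s["nxdomain"] / s["queries"]
        mean_entropy = sum(s["entropies"]) / len(s["entropies"]) if s["entropies"] else 0.0
        report[client] = {
            "queries": s["queries"], "nxdomain": s["nxdomain"],
            "nx_ratio": ratio, "mean_entropy": mean_entropy,
            # All three conditions must hold: enough volume, mostly failures, random-looking names.
            "suspicious": (s["queries"] >= min_queries and ratio >= nx_ratio
                           and mean_entropy >= min_entropy),
        }
    return report


if __name__ == "__main__":
    for client, r in analyze(SAMPLE_LOG).items():
        print(client, r)
```

The single typo from the legitimate client (one NXDOMAIN out of three queries) stays below both the volume and the ratio thresholds, which is the point: a mitigation keyed on this score can rate-limit the offending source without blocking ordinary clients that occasionally mistype a name.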
DNS DDoS Mitigation – AFM: Stateless App. Layer DoS Detection (application protocol volumetric attack detection: DNS & SIP)
• Malformed/protocol violations detection
• DNS DoS detection by query type: when to report an attack – absolute and relative increase detection thresholds
• SIP DoS detection by method: when to report an attack – absolute and relative increase detection thresholds
DNS DDoS Mitigation – AFM: Protocol Security (application protocol compliance & DNS DoS mitigation)
Filter by DNS query types: a, aaaa, any, cname, mx, ns, ptr, soa, srv, m, px, md, mf, a6, rt, mb, ds, kx, mg, rp, mr, null, wks, dlv, hip, opt, txt, loc, spf, eid, nxt, key, x25, sig, tsig, ata, ixfr, cert, apl, axfr, sink, naptr, isdn, nsec, gpos, dname, nsec3, dhcid, zxfer, rrsig, sshfp, maila, afsdb, tkey, nsec3param, ipseckey, nsap_ptr, nsap, nimloc, dnskey, mailb, hinfo, minfo
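The two DNS mitigations on the amplification slide (a query-type ACL, and forcing ANY onto TCP) and the query-type filter on this slide come down to reading the question section of each packet and deciding per type. The Python below is an added example, not BIG-IP's DNS protocol security code: it parses a minimal DNS query, drops anything that is not a well-formed query (including unsolicited responses), drops types outside the ACL, and answers a UDP ANY with an empty TC=1 response so that only a client able to retry over TCP (which a spoofed source cannot) gets the large answer. The packet builder, the ACL and the subset of type numbers are constructed; the type numbers themselves are the standard IANA RR type codes.

```python
import struct

# Subset of the query-type table on the slide, keyed by IANA RR type number.
QTYPE_NAMES = {1: "a", 2: "ns", 5: "cname", 6: "soa", 12: "ptr", 15: "mx", 16: "txt",
               28: "aaaa", 33: "srv", 43: "ds", 46: "rrsig", 47: "nsec", 48: "dnskey",
               252: "axfr", 255: "any"}


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed DNS query packet (header + one question) for the demo."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QR clear
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def parse_query(packet: bytes) -> dict:
    """Parse the header and first question; reject anything that is not a well-formed query."""
    if len(packet) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount = struct.unpack(">HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("unsolicited response")   # QR=1: we never asked, drop it
    if qdcount != 1:
        raise ValueError("unexpected question count")
    offset, labels = 12, []
    while True:
        ln = packet[offset]
        offset += 1
        if ln == 0:
            break
        if ln & 0xC0 or offset + ln > len(packet):
            raise ValueError("malformed name")
        labels.append(packet[offset:offset + ln].decode("ascii"))
        offset += ln
    qtype, _qclass = struct.unpack(">HH", packet[offset:offset + 4])
    return {"id": txid, "qname": ".".join(labels) + ".", "qtype": qtype,
            "qtype_name": QTYPE_NAMES.get(qtype, str(qtype)),
            "question": packet[12:offset + 4]}


def truncated_response(packet: bytes) -> bytes:
    """Empty answer with TC=1: a real resolver retries over TCP, a spoofed UDP source never can."""
    txid, flags = struct.unpack(">HH", packet[:4])
    q = parse_query(packet)
    new_flags = 0x8200 | (flags & 0x0100)            # QR=1, TC=1, keep RD
    return struct.pack(">HHHHHH", txid, new_flags, 1, 0, 0, 0) + q["question"]


def is_truncated(packet: bytes) -> bool:
    return struct.unpack(">H", packet[2:4])[0] & 0x8200 == 0x8200


def filter_query(packet: bytes, transport: str, allowed: set, force_tcp=("any",)):
    """Return (verdict, reason, parsed): drop, truncate (force TCP) or forward."""
    try:
        q = parse_query(packet)
    except (ValueError, IndexError) as exc:
        return "drop", str(exc), None
    name = q["qtype_name"]
    if name not in allowed:
        return "drop", f"qtype {name} not in ACL", q
    if name in force_tcp and transport == "udp":
        return "truncate", f"qtype {name} only over TCP", q
    return "forward", "ok", q


# Constructed ACL: what a public authoritative front end typically needs to answer.
ALLOWED = {"a", "aaaa", "mx", "ns", "soa", "txt", "cname", "ptr", "srv", "any"}

if __name__ == "__main__":
    for qtype, transport in ((1, "udp"), (255, "udp"), (255, "tcp"), (252, "tcp")):
        pkt = build_query("example.com", qtype)
        print(QTYPE_NAMES[qtype], transport, filter_query(pkt, transport, ALLOWED)[:2])
```

The truncated reply is the same size as the request, so the 100x amplification the slide quotes collapses to roughly 1x for any source that cannot complete a TCP handshake; zone transfers (axfr) are dropped outright because they have no business arriving from the Internet at all.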
SSL DDoS Mitigation – F5 Reference Architecture
[Diagram: the reference architecture shown earlier, with the Application tier (HTTP attacks: Slowloris, slow POST, recursive POST/GET; SSL attacks: SSL renegotiation, SSL flood) highlighted.]
APPLICATION KEY FEATURES
• Application-aware, CPU-intensive defense mechanisms
• SSL termination
• Web application firewall
• Mitigate asymmetric and SSL-based DDoS attacks
Application DDoS Mitigation – F5 Reference Architecture
[Diagram and key features: the same as on the SSL DDoS Mitigation slide above (Application tier highlighted; application-aware, CPU-intensive defense mechanisms; SSL termination; web application firewall; mitigation of asymmetric and SSL-based DDoS attacks).]
Application DDoS Mitigation – ASM (Application Security Manager): Layer 7 HTTP/S DoS attack protection
▪ Guards against RPS (TPS) and latency-based anomalies
▪ Provides predictive indicators
▪ Supports IP, geolocation, URL and site-wide detection criteria
▪ Provides heavy URL protection
▪ Protects against threats proactively
▪ Simplified reports access and added qkview violations export support
▪ Advanced prevention techniques:
▪ Client Side Integrity Defense
▪ CAPTCHA (HTML or JS response)
▪ Source IP blocking
▪ Geolocation blacklisting
Demo Application DDoS Attacks – Topology and initial configuration
• TMOS version 12.1
• Virtual Server info:
- Listening on port 80
- Type: Performance L4 (to start with)
- No HTTP profile (to start with)
- Pool members: 3 x Apache servers listening on port 80
[Topology: as in the TCP SYN flood demo – Attacker (.200) and User (.100) on 10.1.10.0/24 reach VS .80:80 on the BIG-IP platform; application pool members .11, .12 and .13 on 10.1.20.0/24]
Application DDoS Attacks – HTTP Slow (Low Bandwidth)
• Slow HEADERS (Slowloris) – opening HTTP connections to a web server and then sending just enough data in an HTTP header (typically 5 bytes or so) every 299 seconds to keep the connections open. Slow headers is an attack that very slowly sends an HTTP request. The request headers are sent so slowly that all available server connections are tied up waiting for the slow request to complete. Slowloris achieves denial of service with just 394 open connections for a typical Apache 2.
Demo Slow HEADERS – Start the attack
• Send the command:
slowhttptest -H -c 3000 -i 10 -r 50 -u http://10.1.10.80/ &
• … website is down!
Demo Slow HEADERS – LTM: Standard Virtual Server with HTTP Profile
• LTM can protect the Apache servers by preventing the Slow Headers attack from ever reaching them. A Standard Virtual Server with an HTTP profile does not open the server-side connection until the full HTTP request is received. Since the attack never completes the HTTP request, the attack is never propagated to the servers.
https://support.f5.com/kb/en-us/solutions/public/8000/000/sol8082.html#standard
Demo Slow HEADERS – AFM: Not only Network DDoS protection
DoS enhancements and new vectors: AFM delivers increased effectiveness of DoS vectors by enhancing vectors to provide greater coverage, introducing new vectors, providing more hardware-based vectors, and improving overall DoS logging. Version 12.0 also provides Sweeper enhancements to Slowloris, BiasIdle cleanup and reporting.
Application DDoS Attacks – HTTP Slow (Low Bandwidth)
• Slow POST (R.U.D.Y.) – Like Slowloris, Slow POST uses a slow, low-bandwidth approach, but instead of sending an HTTP header, it begins an HTTP POST command and then feeds in the payload of the POST data very, very slowly. Slow POST is an attack that sends the initial POST request, and attempts to send each additional piece of POST data in subsequent packets very slowly. Since the initial POST completes, LTM creates the connection to the web server. Since the POST data is very slow to complete, all the available connections are tied up again...
Demo Slow POST – Start the attack
• Send the command:
slowhttptest -B -c 3000 -i 20 -r 50 -u http://10.1.10.80/ &
• … website is down!
Demo Slow POST – ASM: Deployment Policy
• ASM deployment steps (shortened): you can use Rapid Deployment; then Apply!
Demo Slow POST – ASM Protection
• ASM can protect against Slow POST attacks by just being applied to the virtual server. The policy does NOT need to be in blocking mode. Since ASM must protect itself from slow connections, it will also protect the virtual server by limiting the number of slow connections allowed. The number of allowed connections per TMM is configurable.
• Security > Options > Application Security > Advanced Configuration > System Variables
• When this protection kicks in, ASM will log to /var/log/asm:
Application DDoS Attacks – HTTP Slow (Low Bandwidth)
• Slow READ – Slow Read is an attack that sends a normal request for an HTTP page. The attacker then accepts the site data with a very small TCP window. Upon receiving the first packet of data, the attacker typically sends back a TCP window size of zero in the acknowledgement. Since the server received a zero window from the client, it will wait to send more data, holding open the TCP connection. Once enough zero-window clients have attached to the server, it is unable to accept new clients. Since this behavior is RFC compliant (it rarely happens in normally functioning networks, though), it is difficult for the F5 to tell an attacker from a real slow client. There are a few ways to protect against these types of attacks.
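The three slow attacks on the preceding slides (Slow HEADERS, Slow POST, Slow READ) and the two mitigations described for them (a full proxy that opens no server-side connection until the request is complete; a cap on the number of slow connections per TMM) fit in one model. The Python below is an added example, not LTM's or ASM's implementation: each client-side connection is tracked, classified as slow by header completion time, body throughput or a persistent zero window, and the oldest slow connections beyond a budget are reaped. The class, the thresholds and the event timings are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Conn:
    cid: str
    opened: float
    bytes_in: int = 0
    header_complete: bool = False
    header_done_at: Optional[float] = None
    content_length: int = 0
    body_bytes: int = 0
    zero_window_since: Optional[float] = None
    server_side_open: bool = False   # full proxy: pool member connected only after full request


class SlowHttpGuard:
    """Tracks client-side connections and reaps the slow ones beyond a configurable budget."""

    def __init__(self, max_slow_conns: int = 2, header_timeout: float = 10.0,
                 min_body_bps: float = 100.0, zero_window_timeout: float = 15.0):
        self.max_slow_conns = max_slow_conns        # like ASM's per-TMM slow-connection limit
        self.header_timeout = header_timeout
        self.min_body_bps = min_body_bps
        self.zero_window_timeout = zero_window_timeout
        self.conns: Dict[str, Conn] = {}

    def open(self, cid: str, now: float) -> None:
        self.conns[cid] = Conn(cid, opened=now)

    def recv_headers(self, cid, n, now, complete=False, content_length=0):
        c = self.conns[cid]
        c.bytes_in += n
        if complete:
            c.header_complete, c.header_done_at, c.content_length = True, now, content_length
            c.server_side_open = True   # only now is the request forwarded to a pool member

    def recv_body(self, cid, n, now):
        c = self.conns[cid]
        c.bytes_in += n
        c.body_bytes += n

    def window_update(self, cid, size, now):
        c = self.conns[cid]
        if size == 0 and c.zero_window_since is None:
            c.zero_window_since = now
        elif size > 0:
            c.zero_window_since = None

    def classify(self, cid: str, now: float) -> str:
        c = self.conns[cid]
        if not c.header_complete and now - c.opened > self.header_timeout:
            return "slow-headers"                      # Slowloris
        if (c.zero_window_since is not None
                and now - c.zero_window_since > self.zero_window_timeout):
            return "zero-window"                       # Slow Read
        if c.header_complete and c.body_bytes < c.content_length:
            elapsed = now - c.header_done_at
            if elapsed > 0 and c.body_bytes / elapsed < self.min_body_bps:
                return "slow-body"                     # Slow POST / R.U.D.Y.
        return "ok"

    def server_side_connections(self) -> int:
        return sum(1 for c in self.conns.values() if c.server_side_open)

    def sweep(self, now: float) -> Dict[str, str]:
        """Keep at most max_slow_conns slow connections; reap the oldest beyond that and return them."""
        slow = [(c, self.classify(c.cid, now)) for c in self.conns.values()]
        slow = sorted(((c, r) for c, r in slow if r != "ok"), key=lambda cr: cr[0].opened)
        reaped = {}
        for c, reason in slow[: max(0, len(slow) - self.max_slow_conns)]:
            reaped[c.cid] = reason
            del self.conns[c.cid]
        return reaped
```

The budget, rather than a hard timeout, is what keeps a genuinely slow mobile client usable: a handful of slow connections are tolerated, and reaping only starts once they accumulate the way an attack tool produces them.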
Demo Slow READ – Start the attack
• Send the command:
slowhttptest -X -c 3000 -i 10 -r 50 -u http://10.1.10.80/ &
• … website is down!
Demo Slow READ – ASM: DDoS Profile Defense for browser applications
• Proactive Bot Defense: Many DDoS attacks are simple scripts or programs with very little logic. They exploit the known behaviors of the application to prevent normal users from accessing the data. Proactive Bot Defense challenges the client to perform some data manipulation using JavaScript. Since many scripts are unable to parse and perform the JavaScript challenge, they are denied access. Proactive Bot Defense should only be used when you know the normal clients are able to accept JavaScript. All modern browsers can pass this challenge.
• Client Side Integrity Defense: Similar to Proactive Bot Defense, Client Side Integrity Defense challenges the client with JavaScript. It differs in that it only challenges clients based upon the criteria set within a DDoS profile.
• CAPTCHA: During an attack, clients can be forced to pass a CAPTCHA challenge. This challenge must be passed before the server data is requested and passed to the client.
• These protections are configured as DDoS profiles and applied to a virtual server.
Demo Slow READ – ASM: DDoS Profile Defense for browser applications
• DoS Protection Profile: apply the DDoS profile to the Virtual Server
Demo Slow READ – ASM: Client-side Integrity Defense
[Diagram: the same exchange with a User (browser) and a Web Bot]
Client: Hey server, can I get the web page?
ASM: No, you are sending too many requests. Are you a browser?
User (browser): Yes, I'm a browser.
ASM: OK, you are allowed. Here is the web page you asked for.
Web Bot: *^lkjdfg@#$
ASM: Bye bye – blocked.
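The exchange above, as an added example that is not ASM's implementation: the server challenges only sources that exceed a request-rate criterion (the "criteria set within a DDoS profile" of the previous slide), the challenge is a nonce inside an HMAC-signed token bound to the source and an expiry, the browser's JavaScript returns a computation over the nonce, and a client that cannot run it (the bot's "*^lkjdfg@#$") is blocked. The class, the token format, the SHA-256-of-nonce puzzle and the rate threshold are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict


class IntegrityDefense:
    """Challenge clients that exceed a request-rate criterion; serve only those that solve it."""

    def __init__(self, key: bytes, rps_threshold: int = 20, ttl: int = 60):
        self.key = key
        self.rps_threshold = rps_threshold
        self.ttl = ttl
        self.requests = defaultdict(list)   # src -> request timestamps in the last second
        self.verified = {}                  # src -> time until which it is trusted

    def issue_challenge(self, src: str, now: float) -> dict:
        """Nonce plus an HMAC-signed token binding nonce, source and expiry (constructed format)."""
        nonce = secrets.token_hex(8)
        payload = f"{src}|{nonce}|{int(now) + self.ttl}"
        sig = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return {"nonce": nonce, "token": f"{payload}.{sig}"}

    @staticmethod
    def browser_solve(challenge: dict) -> str:
        """What the injected JavaScript computes in a real browser (here: SHA-256 of the nonce)."""
        return hashlib.sha256(challenge["nonce"].encode()).hexdigest()

    def verify(self, src: str, token: str, answer: str, now: float) -> bool:
        """Check signature, source binding, expiry and the computed answer, all constant-time."""
        try:
            payload, sig = token.rsplit(".", 1)
            tsrc, nonce, expiry = payload.split("|")
        except ValueError:
            return False
        expected_sig = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, sig):
            return False
        if tsrc != src or int(expiry) < now:
            return False
        expected_answer = hashlib.sha256(nonce.encode()).hexdigest()
        return hmac.compare_digest(expected_answer, answer)

    def handle_request(self, src: str, now: float, response: dict = None):
        """Return ("serve" | "challenge" | "block", payload) for one request."""
        window = self.requests[src] = [t for t in self.requests[src] if now - t < 1.0]
        window.append(now)
        if self.verified.get(src, -1.0) >= now:
            return "serve", None                      # already proved it runs JavaScript
        if response is not None:
            if self.verify(src, response.get("token", ""), response.get("answer", ""), now):
                self.verified[src] = now + self.ttl
                return "serve", None
            return "block", "challenge failed"
        if len(window) > self.rps_threshold:
            return "challenge", self.issue_challenge(src, now)
        return "serve", None                          # below the criterion: never challenged


if __name__ == "__main__":
    d = IntegrityDefense(b"constructed-demo-key", rps_threshold=3)
    for _ in range(4):
        verdict, payload = d.handle_request("10.1.10.200", 100.0)
    print("4th request in one second:", verdict)
    print("bot answer:", d.handle_request("10.1.10.200", 100.5,
                                          {"token": payload["token"], "answer": "*^lkjdfg@#$"})[0])
    print("browser answer:", d.handle_request("10.1.10.200", 100.6,
                                              {"token": payload["token"],
                                               "answer": IntegrityDefense.browser_solve(payload)})[0])
```

Signing the token is what keeps the server stateless between challenge and answer, and binding it to the source and an expiry is what stops a solved challenge from being harvested once and replayed from a botnet.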
Demo Slow READ – ASM: CAPTCHA
• Ultimate solution for identifying human or bot
• Send a challenge to every IP that reached the IP detection criteria thresholds
Note: Some argue that CAPTCHA is bad for usability, because a user who gets a CAPTCHA in an online shop (or similar) will not stay.
Application DDoS Attacks – HTTP Flood
• Unlike most simple network attacks, which overwhelm computing resources with invalid packets, HTTP flood attacks look like real HTTP web requests.
• To conventional firewall technology, these requests are indistinguishable from normal traffic.
• Two main variations:
• Basic HTTP flood, during which the client merely repeats the same request over and over again. Easy to detect and mitigate.
• Advanced HTTP flood attack with a recursive-GET denial of service. Clients using this attack request the main application page, parse the response, and then recursively request every object at the site. Difficult to detect and mitigate.
Demo HTTP Flood – Start the attack
• LOIC (Low Orbit Ion Cannon)
• Launch from many sources and… website will be down!
Application DDoS Mitigation – ASM: Heavy URL Mitigation
When any URL-based mitigation is active, the URLs that were detected as heavy receive that mitigation.
Application DDoS Mitigation – ASM: Heavy URL Mitigation (Heavy URL – configuration)
ASM automatically measures latency on URLs for 24 hours and decides which are heavy.
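The HTTP flood slide distinguishes a basic flood (the same request repeated) from a recursive GET (every object on the site fetched in turn), and the heavy URL slides describe classifying URLs by measured latency. Both come down to statistics over the access log, which the added Python example below computes: per-client peak requests per second and URL diversity to tell the two flood shapes apart, and per-URL mean latency to pick out the heavy URLs that deserve the stricter mitigation. This is not ASM's algorithm; the log format, the thresholds and the sample traffic (legitimate user .100, basic flooder .200, recursive fetcher .201) are constructed.

```python
from collections import defaultdict


def constructed_access_log() -> str:
    """Constructed access log: '<ts> <client> <method> <url> <status> <latency_ms>'."""
    lines = [
        "100.00 10.1.10.100 GET / 200 50",
        "104.00 10.1.10.100 GET /about 200 40",
        "106.00 10.1.10.100 GET /search?q=shoes 200 800",
        "109.00 10.1.10.100 GET /report 200 2500",
    ]
    # Basic flood: one source repeating the same URL, 20 requests inside one second.
    lines += [f"{100.0 + i * 0.04:.2f} 10.1.10.200 GET / 200 50" for i in range(20)]
    # Recursive GET: one source walking every object it found, 15 distinct URLs in one second.
    lines += [f"{100.0 + i * 0.05:.2f} 10.1.10.201 GET /assets/obj{i}.js 200 30"
              for i in range(15)]
    return "\n".join(lines)


def parse(log_text: str):
    records = []
    for line in log_text.splitlines():
        ts, client, method, url, status, latency = line.split()
        records.append({"ts": float(ts), "client": client, "method": method, "url": url,
                        "status": int(status), "latency_ms": int(latency)})
    return records


def peak_rps(timestamps, window: float = 1.0) -> int:
    """Largest number of requests that fall inside any window starting at a request."""
    ts = sorted(timestamps)
    return max(sum(1 for t in ts if start <= t < start + window) for start in ts)


def source_profiles(records, rps_threshold: int = 10, window: float = 1.0) -> dict:
    """Per-client peak RPS and URL diversity; basic floods repeat, recursive GETs spread out."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    profiles = {}
    for client, rs in by_client.items():
        peak = peak_rps([r["ts"] for r in rs], window)
        distinct_ratio = len({r["url"] for r in rs}) / len(rs)
        if peak >= rps_threshold and distinct_ratio < 0.2:
            verdict = "basic-flood"
        elif peak >= rps_threshold:
            verdict = "recursive-get"
        else:
            verdict = "normal"
        profiles[client] = {"requests": len(rs), "peak_rps": peak,
                            "distinct_ratio": round(distinct_ratio, 3), "verdict": verdict}
    return profiles


def heavy_urls(records, min_latency_ms: int = 500, min_samples: int = 1) -> set:
    """URLs whose mean latency over the observation window makes them expensive to serve."""
    latency = defaultdict(list)
    for r in records:
        latency[r["url"]].append(r["latency_ms"])
    return {url for url, ls in latency.items()
            if len(ls) >= min_samples and sum(ls) / len(ls) >= min_latency_ms}


if __name__ == "__main__":
    recs = parse(constructed_access_log())
    for client, p in source_profiles(recs).items():
        print(client, p)
    print("heavy URLs:", heavy_urls(recs))
```

The recursive GET is the case the slide calls difficult: its per-URL rate is low and every request is valid, so only the per-source view (many distinct URLs at high rate from one client) exposes it, while the heavy-URL list tells the mitigation where a modest request rate does the most damage.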
New DDoS Features in TMOS 12.1
• BGP Black-Hole DoS protection (RTBH)
• Automatic DDoS vector thresholds
• Behavioral analysis DDoS (BADOS)
• BIG-IP/DHD Silverline signalization
New DDoS Features in TMOS 12.1 – RTBH
• RTBH (Remotely Triggered Black-Hole): route injection instructs upstream network devices to drop certain flows at the edge of the network.
• RTBH belongs to AFM, and we need AFM provisioned to configure this feature.
• When you configure settings for DDoS vectors in AFM, you can find the column 'Bad actors'; instead of rate limiting them you can block them – this is 'IP Shunning'.
• On top of this we can configure RTBH and signal this information to upstream routers.
• AFM IP Intelligence (IPI) can now instruct the IP network within the local Autonomous System (AS) to "black-hole" source or destination addresses which have been blacklisted.
• ARM (Advanced Routing) belongs to AFM: every time you provision AFM you will have the Advanced Routing license enabled as well. ARM is also included in DHD.
New DDoS Features in TMOS 12.1 – BADOS: Why?
Today:
• Configuration
• Tune and maintain
• Impact leads to mitigation
• React to 0-day
• Static – automatic
• Impacts the good
• Uses wisdom of IT
BADOS:
• Hands free
• Unsupervised
• Predictive
• 0-day capable
• Improves with time (experience)
• Minimal impact on good guys
• Uses wisdom of the crowd
New DDoS Features in TMOS 12.1 – BADOS: Why?
• 3 modes of detection and prevention:
• Conservative – slows down & rate limits bad actors
• Standard – like conservative, but may rate limit all requests based on the server's health
• Aggressive – like standard, but proactively performs all protection actions (proactive mitigation until health is restored)
New DDoS Features in TMOS 13.0 – DoS Reporting Redesign
Security > Reporting > DoS > Visibility > Dashboard
DDoS and Application Attacks Mitigation – iRules: Slow HEADERS (Slowloris) defense
DHD – Simplified configuration
[Diagram: a Protected Object is built from (1) a DDoS profile and a log profile, (2) a protocol profile (network, protocol) together with VLAN/network info, action and deployment model, and (3) a reference to a Virtual Server]
DHD – Out-of-band TAP
[Diagram: packet data from a tap VLAN between the edge router and the access router is mirrored (Rx/Tx) to the DHD, which provides attack detection and visibility via AVR, RTBH with the upstream router, and signaling to Silverline; apps sit behind the access network]
• Avoid single point of failure network scenario
• Identify DDoS attacks (L3/4, SIP, DNS) via mirrored packets
• No need to reconfigure network
• No single point of failure
• Visibility
• RTBH with upstream router
• Signal to Silverline
• Simplified and easy POC
• Visibility via AVR
DHD – Out-of-band Netflow/IPFIX
[Diagram: the DDoS platform receives Netflow/IPFIX data from the edge network; on attack detection and inspection, attack traffic is steered over a SCRUB VLAN to the DDoS platform and clean traffic is returned to the access network]
• Avoid single point of failure network scenario
• Doesn't want to inspect/scrub all traffic
• Identify DDoS attacks via Netflow, IPFIX data
• Ease of deployment
• No single point of failure
• Significant cost efficiencies
• Steer traffic to a local scrubber
• Share attacked IP(s) with Silverline
• Simplified and easy POC
• Visibility via AVR
DHD – AFM DoS "Overview" Page: 13.x
[Screenshot annotations:]
• Choose a context: current attacks, device, single profile or VS
• Choose a filter (optional): limit by vector name or P.O. name
• View status of current attacks
• View current traffic statistics: total packets, dropped packets
• View current configuration: manual vs. auto-mode, aggregate & SrcIP limits
• Modify configuration settings without navigating to a new page – same interface as the Profile page
DHD Demo – Slow POST (Application) DDoS Attack mitigated by DHD
• TMOS version 12.1
• DHD operates in transparent mode
• BADOS (Behavioral DoS) protection enabled
• Protected Object: listening on port 443 (HTTPS)
[Topology: Attacker (.200) and User (.100) on 10.1.20.0/24; the DHD platform sits transparently in front of the protected object .11:443 and the unprotected server .12:443 on 10.1.20.0/24]
DHD Demo – Slow POST (Application) DDoS Attack mitigated by DHD
• slowhttptest -B -c 3000 -i 20 -r 50 -u https://10.1.20.11/
Slow POST (R.U.D.Y.) – Like Slowloris, uses a slow, low-bandwidth approach, but instead of sending an HTTP header, it begins an HTTP POST command and then feeds in the payload of the POST data very, very slowly. Slow POST is an attack that sends the initial POST request, and attempts to send each additional piece of POST data in subsequent packets very slowly. Since the POST data is very slow to complete, all the available connections are tied up again.
DDoS Attack Sizes
[Chart, values in the order extracted: 0.5-1 Gbps 24%, 1-10 Gbps 38%, 10-50 Gbps 20%, over 50 Gbps 6%, unknown 12%]
F5 Silverline – Global Coverage
Global Coverage: fully redundant and globally distributed data centers worldwide in each geographic region
• San Jose, CA US
• Ashburn, VA US
• Frankfurt, DE
• Singapore, SG
Industry-Leading Bandwidth
• Attack mitigation bandwidth capacity over 2.0 Tbps
• Scrubbing capacity up to 1.0 Tbps (with upstream ACLs)
• Guaranteed bandwidth with Tier 1 carriers
24/7 Support
F5 Security Operations Center (SOC) in Seattle: staffed 24x7x365 with security experts for DDoS Protection and WAF. Warsaw is staffed for WebSafe.
• SOC: Seattle, WA U.S.
• SOC: Warsaw, Poland
F5 Silverline – Security Operations Center: Outsourcing DDoS monitoring and mitigation
• Monitoring and mitigating attacks while reducing false positives requires a 24/7 staff of skilled DDoS analysts
Security Operations Center (SOC) – Tier II DDoS analysts and above – active DDoS threat monitoring – availability & support:
• Full provisioning and configuration
• Proactive alert monitoring
• Identification and inspection of attacks
• Custom and scripted mitigation
• Service level agreements: time to notify, mitigate, escalate
F5 Silverline DDoS Protection – Cloud-based Scrubbing Center
[Diagram: the reference architecture shown earlier, with the Cloud tier (Cloud Scrubbing Service, Threat Intelligence Feed, multiple ISP strategy) highlighted.]
CLOUD KEY FEATURES
• Real-time volumetric DDoS attack detection and mitigation in the cloud
• Multi-layered L3-L7 DDoS attack protection
• 24x7 expert SOC services
• Transparent attack reporting via F5 customer portal
F5 Silverline DDoS Protection – Scrubbing Center Architecture
Volumetric DDoS protection, managed application firewall service, zero-day threat mitigation with iRules (Silverline DDoS, WAF, Cloud).
[Diagram: traffic from Legitimate Users and DDoS Attackers enters the scrubbing center through the Ingress Router and the Switching/Routing/ACL layer. An Inspection Plane (Inspection Toolsets, Traffic Actioner/Route Management, Flow Collection, Portal) sits beside the Data Plane (Network Mitigation, Proxy Mitigation, Routing with a customer VRF). Signaling paths: Netflow, copied traffic for inspection, BGP signaling; visibility and management paths to the Portal. Return to the customer via GRE tunnel, proxy, IP reflection or L2VPN.]
• Ingress Router applies ACLs and filters traffic
• Switching mirrors traffic to Inspection Toolsets and the Routing layer
• Inspection Tools provide input on attacks for Traffic Actioner & SOC
• Traffic Actioner injects routes and steers traffic
• Network Mitigation removes advanced L4 attacks
• Proxy Mitigation removes L7 application attacks
• Flow Collection aggregates attack data from all sources
• Egress Routing returns good traffic back to the customer
• Portal provides real-time reporting and configuration
[Diagram: Anycast – Silverline cloud networks in US East, US West, Europe and Asia absorb DDoS attack traffic and legitimate traffic from the Internet; legitimate traffic is returned over GRE tunnels to the customer DC and customer app, and response traffic flows back out directly]
F5 Silverline DDoS Protection – Service Options
Always On – primary protection as the first line of defense: the Always On subscription stops bad traffic from ever reaching your network by continuously processing all traffic through the cloud-scrubbing service and returning only legitimate traffic to your network.
Always Available – primary protection available on-demand: the Always Available subscription runs on stand-by and can be initiated when under attack. Client router monitoring (optional).
Proactive Hybrid – Silverline is always on and is the first point of detection and mitigation for volumetric attacks before traffic is passed to the datacenter.
Reactive Hybrid – AFM alerts Silverline, and traffic is diverted for cloud-based mitigation when the datacenter is under volumetric attack.
F5 Silverline DDoS Protection – Traffic Steering to Silverline Capabilities
• BGP (Border Gateway Protocol) routed mode: asymmetric L3/L4, clean traffic tunneled back, protects an entire netblock (/24)
• DNS proxy mode: full proxy (symmetric), L7, SSL termination, WAF, single application (IP)
F5 Silverline Portal
https://portal.f5silverline.com
• Stats, visibility, reporting and intelligence
• Real-time attack view
• Real-time mitigation view
• Real-time scrubbing & clean traffic view
• Non-attack (regular) traffic reporting capability
• Instant, downloadable PDF reports
• Secure set-up & management of SOC services
• Knowledge base & how-tos
F5 Silverline Portal – Stats, Visibility, Reporting & Intelligence: F5 Customer Portal
Customer Portal: visibility & compliance attack reports
• Securely communicate with Silverline SOC experts
• View centralized attack and threat monitoring reports with details including:
• source geo-IP mapping
• blocked vs. alerted attacks
• blocked traffic and attack types
• alerted attack types
• threats*
• bandwidth used
• hits/sec*
• type of traffic and visits (bots vs. humans)*
F5 Silverline Portal – Stats: Traffic (Post and Pre-Scrubbing)
• Dashboard > Netflow: Traffic, Application, Zones
F5 Silverline Portal – Stats: Attack Reporting
Downloadable PDFs for internal reporting
F5 Silverline Portal – Configuration and Provisioning
Directly manage configuration via the customer portal
• Configure Proxy and Routing attributes
• Manage SSL certificates
• Update white and black list information
• Check health status of GRE tunnels
• Administer users and roles
• Download reports and view audit history
F5 Networks Hybrid DDoS Protection – Silverline Signalling
• New Hybrid DDoS Signaling iApp available for BIG-IP
• DHD can signal to Silverline natively
https://support.f5silverline.com/hc/en-us/sections/205571867-Hybrid-Signaling
F5 Networks Hybrid DDoS Protection – Silverline Signalling for DHD
• Configure connection to Silverline
Conclusion: F5 Hybrid Security
• BIG-IP platform on-premises (Virtual Edition, Appliance, Chassis)
• F5 Silverline cloud security: Anti-DDoS managed service, Web Application Firewall managed service
High Performance Security – Simplified Security – Scalable Security
Conclusion: Rethink… Multi-Layer Security with F5
TMOS – Full Proxy on the BIG-IP platform (Virtual Edition, Appliance, Chassis): DDoS Protection, App Protection, Network Protection, Web Fraud Protection, SSL Visibility & Protection, DNS Protection, App Access
Conclusion: Key DDoS Mitigation Values
• Performance – minimize business impact from volumetric attacks: up to 640 Gbps; 7.5M CPS; 576M CCS in the datacenter and over 1 Tbps in the cloud
• Protection – protect against the full spectrum of modern cyber threats: 100+ DDoS vectors; most advanced app security; 98% of Fortune 1000 trust their traffic to F5
• Extensibility – take immediate action on new DDoS threats: 1,000s of iRules have been written to mitigate traffic based on any type of content data
• Expertise – augment resources with F5 Security experts: 24x7x365 DDoS support from Security Operations Centers in the US, APAC and EMEA