leveraging the load balancer to fight ddos
DESCRIPTION
Leveraging the Load Balancer to Fight DDoS. Brough Davis September 2010 GIAC GCIA, GPEN, GCIH, GCFW, GSEC. Objective. DDoS Trends Common Mitigating Methods Load Balancing/ADC Features Conclusion Questions/Comments. DDoS Trends. - PowerPoint PPT PresentationTRANSCRIPT
1SANS Technology Institute - Candidate for Master of Science Degree 1
Leveraging the Load Balancer to Fight DDoS
Brough DavisSeptember 2010
GIAC GCIA, GPEN, GCIH, GCFW, GSEC
SANS Technology Institute - Candidate for Master of Science Degree 2
Objective
• DDoS Trends• Common Mitigating Methods• Load Balancing/ADC Features• Conclusion• Questions/Comments
SANS Technology Institute - Candidate for Master of Science Degree 3
DDoS Trends
Arbor Networks World Wide Infrastructure Security Report 2009
SANS Technology Institute - Candidate for Master of Science Degree 4
Fear of the Attack Intelligence
• Bot DDoS options• SYN/ICMP Floods, Frag Attacks, invalid header values• Application DDoS – HTTP recursive attacks
• Known Bots with DDoS options • Agobot, SDBot, UrxBot
• Agobot DDoS HTTP Recursive Attack
ddos.httpflood [url] [number] [referrer] [recursive = true||false]
SANS Technology Institute - Candidate for Master of Science Degree 5
Growing Fear is Slow Growing
Arbor Networks World Wide Infrastructure Security Report 2009
SANS Technology Institute - Candidate for Master of Science Degree 6
DDoS Vectors/Mitigation
SANS Technology Institute - Candidate for Master of Science Degree 7
DDoS Mitigation Options• DDoS Commercial Appliances • uRPF, RTBH, Backscatter Analysis• RFC1918/Bogon ACL’s, Rate Limiting• Only Allow Critical Services• Cloud Scale• TCP SYN Cookies, TCPCT• WAF/Reverse Proxy - HTTP(S) Applications• Reverse Turing Tests (Captcha, JavaScript, etc.)
SANS Technology Institute - Candidate for Master of Science Degree 8
The Load Balancing Device
• Brocade ServerIron • Citrix Netscaler • Cisco ACE • F5 BIGIP
SANS Technology Institute - Candidate for Master of Science Degree 9
TCP SYN Cookie/ProxyBrocade ServerIronServerIron(config)# ip tcp syn-proxyServerIron(config)#interface e 3/1ServerIron(config-if-3/1)# ip tcp syn-proxy in ServerIron(config)# server syn-cookie-check-vport
Citrix Netscaler SYN Cookies Enabled by Default
Cisco ACE host1/C1(config)# interface vlan 100 host1/C1(config-if)# syn-cookie 4096
F5 BIG-IPSYN Cookies triggered after 16,384 connections (Configurable)
SANS Technology Institute - Candidate for Master of Science Degree 10
Application Switchingcsw-rule "r1" version eq "1.0" csw-rule "r2" version eq "1.1" csw-rule "r3" nested-rule "r1 || r2" ! csw-policy p1 match r3 forward 1 default forward 0 ! server virtual-name VIP1 1.1.1.1 port http csw-policy p1 port http csw bind http RS1 http RS2 http ! server real RS1 2.2.2.1 port http port http url "HEAD /" port http group-id 1 1 ! server real RS2 2.2.2.2 port http port http url "HEAD /" port http group-id 1 1
Search for HTTP 1.0 or 1.1 Headers
Drop by default. Matched sent to group 1
Apply policy to virtual server service
Real servers in group 1
Application SwitchingReal World Example
• Before– Mixed traffic (large packets, frags, ICMP/UDP, SYN flood, raw tcp 80 full
connects)– 260+Mbps inbound traffic– 1 million current connections to ServerIron (100% CPU)
• Reaction– Upstream router filter all non TCP/80 traffic – ServerIron syn-pxy feature enabled– Layer 7 Content switching. Drop all TCP 80 traffic without valid HTTP
1.0/1.1 Header• Result
– ServerIron CPU reduced to 20% with 20,000 Current Connections < 5 minutes.
– Inbound traffic dropped to 8 Mbps
SANS Technology Institute - Candidate for Master of Science Degree 11
SANS Technology Institute - Candidate for Master of Science Degree 12
Cookie Manipulation
Citrix Netscaler• In the navigation pane, expand System, and
click Settings. The System Settings Overview page appears in the right pane.
• Click Advanced Features. The Configure Advanced Features dialog box appears.
• Select HTTP DoS Protection check box, click OK, and click Yes on the Enable/Disable Feature(s) dialog box.
SANS Technology Institute - Candidate for Master of Science Degree 13
Reverse Turing Tests
SANS Technology Institute - Candidate for Master of Science Degree 14
Feature Summary
Cisco Brocade F5 Netscaler
TCP SYN Cookie YES YES YES YES
HTTP inspection YES YES YES YES
HTTP Cookie Injection YES YES YES YES
'human' JS check NO NO YES YES
SANS Technology Institute - Candidate for Master of Science Degree 15
Summary
• Shortfalls – Overworking the Load Balancer/ADC– Finding Legitimate Traffic
• Future Planning– Know your traffic trends – Involve the developers– Use Everything (Tiered Defense)