Mitigating DDoS Attacks:

Transcription

1 Mitigating DDoS Attacks: On-premises and in the Cloud Alejandro Dutto

2 DDoS Attacks A Brief History

3 The evolution of attackers September 1996 First high profile DDoS attack. NY ISP Panix.com that was nearly put out of business. January 2008 Anonymous executes a series of high-profile DDoS attacks against the Church of Scientology. December 2010 WikiLeaks supporters hit PayPal, Visa, Mastercard, and other financial sites with DDoS attacks. April 2011 Attackers use a DDoS attack against Sony to mask the theft of millions of customer records. April 2012 Anonymous knocks down the sites of the U.S. Dept. of Justice, the CIA, and the British Secret Intelligence Service. September 2012 Syrian Cyber Fighters launch Operation Ababil with DDoS attacks on 13 U.S. banks to protest an anti-muslim video Script kiddies The rise of hacktivism Cyber war F5 Networks, Inc 3

4 Frequency of attacks Feb 05 Bitly Outage as result of DDoS attack Feb 11 Elance Freelance Job Site NTP Reflection Attack; temporary website disruption Feb 11 odesk Temporary website disruption as result of DDoS attack Feb 20 Namecheap Simultaneous attack on 300 websites it registers Mar 04 Meetup Event Planning NTP Amplification attack carried out by extortionists Mar 11 GitHub Code Host UDP based Amplification attack Mar 17 Royalty Free Stock Images DDoS attack by extortionists Mar 20 Hootsuite DDoS attack by extortionists Mar 24 Basecamp DDoS attack by extortionists Mar 27 SurveyGizmo DDoS attack; Site down 2 days; ISP abandoned recovery 2014 Script kiddies The rise of hacktivism Cyber war F5 Networks, Inc 4

5 More sophisticated attacks are multi-layer Application SSL DNS Network F5 Networks, Inc 5

6 How does F5 Silverline DDoS Protection protect against DDoS attacks?

7 F5 Offers Comprehensive DDoS Protection Threat Intelligence Feed Next-Generation Firewall Corporate Users Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Cloud Network Application Multiple ISP strategy Network attacks: ICMP flood, UDP flood, SYN flood SSL attacks: SSL renegotiation, SSL flood Financial Services Legitimate Users DDoS Attackers Cloud Scrubbing Service Volumetric attacks and floods, operations center experts, L3-7 known signature attacks ISPa/b DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Network and DNS HTTP attacks: Slowloris, slow POST, recursive POST/GET Application E-Commerce Subscriber IPS Strategic Point of Control F5 Networks, Inc 7

8 DDoS Architecture Scrubbing Center Inspection Tools provide input on attacks for Traffic Actioner & SOC Traffic Actioner injects blackhole routes and steers traffic Inspection Toolsets Traffic Actioner Route Management Scrubbing Center Inspection Plane Flow Collection Flow collection aggregates attack data from all sources Visibility Portal Portal provides real-time reporting and configuration Cloud Signaling Management Legitimate Users Cloud Scrubbing Service Switching Copied traffic for inspection BGP signaling Routing/ACL Netflow Network Mitigation Data Plane Proxy Mitigation Netflow Routing (Customer VRF) GRE Tunnel Proxy IP Reflection X-Connect Customer DDoS Attackers Volumetric attacks and floods, operations center experts, L3-7 known signature attacks Switching mirrors traffic to Inspection Toolsets and Routing layer Ingress Router applies ACLs and blackholes traffic Network Mitigation removes advanced L4 attacks Proxy Mitigation removes L7 Application attacks Egress Routing returns good traffic back to customer F5 Networks, Inc 8

9 Global Coverage SOC 24/7 Support F5 Security Operations Center (SOC) is available 24/7 with security experts ready to respond to DDoS attacks within minutes Seattle, WA US Global Coverage Fully redundant and globally distributed data centers world wide in each geographic region San Jose, CA US Ashburn, VA US Frankfurt, DE Singapore, SG Industry-Leading Bandwidth Attack mitigation bandwidth capacity over 2.0 Tbps Scrubbing capacity of over 1.0 Tbps Guaranteed bandwidth with Tier 1 carriers

10 F5 Silverline DDoS Protection - Service Options Always On Primary protection as the first line of defense Always Available Primary protection available on-demand F5 Networks, Inc 10

11 How does F5 protect against DDoS attacks on premises?

12 F5 cloud-based scrubbing with on-premises defenses Threat Intelligence Feed Next-Generation Firewall Corporate Users Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Cloud Network Application Multiple ISP strategy Network attacks: ICMP flood, UDP flood, SYN flood SSL attacks: SSL renegotiation, SSL flood Financial Services Legitimate Users DDoS Attackers Cloud Scrubbing Service Volumetric attacks and floods, operations center experts, L3-7 known signature attacks ISPa/b DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Network and DNS HTTP attacks: Slowloris, slow POST, recursive POST/GET Application E-Commerce Subscriber IPS Strategic Point of Control F5 Networks, Inc 12

13 F5 cloud-based scrubbing with on-premises defenses Threat Intelligence Feed Next-Generation Firewall Corporate Users Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Legitimate Users DDoS Attackers Cloud Network Application Cloud Scrubbing Service Volumetric attacks and floods, operations center experts, L3-7 known signature attacks Multiple ISP strategy ISPa/b CLOUD KEY FEATURES Network attacks: ICMP flood, UDP flood, SYN flood Real-time Volumetric DDoS attack detection and mitigation in the cloud Multi-layered L3-L7 DDoS attack protection DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Network and DNS 24x7 expert SOC services Transparent attack IPS reporting via F5 customer portal SSL attacks: SSL renegotiation, SSL flood HTTP attacks: Slowloris, slow POST, recursive POST/GET Application Financial Services E-Commerce Subscriber Strategic Point of Control F5 Networks, Inc 13

14 F5 cloud-based scrubbing with on-premises defenses Threat Intelligence Feed Next-Generation Firewall Corporate Users Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Legitimate Users DDoS Attackers Cloud Network Application Cloud Scrubbing Service Volumetric attacks and floods, operations center experts, L3-7 known signature attacks Multiple ISP strategy ISPa/b Network attacks: ICMP flood, UDP flood, SYN flood DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Network and DNS NETWORK KEY FEATURES SSL attacks: SSL renegotiation, SSL flood The network tier at the perimeter is layer 3 and 4 network firewall services Simple load balancing to a second tier HTTP attacks: Slowloris, slow POST, recursive POST/GET Application IP reputation database Mitigates transient and IPS low-volume attacks Financial Services E-Commerce Subscriber Strategic Point of Control F5 Networks, Inc 14

15 F5 cloud-based scrubbing with on-premises defenses Threat Intelligence Feed Next-Generation Firewall Corporate Users Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Legitimate Users DDoS Attackers Cloud Cloud Scrubbing Service Volumetric attacks and floods, operations center experts, L3-7 known signature attacks Multiple ISP strategy ISPa/b Network attacks: ICMP flood, UDP flood, SYN flood DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Network APPLICATION KEY FEATURES Application-aware, CPU-intensive defense mechanisms SSL termination Network and DNS Web application firewall Mitigate asymmetric and SSLbased DDoS attacks IPS SSL attacks: SSL renegotiation, SSL flood HTTP attacks: Slowloris, slow POST, recursive POST/GET Application Application Financial Services E-Commerce Subscriber Strategic Point of Control F5 Networks, Inc 15

16 Key Resources The F5 DDoS Protection Reference Architecture White paper: The F5 DDoS Protection Reference Architecture Best practices: F5 DDoS Protection recommended Practices The F5 Silverline DDoS Protection Service Overview F5 Networks, Inc 16

17 Explore The F5 DDoS Protection Reference Architecture f5.com/architectures F5 Networks, Inc 17

18 Asista a uno de nuestros eventos y entregue la invitación con sus datos para participar en la rifa de una bocina Bose SoundLink Bluetooth III! Andicom 2015 HAPPY HOUR CON Mau Loa Beach Lounge Jueves 3 de Septiembre 6:00-8:00pm Calle 35 No Local Interior Centro Historico Cartagena de Indias, Colombia Asista a uno de nuestros eventos y entregue esta invitación con sus datos para participar en la rifa de una bocina Bose SoundLink Bluetooth III! F5 Networks, Inc 18

19

20 Appendix

21 F5 Networks, Inc 21

22 Today s Solutions Fall Short Neither cloud nor on-premise solutions alone can be the right answer for modern DDoS attacks The time from attack detection to mitigation is unacceptable Solutions are not comprehensive against DDoS and application threats No single throat-to-choke Many attacks are best detected on-premise Many attacks are best blocked in the cloud, before the attack consumes all of the bandwidth to the customer s applications DDoS security-in-depth requires tight integration between on-premise and cloud defenses On-premise solutions are not designed to work with up-stream cloud solutions Too many manual steps in the process Steps are error prone Solutions are not easily extensible Volumetric DDoS Slow-and-low application DDoS Heavy URL weaknesses Web application vulnerabilities Customers must go to multiple vendors to build a complete solution Multiple incident managers to deal with on-premise and cloud threats F5 Networks, Inc 22

23 Reference Architectures Solving Customer Issues

24 Key Resources The F5 DDoS Protection Reference Architecture Placemat: DDoS Protection Reference Architecture White paper: The F5 DDoS Protection Reference Architecture Best Practices: F5 DDoS Protection Recommended Practices F5 Networks, Inc 24

25 DDoS Protection Reference Architecture Threat Intelligence Feed Next-Generation Firewall Corporate Users Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Cloud Network Application Multiple ISP strategy Network attacks: ICMP flood, UDP flood, SYN flood SSL attacks: SSL renegotiation, SSL flood Financial Services Legitimate Users DDoS Attacker Cloud Scrubbing Service Volumetric attacks and size floods, operations center experts, L3-7 known signature attacks ISPa/b DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Network and DNS HTTP attacks: Slowloris, slow POST, recursive POST/GET Application E-Commerce Subscriber IPS Strategic Point of Control F5 Networks, Inc 25

26 DDoS Protection for a Large FSI Data Center Threat Intelligence Feed Network HSM (FIPS-140) Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Network SSL inspection at either tier Application DDoS Attacker Cloud Network attacks: ICMP flood, UDP flood, SYN flood Network Firewall Services + Simple Load Balancing to Tier 3 Web Application Firewall Services + SSL Termination Financial Services Customer Partner DDoS Attacker F5 Silverline Cloud-Based Platform Volumetric attacks and size floods, operations center experts, L3-7 known signature attacks ISP may provide rudimentary DDoS service VIPRION Platform + IP Intelligence (IPI) Module DNS Services BIG-IP Platform SSL attacks: SSL renegotiation, SSL flood HTTP attacks: Slowloris, slow POST, recursive POST/GET SSL re-encryption E-Commerce Subscriber DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning BIG-IP Platform F5 Networks, Inc 26

27 DDoS Protection for the Enterprise Data Center Threat Intelligence Feed Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Network Next-Generation Firewall Users leverage NGFW for outbound protection Employees DDoS Attacker Cloud Network Firewall Services + DNS Services + Simple Load Balancing to Tier 3 Application Web Application Firewall Services + SSL Termination Financial Services Customer Partner DDoS Attacker F5 Silverline Cloud-Based Platform Volumetric attacks and size floods, operations center experts, L3-7 known signature attacks ISP may provide rudimentary DDoS service VIPRION Platform DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Can inspectssl at either tier SSL attacks: SSL renegotiation, SSL flood HTTP attacks: Slowloris, slow POST, recursive POST/GET E-Commerce Subscriber Network attacks: ICMP flood, UDP flood, SYN flood F5 Networks, Inc 27

28 DDoS Protection for Small Business Next-Generation Firewall Employees DDoS Attacker Cloud Network & Application Users leverage NGFW for outbound protection Customer Partner F5 Silverline Cloud-Based Platform Network Firewall Services + DNS Services + Web Application Firewall Services + Compliance Control Financial Services E-Commerce DDoS Attacker Volumetric attacks and size floods, operations center experts, L3-7 known signature attacks ISP may provide rudimentary DDoS service BIG-IP Platform DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Subscriber Network attacks: ICMP flood, UDP flood, SYN flood SSL attacks: SSL renegotiation, SSL flood HTTP attacks: Slowloris, slow POST, recursive POST/GET F5 Networks, Inc 28

29 More Sophisticated Attacks are Multi-Layer Network F5 Networks, Inc 29

30 LTM: Stateful DoS Detection & Mitigation Using LTM flow reaper to mitigate connection table attacks Reaper Threshold Controls when connection reaping occurs Uses variety of algorithms 1 st : Longest Idle Connections 2 nd : Bps/PPS/Throughput Statistics 3 rd : Random Eviction Always avoids reaping BigIP-initiated connections TCP SYN Cookies to challenge Client TCP stacks Configurable Threshold (Global) Kicks in only when needed Future Plans Per-VS Connection Table Quotas for both ALL flows, and for Slow Flows Additional User-Specified Reap Choices: Geo-based, Port-Based, Oldest F5 Networks, Inc 30

31 LTM: Stateful DoS Detection & Mitigation Using LTM protocol profiles for per-flow mitigation of connection attacks Per-Flow Wait & Timeout Settings Per-App (VS) Granularity Ensure timely eviction of idle flows Address TCP Exploits Half-open connections Half-closed/FIN conns TCP SYN Cookies challenge Client TCP stacks Enabled at Per-App (VS) Granularity HW Accelerated Configurable Thresholds F5 Networks, Inc 31

32 DDoS detection and mitigation Guard your data center against incoming threats that enter the network AFM DOS CAPABILITIES Up-to-date L2-L4 DOS vector coverage Malformed/Bad, Suspicious, and Volumetric Attack Vectors Detection & Mitigation Limits both Global & Per-VS Volumetric Hardware Accelerated on many platforms, Used to identify line-rate bad performance actor SrcIP s and target ed DstIP servers Protects IP infrastructure from malformed & malicious traffic at scale Sweep & Flood IP detection AVR Drill-Down reporting on attackers, targets, geo-analysis Protocol-Aware Detection & Mitigation for HTTP/S, SMTP, FTP, DNS & SIP F5 Networks, Inc 32

33 Dynamically update security logic Maintain a current IP reputation database that allows you to automatically mitigate traffic from known bad or questionable IP addresses. F5 IP INTELLIGENCE SERVICES Dynamic services feeds updated frequently Policy attached to global, route- domain or VS contexts Categorize IP/Sub_net by attack type Customizable actions per attack type category (i.e., Accept, Warn, Alert) Create multiple customizable IP feeds DYNAMIC IP BLACK LISTS & WHITE LISTS Create IP Black Lists and White Lists that override IP intelligence services Merge multiple sources into 1 feed or enforcement policy HTTP/S & FTP polling methods User defined categories Support for IPv6 and IPv4 F5 Networks, Inc 33

34 AFM: Dynamic Endpoint Visibility & Enforcement IP intelligence service F5 IP Intelligence Service Dynamic Feed updated every 5 minutes Applied at Virtual-Server Level Policy Name (attach-able to a Virtual Server) 9 Pre-Defined Categories of Malicious IP s/subnets Customizable Per-Category Actions (Accept, Warn, Reject) F5 Networks, Inc 34

35 AFM: Dynamic Endpoint Visibility & Enforcement Dynamic Blacklist & Whitelist (future) Create multiple customizable IP Intelligence feeds HTTPS, HTTP & FTP polling methods User definable categories Polling intervals as low as 5 minutes Merge multiple data sources into a single feed F5 Networks, Inc 35

36 AFM: Stateless DoS Detection & Mitigation L2-L4 stateless dos vectors DOS Vectors When to report an attack Absolute Number in PPS Detection Threshold When to report an attack Relative Percent Increase in PPS Detection Threshold When to mitigate an attack Absolute Number in PPS Mitigation Threshold DOS Categories F5 Networks, Inc 36

37 AFM: EP-Aware DoS Mitigation Endpoint awareness: sweep & flood configuration Configurable Absolute Limits per-endpoint Selectively limits traffic volume from bad actors/ to target VS s Sweep : Per-SrcIP Limit Flood : Per-DstIP Limit DoS Whitelist overrides Sweep/Flood New Category: Endpoint-Aware F5 Networks, Inc 37

38 AFM: EP-Aware DoS Mitigation Endpoint awareness: sweep & flood configuration Configurable Inclusion of Sweep & Flood Volumetric Attack Vectors User-Selects from a list of common volumetric DoS vectors ICMP/UDP/SYN/<Any> V4/v6-specificity Future Plans: UDP Port-Specific Inclusion/Exclusion Per-VS Sweep/Flood F5 Networks, Inc 38

39 More Sophisticated Attacks are Multi-Layer DNS Network F5 Networks, Inc 39

40 AFM: Stateless App. Layer DoS Detection Application protocol volumetric attack detection: DNS & SIP Malformed/Protocol Violations Detection DNS DOS Detection by Query Type When to report and attack. Absolute and Relative Increase Detection Thresholds SIP DOS Detection by Method When to report and attack Absolute and Relative Increase Detection Thresholds F5 Networks, Inc 40

41 AFM: Protocol Security DNS Application Protocol compliance & DoS mitigation : DNS Filter by DNS Query types a m mg loc ixfr dname nsec3param aaaa px rp spf cert nesc3 ipseckey any md mr eid apl dhcid nsap_ptr cname mf null nxt axfr zxfer nsap mx a6 wks key sink rrsig nimloc ns rt dlv x25 naptr sshfp dnskey ptr mb hip sig isdn maila mailb soa ds opt tsig nsec afsdb hinfo srv kx txt ata gpos tkey minfo F5 Networks, Inc 41

42 More Sophisticated Attacks are Multi-Layer SSL DNS Network F5 Networks, Inc 42

43 SSL Renegotiation Mitigation F5 Networks, Inc 43

44 More Sophisticated Attacks are Multi-Layer Application SSL DNS Network F5 Networks, Inc 44

45 AFM: Stateless HTTP DoS Mitigation Application protocol compliance & DoS mitigation: HTTP Configurable HTTP Protocol Checking Per-App (VS) Granularity Can be fine-tuned for each app. Report or Block based on: Method File Type Header Field Detect & Block Evasion Techniques Can be referenced in multiple policies on multiple firewalls F5 Networks, Inc 45

46 ASM Stateful Protection F5 Networks, Inc 46

47 ASM: L7 DDoS Mitigation Transaction Per Seconds (TPS) based anomaly detection TPS-based anomaly detection allows you to detect and mitigate DoS attacks based on the client side. Latency based anomaly detection Latency-based anomaly detection allows you to detect and mitigate attacks based on the behavior of the server side. F5 Networks, Inc 47

48 ASM: Heavy URL F5 Networks, Inc 48

49 Manageability and Visibility Application-oriented policies and reports Logging Generation and Storage of Individual Security Events Configure local and remote high-speed network firewall logging Independently controlled Logging for Access Control, DoS, IP-Intel Log Destinations & Publishers consistent with BIG-IP logging framework Reporting Visualization of Security Statistics Reporting used for Visualizing Traffic/Attack Patterns over time Geo & IPFIX & Stale Rules reporting Access-Control & DoS: Drill-Downs by contexts, IP, Rule, etc. Integration with 3rd party SIEM systems Report type HIPPA & PCI compliance reporting DDoS attack report IP Enforcer stats F5 Networks, Inc 49

50 Silverline DDoS Protection

51 The attacks are definitely getting larger and we know that trend will continue as the number of websites we support increases. That is why we are working with F5. When the big attacks come, we ll be ready. F5 Silverline DDoS Protection -- Chris Fanini, Co-Founder and CTO, Weebly Key benefits of F5 Protection against the largest attacks Advanced and unique DDoS mitigation techniques Team of industry expert DDoS fighters Simple installation process F5 Reference Architectures DDoS Protection View on F5.com F5 Networks, Inc 51

52 We chose F5 Silverline DDoS Protection because of the breakthrough new technology developed by Barrett Lyon and its ability to provide DDoS mitigation without the damaging side effects of legacy mitigation solutions. F5 Silverline DDoS Protection -- Tim Turner, CIO of the Afisha Rambler SUP Holding Key benefits of F5 Simple installation process No upfront investment in on-premise equipment Continuous DDoS mitigation and analysis Advanced and unique DDoS mitigation techniques F5 Reference Architectures DDoS Protection View on F5.com F5 Networks, Inc 52

53 The F5 Silverline DDoS Protection Customer Portal Secure set up & management of SOC services Knowledge base & how to Battlefield F5 Silverline DDoS Protection Real time attack view Real time mitigation view Real time scrubbing & clean traffic view Instant, downloadable PDF reports Non-Attack (regular) traffic reporting capability F5 Networks, Inc 53

54 Portal Customer Configuration Status Proxy and GRE configuration and provisioning are available within the portal for ease of management. F5 Networks, Inc 54

55 Portal Customer GRE Provisioning F5 Networks, Inc 55

56 Portal: F5 customer portal Total Traffic The F5 Silverline DDoS Protection F5 customer portal Total Traffic report allows you to review clean traffic vs bad traffic. Flagged items are communications with the F5 Silverline DDoS Protection team and are detailed with event timeline and alert information. F5 Networks, Inc 56

57 Portal: F5 customer portal Timeline of events Event Detail Real time F5 customer portal shows: Type of attack IP origin Mitigation process Yellow flagged annotations of SOC communications F5 Networks, Inc 57

58 Portal: Countermeasures Mitigation breakdown of traffic blocked as well as timelines provide detailed visibility of filtering capabilities used. F5 Networks, Inc 58

59 Application View The Application View provides ongoing traffic stats and timelines. F5 Networks, Inc 59

60 Portal: Support View The support area includes assistance request submission and status, as well as a detailed knowledge base with information such as set up, terminology, best practices, and more provided by our world class DDOS All Star Team. F5 Networks, Inc 60

61 F5 Silverline DDoS Protection Attack Reporting Downloadable PDFs for internal reporting F5 Networks, Inc 61

62