Seguridad ante los Ataques Ciberneticos DNS. ENRIQUE MEDINA

Transcription

1 Seguridad ante los Ataques Ciberneticos DNS ENRIQUE MEDINA

2 F5 Networks, Inc 2

3 F5 Company Snapshot Founded: 1996 IPO: June 1999 Employees: Over: 3,942 Headquarters: Seattle, WA President and CEO: John McAdam Market symbol: FFIV (NASDAQ) Operations worldwide: 32 countries ADC Market Share 56.6% Application Delivery Controller (ADC) Segment Includes: Server Load Balancing/Layers 4-7 Switching and Advanced (Integrated) Platforms. Graphic created by F5 based on Gartner data. Gartner, Inc. Market Share: Enterprise Network Equipment by Market Segment, Worldwide, 3Q13, F5 Networks, Inc 3

4 F5 Financial Snapshot Q1FY15 revenue: $462.8 M Cash & investments: $1,160 M Zero debt WW Revenue in Millions $1.377 $1.481 $1.730 $1.152 $882 $650 $653 $526 $394 $281 FY05 FY06 FY07 FY08 FY09 FY10 FY11 FY12 FY13 FY14 F5 Networks, Inc 4

5 Gartner de ADC Octubre 2015 F5 Networks, Inc 5

6 F5 is everywhere 48 of the Fortune 50 Companies 9 of the top 10 US Airlines 27 of the top 30 US Commercial Banks 5 of the top 5 US Wireless Carriers 10 of the top 10 Global Telecoms Operators 10 of the top 10 Global Brands 9 of the top 10 Global Oil & Gas Companies 10 of the top 10 Global Automotive Companies F5 Networks, Inc 6

7 Acquisition History uroam SSL VPN, APM Swan Labs Acceleration, AAM Traffix Systems Diameter signaling Versafe Web anti-fraud MagniFire App Firewall Acopia File virtualization LineRate Systems DevOps, SDC, Node.js Defense.net Cloud-based security F5 Networks, Inc 7

8 F5 DNS DDoS Protection

9 Dynamic Nature of DDoS Attacks How denial-of-service is changing CRASH CRASH Distributed Denial of Service Denial (DoS) of Service Attack (DDoS) Attack

11 Main two categories of DDoS attacks: Volumetric Network and Application layer (Layer 2-7) Application level Attacks F5 Networks, Inc 11

12 So what problem(s) are we trying to fix? Current Threat Spectrum Current Threat Mitigation Increasing difficulty to detect Increasing risk of service outage Current threat mitigation techniques fail to completely address all threats, particularly those aimed at DDoS. F5 Networks, Inc 12

13 More sophisticated attacks are multi-layer Application SSL DNS Network F5 Networks, Inc 13

14 F5 cloud-based scrubbing with Hybrid defenses Threat Intelligence Feed Next-Generation Firewall Corporate Users Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Cloud Network Application Multiple ISP strategy Network attacks: ICMP flood, UDP flood, SYN flood SSL attacks: SSL renegotiation, SSL flood Financial Services Legitimate Users DDoS Attackers Cloud Scrubbing Service Volumetric attacks and floods, operations center experts, L3-7 known signature attacks ISPa/b DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Network and DNS HTTP attacks: Slowloris, slow POST, recursive POST/GET Application E-Commerce Subscriber IPS Strategic Point of Control F5 Networks, Inc 14

15 DDoS Protection for the Enterprise Data Center Threat Intelligence Feed Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Network Next-Generation Firewall Users leverage NGFW for outbound protection Employees DDoS Attacker Cloud Network Firewall Services + DNS Services + Simple Load Balancing to Tier 3 Application Web Application Firewall Services + SSL Termination Financial Services Customer Partner DDoS Attacker F5 Silverline Cloud-Based Platform Volumetric attacks and size floods, operations center experts, L3-7 known signature attacks ISP may provide rudimentary DDoS service VIPRION Platform DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Can inspectssl at either tier SSL attacks: SSL renegotiation, SSL flood HTTP attacks: Slowloris, slow POST, recursive POST/GET E-Commerce Subscriber Network attacks: ICMP flood, UDP flood, SYN flood F5 Networks, Inc 15

17 Routed Configuration F5 Silverline DDoS Protection Engaged TCP Connection: SYN-ACK SRC: :80 DST: :27182 Data Center TCP Connection: SYN SRC: :27182 DST: :80 BGP Route Advertisement: F5 route for /24 becomes preferred F5 Router F5 Silverline DDoS Protection F5 Router Internet ISP Router GRE Tunnel Customer/IS P Transit Network Customer Router TCP Connection: SRC: :4243 DST: :80 Clean traffic is returned via GRE Tunnel to customer s data center BGP Configuration Change: withdraw advertisement for /24 Customer Admin F5 Networks, Inc 17

20 Portfolio LTM Local Traffic Manager Available Load balancing Health Monitor Server Persistence Router Fast Compression RAM Caching TCP Multiplexing BIG-IP LTM Secure DDoS protection TCP proxy Application proxy SSL offload Application Servers Mail Portal More

23 Usted permite el acceso directo a su base de datos desde internet?? What SQL Hacker Query Web if engine: server was embedded successful, Query : Request the is properly is string it obeying returned OR formatted, the 1=1 with # no into SELECT I Errors, The HTTP Created will execute username protocol, * application FROM the it following parameter users assumed WHERE request: the username= OR SELECT provided I will 1=1; POST parse DROP * a FROM valid it, login.php execute TABLE users HTTP/1.1 users! the script # behind it, AND WHERE HOST: username= forward password= test a formatted SQL query OR 1=1 Content-Length: # AND password= test 29 to the username=%27or+1%3d1+%23&password=test database F5 Networks, Inc 23

26 Denial of Service Attacks Against DNS 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% APPLICATION LAYER ATTACKS 86% 70% 37% 31% 17% DNS is now the second most targeted protocol after HTTP. 9% 10% HTTP DNS HTTPS SMTP SIP/VoIP IRC Other DNS DoS techniques range from: Flooding requests to a given host Reflection attacks against DNS infrastructure Reflect / Amplification attacks DNS Cache Poisoning attempts Cybercrime is a persistent threat in today s world and, despite best efforts, no business is immune. Network Solutions TRADITIONAL DDOS MITIGATION 50% 45% 40% 35% 30% 25% 20% 15% 10% 5% 0% Of the customers that mitigate DDoS attacks, many choose a technique that inhibits the ability of DNS to do its job DNS is based on UDP DNS DDoS often uses spoofed sources Using an ACL block legitimate clients DNS attacks use massive volumes of source addresses, breaking many firewalls. F5 Networks, Inc 26

27 AFM: Stateless DoS Detection & Mitigation L2-L4 stateless dos vectors DOS Vectors When to report an attack Absolute Number in PPS Detection Threshold When to report an attack Relative Percent Increase in PPS Detection Threshold When to mitigate an attack Absolute Number in PPS Mitigation Threshold DOS Categories F5 Networks, Inc 27

28 AFM: Protocol Security DNS Application Protocol compliance & DoS mitigation : DNS Filter by DNS Query types a m mg loc ixfr dname nsec3param aaaa px rp spf cert nesc3 ipseckey any md mr eid apl dhcid nsap_ptr cname mf null nxt axfr zxfer nsap mx a6 wks key sink rrsig nimloc ns rt dlv x25 naptr sshfp dnskey ptr mb hip sig isdn maila mailb soa ds opt tsig nsec afsdb hinfo srv kx txt ata gpos tkey minfo F5 Networks, Inc 28

29 DNS Flood DNS Performance Synopsys Many attackers or botnets flood an authoritative name server, attempting to exceed its capacity. Dropped responses = reduced or no site availability. [Target Site] DNS Requests DNS Responses Mitigation BIG-IP offers exceptional capacity, per appliance, to over 2M RPS and to over 10M RPS per chassis. Big-IP can also identify unusually high traffic patterns to specific clients via DNS DoS Profiles. F5 Networks, Inc 29

30 DNS DoS Attack Absorption Rapid Response Mode (RRM) DENIAL OF SERVICE Primary Customers ALL An effective way of absorbing volumetric DNS attacks is to simply absorb them. BIG-IP provides massive scale and RRM provides an accelerated path for Authoritative Deployments. Doubles the performance of DNS Express from 11.4 by providing a fast path to the DNS Express engine. DNS Query Stream 35 Good and Bad Actors IPV4/V6 LISTENER PROTOCOL VALIDATION IRULES DNSSEC GSLB (GTM) GTM IRULES DNS EXPRESS Millions of RPS DNS Response Stream w/b RRM F5 Networks, Inc 30

31 Malformed Packets Malformed DNS packets can be used to consume processing power on the BIG-IP system, ultimately causing slowdowns like a DNS flood. Protocol Validation Clients The BIG-IP system drops malformed DNS packets, and allows you to configure how you track such attacks. IPv4 / IPv6 TCP / UDP Protocol Validation + ACL DNSSEC irules irules DNSSEC 64 GSLB GSLB irules 64 DNS Express Caching Resolver DNS 6-4 DNS LB Pool BIND Big-IP GTM Hud Filter F5 Networks, Inc 31

32 DNS Amplification Attack DoS ACL and Drop Unsolicited Responses Synopsys By spoofing a UDP source address, attackers can target a common source. By requesting for large record types (ANY, DNSSEC, etc), a 36 byte request can result in a response over 100 times larger. [Target Site] Small DNS Requests Large DNS Responses Mitigation BIG-IP supports DNS type ACLs. Only allow DNS types you need to support. Drop all unsolicited responses (default behavior). Identify unusually high traffic patterns to specific clients via DNS DoS Profiles. F5 Networks, Inc 32

33 DNS Attack Mitigation Spread the attack with IP Anycast Thwart an attack by spreading the load to multiple data centers. DENIAL OF SERVICE Primary Customers ALL Attackers will target the attack using a single IP address representing the victim, your datacenter. IP Anycast advertises a common IP address into the internet routing tables which route to different DCs. Data Center Data Center Data Center F5 Networks, Inc 33

34 DNS Tunneling - Overview Subscribers with data-capable devices may still be permitted DNS traffic even without data subscription. Providers use HTTP redirect to steer customers to a portal to sign up, or permit certain unblocked sites. Some customer attempt DNS tunneling to pass data frames inside of DNS records to the internet. DNS REQUEST DNS REQUEST Internet DNS Tunnel Subscriber Encoded requested URL DNS Tunnel Target Host DNS Resolver DNS Server Runs a DNS Tunneling Client DNS RESPONSE SP Datacente r DNS RESPONSE myhost.com DNS Tunnel Aware Server WEB PAGE ENCODED IN TXT FIELDS F5 Networks, Inc 34

35 Preventing DNS Abuse DNS Tunneling Prevent it with irules Suspend Threshold Classify the traffic Mobile or fixed. Determine the SLA for RPS and allowed response size. Drop Threshold When a client sends in a query Is the query for a blocked domain? (A tunnel host) Is the query rate above allowed rate? Increment score. Client previously above allowed rate? Increment score. Resolve request and analyze response. - Factor in the response size to the score. QUERY RATE SCORING RESPONSE SIZE SCORING Take an action Is the client above the score threshold? - Drop the request Client A Client B Client C Client D Client E Client F - Suspend DNS service for a period. F5 Networks, Inc 35

36 DNS Cache Poisoning F5 Networks, Inc 36

37 DNS Cache Poisoning Mitigation DNSSEC Real-time Signing Client site.example.com +dnssec? Recursive Name server Data Center GTM [Text] Attacker F5 Networks, Inc 37

38 Mitigate Malicious Communication Open Service DNS Query Filtering by Reputation Select Your Service Response Policy Zone (RPZ) Live Feed Domain Reputation Live updates BIG-IP Mitigate DNS threats by blocking access to malicious IPs. Reduce malware and virus infections. Prevent malware and sites hosting malicious content from ever communicating with a client. Inhibit the threat at the earliest opportunity. Internet activity starts with a DNS request. F5 Networks, Inc 38

39 Complete DNS Protection & Performance Devices DMZ Data Center F5 DNS Firewall Services LDNS DNS DDoS mitigation with DNS Express Protocol inspection and validation DNS record type ACL* Block access to Malicious IPs (DNS Firewall) High performance DNS cache Stateful Never accepts unsolicited responses Internet ICSA Certified - deployment in the DMZ Scale across devices IP Anycast Secure responses DNSSEC DNSSEC responses rate limited Complete DNS control irules DDoS threshold alerting* DNS logging and reporting Hardened F5 DNS code NOT BIND DNS Servers Apps F5 Networks, Inc *Requires provisioning only BIG-IP Advanced Firewall Manager to access functionality. 39

40 Plataformas -SOLUCION UNIFICADA (Seguridad, disponibilidad y aceleracion en la misma plataforma) -SOLUCION ESCALABLE( Crecimientos en hardware y en software (modulos nuevos) -CRECIMIENTO GARANTIZADO, los clientes siempre quieren crecer sus plataformas. -SOLUCION ROBUSTA, son equipos Carrier Class F5 Networks, Inc 40

41 DNS Authoritative on F5 VIPRION DNS Express is Utilized for BIG-IP Numbers Responses per Second M RPS B2150 Blade B2100 Blade B2250 Blade B4200 Blade B4300 Blade 2400 w/b w/b w/b w/b RRM F5 Networks, Inc 41

42 DNS Caching on F5 VIPRION Responses per Second M RPS B2150 Blade B2100 Blade B4300 Blade B2250 Blade 2400 w/b Chassis 2400 w/b Chassis F5 Networks, Inc 42

43 The F5 Firewall Technologies Bringing deep DNS and application fluency to firewall security F5 Networks, Inc 43

45