STOPPING LAYER 7 ATTACKS with F5 ASM
Sven Müller, Security Solution Architect
Agenda
- Who is targeted
- What Layer 7 attacks look like
- How to protect against Layer 7 attacks
- Building a security policy
- Layer 7 DDoS protection
- Reporting
Cyber-attacks in the News for 2011
Source: IBM X-Force 2011 Trend and Risk Report, March 2012
F5 Networks, Inc 3
Cyber-attacks in the News for 2012
Source: IBM X-Force 2012 Trend and Risk Report, March 2013
Cyber-attacks in the News for 2013
What do L7 attacks look like?
Example: SQL-Injection

    $id = $_GET['id'];
    $result = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";

With id=2 this will result in:

    SELECT first_name, last_name FROM users WHERE user_id = '2'
Example: SQL-Injection

    $id = $_GET['id'];
    $result = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";

Attacker inserts: ' or 1=1 #

This results in:

    SELECT first_name, last_name FROM users WHERE user_id = '' or 1=1 #'

1=1 is always true, and the # comments out the dangling quote, so all entries will be returned.
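The two slides above show the concatenation and its expansion but not the repaired form. The following Python example is added here and is not part of the original deck: it reproduces the slide's string-building exactly, runs both the vulnerable lookup and a parameterized lookup against a constructed in-memory SQLite table, and shows that the same payload returns every row from one and nothing from the other. The `#` comment on the slide is MySQL syntax; for the executed SQLite variant the equivalent payload ends in `--`, which is an assumption of this example, as are the table contents.

```python
import sqlite3

# Constructed sample data for this example (not from the original deck).
USERS = [(1, "Alice", "Anders"), (2, "Bob", "Berg"), (3, "Carol", "Clark")]

# The slide's payload (MySQL '#' comment) and the SQLite spelling of the same idea.
PAYLOAD_MYSQL = "' or 1=1 #"
PAYLOAD_SQLITE = "' or 1=1 --"


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def build_query_unsafe(user_id):
    """String concatenation as on the slide: the input lands inside the quotes."""
    return f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"


def lookup_unsafe(conn, user_id):
    """Vulnerable lookup: attacker-controlled text becomes part of the SQL statement."""
    return conn.execute(build_query_unsafe(user_id)).fetchall()


def lookup_safe(conn, user_id):
    """Hardened lookup: the value is bound as a parameter and never parsed as SQL,
    so a payload is compared literally against user_id and matches nothing."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_query_unsafe(PAYLOAD_MYSQL))          # the expansion shown on the slide
    print(lookup_unsafe(db, 2))                       # one row
    print(lookup_unsafe(db, PAYLOAD_SQLITE))          # all three rows
    print(lookup_safe(db, PAYLOAD_SQLITE))            # no rows
```

The parameterized form is the application-side fix; a WAF such as ASM sits in front of applications that still carry the concatenating version.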
Example: L7-DDoS
- L7-DDoS: valid requests, but unfortunately way too many.
- Tools and bot networks make it easy for attackers to generate a huge number of requests.
- Interesting DDoS example: Facebook-hosted DDoS with the Notes app.
  - Facebook Notes allows users to include <img> tags.
  - Whenever an <img> tag is used, Facebook crawls the image from the external server and caches it.
  - Facebook will only cache the image once. However, using random GET parameters, the cache can be bypassed and the feature abused to cause a huge HTTP GET flood:

    <img src=http://targetname/file?r=1></img>
    <img src=http://targetname/file?r=2></img>
    ...
    <img src=http://targetname/file?r=1000></img>
Example: L7-DDoS
- http://chr13.com/2014/04/20/using-facebook-notes-to-ddos-any-website/
- Number of involved Facebook servers: 112
- Or use Google to do DDoS attacks: http://chr13.com/2014/03/10/using-google-to-ddos-any-website/
Network Security does not help against Application attacks (Layer 7)!
- Perimeter security is strong, but it is open to web traffic: port 80 and port 443 are let through.
- Attacks now look to exploit application vulnerabilities; high information density = high-value attack.
- Application attacks that pass the perimeter: Forceful Browsing, Cross-Site Scripting, Cookie Poisoning, SQL/OS Injection, Hidden-Field Manipulation, Parameter Tampering, Buffer Overflow, Brute force attacks, Layer 7 DoS, Webscraping, CSRF, Viruses, Botnets, Phishing, Proxies
- Resulting in: non-compliant information, forced access to information, infrastructural intelligence
How to protect against attacks
Web Application Firewall (WAF) protects on Layer 7!
- The WAF stops bad requests and responses: unauthorised access, non-compliant information, infrastructural intelligence.
- The WAF allows only legitimate requests between the browser and the application.
F5 Full-proxy architecture
Each protocol layer is terminated separately on the client side and the server side, with an iRule hook on both sides of every layer:
- HTTP (WAF): Slowloris attack, XSS on the client side; data leakage on the server side
- SSL: SSL renegotiation
- TCP (Network Firewall): SYN flood, ICMP flood
Common attacks on web applications
BIG-IP ASM delivers comprehensive protection against critical web attacks:
- OWASP Top 10
- CSRF
- Cookie manipulation
- Brute force attacks
- Forceful browsing
- Buffer overflows
- Web scraping
- Parameter tampering
- SQL injections
- Information leakage
- Field manipulation
- Session hijacking
- Cross-site scripting
- Zero-day attacks
- Command injection
- ClickJacking
- Bots
- Business logic flaws
Silverline Web Application Firewall (WAFaaS)
Proven security effectiveness as a convenient cloud-based service.
Protect web applications and data from layer 7 attacks, and enable compliance, such as PCI DSS, with the Silverline Web Application Firewall service, which is built on BIG-IP Application Security Manager and backed by 24x7x365 support from F5 experts.
- Cloud L7 protection: geolocation attacks, DDoS, SQL injection, OWASP Top Ten attacks, zero-day threats, AJAX applications, JSON payloads
- Diagram: legitimate users and attackers reach private-cloud, physical and public-cloud hosted web apps through the F5 Silverline WAF; the policy can be built from 3rd-party VA/DAST scans.
Building The Security Policy
Different ways to build a policy
- DYNAMIC POLICY BUILDER: automatic; no knowledge of the app required; adjusts policies if the app changes.
- INTEGRATION WITH APP SCANNERS: manual; advanced configuration for custom policies; virtual patching with continuous application scanning.
- PRE-BUILT POLICIES: out-of-the-box; pre-configured and validated for mission-critical apps including Microsoft, Oracle, PeopleSoft.
- Diagram: security policy checked, then security policy applied.
Policy Builder Deployment Wizard
Define the Policy Builder configuration.
Identify, virtually patch, mitigate vulnerabilities
1. Scan the application with a web application security scanner (Qualys, IBM, WhiteHat, Cenzic, HP WI, or a generic scanner)
2. Import the vulnerabilities into BIG-IP ASM
3. Mitigate web app attacks
Reduce operating costs by outsourcing WAF policy management to F5 SOC experts
F5 security experts proactively monitor and fine-tune policies to protect web applications and data from new and emerging threats.
- Expert policy setup and management: expert policy setup, policy fine-tuning, false positives tuning, detection tuning, whitelist / blacklist set-up and monitoring
- Active threat monitoring: proactive alert monitoring
- Availability & support
F5 Security Operations Center
ASM Layer 7 DDOS Protection
Automatic HTTP/S DoS attack detection and protection
- Accurate detection technique based on latency and/or transactions per second (TPS)
- Three different mitigation techniques escalated serially
- Focus on higher-value productivity while automatic controls intervene
- Flow: DETECT A DOS CONDITION -> IDENTIFY POTENTIAL ATTACKERS -> DROP ONLY THE ATTACKERS
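To make the three-step flow on this slide concrete, and to tie it back to the cache-busting GET flood in the Notes example earlier, here is an added Python illustration. It is not ASM's algorithm and not code from the deck: it runs over a constructed 10-second traffic window, declares a DoS condition from mean server latency and/or total TPS, identifies attackers by per-client TPS or by the number of distinct query strings one client sends for one path (the `?r=N` pattern), and drops only those clients. All thresholds, IP addresses and URLs are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Thresholds:
    """Assumed thresholds for this example; real deployments tune these per application."""
    latency_ms: float = 200.0       # DoS condition if mean server latency exceeds this
    site_tps: float = 50.0          # ... or if total transactions per second exceed this
    client_tps: float = 20.0        # per-client TPS that marks a potential attacker
    cache_bust_variants: int = 20   # distinct query strings for one path from one client


def build_sample():
    """Constructed traffic: (timestamp_s, client_ip, url, server_latency_ms).
    Three normal clients send 2 req/s; from second 3 on, 10.0.0.5 floods /file with
    a different query string on every request and server latency climbs."""
    recs = []
    for sec in range(10):
        for i, ip in enumerate(("192.0.2.1", "192.0.2.2", "192.0.2.3")):
            for k in range(2):
                recs.append((sec + k / 2, ip, f"/page{i}", 40.0 if sec < 3 else 260.0))
        if sec >= 3:
            for n in range(50):
                recs.append((sec + n / 50, "10.0.0.5", f"/file?r={sec * 50 + n}", 300.0))
    return recs


def per_client_stats(records, window_s):
    """Per-client request rate and, per (client, path), the set of query strings seen."""
    tps = defaultdict(float)
    variants = defaultdict(set)
    for _ts, ip, url, _lat in records:
        tps[ip] += 1
        parts = urlsplit(url)
        variants[(ip, parts.path)].add(parts.query)
    for ip in tps:
        tps[ip] /= window_s
    return tps, variants


def detect_dos_condition(records, window_s, th):
    """Step 1: is the site under a DoS condition (latency and/or TPS based)?"""
    if not records:
        return False
    mean_latency = sum(r[3] for r in records) / len(records)
    return mean_latency > th.latency_ms or len(records) / window_s > th.site_tps


def identify_attackers(records, window_s, th):
    """Step 2: clients that exceed the per-client TPS limit or that defeat caching
    by varying the query string on a single path."""
    tps, variants = per_client_stats(records, window_s)
    suspects = {ip for ip, rate in tps.items() if rate > th.client_tps}
    for (ip, _path), queries in variants.items():
        if len(queries) >= th.cache_bust_variants:
            suspects.add(ip)
    return suspects


def mitigate(records, window_s, th=Thresholds()):
    """Step 3: drop only the attackers. Returns (dos_detected, dropped_ips, kept_records)."""
    if not detect_dos_condition(records, window_s, th):
        return False, set(), list(records)
    attackers = identify_attackers(records, window_s, th)
    kept = [r for r in records if r[1] not in attackers]
    return True, attackers, kept


if __name__ == "__main__":
    dos, dropped, kept = mitigate(build_sample(), 10.0)
    print(dos, sorted(dropped), len(kept))   # True ['10.0.0.5'] 60
```

Note that the site-wide TPS (41 req/s in the sample) stays under its threshold; it is the latency signal that trips the DoS condition, which is why the slide's "latency and/or TPS" matters: a flood of cheap requests can push latency up long before raw request counts look alarming.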
Highly accurate anti-bot and scanner protection
- Differentiate between script and browser
- Inspection of user interaction with the browser
- Distinguish real user from bot
- Mitigate automated attacks, scanners, botnets and intellectual property scrapers
- Detect a persistent scraper that uses multiple IP addresses or a single request session
Browser Fingerprinting
- Uniquely identify browsers by their customized attributes, such as screen resolution, time zone, default fonts, user agent, installed plug-ins (http://browserspy.dk/)
- Statistical method, however strong enough (https://panopticlick.eff.org/)
- Augments sticky cookies; not sensitive to private browsing
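The slide calls fingerprinting a statistical method and points at Panopticlick; the following added Python example (not from the deck, not ASM's implementation) shows what that means in practice. It hashes the five attributes named on the slide into a stable fingerprint, estimates how many bits of identifying information each attribute value carries in a constructed population (surprisal, -log2 of the value's frequency, which is the Panopticlick measure), and keeps a cookie-independent request count per fingerprint, which is how a fingerprint can augment a sticky cookie that private browsing discards. The population and attribute values are constructed for this example.

```python
import hashlib
import json
import math

ATTRIBUTES = ("screen", "timezone", "fonts", "user_agent", "plugins")

# Constructed population of eight observed browsers (not real measurements).
COMMON = {
    "screen": "1920x1080", "timezone": "UTC+1", "fonts": "Arial;Verdana",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome", "plugins": "pdf",
}
RARE = {
    "screen": "2560x1440", "timezone": "UTC+9", "fonts": "Noto Sans JP",
    "user_agent": "Mozilla/5.0 (X11; Linux) Firefox", "plugins": "none",
}
POPULATION = (
    [COMMON] * 4
    + [dict(COMMON, screen="1366x768")] * 2
    + [dict(COMMON, timezone="UTC-5", plugins="pdf;flash")]
    + [RARE]
)


def fingerprint(attrs):
    """Stable hash over the listed attributes; sorted JSON makes it order-independent."""
    canon = json.dumps({k: attrs.get(k) for k in ATTRIBUTES}, sort_keys=True)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def surprisal_bits(population, attr, value):
    """Bits of identifying information one attribute value carries: -log2(P(value)),
    with P estimated as the value's frequency in the observed population."""
    count = sum(1 for p in population if p.get(attr) == value)
    if count == 0:
        raise ValueError(f"{attr}={value!r} never observed in population")
    return -math.log2(count / len(population))


def fingerprint_bits(population, attrs):
    """Total bits under an independence assumption (sum of per-attribute surprisals);
    attributes are correlated in reality, so this is an upper bound."""
    return sum(surprisal_bits(population, a, attrs.get(a)) for a in ATTRIBUTES)


class CookielessTracker:
    """Counts requests per fingerprint so a client that drops its sticky cookie
    (private browsing) is still recognised across requests."""

    def __init__(self):
        self.seen = {}  # fingerprint -> request count

    def observe(self, attrs):
        fp = fingerprint(attrs)
        self.seen[fp] = self.seen.get(fp, 0) + 1
        return fp, self.seen[fp]


if __name__ == "__main__":
    print(round(fingerprint_bits(POPULATION, COMMON), 2))  # small: a common profile
    print(fingerprint_bits(POPULATION, RARE))              # 15.0: unique on every attribute
```

The numbers only become meaningful against a large population; with eight samples the maximum surprisal per attribute is 3 bits, and the point of the example is the relative difference between a common and a rare profile, not the absolute values.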
IP Intelligence and Geo-location Enforcement
- IP intelligence service: attacker IP address feed, updated every 5 min; categories shown: botnet, anonymous proxies, scanner, internally infected devices and servers
- Geolocation database: restricted region or country
- Diagram: anonymous requests towards a custom application and a financial application are checked against both sources
Reporting
Detailed logging with actionable reports
- At-a-glance PCI compliance reports
- Drill-down for information on security posture
Attack Expert System in ASM
The attack expert system makes responding to vulnerabilities faster and easier:
- Violations are represented graphically, with a tooltip to explain the violation (screenshot: 1. click on the info tooltip).
- The entire HTTP payload of each event is logged.
Enhanced visibility and analysis
Application analytics for assured availability:
- Statistics collected: URLs, server/client latency, throughput, response codes, methods, client IPs and geos, user agents, user sessions
- Views: virtual server, pool member, response codes, URLs and HTTP methods
- ASM logs provide deeper intelligence grouped by application and user
- Rules can be applied based on user behavior
- Latency monitoring provides: business intelligence/capacity planning, troubleshooting and performance tuning, anomalous behavior detection
WAFaaS: Gain attack insights and intelligence
F5 Customer Portal:
- Securely communicate with Silverline SOC experts
- View centralized attack and threat monitoring reports with details including: source geo-IP mapping, blocked vs. alerted attacks, blocked traffic and attack types, alerted attack types, threats*, bandwidth used, hits/sec*, type of traffic and visits (bots vs. humans)*
  * Limited on initial release
- Diagram: Customer Portal -> Visibility & Compliance -> Attack Reports