Post on 26-Apr-2018
© F5 Networks, Inc. CONFIDENTIAL & PROPRIETARY
Anonymous: Tools of the Trade and Lessons Learned
Bill Church Systems Engineer – Federal bill@f5.com
© F5 Networks, Inc. 2 CONFIDENTIAL & PROPRIETARY
• Anonymous Background
• Evolution of Denial of Service
• DDoS Examples and Strategies for Mitigation
• Practical Strategy for Datacenter Security
Agenda
© F5 Networks, Inc. 3 CONFIDENTIAL & PROPRIETARY
Anonymous Background
4
© F5 Networks, Inc. 4 CONFIDENTIAL & PROPRIETARY
© F5 Networks, Inc. 5 CONFIDENTIAL & PROPRIETARY
Evolution of DDoS
© F5 Networks, Inc. 6 CONFIDENTIAL & PROPRIETARY
3 Classes of DDoS Attack 3DOS
• Each attack session issues requests at an increased rate as compared to a non-attacking session
• Attacker sends requests that are more taxing for the application than the client.
• Traffic volume remains low; detection is difficult
• Attacker sends single Asymmetric workload request, then closes. Attack is highly distributed to generate required power.
• Most challenging type of attack to detect and mitigate.
Request Flooding Asymmetric Workload Repeated One-Shot
© F5 Networks, Inc. 7 CONFIDENTIAL & PROPRIETARY
DoS Attacks Overview (known)
• HTTP, HTTPS, ICMP, SYN Floods, UDP Floods, DNS Request Floods, etc
• Lower layer DoS attacks target ISP connections / bandwidth
• Defendable by proxies and SYN Cookies feature of TMOS
Simple
• Layer-7 DDoS attacks targets HTTP, HTTPS, SOAP, XML and DNS services
• Typically targets server resources
• Not easily detectable, more efficient, less resources and harder to trace
• Defendable by features found in Application Security Manager (ASM)
Complex
© F5 Networks, Inc. 8 CONFIDENTIAL & PROPRIETARY
• Reflection and amplification (including DNS recursion)
• Larger botnets & autonomous propagation
• Botnet markets which are increasingly sophisticated in nature
• Peer-to-peer botnets
• Botnets using encrypted communications
• Attacks against government infrastructure for political purposes
• Use of DoS by organized crime
• Increasing sophistication of malware and malware packaging
DDoS Attacks Evolution Current
© F5 Networks, Inc. 9 CONFIDENTIAL & PROPRIETARY
• Attacks on emerging technologies
• Application layer DoS
• Realistic behavior of DoS traffic (further difficulty in detection)
• Attacks against anti-DoS infrastructure
• Attacks against SCADA systems
• Attacks against shared infrastructure and the ‘cloud’
• Cloud to Cloud
DDoS Attacks Evolution Future
© F5 Networks, Inc. 10 CONFIDENTIAL & PROPRIETARY
Attacks are Moving “Up the Stack”
90% of security investment focused here
Network Threats Application Threats
75% of attacks focused here
© F5 Networks, Inc. 11 CONFIDENTIAL & PROPRIETARY
• Diverse, Distributed Denial of Service
• “Attacks” are becoming increasingly a focussed period of many types of security events.
• Attacking groups are loosely collective, with a variety of methods, tools, resources and skills.
• Attacks start and stop, change in nature, and hit every aspect of a target infrastructure.
• Defensive controls must be broad and deep
3DoS Why The New Acronym?
© F5 Networks, Inc. 12 CONFIDENTIAL & PROPRIETARY
Layer-7 Attacks
F I R E W A L L
DDoS Appliance
App Accel
Load Balancer
Web Serv
Web Serv
Web Serv
Data base
Bandwidth Carriers
ISP’s Bandwidth Your Bandwidth
State Tables
ACL Perf
.Degrade
State Tables: IPs
Low & Slow Layer 7 – Random Layer 7 – Logical
State Tables: TCP Flood Negative Caching
Proxy Bypass
State Tables: Too Many
Connections
Many: CPU
Database Load Log Attack
Memory Exhaustion Connection Floor
Many: Thread Jam
Memory Exhaustion
BANDWIDTH >> PACKET >> CONNECTION >> OS >>HTTP(S) >> APP >> DB
© F5 Networks, Inc. 13 CONFIDENTIAL & PROPRIETARY
Mitigation controls which are failing…
• Network Firewalls
• Any Technology which blocks IP addresses
• Basic Rate Limiting • Connections per second • Per service, per client IP, etc
• Signature Scanning / IPS • SSL blinding • Out-of-band devices
© F5 Networks, Inc. 14 CONFIDENTIAL & PROPRIETARY
Mitigating controls must sit in path, know the application, and enforce behaviors - not IP addresses, or known bad strings
© F5 Networks, Inc. 15 CONFIDENTIAL & PROPRIETARY
“ 15
It would appear that the security experts are not expertly secured
Anonymous
© F5 Networks, Inc. 16 CONFIDENTIAL & PROPRIETARY
DDoS Eamples / Mitigation
© F5 Networks, Inc. 17 CONFIDENTIAL & PROPRIETARY
SlowLoris
© F5 Networks, Inc. 18 CONFIDENTIAL & PROPRIETARY
Resolution
Detect and drop slow requests to complete transmitting headers, and limits the Header size
Handling SlowLoris…
© F5 Networks, Inc. 19 CONFIDENTIAL & PROPRIETARY
Countermeasures (similar to Slowloris) a) Lower TCP Connection Reaper
percent from low 85/high 95 to low 75/high 90
b) Lower TCP timeouts
XerXes (2)…
© F5 Networks, Inc. 20 CONFIDENTIAL & PROPRIETARY
Countermeasures (similar to Slowloris) a) Lower TCP Connection Reaper percent from low
85/high 95 to low 75/high 90, Lower TCP timeouts
LOIC (exploited in “Wikileak” saga)
© F5 Networks, Inc. 21 CONFIDENTIAL & PROPRIETARY
Slow Post Attacks
© F5 Networks, Inc. 22 CONFIDENTIAL & PROPRIETARY
Microsoft Apache
“While we recognize this is an issue, the issue does not meet our bar for the release of a security update. We will continue to track this issue and the changes I mentioned above for release in a future service pack.”
“What you described is a known attribute (read: flaw) of the HTTP protocol over TCP/IP. The Apache HTTP project declines to treat this expected use-case as a vulnerability in the software.”
What The Vendors Say About Slow Post
© F5 Networks, Inc. 23 CONFIDENTIAL & PROPRIETARY
iRules ASM
• Check on length and the client payload sent e.g. < 2048 bytes (def)
• Check on duration of connection with client e.g. < 2 seconds (def)
• If exceed custom duration or length, response to client retry
• ASM counts the number of slow post connections, connection above Y seconds are considered a slow connection.
• ASM will then prevent more than X slow connections to happen at the same time.
Handling Slow POST attack …
© F5 Networks, Inc. 24 CONFIDENTIAL & PROPRIETARY
Handling Slow POST attack (iRule)
© F5 Networks, Inc. 25 CONFIDENTIAL & PROPRIETARY
• Use the target site’s own processing power against itself. Its effectiveness is due to the fact that it exploits a vulnerability in a widespread SQL service
• Live fire exercises from the creator(s) took down “Pastebin” for 42 minutes after a 17 second attack
• Attackers combine with previous techniques like Slowloris and Slow POST to extend the impact
#RefRef
© F5 Networks, Inc. 26 CONFIDENTIAL & PROPRIETARY
“ I send two packets from my iphone, and everything else happens on the server. Basically eats itself apart, because since both are on the server, its all a local connection.
Anonymous
© F5 Networks, Inc. 27 CONFIDENTIAL & PROPRIETARY
• Block SQL commands from being inserted into HTTP requests (attack signatures for SQLi)
• Mitigation of Slowloris and Slow POST combo attacks
#RefRef Mitigation
© F5 Networks, Inc. 28 CONFIDENTIAL & PROPRIETARY
Handling “Apache Killer”
HEAD / HTTP/1.1 Host:xxxx Range:bytes=0-,5-1,5-2,5-3,…
© F5 Networks, Inc. 29 CONFIDENTIAL & PROPRIETARY
SSL/TLS Vulnerability BEAST (7)…
© F5 Networks, Inc. 30 CONFIDENTIAL & PROPRIETARY
Addressing SSL/TLS vulnerability seamlessly
30
Enforcer • SSL Client Profile –
enforce TLS 1.2 • SSL Server Profile
– Automated compatibility (need not be TLS1.2)
Server • Negotiable with
its supported crypto algorithm
Client o Different browser that
would not support SSL/TLS 1.2 yet e.g. Firefox, Chrome, Safari
o Pre-configured application policies
© F5 Networks, Inc. 31 CONFIDENTIAL & PROPRIETARY
SSL DoS Tool
© F5 Networks, Inc. 32 CONFIDENTIAL & PROPRIETARY
“ Establishing a secure SSL connection requires 15x more processing power on the server than on the client.
THC-SSL-DOS exploits this asymmetric property by overloading the server and knocking it off the Internet.
This problem affects all SSL implementations today. The vendors are aware of this problem since 2003 and the topic has been widely discussed.
This attack further exploits the SSL secure Renegotiation feature to trigger thousands of renegotiations via single TCP connection.
© F5 Networks, Inc. 33 CONFIDENTIAL & PROPRIETARY
Mitigating the THC SSL DoS Threat
© F5 Networks, Inc. 34 CONFIDENTIAL & PROPRIETARY
THC-SSL-DOS Mitigation for LTM
© F5 Networks, Inc. 35 CONFIDENTIAL & PROPRIETARY
Do not accept connections with abnormally small advertised window sizes
Do not enable persistent connections and HTTP pipelining unless performance really benefits from it
Limit the absolute connection lifetime to some reasonable value
Slow Read DoS
© F5 Networks, Inc. 36 CONFIDENTIAL & PROPRIETARY
© F5 Networks, Inc. 37 CONFIDENTIAL & PROPRIETARY
DNS Security (10)…
GTM
DNS Server
• DNS is a likely target • Without DNS, virtually everything is
down • F5 DNS Services profile scales DNS
infrastructure • Full slave domain copy
Benefits • High Performance DNS • >1M DNS RPS • Scalable DNS • Secure DNS Queries • BGP Anycast • DNSSec • IPv6
© F5 Networks, Inc. 38 CONFIDENTIAL & PROPRIETARY
Practical Strategy for Data Center Security
© F5 Networks, Inc. 39 CONFIDENTIAL & PROPRIETARY
Which is More Effective? Patrol vs Moat
vs
Bridge Mode Full Proxy Mode
© F5 Networks, Inc. 40 CONFIDENTIAL & PROPRIETARY
Bridge mode vs Proxy mode
Passive listener – Reactive response
Risk Transference – “Offload” to traditional defense
Visibility + Control –Identify/Mediate in Real time
Flexible + Scale Up - Unified defense Front Line
Bridge Proxy
Proactive + Resilient – Layered Resistance to ongoing attacks
© F5 Networks, Inc. 41 CONFIDENTIAL & PROPRIETARY
DDoS mitigation
Hardened Defense
Defense against DNS flooding (DNS
Express, IPAnyCast)
Reinforce against attacks e.g. ICMP, UDP flood, UDP fragments, etc
Resource Availability
Connection Reapers
Adaptive Reaper
Geo-location aware routing
Anomaly Detection
Client Side Integrity (legit/whitelist)
Brute force prevention
IP Enforcer
Rule based detection (redirect, request
throttling, etc)
Network Mitigation
Rate Shaping
Transaction Limiting
Latency Limiting
SYN Check
Protect Detect React
© F5 Networks, Inc. 42 CONFIDENTIAL & PROPRIETARY
Attack Identification
Traffic Thresholds
iRule/ASM Attack Signatures for Known DDoS attacks
DDoS attack relief
Modify WIP (global distro)
Attack Mitigations
Cleansing the traffic
Syn cookies, total sessions, ramp & dissolve rates
Line-Rate Hardware mitigation
iRule/ASM Attack Signatures for Known DDoS attacks
iRule/ASM Logging Signatures for analysis of unknown attack
iRule/ASM custom rule creation
DDoS Strategic Mitigation Approach
© F5 Networks, Inc. 43 CONFIDENTIAL & PROPRIETARY
Weak link: Disjointed Security
False sense of security by deploying various FW,AV,
IDS/IPS (Running different
platforms)
Lack sophistication & visibility
(who, where, what?) Mismatched collection of nonintegrated defences (complexity to manage, maintain and high cost)
“Next-generation” security solutions Perform at unprecedented speed, scale as needed, and support thousands of users easily and cost-effectively.
Rethink Yesterday’s Security Strategies
© F5 Networks, Inc. 44 CONFIDENTIAL & PROPRIETARY
Questions?
© 2012 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, and IT agility. Your way., are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5.
CONFIDENTIAL & PROPRIETARY