Content delivery network and web application firewall

Post on 16-Jul-2015

CONTENT DELIVERY NETWORK AND WEB APPLICATION FIREWALL

A Double Whammy for Hackers?

MY BRIEF CREDENTIALS

Principal IT Consultant, CISSP

eBay bug bounty award.

0-day full CV dump vulnerability on a major job search site.

Worked in Silicon Valley, California as a software developer during the Dot COM boom days.

Email: andrewchong2000@gmail.com

DISCLAIMER

The information presented does not reflect the

opinion of my current employer.

The views and opinions expressed are purely from

my personal research.

Any product claim, statistic, quote or other

representation about a product or service should be

verified with the manufacturer or provider.

MAIN TOPICS

How do a CDN and a WAF help prevent cyber attacks on a financial institution (FI)?

Discussing the defacement of the Malaysia Airlines website even though both a CDN and a WAF were in place.

Techniques to close the gap and build strength for the future.

REMINDER

This presentation is not:

To tell you to be compliant with the MAS TRM guidelines, which you already know.

To tell you the "defense-in-depth" theories, which you already know.

To tell you the dangers and motivations of cyber attacks, DDoS attacks and malware, which you already know.

To tell you to give users awareness training, which you already know.

To tell you how to create a governance process, which you already know.

Blah blah...

The objective is not to bore all the Ninjas here!

PREPARING A DDOS ATTACK DEFENCE

Purchase an on-premise DDoS mitigation appliance

E.g. Fortinet, Juniper Networks, Cisco Guard

Purchase a DDoS mitigation service from your ISP

E.g. clean-pipe service, Level 3

Purchase a DDoS mitigation service from a specialised mitigation service provider

E.g. Akamai, Incapsula, CloudFlare, DOSarrest, Arbor

(These are examples of CDN+WAF or "scrubber" technology providers.)

AGENDA

1. Preparing a DDoS Attack Defence

2. Traditional Architecture

3. What is a Content Delivery Network (CDN)?

4. CDN Architecture

5. Key Benefits of Enterprise CDN

6. Key Benefits of Web Application Firewall (WAF)

7. CDN and WAF Architecture

8. WAF Weakness

9. CDN Weakness

10. Case Study: Malaysia Airlines incident (26-Jan-15)

11. Case Study: Lenovo incident (25-Feb-15)

12. DNS Hijacking Prevention Best Practices

13. Questions to ask your Domain Registrar

14. CDN Security Protection Best Practices

TRADITIONAL ARCHITECTURE

So how do we solve this?

Solution: servers are always close to you!

WHAT IS A CONTENT DELIVERY NETWORK (CDN)?

A Content Delivery Network (CDN) is a network of servers hosted by a service provider in multiple locations around the world, so that content can always be served from the server nearest to the consumer requesting it.

A CDN consists of two key components:

The origin server(s): the content source server, which the CDN fetches from.

Cache / edge servers: the servers that the client sees and requests content from.

CDN ARCHITECTURE

CDN network architecture (diagram)

A CDN uses a DNS CNAME record to hide your origin (source) server: your public hostname is a CNAME to a hostname in the CDN's zone, and the CDN's DNS answers with the address of an edge server near the client.

Example observed at the time: www.dbs.com.sg resolved to the A record 23.204.171.241.

The "A" in "A" record stands for Address. An "A" record maps a name to the IPv4 address of a host connected to the internet.

23.204.171.241 belongs to Akamai, not to the bank.

po.dbs.com.sg is the primary (master) DNS server named in the zone's SOA record.

SOA stands for Start Of Authority; its MNAME field names the primary name server for the zone.

A CDN can also front your primary/master DNS server (the one named in the SOA) by serving the zone from its own authoritative name servers, so the master is not exposed to the internet.

Request flow for a cached object:

1. The client requests logo.png from images.mydomain.com.
2. DNS finds the CNAME and directs the client to the CDN edge.
3. If logo.png is not in the CDN cache, or has expired, the edge requests it from the origin server and refreshes its cache.
4. The CDN responds to the client with logo.png.

Request flow: DNS -> CDN -> Origin

CDNs "pull" content from the origin server during HTTP requests in order to cache it.

Besides GET requests, a CDN can also proxy POST requests (which are not cacheable and are forwarded to the origin).

Check with your CDN provider that PUT, TRACE, DELETE and CONNECT are blocked at the edge unless your application actually needs them; these methods are not safe and the origin should reject them as well.

KEY BENEFITS OF ENTERPRISE CDN

Faster site performance

High availability

Web application firewall (WAF)

DDoS protection

DNS DDoS and attack protection

Near real-time statistics

CDN vendor threat monitoring (managed service)

KEY BENEFITS OF ENTERPRISE CDN

Other hidden benefits!

The CDN vendor manages your SSL certificate lifecycle.

Wildcard SSL certificates are deployed on the edge servers.

"Free" threat consultation from the CDN vendor.

Lessens your company's cyber-ops workload:

Less need to trigger technical controls to block attackers

Less need to escalate threats to internal teams

Less effort to fine-tune WAF configurations compared with running your own WAF

Reduces overall operating cost.

KEY BENEFITS OF WEB APPLICATION FIREWALL (WAF)

"Most" layer 7 attacks can be blocked before they reach the web server.

A "fast" way to shield vulnerable applications from attacks.

Newly discovered application threats such as "Path-Relative Stylesheet Import" (PRSSI) vulnerabilities can be covered by updating the WAF signatures.

Blocks automated scanners using signatures and rate control.

Legacy applications can be protected while the application is given time to be upgraded.

CDN AND WAF ARCHITECTURE

WAF WEAKNESS

A WAF cannot protect against all layer 7 attacks.

E.g. application business logic bypass

A WAF uses regular expressions to block requests that match known attack patterns.

WAF regexes need constant fine-tuning and improvement to block clever attacks.

Because of poor application design or coding, specific WAF rules are often disabled or set to "warning" mode so that the application keeps working.

WAF WEAKNESS

A WAF can be bypassed given enough time for the attacker to figure out the rules.

Example: blind SQL injection WAF regex bypass

The substring keyword is blocked. However, the left and right keywords are fine, and right(left(s, n), 1) returns the same character as substring(s, n, 1)!

Blocked:

and+ascii(substring((SELECT%20db_name()),1,1))%3d70

Bypass:

and+ascii(right(left((SELECT%20db_name()),1),1))%3d70

and+ascii(right(left((SELECT%20db_name()),2),1))%3d70

...
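To make the bypass concrete, here is an added example (not code from the slides or from any WAF product): a toy signature WAF with a regex blocklist that behaves the way the slide describes, the three payloads from the slide, a constructed percent-encoded variant that shows why the WAF must URL-decode before matching, and a positive (allow-list) check for the same parameter that rejects every variant without needing a keyword. The `id`-is-a-number assumption and the blocklist contents are mine.

```python
import re
from urllib.parse import unquote_plus

# Added illustration of the bypass on the slide: a toy signature WAF with a
# regex blocklist, the payloads from the slide, and the positive-model check
# that does not need a signature. Not the code of any real WAF product.

# One rule per attack keyword, as the blocked/bypassed pair on the slide implies:
# "substring(" is blocked, "left(" and "right(" are not.
BLOCKLIST = [
    re.compile(r"\bsubstring\s*\(", re.IGNORECASE),
    re.compile(r"\bunion\s+(all\s+)?select\b", re.IGNORECASE),
]


def normalize(raw_param: str) -> str:
    """URL-decode the parameter the way the application will see it.
    A WAF that matches the raw query string misses %73ubstring and '+' spaces."""
    return unquote_plus(raw_param)


def waf_blocks(raw_param: str) -> bool:
    """True if any blocklist regex matches the decoded parameter."""
    value = normalize(raw_param)
    return any(rule.search(value) for rule in BLOCKLIST)


def positive_model_ok(raw_param: str) -> bool:
    """Allow-list check for the same parameter (assumption: a record id is only
    ever a short decimal number), so every injection variant fails regardless
    of which SQL keyword it uses."""
    return re.fullmatch(r"[0-9]{1,10}", normalize(raw_param)) is not None


def classify(raw_param: str) -> str:
    if waf_blocks(raw_param):
        return "blocked-by-signature"
    if not positive_model_ok(raw_param):
        return "rejected-by-allowlist"
    return "allowed"


def char_via_right_left(s: str, n: int) -> str:
    """Python model of RIGHT(LEFT(s, n), 1): the same 1-based character that
    SUBSTRING(s, n, 1) returns, which is why the rewritten payload keeps working."""
    return s[:n][-1:]


# Payloads copied from the slide (tail of a probed "id" parameter).
BLOCKED = "and+ascii(substring((SELECT%20db_name()),1,1))%3d70"
BYPASS_1 = "and+ascii(right(left((SELECT%20db_name()),1),1))%3d70"
BYPASS_2 = "and+ascii(right(left((SELECT%20db_name()),2),1))%3d70"
# Constructed variant: same keyword, percent-encoded first letter.
ENCODED = "and+ascii(%73ubstring((SELECT%20db_name()),1,1))%3d70"

if __name__ == "__main__":
    for p in (BLOCKED, BYPASS_1, BYPASS_2, ENCODED, "42"):
        print(f"{classify(p):22s} {normalize(p)}")
```

The two bypass payloads sail past the blocklist but fail the allow-list, which is the practical lesson: a blacklist regex is only ever as good as the last keyword somebody thought of, while a positive model of what the parameter may contain does not need tuning when the next synonym appears.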

CDN WEAKNESS

Normal domain name request: DNS -> IP -> CDN -> ORIGIN

What if the attacker goes DNS -> IP -> ORIGIN, skipping the CDN?

Just because your origin server's IP address is no longer advertised over DNS, it is still connected to the internet!

If your origin IP address is not kept secret, attackers can bypass the CDN (and the WAF in front of it) and attack your servers directly!

CDN WEAKNESS

Attacking the origin server: the weak point is the origin IP, which can be hit with a DDoS that the CDN never sees.

CDN WEAKNESS

Common default origin naming by CDN providers:

ORIGIN.<domain name>

ORIGIN.<sub>.<domain name>

DIRECT.<domain name>

<domain name>.CDN.<CDN domain name>

Also try common misspellings:

ORIGN

ORGIN
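The defender's version of this guessing game is an exposure audit: generate the default origin names for your own zone and flag any that resolve to an address outside the CDN's ranges. The block below is an added example, not from the slides or any CDN vendor; the zone (example.com), the CDN prefixes and the resolver answers are constructed so it runs offline, and in practice `DNS_ANSWERS.get` would be replaced by a real resolver and the prefixes by the provider's published list.

```python
import ipaddress

# Added example of the origin-exposure check the slide implies: generate the
# default origin names for a zone and flag any that resolve to an address
# outside the CDN's ranges. Zone, ranges and DNS answers are constructed here
# so it runs offline; in practice replace DNS_ANSWERS.get with a real resolver.

# Example CDN prefixes (constructed stand-ins; use your provider's published list).
CDN_RANGES = [ipaddress.ip_network(n) for n in ("23.192.0.0/11", "104.16.0.0/12")]


def origin_candidates(domain: str, sub: str = "www",
                      cdn_domain: str = "cdn-provider.example") -> list[str]:
    """Default naming patterns from the slide plus the two common misspellings."""
    names = {
        f"origin.{domain}",
        f"origin.{sub}.{domain}",
        f"direct.{domain}",
        f"{domain}.cdn.{cdn_domain}",
    }
    names |= {f"{typo}.{domain}" for typo in ("orign", "orgin")}
    names |= {f"{typo}.{sub}.{domain}" for typo in ("orign", "orgin")}
    return sorted(names)


def behind_cdn(ip: str) -> bool:
    """True if the address falls inside one of the CDN prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


# Constructed resolver answers for a hypothetical zone: the public name is on
# the CDN, but two guessable names resolve straight to the real origin.
DNS_ANSWERS = {
    "www.example.com": ["23.204.171.241"],
    "origin.www.example.com": ["203.0.113.10"],
    "orign.example.com": ["203.0.113.10"],
}


def audit_origin_exposure(domain: str, sub: str = "www",
                          resolve=DNS_ANSWERS.get) -> dict[str, list[str]]:
    """Map every name (public host plus origin guesses) that resolves outside the
    CDN to the addresses it leaks. An empty dict means nothing bypassable was found."""
    exposed: dict[str, list[str]] = {}
    for name in [f"{sub}.{domain}", *origin_candidates(domain, sub)]:
        leaked = [a for a in (resolve(name) or []) if not behind_cdn(a)]
        if leaked:
            exposed[name] = leaked
    return exposed


if __name__ == "__main__":
    for name, addrs in audit_origin_exposure("example.com").items():
        print(f"EXPOSED {name} -> {', '.join(addrs)}")
```

Run it against your own zone with a real resolver and every hit is a name an attacker can use to reach the origin directly; the fix is to rename the origin to something unguessable and, as the best-practice slides say later, to firewall it to the CDN's ranges.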

CDN WEAKNESS

Akamai debug HTTP request Pragma headers

Source: http://mesmor.com/2012/03/18/akamai-pragma-debug-headers/

Pragma: akamai-x-cache-on, akamai-x-cache-remote-on, akamai-x-check-cacheable, akamai-x-get-cache-key, akamai-x-get-extracted-values, akamai-x-get-nonces, akamai-x-get-ssl-client-session-id, akamai-x-get-true-cache-key, akamai-x-serial-no

Unless the customer has switched them off, the edge answers these with extra X-Cache*, X-True-Cache-Key and X-Akamai-Session-Info response headers. For example:

curl -s -I -H "Pragma: akamai-x-get-true-cache-key" http://www.malaysiaairlines.com

CDN WEAKNESS

HTTP/1.1 200 OK

Date: Tue, 10 Feb 2015 04:43:34 GMT

ETag: "12fc58b-2b88d-50eb3ec99f1c0"

Server: Apache

X-Cache: TCP_IMS_HIT from a23-220-203-15.deploy.akamaitechnologies.com (AkamaiGHost/7.1.0.2-14656242) (-), MISS from 10.88.3.70, MISS from 10.88.3.70

X-Serial: 1456

X-Cache-Key: /L/1456/211307/1h/origin.www.malaysiaairlines.com/my/en.html

Content-Type: text/html; charset=UTF-8

Cache-Control: no-cache

Last-Modified: Tue, 10 Feb 2015 04:00:15 GMT

X-Frame-Options: SAMEORIGIN

Proxy-Connection: Keep-Alive

X-True-Cache-Key: /L/origin.www.malaysiaairlines.com/my/en.html

X-Check-Cacheable: YES

X-Akamai-Session-Info: name=AKA_PM_BASEDIR; value=

X-Akamai-Session-Info: name=AKA_PM_CACHEABLE_OBJECT; value=true

X-Akamai-Session-Info: name=AKA_PM_DEV_CHAR_IS_MOBILE; value=false; full_location_id=is_mobile

X-Akamai-Session-Info: name=AKA_PM_FWD_URL; value=/my/en.htm

The cache key reveals a default and guessable origin name: origin.www.malaysiaairlines.com!
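A practitioner wants to pull exactly that information out of such a response automatically, both when testing a target and when checking that their own property no longer answers the debug Pragma. The functions below are an added example, not an Akamai tool and not code from the slides; the header block is trimmed from the capture shown above, and the parsing assumes the edge echoes the origin hostname inside the cache key path and the internal hop addresses in X-Cache, as this capture does.

```python
import ipaddress
import re

# Added example: parse a CDN debug response for what it gives away. The header
# block below is trimmed from the capture shown on the slide; the functions are
# illustration code, not an Akamai tool. Runs offline on the embedded text.
RESPONSE = """HTTP/1.1 200 OK
Server: Apache
X-Cache: TCP_IMS_HIT from a23-220-203-15.deploy.akamaitechnologies.com (AkamaiGHost/7.1.0.2-14656242) (-), MISS from 10.88.3.70, MISS from 10.88.3.70
X-Serial: 1456
X-Cache-Key: /L/1456/211307/1h/origin.www.malaysiaairlines.com/my/en.html
Content-Type: text/html; charset=UTF-8
X-True-Cache-Key: /L/origin.www.malaysiaairlines.com/my/en.html
X-Check-Cacheable: YES
X-Akamai-Session-Info: name=AKA_PM_FWD_URL; value=/my/en.htm
"""

# Response headers that only appear when the Pragma debug switches are honoured.
DEBUG_PREFIXES = ("x-cache", "x-true-cache-key", "x-check-cacheable",
                  "x-akamai-session-info", "x-serial")
# A hostname embedded in a cache key: at least two dots, delimited by '/'.
HOST_IN_KEY = re.compile(r"/((?:[a-z0-9-]+\.){2,}[a-z]{2,})(?=/|$)", re.IGNORECASE)
# "MISS from 10.88.3.70" style hop annotations in X-Cache.
HOP_IP = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})")


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP response into (lower-cased name, value) pairs."""
    headers = []
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def debug_headers_present(headers) -> list[str]:
    """Names of debug headers the edge returned; should be empty in production."""
    return sorted({n for n, _ in headers if n.startswith(DEBUG_PREFIXES)})


def origin_hostnames(headers) -> list[str]:
    """Origin names leaked through the cache key headers."""
    found = set()
    for name, value in headers:
        if name in ("x-cache-key", "x-true-cache-key"):
            found.update(h.lower() for h in HOST_IN_KEY.findall(value))
    return sorted(found)


def internal_hops(headers) -> list[str]:
    """Private (RFC 1918) addresses exposed in X-Cache: proxies behind the edge."""
    hops = set()
    for name, value in headers:
        if name == "x-cache":
            hops.update(ip for ip in HOP_IP.findall(value)
                        if ipaddress.ip_address(ip).is_private)
    return sorted(hops)


if __name__ == "__main__":
    hdrs = parse_headers(RESPONSE)
    print("debug headers:", debug_headers_present(hdrs))
    print("origin names :", origin_hostnames(hdrs))
    print("internal hops:", internal_hops(hdrs))
```

Feed it the output of the curl command above for your own site: after the debug headers are disabled at the CDN, all three functions should come back empty, which makes this a simple regression check to keep in your monitoring.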

CDN WEAKNESS

CDN providers also give customers a staging CDN platform.

The CDN staging platform lets customers test changes before deploying them to the production CDN.

In theory, the staging platform will be less "robust" than the production platform.

The CDN staging platform may not be monitored at all! A good way for hackers to test for vulnerabilities without being caught or raising alerts.

To find the staging platform URL, just google it and guess it!

Or simply sign up for the CDN provider's service to find out!

CASE STUDY: MALAYSIA AIRLINES INCIDENT (26-JAN-15)

Source: http://www.theguardian.com/world/2015/jan/26/malaysia-airlines-website-hacked-by-lizard-squad

CASE STUDY: MALAYSIA AIRLINES INCIDENT (26-JAN-15)

The name servers (NS) were under akam.net (Akamai DNS: the site was on the Akamai CDN! Holy S***)

The SOA record's primary server was barbara.ns.cloudflare.com

Why two CDN vendors? Really?

CASE STUDY: MALAYSIA AIRLINES INCIDENT (26-JAN-15)

HTTP response header during the defacement:

Server: LIZARDSQUAD

Who would bother to change the server banner after defacing the real web server (it means editing httpd.conf or the registry)? A banner the attackers chose points to a server they controlled, not the airline's.

Most likely this was a DNS hijacking attack!

CASE STUDY: MALAYSIA AIRLINES INCIDENT (26-JAN-15)

Source: http://www.computerworld.com/article/2874928/malaysia-airlines-claim-dns-hijacked-site-not-hacked-but-attackers-threaten-data-dump.html

CASE STUDY: MALAYSIA AIRLINES INCIDENT (26-JAN-15)

Source: http://www.washingtonpost.com/news/morning-mix/wp/2015/01/26/lizard-squad-hacks-malaysia-airlines-claiming-link-to-islamic-state/

CASE STUDY: MALAYSIA AIRLINES INCIDENT (26-JAN-15)

A phishing attack against the domain's administrators is one possible cause.

Source: http://www.tnooz.com/article/explainer-malaysian-airlines-website-attack/

CASE STUDY: MALAYSIA AIRLINES INCIDENT (26-JAN-15)

After the site went back to normal, the DNS records were as follows:

The SOA primary is now rusa.skali.com.my

Is this the correct SOA?

Or have they moved out of Cloudflare?

CASE STUDY: MALAYSIA AIRLINES INCIDENT (26-JAN-15)

Search the historical DNS records using DNSHistory.org:

malaysiaairlines.com's SOA has historically been rusa.skali.com.my! So the Cloudflare SOA seen during the incident was the attackers', and the Akamai NS records are the normal ones.

CASE STUDY: MALAYSIA AIRLINES INCIDENT (26-JAN-15)

The malaysiaairlines.com domain registrar is Webnic.cc

Was Webnic.cc compromised? Most likely... but there was no public news to confirm it.

CASE STUDY: LENOVO INCIDENT (25-FEB-15)

Source: http://www.theguardian.com/technology/2015/feb/26/lenovo-website-hacked-and-defaced-by-lizard-squad-in-superfish-protest

CASE STUDY: LENOVO INCIDENT (25-FEB-15)

Source: http://www.eweek.com/security/lenovo.com-hacked-but-soon-restored-after-intervention-by-cloudflare.html

CASE STUDY: LENOVO INCIDENT (25-FEB-15)

Source: https://twitter.com/lizardcircle

CASE STUDY: LENOVO INCIDENT (25-FEB-15)

The EPP authorization code is essentially a password for the domain and is one of the strongest safeguards against unauthorized transfers of a domain name.

In other words, EPP authorization codes are an extra security measure ensuring that only the actual domain name owner can initiate an outgoing transfer to another registrar. If an attacker can read the code from the registrar's systems, that safeguard is gone.

(Screenshot from the attackers' Twitter account apparently showing the domain's client lock status and its EPP code.)

CASE STUDY: LENOVO INCIDENT (25-FEB-15)

Source: https://twitter.com/lizardcircle

Lenovo's email was also hijacked as a result of the DNS hijack: whoever controls the domain's DNS controls its MX records too.

CASE STUDY: LENOVO INCIDENT (25-FEB-15)

Source: http://krebsonsecurity.com/2015/02/webnic-registrar-blamed-for-hijack-of-lenovo-google-domains/

CASE STUDY: LENOVO INCIDENT (25-FEB-15)

Source: http://krebsonsecurity.com/2015/02/webnic-registrar-blamed-for-hijack-of-lenovo-google-domains/

Rootkit!

CASE STUDY: LENOVO INCIDENT (25-FEB-15)

What is a rootkit?

A rootkit is a stealthy type of malicious software designed to hide the existence of certain processes or programs from normal methods of detection and to enable continued privileged access to a computer.

Damage: a rootkit might covertly steal user passwords and sensitive data (such as registrar account credentials or EPP codes) or conduct other unauthorized activities.

CASE STUDY: LENOVO INCIDENT (25-FEB-15)

The Webnic registrar was offline for around 5 days after the incident.

DNS HIJACKING PREVENTION BEST PRACTICE

Major DNS Hijacking incidents

DNS HIJACKING PREVENTION BEST PRACTICE

DNS hijacking, a.k.a. domain theft or domain hijacking, is the process by which the registration of a currently registered domain name is changed or transferred without the permission of its original registrant, generally by exploiting a vulnerability in the domain name registration system (the registrar, the registry, or the registrant's account).

DNS HIJACKING PREVENTION BEST PRACTICE

Registrar client locks:

Purpose: to prevent unauthenticated changes through the registrar's portal or API.

clientUpdateProhibited

clientTransferProhibited

clientDeleteProhibited

These locks are set and removed by the registrar itself, so they are useless once the attacker has obtained the credentials to the registrar account (or has compromised the registrar, as in the Webnic case).

Source: https://blogs.akamai.com/2015/01/dns-hijacking-dangers-and-defenses.html

DNS HIJACKING PREVENTION BEST PRACTICE

Registry server locks (often sold as "registry lock"):

Purpose: the lock is held at the registry, so the registrar cannot change the domain on its own; before the lock is lifted, the previously agreed admin contact is contacted to verify the change.

Requires a call back to a specified phone number

Only certain named individuals can approve changes

serverUpdateProhibited

serverTransferProhibited

serverDeleteProhibited

Source: https://blogs.akamai.com/2015/01/dns-hijacking-dangers-and-defenses.html

DNS HIJACKING PREVENTION BEST PRACTICE

After the incident, Malaysia Airlines implemented both the registrar client lock and the registry server lock.

DNS HIJACKING PREVENTION BEST PRACTICE

After the incident, Lenovo implemented both the registrar client lock and the registry server lock.

DNS HIJACKING PREVENTION BEST PRACTICE

Most domains implement only the registrar client lock, to avoid the inconvenience when a fast turnaround is needed.

Example: www.dbs.com.sg
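Checking which tier of lock a domain actually has is a lookup of its EPP status codes, which registrars print in WHOIS and registries return over RDAP. The block below is an added example (not from the slides or from any registrar): it reads both formats, normalises the two spellings of the same status, and reports which lock set is complete. The WHOIS and RDAP samples are constructed for hypothetical domains under the reserved .example TLD.

```python
import json

# Added example of the check behind these slides: read the EPP status codes
# a registrar or registry reports for a domain and say which locks are missing.
# The WHOIS and RDAP samples are constructed for hypothetical domains.
CLIENT_LOCKS = {"clientupdateprohibited", "clienttransferprohibited", "clientdeleteprohibited"}
SERVER_LOCKS = {"serverupdateprohibited", "servertransferprohibited", "serverdeleteprohibited"}

WHOIS_SAMPLES = {
    # Registrar client locks and registry server locks both in place.
    "fullylocked.example": """Domain Name: FULLYLOCKED.EXAMPLE
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
""",
    # The common case on the slide: client locks only.
    "clientonly.example": """Domain Name: CLIENTONLY.EXAMPLE
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
""",
    "open.example": "Domain Name: OPEN.EXAMPLE\nDomain Status: ok https://icann.org/epp#ok\n",
}

# RDAP (RFC 7483) spells the same statuses as lower-case words with spaces.
RDAP_SAMPLE = json.dumps({
    "ldhName": "clientonly.example",
    "status": ["client transfer prohibited", "client update prohibited",
               "client delete prohibited"],
})


def _norm(status: str) -> str:
    """Compare 'clientTransferProhibited' and 'client transfer prohibited' as one value."""
    return status.replace(" ", "").lower()


def statuses_from_whois(text: str) -> set[str]:
    """Collect every 'Domain Status:' value, dropping the trailing ICANN URL."""
    found = set()
    for line in text.splitlines():
        if line.lower().startswith("domain status:"):
            value = line.split(":", 1)[1].strip()
            if value:
                found.add(_norm(value.split()[0]))
    return found


def statuses_from_rdap(doc: str) -> set[str]:
    return {_norm(s) for s in json.loads(doc).get("status", [])}


def lock_report(statuses: set[str]) -> dict:
    """Which lock tier is complete, and which individual codes are absent."""
    return {
        "client_lock": CLIENT_LOCKS <= statuses,
        "registry_lock": SERVER_LOCKS <= statuses,
        "missing": sorted((CLIENT_LOCKS | SERVER_LOCKS) - statuses),
    }


if __name__ == "__main__":
    for domain, text in WHOIS_SAMPLES.items():
        print(domain, lock_report(statuses_from_whois(text)))
    print("rdap", lock_report(statuses_from_rdap(RDAP_SAMPLE)))
```

Run over the output of `whois <domain>` (or the registry's RDAP endpoint) for every domain your institution owns, this gives a one-line inventory of which ones still rely on the registrar client lock alone, the situation the slide describes.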

QUESTIONS TO ASK YOUR DOMAIN REGISTRAR

Choose a reputable domain registrar. Do your research by asking the following questions:

Q1: What are my authentication options (e.g. two-factor authentication)?

Q2: How will authorized changes be verified?

Q3: Can I lock changes to a call-back number?

Q4: What is the backup plan when the primary authentication method fails?

Q5: Can the above be circumvented via the API, the portal, or a rootkit on your systems?

CDN SECURITY PROTECTION BEST PRACTICES

Don't use a guessable origin domain name. An attacker can guess the origin system's DNS record to bypass the CDN and WAF controls, or find the origin by searching Shodan (http://shodanhq.com) for your hostnames and certificates.

E.g. origin.www.<domain name>

CDN SECURITY PROTECTION BEST PRACTICES

Disable CDN debugging features. The debugging information (cache keys, origin names, internal hops) can be used by attackers to design a direct-to-origin DDoS attack.

CDN SECURITY PROTECTION BEST PRACTICES

Only allow your origin server to communicate with your CDN's servers, by white-listing the CDN's address ranges on your firewall (and keep the list current as the provider changes it).
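The network firewall is the real control here, but the origin application should make the same decision and, just as importantly, should only believe client addresses in X-Forwarded-For / True-Client-IP when the connection actually came from a CDN edge. The block below is an added example, not from the slides or any CDN vendor; the CDN prefixes and the sample requests are constructed, and the header names are the ones CDNs commonly use for the forwarded client address.

```python
import ipaddress

# Added example, not from the slides or any CDN vendor: the decision an origin
# makes for each connection once only the CDN is supposed to reach it. The
# network firewall allow-list is the real control; this is the application-side
# belt to those braces, and it shows why X-Forwarded-For must not be trusted
# from anyone else. Ranges below are constructed stand-ins.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("23.192.0.0/11", "104.16.0.0/12")]


def is_cdn_peer(peer_ip: str) -> bool:
    """True if the TCP peer is inside one of the CDN prefixes."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in CDN_RANGES)


def _first_valid_ip(value: str):
    """Left-most entry of a comma separated forwarded chain, if it is a real address."""
    first = value.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


def origin_decision(peer_ip: str, headers: dict) -> tuple[bool, str, str]:
    """Return (accept, client_ip_for_logs, reason).

    Direct-to-origin connections are refused and logged with the real peer, so
    a CDN bypass attempt is visible. Only when the peer is a CDN edge is the
    client address taken from the forwarded header; otherwise that header is
    ignored, because anyone can send X-Forwarded-For: 127.0.0.1."""
    if not is_cdn_peer(peer_ip):
        return (False, peer_ip, "direct-to-origin")
    lower = {k.lower(): v for k, v in headers.items()}
    forwarded = lower.get("true-client-ip") or lower.get("x-forwarded-for", "")
    client = _first_valid_ip(forwarded)
    if client is None:
        return (True, peer_ip, "via-cdn-no-client-ip")
    return (True, client, "via-cdn")


# Constructed requests: one through the edge, one straight at the origin, and
# one bypass attempt that spoofs the forwarded headers to look legitimate.
SAMPLES = [
    ("23.204.171.241", {"X-Forwarded-For": "198.51.100.7, 23.204.171.241"}),
    ("203.0.113.50", {}),
    ("203.0.113.50", {"X-Forwarded-For": "10.0.0.1", "True-Client-IP": "10.0.0.1"}),
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLES:
        print(peer, origin_decision(peer, hdrs))
```

Wire `origin_decision` into the front of your request handling (or the equivalent `allow`/`deny` and `set_real_ip_from` directives in the web server) and every refused connection is a direct-to-origin probe worth an alert, because it means someone already knows the address the CDN was supposed to hide.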

CDN SECURITY PROTECTION BEST PRACTICES

Only allow your primary DNS server to communicate with your CDN's DNS servers, by white-listing the CDN's DNS servers on your firewall.

CDN SECURITY PROTECTION BEST PRACTICES

To protect against direct-to-origin attacks that get past the measures above, subscribe to your ISP's clean-pipe service or to a scrubber service provider.

THANK YOU!

References:

https://www.incapsula.com/blog/

https://blogs.akamai.com/2013/08/bypassing-content-delivery-security.html

https://blogs.akamai.com/2015/01/dns-hijacking-dangers-and-defenses.html

https://blogs.akamai.com/2014/06/fresh-wave-of-online-extortion-attacks-underway.html

https://blogs.akamai.com/

https://blog.cloudflare.com/

http://mesmor.com/2012/03/18/akamai-pragma-debug-headers/