Transcript of: Multi-Layered DDoS Attacks
Joakim Sundberg, Security Architect
F5 Agility 2014
The evolution of attackers

Timeline (2007 to 2013):
• January 2008: Anonymous executes a series of high-profile DDoS attacks against the Church of Scientology.
• December 2010: WikiLeaks supporters hit PayPal, Visa, Mastercard, and other financial sites with DDoS attacks.
• April 2011: Attackers use a DDoS attack against Sony to mask the theft of millions of customer records.
• April 2012: Anonymous knocks down the sites of the U.S. Dept. of Justice, the CIA, and the British Secret Intelligence Service.
• September 2012: The Izz ad-Din al-Qassam Cyber Fighters launch Operation Ababil with DDoS attacks on 13 U.S. banks to protest an anti-Muslim video.

The arc along the timeline: script kiddies, then the rise of hacktivism, then cyber war.
Protecting against DDoS is challenging

Drivers: webification of apps, device proliferation, evolving security threats, shifting perimeter.

• 71% of internet experts predict most people will do work via web or mobile by 2020.
• 95% of workers use at least one personal device for work.
• 130 million enterprises will use mobile apps by 2014.
• 58% of all e-theft is tied to activist groups.
• 81% of breaches involved hacking.
• 80% of new apps will target the cloud.
• 72% of IT leaders have moved, or will move, applications to the cloud.
More sophisticated attacks are multi-layer
• Application
• SSL
• DNS
• Network
DDoS hides the real threat
• Headline, Feb 13, 2013: "DDoS Attack on Bank Hid $900,000 Cyberheist"
Which DDoS technology to use?

Cloud/hosted service
• Content delivery network
• Communications service provider
• Cloud-based DDoS service

On-premises defense
• Network firewall with SSL inspection
• Web application firewall
• On-premises DDoS solution
• Intrusion detection/prevention

Answer: all of the above
Tools and Methods of Latest DoS Attacks

Attackers work to identify weaknesses in application infrastructure.

Attackers are proficient at network reconnaissance:
• They obtain a list of site URIs
• Sort the list by time-to-complete (CPU cost)
• Sort the list by megabytes returned (bandwidth cost)

Spiders (bots) are available to automate this:
• Though they are often known to the security community
• The same crawl can be executed with a simple wget script

Exploiting POST for fun & DoS. Determine:
• URLs accepting POST
• Max size for POST
• Bypass CDN protections (POST responses aren't cacheable, so every request reaches the origin)
• Fingerprint both TCP and the application at the origin

Network Reconnaissance Example
BIG-IP ASM – Heavy URL Detection
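The reconnaissance described above (rank URIs by time-to-complete and by bytes returned) is the same measurement a defender should make first. The script below is an added example, not F5's code or the BIG-IP ASM heavy-URL implementation: it runs the attacker's two sort keys over the site's own access logs and flags the URIs that are consistently expensive, so they can be rate-limited, cached or fixed before a bot finds them. The log format (nginx/Apache combined format with the request time in seconds appended as the last field), the thresholds, and the log lines in SAMPLE_LOG are all assumptions constructed for the example.

```python
"""Heavy-URL profiling over web server access logs (added example, not F5 code)."""
import re
from collections import defaultdict
from statistics import mean
from urllib.parse import urlsplit

# Assumed log layout: combined format + "$request_time" (seconds) as the final field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "[^"]*" "[^"]*" (?P<rt>\d+\.\d+)$'
)

# Constructed sample: a browser browsing normally, plus a wget-style client pulling a
# large export and a search page that each burn seconds of CPU per request.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Feb/2013:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.012
10.0.0.5 - - [13/Feb/2013:10:00:02 +0000] "GET /search.php?q=data HTTP/1.1" 200 48231 "-" "Mozilla/5.0" 2.310
10.0.0.7 - - [13/Feb/2013:10:00:02 +0000] "GET /search.php?q=acme HTTP/1.1" 200 51002 "-" "Mozilla/5.0" 2.870
10.0.0.9 - - [13/Feb/2013:10:00:03 +0000] "POST /report/export HTTP/1.1" 200 9800000 "-" "Wget/1.14" 4.400
10.0.0.9 - - [13/Feb/2013:10:00:08 +0000] "POST /report/export HTTP/1.1" 200 9700000 "-" "Wget/1.14" 4.100
10.0.0.5 - - [13/Feb/2013:10:00:09 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 0.003
10.0.0.11 - - [13/Feb/2013:10:00:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.015
"""


def profile_uris(log_text):
    """Aggregate hits per path. The query string is stripped because attackers vary it
    to defeat caches; the path is what drives server cost.
    Returns {path: {"hits", "avg_rt", "avg_bytes", "max_rt"}}."""
    rows = defaultdict(lambda: {"rt": [], "bytes": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash on a hostile log
        path = urlsplit(m["uri"]).path
        rows[path]["rt"].append(float(m["rt"]))
        rows[path]["bytes"].append(int(m["bytes"]))
    return {
        p: {"hits": len(v["rt"]), "avg_rt": mean(v["rt"]),
            "avg_bytes": mean(v["bytes"]), "max_rt": max(v["rt"])}
        for p, v in rows.items()
    }


def rank_by_cost(profile):
    """Attacker sort key 1: slowest (most CPU per request) first."""
    return sorted(profile.items(), key=lambda kv: kv[1]["avg_rt"], reverse=True)


def rank_by_bytes(profile):
    """Attacker sort key 2: largest responses (most bandwidth per request) first."""
    return sorted(profile.items(), key=lambda kv: kv[1]["avg_bytes"], reverse=True)


def heavy_urls(profile, rt_threshold=1.0, bytes_threshold=1_000_000, min_hits=2):
    """Flag paths that are consistently expensive. Returns {path: [reasons]}.
    min_hits keeps a single slow request from being reported as a heavy URL."""
    flagged = {}
    for path, s in profile.items():
        if s["hits"] < min_hits:
            continue
        reasons = []
        if s["avg_rt"] >= rt_threshold:
            reasons.append("latency")
        if s["avg_bytes"] >= bytes_threshold:
            reasons.append("bytes")
        if reasons:
            flagged[path] = reasons
    return flagged


if __name__ == "__main__":
    prof = profile_uris(SAMPLE_LOG)
    for path, stats in rank_by_cost(prof):
        print(f"{path:20} hits={stats['hits']} avg_rt={stats['avg_rt']:.3f}s "
              f"avg_bytes={stats['avg_bytes']:.0f}")
    print("heavy:", heavy_urls(prof))
```

On the sample, /report/export tops both rankings and /search.php is flagged on latency alone; those are the two URIs a bot would pick, and the two that need per-URI rate limits or stricter input rules.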
Layer 7 DoS Variations
• Attacks like Slowloris are easily mitigated by signatures
• However, those signatures are often easily bypassed by variants
• Enforcing good requests at the protocol level is more effective

Example request from the slide (line endings shown literally; note that the Accept header ends in a bare \r rather than \r\n):
GET /search.php?name=Acme’s&admin=1 HTTP/1.1\r\n
Host: foo.com\r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r
Referer: http://172.29.44.44/search.php?q=data\r\n
Accept-Encoding: gzip,deflate,sdch\r\n
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
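What "enforcing good requests at the protocol level" looks like in code, as an added example that is not part of the deck and not the BIG-IP full-proxy parser: a strict HTTP/1.1 request-head validator that rejects anything a compliant client would never send (bare CR or LF, malformed request line, bad header names, missing Host, oversized or unterminated header blocks), which catches Slowloris and its variants without a per-tool signature. The slide's request is reconstructed below with its bare \r kept (the curly apostrophe replaced by a plain one); the size limits and the other sample requests are assumptions.

```python
"""Strict HTTP/1.1 request-head validation (added example, not F5 code)."""
import re

# RFC 7230 "token" characters, the only ones allowed in a header field name.
TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}

# The slide's request, reconstructed; the Accept line ends in a bare CR as on the slide.
SLIDE_REQUEST = (
    b"GET /search.php?name=Acme's&admin=1 HTTP/1.1\r\n"
    b"Host: foo.com\r\n"
    b"Connection: keep-alive\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r"   # bare CR
    b"Referer: http://172.29.44.44/search.php?q=data\r\n"
    b"Accept-Encoding: gzip,deflate,sdch\r\n"
    b"Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n"
    b"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
    b"Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226\r\n"
    b"\r\n"
)
# Constructed variants: the same request made well-formed, and a Slowloris-style head
# that never sends the blank line terminating the header block.
GOOD_REQUEST = SLIDE_REQUEST.replace(b"q=0.9\rReferer", b"q=0.9\r\nReferer")
SLOW_REQUEST = GOOD_REQUEST[:-2]


def validate_request(raw, max_head=8192, max_headers=50, max_body=1_000_000):
    """Return (ok, reason) for a raw request head. Everything not provably well-formed
    is rejected; the limits bound what a single connection can make us hold."""
    if len(raw) > max_head:
        return False, "header block too large"
    end = raw.find(b"\r\n\r\n")
    if end == -1:
        return False, "incomplete header block"   # slow-header attacks end up here
    head = raw[:end]
    stripped = head.replace(b"\r\n", b"")
    if b"\r" in stripped:
        return False, "bare CR"
    if b"\n" in stripped:
        return False, "bare LF"
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return False, "method not allowed"
    if not target or not all(0x21 <= c <= 0x7E for c in target):
        return False, "bad request target"     # control, space or non-ASCII bytes
    if not (target.startswith(b"/") or (target == b"*" and method == b"OPTIONS")):
        return False, "bad request target"
    if version not in (b"HTTP/1.1", b"HTTP/1.0"):
        return False, "unsupported version"
    if len(lines) - 1 > max_headers:
        return False, "too many headers"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name):
            return False, "invalid header name"  # also rejects whitespace before ':'
        headers.setdefault(name.lower(), []).append(value.strip())
    if version == b"HTTP/1.1" and b"host" not in headers:
        return False, "missing Host"
    cl = headers.get(b"content-length", [])
    if len(cl) > 1 or (cl and not cl[0].isdigit()):
        return False, "bad Content-Length"    # ambiguous framing is never forwarded
    if cl and int(cl[0]) > max_body:
        return False, "body too large"        # caps the "max size for POST" probe
    return True, "ok"


if __name__ == "__main__":
    for label, req in (("slide", SLIDE_REQUEST), ("fixed", GOOD_REQUEST), ("slow", SLOW_REQUEST)):
        print(label, validate_request(req))
```

In a proxy the check runs before any request is forwarded, so the origin only ever sees requests that a real browser could have produced, regardless of which Slowloris variant generated the bad ones.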
UDP Amplification Attacks

(Diagram: clients and a local DNS resolver on the Internet side; DNS Firewall in BIG-IP GTM at the DMZ; DNS servers and apps in the data center.)

Considerations
• DNS or NTP requests may seem well-formed
• IP spoofing is likely, so IP blacklisting has limited effectiveness

Mitigations
• Highly scalable DNS infrastructure needed to absorb volume
• Refuse NXDOMAIN requests (queries for names that do not exist)
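Because the source address of an amplification query is the victim's, the limit has to be applied to what the server sends back per destination prefix rather than to who is asking. The block below is an added example, not F5's code or the BIG-IP GTM DNS Firewall: a response rate limiter in the style of BIND RRL that answers normally up to a per-prefix budget, then alternately drops and "slips" (answers with a tiny truncated reply, TC=1) so that a genuine resolver sharing the prefix can retry over TCP, which a spoofer cannot complete. The keying, budget, slip ratio and the query stream are assumptions; the stream is constructed.

```python
"""DNS response rate limiting against spoofed amplification (added example)."""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Query:
    t: float            # arrival time in seconds
    src: str            # source IP; under spoofing this is the victim, not the attacker
    qname: str
    qtype: str
    resp_bytes: int     # size of the full response we would send
    req_bytes: int = 60  # size of the request packet


def amplification_factor(q):
    """Bytes sent per byte received: the attacker's payoff for this query type."""
    return q.resp_bytes / q.req_bytes


class ResponseRateLimiter:
    def __init__(self, responses_per_window=5, window=1.0, slip=2, prefix_len=24):
        self.limit = responses_per_window
        self.window = window
        self.slip = slip                  # every slip-th excess query gets a TC=1 reply
        self.prefix_len = prefix_len
        self.sent = defaultdict(deque)    # key -> times of responses sent in the window
        self.excess = defaultdict(int)    # key -> over-limit queries seen (drives slip)

    def _key(self, q):
        # Aggregate by destination prefix plus response identity, as BIND-style RRL does,
        # so one victim /24 cannot be fed more than the budget for a given answer.
        net = ipaddress.ip_network(f"{q.src}/{self.prefix_len}", strict=False)
        return (str(net), q.qname.lower(), q.qtype)

    def decide(self, q):
        """Return 'respond', 'slip' or 'drop' for one query."""
        key = self._key(q)
        window = self.sent[key]
        while window and window[0] <= q.t - self.window:
            window.popleft()
        if len(window) < self.limit:
            window.append(q.t)
            return "respond"
        self.excess[key] += 1
        if self.slip and self.excess[key] % self.slip == 0:
            return "slip"
        return "drop"


def run_stream(queries, limiter):
    """Apply the limiter to a stream in time order; returns decision counts and bytes."""
    stats = {"respond": 0, "slip": 0, "drop": 0, "bytes_offered": 0, "bytes_sent": 0}
    for q in sorted(queries, key=lambda q: q.t):
        d = limiter.decide(q)
        stats[d] += 1
        stats["bytes_offered"] += q.resp_bytes
        if d == "respond":
            stats["bytes_sent"] += q.resp_bytes
        elif d == "slip":
            stats["bytes_sent"] += q.req_bytes   # a truncated reply is about request-sized
    stats["bytes_saved"] = stats["bytes_offered"] - stats["bytes_sent"]
    return stats


def constructed_stream():
    """Constructed: 40 spoofed ANY queries for one name aimed at 198.51.100.0/24
    (3000-byte answers, 50x amplification) plus 3 ordinary A queries from elsewhere."""
    flood = [Query(i * 0.02, f"198.51.100.{i % 10 + 1}", "example.com", "ANY", 3000)
             for i in range(40)]
    legit = [Query(t, "203.0.113.7", "www.example.com", "A", 80) for t in (0.1, 0.5, 0.9)]
    return flood + legit


if __name__ == "__main__":
    print(run_stream(constructed_stream(), ResponseRateLimiter()))
```

On the constructed stream the victim prefix receives 5 full answers instead of 40, the legitimate A queries are untouched, and the server's outbound volume drops by roughly 86%, without ever needing to know the attacker's real address.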
How can F5 help me implement a DDoS solution?
DDoS protection reference architecture

(Diagram, read from the Internet inward:)
• Sources: legitimate users, a DDoS attacker, botnet attackers, a scanner, anonymous proxies and anonymous requests.
• Upstream: ISP a/b (multiple ISP strategy), a cloud scrubbing service, threat feed intelligence.
• Tier 1, network and DNS: network attacks (ICMP flood, UDP flood, SYN flood) and DNS attacks (DNS amplification, query flood, dictionary attack, DNS poisoning).
• Tier 2, application: SSL attacks (SSL renegotiation, SSL flood) and HTTP attacks (Slowloris, slow POST, recursive POST/GET); an IPS and a next-generation firewall also appear at Tier 2.
• Protected: corporate users, financial services, e-commerce and subscriber applications.
• Each tier is a strategic point of control fed by threat feed intelligence.
Tier 1 Key Features
• The first tier at the perimeter is layer 3 and 4 network firewall services
• Simple load balancing to a second tier
• IP reputation database
• Mitigates volumetric and DNS DDoS attacks
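The reason a layer 3/4 tier can absorb a SYN flood that would exhaust an application server's connection table is that it does not have to keep state per SYN. The block below is an added example, not F5's SynCheck or any BIG-IP code: a classic SYN-cookie scheme in which the server encodes a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed MAC over the 4-tuple into the SYN-ACK sequence number, stores nothing, and only admits a connection when the third-packet ACK returns a cookie that verifies, which a spoofed source never sees. The secret, the MSS table, the 64-second counter granularity and the addresses used are assumptions.

```python
"""SYN cookies: answer a SYN flood without per-connection state (added example)."""
import hashlib
import hmac
import ipaddress
import struct
import time

MSS_TABLE = [536, 1300, 1440, 1460]   # the only MSS values a 3-bit index can remember


class SynCookie:
    def __init__(self, secret: bytes, now=time.time):
        self.secret = secret
        self.now = now                   # injectable clock so expiry can be exercised

    def _counter(self):
        return int(self.now() // 64)     # advances every 64 s; cookies live about 2 slots

    def _mac(self, saddr, daddr, sport, dport, counter):
        msg = (ipaddress.ip_address(saddr).packed + ipaddress.ip_address(daddr).packed
               + struct.pack("!HHI", sport, dport, counter))
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")    # 24 bits fit below the header bits

    def make(self, saddr, daddr, sport, dport, peer_mss):
        """Initial sequence number for the SYN-ACK. Nothing is stored for the SYN."""
        mss_idx = 0
        for i, m in enumerate(MSS_TABLE):
            if m <= peer_mss:
                mss_idx = i              # largest table entry not above the peer's MSS
        counter = self._counter()
        return (((counter & 0x1F) << 27) | (mss_idx << 24)
                | self._mac(saddr, daddr, sport, dport, counter))

    def check(self, saddr, daddr, sport, dport, ack):
        """Validate the handshake's final ACK. Returns the MSS to use, or None if the
        ACK does not carry a cookie issued recently for exactly this 4-tuple."""
        cookie = (ack - 1) & 0xFFFFFFFF
        tag, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
        if mss_idx >= len(MSS_TABLE):
            return None
        now = self._counter()
        for counter in (now, now - 1):   # accept the current and previous 64 s slot
            if counter < 0:
                continue
            if (counter & 0x1F) == tag and self._mac(saddr, daddr, sport, dport, counter) == mac:
                return MSS_TABLE[mss_idx]
        return None


if __name__ == "__main__":
    sc = SynCookie(b"rotate-me-periodically")
    isn = sc.make("203.0.113.5", "198.51.100.10", 40000, 443, 1460)
    print("SYN-ACK seq", hex(isn), "-> MSS",
          sc.check("203.0.113.5", "198.51.100.10", 40000, 443, isn + 1))
```

A million spoofed SYNs cost the server a million HMACs and SYN-ACKs, but zero table entries; the price paid is that TCP options beyond the MSS cannot be recovered for connections that were completed under cookie mode, which is why real firewalls enable it only once the SYN rate crosses a threshold.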
Tier 2 Key Features
• The second tier is for application-aware, CPU-intensive defense mechanisms
• SSL termination
• Web application firewall
• Mitigates asymmetric and SSL-based DDoS attacks
F5 mitigation technologies by attack class

Network attacks
  Examples: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
  Mitigation: BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.

Session attacks
  Examples: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
  Mitigation: BIG-IP LTM and GTM: high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation

Application attacks
  Examples: OWASP Top 10 (SQL Injection, XSS, CSRF, etc.), Slowloris, Slow Post, HashDos, GET Floods
  Mitigation: BIG-IP ASM: positive and negative policy enforcement, iRules, full proxy for HTTP, server performance anomaly detection
(Figure, "DDoS mitigation": F5 mitigation technologies mapped against the OSI stack, Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2), Physical (1), alongside an axis labelled "Increasing difficulty of attack detection".)