akamai kona WAF Help Manual

Web Application Firewall

akamai kona WAF Help Manual, Web application firewall and site security

Transcript of akamai kona WAF Help Manual

Page 1: akamai kona WAF Help Manual

Web Application Firewall

Page 4: akamai kona WAF Help Manual

©2012 Akamai FASTER FORWARD™

What We’re Seeing: Attacks Are Happening On Multiple Levels

Network Layer (Layers 3/4): target of traditional DDoS attacks

Application Layer (Layer 7): where an increasing number of attacks are focused

Page 5: akamai kona WAF Help Manual

Web Attacks Are Getting More Sophisticated (e.g. multi-vector): Layers 3&4, Layer 7, DNS, Direct-to-Origin, Large, Small & Stealthy

What Attack Methods do Hackers Use?

- Unreported: 37%
- SQL Injection (SQLi): 27%
- Denial of Service: 23%
- Banking Trojan: 3%
- Brute Force: 3%
- Cross-Site Request Forgery: 2%
- Predictable Resource Location: 2%
- Stolen Credentials: 2%
- Clickjacking: 1%

Source: TrustWave Spider Labs - 2011 - Web Hacking Incident Database

Page 7: akamai kona WAF Help Manual

Web Applications (Layer 7) Are Increasingly Targeted: ~10,000,000 More Attacks in 1H2011 over 1H2010 (~45% increase)

[Pie chart: Layer 3/4 Attacks versus non-Web Layer 7 Attacks 1H2011; two segments of 63% and 37%, labelled Layer 3/4 Attacks and Layer 7 Attacks]

[Bar chart: Total # Web Application Attacks at Mid-Year 2009–2011, for 2009, 2010 and 1H2011; y-axis 0 to 35,000,000]

Source: HP CyberSecurity Risks Report 1H2011

Page 10: akamai kona WAF Help Manual

On the Web, the Application is the Perimeter

The threats are distributed, your response needs to be distributed!

[Diagram: In-The-Cloud Security in front of Traditional Data Center Security (Firewall, Hardware WAF, Web server, App server, DB)]

Page 11: akamai kona WAF Help Manual

Akamai Intelligent Platform™: Deflecting Network Layer Attacks at the Edge

Network Layer attack mitigation
- Built-in protection is “always on”
- Only Port 80 (HTTP) or Port 443 (HTTPS) traffic allowed on Platform
  - All other traffic dropped at the Akamai Edge
    - Attack traffic never makes it onto Platform
    - Customer not charged for traffic dropped at Edge
  - Absorbs attack requests without requiring identification
  - Requires CNAME onto Akamai Intelligent Platform

Absorbs attacks through massive scale
- ~5.5 Tbps average throughput; up to 8 Tbps
- Distribution of HTTP request traffic across 100,000+ servers; 1,100+ networks
- No re-routing, added latency, or point of failure

Examples of attack types dropped at Akamai Edge
- UDP Fragments
- ICMP Floods
- SYN Floods
- ACK Floods
- RESET Floods
- UDP Floods

Page 12: akamai kona WAF Help Manual

Web Application Protection: Web Application Firewall

Application-layer controls
- Does deep packet inspection to protect against attacks such as SQL Injection & Cross-Site Scripting

Custom Rules
- Create policy-based rules that are enforced before or after execution of the application layer controls
- Serve as “Virtual Patches” for new website vulnerabilities

Network Layer Controls
- Allow or restrict requests from specific IP addresses
  - Protect customer Origin from application layer attacks
- Implements IP Blacklists & Whitelists
- Geo blocking
- 10,000 CIDR entries supported
  - Named lists, e.g., Tor exit nodes
  - 30 to 45 minute deployment

Page 14: akamai kona WAF Help Manual

Custom Rules: Web Application Firewall

Description
- WAF Custom Rules implemented in Akamai metadata written by Akamai Professional Services
- Rules are created and managed in customer portal
- Rules are then associated with firewall policies and deployed with WAF in 45 minutes

The Result
- New rule logic can be built to handle specific use cases for the customer
- Rules can be built that execute when one or more baseline rules or rate control rules match
- Output of application vulnerability products can be implemented as “virtual patches”
- Advanced piping to user validation actions can be achieved (prioritization)

Page 16: akamai kona WAF Help Manual

Adaptive Rate Controls: Malicious Behavior Detection

- Specify number of requests per second against a given URL
  - Controls requests based on behavior pattern, not request structure
    - Use client IP address, session ID, cookies, etc.
- Configure rate categories to control request rates against digital properties
  - Mitigate rate-based DDoS attacks
- Statistics collected for 3 request phases
  - Client Request: Client to Akamai Server
  - Forward Request: Akamai Server to Origin
  - Forward Response: Origin to Akamai Server
- Statistics collected allow us to ignore large proxies and pick out a malicious user hiding behind a proxy
- Statistics collected allow for detection of pathological behavior by a client
  - Request rate is excessive for any stage
  - Requests causing too many Origin errors

Page 24: akamai kona WAF Help Manual

Rate Controls Use Case: Blocking IPs Causing Origin Errors

1. Count the number of Forward Responses that return a 404 error code
2. Block any IP address that exceeds 5 errors per second

[Diagram: Client Request -> Akamai Edge Server -> Forward Request -> Customer Origin; the Customer Origin returns response code 404; once the threshold is exceeded the client is served a Custom Error page instead (X)]

Automatic Origin Abuse Mitigation!

Page 29: akamai kona WAF Help Manual

Use Case 2: Validate IPs Causing High Origin Load

1. Count the number of Forward Requests
2. Validate any IP address that exceeds 20 Forward Requests per second

[Diagram: Client Request -> Akamai Edge Server -> Forward Request -> Customer Origin; once the threshold is exceeded the Customer Origin is no longer contacted (X) and the client is served a Custom Error page]

Automatic Origin Overload Prevention!
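The two rate-control use cases above (block a client that causes more than 5 origin 404s in a second, send a client that makes more than 20 Forward Requests in a second to validation), worked as an added Python example. This is not Akamai's code and uses no Akamai API; the three phase names follow the Adaptive Rate Controls slide, and the log records, IP addresses and second counters are constructed.

```python
from collections import defaultdict

# Thresholds from the two use cases on this page.
MAX_ORIGIN_404_PER_SEC = 5    # use case 1: block the client
MAX_FORWARD_REQ_PER_SEC = 20  # use case 2: send the client to validation

# Phases follow the slide: "client" (client -> edge), "forward_request"
# (edge -> origin) and "forward_response" (origin -> edge, carries a status).
def _burst(sec, ip, n, phase, status=None):
    """Build n constructed edge records (unix second, client ip, phase, status)."""
    return [(sec, ip, phase, status) for _ in range(n)]

# Constructed sample log, not real Akamai data.
SAMPLE_LOG = (
    _burst(100, "198.51.100.7", 8, "forward_request")
    + _burst(100, "198.51.100.7", 8, "forward_response", 404)  # 8 x 404 in 1 s
    + _burst(100, "203.0.113.9", 25, "forward_request")        # 25 fwd req in 1 s
    + _burst(100, "203.0.113.9", 25, "forward_response", 200)
    + _burst(100, "192.0.2.5", 3, "forward_request")           # normal client:
    + _burst(100, "192.0.2.5", 3, "forward_response", 404)     # 404s spread over
    + _burst(101, "192.0.2.5", 4, "forward_request")           # two seconds, never
    + _burst(101, "192.0.2.5", 4, "forward_response", 404)     # more than 5 in one
)

def classify(records, max_404=MAX_ORIGIN_404_PER_SEC,
             max_fwd=MAX_FORWARD_REQ_PER_SEC):
    """Return {client_ip: action}, action in {'block', 'validate', 'allow'}.
    Counters are keyed per (ip, second): staying under the per-second
    thresholds keeps a client allowed however long it runs."""
    fwd = defaultdict(int)     # (ip, sec) -> forward requests to origin
    err404 = defaultdict(int)  # (ip, sec) -> forward responses with 404
    for sec, ip, phase, status in records:
        if phase == "forward_request":
            fwd[(ip, sec)] += 1
        elif phase == "forward_response" and status == 404:
            err404[(ip, sec)] += 1
    actions = {ip: "allow" for _, ip, _, _ in records}
    # Use case 2 first, use case 1 second: a client that trips both gets
    # the stronger action (block), since origin errors are the worse signal.
    for (ip, _), n in fwd.items():
        if n > max_fwd:
            actions[ip] = "validate"
    for (ip, _), n in err404.items():
        if n > max_404:
            actions[ip] = "block"
    return actions

if __name__ == "__main__":
    for ip, action in sorted(classify(SAMPLE_LOG).items()):
        print(f"{ip:15} {action}")
```

Keying the counters on session ID or cookie instead of client IP, as the slide suggests, is a one-line change to the dictionary key and is what separates one abusive user behind a large proxy from the proxy's other users.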

Page 30: akamai kona WAF Help Manual

Security Monitor (1 of 3)

Timeline of Requests by Hour

Page 31: akamai kona WAF Help Manual

Security Monitor (1 of 3)

Visual Display of Requests by Geography

Page 32: akamai kona WAF Help Manual

Security Monitor (1 of 3)

Requests by WAF Rule ID

Page 33: akamai kona WAF Help Manual

Security Monitor (1 of 3)

Requests by WAF Message

Page 34: akamai kona WAF Help Manual

Security Monitor (1 of 3)

Requests by WAF Tag

Page 35: akamai kona WAF Help Manual

Security Monitor (2 of 3)

Multiple ways to display request statistics

Page 36: akamai kona WAF Help Manual

Security Monitor (3 of 3)

Requests by City

Page 37: akamai kona WAF Help Manual

Security Monitor (3 of 3)

Requests by Client IP address

Page 38: akamai kona WAF Help Manual

Security Monitor (3 of 3)

ARLs being attacked

Page 39: akamai kona WAF Help Manual

Any experience. Any device. Anywhere.