© F5 Networks, Inc. CONFIDENTIAL & PROPRIETARY
Anonymous: Tools of the Trade and Lessons Learned
Bill Church, Systems Engineer – Federal
Agenda
• Anonymous Background
• Evolution of Denial of Service
• DDoS Examples and Strategies for Mitigation
• Practical Strategy for Datacenter Security
Anonymous Background
Evolution of DDoS
3 Classes of DDoS Attack (3DoS)
Request Flooding
• Each attack session issues requests at an increased rate as compared to a non-attacking session
Asymmetric Workload
• Attacker sends requests that are more taxing for the application than the client.
• Traffic volume remains low; detection is difficult
Repeated One-Shot
• Attacker sends a single asymmetric workload request, then closes. Attack is highly distributed to generate required power.
• Most challenging type of attack to detect and mitigate.
DoS Attacks Overview (known)
Simple
• HTTP, HTTPS, ICMP, SYN Floods, UDP Floods, DNS Request Floods, etc.
• Lower layer DoS attacks target ISP connections / bandwidth
• Defendable by proxies and SYN Cookies feature of TMOS
Complex
• Layer-7 DDoS attacks target HTTP, HTTPS, SOAP, XML and DNS services
• Typically target server resources
• Not easily detectable, more efficient, fewer resources and harder to trace
• Defendable by features found in Application Security Manager (ASM)
DDoS Attacks Evolution: Current
• Reflection and amplification (including DNS recursion)
• Larger botnets & autonomous propagation
• Botnet markets which are increasingly sophisticated in nature
• Peer-to-peer botnets
• Botnets using encrypted communications
• Attacks against government infrastructure for political purposes
• Use of DoS by organized crime
• Increasing sophistication of malware and malware packaging
DDoS Attacks Evolution: Future
• Attacks on emerging technologies
• Application layer DoS
• Realistic behavior of DoS traffic (further difficulty in detection)
• Attacks against anti-DoS infrastructure
• Attacks against SCADA systems
• Attacks against shared infrastructure and the ‘cloud’
• Cloud to Cloud
Attacks are Moving “Up the Stack”
• Network Threats: 90% of security investment focused here
• Application Threats: 75% of attacks focused here
3DoS: Why The New Acronym?
• Diverse, Distributed Denial of Service
• “Attacks” are increasingly a focused period of many types of security events.
• Attacking groups are loosely collective, with a variety of methods, tools, resources and skills.
• Attacks start and stop, change in nature, and hit every aspect of a target infrastructure.
• Defensive controls must be broad and deep
Layer-7 Attacks
[Diagram: attack types mapped onto the delivery path of carrier and ISP bandwidth, firewall, DDoS appliance, application acceleration, load balancer, web servers and database. Labels include state tables, ACL performance degradation, low & slow, Layer 7 random and logical, TCP flood, negative caching, proxy bypass, too many connections, CPU, thread jam, database load, log attack and memory exhaustion.]
BANDWIDTH >> PACKET >> CONNECTION >> OS >> HTTP(S) >> APP >> DB
Mitigation controls which are failing…
• Network Firewalls
• Any Technology which blocks IP addresses
• Basic Rate Limiting
  o Connections per second
  o Per service, per client IP, etc.
• Signature Scanning / IPS
  o SSL blinding
  o Out-of-band devices
Mitigating controls must sit in path, know the application, and enforce behaviors - not IP addresses, or known bad strings
“It would appear that the security experts are not expertly secured”
Anonymous
DDoS Examples / Mitigation
SlowLoris
Handling SlowLoris…
Resolution: Detect and drop requests that are slow to complete transmitting headers, and limit the header size
XerXes (2)…
Countermeasures (similar to Slowloris)
a) Lower TCP Connection Reaper percent from low 85/high 95 to low 75/high 90
b) Lower TCP timeouts
LOIC (exploited in “Wikileak” saga)
Countermeasures (similar to Slowloris)
a) Lower TCP Connection Reaper percent from low 85/high 95 to low 75/high 90, Lower TCP timeouts
Slow Post Attacks
What The Vendors Say About Slow Post
Microsoft: “While we recognize this is an issue, the issue does not meet our bar for the release of a security update. We will continue to track this issue and the changes I mentioned above for release in a future service pack.”
Apache: “What you described is a known attribute (read: flaw) of the HTTP protocol over TCP/IP. The Apache HTTP project declines to treat this expected use-case as a vulnerability in the software.”
Handling Slow POST attack …
iRules
• Check on the length of the client payload sent, e.g. < 2048 bytes (def)
• Check on duration of connection with client, e.g. < 2 seconds (def)
• If the custom duration or length is exceeded, respond to the client to retry
ASM
• ASM counts the number of slow POST connections; connections above Y seconds are considered slow connections.
• ASM will then prevent more than X slow connections from happening at the same time.
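The checks on the SlowLoris and Slow POST slides, modelled in Python as an added example; this is not the deck's iRule or ASM code. The field names, the header-phase limits, the values chosen for X and Y, and the rule for which connections are shed are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Limits:
    # Header-phase limits (the SlowLoris slide gives no numbers; assumed).
    max_header_bytes: int = 8192
    header_deadline_s: float = 10.0
    # Body-phase limits, using the example values on the Slow POST slide.
    max_body_bytes: int = 2048
    body_deadline_s: float = 2.0
    # "Y" and "X" from the ASM bullets; the numbers are assumed.
    slow_after_s: float = 5.0
    max_slow_conns: int = 2


@dataclass
class Conn:
    conn_id: str
    opened_at: float                         # seconds on a monotonic clock
    header_bytes: int = 0
    headers_done_at: Optional[float] = None  # None while headers are incomplete
    body_bytes: int = 0
    complete: bool = False


def check_connection(c: Conn, now: float, lim: Limits = Limits()) -> str:
    """Per-connection check: 'ok', or the action and the reason for it."""
    if c.complete:
        return "ok"
    if c.header_bytes > lim.max_header_bytes:
        return "drop: header too large"
    if c.headers_done_at is None:
        if now - c.opened_at > lim.header_deadline_s:
            return "drop: headers not completed in time"
        return "ok"
    if c.body_bytes > lim.max_body_bytes:
        return "retry: payload too long"
    if now - c.headers_done_at > lim.body_deadline_s:
        return "retry: payload took too long"
    return "ok"


def slow_overflow(conns: List[Conn], now: float, lim: Limits = Limits()) -> List[str]:
    """Connections to shed so that at most X slow ones are open at once.

    A connection is slow once it has been open longer than Y seconds without
    completing. Assumption: the X that became slow first are kept.
    """
    slow = sorted(
        (c for c in conns if not c.complete and now - c.opened_at > lim.slow_after_s),
        key=lambda c: c.opened_at,
    )
    return [c.conn_id for c in slow[lim.max_slow_conns:]]


# Constructed sample: five connections as seen at t = 12.0 s.
SAMPLE = [
    Conn("a", opened_at=0.0, header_bytes=120),
    Conn("b", opened_at=11.0, header_bytes=300),
    Conn("c", opened_at=10.0, header_bytes=400, headers_done_at=10.2, body_bytes=100),
    Conn("d", opened_at=5.0, header_bytes=400, headers_done_at=5.1, body_bytes=40),
    Conn("e", opened_at=11.5, header_bytes=9000),
]

if __name__ == "__main__":
    for conn in SAMPLE:
        print(conn.conn_id, check_connection(conn, now=12.0))
    print("shed:", slow_overflow(SAMPLE, now=12.0, lim=Limits(max_slow_conns=1)))
```

The per-connection check and the concurrency cap are independent controls, matching the two columns of the slide: the first judges one request against fixed limits, the second bounds how many slow requests can hold server slots at the same moment.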
Handling Slow POST attack (iRule)
#RefRef
• Uses the target site’s own processing power against itself. Its effectiveness is due to the fact that it exploits a vulnerability in a widespread SQL service
• Live fire exercises from the creator(s) took down “Pastebin” for 42 minutes after a 17-second attack
• Attackers combine it with previous techniques like Slowloris and Slow POST to extend the impact
“I send two packets from my iPhone, and everything else happens on the server. Basically eats itself apart, because since both are on the server, it's all a local connection.”
Anonymous
#RefRef Mitigation
• Block SQL commands from being inserted into HTTP requests (attack signatures for SQLi)
• Mitigation of Slowloris and Slow POST combo attacks
Handling “Apache Killer”
HEAD / HTTP/1.1
Host: xxxx
Range: bytes=0-,5-1,5-2,5-3,…
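The Range header on this slide packs many overlapping and inverted byte ranges into one request. The following added example (not the deck's iRule or any F5 code) shows a check an in-path proxy could apply before the request reaches the server; the five-range threshold and the policy of stripping the header are assumptions, and the sample values are constructed.

```python
import re
from typing import List, Optional, Tuple

Spec = Tuple[Optional[int], Optional[int]]   # (first, last); None means "open"
_SPEC_RE = re.compile(r"^(\d*)-(\d*)$")


def parse_range_header(value: str) -> List[Spec]:
    """Parse 'bytes=a-b,c-,-n' into (first, last) pairs; ValueError if malformed."""
    unit, sep, rest = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        raise ValueError("only the 'bytes' range unit is handled")
    specs: List[Spec] = []
    for part in rest.split(","):
        part = part.strip()
        if not part:
            continue                      # empty list elements are tolerated
        m = _SPEC_RE.match(part)
        if not m or not (m.group(1) or m.group(2)):
            raise ValueError(f"bad byte-range-spec: {part!r}")
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        specs.append((first, last))
    if not specs:
        raise ValueError("empty range set")
    return specs


def assess_range_header(value: str, max_ranges: int = 5) -> str:
    """Return 'pass' or 'strip: <reason>' for one Range header value.

    max_ranges is an assumed policy threshold, not a value from the slides.
    """
    try:
        specs = parse_range_header(value)
    except ValueError:
        return "strip: malformed"
    if len(specs) > max_ranges:
        return "strip: too many ranges"
    if any(lo is not None and hi is not None and hi < lo for lo, hi in specs):
        return "strip: inverted range"
    # Overlap check on ranges with a known start; an open end runs to infinity.
    # After sorting by start, any overlap shows up between neighbours.
    spans = sorted((lo, float("inf") if hi is None else hi)
                   for lo, hi in specs if lo is not None)
    for (_, prev_end), (next_start, _) in zip(spans, spans[1:]):
        if next_start <= prev_end:
            return "strip: overlapping ranges"
    return "pass"


# Constructed sample header values, not captured traffic.
SAMPLES = [
    "bytes=0-499",
    "bytes=0-99,200-299",
    "bytes=-500",
    "bytes=0-,5-9",
    "bytes=0-,5-1",
    "bytes=0-,5-1,5-2,5-3,5-4,5-5",
    "lines=1-2",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header:32} {assess_range_header(header)}")
```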
SSL/TLS Vulnerability BEAST (7)…
Addressing SSL/TLS vulnerability seamlessly
Enforcer
• SSL Client Profile – enforce TLS 1.2
• SSL Server Profile – Automated compatibility (need not be TLS 1.2)
Server
• Negotiable with its supported crypto algorithm
Client
o Different browsers that would not support SSL/TLS 1.2 yet, e.g. Firefox, Chrome, Safari
o Pre-configured application policies
SSL DoS Tool
“Establishing a secure SSL connection requires 15x more processing power on the server than on the client.
THC-SSL-DOS exploits this asymmetric property by overloading the server and knocking it off the Internet.
This problem affects all SSL implementations today. The vendors are aware of this problem since 2003 and the topic has been widely discussed.
This attack further exploits the SSL secure Renegotiation feature to trigger thousands of renegotiations via single TCP connection.”
Mitigating the THC SSL DoS Threat
THC-SSL-DOS Mitigation for LTM
Slow Read DoS
• Do not accept connections with abnormally small advertised window sizes
• Do not enable persistent connections and HTTP pipelining unless performance really benefits from it
• Limit the absolute connection lifetime to some reasonable value
DNS Security (10)…
[Diagram labels: GTM, DNS Server]
• DNS is a likely target
• Without DNS, virtually everything is down
• F5 DNS Services profile scales DNS infrastructure
• Full slave domain copy
Benefits
• High Performance DNS
• >1M DNS RPS
• Scalable DNS
• Secure DNS Queries
• BGP Anycast
• DNSSec
• IPv6
Practical Strategy for Data Center Security
Which is More Effective? Patrol vs Moat
Bridge Mode vs Full Proxy Mode
Bridge mode vs Proxy mode
Bridge
• Passive listener – Reactive response
• Risk Transference – “Offload” to traditional defense
Proxy
• Visibility + Control – Identify/Mediate in Real time
• Flexible + Scale Up – Unified defense Front Line
• Proactive + Resilient – Layered Resistance to ongoing attacks
DDoS mitigation: Protect, Detect, React
Hardened Defense
• Defense against DNS flooding (DNS Express, IPAnyCast)
• Reinforce against attacks e.g. ICMP, UDP flood, UDP fragments, etc.
Resource Availability
• Connection Reapers
• Adaptive Reaper
• Geo-location aware routing
Anomaly Detection
• Client Side Integrity (legit/whitelist)
• Brute force prevention
• IP Enforcer
• Rule based detection (redirect, request throttling, etc.)
Network Mitigation
• Rate Shaping
• Transaction Limiting
• Latency Limiting
• SYN Check
DDoS Strategic Mitigation Approach
Attack Identification
• Traffic Thresholds
• iRule/ASM Attack Signatures for Known DDoS attacks
DDoS attack relief
• Modify WIP (global distro)
Attack Mitigations
• Cleansing the traffic
• Syn cookies, total sessions, ramp & dissolve rates
• Line-Rate Hardware mitigation
• iRule/ASM Attack Signatures for Known DDoS attacks
• iRule/ASM Logging Signatures for analysis of unknown attack
• iRule/ASM custom rule creation
Rethink Yesterday’s Security Strategies
Weak link: Disjointed Security
• False sense of security by deploying various FW, AV, IDS/IPS (running different platforms)
• Lack sophistication & visibility (who, where, what?)
• Mismatched collection of nonintegrated defences (complexity to manage, maintain and high cost)
“Next-generation” security solutions
• Perform at unprecedented speed, scale as needed, and support thousands of users easily and cost-effectively.
Questions?
© 2012 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, and IT agility. Your way., are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5.