DDoS Cyber Extortion: Protect Yourself with Hybrid Security

44 slides

Transcript of "DDoS Cyber Extortion: Protect Yourself with Hybrid Security"

Page 1:

Page 2:

DDoS Cyber Extortion: Protect Yourself with Hybrid Security
Scott Altman, Dir. Business Development, F5 Silverline

Page 3:

DDoS Cyber Extortion

Page 4:

cy·ber /ˈsībər/

adjective:

Page 5:

ex·tor·tion /ikˈstôrSH(ə)n/

noun:

Page 6:

Mean People Are on the Internet

• Organized Crime
• Disorganized Crime
• Vendettas
• Boredom
• Competition
• Attention Seekers
• Thrill Seekers
• "Exploitionists"

Page 7:

Real-World Experiences

Pages 8–13:

Nastygram (the extortion note is revealed one line per slide across these six slides)

"All your servers will be DDoS-ed starting Tuesday if you don't pay 20 Bitcoins.
Right now we will start a 30-minute attack on one of your site's IPs.
Our attacks are extremely powerful.
Pay and we will know it's you. AND YOU WILL NEVER AGAIN HEAR FROM US!
And nobody will ever know you cooperated."

Page 14:

Extortion Groups

Gangs and crews and collectives… Oh my!

• Anonymous, but not always "Anonymous"
• Armada Collective
• DD4BC
• Lizard Squad
• Phantom Squad
• numb3rCapS 5ub$t1tion Cr3W

Pages 15–16:

Who Are They Really?

Photos of: Ryan Ackroyd (LulzSec), Mustafa Al-Bassam (LulzSec), Kristina Svechinskaya

Page 17:

How do they operate?
• Probing attack: 1–2 Gbps
• Give you some time to respond; reminder letters
• If an actual attack: 10–20 Gbps
• If payment is received, no attacks (supposedly)

How will you respond?
• Do you negotiate with terrorists?
• What's a bitcoin?
• CISO checks your firewalls.
• Call for help?
• Head, meet sand.

Page 18:

DDoS Attack Size Distribution

• Ultra-large attacks are really exciting to talk about!
• Efficiency of attack = more targets per day: turn the knob up only until the target breaks, then move on
• You will never* be able to buy enough bandwidth to counter these attacks.
• 58% of attacks are <= 10 Gbps

Chart (pie, "ATTACK SIZE"):

  500–999 Mbps    23%
  1–10 Gbps       38%
  10–50 Gbps      20%
  Over 50 Gbps     6%
  Unknown         12%

(As extracted, the two slices at or below 10 Gbps add to 61%, not the 58% in the headline; the slide gives no source for either figure. The practical point stands either way: most attacks are far smaller than the record-setting ones, and a 1–10 Gbps flood is already larger than many enterprise Internet links.)

Page 19:

Reality: The Facts

• Whatever you have in your datacenter won't help you with these attacks.
• When your Internet connection is full, there is nothing you can do.
• It's simple math:
  • N = Internet pipe size
  • X = Attack size
  • If X = N + 1 bytes, you are having a bad day.

Page 20:

But I Have a Firewall!

• Were you not listening?
• Whatever you have in your data center won't help you with these attacks.
• Your firewall can't protect you from traffic levels beyond your ISP pipe size.
• Most firewalls are AWFUL at connection management.
• SYN/UDP floods make connections. Lots. Of. Them.

Chart: MAXIMUM PACKETS PER MBPS (x-axis: Mbps, 0–1000; y-axis: PPS, 0–2,000,000). The plotted values equal Mbps × 10^6 / 512, i.e. the packet rate of a link completely filled with minimum-size 64-byte frames; that is the worst case a stateful device has to keep up with, since every packet is a new connection attempt.

  Mbps      Max PPS
   100      195,313
   200      390,625
   300      585,938
   400      781,250
   500      976,563
   600    1,171,875
   700    1,367,188
   800    1,562,500
   900    1,757,813
  1000    1,953,125
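The "simple math" slide and the packets-per-Mbps chart above reduce to two formulas: link saturation (X versus N) and packet rate at minimum frame size. The following is an added example, not code from the deck or from F5; it assumes 64-byte Ethernet frames with no preamble or inter-frame gap (which reproduces the chart's numbers exactly) and uses hypothetical firewall figures (half-open timeout, state-table size) purely to show the scale of the connection-management problem the slide is pointing at.

```python
"""Pipe-size and packet-rate arithmetic behind the 'simple math' and
'maximum packets per Mbps' slides.

Added example; not from the deck. Assumptions not stated on the slides:
64-byte minimum Ethernet frames with no preamble or inter-frame gap (this
reproduces the chart's numbers exactly), and hypothetical firewall figures
(half-open timeout, state-table capacity) used only to illustrate scale.
"""
import math

MIN_FRAME_BYTES = 64            # smallest Ethernet frame: worst case for pps
BITS_PER_BYTE = 8


def max_pps(link_mbps: float, frame_bytes: int = MIN_FRAME_BYTES) -> int:
    """Packets per second that fill a link at a given frame size.

    pps = (Mbps * 1e6) / (frame_bytes * 8). Rounded half-up so that
    100 Mbps -> 195,313 and 1000 Mbps -> 1,953,125, matching the chart.
    """
    bits_per_frame = frame_bytes * BITS_PER_BYTE
    return math.floor(link_mbps * 1_000_000 / bits_per_frame + 0.5)


def pipe_is_saturated(attack_mbps: float, pipe_mbps: float) -> bool:
    """The slide's rule: N = pipe size, X = attack size; X > N is a bad day.

    Upstream of you the ISP drops whatever exceeds the pipe, legitimate
    packets included, so nothing inside the data center can fix this.
    """
    return attack_mbps > pipe_mbps


def half_open_entries(syn_pps: float, half_open_timeout_s: float) -> int:
    """Steady-state half-open TCP entries a stateful device holds under a SYN flood.

    Every spoofed SYN that never completes the handshake occupies a state
    slot until the half-open timer expires: entries = rate * timeout.
    """
    return math.floor(syn_pps * half_open_timeout_s)


def seconds_to_fill_table(syn_pps: float, table_capacity: int) -> float:
    """How long a SYN flood at syn_pps takes to exhaust a state table."""
    return table_capacity / syn_pps


def syn_flood_report(link_mbps: float, half_open_timeout_s: float,
                     table_capacity: int) -> dict:
    """Summarise what a link-rate flood of 64-byte SYNs does to a stateful firewall."""
    pps = max_pps(link_mbps)
    entries = half_open_entries(pps, half_open_timeout_s)
    return {
        "syn_pps": pps,
        "half_open_entries": entries,
        "seconds_to_fill_table": seconds_to_fill_table(pps, table_capacity),
        "table_exhausted": entries > table_capacity,
    }


if __name__ == "__main__":
    # Reproduce the chart from the slide.
    for mbps in range(100, 1001, 100):
        print(f"{mbps:5d} Mbps -> {max_pps(mbps):>10,} pps at 64-byte frames")

    # A 1 Gbps pipe hit by a 1 Gbps SYN flood. Hypothetical firewall:
    # 30 s half-open timeout, 2,000,000-entry state table.
    print(pipe_is_saturated(attack_mbps=1001, pipe_mbps=1000))
    print(syn_flood_report(1000, half_open_timeout_s=30, table_capacity=2_000_000))
```

With the hypothetical 30 s timeout, a 1 Gbps flood of minimum-size SYNs would need roughly 58 million half-open entries and fills a 2-million-entry table in about one second, which is the "most firewalls are awful at connection management" point in numbers: the device dies long before the pipe itself is the problem. Real Ethernet adds a 20-byte preamble and inter-frame gap per frame, so the line-rate figure for 64-byte frames is nearer 1.49 M pps per Gbps; the slide's chart omits that overhead.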

Page 21:

Patient Study

Pages 22–23:

The Hybrid Threat

Carphone Warehouse: Breach with a DDoS Smoke Screen
• DDoS attack before giant data breach
• Massive disruption to draw attention
• 2.4M customers' data stolen from web app attack

[unnamed] Manufacturing Company
• Victim of Dyre malware; credentials stolen
• DDoS attack launched
• Wire transfer drained their bank accounts ($1.75M)
• Didn't receive notice about fraud for hours because of ongoing DDoS attack

Page 24:

Defense

Page 25:

Silverline DDoS Protection and WAF: Complete DDoS mitigation and application security solution

Architecture diagram (labels as extracted):
• Traffic sources: Legitimate Users, DDoS Attackers, Botnet Attackers, Scanner, Anonymous Proxies, Anonymous Requests
• Silverline DDoS Cloud: volumetric DDoS protection, 24x7 SOC, proven capability, detailed reporting; Threat Intelligence Feed
• ISP / multiple ISP strategy, then Customer Router
• Network tier (Network and DNS): network attacks such as ICMP flood, UDP flood, SYN flood; DNS attacks such as DNS amplification, query flood, dictionary attack, DNS poisoning
• Next-Generation Firewall, IPS, Corporate Users
• Application tier: HTTP attacks such as Slowloris, slow POST, recursive POST/GET; SSL attacks such as SSL renegotiation, SSL flood; serving Financial Services, E-Commerce, Subscriber applications
• Strategic Point of Control
• Hybrid integration with the BIG-IP platform via signaling

Pages 26–27:

F5 Silverline vs. F5 BIG-IP Platform: What's the Difference?

F5 SILVERLINE
• F5's own cloud-based platform
• F5 managed service offerings: DDoS and managed WAF
• Customer configuration via a portal
• Financial investment: OpEx
• Sits "in front" of other cloud or data center offerings

SIMPLE SUMMARY: If you need protection from volumetric DDoS, Silverline is the platform to leverage

F5 BIG-IP PLATFORM
• Traditionally what you know F5 for
• Hardware/Software/Virtual editions
• Your data center, Azure, AWS, or other clouds
• Includes features such as: network firewall, forward proxy, reverse proxy, WAF, load balancing, anti-fraud, web optimization, etc.

SIMPLE SUMMARY: If you need to ensure security and availability within your locations, BIG-IP is the platform to leverage

Page 28:

© 2016 F5 Networks

Silverline Service Architecture
• Security Operation Centers (SOCs)
• Scrubbing Centers
• 24/7 Support
• Global Coverage
• Industry-Leading Bandwidth

Locations shown on the map: San Jose, CA USA; Seattle, WA USA; Ashburn, VA USA; Frankfurt, Germany; Warsaw, Poland; Singapore

Pages 29–31:

F5 Silverline DDoS Protection Service: Multiple Service Options

• Always On: primary protection as the first line of defense
• Always Available: primary protection available on-demand

Page 32:

Hybrid Integration

Signaling notifications to Silverline from the BIG-IP platform:
• Volumetric attack conditions
• DDoS Hybrid Defender integration
• Bad-actor detection by BIG-IP Application Security Manager (ASM)

Silverline response:
• Callback to customer ("Are you OK?")
• Ticket generation
• Activity log
• Blacklist bad-actor IPs

Page 33:

Network Defense

Requirements:
• Stateful
  • Review and inspect every connection request
  • Packet-based systems do not understand application traffic
• Performant*
  • Match security components (CPS, max CPS, BW) to bandwidth requirements
  • No added latency without value
• Intelligent
  • L3/L4 isn't enough
  • Understand DNS, HTTP, basic application characteristics
  • Incorporate application delivery mechanisms

Diagram callout (Network and DNS): network attacks such as ICMP flood, UDP flood, SYN flood; DNS attacks such as DNS amplification, query flood, dictionary attack, DNS poisoning

Page 34:

Connection Performance

"We put an F5 (product) in front of anything Internet facing; otherwise it dies." -Bank

"Without the F5 (product) in front of our firewalls, they'd never survive." -Bank

"(BIG-IP) LTMs are default-deny—I've used them as my perimeter for years… why don't the rest of your customers do this?" -Entertainment

Chart: the same MAXIMUM PACKETS PER MBPS chart as page 20 (Mbps 0–1000 on the x-axis, PPS up to 1,953,125 on the y-axis), here annotated with BIG-IP platform markers that extracted as "5250v", "10255v2250B" and "12250v".

Pages 35–36:

Network Defense: Protecting DNS

When DNS is down, everything is down
• Likely single point of failure
• Typically under-provisioned

Recommendations
• Leverage the BIG-IP Advanced Firewall Manager (AFM) + BIG-IP DNS combo; granular DNS firewall controls
• Use BIG-IP DNS as the public front-end; hidden master (DNS Express)
• Overprovision DNS services against NXDOMAIN query floods
• Blacklist as a last resort
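The NXDOMAIN flood the recommendations mention is easy to recognise in authoritative query logs: one or a few sources ask for large numbers of distinct, non-existent names under a zone, every one of which misses every cache and lands on the authoritative server. The following is an added example, not code from the deck or from F5; the log line format ("epoch client qname qtype rcode") and the thresholds are assumptions for this example, and the sample lines are constructed rather than captured.

```python
"""Spotting an NXDOMAIN query flood (random-subdomain / dictionary attack)
in authoritative DNS query logs, and producing the last-resort blocklist.

Added example; not from the deck and not F5 code. The log format below is
assumed for this example: "<epoch> <client_ip> <qname> <qtype> <rcode>".
Sample lines are constructed, not captured.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    ts: int
    client: str
    qname: str
    qtype: str
    rcode: str


def parse_line(line: str) -> Query:
    ts, client, qname, qtype, rcode = line.split()
    return Query(int(ts), client, qname.lower().rstrip("."), qtype, rcode)


def zone_of(qname: str, labels: int = 2) -> str:
    """Registered zone, approximated as the last N labels (assumption; a real
    deployment would match against the zones it is authoritative for)."""
    return ".".join(qname.split(".")[-labels:])


def flag_nxdomain_flooders(lines, min_queries=20, min_ratio=0.8):
    """Clients whose traffic is mostly NXDOMAIN, sorted. These are the
    candidates for the slide's 'blacklist as a last resort' step; the
    min_queries floor keeps a single user's typo from qualifying."""
    total, nx = Counter(), Counter()
    for line in lines:
        q = parse_line(line)
        total[q.client] += 1
        if q.rcode == "NXDOMAIN":
            nx[q.client] += 1
    return sorted(c for c in total
                  if total[c] >= min_queries and nx[c] / total[c] >= min_ratio)


def distinct_nxdomain_per_zone(lines):
    """Distinct non-existent names asked for, per zone. A random-subdomain
    flood shows up as a large count under one zone: each name is new, so
    no resolver cache absorbs it and the authoritative server answers all
    of them. That is the load the slide says to overprovision for."""
    names = defaultdict(set)
    for line in lines:
        q = parse_line(line)
        if q.rcode == "NXDOMAIN":
            names[zone_of(q.qname)].add(q.qname)
    return {zone: len(s) for zone, s in names.items()}


# Constructed sample: two ordinary resolvers and one flooder.
LEGIT = [
    "1700000000 203.0.113.7 www.example.com A NOERROR",
    "1700000001 203.0.113.7 mail.example.com MX NOERROR",
    "1700000002 203.0.113.7 www.example.com AAAA NOERROR",
    "1700000003 203.0.113.8 api.example.com A NOERROR",
    "1700000004 203.0.113.8 wwww.example.com A NXDOMAIN",   # a user's typo
    "1700000005 203.0.113.8 www.example.com A NOERROR",
]
FLOOD = [  # forty distinct random-looking labels, all non-existent
    f"17000000{10 + i:02d} 198.51.100.9 {i:05x}.example.com A NXDOMAIN"
    for i in range(40)
]
SAMPLE_LINES = LEGIT + FLOOD


if __name__ == "__main__":
    print("suspects:", flag_nxdomain_flooders(SAMPLE_LINES))
    print("distinct NXDOMAIN names per zone:", distinct_nxdomain_per_zone(SAMPLE_LINES))
```

The source address in a UDP query flood can be spoofed, which is exactly why the slide ranks blacklisting last: blocking the addresses this code reports may cut off the resolvers of real users while the attacker simply rotates sources. The per-zone count is the more robust signal, because it measures the authoritative server's actual load regardless of where the queries claim to come from.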

Page 37:

Application Defense

Requirements
• SSL savvy
  • Everything is going to be encrypted
  • Handle SSL, TLS, DHE, ECDHE, 4096-bit keys
• Deep HTTP intelligence
  • More than a RegEx engine: understand application flow
  • No added latency without value
  • Tool integration
• Actionable reporting
  • WAF administration is not the easiest task
  • Effective application learning is a necessity
  • Simplified workflow

Diagram callout (Application, BIG-IP Application Security Manager): HTTP attacks such as Slowloris, slow POST, recursive POST/GET; SSL attacks such as SSL renegotiation, SSL flood
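Slowloris and slow POST, two of the HTTP attacks named in the callout, work by holding many connections open while sending almost nothing, which is why the slide asks for a defense that understands application flow rather than just packets. The following is an added example, not code from the deck or from F5, of the per-connection byte-rate check that separates such connections from legitimately slow clients; the connection fields, the thresholds (5 s grace, 50 B/s for headers, 500 B/s for bodies) and the per-client limit are assumptions chosen for illustration, and the sample connections are constructed.

```python
"""Telling Slowloris-style slow-header and slow-POST connections from
legitimate slow clients, using per-connection byte-rate thresholds.

Added example; not from the deck and not F5 code. The connection records,
the thresholds and the per-client limit are assumptions chosen for
illustration; the sample connections are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    client: str
    age_s: float          # seconds since accept()
    header_bytes: int     # request line + headers received so far
    headers_done: bool    # blank line (CRLFCRLF) seen
    body_bytes: int       # body received so far
    body_expected: int    # Content-Length, 0 when there is no body


def classify(c: Conn, grace_s=5.0, min_header_rate=50.0, min_body_rate=500.0) -> str:
    """Return 'ok', 'slow-headers' (Slowloris) or 'slow-body' (slow POST).

    A minimum transfer rate, not a fixed idle timeout, is the point:
    Slowloris defeats idle timeouts by sending one header line every few
    seconds, so the socket is never idle yet almost nothing arrives.
    """
    if c.age_s <= grace_s:
        return "ok"                       # every client gets a few seconds
    if not c.headers_done:
        return "slow-headers" if c.header_bytes / c.age_s < min_header_rate else "ok"
    if c.body_expected > c.body_bytes:
        return "slow-body" if c.body_bytes / c.age_s < min_body_rate else "ok"
    return "ok"


def slow_conns_per_client(conns, **thresholds) -> Counter:
    """Count of slow connections held by each client address."""
    counts = Counter()
    for c in conns:
        if classify(c, **thresholds) != "ok":
            counts[c.client] += 1
    return counts


def clients_to_throttle(conns, max_slow_per_client=10, **thresholds) -> list:
    """Clients holding more slow connections than a browser on a bad link
    plausibly would; one slow connection is a user, two hundred is a tool."""
    counts = slow_conns_per_client(conns, **thresholds)
    return sorted(ip for ip, n in counts.items() if n >= max_slow_per_client)


# Constructed sample: three ordinary clients, one Slowloris, one slow POST.
SAMPLE = (
    [Conn("203.0.113.5", 0.2, 512, True, 0, 0)]                       # normal GET
    + [Conn("203.0.113.6", 40.0, 700, True, 20_000_000, 50_000_000)]  # real large upload
    + [Conn("203.0.113.9", 1.0, 0, False, 0, 0)]                      # just connected
    + [Conn("198.51.100.23", 90.0, 400, False, 0, 0) for _ in range(150)]          # Slowloris
    + [Conn("198.51.100.24", 60.0, 600, True, 900, 10_000_000) for _ in range(30)]  # slow POST
)


if __name__ == "__main__":
    for c in SAMPLE[:3]:
        print(c.client, classify(c))
    print(slow_conns_per_client(SAMPLE))
    print("throttle:", clients_to_throttle(SAMPLE))
```

The same rate-based idea is what web servers expose natively; Apache httpd's mod_reqtimeout, for instance, takes `RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500`, which closes a connection whose headers or body arrive slower than 500 bytes per second. A reverse proxy or WAF in front of the application enforces the same limit once for every backend, which is the "tool for all apps" argument the later WAF slides make.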

Page 38:

Demystifying the Industry Buzzword: RASP (Runtime Application Self-Protection)

An agent in the runtime container for each application or server

Pages 39–40:

The right tool for the job: Application Security Options

RASP (Runtime Application Self-Protection)
• Instance of protection for one app (SQL injection, XSS)
• Anomalies are mitigated with delays, CAPTCHA, etc.
• Lack of integrations; not appropriate for DDoS mitigation
• App-language dependent (Java, .NET) and up to 10% or more lower performance*

WAF (Web Application Firewall)
• Enterprise-grade protection/performance for all apps
• PCI and regulatory compliance requirements
• DAST integrations for scanning, and WAFs for patching all apps
• Most effective against L7 DoS, brute force, web injection, scraping, XSS

* Source: "Runtime Application Self-Protection: Tech Capabilities," Gartner Research

The right tools for the job

Page 41:

Key Takeaway

Secure coding is not something that everyone can maintain at the same level. It is always better to have a security option that applies to your own situation.

Page 42:

Wrap Up

Page 43:

© F5 Networks, Inc. CONFIDENTIAL

Give Feedback – Get Points!
• Add class to your personal schedule.
• Survey will pop up in Mobile App.
• Answer the multiple choice.
• Submit your question to complete.
• Receive 5 points!

Page 44: