DDoS Cyber Extortion Protect Yourself with · If you need protection from volumetric DDoS,...
DDoS Cyber Extortion: Protect Yourself with Hybrid Security
Scott Altman, Dir. Business Development, F5 Silverline

DDoS Cyber Extortion
cy·ber /ˈsībər/ adjective
ex·tor·tion /ikˈstôrSH(ə)n/ noun
Mean People Are on the Internet
• Organized Crime
• Disorganized Crime
• Vendettas
• Boredom
• Competition
• Attention Seekers
• Thrill Seekers
• “Exploitionists”
Real-World Experiences

Nastygram
"All your servers will be DDoS-ed starting Tuesday if you don't pay 20 Bitcoins.
Right now we will start 30 minutes attack on one of your site's IPs.
Our attacks are extremely powerful.
Pay and we will know it's you. AND YOU WILL NEVER AGAIN HEAR FROM US!
And nobody will ever know you cooperated."
Extortion Groups
• Anonymous but not always “Anonymous”
• Armada Collective
• DD4BC
• Lizard Squad
• Phantom Squad
• numb3rCapS 5ub$t1tion Cr3W
Gangs and crews and collectives… Oh my!
Who Are They Really?
Ryan Ackroyd (LulzSec), Mustafa Al-Bassam (LulzSec), Kristina Svechinskaya
How do they operate?
• Probing attack: 1–2 Gbps
• Give you some time to respond; reminder letters
• If actual attack: 10–20 Gbps
• If payment received, no attacks (supposedly)

How will you respond?
• Do you negotiate with terrorists?
• What’s a bitcoin?
• CISO checks your firewalls.
• Call for help?
• Head; meet sand.
DDoS Attack Size Distribution
Ultra-large attacks are really exciting to talk about! Efficiency of attack = more targets per day; turn the knob until you break.
You will never* be able to buy enough bandwidth to counter these attacks.
58% of attacks are <= 10 Gbps.

Attack size (chart):
• 500–999 Mbps: 23%
• 1–10 Gbps: 38%
• 10–50 Gbps: 20%
• Over 50 Gbps: 6%
• Unknown: 12%
Reality—The Facts
• Whatever you have in your datacenter won’t help you with these attacks.
• When your Internet connection is full, there is nothing you can do.
• It’s simple math:
  • N = Internet pipe size
  • X = Attack size
  • If X = N + 1 bytes, you are having a bad day.
But I Have a Firewall!
• Were you not listening? Whatever you have in your data center won’t help you with these attacks.
• Your firewall can’t protect you from traffic levels beyond your ISP pipe size.
• Most firewalls are AWFUL at connection management.
• SYN/UDP floods make connections. Lots. Of. Them.

Maximum packets per Mbps (chart, PPS against link speed in Mbps):
100 Mbps: 195,313 PPS; 200 Mbps: 390,625; 300 Mbps: 585,938; 400 Mbps: 781,250; 500 Mbps: 976,563; 600 Mbps: 1,171,875; 700 Mbps: 1,367,188; 800 Mbps: 1,562,500; 900 Mbps: 1,757,813; 1000 Mbps: 1,953,125
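The chart's curve and the deck's "X = N + 1" rule carried into code, as an added example (not from the deck or from F5): the 64-byte frame size is an assumption that reproduces the chart's figures, and the CPS sizing function is my own reading of the "match CPS to bandwidth" requirement.

```python
import math

# Added example, not from the F5 deck. Reproduces the deck's "maximum packets
# per Mbps" chart and its "X = N + 1" pipe-size rule, then turns them into a
# sizing check for the connection-handling capacity a stateful device needs.

MIN_FRAME_BYTES = 64  # assumption: the chart's curve matches 64-byte frames


def max_pps(link_mbps: int, frame_bytes: int = MIN_FRAME_BYTES) -> int:
    """Worst-case packets per second a link can deliver at the given frame size.

    Uses raw payload bits only (no preamble or inter-frame gap), which is what
    reproduces the chart's 1,953,125 PPS at 1000 Mbps. The true Ethernet wire
    maximum is lower (about 1,488,095 PPS at 1 Gbps once the 20 bytes of
    preamble and gap per frame are counted), so the chart is a conservative bound.
    """
    bits = link_mbps * 1_000_000
    return math.ceil(bits / (frame_bytes * 8))  # ceil matches the chart's rounding


def pipe_overwhelmed(pipe_mbps: float, attack_mbps: float) -> bool:
    """The deck's simple math: N = pipe size, X = attack size. When X exceeds N
    the on-premises equipment never sees the packets it would need to drop."""
    return attack_mbps > pipe_mbps


def required_cps(link_mbps: int, frame_bytes: int = MIN_FRAME_BYTES) -> int:
    """Connections per second a stateful device must survive under a SYN flood
    that fills the link with minimum-size packets: each packet can be a new
    connection attempt, so required CPS equals worst-case PPS for the link."""
    return max_pps(link_mbps, frame_bytes)


if __name__ == "__main__":
    for mbps in range(100, 1100, 100):
        print(f"{mbps:5d} Mbps -> {max_pps(mbps):>9,} PPS")
    # Constructed scenario: a 1 Gbps pipe facing the deck's 10-20 Gbps attack.
    print("1 Gbps pipe vs 10 Gbps attack overwhelmed:", pipe_overwhelmed(1000, 10_000))
```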
Patient Study
The Hybrid Threat
Carphone Warehouse breach with a DDoS smoke screen
• DDoS attack before giant data breach
• Massive disruption to draw attention
• 2.4M customers’ data stolen from web app attack

[unnamed] Manufacturing Company
• Victim of Dyre malware; credentials stolen
• DDoS attack launched
• Wire transfer drained their bank accounts ($1.75M)
• Didn’t receive notice about fraud for hours because of ongoing DDoS attack
Defense
Silverline DDoS Protection and WAF
Complete DDoS mitigation and application security solution

(Architecture diagram. Traffic sources: legitimate users, DDoS attackers, botnet attackers, scanners, anonymous proxies and anonymous requests, arriving over multiple ISPs (multiple-ISP strategy). In the cloud: Silverline DDoS Cloud with volumetric DDoS protection, 24x7 SOC, proven capability and detailed reporting, plus hybrid integration and signaling with the BIG-IP platform. At the customer: customer router, strategic point of control, next-generation firewall, IPS, threat intelligence feed, corporate users, and the network and application tiers serving financial services, e-commerce and subscriber applications.)

Network and DNS attacks mitigated:
• Network attacks: ICMP flood, UDP flood, SYN flood
• DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning
Application attacks mitigated:
• HTTP attacks: Slowloris, slow POST, recursive POST/GET
• SSL attacks: SSL renegotiation, SSL flood
F5 Silverline vs. F5 BIG-IP Platform—What’s the Difference?

F5 SILVERLINE
• F5’s own cloud-based platform
• F5 managed service offerings: DDoS and managed WAF
• Customer configuration via a portal
• Financial investment: OpEx
• Sits “in front” of other cloud or data center offerings
SIMPLE SUMMARY: If you need protection from volumetric DDoS, Silverline is the platform to leverage.

F5 BIG-IP PLATFORM
• Traditionally what you know F5 for
• Hardware/Software/Virtual editions
• Your data center, Azure, AWS, or other clouds
• Includes features such as: network firewall, forward proxy, reverse proxy, WAF, load balancing, anti-fraud, web optimization, etc.
SIMPLE SUMMARY: If you need to ensure security and availability within your locations, BIG-IP is the platform to leverage.
© 2016 F5 Networks

Silverline Service Architecture
Security Operation Centers (SOCs), scrubbing centers, 24/7 support, global coverage, industry-leading bandwidth.
Locations: San Jose, CA USA; Seattle, WA USA; Ashburn, VA USA; Frankfurt, GERMANY; Warsaw, POLAND; Singapore, SINGAPORE
F5 Silverline DDoS Protection Service: Multiple Service Options
• Always On: primary protection as the first line of defense
• Always Available: primary protection available on-demand
Hybrid Integration
Signaling notifications to Silverline from the BIG-IP platform:
• Volumetric attack conditions
• DDoS Hybrid Defender integration
• Bad-actor detection by BIG-IP Application Security Manager (ASM)
Silverline response:
• Callback to customer (”Are you OK?”)
• Ticket generation
• Activity log
• Blacklist bad-actor IPs
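A model of the signaling exchange just described, added here as an example; it is not F5 code and not the Silverline signaling API. The pipe size, the 70% signal threshold, the bad-actor request rate, the class names and the sample counters are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Added example, not F5 code or the Silverline signaling API. It models the
# hybrid flow the slide describes: the on-premises side raises a volumetric
# signal or a bad-actor signal, and the cloud side answers with a ticket, an
# activity-log entry, a customer callback (volumetric only) and, for bad actors,
# a blacklist entry. Thresholds and sample values are constructed assumptions.

PIPE_MBPS = 1000          # assumption: 1 Gbps Internet pipe (the deck's N)
SIGNAL_AT_FRACTION = 0.7  # signal before the pipe is full; once it is, the signal may not get out
BAD_ACTOR_RPS = 500       # assumption: per-source request rate treated as a bad actor


@dataclass
class CloudResponse:
    tickets: list = field(default_factory=list)
    activity_log: list = field(default_factory=list)
    blacklist: set = field(default_factory=set)


def on_prem_signals(ingress_mbps: float, per_source_rps: dict) -> list:
    """Decide which signals the on-premises platform sends upstream."""
    signals = []
    if ingress_mbps >= PIPE_MBPS * SIGNAL_AT_FRACTION:
        signals.append(("volumetric", {"ingress_mbps": ingress_mbps, "pipe_mbps": PIPE_MBPS}))
    for src, rps in per_source_rps.items():
        if rps >= BAD_ACTOR_RPS:
            signals.append(("bad_actor", {"ip": src, "rps": rps}))
    return signals


def cloud_handle(signals: list, state: CloudResponse) -> CloudResponse:
    """Cloud-side handling: a ticket and log entry for every signal, a customer
    callback for volumetric conditions, and a blacklist entry for bad actors."""
    for kind, detail in signals:
        ticket_id = f"T{len(state.tickets) + 1:04d}"  # constructed ticket numbering
        state.tickets.append((ticket_id, kind))
        if kind == "volumetric":
            state.activity_log.append(f"{ticket_id}: callback to customer, ingress "
                                      f"{detail['ingress_mbps']} of {detail['pipe_mbps']} Mbps")
        else:
            state.blacklist.add(detail["ip"])
            state.activity_log.append(f"{ticket_id}: blacklisted {detail['ip']} ({detail['rps']} rps)")
    return state


if __name__ == "__main__":
    # Constructed sample: ingress at 85% of the pipe plus one abusive source.
    sample = on_prem_signals(850, {"198.51.100.7": 900, "203.0.113.5": 12})
    result = cloud_handle(sample, CloudResponse())
    print(*result.activity_log, sep="\n")
```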
Network Defense
Requirements:
• Stateful
  • Review and inspect every connection request
  • Packet-based systems do not understand application traffic
• Performant*
  • Match security components (CPS, Max CPS, BW) to bandwidth requirements
  • No added latency without value
• Intelligent
  • L3/L4 isn’t enough
  • Understand DNS, HTTP, basic application characteristics
  • Incorporate application delivery mechanisms

Network and DNS attacks in scope:
• Network attacks: ICMP flood, UDP flood, SYN flood
• DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning

Connection Performance
“We put an F5 (product) in front of anything Internet facing; otherwise it dies.” -Bank
“Without the F5 (product) in front of our firewalls, they’d never survive.” -Bank
“(BIG-IP) LTMs are default-deny—I’ve used them as my perimeter for years… why don’t the rest of your customers do this?” -Entertainment
(Chart: Maximum packets per Mbps, PPS on the y-axis against 0–1000 Mbps on the x-axis, rising to 1,953,125 PPS at 1000 Mbps, annotated with BIG-IP appliance model labels as extracted: 5250v, 10255v2250B, 12250v.)
Network Defense: Protecting DNS
When DNS is down, everything is down
• Likely single point of failure
• Typically under-provisioned
Recommendations:
• Leverage BIG-IP Advanced Firewall Manager (AFM) + BIG-IP DNS combo; granular DNS firewall controls
• Use BIG-IP DNS as public front-end; hidden master (DNS Express)
• Overprovision DNS services against NXDOMAIN query floods
• Blacklist as a last resort
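Detection logic for the two DNS flood patterns named above (NXDOMAIN query floods and dictionary attacks), added as an example that is not from the deck or from F5; the log line format, the example.com zone, the thresholds and the random-label heuristic are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Added example, not F5 code. Classifies DNS query-log sources as an NXDOMAIN
# query flood (random labels that can never resolve), a dictionary attack (a
# list of guessed hostnames) or normal. Log format, zone, thresholds and the
# random-label heuristic are constructed assumptions; adapt them to your resolver.

LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<src>[\d.]+) (?P<qname>\S+) (?P<rcode>\w+)$")
NXDOMAIN_RATIO = 0.8   # assumption: >=80% NXDOMAIN from one source is hostile
MIN_QUERIES = 5        # assumption: too few queries to judge -> "ok"


def random_label(qname: str) -> bool:
    """Random-looking leftmost label: long, and either digit-heavy or vowel-free."""
    label = qname.split(".")[0].lower()
    return len(label) >= 8 and (sum(c.isdigit() for c in label) >= 3 or not re.search(r"[aeiou]", label))


def analyse(lines: list) -> dict:
    """Return {source_ip: 'ok' | 'nxdomain_flood' | 'dictionary_attack'}."""
    per_src = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        kind = "nx_random" if m["rcode"] == "NXDOMAIN" and random_label(m["qname"]) else m["rcode"]
        per_src[m["src"]][kind] += 1
    verdicts = {}
    for src, c in per_src.items():
        total = sum(c.values())
        nx = c["nx_random"] + c["NXDOMAIN"]
        if total < MIN_QUERIES or nx / total < NXDOMAIN_RATIO:
            verdicts[src] = "ok"
        elif c["nx_random"] > c["NXDOMAIN"]:
            verdicts[src] = "nxdomain_flood"      # mostly random, unresolvable labels
        else:
            verdicts[src] = "dictionary_attack"   # mostly plausible, guessed hostnames
    return verdicts


# Constructed sample log: "<epoch> <source-ip> <qname> <rcode>"; one normal client,
# one source spraying random labels, one source walking a hostname wordlist.
SAMPLE_LOG = (
    [f"17000000{i:02d} 203.0.113.5 {h}.example.com NOERROR" for i, h in enumerate(["www", "mail", "www", "api", "www", "cdn"])]
    + [f"17000000{i:02d} 198.51.100.7 {h}.example.com NXDOMAIN" for i, h in enumerate(["x9k2q7v1", "qzvxtrpk", "a8d3f2hq", "zzqxkvtw", "p0o9i8u7", "mnbvcxzl"])]
    + [f"17000000{i:02d} 192.0.2.9 {h}.example.com NXDOMAIN" for i, h in enumerate(["vpn", "dev", "intranet", "staging", "admin", "backup"])]
)

if __name__ == "__main__":
    for src, verdict in analyse(SAMPLE_LOG).items():
        print(f"{src:15s} {verdict}")
```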
Application Defense
Requirements:
• SSL savvy
  • Everything is going to be encrypted
  • Handle SSL, TLS, DHE, ECDHE, 4096-bit keys
• Deep HTTP intelligence
  • More than a RegEx engine; understand application flow
  • No added latency without value
  • Tool integration
• Actionable reporting
  • WAF administration is not the easiest task
  • Effective application learning is a necessity
  • Simplified workflow

Application attacks in scope:
• HTTP attacks: Slowloris, slow POST, recursive POST/GET
• SSL attacks: SSL renegotiation, SSL flood
BIG-IP Application Security Manager
Demystifying the Industry Buzzword: RASP—Runtime Application Self-Protection
An agent in the runtime container for each application or server
The right tool for the job
Application Security Options

RASP—Runtime Application Self-Protection
• Instance of protection for one app (SQL Injection, XSS)
• Anomalies are mitigated with delays, captcha, etc.
• Lack of integrations; not appropriate for DDoS mitigation
• App language dependent (Java, .NET) and up to 10% or more lower perf.*

WAF—Web Application Firewall
• Enterprise-grade protection/performance for all apps
• PCI and regulatory compliance requirements
• DAST integrations for scanning and WAFs for patching all apps
• Most effective against L7 DoS, brute force, web injection, scraping, XSS

* Source: “Runtime Application Self-Protection: Tech Capabilities,” Gartner Research

The right tools for the job
Key Takeaway
Secure coding is not something that everyone can maintain at the same level. It is always better to have a security option that applies to your own situation.
Wrap Up