F5 DDoS protection
Mariusz Sawczuk – Specialist Systems Engineer North & East EMEA
[2017-03-08]
© F5 Networks, Inc 2
DDoS (Distributed Denial of Service)
[Diagram: attackers spread across the Internet alongside web clients, partners and remote users; the path into the data center crosses routers, next-generation firewalls and multi-layer switches (each act/stby), a DMZ with FW/VPN, an anti-malware proxy and DLP, and ends at users, applications, database, DNS and email servers. Four attack classes are marked along the path: Volumetric DoS, Network DoS, Session DoS and Application DoS.]
DDoS World is Complex
[Word cloud: growing, anyone, global, fun, war tactics, diverse, business, agenda]
DDoS attacks hide the Real Threat
Types of DDoS attacks
The slide stacks the OSI layers from Layer 2 up to Layer 7 and groups the attacks as follows:
• Layer 7 Application: OWASP Top 10 (e.g. XSS), Slowloris, Slow POST/Read, HTTP GET/POST floods, …
• Layers 5-6 Session (SSL): SSL floods, SSL renegotiation, …
• DNS, NTP: DNS UDP floods, DNS query floods, DNS NXDOMAIN floods
• Layers 3-4 Network: SYN/UDP/connection floods, PUSH and ACK floods, ICMP/Ping floods, Teardrop, Smurf attacks, …
Types of DDoS attacks (continued)
The same layer map as the previous slide, with one further class added: blended volumetric attacks, which combine vectors from several layers in a single campaign.
DDoS attacks are easy to launch
Press button and forget
• Tools: hping3, nmap, Low Orbit Ion Cannon, High Orbit Ion Cannon, killapache.pl, slowloris, metasploit, slowhttptest, RussKill, Pandora, Dirt Jumper, PhantomJS, …, Jmeter, Scapy, Httpflooder, SSLyze, THC-SSL-DOS, and many, many more…
• Evasion techniques / differentiation:
- Several User-Agents & Referrers
- Random URL/UA/Content-Length
Press button and forget - 2016 Tools Bundle
DDoS attacks are easy to launch
DDoS Coin – crowd funding DDoS
DDoS IoT (Internet of Things) – Mirai botnet
Mirai is Japanese for "future"
https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/
DDoS IoT – Mirai botnet: known targets of DDoS attacks
[Chart: attack sizes of 0.54 Tbps, 0.62 Tbps, 1.0 Tbps and 1.2 Tbps against the known targets]
DDoS IoT – Mirai botnet: DDoS attacks
• Non-standard attacks
• STOMP attack
• The known “VSE” attack offered by online booters (DDoS as a Service), exploiting online gaming servers for amplification
• A hidden “CFNull” Layer 7 attack, never implemented
DDoS IoT – Mirai botnet: DDoS attacks – HTTP attacks
DDoS IoT – Mirai botnet: coming through the front door
DDoS IoT – Mirai botnet: change of tactics
DDoS IoT – Other botnets: IoT malware families
• Mirai
• LuaBot
• qBot (GayFgt/Torlus/Bashlite)
• Darlloz
• IRCTelnet (Aidra2)
• Hajime

F5 Networks DDoS Protection
F5 Networks DDoS Protection - On-premises and cloud-based services for comprehensive DDoS Protection
Protect Your Business and Stay Online During a DDoS Attack
F5 on-premises DDoS protection:
• Mitigate mid-volume, SSL, or application-targeted attacks on-premises
• Complete infrastructure control
• Advanced L7 attack protections
F5 Silverline DDoS protection (turned on when under attack):
• Turn on the cloud-based service to stop volumetric attacks from ever reaching your network
• Multi-layered L3-L7 DDoS attack protection against all attack vectors
• 24/7 attack support from security experts
F5 Networks DDoS Protection - Reference Architecture
[Diagram: DDoS attackers, scanners, anonymous proxies, anonymous requests and botnet attackers on the left, fed by a threat intelligence feed, next to legitimate users. Three tiers from left to right, each a strategic point of control: Cloud (cloud scrubbing service for volumetric attacks and floods, operations center experts, L3-7 known signature attacks; multiple-ISP strategy with ISP a/b), Network (network and DNS tier with next-generation firewall and IPS, handling network attacks such as ICMP flood, UDP flood and SYN flood, and DNS attacks such as DNS amplification, query flood, dictionary attack and DNS poisoning) and Application (handling HTTP attacks such as Slowloris, slow POST and recursive POST/GET, and SSL attacks such as SSL renegotiation and SSL flood), in front of financial services, e-commerce and subscriber applications and corporate users.]
F5 Networks DDoS Protection - Why F5 Hybrid is better
• Only single vendor with native, seamlessly integrated on-premises and cloud-based scrubbing services
• Leverages industry-leading application protections to defend against L7 DDoS and vulnerability threats
• Most comprehensive HW-based DDoS protection coverage
• Unsurpassed SSL performance with SSL termination and outbound SSL interception protection
• Ensures app availability and performance while under attack with leading datacenter scalability and up to 2 Tbps of cloud-based scrubbing capacity
• Gartner on DDoS – Go Hybrid! “Cloud + On-Premise” makes the most sense
F5 On-Premises DDoS Protection – BIG-IP
F5 On-premises DDoS protection - Full proxy security
[Diagram: BIG-IP as a full proxy with separate client-side and server-side stacks (TCP, SSL and HTTP on each side), iRules attachable at each layer, a network firewall on the client side and a WAF on both sides. Each attack is stopped at its layer: ICMP flood and SYN flood (TCP), SSL renegotiation (SSL), Slowloris attack, XSS and data leakage (HTTP/WAF).]
F5 On-premises protection - Comprehensive application security
[Diagram of the BIG-IP security modules: application access, network access, network firewall, network DDoS protection, SSL DDoS protection, DNS DDoS protection, application DDoS protection, web application firewall, fraud protection, virtual patching.]
F5 On-premises protection - Comprehensive DDoS protection
More than only DDoS Protection
• ASM DoS + IPI: L7 DoS profiles, heavy URLs
• AFM DoS + IPI: device DoS, protocol DoS, IP Intelligence, black/white lists, DNS DoS
• DNS DoS, DNSSEC
• LTM profiles: HTTP/HTTPS, SSL, SIP, SMTP
• BIG-IP system: reaper (75%-90%), iRules
F5 On-premises DDoS protection - Performance
Up to 640 Gbps, 7.5M CPS, 576M CCS in the datacenter and over 1 Tbps in the cloud
[Chart: platform range from the 2000/4000 series through the 5000, 7000, 10000 and 11000 series up to VIPRION 2200 (new), 2400, 4480 and 4800, with scale marks 25M, 200M, 1 Gbps, 3 Gbps, 5 Gbps and 10 Gbps (new).]
F5 On-premises DDoS protection – DDoS vectors hardware accelerated
Over 110 L3/4 DDoS vectors, with the majority of them mitigated in hardware.
F5 On-premises DDoS protection - Recommended by NSS Labs

Network DDoS Mitigation
[Section divider; the deck walks through the attack classes Network, Application, Session, SSL, DNS/NTP and Blended.]
Network DDoS Mitigation
[Reference architecture diagram repeated, with the Network tier highlighted.]
NETWORK KEY FEATURES
• The network tier at the perimeter is layer 3 and 4 network firewall services
• Simple load balancing to a second tier
• IP reputation database
• Mitigates transient and low-volume attacks
Demo TCP SYN Flood - SYN Cookies
• The original SYN is transformed into a cookie and sent back to the client in the SYN-ACK; no flow table entry exists yet
• The flow table entry is created and inserted only on receipt of the client's ACK packet
• Connection established
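The mechanism on this slide, as an added worked example (not code from the deck or from F5): the SYN-ACK sequence number is a keyed cookie derived from the 4-tuple, a coarse time counter, the client's ISN and an MSS index, so a spoofed SYN flood allocates nothing, and a flow-table entry is written only when an ACK carries a cookie the listener can verify. The bit layout, the MSS table and the 64-second counter follow classic SYN cookies; the secret, addresses and packet values are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo secret; a real device rotates it and accepts the previous one
# for a short overlap so in-flight handshakes are not lost.
SECRET = os.urandom(32)

# Classic SYN cookies (Bernstein) squeeze the client's MSS into 3 bits so the
# server can recover it from the ACK without having stored anything.
MSS_TABLE = (536, 1220, 1440, 1460)
MASK32 = 0xFFFFFFFF


def _mac24(src_ip, src_port, dst_ip, dst_port, counter, client_isn):
    """24-bit keyed MAC binding the cookie to the 4-tuple, time slot and client ISN."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}|{client_isn}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now):
    """Build the SYN-ACK sequence number: 5 bits of a 64-second time counter,
    3 bits of MSS index, 24 bits of MAC. Nothing is stored server-side."""
    t = int(now // 64) & 0x1F
    m = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            m = i
    mac = int.from_bytes(_mac24(src_ip, src_port, dst_ip, dst_port, t, client_isn), "big")
    return ((t << 27) | (m << 24) | mac) & MASK32


def check_cookie(src_ip, src_port, dst_ip, dst_port, seq, ack, now):
    """Validate the handshake-completing ACK: seq is the client's ISN + 1 and ack
    is our cookie + 1. Returns the recovered MSS, or None if the cookie was not
    issued by us for this 4-tuple or is older than about two minutes."""
    cookie = (ack - 1) & MASK32
    client_isn = (seq - 1) & MASK32
    t = cookie >> 27
    t_now = int(now // 64) & 0x1F
    if ((t_now - t) & 0x1F) > 1:
        return None
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, t, client_isn)
    if not hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]


class SynCookieListener:
    """Virtual server whose flow table is only written on a valid ACK, never on a SYN."""

    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.flows = {}

    def on_syn(self, src_ip, src_port, client_isn, mss, now):
        # Reply SYN-ACK with the cookie as our ISN; no state allocated.
        return make_cookie(src_ip, src_port, self.ip, self.port, client_isn, mss, now)

    def on_ack(self, src_ip, src_port, seq, ack, now):
        mss = check_cookie(src_ip, src_port, self.ip, self.port, seq, ack, now)
        if mss is None:
            return False
        self.flows[(src_ip, src_port)] = {"mss": mss, "established": now}
        return True

    def flow_count(self):
        return len(self.flows)


def demo():
    """Constructed flood of 10,000 spoofed SYNs that never complete, then one
    genuine client handshake, one forged ACK and one stale ACK."""
    vs = SynCookieListener("10.1.10.80", 80)
    now = 1_000_000.0
    for i in range(10_000):
        vs.on_syn(f"198.51.100.{i % 250}", 1024 + i, i * 7, 1460, now)
    after_flood = vs.flow_count()
    isn = 0xABCDEF01
    cookie = vs.on_syn("10.1.10.100", 40000, isn, 1460, now)
    ok = vs.on_ack("10.1.10.100", 40000, (isn + 1) & MASK32, (cookie + 1) & MASK32, now + 0.5)
    forged = vs.on_ack("10.1.10.100", 40001, 5, 12345, now + 0.5)
    stale = vs.on_ack("10.1.10.100", 40000, (isn + 1) & MASK32, (cookie + 1) & MASK32, now + 300)
    return after_flood, ok, forged, stale, vs.flow_count()
```

The flow table stays empty through the flood and holds exactly one entry afterwards; the price of statelessness is that TCP options other than MSS are lost for cookie-validated connections, which is why a device only switches to cookies once the SYN-queue threshold is crossed.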
Demo TCP SYN Flood - Topology and initial configuration
• TMOS version 12.1
• Virtual Server info:
- Listening on port 80
- Type: Performance L4 (to start with)
- No HTTP profile (to start with)
- Pool members: 3 x Apache servers listening on port 80
[Topology: attacker (.200) and user (.100) on 10.1.10.0/24; BIG-IP virtual server .80:80; application servers .11, .12 and .13 on 10.1.20.0/24]
Demo TCP SYN Flood - Start the attack
Demo TCP SYN Flood - Attack Mitigated
Demo TCP SYN Flood - AFM signatures mitigation
Network DDoS Mitigation - AFM (Advanced Firewall Manager)
[Diagram: AFM as the data center firewall between users and classic/app servers, next to application security, access security, DNS security and network DDoS.]
• Built on the market-leading Application Delivery Controller (ADC)
• Consolidates multiple appliances to reduce TCO
• Protects against L2-L4 attacks with the most advanced full proxy architecture
• Delivers over 110 vectors and more hardware-based DoS vectors than any other vendor
• Ensures performance while under attack - scales to 7.5M CPS, 576M CC, 640 Gbps
• Offers a foundation for an integrated L2-L7 application delivery firewall platform
Network DDoS Mitigation - AFM: Stateless DDoS Mitigation
L2-L4 stateless DoS vectors
Each DoS vector (grouped by DoS category) carries three thresholds:
• Detection threshold, absolute number in PPS: when to report an attack
• Detection threshold, relative percent increase in PPS: when to report an attack
• Mitigation threshold, absolute number in PPS: when to mitigate an attack
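The three-threshold scheme above, as an added example (constructed model, not F5's implementation): each vector keeps a short history of per-second packet counts as its baseline, reports when the rate crosses the absolute detection value or rises by the configured percentage over that baseline, and rate-limits to the mitigation value once that is crossed. Vector names, thresholds and the traffic timeline are constructed.

```python
from collections import deque


class DosVector:
    """One L3/L4 DoS vector with AFM-style thresholds (constructed model):
    report when packets-per-second exceed an absolute value or rise by a
    percentage over the recent average; rate-limit above a second absolute value."""

    def __init__(self, name, detect_pps, detect_pct_increase, mitigate_pps, history=10):
        self.name = name
        self.detect_pps = detect_pps
        self.detect_pct = detect_pct_increase
        self.mitigate_pps = mitigate_pps
        self.samples = deque(maxlen=history)  # recent per-second rates form the baseline

    def observe(self, pps):
        """Feed one per-second packet count. Returns (events, allowed_pps)."""
        events = []
        baseline = sum(self.samples) / len(self.samples) if self.samples else None
        if pps >= self.detect_pps:
            events.append("detect-absolute")
        if baseline and (pps - baseline) / baseline * 100 >= self.detect_pct:
            events.append("detect-relative")
        allowed = pps
        if pps >= self.mitigate_pps:
            events.append("mitigate")
            allowed = self.mitigate_pps  # packets beyond the threshold are dropped
        self.samples.append(pps)
        return events, allowed


class DosProfile:
    """A DoS category groups several vectors; each is evaluated independently."""

    def __init__(self, vectors):
        self.vectors = {v.name: v for v in vectors}

    def observe(self, second, counts):
        """counts maps vector name -> packets seen in this second."""
        report = {}
        for name, pps in counts.items():
            events, allowed = self.vectors[name].observe(pps)
            report[name] = (pps, events, allowed)
        return second, report


def demo():
    """Constructed traffic: a quiet baseline, then a SYN flood that first rises
    relative to the baseline, then crosses the absolute detection and the
    mitigation thresholds, then subsides. ICMP stays quiet throughout."""
    profile = DosProfile([
        DosVector("syn-flood", detect_pps=10_000, detect_pct_increase=500, mitigate_pps=50_000),
        DosVector("icmp-flood", detect_pps=5_000, detect_pct_increase=500, mitigate_pps=20_000),
    ])
    syn = [100, 120, 110, 900, 20_000, 80_000, 100]
    icmp = [10, 12, 11, 10, 13, 12, 10]
    return [profile.observe(sec, {"syn-flood": s, "icmp-flood": i})
            for sec, (s, i) in enumerate(zip(syn, icmp))]
```

The relative threshold fires at second 3 while the rate is still far below the absolute one, which is what makes it useful for a quiet vector; the absolute mitigation threshold is what stops the flood from consuming the device, because relative detection only reports.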
Demo Different Network DDoS Attacks - Topology and initial configuration
• TMOS version 12.1
• Virtual Server info:
- Listening on all ports
- Type: Standard
- TCP profile: tcp-lan-optimized on the outside interface
- Pool members: 1 x server listening on different ports
[Topology: attacker (.200) and user (.100) on 10.1.10.0/24; BIG-IP virtual server .80 on all ports; server .11 on 10.1.20.0/24]
Demo Different Network DDoS Attacks - Start the attack
Demo Different Network DDoS Attacks - Attacks mitigated
Network DDoS Mitigation - Dynamic Endpoint Visibility & Enforcement: IP Intelligence service
F5 IP Intelligence Service
• Dynamic feed updated every 5 minutes
• Applied at virtual-server level
• 9 pre-defined categories of malicious IPs/subnets
• Customizable per-category actions (Accept, Warn, Reject)
• Policy name (attachable to a virtual server)
Network DDoS Mitigation - AFM: Dynamically update security logic
Maintain a current IP reputation database that allows you to automatically mitigate traffic from known bad or questionable IP addresses.
F5 IP INTELLIGENCE SERVICES
• Dynamic services feeds updated frequently
• Policy attached to global, route-domain or VS contexts
• Categorize IP/subnet by attack type
• Customizable actions per attack-type category (i.e., Accept, Warn, Alert)
• Create multiple customizable IP feeds
DYNAMIC IP BLACK LISTS & WHITE LISTS
• Create IP black lists and white lists that override IP intelligence services
• Merge multiple sources into one feed or enforcement policy
• HTTP/S & FTP polling methods
• User-defined categories
• Support for IPv6 and IPv4
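How the pieces on these two slides fit together at decision time, as an added example (constructed model, not F5's code): several feed sources are merged into one longest-prefix table, each category maps to an action, and explicit white and black lists are consulted first so they override the feed. Category names, actions and the documentation-range addresses are constructed.

```python
import ipaddress


class IpIntelligencePolicy:
    """Constructed model of an IP-reputation enforcement policy: feed entries are
    (network, category), each category maps to an action, and explicit
    white/black lists override whatever the feed says."""

    def __init__(self, category_actions, default_action="accept"):
        self.actions = dict(category_actions)
        self.default_action = default_action
        self.feed = []
        self.whitelist = []
        self.blacklist = []

    def load_feed(self, *sources):
        """Merge several feed sources into one table; the longest prefix wins."""
        merged = [(ipaddress.ip_network(cidr, strict=False), category)
                  for source in sources for cidr, category in source]
        merged.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
        self.feed = merged

    def add_whitelist(self, cidr):
        self.whitelist.append(ipaddress.ip_network(cidr, strict=False))

    def add_blacklist(self, cidr):
        self.blacklist.append(ipaddress.ip_network(cidr, strict=False))

    def evaluate(self, ip):
        """Return (action, reason) for one client address, IPv4 or IPv6."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.whitelist):
            return "accept", "whitelist"
        if any(addr in net for net in self.blacklist):
            return "reject", "blacklist"
        for net, category in self.feed:   # mixed IP versions never match
            if addr in net:
                return self.actions.get(category, "warn"), category
        return self.default_action, "no-match"


def demo():
    policy = IpIntelligencePolicy({
        "botnets": "reject", "scanners": "reject",
        "anonymous_proxies": "warn", "spam_sources": "accept",
    })
    # Two constructed feed sources, as if polled over HTTPS and FTP respectively.
    policy.load_feed(
        [("198.51.100.0/24", "botnets"), ("203.0.113.0/24", "scanners")],
        [("198.51.100.128/25", "spam_sources"), ("2001:db8:bad::/48", "anonymous_proxies")],
    )
    policy.add_whitelist("198.51.100.200/32")   # a partner host inside a listed range
    policy.add_blacklist("192.0.2.0/24")          # a locally known bad range
    clients = ["198.51.100.7", "198.51.100.130", "198.51.100.200",
               "192.0.2.9", "2001:db8:bad::1", "10.1.10.100"]
    return {ip: policy.evaluate(ip) for ip in clients}
```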
Session (DNS) DDoS Mitigation
DNS DDoS Attacks
Why DNS is popular for DDoS?
• Widely used protocol, open on firewalls, open recursion
• DNS is based on UDP
• DNS DDoS often uses spoofed sources
• Large amplification factor (100x) - using open resolvers or the ANY type against an authoritative NS
Traditional mitigations are failing
• Blocking with an ACL also blocks legitimate clients
• DNS attacks use massive volumes of source addresses, breaking many firewalls
Denial of Service attacks targeting DNS infrastructure are often complex, and standard tools cannot provide an adequate response to mitigate them without inhibiting the ability of DNS to do its job.
DNS DDoS Attacks - DNS UDP Flood
Synopsis
Many attackers or botnets flood an authoritative name server, attempting to exceed its capacity. Dropped responses = reduced or no site availability.
[Diagram: DNS requests and DNS responses hitting the target DNS infrastructure]
Mitigation – PERFORMANCE, PERFORMANCE, …
• F5 offers exceptional DNS capacity: over 2M RPS for an appliance and over 20M RPS for a chassis. Additionally, Rapid Response Mode can be used to double it during the attack.
• Identify unusually high traffic patterns to specific clients using F5 DNS DDoS profiles - ICSA-certified FW with support for 30+ DDoS vectors
• Use DNS Anycast to distribute the load between regional DCs
DNS DDoS Attacks - DNS Amplification & NSQUERY
[Diagram: small DNS requests and large DNS responses directed at the target site]
Synopsis
By spoofing a UDP source address, attackers can target a common source. By requesting large record types (ANY, DNSSEC, etc.), a 36-byte request can result in a response over 100 times larger.
Mitigation
• DNS request type validation – force TCP in case of type ANY
• BIG-IP supports DNS type ACLs - filters for acceptable DNS query types
• Identify unusually high traffic patterns to specific clients or from specific sources via DNS DoS profiles and apply mitigations
• Drop all unsolicited responses (BIG-IP's default behavior)
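Three of the mitigations above in one place, as an added example (not F5's code): a minimal wire-format parser for the DNS header and question, a query-type ACL, a truncated (TC=1) reply that forces ANY queries onto TCP where the source address has survived a handshake, and the default drop of responses that nobody asked for. The packets, the allowed-type list and the type table are constructed for the demo.

```python
import struct

# RR type numbers used in the demo (RFC 1035/3596/2782 values); 252 is AXFR.
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT",
          28: "AAAA", 33: "SRV", 252: "AXFR", 255: "ANY"}
# Constructed query-type ACL: the types this listener is willing to answer.
ALLOWED_QTYPES = {"A", "AAAA", "NS", "MX", "SOA", "CNAME", "TXT", "SRV", "ANY"}


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, qr=False, txid=0x1234):
    """Constructed wire-format packet with one question; qr=True fakes a response."""
    flags = 0x8000 if qr else 0x0100          # QR bit, or RD for a normal query
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(pkt):
    """Parse the header and first question; raises ValueError on malformed input."""
    if len(pkt) < 12:
        raise ValueError("short header")
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    pos, labels = 12, []
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated name")
        n = pkt[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question")
        labels.append(pkt[pos:pos + n].decode("ascii"))
        pos += n
    if len(pkt) < pos + 4:
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return {"id": txid, "qr": bool(flags & 0x8000), "qdcount": qd,
            "name": ".".join(labels) + ".", "qtype": qtype, "qclass": qclass,
            "question_end": pos + 4}


def filter_query(pkt, over_tcp=False):
    """Return (action, reason, reply_bytes_or_None) for one inbound packet."""
    try:
        q = parse_question(pkt)
    except (ValueError, UnicodeDecodeError):
        return "drop", "malformed", None
    if q["qr"]:
        return "drop", "unsolicited-response", None   # nobody asked: drop by default
    if q["qdcount"] != 1:
        return "drop", "qdcount", None
    tname = QTYPES.get(q["qtype"], str(q["qtype"]))
    if tname not in ALLOWED_QTYPES:
        return "drop", f"qtype-acl:{tname}", None
    if tname == "ANY" and not over_tcp:
        # Empty, truncated answer: a genuine resolver retries over TCP, where the
        # source address has been proven by the handshake; a spoofer gets ~40 bytes.
        flags = 0x8000 | 0x0200 | 0x0100                # QR | TC | RD
        header = struct.pack("!HHHHHH", q["id"], flags, 1, 0, 0, 0)
        return "truncate", "force-tcp-for-any", header + pkt[12:q["question_end"]]
    return "allow", tname, None


def demo():
    """Constructed packets: a normal A query, ANY over UDP and over TCP,
    a spoofed response aimed at the listener, and an AXFR request."""
    cases = [
        (build_query("www.example.com", 1), False),
        (build_query("example.com", 255), False),
        (build_query("example.com", 255), True),
        (build_query("example.com", 1, qr=True), False),
        (build_query("example.com", 252), False),
    ]
    return [filter_query(pkt, over_tcp) for pkt, over_tcp in cases]
```

The truncated reply is no larger than the query, so the amplification factor for ANY over UDP collapses to about 1; the cost is one extra round trip for honest resolvers that still send ANY.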
DNS DDoS Attacks - NXDOMAIN Random Hostname Attack
• Querying for randomly-generated non-existent hostnames
• Causes enormous work on the DNS resolver
• Blows out DNS caches
• Easy to generate – single packet per name
• Easy to spoof the source address – UDP
• Asymmetric
• Low-bandwidth
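Detection logic for this attack run over resolver log lines, as an added example (not from the deck): per client it tracks the share of NXDOMAIN answers and the character entropy of the leftmost label, and flags sources that combine a high NXDOMAIN ratio with labels that look random. The log format, the thresholds and the sample lines (documentation-range addresses, names generated from a fixed seed) are constructed.

```python
import math
import random
from collections import Counter, defaultdict


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label; random names score high."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    # Constructed resolver log format: "<timestamp> <client> <qname> <qtype> <rcode>"
    ts, client, qname, qtype, rcode = line.split()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype, "rcode": rcode}


def detect_random_subdomain(lines, min_queries=20, min_nx_ratio=0.8, min_entropy=2.5):
    """Per client: flag when most answers are NXDOMAIN and the leftmost labels look
    random. Returns {client: (queries, nx_ratio, mean_entropy)} for the hits."""
    stats = defaultdict(lambda: {"n": 0, "nx": 0, "ent": 0.0})
    for line in lines:
        rec = parse_line(line)
        s = stats[rec["client"]]
        s["n"] += 1
        s["nx"] += rec["rcode"] == "NXDOMAIN"
        s["ent"] += label_entropy(rec["qname"].split(".")[0])
    hits = {}
    for client, s in stats.items():
        ratio = s["nx"] / s["n"]
        mean_ent = s["ent"] / s["n"]
        if s["n"] >= min_queries and ratio >= min_nx_ratio and mean_ent >= min_entropy:
            hits[client] = (s["n"], round(ratio, 2), round(mean_ent, 2))
    return hits


def build_sample_log():
    """Constructed log: one normal client (with a typo) and two spoofed sources
    each sending 40 random 12-character hostnames under the victim zone."""
    rng = random.Random(7)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    lines = [
        "2017-03-08T10:00:01 10.1.10.100 www.example.com A NOERROR",
        "2017-03-08T10:00:01 10.1.10.100 mail.example.com MX NOERROR",
        "2017-03-08T10:00:02 10.1.10.100 login.example.com A NOERROR",
        "2017-03-08T10:00:02 10.1.10.100 wwww.example.com A NXDOMAIN",
        "2017-03-08T10:00:03 10.1.10.100 api.example.com AAAA NOERROR",
    ]
    for client in ("198.51.100.9", "203.0.113.77"):
        for i in range(40):
            name = "".join(rng.choice(alphabet) for _ in range(12))
            lines.append(f"2017-03-08T10:00:{10 + i % 50:02d} {client} {name}.example.com A NXDOMAIN")
    return lines
```

Because the attack spoofs sources, a per-client hit is only a starting point: the useful mitigation is per-zone (cap the NXDOMAIN rate the resolver will chase for one zone) rather than per-address.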
Demo DNS Flood - Start the attack
DNS DDoS Mitigation - AFM: DDoS Signatures
Attack mitigated
DNS DDoS Mitigation - AFM: Stateless App. Layer DoS Detection
Application protocol volumetric attack detection: DNS & SIP
• Malformed/protocol violation detection
• DNS DoS detection by query type: when to report an attack, absolute and relative increase detection thresholds
• SIP DoS detection by method: when to report an attack, absolute and relative increase detection thresholds
DNS DDoS Mitigation - AFM: Protocol Security
Application protocol compliance & DNS DoS mitigation
Filter by DNS query types (as listed on the slide): a, m, mg, loc, ixfr, dname, nsec3param, aaaa, px, rp, spf, cert, nsec3, ipseckey, any, md, mr, eid, apl, dhcid, nsap_ptr, cname, mf, null, nxt, axfr, zxfer, nsap, mx, a6, wks, key, sink, rrsig, nimloc, ns, rt, dlv, x25, naptr, sshfp, dnskey, ptr, mb, hip, sig, isdn, maila, mailb, soa, ds, opt, tsig, nsec, afsdb, hinfo, srv, kx, txt, ata, gpos, tkey, minfo
Session (SSL) DDoS Mitigation
SSL DDoS Mitigation - F5 Reference Architecture
[Reference architecture diagram repeated, with the Application tier highlighted: HTTP attacks (Slowloris, slow POST, recursive POST/GET) and SSL attacks (SSL renegotiation, SSL flood).]
APPLICATION KEY FEATURES
• Application-aware, CPU-intensive defense mechanisms
• SSL termination
• Web application firewall
• Mitigate asymmetric and SSL-based DDoS attacks
Demo SSL Renegotiation - Start the attack
Demo SSL Renegotiation – Attack mitigated
LTM: SSL Profile
Application DDoS Mitigation
Application DDoS Mitigation - F5 Reference Architecture
[Reference architecture diagram and APPLICATION KEY FEATURES repeated from the SSL section, with the Application tier highlighted.]
Application DDoS Mitigation - ASM (Application Security Manager)
Layer 7 HTTP/S DoS attack protection
▪ Guards against RPS (TPS) and latency-based anomalies
▪ Provides predictive indicators
▪ Supports IP, geolocation, URL and site-wide detection criteria
▪ Provides heavy URL protection
▪ Protects against threats proactively
▪ Simplified report access and added qkView violations export support
▪ Advanced prevention techniques: client-side integrity defense, CAPTCHA (HTML or JS response), source IP blocking, geolocation blacklisting
Demo Application DDoS Attacks - Topology and initial configuration
• TMOS version 12.1
• Virtual Server info:
- Listening on port 80
- Type: Performance L4 (to start with)
- No HTTP profile (to start with)
- Pool members: 3 x Apache servers listening on port 80
[Topology as in the TCP SYN flood demo: attacker (.200) and user (.100) on 10.1.10.0/24; BIG-IP virtual server .80:80; application servers .11, .12 and .13 on 10.1.20.0/24]
Application DDoS Attacks - HTTP Slow (Low Bandwidth)
• Slow HEADERS (Slowloris) – opening HTTP connections to a web server and then sending just enough data in an HTTP header (typically 5 bytes or so) every 299 seconds to keep the connections open. Slow headers is an attack that sends an HTTP request very slowly. The request headers are sent so slowly that all available server connections are tied up waiting for the slow request to complete. Slowloris achieves denial of service with just 394 open connections for a typical Apache 2.
Demo Slow HEADERS - Start the attack
• Send the command:
slowhttptest -H -c 3000 -i 10 -r 50 -u http://10.1.10.80/ &
• … website is down!
Demo Slow HEADERS - LTM: Standard Virtual Server with HTTP Profile
• LTM can protect the Apache servers by preventing the Slow Headers attack from ever reaching them. A Standard Virtual Server with an HTTP profile does not open the server-side connection until the full HTTP request is received. Since the attack never completes the HTTP request, the attack is never propagated to the servers.
https://support.f5.com/kb/en-us/solutions/public/8000/000/sol8082.html#standard
Demo Slow HEADERS - AFM: Not only Network DDoS protection
DoS enhancements and new vectors
AFM delivers increased effectiveness of DoS vectors by enhancing vectors to provide greater coverage, introducing new vectors, providing more hardware-based vectors, and improving overall DoS logging. Version 12.0 also provides Sweeper enhancements to Slow Loris, BiasIdle Cleanup and Reporting.
Application DDoS Attacks - HTTP Slow (Low Bandwidth)
• Slow POST (R.U.D.Y.) - Like Slowloris, Slow POST uses a slow, low-bandwidth approach, but instead of sending an HTTP header it begins an HTTP POST and then feeds in the payload of the POST data very, very slowly. Slow POST is an attack that sends the initial POST request and attempts to send each additional piece of POST data in subsequent packets very slowly. Since the initial POST completes, LTM creates the connection to the web server. Since the POST data is very slow to complete, all the available connections are tied up again...
Demo Slow POST - Start the attack
• Send the command:
slowhttptest -B -c 3000 -i 20 -r 50 -u http://10.1.10.80/ &
• … website is down!
Demo Slow POST - ASM: Deployment Policy
• ASM deployment steps (shortened): you can use Rapid Deployment, then Apply!
Demo Slow POST - ASM Protection
• ASM can protect against Slow POST attacks just by being applied to the virtual server. The policy does NOT need to be in blocking mode. Since ASM must protect itself from slow connections, it will also protect the virtual server by limiting the number of slow connections allowed. The number of allowed connections per TMM is configurable.
• Security > Options > Application Security > Advanced Configuration > System Variables
• When this protection kicks in, ASM will log to /var/log/asm: [log excerpt shown on the slide]
Application DDoS Attacks - HTTP Slow (Low Bandwidth)
• Slow READ - Slow Read is an attack that sends a normal request for an HTTP page. The attacker then accepts the site data with a very small TCP window. Upon receiving the first packet of data, the attacker typically sends back a TCP window size of zero in the acknowledgement. Since the server received a zero window from the client, it will wait to send more data, holding the TCP connection open. Once enough zero-window clients have attached to the server, it is unable to accept new clients. Since this behavior is RFC compliant (though it rarely happens in normally functioning networks), it is difficult for the F5 to distinguish an attacker from a real slow client. There are a few ways to protect against these types of attacks.
Demo Slow READ - Start the attack
• Send the command:
slowhttptest -X -c 3000 -i 10 -r 50 -u http://10.1.10.80/ &
• … website is down!
Demo Slow READ - ASM: DDoS Profile Defense for browser applications
• Proactive Bot Defense
- Many DDoS attacks are simple scripts or programs with very little logic. They exploit the known behaviors of the application to prevent normal users from accessing the data. Proactive Bot Defense challenges the client to perform some data manipulation using JavaScript. Since many scripts are unable to parse and perform the JavaScript challenge, they are denied access. Proactive Bot Defense should only be used when you know the normal clients are able to accept JavaScript. All modern browsers can pass this challenge.
• Client Side Integrity Defense
- Similar to Proactive Bot Defense, Client Side Integrity Defense challenges the client with JavaScript. It differs in that it only challenges clients based upon the criteria set within a DDoS profile.
• Captcha
- During an attack, clients can be forced to pass a Captcha challenge. This Captcha challenge must be passed before the server data is requested and passed to the client.
• These protections are configured as DDoS profiles and applied to a virtual server.
Demo Slow READ - ASM: TPS-Based Detection & Prevention
Demo Slow READ - ASM: DDoS Profile Defense for browser applications
• DoS Protection Profile: apply the DDoS profile to the virtual server
Demo Slow READ - ASM: Client-side Integrity Defense
[Diagram of the challenge exchange, once for a user's browser and once for a web bot:]
Client: Hey server, can I get the web page?
ASM: No, you are sending too many requests. Are you a browser?
Browser: Yes, I'm a browser (answers the JavaScript challenge)
ASM: OK, you are allowed. Here is the web page you asked for.
Web bot: *^lkjdfg@#$ (cannot answer the challenge)
ASM: Bye bye – blocked
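The exchange on this slide as server-side logic, in an added example (constructed model, not F5's implementation): once a source exceeds a per-second request threshold it receives a signed challenge instead of the page; a browser runs the injected JavaScript, computes the answer and presents it in a cookie that is verified before serving, while a script that cannot execute JavaScript keeps getting challenged and is blocked after a few failures. The signing key, the "work" the script performs (a hash here) and the thresholds are constructed.

```python
import hashlib
import hmac
import os
import secrets

# Constructed per-device secret; a real deployment rotates it.
KEY = os.urandom(32)


def _sign(ip, challenge):
    """HMAC tying a challenge to the client address so it cannot be replayed from elsewhere."""
    return hmac.new(KEY, f"{ip}|{challenge}".encode(), hashlib.sha256).hexdigest()[:16]


def solve(challenge):
    """The work the injected JavaScript does in the browser (here: hash the challenge)
    and returns in a cookie; a script that cannot run JavaScript never produces it."""
    return hashlib.sha256(challenge.encode()).hexdigest()[:16]


class ChallengeGate:
    def __init__(self, tps_limit=20, challenge_ttl=300, max_challenges=3):
        self.tps_limit = tps_limit
        self.ttl = challenge_ttl
        self.max_challenges = max_challenges
        self.windows = {}      # ip -> (second, requests seen in that second)
        self.challenged = {}   # ip -> challenges issued without a valid answer

    def _rate(self, ip, now):
        sec = int(now)
        prev_sec, count = self.windows.get(ip, (sec, 0))
        count = count + 1 if prev_sec == sec else 1
        self.windows[ip] = (sec, count)
        return count

    def issue(self, ip, now):
        challenge = f"{int(now)}:{secrets.token_hex(8)}"
        return f"{challenge}:{_sign(ip, challenge)}"

    def verify(self, ip, cookie, now):
        try:
            ts, nonce, sig, proof = cookie.split(":")
        except ValueError:
            return False
        challenge = f"{ts}:{nonce}"
        if not ts.isdigit() or now - int(ts) > self.ttl:
            return False
        if not hmac.compare_digest(sig.encode(), _sign(ip, challenge).encode()):
            return False
        return hmac.compare_digest(proof.encode(), solve(f"{challenge}:{sig}").encode())

    def handle(self, ip, cookie, now):
        """Return ('serve', None), ('challenge', challenge) or ('block', None)."""
        if cookie is not None and self.verify(ip, cookie, now):
            self.challenged.pop(ip, None)
            return "serve", None
        if self._rate(ip, now) <= self.tps_limit:
            return "serve", None
        self.challenged[ip] = self.challenged.get(ip, 0) + 1
        if self.challenged[ip] > self.max_challenges:
            return "block", None
        return "challenge", self.issue(ip, now)


def demo():
    """Constructed clients: a browser and a script, each sending 30 requests
    within one second; only the browser can answer the challenge."""
    gate = ChallengeGate()
    now = 1_700_000_000.0
    cookie, browser = None, []
    for _ in range(30):
        action, ch = gate.handle("10.1.10.100", cookie, now)
        if action == "challenge":
            cookie = f"{ch}:{solve(ch)}"   # what the browser's JavaScript computes
        browser.append(action)
    cookie, bot = None, []
    for _ in range(30):
        action, ch = gate.handle("198.51.100.7", cookie, now)
        if action == "challenge":
            cookie = ch                    # echoed back unchanged, no proof appended
        bot.append(action)
    return browser, bot
```

Binding the signature to the client address is what keeps a solved cookie from being shared across a botnet; the time-to-live bounds how long one solved challenge is worth.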
Demo Slow READ - ASM: Captcha
• Ultimate solution for identifying human or bot
• Send a challenge to every IP that reached the IP detection criteria thresholds
Note: Some argue that CAPTCHA is bad for usability, because a user who gets a CAPTCHA on his online shop (or similar) will not stay.
Application DDoS Attacks - HTTP Flood
• Unlike most simple network attacks, which overwhelm computing resources with invalid packets, HTTP flood attacks look like real HTTP web requests.
• To conventional firewall technology, these requests are indistinguishable from normal traffic.
• Two main variations:
- Basic HTTP flood, which merely repeats the same request over and over again. Easy to detect and mitigate.
- Advanced HTTP flood attack with a recursive-GET denial of service. Clients using this attack request the main application page, parse the response, and then recursively request every object at the site. Difficult to detect and mitigate.
Demo HTTP Flood - Start the attack
• LOIC (Low Orbital Ion Cannon)
• Launch from many sources and… website will be down!
Demo HTTP Flood - Attack mitigated
Application DDoS Mitigation - ASM: Heavy URL Mitigation
• When any URL-based mitigation is active, the heavy URLs that were detected receive this mitigation
Heavy URL – configuration
• Latency on URLs is measured automatically for 24 hours to decide which URLs are heavy
Application DDoS Mitigation - ASM: Heavy URL Reporting

New anti-DDoS features 12.1
New DDoS Features in TMOS 12.1
• BGP black-hole DoS protection (RTBH)
• Automatic DDoS vector thresholds
• Behavioral analysis DDoS (BADOS)
• BIG-IP/DHD Silverline signaling
New DDoS Features in TMOS 12.1 - RTBH
• RTBH (Remotely Triggered Black-Hole): route injection instructs upstream network devices to drop certain flows at the edge of the network.
• RTBH belongs to AFM, and AFM needs to be provisioned to configure this feature.
• When you configure settings for DDoS vectors in AFM, you will find a 'Bad actors' column; instead of rate-limiting them you can block them - this is 'IP shunning'.
• On top of this, RTBH can be configured to signal this information to upstream routers.
• AFM IP Intelligence (IPI) can now instruct the IP network within the local Autonomous System (AS) to "black-hole" source or destination addresses which have been blacklisted.
• ARM (Advanced Routing) belongs to AFM: every time you provision AFM, the Advanced Routing license is enabled as well. ARM is also included in DHD.
New DDoS Features in TMOS 12.1 - RTBH (continued)
New DDoS Features in TMOS 12.1 - BADOS – Why?
Today:
• Configuration
• Tune and maintain
• Impact leads to mitigation
• React to 0-day
• Static – automatic
• Impacts the good
• Uses wisdom of IT
BADOS:
• Hands-free
• Unsupervised
• Predictive
• 0-day capable
• Improves with time (experience)
• Minimal impact on good guys
• Uses wisdom of the crowd
New DDoS Features in TMOS 12.1 - BADOS – Why?
• 3 modes of detection and prevention:
- Conservative: slows down & rate-limits attackers (rate-shapes bad actors)
- Standard: like conservative, but may rate-limit all requests based on the server's health
- Aggressive: like standard, but proactively performs all protection actions (mitigation until health is restored)
New anti-DDoS features 13.0
New DDoS Features in TMOS 13.0
• ASM auto thresholding (for TPS-based detection)
• BADOS improvements
• Proactive Bot Defense reporting
• DoS reporting redesign: Security > Reporting > DoS > Visibility > Dashboard
DDoS and Application Attacks Mitigation – iRules
DDoS and Application Attacks Mitigation - iRules: Slow HEADERS (Slowloris) defense
DDoS and Application Attacks Mitigation - iRules: Slow POST (R.U.D.Y.) defense
[The iRule listings are shown as images on the slides.]
DHD (DDoS Hybrid Defender)
DHD – Configure and play
DHD – Simplified configuration
[Diagram: a Protected Object (1) references a deployment model, VLAN/network info, a protocol profile (network, protocol), a DDoS profile, a log profile and an action (2); the Protected Object is realized as a virtual server (3).]
DHD - Out-of-band TAP
[Diagram: DHD attached to a tap VLAN on the access network, receiving mirrored packet data (Rx/Tx) from the link between the edge router and the access router in front of the apps; attack detection and visibility via AVR.]
• Avoid single-point-of-failure network scenario
• Identify DDoS attacks (L3/4, SIP, DNS) via mirrored packets
• No need to reconfigure the network
• No single point of failure
• Visibility
• RTBH with upstream router
• Signal to Silverline
• Simplified and easy POC
• Visibility via AVR
DHD - Out-of-band Netflow/IPFIX
[Diagram: DDoS platform attached to a tap VLAN on the access network for attack detection and inspection; attack traffic is steered from the edge network to the DDoS platform over a SCRUB VLAN and clean traffic is returned.]
• Avoid single-point-of-failure network scenario
• Doesn't want to inspect/scrub all traffic
• Identify DDoS attacks via Netflow, IPFIX data
• Ease of deployment
• No single point of failure
• Significant cost efficiencies
• Steer traffic to a local scrubber
• Share attacked IP(s) with Silverline
• Simplified and easy POC
• Visibility via AVR
DHD – AFM DoS “Overview” Page: 13.x
• Choose a context: current attacks, device, single profile or VS
• Choose a filter (optional): limit by vector name or P.O. (protected object) name
• View status of current attacks
• View current traffic statistics: total packets, dropped packets
• View current configuration: manual vs. auto-mode, aggregate & source-IP limits
• Modify configuration settings without navigating to a new page; same interface as the profile page
DHD Demo – Slow POST (Application) DDoS Attack mitigated by DHD
• TMOS version 12.1
• DHD operates in transparent mode
• BADOS (Behavioral DoS) protection enabled
• Protected Object:
- Listening on port 443 (HTTPS)
[Topology: attacker (.200) and user (.100) on 10.1.20.0/24; DHD platform in line; server .11:443 (protected) and server .12:443 (unprotected)]
DHD Demo – Slow POST (Application) DDoS Attack mitigated by DHD
• slowhttptest -B -c 3000 -i 20 -r 50 -u https://10.1.20.11/
Slow POST (R.U.D.Y.) - Like Slowloris, it uses a slow, low-bandwidth approach, but instead of sending an HTTP header it begins an HTTP POST and then feeds in the payload of the POST data very, very slowly. Slow POST is an attack that sends the initial POST request and attempts to send each additional piece of POST data in subsequent packets very slowly. Since the POST data is very slow to complete, all the available connections are tied up again.
F5 Silverline DDoS Protection
Silverline
DDoS Attacks Size
[Pie chart: shares of 24%, 38%, 20%, 6% and 12% over the size bands 0.5-1 Gbps, 1-10 Gbps, 10-50 Gbps, over 50 Gbps and unknown]
F5 Silverline - 3 Cloud-based Security Services
F5 Silverline - Global Coverage
Global Coverage: fully redundant and globally distributed data centers worldwide in each geographic region
• San Jose, CA US
• Ashburn, VA US
• Frankfurt, DE
• Singapore, SG
Industry-Leading Bandwidth
• Attack mitigation bandwidth capacity over 2.0 Tbps
• Scrubbing capacity up to 1.0 Tbps (with upstream ACLs)
• Guaranteed bandwidth with Tier 1 carriers
24/7 Support
F5 Security Operations Center (SOC) in Seattle: staffed 24x7x365 with security experts for DDoS Protection and WAF. Warsaw is staffed for WebSafe.
• Seattle, WA US (SOC)
• Warsaw, Poland (SOC)
F5 Silverline - Security Operation Center
Outsourcing DDoS monitoring and mitigation
Security Operations Center (SOC): Tier II DDoS analysts and above, active DDoS threat monitoring, availability & support
• Monitoring and mitigating attacks while reducing false positives requires a 24/7 staff of skilled DDoS analysts
• Full provisioning and configuration
• Proactive alert monitoring
• Identification and inspection of attacks
• Custom and scripted mitigation
• Service level agreements on time to notify, mitigate, escalate
F5 Silverline DDoS Protection - Cloud-based Scrubbing Center
[Reference architecture diagram repeated, with the Cloud tier (cloud scrubbing service) highlighted.]
CLOUD KEY FEATURES
• Real-time volumetric DDoS attack detection and mitigation in the cloud
• Multi-layered L3-L7 DDoS attack protection
• 24x7 expert SOC services
• Transparent attack reporting via the F5 customer portal
F5 Silverline DDoS Protection - Scrubbing Center Architecture
Data plane (diagram): traffic from legitimate users and DDoS attackers enters at the ingress router (routing/ACL), passes through switching, network mitigation and proxy mitigation, and leaves through egress routing (customer VRF) back to the customer over a GRE tunnel, proxy, IP reflection or L2VPN. The inspection plane (inspection toolsets, traffic actioner / route management, flow collection, portal) receives copied traffic for inspection and NetFlow from the switching and routing layers and steers the data plane through BGP signaling (signaling, visibility, management).
• Ingress router applies ACLs and filters traffic
• Switching mirrors traffic to the inspection toolsets and the routing layer
• Inspection tools provide input on attacks for the traffic actioner and the SOC
• Traffic actioner injects routes and steers traffic
• Network mitigation removes advanced L4 attacks
• Proxy mitigation removes L7 application attacks
• Flow collection aggregates attack data from all sources
• Egress routing returns good traffic back to the customer
• Portal provides real-time reporting and configuration
Silverline cloud services (Silverline DDoS, Silverline WAF): volumetric DDoS protection, managed application firewall service, zero-day threat mitigation with iRules.
Anycast (diagram): cloud network scrubbing sites in US West, US East, Europe and Asia share an anycast address, so DDoS attack and legitimate traffic from the Internet enters the nearest site; clean traffic is carried to the customer data center and application over GRE tunnels, and response traffic returns to the Internet directly.
F5 Silverline DDoS Protection - Service Options
Always On: primary protection as the first line of defense. The Always On subscription stops bad traffic from ever reaching your network by continuously processing all traffic through the cloud-scrubbing service and returning only legitimate traffic to your network.
Always Available: primary protection available on demand. The Always Available subscription runs on standby and is initiated when you are under attack; monitoring of the client's routers is optional.
Proactive Hybrid: Silverline is always on and is the first point of detection and mitigation for volumetric attacks before traffic is passed to the datacenter.
Reactive Hybrid: AFM alerts Silverline and traffic is diverted for cloud-based mitigation when the datacenter is under volumetric attack.
F5 Silverline DDoS Protection - Traffic Steering to Silverline: Capabilities
Routed mode (BGP, Border Gateway Protocol):
• Asymmetric L3/L4 mitigation
• Clean traffic tunneled back to the customer
• Protects an entire netblock (/24)
Proxy mode (DNS):
• Full proxy (symmetric)
• L7 mitigation
• SSL termination
• WAF
• Protects a single application (IP)
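The reactive hybrid option and routed-mode steering together describe a decision loop over flow data: flows are collected, a volumetric threshold is crossed, the affected /24 is diverted to the scrubbing center by BGP, clean traffic comes back over the tunnel, and the diversion is withdrawn once the attack subsides. The block below is an added example written for this page, not F5 code and not the Hybrid DDoS Signaling iApp; it aggregates constructed NetFlow-style records per steerable /24, announces a prefix above an absolute bit-rate threshold, withdraws it only after a hold-down so a bursty attack cannot flap the route, and checks two routed-mode prerequisites: protected blocks must be /24 or shorter, and the customer-side GRE endpoint must sit outside every diverted prefix. The threshold, hold-down, prefixes and addresses are illustrative assumptions.

```python
"""Reactive hybrid steering decision from flow records.

Added example, not F5 code. Models flow collection -> threshold -> BGP
diversion of a /24 -> withdrawal after a hold-down, plus two routed-mode
prerequisite checks. Prefixes, addresses, threshold and timers are
constructed assumptions; nothing here talks to a router or to Silverline.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field


def steerable(block) -> bool:
    """Routed mode diverts whole /24s; BGP peers do not accept longer prefixes."""
    return ipaddress.ip_network(block).prefixlen <= 24


def validate_protected(blocks):
    nets = [ipaddress.ip_network(b) for b in blocks]
    for n in nets:
        if not steerable(n):
            raise ValueError(f"{n} is longer than /24 and cannot be steered")
    return nets


def covering_slash24(ip, protected):
    """The /24 that would be announced for an attacked host, or None if the
    host lies outside every protected block."""
    addr = ipaddress.ip_address(ip)
    for block in protected:
        if addr in block:
            return ipaddress.ip_network(f"{addr}/24", strict=False)
    return None


def tunnel_endpoint_ok(endpoint, protected) -> bool:
    """The customer-side GRE endpoint must lie outside every diverted prefix:
    inside it, the scrubbing center's tunnel packets towards the endpoint
    would follow the very announcement the scrubbing center originates."""
    return covering_slash24(endpoint, protected) is None


def rates_per_prefix(flows, protected, window_s):
    """Aggregate (timestamp, dst, bytes) flow records into bits/s per /24."""
    totals = defaultdict(int)
    for _ts, dst, nbytes in flows:
        prefix = covering_slash24(dst, protected)
        if prefix is not None:
            totals[prefix] += nbytes
    return {p: b * 8 / window_s for p, b in totals.items()}


@dataclass
class Signaler:
    """Decides when to ask the scrubbing center to announce or withdraw a /24.
    The hold-down keeps a bursty attack from flapping the route."""
    threshold_bps: float
    hold_down_s: float
    clear_ratio: float = 0.5                      # withdraw below this share
    diverted: dict = field(default_factory=dict)  # prefix -> time announced
    events: list = field(default_factory=list)    # (time, action, prefix)

    def evaluate(self, now, rates):
        for prefix, bps in rates.items():
            if bps >= self.threshold_bps and prefix not in self.diverted:
                self.diverted[prefix] = now
                self.events.append((now, "announce", prefix))
        for prefix, since in list(self.diverted.items()):
            quiet = rates.get(prefix, 0.0) < self.threshold_bps * self.clear_ratio
            if quiet and now - since >= self.hold_down_s:
                del self.diverted[prefix]
                self.events.append((now, "withdraw", prefix))
        return self.events


PROTECTED = validate_protected(["203.0.113.0/24", "198.51.100.0/23"])
WINDOW_S = 10

# Constructed flow records in 10 s windows: background traffic, then a
# 1.6-2 Gbps flood on 203.0.113.10 that stops at t=30.
SAMPLE_WINDOWS = {
    0:  [(0, "203.0.113.10", 50_000_000), (0, "198.51.100.7", 40_000_000)],
    10: [(10, "203.0.113.10", 2_000_000_000)],
    20: [(20, "203.0.113.10", 2_500_000_000)],
    30: [(30, "203.0.113.10", 60_000_000)],
    40: [(40, "203.0.113.10", 60_000_000)],
}


def simulate(windows=SAMPLE_WINDOWS, protected=PROTECTED):
    """Evaluate each window at its end; returns the announce/withdraw log."""
    sig = Signaler(threshold_bps=1e9, hold_down_s=30)
    for start in sorted(windows):
        rates = rates_per_prefix(windows[start], protected, WINDOW_S)
        sig.evaluate(start + WINDOW_S, rates)
    return sig.events


if __name__ == "__main__":
    print("tunnel endpoint 192.0.2.1 ok:", tunnel_endpoint_ok("192.0.2.1", PROTECTED))
    for t, action, prefix in simulate():
        print(f"t={t:>3}s {action:<8} {prefix}")
```

With these constructed windows the /24 is announced at t=20 s and, although the flood has stopped by t=40 s, only withdrawn at t=50 s when the hold-down has elapsed. Proxy mode carries the mirror-image caveat: once DNS points at the scrubbing proxy, the origin must accept traffic only from the scrubbing center's source ranges, otherwise an attacker who learns the origin IP bypasses the proxy entirely.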
F5 Silverline Portal
F5 Silverline Portal (https://portal.f5silverline.com)
• Stats, visibility, reporting and intelligence
• Real-time attack view
• Real-time mitigation view
• Real-time scrubbing and clean-traffic view
• Non-attack (regular) traffic reporting
• Instant, downloadable PDF reports
• Secure setup and management of SOC services
• Knowledge base and how-tos
F5 Silverline Portal - Stats, Visibility, Reporting & Intelligence (F5 Customer Portal: visibility & compliance, attack reports)
• Securely communicate with Silverline SOC experts
• View centralized attack and threat monitoring reports with details including: source geo-IP mapping; blocked vs. alerted attacks; blocked traffic and attack types; alerted attack types; threats*; bandwidth used; hits/sec*; type of traffic and visits (bots vs. humans)*
F5 Silverline Portal - Stats: Traffic (Post- and Pre-Scrubbing)
• Dashboard > Netflow: Traffic, Application, Zones
F5 Silverline Portal - Stats: Attack Reporting
• Downloadable PDFs for internal reporting
F5 Silverline Portal - Configuration and Provisioning
Directly manage configuration via the customer portal:
• Configure proxy and routing attributes
• Manage SSL certificates
• Update white and black list information
• Check health status of GRE tunnels
• Administer users and roles
• Download reports and view audit history
F5 Silverline Portal - Configuration: Routed mode (screenshot)
F5 Silverline Portal - Configuration: Proxy mode (screenshots)
F5 Hybrid Signaling: BIG-IP / DHD and Silverline
F5 Networks Hybrid DDoS Protection - Silverline Signaling
• A new Hybrid DDoS Signaling iApp is available for BIG-IP
• DHD (DDoS Hybrid Defender) can signal to Silverline natively
https://support.f5silverline.com/hc/en-us/sections/205571867-Hybrid-Signaling
F5 Networks Hybrid DDoS Protection - Silverline Signaling for DHD
• Configure the connection to Silverline (screenshot)
Conclusion
Conclusion: F5 Hybrid Security
• BIG-IP platform on-premises: Virtual Edition, appliance, chassis
• F5 Silverline cloud security: Anti-DDoS managed service, Web Application Firewall managed service
High performance security, simplified security, scalable security.
Conclusion: Rethink…Multi-Layer Security with F5
BIG-IP platform (Virtual Edition, appliance, chassis) on TMOS, a full proxy, providing: DDoS protection, app protection, network protection, web fraud protection, SSL visibility & protection, DNS protection and app access.
Conclusion: Key DDoS Mitigation Values
• Performance: minimize business impact from volumetric attacks. Up to 640 Gbps, 7.5M CPS (connections per second) and 576M CC (concurrent connections) in the datacenter, and over 1 Tbps in the cloud.
• Extensibility: take immediate action on new DDoS threats. Thousands of iRules have been written to mitigate traffic based on any type of content data.
• Protection: protect against the full spectrum of modern cyber threats and attacks. 100+ DDoS vectors; most advanced app security; 98% of the Fortune 1000 trust their traffic to F5.
• Expertise: augment resources with F5 security experts. 24x7x365 DDoS support from Security Operations Centers in the US, APAC and EMEA.
Q & A

Contenu connexe

Tendances

Presentation fortinet securing the cloud
Presentation   fortinet securing the cloudPresentation   fortinet securing the cloud
Presentation fortinet securing the cloud
xKinAnx
 
Web Application Firewall intro
Web Application Firewall introWeb Application Firewall intro
Web Application Firewall intro
Rich Helton
 
Splunk Overview
Splunk OverviewSplunk Overview
Splunk Overview
Splunk
 

Tendances (20)

SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
 
Tools kali
Tools kaliTools kali
Tools kali
 
Presentation fortinet securing the cloud
Presentation   fortinet securing the cloudPresentation   fortinet securing the cloud
Presentation fortinet securing the cloud
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management Introduction
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access management
 
DDoS Protection
DDoS ProtectionDDoS Protection
DDoS Protection
 
Cisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Web and Email Security Overview
Cisco Web and Email Security Overview
 
Understanding Zero Trust Security for IBM i
Understanding Zero Trust Security for IBM iUnderstanding Zero Trust Security for IBM i
Understanding Zero Trust Security for IBM i
 
Web Application Firewall
Web Application FirewallWeb Application Firewall
Web Application Firewall
 
Putting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation FirewallPutting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation Firewall
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 example
 
AWS WAF
AWS WAFAWS WAF
AWS WAF
 
Web Application Firewall intro
Web Application Firewall introWeb Application Firewall intro
Web Application Firewall intro
 
Splunk Overview
Splunk OverviewSplunk Overview
Splunk Overview
 
Security Best Practices on AWS
Security Best Practices on AWSSecurity Best Practices on AWS
Security Best Practices on AWS
 
F5 Solutions for Service Providers
F5 Solutions for Service ProvidersF5 Solutions for Service Providers
F5 Solutions for Service Providers
 
Identity and Access Management (IAM)
Identity and Access Management (IAM)Identity and Access Management (IAM)
Identity and Access Management (IAM)
 
AWS KMS 에서 제공하는 봉투암호화 방식의 암호화 및 사이닝 기능에 대한 소개와 실습 - 신은수, AWS 솔루션즈 아키텍트 :: AWS...
AWS KMS 에서 제공하는 봉투암호화 방식의 암호화 및 사이닝 기능에 대한 소개와 실습 - 신은수, AWS 솔루션즈 아키텍트 :: AWS...AWS KMS 에서 제공하는 봉투암호화 방식의 암호화 및 사이닝 기능에 대한 소개와 실습 - 신은수, AWS 솔루션즈 아키텍트 :: AWS...
AWS KMS 에서 제공하는 봉투암호화 방식의 암호화 및 사이닝 기능에 대한 소개와 실습 - 신은수, AWS 솔루션즈 아키텍트 :: AWS...
 
Plan Advanced AWS Networking Architectures - SRV323 - Chicago AWS Summit
Plan Advanced AWS Networking Architectures - SRV323 - Chicago AWS SummitPlan Advanced AWS Networking Architectures - SRV323 - Chicago AWS Summit
Plan Advanced AWS Networking Architectures - SRV323 - Chicago AWS Summit
 
WAF deployment
WAF deploymentWAF deployment
WAF deployment
 

Similaire à F5 DDoS Protection

F5 GOV Round Table - Application Centeric Security
F5 GOV Round Table - Application Centeric SecurityF5 GOV Round Table - Application Centeric Security
F5 GOV Round Table - Application Centeric Security
Tzoori Tamam
 
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS Protection
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS ProtectionPLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS Protection
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS Protection
PROIDEA
 
Spider & F5 Round Table - Application Centric Security
Spider & F5 Round Table - Application Centric SecuritySpider & F5 Round Table - Application Centric Security
Spider & F5 Round Table - Application Centric Security
Tzoori Tamam
 
An approach to mitigate DDoS attacks on SIP.pptx
An approach to mitigate DDoS attacks on SIP.pptxAn approach to mitigate DDoS attacks on SIP.pptx
An approach to mitigate DDoS attacks on SIP.pptx
amalouwarda1
 

Similaire à F5 DDoS Protection (20)

Stopping DDoS Attacks In South Africa
Stopping DDoS Attacks In South AfricaStopping DDoS Attacks In South Africa
Stopping DDoS Attacks In South Africa
 
The F5 DDoS Protection Reference Architecture (Technical White Paper)
The F5 DDoS Protection Reference Architecture (Technical White Paper)The F5 DDoS Protection Reference Architecture (Technical White Paper)
The F5 DDoS Protection Reference Architecture (Technical White Paper)
 
F5 Networks: The Right Way to Protect Against DDoS Attacks (Business White Pa...
F5 Networks: The Right Way to Protect Against DDoS Attacks (Business White Pa...F5 Networks: The Right Way to Protect Against DDoS Attacks (Business White Pa...
F5 Networks: The Right Way to Protect Against DDoS Attacks (Business White Pa...
 
DDoS Report.docx
DDoS Report.docxDDoS Report.docx
DDoS Report.docx
 
F5 GOV Round Table - Application Centeric Security
F5 GOV Round Table - Application Centeric SecurityF5 GOV Round Table - Application Centeric Security
F5 GOV Round Table - Application Centeric Security
 
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS Protection
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS ProtectionPLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS Protection
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS Protection
 
HaltDos DDoS Protection Solution
HaltDos DDoS Protection SolutionHaltDos DDoS Protection Solution
HaltDos DDoS Protection Solution
 
Spider & F5 Round Table - Application Centric Security
Spider & F5 Round Table - Application Centric SecuritySpider & F5 Round Table - Application Centric Security
Spider & F5 Round Table - Application Centric Security
 
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr WojciechowskiPLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
 
Atelier Technique ARBOR NETWORKS ACSS 2018
Atelier Technique ARBOR NETWORKS ACSS 2018Atelier Technique ARBOR NETWORKS ACSS 2018
Atelier Technique ARBOR NETWORKS ACSS 2018
 
Denial of Service - Service Provider Overview
Denial of Service - Service Provider OverviewDenial of Service - Service Provider Overview
Denial of Service - Service Provider Overview
 
DDOS (1).ppt
DDOS (1).pptDDOS (1).ppt
DDOS (1).ppt
 
An approach to mitigate DDoS attacks on SIP.pptx
An approach to mitigate DDoS attacks on SIP.pptxAn approach to mitigate DDoS attacks on SIP.pptx
An approach to mitigate DDoS attacks on SIP.pptx
 
DSS ITSEC 2013 Conference 07.11.2013 - Radware - Cyber Attacks Survival Guide
DSS ITSEC 2013 Conference 07.11.2013 - Radware - Cyber Attacks Survival GuideDSS ITSEC 2013 Conference 07.11.2013 - Radware - Cyber Attacks Survival Guide
DSS ITSEC 2013 Conference 07.11.2013 - Radware - Cyber Attacks Survival Guide
 
DDoS Falcon_Tech_Specs-Haltdos
DDoS Falcon_Tech_Specs-HaltdosDDoS Falcon_Tech_Specs-Haltdos
DDoS Falcon_Tech_Specs-Haltdos
 
Gestiona el riesgo de las grandes amenazas
Gestiona el riesgo de las grandes amenazasGestiona el riesgo de las grandes amenazas
Gestiona el riesgo de las grandes amenazas
 
Checkpoint Portfolio.pptx
Checkpoint Portfolio.pptxCheckpoint Portfolio.pptx
Checkpoint Portfolio.pptx
 
F-Secure E-mail and Server Security
F-Secure E-mail and Server SecurityF-Secure E-mail and Server Security
F-Secure E-mail and Server Security
 
Thinking about SDN and whether it is the right approach for your organization?
Thinking about SDN and whether it is the right approach for your organization?Thinking about SDN and whether it is the right approach for your organization?
Thinking about SDN and whether it is the right approach for your organization?
 
Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM
Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAMCómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM
Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM
 

Plus de MarketingArrowECS_CZ

Plus de MarketingArrowECS_CZ (20)

INFINIDAT InfiniGuard - 20220330.pdf
INFINIDAT InfiniGuard - 20220330.pdfINFINIDAT InfiniGuard - 20220330.pdf
INFINIDAT InfiniGuard - 20220330.pdf
 
Využijte svou Oracle databázi na maximum!
Využijte svou Oracle databázi na maximum!Využijte svou Oracle databázi na maximum!
Využijte svou Oracle databázi na maximum!
 
Jak konsolidovat Vaše databáze s využitím Cloud služeb?
Jak konsolidovat Vaše databáze s využitím Cloud služeb?Jak konsolidovat Vaše databáze s využitím Cloud služeb?
Jak konsolidovat Vaše databáze s využitím Cloud služeb?
 
Chráníte správně svoje data?
Chráníte správně svoje data?Chráníte správně svoje data?
Chráníte správně svoje data?
 
Oracle databáze – Konsolidovaná Data Management Platforma
Oracle databáze – Konsolidovaná Data Management PlatformaOracle databáze – Konsolidovaná Data Management Platforma
Oracle databáze – Konsolidovaná Data Management Platforma
 
Nové vlastnosti Oracle Database Appliance
Nové vlastnosti Oracle Database ApplianceNové vlastnosti Oracle Database Appliance
Nové vlastnosti Oracle Database Appliance
 
Infinidat InfiniGuard
Infinidat InfiniGuardInfinidat InfiniGuard
Infinidat InfiniGuard
 
Infinidat InfiniBox
Infinidat InfiniBoxInfinidat InfiniBox
Infinidat InfiniBox
 
Novinky ve světě Oracle DB a koncept konvergované databáze
Novinky ve světě Oracle DB a koncept konvergované databázeNovinky ve světě Oracle DB a koncept konvergované databáze
Novinky ve světě Oracle DB a koncept konvergované databáze
 
Základy licencování Oracle software
Základy licencování Oracle softwareZáklady licencování Oracle software
Základy licencování Oracle software
 
Garance 100% dostupnosti dat! Kdo z vás to má?
Garance 100% dostupnosti dat! Kdo z vás to má?Garance 100% dostupnosti dat! Kdo z vás to má?
Garance 100% dostupnosti dat! Kdo z vás to má?
 
Využijte svou Oracle databázi naplno
Využijte svou Oracle databázi naplnoVyužijte svou Oracle databázi naplno
Využijte svou Oracle databázi naplno
 
Oracle Data Protection - 2. část
Oracle Data Protection - 2. částOracle Data Protection - 2. část
Oracle Data Protection - 2. část
 
Oracle Data Protection - 1. část
Oracle Data Protection - 1. částOracle Data Protection - 1. část
Oracle Data Protection - 1. část
 
Benefity Oracle Cloudu (4/4): Storage
Benefity Oracle Cloudu (4/4): StorageBenefity Oracle Cloudu (4/4): Storage
Benefity Oracle Cloudu (4/4): Storage
 
Benefity Oracle Cloudu (3/4): Compute
Benefity Oracle Cloudu (3/4): ComputeBenefity Oracle Cloudu (3/4): Compute
Benefity Oracle Cloudu (3/4): Compute
 
InfiniBox z pohledu zákazníka
InfiniBox z pohledu zákazníkaInfiniBox z pohledu zákazníka
InfiniBox z pohledu zákazníka
 
Exadata z pohledu zákazníka a novinky generace X8M - 2. část
Exadata z pohledu zákazníka a novinky generace X8M - 2. částExadata z pohledu zákazníka a novinky generace X8M - 2. část
Exadata z pohledu zákazníka a novinky generace X8M - 2. část
 
Exadata z pohledu zákazníka a novinky generace X8M - 1. část
Exadata z pohledu zákazníka a novinky generace X8M - 1. částExadata z pohledu zákazníka a novinky generace X8M - 1. část
Exadata z pohledu zákazníka a novinky generace X8M - 1. část
 
Úvod do Oracle Cloud infrastruktury
Úvod do Oracle Cloud infrastrukturyÚvod do Oracle Cloud infrastruktury
Úvod do Oracle Cloud infrastruktury
 

Dernier

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 

Dernier (20)

CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 

F5 DDoS Protection

  • 1. F5 DDoS protection Mariusz Sawczuk – Specialist Systems Engineer North & East EMEA [2017-03-08]
  • 2. © F5 Networks, Inc 2 DDoS (Distributed Denial of Service) Attackers AttackersAttackers AttackersAttackers AttackersAttackers Attackers Attackers AttackersAttackers AttackersAttackers AttackersAttackers Attackers Internet Web Clients Partners WebsitesRemote users Attackers Switch Switch Switch DMZ FW VPN FW VPN act/stby AntyMalware Proxy DLP Users Applications Data BaseDNS Data Center EmailUser User NextGen Firewall NextGen Firewall Router Router act/stby Multi-Layer Switch act/stby Multi-Layer Switch act/stby Application DoS Session DoS Network DoS Volumetric DoS
  • 3. © F5 Networks, Inc 3 Growing Anyone Global Fun Agenda War tactics Diverse Business DDoS World is Complex
  • 4. © F5 Networks, Inc 4 DDoS attacks hide the Real Threat
  • 5. © F5 Networks, Inc 5 Layer 2 NetworkLayer 3 Layer 4 Layer 5 Layer 6 Layer 7 Application OWASP Top 10 (e.g. XSS), Slowloris, Slow Post/Read, HTTP GET/POST floods,… Session SSL DNS, NTP DNS UDP floods, DNS query floods, DNS NXDOMAIN floods SSL floods, SSL renegotiation, … SYN/UDP/Conn. floods, PUSH and ACK floods, ICMP/Ping floods, Teardrop, Smurf Attacks, … Types of DDoS attacks
  • 6. © F5 Networks, Inc 6 Layer 2 NetworkLayer 3 Layer 4 Layer 5 Layer 6 Layer 7 Application OWASP Top 10 (e.g. XSS), Slowloris, Slow Post/Read, HTTP GET/POST floods,… Session SSL DNS, NTP DNS UDP floods, DNS query floods, DNS NXDOMAIN floods SSL floods, SSL renegotiation, … SYN/UDP/Conn. floods, PUSH and ACK floods, ICMP/Ping floods, Teardrop, Smurf Attacks, … Blended Volumetric Types of DDoS attacks
  • 7. © F5 Networks, Inc 7 DDoS attacks are easy to launch Press button and forget hping3 nmap Low Orbit ION High Orbit IONkillapache.pl slowloris metasploitslowhttptest RussKill Pandora Dirt Jumper PhantomJS …, Jmeter, Scapy, Httpflooder, PhantomJS, SSLyze, THC-SSL-DOS, and many, many more…
  • 8. Evasion Techniques Differentiation • Several User-Agents & Referrers • Random URL/UA/Content-Length DDoS attacks are easy to launch Press button and forget - 2016 Tools Bundle © 2016 F5 Networks 8
  • 9. © 2016 F5 Networks 9 DDoS attacks are easy to launch DDoS Coin – crowd funding DDoS
  • 10. © F5 Networks, Inc 10 DDoS IoT (Internet of Things) – Mirai botnet Mirai from Japaneess means Future https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/
  • 11. © F5 Networks, Inc 11 0,54 Tbps 0,62 Tbps 1,0 Tbps 1,2 Tbps DDoS IoT – Mirai botnet Known targets of DDoS attacks
  • 12. © F5 Networks, Inc 12 STOMP Attack Non standard attacks Known “VSE” attack offered by online Booters (DDoS as a Service) Exploiting online gaming servers for amplification Never implemented attack A hidden “CFNull” Layer 7 attack: DDoS IoT – Mirai botnet DDoS Attacks
  • 13. © F5 Networks, Inc 13 DDoS IoT – Mirai botnet DDoS Attacks – HTTP Attacks
  • 14. © F5 Networks, Inc 14 DDoS IoT – Mirai botnet Coming Through the Front Door
  • 15. © F5 Networks, Inc 15 DDoS IoT – Mirai botnet Change of tactics
  • 16. © F5 Networks, Inc 16 Mirai LuaBot qBot (GayFgt/Torlus/Bashlite) Darlloz IRCTelnet (Aidra2) Hajime DDoS IoT – Other botnets IoT Malware Families
  • 17. F5 Networks DDoS Protection
  • 18. © F5 Networks, Inc 18 Protect Your Business and Stay Online During a DDoS Attack • Mitigate mid-volume, SSL, or application targeted attacks on-premises • Complete infrastructure control • Advanced L7 attack protections • Turn on cloud-based service to stop volumetric attacks from ever reaching your network • Multi-layered L3-L7 DDoS attack protection against all attack vectors • 24/7 attack support from security experts F5 SILVERLINE DDOS PROTECTION When under attack F5 ON-PREMISES DDOS PROTECTION F5 Networks DDoS Protection On-premises and cloud-based services for comprehensive DDoS Protection
  • 19. © F5 Networks, Inc 19 Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Threat Intelligence Feed Cloud Network Application Legitimate Users DDoS Attackers Cloud Scrubbing Service Volumetric attacks and floods, operations center experts, L3-7 known signature attacks ISPa/b Multiple ISP strategy Network attacks: ICMP flood, UDP flood, SYN flood DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning IPS Network and DNS Application HTTP attacks: Slowloris, slow POST, recursive POST/GET Next-Generation Firewall Corporate Users SSL attacks: SSL renegotiation, SSL flood Financial Services E-Commerce Subscriber Strategic Point of Control F5 Networks DDoS Protection - Reference Architecture
  • 20. © F5 Networks, Inc 20 • Only single vendor with native, seamlessly integrated on-premise and cloud-based scrubbing services • Leverages industry leading application protections to defend against L7 DDoS and vulnerability threats • Most comprehensive HW-based DDoS protection coverage • Unsurpassed SSL performance with SSL termination and outbound SSL interception protection • Ensures app availability and performance while under attack with leading datacenter scalability and up to 2Tbps of cloud-based scrubbing capacity • Gartner on DDoS – Go Hybrid! • “Cloud + On-Premise” Makes the most sense F5 Networks DDoS Protection - Why F5 Hybrid is better
  • 21. F5 On Premisses DDoS Protection BIG-IP
  • 22. © F5 Networks, Inc 22 iRule iRule iRule TCP SSL HTTP TCP SSL HTTP iRule iRule iRule ICMP flood SYN flood SSL renegotiation Data leakageSlowloris attackXSS Network Firewall WAF WAF F5 On-premises DDoS protection - Full proxy security
• 23. F5 On-premises protection - Comprehensive application security
  Diagram of the on-premises protection stack: Application Access, Network Access, Network Firewall, Network DDoS Protection, SSL DDoS Protection, DNS DDoS Protection, Application DDoS Protection, Web Application Firewall, Fraud Protection, Virtual Patching
• 24. F5 On-premises protection - Comprehensive DDoS protection (more than only DDoS protection)
  Diagram of the BIG-IP modules involved: ASM (DoS + IPI: L7 DoS profiles, heavy URLs); AFM (DoS + IPI: device DoS, protocol DoS, IP Intelligence, black/white lists); DNS (DNS DoS, DNSSEC); LTM (profiles: HTTP/HTTPS, SSL, SIP, SMTP); BIG-IP system (reaper at 75%-90%); iRules
• 25. F5 On-premises DDoS protection - Performance
  Up to 640 Gbps, 7.5M CPS, 576M CCS in the datacenter and over 1 Tbps in the cloud
  Chart of platforms by DDoS throughput: 2000 series / 4000 series, 5000 Series, 7000 Series, 10000 Series, 11000 Series, VIPRION 2200 (New), VIPRION 2400 (New), VIPRION 4480, VIPRION 4800; axis ticks 25M, 200M, 1 Gbps, 3 Gbps, 5 Gbps, 10 Gbps
• 26. F5 On-premises DDoS protection – DDoS vectors hardware accelerated
  110+ L3/4 DDoS vectors, the majority of them mitigated in hardware.
• 27. F5 On-premises DDoS protection - Recommended by NSS Labs
• 29. Network DDoS Mitigation
  Reference-architecture diagram: DDoS attackers (scanner, anonymous proxies, anonymous requests, botnet attackers) and legitimate users reach the application through a cloud scrubbing service (volumetric attacks and floods, operations center experts, L3-7 known signature attacks), multiple ISPs (ISPa/b, multiple ISP strategy), the Network and DNS tier (IPS, next-generation firewall, threat intelligence feed) and the Application tier (financial services, e-commerce and subscriber applications, corporate users).
  Attack classes by tier:
  - Network attacks: ICMP flood, UDP flood, SYN flood
  - DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning
  - HTTP attacks: Slowloris, slow POST, recursive POST/GET
  - SSL attacks: SSL renegotiation, SSL flood
  NETWORK KEY FEATURES (strategic point of control)
  • The network tier at the perimeter is layer 3 and 4 network firewall services
  • Simple load balancing to a second tier
  • IP reputation database
  • Mitigates transient and low-volume attacks
• 30. Demo TCP SYN Flood - SYN Cookies
  Diagram: the original SYN is transformed into a cookie and sent back to the client in the SYN-ACK; the flow-table entry is created and inserted only on receipt of the client's ACK packet, at which point the connection is established.
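  The following is an added illustration of the SYN-cookie mechanism on this slide; it is not F5 code and says nothing about how TMOS encodes its cookies. The server's initial sequence number in the SYN-ACK carries a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed hash over the 4-tuple (a layout chosen here for illustration), so no half-open state is kept; the flow table gains an entry only when an ACK arrives whose acknowledgement number validates. The secret, the MSS table and the addresses are constructed for the example.

```python
import hashlib
import hmac

# Constructed secret for this example; a real implementation keeps a per-device
# secret and rotates it.
SECRET = b"example-syn-cookie-secret"

# MSS values the server is willing to remember, encoded in 3 bits of the ISN.
MSS_TABLE = (536, 1220, 1440, 1460)

COUNTER_PERIOD = 64.0   # seconds per tick of the 5-bit time counter
MAX_COOKIE_AGE = 1      # accept cookies from the current and the previous tick


def _mac(src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time tick."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, mss, now):
    """Server ISN for the SYN-ACK. Layout: 5-bit counter | 3-bit MSS index | 24-bit MAC."""
    counter = int(now // COUNTER_PERIOD) & 0x1F
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):      # largest table value not above the client's MSS
        if m <= mss:
            mss_idx = i
    mac = _mac(src_ip, src_port, dst_ip, dst_port, counter)
    return (counter << 27) | (mss_idx << 24) | mac


def validate_cookie(src_ip, src_port, dst_ip, dst_port, ack_number, now):
    """Return the encoded MSS if the ACK carries a valid, unexpired cookie, else None."""
    cookie = (ack_number - 1) & 0xFFFFFFFF   # client acknowledges ISN + 1
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    current = int(now // COUNTER_PERIOD) & 0x1F
    if ((current - counter) & 0x1F) > MAX_COOKIE_AGE:
        return None                            # too old: the SYN-ACK was not answered in time
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac(src_ip, src_port, dst_ip, dst_port, counter)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                            # forged or replayed from another 4-tuple
    return MSS_TABLE[mss_idx]


class SynCookieListener:
    """Listening socket that allocates no state for half-open connections."""

    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.flow_table = {}   # (src_ip, src_port) -> MSS, established flows only

    def on_syn(self, src_ip, src_port, mss, now):
        # Reply with a SYN-ACK whose ISN is the cookie; nothing is stored.
        return make_cookie(src_ip, src_port, self.ip, self.port, mss, now)

    def on_ack(self, src_ip, src_port, ack_number, now):
        mss = validate_cookie(src_ip, src_port, self.ip, self.port, ack_number, now)
        if mss is None:
            return False                       # spoofed SYN never completes: still no state
        self.flow_table[(src_ip, src_port)] = mss   # flow-table entry created only now
        return True
```

  A flood of spoofed SYNs therefore costs the listener one hash per SYN-ACK and no memory, while a real client that completes the handshake within two counter ticks is admitted with the MSS it advertised.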
• 31. Demo TCP SYN Flood - Topology and initial configuration
  • TMOS version 12.1
  • Virtual Server info:
    - Listening on port 80
    - Type: Performance L4 (to start with)
    - No HTTP profile (to start with)
    - Pool members: 3 x Apache servers listening on port 80
  Topology diagram: attacker (.200) and user (.100) on 10.1.10.0/24 reach the virtual server (.80:80) on the BIG-IP platform; the application servers (.11, .12, .13) sit on 10.1.20.0/24
• 32. Demo TCP SYN Flood - Start the attack
• 33. Demo TCP SYN Flood - Attack Mitigated
• 34. Demo TCP SYN Flood - AFM signatures mitigation
• 35. Network DDoS Mitigation - AFM (Advanced Firewall Manager)
  Diagram: Network DDoS, Data Center Firewall, DNS Security, Access Security and Application Security between the user and the app servers (classic server)
  • Built on the market-leading Application Delivery Controller (ADC)
  • Consolidates multiple appliances to reduce TCO
  • Protects against L2-L4 attacks with the most advanced full-proxy architecture
  • Delivers over 110 vectors and more hardware-based DoS vectors than any other vendor
  • Ensures performance while under attack - scales to 7.5M CPS, 576M CC, 640 Gbps
  • Offers a foundation for an integrated L2-L7 application delivery firewall platform
• 36. Network DDoS Mitigation - AFM: Stateless DDoS Mitigation (L2-L4 stateless DoS vectors)
  Screenshot of the DoS vector table (DoS categories and DoS vectors) with three thresholds per vector:
  - Detection threshold, absolute number in PPS: when to report an attack
  - Detection threshold, relative percent increase in PPS: when to report an attack
  - Mitigation threshold, absolute number in PPS: when to mitigate an attack
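  The three thresholds on this slide can be modelled as a small per-vector monitor. The following is an added example written for this page, not AFM's implementation: each one-second sample of a vector's packet rate is compared against an absolute detection threshold, a relative increase over a learned baseline, and an absolute mitigation threshold above which the excess is rate-limited. It also singles out sources above a per-source limit, the "bad actors" column mentioned later in the deck. The threshold values, the EWMA baseline and the addresses are constructed for the example; the learned baseline is only a stand-in for what automatic thresholds do on the product.

```python
from dataclasses import dataclass


@dataclass
class VectorThresholds:
    """Per-vector thresholds as on the AFM DoS vector table (values constructed here)."""
    detect_abs_pps: int        # report when the rate reaches this absolute PPS
    detect_pct_increase: int   # report when the rate exceeds the baseline by this percent
    mitigate_abs_pps: int      # rate-limit everything above this PPS
    src_limit_pps: int         # per-source limit used to single out bad actors


@dataclass
class Decision:
    vector: str
    pps: int
    baseline: float
    reported: bool      # an attack is reported when any detection threshold is crossed
    reasons: list       # which detection thresholds fired ("absolute", "relative")
    dropped_pps: int    # packets per second dropped by the mitigation rate limit
    bad_actors: list    # sources exceeding the per-source limit


class VectorMonitor:
    """Tracks one L2-L4 vector (e.g. a SYN flood vector) and applies the thresholds per sample."""

    def __init__(self, vector, thresholds, alpha=0.2):
        self.vector = vector
        self.t = thresholds
        self.alpha = alpha        # EWMA weight for the learned baseline
        self.baseline = None

    def observe(self, pps, per_source=None):
        per_source = per_source or {}
        baseline = pps if self.baseline is None else self.baseline
        reasons = []
        if pps >= self.t.detect_abs_pps:
            reasons.append("absolute")
        if baseline > 0 and (pps - baseline) * 100.0 / baseline >= self.t.detect_pct_increase:
            reasons.append("relative")
        dropped = max(0, pps - self.t.mitigate_abs_pps)
        bad = sorted(ip for ip, rate in per_source.items() if rate > self.t.src_limit_pps)
        # Only non-attack samples train the baseline, so a sustained flood cannot
        # drag the baseline up until the attack rate looks normal.
        if not reasons:
            self.baseline = pps if self.baseline is None else (1 - self.alpha) * self.baseline + self.alpha * pps
        return Decision(self.vector, pps, baseline, bool(reasons), reasons, dropped, bad)
```

  Reporting and mitigating are deliberately separate decisions: a spike can be reported for investigation while staying below the mitigation threshold, so that legitimate bursts are logged but not rate-limited.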
• 37. Demo Different Network DDoS Attacks - Topology and initial configuration
  • TMOS version 12.1
  • Virtual Server info:
    - Listening on all ports
    - Type: Standard
    - TCP profile: tcp-lan-optimized on the outside interface
    - Pool members: 1 x server listening on different ports
  Topology diagram: attacker (.200) and user (.100) on 10.1.10.0/24 reach the virtual server (.80, all ports) on the BIG-IP platform; the server (.11) sits on 10.1.20.0/24
• 38. Demo Different Network DDoS Attacks - Start the attack
• 39. Demo Different Network DDoS Attacks - Attacks mitigated
• 40. Network DDoS Mitigation - Dynamic Endpoint Visibility & Enforcement (IP Intelligence service)
  F5 IP Intelligence Service
  • Dynamic feed updated every 5 minutes
  • Applied at virtual-server level
  Screenshot: 9 pre-defined categories of malicious IPs/subnets; customizable per-category actions (Accept, Warn, Reject); policy name (attachable to a virtual server)
• 41. Network DDoS Mitigation - AFM: Dynamically update security logic
  Maintain a current IP reputation database that allows you to automatically mitigate traffic from known bad or questionable IP addresses.
  F5 IP INTELLIGENCE SERVICES
  • Dynamic service feeds updated frequently
  • Policy attached to global, route-domain or VS contexts
  • Categorize IPs/subnets by attack type
  • Customizable actions per attack-type category (i.e., Accept, Warn, Alert)
  • Create multiple customizable IP feeds
  DYNAMIC IP BLACK LISTS & WHITE LISTS
  • Create IP black lists and white lists that override IP Intelligence services
  • Merge multiple sources into one feed or enforcement policy
  • HTTP/S & FTP polling methods
  • User-defined categories
  • Support for IPv6 and IPv4
• 43. DNS DDoS Attacks
  Why is DNS popular for DDoS?
  • Widely used protocol, open on firewalls, open recursion
  • DNS is based on UDP
  • DNS DDoS often uses spoofed sources
  • Large amplification factor (100x) - using open resolvers or ANY-type queries to an authoritative NS
  Traditional mitigations are failing
  • Using an ACL blocks legitimate clients
  • DNS attacks use massive numbers of source addresses, breaking many firewalls
  Denial of Service attacks targeting DNS infrastructure are often complex, and standard tools cannot provide an adequate response to mitigate them without inhibiting the ability of DNS to do its job.
• 44. DNS DDoS Attacks - DNS UDP Flood
  Synopsis: many attackers or botnets flood an authoritative name server, attempting to exceed its capacity. Dropped responses = reduced or no site availability. (Diagram: DNS requests and DNS responses against the target DNS infrastructure)
  Mitigation – PERFORMANCE, PERFORMANCE, ....
  • F5 offers exceptional DNS capacity: over 2M RPS for an appliance and over 20M RPS for a chassis. Additionally, Rapid Response Mode can be used to double capacity during the attack.
  • Identify unusually high traffic patterns to specific clients using F5 DNS DDoS profiles - ICSA-certified firewall with support for 30+ DDoS vectors
  • Use DNS Anycast to distribute the load between regional DCs
• 45. DNS DDoS Attacks - DNS Amplification & NSQUERY
  Synopsis: by spoofing a UDP source address, attackers can target a common source. By requesting large record types (ANY, DNSSEC, etc.), a 36-byte request can result in a response over 100 times larger. (Diagram: small DNS requests in, large DNS responses directed at the target site)
  Mitigation
  • DNS request type validation – force TCP in case of type ANY
  • BIG-IP supports DNS type ACLs - filters for acceptable DNS query types
  • Identify unusually high traffic patterns to specific clients or from specific sources via DNS DoS profiles and apply mitigations
  • Drop all unsolicited responses (BIG-IP's default behavior)
• 46. DNS DDoS Attacks - NXDOMAIN Random Hostname Attack
  • Querying for randomly-generated non-existent hostnames
  • Causes enormous work on the DNS resolver
  • Blows out DNS caches
  • Easy to generate – single packet per name
  • Easy to spoof the source address – UDP
  • Asymmetric
  • Low bandwidth
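  Because every random name yields one NXDOMAIN, the attack on this slide leaves a clear signature in resolver logs. The following is an added detection example written for this page, not an F5 feature: it scores each client by its NXDOMAIN ratio and by the character entropy of the left-most label of the failing names, so that a host probing many predictable non-existent names (a monitoring system, for instance) is not confused with one generating random labels. The log lines, the addresses and the thresholds are constructed for the example.

```python
import math
from collections import defaultdict

# Constructed random-looking labels; each has ten distinct characters.
RANDOM_LABELS = ["q7z3k9xmw2", "h4v8n1tyb6", "c5r2j0pgl9", "e3s7d1kaz4", "u9m6f2xhq1",
                 "o8t5c3vrn7", "y1b4g7wsk2", "i6l9p0qdm3", "a2n5z8jvt4", "x7e1r4hcb9"]

# Constructed resolver log: "client qname rcode", one line per answered query.
SAMPLE_LOG = (
    # a client cycling through random subdomains, every one of them NXDOMAIN
    [f"10.1.10.200 {RANDOM_LABELS[i % 10]}.example.com NXDOMAIN" for i in range(30)]
    # a normal client: cached names plus one typo
    + ["10.1.10.100 www.example.com NOERROR"] * 5
    + ["10.1.10.100 mail.example.com NOERROR", "10.1.10.100 wwww.example.com NXDOMAIN"]
    # a monitoring host probing many non-existent but predictable names
    + [f"10.1.10.50 host{i}.example.com NXDOMAIN" for i in range(25)]
)


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def summarize(log_lines):
    """Per-client query count, NXDOMAIN count and summed entropy of the failing labels."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "entropy_sum": 0.0})
    for line in log_lines:
        client, qname, rcode = line.split()
        s = stats[client]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
            s["entropy_sum"] += label_entropy(qname.split(".")[0])
    return stats


def find_random_subdomain_sources(log_lines, min_queries=20, min_ratio=0.8, min_entropy=3.0):
    """Clients whose failing queries are both dominant and random-looking."""
    flagged = []
    for client, s in summarize(log_lines).items():
        if s["queries"] < min_queries:
            continue                                   # not enough evidence yet
        ratio = s["nxdomain"] / s["queries"]
        mean_entropy = s["entropy_sum"] / s["nxdomain"] if s["nxdomain"] else 0.0
        if ratio >= min_ratio and mean_entropy >= min_entropy:
            flagged.append(client)
    return sorted(flagged)
```

  With spoofed sources the client address is not trustworthy, so on a real deployment the same scoring would be applied per queried zone or per resolver rather than only per source; the ratio-plus-entropy test is what distinguishes this attack from a plain query flood.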
• 47. Demo DNS Flood - Start the attack
• 48. DNS DDoS Mitigation - AFM: DDoS Signatures (attack mitigated)
• 49. DNS DDoS Mitigation - AFM: Stateless App. Layer DoS Detection (application protocol volumetric attack detection: DNS & SIP)
  Screenshots: malformed/protocol violation detection; DNS DoS detection by query type (when to report an attack: absolute and relative increase detection thresholds); SIP DoS detection by method (when to report an attack: absolute and relative increase detection thresholds)
• 50. DNS DDoS Mitigation - AFM: Protocol Security (application protocol compliance & DNS DoS mitigation)
  Filter by DNS query types (list as shown in the UI): a, m, mg, loc, ixfr, dname, nsec3param, aaaa, px, rp, spf, cert, nesc3, ipseckey, any, md, mr, eid, apl, dhcid, nsap_ptr, cname, mf, null, nxt, axfr, zxfer, nsap, mx, a6, wks, key, sink, rrsig, nimloc, ns, rt, dlv, x25, naptr, sshfp, dnskey, ptr, mb, hip, sig, isdn, maila, mailb, soa, ds, opt, tsig, nsec, afsdb, hinfo, srv, kx, txt, ata, gpos, tkey, minfo
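  The two mitigations from slide 45 (DNS type ACLs, and forcing ANY over TCP) and the query-type filter on this slide come down to reading the QTYPE out of the question section and acting on it before any lookup happens. The following is an added example written for this page, not BIG-IP's DNS protocol-security code: a minimal wire-format parser for a single-question query, a policy that drops query types outside an allow-list, and a truncated (TC=1) reply that is the same size as the request, so a UDP ANY query gets no amplification and a real resolver simply retries over TCP. The sample queries, the type table and the allow-list are constructed for the example.

```python
import struct

# Subset of query types with their numeric codes (constructed table).
QTYPES = {"a": 1, "ns": 2, "cname": 5, "soa": 6, "ptr": 12, "mx": 15, "txt": 16,
          "aaaa": 28, "srv": 33, "naptr": 35, "rrsig": 46, "dnskey": 48, "axfr": 252, "any": 255}
QTYPE_NAMES = {v: k for k, v in QTYPES.items()}

FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Constructed sample query (no EDNS), used only as input for the policy below."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Return (txid, flags, qname, qtype) of a single-question query; ValueError if malformed."""
    if len(packet) < 12:
        raise ValueError("short header")
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & FLAG_QR or qd != 1:
        raise ValueError("not a single-question query")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        ln = packet[pos]
        if ln == 0:
            pos += 1
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question")   # never valid in a query name
        labels.append(packet[pos + 1:pos + 1 + ln].decode("ascii"))
        pos += 1 + ln
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, flags, ".".join(labels), qtype


def response_flags(packet):
    return struct.unpack("!H", packet[2:4])[0]


class QtypePolicy:
    """Query-type ACL: drop types outside the allow-list, force selected types onto TCP."""

    def __init__(self, allowed, tcp_only=()):
        self.allowed = {QTYPES[t] for t in allowed}
        self.tcp_only = {QTYPES[t] for t in tcp_only}

    def decide(self, packet, transport):
        try:
            _, _, qname, qtype = parse_query(packet)
        except ValueError as e:
            return "drop", f"malformed: {e}"
        if qtype not in self.allowed:
            return "drop", f"qtype {QTYPE_NAMES.get(qtype, qtype)} not permitted"
        if transport == "udp" and qtype in self.tcp_only:
            return "truncate", f"qtype {QTYPE_NAMES[qtype]} must retry over TCP"
        return "allow", qname


def truncated_response(packet):
    """Echo the question with QR and TC set: no answer data, same size as the request."""
    txid, flags, _, _ = parse_query(packet)
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_TC | (flags & FLAG_RD), 1, 0, 0, 0)
    return header + packet[12:]
```

  Forcing TCP is cheaper than dropping ANY outright because a spoofed source never completes the TCP handshake, while a legitimate resolver does and gets its full answer.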
• 52. SSL DDoS Mitigation - F5 Reference Architecture
  Reference-architecture diagram: DDoS attackers (scanner, anonymous proxies, anonymous requests, botnet attackers) and legitimate users reach the application through a cloud scrubbing service (volumetric attacks and floods, operations center experts, L3-7 known signature attacks), multiple ISPs (ISPa/b, multiple ISP strategy), the Network and DNS tier (IPS, next-generation firewall, threat intelligence feed) and the Application tier (financial services, e-commerce and subscriber applications, corporate users).
  Attack classes by tier:
  - Network attacks: ICMP flood, UDP flood, SYN flood
  - DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning
  - HTTP attacks: Slowloris, slow POST, recursive POST/GET
  - SSL attacks: SSL renegotiation, SSL flood
  APPLICATION KEY FEATURES (strategic point of control)
  • Application-aware, CPU-intensive defense mechanisms
  • SSL termination
  • Web application firewall
  • Mitigate asymmetric and SSL-based DDoS attacks
• 53. Demo SSL Renegotiation - Start the attack
• 54. Demo SSL Renegotiation – Attack mitigated (LTM: SSL profile)
• 56. Application DDoS Mitigation - F5 Reference Architecture
  Same reference-architecture diagram and APPLICATION KEY FEATURES as slide 52, here framing the application tier.
• 57. Application DDoS Mitigation - ASM (Application Security Manager): Layer 7 HTTP/S DoS attack protection
  ▪ Guards against RPS (TPS) and latency-based anomalies
  ▪ Provides predictive indicators
  ▪ Supports IP, geolocation, URL and site-wide detection criteria
  ▪ Provides heavy URL protection
  ▪ Protects against threats proactively
  ▪ Simplified report access and added qkview violations export support
  ▪ Advanced prevention techniques:
    ▪ Client Side Integrity Defense
    ▪ CAPTCHA (HTML or JS response)
    ▪ Source IP blocking
    ▪ Geolocation blacklisting
• 58. Demo Application DDoS Attacks - Topology and initial configuration
  • TMOS version 12.1
  • Virtual Server info:
    - Listening on port 80
    - Type: Performance L4 (to start with)
    - No HTTP profile (to start with)
    - Pool members: 3 x Apache servers listening on port 80
  Topology diagram: attacker (.200) and user (.100) on 10.1.10.0/24 reach the virtual server (.80:80) on the BIG-IP platform; the application servers (.11, .12, .13) sit on 10.1.20.0/24
• 59. Application DDoS Attacks - HTTP Slow (Low Bandwidth)
  • Slow HEADERS (Slowloris) – opening HTTP connections to a web server and then sending just enough data in an HTTP header (typically 5 bytes or so) every 299 seconds to keep the connections open. Slow headers is an attack that very slowly sends an HTTP request. The request headers are sent so slowly that all available server connections are tied up waiting for the slow request to complete. Slowloris achieves denial of service with just 394 open connections for a typical Apache 2.
• 60. Demo Slow HEADERS - Start the attack
  • Send the command: slowhttptest -H -c 3000 -i 10 -r 50 -u http://10.1.10.80/ &
  • .... website is down!
• 61. Demo Slow HEADERS - LTM: Standard Virtual Server with HTTP Profile
  • LTM can protect the Apache servers by preventing the Slow Headers attack from ever reaching them. A Standard virtual server with an HTTP profile does not open the server-side connection until the full HTTP request has been received. Since the attack never completes the HTTP request, the attack is never propagated to the servers.
  https://support.f5.com/kb/en-us/solutions/public/8000/000/sol8082.html#standard
• 62. Demo Slow HEADERS - AFM: Not only Network DDoS protection
  DoS enhancements and new vectors: AFM delivers increased effectiveness of DoS vectors by enhancing vectors to provide greater coverage, introducing new vectors, providing more hardware-based vectors, and improving overall DoS logging. Version 12.0 also provides sweeper enhancements to Slowloris, BiasIdle cleanup and reporting.
• 63. Application DDoS Attacks - HTTP Slow (Low Bandwidth)
  • Slow POST (R.U.D.Y.) - Like Slowloris, Slow POST uses a slow, low-bandwidth approach, but instead of sending an HTTP header it begins an HTTP POST command and then feeds in the payload of the POST data very, very slowly. Slow POST is an attack that sends the initial POST request and attempts to send each additional piece of POST data in subsequent packets very slowly. Since the initial POST request completes, LTM creates the connection to the web server. Since the POST data is very slow to complete, all the available connections are tied up again...
• 64. Demo Slow POST - Start the attack
  • Send the command: slowhttptest -B -c 3000 -i 20 -r 50 -u http://10.1.10.80/ &
  • .... website is down!
• 65. Demo Slow POST - ASM: Deployment Policy
  • ASM deployment steps (shortened): you can use Rapid Deployment; Apply!
• 66. Demo Slow POST - ASM Protection
  • ASM can protect against Slow POST attacks just by being applied to the virtual server. The policy does NOT need to be in blocking mode. Since ASM must protect itself from slow connections, it also protects the virtual server by limiting the number of slow connections allowed. The number of allowed connections per TMM is configurable.
  • Security > Options > Application Security > Advanced Configuration > System Variables
  • When this protection kicks in, ASM logs to /var/log/asm (log excerpt shown on the slide)
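  Slides 61 and 66 describe two behaviours of a full proxy against slow HTTP attacks: the server-side connection is not opened until the complete request headers have arrived (so slow-header connections never reach the pool), and the number of connections allowed to stay slow is capped. The following is an added simulation written for this page, not LTM or ASM code: it buffers each client connection until the blank line that ends the headers, forwards only then, tracks how much of a declared Content-Length has arrived, and runs a sweeper that reaps connections that time out and resets the oldest of those that exceed the slow-connection cap. The timeouts, the cap and the request bytes are constructed for the example, and the cap is a global one here where ASM's is per TMM.

```python
import re
from dataclasses import dataclass


@dataclass
class ClientConn:
    src_ip: str
    opened_at: float
    last_data_at: float
    buf: bytes = b""
    headers_done: bool = False
    body_needed: int = 0
    body_got: int = 0


class FullProxy:
    """Client-side connection handling of a full proxy with an HTTP profile (simplified model)."""

    def __init__(self, header_timeout=30.0, body_idle_timeout=30.0, slow_after=10.0, max_slow=10):
        self.header_timeout = header_timeout        # whole header must arrive within this
        self.body_idle_timeout = body_idle_timeout  # longest allowed gap between body chunks
        self.slow_after = slow_after                # age after which an incomplete request is "slow"
        self.max_slow = max_slow                    # cap on concurrent slow connections
        self.conns = {}
        self.server_requests = []                   # requests actually forwarded to a pool member

    def on_open(self, cid, src_ip, now):
        self.conns[cid] = ClientConn(src_ip, now, now)

    def on_data(self, cid, data, now):
        c = self.conns[cid]
        c.last_data_at = now
        if not c.headers_done:
            c.buf += data
            end = c.buf.find(b"\r\n\r\n")
            if end < 0:
                return "buffering"                  # nothing reaches the server yet
            head = c.buf[:end].decode("latin-1")
            request_line = head.split("\r\n", 1)[0].split()
            if len(request_line) < 2:
                del self.conns[cid]
                return "rejected"                   # not an HTTP request line
            m = re.search(r"^content-length:\s*(\d+)\s*$", head, re.I | re.M)
            c.headers_done = True
            c.body_needed = int(m.group(1)) if m else 0
            c.body_got = len(c.buf) - end - 4
            # Only now is the server-side connection opened and the request forwarded.
            self.server_requests.append((cid, request_line[0], request_line[1]))
        else:
            c.body_got += len(data)
        if c.body_got >= c.body_needed:
            del self.conns[cid]                     # request complete: handed to the server
            return "complete"
        return "forwarded"

    def tick(self, now):
        """Periodic sweeper: reap timed-out connections, then enforce the slow-connection cap."""
        reaped = []
        for cid, c in list(self.conns.items()):
            if not c.headers_done and now - c.opened_at >= self.header_timeout:
                reason = "header-timeout"
            elif c.headers_done and now - c.last_data_at >= self.body_idle_timeout:
                reason = "body-idle-timeout"
            else:
                continue
            reaped.append((cid, reason))
            del self.conns[cid]
        slow = sorted((cid for cid, c in self.conns.items() if now - c.opened_at >= self.slow_after),
                      key=lambda cid: self.conns[cid].opened_at)
        for cid in slow[:max(0, len(slow) - self.max_slow)]:   # reset the oldest beyond the cap
            reaped.append((cid, "slow-connection-cap"))
            del self.conns[cid]
        return reaped
```

  The distinction the model makes visible is the one on slide 63: slow headers never produce a server request, whereas a slow POST does open a server-side connection once its headers complete, so it has to be caught by the body idle timeout or the slow-connection cap rather than by buffering alone.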
• 67. Application DDoS Attacks - HTTP Slow (Low Bandwidth)
  • Slow READ - Slow Read is an attack that sends a normal request for an HTTP page. The attacker then accepts the site data with a very small TCP window. Upon receiving the first packet of data, the attacker typically sends back a TCP window size of zero in the acknowledgement. Since the server received a zero window from the client, it waits to send more data, holding the TCP connection open. Once enough zero-window clients have attached to the server, it is unable to accept new clients. Since this behavior is RFC-compliant (though it rarely happens in normally functioning networks), it is difficult for the F5 to tell an attacker from a real slow client. There are a few ways to protect against these types of attacks.
• 68. Demo Slow READ - Start the attack
  • Send the command: slowhttptest -X -c 3000 -i 10 -r 50 -u http://10.1.10.80/ &
  • .... website is down!
• 69. Demo Slow READ - ASM: DDoS Profile Defense for browser applications
  • Proactive Bot Defense
    • Many DDoS attacks are simple scripts or programs with very little logic. They exploit the known behaviors of the application to prevent normal users from accessing the data. Proactive Bot Defense challenges the client to perform some data manipulation using JavaScript. Since many scripts are unable to parse and perform the JavaScript challenge, they are denied access. Proactive Bot Defense should only be used when you know the normal clients are able to accept JavaScript. All modern browsers can pass this challenge.
  • Client Side Integrity Defense
    • Similar to Proactive Bot Defense, Client Side Integrity Defense challenges the client with JavaScript. It differs in that it only challenges clients based upon the criteria set within a DDoS profile.
  • CAPTCHA
    • During an attack, clients can be forced to pass a CAPTCHA challenge. This challenge must be passed before the server data is requested and passed to the client.
  • These protections are configured as DDoS profiles and applied to a virtual server.
• 70. Demo Slow READ - ASM: TPS-Based Detection & Prevention
• 71. Demo Slow READ - ASM: DDoS Profile Defense for browser applications
  • DoS Protection Profile (screenshot); apply the DDoS profile to the virtual server
• 72. Demo Slow READ - ASM: Client-side Integrity Defense
  Diagram of the challenge exchange between a user (browser), a web bot and ASM:
  Client: Hey server, can I get the web page?
  ASM: No, you are sending too many requests. Are you a browser?
  Browser: Yes, I'm a browser *^lkjdfg@#$
  ASM: OK, you are allowed. Here is the web page you asked for.
  Bot (no valid answer): ASM: Bye bye – blocked
• 73. Demo Slow READ - ASM: CAPTCHA
  • Ultimate solution for identifying human or bot
  • Send a challenge to every IP that has reached the IP detection criteria thresholds
  Note: some argue that CAPTCHA is bad for usability, because a user who gets a CAPTCHA at an online shop (or similar) will not stay.
• 74. Application DDoS Attacks - HTTP Flood
  • Unlike most simple network attacks, which overwhelm computing resources with invalid packets, HTTP flood attacks look like real HTTP web requests.
  • To conventional firewall technology, these requests are indistinguishable from normal traffic
  • Two main variations:
    • Basic HTTP flood, which merely repeats the same request over and over again. Easy to detect and mitigate.
    • Advanced HTTP flood with a recursive-GET denial of service. Clients using this attack request the main application page, parse the response, and then recursively request every object at the site. Difficult to detect and mitigate.
• 75. Demo HTTP Flood - Start the attack
  • LOIC (Low Orbit Ion Cannon)
  • Launch from many sources and.... website will be down!
• 76. Demo HTTP Flood - Attack mitigated
• 77. Application DDoS Mitigation - ASM: Heavy URL Mitigation
  When any URL-based mitigation is active, the heavy URLs that were detected receive this mitigation
• 78. Application DDoS Mitigation - ASM: Heavy URL Mitigation (Heavy URL – configuration)
  Automatically measures latency on URLs for 24 hours and decides which are heavy
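  The heavy-URL idea on slides 77 and 78 is that a URL which is expensive for the server to produce (high latency) is the one an application-layer flood can exploit with the fewest requests, so it deserves its own tighter budget once URL-based mitigation is active. The following is an added example written for this page, not ASM's heavy-URL implementation: it collects latency observations per URL over the learning period, classifies a URL as heavy when it has enough samples and a mean latency above a threshold, and then applies a per-URL request budget to the heavy URLs only. The latency samples, the 1000 ms threshold, the sample minimum and the budget are constructed for the example.

```python
from collections import defaultdict, deque
from statistics import mean

# Constructed latency observations from the learning window: (url, server latency in ms).
SAMPLE_LATENCIES = (
    [("/index.html", 40), ("/index.html", 55), ("/index.html", 38)] * 10
    + [("/search", 1800), ("/search", 2400), ("/search", 1500)] * 10
    + [("/report/export", 3200)]      # slow, but too few observations to judge
)


class HeavyUrlDetector:
    """Learns which URLs are expensive to serve from observed server latency."""

    def __init__(self, latency_threshold_ms=1000, min_samples=10):
        self.threshold = latency_threshold_ms
        self.min_samples = min_samples
        self.samples = defaultdict(list)

    def observe(self, url, latency_ms):
        self.samples[url].append(latency_ms)

    def mean_latency(self, url):
        return mean(self.samples[url]) if self.samples[url] else 0.0

    def heavy_urls(self):
        return sorted(url for url, lat in self.samples.items()
                      if len(lat) >= self.min_samples and mean(lat) >= self.threshold)


class HeavyUrlLimiter:
    """Per-URL request budget applied only to heavy URLs once URL-based mitigation is on."""

    def __init__(self, detector, heavy_tps, window=1.0):
        self.heavy = set(detector.heavy_urls())
        self.heavy_tps = heavy_tps
        self.window = window
        self.hits = defaultdict(deque)
        self.dropped = defaultdict(int)

    def allow(self, url, now):
        if url not in self.heavy:
            return True                      # light URLs are not touched by this mitigation
        q = self.hits[url]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.heavy_tps:
            self.dropped[url] += 1
            return False
        q.append(now)
        return True


def learn(observations, **kwargs):
    det = HeavyUrlDetector(**kwargs)
    for url, latency in observations:
        det.observe(url, latency)
    return det
```

  The minimum-sample rule matters in practice: a single slow export must not turn a rarely used URL into a heavy one, otherwise the mitigation would start rate-limiting the few legitimate users of that URL on the strength of one observation.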
• 79. Application DDoS Mitigation - ASM: Heavy URL Reporting
• 81. New DDoS Features in TMOS 12.1
  • BGP black-hole DoS protection (RTBH)
  • Automatic DDoS vector thresholds
  • Behavioral analysis DDoS (BADOS)
  • BIG-IP/DHD Silverline signaling
• 82. New DDoS Features in TMOS 12.1 - RTBH
  • RTBH (Remotely Triggered Black-Hole): route injection instructs upstream network devices to drop certain flows at the edge of the network.
  • RTBH belongs to AFM, and AFM must be provisioned to configure this feature
  • When you configure settings for DDoS vectors in AFM, you can find the column 'Bad actors', and instead of rate-limiting them you can block them - this is 'IP shunning'.
  • On top of this we can configure RTBH and signal this information to upstream routers
  • AFM IP Intelligence (IPI) can now instruct the IP network within the local Autonomous System (AS) to "black-hole" source or destination addresses which have been blacklisted.
  • ARM (Advanced Routing) belongs to AFM: every time you provision AFM you also have the Advanced Routing license enabled. ARM is also included in DHD.
• 83. New DDoS Features in TMOS 12.1 - RTBH
• 84. New DDoS Features in TMOS 12.1 - BADOS – Why?
  • Today
    • Configuration
    • Tune and maintain
    • Impact leads to mitigate
    • React to 0-day
    • Static – automatic
    • Impacts the good
    • Uses wisdom of IT
  • BADOS
    • Hands free
    • Unsupervised
    • Predictive
    • 0-day capable
    • Improves with time (experience)
    • Minimal impact on good guys
    • Uses wisdom of the crowd
• 85. New DDoS Features in TMOS 12.1 - BADOS – Why?
  • 3 modes of detection and prevention (diagram: Conservative - slow down & rate-shape bad actors; Standard - plus limit all requests based on server health; Aggressive - plus proactive mitigation until health is restored)
  • Conservative: slows down & rate-limits attackers
  • Standard: like Conservative, but may rate-limit all requests based on the server's health
  • Aggressive: like Standard, but proactively performs all protection actions
• 87. New DDoS Features in TMOS 13.0 - ASM Auto Thresholding (for TPS-based detection)
• 88. New DDoS Features in TMOS 13.0 - ASM Auto Thresholding (for TPS-based detection)
• 89. New DDoS Features in TMOS 13.0 - BADOS improvements
• 90. New DDoS Features in TMOS 13.0 - Proactive Bot Defense reporting
• 91. New DDoS Features in TMOS 13.0 - DoS reporting redesign
  Security > Reporting > DoS > Visibility > Dashboard
• 92. DDoS and Application Attacks Mitigation – iRules
  Diagram of the layers covered: Network, Session, SSL, DNS/NTP, Application, Blended
• 93. DDoS and Application Attacks Mitigation - iRules: Slow HEADERS (Slowloris) defense
• 94. DDoS and Application Attacks Mitigation - iRules: Slow POST (R.U.D.Y.) defense
• 95. DHD (DDoS Hybrid Defender)
• 96. DHD – Configure and play
• 97. DHD – Simplified configuration
  Diagram comparing a Protected Object (1: DDoS profile, log profile, protocol profile; VLAN/network info, action, deployment model) with the equivalent Virtual Server configuration (2, 3: DDoS profile, log profile, protocol profile for network and protocol), with numbered references between the two
• 98. DHD - Out-of-band TAP
  Diagram: edge router and access router feed the access network; a network tap mirrors packet data (Rx/Tx) into a tap VLAN on the DHD, which performs attack detection with visibility via AVR; the apps sit behind the access network
  • Avoid single-point-of-failure network scenario
  • Identify DDoS attacks (L3/4, SIP, DNS) via mirrored packets
  • No need to reconfigure the network
  • No single point of failure
  • Visibility
  • RTBH with upstream router
  • Signal to Silverline
  • Simplified and easy POC
  • Visibility via AVR
• 99. DHD - Out-of-band Netflow/IPFIX
  Diagram: the DDoS platform receives Netflow/IPFIX from the edge network (attack detection and inspection); attack traffic is steered over a scrub VLAN to the DDoS platform and clean traffic is returned to the access network
  • Avoid single-point-of-failure network scenario
  • Doesn't want to inspect/scrub all traffic
  • Identify DDoS attacks via Netflow, IP
  • Ease of deployment
  • No single point of failure
  • Significant cost efficiencies
  • Steer traffic to a local scrubber
  • Share attacked IP(s) with Silverline
  • Simplified and easy POC
  • Visibility via AVR
• 100. DHD – AFM DoS "Overview" Page: 13.x
  Screenshot annotations:
  - Choose a context: current attacks, device, single profile or VS
  - Choose a filter (optional): limit by vector name or P.O. name
  - View status of current attacks
  - View current traffic statistics: total packets, dropped packets
  - View current configuration: manual vs. auto mode, aggregate & SrcIP limits
  - Modify configuration settings without navigating to a new page (same interface as the profile page)
• 101. DHD Demo – Slow POST (Application) DDoS Attack mitigated by DHD
  • TMOS version 12.1
  • DHD operates in transparent mode
  • BADOS (Behavioral DoS) protection enabled
  • Protected Object:
    - Listening on port 443 (HTTPS)
  Topology diagram: attacker (.200) and user (.100) on 10.1.20.0/24; the DHD platform bridges transparently to the same 10.1.20.0/24, where the server .11:443 is the protected object and .12:443 is unprotected
• 102. DHD Demo – Slow POST (Application) DDoS Attack mitigated by DHD
  • slowhttptest -B -c 3000 -i 20 -r 50 -u https://10.1.20.11/
  Slow POST (R.U.D.Y.) - Like Slowloris, uses a slow, low-bandwidth approach, but instead of sending an HTTP header, it begins an HTTP POST command and then feeds in the payload of the POST data very, very slowly. Slow POST is an attack that sends the initial POST request and attempts to send each additional piece of POST data in subsequent packets very slowly. Since the POST data is very slow to complete, all the available connections are tied up again.
• 104. DDoS Attack Sizes (pie chart): 0.5-1 Gbps 24%; 1-10 Gbps 38%; 10-50 Gbps 20%; over 50 Gbps 6%; unknown 12%
• 105. F5 Silverline - 3 Cloud-based Security Services
• 106. F5 Silverline - Global Coverage
  Global coverage: fully redundant and globally distributed data centers worldwide in each geographic region
  • San Jose, CA US
  • Ashburn, VA US
  • Frankfurt, DE
  • Singapore, SG
  Industry-leading bandwidth
  • Attack mitigation bandwidth capacity over 2.0 Tbps
  • Scrubbing capacity up to 1.0 Tbps (with upstream ACLs)
  • Guaranteed bandwidth with Tier 1 carriers
  24/7 support: F5 Security Operations Center (SOC) in Seattle, staffed 24x7x365 with security experts for DDoS Protection and WAF; Warsaw is staffed for WebSafe.
  • Seattle, WA US (SOC)
  • Warsaw, Poland (SOC)
• 107. F5 Silverline - Security Operations Center: outsourcing DDoS monitoring and mitigation
  • Monitoring and mitigating attacks while reducing false positives requires a 24/7 staff of skilled DDoS analysts
  • Full provisioning and configuration
  • Proactive alert monitoring
  • Identification and inspection of attacks
  • Custom and scripted mitigation
  • Service level agreements on time to notify, mitigate, escalate
  Diagram: Security Operations Center (SOC) - active DDoS threat monitoring; Tier II DDoS analysts and above; availability & support
• 108. F5 Silverline DDoS Protection - Cloud-based Scrubbing Center
  Same reference-architecture diagram as slide 29, here framing the cloud scrubbing service.
  CLOUD KEY FEATURES
  • Real-time volumetric DDoS attack detection and mitigation in the cloud
  • Multi-layered L3-L7 DDoS attack protection
  • 24x7 expert SOC services
  • Transparent attack reporting via the F5 customer portal
• 109. F5 Silverline DDoS Protection - Scrubbing Center Architecture
  Diagram of the scrubbing center: customer data plane (routing with customer VRF, GRE tunnel, proxy, IP reflection, L2VPN); inspection plane (inspection toolsets, traffic actioner, route management, flow collection, portal; fed by Netflow, copied traffic for inspection and BGP signaling; signaling, visibility and management); switching, routing/ACL, network mitigation and proxy mitigation; legitimate users and DDoS attackers at the ingress. Silverline DDoS cloud and Silverline WAF: volumetric DDoS protection, managed application firewall service, zero-day threat mitigation with iRules.
  Flow through the scrubbing center:
  - Ingress router applies ACLs and filters traffic
  - Switching mirrors traffic to the inspection toolsets and the routing layer
  - Inspection tools provide input on attacks for the traffic actioner & SOC
  - Traffic actioner injects routes and steers traffic
  - Network mitigation removes advanced L4 attacks
  - Proxy mitigation removes L7 application attacks
  - Flow collection aggregates attack data from all sources
  - Egress routing returns good traffic back to the customer
  - Portal provides real-time reporting and configuration
• 110. Diagram: Silverline anycast. Cloud network scrubbing centers in US West, US East, Europe and Asia attract both DDoS attack traffic and legitimate traffic from the Internet; clean traffic reaches the customer DC (customer app) over GRE tunnels, with response traffic shown returning from the customer DC
• 111. F5 Silverline DDoS Protection - Service Options
  Always On - primary protection as the first line of defense: the Always On subscription stops bad traffic from ever reaching your network by continuously processing all traffic through the cloud-scrubbing service and returning only legitimate traffic to your network.
  Always Available - primary protection available on demand: the Always Available subscription runs on stand-by and can be initiated when under attack.
  Client router monitoring (optional).
  Reactive Hybrid: AFM alerts Silverline, and traffic is diverted for cloud-based mitigation when the datacenter is under volumetric attack.
  Proactive Hybrid: Silverline is always on and is the first point of detection and mitigation for volumetric attacks before traffic is passed to the datacenter.
• 112. F5 Silverline DDoS Protection - Traffic Steering to Silverline
  Capabilities table:
  - Routed mode (BGP, Border Gateway Protocol): asymmetric, L3/L4, clean-traffic tunnel, protects an entire netblock (/24)
  - Proxy mode (DNS): full proxy (symmetric), L7, SSL termination, WAF, single application (IP)
• 113. F5 Silverline Portal
• 114. F5 Silverline Portal (https://portal.f5silverline.com)
  • Stats, visibility, reporting and intelligence
  • Real-time attack view
  • Real-time mitigation view
  • Real-time scrubbing & clean traffic view
  • Non-attack (regular) traffic reporting capability
  • Instant, downloadable PDF reports
  • Secure set-up & management of SOC services
  • Knowledge base & how-to
• 115. F5 Silverline Portal - Stats, Visibility, Reporting & Intelligence (F5 Customer Portal)
  • Securely communicate with Silverline SOC experts
  • View centralized attack and threat monitoring reports with details including:
    • source geo-IP mapping
    • blocked vs. alerted attacks
    • blocked traffic and attack types
    • alerted attack types
    • threats*
    • bandwidth used
    • hits/sec*
    • type of traffic and visits (bots vs. humans)*
  Screenshot: customer portal - visibility & compliance, attack reports
• 116. F5 Silverline Portal - Stats: Traffic (post- and pre-scrubbing)
  • Dashboard > Netflow: Traffic, Application, Zones
• 117. F5 Silverline Portal - Stats: Attack Reporting (downloadable PDFs for internal reporting)
• 118. F5 Silverline Portal - Configuration and Provisioning
  Directly manage configuration via the customer portal
  • Configure proxy and routing attributes
  • Manage SSL certificates
  • Update white and black list information
  • Check health status of GRE tunnels
  • Administer users and roles
  • Download reports and view audit history
• 119. F5 Silverline Portal - Configuration: Routed mode
• 120. F5 Silverline Portal - Configuration: Proxy mode
• 121. F5 Silverline Portal - Configuration: Proxy mode
• 122. F5 Silverline Portal - Configuration: Proxy mode
• 123. F5 Silverline Portal - Configuration: Proxy mode
• 124. F5 Hybrid Signaling: BIG-IP / DHD and Silverline
• 125. F5 Networks Hybrid DDoS Protection - Silverline Signaling
  • New Hybrid DDoS Signaling iApp available for BIG-IP
  • DHD can signal to Silverline natively
  https://support.f5silverline.com/hc/en-us/sections/205571867-Hybrid-Signaling
• 126. F5 Networks Hybrid DDoS Protection - Silverline Signaling for DHD
  • Configure the connection to Silverline
• 128. Conclusion: F5 Hybrid Security
  Diagram: BIG-IP platform on-premises (virtual edition, appliance, chassis) and F5 Silverline cloud security (anti-DDoS managed service, web application firewall managed service): high-performance security, simplified security, scalable security
• 129. Conclusion: Rethink... Multi-Layer Security with F5
  Diagram: TMOS full proxy on the BIG-IP platform (virtual edition, appliance, chassis) providing DDoS protection, app protection, network protection, web fraud protection, SSL visibility & protection, DNS protection and app access
• 130. Conclusion: Key DDoS Mitigation Values
  • Performance - minimize business impact from volumetric attacks: up to 640 Gbps; 7.5M CPS; 576M CCS in the datacenter and over 1 Tbps in the cloud
  • Protection - protect against the full spectrum of modern cyber threats and attacks: 100+ DDoS vectors; most advanced app security; 98% of the Fortune 1000 trust their traffic to F5
  • Extensibility - take immediate action on new DDoS threats: 1,000's of iRules have been written to mitigate traffic based on any type of content data
  • Expertise - augment resources with F5 security experts: 24x7x365 DDoS support from Security Operations Centers in the US, APAC, and EMEA
• 131. Q & A