F5 DDoS protection Mariusz Sawczuk – Specialist Systems Engineer North & East EMEA [2017-03-08]


© F5 Networks, Inc 2

DDoS (Distributed Denial of Service)

[Diagram: many attackers on the Internet, alongside web clients, partners, websites and remote users, send traffic toward the data center. The path crosses routers (act/stby), next-generation firewalls (act/stby), a DMZ with firewall/VPN pairs, anti-malware, proxy and DLP, multi-layer switches (act/stby), and reaches applications, databases, DNS, email and users. The attack classes marked along this path are Volumetric DoS, Network DoS, Session DoS and Application DoS.]

DDoS World is Complex

[Word cloud: Growing, Anyone, Global, Fun, Agenda, War tactics, Diverse, Business]

DDoS attacks hide the Real Threat


Types of DDoS attacks

Layer 7 (Application): OWASP Top 10 (e.g. XSS), Slowloris, Slow POST/Read, HTTP GET/POST floods, ...

Layers 5-6 (Session): SSL floods, SSL renegotiation, ...; DNS and NTP: DNS UDP floods, DNS query floods, DNS NXDOMAIN floods

Layers 3-4 (Network): SYN/UDP/connection floods, PUSH and ACK floods, ICMP/Ping floods, Teardrop, Smurf attacks, ...

Layer 2: (no vectors listed)

Blended and volumetric attacks combine vectors from several of these layers.

DDoS attacks are easy to launch - Press button and forget - 2016 Tools Bundle

Tools: hping3, nmap, Low Orbit Ion Cannon, High Orbit Ion Cannon, killapache.pl, slowloris, metasploit, slowhttptest, RussKill, Pandora, Dirt Jumper, PhantomJS, ..., Jmeter, Scapy, Httpflooder, SSLyze, THC-SSL-DOS, and many, many more...

Evasion techniques / differentiation:

• Several User-Agents & Referrers

• Random URL/UA/Content-Length

DDoS attacks are easy to launch - DDoS Coin – crowd funding DDoS

DDoS IoT (Internet of Things) – Mirai botnet - Mirai means "future" in Japanese

https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

DDoS IoT – Mirai botnet - Known targets of DDoS attacks

[Chart of attack sizes against known targets: 0.54 Tbps, 0.62 Tbps, 1.0 Tbps, 1.2 Tbps]

DDoS IoT – Mirai botnet - DDoS Attacks

• STOMP attack

• Non-standard attacks

• Known "VSE" attack offered by online booters (DDoS as a Service): exploiting online gaming servers for amplification

• Never implemented attack: a hidden "CFNull" Layer 7 attack

DDoS IoT – Mirai botnet - DDoS Attacks – HTTP Attacks

DDoS IoT – Mirai botnet - Coming Through the Front Door

DDoS IoT – Mirai botnet - Change of tactics

DDoS IoT – Other botnets - IoT Malware Families

Mirai, LuaBot, qBot (GayFgt/Torlus/Bashlite), Darlloz, IRCTelnet (Aidra2), Hajime

F5 Networks DDoS Protection

F5 Networks DDoS Protection - On-premises and cloud-based services for comprehensive DDoS Protection

Protect Your Business and Stay Online During a DDoS Attack

F5 ON-PREMISES DDOS PROTECTION

• Mitigate mid-volume, SSL, or application targeted attacks on-premises

• Complete infrastructure control

• Advanced L7 attack protections

F5 SILVERLINE DDOS PROTECTION (when under attack)

• Turn on cloud-based service to stop volumetric attacks from ever reaching your network

• Multi-layered L3-L7 DDoS attack protection against all attack vectors

• 24/7 attack support from security experts

F5 Networks DDoS Protection - Reference Architecture

[Diagram: a threat intelligence feed flags scanners, anonymous proxies, anonymous requests and botnet attackers. Legitimate users and DDoS attackers arrive over ISP a/b (multiple ISP strategy). Three tiers follow: the cloud scrubbing service (volumetric attacks and floods, operations center experts, L3-7 known signature attacks); the network and DNS tier with IPS and next-generation firewall, the strategic point of control, covering network attacks (ICMP flood, UDP flood, SYN flood) and DNS attacks (DNS amplification, query flood, dictionary attack, DNS poisoning); and the application tier in front of financial services, e-commerce and subscriber applications, covering HTTP attacks (Slowloris, slow POST, recursive POST/GET) and SSL attacks (SSL renegotiation, SSL flood). Corporate users sit behind the next-generation firewall.]

F5 Networks DDoS Protection - Why F5 Hybrid is better

• Only single vendor with native, seamlessly integrated on-premises and cloud-based scrubbing services

• Leverages industry-leading application protections to defend against L7 DDoS and vulnerability threats

• Most comprehensive HW-based DDoS protection coverage

• Unsurpassed SSL performance with SSL termination and outbound SSL interception protection

• Ensures app availability and performance while under attack with leading datacenter scalability and up to 2 Tbps of cloud-based scrubbing capacity

• Gartner on DDoS – Go Hybrid! "Cloud + On-Premise" makes the most sense

F5 On-premises DDoS Protection - BIG-IP

F5 On-premises DDoS protection - Full proxy security

[Diagram: BIG-IP terminates the client-side TCP, SSL and HTTP stack and opens a separate server-side TCP, SSL and HTTP stack, with iRules available at each layer on both sides. Attacks shown being stopped at the proxy: ICMP flood and SYN flood (network firewall); SSL renegotiation, Slowloris attack, XSS and data leakage (WAF).]

F5 On-premises protection - Comprehensive application security

Application Access, Network Access, Network Firewall, Network DDoS Protection, SSL DDoS Protection, DNS DDoS Protection, Application DDoS Protection, Web Application Firewall, Fraud Protection, Virtual Patching

F5 On-premises protection - Comprehensive DDoS protection - More than only DDoS Protection

ASM DoS + IPI: L7 DoS Profiles, Heavy URLs

AFM DoS + IPI: Device DoS, Protocol DoS, IP Intelligence, B/W Lists

DNS DoS: DNS DoS, DNSSEC

LTM Profiles: HTTP/HTTPS, SSL, SIP, SMTP

BIG-IP System: Reaper (75%-90%), iRules

F5 On-premises DDoS protection - Performance

Up to 640 Gbps, 7.5M CPS, 576M CCS in the datacenter and over 1 Tbps in the cloud

[Chart: platform positioning by throughput. Platforms: 2000 series / 4000 series, 5000 series, 7000 series, 10000 series, 11000 series, VIPRION 2200 (new), VIPRION 2400, VIPRION 4480, VIPRION 4800. Axis marks: 1 Gbps, 3 Gbps, 5 Gbps, 10 Gbps (new), 25M, 200M.]

F5 On-premises DDoS protection – DDoS vectors hardware accelerated

Over 110 L3/4 DDoS vectors, the majority of them mitigated in hardware.

F5 On-premises DDoS protection - Recommended by NSS Labs

Network DDoS Mitigation

[Reference architecture diagram as above, highlighting the network and DNS tier]

NETWORK KEY FEATURES

• The network tier at the perimeter is layer 3 and 4 network firewall services

• Simple load balancing to a second tier

• IP reputation database

• Mitigates transient and low-volume attacks

Demo TCP SYN Flood - SYN Cookies

[Diagram: the original SYN is transformed into a cookie and sent back to the client in the SYN-ACK; no flow table entry exists yet. The flow table entry is created and inserted only on receipt of the client's ACK packet, at which point the connection is established.]
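As an added example (not from the presentation), a Python model of the SYN-cookie handshake shown above: the SYN creates no flow-table state, the SYN-ACK sequence number carries a keyed cookie, and only an ACK with a valid cookie creates the entry. The bit layout, secret and MSS table are assumptions made for this example.

```python
import hashlib
import hmac
import socket
import struct
import time

# Constructed secret for this example; a real device keeps and rotates its own.
SECRET = b"example-syn-cookie-secret"

# The client's MSS is rounded down to one of these so it fits into 2 cookie bits.
MSS_TABLE = (536, 1300, 1440, 1460)


def addr(ip, port):
    """(packed IPv4, port) tuple used as one end of a flow."""
    return (socket.inet_aton(ip), port)


def _mac(src, dst, count):
    """Keyed 24-bit hash over the 4-tuple and the coarse time counter."""
    msg = struct.pack("!4sH4sHI", src[0], src[1], dst[0], dst[1], count)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def _mss_index(mss):
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if mss >= value:
            idx = i
    return idx


def _counter(now):
    """5-bit counter advancing every 64 s (layout assumed for this example)."""
    return int(now // 64) & 0x1F


def make_cookie(src, dst, client_isn, mss, now):
    """The SYN-ACK sequence number that carries the would-be flow state:
    bits 31-27 counter, bits 25-24 MSS index, bits 23-0 MAC + client ISN (mod 2^24)."""
    count = _counter(now)
    low = (_mac(src, dst, count) + client_isn) & 0xFFFFFF
    return (count << 27) | (_mss_index(mss) << 24) | low


def check_cookie(src, dst, client_isn, cookie, now, max_age=1):
    """Return the recovered MSS if the cookie is genuine and fresh, else None."""
    count = cookie >> 27
    if ((_counter(now) - count) & 0x1F) > max_age:   # stale: replayed old cookie
        return None
    expected = (_mac(src, dst, count) + client_isn) & 0xFFFFFF
    if (cookie & 0xFFFFFF) != expected:                # forged or different 4-tuple
        return None
    return MSS_TABLE[(cookie >> 24) & 0x3]


def process_syn(flow_table, src, dst, client_isn, mss, now):
    """SYN in SYN-cookie mode: nothing is stored; the cookie goes back in the SYN-ACK."""
    return make_cookie(src, dst, client_isn, mss, now)


def process_ack(flow_table, src, dst, client_isn, ack_num, now):
    """Third packet: only a valid cookie (ack - 1) creates the flow-table entry."""
    mss = check_cookie(src, dst, client_isn, ack_num - 1, now)
    if mss is None:
        return False
    flow_table[(src, dst)] = {"state": "ESTABLISHED", "mss": mss}
    return True


def syn_flood(flow_table, dst, count, now):
    """Constructed flood of SYNs from spoofed sources that never ACK; returns count."""
    for i in range(count):
        process_syn(flow_table, addr("198.51.100.%d" % (i % 254 + 1), 1024 + i), dst, i, 1460, now)
    return count


if __name__ == "__main__":
    vs, client, table, now = addr("10.1.10.80", 80), addr("10.1.10.100", 40000), {}, time.time()
    syn_flood(table, vs, 10000, now)
    cookie = process_syn(table, client, vs, 12345, 1460, now)
    process_ack(table, client, vs, 12345, cookie + 1, now + 1)
    print("flow entries after 10000 spoofed SYNs and one real handshake:", len(table))
```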

Demo TCP SYN Flood - Topology and initial configuration

• TMOS version 12.1

• Virtual Server: listening on port 80; type: Performance L4 (to start with); no HTTP profile (to start with)

• Pool members: 3 x Apache servers listening on port 80

[Topology: attacker (.200) and user (.100) on 10.1.10/24; BIG-IP virtual server .80:80; application servers .11, .12 and .13 on 10.1.20/24]

Demo TCP SYN Flood - Start the attack

Demo TCP SYN Flood - Attack Mitigated

Demo TCP SYN Flood - AFM signatures mitigation

Network DDoS Mitigation - AFM (Advanced Firewall Manager)

[Diagram: AFM in the data center firewall role between users and app servers, alongside application security, access security, DNS security, network DDoS and classic servers]

• Built on the market-leading Application Delivery Controller (ADC)

• Consolidates multiple appliances to reduce TCO

• Protects against L2-L4 attacks with the most advanced full proxy architecture

• Delivers over 110 vectors and more hardware-based DoS vectors than any other vendor

• Ensures performance while under attack - scales to 7.5M CPS, 576M CC, 640 Gbps

• Offers a foundation for an integrated L2-L7 application delivery firewall platform

Network DDoS Mitigation - AFM: Stateless DDoS Mitigation - L2-L4 stateless DoS vectors

[Screenshot: DoS categories and DoS vectors, each with three thresholds]

• When to report an attack: Detection Threshold as an absolute number in PPS

• When to report an attack: Detection Threshold as a relative percent increase in PPS

• When to mitigate an attack: Mitigation Threshold as an absolute number in PPS
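An added example, not from the presentation, of how the three thresholds on this screen combine for one vector: a constructed stream of per-second packet rates is classified as normal, detected (absolute or relative) or mitigating, and the excess over the mitigation threshold is counted as dropped. The baseline-learning method and the sample values are assumptions for the example.

```python
from collections import deque


class DosVector:
    """One L2-L4 stateless DoS vector with the three thresholds from the AFM
    screen: detection as an absolute PPS, detection as a relative percent increase
    over the learned baseline, and mitigation as an absolute PPS."""

    def __init__(self, name, detect_pps, detect_pct, mitigate_pps, window=60):
        self.name = name
        self.detect_pps = detect_pps
        self.detect_pct = detect_pct
        self.mitigate_pps = mitigate_pps
        self.history = deque(maxlen=window)   # recent per-second samples (clean traffic only)

    def baseline(self):
        """Average PPS of the recent non-attack samples (assumed learning method)."""
        return sum(self.history) / len(self.history) if self.history else 0.0

    def evaluate(self, pps):
        """Classify one per-second sample and return what the device would report/do."""
        base = self.baseline()
        reasons = []
        if pps >= self.detect_pps:
            reasons.append("absolute")
        if base > 0 and pps >= base * (1 + self.detect_pct / 100.0):
            reasons.append("relative")
        mitigating = pps >= self.mitigate_pps
        # Only clean samples feed the baseline, so an attack cannot raise it.
        if not reasons and not mitigating:
            self.history.append(pps)
        dropped = pps - self.mitigate_pps if mitigating else 0   # rate-limited excess
        state = "mitigating" if mitigating else ("detected" if reasons else "normal")
        return {"vector": self.name, "pps": pps, "baseline": round(base, 1),
                "state": state, "reasons": reasons, "dropped": dropped}


def run_samples(vector, samples):
    """Feed a series of per-second PPS counts; return the list of verdicts."""
    return [vector.evaluate(p) for p in samples]


if __name__ == "__main__":
    icmp = DosVector("icmp-flood", detect_pps=1000, detect_pct=500, mitigate_pps=5000)
    # Constructed series: 10 s of 100 pps, then a relative spike, a flood, and recovery.
    for verdict in run_samples(icmp, [100] * 10 + [800, 6000, 1200, 100]):
        print(verdict)
```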

Demo Different Network DDoS Attacks - Topology and initial configuration

• TMOS version 12.1

• Virtual Server: listening on all ports; type: Standard; TCP profile: tcp-lan-optimized on the outside interface

• Pool members: 1 x server listening on different ports

[Topology: attacker (.200) and user (.100) on 10.1.10/24; BIG-IP virtual server .80 on all ports; server .11 on 10.1.20/24]

Demo Different Network DDoS Attacks - Start the attack

Demo Different Network DDoS Attacks - Attacks mitigated

Network DDoS Mitigation - Dynamic Endpoint Visibility & Enforcement - IP Intelligence service

F5 IP Intelligence Service

• Dynamic feed updated every 5 minutes

• Applied at virtual-server level

• 9 pre-defined categories of malicious IPs/subnets

• Customizable per-category actions (Accept, Warn, Reject)

• Policy name (attachable to a Virtual Server)

Network DDoS Mitigation - AFM: Dynamically update security logic

Maintain a current IP reputation database that allows you to automatically mitigate traffic from known bad or questionable IP addresses.

F5 IP INTELLIGENCE SERVICES

• Dynamic services feeds updated frequently

• Policy attached to global, route-domain or VS contexts

• Categorize IP/subnet by attack type

• Customizable actions per attack type category (i.e., Accept, Warn, Alert)

• Create multiple customizable IP feeds

DYNAMIC IP BLACK LISTS & WHITE LISTS

• Create IP black lists and white lists that override IP intelligence services

• Merge multiple sources into 1 feed or enforcement policy

• HTTP/S & FTP polling methods

• User-defined categories

• Support for IPv6 and IPv4

Session (DNS) DDoS Mitigation

DNS DDoS Attacks

Why is DNS popular for DDoS?

• Widely used protocol, open on FWs, open recursion

• DNS is based on UDP

• DNS DDoS often uses spoofed sources

• Large amplification factor (100x) - using open resolvers or the ANY type against an authoritative NS

Traditional mitigations are failing

• Using an ACL blocks legitimate clients

• DNS attacks use massive volumes of source addresses, breaking many firewalls

Denial of Service attacks targeting DNS infrastructure are often complex, and standard tools cannot provide an adequate response to mitigate them without inhibiting the ability of DNS to do its job.

DNS DDoS Attacks - DNS UDP Flood

Synopsis: many attackers or botnets flood an authoritative name server, attempting to exceed its capacity. Dropped responses = reduced or no site availability.

[Diagram: DNS requests flood the target DNS infrastructure; DNS responses are dropped]

Mitigation – PERFORMANCE, PERFORMANCE, ...

• F5 offers exceptional DNS capacity, over 2M RPS in the case of an appliance and over 20M RPS for a chassis. Additionally, Rapid Response Mode can be used to double this during the attack.

• Identify unusually high traffic patterns to specific clients using F5 DNS DDoS Profiles - ICSA-certified FW with support for 30+ DDoS vectors

• Use DNS Anycast to distribute the load between regional DCs

DNS DDoS Attacks - DNS Amplification & NSQUERY

Synopsis: by spoofing a UDP source address, attackers can target a common source. By requesting large record types (ANY, DNSSEC, etc.), a 36 byte request can result in a response over 100 times larger.

[Diagram: small DNS requests with a spoofed source produce large DNS responses directed at the target site]

Mitigation

• DNS request type validation – force TCP in case of type ANY

• BIG-IP supports DNS type ACLs - filters for acceptable DNS query types

• Identify unusually high traffic patterns to specific clients or from specific sources via DNS DoS Profiles and apply mitigations

• Drop all unsolicited responses (BIG-IP's default behavior)

DNS DDoS Attacks - NXDOMAIN Random Hostname Attack

• Querying for randomly-generated non-existent hostnames

• Causes enormous work on the DNS resolver

• Blows out DNS caches

• Easy to generate – single packet per name

• Easy to spoof source address – UDP

• Asymmetric

• Low-bandwidth
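As an added example (not part of the deck), detection logic for this attack run over constructed resolver log lines: a client whose answers within a time window are mostly NXDOMAIN for random-looking leftmost labels is flagged. The log format, window and thresholds are assumptions for the example.

```python
import math
from collections import defaultdict

# Constructed resolver log for this example: "<epoch> <client> <qname> <qtype> <rcode>".
SAMPLE_LOG = """\
1488963600 10.1.10.100 www.example.net A NOERROR
1488963601 10.1.10.100 mail.example.net MX NOERROR
1488963602 10.1.10.100 cdn.example.net AAAA NOERROR
1488963603 10.1.10.100 typo.examlpe.net A NXDOMAIN
1488963600 10.1.10.200 x7q2k9fz.example.net A NXDOMAIN
1488963600 10.1.10.200 p0vm3t8ra1.example.net A NXDOMAIN
1488963600 10.1.10.200 z2k8w4nq.example.net A NXDOMAIN
1488963601 10.1.10.200 hq91tb6s.example.net A NXDOMAIN
1488963601 10.1.10.200 c4r7y0lm2.example.net A NXDOMAIN
1488963601 10.1.10.200 v8j3n1kd.example.net A NXDOMAIN
1488963602 10.1.10.200 m5t2x9qb.example.net A NXDOMAIN
1488963602 10.1.10.200 k1p7d4wz.example.net A NXDOMAIN
"""


def label_entropy(label):
    """Shannon entropy (bits per character) of a label; random strings score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse the constructed log format into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode = line.split()
        rows.append({"ts": int(ts), "client": client, "qname": qname.lower(),
                     "qtype": qtype, "rcode": rcode})
    return rows


def nxdomain_offenders(rows, window=60, min_queries=5, min_ratio=0.8, min_entropy=2.5):
    """Per client and per time window: flag when most answers are NXDOMAIN and the
    leftmost labels look random (the thresholds are assumptions for this example)."""
    buckets = defaultdict(list)
    for r in rows:
        buckets[(r["client"], r["ts"] // window)].append(r)
    flagged = {}
    for (client, _), queries in buckets.items():
        if len(queries) < min_queries:
            continue
        nx = [q for q in queries if q["rcode"] == "NXDOMAIN"]
        ratio = len(nx) / len(queries)
        entropy = sum(label_entropy(q["qname"].split(".")[0]) for q in nx) / max(len(nx), 1)
        if ratio >= min_ratio and entropy >= min_entropy:
            flagged[client] = {"queries": len(queries), "nxdomain_ratio": round(ratio, 2),
                               "avg_label_entropy": round(entropy, 2)}
    return flagged


if __name__ == "__main__":
    for client, info in nxdomain_offenders(parse_log(SAMPLE_LOG)).items():
        print(client, info)
```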

Demo DNS Flood - Start the attack

DNS DDoS Mitigation - AFM: DDoS Signatures - Attack mitigated

DNS DDoS Mitigation - AFM: Stateless App. Layer DoS Detection - Application protocol volumetric attack detection: DNS & SIP

• Malformed/protocol violations detection

• DNS DoS detection by query type: when to report an attack - absolute and relative increase detection thresholds

• SIP DoS detection by method: when to report an attack - absolute and relative increase detection thresholds

DNS DDoS Mitigation - AFM: Protocol Security - Application protocol compliance & DNS DoS mitigation

Filter by DNS query types: a, aaaa, any, cname, mx, ns, ptr, soa, srv, m, px, md, mf, a6, rt, mb, ds, kx, mg, rp, mr, null, wks, dlv, hip, opt, txt, loc, spf, eid, nxt, key, x25, sig, tsig, ata, ixfr, cert, apl, axfr, sink, naptr, isdn, nsec, gpos, dname, nsec3, dhcid, zxfer, rrsig, sshfp, maila, afsdb, tkey, nsec3param, ipseckey, nsap_ptr, nsap, nimloc, dnskey, mailb, hinfo, minfo
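An added example, not F5's code, of the DNS type ACL and "force TCP for ANY" mitigations described in the amplification and protocol-security slides: a minimal parser for the DNS question, an allowed-type list, and an empty TC=1 response for ANY over UDP, with malformed queries dropped as protocol violations. The allowed-type set and the constructed queries are assumptions for the example.

```python
import struct

# Subset of the query types listed above, mapped to their RFC type codes.
QTYPE_BY_NAME = {"a": 1, "ns": 2, "cname": 5, "soa": 6, "ptr": 12, "hinfo": 13,
                 "mx": 15, "txt": 16, "aaaa": 28, "srv": 33, "any": 255}
QTYPE_NAME = {code: name for name, code in QTYPE_BY_NAME.items()}

# Assumed type ACL for this example: what this listener is willing to answer.
ALLOWED_QTYPES = {"a", "aaaa", "cname", "mx", "ns", "ptr", "soa", "srv", "txt", "any"}

QR, TC, RD = 0x8000, 0x0200, 0x0100


def build_query(name, qtype_name, txid=0x1234):
    """Construct a minimal DNS query (header + one question) for testing."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_BY_NAME[qtype_name], 1)


def parse_query(data):
    """Parse the header and first question; raise ValueError on protocol violations."""
    if len(data) < 12:
        raise ValueError("short header")
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", data[:12])
    if flags & QR:
        raise ValueError("QR bit set on a query")
    if qdcount != 1:
        raise ValueError("qdcount %d" % qdcount)
    labels, pos = [], 12
    while True:
        if pos >= len(data):
            raise ValueError("truncated name")
        n = data[pos]
        if n == 0:
            pos += 1
            break
        if n & 0xC0:                       # pointers (and labels > 63) are not valid here
            raise ValueError("compression pointer in question")
        if pos + 1 + n > len(data):
            raise ValueError("truncated label")
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    if pos + 4 > len(data):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
    return {"id": txid, "flags": flags, "name": ".".join(labels), "qtype": qtype,
            "qclass": qclass, "question": data[12:pos + 4]}


def truncated_response(q):
    """Empty answer with TC=1: a compliant client retries over TCP, which cannot be
    source-spoofed, so the reflection/amplification path is closed for that query."""
    flags = QR | TC | (q["flags"] & RD)
    return struct.pack("!HHHHHH", q["id"], flags, 1, 0, 0, 0) + q["question"]


def decide(data, transport="udp"):
    """Return (action, reason, response): 'drop' for malformed queries or types outside
    the ACL, 'truncate' for ANY over UDP (force TCP), otherwise 'allow'."""
    try:
        q = parse_query(data)
    except ValueError as exc:
        return "drop", "protocol violation: %s" % exc, None
    name = QTYPE_NAME.get(q["qtype"])
    if name not in ALLOWED_QTYPES:
        return "drop", "qtype %d not in type ACL" % q["qtype"], None
    if name == "any" and transport == "udp":
        return "truncate", "ANY over UDP forced to TCP", truncated_response(q)
    return "allow", "%s %s" % (name.upper(), q["name"]), None


if __name__ == "__main__":
    for qt in ("a", "any", "hinfo"):
        print(qt, decide(build_query("example.net", qt))[:2])
```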

Session (SSL) DDoS Mitigation

SSL DDoS Mitigation - F5 Reference Architecture

[Reference architecture diagram as above, highlighting the application tier]

APPLICATION KEY FEATURES

• Application-aware, CPU-intensive defense mechanisms

• SSL termination

• Web application firewall

• Mitigate asymmetric and SSL-based DDoS attacks

Demo SSL Renegotiation - Start the attack

Demo SSL Renegotiation – Attack mitigated - LTM: SSL Profile

Application DDoS Mitigation

Application DDoS Mitigation - F5 Reference Architecture

[Reference architecture diagram as above, highlighting the application tier]

APPLICATION KEY FEATURES

• Application-aware, CPU-intensive defense mechanisms

• SSL termination

• Web application firewall

• Mitigate asymmetric and SSL-based DDoS attacks

Application DDoS Mitigation - ASM (Application Security Manager) - Layer 7 HTTP/S DoS attack protection

▪ Guards against RPS (TPS) and latency-based anomalies

▪ Provides predictive indicators

▪ Supports IP, geolocation, URL and site-wide detection criteria

▪ Provides heavy URL protection

▪ Protects against threats proactively

▪ Simplified reports access and added qkView violations export support

▪ Advanced prevention techniques: Client Side Integrity Defense, CAPTCHA (HTML or JS response), Source IP Blocking, Geolocation blacklisting

Demo Application DDoS Attacks - Topology and initial configuration

• TMOS version 12.1

• Virtual Server: listening on port 80; type: Performance L4 (to start with); no HTTP profile (to start with)

• Pool members: 3 x Apache servers listening on port 80

[Topology: attacker (.200) and user (.100) on 10.1.10/24; BIG-IP virtual server .80:80; application servers .11, .12 and .13 on 10.1.20/24]

Application DDoS Attacks - HTTP Slow (Low Bandwidth)

• Slow HEADERS (Slowloris) – opening HTTP connections to a web server and then sending just enough data in an HTTP header (typically 5 bytes or so) every 299 seconds to keep the connections open. Slow headers is an attack that very slowly sends an HTTP request. The request headers are sent so slowly that all available server connections are tied up waiting for the slow request to complete. Slowloris achieves denial of service with just 394 open connections for a typical Apache 2.

Demo Slow HEADERS - Start the attack

• Send the command:

slowhttptest -H -c 3000 -i 10 -r 50 -u http://10.1.10.80/ &

• …. website is down!


Demo Slow HEADERS - LTM: Standard Virtual Server with HTTP Profile

• LTM can protect the Apache servers by preventing the Slow Headers attack from ever reaching them. A Standard Virtual Server with an HTTP profile does not open the server-side connection until the full HTTP request is received. Since the attack never completes the HTTP request, the attack is never propagated to the servers.

https://support.f5.com/kb/en-us/solutions/public/8000/000/sol8082.html#standard

Demo Slow HEADERS - AFM: Not only Network DDoS protection

DoS enhancements and new vectors: AFM delivers increased effectiveness of DoS vectors by enhancing vectors to provide greater coverage, introducing new vectors, providing more hardware-based vectors, and improving overall DoS logging. Version 12.0 also provides Sweeper enhancements to Slowloris, Bias Idle Cleanup and Reporting.

Application DDoS Attacks - HTTP Slow (Low Bandwidth)

• Slow POST (R.U.D.Y.) - Like Slowloris, Slow POST uses a slow, low-bandwidth approach, but instead of sending an HTTP header it begins an HTTP POST command and then feeds in the payload of the POST data very, very slowly. Slow POST is an attack that sends the initial POST request, and attempts to send each additional piece of POST data in subsequent packets very slowly. Since the initial POST completes, LTM creates the connection to the web server. Since the POST data is very slow to complete, all the available connections are tied up again...

Demo Slow POST - Start the attack

• Send the command:

slowhttptest -B -c 3000 -i 20 -r 50 -u http://10.1.10.80/ &

• …. website is down!


Demo Slow POST - ASM: Deployment Policy

• ASM deployment steps (shortened): you can use Rapid Deployment, then Apply!

Demo Slow POST - ASM Protection

• ASM can protect against Slow POST attacks just by being applied to the virtual server. The policy does NOT need to be in blocking mode. Since ASM must protect itself from slow connections, it will also protect the virtual server by limiting the number of slow connections allowed. The number of allowed connections per TMM is configurable.

• Security > Options > Application Security > Advanced Configuration > System Variables

• When this protection kicks in, ASM will log to /var/log/asm:
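Added example (not the deck's or F5's code) of the behaviour the Slow HEADERS and Slow POST slides rely on: a full proxy that releases a request to the pool only once the headers and the Content-Length body are complete, plus a slow-connection budget in the spirit of ASM's configurable per-TMM limit. The timings, the limit and the constructed connections are assumptions for the example.

```python
def complete_request(buf):
    """Return the full request bytes once the headers and the Content-Length body
    have arrived, else None (the full proxy keeps buffering on the client side)."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None
    length = 0
    for line in buf[:end].decode("latin-1").split("\r\n")[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == "content-length":
            length = int(value.strip())
    body_start = end + 4
    if len(buf) - body_start < length:
        return None
    return buf[:body_start + length]


class FullProxyGate:
    """Models a standard virtual server with an HTTP profile plus a slow-connection
    budget like the per-TMM limit described above (values here are assumptions)."""

    def __init__(self, slow_after=10.0, max_slow=100):
        self.slow_after = slow_after
        self.max_slow = max_slow
        self.conns = {}        # cid -> {"buf", "opened", "last"}
        self.forwarded = []    # (cid, request) released to a pool member
        self.reset = []        # cids torn down by the slow-connection budget

    def open(self, cid, now):
        self.conns[cid] = {"buf": b"", "opened": now, "last": now}

    def data(self, cid, chunk, now):
        conn = self.conns[cid]
        conn["buf"] += chunk
        conn["last"] = now
        req = complete_request(conn["buf"])
        if req is None:
            return "buffered"          # nothing has been opened toward the server
        self.forwarded.append((cid, req))
        del self.conns[cid]
        return "forwarded"

    def sweep(self, now):
        """Periodic sweeper: count connections incomplete for too long and reset the
        oldest ones beyond the budget. Returns the slow-connection count afterwards."""
        slow = sorted((c["opened"], cid) for cid, c in self.conns.items()
                      if now - c["opened"] >= self.slow_after)
        while len(slow) > self.max_slow:
            _, cid = slow.pop(0)
            del self.conns[cid]
            self.reset.append(cid)
        return len(slow)


def simulate(max_slow=2):
    """Constructed scenario: one real client, three slow-header connections and one
    slow-POST connection, all toward the same virtual server."""
    gate = FullProxyGate(slow_after=10.0, max_slow=max_slow)
    gate.open("user", 0.0)
    gate.data("user", b"GET / HTTP/1.1\r\nHost: 10.1.10.80\r\n\r\n", 0.1)
    for i in range(3):                      # slow headers: header never terminated
        gate.open("slowloris-%d" % i, 1.0 + i)
        gate.data("slowloris-%d" % i, b"GET / HTTP/1.1\r\nHost: 10.1.10.80\r\nX-a: ", 1.0 + i)
    gate.open("rudy", 5.0)                  # slow POST: headers complete, body dribbles in
    gate.data("rudy", b"POST /login HTTP/1.1\r\nHost: 10.1.10.80\r\nContent-Length: 1000\r\n\r\n", 5.0)
    for t in range(10, 40, 10):             # one byte per connection every 10 s
        for i in range(3):
            if "slowloris-%d" % i in gate.conns:
                gate.data("slowloris-%d" % i, b"b", float(t))
        if "rudy" in gate.conns:
            gate.data("rudy", b"a", float(t))
    slow_now = gate.sweep(40.0)
    return gate, slow_now


if __name__ == "__main__":
    gate, slow_now = simulate()
    print("forwarded:", [cid for cid, _ in gate.forwarded])
    print("reset by budget:", gate.reset, "still slow:", slow_now)
```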

Application DDoS Attacks - HTTP Slow (Low Bandwidth)

• Slow READ - Slow Read is an attack that sends a normal request for an HTTP page. The attacker then accepts the site data with a very small TCP window. Upon receiving the first packet of data, the attacker typically sends back a TCP window size of zero in the acknowledgement. Since the server received a zero window from the client, it will wait to send more data, holding open the TCP connection. Once enough zero-window clients have attached to the server, it is unable to accept new clients. Since this behavior is RFC compliant (it rarely happens in normally functioning networks, though), it is difficult for the F5 to distinguish an attacker from a real slow client. There are a few ways to protect against these types of attacks.

Demo Slow READ - Start the attack

• Send the command:

slowhttptest -X -c 3000 -i 10 -r 50 -u http://10.1.10.80/ &

• …. website is down!


Demo Slow READ - ASM: DDoS Profile Defense for browser applications

• Proactive Bot Defense: many DDoS attacks are simple scripts or programs with very little logic. They exploit the known behaviors of the application to prevent normal users from accessing the data. Proactive Bot Defense challenges the client to perform some data manipulation using JavaScript. Since many scripts are unable to parse and perform the JavaScript challenge, they are denied access. Proactive Bot Defense should only be used when you know the normal clients are able to accept JavaScript. All modern browsers can pass this challenge.

• Client Side Integrity Defense: similar to Proactive Bot Defense, Client Side Integrity Defense challenges the client with JavaScript. It differs in that it only challenges clients based upon the criteria set within a DDoS profile.

• Captcha: during an attack, clients can be forced to pass a Captcha challenge. This Captcha challenge must be passed before the server data is requested and passed to the client.

• These protections are configured as DDoS profiles and applied to a virtual server.

Demo Slow READ - ASM: TPS-Based Detection & Prevention

Demo Slow READ - ASM: DDoS Profile Defense for browser applications

• DoS Protection Profile: apply the DDoS profile to the Virtual Server

Demo Slow READ - ASM: Client-side Integrity Defense

[Diagram: a user's browser and a web bot each request a page]

Client: Hey server, can I get the web page?

ASM: No, you are sending too many requests. Are you a browser?

Browser: Yes, I'm a browser (solves the JavaScript challenge)

ASM: OK, you are allowed. Here is the web page you asked for.

Web bot: *^lkjdfg@#$ (cannot solve the challenge)

ASM: Bye bye – blocked

Demo Slow READ - ASM: Captcha

• Ultimate solution for identifying human or bot

• Send a challenge to every IP that reached the IP detection criteria thresholds

Note: some argue that CAPTCHA is not good for usability, because a user who gets a CAPTCHA from his online shop (or similar) will not stay.

Application DDoS Attacks - HTTP Flood

• Unlike most simple network attacks, which overwhelm computing resources with invalid packets, HTTP flood attacks look like real HTTP web requests.

• To conventional firewall technology, these requests are indistinguishable from normal traffic.

• Two main variations:

• Basic HTTP flood, which merely repeats the same request over and over again. Easy to detect and mitigate.

• Advanced HTTP flood attack with a recursive-GET denial of service. Clients using this attack request the main application page, parse the response, and then recursively request every object at the site. Difficult to detect and mitigate.

Demo HTTP Flood - Start the attack

• LOIC (Low Orbit Ion Cannon)

• Launch from many sources and.... website will be down!

Demo HTTP Flood - Attack mitigated

Application DDoS Mitigation - ASM: Heavy URL Mitigation

When any URL-based mitigation is active, the heavy URLs that were detected receive this mitigation.

Application DDoS Mitigation - ASM: Heavy URL Mitigation - Heavy URL configuration

Automatically measures latency on URLs for 24 hours and decides which ones are heavy.

Application DDoS Mitigation - ASM: Heavy URL Reporting

New anti-DDoS features 12.1

New DDoS Features in TMOS 12.1

• BGP Black-Hole DoS protection (RTBH)

• Automatic DDoS vector thresholds

• Behavioral analysis DDoS (BADOS)

• BIG-IP/DHD Silverline signalization

New DDoS Features in TMOS 12.1 - RTBH

• RTBH (Remotely Triggered Black-Hole): route injection instructs upstream network devices to drop certain flows at the edge of the network.

• RTBH belongs to AFM, so AFM must be provisioned to configure this feature.

• When you configure settings for DDoS vectors in AFM, you can find the column 'Bad actors'; instead of rate-limiting them you can block them - this is 'IP Shunning'.

• On top of this we can configure RTBH and signal this information to upstream routers.

• AFM IP Intelligence (IPI) can now instruct the IP network within the local Autonomous System (AS) to "black-hole" source or destination addresses which have been blacklisted.

• ARM (Advanced Routing) belongs to AFM: every time you provision AFM, the Advanced Routing license is enabled as well. ARM is also included in DHD.

New DDoS Features in TMOS 12.1 - BADOS – Why?

Today:

• Configuration

• Tune and maintain

• Impact leads to mitigate

• React to 0-day

• Static – automatic

• Impacts the good

• Uses wisdom of IT

BADOS:

• Hands free

• Unsupervised

• Predictive

• 0-day capable

• Improves with time (experience)

• Minimal impact on good guys

• Uses wisdom of the crowd

New DDoS Features in TMOS 12.1 - BADOS – Why?

• 3 modes of detection and prevention:

• Conservative: slows down & rate-limits bad actors (attackers)

• Standard: like conservative, but may rate-limit all requests based on the server's health

• Aggressive: like standard, but proactively performs all protection actions (proactive mitigation until health is restored)

New anti-DDoS features 13.0

New DDoS Features in TMOS 13.0 - ASM Auto Thresholding (for TPS-based Detection)

New DDoS Features in TMOS 13.0 - BADOS Improvements

New DDoS Features in TMOS 13.0 - Proactive Bot Defense Reporting

New DDoS Features in TMOS 13.0 - DoS Reporting Redesign

Security > Reporting > DoS > Visibility > Dashboard

DDoS and Application Attacks Mitigation – iRules

DDoS and Application Attacks Mitigation - iRules - Slow HEADERS (Slowloris) defense

DDoS and Application Attacks Mitigation - iRules - Slow POST (R.U.D.Y.) defense

DHD (DDoS Hybrid Defender)

DHD – Configure and play

DHD – Simplified configuration

[Diagram: a Protected Object (1) references a DDoS profile, a Log profile and a Protocol profile (2), plus VLAN/network info, action and deployment model; a Virtual Server (3) references the same DDoS, log and protocol profiles]

DHD - Out-of-band TAP

[Diagram: the edge router and access router carry Rx/Tx traffic to the apps; a tap VLAN mirrors packet data to DHD, which performs attack detection with visibility via AVR]

• Avoid single point of failure network scenario

• Identify DDoS attacks (L3/4, SIP, DNS) via mirrored packets

• No need to reconfigure network

• No single point of failure

• Visibility

• RTBH with upstream router

• Signal to Silverline

• Simplified and easy POC

• Visibility via AVR

DHD - Out-of-band Netflow/IPFIX

[Diagram: the DDoS platform sits beside the edge network and access network; a tap VLAN delivers flow data for attack detection and inspection, attack traffic is steered to the DDoS platform over a SCRUB VLAN, and clean traffic is returned]

• Avoid single point of failure network scenario

• Doesn't want to inspect/scrub all traffic

• Identify DDoS attacks via Netflow, IPFIX data

• Ease of deployment

• No single point of failure

• Significant cost efficiencies

• Steer traffic to a local scrubber

• Share attacked IP(s) with Silverline

• Simplified and easy POC

• Visibility via AVR

DHD – AFM DoS "Overview" Page: 13.x

[Screenshot, annotated:]

• Choose a context: Current Attacks, Device, Single Profile or VS

• Choose a filter (optional): limit by vector name or P.O. name

• View status of current attacks

• View current traffic statistics: total packets, dropped packets

• View current configuration: manual vs. auto-mode, aggregate & SrcIP limits

• Modify configuration settings without navigating to a new page; same interface as the Profile page

DHD Demo – Slow POST (Application) DDoS Attack mitigated by DHD

• TMOS version 12.1

• DHD operates in transparent mode

• BADOS (Behavioral DoS) protection enabled

• Protected Object: listening on port 443 (HTTPS)

[Topology: attacker (.200) and user (.100); DHD platform in line; protected server .11:443 and unprotected server .12:443 on 10.1.20.0/24]

DHD Demo – Slow POST (Application) DDoS Attack mitigated by DHD

• slowhttptest -B -c 3000 -i 20 -r 50 -u https://10.1.20.11/

Slow POST (R.U.D.Y.) - Like Slowloris, uses a slow, low-bandwidth approach, but instead of sending an HTTP header, it begins an HTTP POST command and then feeds in the payload of the POST data very, very slowly. Slow POST is an attack that sends the initial POST request, and attempts to send each additional piece of POST data in subsequent packets very slowly. Since the POST data is very slow to complete, all the available connections are tied up again.

F5 Silverline DDoS Protection

DDoS Attacks Size

[Pie chart: attack size bands 0.5-1 Gbps, 1-10 Gbps, 10-50 Gbps, over 50 Gbps and unknown; shares shown 24%, 38%, 20%, 6% and 12%]

F5 Silverline - 3 Cloud-based Security Services

F5 Silverline - Global Coverage

Global Coverage: fully redundant and globally distributed data centers worldwide in each geographic region

• San Jose, CA US

• Ashburn, VA US

• Frankfurt, DE

• Singapore, SG

Industry-Leading Bandwidth

• Attack mitigation bandwidth capacity over 2.0 Tbps

• Scrubbing capacity up to 1.0 Tbps (with upstream ACLs)

• Guaranteed bandwidth with Tier 1 carriers

24/7 Support: F5 Security Operations Center (SOC) in Seattle, staffed 24x7x365 with security experts for DDoS Protection and WAF. Warsaw is staffed for Websafe.

• SOC: Seattle, WA US

• SOC: Warsaw, Poland

• Monitoring and mitigating attacks while reducing false positives requires a 24/7 staff of skilled DDoS analysts

• Full provisioning and configuration

• Proactive alert monitoring

• Identification and inspection of attacks

• Custom and script mitigation

• Service level agreements: time to notify, mitigate, escalate

Availability & Support: Tier II DDoS Analysts and above, active DDoS threat monitoring, Security Operations Center (SOC)

F5 Silverline - Security Operations Center: Outsourcing DDoS monitoring and mitigation

© F5 Networks, Inc 108

Cloud scrubbing (diagram): traffic from legitimate users, scanners, anonymous proxies, anonymous requests, botnet attackers and DDoS attackers, augmented by a threat intelligence feed, enters via a multiple-ISP strategy (ISP a/b) and passes through the Cloud Scrubbing Service before reaching the customer network (IPS, Next-Generation Firewall, corporate users, the strategic point of control) and the applications behind it (financial services, e-commerce, subscriber).

Cloud Scrubbing Service: volumetric attacks and floods, operations center experts, L3-7 known signature attacks

Network and DNS:

• Network attacks: ICMP flood, UDP flood, SYN flood

• DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning

Application:

• HTTP attacks: Slowloris, slow POST, recursive POST/GET

• SSL attacks: SSL renegotiation, SSL flood

CLOUD KEY FEATURES

• Real-time volumetric DDoS attack detection and mitigation in the cloud

• Multi-layered L3-L7 DDoS attack protection

• 24x7 expert SOC services

• Transparent attack reporting via F5 customer portal

F5 Silverline DDoS Protection - Cloud-based Scrubbing Center

© F5 Networks, Inc 109

Scrubbing Center (diagram): an Inspection Plane (inspection toolsets, traffic actioner, route management, flow collection, portal) and a Data Plane (switching, routing/ACL, network mitigation, proxy mitigation, routing into the customer VRF), with clean traffic returned to the customer over a GRE tunnel, proxy, IP reflection or L2VPN. Netflow and copied traffic feed the inspection plane, BGP signaling steers traffic, and signaling, visibility and management links connect the two planes.

• Switching mirrors traffic to Inspection Toolsets and Routing layer

• Inspection Tools provide input on attacks for Traffic Actioner & SOC

• Traffic Actioner injects routes and steers traffic

• Network Mitigation removes advanced L4 attacks

• Proxy Mitigation removes L7 Application attacks

• Flow collection aggregates attack data from all sources

• Egress Routing returns good traffic back to customer

• Portal provides real-time reporting and configuration

• Ingress Router applies ACLs and filters traffic

Silverline Cloud (DDoS, WAF): volumetric DDoS protection, managed application firewall service, zero-day threat mitigation with iRules

F5 Silverline DDoS Protection - Scrubbing Center Architecture

© F5 Networks, Inc 110

Anycast (diagram): Silverline cloud networks in US West, US East, Europe and Asia receive DDoS attack and legitimate traffic from the Internet at the nearest location, return the legitimate traffic to the customer DC and customer app over GRE tunnels, with response traffic shown flowing back from the customer DC.

Always On: primary protection as the first line of defense. The Always On subscription stops bad traffic from ever reaching your network by continuously processing all traffic through the cloud-scrubbing service and returning only legitimate traffic to your network.

Always Available: primary protection available on-demand. The Always Available subscription runs on stand-by and can be initiated when under attack. Client router monitoring (optional).

Proactive Hybrid: Silverline is always on and the first point of detection and mitigation for volumetric attacks before traffic is passed to the datacenter.

Reactive Hybrid: AFM alerts Silverline and diverts traffic for cloud-based mitigation when the datacenter is under volumetric attack.

F5 Silverline DDoS Protection - Service Options

© F5 Networks, Inc 112

Traffic Steering to Silverline Capabilities

BGP (Border Gateway Protocol) routed mode:

• Asymmetric L3/L4

• Tunnel clean traffic

• Protect entire netblock /24

DNS proxy mode:

• Full proxy (symmetric)

• L7

• SSL termination

• WAF

• Single application (IP)

F5 Silverline DDoS Protection

F5 Silverline Portal

© F5 Networks, Inc 115

• Stats, Visibility, Reporting and Intelligence

• Real time attack view

• Real time mitigation view

• Real time scrubbing & clean traffic view

• Non-Attack (regular) traffic reporting capability

• Instant, downloadable PDF reports

• Secure set up & management of SOC services

• Knowledge base & how-tos

F5 Silverline Portal

https://portal.f5silverline.com

© F5 Networks, Inc 116

• Securely communicate with Silverline SOC experts

• View centralized attack and threat monitoring reports with details including:

• source geo-IP mapping

• blocked vs. alerted attacks

• blocked traffic and attack types

• alerted attack types

• Threats*

• bandwidth used

• hits/sec*

• type of traffic and visits (bots v. humans)*

F5 Silverline Portal - Stats, Visibility, Reporting & Intelligence (F5 Customer Portal: Visibility & Compliance, Attack Reports)

© F5 Networks, Inc 117

F5 Silverline Portal - Stats: Traffic (Post and Pre-Scrubbing)

• Dashboard > Netflow: Traffic, Application, Zones

© F5 Networks, Inc 119

Downloadable PDFs for internal reporting

F5 Silverline Portal - Stats: Attack Reporting

© F5 Networks, Inc 120

Directly manage configuration via customer portal

• Configure Proxy and Routing attributes

• Manage SSL Certificates

• Update White and Black List information

• Check health status of GRE tunnels

• Administer users and roles

• Download reports and view audit history

F5 Silverline Portal - Configuration and Provisioning

© F5 Networks, Inc 121

F5 Silverline Portal - Configuration: Routed mode

© F5 Networks, Inc 122

F5 Silverline Portal - Configuration: Proxy mode

© F5 Networks, Inc 123

F5 Silverline Portal - Configuration: Proxy mode

© F5 Networks, Inc 124

F5 Silverline Portal - Configuration: Proxy mode

© F5 Networks, Inc 125

F5 Silverline Portal - Configuration: Proxy mode

F5 Hybrid Signaling: BIG-IP / DHD and Silverline

© F5 Networks, Inc 127

• New Hybrid DDoS Signaling iApp available for BIG-IP

• DHD can signal to Silverline natively

https://support.f5silverline.com/hc/en-us/sections/205571867-Hybrid-Signaling

F5 Networks Hybrid DDoS Protection - Silverline Signalling

© F5 Networks, Inc 128

• Configure connection to Silverline

F5 Networks Hybrid DDoS Protection - Silverline Signalling for DHD

Conclusion

© F5 Networks, Inc 130

BIG-IP Platform on-premises (Virtual Edition, Appliance, Chassis) and F5 Silverline Cloud Security (Anti-DDoS Managed Service, Web Application Firewall Managed Service): High Performance Security, Simplified Security, Scalable Security

Conclusion: F5 Hybrid Security

© F5 Networks, Inc 131

BIG-IP Platform (Virtual Edition, Appliance, Chassis) with TMOS full proxy: DDoS Protection, App Protection, Network Protection, Web Fraud Protection, SSL Visibility & Protection, DNS Protection, App Access

Conclusion: Rethink…Multi-Layer Security with F5

© F5 Networks, Inc 132

Performance - Minimize business impact from volumetric attacks: up to 640 Gbps; 7.5M CPS; 576M CCS in the datacenter and over 1 Tbps in the cloud

Extensibility - Take immediate action on new DDoS threats: 1,000's of iRules have been written to mitigate traffic based on any type of content data

Protection - Protect against the full spectrum of modern cyber threats and attacks: 100+ DDoS vectors; most advanced app security; 98% of Fortune 1000 trust their traffic to F5

Expertise - Augment resources with F5 security experts: 24x7x365 DDoS support from Security Operations Centers in the US, APAC, and EMEA

Conclusion: Key DDoS Mitigation Values

© F5 Networks, Inc 133

Q & A