Mitigating Security Threats with Fastly - Joe Williams at Fastly Altitude 2015


Published on: Fastly Altitude, June 25, 2015. Joe Williams, Computer Operator at GitHub, discusses using a CDN to mitigate security threats.

Video of the talk:

Joe's bio: Joe Williams is a Computer Operator at GitHub and joined their infrastructure team in August 2013. Joe's passion for distributed systems, queuing theory and automation helps keep the lights on. When not behind a computer you can generally find him riding a bicycle around Marin, CA.


  1. Agenda
     ● Attack vectors
     ● Mitigation techniques
     ● Visibility
     ● Testing
     ● Future work and recommendations
  2. Attack Vectors
     ● JavaScript injection and Layer 7 (HTTP)
     ● Bandwidth amplification (SSDP, DNS, NTP)
     ● SYN flood
       ○ Normal and fat SYNs
     ● HTTP GET flood to HTTPS
     ● UDP flood
     ● Slowloris
     ● Application saturation
     ● Attacks on secondary applications (marketing sites, etc.)
     ● Attacks on your providers (DNS, CDN, etc.)
  3. Mitigation Techniques: "The normal stuff"
     ● BGP based routing and scrubbing providers
     ● Security devices at the edge of your network
     ● Heavy use of haproxy
  4. Mitigation Techniques: Fast edge configuration changes
         /banhammer base 403 add
         /banhammer ip add
         /securitydevice-mitigations start github.com_80
         /scrubbingprovider enable
         /banhammer ua tarpit add bad-ua
  5. Mitigation Techniques: Identify specific attacks at the edge
     ● Example (slowloris): wait up to 10s for the first request bytes, then reject any connection that has still sent nothing, before it ties up an application worker
         acl content_present req_len gt 0
         tcp-request inspect-delay 10s
         tcp-request content accept if content_present
         tcp-request content reject
  6. Mitigation Techniques: Identify human requests at the edge (a browser sends Accept-Language and carries the site's tz cookie; most attack tooling sends neither)
         acl accept_lang hdr(Accept-Language) -m found
         acl timezone_cookie hdr_sub(cookie) tz
  7. Mitigation Techniques: Tuned timeouts
         timeout http-request 15s
         timeout tarpit 30s
         timeout client 35s
         timeout connect 5s
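Slides 4 to 7 show fragments of one edge configuration. As an added illustration, not GitHub's configuration and not code from the talk, the HAProxy frontend below composes them: the slowloris check, IP bans and user-agent tarpits of the kind the /banhammer commands drive, the two "looks like a browser" ACLs, and the tuned timeouts. The frontend and backend names, server addresses, certificate and list-file paths, the HAProxy version (1.6 or later for http-request tarpit) and the idea of routing requests that lack both human signals to a capped pool are all assumptions; the slides show the ACLs, not what is done with them.

```haproxy
# Added example, not GitHub's config: one HAProxy frontend combining slides 4-7.
# Assumptions: HAProxy 1.6+ (http-request tarpit), all paths, names and addresses.
defaults
    mode http
    timeout connect 5s            # slide 7: give up quickly on a dead backend

frontend web_edge
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/site.pem    # path is an assumption
    timeout http-request 15s      # slide 7: the full request header must arrive within 15s
    timeout tarpit 30s            # tarpitted clients are held 30s, then get a 500
    timeout client 35s

    # Slide 5, slowloris: wait up to 10s for request bytes, then drop
    # connections that still sent nothing (they never reach the app).
    acl content_present req.len gt 0
    tcp-request inspect-delay 10s
    tcp-request content accept if content_present
    tcp-request content reject

    # Slide 4, banhammer: ban lists kept in files that can be changed at run
    # time with "add acl"/"del acl" on the stats socket, so no reload is needed.
    acl banned_ip src -f /etc/haproxy/banned_ips.lst
    acl bad_ua    hdr_sub(User-Agent) -i -f /etc/haproxy/bad_uas.lst
    http-request deny if banned_ip        # 403 by default ("banhammer base 403")
    http-request tarpit if bad_ua         # ("banhammer ua tarpit add")

    # Slide 6, human signals: Accept-Language header and the site's tz cookie.
    acl accept_lang     hdr(Accept-Language) -m found
    acl timezone_cookie hdr_sub(cookie) tz
    # Assumption for illustration: requests with neither signal go to a pool
    # whose concurrency is capped, so a flood of them cannot saturate the app.
    use_backend strict_pool if !accept_lang !timezone_cookie
    default_backend app_pool

backend app_pool
    server app1 10.0.0.10:8080 check                  # address is an assumption

backend strict_pool
    server app2 10.0.0.20:8080 check maxconn 50       # cap protects the application
```

In HAProxy, ACL names separated by spaces in an `if` clause are ANDed, so `!accept_lang !timezone_cookie` matches only requests that carry neither signal; on HAProxy 1.5 the tarpit line would be written with `reqitarpit` instead.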
  8. Visibility: Graphs
  9. Visibility: Provider Graphs
  10. Visibility: Logging
     ● Various headers
       ○ user agent, origin, referer, x-requested-with, etc.
     ● Client GeoIP and Autonomous System
     ● GeoIP based on the Fastly-Client-IP header
     ● Fastly resp.http.X-Served-By header
  11. Configuration Testing: Functional integration testing
     ● Edge devices and services
     ● Providers
  12. Configuration Testing: sample run (host names elided on the slide)
         ================ running tests for against ================
         test: [] http port ... OK (2s)
         test: [] ssh port ... OK (2s)
         test: [] https port ... OK (2s)
         test: [] git port ... OK (2s)
         test: [] www redirects to ... OK (0s)
         test: [] redirects to ... OK (0s)
         test: [] redirects to HTTPS ... OK (0s)
         test: [] https redirects to https ... OK (0s)
         test: [] redirects to HTTPS ... OK (0s)
         <snip>
         ================ running tests for against ================
         test: [] negotiates http/1.1 with ALPN ... OK (0s)
         test: [] doesn't negotiate http/1.0 with ALPN ... FAILED (expected)
         test: [] make sure we use good ciphers ... OK (0s)
         test: [] make sure we dont use bad ciphers ... OK (0s)
         test: [] ssl fingerprint check ... OK (0s)
         test: [] make sure we are using the DigiCert High Assurance EV Root CA ... OK (0s)
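Slide 12 shows the output of the edge test suite but not the tests themselves. As an added example, my code rather than the suite from the talk, the POSIX shell script below performs checks of the same kinds with curl and openssl: ALPN negotiation, good and bad cipher acceptance, the expected root CA in the served chain, and redirect targets. The target host, the expected redirect, the cipher deny list, the root CA name and the RUN_EDGE_TESTS switch are assumptions; the parsing helpers are kept separate from the network probes so the evaluation logic can be run on captured tool output.

```shell
#!/bin/sh
# Added example, not GitHub's test suite: edge checks in the spirit of slide 12.
# Assumptions: HOST, EXPECT_WWW, EXPECT_ROOT and the cipher deny list below.
HOST=${HOST:-github.com}
EXPECT_WWW=${EXPECT_WWW:-https://github.com/}        # where http://www.$HOST/ should land
EXPECT_ROOT=${EXPECT_ROOT:-DigiCert High Assurance EV Root CA}
BAD_CIPHER_RE='RC4|DES|NULL|EXP|MD5|^ADH|^AECDH'     # constructed deny list

# ---- pure parsers: tool output on stdin, value on stdout, no network --------

# Negotiated ALPN protocol from "openssl s_client -alpn" output; empty if none.
alpn_of() { sed -n 's/^ALPN protocol: //p' | head -n 1; }

# Negotiated cipher from the SSL-Session block ("    Cipher    : NAME").
cipher_of() { sed -n 's/^ *Cipher *: *//p' | head -n 1; }

# Status code and Location header from "curl -sI" output (CRs stripped).
status_of()   { tr -d '\r' | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p'; }
location_of() { tr -d '\r' | sed -n 's/^[Ll]ocation: //p' | head -n 1; }

# True when a cipher suite name matches the deny list.
bad_cipher() { printf '%s\n' "$1" | grep -Eq "$BAD_CIPHER_RE"; }

# True when a chain from "s_client -showcerts" names the expected root as an
# issuer (servers normally omit the root itself, so the issuer lines are checked).
issued_by_root() { grep -q "^ *i:.*$EXPECT_ROOT"; }

# ---- network probes ----------------------------------------------------------

# One TLS handshake against $HOST; extra s_client flags are passed through.
sclient() {
    openssl s_client -connect "$HOST:443" -servername "$HOST" "$@" </dev/null 2>/dev/null
}

t_alpn_http11()    { [ "$(sclient -alpn http/1.1 | alpn_of)" = "http/1.1" ]; }
t_no_alpn_http10() { [ -z "$(sclient -alpn http/1.0 | alpn_of)" ]; }
t_good_cipher()    { c=$(sclient | cipher_of); [ -n "$c" ] && ! bad_cipher "$c"; }
t_no_bad_cipher()  { ! sclient -cipher 'RC4:DES:EXP:NULL:aNULL' >/dev/null; }  # handshake must fail
t_root_ca()        { sclient -showcerts | issued_by_root; }
t_www_redirect()   { [ "$(curl -sI "http://www.$HOST/" | location_of)" = "$EXPECT_WWW" ]; }
t_http_to_https()  { case "$(curl -sI "http://$HOST/" | location_of)" in https://*) ;; *) false ;; esac; }

# One line per check in the slide's format; non-zero exit if anything failed.
run_all() {
    rc=0
    for t in t_alpn_http11 t_no_alpn_http10 t_good_cipher t_no_bad_cipher \
             t_root_ca t_www_redirect t_http_to_https; do
        if $t; then echo "test: [$HOST] $t ... OK"
        else echo "test: [$HOST] $t ... FAILED"; rc=1; fi
    done
    return $rc
}

# Only touch the network when asked:  RUN_EDGE_TESTS=1 HOST=example.com sh edge_tests.sh
if [ "${RUN_EDGE_TESTS:-0}" = 1 ]; then run_all; fi
```

The "doesn't negotiate http/1.0" check on the slide is marked FAILED (expected); with this script that case is t_no_alpn_http10, which passes only when s_client reports no ALPN protocol, so a deliberately expected failure would be recorded by inverting that one function rather than by ignoring its result.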
  13. Future Work and Recommendations
     ● HTTPS traffic authentication
     ● Multiple CDN providers
     ● Multiple DNS providers
     ● Per service configuration/architecture
       ○ Per service Fastly IP maps
       ○ Per service load balancer groups