Mitigating Security Threats with Fastly - Joe Williams at Fastly Altitude 2015

Fastly Altitude - June 25, 2015. Joe Williams, Computer Operator at GitHub discusses using a CDN to mitigate security threats.

Video of the talk: http://fastly.us/Altitude2015_Mitigating-Security-Threats-2

Joe's bio: Joe Williams is a Computer Operator at GitHub, and joined their infrastructure team in August 2013. Joe's passion for distributed systems, queuing theory and automation help keep the lights on. When not behind a computer you can generally find him riding a bicycle around Marin, CA.

  1. Agenda
     ● Attack vectors
     ● Mitigation techniques
     ● Visibility
     ● Testing
     ● Future work and recommendations
  2. Attack Vectors
     ● JavaScript injection and Layer 7 (HTTP)
     ● Bandwidth amplification (SSDP, DNS, NTP)
     ● SYN flood
       ○ Normal and fat SYNs
     ● HTTP GET flood to HTTPS
     ● UDP flood
     ● Slowloris
     ● Application saturation
     ● Attacks on secondary applications (marketing sites, etc.)
     ● Attacks on your providers (DNS, CDN, etc.)
  3. Mitigation Techniques: “The normal stuff”
     ● BGP based routing and scrubbing providers
     ● Security devices at the edge of your network
     ● Heavy use of haproxy
  4. Mitigation Techniques: Fast edge configuration changes (chat commands)

         /banhammer base 403 add github.com/some/bad/path
         /banhammer ip add 1.1.1.1
         /securitydevice-mitigations start github.com_80
         /scrubbingprovider enable
         /banhammer ua tarpit add bad-ua
  5. Mitigation Techniques: Identify specific attacks at the edge
     ● Example (slowloris), haproxy frontend rules:

         acl content_present req_len gt 0
         tcp-request inspect-delay 10s
         tcp-request content accept if content_present
         tcp-request content reject
  6. Mitigation Techniques: Identify human requests at the edge (haproxy ACLs)

         acl accept_lang hdr(Accept-Language) -m found
         acl timezone_cookie hdr_sub(cookie) tz
  7. Mitigation Techniques: Tuned timeouts (haproxy)

         timeout http-request 15s
         timeout tarpit 30s
         timeout client 35s
         timeout connect 5s
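The slowloris rules, the human-request ACLs and the timeouts appear on slides 5 to 7 as separate fragments, and slide 6 does not show how its two ACLs are actually used. The following frontend is an added example, not GitHub's configuration, that puts the three fragments together in one haproxy (1.5-era syntax) frontend and uses the browser signals to decide who gets tarpitted during a flood on one path. The frontend and backend names, the backend server address, the flooded path and the bad user-agent string are assumptions; the timeout values and the ACL definitions are the slides' own.

```haproxy
# Added example, not GitHub's production configuration. Names, the backend
# address, the flooded path and the bad UA value are placeholders.
frontend github_com_80
    bind :80
    mode http

    # Slide 7: a client must finish sending its request within 15s,
    # tarpitted clients are held for 30s, idle clients are dropped after 35s.
    timeout http-request 15s
    timeout tarpit 30s
    timeout client 35s

    # Slide 5 (slowloris): wait up to 10s for request bytes. Accept as soon
    # as anything arrives; reject connections that sent nothing by the deadline.
    acl content_present req_len gt 0
    tcp-request inspect-delay 10s
    tcp-request content accept if content_present
    tcp-request content reject

    # Slide 6: signals that a real browser is on the other end. Browsers send
    # Accept-Language; the application sets a "tz" cookie that scripts rarely carry.
    acl accept_lang hdr(Accept-Language) -m found
    acl timezone_cookie hdr_sub(cookie) tz

    # Equivalents of the slide-4 chat commands: block a bad path outright and
    # tarpit a bad user agent (held for "timeout tarpit", then answered 500).
    acl bad_path path_beg /some/bad/path
    acl bad_ua hdr_sub(User-Agent) bad-ua
    http-request deny if bad_path
    http-request tarpit if bad_ua

    # During a GET flood on one path, let browser-looking requests through and
    # tarpit the rest instead of denying everything. ACLs on one line are ANDed;
    # "!" negates, so this matches: flooded path AND no Accept-Language AND no tz cookie.
    acl flooded_path path_beg /some/flooded/path
    http-request tarpit if flooded_path !accept_lang !timezone_cookie

    default_backend app

backend app
    mode http
    # Slide 7: give up on an unresponsive origin after 5s rather than queueing.
    timeout connect 5s
    server app1 10.0.0.10:80 check
```

Tarpitting rather than denying matters for two reasons: a held connection costs the attacker a slot for 30s, and a legitimate non-browser client (an API script without Accept-Language, say) is delayed rather than cut off. Validate the file with `haproxy -c -f` before reloading; a typo in an ACL name is a silent no-op only in the sense that haproxy refuses to start.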
  8. Visibility: Graphs
  9. Visibility: Provider Graphs
  10. Visibility: Logging
      ● Various headers
        ○ user agent, origin, referer, x-requested-with, etc.
      ● Client GeoIP and Autonomous System
      ● GeoIP based on Fastly-Client-IP header
      ● Fastly resp.http.X-Served-By header
  11. Configuration Testing: Functional integration testing
      ● Edge devices and services
      ● Providers
  12. Configuration Testing (sample test run)

          ================ running tests for github.com against 127.0.0.100 ================
          test: [github.com] http port ... OK (2s)
          test: [github.com] ssh port ... OK (2s)
          test: [github.com] https port ... OK (2s)
          test: [github.com] git port ... OK (2s)
          test: [github.com] www redirects to github.com ... OK (0s)
          test: [github.com] fi.github.com redirects to enterprise.github.com ... OK (0s)
          test: [github.com] embed.github.com redirects to HTTPS ... OK (0s)
          test: [github.com] https embed.github.com redirects to https embed.githubusercontent.com ... OK (0s)
          test: [github.com] render.github.com redirects to HTTPS ... OK (0s)
          <snip>
          ================ running tests for github.map.fastly.net against github.map.fastly.net ================
          test: [github.map.fastly.net] negotiates http/1.1 with ALPN ... OK (0s)
          test: [github.map.fastly.net] doesn't negotiate http/1.0 with ALPN ... FAILED (expected)
          test: [github.map.fastly.net] make sure we use good ciphers ... OK (0s)
          test: [github.map.fastly.net] github.map.fastly.net make sure we dont use bad ciphers ... OK (0s)
          test: [github.map.fastly.net] ssl fingerprint check ... OK (0s)
          test: [github.map.fastly.net] make sure we are using the DigiCert High Assurance EV Root CA ... OK (0s)
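The talk shows the output of the test runner but not the runner itself. The script below is an added example, not GitHub's tool, of how the slide-11 idea (functional checks against the edge and against providers) can be written so it runs on every configuration change: each check is a small function that returns true or false, a suite prints one line per check in the same format as the slide, and a stand-in HTTP server lets the whole thing run offline. The host names, paths and cipher denylist are constructed for the example; a real run would point the port and redirect checks at the edge's IP and feed the cipher check the suite names taken from a TLS handshake.

```python
"""Edge integration checks in the style of the slide-12 output.

Added example, not GitHub's or Fastly's test suite. A tiny local HTTP server
stands in for the edge so the script runs offline; the names below are constructed.
"""
import http.client
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Substrings that must not appear in an offered cipher suite name.
# Constructed denylist for the example; adapt it to your own policy.
BAD_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


def has_bad_cipher(cipher_names):
    """Return the first cipher name matching the denylist, or None if all are clean."""
    for name in cipher_names:
        upper = name.upper()
        if any(marker in upper for marker in BAD_CIPHER_MARKERS):
            return name
    return None


def port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def redirects_to(host, port, request_host, path, expected_location, timeout=2.0):
    """True if GET path with the given Host header answers 3xx to expected_location."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": request_host})
        resp = conn.getresponse()
        resp.read()
        return (resp.status in (301, 302, 307, 308)
                and resp.getheader("Location") == expected_location)
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()


class FakeEdge(BaseHTTPRequestHandler):
    """Stand-in edge: redirect www.* to the apex over HTTPS, serve the apex directly."""

    def do_GET(self):
        if self.headers.get("Host", "").startswith("www."):
            self.send_response(301)
            self.send_header("Location", "https://example.test" + self.path)
        else:
            self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep the suite output clean
        pass


def start_fake_edge():
    """Start the stand-in edge on an ephemeral loopback port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), FakeEdge)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def run_suite(target, tests):
    """Run (name, check) pairs, print one slide-style line each, return {name: passed}."""
    results = {}
    print("=" * 16, "running tests for", target, "=" * 16)
    for name, check in tests:
        start = time.monotonic()
        results[name] = ok = bool(check())
        print("test: [%s] %s ... %s (%ds)"
              % (target, name, "OK" if ok else "FAILED", time.monotonic() - start))
    return results


def demo():
    """Run the suite against the stand-in edge and return its results."""
    server, port = start_fake_edge()
    try:
        return run_suite("example.test", [
            ("http port", lambda: port_open("127.0.0.1", port)),
            ("www redirects to example.test", lambda: redirects_to(
                "127.0.0.1", port, "www.example.test", "/", "https://example.test/")),
            ("apex does not redirect", lambda: not redirects_to(
                "127.0.0.1", port, "example.test", "/", "https://example.test/")),
            # Names as a handshake would report them; constructed for the example.
            ("no bad ciphers offered", lambda: has_bad_cipher(
                ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"]) is None),
        ])
    finally:
        server.shutdown()
        server.server_close()
```

Call `demo()` to see the slide-style output. The value of this shape is that a check such as "www redirects to github.com" is a one-liner, so the suite grows with every incident: when a redirect, a ban rule or a provider setting is changed at the edge, the same run that confirms the fix also confirms that nothing else regressed. The ALPN and certificate-chain checks on the slide need a live TLS endpoint and are left out here; the cipher denylist is the offline part of the "bad ciphers" check.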
  13. Future Work and Recommendations
      ● HTTPS traffic authentication
      ● Multiple CDN providers
      ● Multiple DNS providers
      ● Per service configuration/architecture
        ○ Per service Fastly IP maps
        ○ Per service load balancer groups
