Workshop "Anti DDoS ochrana od F5" Praha, 11.5.2016 Prezentoval: Martin Oravec, F5 Networks

1. Denial of Service
Service Provider Overview
Martin Oravec
Systems Engineer Sales CZ/SK/HU

2. Peering
Router
Internet
Peering
Router
Internet
Cloud
Scrubbing
Service
Silverline
Edge
Router
Edge
Router
PGW
Radio
Access
GiFW/L4
DDOS
BNG
CMTS
DSL/FTTH
Cable IP/MPLS
Backbone
Enterprise
Data Center
CPE
L4-L7 inline DDOS
Mobile Broadband
Fixed Broadband
Enterprise
Data Center (control, mgmt, apps)
L4-L7 inline DDOS
1
4
4
2
1
2
3
4
Protect international transit
links
Inline L4-L7 DDOS for control plane
elements and application servers
Gi Firewall with L4 DDoS, GiFW
and optional CGNAT, DNS, …
Edge
Router
CGFW/L4
DDOS
3
CG Firewall with L4 DDoS and
optional CGNAT, DNS …
Service Provider DDoS solutions overview

3. © F5 Networks, Inc 3
DNS

4. Web Presentations in 90ties and today

5. DNS stats

6. DNS Demand
AVERAGE DAILY QUERY LOAD
FOR DNS (.COM/.NET)
DNSSEC DEPLOYMENT
EXPANDING
100+ DNS QUERIES FOR
SINGLE WEB PAGE
ONE OF MOST ATTACKED
PROTOCOLS
GLOBAL MOBILE DATA = DNS
GROWTH
DISTRIBUTED, HIGH-
PERFORMANCE NEEDS
18X Growth 2011-2016
4G LTE
2.4GB
/mo
Non-4G LTE
86MB
/mo
Reflection/amplification DDoS
Cache poisoning attacks
Drive for DNSSEC adoption
Total app and service availability
Geographically dispersed
DNS capacity close to clients
82‘15‘14‘13‘12‘11 120
110
57
77
82
In Billions

7. Denial of Service Attacks - DNS
Why DNS is popular for DDoS?
• Widely used protocol, open on FWs, open recursion
• DNS is based on UDP
• DNS DDoS often uses spoofed sources
• Large Amplification Factor (100x) - using open resolvers or ANY type to an
authoritative NS
Traditional mitigations are failing
• Using an ACL block legitimate clients
• DNS attacks use massive volumes of source addresses, breaking many
firewalls
Denial of Service Attacks targeting DNS infrastructure are often complex and
standard tools can not provide adequate response to mitigate it without inhibiting
the ability of DNS to do its job

8. DNS Flood
Synopsys
Many attackers or botnets flood an authoritative name server,
attempting to exceed its capacity.
Dropped responses = reduced or no site availability.
Mitigation – PERFORMANCE, PERFORMANCE, ….
• F5 offers exceptional DNS capacity, over 2M RPS in case of appliance and
to over 20M RPS for chassis. Additionally the possibility to use Rapid
Response Mode to double during the attack.
• Identify unusually high traffic patterns to specific clients using F5 DNS
DDoS Profiles - ICSA–certified FW with support for 30+ DDoS vectors
• Use DNS Anycast to distribute the load between regional DCsDNS Requests DNS Responses
Target DNS
infrastructure

9. DNS Amplification Attack
DNS Requests Large DNS Responses
Synopsys
By spoofing a UDP source address, attackers can target a common
source. By requesting for large record types (ANY, DNSSEC, etc), a
36 byte request can result in a response over 100 times larger.
Mitigation
• DNS request type validation– force TCP in case of type ANY
• BIG-IP supports DNS type ACLs - filters for acceptable DNS query types
• Identify unusually high traffic patterns to specific clients or from
specific sources via DNS DoS Profiles and apply mitigations
• Drop all unsolicited responses (BIG IP’s default behavior)
[Target Site]

10. Random Sub-domain / NXDOMAIN
Attackers Web bots Open Resolvers
<randomstring>.www.example.com
<anotherstring>.www.example.com
Does not exist | Exists
Increased outbound NXDOMAIN
and SERVFAIL responses
[Target DNS]

11. NXDOMAIN DDoS: DMARC
• Domain-based message authentication, reporting, and conformance (DMARC)
is a mechanism for improving mail handling by mail-receiving organizations.
• The _dmarc DDoS attack vector is interesting in that it makes use of Google’s
and Yahoo’s legitimate DNS servers to launch a DDoS attack on another
entity’s DNS infrastructure
https://devcentral.f5.com/d/a-new-twist-on-dns-nxdomain-ddos-dmarc-attack-vector-analysis

12. DNS the F5 Way
External
Firewall
DNS Load
Balancing
Array of DNS
Servers
Hidden Master
DNS
Internal
Firewall
Internet
DMZ
Master DNS
Infrastructure
Internet
• Traditional DNS servers with
vulnerabilities
• Adding performance = DNS boxes
• Weak DoS/DDoS Protection
• Firewall is THE bottleneck
Datacenter
F5 DNS Delivery Reimagined
Conventional DNS Thinking
DNS Firewall
DNS DDoS Protection
Protocol Validation
Authoritative DNS
Caching Resolver
Transparent Caching
High Performance DNSSEC
DNSSEC Validation
Intelligent GSLB
BIG-IP DNS
• Massive performance over 20M RPS!
• Double query max responses in Rapid Res. Mode
• Consolidation: LDNS integration for higher scale
• DoS / DDoS Protection included
• Less CAPEX and OPEX

13. Mitigate Malicious Communication
• Prevent malware and sites hosting
malicious content from ever
communicating with a client
• Inhibit the threat at the earliest
opportunity ‒ Internet activity starts
with a DNS request
Domain
Reputation
• Mitigate DNS threats by blocking
access to malicious IPs
• Reduce malware and virus infections
Response Policy Zone (RPZ) Feed IP Intelligence / URL categories Feed
IP Reputation
URL Categorisation
DNS

14. Complete DNS Protection & Performance with F5
BIG-IP
DNS Firewall
Apps
DNS
Servers
LDNS
Internet
Devices DMZ Data Center
*Requires provisioning only BIG-IP® Advanced Firewall Manager™ to access functionality.
• DNS DDoS mitigation with DNS Express
• Protocol inspection and validation
• DNS record type ACL*
• Block access to Malicious IPs
• High performance DNS cache
• RPZ – Outbound Domain Filtering
• Stateful – Never accepts unsolicited responses
• ICSA Certified - deployment in the DMZ
• Scale across devices – IP Anycast
• Secure responses – DNSSEC
• Complete DNS control – iRules
• DDoS threshold alerting*
• DNS logging and reporting
• Hardened F5 DNS code – NOT BIND
F5 DNS Firewall Services

15. © F5 Networks, Inc 15
AFM

16. F5 Carrier Class Network Firewall
Provides
Multi-Layer
Security
Protection
Comprehensive Purpose-built & Virtual Appliances
Standards & Protocol Support
Highly Scalable & Manageable
Consolidation of Network Functions
HIGH PERFORMANCE / SCALABLE / HIGH AVAILABILITY / PROGRAMMABLE / CONSOLIDATION OF NETWORK
FUNCTIONS

17. • Protects from malformed and malicious traffic at scale
• L2-L4 DoS Vectors
• Malformed/bad, suspicious, and volumetric attack vectors
• Hardware accelerated on many platforms
• Per-endpoint limits (src & dst)
• Includes also protocol specific DoS detection and mitigation
(DNS+SIP)
DOS capabilities throughout the product
• Purpose-built hardware
• SYN cookies in hardware to protect CPS resources
• Per source CPS limits on virtual servers
• Sweeper to protect connection table
• Various timer and protocol knobs
AFM DDoS detection and mitigation

18. IMS & VoLTE Security Threat - Signaling Storm
SGi LAN
PGW PEeNodeB SecuritySGW
Internet APN
IMS APN
Internet APN
IMS APN
User Equipment
P-CSCF
Signaling (SIP)*
Legend
Symptom = DOS attack / Signaling Storm
Impact = Disruption of Service
Cause = Fault (PGW Down) / Bad Software / Mis-configuration / DDoS using mobiles
Remedy = Per Prefix (/64) Rate Limiting*
*implement on SGi Firewall or P-CSCF Firewall (or both) with SIP DDoS capabilities
*High PPS
*Aggressive retries
*Multiple UEs

19. IMS & IMS & VoLTE Security Threat - Unsolicited Scan
SGi LAN
PGW PEeNodeB SecuritySGW
Internet APN
IMS APN
Internet APN
IMS APN
User Equipment
P-CSCF
Symptom = DOS attack / Prefix Scan / Unsolicited Packets
Impact = Disruption of Service / Excessive Signaling
Cause = Virus / Worm / Malicious User
Remedy = Firewall Policy with SIP ALG
IP Packets*
Legend
*High PPS
*Increment per /64
*Multiple UEs

20. Leveraging the F5 Carrier Class Firewall for High-Scale
DDoS Mitigation on the Gi-LAN
• Internet or mobile device-based DDoS attacks,
such as TCP/ICMP/UDP/SYN floods, impacting
network resources, resulting in service outages
or degradation
• Internet-based IP port sweeps causing RAN
exhaustion and battery drain
• Malware/botnets infecting mobile devices
DDoS Threats
• Use a powerful and flexible network firewall
with policy rules, DDoS vectors, and scripting to
protect AN and device resources
• Use IP intelligence and dynamically updateable
list of blocked IP addresses (temporarily)
Solution
PGW/GGSN
BNG AFM
Internet
Attacker
Web bot

21. Dynamically updateable list of blocked IP addresses for a period of time
Sources of “shunned” IPs
• Internal: Explicit (CLI/GUI), Auto Sweep/flood, Behavioral DNS DoS, WAF
• External (via API): SIEM, IDS/IPS, other security management system
Sub-second mitigation, thousands of entries
SIEM / IDP
PGW/GGSN
BNG
AFM
Internet
Attacker
Web bot
Sweep/Flood, DNS, WAFINTERNAL SHUN
EXTERNAL SHUN
Leveraging the F5 Carrier Class Firewall for Dynamic
Security Enforcement

22. Solving the Full-Pipe Problem (RTBH rfc5635)
• Volumetric DDoS Attack fills Datacenter’s Upstream
Bandwidth “Full-Pipe Problem”
• Availability is suffering; Attack traffic must be stopped
further upstream then Datacenter
• AFM signals to upstream network to drop specific
source or destination traffic using BGP
• Specific traffic is dropped on Network Edge
• The network can be sectioned into multiple
communities -> an ability to drop in specific parts of
their network.
Data Center
ISP Router
Customer/ISP
Transit Network
AFM
1.2.3.4
1.2.3.5
1.2.3.6
1.2.3.7
AFM Signals
Upstream Network
to Drop Attack
Traffic

23. IPv6 traffic does not pass through CGNAT
• Need to avoid unsolicited traffic from Internet (back to basics)
ICMPv6: Essential for network operations
• Neighbour discovery - Replaces router advertisement
• Essential for hacking IPv6 networks
Tunneling
• Used as transition path from v4 to v6
• Hide attack/malware traffic from security devices
Capacities
• Dual-stack IPv4/IPv6 will require higher CPS and higher connection count
How IPv6 Changes Security

24. Integrated Firewall + CGNAT on the Gi-LAN
NAT44
Gi-FW Internet
Private
IPv4
Public
IPv6
Public
IPv6
Public
IPv4 IPv4
CGNAT
IPv6
Gi-FW
Time
Traffic
distribution
UNPRECEDENTED SCALE AND
PERFORMANCE
NAT44 → NAT64
PGW / BNG
GRADUAL TRANSITION FROM IPV4
CGNAT TO IPV6 GI-FW
INVESTMENT PROTECTION

25. © F5 Networks, Inc 25
CONS
AFM
DNS
CGNAT Consolidate with

26. Consolidating SP’s security
Protection for networks
and applications
Fewer devices translates to
lower latency for
subscribers
Consolidation of firewall,
application security, and
traffic management
BEFORE F5
WITH F5
Load
Balancer
Firewall
DNS Security
Network DDoS
Load
Balancer & SSL
Application DDoS
Web Application Firewall
Web Access
Management

27. BEFORE F5
WITH F5
Load
Balancer
Firewall
DNS Security
Network DDoS
Load
Balancer & SSL
Application DDoS
Web Application Firewall
Web Access
Management
Consolidating SP’s security
Protection for networks
and applications
Fewer devices translates to
lower latency for
subscribers
Consolidation of firewall,
application security, and
traffic management

28. Protection for mobility
and core infrastructure
with user awareness
High scale for the
demands of 4G and IPv6
deployments
Consolidation of security,
address, and traffic
management
BEFORE F5
WITH F5
FirewallPGW/
GGSN
DPI, Parental
Control, …
CG-NAT
Consolidating SP’s service functions

29. Protection for mobility
and core infrastructure
with user awareness
High scale for the
demands of 4G and IPv6
deployments
Consolidation of security,
address, and traffic
management
BEFORE F5
WITH F5
FirewallPGW/
GGSN
DPI CG-NAT
PGW/
GGSN
FirewallDPI CG-NAT
Consolidating SP’s service functions