Logan Best, profile picture
Uploaded byLogan Best
PPTX, PDF376 views

Multi-Layer DDoS Mitigation Strategies

The document discusses multi-layer DDoS mitigation strategies for application servers, load balancers, and firewalls, emphasizing the increasing complexity of DDoS attacks and the rise of DDoS-as-a-service. It outlines various protective measures, including server layer configurations, load balancer features, and the use of third-party scrubbing providers. The content also covers best practices for managing vulnerabilities at the application layer and details on securing network infrastructure to prevent attacks.

Embed presentation

Download to read offline
1 Multi-Layer DDoS Mitigation Strategies Logan Best Senior Infrastructure Engineer logan@webair.com
2 Multi-Layer DDoS Mitigation Strategies Application Server(s) Load Balancers/Proxies Firewall Network 3rd Party Scrubbing 3rd Party CDN/Proxies
3 Fully Managed Web Stack FW & Cache plugins Memcache, Fail2ban, sysctl HAProxy + keepalived, nginx, csync MikroTik, PaloAlto, Juniper RTBH, FlowSpec, Outbound filters Network Taps , Analysis, Automated BGP swing Redirects to CDN in App or via HTTP rewrite Application Server Load Balancers Firewall Network Scrubbing CDN/Proxies
4 Why? - New Attack Landscape • DDoS Ransom on the rise with Bitcoins - Attackers becoming more anonymous • Multiple governments issue warnings about DD4BC • Stress Testers • Used to be called “booters’, available on IRC (EFnet anyone?) • DDoS-as-a-Service • Christmas 2014, Lizard Squad “stress tested” PSN and Xbox Live. Sets up lizardstresser.su to monetize. • Inexpensive - as little as $5/attack • Technically legal, RageBooter.net claims legal, provides full phone support.
5 Why? - Unlikely DDoS Originators • IoT • IoCT? Internet of Compromised Things? • Professor in Berlin creates smart home. Lightbulb unintentionally launches DoS against controller, causing home to lock up. • Proliferation of cheap android devices and LTE will result in perfect mobile storm. • 1 billion devices 0.1% vulnerable: • 100 kilobits per second == 100 gigabits per second • 100 pps == 100 million packets per second
6 More sophisticated attackers • Less total attacks, increase in effectiveness • Attacks are getting more complicated and last longer • More effective L7 Botnets being used
7 Our Environment Founded: 1996 Headquarters: Long Island, NY Services Offered: Public, Private & Hybrid Cloud, Dedicated Servers, Colocation, CDN, Security, DRaaS, and more Customers: Enterprise, Healthcare, SMBs, VoIP providers, eCommerce, Information Technology, and more The Webair Value:  Over 18 years providing customers with best-in-class Managed Hosting solutions  High-touch Support  Full ownership of our customer’s infrastructure stack so they can focus on their core business.  Manages most secure and redundant facility east of Manhattan with trans-Atlantic bypass (Tier III, HIPPA/SSAE16)
8 Full Stack Management “Outsourced Devops”
9 Application Layer • Simple to take sites down with low request volume • Stay under volumetric detection’s radar • Uncached dynamic (db backed) URLs fall over quickly (especially if framework is known) • Poorly written SQL queries • Apps written w/o scale in mind • Cross-site scripting, SQL injection, buffer overflows, file inclusion, oh my… • Search result pages, POST to forms, comments, etc • Botnets storing session cookies, use real ‘hidden’ browsers on infected PCs • Simple HTTP floods lead to state-exhaustion • Part of larger multi-vector attacks
10 Application Layer Protection • Framework or App specific plugins - WP (NinjaFirewall, Wordfence) • HTTP server modules - mod_evasive, mod_security • Common caching layers can perform rate limiting based on specific request attributes (nginx, varnish) • Cache for security • In memory - (memcache, redis) • Opcode caching - (APC, xcache, eAccelerator) • SQL - (sphinx search, solr, elasticsearch) • File • Follow best practices for web scale: • Disable all unnecessary logging • Scale-out architecture • In-memory session management • (many more!..)
11 Server Layer Linux Kernel /etc/sysctl.conf customization: • Prevent against the common 'syn flood attack' #net.ipv4.tcp_syncookies = 1 • Increase the number of outstanding syn requests allowed #net.ipv4.tcp_max_syn_backlog = 4096 • Reduce # of potential ACK replies (default 5) #net.ipv4.tcp_synack_retries = 3 • Reduce # of connections in TIME_WAIT state #net.ipv4.tcp_fin_timeout = 15 • Enable IP spoofing protection (turn on source route verification) #net.ipv4.conf.all.rp_filter = 1 #net.ipv4.conf.default.rp_filter = 1 • Decrease the time default value for tcp_keepalive_time connection #net.ipv4.tcp_keepalive_time = 1800
12 Server Layer IPTables rules: • Rate limit and block syn flooding: #iptables -N syn-flood #iptables -A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN #iptables -A syn-flood -j LOG --log-prefix "SYN flood: “ #iptables -A syn-flood -j DROP • Drop excessive RST packets to avoid smurf attacks #iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT #iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP #iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP #iptables -A INPUT -p icmp -m icmp -j DROP • Drop Invalid Packets #iptables -A INPUT -m state --state INVALID -j DROP #iptables -A FORWARD -m state --state INVALID -j DROP #iptables -A OUTPUT -m state --state INVALID -j DROP
13 Server Layer IPTables rules: •Reject spoofed packets (bogon networks, RFC1918) #iptables -A INPUT -s 10.0.0.0/8 -j DROP #iptables -A INPUT -s 169.254.0.0/16 -j DROP #iptables -A INPUT -s 172.16.0.0/12 -j DROP #iptables -A INPUT -d 239.255.255.0/24 -j DROP #iptables -A INPUT -d 255.255.255.255 -j DROP …….etc • Reject ports, protocols, and IPs not in use. Are you really using UDP port 80? • Fail2Ban • Mindful of NFS overhead (stop logging to NFS!)
14 Load Balancers • Load balancers can shield app/servers from attacks • Already operating at L7, ability to perform complex L7 rules and mitigation, https via offload • Provides inherent synflood protection, slowloris, • Traditional appliance solutions too rigid. Next gen ADC (Application delivery controller) to provide LB, WAF, Cache combined • DIY, our kit: Ansible, Debian/RHEL, HAProxy, keepalived, csync, git, automation software for provisioning, configuration, attack defense • Integrate with 3rd party software easily (geoip, automated blacklists) • Tie into caching: (varnish, nginx)
15 Load Balancers (HAProxy) • Provides rate limiting on many levels: • Connections per IP • Connection rate per IP • Bandwidth usage too high • Client not respecting RFCs (IE for SMTP) • HTTP request rate (L7) - Block based on • Request string/regex • User-Agent • Any other tracked variables • Vulnerability scanners: • Invalid or truncated requests • Denied or tarpitted requests • Failed authentications • 4xx error pages
16 HAProxy examples stick-table type ip size 256k expire 300s peers mypeers store gpc0,http_req_rate(5s),conn_cur,conn_rate(5s),http_err_rate(5s) acl abuse src_http_req_rate gt 50 acl flag_abuser sc1_inc_gpc0 acl ipwhitelist src -f /path/to/ipwhitelist.txt acl ipblacklist src -f /path/to/ipblacklist.txt tcp-request connection track-sc1 src tcp-request connection reject if ipblacklist tcp-request connection accept if ipwhitelist tcp-request connection reject if { sc1_conn_cur ge 30 } tcp-request connection reject if { sc1_conn_rate ge 20 } tcp-request connection reject if { sc1_get_gpc0 gt 0 } tcp-request content reject if { sc1_get_gpc0 gt 0 } http-request deny if ipblacklist http-request allow if ipwhitelist http-request deny if { sc1_get_gpc0 gt 0 } http-request deny if { sc1_http_err_rate ge 20 } flag_abuser http-request deny if abuse flag_abuser
17 Firewalls • WAF capabilities becoming standard w/ all new FWs • Is WAF even enough? (Palo Alto says no. RASP overtaking WAF) • L7 SSL inspect via passthrough certs • Many great OSS options still exist • MikroTik: • SSH/GUI w/ built in easy packet sniffing • L7 regex matching • VPN (IPSec, PPTP, SSTP, L2TP), BGP, OSPF, etc.. • Run a whole ISP on it :) • HW appliance, w/ support and built in virtualization • Dynamic address lists based on multitude of rules • ‘Good’ IPv6 support FTW!
18 Firewalls
19 Network
20 Network • Block Martian and Bogon routes (automate if possible) • Unicast Reverse Path Forwarding (w/ full routes) • Filter unknown outbound packets to prevent spoofing + retaliation • Proper flow monitoring at the edge - CLI + GUI • Packet sniffing • Strategy around reflection attacks: • Detect internally • Run scan and patch? • Block outbound if you can or redirect to internal server(s) •IPv6 /64 assignments are bad - NDP exhaustion
21 Network • RTBH (remotely triggered blackhole) on your network (but kills dst) • Blackhole srcs upstream via community strings • Automate ^^ via scripts/software • BGP Flowspec: Use BGP to distribute flow specification filters and dynamically filter on routers. • communities based actions (accept, discard, rate-limit, sample, redirect) • Match on combination of source/dest prefix, source/dest port, ICMP type/code, packet size, DSCP, TCP flag, fragment encoding, etc • Leverage ASIC filtering in routers • Available today
22 Network
23 3rd Party on-demand scrubbing Providers: • Staminus communications • Level3 (legacy BlackLotus) • TATA • Savvis • Verisign • Anyone running Arbor gear?? BGP enabled on the fly mitigation
24 3rd Party on-demand scrubbing • On Demand: Enable Mitigation only when needed. “Insurance Policy” • Assume potential attack will always have more BW than you • Many providers now support L7 mitigation via BGP swing • Upgrading capacity as needed via contracts, not hardware • On prem device detects attacks and auto-swings on its own (automation) • “Big Data” play - view details on attack, portal, reports • A ‘required’ value add these days • If BGP cannot be maintained to provider, route withdraws, attack comes b
25 3rd Party CDN/Proxies • “Always on” - All connections proxies via 3rd party (for better, or worse) • Usually work well out of the box with popular applications • Simple way to handle many security touch points: • Caching & CDN • WAF capabilities and common injection detection • SSL offload • Custom Rules • Easy to use for Beginners • Enterprise offerings can: • Cache dynamic applications (EdgeCast/VZW + Fast.ly) • Work with Varnish VCLs and other common formats • Mid-tier origin caching • Option of last resort: CAPTCHA for user verification (eww) • Not a complete solution, origins are usually found
26 3rd Party CDN/Proxies
27 THANK YOU! Logan Best Senior Infrastructure Engineer logan@webair.com *Research data provided via Staminus Communication

More Related Content

PDF
DDoS Attacks - Scenery, Evolution and Mitigation
byWilson Rogerio Lopes
 
PPTX
Spy hard, challenges of 100G deep packet inspection on x86 platform
byRedge Technologies
 
PPTX
redGuardian DP100 large scale DDoS mitigation solution
byRedge Technologies
 
PDF
Route Origin Validation - A MANRS Approach
byBangladesh Network Operators Group
 
PDF
Ripe71 FastNetMon open source DoS / DDoS mitigation
byPavel Odintsov
 
PDF
Implementing BGP Flowspec at IP transit network
byPavel Odintsov
 
PDF
Make the internet safe with DNS Firewall
byBangladesh Network Operators Group
 
PPT
Why Managed Service Providers Should Embrace Container Technology
bySagi Brody
 
DDoS Attacks - Scenery, Evolution and Mitigation
byWilson Rogerio Lopes
 
Spy hard, challenges of 100G deep packet inspection on x86 platform
byRedge Technologies
 
redGuardian DP100 large scale DDoS mitigation solution
byRedge Technologies
 
Route Origin Validation - A MANRS Approach
byBangladesh Network Operators Group
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
byPavel Odintsov
 
Implementing BGP Flowspec at IP transit network
byPavel Odintsov
 
Make the internet safe with DNS Firewall
byBangladesh Network Operators Group
 
Why Managed Service Providers Should Embrace Container Technology
bySagi Brody
 

What's hot

PDF
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
byCisco Russia
 
PDF
100 M pps on PC.
byRedge Technologies
 
PDF
NetFlow Monitoring for Cyber Threat Defense
byCisco Canada
 
PPTX
F5 tcpdump
byalex wade
 
PDF
DPDK Summit 2015 - Aspera - Charles Shiflett
byJim St. Leger
 
PDF
BGPalerter: BGP prefix monitoring
byBangladesh Network Operators Group
 
PPTX
HAProxy
byArindam Nayak
 
PDF
RIPE 71 and IETF 94 reports webinar
byMen and Mice
 
PPTX
DeiC DDoS Prevention System - DDPS
byPavel Odintsov
 
PDF
Preventing Traffic with Spoofed Source IP address
byBangladesh Network Operators Group
 
PDF
HA Deployment Architecture with HAProxy and Keepalived
byGanapathi Kandaswamy
 
ODT
Load Balancing with HAproxy
byBrendan Jennings
 
PDF
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
byShixiong Shang
 
PDF
Protect your edge BGP security made simple
byPavel Odintsov
 
PDF
Keeping your rack cool
byPavel Odintsov
 
PDF
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
bynullowaspmumbai
 
PDF
DPDK Summit 2015 - Sprint - Arun Rajagopal
byJim St. Leger
 
PPTX
APRICOT 2015 - NetConf for Peering Automation
byTom Paseka
 
ODP
ChinaNetCloud Training - HAProxy Intro
byChinaNetCloud
 
PDF
HAProxy 1.9
byHAProxy Technologies
 
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
byCisco Russia
 
100 M pps on PC.
byRedge Technologies
 
NetFlow Monitoring for Cyber Threat Defense
byCisco Canada
 
F5 tcpdump
byalex wade
 
DPDK Summit 2015 - Aspera - Charles Shiflett
byJim St. Leger
 
BGPalerter: BGP prefix monitoring
byBangladesh Network Operators Group
 
HAProxy
byArindam Nayak
 
RIPE 71 and IETF 94 reports webinar
byMen and Mice
 
DeiC DDoS Prevention System - DDPS
byPavel Odintsov
 
Preventing Traffic with Spoofed Source IP address
byBangladesh Network Operators Group
 
HA Deployment Architecture with HAProxy and Keepalived
byGanapathi Kandaswamy
 
Load Balancing with HAproxy
byBrendan Jennings
 
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
byShixiong Shang
 
Protect your edge BGP security made simple
byPavel Odintsov
 
Keeping your rack cool
byPavel Odintsov
 
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
bynullowaspmumbai
 
DPDK Summit 2015 - Sprint - Arun Rajagopal
byJim St. Leger
 
APRICOT 2015 - NetConf for Peering Automation
byTom Paseka
 
ChinaNetCloud Training - HAProxy Intro
byChinaNetCloud
 
HAProxy 1.9
byHAProxy Technologies
 

Similar to Multi-Layer DDoS Mitigation Strategies

PPTX
Helen Tabunshchyk "Handling large amounts of traffic on the Edge"
byFwdays
 
PDF
Make DDoS expensive for the threat actors
byAPNIC
 
PDF
How to secure your web applications with NGINX
byWallarm
 
PDF
EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
byallanjude
 
PDF
How to Ensure You're Launching the Most Secure Website - Michael Tremante
byWP Engine
 
PDF
Secured Internet Gateway for ISP with pfsense & FRR
byBangladesh Network Operators Group
 
PPTX
Wo defensive trickery_13mar2017
byDan Kaminsky
 
PPTX
Cyber security fundamentals
byCloudflare
 
PDF
End to end web security
byGeorge Boobyer
 
PPTX
Cloudflare
byFadi Abdulwahab
 
PPTX
Cyber Security 101
byCloudflare
 
PPTX
Cyber security fundamentals (Cantonese)
byCloudflare
 
PDF
Network Threat Hunting Training - 202308.pdf
byAri Setiawan
 
PDF
Multi-Layer DDoS Mitigation Strategies
bySagi Brody
 
PDF
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
byPROIDEA
 
PDF
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
byPROIDEA
 
PPTX
#lspe: Dynamic Scaling
bysteveshah
 
PDF
Scalable Architecture 101
byConFoo
 
PDF
Do you lose sleep at night?
byNathan Van Gheem
 
PDF
Rugged DevOps Will help you build ur cloudz
byJames Wickett
 
Helen Tabunshchyk "Handling large amounts of traffic on the Edge"
byFwdays
 
Make DDoS expensive for the threat actors
byAPNIC
 
How to secure your web applications with NGINX
byWallarm
 
EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
byallanjude
 
How to Ensure You're Launching the Most Secure Website - Michael Tremante
byWP Engine
 
Secured Internet Gateway for ISP with pfsense & FRR
byBangladesh Network Operators Group
 
Wo defensive trickery_13mar2017
byDan Kaminsky
 
Cyber security fundamentals
byCloudflare
 
End to end web security
byGeorge Boobyer
 
Cloudflare
byFadi Abdulwahab
 
Cyber Security 101
byCloudflare
 
Cyber security fundamentals (Cantonese)
byCloudflare
 
Network Threat Hunting Training - 202308.pdf
byAri Setiawan
 
Multi-Layer DDoS Mitigation Strategies
bySagi Brody
 
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
byPROIDEA
 
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
byPROIDEA
 
#lspe: Dynamic Scaling
bysteveshah
 
Scalable Architecture 101
byConFoo
 
Do you lose sleep at night?
byNathan Van Gheem
 
Rugged DevOps Will help you build ur cloudz
byJames Wickett
 

Recently uploaded

PPT
Memory Organization In Assembly Language
byumairmuhammad0409
 
PPTX
Role of VMware and Cloud Computing in CyberSecurity.pptx
byalehanoor1325
 
PPTX
SriLank SLT LTE Network Sharing V2.pptx
bynthuang
 
PDF
tokiohotellistening.pdf for tokiohotelfans
byrafaelgombos1234
 
PPTX
Types of Cryptograph Symmetric Ceaser cipher and also about Assymetric
byhamzaabdulqadeer11
 
PPT
Lecture_3 Network Securityyyeyeyyeeyyeywy.ppt
bysawsan202
 
PPTX
BIG DATA it is talking about the big data.pptx
byAbhishekGarg269
 
PDF
classification of elements and periodicity.pdf
byaryanshreya2010
 
PPTX
COĞRAFYA ödevi 70 sayfa güzeldir hayırlı olsun
bydtilter
 
PPTX
PRITHVI theater, A true artist. Newzfeaturez.pptx
bysc05digital
 
PDF
Xnspy vs FlexiSPY: 2025 Monitoring Comparison
byMichael Carter
 
PPTX
ChatGPT on education positively snd negatively
by88rtgpscxx
 
PDF
WShell Gameplay and Games of Games of Games
byzramirezmtz9
 
PPTX
Bibhav Singh.pptx it's very useful for us it's in very good and very nice
byabhishekjaiswal5th33
 
PDF
WShell Gameplay and Games of Games of Games
byzramirezmtz9
 
PPTX
Abhishek Jaiswal.ppt.pptx for you it is very useful for me and I am sharing w...
byabhishekjaiswal5th33
 
PPT
html-forms in web development-courseICT.
bymadz33
 
PDF
How Social Media Management Tools Work – Step-by-Step Guide
byTurrboo
 
PPTX
Computer Science Degree for College .pptx
byHanenek1
 
PDF
ARTIFICIAL INTELLIGENCE DEVELOPMENT SERVICE
bydavidjohansen1597
 
Memory Organization In Assembly Language
byumairmuhammad0409
 
Role of VMware and Cloud Computing in CyberSecurity.pptx
byalehanoor1325
 
SriLank SLT LTE Network Sharing V2.pptx
bynthuang
 
tokiohotellistening.pdf for tokiohotelfans
byrafaelgombos1234
 
Types of Cryptograph Symmetric Ceaser cipher and also about Assymetric
byhamzaabdulqadeer11
 
Lecture_3 Network Securityyyeyeyyeeyyeywy.ppt
bysawsan202
 
BIG DATA it is talking about the big data.pptx
byAbhishekGarg269
 
classification of elements and periodicity.pdf
byaryanshreya2010
 
COĞRAFYA ödevi 70 sayfa güzeldir hayırlı olsun
bydtilter
 
PRITHVI theater, A true artist. Newzfeaturez.pptx
bysc05digital
 
Xnspy vs FlexiSPY: 2025 Monitoring Comparison
byMichael Carter
 
ChatGPT on education positively snd negatively
by88rtgpscxx
 
WShell Gameplay and Games of Games of Games
byzramirezmtz9
 
Bibhav Singh.pptx it's very useful for us it's in very good and very nice
byabhishekjaiswal5th33
 
WShell Gameplay and Games of Games of Games
byzramirezmtz9
 
Abhishek Jaiswal.ppt.pptx for you it is very useful for me and I am sharing w...
byabhishekjaiswal5th33
 
html-forms in web development-courseICT.
bymadz33
 
How Social Media Management Tools Work – Step-by-Step Guide
byTurrboo
 
Computer Science Degree for College .pptx
byHanenek1
 
ARTIFICIAL INTELLIGENCE DEVELOPMENT SERVICE
bydavidjohansen1597
 

Multi-Layer DDoS Mitigation Strategies

  • 1.
    1 Multi-Layer DDoS MitigationStrategies Logan Best Senior Infrastructure Engineer logan@webair.com
  • 2.
    2 Multi-Layer DDoS MitigationStrategies Application Server(s) Load Balancers/Proxies Firewall Network 3rd Party Scrubbing 3rd Party CDN/Proxies
  • 3.
    3 Fully Managed WebStack FW & Cache plugins Memcache, Fail2ban, sysctl HAProxy + keepalived, nginx, csync MikroTik, PaloAlto, Juniper RTBH, FlowSpec, Outbound filters Network Taps , Analysis, Automated BGP swing Redirects to CDN in App or via HTTP rewrite Application Server Load Balancers Firewall Network Scrubbing CDN/Proxies
  • 4.
    4 Why? - NewAttack Landscape • DDoS Ransom on the rise with Bitcoins - Attackers becoming more anonymous • Multiple governments issue warnings about DD4BC • Stress Testers • Used to be called “booters’, available on IRC (EFnet anyone?) • DDoS-as-a-Service • Christmas 2014, Lizard Squad “stress tested” PSN and Xbox Live. Sets up lizardstresser.su to monetize. • Inexpensive - as little as $5/attack • Technically legal, RageBooter.net claims legal, provides full phone support.
  • 5.
    5 Why? - UnlikelyDDoS Originators • IoT • IoCT? Internet of Compromised Things? • Professor in Berlin creates smart home. Lightbulb unintentionally launches DoS against controller, causing home to lock up. • Proliferation of cheap android devices and LTE will result in perfect mobile storm. • 1 billion devices 0.1% vulnerable: • 100 kilobits per second == 100 gigabits per second • 100 pps == 100 million packets per second
  • 6.
    6 More sophisticated attackers •Less total attacks, increase in effectiveness • Attacks are getting more complicated and last longer • More effective L7 Botnets being used
  • 7.
    7 Our Environment Founded: 1996 Headquarters:Long Island, NY Services Offered: Public, Private & Hybrid Cloud, Dedicated Servers, Colocation, CDN, Security, DRaaS, and more Customers: Enterprise, Healthcare, SMBs, VoIP providers, eCommerce, Information Technology, and more The Webair Value:  Over 18 years providing customers with best-in-class Managed Hosting solutions  High-touch Support  Full ownership of our customer’s infrastructure stack so they can focus on their core business.  Manages most secure and redundant facility east of Manhattan with trans-Atlantic bypass (Tier III, HIPPA/SSAE16)
  • 8.
  • 9.
    9 Application Layer • Simpleto take sites down with low request volume • Stay under volumetric detection’s radar • Uncached dynamic (db backed) URLs fall over quickly (especially if framework is known) • Poorly written SQL queries • Apps written w/o scale in mind • Cross-site scripting, SQL injection, buffer overflows, file inclusion, oh my… • Search result pages, POST to forms, comments, etc • Botnets storing session cookies, use real ‘hidden’ browsers on infected PCs • Simple HTTP floods lead to state-exhaustion • Part of larger multi-vector attacks
  • 10.
    10 Application Layer Protection •Framework or App specific plugins - WP (NinjaFirewall, Wordfence) • HTTP server modules - mod_evasive, mod_security • Common caching layers can perform rate limiting based on specific request attributes (nginx, varnish) • Cache for security • In memory - (memcache, redis) • Opcode caching - (APC, xcache, eAccelerator) • SQL - (sphinx search, solr, elasticsearch) • File • Follow best practices for web scale: • Disable all unnecessary logging • Scale-out architecture • In-memory session management • (many more!..)
  • 11.
    11 Server Layer Linux Kernel/etc/sysctl.conf customization: • Prevent against the common 'syn flood attack' #net.ipv4.tcp_syncookies = 1 • Increase the number of outstanding syn requests allowed #net.ipv4.tcp_max_syn_backlog = 4096 • Reduce # of potential ACK replies (default 5) #net.ipv4.tcp_synack_retries = 3 • Reduce # of connections in TIME_WAIT state #net.ipv4.tcp_fin_timeout = 15 • Enable IP spoofing protection (turn on source route verification) #net.ipv4.conf.all.rp_filter = 1 #net.ipv4.conf.default.rp_filter = 1 • Decrease the time default value for tcp_keepalive_time connection #net.ipv4.tcp_keepalive_time = 1800
  • 12.
    12 Server Layer IPTables rules: •Rate limit and block syn flooding: #iptables -N syn-flood #iptables -A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN #iptables -A syn-flood -j LOG --log-prefix "SYN flood: “ #iptables -A syn-flood -j DROP • Drop excessive RST packets to avoid smurf attacks #iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT #iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP #iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP #iptables -A INPUT -p icmp -m icmp -j DROP • Drop Invalid Packets #iptables -A INPUT -m state --state INVALID -j DROP #iptables -A FORWARD -m state --state INVALID -j DROP #iptables -A OUTPUT -m state --state INVALID -j DROP
  • 13.
    13 Server Layer IPTables rules: •Rejectspoofed packets (bogon networks, RFC1918) #iptables -A INPUT -s 10.0.0.0/8 -j DROP #iptables -A INPUT -s 169.254.0.0/16 -j DROP #iptables -A INPUT -s 172.16.0.0/12 -j DROP #iptables -A INPUT -d 239.255.255.0/24 -j DROP #iptables -A INPUT -d 255.255.255.255 -j DROP …….etc • Reject ports, protocols, and IPs not in use. Are you really using UDP port 80? • Fail2Ban • Mindful of NFS overhead (stop logging to NFS!)
  • 14.
    14 Load Balancers • Loadbalancers can shield app/servers from attacks • Already operating at L7, ability to perform complex L7 rules and mitigation, https via offload • Provides inherent synflood protection, slowloris, • Traditional appliance solutions too rigid. Next gen ADC (Application delivery controller) to provide LB, WAF, Cache combined • DIY, our kit: Ansible, Debian/RHEL, HAProxy, keepalived, csync, git, automation software for provisioning, configuration, attack defense • Integrate with 3rd party software easily (geoip, automated blacklists) • Tie into caching: (varnish, nginx)
  • 15.
    15 Load Balancers (HAProxy) •Provides rate limiting on many levels: • Connections per IP • Connection rate per IP • Bandwidth usage too high • Client not respecting RFCs (IE for SMTP) • HTTP request rate (L7) - Block based on • Request string/regex • User-Agent • Any other tracked variables • Vulnerability scanners: • Invalid or truncated requests • Denied or tarpitted requests • Failed authentications • 4xx error pages
  • 16.
    16 HAProxy examples stick-table typeip size 256k expire 300s peers mypeers store gpc0,http_req_rate(5s),conn_cur,conn_rate(5s),http_err_rate(5s) acl abuse src_http_req_rate gt 50 acl flag_abuser sc1_inc_gpc0 acl ipwhitelist src -f /path/to/ipwhitelist.txt acl ipblacklist src -f /path/to/ipblacklist.txt tcp-request connection track-sc1 src tcp-request connection reject if ipblacklist tcp-request connection accept if ipwhitelist tcp-request connection reject if { sc1_conn_cur ge 30 } tcp-request connection reject if { sc1_conn_rate ge 20 } tcp-request connection reject if { sc1_get_gpc0 gt 0 } tcp-request content reject if { sc1_get_gpc0 gt 0 } http-request deny if ipblacklist http-request allow if ipwhitelist http-request deny if { sc1_get_gpc0 gt 0 } http-request deny if { sc1_http_err_rate ge 20 } flag_abuser http-request deny if abuse flag_abuser
  • 17.
    17 Firewalls • WAF capabilitiesbecoming standard w/ all new FWs • Is WAF even enough? (Palo Alto says no. RASP overtaking WAF) • L7 SSL inspect via passthrough certs • Many great OSS options still exist • MikroTik: • SSH/GUI w/ built in easy packet sniffing • L7 regex matching • VPN (IPSec, PPTP, SSTP, L2TP), BGP, OSPF, etc.. • Run a whole ISP on it :) • HW appliance, w/ support and built in virtualization • Dynamic address lists based on multitude of rules • ‘Good’ IPv6 support FTW!
  • 18.
  • 19.
  • 20.
    20 Network • Block Martianand Bogon routes (automate if possible) • Unicast Reverse Path Forwarding (w/ full routes) • Filter unknown outbound packets to prevent spoofing + retaliation • Proper flow monitoring at the edge - CLI + GUI • Packet sniffing • Strategy around reflection attacks: • Detect internally • Run scan and patch? • Block outbound if you can or redirect to internal server(s) •IPv6 /64 assignments are bad - NDP exhaustion
  • 21.
    21 Network • RTBH (remotelytriggered blackhole) on your network (but kills dst) • Blackhole srcs upstream via community strings • Automate ^^ via scripts/software • BGP Flowspec: Use BGP to distribute flow specification filters and dynamically filter on routers. • communities based actions (accept, discard, rate-limit, sample, redirect) • Match on combination of source/dest prefix, source/dest port, ICMP type/code, packet size, DSCP, TCP flag, fragment encoding, etc • Leverage ASIC filtering in routers • Available today
  • 22.
  • 23.
    23 3rd Party on-demandscrubbing Providers: • Staminus communications • Level3 (legacy BlackLotus) • TATA • Savvis • Verisign • Anyone running Arbor gear?? BGP enabled on the fly mitigation
  • 24.
    24 3rd Party on-demandscrubbing • On Demand: Enable Mitigation only when needed. “Insurance Policy” • Assume potential attack will always have more BW than you • Many providers now support L7 mitigation via BGP swing • Upgrading capacity as needed via contracts, not hardware • On prem device detects attacks and auto-swings on its own (automation) • “Big Data” play - view details on attack, portal, reports • A ‘required’ value add these days • If BGP cannot be maintained to provider, route withdraws, attack comes b
  • 25.
    25 3rd Party CDN/Proxies •“Always on” - All connections proxies via 3rd party (for better, or worse) • Usually work well out of the box with popular applications • Simple way to handle many security touch points: • Caching & CDN • WAF capabilities and common injection detection • SSL offload • Custom Rules • Easy to use for Beginners • Enterprise offerings can: • Cache dynamic applications (EdgeCast/VZW + Fast.ly) • Work with Varnish VCLs and other common formats • Mid-tier origin caching • Option of last resort: CAPTCHA for user verification (eww) • Not a complete solution, origins are usually found
  • 26.
  • 27.
    27 THANK YOU! Logan Best SeniorInfrastructure Engineer logan@webair.com *Research data provided via Staminus Communication

Editor's Notes

  • #2 Speaker: Logan
  • #3 Speaker: Logan
  • #4 Speaker: Logan
  • #5 Speaker: Logan
  • #6 Speaker: Logan 100Gbps attack, being generous - How exactly do you reboot your home?
  • #7 Speaker: Logan lower # of total attacks can do with less attacks, with low BW L7 attacks bonnets ingest and follow cookies, parse JS
  • #8 Speaker: Logan MSP cloud service prov.
  • #9 Speaker: Logan full stack mgmt, full infra outsourcing. a lot we have to do as a company at each layer to make sure they’re secure value proposition
  • #10 Speaker: Logan 1st layer, talking about OSS (WP, drupal, frameworks like CakePHP, Django), enterprise apps, java apps search engine example
  • #11 Speaker: Logan what can the application do itself to protect itself? caching with speed cache cron
  • #12 Speaker: Logan Simple things like per-IP rate limiting, flooding rate limits, and syn cookies should be enabled without a question. The sysctl variables improves the overall network handling efficiency and protects about common SYN/ACK Denial of service attacks. In syslog on server, I saw lots of "nf_conntrack: table full, dropping packet". And netstat showed lots of TIME_WAIT.
  • #13 Speaker: Logan In syslog on server, I saw lots of "nf_conntrack: table full, dropping packet". And netstat showed lots of TIME_WAIT.
  • #14 Speaker: Logan alternative: sshguard
  • #15 Speaker: Logan An application delivery controller (ADC) is a computer network device in a datacenter, often part of an application delivery network (ADN), that helps perform common tasks such as those done by web sites to remove load from the web servers themselves. Many also provide load balancing.
  • #16 Speaker: Logan
  • #17 Speaker: Logan Our Basic HAP ddos config ACL’s. Many many more options to harden applications of all types
  • #18 Speaker: Logan
  • #19 Speaker: Logan
  • #20 Speaker: Logan L3 distribution islands
  • #21 Speaker: Logan bogons are pubic ranges not allocated yet, cron to update URPF, packet comes in, want to be sure your routing table is telling you that it’s a source IP that you can route back to. if spoofed you don’t want to accept it. outbound as well filter_outbound acl NetFlow/sFlow collectors, arbor stuff mention NTP and DNS reflection specifically, we block all inbound/outbound NTP. can’t sync, reroute outbound NTP to our own detail IPv6 Allocation/Assignment flow (Allocate /64 to client, assign /120 etc to vlan)
  • #22 Speaker: Logan Being able to tell transit prove to block upstream doing attackers dirty work, letting them win flowspec, new protocol being adopted. more abilities at the phys layer, instead of black holing build policies to rate limit, police it , reroute to internal scrubbing farms.
  • #23 Speaker: Logan OOB access
  • #24 Speaker: Logan Prolexic/Black Lotus? announcing IP space to providers, who are then propagating it to the rest of the internet. attack clogs pipes. when attack comes in, tell scrubbing farm to announce that /24 to the Internet, routing table updates in 30 sec. Been around since around 2002.
  • #25 Speaker: Logan SLA on attack BW traditionally L4 w/DNS swing combine mitigation with automated swing learn & understand packet patterns, std deviation
  • #26 Speaker: Logan change DNS custom rules (pay to play) captcha not a complete solution. provider gave up
  • #28 Speaker: Logan going to see more proactive defense, deploying honeypots building data signatures to prevent attacks earlier 3rd party proxies are probably already doing that.