© F5 Networks, Inc 1
DDOS – 11.6 DOS PROFILE
DECEMBER 2015 SEATTLE
Lior Rotkovitch NPIE ASM Tel Aviv lior@f5.com
Slide 2: Index
• Configuration Overview
• TPS based Anomalies
  • Detection
    • IP Detection Criteria
    • Geolocation Detection Criteria
    • URL Detection Criteria
    • Site-Wide Detection Criteria
  • Prevention
    • Client Side Integrity Defense
    • CAPTCHA
    • Request Blocking
• PBD
• Heavy URLs
• Reporting
• Demo – how to
• Badger Changes
• Latency Based Anomalies
  • Detection
  • Prevention
Slide 3: Configuring DoS profile
Go to: Local Traffic > Virtual Servers > (the virtual server) > Security > Policies, and select the DoS profile to attach to the virtual server.
Slide 4: Configuring DoS profile
Slide 5: Configuring DoS profile
Go to: Security > DoS Protection > DoS Profiles > (the profile) > DoS Profile Properties
Slide 6: DoS Profile Main Sections
• TPS based anomaly
• Latency based anomaly
• Heavy URL Protection
• Proactive Bot Defense
• Geolocations
Slide 7: DDoS Profile Concept
1. Monitoring entities: TPS, latency, IPs, URLs
2. Detecting an increase
3. Activating prevention
(Diagram: users/IPs on one side, servers and database on the other; the DoS profile in between measures RPS/TPS per IP and per URL, and latency.)
Slide 8: TPS Based Anomaly
Slide 9: TPS Based Anomaly – Detection Basic Concept
1. IP Detection Criteria
2. Geolocation Detection Criteria
3. URL Detection Criteria
4. Site-Wide Detection Criteria
Detection: configure the RPS (TPS) thresholds above which ASM activates prevention. (The deck uses RPS, requests per second, and TPS, transactions per second, interchangeably.)
Slide 10: TPS Based Anomaly – Prevention Basic Concept
1. Client Side Integrity Check
2. CAPTCHA Challenge
3. Request Blocking
Prevention: each of the three can be enabled under any of the four detection criteria.
Slide 11: TPS based GUI
Slide 12: TPS Based Anomaly (GUI walkthrough)
1. IP Detection Criteria – settings
2. Prevention policies:
   a) Client Side Integrity Check
   b) CAPTCHA
   c) Request Blocking
3. Geolocation Detection Criteria + prevention policies
4. URL Detection Criteria + prevention policies
5. Site-Wide Detection Criteria + prevention policies
Slide 13: TPS based Anomaly – Concept
IP Detection measures the RPS arriving from each source IP.
If the TPS of a source IP reaches the thresholds, the configured prevention is activated for that IP.
Slide 14: TPS based Anomaly – Concept
If the TPS thresholds are reached and CAPTCHA challenge is checked,
DoS protection sends a CAPTCHA challenge to the IP that reached the thresholds.
Slide 15: TPS based – IP Detection Criteria Concept
Can you explain?
Slide 16: TPS based – IP Detection Criteria Concept
If the TPS thresholds are reached and Client Side Integrity Defense is checked, DoS protection sends the Client Side Integrity Defense challenge to the IP that reached the thresholds. WHY?
Source IP based = IP Detection Criteria: detection measures the source IPs whose TPS has increased, and prevention is applied to exactly those IPs.
Slide 17: IP Detection Criteria – config overview
Monitoring source IPs
Slide 18: IP Detection Criteria – calculating "TPS increased by" (pre 11.6)
Two types of time interval:
• Long (History Interval): accumulates TPS rate averages for 1 hour at 1-minute intervals
• Short (Detection Interval): accumulates TPS rate averages for 1 minute at 1-second intervals
Slide 19: Calculating "TPS increased by" (11.6)
Two types of time interval:
• Long (History Interval): the average TPS over the last 1 hour, recomputed every 10 seconds
• Short (Detection Interval): the average TPS over the last 10 seconds, recomputed every 10 seconds
Slide 20: TPS based – IP Detection Criteria
Example:
Long (History Interval): 50 TPS
Short (Detection Interval): 370 TPS
TPS increased by: ((370 - 50) / 50) * 100 = 640%
Slide 21: TPS based – IP Detection Criteria
The ratio criterion needs both parts: (Minimum TPS threshold for detection AND TPS increased by).
With the example above and the default minimum threshold of 40: 370 TPS ≥ 40 AND 640% ≥ the configured "TPS increased by" percentage (500% by default), so 40 AND 640% = True.
Slide 22: TPS based – IP Detection Criteria
Full criterion: (Minimum TPS threshold for detection AND TPS increased by) OR TPS reached
Example: (40 AND 640%) OR 200
"TPS increased by" is a ratio against the history interval; "TPS reached" is a fixed absolute rate (200 TPS by default). The fixed part is what catches a source that was already sending heavily during the history interval, where the ratio barely moves.
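The detection rule of slides 19 to 22, as an added example that is not F5 code: a detector keyed by an arbitrary entity string, so the same logic serves the IP criterion here and the URL and site-wide criteria later in the deck (which the deck says use the same formula). The 11.6 window lengths (history 3600 s, detection 10 s) and the defaults 40 / 500% / 200 are taken as given; everything else is this example's own.

```python
"""Added example, not F5's code: the TPS detection logic of slides
19-22, written out so the numbers can be checked.  Assumptions: 11.6
windows (history 3600 s, detection 10 s, both evaluated every 10 s)
and the default thresholds 40 / 500 % / 200."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Thresholds:
    min_tps: float = 40.0        # "Minimum TPS threshold for detection"
    increase_pct: float = 500.0  # "TPS increased by" (ratio criterion)
    tps_reached: float = 200.0   # "TPS reached" (fixed criterion)


def tps_increase_pct(long_tps: float, short_tps: float) -> float:
    """Slide 20: ((short - long) / long) * 100.  With no history at all,
    any traffic counts as an infinite increase (this example's choice)."""
    if long_tps <= 0:
        return float("inf") if short_tps > 0 else 0.0
    return (short_tps - long_tps) / long_tps * 100.0


def is_attack(long_tps: float, short_tps: float, t: Thresholds) -> bool:
    """Slide 22: (minimum TPS AND increased-by) OR TPS reached."""
    ratio_hit = (short_tps >= t.min_tps
                 and tps_increase_pct(long_tps, short_tps) >= t.increase_pct)
    fixed_hit = short_tps >= t.tps_reached
    return ratio_hit or fixed_hit


class TpsDetector:
    """Per-entity request timestamps; rates() gives the long (history)
    and short (detection) interval averages at time `now`."""

    def __init__(self, thresholds: Optional[Thresholds] = None,
                 history: float = 3600.0, detection: float = 10.0):
        self.t = thresholds or Thresholds()
        self.history = history
        self.detection = detection
        self._times: Dict[str, deque] = {}

    def record(self, entity: str, ts: float) -> None:
        """Call once per request; timestamps must arrive in order."""
        self._times.setdefault(entity, deque()).append(ts)

    def rates(self, entity: str, now: float) -> Tuple[float, float]:
        q = self._times.setdefault(entity, deque())
        while q and q[0] <= now - self.history:   # forget anything older than 1 h
            q.popleft()
        long_tps = len(q) / self.history
        short_tps = sum(1 for ts in q if ts > now - self.detection) / self.detection
        return long_tps, short_tps

    def evaluate(self, entity: str, now: float) -> bool:
        """What the profile does every 10 s: recompute both averages and
        apply is_attack()."""
        long_tps, short_tps = self.rates(entity, now)
        return is_attack(long_tps, short_tps, self.t)
```

Feed `record()` with (source IP, timestamp) for the IP criterion, with (URL, timestamp) for the URL criterion, or with a constant key for the site-wide one, and call `evaluate()` on a 10-second tick. The `is_attack(300, 330, ...)` case is the one slide 22 is about: a 10% rise fails the ratio test but 330 TPS still trips the fixed "TPS reached" value.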
Slide 23: Prevention types – Client Side Integrity Defense
Sending the CSID script
Slide 24: Client side integrity defense
• Checks JS capabilities on HTML page requests (not on resources such as images)
• A client is considered "JavaScript proper" if it meets three criteria:
  • It supports JavaScript
  • It supports HTTP cookies
  • It computes the result of a computational challenge inside the JS
• If all three are satisfied, the client is treated as legitimate and can access the site
Note: this is not CHUI.
Slide 25: Client side integrity defense – flow (User → Browser → DoS Profile → App)
1. First main-page access: the browser sends the HTTP request (no cookie).
2. The DoS profile answers with the computational challenge.
3. The browser solves the challenge, sets a cookie with a time stamp, and resends the HTTP request (with cookie).
4. The DoS profile reconstructs the original HTTP request and forwards it to the app.
5. The app returns the main page; the DoS profile passes the HTTP response to the browser.
6. The browser requests the remaining objects (with cookie); the DoS profile validates the cookie (format and time stamp) on each, forwards the object requests, and relays the responses; the browser delivers the page.
Slide 26: Client side integrity defense JS script (pre 11.6)
Slide 27: Client side integrity defense JS – reply
The browser's reply after running the challenge script; the value of the TS cookie is the result of the computational challenge.

POST /file.html HTTP/1.1
Host: 10.1.1.100
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://10.1.1.100/file.html
Cookie: TSc834b4=6fddbbe2703fc326cd19961072070e948b1d46b558e908644d2504b5; TSc834b4_77=false_ff434d341dd95fc4; TSc834b4_75=838458f8d070a4f7aca1a15e0f40083f:baec:WWXJ61tI:1507580388
Content-Type: application/x-www-form-urlencoded
Content-Length: 69

TSc834b4_id=3&TSc834b4_md=1&TSc834b4_rf=0&TSc834b4_ct=0&TSc834b4_pd=0
Slide 28: Client side integrity defense – 11.6 JS
Slide 29: Client side integrity defense – how does it mitigate?
• If the client did not solve the challenge, there is no follow-up request (nothing reaches the server).
• If the client did solve the challenge but:
  • the cookie has the wrong format: RST
  • the time stamp has expired: RST
• If a client requests a resource (e.g. an image) without first obtaining the cookie, it is blocked.
Slide 30: Client side integrity defense – limitations
ASM does not send the client-side challenge for:
• Requests larger than 10 KB
• Multipart requests
• Chunked requests
• Requests that send an Expect: 100-continue header
• Requests that do not use the GET or POST method
• Requests for resources: GIF, ICO, PNG, JPG, BMP, CSS
A request that matches one of these exemptions is therefore never tested by CSID; an attacker who sends only such requests is caught by the next prevention policy in the escalation order, not by this one.
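The challenge, cookie validation and exemption rules of slides 24 to 30, as an added example that is not F5's implementation. The cookie layout (nonce:issued_at:tag:solution), the hash puzzle the client solves, the HMAC tag and the 300-second lifetime are this example's assumptions; the real TS cookie is opaque and its format is not described on the slides. Headers are passed as a dict with lower-case names.

```python
"""Added example, not F5's implementation: a minimal client-side
integrity check modelled on slides 24-30.  Cookie format, puzzle and
lifetime are assumptions of this example."""
import hashlib
import hmac
import os
from typing import Dict, Optional

SECRET = os.urandom(32)       # assumption: a per-device key generated at start-up
COOKIE_NAME = "TSdemo"
COOKIE_TTL = 300              # seconds (5 min, as on slides 35 and 61)
DIFFICULTY = 12               # leading zero bits the solution hash must have
RESOURCE_EXT = (".gif", ".ico", ".png", ".jpg", ".bmp", ".css")   # slide 30


def is_challengeable(method: str, path: str, headers: Dict[str, str], body_len: int) -> bool:
    """Slide 30: the requests that never receive the challenge script."""
    if body_len > 10 * 1024:
        return False
    if headers.get("content-type", "").lower().startswith("multipart/"):
        return False
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return False
    if headers.get("expect", "").lower() == "100-continue":
        return False
    if method not in ("GET", "POST"):
        return False
    return not path.lower().endswith(RESOURCE_EXT)


def _tag(nonce: str, issued_at: int) -> str:
    """Server MAC so a client cannot mint its own nonce or time stamp."""
    return hmac.new(SECRET, f"{nonce}:{issued_at}".encode(), hashlib.sha256).hexdigest()[:16]


def _solves(nonce: str, solution: str) -> bool:
    digest = hashlib.sha256(f"{nonce}:{solution}".encode()).digest()
    return int.from_bytes(digest, "big") < (1 << (256 - DIFFICULTY))


def issue_challenge(now: float) -> dict:
    """Server side: what the injected JS receives."""
    nonce, issued_at = os.urandom(8).hex(), int(now)
    return {"nonce": nonce, "issued_at": issued_at, "tag": _tag(nonce, issued_at)}


def solve_challenge(challenge: dict) -> str:
    """Client side: the work the browser's JS does (brute-force a counter);
    returns the cookie value to send back."""
    n = 0
    while not _solves(challenge["nonce"], str(n)):
        n += 1
    return f"{challenge['nonce']}:{challenge['issued_at']}:{challenge['tag']}:{n}"


def validate_cookie(value: str, now: float) -> Optional[str]:
    """None when valid, otherwise why the request is reset (slide 29)."""
    parts = value.split(":")
    if len(parts) != 4 or not all(parts) or not parts[1].isdigit():
        return "bad-format"
    nonce, issued_s, tag, solution = parts
    issued_at = int(issued_s)
    if not hmac.compare_digest(tag, _tag(nonce, issued_at)):
        return "bad-format"          # forged or tampered cookie
    if now < issued_at or now - issued_at > COOKIE_TTL:
        return "expired"
    if not _solves(nonce, solution):
        return "bad-format"          # challenge not actually solved
    return None


def _cookie(headers: Dict[str, str]) -> Optional[str]:
    for part in headers.get("cookie", "").split(";"):
        name, _, val = part.strip().partition("=")
        if name == COOKIE_NAME:
            return val
    return None


def handle(method: str, path: str, headers: Dict[str, str], body_len: int, now: float) -> str:
    """Decision for one request while CSID prevention is active:
    'challenge' (serve the script), 'forward' (to the app) or 'rst'."""
    value = _cookie(headers)
    if value is not None:
        return "forward" if validate_cookie(value, now) is None else "rst"
    if path.lower().endswith(RESOURCE_EXT):
        return "rst"                 # slide 29: resource fetched before the HTML page
    if is_challengeable(method, path, headers, body_len):
        return "challenge"
    return "forward"                 # assumption: other exempt requests (slide 30) pass through
```

The exchange in order: `handle()` on a cookieless page request returns "challenge"; the client runs `solve_challenge()` on what `issue_challenge()` produced and resends with the cookie; `handle()` now forwards. A cookieless image request is reset outright, and a forged tag, a malformed value or a time stamp older than 300 s are the three "RST" cases of slide 29.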
Slide 31: Prevention types – CAPTCHA prevention policy
Sending a CAPTCHA
Slide 32: CAPTCHA
The strongest of the three policies for telling a human from a bot.
Sends a challenge to every IP that reached the IP detection criteria thresholds.
Slide 33: CAPTCHA – response setting
The Failure Response page is served if the first attempt fails.
Slide 34: CAPTCHA – flow (User → Browser → DoS Profile → App)
1. The user requests mypage.php; the browser sends GET /mypage.php (no cookie).
2. The DoS profile answers with the CAPTCHA HTML + JS and a cookie with a time stamp; the browser renders the CAPTCHA.
3. The user solves the CAPTCHA; the browser submits the solution as GET /mypage.php with the CAPTCHA cookie.
4. The DoS profile verifies the CAPTCHA solution, validates the cookie, and forwards GET /mypage.php to the app.
5. The app returns the HTML of mypage.php; the DoS profile passes it on; the browser renders mypage.php.
6. After 5 minutes the cookie expires and the client gets another CAPTCHA.
Slide 35: CAPTCHA – how does it mitigate?
• If the client did not submit the challenge: no reply, so no request is DoSing us.
• If the client did not solve the challenge but keeps sending attacks: what happens? (quiz)
• If the client did solve the challenge but:
  • the cookie has the wrong format: RST
  • the time stamp has expired (5 min): RST
Slide 36: Prevention types – Request Blocking
Resetting connections
Slide 37: Request Blocking – how does it mitigate?
Request Blocking has two modes:
• Blocking
• Rate Limit
Slide 38: Request Blocking – how does it mitigate?
• Rate Limit: limits the detected entity to its long (history) interval TPS rate; connections above that rate are reset.
• Blocking: blocks all traffic from the detected entity.
Example:
If the long interval was 50 TPS
and the short interval rises to 150 TPS,
rate limit to 50 TPS.
Slide 39: TPS based with IP detection criteria and its prevention
All IPs that reached the thresholds get:
• Client Side Integrity Check
• CAPTCHA Challenge
• Request Blocking
Slide 40: TPS Based Anomaly – Geolocation Detection Criteria
Monitoring IPs by country
Slide 41: New L7 DoS prevention methods – Geolocation
Mitigating based on location
Slide 42: Geolocation – detection
Geolocation is measured relative to the whole traffic of the site. A country is detected when both hold:
• its share of the site's requests increased by 500% (short interval against history)
AND
• it accounts for at least 10% of the whole site's traffic.
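The two-part geolocation rule above, together with the country whitelist and blacklist semantics described later in the deck, as an added example that is not F5 code. The 500% and 10% are the slide's numbers; the per-country request counts are constructed for the example, and which countries appear in the lists is configuration.

```python
"""Added example, not F5's code: slide 42's geolocation criterion.  A
country is flagged when its share of site traffic in the detection
interval is at least `increase_pct` above its share in the history
interval AND it holds at least `min_share` of current traffic.  The
whitelist/blacklist handling follows the deck's geolocation listing."""
from collections import Counter
from typing import Dict, Iterable


def share(counts: Counter) -> Dict[str, float]:
    """Fraction of all requests per country."""
    total = sum(counts.values())
    return {c: n / total for c, n in counts.items()} if total else {}


def geo_detect(history: Counter, detection: Counter,
               increase_pct: float = 500.0, min_share: float = 10.0,
               whitelist: Iterable[str] = (), blacklist: Iterable[str] = (),
               attack_in_progress: bool = False) -> Dict[str, str]:
    """history/detection: requests per country over the long / short
    interval (constructed Counters in the test).  Returns the countries
    that would receive the configured prevention, with the reason."""
    hist_share, det_share = share(history), share(detection)
    whitelist, blacklist = set(whitelist), set(blacklist)
    flagged: Dict[str, str] = {}
    for country, s in det_share.items():
        if country in whitelist:          # always allowed, thresholds ignored
            continue
        if country in blacklist and attack_in_progress:
            flagged[country] = "blacklist"  # always blocked once an attack is detected
            continue
        base = hist_share.get(country, 0.0)
        increase = float("inf") if base == 0 else (s - base) / base * 100.0
        if s * 100.0 >= min_share and increase >= increase_pct:
            flagged[country] = f"share {s:.0%} (+{increase:.0f}%)"
    return flagged
```

The minimum-share guard is the part worth noticing: a country that goes from 0.6% to 5% of the site has increased by far more than 500% but is not flagged, which keeps a small legitimate surge from a minor market from being country-blocked.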
Slide 43: Geolocation – prevention
All clients coming from the detected country get:
• Client Side Integrity Check
• CAPTCHA Challenge
• Request Blocking (note that blocking will block all users from that country)
Slide 44: Geolocation – listing
• Geolocation whitelist: countries that are allowed access to the web site regardless of the geolocation detection criteria thresholds (applies to the geolocation criteria only).
• Geolocation blacklist: countries that the system always blocks whenever it detects a DoS attack, regardless of the thresholds set in the DoS profile.
Slide 45: TPS Based Anomaly – URL Detection Criteria
Monitoring URLs
Slide 46: URL Detection Criteria
Collects TPS per URL (up to 10k URLs).
Same rule as for IPs: (TPS increased by, the ratio of short to long interval, AND Minimum TPS threshold for detection) OR TPS reached.
Slide 47: URL Detection Criteria – prevention
All clients that access the detected URL get:
• Client Side Integrity Check
• CAPTCHA Challenge
• Request Blocking – rate limit only (no "block all")
Slide 48: TPS Based Anomaly – Site-Wide Detection Criteria
Monitoring the entire site: all URLs and all IPs
Slide 49: TPS Based Anomaly – Site-Wide Detection Criteria
Collects TPS for the whole site.
Same rule again: (TPS increased by, the ratio of short to long interval, AND Minimum TPS threshold for detection) OR TPS reached.
Slide 50: Site-Wide Detection Criteria – prevention
All clients that access the site get:
• Client Side Integrity Check
• CAPTCHA Challenge
• Request Blocking – rate limit only, no blocking
Slide 51: Prevention duration
Order of the prevention policies:
1. Client Side Integrity Check
2. CAPTCHA Challenge
3. Request Blocking
The system escalates top-down, one step every 120 seconds, as long as the attack is still increasing.
When it de-escalates, it starts again from the top.
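The escalation of slide 51 and the rate-limit behaviour of slide 38, as an added example that is not F5 code. What the deck states is used as given: the order CSID, CAPTCHA, Request Blocking; one step every 120 seconds while the short-interval TPS is still rising; a return to the first policy when the attack ends; and a rate limit equal to the history TPS. How "still increasing" is measured (short TPS higher than at the previous tick) and the sliding one-second admission window are this example's assumptions.

```python
"""Added example, not F5's code: prevention escalation (slide 51) and
rate limiting (slide 38) as a small state machine.  Which policies are
enabled is configuration, passed in as a list."""
from collections import deque
from typing import Iterable, Optional

ORDER = ["client_side_integrity", "captcha", "request_blocking"]
ESCALATE_AFTER = 120.0   # seconds between escalation steps (slide 51)


class PreventionState:
    def __init__(self, enabled: Iterable[str], history_tps: float):
        self.enabled = [p for p in ORDER if p in set(enabled)]  # keep the deck's order
        self.idx = 0
        self.history_tps = history_tps        # the long-interval rate to limit to
        self.last_step: Optional[float] = None
        self.last_rate: Optional[float] = None
        self._passed: deque = deque()         # timestamps admitted in the last second

    @property
    def active(self) -> Optional[str]:
        return self.enabled[self.idx] if self.enabled else None

    def observe(self, now: float, short_tps: float) -> Optional[str]:
        """Called once per detection interval with the current short TPS;
        returns the policy that should be applied now."""
        if self.last_step is None:
            self.last_step = now
        still_increasing = self.last_rate is not None and short_tps > self.last_rate
        self.last_rate = short_tps
        if (still_increasing and now - self.last_step >= ESCALATE_AFTER
                and self.idx < len(self.enabled) - 1):
            self.idx += 1                     # escalate one step down the list
            self.last_step = now
        return self.active

    def attack_ended(self) -> None:
        """De-escalation: back to the top of the list."""
        self.idx, self.last_step, self.last_rate = 0, None, None
        self._passed.clear()

    def admit(self, now: float) -> bool:
        """Rate-limit mode of Request Blocking: allow at most history_tps
        requests per sliding second; the rest are reset."""
        while self._passed and self._passed[0] <= now - 1.0:
            self._passed.popleft()
        if len(self._passed) < self.history_tps:
            self._passed.append(now)
            return True
        return False
```

With the slide 38 numbers (history 50 TPS, short 150 TPS) `admit()` lets 50 of every 150 requests per second through and rejects the other 100; the escalation in `observe()` only advances when the rate at this tick is higher than at the previous one, so a steady attack stays at its current policy.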
Slide 52: Questions?
http://www.digitalattackmap.com/
Slide 53: Latency Based Anomaly
Slide 54: Latency Based Anomaly
1. TPS is measured; if it reaches its thresholds,
2. latency is measured; if it reaches its thresholds,
3. the prevention policy is activated.
Slide 55: Quiz
Which prevention policy is activated when the detection criteria (1) are reached and the suspicious IP criteria (2) are reached?
Slide 56: Latency Based Anomaly vs TPS Based Anomaly
Which is better for DoS protection?
Slide 57: A few more sections, we are getting there
Slide 58: Proactive Bot Defense
• Sends the client-side (CS) challenge to ALL clients, so bots are mitigated all the time, not only once an attack is detected.
• The cookie is sent and then validated by PBD: RST or allowed.
Slide 59: Proactive Bot Defense
Slide 60: PBD – client side integrity defense – flow
Same sequence as the client side integrity defense flow on slide 25 (first request without cookie, computational challenge, solved challenge sets a cookie with a time stamp, request with cookie is reconstructed and forwarded, later object requests carry the cookie and are validated on format and time stamp), with the difference that under PBD the challenge is sent to every client.
Slide 61: Proactive Bot Defense – configuration
• Always: the CS challenge is sent all the time.
• During attack: PBD sends the CS challenge only while another component of the DoS profile is in DoS mode. This gives a second layer of protection (rate limit plus PBD).
• Grace period: the cookie expiration time, 300 s = 5 min; also used to prevent mass blocking when PBD starts during an attack.
• White list: for cases where, e.g., Flash sends a request without a cookie.
Slide 62: Proactive Bot Defense – configuration (cross-domain)
• Cross-domain handling covers the case where other sites/domains access the site protected by PBD.
• The CS challenge works on HTML requests.
• Resource requests (images) arriving without a cookie are reset, which is what happens when a resource is requested before the HTML page that sets the cookie.
• The cross-domain setting lets you add third-party domains to the white list so that they can access the resource.
Slide 63: Proactive Bot Defense – cross-domain example
User → www.yahoo.com (Proactive Bot Defense on) and → yimg.com (Proactive Bot Defense on)

GET /index.php? HTTP/1.1
Host: www.yahoo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.29.46.32/
Cookie: SESSION=693c11f1f299b501be5add6067c29ea3; TS0191700e=011fbae73d73f535821bb42d9f5c9164b50b43df2a02bb484f639d38772307fb6e4075c65515e8906e46c4b2f656857368425bf379
Connection: keep-alive

GET /index.php? HTTP/1.1
Host: yimg.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.29.46.32/
Cookie: SESSION=693c11f1f299b501be5add6067c29ea3; TS0191700e=011fbae73d73f535821bb42d9f5c9164b50b43df2a02bb484f639d38772307fb6e4075c65515e8906e46c4b2f656857368425bf379
Connection: keep-alive
Slide 64: Heavy URLs
Slide 65: Heavy URLs
• Some URLs may be heavy, e.g. a search box.
• Heavy URLs consume more processing resources on the server.
• Even a few requests can cause high latency.
Slide 66: Heavy URL precondition configuration
Slide 67: Heavy URL precondition
Heavy URL – Mitigation
When any URL based is mitigating, the heavy URL’s that detected will get this mitigation
Slide 69: Heavy URL – configuration
Automatic detection: the system measures latency on URLs for 24 hours and then decides which ones are heavy.
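Per-URL latency bookkeeping for the automatic heavy-URL detection of slide 69, the mitigation rule of slide 68 and the two-step latency anomaly of slide 54, as an added example that is not F5 code. The 24-hour learning window is the slide's; the latency threshold that makes a URL "heavy" (1000 ms here), the use of a plain average, and the sample latencies are this example's assumptions, since the slides show only the configuration screens.

```python
"""Added example, not F5's code: latency averages per URL and site-wide,
heavy-URL selection after a 24 h learning window (slide 69), the
heavy-URL mitigation rule (slide 68) and the latency anomaly trigger
(slide 54).  The 1000 ms heavy threshold is an assumption."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

LEARN_SECONDS = 24 * 3600          # slide 69: automatic detection measures for 24 hours


@dataclass
class UrlStats:
    count: int = 0
    total_ms: float = 0.0

    @property
    def avg_ms(self) -> float:
        return self.total_ms / self.count if self.count else 0.0


class LatencyMonitor:
    """Per-URL and site-wide latency averages."""

    def __init__(self, heavy_ms: float = 1000.0, learn_seconds: float = LEARN_SECONDS):
        self.heavy_ms = heavy_ms              # assumption: average latency that makes a URL heavy
        self.learn_seconds = learn_seconds
        self.started: Optional[float] = None
        self.urls: Dict[str, UrlStats] = defaultdict(UrlStats)
        self.site = UrlStats()

    def record(self, now: float, url: str, latency_ms: float) -> None:
        """One completed transaction: server response time for `url`."""
        if self.started is None:
            self.started = now
        for stats in (self.urls[url], self.site):
            stats.count += 1
            stats.total_ms += latency_ms

    def learning(self, now: float) -> bool:
        return self.started is None or now - self.started < self.learn_seconds

    def heavy_urls(self, now: float) -> List[str]:
        """Empty while the 24 h learning window is still running."""
        if self.learning(now):
            return []
        return sorted(u for u, s in self.urls.items() if s.avg_ms >= self.heavy_ms)

    def urls_to_mitigate(self, now: float, detected_urls: List[str]) -> List[str]:
        """Slide 68: while a URL-based mitigation is active for the detected
        URLs, the heavy URLs receive the same mitigation."""
        if not detected_urls:
            return []
        return sorted(set(detected_urls) | set(self.heavy_urls(now)))


def latency_anomaly(site_tps: float, site_latency_ms: float,
                    tps_threshold: float, latency_threshold_ms: float) -> bool:
    """Slide 54: (1) TPS reached its threshold, (2) latency reached its
    threshold, only then (3) is the prevention policy activated."""
    return site_tps >= tps_threshold and site_latency_ms >= latency_threshold_ms
```

The demo later in the deck adds `sleep(3)` to sell.php, which is exactly the 3000 ms case in the test: a handful of slow requests makes that one URL heavy while the site average barely moves, so the per-URL view finds it and the site-wide latency anomaly alone would not.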
Slide 70: Heavy URL – reporting
Slide 71: White list for the DoS profile
The IP white list applies to all DoS features, and whitelisted traffic is also excluded from measurement: if a whitelisted IP sends 1000 requests to a specific URL, those requests are not counted in the data collected for that URL.
Slide 72: Reporting
Slide 73: Reporting
1. Security -> Event Logs -> DoS -> Application Events / Attacks
2. Security -> Reporting -> DoS -> Overview Summary -> .....
Slide 74: Security -> Event Logs -> DoS -> Application Attacks
Provides a summary of a specific attack ID.
Slide 75: Security -> Event Logs -> DoS -> Application Attacks
Provides details on a specific attack ID.
Slide 76: Security -> Event Logs -> DoS -> Application Events
Provides details on a specific event ID. Events are:
• Attack start
• Attack end
• Change mitigation
Slide 77: Security -> Reporting -> DoS -> Overview Summary
AVR graphs
Slide 78: Graph index
• Incomplete: traffic that reached the server and was dropped by the server; the system performed no DoS mitigation on it. Transactions were reset and responses did not get to the client.
• BIG-IP Response: traffic that did not reach the server but was answered to the client by BIG-IP modules not mentioned in the legend (i.e. a response from sources other than DoS and Cache).
• Cached by BIG-IP: traffic served from the cache configured in the Web Acceleration profile.
• Whitelisted: traffic that reached the server from IP addresses on the IP address whitelist in the DoS profile.
• Passthrough: traffic that reached the server with no mitigation applied to it.
• Blocked: traffic that was blocked as a result of the prevention policy in the DoS profile.
• Proactive Mitigation: number of times the proactive (CSID) challenge was served.
• CAPTCHA Mitigation: number of times a CAPTCHA was served.
• CS Integrity Mitigation: number of times the client-side integrity (CSID) challenge was served.
Slide 79: Graph index – which prevention initiated the blocking?
Slide 80: Graphs – source IP
Slide 81: Demo how-to
― Can you demo it?
o What do you want to see?
― What do you have?
o Everything.
― Ha, ok, so start with everything.
Slide 82: Steps to demo
Trigger thresholds:
• IP detection criteria
• Geolocation detection criteria
• URL detection criteria
• Site-wide detection criteria
Choose prevention:
• CSID
• CAPTCHA
• Request blocking
Show the change of mitigation in the reports.
Slide 83: Simulating detection – TPS based anomaly
Lowering the thresholds
Slide 84: How do we trigger detection?
1. IP Detection – lots of requests from a single IP to any URL
2. Geolocation – IPs from a different country
3. URL Detection – lots of requests to a specific URL
4. Site-Wide – lots of requests from any IP to any URLs
By the way: which should we trigger, "TPS increased by" or "TPS reached"?
Slide 85: Load with JMeter
• Provides the increase in TPS
• Uses XFF (X-Forwarded-For) to simulate various source IPs
• Targets a specific URL
• Targets multiple URLs from multiple IPs (XFF)
For the DoS profile to treat the XFF address as the client IP, enable Accept XFF in the HTTP profile: Local Traffic -> Profiles -> Services -> HTTP.
Slide 86: How do we show prevention?
Options for the demo:
• CSID – show the RST
• CAPTCHA – show it in a browser
• Request Blocking – show the RST
Slide 87: Demo CSID or Request Blocking – block all
wget:
wget -r --user-agent="Mozilla/5.0 (Windows NT 5.2; rv:2.0.1) Gecko/20100101 Firefox/4.0.1" --no-check-certificate 172.29.46.36
Start JMeter, then keep running wget until you see a RST. The same steps demonstrate CSID and Request Blocking with block all: wget does not run JavaScript, so it never obtains the CSID cookie, and its recursive resource fetches arrive without one and are reset.
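The load-generation part of the demo on slides 84 to 87, as an added example that is not part of the deck: a small Python stand-in for JMeter that spoofs client addresses with X-Forwarded-For, sends the request mix that trips each TPS criterion, and tallies reset connections against CAPTCHA pages. The lab address 172.29.46.36 is the one on slide 87 (assumed to be plain HTTP); the URL list, the 203.0.113.0/24 addresses and the "captcha" page marker are constructed for this example. Use it only against a lab you own.

```python
"""Added example, not part of the deck: a Python stand-in for the
JMeter/wget demo of slides 84-87.  Addresses, URL list and the CAPTCHA
page marker are this example's assumptions."""
import http.client
import random
import socket
import sys
from typing import List, Optional, Tuple

ORIGIN = ("172.29.46.36", 80)      # lab virtual server from slide 87 (assumed plain HTTP)
URLS = ["/", "/index.php", "/sell.php", "/search.php"]   # constructed for the example


def fake_ips(n: int, prefix: str = "203.0.113.") -> List[str]:
    """Addresses for the XFF header.  For the geolocation criterion pass a
    prefix that actually geolocates to one country (not known here)."""
    return [f"{prefix}{i}" for i in range(1, n + 1)]


def plan(criterion: str, count: int, ips: Optional[List[str]] = None) -> List[Tuple[str, str]]:
    """Slide 84: (XFF address, URL) pairs that trigger each criterion."""
    ips = ips or fake_ips(20)
    if criterion == "ip":            # one IP, many requests, any URL
        return [(ips[0], random.choice(URLS)) for _ in range(count)]
    if criterion in ("url", "geo"):  # many IPs, one URL (geo: IPs of one country)
        return [(random.choice(ips), "/sell.php") for _ in range(count)]
    if criterion == "site":          # many IPs, many URLs
        return [(random.choice(ips), random.choice(URLS)) for _ in range(count)]
    raise ValueError(f"unknown criterion {criterion!r}")


def hit(xff: str, path: str, timeout: float = 5.0):
    """One GET; returns ('reset', error name) when the connection is torn
    down (request blocking / an unanswered CSID challenge), else
    (status, body).  Requires the HTTP profile to accept XFF (slide 85)."""
    conn = http.client.HTTPConnection(ORIGIN[0], ORIGIN[1], timeout=timeout)
    try:
        conn.request("GET", path, headers={
            "Host": ORIGIN[0],
            "X-Forwarded-For": xff,
            "User-Agent": "Mozilla/5.0 (demo load generator)",
        })
        resp = conn.getresponse()
        return resp.status, resp.read()
    except (ConnectionResetError, http.client.RemoteDisconnected,
            socket.timeout, OSError) as exc:
        return "reset", type(exc).__name__
    finally:
        conn.close()


def summarize(results) -> dict:
    """Tally for the 'show RST' / 'show CAPTCHA' steps of slide 86."""
    counts = {"reset": 0, "captcha": 0, "passed": 0}
    for status, body in results:
        if status == "reset":
            counts["reset"] += 1
        elif isinstance(body, bytes) and b"captcha" in body.lower():
            counts["captcha"] += 1       # assumption: the CAPTCHA page contains the word
        else:
            counts["passed"] += 1
    return counts


if __name__ == "__main__":
    criterion = sys.argv[1] if len(sys.argv) > 1 else "ip"
    print(summarize(hit(ip, path) for ip, path in plan(criterion, 500)))
```

Run it as `python loadgen.py ip` (or `url`, `site`) after lowering the thresholds as on slide 83; a rising "reset" count is the RST that slide 86 asks you to show, and a non-zero "captcha" count is the point at which a browser would see the CAPTCHA page. Like wget, this client never executes the challenge script, so under CSID every request after the first ends up in the "reset" column.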
Slide 88: Demo CAPTCHA with a browser
Start JMeter, then browse to the virtual IP with a browser until you see a CAPTCHA.
Slide 89: Simulate latency (heavy URL + Latency Based Anomaly)
Edit sell.php (vi sell.php) and add sleep(3); so every request to it takes 3 seconds, then lower the thresholds.
Slide 90: Tools – browser + F5 key
Any of the preventions can be simulated by holding down the F5 (refresh) key in the browser until resets or a CAPTCHA occur.
Questions?
lior@f5.com

More Related Content

ASM 11.6 DDoS profile- lior rotkovitch

  • 1. © F5 Networks, Inc 1 DDOS – 11.6 DOS PROFILE DECEMBER 2015 SEATTLE Lior Rotkovitch NPIE ASM Tel Aviv lior@f5.com
  • 2. © F5 Networks, Inc 2 Index • Configuration Overview • TPS based Anomalies • Detection • IP Detection Criteria • Geolocation Detection Criteria • URL Detection Criteria • Site-Wide Detection Criteria • Prevention • Client Side Integrity Defense • CAPTCHA • Request Blocking • PBD • Heavy URL’s • Reporting • Demo – how to • Badger Changes • Latency Based Anomalies • Detection • Prevention
  • 3. © F5 Networks, Inc 3 Configuring DoS profile Goto: • Local Traffic • Virtual Server • Security • Policies
  • 4. © F5 Networks, Inc 4 Configuring DoS profile
  • 5. © F5 Networks, Inc 5 Configuring DoS profile Goto: Security DoS Protection DoS Profiles DoS Profile Properties
  • 6. © F5 Networks, Inc 6 • TPS based anomaly • Latency based anomaly • Heavy URL Protection • Proactive Bot Defense • Geolocations DoS Profile Main Sections
  • 7. © F5 Networks, Inc 7 1. Monitoring entities: TPS Latency IP’s URL’s 2. Detecting Increase 3. Activating Prevention DDoS Profile Concept Users IP Servers Database RPS TPS LatencyURL’s
  • 8. © F5 Networks, Inc 8 TPS Based Anomaly
  • 9. © F5 Networks, Inc 9 TPS Based Anomaly – Detection Basic Concept 1. IP Detection Criteria 2. Geolocation Detection Criteria 3. URL Detection Criteria 4. Site-Wide Detection Criteria Detection Configure the RPS (TPS) thresholds that above them ASM will activate prevention
  • 10. © F5 Networks, Inc 10 TPS Based Anomaly – Prevention Basic Concept 1. Client Side Integrity Check 2. CAPTCHA Challenge 3. Request Blocking Each can be activated from one of the 4 detection criteria Prevention
  • 11. © F5 Networks, Inc 11 TPS based GUI
  • 12. © F5 Networks, Inc 12 TPS Based Anomaly 1. IP Detection Criteria - Settings 2. Preventions polices: a) Client Side Integrity Check b) CAPTCHA c) Request Blocking 3. Geolocation Detection Criteria + Preventions Polices 4. URL Detection Criteria + Preventions Polices 5. Site Wide Detection Criteria + Preventions Polices 1 2a 2b 2c 3 4 5
  • 13. © F5 Networks, Inc 13 TPS based Anomaly - Concept IP Detection measure RPS arriving from source IP’s If TPS reached thresholds it will activate the configured prevention
  • 14. © F5 Networks, Inc 14 TPS based Anomaly - Concept If TPS reached thresholds and CAPCHA challenge is checked Dos protection will send CAPTCHA challenge to the IP that reached the thresholds
  • 15. © F5 Networks, Inc 15 TPS based - IP Detection Criteria Concept Can you explain?
  • 16. © F5 Networks, Inc 16 TPS based - IP Detection Criteria Concept If TPS reached thresholds and Client Side Integrity Defense is checked Dos protection will send Client Side Integrity Defense to the IP that reached the thresholds– WHY ? Source IP Based = IP Detection Criteria Prevention Detection We measure source IP that their TPS is increased
  • 17. © F5 Networks, Inc 17 IP Detection Criteria – config overview Monitoring Source IP’s
  • 18. © F5 Networks, Inc 18 • The two type of time intervals: • Long (History Interval): accumulates TPS rate averages for 1 hour at 1 Minute intervals • Short (Detection Interval): accumulates TPS rate averages for 1 Minute at 1 seconds intervals IP Detection Criteria Calculating TPS increased by – PRE 11.6
  • 19. © F5 Networks, Inc 19 • The two type of time intervals: • Long (History Interval): Measure the last 1 hour TPS average every 10 seconds • Short (Detection Interval): Measure the last 10 seconds TPS average every 10 seconds Calculating TPS increased by – 11.6
  • 20. © F5 Networks, Inc 20 TPS based - IP Detection Criteria Example: Long (History Interval): 50 TPS Short (Detection Interval): 370 TPS TPS increased by: ((370 - 50) /50)*100 = 640%
  • 21. © F5 Networks, Inc 21 TPS based - IP Detection Criteria (Minimum TPS thresholds for detection AND TPS increased by) 40 AND 640% = True AND
  • 22. © F5 Networks, Inc 22 TPS based - IP Detection Criteria AND (Minimum TPS thresholds for detection AND TPS increased by) OR TPS reached 40 AND 640% OR 200 OR (fixed)(ratio)
  • 23. © F5 Networks, Inc 23 Prevention types: Client Side Integrity Defense Sending CSID script
  • 24. © F5 Networks, Inc 24 • Checking JS capabilities on HTML pages (not resources – image) • A client is considered JavaScript Proper if it meets the following three criteria: • The client must support JavaScript • The client must support HTTP cookies • The client should calculate the result of a computational challenge inside the JS • If satisfied = legitimate client that can access the site Note: is not CHUI Client side integrity defense
  • 25. © F5 Networks, Inc 25 Client side integrity defense - flow User Browser DoS Profile App First main page access HTTP Request (no cookie) Computational challenge Solve challenge/ set cookie with time stamp HTTP Request (cookie) Reconstruct request Original HTTP Request HTTP Response (main page) HTTP Response (main page) More object requests (cookie) Validate cookie: format & time stamp More object requests More responses More responsesDeliver page
  • 26. © F5 Networks, Inc 26 Client side integrity defense JS script ( PRE 11.6)
  • 27. © F5 Networks, Inc 27 POST /file.html HTTP/1.1 Host: 10.1.1.100 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive Referer: http://10.1.1.100/file.html Cookie: TSc834b4=6fddbbe2703fc326cd19961072070e948b1d46b558e908644d2504b5; TSc834b4_77=false_ff434d341dd95fc4; TSc834b4_75=838458f8d070a4f7aca1a15e0f40083f:baec:WWXJ61tI:1507580388 Content-Type: application/x-www-form-urlencoded Content-Length: 69 TSc834b4_id=3&TSc834b4_md=1&TSc834b4_rf=0&TSc834b4_ct=0&TSc834b4_pd=0 Client side integrity defense JS - reply The value of this cookie will be the result of the computational challenge
  • 28. © F5 Networks, Inc 28 Client side integrity defense – 11.6 JS
  • 29. © F5 Networks, Inc 29 • If didn’t solve the challenge – there is no reply (no request) • If did solve the challenge but: • Cookie is wrong format – RST • Time stamp expired – RST • If client access a resource (image) without getting the cookie first he will be blocked Client side integrity defense – how it is mitigating ?
  • 30. © F5 Networks, Inc 30 • ASM system does not send the CS challenge to: • Request that is greater than 10 KB • Multipart request • Chunked request • Request that sends an Expect: 100-continue header • Request that do not use GET or POST method • Request for resources : GIF, ICO, PNG, JPG, BMP, CSS Client side integrity defense – limitation
  • 31. © F5 Networks, Inc 31 Prevention types: CAPTCHA Prevention policy Sending CAPTCHA
  • 32. © F5 Networks, Inc 32 CAPTCHA Ultimate solution for identifying human or bot Send challenge to every IP that reached IP detection criteria thresholds
  • 33. © F5 Networks, Inc 33 CAPTCHA – Response setting Failure Response page is served if the first attempted fails
  • 34. © F5 Networks, Inc 34 CAPTCHA - flow User Browser DoS Profile App Request mypage.php GET /mypage.php (no cookie) CAPTCHA HTML +JS response Cookie with time stamp Solve CAPTCHA CAPTCHA rendered Submit CAPTCHA solution GET /mypage.php + CAPTCHA cookie Verify CAPTCHA solution Validate cookie GET /mypage.php HTML of mypage.phpHTML of mypage.php mypage.php rendered 5 min and then gets a another CAPTCAH
  • 35. © F5 Networks, Inc 35 • If didn’t submit the challenge - not reply (no request DOSing us) • If didn’t solve the challenge but still sending us attacks ? What will happen ? • If did solve the challenge but: • Cookie is wrong format – RST • Time stamp expired 5 min– RST CAPTCHA – how it is mitigating ?
  • 36. © F5 Networks, Inc 36 Prevention types: Request Blocking Resting connections
  • 37. © F5 Networks, Inc 37 Request Blocking – how it is mitigating ? • Request Blocking: • Blocking: • Rate Limit:
  • 38. © F5 Networks, Inc 38 Request Blocking – how it is mitigating ? • Rate limit will limit to long (history) TPS rate • Blocking • Block all traffic Example If long was 50 TPS And increase in short is 150 TPS Rate limit to 50 TPS
  • 39. © F5 Networks, Inc 39 TPS based with IP detection criteria and their prevention Client Side Integrity Check CAPTCHA Challenge Request Blocking All IP’s that reached the thresholds :
  • 40. © F5 Networks, Inc 40 TPS Based Anomaly : Geolocation Detection Criteria Monitoring IP’s by country
  • 41. © F5 Networks, Inc 41 New L7 DoS Prevention Methods - Geolocation mitigating based on location
  • 42. © F5 Networks, Inc 42 • Geolocation –relative to the whole traffic of the site: 500 % request increase of the whole site from specific country AND At least 10 % of the whole site traffic Geolocation - Detection AND
  • 43. © F5 Networks, Inc 43 Geolocation – prevention Client Side Integrity Check CAPTCHA Challenge Request Blocking (note that blocking will block all users from this country) All clients coming from the specific country
  • 44. © F5 Networks, Inc 44 Geolocation – listing allows access to the web site regardless of geolocation detection criteria thresholds only. Specifies the countries that the system always blocks whenever the system detects that there is a DoS attack regardless of the thresholds set in the DoS profile
  • 45. © F5 Networks, Inc 45 TPS Based Anomaly: URL Detection Criteria Monitoring URL’s
  • 46. © F5 Networks, Inc 46 Collecting TPS on URLs (10k) TPS increase by: ration of long and short AND Minimum TPS thresholds for detection They are OR with TPS reached URL Detection Criteria
  • 47. © F5 Networks, Inc 47 URL Detection Criteria– prevention Client Side Integrity Check CAPTCHA Challenge Request Blocking – Rate limit (No blocking all) All clients that access the URL:
  • 48. © F5 Networks, Inc 48 TPS Based Anomaly: Site-Wide Detection Criteria Monitoring the entire site – URL’s & IP’s
  • 49. © F5 Networks, Inc 49 TPS Based Anomaly - Site-Wide Detection Criteria Collecting TPS on all site TPS increase by: ration of long and short AND Minimum TPS thresholds for detection They are OR with TPS reached
  • 50. © F5 Networks, Inc 50 Site-Wide Detection Criteria – prevention Client Side Integrity Check CAPTCHA Challenge Request Blocking - only rate limit no blocking All clients that access the site:
  • 51. © F5 Networks, Inc 51 Prevention duration Client Side Integrity Check CAPTCHA Challenge Request Blocking Escalate top down every 120 second if attack is still increasing De escalate to start from the top
  • 52. © F5 Networks, Inc 52 Questions ? http://www.digitalattackmap.com/
  • 53. © F5 Networks, Inc 53 Latency Based Anomaly
  • 54. © F5 Networks, Inc 54 Latency Based Anomaly 1 2 1 TPS is measured if reached thresholds 2 Latency is measure if reached thresholds 3 Prevention policy is activated 3
  • 55. © F5 Networks, Inc 55 quizzzz 2 1 Which prevention policy will be activate when the detection criteria (1) will be reach and the suspicious IP criteria (2) will be reached ?
  • 56. © F5 Networks, Inc 56 Latency Based Anomaly VS TPS Based Anomaly Which is better for DoS protection ?
  • 57. © F5 Networks, Inc 57 Few more sections we are getting there
  • 58. © F5 Networks, Inc 58 • Send CS challenge to ALL client and thus mitigate bots all the time • Cookie is sent and then validate by PBD – RST or allowed Proactive Bot Defense
  • 59. © F5 Networks, Inc 59 Proactive Bot Defense
  • 60. © F5 Networks, Inc 60 PBD - Client side integrity defense - flow User Browser DoS Profile App First main page access HTTP Request (no cookie) Computational challenge Solve challenge/ set cookie with time stamp HTTP Request (cookie) Reconstruct request Original HTTP Request HTTP Response (main page) HTTP Response (main page) More object requests (cookie) Validate cookie: format & time stamp More object requests More responses More responsesDeliver page
  • 61. © F5 Networks, Inc 61 • Always – sending CS all the time • During attack – only of other component of the dos profile is in dos mode PBD will send the CS challenge This allows second layer of protection (rate limit and PBD) • Grace period - cookie expiration time 300 = 5min also use to prevent mass blocking when start PBD during attack • White list – Cases where Flash send a request without a cookie Proactive Bot Defense – configuration
  • 62. © F5 Networks, Inc 62 • Cross domain is used to overcome cases where other sites / domain access the site that is protected by PBD • CS is working on HTML • Resources (images) are RST if arriving without cookie (if accessing to resource before HTML – no cookie) • Cross domain allows to add any 3rd party domains to be added to the white list and access the resource Proactive Bot Defense – configuration
  • 63. © F5 Networks, Inc 63 Proactive Bot Defense – Cross domain example www.yahoo.com yimg.com User GET /index.php? HTTP/1.1 Host: www.yahoo.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://172.29.46.32/ Cookie: SESSION=693c11f1f299b501be5add6067c29ea3; TS0191700e=011fbae73d73f535821bb42d9f5c9164b50b43df2a02bb48 4f639d38772307fb6e4075c65515e8906e46c4b2f656857368425bf379 Connection: keep-alive GET /index.php? HTTP/1.1 Host: yimg.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://172.29.46.32/ Cookie: SESSION=693c11f1f299b501be5add6067c29ea3; TS0191700e=011fbae73d73f535821bb42d9f5c9164b50b43df2a02bb48 4f639d38772307fb6e4075c65515e8906e46c4b2f656857368425bf379 Connection: keep-alive Proactive Bot Defense - on Proactive Bot Defense - on
• 64. Heavy URL’s
• 65. Heavy URL’s
    • Some URLs may be heavy, for example a search box
    • Heavy URLs consume more processing resources on the server
    • Even a few requests can cause high latency
• 66. Heavy URL precondition configuration
• 67. Heavy URL precondition
• 68. Heavy URL – Mitigation: when any URL-based mitigation is active, the heavy URLs that were detected receive the same mitigation
• 69. Heavy URL – configuration: in Automatic mode ASM measures the latency of URLs for 24 hours and decides which ones are heavy
• 70. Heavy URL – Reporting
• 71. White list for DoS profile: the white list applies to all DoS features; if a white-listed IP sends 1000 requests to a specific URL, no data is collected on that URL
• 72. Reporting
• 73. Reporting
    1. Security -> Event Logs -> DoS -> Application Events / Attacks
    2. Security -> Reporting -> DoS -> Overview Summary -> …..
• 74. Security -> Event Logs -> DoS -> Application Attacks – provides a summary on a specific attack ID
• 75. Security -> Event Logs -> DoS -> Application Attacks – provides details on a specific Attack ID
• 76. Security -> Event Logs -> DoS -> Application Events – provides details on a specific Event ID. Events are:
    • Attack start
    • Attack end
    • Change mitigation
• 77. Security -> Reporting -> DoS -> Overview Summary – AVR graphs
• 78. Graph index
    • Incomplete: traffic that reached the server and was dropped by the server. The system did not perform any DoS mitigation on this traffic; transactions were reset and responses did not get to the client.
    • BIG-IP Response: traffic that did not reach the server but is a response to the client from BIG-IP modules not mentioned in the legend (that is, a response from sources other than DoS and Cache).
    • Cached by BIG-IP: traffic that is served from the cache configured in the Web Acceleration profile.
    • Whitelisted: traffic that reached the server from IP addresses on the IP Address whitelist in the DoS profile.
    • Passthrough: traffic that reached the server with no mitigation applied to it.
    • Blocked: traffic that was blocked as a result of the prevention policy in the DoS profile.
    • Proactive Mitigation: number of times the proactive (CSID) challenge was served.
    • CAPTCHA Mitigation: number of times a CAPTCHA was served.
    • CS Integrity Mitigation: number of times the client side integrity challenge (CSID) was served.
• 79. Graph index – which prevention initiated the blocking?
• 80. Graphs – Source IP
• 81. Demo how to
    ― Can you demo it?
    o What do you want to see?
    ― What do you have?
    o Everything
    ― Ha, ok, so start with everything
• 82. Steps to demo
    Trigger thresholds:
    • IP detection criteria
    • Geolocation detection criteria
    • URL detection criteria
    • Site Wide detection criteria
    Choose prevention:
    • CSID
    • CAPTCHA
    • Request blocking
    Show the change of mitigation in the reports
• 83. Simulating detection – TPS based anomaly: lowering thresholds
• 84. How do we trigger detection?
    1. IP Detection – lots of requests from a single IP to any URL
    2. Geolocation – IPs from a different country
    3. URL Detection – lots of requests to a specific URL
    4. Site Wide – lots of requests from any IP to any URLs
    Btw: which should we trigger, the "TPS increased by" or the "TPS reached" threshold?
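A toy evaluator for the four detection criteria above (slide 84) and for the heavy-URL latency measurement of slide 69, added here in Python and not F5's code: the log format, the sample lines, the time windows and the thresholds are constructed, and the "reached" / "increased by" rules are a simplified reading of the two trigger options (geolocation is left out since the sample carries no country data).

```python
"""Toy evaluator for the DoS-profile detection criteria (per-IP, per-URL,
site-wide TPS, 'reached' and 'increased by') and the heavy-URL latency check.
Added illustration, not F5 code; log format, sample lines and thresholds are constructed."""
from collections import Counter, defaultdict

# constructed access log: epoch_second client_ip url latency_ms
SAMPLE_LOG = """\
100 10.0.0.1 /index.php 40
100 10.0.0.2 /sell.php 3100
101 10.0.0.9 /login 30
110 10.0.0.9 /login 31
110 10.0.0.9 /login 29
110 10.0.0.9 /login 33
110 10.0.0.4 /index.php 41
111 10.0.0.9 /login 30
111 10.0.0.9 /login 32
111 10.0.0.5 /sell.php 3050
"""

def parse_log(text):
    """Returns (second, ip, url, latency_ms) tuples."""
    return [(int(t), ip, url, int(ms))
            for t, ip, url, ms in (line.split() for line in text.splitlines())]

def tps(recs, t_start, t_end, key=None):
    """Requests per second in [t_start, t_end), per 'ip', per 'url' or site-wide."""
    counts = Counter()
    for t, ip, url, _ in recs:
        if t_start <= t < t_end:
            counts[{"ip": ip, "url": url, None: "site"}[key]] += 1
    return {k: v / (t_end - t_start) for k, v in counts.items()}

def detect(recs, baseline, window, key, reached, increase_pct):
    """Entities whose TPS in `window` reached `reached`, or grew by at least
    `increase_pct` percent over their TPS in `baseline` (either rule fires)."""
    base = tps(recs, *baseline, key=key)
    hits = {}
    for k, rate in tps(recs, *window, key=key).items():
        grew = base.get(k, 0) > 0 and (rate - base[k]) / base[k] * 100 >= increase_pct
        if rate >= reached or grew:
            hits[k] = round(rate, 2)
    return hits

def heavy_urls(recs, latency_ms):
    """URLs whose mean latency exceeds latency_ms (ASM measures this over 24 h; threshold assumed)."""
    lat = defaultdict(list)
    for _, _, url, ms in recs:
        lat[url].append(ms)
    return sorted(u for u, v in lat.items() if sum(v) / len(v) > latency_ms)
```

Running the sample with a baseline window of seconds 100 to 101 and an attack window of 110 to 111 flags 10.0.0.9 under the IP criterion, /login under the URL criterion, and /sell.php as a heavy URL.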
• 85. Load with JMeter
    • Provides an increase in TPS
    • Uses XFF for various IPs
    • Targets a specific URL
    • Targets multiple URLs from multiple IPs (XFF)
    XFF for the DDoS simulation is enabled in the HTTP profile: Local Traffic -> Profiles -> Services -> HTTP
• 86. How do we show prevention? Options for the demo:
    • CSID – show the RST
    • CAPTCHA – show it in a browser
    • Request Blocking – show the RST
• 87. Demo CSID or Request blocking – block all
    Wget: wget -r --user-agent="Mozilla/5.0 (Windows NT 5.2; rv:2.0.1) Gecko/20100101 Firefox/4.0.1" --no-check-certificate 172.29.46.36
    Activate JMeter, then run wget until you see the RST; the same works for CSID or request blocking with block all
• 88. Demo CAPTCHA with a browser: activate JMeter, then browse the virtual IP with a browser until you see a CAPTCHA
• 89. Simulate latency for heavy URL + Latency Based Anomaly: edit the page (vi sell.php) and add sleep(3), then lower the thresholds
• 90. Tools – browser + F5 key: any of the preventions can be simulated by holding the F5 (refresh) keyboard key until resets or a CAPTCHA occur