ASM 11.6 DDoS profile - Lior Rotkovitch
- 1. © F5 Networks, Inc 1
DDOS – 11.6 DOS PROFILE
DECEMBER 2015 SEATTLE
Lior Rotkovitch NPIE ASM Tel Aviv lior@f5.com
- 2. © F5 Networks, Inc 2
Index
• Configuration Overview
• TPS based Anomalies
• Detection
• IP Detection Criteria
• Geolocation Detection Criteria
• URL Detection Criteria
• Site-Wide Detection Criteria
• Prevention
• Client Side Integrity Defense
• CAPTCHA
• Request Blocking
• PBD
• Heavy URL’s
• Reporting
• Demo – how to
• Badger Changes
• Latency Based Anomalies
• Detection
• Prevention
Slide 3: Configuring DoS profile
Go to: Local Traffic > Virtual Server > Security > Policies
Slide 5: Configuring DoS profile
Go to: Security > DoS Protection > DoS Profiles > DoS Profile Properties
Slide 6: DoS Profile Main Sections
• TPS based anomaly
• Latency based anomaly
• Heavy URL Protection
• Proactive Bot Defense
• Geolocations
Slide 7: DDoS Profile Concept
1. Monitoring entities: TPS, latency, IPs, URLs
2. Detecting an increase
3. Activating prevention
(Diagram: users and their IPs on one side, servers and database on the other; what is measured in between: RPS/TPS, latency, URLs)
Slide 9: TPS Based Anomaly – Detection Basic Concept
Detection criteria:
1. IP Detection Criteria
2. Geolocation Detection Criteria
3. URL Detection Criteria
4. Site-Wide Detection Criteria
Configure the RPS (TPS) thresholds above which ASM activates prevention.
Slide 10: TPS Based Anomaly – Prevention Basic Concept
Prevention:
1. Client Side Integrity Check
2. CAPTCHA Challenge
3. Request Blocking
Each can be activated from any of the 4 detection criteria.
Slide 12: TPS Based Anomaly
1. IP Detection Criteria – settings
2. Prevention policies:
   a) Client Side Integrity Check
   b) CAPTCHA
   c) Request Blocking
3. Geolocation Detection Criteria + prevention policies
4. URL Detection Criteria + prevention policies
5. Site-Wide Detection Criteria + prevention policies
Slide 13: TPS based Anomaly – Concept
IP Detection measures the RPS arriving from each source IP.
If the TPS reaches the thresholds, it activates the configured prevention.
Slide 14: TPS based Anomaly – Concept
If the TPS reaches the thresholds and the CAPTCHA challenge is checked, DoS protection sends a CAPTCHA challenge to the IP that reached the thresholds.
Slide 15: TPS based – IP Detection Criteria Concept
Can you explain?
Slide 16: TPS based – IP Detection Criteria Concept
If the TPS reaches the thresholds and Client Side Integrity Defense is checked, DoS protection sends the Client Side Integrity Defense challenge to the IP that reached the thresholds – WHY?
Source IP Based = IP Detection Criteria
Detection: we measure the source IPs whose TPS has increased.
Prevention: it is sent to those source IPs.
Slide 17: IP Detection Criteria – config overview
Monitoring source IPs
Slide 18: IP Detection Criteria – calculating "TPS increased by" (PRE 11.6)
• The two types of time intervals:
  • Long (History Interval): accumulates TPS rate averages for 1 hour at 1 minute intervals
  • Short (Detection Interval): accumulates TPS rate averages for 1 minute at 1 second intervals
Slide 19: Calculating "TPS increased by" – 11.6
• The two types of time intervals:
  • Long (History Interval): measures the TPS average of the last 1 hour, updated every 10 seconds
  • Short (Detection Interval): measures the TPS average of the last 10 seconds, updated every 10 seconds
Slide 20: TPS based – IP Detection Criteria
Example:
Long (History Interval): 50 TPS
Short (Detection Interval): 370 TPS
TPS increased by: ((370 - 50) / 50) * 100 = 640%
Slide 21: TPS based – IP Detection Criteria
(Minimum TPS threshold for detection AND TPS increased by)
40 AND 640% = True
Slide 22: TPS based – IP Detection Criteria
(Minimum TPS threshold for detection AND TPS increased by) OR TPS reached
40 AND 640% (ratio) OR 200 (fixed)
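The arithmetic of slides 19 to 22 in code, as an added example that is not part of the deck or of any F5 product code: the 11.6 long/short intervals are modelled as a ring of 10-second buckets (360 of them for the hour), "TPS increased by" is the slide's ratio, and the detection rule is (minimum TPS AND increased-by) OR TPS reached. The values 40 and 200 are the slide's; the 500% increased-by threshold is an assumed profile setting, since the slide only shows the measured 640%.

```python
# Added example (not F5 code): the 11.6 "TPS increased by" arithmetic and the
# IP Detection Criteria rule from slides 19-22.  The threshold names and the
# 10-second bucket bookkeeping are my reading of the slides, not BIG-IP internals.
from collections import deque
from dataclasses import dataclass


def tps_increase_pct(long_tps: float, short_tps: float) -> float:
    """'TPS increased by' as on slide 20: ((short - long) / long) * 100."""
    if long_tps <= 0:
        # No history yet: treat any traffic as an unbounded increase.
        return float("inf") if short_tps > 0 else 0.0
    return (short_tps - long_tps) * 100.0 / long_tps


class IpTpsTracker:
    """Per-source-IP counters in the 11.6 layout: 10-second buckets.

    short = average of the last 10 seconds, long = average over the last hour
    (360 buckets); both refresh every 10 seconds when a bucket closes.
    """
    BUCKET_SECONDS = 10
    HISTORY_BUCKETS = 360  # 1 hour / 10 s

    def __init__(self) -> None:
        self.buckets = deque(maxlen=self.HISTORY_BUCKETS)  # request count per closed bucket

    def close_bucket(self, request_count: int) -> None:
        """Record the number of requests seen in the 10-second bucket that just ended."""
        self.buckets.append(request_count)

    def long_tps(self) -> float:
        return sum(self.buckets) / (len(self.buckets) * self.BUCKET_SECONDS)

    def short_tps(self) -> float:
        return self.buckets[-1] / self.BUCKET_SECONDS


@dataclass
class IpDetectionCriteria:
    """Slide 22: (min TPS AND increased-by ratio) OR TPS reached (fixed).

    40 and 200 are the slide's values; the 500% ratio threshold is an assumed
    profile setting (the slide only shows the measured 640%).
    """
    min_tps_for_detection: float = 40.0
    tps_increased_by_pct: float = 500.0
    tps_reached: float = 200.0

    def triggered(self, long_tps: float, short_tps: float) -> bool:
        ratio_rule = (short_tps >= self.min_tps_for_detection
                      and tps_increase_pct(long_tps, short_tps) >= self.tps_increased_by_pct)
        fixed_rule = short_tps >= self.tps_reached
        return ratio_rule or fixed_rule


def evaluate_ip(tracker: IpTpsTracker, criteria: IpDetectionCriteria) -> dict:
    """Return the numbers a DoS event log entry for this source IP would carry."""
    long_tps, short_tps = tracker.long_tps(), tracker.short_tps()
    return {
        "long_tps": round(long_tps, 2),
        "short_tps": short_tps,
        "increase_pct": round(tps_increase_pct(long_tps, short_tps), 1),
        "detected": criteria.triggered(long_tps, short_tps),
    }


if __name__ == "__main__":
    # Constructed history: an hour at 50 TPS, then one 10-second bucket at 370 TPS.
    t = IpTpsTracker()
    for _ in range(359):
        t.close_bucket(500)
    t.close_bucket(3700)
    print(evaluate_ip(t, IpDetectionCriteria()))
</test>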
Slide 23: Prevention types: Client Side Integrity Defense
Sending the CSID script
Slide 24: Client side integrity defense
• Checks JS capabilities on HTML pages (not on resources such as images)
• A client is considered "JavaScript proper" if it meets the following three criteria:
  • The client must support JavaScript
  • The client must support HTTP cookies
  • The client should calculate the result of a computational challenge inside the JS
• If satisfied = a legitimate client that can access the site
Note: this is not CHUI
Slide 25: Client side integrity defense – flow
Participants: User Browser, DoS Profile, App
1. Browser: first main page access – HTTP Request (no cookie) goes to the DoS Profile
2. DoS Profile -> Browser: computational challenge
3. Browser: solves the challenge, sets a cookie with a time stamp, resends the HTTP Request (cookie)
4. DoS Profile: reconstructs the request and sends the original HTTP Request to the App
5. App -> DoS Profile -> Browser: HTTP Response (main page)
6. Browser: more object requests (cookie); DoS Profile validates the cookie (format & time stamp) and forwards the object requests to the App
7. App -> DoS Profile -> Browser: more responses; the browser delivers the page
Slide 26: Client side integrity defense JS script (PRE 11.6)
Slide 27: Client side integrity defense JS – reply
POST /file.html HTTP/1.1
Host: 10.1.1.100
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://10.1.1.100/file.html
Cookie: TSc834b4=6fddbbe2703fc326cd19961072070e948b1d46b558e908644d2504b5;
  TSc834b4_77=false_ff434d341dd95fc4;
  TSc834b4_75=838458f8d070a4f7aca1a15e0f40083f:baec:WWXJ61tI:1507580388
Content-Type: application/x-www-form-urlencoded
Content-Length: 69

TSc834b4_id=3&TSc834b4_md=1&TSc834b4_rf=0&TSc834b4_ct=0&TSc834b4_pd=0

The value of this cookie will be the result of the computational challenge.
Slide 29: Client side integrity defense – how does it mitigate?
• If the client didn't solve the challenge – there is no reply (no request)
• If the client did solve the challenge but:
  • the cookie is in the wrong format – RST
  • the time stamp expired – RST
• If the client accesses a resource (image) without getting the cookie first, it is blocked
Slide 30: Client side integrity defense – limitations
• The ASM system does not send the CS challenge to:
  • Requests greater than 10 KB
  • Multipart requests
  • Chunked requests
  • Requests that send an Expect: 100-continue header
  • Requests that do not use the GET or POST method
  • Requests for resources: GIF, ICO, PNG, JPG, BMP, CSS
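The decision the Client Side Integrity Defense gate makes on one request (slides 25, 29 and 30), as an added example that is not the deck's or F5's own code: no cookie on an HTML request means "send the challenge", no cookie on a resource means "reset", a present cookie is checked for format and time stamp, and the slide 30 exemptions never see the challenge. The cookie name, its "<timestamp>:<mac>" layout, the HMAC key and the 300-second lifetime are constructed for the illustration; only the exemption list and the outcomes come from the slides.

```python
# Added example (not F5 code): a model of what the Client Side Integrity Defense
# gate does with a single request, following slides 25, 29 and 30.  The cookie
# layout "<timestamp>:<mac>", the HMAC key and the 300-second lifetime are
# constructed for the illustration; the exemption list is the slide's.
import hashlib
import hmac

SECRET = b"constructed-demo-key"       # constructed; a real device holds its own key
MAX_AGE_SECONDS = 300                   # assumed cookie lifetime
RESOURCE_EXTS = (".gif", ".ico", ".png", ".jpg", ".bmp", ".css")  # slide 30 list


def _mac(ts: str) -> str:
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]


def issue_cookie(now: int) -> str:
    """Value a browser ends up with after solving the challenge (slide 25, step 3)."""
    ts = str(now)
    return f"{ts}:{_mac(ts)}"


def cookie_valid(value: str, now: int) -> bool:
    """Slide 29: wrong format -> invalid, expired time stamp -> invalid."""
    try:
        ts, mac = value.split(":", 1)
        issued = int(ts)
    except (ValueError, AttributeError):
        return False                                   # wrong format
    if not hmac.compare_digest(_mac(ts).encode(), mac.encode()):
        return False                                   # forged or corrupted value
    return 0 <= now - issued <= MAX_AGE_SECONDS       # time stamp still fresh


def is_exempt(req: dict) -> bool:
    """Slide 30: requests that never receive the CS challenge."""
    headers = {k.lower(): str(v).lower() for k, v in req.get("headers", {}).items()}
    if req["method"] not in ("GET", "POST"):
        return True
    if req.get("body_size", 0) > 10 * 1024:
        return True
    if headers.get("content-type", "").startswith("multipart/"):
        return True
    if "chunked" in headers.get("transfer-encoding", ""):
        return True
    if headers.get("expect", "") == "100-continue":
        return True
    return False


def csid_decision(req: dict, now: int) -> str:
    """Return 'pass', 'challenge' or 'reset' for one request."""
    if is_exempt(req):
        return "pass"
    cookie = req.get("cookie")
    is_resource = req["path"].lower().endswith(RESOURCE_EXTS)
    if cookie is None:
        # Slide 29: a resource fetched before the HTML page set the cookie is
        # blocked; an HTML request gets the computational challenge instead.
        return "reset" if is_resource else "challenge"
    return "pass" if cookie_valid(cookie, now) else "reset"


if __name__ == "__main__":
    now = 1_450_000_000   # constructed clock value
    page = {"method": "GET", "path": "/index.html", "headers": {}}
    print(csid_decision(page, now))                                          # challenge
    print(csid_decision({**page, "cookie": issue_cookie(now - 10)}, now))    # pass
    print(csid_decision({**page, "cookie": issue_cookie(now - 400)}, now))   # reset
```

The exemption check runs first because an exempt request is never challenged, so there is nothing to validate; the resource rule runs only for requests that arrive without any cookie, which is exactly the "image before HTML" case the slide describes.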
Slide 31: Prevention types: CAPTCHA prevention policy
Sending CAPTCHA
Slide 32: CAPTCHA
Ultimate solution for identifying human or bot
Sends a challenge to every IP that reached the IP detection criteria thresholds
Slide 33: CAPTCHA – Response setting
The Failure Response page is served if the first attempt fails
Slide 34: CAPTCHA – flow
Participants: User Browser, DoS Profile, App
1. User requests mypage.php; Browser -> DoS Profile: GET /mypage.php (no cookie)
2. DoS Profile -> Browser: CAPTCHA HTML + JS response, with a cookie carrying a time stamp
3. Browser: CAPTCHA rendered; the user solves the CAPTCHA; Browser submits the CAPTCHA solution: GET /mypage.php + CAPTCHA cookie
4. DoS Profile: verifies the CAPTCHA solution, validates the cookie, sends GET /mypage.php to the App
5. App -> DoS Profile -> Browser: HTML of mypage.php; mypage.php rendered
6. After 5 minutes the client gets another CAPTCHA
Slide 35: CAPTCHA – how does it mitigate?
• If the client didn't submit the challenge – no reply (no request DoSing us)
• If the client didn't solve the challenge but is still sending us attacks? What will happen?
• If the client did solve the challenge but:
  • the cookie is in the wrong format – RST
  • the time stamp expired (5 min) – RST
Slide 36: Prevention types: Request Blocking
Resetting connections
Slide 37: Request Blocking – how does it mitigate?
• Request Blocking:
  • Blocking:
  • Rate Limit:
Slide 38: Request Blocking – how does it mitigate?
• Rate Limit limits the traffic to the long (history) TPS rate
• Blocking blocks all traffic
Example:
If the long TPS was 50 TPS
and the short TPS increased to 150 TPS,
rate limit to 50 TPS
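What "rate limit to the long TPS" means second by second, as an added example that is not the deck's or F5's code: with the slide's numbers (long 50 TPS, short jumping to 150 TPS) a limiter clamped to the history rate admits 50 requests in each second and resets the other 100, while the "block all" mode resets everything. The one-second fixed window and the evenly spaced arrivals are constructed for the illustration.

```python
# Added example (not F5 code): what "rate limit to the long (history) TPS" means
# per second, using the slide's numbers (long 50 TPS, short jumps to 150 TPS).
# The one-second fixed window is an assumption; BIG-IP's own scheduler is not shown.


class HistoryRateLimiter:
    """Admit at most `allowed_tps` requests per wall-clock second; the excess is reset."""

    def __init__(self, allowed_tps: float) -> None:
        self.allowed_tps = allowed_tps
        self._window = None   # integer second currently being counted
        self._count = 0

    def admit(self, t: float) -> bool:
        second = int(t)
        if second != self._window:
            self._window, self._count = second, 0   # new second, fresh budget
        if self._count < self.allowed_tps:
            self._count += 1
            return True
        return False


def enforce(mode: str, long_tps: float, short_tps: float, seconds: int = 1) -> tuple:
    """Simulate `seconds` of traffic arriving at short_tps under one prevention mode.

    mode = "rate_limit": clamp to long_tps (slide 38); mode = "block": drop all.
    Returns (admitted, reset).
    """
    if mode not in ("rate_limit", "block"):
        raise ValueError("mode must be 'rate_limit' or 'block'")
    limiter = HistoryRateLimiter(long_tps)
    admitted = reset = 0
    total = int(short_tps * seconds)
    for i in range(total):
        t = i / short_tps                      # evenly spaced constructed arrivals
        if mode == "rate_limit" and limiter.admit(t):
            admitted += 1
        else:
            reset += 1
    return admitted, reset


if __name__ == "__main__":
    print(enforce("rate_limit", long_tps=50, short_tps=150))   # (50, 100)
    print(enforce("block", long_tps=50, short_tps=150))        # (0, 150)
```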
Slide 39: TPS based with IP detection criteria and their prevention
Applied to all IPs that reached the thresholds:
• Client Side Integrity Check
• CAPTCHA Challenge
• Request Blocking
Slide 40: TPS Based Anomaly: Geolocation Detection Criteria
Monitoring IPs by country
Slide 41: New L7 DoS Prevention Methods – Geolocation
Mitigating based on location
Slide 42: Geolocation – Detection
• Geolocation – relative to the whole traffic of the site:
  500% request increase from a specific country
  AND
  at least 10% of the whole site traffic
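The two-part geolocation rule on this slide, as an added example that is not the deck's or F5's code: each country's request count in the current window is compared with its own baseline count (the increase) and with the whole site's current traffic (the share), and only a country satisfying both conditions is reported. The per-country counts and the country code XX are constructed; reading "increase" as the country's count against its own baseline is my assumption.

```python
# Added example (not F5 code): the geolocation rule on slide 42, "500% request
# increase from a specific country AND at least 10% of the whole site traffic".
# The per-country baseline/current counts are constructed; reading the increase
# as the country's current count against its own baseline count is an assumption.
from collections import Counter
from typing import Dict, List, Tuple


def country_stats(baseline: List[str], current: List[str]) -> Dict[str, Tuple[float, float]]:
    """Map country -> (increase_pct vs its baseline, share_pct of current site traffic)."""
    base, cur = Counter(baseline), Counter(current)
    total_now = sum(cur.values())
    stats = {}
    for country, n in cur.items():
        b = base.get(country, 0)
        increase = (n - b) * 100.0 / b if b else float("inf")   # never seen before: unbounded
        share = n * 100.0 / total_now if total_now else 0.0
        stats[country] = (increase, share)
    return stats


def geo_triggered(baseline: List[str], current: List[str],
                  increase_pct: float = 500.0, min_share_pct: float = 10.0) -> List[str]:
    """Countries that satisfy BOTH conditions (the slide's AND)."""
    return sorted(c for c, (inc, share) in country_stats(baseline, current).items()
                  if inc >= increase_pct and share >= min_share_pct)


# Constructed windows: one list entry per request, value = country of the source IP.
BASELINE = ["US"] * 800 + ["DE"] * 150 + ["XX"] * 10
SURGE = ["US"] * 820 + ["DE"] * 160 + ["XX"] * 120        # XX: +1100%, 10.9% of traffic
SMALL_SURGE = ["US"] * 820 + ["DE"] * 160 + ["XX"] * 60   # XX: +500% but only 5.8%

if __name__ == "__main__":
    print(geo_triggered(BASELINE, SURGE))        # ['XX']
    print(geo_triggered(BASELINE, SMALL_SURGE))  # []
```

The second constructed window is the case the AND exists for: a country that grows six-fold but still carries under 10% of the site's traffic is not reported, so a small country cannot trip the detection on ratio alone.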
Slide 43: Geolocation – prevention
Applied to all clients coming from the specific country:
• Client Side Integrity Check
• CAPTCHA Challenge
• Request Blocking (note that blocking will block all users from this country)
Slide 44: Geolocation – listing
• One list allows access to the web site regardless of the geolocation detection criteria thresholds only.
• The other list specifies the countries that the system always blocks whenever it detects a DoS attack, regardless of the thresholds set in the DoS profile.
Slide 45: TPS Based Anomaly: URL Detection Criteria
Monitoring URLs
Slide 46: URL Detection Criteria
Collecting TPS on URLs (10k)
TPS increased by: ratio of long and short
AND
Minimum TPS threshold for detection
These two are ORed with TPS reached
Slide 47: URL Detection Criteria – prevention
Applied to all clients that access the URL:
• Client Side Integrity Check
• CAPTCHA Challenge
• Request Blocking – rate limit only (no "block all")
Slide 48: TPS Based Anomaly: Site-Wide Detection Criteria
Monitoring the entire site – URLs & IPs
Slide 49: TPS Based Anomaly – Site-Wide Detection Criteria
Collecting TPS on the whole site
TPS increased by: ratio of long and short
AND
Minimum TPS threshold for detection
These two are ORed with TPS reached
Slide 50: Site-Wide Detection Criteria – prevention
Applied to all clients that access the site:
• Client Side Integrity Check
• CAPTCHA Challenge
• Request Blocking – rate limit only, no blocking
Slide 51: Prevention duration
Client Side Integrity Check
CAPTCHA Challenge
Request Blocking
Escalate top-down every 120 seconds if the attack is still increasing;
de-escalate back to start from the top.
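The escalation described on this slide as a small state machine, added here as an example that is not the deck's or F5's code: the order and the 120-second interval are the slide's, the "attack still increasing" flag is an input I assume the detection side supplies, and "de-escalate to start from the top" is read as falling back to the first enabled prevention once the attack stops increasing.

```python
# Added example (not F5 code): the prevention escalation on slide 51 as a small
# state machine.  Order and the 120-second interval are the slide's; the
# "still increasing" signal is an input assumed to come from detection, and
# "de-escalate to start from the top" is read as: once the attack stops
# increasing, fall back to the first enabled prevention.
from typing import List, Optional

PREVENTION_ORDER = ["Client Side Integrity Check", "CAPTCHA Challenge", "Request Blocking"]
ESCALATION_INTERVAL = 120  # seconds


class PreventionEscalator:
    def __init__(self, enabled: Optional[List[str]] = None) -> None:
        # Only preventions checked in the profile take part, in the slide's order.
        self.enabled = [p for p in PREVENTION_ORDER if enabled is None or p in enabled]
        if not self.enabled:
            raise ValueError("at least one prevention must be enabled")
        self.level = 0
        self.last_change: Optional[float] = None   # None = no attack in progress

    def current(self) -> Optional[str]:
        return self.enabled[self.level] if self.last_change is not None else None

    def observe(self, now: float, attack_active: bool, still_increasing: bool) -> Optional[str]:
        """Feed one detection sample; return the prevention that should be active."""
        if not attack_active:
            self.level, self.last_change = 0, None               # attack ended
            return None
        if self.last_change is None:
            self.last_change = now                                # attack start: first prevention
        elif still_increasing:
            if (now - self.last_change >= ESCALATION_INTERVAL
                    and self.level < len(self.enabled) - 1):
                self.level, self.last_change = self.level + 1, now   # escalate one step
        elif self.level > 0:
            self.level, self.last_change = 0, now                 # de-escalate to the top
        return self.current()


def run_timeline(samples) -> List[Optional[str]]:
    """samples: (t, attack_active, still_increasing) tuples -> active prevention per sample."""
    esc = PreventionEscalator()
    return [esc.observe(*s) for s in samples]


if __name__ == "__main__":
    # Constructed timeline: attack starts at t=0, keeps growing, levels off at t=400, ends at t=500.
    timeline = [(0, True, True), (60, True, True), (120, True, True),
                (240, True, True), (360, True, True), (400, True, False), (500, False, False)]
    for (t, _, _), prevention in zip(timeline, run_timeline(timeline)):
        print(t, prevention)
```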
Slide 52: Questions?
http://www.digitalattackmap.com/
Slide 54: Latency Based Anomaly
1. TPS is measured; if it reaches the thresholds,
2. latency is measured; if it reaches the thresholds,
3. the prevention policy is activated
Slide 55: quizzzz
Which prevention policy will be activated when the detection criteria (1) are reached and the suspicious IP criteria (2) are reached?
Slide 56: Latency Based Anomaly VS TPS Based Anomaly
Which is better for DoS protection?
Slide 58: Proactive Bot Defense
• Sends the CS challenge to ALL clients and thus mitigates bots all the time
• The cookie is sent and then validated by PBD – RST or allowed
Slide 60: PBD – Client side integrity defense – flow
Participants: User Browser, DoS Profile, App
1. Browser: first main page access – HTTP Request (no cookie) goes to the DoS Profile
2. DoS Profile -> Browser: computational challenge
3. Browser: solves the challenge, sets a cookie with a time stamp, resends the HTTP Request (cookie)
4. DoS Profile: reconstructs the request and sends the original HTTP Request to the App
5. App -> DoS Profile -> Browser: HTTP Response (main page)
6. Browser: more object requests (cookie); DoS Profile validates the cookie (format & time stamp) and forwards the object requests to the App
7. App -> DoS Profile -> Browser: more responses; the browser delivers the page
Slide 61: Proactive Bot Defense – configuration
• Always – sends CS all the time
• During attack – only if another component of the DoS profile is in DoS mode will PBD send the CS challenge; this allows a second layer of protection (rate limit and PBD)
• Grace period – cookie expiration time 300 = 5 min; also used to prevent mass blocking when PBD starts during an attack
• White list – cases where Flash sends a request without a cookie
Slide 62: Proactive Bot Defense – configuration
• Cross domain is used to handle cases where other sites/domains access the site protected by PBD
• CS works on HTML
• Resources (images) are RST if they arrive without a cookie (if a resource is accessed before the HTML – no cookie)
• Cross domain allows any 3rd party domains to be added to the white list and access the resource
Slide 63: Proactive Bot Defense – Cross domain example
Two requests from the same user, one to www.yahoo.com and one to yimg.com (Proactive Bot Defense on for both):

GET /index.php? HTTP/1.1
Host: www.yahoo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.29.46.32/
Cookie: SESSION=693c11f1f299b501be5add6067c29ea3;
  TS0191700e=011fbae73d73f535821bb42d9f5c9164b50b43df2a02bb48
  4f639d38772307fb6e4075c65515e8906e46c4b2f656857368425bf379
Connection: keep-alive

GET /index.php? HTTP/1.1
Host: yimg.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.29.46.32/
Cookie: SESSION=693c11f1f299b501be5add6067c29ea3;
  TS0191700e=011fbae73d73f535821bb42d9f5c9164b50b43df2a02bb48
  4f639d38772307fb6e4075c65515e8906e46c4b2f656857368425bf379
Connection: keep-alive
Slide 65: Heavy URLs
• Some URLs might be heavy – e.g. a search box
• Heavy URLs consume more processing resources on the server
• Even a few requests can cause high latency
Slide 68: Heavy URL – Mitigation
When any URL-based mitigation is active, the heavy URLs that were detected get this mitigation
Slide 69: Heavy URL – configuration
Automatic: measures latency on URLs for 24 hours and decides which are heavy
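The measurements behind this slide and slide 54, as an added example that is not the deck's or F5's code: per-URL latency samples are averaged so that the slow URLs stand out, and the latency anomaly is evaluated in the slide 54 order (TPS first, latency only once TPS has reached its threshold). The samples are constructed and stand in for the 24-hour window; the 1000 ms "heavy" cut-off and the thresholds passed to the anomaly check are assumed values, not profile defaults.

```python
# Added example (not F5 code): per-URL latency measurement behind "Heavy URL"
# (slide 69) and the two-stage Latency Based Anomaly order from slide 54.
# The samples are constructed; the 1000 ms "heavy" cut-off and the threshold
# values are assumptions standing in for what the profile would be configured with.
from collections import defaultdict
from statistics import mean
from typing import Dict, List, Tuple

# Constructed (url, server latency in ms) samples, standing in for the 24-hour window.
SAMPLES: List[Tuple[str, float]] = [
    ("/index.html", 40), ("/index.html", 55), ("/index.html", 48),
    ("/search.php", 1800), ("/search.php", 2400), ("/search.php", 2100),
    ("/img/logo.png", 4), ("/img/logo.png", 6),
    ("/report.php", 900), ("/report.php", 1300),
]


def latency_by_url(samples) -> Dict[str, float]:
    """Average latency per URL over the measured samples."""
    by_url = defaultdict(list)
    for url, ms in samples:
        by_url[url].append(ms)
    return {url: mean(v) for url, v in by_url.items()}


def heavy_urls(samples, heavy_ms: float = 1000.0) -> List[str]:
    """URLs whose average latency is at or above heavy_ms (assumed classification rule)."""
    return sorted(url for url, avg in latency_by_url(samples).items() if avg >= heavy_ms)


def latency_anomaly(tps: float, latency_ms: float,
                    tps_threshold: float, latency_threshold_ms: float) -> str:
    """Slide 54 order: latency is only consulted once TPS has reached its threshold."""
    if tps < tps_threshold:
        return "normal"                 # stage 1 not reached, latency not even checked
    if latency_ms < latency_threshold_ms:
        return "tps-high-latency-ok"    # stage 2 not reached
    return "prevention"                 # stage 3: activate the prevention policy


if __name__ == "__main__":
    print(latency_by_url(SAMPLES))
    print(heavy_urls(SAMPLES))                      # ['/report.php', '/search.php']
    print(latency_anomaly(200, 2100, 100, 500))     # prevention
```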
Slide 71: White list for DoS profile
White list – for all DoS features
and
if a whitelisted IP sends 1000 requests to a specific URL, we will not collect data on that URL
Slide 73: Reporting
1. Security -> Event Logs -> DoS -> Application Events / Attacks
2. Security -> Reporting -> DoS -> Overview Summary -> …..
Slide 74: Security -> Event Logs -> DoS -> Application Attacks
Provides: summary on a specific attack ID
Slide 75: Security -> Event Logs -> DoS -> Application Attacks
Provides: details on a specific Attack ID
Slide 76: Security -> Event Logs -> DoS -> Application Events
Provides details on a specific Event ID
Events are:
• Attack start
• Attack end
• Change mitigation
Slide 77: Security -> Reporting -> DoS -> Overview Summary
AVR graphs
Slide 78: Graph index
Incomplete: Traffic that reached the server and was dropped by the server. The system did not perform any DoS mitigation on this traffic. Transactions were reset, and responses did not get to the client.
BIG-IP Response: Traffic that did not reach the server, but is a response to the client from BIG-IP modules not mentioned in the legend (meaning, a response from sources other than DoS and Cache).
Cached by BIG-IP: Traffic that is served from the cache configured in the Web Acceleration profile.
Whitelisted: Traffic that reached the server from IP addresses on the IP Address whitelist in the DoS profile.
Passthrough: Traffic that reached the server – no mitigation was applied to it.
Blocked: Traffic that was blocked as a result of the prevention policy in the DoS profile.
Proactive Mitigation: number of times we served the Proactive (CSID) challenge.
CAPTCHA Mitigation: number of times we served CAPTCHA.
CS Integrity Mitigation: number of times we served the CS Integrity (CSID) challenge.
Slide 79: Graph index – which prevention initiated the blocking?
Slide 81: Demo how to
― Can you demo it?
o What do you want to see?
― What do you have?
o Everything
― Ha ok so start with everything
Slide 82: Steps to demo
Trigger thresholds:
• IP detection criteria
• Geolocation detection criteria
• URL detection criteria
• Site-Wide detection criteria
Choose prevention:
• CSID
• CAPTCHA
• Request blocking
Show the change of mitigation in the reports
Slide 83: Simulating detection – TPS based anomaly
Lowering thresholds
Slide 84: How do we trigger detection?
1. IP Detection – lots of requests from a single IP to any URL
2. Geolocation – IPs from a different country
3. URL Detection – lots of requests to a specific URL
4. Site-Wide – lots of requests from any IP to any URLs
Btw: which should we trigger? "TPS increased by" or "TPS reached"?
Slide 85: Load with JMeter
• Provides an increase in TPS
• Uses XFF for various IPs
• Targets a specific URL
• Targets multiple URLs from multiple IPs (XFF)
DDoS XFF: Local Traffic -> Profiles -> Services -> HTTP
Slide 86: How do we show prevention?
Options for demo:
• CSID – show RST
• CAPTCHA – show it in a browser
• Request Blocking – show RST
Slide 87: Demo CSID or Request blocking – block all
Wget:
wget -r --user-agent="Mozilla/5.0 (Windows NT 5.2; rv:2.0.1) Gecko/20100101 Firefox/4.0.1" --no-check-certificate 172.29.46.36
Activate JMeter
Run wget until you see RST – the same works for CSID or for request blocking with block all
Slide 88: Demo CAPTCHA with Browser
Activate JMeter
Surf to the virtual IP with a browser until you see a CAPTCHA
Slide 89: Simulate latency – heavy URL + Latency Based Anomaly
Edit:
vi sell.php
sleep(3)
Lower thresholds
Slide 90: Tools – browser + F5 key
Any of the preventions can be simulated by holding the F5 keyboard key until resets or a CAPTCHA occur