Web Application Security
Radovan Gibala
Senior Systems Engineer
F5 Networks
gigi@f5.com
© F5 Networks, Inc 2
Common attacks on web applications
BIG-IP ASM delivers comprehensive protection against critical web attacks:
• CSRF
• Cookie manipulation
• OWASP top 10
• Brute force attacks
• Forceful browsing
• Buffer overflows
• Web scraping
• Parameter tampering
• SQL injections
• Information leakage
• Field manipulation
• Session hijacking
• Cross-site scripting
• Zero-day attacks
• Command injection
• ClickJacking
• Bots
• Business logic flaws
Traditional Security Devices vs. WAF
Comparison matrix of attack coverage by a WAF, a Network/Next Gen Firewall and an IPS. The WAF column is marked ✓ for every row; the per-row marks for the firewall and IPS columns (a mix of X, Limited, one Partial and one ✓) did not survive extraction in row order, so only the rows are reproduced:
• Known Web Worms
• Unknown Web Worms
• Known Web Vulnerabilities
• Unknown Web Vulnerabilities
• Illegal Access to Web-server files
• Forceful Browsing
• File/Directory Enumerations
• Buffer Overflow
• Cross-Site Scripting
• SQL/OS Injection
• Cookie Poisoning
• Hidden-Field Manipulation
• Parameter Tampering
• Layer 7 DoS Attacks
• Brute Force Login Attacks
• App. Security and Acceleration
• Credential Stuffing
• Password Field obfuscation
• BotNet protection
Web Application Firewall
Negative vs. Positive Security Model
• Negative Security Model
  • Block known attacks
  • Everything else is allowed
  • Patch implementation is quick and easy (protection against day-zero attacks)
• Positive Security Model
  • (Automatic) analysis of the web application
  • Allow wanted transactions
  • Everything else is denied
  • Implicit security against new, yet unknown attacks (day-zero attacks)
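To make the difference between the two models concrete, here is an added Python example (not code from the slides or from F5) that evaluates the same constructed requests under a toy blocklist of three signatures and a toy allowlist policy for two URLs; the signatures, the policy and the request values are all assumptions. It shows what the slide claims: the negative model passes anything its signatures have not seen (the novel payload shape and the unknown URL), while the positive model denies them without needing a signature.

```python
import re
from dataclasses import dataclass


@dataclass
class Request:
    """A request reduced to what the two models inspect (constructed sample input)."""
    path: str
    params: dict  # parameter name -> value


# Negative model: a tiny stand-in for an attack-signature set (constructed, not
# F5's signatures). Anything that does not match is allowed through.
NEGATIVE_SIGNATURES = [
    re.compile(r"<script", re.I),         # reflected XSS marker
    re.compile(r"union\s+select", re.I),  # SQL injection marker
    re.compile(r"(\.\./){2,}"),           # path traversal marker
]


def negative_model_allows(req: Request) -> bool:
    """Blocklist: deny only what matches a known signature, allow everything else."""
    for value in [req.path, *req.params, *req.params.values()]:
        if any(sig.search(value) for sig in NEGATIVE_SIGNATURES):
            return False
    return True


@dataclass
class ParamSpec:
    """What the application has been observed to accept for one parameter."""
    pattern: re.Pattern  # allowed character set / shape
    max_len: int


# Positive model: a per-URL policy learned from legitimate traffic (hand-written
# here to stand in for the automatic analysis; the URLs and specs are assumptions).
POSITIVE_POLICY = {
    "/login": {
        "user": ParamSpec(re.compile(r"[a-z0-9._-]+"), 64),
        "password": ParamSpec(re.compile(r"[^\x00-\x1f]+"), 128),
    },
    "/search": {
        "q": ParamSpec(re.compile(r"[\w .,-]*"), 100),
    },
}


def positive_model_allows(req: Request) -> bool:
    """Allowlist: allow only known URLs with known parameters whose values fit the
    learned spec; unknown URLs, unknown parameters and out-of-spec values are denied."""
    spec = POSITIVE_POLICY.get(req.path)
    if spec is None:
        return False
    for name, value in req.params.items():
        p = spec.get(name)
        if p is None or len(value) > p.max_len or not p.pattern.fullmatch(value):
            return False
    return True


# Constructed sample requests: one legitimate, one matching a known signature, one
# payload shape the signature set has never seen, and one unknown URL.
SAMPLE_REQUESTS = {
    "legit_login": Request("/login", {"user": "alice", "password": "correct horse"}),
    "known_sqli": Request("/search", {"q": "x' UNION SELECT 1,2--"}),
    "novel_payload": Request("/search", {"q": "x'||'y"}),
    "unknown_url": Request("/admin/backup.php", {}),
}


def compare_models(requests=SAMPLE_REQUESTS):
    """Return {name: (negative_allows, positive_allows)} for each sample request."""
    return {name: (negative_model_allows(r), positive_model_allows(r))
            for name, r in requests.items()}


if __name__ == "__main__":
    for name, (neg, pos) in compare_models().items():
        print(f"{name:14s} negative={'allow' if neg else 'block':5s} "
              f"positive={'allow' if pos else 'block'}")
```

The trade-off the slide describes is visible in the result: the negative model needs a new signature before it can stop `novel_payload` or the unknown URL, while the positive model needs its policy refreshed whenever the application legitimately changes, which is why the slide pairs it with automatic analysis.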
FULL-PROXY ARCHITECTURE
Full-proxy architecture
Figure (slide 8): a full-proxy deployment terminates the client side and the server side separately, each with its own TCP, SSL and HTTP stack and iRule hooks at every layer. Attack labels in the diagram: ICMP flood, SYN flood, SSL renegotiation, Data leakage, Slowloris attack, XSS; protection tiers: Network Firewall, WAF.
F5 provides comprehensive application security
Figure (slide 9): components shown are Application Access, Network Access, Network Firewall, Network DDoS Protection, SSL DDoS Protection, DNS DDoS Protection, Application DDoS Protection, Web Application Firewall, Fraud Protection and Virtual Patching.
• Volumetric take-downs: consume the bandwidth of the target
• Network layer attacks: consume connection state tables
• Application layer attacks: consume application resources
Attack sizes over time: 2005: 8 Gbps; 2013: 300 Gbps; 2016: 1.2 Tbps
Source: How DDoS attacks evolved in the past 20 years, BetaNews
Different attack/issue types: Application, SSL, DNS, Network
DoS is Not Rocket Science!
DDoS attacks are easy to launch. Tools named on the slide: hping3, nmap, Low Orbit ION, High Orbit ION, killapache.pl, slowloris, metasploit, slowhttptest, RussKill, Pandora, Dirt Jumper, PhantomJS, Jmeter, Scapy, Httpflooder, SSLyze, THC-SSL-DOS, and many, many more.
Low sophistication, high accessibility
• Accessible: booters/stressers are easy to find
• Lucrative: profit margins of up to 95%
• Effective: many DDoS victims pay up
Source: Securelist, Kaspersky Lab, March 2017
Mirai DDoS attacks: 620 Gbps, 1 Tbps, 1.2 Tbps
Source: The Hunt for IoT: The Rise of Thingbots, F5 Labs, August 2017
Application Threat Intelligence: critical info on threat source and attack type trends
DDoS Hybrid Defender
Figure (slide 18): PROBLEM / SOLUTION diagram showing a DDoS attacker, the Cloud-Based DDoS Mitigation Platform, and the customer DMZ with network and app protection.
Multiple Layers of Protection
• Start of attack: rate limit to protect the server. Even basic attacks can take an unprotected server down quickly.
• Identify attackers: detect and block bots and bad actors.
• Advanced attacks: create and enforce dynamic signatures.
• Persistent attacks: analyze application stress and continually tune mitigations. Persistent attackers will adjust tools, targets, sources and attack volume to defeat static DoS defenses.
The F5 approach protects the server from the first moment of the attack and then analyzes the attack tools, sources and patterns to refine mitigations. These sophisticated protections maximize application availability while minimizing false positives.
• Detect L7 DDoS attacks by monitoring TPS, latency (automatic), heavy URLs, URLs and IPs, plus behavioral DDoS detection
• Mitigate L7 DDoS by various methods: block, rate limit, client challenges (bot detection) and behavioral DDoS mitigation
• Leverage bot signatures & geolocation
• Proactive bot defense for desktop and mobile applications
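As an added example of the detection and mitigation loop described above (my code, not F5's BaDoS implementation), the Python below learns a per-browser-type transactions-per-second ceiling from quiet traffic, freezes the thresholds once a window exceeds them, and rate-limits the source responsible for most of the excess, falling back to a client challenge otherwise. The traffic, the 2x headroom, the 50% attacker share and the browser-type names are constructed assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    """One request as the detector sees it (constructed sample input)."""
    ts: float       # seconds
    src_ip: str
    browser: str    # browser type derived from the User-Agent
    url: str


def build_sample_traffic():
    """Constructed traffic: 40 s from four clients (~3 req/s each); from second 30
    on, one extra source adds 120 req/s of GETs against the same URL."""
    quiet = [("10.0.0.1", "Chrome"), ("10.0.0.2", "Firefox"),
             ("10.0.0.3", "Chrome"), ("10.0.0.4", "Safari")]
    events = []
    for s in range(40):
        for i, (ip, br) in enumerate(quiet):
            for k in range(3):
                events.append(Event(s + (i * 3 + k) / 12, ip, br, "/search"))
        if s >= 30:
            for k in range(120):
                events.append(Event(s + k / 120, "198.51.100.7", "Chrome", "/search"))
    return sorted(events, key=lambda e: e.ts)


class L7DosDetector:
    """Learns a per-browser-type TPS ceiling from quiet windows, then flags windows
    above ceiling * headroom. While an attack is in progress the thresholds are
    frozen so the attack traffic cannot teach the detector a higher baseline."""

    def __init__(self, learn_windows=20, headroom=2.0, attacker_share=0.5):
        self.learn_windows = learn_windows
        self.headroom = headroom
        self.attacker_share = attacker_share
        self.windows_seen = 0
        self.max_tps = defaultdict(float)   # browser type -> highest quiet TPS seen
        self.threshold = {}                 # browser type -> current/frozen threshold
        self.under_attack = False
        self.first_attack_window = None
        self.mitigations = []               # (window, action, target)

    def process_window(self, window_id, events):
        per_browser = Counter(e.browser for e in events)
        if self.windows_seen < self.learn_windows:           # learning phase
            for b, n in per_browser.items():
                self.max_tps[b] = max(self.max_tps[b], n)
            self.windows_seen += 1
            return None
        if not self.under_attack:                            # thresholds track baseline
            self.threshold = {b: m * self.headroom for b, m in self.max_tps.items()}
        exceeded = [b for b, n in per_browser.items() if n > self.threshold.get(b, 0)]
        if not exceeded:
            self.under_attack = False
            return None
        if not self.under_attack:
            self.under_attack = True                         # freeze thresholds
            self.first_attack_window = window_id
        # Mitigation: rate-limit one source if it produced most of this window's
        # traffic; otherwise challenge the exceeding browser types as a whole.
        per_ip = Counter(e.src_ip for e in events)
        top_ip, top_n = per_ip.most_common(1)[0]
        if top_n / len(events) >= self.attacker_share:
            action = ("rate-limit", top_ip)
        else:
            action = ("js-challenge", ",".join(sorted(exceeded)))
        self.mitigations.append((window_id, *action))
        return action


def run_detector(events=None):
    """Feed 1-second windows to the detector and summarise what it did."""
    events = build_sample_traffic() if events is None else events
    det = L7DosDetector()
    windows = defaultdict(list)
    for e in events:
        windows[int(e.ts)].append(e)
    for w in sorted(windows):
        det.process_window(w, windows[w])
    return {
        "thresholds": det.threshold,
        "first_attack_window": det.first_attack_window,
        "rate_limited": sorted({ip for _, act, ip in det.mitigations if act == "rate-limit"}),
        "windows_mitigated": len(det.mitigations),
    }


if __name__ == "__main__":
    print(run_detector())
```

With the constructed traffic the learned Chrome ceiling is 6 TPS, so the frozen threshold is 12 TPS; the first window at second 30 carries 126 Chrome requests, 120 of them from one address, which is then rate-limited for each of the ten attack windows. Freezing the thresholds is the point to take away: a detector that keeps learning during an attack slowly accepts the attack volume as normal, which is the "static defense" failure the slide warns about.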
Figure (slide 21, behavioral DoS detection, learning phase): per-browser-type load (EPS) for Chrome, Firefox, IE / Cortana, Safari and Opera, each with a learned threshold band (Min and Max, shown for Chrome); L3/L4 predicates (TTL, SRC-IP, DstPort, server health and other L3/L4 predicates) and L7 predicates (URI, Referrer, # Headers and other L7 predicates) each tracked as a Val min / Val max range; the same bands are kept per virtual server (VR-N, VR-A, VR-B, VR-C, VR-D).
Figure (slide 22, behavioral DoS detection during an attack): the same per-browser-type load view (PPS); the thresholds are fixed during the attack (Min and Max shown for Chrome), the current value is compared against them (tN > t), and server health is monitored alongside.
Use Case - DDoS Attacks
Figure (slide 23): DDoS managed service with Silverline Cloud Services (always on or under attack) providing Layer 3 DDoS protection; on-premises core with DDoS Hybrid Defender and Advanced WAF providing Layer 7 DDoS protection; communication (signaling) between the two tiers; hacker bots and users as traffic sources. Option: consolidate into a single layer 3-7 solution.
Problem:
• DDoS attacks are growing, but your resources are not
• DDoS mitigation time is slow due to manual initiation and difficult policy tuning
Benefits:
• On-premises hardware acts immediately and automatically to mitigate attacks.
• Silverline cloud services minimize the risk of larger attacks crippling your site or applications
Solution:
• Always-on protection with on-premises hardware
• Mitigate with a layered defense strategy and cloud services
• F5 SOC monitoring with portal
• Protect against all attacks with granular control
• Eliminate time-consuming manual tuning with machine learning
• [percentage missing from extraction] of Internet traffic is automated
• [percentage missing from extraction] of 2016 web application breaches involved the use of bots
• 98.6M bots observed
Source: Internet Security Threat Report, Symantec, April 2017
Client-Side Attacks
• Malware
• Ransomware
• Man-in-the-browser
• Session hijacking
• Cross-site request forgery
• Cross-site scripting
DDoS Attacks
• SYN, UDP, and HTTP floods
• SSL renegotiation
• DNS amplification
• Heavy URL
App Infrastructure Attacks
• Man-in-the-middle
• Key disclosure
• Eavesdropping
• DNS cache poisoning
• DNS spoofing
• DNS hijacking
• Protocol abuse
• Dictionary attacks
Web Application Attacks
• API attacks
• Cross-site scripting
• Injection
• Cross-site request forgery
• Malware
• Abuse of functionality
• Man-in-the-middle
• Credential theft
• Credential stuffing
• Phishing
• Certificate spoofing
• Protocol abuse
A common source of many threat vectors (the vectors highlighted on the slide): malware, ransomware, man-in-the-browser, cross-site scripting, dictionary attacks, SYN/UDP/HTTP floods, SSL renegotiation, DNS amplification, heavy URL, API attacks, injection, abuse of functionality, credential stuffing, phishing
Application Threat Intelligence: Reaper panic. The latest thingbot making press waves was predicted in "The Hunt for IoT" volume 3.
Thingbots: Multi-purpose Attack Bots
Timeline 2008 to 2018. The year each group belongs to is not recoverable from the extracted text; the groups are listed as they appear:
• 7 bots: SORA, OWARI, UPnPProxy, OMNI, RoamingMantis, Wicked, VPNFilter
• 1 bot: Brickerbot
• 2 bots: WireX, Reaper
• 3 bots: Mirai, BigBrother, Rediation
• 1 bot: Remaiten
• 1 bot: Moon
• 1 bot: Aidra
• 1 bot: Hydra
• 3 bots: Satori Fam, Amnesia, Persirai
• 6 bots: Masuta, PureMasuta, Hide ‘N Seek, JenX, OMG, DoubleDoor
• 1 bot: Crash override
• 1 bot: Gafgyt Family
• 2 bots: Darlloz, Marcher
• 1 bot: Psyb0t
• 4 bots: Hajime, Trickbot, IRC Telnet, Annie
Shifting from primarily DDoS to multi-purpose.
Thingbot attack types: DNS hijack, DDoS, PDoS, proxy servers, unknown, rent-a-bot, install-a-bot, multi-purpose bot, fraud trojan, ICS protocol monitoring, Tor node, sniffer, credential collector, crypto-miner
Shortcomings of Today’s Approach
• Code-level security: difficulty differentiating between humans and modern bots; lags behind the rapid pace of bot evolution
• IP blocking: the sheer volume of IPs is difficult to track and block; ineffective at blocking TOR-based bots
• Traditional WAF: designed to protect against the OWASP Top 10; relies solely on CAPTCHA for bot protection
What is Required for Accurate Bot Detection?
• Bot signatures + DNS checks
• JS challenge + browser fingerprinting
• Browser capabilities
• Human detection
• Optional CAPTCHA
• Anomalies
The server should not receive the bot traffic.
Figure (slide 31): PROBLEM / SOLUTION diagram covering web scraping protection, proactive bot prevention, L7 DoS and WAF; behavioural analysis to identify malicious bots.
Bots that simulate browsers
Figure (slide 32): exchange between a bot, ASM and the web server, with a DNS server alongside for the DNS check:
Bot: "I’m a bot that simulates a browser."
ASM: "OK, what are your capabilities? If you do not answer correctly you will have to answer a CAPTCHA." (Capability? CAPTCHA?)
ASM: "No you are not, bye bye" -> block this guy.
Bot: "Bummer."
Bots that simulate a browser: Headless Chrome, Sentry MBA
How bots that simulate browsers are evaluated and scored
Evaluating the request:
• High score: pass
• Low score: send a CAPTCHA; if the CAPTCHA is valid, pass; otherwise block
Score bands: 0 – 59: browser; 60 – 99: unknown; 100: bot
Behavioural Analysis and Fingerprinting
• Detect GET flood attacks against heavy URIs
• Identify non-human surfing patterns
• Fingerprint to identify beyond the IP address: operating system, geolocation, browser
Browser attributes used for fingerprinting:
• Screen size and colour depth
• Plugin details
• Time zone
• HTTP_ACCEPT headers
• Language
• System fonts
• Touch support
• Extensions
How unique are you? Browser attributes (Web / Hybrid / Native)
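The scoring and fingerprinting slides above translate into a small decision routine; the following Python is an added example (not F5's scoring code), and its signal names, signature strings, point values and sample clients are assumptions. It treats the score as bot likelihood (0-59 browser, 60-99 unknown, 100 bot), sends the unknown band to a CAPTCHA, and blocks outright on a signature match or on a crawler claim that fails the DNS check.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ClientSignals:
    """Signals gathered for one client (constructed; field names are assumptions)."""
    user_agent: str
    js_challenge_passed: Optional[bool]   # None: challenge not run or not answered yet
    plugins: int                          # number of plugins the browser reports
    fonts: int                            # number of system fonts enumerated
    screen: Tuple[int, int, int]          # (width, height, colour depth)
    touch_support: bool
    claims_search_engine: bool = False    # UA claims to be a known crawler
    reverse_dns_ok: Optional[bool] = None # result of the DNS check for that claim


# A tiny stand-in for a bot-signature list (constructed; not F5's signatures).
BOT_SIGNATURES = ("sentry mba", "python-requests", "curl/")


def fingerprint_anomalies(sig: ClientSignals) -> List[str]:
    """Attributes from the slide's fingerprint list that look unlike a real browser."""
    found = []
    if sig.plugins == 0 and sig.fonts == 0:
        found.append("no plugins and no fonts")
    width, height, depth = sig.screen
    if width == 0 or height == 0 or depth == 0:
        found.append("empty screen geometry")
    if "mobile" in sig.user_agent.lower() and not sig.touch_support:
        found.append("mobile UA without touch support")
    return found


def score_client(sig: ClientSignals) -> int:
    """0-59 browser, 60-99 unknown, 100 bot (score read as bot likelihood)."""
    ua = sig.user_agent.lower()
    if any(s in ua for s in BOT_SIGNATURES):
        return 100                                   # signature match: certain
    if sig.claims_search_engine and sig.reverse_dns_ok is False:
        return 100                                   # crawler claim failed the DNS check
    score = 0
    if sig.js_challenge_passed is False:
        score += 40                                  # could not answer the JS challenge
    score += 25 * len(fingerprint_anomalies(sig))    # each fingerprint anomaly
    return min(score, 99)                            # only hard evidence reaches 100


def decide(sig: ClientSignals, captcha_solved: Optional[bool] = None) -> str:
    """The slide's decision tree: browser passes, unknown gets a CAPTCHA, bot is blocked."""
    s = score_client(sig)
    if s <= 59:
        return "pass"
    if s == 100:
        return "block"
    if captcha_solved is None:
        return "captcha"                             # unknown band: challenge first
    return "pass" if captcha_solved else "block"


# Constructed clients (user agents are invented, not real products' strings,
# except the Sentry MBA name taken from the slide).
REAL_BROWSER = ClientSignals("Mozilla/5.0 (Windows NT 10.0) Chrome/60", True,
                             3, 120, (1920, 1080, 24), False)
HEADLESS = ClientSignals("Mozilla/5.0 HeadlessChrome/60", False,
                         0, 0, (800, 600, 24), False)
CRED_STUFFER = ClientSignals("Sentry MBA 1.5", None, 0, 0, (0, 0, 0), False)
FAKE_CRAWLER = ClientSignals("Mozilla/5.0 (compatible; ExampleBot/1.0)", None,
                             0, 0, (0, 0, 0), False,
                             claims_search_engine=True, reverse_dns_ok=False)


if __name__ == "__main__":
    for name, c in [("real browser", REAL_BROWSER), ("headless", HEADLESS),
                    ("credential stuffer", CRED_STUFFER), ("fake crawler", FAKE_CRAWLER)]:
        print(f"{name:20s} score={score_client(c):3d} decision={decide(c)}")
```

The headless client lands in the unknown band (failed JS challenge plus one fingerprint anomaly), so it is challenged rather than blocked, which is where the slide's "optional CAPTCHA" sits; the signature match and the failed DNS check are the only paths to 100, keeping false positives on odd but real browsers to a challenge instead of a block.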
Fraudsters eat for free as Deliveroo accounts hit by mystery breach
• No prior breach
• Dozens of account takeovers left users picking up food bills they never ordered
• Unsuspecting victims received receipts via email, after it was too late
In the last 8 years more than 7.1 billion identities have been exposed in data breaches¹ (breach sizes shown on the slide: 70 million, 427 million, 150 million, 3 billion, 117 million)
“Nearly 3 out of 4 consumers use duplicate passwords, many of which have not been changed in five years or more”²
1) Symantec Internet Security Threat Report, April 2017
2) Password Statistics: The Bad, the Worse and the Ugly, Entrepreneur Media
Figure (slide 43): one username linked to credit card data, intellectual property, healthcare data, passport data and financial data.
Application Threat Intelligence: info on emerging threats. What is it? Who does it affect? Protection strategy recommendations.
Figure (slide 44): PROBLEM / SOLUTION diagram: WAF with breached credential database comparison and distributed brute force protection.
• In the first quarter of 2017, a new specimen of malware emerged every 4.2 seconds
• 1 in every 131 emails included malware in 2016
• Over half (51%) of all breaches in 2016 involved some form of malware
Sources:
1) Malware trends 2017, G DATA Software
2) Symantec Internet Security Threat Report, April 2017
3) WannaCry Update, Rapid7 Blog, May 2017
Application Threat Intelligence: use our research to learn about new types of malware
Man-in-the-Browser malware
• Injects into running processes
• Hooks functions inside Windows DLLs
• MitM – sends credentials to the command and control center
Figure (slide 49): PROBLEM / SOLUTION diagram: online users, man-in-the-browser malware, WAF.
F5 ADVANCED WAF
F5 Advanced WAF: protect against bots, credential attacks, and app-layer DoS
Key Benefits:
• Protects web and mobile apps from exploits, bots, theft, app-layer DoS
• Prevents malware from stealing data and credentials
• Prevents brute force attacks that use stolen credentials
• Eliminates time-consuming manual tuning for app-layer DoS protection
Defend against bots
• Proactive bot defense
• Anti-bot mobile SDK
• Client and server monitoring
Protect apps from DoS
• Auto-tuning
• Behavioral analytics
• Dynamic signatures
Prevent Account Takeover
• App-level encryption
• Mobile app tampering
• Brute force protection
Figure (slide 55): hacker, bots and users’ credentials in front of F5 Advanced WAF; labels Mobile, Bot Mitigation, Credential Protection, App-Layer DoS and Anti-bot Mobile SDK.
F5 ASM: L7 DDoS (BaDoS limited), Base ADC, Anti Bot, ASM
F5 Advanced WAF: L7 DDoS (BaDoS limited), Base ADC, Anti Bot, ASM, DataSafe, BaDoS Unlimited, Credential Stuffing (S), Anti Bot Mobile (A), Threat Campaigns (S), API Security (A), Upstream Signaling, C. Device ID (S)
Legend: (S)ubscription License, (A)dd On License, (I)ncluded in the AWAF
What are LTM features available on ASM?
Starting with BIG-IP ASM version 13.1.0.1, the following LB capabilities have been added to ASM (with no need for an LTM license):
• Up to 3 pool members
• LB methods supported:
  • Round Robin
  • Ratio (member)
  • Ratio (node)
What are LTM features available on AWAF?
Starting with BIG-IP version 13.1.0.2, the following LTM features are part of the AWAF (Advanced WAF) license:
Load Balancing
• No limit on the number of pool members
• LB methods supported:
  • Round Robin
  • Ratio (member)
  • Least Connections (member)
  • Ratio (node)
  • Least Connections (node)
  • Weighted Least Connection (member)
  • Weighted Least Connection (node)
  • Ratio Least Connection (member)
  • Ratio Least Connection (node)
Persistence
• Cookie persistence
• Source address
• Host
• Destination address
Summary
Figure (slide 62): the F5 portfolio mapped to the four attack classes (Web Application Attacks, App Infrastructure Attacks, DDoS Attacks, Client-Side Attacks): Hybrid DDoS Protection (DDoS Hybrid Defender; anti-DDoS for the app infrastructure, DNS and TLS/SSL), Powerful WAF (Advanced Web Application Firewall with bot defense and credential protection), Access Control (Access Management; web access management and identity access management / IAM), Fraud Prevention, and SSL Orchestrator.