DDOS PROFILE
Global Service Tech Summit, Seattle
Sep, 2015, v3
lior@f5.com
ASM DDoS Profile
DDoS - HTTP Flood Attacks; DDoS - Bots
F5 Networks, Inc 2
HTTP Floods facts: HTTP floods consist of legitimate Layer 7 requests.
Wrong identification will prevent valid users from accessing the site (false positive).
(Diagram: users, an unidentified user and hacktivists sending requests from their source IPs to the web site, its servers and its database.)
HTTP Floods types: requests increase from source IPs and/or to URLs inside the web site.
(Diagram: hacktivists sending requests to the web site, servers and database.)
ASM Detection & Mitigation concept - HTTP Floods
ASM process:
1. Monitoring entities: RPS, latency, source IPs, URLs
2. Detecting increase
3. Activating mitigation
(Diagram: users or bots, identified and unidentified, and hacktivists sending requests to the web site; ASM measures RPS and latency per source IP and per application URL/object in front of the servers and database.)
ASM Detection & Mitigation concept - DoS Profile
Location: Security > DoS Protection > DoS Profiles > dos
TPS Based Detection: Transactions Per Second based detection and mitigation
(Diagram: traffic towards the server.)
TPS Based Detection
Monitoring requests-per-second increase from a source IP, a geolocation, a URL, or site wide.
Then apply one of the mitigation policies: CSID (Client Side Integrity Defense), CAPTCHA, rate limit.
TPS Based Detection (agenda)
1. By Source IP (Detection & Mitigation Policies)
2. Mitigation policies:
   a) Client Side Integrity Defense
   b) CAPTCHA challenge
   c) Request Blocking
3. By Geolocation (Detection & Mitigation Policies)
4. By URL (Detection & Mitigation Policies)
5. By Site Wide (Detection & Mitigation Policies)
6. Prevention Duration
By Source IP: Detection Criteria
Detection: thresholds for determining a DDoS attack by source IP increase
Mitigation: which mitigation will apply to the offending source IP
By Source IP: Detection Criteria - Detection Ratio
Long (History Interval): the RPS of the last 1 hour, measured as averages taken every 10 seconds
Short (Detection Interval): the RPS of the last 10 seconds, measured every 10 seconds
By Source IP: Detection Criteria - Detection Ratio example
Long (History Interval): 50 TPS
Short (Detection Interval): 370 TPS
TPS increased by: ((370 - 50) / 50) * 100 = 640%
640% > 500% = True
By Source IP: Detection Criteria - At least X Transactions
A minimum condition on the detection ratio to prevent a false-positive increase (a source IP starts browsing the site and goes from 0 to 30 RPS).
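As an added example (not part of the F5 deck), the detection ratio and minimum-transactions conditions above implemented in Python; the 500% ratio and the 50/370 TPS figures come from the slides, while the one-hour bucket count and the 200 TPS minimum are assumed values.

```python
from collections import deque
from statistics import mean

# Added example, not F5 code: the "By Source IP" TPS ratio detection.
# History interval = the last hour of 10-second RPS averages; detection
# interval = the most recent 10-second RPS average. A source is flagged when
# its increase over the history baseline exceeds the ratio threshold AND its
# current rate is at least the "At least X Transactions" minimum.
HISTORY_BUCKETS = 360        # 3600 s / 10 s = one hour of 10-second buckets
RATIO_THRESHOLD_PCT = 500.0  # the 500% ratio used in the slide example
MIN_TPS = 200.0              # assumed "At least X Transactions" value


def increase_pct(long_tps: float, short_tps: float) -> float:
    """Increase of the detection interval over the history baseline:
    ((short - long) / long) * 100, as on the slide."""
    if long_tps <= 0:
        return float("inf") if short_tps > 0 else 0.0
    return (short_tps - long_tps) / long_tps * 100


def ratio_detected(long_tps: float, short_tps: float,
                   ratio_pct: float = RATIO_THRESHOLD_PCT,
                   min_tps: float = MIN_TPS) -> bool:
    """True only if the ratio is exceeded AND the current rate reaches the
    minimum; the minimum is what keeps a 0 -> 30 RPS start from firing."""
    return short_tps >= min_tps and increase_pct(long_tps, short_tps) > ratio_pct


class SourceIpMonitor:
    """Sliding one-hour history of 10-second RPS buckets for one source IP."""

    def __init__(self, ratio_pct: float = RATIO_THRESHOLD_PCT,
                 min_tps: float = MIN_TPS):
        self.buckets = deque(maxlen=HISTORY_BUCKETS)
        self.ratio_pct = ratio_pct
        self.min_tps = min_tps

    def add_interval(self, requests_in_10s: int) -> bool:
        """Feed the request count of one 10-second detection interval and
        return whether it triggers detection against the history so far
        (the new interval is compared before it joins the baseline)."""
        short_tps = requests_in_10s / 10
        long_tps = mean(self.buckets) if self.buckets else short_tps
        self.buckets.append(short_tps)
        return ratio_detected(long_tps, short_tps, self.ratio_pct, self.min_tps)


def slide_example() -> bool:
    """Six quiet intervals at 50 TPS, then one interval at 370 TPS."""
    mon = SourceIpMonitor()
    for _ in range(6):
        assert not mon.add_interval(500)      # 500 req / 10 s = 50 TPS
    return mon.add_interval(3700)             # 370 TPS vs 50 TPS baseline
```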
Client Side Integrity Defense Concept
(Diagram: user and web bot in front of the server.)
ASM to the user: OK, you are allowed. Here is the web page you asked for.
If a bot: *^lkjdfg@#$
ASM to the web bot: Bye bye. Blocked.
Client Side Integrity Defense - Flow
Participants: User Browser, DoS Profile (ASM), App
1. First main page access: HTTP Request (no cookie) from the browser to the DoS Profile.
2. DoS Profile sends the JS test: a computational challenge.
3. Browser solves the challenge and sets a cookie with a time stamp of the events. Transparent to the user, done under the hood.
4. HTTP Request (with cookie). DoS Profile validates the cookie (format & time stamp), reconstructs the request and forwards the original HTTP Request to the App.
5. HTTP Response (main page) from the App through the DoS Profile to the browser; the page is delivered.
6. More object requests (with cookie) to the App, and more responses back to the browser.
Notes: this is the flow and timeline. The request is held at the ASM and does not arrive at the App until the checks are satisfied. Not all checks are described here; some are internal IP.
Client Side Integrity Defense JavaScript sample
The JS is obfuscated.
From the user's perspective this is a transparent action.
Client Side Integrity Defense Mitigation summary
If the client did not solve the challenge but is still sending requests: Block (RST)
If the client accesses a resource (e.g. an image) without getting the cookie first: Block (RST)
CAPTCHA Challenge - Concept
(Diagram: client challenged in front of the server.)
CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart
CAPTCHA customized response
Can be customized to the web site's look and feel (colors) via CSS.
A Failure Response page is served if the first attempt fails.
CAPTCHA Challenge - Flow
Participants: User Browser, DoS Profile (ASM), App
1. User requests mypage.php: GET /mypage.php (no cookie) from the browser to the DoS Profile.
2. DoS Profile sends the CAPTCHA: CAPTCHA HTML + JS response, with a cookie carrying a time stamp. The CAPTCHA is rendered in the browser.
3. User solves the CAPTCHA and submits the solution.
4. GET /mypage.php + CAPTCHA cookie. DoS Profile verifies the CAPTCHA solution and validates the cookie, then sends GET /mypage.php to the App.
5. App returns the HTML of mypage.php; DoS Profile passes it to the browser, where mypage.php is rendered.
Notes: while the system is still in a state of attack, the offending source will be presented with another CAPTCHA every 5 min. Same as CSID, the request is held at the ASM until the CAPTCHA is solved.
CAPTCHA mitigation summary
Request Blocking / Rate limit
While CSID and CAPTCHA try to understand who the offending source is (bot or browser), request limiting is indifferent to identity and simply limits the offending sources.
Request Blocking
Blocking: block the offending source completely. If a source IP reached the thresholds, I don't want it on my site at this point.
Rate Limit: limit the amount of allowed requests from the offending source. If it reached the thresholds, I can sustain only some of the traffic at this point.
Request Blocking Mitigation Summary
Example: if the long interval was 50 TPS and the short interval increased to 150 TPS, rate limit the source to 50 TPS.
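An added example, not F5 code, of the rate-limit behaviour just described: the limit is pinned to the long-interval baseline (50 TPS) and the surplus of a 150 TPS source is dropped; the one-second sliding window and the evenly spaced request timing are assumptions.

```python
from collections import deque

# Added example, not F5 code: "Request Blocking / Rate limit" for an offending
# source. The permitted rate is the long (history) interval baseline; requests
# beyond it inside any one-second window are dropped. Slide numbers: baseline
# 50 TPS, attack 150 TPS -> 50 requests pass and 100 are dropped each second.


class BaselineRateLimiter:
    """Sliding one-second window limiter set to the history-interval TPS."""

    def __init__(self, long_interval_tps: int):
        self.limit = long_interval_tps       # rate limit = long interval TPS
        self.window = deque()                # ms timestamps of allowed requests

    def allow(self, now_ms: int) -> bool:
        # Forget allowed requests that are a full second old or older.
        while self.window and now_ms - self.window[0] >= 1000:
            self.window.popleft()
        if len(self.window) < self.limit:
            self.window.append(now_ms)
            return True
        return False                         # excess request from the source


def simulate(long_tps: int, short_tps: int, seconds: int = 10):
    """Send short_tps evenly spaced requests per second for `seconds` seconds
    through a limiter pinned to long_tps; return (allowed, dropped) totals."""
    limiter = BaselineRateLimiter(long_tps)
    allowed = dropped = 0
    for s in range(seconds):
        for i in range(short_tps):
            ts_ms = s * 1000 + (i * 1000) // short_tps
            if limiter.allow(ts_ms):
                allowed += 1
            else:
                dropped += 1
    return allowed, dropped
```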
TPS based: by source IP Summary
All source IPs that reached the thresholds will be presented with the enabled mitigation.
If the rate is still increasing, fall back to the next mitigation according to the order in the GUI (switching mitigation).
HTTP Floods Geolocation detection and Mitigation
HTTP flood type: from multiple source IPs originating from a specific country.
(Diagram: users or bots, an unidentified user and hacktivists sending requests from source IPs in one country to the web site, servers and database.)
Geolocation - Detection
(Screenshot of the detection criteria; the conditions are combined with AND.)
Geolocation Mitigation
All client requests arriving from the specific country will be presented with the mitigation.
Geolocation black and white listing
HTTP Floods URL Detection and Mitigation
Measuring request increase on a URL.
Flood types:
From multiple IPs to multiple fixed URLs
From multiple IPs to multiple random URLs
(Diagram: users or bots, an unidentified user and hacktivists sending requests from source IPs to the web site, e.g. http://site.com/sell.php; ASM measures RPS per URL in front of the servers and database.)
URL Detection Criteria
Collecting RPS on URLs
URL Detection Criteria - Mitigation
All clients that access the URL are presented with: Client Side Integrity Check, CAPTCHA Challenge, or Request Blocking as rate limit only (no block all).
HTTP Floods Site Wide Detection and Mitigation
(Diagram: users, an unidentified user and hacktivists sending requests from source IPs to the web site; ASM measures RPS for the whole site in front of the servers and database.)
Site-Wide Detection Criteria
Collecting RPS on the entire website (all entities: URLs, IPs).
In some cases the floods will stay under the thresholds of IP-based or URL-based detection; site wide provides another layer of detection and prevention.
Detection: ratio or fixed.
Prevention policies: all clients that access the site are presented with Client Side Integrity Check, CAPTCHA Challenge, or Request Blocking as rate limit only (no blocking).
Prevention duration
Escalate top down (to the next enabled mitigation) every 120 seconds if the rate is still increasing above the thresholds.
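An added example (not F5 code) of the switching-mitigation behaviour described in the "by source IP Summary" slide and the prevention duration above: mitigations escalate in GUI order every 120 seconds while the source stays above its threshold. The mitigation names, the 120-second interval and the top-down order come from the slides; modelling "still increasing" as "still above threshold" is a simplification.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Added example, not F5 code: the switching-mitigation escalation described in
# "TPS based: by source IP Summary" and "Prevention duration". Enabled
# mitigations are applied top down in GUI order; if the source still exceeds
# its threshold 120 seconds later, the next one is applied. Simplification:
# "still increasing" is modelled as "still above the threshold".

GUI_ORDER = ["Client Side Integrity Defense", "CAPTCHA challenge", "Request Blocking"]
ESCALATION_SECONDS = 120


@dataclass
class MitigationState:
    enabled: List[str]                  # enabled mitigations, GUI order
    threshold_tps: float                # above this the source is offending
    active: Optional[str] = None        # mitigation currently applied
    since: int = 0                      # when the active mitigation started
    history: List[str] = field(default_factory=list)

    def observe(self, now: int, tps: float) -> Optional[str]:
        """Feed one sample (time in seconds, measured TPS) and return the
        mitigation in force after it, or None when the source is clean."""
        if tps <= self.threshold_tps:
            if self.active is not None:          # prevention ends
                self.history.append(f"{now}s: end {self.active}")
            self.active = None
            return None
        if self.active is None:                  # first enabled mitigation
            self.active, self.since = self.enabled[0], now
            self.history.append(f"{now}s: start {self.active}")
        elif now - self.since >= ESCALATION_SECONDS:
            idx = self.enabled.index(self.active)
            if idx + 1 < len(self.enabled):      # escalate; stay on the last one
                self.active, self.since = self.enabled[idx + 1], now
                self.history.append(f"{now}s: escalate to {self.active}")
        return self.active


def run_timeline(enabled: List[str], threshold_tps: float, samples):
    """samples: iterable of (seconds, tps); returns the mitigation per sample."""
    state = MitigationState(enabled, threshold_tps)
    return [state.observe(t, tps) for t, tps in samples]
```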
Stress Based detection
Stress Based Detection and prevention concept
(Diagram: the server reporting its own stress: "I'm the server".)
Stress Based GUI
Stress Based Detection & Mitigation
2. By Geolocation
3. By URL
4. Site Wide
Stress Based Detection thresholds condition
Latency threshold exceeded? AND TPS threshold exceeded? Then: activate the mitigation policy.
Mitigation is activated when two types of thresholds are reached: latency thresholds AND TPS thresholds.
Stress Based Detection thresholds condition
Automatic stress detection enters a state of exceeding thresholds. This by itself will not activate the prevention. Only when the TPS thresholds are exceeded as well is the prevention policy activated.
Latency thresholds are not visible in the GUI; they are part of automatic detection.
Example: in order to apply a prevention policy, both TPS and latency thresholds must be exceeded; then the enabled prevention policy is activated.
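An added example, not F5 code, of the AND condition above: both the latency side and the TPS side must be exceeded before "mitigate" is returned. The 500% TPS ratio comes from the earlier slides; the fixed 1000 TPS value, the 200% latency ratio and the latency-as-ratio modelling are assumptions, since the real latency thresholds are automatic and not shown.

```python
from dataclasses import dataclass

# Added example, not F5 code: the stress-based activation condition. Latency
# thresholds are automatic and not shown in the GUI, so the latency side is
# modelled here as an assumed increase of the current latency over its
# history average; the TPS side is the configured fixed or ratio threshold.
# The prevention policy activates only when BOTH sides are exceeded.


@dataclass
class StressThresholds:
    tps_ratio_pct: float = 500.0        # configured TPS ratio threshold
    tps_fixed: float = 1000.0           # configured fixed TPS threshold
    latency_ratio_pct: float = 200.0    # assumed automatic latency threshold


def pct_increase(history: float, current: float) -> float:
    """Percentage increase of the current interval over the history average."""
    if history <= 0:
        return float("inf") if current > 0 else 0.0
    return (current - history) / history * 100


def latency_exceeded(th: StressThresholds, hist_ms: float, cur_ms: float) -> bool:
    return pct_increase(hist_ms, cur_ms) > th.latency_ratio_pct


def tps_exceeded(th: StressThresholds, hist_tps: float, cur_tps: float) -> bool:
    return cur_tps >= th.tps_fixed or pct_increase(hist_tps, cur_tps) > th.tps_ratio_pct


def stress_state(th: StressThresholds, hist_ms: float, cur_ms: float,
                 hist_tps: float, cur_tps: float) -> str:
    """Classify one sample; only 'mitigate' activates the prevention policy."""
    lat = latency_exceeded(th, hist_ms, cur_ms)
    tps = tps_exceeded(th, hist_tps, cur_tps)
    if lat and tps:
        return "mitigate"       # latency AND TPS exceeded
    if lat:
        return "latency-only"   # stress detection in "exceeding" state, no prevention
    if tps:
        return "tps-only"       # TPS-based would act here; stress-based does not
    return "normal"
```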
TPS based VS Stress based
TPS based: a quick way to protect against DDoS ("I'm in trouble and I want to block now!"). A fixed number of TPS reached is very easy and useful. It is also easy to detect offending sources.
Stress based: allows the option to activate the mitigation only when the backend is experiencing latency AND an RPS increase ("I only want to block when the attack is causing backend latency"). Provides layers of defense and notifies about backend issues (not just DDoS).
Conclusion: TPS based is quick, while latency based allows a more granular approach.
Heavy URLs
Heavy URLs
Heavy URLs are URLs that consume more processing resources from the server.
They are a good application DoS point: even a few requests can DoS the app.
Typical heavy URLs are the search box and product IDs, e.g. http://site.com/serach.php?q=a
(Diagram: a heavy URL request reaching the servers and database.)
Heavy URLs concept
Heavy URL is another detection capability. Once its thresholds are reached AND one of the By URL detection thresholds is reached, the URLs that are considered heavy URLs get the active mitigation policy applied.
Heavy URLs configuration
Example: By URL TPS reached 1000 TPS and is currently applying CSID mitigation. Heavy URL is enabled.
Heavy URL Reporting: Security > Reporting > DoS > Application > URL Latencies
Example: if search.php is defined as heavy and the index URL is currently being mitigated with CSID because it exceeded the URL thresholds (ratio or fixed), then every source IP that is accessing search.php will also get the CSID check.
Remember, security is a process
Reporting first
Fine tune your thresholds: before a DDoS attack and during a DDoS attack
First rule of detection - AVR Reporting
Know your web site metrics.
L7 DDoS measurements:
Security > Reporting > DoS > Overview
Security > Reporting > DoS > Application > Transaction Outcome
Why Fine Tune Thresholds?
Out of the box thresholds are good for most web sites. Depending on the web site traffic, fine tuning thresholds might be needed ("good for me??").
Fine tuning thresholds can be divided into: before a DDoS attack, and during a DDoS attack.
Fine Tune Thresholds Before attack
Process:
Prerequisite: enable the DDoS profile on the desired virtual server.
1) White list IPs, geolocation countries, URLs (admin), etc.
2) Get visibility with transparent mode; write down the metrics.
3) Test and decide which prevention will apply when thresholds are exceeded (TPS based / latency based, heavy URL config, etc.).
4) Fine tune thresholds for fixed and ratio based detection.
5) Switch to blocking when needed.
Fine Tune Thresholds Before DDoS for Source IP
Fine Tune Thresholds Before DDoS for Geolocation
Go to Security > Reporting > DoS > Application > Transaction Outcome
Fine Tune Thresholds Before DDoS for URL
Fine Tune Thresholds Before DDoS for Site Wide
Site wide = virtual server.
The overall traffic threshold should be much higher than the other thresholds.
The values reflect the total amount of TPS that the virtual server can handle.
Fine Tune Thresholds During attack
Process:
1) Fine tune the white list sources if needed.
2) Identify sources that exceed thresholds (source IPs, URLs, geolocations, site wide) by looking at the reporting.
3) Determine the attack type: from fixed/random source IPs to fixed/random URLs. Conclude which of the detection types you need (source IP only? source IP and URL based only? etc.).
4) Fine tune thresholds according to the exceeding sources (ratio / fixed).
5) Apply mitigation and decide what is working and what is not. Uncheck the mitigations that are not effective.
6) Go to step 1 and repeat.
Fine Tune Thresholds During attack - Source IP
Fine Tune Thresholds During attack - Geolocation
Fine Tune Thresholds During attack - URLs
Fine Tune Thresholds During attack - Site Wide
AVR reports and graphs
Security > Event Logs > DoS > Application Events
(Screenshot columns: Host, IP, Number of TPS.)
AVR reports and graphs
Security > Reporting > DoS > Application > Transaction Outcomes
Start and end points: red flags indicate the start of an attack and green flags indicate the end of an attack. Switching mitigation can occur several times over the course of a DDoS attack.
AVR reports and graphs - Transaction outcomes
Incomplete: indicates traffic that was dropped by the server because the connection was incomplete or the server did not respond.
Blocked: indicates traffic that was blocked as a result of the mitigation policy (any of the prevention policies, including bot blocking).
Proactive Mitigation: indicates the amount of time that the proactive bot defense mechanism was served.
CAPTCHA mitigation: indicates the amount of time that the CAPTCHA challenge was served to offending sources.
CS integrity mitigation: indicates the amount of time that the client-side integrity defense challenge was served to offending sources.
BIG-IP Response: indicates traffic that is a response to the client from the BIG-IP system.
Cached by BIG-IP: indicates traffic that is served from the configured cache (WA, RamCache).
Whitelisted: indicates traffic from IP addresses that are in the whitelist of the DoS profile.
Pass through: indicates traffic that is passed through ASM to the application server.
AVR reports and graphs
The AVR DoS graph now shows the thresholds that are set in the TPS detection tab.
Fine Tune Thresholds Summary
Before DDoS:
Write down the normal thresholds for the web site (IPs, geolocation, URLs, site wide).
Set the ratio and the fixed threshold for each of the above detection criteria (how much the web site can take: 2 times the traffic, 5 times, etc.).
Test the configuration and the prevention policy, then conclude which one is good for you.
During DDoS:
Identify the source IPs, URLs and entire-site traffic increase and determine the attack type.
Set the fixed TPS number in each of the above criteria and apply mitigation.
Verify the results in the Transaction Outcome graph.
DDoS Bots - Detection & Mitigation
Layers of defense against Bots
Simple Bots
Impersonating Bots (the diagram shows a bot calling itself "Gohogle")
Bots with cookies / JS capabilities
This bot section is mostly about bots that DoS / DDoS. However, bot detection and prevention can be used for the various bot problems the site is experiencing.
DDoS Bots
Bots can be classified in many ways; mostly there are:
1. Simple bots
2. Impersonating bots
3. Bots with cookies & JS capabilities
4. Bots acting as a full browser
(Diagram: users or bots, including the Google web bot and other web bots, accessing the web site.)
Enabling Bot signatures protection
Bots: Simple Bot
(Diagram: a bot announcing "I'm a simple bot" to the server.)
Categorizing Bots
Bot Signatures - each category includes:
None: ignore
Report: report only, used for monitoring
Block: block
Excluding specific bot signatures from category settings
First - White list good Bots
(Diagram with a DNS server, numbered steps 2-4.)
ASM: Let's see if you really are. I'm doing a Google reverse DNS lookup.
ASM: Yes, I see that, please continue.
Bot: Thanks.
White list good Bots - with their domain name
1. A request arrives with User-Agent: Googlebot/2.1.
2. ASM searches for the Google bot signature.
3. The signature includes the domain name. ASM issues a reverse DNS query (to the DNS server) to verify the origin of the request.
4. Once approved, ASM will allow the Google bot to access the web site (web server).
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Bot Signature Repository
Security > Options > DoS Protection > Bot Signatures List
Bot Signature List: general signatures repository
Sorting the Bot Signature Repository
Various filtering
Bot Signature Categories
Create a new bot signature: simple edit mode
Bot Signature name
Category
Bot signature facts
Bots: Impersonating Bot
1. A request arrives with User-Agent: Googlebot/2.1.
2. ASM searches for the Google bot signature.
3. The real Google bot's signature includes the domain name. ASM issues a reverse DNS query (to the DNS server) to verify the origin of the request.
4. If the source IP is not the expected one according to the DNS query, ASM will block the impersonating bot before it reaches the web server.
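An added example, not F5 code, of the good-bot verification and impersonating-bot blocking described in these slides. The signature matching on the Googlebot/2.1 User-Agent and the reverse DNS step follow the slides; the googlebot.com domain, the forward-confirmation step and the DNS table are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Added example, not F5 code: the bot-signature check from the white-listing
# and impersonating-bot slides. A User-Agent is matched against a signature;
# when the signature carries a domain name, the source IP is verified by a
# reverse DNS query and, as a defender's addition not on the slides, forward-
# confirmed so a spoofed PTR record cannot pass. DNS is injected so the example
# runs offline against a constructed table.

@dataclass
class BotSignature:
    name: str
    ua_marker: str          # substring identifying the bot in the User-Agent
    domains: List[str]      # expected reverse-DNS domains; empty = no check

# Assumed signature: Googlebot, expected to resolve under googlebot.com.
SIGNATURES = [BotSignature("Googlebot", "Googlebot/2.1", ["googlebot.com"])]

def match_signature(user_agent: str) -> Optional[BotSignature]:
    return next((s for s in SIGNATURES if s.ua_marker in user_agent), None)

def verify_bot(user_agent: str, src_ip: str,
               reverse_lookup: Callable[[str], Optional[str]],
               forward_lookup: Callable[[str], List[str]]) -> str:
    """'allow' = verified good bot, 'block' = impersonating bot,
    'no-signature' = not a known bot (other bot defenses apply)."""
    sig = match_signature(user_agent)
    if sig is None:
        return "no-signature"
    if not sig.domains:
        return "allow"
    host = reverse_lookup(src_ip)                     # step 3: reverse DNS
    if host is None or not any(host == d or host.endswith("." + d)
                               for d in sig.domains):
        return "block"                                # step 4: wrong origin
    # Forward confirmation: the PTR name must resolve back to the source IP.
    return "allow" if src_ip in forward_lookup(host) else "block"

# Constructed DNS table using documentation address ranges.
PTR: Dict[str, str] = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",   # genuine-looking crawler
    "198.51.100.7": "host7.example.net",               # impersonator, other domain
    "203.0.113.5": "crawl-fake.googlebot.com",         # spoofed PTR, no forward match
}
A: Dict[str, List[str]] = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "host7.example.net": ["198.51.100.7"],
    "crawl-fake.googlebot.com": ["192.0.2.99"],
}
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

def check(src_ip: str, user_agent: str = GOOGLEBOT_UA) -> str:
    return verify_bot(user_agent, src_ip, PTR.get, lambda h: A.get(h, []))
```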
Bots: Bot with cookies & JS capabilities
(Diagram: a bot that understands JS and supports cookies, with a DNS server and the web server; it solves the challenge and sets the cookie with a time stamp. Bummer.)
Proactive Bot Defense is now integrated with the bot signatures. When enabling proactive bot defense, the bot signature feature will be enabled as well.
Bots: Bot acting as full browser
(Diagram: "I'm a bot that simulates a browser" in front of the web server. Bummer.)
Block Suspicious Browsers: additional tests are done to understand if this is a bot or a browser. ASM will evaluate the source and give it a score. If the score indicates that the source is a bot, it will block it. If the score indicates uncertainty and the CAPTCHA challenge is checked, then a CAPTCHA will be presented to the source: if answered, it is a human; if not, blocked.
Transaction outcomes is very useful for monitoring traffic and indicates various measurements.
AVR will provide details on DoS bot signatures (use drill downs).