BIG-IP ASM v12
DDoS Profile
Lior Rotkovitch, NPI
ASM, L7 DDoS & Analytics
Global Service Tech Summit, Seattle
Sep 2015, v3
lior@f5.com
© F5 Networks, Inc 2
ASM – DDoS Profile
DDoS - HTTP Flood Attacks
• From a single IP to a single URL
• From multiple IPs to a single fixed URL
• From multiple IPs to multiple fixed URLs
• From multiple IPs to multiple random URLs
• From multiple IPs from a specific country
• Fine tune your thresholds & reporting
DDoS - Bots
• Simple bots
• Impersonating bots
• Bots with cookie & JS capabilities
• Bots acting as a full browser
• Reporting
HTTP Floods facts:
[Diagram: users, unidentified users, web bots and hacktivists, each with their own source IPs, sending requests to the web site's servers and database]
• Legitimate Layer 7 requests
• Asking for a web page thousands of times instead of one (or a few) times
• Exhausting backend server resources: memory, CPU, disk etc.
• Relatively easy to execute with simple tools
• Not easy to detect the offending source, nor to prevent it
• Wrong identification will prevent valid users from accessing the site (false positive)
HTTP Floods types
[Diagram: the same users and bots, now driving request increases from and/or to URLs inside the web site]
Requests increase from and/or to URLs inside the web site:
• From a single IP to a single URL
• From multiple IPs to a single fixed URL
• From multiple IPs to multiple fixed URLs
• From multiple IPs to multiple random URLs
• From multiple IPs originating from a specific country
ASM Detection & Mitigation concept - HTTP Floods
[Diagram: ASM sits between the source IPs and the web site, measuring RPS per source IP and latency per application URL/object]
ASM process:
1. Monitoring entities: RPS, latency, IPs, URLs
2. Detecting an increase
3. Activating mitigation
ASM Detection & Mitigation concept – DoS Profile
Location: Security ›› DoS Protection ›› DoS Profiles ›› dos
TPS Based Detection: Transaction Per Second based detection and mitigation
Client: Hey server, can I get the web page?
ASM: No, you are sending too many requests. You will have to
• Answer a Client Side Integrity Defense (CSID) challenge
• Answer a CAPTCHA
• Be rate limited / blocked
TPS Based Detection
Monitoring the requests per second increase from a source IP, geolocation, URL, or site wide.
Then apply one of the mitigation policies: CSID, CAPTCHA, rate limit.
TPS Based Detection
1. By Source IP (Detection & Mitigation Policies)
2. Mitigation policies:
a) Client Side Integrity Defense
b) CAPTCHA challenge
c) Request Blocking
3. By Geolocation (Detection & Mitigation Policies)
4. By URL (Detection & Mitigation Policies)
5. By Site Wide (Detection & Mitigation Policies)
6. Prevention Duration
By Source IP: Detection Criteria
Detection: thresholds for determining a DDoS attack by source IP increase
Mitigation: which mitigation will apply to the offending source IP
By Source IP: Detection Criteria - Ratio
Ratio thresholds - measuring the ratio between two time intervals:
• Long (History Interval): the average RPS over the last 1 hour, re-measured every 10 seconds
• Short (Detection Interval): the average RPS over the last 10 seconds, re-measured every 10 seconds
By Source IP: Detection Criteria - Ratio
Example:
Long (History Interval): 50 TPS
Short (Detection Interval): 370 TPS
TPS increased by: ((370 - 50) / 50) * 100 = 640%
640% > 500% = True
By Source IP: Detection Criteria - Ratio
TPS increased by % AND a minimum fixed number of transactions
Example:
640% AND 370 TPS ≥ 40 = True
At least X Transactions: a minimum condition to prevent a false positive on a small increase (a source IP starts browsing the site and goes from 0 to 30 RPS: a huge ratio, but below the minimum of 40, so no detection)
By Source IP: Detection Criteria - Ratio or Fixed
(TPS increased by % AND minimum fixed number of transactions) OR TPS reached
Example:
(640% ≥ 500% AND 370 ≥ 40) OR 370 ≥ 200 = True
TPS reached: a fixed TPS threshold, OR'ed with the ratio thresholds, so a source is detected when either the ratio condition or the fixed number is met
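The ratio / minimum / fixed rule above, written out as code. This is an added example and not part of the deck or of F5's implementation: the interval lengths are the ones the deck states (1 hour history, 10 second detection, both re-evaluated every 10 seconds), the threshold values are the deck's example numbers, and the class and field names are ours. The same evaluation applies to a URL or to the whole site, only the entity being counted changes.

```python
from collections import deque
from dataclasses import dataclass, field

HISTORY_SECONDS = 3600     # long (history) interval: the last hour
DETECTION_SECONDS = 10     # short (detection) interval: the last 10 s
SAMPLE_SECONDS = 10        # both averages are re-evaluated every 10 s


@dataclass
class TpsCriteria:
    """Thresholds as in the By Source IP tab (values are the deck's example;
    the field names are ours, not the product's)."""
    increase_by_pct: float = 500.0   # TPS increased by ... %
    min_tps: float = 40.0            # ... AND at least this many TPS
    reached_tps: float = 200.0       # OR TPS reached (fixed threshold)


def increase_pct(long_tps: float, short_tps: float) -> float:
    """Percentage increase of the detection interval over the history interval."""
    if long_tps == 0:
        # a brand-new source has no history, so the ratio is unbounded; this is
        # exactly the case the minimum-transactions guard exists for
        return float("inf") if short_tps > 0 else 0.0
    return (short_tps - long_tps) / long_tps * 100.0


def tps_exceeded(long_tps: float, short_tps: float, c: TpsCriteria = TpsCriteria()) -> bool:
    """(increase% >= ratio AND short >= minimum) OR short >= fixed 'TPS reached'."""
    ratio_hit = increase_pct(long_tps, short_tps) >= c.increase_by_pct and short_tps >= c.min_tps
    fixed_hit = short_tps >= c.reached_tps
    return ratio_hit or fixed_hit


@dataclass
class TpsTracker:
    """Keeps 10 s request counts for one entity (source IP, URL, or site wide)
    and derives the long and short averages from them."""
    criteria: TpsCriteria = field(default_factory=TpsCriteria)
    buckets: deque = field(
        default_factory=lambda: deque(maxlen=HISTORY_SECONDS // SAMPLE_SECONDS))

    def add_sample(self, requests_in_last_10s: int) -> None:
        self.buckets.append(requests_in_last_10s)

    def short_tps(self) -> float:
        return self.buckets[-1] / DETECTION_SECONDS if self.buckets else 0.0

    def long_tps(self) -> float:
        history = list(self.buckets)[:-1]      # everything before the bucket under test
        if not history:
            return 0.0
        return sum(history) / (len(history) * SAMPLE_SECONDS)

    def exceeded(self) -> bool:
        return tps_exceeded(self.long_tps(), self.short_tps(), self.criteria)


if __name__ == "__main__":
    # constructed traffic: a minute at 50 TPS, then one 10 s bucket at 370 TPS
    t = TpsTracker()
    for _ in range(6):
        t.add_sample(500)
    t.add_sample(3700)
    print(t.long_tps(), t.short_tps(), t.exceeded())
```

Feeding the tracker an hour of 10 s buckets reproduces the deck's 50 TPS history; the 0 to 30 RPS case is rejected by the minimum, and 50 to 200 TPS is caught by the fixed threshold even though the ratio (300%) is below 500%.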
Client Side Integrity Defense – Concept
Client: Hey server, can I get the web page?
ASM: No, you are sending too many requests. Are you a browser?
If a browser: Yes, I'm a browser
ASM: OK, you are allowed. Here is the web page you asked for.
If a bot: *^lkjdfg@#$
ASM: Bye bye – blocked
Client Side Integrity Defense – Concept
• Checking JavaScript capabilities
• A client is considered legitimate if it meets the following criteria:
• The client supports JavaScript
• The client supports HTTP cookies
• The client computes a challenge inside the JS
• If satisfied, the client is considered legitimate and can access the site
Client Side Integrity Defense - Flow (User / Browser / DoS Profile / App)
1. First main page access: the browser sends the HTTP request (no cookie).
2. The DoS profile answers with a computational challenge (the JS test) instead of forwarding the request.
3. The browser solves the challenge and sets a cookie with a time stamp, then resends the HTTP request (with cookie).
4. The DoS profile reconstructs the original HTTP request and forwards it to the app.
5. The app returns the main page, which is delivered to the browser.
6. Further object requests carry the cookie; the DoS profile validates the cookie format and time stamp on each one before passing it to the app and returning the responses.
• This is the flow and timeline of events.
• Transparent to the user, done under the hood.
• Note that the request is held at the ASM and does not arrive at the app until the checks are satisfied.
• Not all checks are described here; some are internal IP.
Client Side Integrity Defense – JavaScript sample
• The JS is obfuscated
• From the user's perspective this is a transparent action.
Client Side Integrity Defense – Mitigation summary
• If no reply – no problem for us (nothing reaches the application)
• If the client did not solve the challenge but is still sending requests – Block (RST)
• If the client did solve the challenge but:
• The cookie is in the wrong format – Block (RST)
• The time stamp has expired – Block (RST)
• If a client accesses a resource (e.g. an image) without getting the cookie first – Block (RST)
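A model of the challenge, cookie and verdict logic described in the flow and the mitigation summary above. This is an added example, not the deck's JavaScript and not F5's implementation (the deck itself notes that some checks are internal). The proof-of-work challenge, the HMAC-protected cookie, the 300 s lifetime, the secret key and the rule that only page-like paths receive a challenge are all assumptions made for the example; the verdicts follow the mitigation summary.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"          # assumption: a per-device secret for the example only
COOKIE_TTL = 300                          # assumption: 5 min, like the deck's CAPTCHA/PBD grace period
DIFFICULTY_BITS = 12                      # assumption: leading zero bits the client must find
PAGE_SUFFIXES = (".html", ".php", "/")    # assumption: what counts as a "main page" request


def make_challenge(client_id: str, now: int) -> str:
    """Server side: a challenge bound to the client and the time it was issued."""
    return hmac.new(SECRET, f"{client_id}:{now}".encode(), hashlib.sha256).hexdigest()[:16]


def _solves(challenge: str, counter: int) -> bool:
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - DIFFICULTY_BITS) == 0


def solve_challenge(challenge: str) -> int:
    """Client side: what the (obfuscated) JS would do, a small proof of work."""
    counter = 0
    while not _solves(challenge, counter):
        counter += 1
    return counter


def issue_cookie(client_id: str, now: int) -> str:
    """cookie = client|timestamp|mac; the MAC stops the client forging either field."""
    payload = f"{client_id}|{now}"
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def submit_solution(client_id: str, challenge: str, counter: int, now: int):
    """Returns the cookie on a correct answer, None otherwise (the request would be RST)."""
    return issue_cookie(client_id, now) if _solves(challenge, counter) else None


def handle_request(client_id: str, path: str, cookie, now: int) -> str:
    """Verdict for one request: 'challenge', 'allow' or 'block', per the mitigation summary."""
    if cookie is None:
        # a page request without a cookie gets the JS test; an object (image, css)
        # requested without getting the cookie first is blocked
        return "challenge" if path.endswith(PAGE_SUFFIXES) else "block"
    parts = cookie.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return "block"                      # wrong cookie format
    cid, ts, mac = parts
    expected = hmac.new(SECRET, f"{cid}|{ts}".encode(), hashlib.sha256).hexdigest()
    if cid != client_id or not hmac.compare_digest(mac, expected):
        return "block"                      # forged, or replayed from another client
    if now - int(ts) > COOKIE_TTL:
        return "block"                      # time stamp expired
    return "allow"


if __name__ == "__main__":
    ip = "198.51.100.7"                     # constructed client
    challenge = make_challenge(ip, 1000)
    cookie = submit_solution(ip, challenge, solve_challenge(challenge), 1005)
    print(handle_request(ip, "/index.html", None, 1000),   # challenge
          handle_request(ip, "/logo.png", None, 1000),     # block
          handle_request(ip, "/index.html", cookie, 1100), # allow
          handle_request(ip, "/index.html", cookie, 1400)) # block (expired)
```

Binding the cookie to the client and signing it is what makes "wrong format" and "expired" enforceable: without the MAC a bot could simply mint a cookie with a fresh time stamp and skip the challenge entirely.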
CAPTCHA Challenge - Concept
Client: Hey server, can I get the web page?
ASM: No, you are sending too many requests. Please answer this CAPTCHA challenge, show me you are human!
If a user: OK, I answered
ASM: OK, you are allowed. Here is the web page you asked for.
If not a user: Ha? *^lkjdfg@#$
ASM: Bye bye – blocked!
CAPTCHA Challenge
CAPTCHA: "Completely Automated Public Turing test to tell Computers and Humans Apart"
Ultimate solution for telling human from bot
Sends a challenge to every IP that reached the source IP detection criteria thresholds
To CAPTCHA or not to CAPTCHA?
Some argue that CAPTCHA is bad for usability because an innocent user gets a CAPTCHA and will not know why. So, remember that a valid user should pass the browser tests, i.e. if a user is blocked (or gets a CAPTCHA) there is a reason, and maybe he is not innocent (infected?).
CAPTCHA – customize response
• Can be customized to the web site's look and feel (colors) via CSS
• A failure response page is served if the first attempt fails
CAPTCHA Challenge - Flow (User / Browser / DoS Profile / App)
1. The user requests mypage.php: GET /mypage.php (no cookie).
2. The DoS profile sends the CAPTCHA: an HTML + JS response carrying a cookie with a time stamp; the CAPTCHA is rendered in the browser.
3. The user solves the CAPTCHA and the browser submits the solution: GET /mypage.php + CAPTCHA cookie.
4. The DoS profile verifies the CAPTCHA solution and validates the cookie, then forwards GET /mypage.php to the app.
5. The app returns the HTML of mypage.php, which is delivered and rendered.
• While the system is still in a state of attack the offending source will be presented with another CAPTCHA every 5 min.
• Same as CSID, the request is held at the ASM until the CAPTCHA is solved.
CAPTCHA – mitigation summary
• If the client did not submit the challenge – no requests are DoSing us
• If the client did not solve the challenge but is still sending us attacks – Blocked
• If the client did solve the challenge but:
• The cookie is in the wrong format – RST
• The time stamp has expired (5 min) – RST
Request Blocking / Rate limit
Client: Hey server, can I get the web page?
ASM: No, you are sending too many requests. I'm limiting your request sending rate.
While CSID and CAPTCHA try to understand who the offending source is (bot or browser), request limiting is indifferent to the "identity" and simply limits the offending sources.
Request Blocking
Request Blocking:
• Blocking: block all requests from the offending source IP – if a source IP reached the thresholds I don't want it on my site at this point
• Rate Limit: limit the amount of allowed requests from the offending source – if it reached the thresholds I can sustain only some of its traffic at this point
Request Blocking – Mitigation Summary
• Block all – blocking all traffic from the offending source (i.e. I don't want to see any more traffic from this source)
• Rate Limit – rate limit the offending source
Example:
If the long (history) rate was 50 TPS and the short (detection) rate increased to 150 TPS, the source is rate limited to 50 TPS.
Rate limit always limits the source to its long (history) TPS rate.
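The two Request Blocking modes from the summary, replayed over a constructed burst. This is an added example, not the deck's or F5's code; the sliding one-second window is our choice of enforcement mechanism, the deck only states that the source is held to its history rate.

```python
from collections import deque
from typing import Iterable, List, Tuple

ONE_SECOND_US = 1_000_000   # timestamps are integer microseconds, so the window edge is exact


class RequestBlocking:
    """Request Blocking for one offending source.

    mode='block'      : Block all, drop every request from the source
    mode='rate-limit' : allow at most `long_tps` requests per sliding second,
                        i.e. throttle the source back to its history rate
    """

    def __init__(self, mode: str, long_tps: int = 0):
        if mode not in ("block", "rate-limit"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.limit = long_tps
        self.window = deque()   # timestamps of requests allowed within the last second

    def allow(self, ts_us: int) -> bool:
        if self.mode == "block":
            return False
        while self.window and ts_us - self.window[0] >= ONE_SECOND_US:
            self.window.popleft()           # forget requests older than one second
        if len(self.window) < self.limit:
            self.window.append(ts_us)
            return True
        return False


def apply_request_blocking(timestamps_us: Iterable[int], mode: str, long_tps: int = 0) -> Tuple[int, int]:
    """Replay a burst of request timestamps; returns (allowed, dropped)."""
    rb = RequestBlocking(mode, long_tps)
    stamps = list(timestamps_us)
    allowed = sum(1 for t in stamps if rb.allow(t))
    return allowed, len(stamps) - allowed


def burst(tps: int, seconds: int) -> List[int]:
    """Constructed input: `tps` evenly spaced requests per second for `seconds` seconds."""
    return [s * ONE_SECOND_US + i * (ONE_SECOND_US // tps)
            for s in range(seconds) for i in range(tps)]


if __name__ == "__main__":
    # the deck's example: history 50 TPS, the source now sends 150 TPS
    print(apply_request_blocking(burst(150, 2), "rate-limit", long_tps=50))   # (100, 200)
    print(apply_request_blocking(burst(150, 2), "block"))                     # (0, 300)
```

A source that never exceeded its history rate is untouched by the limiter, which is the property that makes rate limiting safer than Block all on shared entities such as a URL or the whole site (the deck allows only rate limiting there).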
TPS based: by source IP – Summary
Mitigations, in GUI order: Client Side Integrity Check, CAPTCHA Challenge, Request Blocking
• Measuring source IP increase
• All source IPs that reached the thresholds will be presented with the enabled mitigation
• If still increasing, fall back to the next enabled mitigation according to the order in the GUI (switching mitigation)
HTTP Floods – Geolocation detection and Mitigation
[Diagram: users and bots sending from source IPs in one country to the web site]
HTTP flood type: from multiple source IPs originating from a specific country
Geolocation - Detection
• Geolocation – relative to the whole traffic of the site:
500% request increase from a specific country
AND
at least 10% of the whole site's traffic comes from that country
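The geolocation rule as code, together with the black and white list semantics the deck describes a few slides later. This is an added example, not the deck's or F5's code: the per-country history and detection counts are constructed, the ratio is computed against the country's own history (our reading of "request increase from a specific country") and the share against the site's current traffic, and the function names are ours.

```python
from dataclasses import dataclass
from typing import Dict, Iterable

HISTORY_SECONDS = 3600        # long interval, as in the deck
DETECTION_SECONDS = 10        # short interval, as in the deck
GEO_INCREASE_PCT = 500.0      # request increase from the country
GEO_MIN_SHARE_PCT = 10.0      # AND at least this share of the whole site's traffic


@dataclass
class GeoVerdict:
    country: str
    increase_pct: float
    share_pct: float
    detected: bool


def geo_detect(history: Dict[str, int], current: Dict[str, int]) -> Dict[str, GeoVerdict]:
    """history: requests per country over the last hour; current: per country in the last 10 s.
    A country is detected only when BOTH the increase and the share condition hold."""
    site_now = sum(current.values())
    verdicts = {}
    for country, n in current.items():
        long_tps = history.get(country, 0) / HISTORY_SECONDS
        short_tps = n / DETECTION_SECONDS
        if long_tps == 0:
            inc = float("inf") if short_tps > 0 else 0.0
        else:
            inc = (short_tps - long_tps) / long_tps * 100.0
        share = n / site_now * 100.0 if site_now else 0.0
        verdicts[country] = GeoVerdict(
            country, inc, share, inc >= GEO_INCREASE_PCT and share >= GEO_MIN_SHARE_PCT)
    return verdicts


def geo_action(country: str, verdicts: Dict[str, GeoVerdict], in_dos_state: bool,
               whitelist: Iterable[str] = (), blacklist: Iterable[str] = (),
               mitigation: str = "csid") -> str:
    """Black list: always blocked while the system is in a state of DDoS detection.
    White list: skips the geolocation thresholds only (IP/URL/site wide still apply)."""
    if in_dos_state and country in blacklist:
        return "block"
    if country in whitelist:
        return "pass"
    v = verdicts.get(country)
    return mitigation if v and v.detected else "pass"


# Constructed traffic: XX jumps from 1 TPS to 70 TPS and now carries over half
# of the site's requests; YY also jumps hugely in ratio terms but stays below 1%
# of the site, so the share condition keeps it out.
HISTORY = {"US": 180_000, "DE": 36_000, "XX": 3_600, "YY": 36}
CURRENT = {"US": 500, "DE": 100, "XX": 700, "YY": 10}

if __name__ == "__main__":
    for v in geo_detect(HISTORY, CURRENT).values():
        print(v)
```

The share condition is what separates "a country whose traffic grew" from "a country that is now a meaningful part of the flood"; without it, every small country whose first visitor of the hour shows up would trip the 500% ratio.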
Geolocation – Mitigation
All client requests arriving from the specific country will be presented with the mitigation:
• Client Side Integrity Check
• CAPTCHA Challenge
• Request Blocking (note that blocking will block all users from this country)
Geolocation – Black and White listing
• White list: allows access to the web site regardless of the geolocation detection criteria thresholds only, i.e. the other thresholds (source IP, URL, site wide) still apply
• Black list: specifies the countries that the system always blocks whenever the system is in a state of DDoS detection. Done regardless of the thresholds set in the DDoS profile
HTTP Floods – URL Detection and Mitigation
[Diagram: ASM measuring RPS per source IP and per application URL/object, e.g. http://site.com/sell.php]
• Measuring request increase on a URL
• Flood types:
• From multiple IPs to multiple fixed URLs
• From multiple IPs to multiple random URLs
URL Detection Criteria
Collecting RPS on URLs
Calculation:
TPS increased by* AND at least X TPS**
OR TPS reached
*Ratio of the long and short intervals
**Minimum TPS threshold for detection
URL Detection Criteria – Mitigation
All clients that access the URL:
• Client Side Integrity Check
• CAPTCHA Challenge
• Request Blocking – Rate limit only (no block all)
HTTP Floods – Site Wide Detection and Mitigation
[Diagram: ASM monitoring all entities (source IPs, URLs, RPS, latency) for the whole web site]
Monitoring: all entities
Flood types:
• From multiple IPs to multiple random URLs
• Cases where the DDoS attack is under the radar
Site-Wide Detection Criteria
• Collecting RPS on the entire website (all entities – URLs, IPs)
• In some cases the floods will stay below the thresholds for IP based or URL based detection.
• Site wide provides another layer of detection and prevention
Detection: Ratio – TPS increased by AND minimum TPS threshold for detection
OR Fixed – TPS reached
Site-Wide Detection Criteria – Mitigation
All clients that access the site:
• Client Side Integrity Check
• CAPTCHA Challenge
• Request Blocking – rate limit only, no blocking
Prevention duration
Mitigations, in GUI order:
• Client Side Integrity Check
• CAPTCHA Challenge
• Request Blocking
Escalate top down: every 120 seconds, if the thresholds are still exceeded, switch to the next enabled mitigation
De-escalate: every 7200 seconds, start again from the top
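The escalation and de-escalation timers above as a small state machine. This is an added example, not the deck's or F5's code: the 120 s and 7200 s values and the top-down order are the deck's, while the decision that mitigation stops as soon as the thresholds are no longer exceeded, and that the last mitigation in the chain is held rather than escalated further, are our assumptions.

```python
from typing import Iterable, Optional

MITIGATIONS = ("csid", "captcha", "request_blocking")   # GUI order, top down
ESCALATE_AFTER = 120      # seconds: move to the next mitigation if still exceeded
DEESCALATE_AFTER = 7200   # seconds: start again from the top


class PreventionDuration:
    """Tracks which mitigation is active for one detected entity."""

    def __init__(self, enabled: Iterable[str] = MITIGATIONS):
        enabled = set(enabled)
        self.chain = [m for m in MITIGATIONS if m in enabled]   # keeps GUI order
        if not self.chain:
            raise ValueError("at least one mitigation must be enabled")
        self.idx: Optional[int] = None     # position in the chain, None = nothing active
        self.started: Optional[int] = None # when the current 7200 s cycle began
        self.changed: Optional[int] = None # when the current mitigation was activated

    def step(self, now: int, thresholds_exceeded: bool) -> Optional[str]:
        """Call on every detection tick; returns the mitigation to apply now, or None."""
        if not thresholds_exceeded:
            self.idx = self.started = self.changed = None          # assumption: attack over
            return None
        if self.idx is None:                                       # attack starts: top of chain
            self.idx, self.started, self.changed = 0, now, now
        elif now - self.started >= DEESCALATE_AFTER:               # cycle over: de-escalate
            self.idx, self.started, self.changed = 0, now, now
        elif now - self.changed >= ESCALATE_AFTER and self.idx < len(self.chain) - 1:
            self.idx, self.changed = self.idx + 1, now             # still exceeded: escalate
        return self.chain[self.idx]


if __name__ == "__main__":
    p = PreventionDuration()
    for t in (0, 60, 120, 240, 1000, 7200, 7260):
        print(t, p.step(t, thresholds_exceeded=True))
```

Disabling a mitigation in the GUI simply removes it from the chain, which is why the "during attack" tuning process recommends unchecking the ones that are not effective rather than leaving them in the escalation path.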
Stress Based detection
• Predictive Latency – predicts how long it will take to serve a new incoming request
ASM: Hey server, how many more requests can you handle?
Server: I'm fine, keep on sending them
Stress Based Detection and prevention concept
Client: Hey server, can I get the web page?
ASM: Mmm, let me check. The server can take additional incoming requests. You are allowed.
……. After a while …….
Client: Hey server, can I get web pages again now?
ASM: No, my backend latency is now too high and you are sending too many requests. You will have to:
• Answer CSID or
• Answer CAPTCHA or
• Be rate limited
Stress Based – GUI
• Same concept as TPS based: source IP, Geo, URL, Site wide and their mitigation policies.
• Additional condition of backend latency, i.e. only when both conditions reach their thresholds is the mitigation policy applied.
Note: Can work together (operate in parallel) with TPS based and act as layers of protection (e.g. TPS based does only CSID in alert mode and Stress based does request blocking in case of latency increase)
Stress Based Detection & Mitigation
• Similar to TPS based. Quiz yourself: what does each item mean?
1. By Source IP
a) CSID
b) CAPTCHA
c) Request Blocking
2. By Geolocation
3. By URL
4. Site Wide
Stress Based Detection – thresholds condition
Latency threshold exceeded? AND TPS threshold exceeded? Then: activate the mitigation policy
• Mitigation is activated when two types of thresholds are reached: latency thresholds AND TPS thresholds
Stress Based Detection – thresholds condition
• In order to apply a prevention policy, both the TPS and the latency thresholds must be exceeded; then the enabled prevention policy is activated.
• Latency thresholds are not visible in the GUI; they are part of automatic detection.
Example:
Automatic stress detection enters a state of exceeded thresholds. This by itself will not activate the prevention. Only when the TPS thresholds are also exceeded is the prevention policy activated.
[Graph: stress detection, TPS thresholds and prevention plotted over time]
TPS based VS Stress based
TPS based:
• Quick way to protect against DDoS. I'm in trouble and I want to block now!
• A fixed number on the TPS reached is very easy and useful. Also easy to detect offending sources
Stress based:
• Allows the option to activate the mitigation only when the backend is experiencing latency AND an RPS increase (I only want to block when the attack is causing backend latency)
• Provides layers of defense and notifies about backend issues (not just DDoS)
Conclusion:
TPS based is quick while latency based allows a more granular approach
Heavy URLs
Not all URLs are equal
Some are more attractive than others
Heavy URLs
• Heavy URLs are URLs that consume more processing resources from the server
• They are good application DoS points - even a few requests can DoS the app
• Typical heavy URLs are search boxes, product IDs
Example heavy URL: http://site.com/search.php?q=a
[Diagram: the server takes a long time to answer that request: "Searching… hold on… almost there…"]
Heavy URLs concept
• Automatically measures latency on URLs for 48 hours and decides which are heavy
• When any URL-based mitigation is active, the URLs that were detected as heavy will also "get" the active mitigation
Heavy URLs concept
Heavy URL is another detection capability. Once the heavy URL threshold is reached AND one of the By URL detection thresholds is reached, the URLs considered heavy are applied the active mitigation policy.
Heavy URLs configuration
Example: By URL "TPS reached" is set to 1000 TPS and is currently applying CSID mitigation. Heavy URL is enabled.
Heavy URLs Configuration
1. Automatic Detection - automatically add URLs that will be considered as heavy
2. Manual Heavy URLs – manually add URLs that will be considered as heavy
3. Ignored URLs – exclude those URLs from "heaviness"
4. Latency Threshold – above this threshold -> heavy URL
Heavy URL – Reporting
Security ›› Reporting ›› DoS ›› Application ›› URL Latencies
Example:
If search.php is defined as heavy, and if the index URL is currently being mitigated with CSID because it exceeded the URL thresholds (ratio or fixed), then every source IP that is accessing search.php will also get the CSID check.
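The heavy URL learning and the "heavy URLs inherit the active URL mitigation" rule from the last few slides, as an added example that is not the deck's or F5's code. The 48 hour window and the four configuration items (automatic detection, manual list, ignored list, latency threshold) come from the deck; the latency samples are constructed, and the use of the mean latency per URL is our assumption, since the deck does not say which statistic the automatic detection uses.

```python
from collections import defaultdict
from statistics import mean
from typing import Dict, Iterable, Set, Tuple

HEAVY_URL_WINDOW = 48 * 3600   # latency is learned over 48 hours


def detect_heavy_urls(samples: Iterable[Tuple[int, str, float]], latency_threshold_ms: float,
                      now: int, manual: Iterable[str] = (), ignored: Iterable[str] = ()) -> Set[str]:
    """samples: (timestamp, url, latency_ms) as the reporting would have observed them.
    A URL whose average latency over the last 48 h is above the threshold is heavy;
    Manual Heavy URLs are always heavy and Ignored URLs never are."""
    per_url = defaultdict(list)
    for ts, url, latency_ms in samples:
        if now - ts <= HEAVY_URL_WINDOW:          # older samples fall out of the window
            per_url[url].append(latency_ms)
    heavy = {url for url, lat in per_url.items() if mean(lat) > latency_threshold_ms}
    heavy |= set(manual)
    heavy -= set(ignored)
    return heavy


def urls_to_mitigate(url_detections: Dict[str, bool], heavy_urls: Set[str],
                     active_mitigation: str) -> Dict[str, str]:
    """url_detections: {url: True if that URL exceeded a By URL threshold}.
    Only while some By URL detection is active do the heavy URLs also receive the
    active mitigation; with no URL detection nothing is mitigated on the URL level."""
    triggered = {u for u, hit in url_detections.items() if hit}
    if not triggered:
        return {}
    return {u: active_mitigation for u in triggered | heavy_urls}


# Constructed latency samples: search.php averages 1200 ms, product.php 950 ms,
# index.html is cheap, and report.php was only seen three days ago.
NOW = 1_000_000
SAMPLES = [
    (NOW - 100, "/search.php", 1200), (NOW - 90, "/search.php", 1500), (NOW - 80, "/search.php", 900),
    (NOW - 70, "/index.html", 30), (NOW - 60, "/index.html", 40),
    (NOW - 50, "/product.php", 950),
    (NOW - 3 * 24 * 3600, "/report.php", 5000),
]

if __name__ == "__main__":
    heavy = detect_heavy_urls(SAMPLES, latency_threshold_ms=1000, now=NOW)
    print(heavy)                                                     # {'/search.php'}
    # index.html tripped its By URL threshold while CSID is the active mitigation
    print(urls_to_mitigate({"/index.html": True, "/about.html": False}, heavy, "csid"))
```

Ignored URLs are the safety valve: a slow but low-risk path (a nightly report, an admin export) can be kept out of the heavy set so that a flood on some other URL does not start challenging its legitimate users.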
• Reporting first
• Fine tune your thresholds
Before DDoS attack
During DDoS attack
Remember, security is a process
First rule of detection - AVR Reporting
• AVR graphs help you understand the site metrics:
Statistics ›› Analytics ›› Overview
Statistics ›› Analytics ›› Transactions ›› View by
• AVR graphs inside the ASM tab:
Security ›› Reporting ›› DoS ›› Overview
Security ›› Reporting ›› DoS ›› Application ›› Transaction outcome
Know your web site metrics - L7 DDoS measurements:
• Sources
• IPs
• URLs
• Site Wide
• Geolocation
• RPS
• TPS
• Latency
Why Fine Tune Thresholds?
• Out of the box thresholds are good for most web sites
• Depending on the web site traffic, fine tuning thresholds might be needed.
• Fine tuning thresholds can be divided into:
• Before a DDoS attack
• During a DDoS attack
Fine Tune Thresholds Before attack
Process:
Prerequisite: enable the DDoS profile on the desired virtual server
1) White list IPs, geolocation countries, URLs (admin) etc.
2) Get visibility with transparent mode – write down the metrics*
3) Test and decide which prevention will apply when thresholds are exceeded (TPS based / latency based, heavy URL config etc.)
4) Fine tune thresholds for fixed and ratio based detection
5) Switch to blocking – when needed
*the L7 DDoS measurements list above is a good starting list
Fine Tune Thresholds Before DDoS for Source IP
Go to Statistics ›› Analytics ›› HTTP ›› Transactions
• View by: Client IP address
• List the top TPS average IPs
Fine Tune Thresholds Before DDoS for Source IP
• By examining the client IP addresses you can conclude the averages of "normal" traffic you expect to see from the top source IPs.
• Knowing the "normal" averages helps define the TPS increase by ratio.
• The idea is that you determine how much traffic is allowed before it is assumed to be a DDoS attack.
Fine Tune Thresholds Before DDoS for Geolocation
The same concept works for the geolocation thresholds graph.
Go to Security ›› Reporting ›› DoS ›› Application ›› Transaction outcome
From the drilldown choose Countries on the AVR reports.
"Which countries do you expect to see traffic from?"
Fine Tune Thresholds Before DDoS for URL
The same idea applies to URLs.
Sort the graph by URLs.
"Which URL should have the highest RPS?"
Fine Tune Thresholds Before DDoS for Site Wide
On the drilldown choose Virtual Server.
"This will help us understand the overall traffic load that we have when there is no DDoS attack."
Fine Tune Thresholds Before DDoS for Site Wide
The overall traffic should be much higher than the other thresholds.
The values reflect the total amount of TPS that the virtual server can handle.
Site wide = Virtual server
Fine Tune Thresholds During attack
Process:
1) Fine tune the white list sources – if needed
2) Identify the sources that exceed thresholds (source IPs, URLs, Geo, Site Wide) by looking at the reporting.
3) Determine the attack type: from fixed/random source IPs to fixed/random URLs. Conclude which of the detection types you need (source IP only? source IP and URL based only? etc.)
4) Fine tune thresholds according to the exceeding sources (ratio / fixed)
5) Apply mitigation and decide what is working and what is not. Uncheck the mitigations that are not effective
6) Go to step 1 and repeat
Fine Tune Thresholds During attack – Source IP
• Security ›› Reporting ›› DoS ›› Application ›› Transaction outcome
• On the drilldown choose Client IP Address
Fine Tune Thresholds During attack – Geolocation
• Security ›› Reporting ›› DoS ›› Application ›› Transaction outcome
• On the drilldown choose Countries
Fine Tune Thresholds During attack – URLs
• Security ›› Reporting ›› DoS ›› Application ›› Transaction outcome
• On the drilldown choose URLs
Fine Tune Thresholds During attack - Site Wide
• Security ›› Reporting ›› DoS ›› Application ›› Transaction outcome
• On the drilldown choose Virtual Servers
AVR reports and graphs
Security ›› Event Logs ›› DoS ›› Application Events
The event log columns:
• Mitigation type – helps understand which of the mitigations is effective and when switching mitigation occurred
• Time line – attack start / end
• Host IP
• Number of TPS
• Attack ID – clicking it will show the graph
AVR reports and graphs
Security ›› Reporting ›› DoS ›› Application ›› Transaction Outcomes
Impact is the latency on the backend for all entities. The higher the latency, the higher the impact.
High, medium and low impact allow you to filter high impact attacks and deal with them first.
AVR reports and graphs
Security ›› Reporting ›› DoS ›› Application ›› Transaction Outcomes
Start and end points - red flags indicate the start of an attack and green flags indicate the end of an attack. Switching mitigation can occur several times over a DDoS attack.
AVR reports and graphs - transaction outcomes
• Incomplete – indicates traffic that was dropped by the server because the connection was incomplete or the server did not respond.
• Blocked – indicates traffic that was blocked as a result of the mitigation policy (any of the prevention policies, including bot blocking)
• Proactive Mitigation – indicates the amount of time that the proactive bot defense mechanism was served
• CAPTCHA mitigation – indicates the amount of time that the CAPTCHA challenge was served to offending sources
• CS integrity mitigation – indicates the amount of time that the client-side integrity defense challenge was served to offending sources
• BIG-IP Response – indicates traffic that is a response to the client from the BIG-IP system.
• Cached by BIG-IP – indicates traffic that is served from the configured cache (WA, RamCache)
• Whitelisted – indicates traffic from IP addresses that are in the whitelist of the DoS profile
• Pass through – indicates traffic that is passed through ASM to the application server
AVR reports and graphs
The AVR DoS graph now shows the thresholds that are set in the TPS detection tab. The Display Thresholds check box will display them on or clear them from the graph.
Fine Tune Thresholds – Summary
Before DDoS:
• Write down the "normal" thresholds for the web site (IPs, Geolocation, URLs, Site Wide)
• Set the ratio and the fixed threshold for each of the above detection criteria (how much can the web site take: 2 times the traffic, 5 times etc.)
• Test the configuration and the prevention policy, then conclude which one is good for you
During DDoS:
• Identify the source IPs, URLs and entire site traffic increase and determine the attack type
• Set the fixed TPS number in each of the above criteria and apply mitigation
• Verify the results in the Transaction outcome graph
DDoS Bots - Detection & Mitigation
Layers of defense against Bots
• Simple Bots
• Impersonating Bots
• Bots with cookies / JS capabilities
• Bots acting as a full browser
This bot section is mostly about bots that DoS / DDoS. However, bot detection and prevention can be used for various bot problems the site is experiencing.
DDoS Bots
[Diagram: users, unidentified users and web bots, including the Google web bot, reaching the web site]
Bots can be classified in many ways; mostly there are:
1. Simple bots
2. Impersonating bots
3. Bots with cookie & JS capabilities
4. Bots acting as a full browser
Enabling Bot signatures protection
Bots – Simple Bot
Bot: I'm a simple bot
ASM: Yes, I have your signature. Sorry mate, you are blocked.
A simple bot can be any command line tool such as: curl, wget, ab
Categorizing Bots
• Bad Bots, aka Malicious: well-known command line tools – we want them out
• Good Bots, aka Benign: well-known search engine and monitoring tools – we want them in
Bot Signatures - category settings
Each category (Malicious, Benign) can be set to:
• None – ignore
• Report – report only, used for monitoring
• Block – block
Excluding specific bot signatures from category settings
• A specific signature can be excluded from the category setting
• Search for the signature in the Available signatures list and move it to the left pane.
• In this example the ab tool will not be blocked even if the category that includes it is in blocking mode
First - White list good Bots
1. Google bot: I'm a Google bot
2. ASM: Let's see if you really are. I'm doing a reverse DNS lookup.
3. DNS server: Google
4. ASM: Yes, I see that, please continue. (Google bot: Thanks)
White list good Bots - with their domain name
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
1. The request arrives with User-Agent: Googlebot/2.1
2. ASM searches for the Google bot signature
3. The signature includes a domain name. ASM issues a reverse DNS query to verify the origin of the request
4. Once approved, ASM allows the Google bot to access the web site
Bot Signature Repository
Security ›› Options ›› DoS Protection ›› Bot Signatures List
• The bot signature repository for the entire system is under Options.
• The bot signature repository is updated with the ASM signature update
Bot Signature List: general signatures repository
Signatures can be sorted by:
• Signature Category
• Signature Type: Malicious / Benign
• User Defined signature: Yes / No
• Partition: a signature can be assigned to a specific partition
Clicking on any of the sort columns will change the order.
Sorting the Bot Signature Repository
Various filters are available, as well as Create to add a new bot signature
Bot Signature Categories
A new category can be created for Malicious or Benign bots
Create a new bot signature: simple edit mode
Simple edit mode: match inside a User-Agent header or in a URL.
Fields:
• Bot Signature name
• Category
• Domain name – executes a reverse DNS query to verify the origin. Add the domain if the bot has one
• Create when done
Create a new bot signature - advanced edit mode
Advanced Edit Mode - rule granularity
Signature syntax example:
headercontent: "sample_text"; useragentonly;
For full details consult the F5 documentation
Bot signature facts
• Signatures associated with a domain name are validated with a reverse DNS lookup.
• Blocking and reporting:
• Block flag - resets the connection and reports the action as "bot signature block" with the bot signature name.
• Report flag - reports the bot name and category (AVR)
• Bot signatures are updated as part of the ASM signature update
Bots – Impersonating Bot
Gohogle (impersonating bot): I'm a Google bot, ha ha ha
ASM: Let's see if you are. I'm doing a reverse DNS lookup.
ASM: Hey DNS, who's this guy?
DNS: No one important
ASM: You are not a Google bot. Bye bye -> block this creature!
Gohogle: Bummer
Bots – Impersonating Bot
1. The request arrives with User-Agent: Googlebot/2.1
2. ASM searches for the Google bot signature
3. The real Google bot signature includes a domain name. ASM issues a reverse DNS query to verify the origin of the request
4. If the source IP is not the expected one according to the DNS query, ASM blocks the impersonating bot
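The signature match, the domain-name check that white-lists real search engine bots, and the impersonation case from the last slides, in one added example that is not the deck's or F5's code. The rule string format follows the advanced edit mode example given earlier on this page (headercontent: "..."; useragentonly;); the signature records, the category settings, the resolver tables (a PTR and an A lookup) and the function names are constructed for the example. The check is forward-confirmed reverse DNS: the PTR name must lie under the signature's domain and must resolve back to the requesting IP, so an attacker who controls the reverse zone for his own address range still cannot pass.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed signature subset; the rule syntax is the deck's, the other fields are ours.
BOT_SIGNATURES = [
    {"name": "Googlebot", "category": "Search Engine", "type": "benign",
     "rule": 'headercontent: "Googlebot"; useragentonly;', "domain": "googlebot.com"},
    {"name": "curl", "category": "HTTP Library", "type": "malicious",
     "rule": 'headercontent: "curl/"; useragentonly;'},
    {"name": "ab", "category": "DoS Tool", "type": "malicious",
     "rule": 'headercontent: "ApacheBench"; useragentonly;'},
]

# Constructed resolver tables standing in for the real PTR and A lookups.
PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",   # a genuine crawler
    "203.0.113.9": "host9.example.net",                  # an ordinary host
    "198.51.100.4": "crawl-66-249-66-1.googlebot.com",   # attacker-controlled PTR pointing at a real crawler name
}
A = {
    "crawl-66-249-66-1.googlebot.com": "66.249.66.1",
    "host9.example.net": "203.0.113.9",
}

RULE_RE = re.compile(r'headercontent:\s*"([^"]*)";(\s*useragentonly;)?')


def parse_rule(rule: str) -> Tuple[str, bool]:
    """Returns (text to look for, restrict to the User-Agent header?)."""
    m = RULE_RE.fullmatch(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule: {rule}")
    return m.group(1), bool(m.group(2))


def match_signature(headers: Dict[str, str]) -> Optional[dict]:
    for sig in BOT_SIGNATURES:
        needle, ua_only = parse_rule(sig["rule"])
        haystack = (headers.get("User-Agent", "") if ua_only
                    else "\n".join(f"{k}: {v}" for k, v in headers.items()))
        if needle.lower() in haystack.lower():
            return sig
    return None


def verify_domain(ip: str, domain: str) -> bool:
    """Forward-confirmed reverse DNS: PTR(ip) is under `domain` AND A(PTR(ip)) == ip."""
    name = PTR.get(ip)
    if not name or not (name == domain or name.endswith("." + domain)):
        return False
    return A.get(name) == ip


def classify(ip: str, headers: Dict[str, str], category_settings: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """category_settings: {category: 'none' | 'report' | 'block'}. Returns (action, signature name)."""
    sig = match_signature(headers)
    if sig is None:
        return "pass", None                      # no signature: on to the other checks
    if sig.get("domain") and not verify_domain(ip, sig["domain"]):
        return "block", f"{sig['name']} (impersonation)"
    return category_settings.get(sig["category"], "none"), sig["name"]


SETTINGS = {"Search Engine": "none", "HTTP Library": "block", "DoS Tool": "report"}
GOOGLE_UA = {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"}

if __name__ == "__main__":
    print(classify("66.249.66.1", GOOGLE_UA, SETTINGS))     # ('none', 'Googlebot')
    print(classify("203.0.113.9", GOOGLE_UA, SETTINGS))     # ('block', 'Googlebot (impersonation)')
    print(classify("198.51.100.4", GOOGLE_UA, SETTINGS))    # ('block', ...) forward lookup does not match
```

Note the third case: a PTR record alone is not proof of origin, because whoever runs the reverse zone for an address block can put any name in it; the forward lookup back to the IP is what the check rests on.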
Bots with cookies & JS capability
Bot: I'm a bot that can understand JS and support cookies
ASM: Prove it, answer my challenges
Bot: Ha?
ASM: No you are not, bye bye -> block this bot.
Bot: Bummer
Proactive Bot Defense
PBD is good for:
• Bots that can handle JS
• Bots that can handle JS and cookies
• Bot floods
• Under the radar bots
• Blocking any bot accessing the site (humans only web site)
Proactive Bot Defense and Bot Signature
Proactive Bot Defense is now integrated with the bot signatures. When enabling proactive bot defense the bot signature feature will be enabled as well.
Proactive Bot Defense
• Sends client side challenges to ALL clients and thus mitigates bots all the time
• Various challenges are sent and then validated by PBD – blocked or allowed
PBD - Client side integrity defense - flow
Same sequence as the Client Side Integrity Defense flow above (User / Browser / DoS Profile / App): the first main page request (no cookie) is answered with a computational challenge; the browser solves it and sets a cookie with a time stamp; the request with the cookie is reconstructed and forwarded to the app; further object requests carry the cookie, whose format and time stamp are validated on each request.
© F5 Networks, Inc 107
Proactive Bot Defense – configuration
• Always – the client-side challenge is sent all the time
• During attack – PBD sends the client-side challenge only if another component of the DoS profile is in DoS mode (acting as two layers of mitigation). This allows a second layer of protection (rate limit and PBD)
• Grace period – cookie expiration time, 300 seconds = 5 min
• White list – exclude PBD for those IP's
Bots acting as full browser
Bot: I'm a bot that simulates a browser
ASM: OK, what are your capabilities? If you don't answer right you will have to answer a CAPTCHA
Bot: Capabilities? CAPTCHA? Bummer
ASM: You are not human, byyyye -> block this unhuman!
PBD – additional bot identification with the capabilities script
Bots acting as full browsers - browser simulation
How are bots that simulate browsers evaluated?
Block Suspicious Browsers – additional tests are done to understand whether this is a bot or a browser. ASM evaluates the source and gives it a score:
if the score indicates that the source is a bot, it is blocked.
If the score indicates uncertainty and CAPTCHA Challenge is checked, then a CAPTCHA is presented to the source. If it answers, it is a human; if not, it is blocked.
Block Suspicious Browsers
• If Block Suspicious Browsers is unchecked -> send the client-side challenge
• If Block Suspicious Browsers is checked and CAPTCHA Challenge is checked -> send the Client Capabilities challenge and give the source a score. If the score is in doubt, send a CAPTCHA for human verification
• If Block Suspicious Browsers is checked but CAPTCHA Challenge is unchecked -> do not send a CAPTCHA and block only if the score is above the human range
Client Capabilities - challenge script flow
Participants: User, Browser, DoS Profile, App
1. User: first request, GET /sell.php
2. Browser -> DoS Profile: GET /sell.php (no cookie)
3. DoS Profile -> Browser: Client Capabilities challenge response
4. Browser -> DoS Profile: returns the Client Capabilities verification
5. DoS Profile: 1. authenticates and decrypts the JS results, 2. verifies the capabilities and sets a score, 3. determines an action based on the score
6. DoS Profile -> Browser: blank page & Set-Cookie
7. Browser -> DoS Profile: original HTTP request + cookie; the DoS Profile reconstructs the request
8. DoS Profile -> App: GET /sell.php; App -> DoS Profile: HTTP response; DoS Profile -> Browser: HTTP response (cookie)
9. Browser -> DoS Profile: GET /img.png (cookie); the DoS Profile validates the cookie: format & time stamp
10. DoS Profile -> App: GET /img.png (cookie)
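The three steps the DoS Profile performs in step 5 of the flow above (authenticate the JS result, score the capabilities, act on the score), combined with the Block Suspicious Browsers / CAPTCHA Challenge settings from the previous slide, as an added example that is not F5 code: the capability fields, their weights, the two thresholds and the "<json>.<hmac>" result envelope are invented for the example. The tests ASM really runs and how it scores them are internal to the product.

```python
"""Block Suspicious Browsers decision: authenticate the capabilities result,
score it, then act on the score with or without CAPTCHA.

Added example, not F5 code. Fields, weights, thresholds and the envelope
format are assumptions; ASM's actual browser tests are internal.
"""
import hashlib
import hmac
import json

KEY = b"challenge-key"   # constructed; the key the challenge script was issued under
BOT_THRESHOLD = 70       # score >= this: treat as bot
HUMAN_THRESHOLD = 30     # score <= this: treat as human; in between: uncertain


def authenticate_result(envelope, key=KEY):
    """Step 1 of the flow: accept only results the challenge script produced.

    The JS result carries an HMAC tag over its JSON body; a bot that skips the
    script and posts hand-written capabilities cannot forge it. Returns the
    capabilities dict, or None when the tag or the body is bad.
    """
    body, _, tag = envelope.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not tag or not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


def score_capabilities(caps):
    """Step 2: hypothetical 0-100 score, higher = more bot-like."""
    score = 0
    if not caps.get("cookies"):
        score += 20                  # challenge cookie could not be stored
    if caps.get("webdriver"):
        score += 30                  # navigator.webdriver is set by automation frameworks
    if not caps.get("screen"):
        score += 20                  # no window geometry at all
    if caps.get("plugins", 0) == 0 and caps.get("desktop_ua"):
        score += 20                  # desktop UA string but an empty plugin list
    if caps.get("timing_ms", 1000) < 5:
        score += 10                  # "solved" faster than a page could render
    return min(score, 100)


def decide(envelope, block_suspicious, captcha_enabled):
    """Step 3: map the profile settings and the score to an action.

    Mirrors the three setting combinations on the slide:
      Block Suspicious Browsers off        -> plain client-side challenge only
      on + CAPTCHA Challenge on            -> block bots, CAPTCHA the uncertain, allow humans
      on + CAPTCHA Challenge off           -> block only above the bot threshold, no CAPTCHA
    """
    if not block_suspicious:
        return "cs-challenge"
    caps = authenticate_result(envelope)
    if caps is None:
        return "block"               # example's choice: an unauthenticated result is an unsolved challenge
    score = score_capabilities(caps)
    if score >= BOT_THRESHOLD:
        return "block"
    if score <= HUMAN_THRESHOLD:
        return "allow"
    return "captcha" if captcha_enabled else "allow"


def make_envelope(caps, key=KEY):
    """What the (hypothetical) challenge script posts back."""
    body = json.dumps(caps, sort_keys=True)
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


# Constructed capability reports for three kinds of client.
REAL_BROWSER = {"cookies": True, "webdriver": False, "screen": [1920, 1080],
                "plugins": 3, "desktop_ua": True, "timing_ms": 120}
HEADLESS = {"cookies": True, "webdriver": True, "screen": [800, 600],
            "plugins": 0, "desktop_ua": True, "timing_ms": 40}
SCRIPT_BOT = {"cookies": False, "webdriver": True, "screen": None,
              "plugins": 0, "desktop_ua": True, "timing_ms": 1}


def demo():
    return {
        "setting_off": decide(make_envelope(HEADLESS), False, True),
        "browser": decide(make_envelope(REAL_BROWSER), True, True),
        "headless_captcha_on": decide(make_envelope(HEADLESS), True, True),
        "headless_captcha_off": decide(make_envelope(HEADLESS), True, False),
        "script_bot": decide(make_envelope(SCRIPT_BOT), True, False),
        "forged_result": decide(json.dumps(REAL_BROWSER) + ".deadbeef", True, True),
    }


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case:22} {action}")
```

The two headless rows are the point of the slide's third bullet: an uncertain score gets a CAPTCHA only when CAPTCHA Challenge is checked; with it unchecked the same client is let through because nothing proved it was a bot.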
DoS Bots Reporting
Bot signatures simulation
Location: Reporting ›› DoS ›› Application ›› Transaction outcomes
Transaction outcomes is very useful for monitoring traffic and shows the various measurements.
Bot signatures simulation
Location: Analytics ›› HTTP ›› Throughput ›› Request throughput
AVR provides details on DoS bot signatures (use the drill-downs).
Summary
• Simple bots can easily be detected and blocked
• White listing of bots = visibility into bot access while keeping other bots out
• Impersonating bots can be monitored / blocked
• Bots that support JavaScript and cookies can now be detected and blocked
• Reporting on the bots visiting your web site is available via AVR
• Custom bot signatures are a powerful tool to deal with bots
• Bot signatures are updated via the ASM signature update
Resources
Our documentation is free for all. Read and learn more:
BIG-IP Application Security Manager: Getting Started
BIG-IP Application Security Manager Operations Guide
BIG-IP Application Security Manager: Implementations
BIG-IP Application Security Manager: Custom Signature Reference
BIG-IP Analytics: Implementations
F5 ASM v12 DDoS best practices

F5 ASM v12 DDoS best practices

  • 1. BIG IP ASM V12 DDOS PROFILE Lior Rotkovitch, NPI ASM, L7 DDoS & Analytics Global Service Tech Summit, Seattle Sep, 2015, v3 lior@f5.com
  • 2. © F5 Networks, Inc 2 ASM – DDoS Profile DDOS - HTTP FLOODS ATTACKS • From single IP to single URL • From multiple IP’s to single fixed URL • From multiple IP’s to multiple fixed URL’s • From multiple IP’s to multiple random URL’s • From multiple IP’s from a specific country • Fine Tune your Thresholds & Reporting DDOS - BOTS • Simple bots • Impersonating Bots • Bots with cookies & JS capabilities • Bots acting as full browser • Reporting
  • 3. © F5 Networks, Inc 3 HTTP Floods facts: Servers Database Hacktivism Google Web Bot Unidentified User User Source IP‘s Users Or Bots Web Site Web Bot • Legitimate Layer 7 requests • Asking a web page thousands of time instead of one (few) times • Exhausting backend servers resources: memory, CPU, Disk etc • Relatively easy to execute with simple tools • Not easy to detect the offending source nor to prevent it • Wrong identification will prevent valid users from accessing the site (false positive )
  • 4. © F5 Networks, Inc 4 HTTP Floods types Hacktivism Google Web Bot Unidentified User User Source IP‘s Users Or Bots Web Bot Requests increase from or/and to URL’s inside the web site • From single IP to single URL • From multiple IP’s to single fixed URL • From multiple IP’s to multiple fixed URL’s • From multiple IP’s to multiple random URL’s • From multiple IP’s originating from a specific country Web Site Servers Database
  • 5. © F5 Networks, Inc 5 ASM Detection & Mitigation concept - HTTP Floods Latency App URL’s & objects Hacktivism Google Web Bot Unidentified User User RPSSource IP‘s Users Or Bots Web Bot Source IP’s ASM process: 1. Monitoring entities: RPS Latency IP’s URL’s 2. Detecting Increase 3. Activating Mitigation Web Site Servers Database
  • 6. © F5 Networks, Inc 6 ASM Detection & Mitigation concept – DoS Profile Location: Security ›› DoS Protection ›› DoS Profiles ›› dos
  • 7. © F5 Networks, Inc 7 TPS Based Detection: Transaction Per Second based detection and mitigation Client: Hey server, can I get the web page ? ASM: no, you are sending too many requests. You will have to • Answer CSID • Answer CAPTCHA • Be Rate Limited / Blocked Server
  • 8. © F5 Networks, Inc 8 TPS Based Detection Monitoring Request Per Second increase form source IP, Geo, URL, Site Wide. Then apply one of the mitigation policies: CSID, CAPTCHA, Rate limit
  • 9. © F5 Networks, Inc 9 TPS Based Detection 1. BY Source IP (Detection & Mitigation Polices) 2. Mitigation polices: a) Client Side Integrity Defense b) CAPTCHA challenge c) Request Blocking 3. By Geolocation (Detection & Mitigation Polices) 4. By URL (Detection & Mitigation Polices) 5. By Site Wide (Detection & Mitigation Polices) 6. Prevention Duration 1 a b c 3 4 5 2 6
  • 10. © F5 Networks, Inc 10 By Source IP: Detection Criteria Detection Detection: thresholds for determining DDoS attack - by source IP increase Mitigation: which mitigation will apply on the offending source IP Mitigation
  • 11. © F5 Networks, Inc 11 Ratio thresholds - measuring ratio with two time interval: • Long (History Interval): Measure the last 1 hour RPS averages every 10 seconds • Short (Detection Interval): Measure the last 10 seconds RPS averages every 10 seconds Detection – Ratio By Source IP: Detection Criteria
  • 12. © F5 Networks, Inc 12 TPS increased by: ((370 - 50) /50)*100 = 640% 640% > 500% = True By Source IP: Detection Criteria Detection – Ratio Long (History Interval): 50 TPS Short (Detection Interval): 370 TPS Example:
  • 13. © F5 Networks, Inc 13 By Source IP: Detection Criteria TPS increased by % AND minimum fix number of transactions 640% AND 40 = True Detection – Ratio Example: At least X Transactions: A minimum condition to prevent false positive increase (source IP starts browsing the site and goes from 0 to 30 RPS)
  • 14. © F5 Networks, Inc 14 By Source IP: Detection Criteria (TPS increased by % AND minimum fix number of transactions) OR TPS reached 640% AND 40 OR 200 = True Detection – Ratio Fixed Example: TPS reached: Ratio thresholds OR’ed with fixed TPS or
  • 15. © F5 Networks, Inc 15 TPS Based Detection 1. BY Source IP (Detection & Mitigation Polices) 2. Mitigation polices: a) Client Side Integrity Defense b) CAPTCHA challenge c) Request Blocking 3. By Geolocation (Detection & Mitigation Polices) 4. By URL (Detection & Mitigation Polices) 5. By Site Wide (Detection & Mitigation Polices) 6. Prevention Duration 1 a b c 3 4 5 2 6
  • 16. © F5 Networks, Inc 16 Client Side Integrity Defense – Concept User Web Bot Client: Hey server, can I get the web page ? ASM: no, you are sending too many requests. Are you a browser ? if a browser: Yes, I’m a browser If a bot: *^lkjdfg@#$ ASM: ok, you are allowed. Here is the web page you asked for. ASM: Bye Bye – Blocked Server
  • 17. © F5 Networks, Inc 17 • Checking JavaScript capabilities • A client is considered legitimate if it meets the following criteria: • The client support JavaScript • The client support HTTP cookies • The client should calculate a challenge inside the JS • If satisfied = legitimate client that can access the site Client Side Integrity Defense – Concept
  • 18. © F5 Networks, Inc 18 Client Side Integrity Defense - Flow User Browser DoS Profile App First main page access HTTP Request (no cookie) Computational challenge Solve challenge/ set cookie with time stamp HTTP Request (cookie) Reconstruct request Original HTTP Request HTTP Response (main page) HTTP Response (main page) More object requests (cookie) Validate cookie: format & time stamp More object requests More responses More responsesDeliver page • This is the flow and timeline of events. • Transparent to the user, done under the hood • Note that request is held at the ASM and not arriving the app until checks are satisfied • Not all checks are described here, some are internal IP. Send JS test
  • 19. © F5 Networks, Inc 19 Client Side Integrity Defense –JavaScript sample • The JS is obfuscated • From user perceptive this is transparent action.
  • 20. © F5 Networks, Inc 20 • If no reply – No problem for us • If didn’t solve the challenge but still sending request – Block (RST) • If did solve the challenge but: • Cookie is wrong format – Block (RST) • Time stamp expired – Block (RST) • If client access a resource (image) without getting the cookie first – Block (RST) Client Side Integrity Defense – Mitigation summary
  • 21. © F5 Networks, Inc 21 TPS Based Detection 1. BY Source IP (Detection & Mitigation Polices) 2. Mitigation polices: a) Client Side Integrity Defense b) CAPTCHA challenge c) Request Blocking 3. By Geolocation (Detection & Mitigation Polices) 4. By URL (Detection & Mitigation Polices) 5. By Site Wide (Detection & Mitigation Polices) 6. Prevention Duration 1 a b c 3 4 5 2 6
  • 22. © F5 Networks, Inc 22 CAPTCHA Challenge - Concept User Web Bot Client: Hey server, can I get the web page ? ASM: no, you are sending too many requests. Please answer this CAPTCHA challenge, show me your human !: If a user: OK, I answered If none user: Ha ? *^lkjdfg@#$ ASM: ok, you are allowed. Here is the web page you asked for. ASM: Bye Bye – Block him dood ! Server
  • 23. © F5 Networks, Inc 23 CAPTCHA Challenge Ultimate solution for identifying human or bot Send challenge to every IP that reached IP detection criteria thresholds To CAPTCHA or not to CAPTCHA ? Some argues that CAPTCHA is not a good usability because an innocent user gets CAPTCHA and he will not know why. So, remember that a valid user should pass browser tests. i.e. if a user is blocked (or gets a CAPTCHA) there is a reason and maybe he is not innocent (infected ?) . “Completely Automated Public Turing test to tell Computers and Humans Apart”
  • 24. © F5 Networks, Inc 24 CAPTCHA – customize response • Can be customize to the web site look and feel colors via css • Failure Response page is served if the first attempted fails
  • 25. © F5 Networks, Inc 25 CAPTCHA Challenge - Flow User Browser DoS Profile App Request mypage.php GET /mypage.php (no cookie) CAPTCHA HTML +JS response Cookie with time stamp Solve CAPTCHA CAPTCHA rendered Submit CAPTCHA solution GET /mypage.php + CAPTCHA cookie Verify CAPTCHA solution Validate cookie GET /mypage.php HTML of mypage.phpHTML of mypage.php mypage.php rendered Send CAPTCHA • While the system is still in a state of attack the offending source will be presented with another CAPTCHA every 5 min. • Same as CSID, request is held at the ASM until CAPTCHA is solved
  • 26. © F5 Networks, Inc 26 • If didn’t submit the challenge - no request DOSing us • If didn’t solve the challenge but still sending us attacks – Blocked • If did solve the challenge but: • Cookie is wrong format – RST • Time stamp expired 5 min– RST CAPTCHA – mitigation summary
  • 27. © F5 Networks, Inc 27 TPS Based Detection 1. BY Source IP (Detection & Mitigation Polices) 2. Mitigation polices: a) Client Side Integrity Defense b) CAPTCHA challenge c) Request Blocking 3. By Geolocation (Detection & Mitigation Polices) 4. By URL (Detection & Mitigation Polices) 5. By Site Wide (Detection & Mitigation Polices) 6. Prevention Duration 1 a b c 3 4 5 2 6
  • 28. © F5 Networks, Inc 28 Request Blocking / Rate limit Client: Hey server, can I get the web page ? ASM: no, you are sending too many requests. I’m limiting your requests sending rate While CSID and CAPTCHA try to understand who is the offending source (bots or browsers) request limiting is indifferent to the “identity” and limits the offending sources.
  • 29. © F5 Networks, Inc 29 Request Blocking Request Blocking: • Blocking: block all IP’s from the offending source – if a source IP reached thresholds I don’t want him on my site at this point • Rate Limit: limit the amount of allowed request from the offending source – if reached thresholds I can sustain only some of the traffic at this point
  • 30. © F5 Networks, Inc 30 Request Blocking – Mitigation Summary • Block all – blocking all traffic from the offending source (i.e. I don’t want to see any more traffic from this source) • Rate Limit – rate limit the offending source Example If long was 50 TPS And increase in short is 150 TPS Rate limit to 50 TPS Rate limit will limit to long (history) TPS rate
  • 31. © F5 Networks, Inc 31 TPS based: by source IP – Summary Client Side Integrity Check CAPTCHA Challenge Request Blocking • Measuring source IP increase • All source IP’s that reached the thresholds will be presented with the enabled mitigation • If still increasing , fall back according to the order in the GUI (switching mitigation)
  • 32. © F5 Networks, Inc 32 TPS Based Detection 1. BY Source IP (Detection & Mitigation Polices) 2. Mitigation polices: a) Client Side Integrity Defense b) CAPTCHA challenge c) Request Blocking 3. By Geolocation (Detection & Mitigation Polices) 4. By URL (Detection & Mitigation Polices) 5. By Site Wide (Detection & Mitigation Polices) 6. Prevention Duration 1 a b c 3 4 5 2 6
  • 33. © F5 Networks, Inc 33 HTTP Floods – Geolocation detection and Mitigation Hacktivism Google Web Bot Unidentified User User Source IP‘s Users Or Bots Web Bot Servers Database Web Site http floods type: From multiple source IP’s originating from a specific country
  • 34. © F5 Networks, Inc 34 • Geolocation – Relative to the whole traffic of the site: 500 % request increase of the whole site from a specific country AND At least 10 % of the whole site traffic Geolocation - Detection
  • 35. © F5 Networks, Inc 35 Geolocation – Mitigation • Client Side Integrity Check • CAPTCHA Challenge • Request Blocking All clients requests arriving from the specific country will be presented with mitigation: (note that blocking will block all users from this country)
  • 36. © F5 Networks, Inc 36 Geolocation – Black n White listing • Allows access to the web site regardless of geolocation detection criteria thresholds only i.e. other thresholds still apply • Specifies the countries that the system always blocks whenever the system is in a state of DDoS detection. • Done regardless of the thresholds set in the DDoS profile
  • 37. © F5 Networks, Inc 37 TPS Based Detection 1. BY Source IP (Detection & Mitigation Polices) 2. Mitigation polices: a) Client Side Integrity Defense b) CAPTCHA challenge c) Request Blocking 3. By Geolocation (Detection & Mitigation Polices) 4. By URL (Detection & Mitigation Polices) 5. By Site Wide (Detection & Mitigation Polices) 6. Prevention Duration 1 a b c 3 4 5 2 6
  • 38. © F5 Networks, Inc 38 HTTP Floods – URL Detection and Mitigation App URL’s & objects Hacktivism Google Web Bot Unidentified User User RPSSource IP‘s Users Or Bots Web Bot Source IP’s http://site.com/sell.php Servers Database Web Site • Measuring requests increase on a URL • Floods types: • From multiple IP’s to multiple fixed URL’s • From multiple IP’s to multiple random URL’s
  • 39. © F5 Networks, Inc 39 TPS increase by* AND at least X TPS ** OR TPS reached URL Detection Criteria Collecting RPS on URL’s Calculation: *Ration of long and short **Minimum TPS thresholds for detection
  • 40. © F5 Networks, Inc 40 URL Detection Criteria– Mitigation • Client Side Integrity Check • CAPTCHA Challenge • Request Blocking – Rate limit (No block all) All clients that access the URL:
  • 41. © F5 Networks, Inc 41 TPS Based Detection 1. BY Source IP (Detection & Mitigation Polices) 2. Mitigation polices: a) Client Side Integrity Defense b) CAPTCHA challenge c) Request Blocking 3. By Geolocation (Detection & Mitigation Polices) 4. By URL (Detection & Mitigation Polices) 5. By Site Wide (Detection & Mitigation Polices) 6. Prevention Duration 1 a b c 3 4 5 2 6
  • 42. © F5 Networks, Inc 42 HTTP Floods – Site Wide Detection and Mitigation App URL’s & objects Hacktivism Google Web Bot Unidentified User User RPSSource IP‘s Users Or Bots Web Bot Source IP’s Monitoring: all entities Servers Database Web Site Floods types: • From multiple IP’s to multiple random URL’s • Cases where DDoS attack is under the radar
  • 43. © F5 Networks, Inc 43 *TPS increase by AND Minimum TPS thresholds for detection OR TPS reached Site-Wide Detection Criteria • Collecting RPS on the entire website (all entities – URL’s, IP’s) • In some cases the floods will avoid thresholds for IP based or URL based. • Site wide provide another layer of detection and prevention Detection: Ratio Fixed
  • 44. © F5 Networks, Inc 44 Site-Wide Detection Criteria – Mitigation • Client Side Integrity Check • CAPTCHA Challenge • Request Blocking - only rate limit no blocking All clients that access the site: Prevention polices
  • 45. © F5 Networks, Inc 45 TPS Based Detection 1. BY Source IP (Detection & Mitigation Polices) 2. Mitigation polices: a) Client Side Integrity Defense b) CAPTCHA challenge c) Request Blocking 3. By Geolocation (Detection & Mitigation Polices) 4. By URL (Detection & Mitigation Polices) 5. By Site Wide (Detection & Mitigation Polices) 6. Prevention Duration 1 a b c 3 4 5 2 6
  • 46. © F5 Networks, Inc 46 Prevention duration • Client Side Integrity Check • CAPTCHA Challenge • Request Blocking De escalate - start from the top Every 7200 seconds Escalate top down every 120 second if thresholds are still increasing
  • 47. © F5 Networks, Inc 47 Stress Based detection • Predictive Latency – predict how long it will take to serve a new incoming request Server: I’m fine, keep on sending them ASM: Hey server, how many more requests can you handle ? I’m the server
  • 48. © F5 Networks, Inc 48 Stress Based Detection and prevention concept Client: Hey server , can I get the web page ? ASM: mmm let me check. The Server can take additional incoming requests. you are allowed ASM: no, my backend latency is now too high and you are sending too many request. You will have to: • Answer CSID or • Answer CAPTCHA or • Be rate limit Client: Hey server, can I get web pages again now ? I‘m the server ……. ……. After a while
  • 49. © F5 Networks, Inc 49 Stress Based – GUI • Same concept as TPS based: source IP, Geo, URL, Site wide and their mitigation policies. • Addition condition of backend latency. i.e. only when the two conditions reach thresholds, then apply mitigation policy. Note: Can work together (operate in parallel) with TPS based and act as layers of protection (e.g. TPS based does only CSID in alert mode and Stress based does request blocking in case of latency increase)
  • 50. © F5 Networks, Inc 50 Stress Based Detection & Mitigation • Similar to TPS based, Quiz yourself, what each item means ? 1. By Source IP a) CSID b) CAPTCHA c) Request Blocking 2. By Geolocation 3. By URL 4. Site Wide
  • 51. © F5 Networks, Inc 51 Stress Based Detection – thresholds condition Latency threshold exceeded? TPS threshold exceeded? AND Then: Activate Mitigation Policy • Mitigation Is activated when two types of thresholds are reached : Latency thresholds AND TPS thresholds
  • 52. © F5 Networks, Inc 52 Stress Based Detection – thresholds condition • in order to apply a prevention policy, both TPS and Latency thresholds must be exceeded, then the enabled prevention policy is activated. • Latency thresholds are not visible in the GUI, they are part of automatic detection. Example: Automatic stress detection enters a state of exceeding thresholds. This by itself will not active the prevention. Only when the TPS thresholds will exceed then the prevention policy is activated. prevention TPS thresholds stress detection
  • 53. © F5 Networks, Inc 53 TPS based VS Stress based • Quick way to protect against DDoS. I’m in trouble and I want to block now ! • Fixed number on the TPS reached is very easy and useful. Also easy to detect offending sources • Allows the option to activate the Mitigation only when the backed experiencing latency AND RPS increase (I only want to block when the attack is causing backend latency) • Provide Layers of defense and notify about backend issues (not just DDoS) Conclusion: TPS based is quick while latency based allows more granular approach
  • 54. © F5 Networks, Inc 54 Heavy URL’s Not all URL’s are equal Some are more attractive than others
  • 55. © F5 Networks, Inc 55 Heavy URL’s • Heavy URL’s are URL’s that consume more processing resources from the server • Are good application DoS point - Even few requests can DoS the app • Typical heavy URLs are search box, product ID’s Heavy URL Servers Database http://site.com/serach.php?q=a Ho wow, this will take a while… …… Searching … ….. hold on… ….. Almost there….
  • 56. © F5 Networks, Inc 56 Heavy URL’s concept • ASM automatically measures latency on URL’s for 48 hours and decides which are heavy • When any URL based mitigation is active, the URL’s that were detected as heavy will also “get” the active mitigation
  • 57. © F5 Networks, Inc 57 Heavy URL’s concept Heavy URL is another detection capability. Once its thresholds are reached AND one of the By URL detection thresholds is reached, the URL’s considered heavy are also subjected to the active mitigation policy
  • 58. © F5 Networks, Inc 58 Heavy URL’s configuration Example: By URL TPS reached 1000 TPS and is currently applying CSID mitigation. Heavy URL is enabled
  • 59. © F5 Networks, Inc 59 Heavy URL’s Configuration 1. Automatic Detection – Automatically add URL’s that will be considered heavy 2. Manual Heavy URLs – Manually add URL’s that will be considered heavy 3. Ignored URL – Exclude those URL’s from “heaviness” 4. Latency Threshold – Above this threshold -> heavy URL
  • 60. © F5 Networks, Inc 60 Heavy URL – Reporting Example: If search.php is defined as heavy and the index URL is currently being mitigated with CSID because it exceeded the By URL thresholds (ratio or fixed), then every source IP that is accessing search.php will also get the CSID check. Security ›› Reporting ›› DoS ›› Application ›› URL Latencies
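The By URL activation rule and the heavy-URL propagation described on slides 51 to 60, as an added Python model (not F5 code); thresholds, latency samples and URL names are constructed, and `mode="tps"` adds the TPS-only variant for comparison:

```python
"""Stress-based By URL detection with heavy-URL propagation.
Added example, not F5 code: it models the slides' rules (a By URL prevention
policy activates only when the TPS AND latency thresholds are exceeded, and
URLs judged heavy then receive the same mitigation). Threshold values and
latency samples are constructed."""
from dataclasses import dataclass, field
from statistics import mean

@dataclass
class UrlStats:
    tps: float          # current transactions per second for this URL
    latency_ms: float   # current average backend latency for this URL

@dataclass
class ByUrlDetection:
    tps_threshold: float = 1000.0         # "TPS reached" (fixed) threshold
    latency_threshold_ms: float = 1000.0  # stress threshold (not shown in the GUI)
    mode: str = "stress"                  # "stress" = TPS AND latency; "tps" = TPS only
    mitigation: str = "CSID"              # the enabled prevention policy

@dataclass
class HeavyUrlConfig:
    enabled: bool = True
    latency_threshold_ms: float = 1000.0        # above this a URL is heavy
    manual: set = field(default_factory=set)    # Manual Heavy URLs
    ignored: set = field(default_factory=set)   # Ignored URLs

def detect_heavy_urls(history, cfg):
    """history: {url: [latency_ms samples from the 48-hour learning window]}."""
    heavy = set(cfg.manual)
    for url, samples in history.items():
        if samples and mean(samples) > cfg.latency_threshold_ms:
            heavy.add(url)
    return heavy - cfg.ignored   # Ignored URLs are never considered heavy

def thresholds_exceeded(stats, det):
    tps_hit = stats.tps >= det.tps_threshold
    if det.mode == "tps":
        return tps_hit
    return tps_hit and stats.latency_ms >= det.latency_threshold_ms

def plan_mitigation(current, det, heavy_cfg, heavy_urls):
    """{url: mitigation} for every URL that must receive the active policy."""
    triggered = {u for u, s in current.items() if thresholds_exceeded(s, det)}
    actions = {u: det.mitigation for u in triggered}
    if heavy_cfg.enabled and triggered:
        # slide 60: while index is mitigated with CSID, heavy search.php gets it too
        for u in heavy_urls:
            actions.setdefault(u, det.mitigation)
    return actions
```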
  • 61. © F5 Networks, Inc 61 Fine Tune your thresholds • Reporting first • Fine tune your thresholds: Before DDoS Attack / During DDoS Attack • Remember, security is a process
  • 62. © F5 Networks, Inc 62 First rule of detection – AVR Reporting: Know your web site metrics • AVR graphs help you understand the site metrics: Statistics ›› Analytics ›› Overview; Statistics ›› Analytics ›› Transactions ›› View by • AVR graphs inside the ASM tab: Security ›› Reporting ›› DoS ›› Overview; Security ›› Reporting ›› DoS ›› Application ›› Transaction outcome • L7 DDoS measurements: Sources (IP’s, URL’s, Site Wide, Geolocation), RPS, TPS, Latency
  • 63. © F5 Networks, Inc 63 Why Fine Tune Thresholds? • Out of the box thresholds are good for most web sites • Depending on the web site traffic, fine tuning thresholds might be needed • Fine tuning thresholds can be divided into: • Before DDoS Attack • During DDoS Attack
  • 64. © F5 Networks, Inc 64 Fine Tune Thresholds Before attack – Process: Prerequisite: Enable the DDoS Profile on the desired virtual 1) White list IP’s, geolocation countries, URL’s (admin) etc. 2) Get visibility with transparent mode – write down metrics* 3) Test and decide which prevention will apply when thresholds are exceeded (TPS based / Latency based, heavy URL config etc.) 4) Fine tune thresholds for fixed and ratio based 5) Switch to blocking – when needed *good list for L7 DDoS metrics
  • 65. © F5 Networks, Inc 65 Fine Tune Thresholds Before DDoS for Source IP Go to Statistics ›› Analytics ›› HTTP ›› Transaction • View by: Client IP address • List top TPS Avg IP’s
  • 66. © F5 Networks, Inc 66 Fine Tune Thresholds Before DDoS for Source IP • By examining the client IP addresses you can conclude the averages of “normal” traffic you expect to see from the top source IPs. • Knowing the “normal” averages helps to define the TPS increase by ratio. • The idea is that you can determine how much traffic is allowed before a DDoS attack is assumed.
  • 67. © F5 Networks, Inc 67 Fine Tune Thresholds Before DDoS for Geolocation The same concept works for the geolocation thresholds graph. Go to Security ›› Reporting ›› DoS ›› Application ›› Transaction outcome and from the drilldown choose Countries on the AVR reports: “Which countries do you expect to see traffic from?”
  • 68. © F5 Networks, Inc 68 Fine Tune Thresholds Before DDoS for URL The same idea applies to URL’s. Sort the graph by URL’s: “Which URL should have the highest RPS?”
  • 69. © F5 Networks, Inc 69 Fine Tune Thresholds Before DDoS for URL
  • 70. © F5 Networks, Inc 70 Fine Tune Thresholds Before DDoS for Site Wide On the drilldown choose Virtual Server: “This will help us understand the overall traffic load that we have when there is no DDoS attack.”
  • 71. © F5 Networks, Inc 71 Fine Tune Thresholds Before DDoS for Site Wide The overall traffic should be much higher than the other thresholds. The values reflect the total amount of TPS that the virtual can handle. Site wide = Virtual server
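The "before attack" procedure of slides 64 to 71, as an added Python example (not F5 code): a constructed transparent-mode sample gives the "normal" TPS per source IP, country, URL and virtual server, and a current window is then checked against ratio-based and fixed thresholds chosen from that baseline. Entity names, traffic counts and the thresholds are all constructed.

```python
"""Baseline TPS per entity and ratio / fixed thresholds.
Added example (not F5 code) of the 'before attack' fine-tuning process:
measure normal TPS for source IPs, countries, URLs and the whole virtual from
a transparent-mode sample, then check a current window against ratio-based
("TPS increased by") and fixed ("TPS reached") thresholds. All traffic values
are constructed."""
from collections import defaultdict

# Constructed quiet-period sample: (client_ip, country, url, requests in the window)
BASELINE_SAMPLE = [
    ("198.51.100.7", "US", "/index.php", 600),
    ("198.51.100.7", "US", "/search.php", 120),
    ("203.0.113.5", "DE", "/index.php", 300),
    ("203.0.113.9", "DE", "/product.php", 180),
]
WINDOW_SECONDS = 60

ENTITIES = {                          # the four detection criteria on the slides
    "source_ip":   lambda r: r[0],
    "geolocation": lambda r: r[1],
    "url":         lambda r: r[2],
    "site_wide":   lambda r: "virtual",   # Site wide = the virtual server
}

def tps_table(sample, window=WINDOW_SECONDS):
    """{entity_type: {entity: average TPS}} from an (ip, country, url, count) sample."""
    table = {}
    for name, key in ENTITIES.items():
        counts = defaultdict(int)
        for rec in sample:
            counts[key(rec)] += rec[3]
        table[name] = {k: v / window for k, v in counts.items()}
    return table

def exceeded(current, baseline, ratio, fixed):
    """Which threshold fires: 'fixed' (TPS reached), 'ratio' (TPS increased by) or None."""
    if current >= fixed:
        return "fixed"
    if baseline > 0 and current >= baseline * ratio:
        return "ratio"
    return None

def find_exceeding(current_sample, baseline, ratios, fixed):
    """{entity_type: {entity: trigger}} for entities above their thresholds."""
    hits = {}
    for name, by_entity in tps_table(current_sample).items():
        for entity, tps in by_entity.items():
            trig = exceeded(tps, baseline[name].get(entity, 0.0), ratios[name], fixed[name])
            if trig:
                hits.setdefault(name, {})[entity] = trig
    return hits
```

A source with no baseline (a new IP or country) can only trip the fixed threshold, which is why the slides ask for both values per criterion.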
  • 72. © F5 Networks, Inc 72 Fine Tune Thresholds During attack – Process: 1) Fine tune the white list sources – if needed 2) Identify sources that exceed thresholds (source IP’s, URL’s, Geo, Site Wide) by looking at the reporting. 3) Determine the attack type: from fixed/random source IP to fixed/random URL. Conclude which of the detection types you need (source IP only? Source IP and URL based only? etc.) 4) Fine tune thresholds according to the exceeding sources (ratio / fixed) 5) Apply mitigation and decide what is working and what is not. Uncheck the mitigations that are not effective 6) Go to step 1 and repeat
  • 73. © F5 Networks, Inc 73 Fine Tune Thresholds During attack – Source IP • Security ›› Reporting ›› dos ››Application ›› transaction outcome • On the drilldown choose Client IP Address
  • 74. © F5 Networks, Inc 74 Fine Tune Thresholds During attack – Geolocation • Security ›› Reporting ›› dos ›› Application ›› transaction outcome • On the drilldown choose Countries
  • 75. © F5 Networks, Inc 75 Fine Tune Thresholds During attack – URL’s • Security ›› Reporting ›› dos ›› Application ›› transaction outcome • On the drilldown choose URL’s
  • 76. © F5 Networks, Inc 76 Fine Tune Thresholds During attack - Site Wide • Security ›› Reporting ›› dos ›› Application ›› transaction outcome • On the drilldown choose Virtual Servers
  • 77. © F5 Networks, Inc 77 AVR reports and graphs Security ›› Event Logs ›› DoS ›› Application Events • Mitigation type – can help understand which of the mitigations is effective and when switching mitigation occurred • Time line: Attack start / end • Host IP • Number of TPS • Attack ID: clicking will show the graph
  • 78. © F5 Networks, Inc 78 AVR reports and graphs Security ›› Reporting ›› DoS ›› Application ›› Transaction Outcomes Impact is the latency on the backend for all entities. The higher the latency, the higher the impact. High, medium and low impact allow filtering the high impact attacks and dealing with them first
  • 79. © F5 Networks, Inc 79 AVR reports and graphs Security ›› Reporting ›› DoS ›› Application ›› Transaction Outcomes Start and End points – red flags indicate the start of an attack and green flags indicate the end of an attack. Switching mitigation can occur several times over a DDoS attack.
  • 80. © F5 Networks, Inc 80 AVR reports and graphs • Incomplete – indicates traffic that was dropped by the server because the connection was incomplete or the server did not respond. • Blocked – indicates traffic that was blocked as a result of the mitigation policy (any of the prevention policies, including bot blocking) • Proactive Mitigation – indicates the amount of time that the proactive bot defense mechanism was served • CAPTCHA mitigation – indicates the amount of time that the CAPTCHA challenge was served to offending sources • CS integrity mitigation – indicates the amount of time that the client-side integrity defense challenge was served to offending sources • BIG-IP Response – indicates traffic that is a response to the client from the BIG-IP system. • Cache by BIG-IP – indicates traffic that is served from the configured cache (WA, RamCache) • Whitelisted – indicates traffic from IP addresses that are in the whitelist of the DoS profile • Pass through – indicates traffic that is passed through ASM to the application server
  • 81. © F5 Networks, Inc 81 AVR reports and graphs The AVR DoS graph now shows the thresholds that are set in the TPS detection tab. The Display Thresholds check box will display them or clear them from the graph.
  • 82. © F5 Networks, Inc 82 Fine Tune Thresholds – Summary Before DDoS: • Write down the “normal” thresholds for the web site (IP’s, Geolocation, URL’s, Site Wide) • Set the ratio and the fixed threshold for each of the above detection criteria (how much can the web site take: 2 times the traffic, 5 times etc.) • Test the configuration and the prevention policy, then conclude which one is good for you During DDoS: • Identify the source IP’s, URL’s and entire site traffic increase and determine the attack type • Set the fixed TPS number in each of the above criteria and apply mitigation • Verify the results in the Transaction outcome graph
  • 83. © F5 Networks, Inc 83 DDoS Bots - Detection & Mitigation
  • 84. © F5 Networks, Inc 84 Layers of defense against Bots: Simple Bots, Impersonating Bots, Bots with cookies / JS capabilities, Bots acting as full browser. This bot section is mostly about bots that DoS / DDoS. However, bot detection and prevention can be used for the various bot problems the site is experiencing.
  • 85. © F5 Networks, Inc 85 DDoS Bots [Diagram: Users or Bots (Google Web Bot, Unidentified User, User, Web Bot) -> Web Site -> Servers / Database] Bots can be classified in many ways; mostly there are: 1. Simple bots 2. Impersonating Bots 3. Bots with cookies & JS capabilities 4. Bots acting as full browser
  • 86. © F5 Networks, Inc 86 Enabling Bot signatures protection
  • 87. © F5 Networks, Inc 87 Bots – Simple Bot [Diagram: Bot: “I’m a simple Bot” ASM: “Yes, I have your signature. Sorry mate, you are blocked.”] A simple bot can be any command line tool such as curl, wget or ab
  • 88. © F5 Networks, Inc 88 Categorizing Bots: Bad Bots / Good Bots Bad Bots, aka Malicious, are well known command line tools – we want them out Good Bots, aka Benign, are well known search engines and monitoring tools – we want them in
  • 89. © F5 Networks, Inc 89 Bot Signatures – None / Report / Block Each category includes: • None – ignore • Report – report only, used for monitoring • Block – block
  • 90. © F5 Networks, Inc 90 Excluding specific bot signatures from category settings • A specific signature can be excluded from the category setting • Search for the signature in the Available signatures list and move it to the left pane • In this example the ab tool will not be blocked even if the category that includes it is in blocking mode
  • 91. © F5 Networks, Inc 91 First – White list good Bots [Diagram: 1. Google: “I’m a google Bot” 2. ASM: “Let’s see if you really are. I’m doing a Reverse DNS lookup.” 3. DNS Server answers 4. ASM: “Yes, I see that, please continue.” Google: “Thanks”]
  • 92. © F5 Networks, Inc 92 White list good Bots – with their domain name User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) 1. Request arrives with User Agent: Googlebot/2.1 2. ASM searches for the google bot signature 3. The signature includes a domain name. ASM issues a Reverse DNS query to the DNS Server to verify the origin of the request 4. Once approved, ASM will allow the google bot to access the web site
  • 93. © F5 Networks, Inc 93 Bot Signature Repository • The Bot Signature repository for the entire system is under Options. • The Bot signatures repository is updated with the ASM signature update Security ›› Options ›› DoS Protection ›› Bot Signatures List
  • 94. © F5 Networks, Inc 94 Bot Signature List: general signatures repository Signatures can be sorted by: • Signature Category • Signature Type: Malicious / Benign • User Defined signatures: Yes / No • Partition: a signature can be assigned to a specific partition Clicking on any of the sorting headers will change the order.
  • 95. © F5 Networks, Inc 95 Sorting the Bot Signature Repository Various filtering Create new Bot Signature
  • 96. © F5 Networks, Inc 96 Bot Signature Categories Creating new category for Malicious or Benign
  • 97. © F5 Networks, Inc 97 Create a new bot signature: simple edit mode Simple edit mode: match inside a User-Agent header or in a URL. Fields: Bot Signature name; Category; Domain name – executes a reverse DNS query to verify origin; add the domain if the Bot has one. Click Create when done
  • 98. © F5 Networks, Inc 98 Create a new bot signature – advanced edit mode Advanced Edit Mode – rule granularity. Signature syntax example: headercontent: "sample_text"; useragentonly; For full details consult the F5 documentation
  • 99. © F5 Networks, Inc 99 Bot signature facts • Signatures associated with a domain name are validated with a reverse DNS lookup. • Blocking and reporting: • Block flag – resets the connection and reports the action as "bot signature block" with the bot signature name. • Report flag – reports the bot name and category (AVR) • Bot signatures are updated as part of the ASM signature update
  • 100. © F5 Networks, Inc 100 Bots – Impersonating Bot [Diagram: Gohogle: “I’m a google Bot, ha ha ha” ASM: “Let’s see if you are. I’m doing a Reverse DNS lookup.” ASM: “Hey DNS, who’s this guy?” DNS: “No one important” ASM: “You are not google bot. Bye bye -> block this creature!” Gohogle: “Bummer”]
  • 101. © F5 Networks, Inc 101 Bots – Impersonating Bot 1. Request arrives with User Agent: Googlebot/2.1 2. ASM searches for the google bot signature 3. The real google bot signature includes a domain name. ASM issues a Reverse DNS query to the DNS Server to verify the origin of the request 4. If the source IP is not the expected one according to the DNS query, ASM will block the impersonating bot
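The whitelist and impersonation checks of slides 91-92 and 100-101, as an added Python model (not F5 code, and not ASM's signature format): the signature names, IPs, PTR and A records are constructed fixtures standing in for the real signature set and DNS server, and the forward-confirmation step is an addition beyond what the slides show.

```python
"""Bot signature matching with reverse-DNS origin verification.
Added example (not F5 code) for slides 91-92 and 100-101: a signature that
carries a domain name is trusted only when the source IP's reverse DNS name
belongs to that domain, so an impersonator fails the check. Signatures, IPs
and DNS answers are constructed fixtures; the forward-confirmation step
(resolving the name back to the IP) goes beyond what the slides describe."""
from dataclasses import dataclass

@dataclass(frozen=True)
class BotSignature:
    name: str
    user_agent_match: str   # substring looked for in User-Agent (simple edit mode)
    category: str           # "Benign" or "Malicious"
    domains: tuple = ()     # reverse-DNS domains; empty = no origin validation

SIGNATURES = (
    BotSignature("Google Bot", "Googlebot", "Benign", ("googlebot.com", "google.com")),
    BotSignature("ApacheBench", "ApacheBench", "Malicious"),
)
CATEGORY_ACTION = {"Benign": "report", "Malicious": "block"}  # per-category setting

# Constructed DNS fixture; a real deployment queries its DNS server
PTR = {"66.249.66.1": "crawl-66-249-66-1.googlebot.com",
       "203.0.113.9": "vps9.example.net"}
A = {"crawl-66-249-66-1.googlebot.com": "66.249.66.1",
     "vps9.example.net": "203.0.113.9"}

def match_signature(user_agent, signatures=SIGNATURES):
    for sig in signatures:
        if sig.user_agent_match in user_agent:
            return sig
    return None

def origin_verified(src_ip, sig, ptr=PTR, a=A):
    """Reverse name must be inside one of sig.domains and resolve back to src_ip."""
    host = ptr.get(src_ip)
    if host is None:
        return False
    in_domain = any(host == d or host.endswith("." + d) for d in sig.domains)
    return in_domain and a.get(host) == src_ip

def classify(user_agent, src_ip):
    """(action, reason) for one request; action is allow, report or block."""
    sig = match_signature(user_agent)
    if sig is None:
        return ("allow", "no bot signature matched")
    if sig.domains and not origin_verified(src_ip, sig):
        return ("block", "impersonating " + sig.name)   # slide 101
    return (CATEGORY_ACTION[sig.category], sig.name)
```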
  • 102. © F5 Networks, Inc 102 Bots with cookies & JS capability [Diagram: Bot: “I’m a bot that can understand JS and support cookies” ASM: “Prove it, answer my challenges” Bot: “Ha?” ASM: “No you are not, bye bye -> block this bot.” Bot: “Bummer”]
  • 103. © F5 Networks, Inc 103 Proactive Bot Defense PBD is good for: • Bots that can handle JS • Bots that can handle JS and cookies • Bots floods • Under the radar bots • Block any bot accessing the site (humans only web site)
  • 104. © F5 Networks, Inc 104 Proactive Bot Defense and Bot Signature Proactive Bot Defense is now integrated with the bot signatures. When enabling proactive bot defense, the bot signature feature will be enabled as well
  • 105. © F5 Networks, Inc 105 Proactive Bot Defense • Sends client side challenges to ALL clients and thus mitigates bots all the time • Various challenges are sent and then validated by PBD – blocked or allowed
  • 106. © F5 Networks, Inc 106 PBD – Client side integrity defense – flow (User Browser / DoS Profile / App) 1. First main page access: HTTP Request (no cookie) 2. DoS Profile returns a computational challenge 3. Solve challenge / set cookie with time stamp 4. HTTP Request (cookie) 5. Reconstruct request -> Original HTTP Request to the App 6. HTTP Response (main page) -> HTTP Response (main page) to the browser 7. More object requests (cookie) -> validate cookie: format & time stamp -> more object requests to the App 8. More responses -> more responses; deliver page
  • 107. © F5 Networks, Inc 107 Proactive Bot Defense – configuration • Always – sends the CS challenge all the time • During attack – PBD sends the CS challenge only if another component of the DoS profile is in DoS mode (acting as two layers of mitigation). This allows a second layer of protection (rate limit and PBD) • Grace period – cookie expiration time; 300 = 5 min • White list – exclude PBD on those IP’s
  • 108. © F5 Networks, Inc 108 Bots acting as full browser [Diagram: Bot: “I’m a Bot that simulates a browser” ASM: “OK, what are your capabilities? If you do not answer right you will have to answer a CAPTCHA” Bot: “Capabilities? CAPTCHA?” ASM: “You are not human, byyyye -> block this unhuman!” Bot: “Bummer”]
  • 109. © F5 Networks, Inc 109 PBD – Additional bot identification with the capabilities script Bots: Bots acting as full browsers – Browser Simulation
  • 110. © F5 Networks, Inc 110 How are bots that simulate browsers evaluated? Block Suspicious Browsers – additional tests are done to understand if this is a bot or a browser. ASM will evaluate the source and give it a score: if the score indicates that the source is a bot, it will be blocked. If the score indicates uncertainty and the CAPTCHA challenge is checked, a CAPTCHA will be presented to the source. If it answers, it is a human; if not, it is blocked.
  • 111. © F5 Networks, Inc 111 Block Suspicious Browsers • If Block Suspicious Browsers is unchecked -> send the CS Challenge • If Block Suspicious Browsers is checked and CAPTCHA is checked -> send the Client Capabilities challenge and give it a score: if the score is in doubt, send a CAPTCHA for human verification • If Block Suspicious Browsers is checked but CAPTCHA Challenge is unchecked -> do not send a CAPTCHA and only block if the score is more than a human
  • 112. © F5 Networks, Inc 112 Client Capabilities – challenge script flow (User Browser / DoS Profile / App) 1. First request GET /sell.php -> GET /sell.php (no cookie) 2. DoS Profile returns the Client Capabilities Challenge 3. Client Capabilities verification response -> blank page & Set cookie; DoS Profile: 1. authenticate and decrypt the JS results, 2. verify capabilities and set a score, 3. determine an action based on the score 4. Reconstruct request -> Original HTTP Request + cookie to the App 5. HTTP Response -> HTTP Response (cookie) to the browser 6. GET /img.png (cookie) -> validate cookie: format & time stamp -> GET /img.png (cookie) to the App
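The challenge/cookie flow of slides 106 and 107 and the Block Suspicious Browsers rules of slide 111, as one added Python model (not F5 code): the cookie layout, the proof-of-work challenge, the demo secret and the score bands are assumptions, while the 300 s grace period and the always / during-attack modes come from the slides.

```python
"""Client-side challenge cookie with grace period, plus the Block Suspicious
Browsers decision. Added example (not F5 code) modelling slides 106, 107 and
111: an uncookied request gets a computational challenge, the cookie it then
carries is validated for format and time stamp, and a capability score picks
pass, CAPTCHA or block. Cookie layout, challenge and score bands are assumed."""
import hashlib, hmac

SECRET = b"constructed-demo-key"  # constructed; a deployment has its own
GRACE_PERIOD = 300                # seconds; slide 107: 300 = 5 min
DIFFICULTY = 2                    # leading zero hex digits the solution needs

def check_solution(seed, nonce):
    digest = hashlib.sha256(f"{seed}:{nonce}".encode()).hexdigest()
    return digest.startswith("0" * DIFFICULTY)

def solve_challenge(seed):
    """Browser side: smallest nonce that satisfies check_solution."""
    nonce = 0
    while not check_solution(seed, nonce):
        nonce += 1
    return nonce

def issue_cookie(now):
    """Cookie = '<unix time stamp>.<hmac of the time stamp>' (assumed layout)."""
    ts = str(int(now))
    return ts + "." + hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()

def validate_cookie(cookie, now, grace=GRACE_PERIOD):
    """Format and time-stamp validation; returns (ok, reason)."""
    parts = cookie.split(".")
    if len(parts) != 2 or not parts[0].isdigit():
        return (False, "bad format")
    expected = hmac.new(SECRET, parts[0].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(parts[1], expected):
        return (False, "bad signature")
    if int(now) - int(parts[0]) > grace:
        return (False, "expired")
    return (True, "ok")

def pbd_decision(cookie, now, mode="always", in_dos_mode=False):
    """'always' challenges every uncookied client; 'during-attack' only in DoS mode."""
    if mode == "during-attack" and not in_dos_mode:
        return ("pass", "PBD idle")
    if cookie is None:
        return ("challenge", "no cookie")
    ok, reason = validate_cookie(cookie, now)
    return ("pass", reason) if ok else ("challenge", reason)

def suspicious_browser_decision(score, block_suspicious, captcha_enabled):
    """Slide 111 rules; score 0-100, higher = more bot-like (bands assumed)."""
    if not block_suspicious:
        return "cs-challenge"
    if score >= 80:
        return "block"
    if score > 20:                # in doubt
        return "captcha" if captcha_enabled else "pass"
    return "pass"
```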
  • 113. © F5 Networks, Inc 113 DoS Bots Reporting
  • 114. © F5 Networks, Inc 114 Bot signatures simulation Reporting ›› dos ›› Application ›› Transaction outcomes Transaction outcomes is very useful for monitoring traffic and indicates various measurements
  • 115. © F5 Networks, Inc 115 Bot signatures simulation Analytics ›› HTTP ›› throughput ›› request throughput AVR will provide details on DoS bot signatures (use drill downs )
  • 116. © F5 Networks, Inc 116 Summary • Simple bots can easily be detected and blocked • White listing of bots = visibility into bot access while keeping other bots out • Impersonating bots can be monitored / blocked • Bots that support JavaScript and cookies can now be noticed and blocked • Reporting on the bots visiting your web site is available via AVR • Custom bot signatures are a powerful tool to deal with bots • Bot signatures are updated via the ASM signature update
  • 117. © F5 Networks, Inc 117 Resources Our documentation is free for all. Read and learn more: BIG-IP Application Security Manager: Getting Started BIG-IP Application Security Manager Operations Guide BIG-IP Application Security Manager: Implementations BIG-IP Application Security Manager: Custom Signature Reference BIG-IP Analytics: Implementations