Taking the Fear out of WAF

© F5 Networks, Inc 2
Who is this guy?
• Brian A. McHenry, Sr. Security Solutions Architect, F5 Networks
• 9 years at F5, focused on application security solutions
• Regular contributor on DevCentral.f5.com & InformationSecurityBuzz.com
• Follow me on twitter @bamchenry

Who Owns the WAF?
Network Team App Dev TeamSecurity Team

My kingdom for a WAF admin!
WAF Administrator

With Great Power…
• Each web application is a snowflake!
• Application deploys can be too frequent for WAF policy tweaks to
keep up.
• In DevOps environments, continuous delivery enables rapid vuln
fixes in code.
WAF Administrator

Automated Traffic Consumes 50% of Resources
Typical Web Traffic
Humans Good Bots Bad Bots
https://www.incapsula.com/blog/bot-traffic-report-
2015.html
• Roughly 50% of traffic is
human
• About 20% is good bots
• Remaining 30% is
malicious bots

What’s a Heavy URI?
• Any URI inducing greater server load upon request
• Requests that take a long time to complete
• Requests that yield large response sizes

© F5 Networks, Inc 10CONFIDENTIAL
• Attackers are proficient at network
reconnaissance
• They obtain a list of site URIs
• Sort by time-to-complete (CPU cost)
• Sort list by megabytes (Bandwidth)
• Spiders (bots) available to automate
• Though they are often known by the security
community
• Can be executed with a simple wget script, or
OWASP HTTP Post tool
Tools and Methods of L7 DoS Attacks

Exploiting POST for Fun & DoS
•Determine:
• URL’s accepting POST
• Max size for POST
•Bypass CDN protections (POST isn’t
cache-able)
•Fingerprint both TCP & app at the
origin
Attackers work to identify weaknesses
in application infrastructure
Network Reconnaissance Example

Detection and Mitigation Challenges
• Source IP address mostly ineffective
for detection
• Geo-fencing impractical for most
sites
• Recent brute force attack sourced
from 1M IP addresses
• Endless supply of IP addresses
• Compromised routers, cable
modems, proxies, and more.
Web
Application

DETECTING &
STOPPING AUTOMATED
TRAFFIC

Classifying the Bad BOTS…
• Most attacks are automated, whether DoS, Brute Force, or data breach
• Many reconnaissance tools available
• WGET, SQLMap, etc.
• Headless browsers (e.g. Phantom.js, et al)
• Attackers must automate to find weaknesses for manual probing

…from the Good BOTS
• Search-bots have unique capabilities
• Reverse lookup should tell you if the IP is from the search provider
• Other bots, such as scrapers and aggregators may need to be allowed.
• Determine unique characteristics
• Signature-based bypass
• Still may need to throttle benign bots

Bot Signatures
Known malicious
bots, blocked by
default
Known “safe”
bots, no action by
default

Behavioral Analysis & Fingerprinting
• Detect GET flood attacks against Heavy URI’s
• Identify non-human surfing patterns
• Fingerprinting to identify beyond IP address
• Identify fake User Agents
• Track fingerprinted sessions
• Assign risk scores to sessions
• Detect known malicious browser extensions
• https://PanOpticlick.eff.org for a primer on the topic

• WAF injects a JS challenge with obfuscated cookie
• Legitimate browsers resend the request with cookie
• WAF checks and validates the cookie
• Requests with valid signed cookie are then passed
through to the server
• Invalidated requests are dropped or terminated
• Cookie expiration and client IP address are enforced –
no replay attacks
• Prevented attacks will be reported and logged w/o
detected attack
1st
time
request to web
server
JavaScript-based Bot Detection
Internet
Web
Application
Legitimate browser
verification
No challenge
response from bots
BOTS ARE
DROPPED
WAF responds with
injected JS challenge.
Request is not passed
to server
1
JS challenge placed
in browser
2
- WAF verifies
response
authenticity
- Cookie is signed,
time stamped
and finger printed
4
Valid requests are
passed to the
server
5
Browser
responds to
challenge &
resends request
3
Continuous invalid bot
attempts are blocked
Valid browser requests
bypass challenge w/
future requests

• When checked, ASM will fingerprint and score the browser and check multiple
variables to determine if it is a bot
Detecting bots and blocking
HIGH
SCORE
AVERAGE
SCORE
WORST
SCORE
Fingerprint
PASS! EVALUATE BLOCK
CAPTCHA
OR
JS CHALLENGE

Detecting bots and blocking
CAPTCHA
OR
CHALLENGE
If “Block Suspicious Browsers” is unchecked à send CS challenge (like 11.6)
If “Block Suspicious Browsers” is checked à send Client Capabilities Challenge
and if average score returned, send CAPCHA
If “CAPTCHA Challenge” is unchecked à Block

Charts and Graphs
The following slides are examples of how to present statistics and
data in visual formats.
ASM’s unique Proactive Bot Defense and L7 DoS
Mitigating 30-40% across entire airline booking site
Two- to three-line summary of findings. Further detail in the right hand column below.

Proactive Bot Detection
Consistently protecting applications from another 30%
of bot requests across airline booking site

• The following slides are examples of how to present statistics
and
data in visual formats.
Two- to three-line summary of findings. Further detail in the right hand column below.
Mitigated over 90% of bot traffic during peak times for target URL.
As bot activity rises, Server Latency decreases with valid requests

Imagine: an Internet free of Bots.

Deep Thoughts
• Eliminating 30% of web traffic has serious impact
• Capacity and performance improvements are measurable
• Budget is always more available than for a security project
• Bot detection requires less per-application customization
• Increases operational scale for application security
• Reduces threat model by eliminating most opportunistic attackers
• Focus other defenses on vectors for directed attackers

Greatly Improve App Security Posture,
Quickly and Easily…
Block Known Bad Requests1
Stop Talking to (Bad) Bots2
Stop Talking to Bad IPs3
Hide Details Nobody Needs4
Mask Sensitive Data5
See the Hostile Traffic6
Defend Against L7 DoS Attacks7
Web Application Security can be complicated.
However a well-designed Web Application Firewall, such as ASM, can
provide substantial security benefit “out of the box”.
By making the simple things simple, ASM enables the security team to
focus energy on critical tasks.

Block Known Bad RequestsBlock Known Bad Requests1
Even with a very simple-to deploy-policy ASM can block a host of
known bad traffic:
• SQL Injection
• CMD Injection
• Cross-Site Scripting
• Known Evasions and Encoded Attacks
• Malformed Requests
• Directory Traversal
• Cookie Manipulation
• Buffer Overflows
• HPP Tampering
• Parameter Tampering
• Security Misconfiguration Attacks
• Cross-Site Request Forgery
• And much, much more….

Stop Talking to (Bad) BotsBlock Known Bad Requests1
Google, Bing, Yahoo, Ask, a couple others are ‘Friendly’… and
whitelisted.
You don’t want to talk to any other bots:
• Scrapers
• DDoS Botnets
• Scanners
• Recon Bots
• Malware Droppers & Worms
ASM Identifies Bots and Blocks Them:
• Blocking Malformed Requests
• Blocking ‘Friendly’ Bot Imposters
• Blocking the Exploits that enable Malware Droppers
• Bot Identification
• Proactive Bot Defense
Bots are bad, M’kay?
THE VAST
MAJORITY OF
HITS ON THE
AVERAGE
WEBSITE ARE
BOTS
>90%

Stop Talking to Bad IPsBlock Known Bad Requests1
There are millions of IP addresses in use on the Internet that produce
nothing but hostile requests, all day long:
• Scanners
• Botnets
• Malware Hosts
• Compromised Hosts
• Phishing Sites
• Recent Hacking Activity
• DoS Activity
• Cloud Hosting Networks
• Anonymous Proxies
Additionally, many organizations will have known geo-locations that
they have no reason to interact with—or for whom they would like to
escalate visibility and inspection.
Block or track these in ASM with built-in Geo-Location enforcement
and integration with F5’s IP Intelligence Services subscription.

Hide Details Nobody NeedsBlock Known Bad Requests1

Mask Sensitive DataBlock Known Bad Requests1
Using ASM’s DataGuard™ scan and automatically mask or block:
• Credit Card Numbers
• Account Numbers
• Social Security Numbers
• Custom Defined Fields (for example: PHI detaisl)
• Accidental Leakage of Office Documents

See the Hostile TrafficBlock Known Bad Requests1

Defend Against L7 DDoS AttacksBlock Known Bad Requests1
ASM Website
Application
Security
Web Bot
User
These are the hardest attacks to identify and mitigate without blocking
the good traffic that drives your business.
• ASM tracks app performance all the time: it knows when you
are being attacked.
• It tracks URLs for utilization and resource requirements.
• It can block the bots and let your users through.
• Run the DoS protection continuously, or flip it on during an
attack.

Change the Way We Deploy WAF
Traditional WAF
• Signatures (OWASP Top 10)
• DAST Integration
• Site Learning
• File/URL/Parameter/Header/Cookie
Enforcement
• Protocol Enforcement
• Login Enforcement / Session Tracking
• Data Leak Prevention
• Flow Enforcement
Advanced WAF
• BOT Detection
• Web scraping Prevention
• Brute Force Mitigation
• L7 DDoS Protection
• Heavy URL Detection & Protection
• Captcha Challenges
• CSRF Token Injection
• Client fingerprinting

Web Firewall on BIG-IP is strong. Because, full proxy…
And a fully
programmable
data plane at all
layers with f5
iRules™ TCP
SSL
HTTP
TCP
SSL
HTTP
ICMP flood
SYN flood
SSL renegotiation
Data
leakageSlowloris attackXSS
Network
Firewall
WAF WAF

THANK YOU!
@bamchenry
http://www.slideshare.net/bamchenry
https://www.linkedin.com/in/bamchenry

Taking the Fear out of WAF

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Taking the Fear out of WAF (20)

Recently uploaded (20)

Taking the Fear out of WAF