DDOS PROFILE
Global Service Tech Summit, Seattle
Sep, 2015, v3
lior@f5.com
DDOS - BOTS
Simple bots
Impersonating Bots
F5 Networks, Inc
Reporting
Wrong identification will prevent valid users from accessing the site (false positive).
(Diagram: users, source IPs, unidentified users and hacktivists send requests to the web site, servers and database.)
1.
2. Detecting Increase
3. Activating Mitigation
(Diagram: users, source IPs, unidentified users and hacktivists drive RPS against the web site, servers and database; RPS and latency are the measured signals.)
Agenda:
2. Mitigation policies:
a) Client Side Integrity Check
b) CAPTCHA challenge
c) Request Blocking
3.
4.
5.
6. Prevention Duration
Detection
Mitigation
Detection Ratio
Long (History Interval): the average RPS over the last 1 hour, recomputed every 10 seconds.
Short (Detection Interval): the average RPS over the last 10 seconds, recomputed every 10 seconds.
Detection Ratio
TPS increased by %: the short (detection) interval average is compared with the long (history) interval average.
At least X transactions: a minimum condition to prevent a false-positive increase (a source IP that starts browsing the site goes from 0 to 30 RPS).
Example: TPS increased by 640% AND at least 40 transactions = True
Detection Ratio or Fixed
TPS reached: the ratio thresholds (TPS increased by % AND at least X transactions) are ORed with a fixed TPS value.
Example: (TPS increased by 640% AND at least 40 transactions) OR 200 TPS reached = True
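The threshold logic of the preceding slides, as an added Python example (not F5 code and not part of the deck): ten-second request counts feed a one-hour history average and a ten-second detection average, and a source is flagged when (TPS increased by % AND at least X transactions) OR fixed TPS reached. The class name, the choice to exclude the current bucket from the history average, and the sample counts are assumptions/constructed.

```python
from collections import deque

# Intervals from the slides: the long (history) interval covers the last hour and
# the short (detection) interval the last 10 seconds; both are re-evaluated every
# 10 seconds, so one "bucket" below is one 10-second request count.
HISTORY_SECONDS = 3600
DETECTION_SECONDS = 10
BUCKETS_IN_HISTORY = HISTORY_SECONDS // DETECTION_SECONDS   # 360


class TpsDetector:
    """Threshold evaluation for one entity (a source IP, a URL or the whole site).

    Assumption (not stated on the slides): the history average excludes the
    current detection bucket, so a sudden spike is compared against the hour
    that preceded it rather than diluted by itself.
    """

    def __init__(self, increase_pct, min_tps, fixed_tps):
        self.increase_pct = increase_pct   # "TPS increased by %", e.g. 640
        self.min_tps = min_tps             # "At least X transactions", e.g. 40 TPS
        self.fixed_tps = fixed_tps         # "TPS reached" (fixed), e.g. 200 TPS
        self.buckets = deque(maxlen=BUCKETS_IN_HISTORY)

    def add_sample(self, requests_in_10s):
        """Record the request count of the latest 10-second detection interval."""
        self.buckets.append(requests_in_10s)

    def short_tps(self):
        return self.buckets[-1] / DETECTION_SECONDS if self.buckets else 0.0

    def long_tps(self):
        history = list(self.buckets)[:-1]
        if not history:
            return 0.0
        return sum(history) / (len(history) * DETECTION_SECONDS)

    def evaluate(self):
        short, long_ = self.short_tps(), self.long_tps()
        # A brand-new source has no history, so its relative increase is infinite:
        # exactly the 0 -> 30 RPS false positive the minimum-transactions guard catches.
        increase = (short - long_) / long_ * 100 if long_ > 0 else float("inf")
        ratio_hit = increase >= self.increase_pct and short >= self.min_tps
        fixed_hit = short >= self.fixed_tps
        return {
            "short_tps": short,
            "long_tps": long_,
            "increase_pct": increase,
            "ratio": ratio_hit,          # (increased by % AND at least X transactions)
            "fixed": fixed_hit,          # OR fixed TPS reached
            "attack": ratio_hit or fixed_hit,
        }


def replay(samples, increase_pct=640, min_tps=40, fixed_tps=200):
    """Feed constructed 10-second request counts and return the final verdict."""
    det = TpsDetector(increase_pct, min_tps, fixed_tps)
    for n in samples:
        det.add_sample(n)
    return det.evaluate()


if __name__ == "__main__":
    # Constructed samples: a source browsing at 5 TPS for a minute, then 50 TPS.
    print(replay([50] * 6 + [500]))
    # A new source going straight to 30 TPS: no history, but under the 40 TPS minimum.
    print(replay([300]))
    # A source steady at 250 TPS: no relative increase, but over the fixed 200 TPS.
    print(replay([2500, 2500, 2500]))
```

The three replays in the main block correspond to the three cases the slides describe: a genuine relative spike (ratio fires, fixed does not), a new visitor that would be a false positive without the minimum (nothing fires), and a steady heavy source that only the ORed fixed threshold catches.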
Client Side Integrity Check
(Diagram: the server challenges each client. A browser answers "Yes, I'm a browser"; a web bot answers garbage: *^lkjdfg@#$.)
Client Side Integrity Check flow (Browser, DoS Profile, App):
1. Browser sends the original HTTP request; the DoS Profile answers with a computational challenge.
2. Browser solves the challenge and sets a cookie with a time stamp.
3. DoS Profile reconstructs the original request and forwards it to the App.
4. App returns the HTTP response (main page); further responses flow through.
The JavaScript is obfuscated.
From the user's perspective this is a transparent action.
If a client accesses a resource (for example an image) without first obtaining the cookie, it is blocked (RST).
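The Client Side Integrity Check flow above, simulated as an added Python example (not F5's implementation): a page request without a valid cookie gets a computational challenge, a solved challenge yields a time-stamped cookie, a request carrying a valid cookie is reconstructed and forwarded, and a resource fetched without the cookie is blocked. The cookie name, the HMAC signing, the 600-second validity and the SHA-256 stand-in for the obfuscated JavaScript are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Constructed demo values; a real deployment keeps its own secret and cookie name.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
COOKIE_NAME = "demo_csid"          # hypothetical name, not F5's cookie
COOKIE_TTL_SECONDS = 600           # assumption: how long a solved challenge stays valid
STATIC_SUFFIXES = (".png", ".jpg", ".gif", ".css", ".js")


def make_challenge(now):
    """The computational challenge the DoS profile returns instead of the page."""
    return {"nonce": base64.b64encode(os.urandom(12)).decode(), "issued": int(now)}


def solve_challenge(challenge):
    """Stand-in for the obfuscated JavaScript: a JS-capable browser computes this,
    a simple bot that only replays HTTP never does."""
    return hashlib.sha256(challenge["nonce"].encode()).hexdigest()


def issue_cookie(challenge, solution, now):
    """Return the time-stamped, HMAC-signed cookie, or None if the answer is wrong."""
    if not hmac.compare_digest(solution, solve_challenge(challenge)):
        return None
    payload = f"{int(now)}:{challenge['nonce']}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def cookie_valid(cookie, now):
    """Check signature and time stamp; anything malformed or forged is invalid."""
    try:
        ts, nonce, mac = cookie.split(":")
        issued = int(ts)
        expected = hmac.new(SERVER_KEY, f"{ts}:{nonce}".encode(), hashlib.sha256).hexdigest()
        signed_ok = hmac.compare_digest(mac, expected)
    except (AttributeError, ValueError, TypeError):
        return False
    return signed_ok and 0 <= now - issued <= COOKIE_TTL_SECONDS


def handle(request, now):
    """Decide what the DoS profile does with one request.

    request: {"path": str, "cookies": {name: value}}
    Returns ("forward", path) | ("challenge", challenge) | ("rst", path)
    """
    cookie = request.get("cookies", {}).get(COOKIE_NAME)
    if cookie_valid(cookie, now):
        return ("forward", request["path"])           # reconstructed request goes to the app
    if request["path"].endswith(STATIC_SUFFIXES):
        return ("rst", request["path"])               # resource fetched without the cookie: block
    return ("challenge", make_challenge(now))         # page request: send the JS challenge


def browser_session(path, now):
    """Walk a JS-capable client through the flow: challenge -> solve -> cookie -> forwarded."""
    verdict, challenge = handle({"path": path, "cookies": {}}, now)
    if verdict != "challenge":
        return (verdict, challenge)
    cookie = issue_cookie(challenge, solve_challenge(challenge), now)
    return handle({"path": path, "cookies": {COOKIE_NAME: cookie}}, now)


if __name__ == "__main__":
    print(browser_session("/index.php", 1000))               # ('forward', '/index.php')
    print(handle({"path": "/img.png", "cookies": {}}, 1000))  # ('rst', '/img.png')
```

The signature is what makes the time stamp meaningful: without it a client could mint its own cookie and skip the challenge, which is the defect a naive cookie check would have.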
CAPTCHA Challenge
(Diagram: the server presents a CAPTCHA. A user answers "OK, I answered"; a web bot answers "Ha? *^lkjdfg@#$".)
Can be customized to the web site's look and feel (colors) via CSS.
A Failure Response page is served if the first attempt fails.
CAPTCHA flow (Browser, DoS Profile, App):
1. DoS Profile sends the CAPTCHA to the browser.
2. The user solves the CAPTCHA; the browser submits the CAPTCHA solution.
3. Browser sends GET /mypage.php with the CAPTCHA cookie.
4. DoS Profile forwards the request; App renders mypage.php and the HTML of mypage.php is returned.
While CSID and CAPTCHA try to understand who the offending source is (bots or browsers), request limiting is indifferent to the identity and simply limits the offending sources.
Request Blocking:
Blocking: block all traffic from the offending source IP. If a source IP reached the thresholds, I don't want it on my site at this point.
Rate Limit: limit the number of allowed requests from the offending source. If it reached the thresholds, I can sustain only some of its traffic at this point.
All source IPs that reached the thresholds will be presented with the enabled mitigation.
If traffic is still increasing, fall back to the next mitigation in the order shown in the GUI (switching mitigation).
Geolocation - Detection
Relative to the whole traffic of the site:
500% request increase of the whole site from a specific country
AND
At least 10% of the whole site traffic
Geolocation - Mitigation
All client requests arriving from the specific country will be presented with the mitigation:
Client Side Integrity Check
CAPTCHA Challenge
Request Blocking
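The geolocation detection rule above, as an added Python example (not F5 code): a country is flagged only when both conditions hold. The first condition is read here as the country's own requests having grown by 500% over its history average, and the second as its share of the current whole-site traffic; that reading, the function name and the country counts (ZZ and YY are unassigned ISO codes) are assumptions/constructed.

```python
def geo_detect(history, current, increase_pct=500.0, min_share_pct=10.0):
    """Return the countries whose current traffic meets BOTH slide conditions.

    history: country -> average requests per interval over the history window
    current: country -> requests in the current detection interval
    (Both are constructed dicts here; in ASM they come from the geolocation counters.)
    """
    site_total = sum(current.values())
    flagged = {}
    for country, now in current.items():
        before = history.get(country, 0)
        # increase of this country's requests relative to its own history
        increase = (now - before) / before * 100 if before else float("inf")
        # this country's share of the whole site's traffic right now
        share = now / site_total * 100 if site_total else 0.0
        if increase >= increase_pct and share >= min_share_pct:
            flagged[country] = {"increase_pct": increase, "share_pct": share}
    return flagged


def country_policy(request_country, flagged, enabled_policy):
    """Every client request from a flagged country gets the enabled mitigation."""
    return enabled_policy if request_country in flagged else None


# Constructed counters: ZZ jumps from 5 to 200 requests and is 1/6 of the site's
# traffic; YY also jumps (2 -> 50) but stays a tiny share, so it is not flagged.
HISTORY = {"US": 800, "DE": 150, "ZZ": 5, "YY": 2}
CURRENT = {"US": 800, "DE": 150, "ZZ": 200, "YY": 50}

if __name__ == "__main__":
    hits = geo_detect(HISTORY, CURRENT)
    print(hits)                                              # only ZZ
    print(country_policy("ZZ", hits, "client_side_integrity"))
```

The share condition is what keeps a small country that merely went from a handful of requests to a few dozen from being mitigated on a percentage spike alone.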
Flood types:
(Diagram: users or bots, unidentified users, Google Web Bot and other web bots drive RPS against a URL such as http://site.com/sell.php on the web site, servers and database.)
By URL detection: ratio thresholds OR fixed TPS reached.
By URL mitigation: all clients that access the URL are presented with:
Client Side Integrity Check
CAPTCHA Challenge
(Diagram: users or bots from many source IPs, including unidentified users, drive RPS against the whole web site and database.)
Detection:
Ratio (TPS increased by % AND at least X transactions) OR fixed TPS reached
Prevention policies
Prevention duration
Escalate top down every 120 seconds if thresholds are still increasing:
Client Side Integrity Check
CAPTCHA Challenge
Request Blocking
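The escalation rule above, together with the Request Blocking modes (block vs. rate limit) and the "switching mitigation" fallback order from the earlier slides, as one added Python example (not F5 code): a per-source state machine steps through the enabled policies in GUI order every 120 seconds while thresholds keep increasing. The class and function names, the restart of the timer when a source stops increasing, and the 10-second interval are assumptions.

```python
ESCALATION_SECONDS = 120          # from the slides: escalate top down every 120 seconds

# Enabled policies in GUI order (top down). Unchecking a policy in the GUI removes it here.
DEFAULT_ORDER = ("client_side_integrity", "captcha", "request_blocking")


class SourceMitigation:
    """Mitigation state for one offending source IP (or URL / country / site)."""

    def __init__(self, now, enabled=DEFAULT_ORDER):
        self.enabled = list(enabled)
        self.index = 0          # start with the first enabled policy
        self.since = now        # when the current policy was activated

    @property
    def active(self):
        return self.enabled[self.index] if self.enabled else None

    def tick(self, now, still_increasing):
        """Called every detection interval with whether thresholds are still increasing.

        Assumption: the 120-second timer restarts whenever the source stops
        increasing, and the last policy in the list is never escalated past.
        """
        if not still_increasing:
            self.since = now
        elif now - self.since >= ESCALATION_SECONDS and self.index < len(self.enabled) - 1:
            self.index += 1
            self.since = now
        return self.active


def apply_request_blocking(requests_in_interval, mode, allowed_tps=None, interval_seconds=10):
    """Request Blocking has two flavours on the slides.

    mode="block": drop everything from the source (it is not wanted on the site now).
    mode="rate_limit": let through only what the site can sustain (allowed_tps).
    Returns (passed, dropped) request counts for the interval.
    """
    if mode == "block":
        return (0, requests_in_interval)
    if mode == "rate_limit":
        budget = allowed_tps * interval_seconds
        passed = min(requests_in_interval, budget)
        return (passed, requests_in_interval - passed)
    raise ValueError(f"unknown request blocking mode: {mode}")


if __name__ == "__main__":
    # Constructed timeline: a source that never stops increasing walks down the list.
    m = SourceMitigation(now=0)
    for t in (60, 120, 180, 240, 600):
        print(t, m.tick(t, still_increasing=True))
    print(apply_request_blocking(500, "rate_limit", allowed_tps=20))   # (200, 300)
```

With CSID unchecked in the GUI, the same source starts at CAPTCHA and has only one escalation left, which is the practical effect of the "uncheck the mitigations that are not effective" advice later in the deck.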
1. By Source IP
a) CSID
b) CAPTCHA
c) Request Blocking
2. By Geolocation
3. By URL
4. Site Wide
Stress-based detection:
TPS threshold exceeded? AND latency threshold exceeded?
Then: activate mitigation policy.
TPS thresholds, stress detection, prevention
Example: automatic stress detection enters a state of exceeding thresholds. This by itself will not activate the prevention. Only when the TPS thresholds are also exceeded is the prevention policy activated.
TPS based vs. stress based:
Stress based allows the option to activate the mitigation only when the backend is experiencing latency AND an RPS increase (I only want to block when the attack is causing backend latency).
Provides layers of defense and notifies about backend issues (not just DDoS).
Conclusion: TPS based is quick, while latency based allows a more granular approach.
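The TPS-based versus stress-based decision above, replayed over constructed measurements as an added Python example (not F5 code): latency alone yields a backend alert, TPS alone fires only in TPS-based mode, and both together fire in stress-based mode. Threshold values, sample values and the event names are assumptions.

```python
def evaluate_sample(tps, latency_ms, tps_threshold, latency_threshold_ms):
    """Return what each detection mode does with one (TPS, latency) measurement."""
    tps_hit = tps >= tps_threshold
    stress = latency_ms >= latency_threshold_ms
    return {
        "tps_exceeded": tps_hit,
        "stress_exceeded": stress,
        # TPS based: mitigation follows the TPS thresholds alone (quick)
        "tps_based_mitigate": tps_hit,
        # Stress based: entering the stress state alone does nothing; both must hold
        "stress_based_mitigate": tps_hit and stress,
        # latency without a request increase is a backend problem, not a DDoS
        "backend_alert": stress and not tps_hit,
    }


def replay(samples, tps_threshold=500, latency_threshold_ms=300):
    """samples: list of (t, tps, latency_ms). Returns (t, events) for notable samples."""
    out = []
    for t, tps, lat in samples:
        r = evaluate_sample(tps, lat, tps_threshold, latency_threshold_ms)
        events = [k for k in ("tps_based_mitigate", "stress_based_mitigate", "backend_alert")
                  if r[k]]
        if events:
            out.append((t, events))
    return out


# Constructed measurements (time in seconds, TPS, backend latency in ms).
SAMPLES = [
    (0, 100, 80),     # normal
    (10, 110, 420),   # backend slow, no traffic increase -> alert only
    (20, 900, 90),    # traffic spike, backend coping -> TPS mode mitigates, stress mode waits
    (30, 950, 480),   # spike AND latency -> both modes mitigate
]

if __name__ == "__main__":
    for t, events in replay(SAMPLES):
        print(t, events)
```

The second and third samples are the "layers of defense" point: the stress-based profile stays quiet on a spike the backend absorbs, and it turns a slow backend without a spike into an operational alert rather than a DDoS mitigation.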
Heavy URLs
Not all URLs are equal; some are more attractive than others.
Heavy URLs are URLs that consume more processing resources from the server.
They are a good application DoS point: even a few requests can DoS the app.
Typical heavy URLs are the search box and product IDs, e.g. http://site.com/serach.php?q=a
(Diagram: a request to the heavy URL goes to the servers and database, which reply "Searching .. hold on .. Almost there.")
Heavy URL is another detection capability. Once the heavy URL thresholds are reached AND one of the By URL detection thresholds is reached, the URLs considered heavy are subjected to the active mitigation policy.
Example: By URL TPS reached 1000 TPS and CSID mitigation is currently being applied. Heavy URL is enabled.
Example:
If search.php is defined as heavy, and if the index URL is currently being mitigated with CSID because it exceeded the By URL thresholds (ratio or fixed), then every source IP that accesses search.php will also get the CSID check.
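The heavy URL rule and the search.php example above, as an added Python example (not F5 code): a heavy URL inherits the mitigation currently active for a By URL detection only when both the heavy URL threshold and a By URL threshold are reached. Detecting heavy URLs from measured latency, the function names and the sample latencies are assumptions.

```python
# From the slides' example: search.php is defined as a heavy URL.
CONFIGURED_HEAVY = {"/search.php"}


def detect_heavy(url_latency_ms, latency_threshold_ms, configured=CONFIGURED_HEAVY):
    """Heavy URLs are those configured as heavy plus those whose measured latency
    exceeds a threshold (assumption: latency is the resource-consumption signal)."""
    slow = {url for url, ms in url_latency_ms.items() if ms >= latency_threshold_ms}
    return set(configured) | slow


def mitigation_for(path, by_url_mitigations, heavy_urls, heavy_threshold_reached):
    """Return the policy applied to a request for `path`, or None.

    by_url_mitigations: url -> policy for URLs currently over a By URL threshold
    heavy_threshold_reached: the heavy URL detection threshold is currently exceeded
    Rule from the slides: heavy URLs are mitigated only when their own threshold AND
    one of the By URL thresholds is reached; they then get the active By URL policy.
    """
    if path in by_url_mitigations:
        return by_url_mitigations[path]
    if path in heavy_urls and heavy_threshold_reached and by_url_mitigations:
        # assumption: with several URLs under mitigation, the first active policy is used
        return next(iter(by_url_mitigations.values()))
    return None


if __name__ == "__main__":
    # Constructed per-URL latencies: product.php is slow enough to count as heavy.
    heavy = detect_heavy({"/index.php": 40, "/product.php": 900}, latency_threshold_ms=500)
    active = {"/index.php": "client_side_integrity"}   # index URL over its By URL threshold
    print(heavy)
    print(mitigation_for("/search.php", active, heavy, heavy_threshold_reached=True))
    print(mitigation_for("/search.php", active, heavy, heavy_threshold_reached=False))
```

The two prints for search.php show the AND: with the index URL under CSID but the heavy URL threshold not reached, search.php is still served unchallenged.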
Reporting first
L7 DDoS measurements: sources (IPs), URLs, site wide and geolocation, each measured in RPS, TPS and latency.
Good for me ??
The overall (site-wide) traffic threshold should be much higher than the other thresholds.
The values reflect the total amount of TPS that the virtual server can handle.
3) Determine the attack type: from fixed/random source IP to fixed/random URL. Conclude which of the detection types you need (source IP only? source IP and URL based only? etc.).
4) Fine tune thresholds according to the exceeding sources (ratio / fixed).
5) Apply mitigation and decide what is working and what is not. Uncheck the mitigations that are not effective.
(Attack report screenshot: host IP, time line and number of TPS; clicking the Attack ID shows the graph.)
Start and End points: red flags indicate the start of an attack and green flags indicate the end of an attack. Switching mitigation can occur several times over the course of a DDoS attack.
Blocked - Indicates traffic that was blocked as a result of the mitigation policy (any of the prevention policies, including bot blocking).
Proactive Mitigation - Indicates the amount of time that the proactive bot defense mechanism was served.
CAPTCHA mitigation - Indicates the amount of time that the CAPTCHA challenge was served to offending sources.
CS integrity mitigation - Indicates the amount of time that the client-side integrity defense challenge was served to offending sources.
BIG-IP Response - Indicates traffic that is a response to the client from the BIG-IP system.
Cache by BIG-IP - Indicates traffic that is served from the configured cache (WA, RamCache).
Whitelisted - Indicates traffic from IP addresses that are in the whitelist of the DoS profile.
Pass through - Indicates traffic that is passed through ASM to the application server.
During DDoS:
Identify the source IPs, URLs and entire-site traffic increase and determine the attack type.
Set the fixed TPS number in each of the above criteria and apply mitigation.
Verify the results in the Transaction Outcomes graph.
Simple Bots
Impersonating Bots (e.g. "Gohogle")
Bots with cookies / JS capabilities
DDoS Bots
(Diagram: users or bots, unidentified users and web bots against the servers and database.)
(Diagram: a simple bot announces "I'm a simple bot" to the server.)
Categorizing Bots
Bad Bots (aka malicious) are well-known command line tools; we want them out.
Good Bots
Bot Signatures - for each category (Bad Bots, Good Bots) the action is one of: None, Report, Block.
Verifying a Google bot (diagram):
1. Google: "I'm a Google bot" (to the Web Server).
2. ASM: "Let's see if you really are. I'm doing a reverse DNS lookup." (The Web Server queries the DNS Server.)
3. Google: "Thanks" (verified).
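The reverse DNS check in the exchange above, as an added Python example (not F5's implementation): a client claiming a known crawler is verified by a reverse lookup of its source IP and a forward lookup of the returned name that must lead back to the same IP. The resolver tables are constructed (RFC 5737 documentation addresses, hostnames invented for the demo); the fact that Google's crawlers resolve under googlebot.com and google.com is published by Google.

```python
# Constructed resolver tables standing in for live DNS.
PTR_RECORDS = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",       # forward-confirmed below
    "198.51.100.7": "crawl-198-51-100-7.googlebot.com",   # PTR claims googlebot, forward lookup disagrees
    "203.0.113.9": "gohogle.example",                     # the slides' "Gohogle" impersonator
}
A_RECORDS = {
    "crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
    "crawl-198-51-100-7.googlebot.com": {"192.0.2.99"},
    "gohogle.example": {"203.0.113.9"},
}
# Domains under which the real crawler's hosts resolve (published by the bot owner).
KNOWN_BOTS = {"googlebot": (".googlebot.com", ".google.com")}


def verify_bot(user_agent, src_ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Forward-confirmed reverse DNS for a client whose User-Agent claims a known bot.

    Returns 'unclaimed' (no bot claimed), 'verified' or 'impersonator'.
    """
    ua = user_agent.lower()
    claimed = next((bot for bot in KNOWN_BOTS if bot in ua), None)
    if claimed is None:
        return "unclaimed"
    host = ptr.get(src_ip)
    if host is None or not host.lower().endswith(KNOWN_BOTS[claimed]):
        return "impersonator"      # no PTR, or PTR outside the bot owner's domains
    if src_ip not in a.get(host, set()):
        return "impersonator"      # a PTR can say anything; the forward lookup must agree
    return "verified"


if __name__ == "__main__":
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1)"
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.9"):
        print(ip, verify_bot(ua, ip))
    print("203.0.113.9", verify_bot("curl/7.0", "203.0.113.9"))   # unclaimed
```

The second table entry is why the forward confirmation matters: whoever controls the reverse zone for an address can publish a PTR ending in googlebot.com, but cannot make Google's forward zone answer with that address.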
(Diagram: "Gohogle", an impersonating bot, tells the Web Server "I'm a Google bot, ha ha ha"; the reverse DNS lookup against the DNS Server does not confirm it. Gohogle: "Bummer".)
Proactive Bot Defense: various challenges are sent and then validated by PBD; the client is blocked or allowed.
Proactive Bot Defense flow (Browser, DoS Profile, App):
1. Browser sends the original HTTP request; the DoS Profile answers with a challenge.
2. DoS Profile reconstructs the request and forwards it to the App.
3. App returns the HTTP response (main page); further responses flow through.
(Diagram: a bot tells the Web Server "I'm a bot that simulates a browser"; it fails the challenge: "Bummer".)
Block Suspicious Browsers: additional tests are done to understand whether the client is a bot or a browser. ASM evaluates the source and gives it a score:
If the score indicates that the source is a bot, it is blocked.
If the score indicates uncertainty and the CAPTCHA challenge is checked, a CAPTCHA is presented to the source. If it is answered, the source is a human; if not, it is blocked.
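The block / CAPTCHA / allow decision described above, as an added Python example (not F5 code): observations are scored, a high score blocks, a middle score asks for a CAPTCHA when that option is checked, and the CAPTCHA outcome decides the rest. The signal names, weights, both cut-offs and the choice to allow an uncertain client when CAPTCHA is unchecked are assumptions; ASM's actual tests and scoring are not on the slides.

```python
# Hypothetical signals and weights; higher score means more bot-like.
SIGNAL_WEIGHTS = {
    "no_javascript": 40,           # challenge never answered
    "no_cookie_support": 30,
    "headless_user_agent": 25,
    "no_mouse_or_keyboard": 15,
    "missing_browser_headers": 10,
}
BOT_SCORE = 70          # at or above: confidently a bot
SUSPICIOUS_SCORE = 30   # at or above: uncertain


def score_client(signals):
    """Sum the weights of the bot-like observations that were made (signals: name -> bool)."""
    return sum(w for name, w in SIGNAL_WEIGHTS.items() if signals.get(name))


def decide(signals, captcha_enabled):
    """Return (action, score) where action is 'block', 'captcha' or 'allow'."""
    score = score_client(signals)
    if score >= BOT_SCORE:
        return ("block", score)
    if score >= SUSPICIOUS_SCORE:
        # uncertain: ask a human to prove it, but only if CAPTCHA is checked in the profile;
        # assumption: with CAPTCHA unchecked the uncertain client is let through
        return ("captcha", score) if captcha_enabled else ("allow", score)
    return ("allow", score)


def after_captcha(answered_correctly):
    """A correct answer means a human; anything else is blocked."""
    return "allow" if answered_correctly else "block"


if __name__ == "__main__":
    # Constructed observations for three clients.
    print(decide({"no_javascript": True, "no_cookie_support": True}, captcha_enabled=True))
    print(decide({"headless_user_agent": True, "missing_browser_headers": True}, captcha_enabled=True))
    print(decide({}, captcha_enabled=True))
    print(after_captcha(False))
```

Keeping the score and the action separate is what makes the reporting side useful: the score can be logged for every client even when only the extremes trigger an action.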
Block Suspicious Browsers flow (Browser, DoS Profile, App):
1. Browser sends a request; the DoS Profile returns an HTTP response that sets a cookie.
2. Browser sends GET /img.png with the cookie.
3. DoS Profile reconstructs the request and forwards it to the App; the HTTP response is returned.
Transaction Outcomes is very useful for monitoring traffic and indicates various measurements.
AVR will provide details on DoS bot signatures (use drill-downs).
Summary
Simple bots can easily be detected and blocked.
Whitelisting bots gives visibility into bot access and keeps other bots out.
Impersonating bots can be monitored / blocked.
Bots that support JavaScript and cookies can now be noticed and blocked.
Reporting on the bots visiting your web site is available via AVR.
Custom bot signatures are a powerful tool to deal with bots.
Bot signatures are updated via the ASM signature update.
Resources