14. DDoS attacks are easy to launch
hping3, nmap, Low Orbit ION, High Orbit ION, killapache.pl, slowloris, metasploit, slowhttptest, RussKill, Pandora, Dirt Jumper, PhantomJS, Jmeter, Scapy, Httpflooder, SSLyze, THC-SSL-DOS, and many, many more…
15. Low sophistication, high accessibility
• Accessible: booters/stressers are easy to find
• Lucrative: profit margins of up to 95%
• Effective: many DDoS victims pay up
Source: Securelist, Kaspersky Lab, March 2017
16. Mirai DDoS attacks: 620 Gbps, 1 Tbps, 1.2 Tbps
Source: The Hunt for IoT: The Rise of Thingbots, F5 Labs, August 2017
17. Application Threat Intelligence: critical info on threat source and attack type trends
23. Use Case - DDoS Attacks
Diagram labels: Hacker Bots; Silverline Cloud Services (DDoS Managed Service, Layer 3 DDoS Protection, Always On / Under Attack); On-Premises (DDoS Hybrid Defender, Layer 7 DDoS Protection, Core, Advanced WAF); Users; Communication (signaling). Option: consolidate into a single layer 3-7 solution.
Problem:
• DDoS attacks are growing, but your resources are not
• DDoS mitigation time is slow due to manual initiation and difficult policy tuning
Benefits:
• On-premises hardware acts immediately and automatically to mitigate attacks
• Silverline cloud services minimize the risk of larger attacks crippling your site or applications
Solution:
• Always-on protection with on-premises hardware
• Mitigate with a layered defense strategy and cloud services
• F5 SOC monitoring with portal
• Protect against all attacks with granular control
• Eliminate time-consuming manual tuning with machine learning
25. Share of Internet traffic that is automated (figure not recoverable from this page)
Share of 2016 web application breaches that involved the use of bots (figure not recoverable from this page)
98.6M bots observed
Source: Internet Security Threat Report, Symantec, April 2017
26. Client-Side Attacks: Malware, Ransomware, Man-in-the-browser, Session hijacking, Cross-site request forgery, Cross-site scripting
DDoS Attacks: SYN, UDP, and HTTP floods; SSL renegotiation; DNS amplification; Heavy URL
App Infrastructure Attacks: Man-in-the-middle, Key disclosure, Eavesdropping, DNS cache poisoning, DNS spoofing, DNS hijacking, Protocol abuse, Dictionary attacks
Web Application Attacks: API attacks, Cross-site scripting, Injection, Cross-site request forgery, Malware, Abuse of functionality, Man-in-the-middle, Credential theft, Credential stuffing, Phishing, Certificate spoofing, Protocol abuse
A common source of many threat vectors: Malware; Ransomware; Man-in-the-browser; Cross-site scripting; Dictionary attacks; SYN, UDP, and HTTP floods; SSL renegotiation; DNS amplification; Heavy URL; API attacks; Injection; Abuse of functionality; Credential stuffing; Phishing
29. Shortcomings of Today’s Approach
• Code-level security: difficulty differentiating between humans and modern bots; lags behind the rapid pace of bot evolution
• IP blocking: the sheer volume of IPs is difficult to track and block; ineffective at blocking TOR-based bots
• Traditional WAF: designed to protect against the OWASP Top 10; relies solely on CAPTCHA for bot protection
30. What is Required for Accurate Bot Detection?
• Bot signatures + DNS checks
• JS challenge + browser fingerprinting
• Browser capabilities
• Human detection
• Optional CAPTCHA
• Anomalies
Server should not receive traffic
35. Behavioural Analysis and Fingerprinting
• Detect GET flood attacks against heavy URIs
• Identify non-human surfing patterns
• Fingerprint to identify beyond IP address: operating system, geolocation, browser
Browser fingerprint attributes:
• Screen size and colour depth
• Plugin details
• Time zone
• HTTP_ACCEPT headers
• Language
• System fonts
• Touch support
• Extensions
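Added example (not from these slides or from any F5 product) of the first bullet above, detecting a GET flood against heavy URIs from access logs: the log format, client addresses, timings and thresholds are all constructed for the demonstration.

```python
"""Heavy-URI GET-flood detection over access log lines (constructed example).
Pass 1 learns which paths are heavy (high mean server time); pass 2 flags
clients whose GET rate against those paths in a sliding window is too high."""
import re
from collections import defaultdict

# Constructed log format: client_ip [epoch_s] "METHOD /uri" status server_ms
LOG_RE = re.compile(r'^(\S+) \[(\d+)\] "([A-Z]+) (\S+)" \d{3} (\d+)$')
SAMPLE_LOG = """203.0.113.5 [1000] "GET /index.html" 200 40
203.0.113.5 [1012] "GET /search?q=shoes" 200 850
192.0.2.9 [1020] "GET /report/annual" 200 1200
198.51.100.7 [1030] "GET /search?q=a" 200 900
198.51.100.7 [1031] "GET /search?q=b" 200 910
198.51.100.7 [1032] "GET /search?q=c" 200 905
198.51.100.7 [1033] "GET /search?q=d" 200 920
198.51.100.7 [1034] "GET /search?q=e" 200 890
198.51.100.7 [1035] "GET /search?q=f" 200 930""".splitlines()

def parse(lines):
    """List of (ip, ts, method, path, ms); the query string is stripped from path."""
    rows = [m.groups() for m in map(LOG_RE.match, lines) if m]
    return [(ip, int(ts), meth, uri.split("?", 1)[0], int(ms)) for ip, ts, meth, uri, ms in rows]

def heavy_paths(events, min_mean_ms=500):
    """Paths whose mean server time is at or above min_mean_ms."""
    totals = defaultdict(lambda: [0, 0])            # path -> [sum_ms, count]
    for _, _, _, path, ms in events:
        totals[path][0] += ms
        totals[path][1] += 1
    return {p for p, (s, n) in totals.items() if s / n >= min_mean_ms}

def flood_sources(events, heavy, window_s=10, max_per_window=5):
    """{ip: peak} for clients with more than max_per_window heavy GETs in any window_s seconds."""
    hits = defaultdict(list)
    for ip, ts, method, path, _ in events:
        if method == "GET" and path in heavy:
            hits[ip].append(ts)
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        lo = peak = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] >= window_s:       # advance the window start
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > max_per_window:
            flagged[ip] = peak
    return flagged
```

Tune min_mean_ms, window_s and max_per_window to the site's own measured baseline; the values here only fit the constructed sample.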
41. Fraudsters eat for free as Deliveroo accounts hit by mystery breach
• No prior breach
• Dozens of account takeovers left users picking up food bills they never ordered
• Unsuspecting victims received receipts via email, after it was too late
42. Breach sizes shown: 70 million, 427 million, 150 million, 3 billion, 117 million (breach names not recoverable from this page)
In the last 8 years more than 7.1 billion identities have been exposed in data breaches (1)
“Nearly 3 out of 4 consumers use duplicate passwords, many of which have not been changed in five years or more” (2)
1) Symantec Internet Security Threat Report, April 2017
2) Password Statistics: The Bad, the Worse and the Ugly, Entrepreneur Media
43. The same USERNAME shown across accounts holding Credit Card Data, Intellectual Property, Healthcare Data, Passport Data, and Financial Data
44. Application Threat Intelligence: info on emerging threats
• What is it?
• Who does it affect?
• Protection strategy recommendations
47. In the first quarter of 2017, a new specimen of malware emerged every 4.2 seconds
1 in every 131 emails included malware in 2016
Over half (51%) of all breaches in 2016 involved some form of malware
Sources:
1) Malware trends 2017, G DATA Software
2) Symantec Internet Security Threat Report, April 2017
3) WannaCry Update, Rapid7 Blog, May 2017
48. Application Threat Intelligence: use our research to learn about new types of malware
49. Injects into running processes
Hooks functions inside Windows DLLs
MitM – sends credentials to command and control center
55. F5 Advanced WAF
Protect against bots, credential attacks, and app-layer DoS
Key Benefits:
• Protects Web and mobile apps from exploits, bots, theft, and app-layer DoS
• Prevents malware from stealing data and credentials
• Prevents brute force attacks that use stolen credentials
• Eliminates time-consuming manual tuning for app-layer DoS protection
Defend against bots
• Proactive bot defense
• Anti-bot mobile SDK
• Client and server monitoring
Protect apps from DoS
• Auto-tuning
• Behavioral analytics
• Dynamic signatures
Prevent account takeover
• App-level encryption
• Mobile app tampering
• Brute force protection
Diagram labels: Mobile, Bot Mitigation, Credential Protection, App-Layer DoS, Hacker, Anti-bot Mobile SDK, Bots, F5 Advanced WAF, Users, credentials
57. F5 Advanced WAF
License legend: (S)ubscription License, (A)dd On License, (I)ncluded in the AWAF
• Base ADC
• ASM
• Anti Bot
• DataSafe
• L7 DDoS (BaDoS Limited)
• BaDoS Unlimited
• Credential Stuffing (S)
• Anti Bot Mobile (A)
• Threat Campaigns (S)
• API Security (A)
• Upstream Signaling
• C. Device ID (S)
58. What LTM features are available on ASM?
Starting with BIG-IP ASM version 13.1.0.1, the following LB capabilities have been added to ASM (with no need for an LTM license):
• Up to 3 pool members
• LB methods supported: Round Robin, Ratio (member), Ratio (node)
59. What LTM features are available on AWAF?
Starting with BIG-IP version 13.1.0.2, the following LTM features are part of the AWAF (Advanced WAF) license:
Load Balancing
• No limit on the number of pool members
• LB methods supported: Round Robin, Ratio (member), Least Connections (member), Ratio (node), Least Connections (node), Weighted Least Connection (member), Weighted Least Connection (node), Ratio Least Connection (member), Ratio Least Connection (node)
Persistency
• Cookie persistency
• Source address
• Host
• Destination address