The document discusses DDoS mitigation strategies presented by Aura Information Security. It outlines common DDoS threats like NTP amplification attacks and application layer attacks. It then discusses the limitations of traditional firewalls and how the TMOS platform can better mitigate attacks through TCP proxying, behavioral analysis and interaction. The presentation concludes with an overview of Aura's DDoS reference architecture using F5 technology and their managed security services.
DDoS Mitigation Strategies Explained
1. DDoS Mitigation on the Front Line
Presenter:
Sam Pickles, CTO
Aura Information Security
2. Overview
• Why we’re here
– Who are Aura Information Security
• What we’re seeing in the wild
– DDoS Threats
• DDoS Mitigation Strategies
• DDoS Reference Architecture Extended
3. Aura RedShield
• Aura Information Security
• F5 Technology Alliance Partners
• NZ’s leading Information Security consulting company.
• Deloitte’s NZ Fast 50 + Fastest growing Tech in Wlg
• Deloitte APAC Tech Fast 500 2010, 2011, 2012
• Electra Business of the Year 2010 / 2011
• Finalists in NZ HiTech Awards 2014
• Customers across NZ Govt and private sector.
– NZDF Panel, All-of-Govt Panel, banking, telco, energy, health, hi-tech
• Services:
– Penetration Testing, InfoSec Training, Security Research, Security Architecture,
Code Reviews
• Aura RedEye
• Globally registered PCI ASV (Approved Scanning Vendor)
• Winner of the ANZIAs 2012 for Security and Privacy
10. NTP Amplification
• One small command sends a single UDP request:
– ntpdc -c monlist 117.1x.1xx.1x
• The response is huge and is sent to the victim.
• Even a small botnet can trigger an avalanche
12. NTP Amplification Hits RedShield
• Large scale NTP attack hit Aura’s network on March 16th 2014
• Target victim is a government sector org
• Source addresses = approximately 2500 NTP servers identified
• TMOS scrubs by default
13. 200 x Amplification
• Each NTP request triggers a large text stream to the victim
• Thousands of requests per second
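Slides 10 and 13 describe the victim-side symptom of NTP amplification: a trickle of small requests turns into a flood of large UDP/123 replies from many servers the victim never queried. The detector below is an added example (not from the presentation or from Aura/F5) that runs over constructed flow records of the form (src_ip, src_port, dst_ip, dst_port, bytes) and flags hosts whose inbound NTP bytes dwarf what they sent while hearing from many distinct servers at once. The thresholds and sample addresses are assumptions.

```python
"""Spot NTP amplification traffic in constructed UDP flow records.

Added example, not from the presentation. A flow here is a plain tuple
(src_ip, src_port, dst_ip, dst_port, bytes); real input would come from
NetFlow/sFlow or a packet capture at the network edge.
"""
from collections import defaultdict

NTP_PORT = 123

# Constructed sample flows (RFC 5737 documentation addresses, not real traffic).
SAMPLE_FLOWS = [
    # A normal NTP sync: a 90-byte query out, a 90-byte reply back.
    ("192.0.2.10", 50001, "198.51.100.5", NTP_PORT, 90),
    ("198.51.100.5", NTP_PORT, "192.0.2.10", 50001, 90),
    # The victim 192.0.2.20 sent one ordinary query of its own ...
    ("192.0.2.20", 50002, "198.51.100.5", NTP_PORT, 90),
    # ... but receives large replies from many servers it never queried,
    # because the attacker spoofed its address in monlist-style requests.
    ("203.0.113.1", NTP_PORT, "192.0.2.20", 9000, 44000),
    ("203.0.113.2", NTP_PORT, "192.0.2.20", 9000, 44000),
    ("203.0.113.3", NTP_PORT, "192.0.2.20", 9000, 44000),
    ("203.0.113.4", NTP_PORT, "192.0.2.20", 9000, 44000),
]


def summarise_ntp(flows):
    """Per host: bytes received from UDP/123 and the distinct servers sending
    them, plus the bytes each host itself sent to UDP/123."""
    inbound = defaultdict(lambda: {"bytes": 0, "sources": set()})
    outbound = defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if sport == NTP_PORT:
            inbound[dst]["bytes"] += nbytes
            inbound[dst]["sources"].add(src)
        if dport == NTP_PORT:
            outbound[src] += nbytes
    return inbound, outbound


def find_amplification_victims(flows, min_ratio=10.0, min_sources=3):
    """Return {victim_ip: stats} for hosts whose inbound NTP bytes far exceed
    what they sent and that hear from many distinct NTP servers at once.

    Thresholds are assumptions for the example; tune them to your baseline.
    """
    inbound, outbound = summarise_ntp(flows)
    victims = {}
    for host, info in inbound.items():
        sent = outbound.get(host, 0)
        ratio = info["bytes"] / sent if sent else float("inf")
        if ratio >= min_ratio and len(info["sources"]) >= min_sources:
            victims[host] = {
                "inbound_bytes": info["bytes"],
                "ntp_sources": len(info["sources"]),
                "amplification": ratio,
            }
    return victims


if __name__ == "__main__":
    for host, stats in find_amplification_victims(SAMPLE_FLOWS).items():
        print(f"{host}: {stats['ntp_sources']} NTP sources, "
              f"{stats['inbound_bytes']} bytes in, ~{stats['amplification']:.0f}x")
```

The ordinary NTP client (one reply, ratio 1) is left alone; the victim is flagged by both the byte ratio and the count of distinct reflecting servers, which is the same signal the slide reports as "approximately 2500 NTP servers identified". The ratio alone is a weak signal on a host that sends no NTP at all, so the source count is the more reliable of the two conditions.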
14. Meanwhile, keep your eyes on the applications…
• Application Layer DDoS increasing in popularity
• Malicious individuals with limited resources can now cause outages
• These attacks work just as well over SSL
20. Issues - Weaponized Defenses
• Many defensive strategies can be turned against the application
• Rate limiting SYNs by destination can cause failed handshakes, even while the pipe is not full
• Blocking DNS or SYN attacks by source IP: spoofed-origin packets cause blocking of an IP of the attacker's choice
21. Issues – Traditional Firewalls:
• Traditional Firewalls have limitations:
– Cannot tell spoofed origin traffic from real IP
– Limited to Dropping packets
• Such defenses can be turned against the app
– Max sessions tends to be easily reached
– Struggle with encrypted attacks, layer 7, low and slow, and other behavioral attacks
22. Why TMOS?
• TCP inline, all the time
– Accelerates and mitigates from the first packet
• High capacity SSL, with iRules (see: sslsqueeze)
• SSL cert management in one place
33. Test Driven Security
Vulnerability Scanning
Application Penetration Testing
Remediation and Retesting
Continuous Scanning and Analysis
Attack Monitoring and Reporting
Incident Response and Technical Support
34. Why not check out…
Aura Managed Services overview:
http://aurainfosec.com/managed-services.html - redshield
FAQ, knowledgebase and forums:
https://auraredeye.zendesk.com
Editor's Notes
F5 TMOS platforms present the opportunity to mitigate a wide variety of security threats from network, to application layer, in a consolidated architecture. In this talk, we’ll illustrate this by taking a look at what our F5s are picking up in the wild; and discuss our view of datacenter security for your critical applications.
This attack was launched against CDN provider Cloudflare and is claimed to be the world's biggest DDoS so far (this record won’t last!)
All those byte ranges cause the server to produce a full copy of the large-file.pdf response, for each byte range. A PDF of 2MB can thus cause this single response to take up 50MB of memory while the server responds.
Multiply by thousands or more, and a single individual can cause a website outage without needing a botnet.
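The byte-range attack above works because each range in a single Range header costs the server a separate copy of the response. A server-side check that refuses such requests before any copy is made is shown below as an added example; it is not the presentation's code, nor Aura's or F5's. It parses the Range header, caps the number of ranges (the same idea as the MaxRanges limit later added to Apache httpd) and rejects overlapping or malformed ranges, which legitimate clients never send. The limit of five ranges and the 2 MB sample size are assumptions.

```python
"""Validate an HTTP Range header before serving a multi-range response.

Added example, not from the presentation. Call check_range_request() with
the raw header value and the size of the resource; serve the ranges only if
it returns (True, "ok"), otherwise answer 416 (or ignore the header and send
the whole resource), which costs the server one copy instead of many.
"""
import re

# One range-spec: "first-last", "first-" or "-suffix_length" (RFC 7233).
RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_byte_ranges(header_value, content_length):
    """Return a list of inclusive (start, end) tuples, or None if malformed."""
    if not header_value.startswith("bytes="):
        return None
    ranges = []
    for spec in header_value[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec)
        if not m:
            return None
        first, last = m.group(1), m.group(2)
        if first == "" and last == "":
            return None
        if first == "":                      # suffix range: the last N bytes
            n = int(last)
            if n == 0:
                return None
            start, end = max(content_length - n, 0), content_length - 1
        else:
            start = int(first)
            end = int(last) if last else content_length - 1
            end = min(end, content_length - 1)
            if start > end:                  # reversed or beyond the resource
                return None
        ranges.append((start, end))
    return ranges


def check_range_request(header_value, content_length, max_ranges=5):
    """Decide whether a Range header is safe to honour.

    max_ranges is an assumed policy value; pick one that covers the clients
    you actually serve (download managers rarely need more than a handful).
    """
    ranges = parse_byte_ranges(header_value, content_length)
    if ranges is None:
        return False, "malformed"
    if len(ranges) > max_ranges:
        return False, "too many ranges"
    # Ranges that overlap re-request bytes already covered; a real client
    # has no reason to do that, but it is exactly what inflates memory use.
    ordered = sorted(ranges)
    for (_, prev_end), (start, _) in zip(ordered, ordered[1:]):
        if start <= prev_end:
            return False, "overlapping"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs against a hypothetical 2 MB large-file.pdf.
    size = 2_000_000
    for hdr in ("bytes=0-499", "bytes=-500",
                "bytes=0-,0-,0-",
                "bytes=" + ",".join("0-" for _ in range(20))):
        print(hdr[:40], "->", check_range_request(hdr, size))
```

The check runs in time linear in the number of ranges and allocates nothing proportional to the file, so it can sit in front of the expensive multipart/byteranges path. Rejecting rather than silently trimming keeps the behaviour predictable for clients and makes the rejections easy to count in logs.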
This example hit RedShield in March.
An average customer on RedShield currently receives around 100-200 L7 DoS reconnaissance probes per month. Each IP address tends to make 3-15 requests and tests one or two techniques to verify whether the server is a potential target.
Interestingly, these attacks almost never escalate against policies in blocking mode, but are more often seen during the initial policy-tuning phase, before blocking is enabled. Monitoring ASM immediately after deployment is critical, as is progression towards blocking mode.
This type of attack doesn’t get picked up by network monitoring systems, because its bandwidth requirements are small. A few Mbps can completely disable a vulnerable service, far less than a smash-up style amplified botnet needs. Most administrators would suspect application problems, try rebooting servers, read error logs etc. These attacks can be hard to troubleshoot because the traffic is legitimate HTTP.
Attacks like this are also often launched over HTTPS in an effort to avoid detection. A favorite of Anonymous; particularly prevalent against government targets due to popularity with hacktivists.
This proportion of traffic is steadily rising. We see SSL attacks up ~30% from previous year.
These layers all actively mitigate different types of attacks, and cover the full spectrum from network to application, from DDoS to advanced hacking techniques. Each layer is naturally part of the infrastructure stack – not a bottleneck, but an accelerator. Each layer earns its permanent place in the application stack by offloading, accelerating, improving performance and reliability of applications. When attack traffic strikes, the infrastructure responds from the very first packet, whilst continuing its function and processing desirable user traffic.
Contrast this approach with a firewall, or another reactive device such as a DDoS mitigator, which needs to insert itself into suspicious sessions when attacks are detected. This requires another point of SSL certificate management and another place to define your applications, and the device will generally cause performance degradation such as latency and additional TCP overhead.
Mode 0: Normal Operation.
- Clients query RedShield DNS to find your application and come to your datacenter; accessing applications hosted via on-premise F5 Big IP.
- Vulnerabilities in the application are found by Aura RedEye or third party scanners.
- Mitigation is deployed and managed by RedShield On-Premise service, delivering application security policies built on ASM and iRules.
- Security logs are sent via encrypted links into RedShield Cloud, where they are analysed by Aura’s Analyst team and incorporated into dashboards and reports.
- Vulnerabilities and Incidents are detected and mitigated.