Partner Technical Training
Protecting Services: Protection Settings Deep Dive
Partner • Sales • Engineering
APS
©2017 ARBOR® CONFIDENTIAL & PROPRIETARY
Release 5.12
Objectives
At the conclusion of this unit you should understand how to:
• Use Arbor APS to protect:
• L3 and L4 services
• Web Servers
• SSL secured services
• DNS Servers
• SIP Servers
• Other Servers
PROTECTING FROM L3 & L4 ATTACKS
Invalid Packets Protection
• Non-configurable, always-on Protection designed to drop clearly malformed
(“wrong”) packets
Invalid Packets Protection – IPv4
• IPv4 Invalid Packets Protection performs the following checks:
  • IPv4 header checks
    • Malformed IP header
    • Bad IP checksum
    • Short packet
  • Fragmentation checks
    • Incomplete Fragment
    • Duplicate Fragment
    • Fragment too long
  • Layer 4 checks
    • Short TCP/UDP/ICMP Packet
    • Bad TCP/UDP Checksum
    • Invalid TCP Flags
    • Invalid ACK Number
• Invalid Packets is a Packet-blocking Protection: offending packets are dropped,
the source host is not blocked
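Added example (not Arbor code): a minimal IPv4/Layer 4 validator in Python that applies the header, length, checksum and TCP flag checks listed above to constructed sample packets. The packet builders and the exact rule used for the “Invalid ACK Number” check (acknowledgement field must be zero when the ACK flag is clear) are assumptions; the deck does not describe how APS implements these checks.

```python
import ipaddress
import struct

# TCP flag bits (RFC 793)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum over `data` (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed sample packet (not APS code): minimal IPv4 header with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                                64, proto, 0, ipaddress.IPv4Address(src).packed,
                                ipaddress.IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", ones_complement_sum(bytes(hdr)))
    return bytes(hdr) + payload


def build_tcp(src: str, dst: str, sport: int, dport: int, seq: int, ack: int,
              flags: int, payload: bytes = b"") -> bytes:
    """Constructed sample TCP segment inside an IPv4 packet, with a valid TCP checksum."""
    seg = bytearray(struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                                65535, 0, 0)) + payload
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(seg)))
    seg[16:18] = struct.pack("!H", ones_complement_sum(pseudo + bytes(seg)))
    return build_ipv4(src, dst, 6, bytes(seg))


def check_ipv4_packet(pkt: bytes) -> list:
    """Return the Invalid Packets violations found in `pkt` (empty list = packet passes)."""
    if len(pkt) < 20:
        return ["short packet"]
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20:
        return ["malformed IP header"]
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if len(pkt) < ihl or total_len < ihl or total_len > len(pkt):
        return ["short packet"]          # header or declared length runs past the data
    problems = []
    # A header whose checksum field is correct sums to zero under RFC 1071.
    if ones_complement_sum(pkt[:ihl]) != 0:
        problems.append("bad IP checksum")
    proto, src, dst = pkt[9], pkt[12:16], pkt[16:20]
    seg = pkt[ihl:total_len]
    if proto == 6:                       # TCP
        if len(seg) < 20:
            return problems + ["short TCP packet"]
        pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))
        if ones_complement_sum(pseudo + seg) != 0:
            problems.append("bad TCP checksum")
        flags = seg[13] & 0x3F
        if flags == 0 or (flags & SYN and flags & FIN) or (flags & SYN and flags & RST):
            problems.append("invalid TCP flags")   # null, SYN+FIN and SYN+RST never occur legitimately
        ack_num = struct.unpack("!I", seg[8:12])[0]
        if not flags & ACK and ack_num != 0:
            problems.append("invalid ACK number")  # assumption: ack field must be 0 without the ACK flag
    elif proto == 17:                    # UDP
        if len(seg) < 8:
            return problems + ["short UDP packet"]
        udp_len = struct.unpack("!H", seg[4:6])[0]
        if udp_len < 8 or udp_len > len(seg):
            return problems + ["short UDP packet"]
        if struct.unpack("!H", seg[6:8])[0] != 0:  # zero means "no checksum" for UDP over IPv4
            pseudo = src + dst + struct.pack("!BBH", 0, 17, udp_len)
            if ones_complement_sum(pseudo + seg[:udp_len]) != 0:
                problems.append("bad UDP checksum")
    elif proto == 1 and len(seg) < 8:    # ICMP
        problems.append("short ICMP packet")
    return problems
```

Each check returns a list of reasons rather than a single verdict, so a report can show every violation a packet carries; the early returns cover cases where later checks would read past the available bytes.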
Invalid Packets Protection – IPv6
IPv6 Invalid Packets Protection performs the following checks:
  • IPv6 header checks
    • Malformed IP header
    • Short packet
    • Incorrect order of extension headers
    • Duplicate extension headers
    • Type 0 routing header
    • Incorrect packet length (not a multiple of 8 or wrong size of extension header)
    • Invalid Hop-by-Hop options (jumbo payload option or invalid option length)
  • Fragmentation checks
    • Incomplete Fragment
    • Duplicate Fragment
    • Fragment too long
    • Fragment overlap
  • Layer 4 checks
    • Short TCP/UDP/ICMP Packet
    • Bad TCP/UDP Checksum
    • Invalid TCP Flags
    • Invalid ACK Number
Note: Invalid Packets is a Packet-blocking Protection
Multicast Blocking Protection
IPv4
• Drops all inbound and outbound traffic sourced from or destined to multicast
address space (224.0.0.0/4)
• Enable only for protection groups that must not receive any multicast traffic
• Make sure not to block routing protocols that use multicast for hello messages
• Whitelist small multicast address blocks that are active through Arbor APS
Private Address Blocking
IPv4
• Drops all inbound and outbound traffic sourced from or destined to:
• 0.0.0.0/8
• 10.0.0.0/8
• 127.0.0.0/8
• 172.16.0.0/12
• 192.168.0.0/16
• Disabled by default
• Enable if you suspect an attack from spoofed private IP addresses
UDP Flood Detection Protection
IPv4
• Blocks excessive amounts of UDP from a source
• Separate thresholds for bps and pps
• Hosts violating a threshold during medium or high protection level are blocked
for 60 seconds
• Hosts violating a threshold on low protection level are not blocked but traffic is
policed down to the configured threshold
• Disabled by default; the exception is the Web Server server type and its
derivatives, where it is enabled by default at the medium and high protection levels
DNS Amplification Attack: UDP Flood
Source IP of Victim (v) spoofed when query sent
to resolver (r), resolver receives, responds to v.
55-byte query elicits 4200-byte response
[Figure: the attacker (a) sends a query to the resolver (r) with the victim's
address (v) as the spoofed source; r sends the response to v]
A botnet with as few as 20 DSL-connect homes (1 Mbps
upstream each) can generate 1.5 Gbps of attack traffic
with DNS reflective amplification attack vectors such as
those employed for root server attacks in early 2006
(1:76 amplification factor). Most enterprises have little
more than 155 Mbps Internet connectivity.
UDP Flood Attacks
• UDP is stateless, making it a common tool for flood attacks
• Generation of UDP packets is easy
• Stateless implies spoofing source IP addresses is possible
• BPS and PPS: packet sizes may range from 60 to 1500 bytes
• High volume of small packets can cause forwarding issues for routers and firewalls
and other inline devices
  • 1 Mpps @ 60 bytes = 458 Mbps
  • 1 Mpps @ 1400 bytes = 10 Gbps
• UDP Floods do not generally impact services (unless DNS) but do impact
the infrastructure causing collateral damage
• UDP Floods can cause jitter and latency, impacting other services like VoIP
Mitigating UDP Floods – Filter Lists
• DNS is the primary attack target with UDP floods
• DNS Amplification floods can generate a high rate of large UDP packets
• Filter Lists allow you to deal with UDP floods
• Example
drop proto udp dst 192.168.2.11
The above example will drop a UDP flood attack going to the victim
(192.168.2.11) but will not drop all UDP packets
• If the victim is a web server this approach is fine; if it is a DNS server it is not.
However, APS has specific Protections to handle attacks on DNS servers
TCP SYN Flood Detection Protection
IPv4
• All TCP traffic from a single source is inspected
• If the number of SYN packets per second exceeds the SYN Rate, or
• If the SYN ACK Delta Rate is exceeded (number of SYN packets – number of
ACK packets)
  • Traffic is dropped
  • Source is temporarily blocked for 60 seconds
• TCP SYN Flood Detection can be used to detect and stop SYN floods, which
can exhaust a server's resources, forcing it to reject new/legitimate connections
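Added example (not Arbor code) covering both the UDP Flood Detection and the TCP SYN Flood Detection slides: per-source one-second counters in Python with bps/pps thresholds (policing at the low protection level, a 60-second block at medium/high) and SYN Rate / SYN ACK Delta Rate thresholds. The threshold values and the constructed traffic stream are assumptions chosen for the demonstration.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10       # TCP flag bits
BLOCK_SECONDS = 60          # temporary block applied by both Protections


class SecondWindow:
    """Per-source counters for the current one-second window (constructed helper)."""

    def __init__(self):
        self.second = None
        self.counts = defaultdict(int)

    def add(self, ts: float, key: str, amount: int = 1) -> int:
        if int(ts) != self.second:               # a new second starts the count again
            self.second, self.counts = int(ts), defaultdict(int)
        self.counts[key] += amount
        return self.counts[key]


class FloodDetector:
    """UDP Flood Detection (pps/bps per source) and TCP SYN Flood Detection (SYN rate and
    SYN-ACK delta per source) with the blocking behaviour the deck describes."""

    def __init__(self, level: str, udp_pps: int, udp_bps: int, syn_rate: int, syn_ack_delta: int):
        assert level in ("low", "medium", "high")
        self.level = level
        self.udp_pps, self.udp_bps = udp_pps, udp_bps
        self.syn_rate, self.syn_ack_delta = syn_rate, syn_ack_delta
        self.windows = defaultdict(SecondWindow)
        self.blocked_until = {}

    def _block(self, src: str, ts: float) -> str:
        self.blocked_until[src] = ts + BLOCK_SECONDS
        return "blocked"

    def handle(self, ts: float, src: str, proto: str, length: int, flags: int = 0) -> str:
        """Return 'pass', 'drop' (policed, source not blocked) or 'blocked' for one packet."""
        if self.blocked_until.get(src, 0) > ts:
            return "blocked"
        w = self.windows[src]
        if proto == "udp":
            pps = w.add(ts, "udp_pkts")
            bps = w.add(ts, "udp_bits", length * 8)
            if pps <= self.udp_pps and bps <= self.udp_bps:
                return "pass"
            if self.level == "low":               # low level: police down to the threshold only
                return "drop"
            return self._block(src, ts)           # medium/high: 60-second block
        if proto == "tcp":
            syns = w.add(ts, "syn", 1 if flags & SYN else 0)
            acks = w.add(ts, "ack", 1 if flags & ACK else 0)
            if syns > self.syn_rate or syns - acks > self.syn_ack_delta:
                return self._block(src, ts)
            return "pass"
        return "pass"


def constructed_traffic() -> list:
    """Constructed sample stream of (ts, src, proto, length, flags) tuples."""
    pkts = []
    # 1500 UDP packets of 1400 bytes from one source inside the first second (a flood)
    pkts += [(i / 1500, "10.0.0.1", "udp", 1400, 0) for i in range(1500)]
    pkts += [(30.0, "10.0.0.1", "udp", 1400, 0), (70.0, "10.0.0.1", "udp", 1400, 0)]
    # a client completing 50 handshakes (SYN then ACK) within the same second
    for i in range(50):
        pkts += [(0.01 * i, "192.0.2.7", "tcp", 60, SYN),
                 (0.01 * i + 0.005, "192.0.2.7", "tcp", 60, ACK)]
    # a SYN flooder: 300 SYNs and never an ACK
    pkts += [(0.002 * i, "203.0.113.9", "tcp", 60, SYN) for i in range(300)]
    # a few legitimate DNS-sized UDP packets
    pkts += [(0.1 * i, "192.0.2.8", "udp", 80, 0) for i in range(5)]
    return sorted(pkts)


def simulate(level: str) -> dict:
    """Run the constructed stream through the detector; return per-source verdict counts."""
    det = FloodDetector(level, udp_pps=1000, udp_bps=20_000_000, syn_rate=200, syn_ack_delta=100)
    result = defaultdict(lambda: {"pass": 0, "drop": 0, "blocked": 0})
    for ts, src, proto, length, flags in constructed_traffic():
        result[src][det.handle(ts, src, proto, length, flags)] += 1
    return dict(result)
```

Running simulate("low") and simulate("medium") side by side shows the two behaviours the slides describe: at low level the UDP source keeps its first 1000 packets per second and loses only the excess, while at medium level the first violation blocks it for 60 seconds; the SYN flooder trips the SYN-ACK delta (101 unanswered SYNs) before it reaches the raw SYN rate.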
SYN Flood Attacks
• SYN flood attacks attempt to exhaust the server-side resources
for TCP connections
• Source(s) continuously send packets with just the SYN bit set
• Victim (Server) must open a connection and send a SYN-ACK back
to the source
  • The connection is kept open (half-open) waiting for the source
  • In a legitimate handshake the source ACKs and then data is exchanged,
  and the source eventually terminates the connection
  • In a SYN flood the ACK never arrives, and the server only frees the
  connection when it times out
• SYN packets are typically small in size
TCP Stack Attack – SYN Flood Attack
Spoofed SYN Flood Prevention
• Any TCP connection attempt will be inspected
• If the destination port is in the “Except on ports” list, the TCP traffic
is immediately allowed through
• TCP traffic to other ports is not allowed through until source is authenticated
by the protection
• TCP connections from non-authenticated sources are not allowed through
but their sources are not temporarily blocked either
Spoofed SYN Flood Prevention Operation (1/2)
Connection Reset Authentication
[Figure: message sequence between Client, APS and Server]
1. Client sends first SYN to establish a connection with the server
   Flags [SYN], seq=4205432417
2. APS intercepts the SYN and sends a SYN ACK back to the client with a valid
   ack number and an APS-derived sequence number
   Flags [SYN ACK], ack=4205432418, seq=4785326538
3. Valid client responds with an ACK, using the received sequence number + 1
   as the acknowledgement number
   Flags [ACK], ack=4785326539
4. Client is authenticated
5. APS sends the client a RST ACK to close this connection
   Flags [RST ACK], ack=4205432418
6. Client re-sends SYN to establish a connection with the server
   Flags [SYN], seq=4205432417
7. APS allows the subsequent SYN through to the original destination
Spoofed SYN Flood Prevention Operation (2/2)
Out of Sequence Authentication
[Figure: message sequence between Client, APS and Server]
1. Client sends first SYN to establish a connection with the server
   Flags [SYN], seq=4205432417
2. APS intercepts the SYN and sends a SYN ACK back to the client with matching,
   APS-derived, deliberately invalid ack and sequence numbers
   Flags [SYN ACK], ack=253118415, seq=253118415
3. Valid client responds to the invalid SYN-ACK with a RST
   Flags [RST], seq=253118415
4. Client re-sends SYN to establish a connection with the server
   Flags [SYN], seq=4205432417
5. Client is authenticated
6. APS allows the SYN through to the original destination
7. Server responds and the normal TCP handshake completes
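Added example (not Arbor code): a Python model of the two authentication exchanges on the preceding slides, with APS on one side and either a conforming TCP stack or a spoofed source on the other. The way the APS-derived sequence number is produced (a keyed hash over source and ISN) and the secret behind it are assumptions; the deck only states that the number is APS-derived.

```python
import hashlib

SYN, ACK, RST = "SYN", "ACK", "RST"
MOD32 = 2 ** 32
SECRET = b"constructed-demo-secret"   # assumption: stands in for whatever APS derives its numbers from


def derived_number(src: str, client_seq: int) -> int:
    """Assumed derivation of an unpredictable 32-bit number bound to the source and its ISN."""
    digest = hashlib.blake2b(f"{src}:{client_seq}".encode(), key=SECRET, digest_size=4).digest()
    return int.from_bytes(digest, "big")


class SynAuthenticator:
    """Model of APS in front of the server; mode is 'reset' or 'out_of_sequence'."""

    def __init__(self, mode: str):
        self.mode = mode
        self.pending = {}          # src -> (client ISN, APS-derived number)
        self.authenticated = set()

    def handle(self, seg: dict):
        """Return (action, reply). action is challenge, authenticated, forward or drop."""
        src, flags = seg["src"], seg["flags"]
        if src in self.authenticated:
            return "forward", None                       # SYN goes through to the real server
        if flags == {SYN}:
            n = derived_number(src, seg["seq"])
            if self.mode == "reset":
                # Connection Reset Authentication: valid ack number, APS-derived sequence number
                self.pending[src] = (seg["seq"], n)
                return "challenge", {"flags": {SYN, ACK}, "seq": n, "ack": (seg["seq"] + 1) % MOD32}
            # Out of Sequence Authentication: deliberately invalid, matching ack and seq
            bogus = n if n != (seg["seq"] + 1) % MOD32 else (n + 1) % MOD32
            self.pending[src] = (seg["seq"], bogus)
            return "challenge", {"flags": {SYN, ACK}, "seq": bogus, "ack": bogus}
        if src in self.pending:
            client_seq, n = self.pending[src]
            if self.mode == "reset" and flags == {ACK} and seg["ack"] == (n + 1) % MOD32:
                self.authenticated.add(src)
                del self.pending[src]
                # close this connection so the client's stack retries its SYN
                return "authenticated", {"flags": {RST, ACK}, "seq": (n + 1) % MOD32,
                                         "ack": (client_seq + 1) % MOD32}
            if self.mode == "out_of_sequence" and flags == {RST} and seg["seq"] == n:
                self.authenticated.add(src)
                del self.pending[src]
                return "authenticated", None
        return "drop", None                              # unauthenticated traffic: dropped, not blocked


def legitimate_client(src: str, isn: int):
    """Replies a conforming TCP stack gives to each APS segment (RFC 793 behaviour)."""
    def respond(seg: dict):
        if seg["flags"] == {SYN, ACK}:
            if seg["ack"] == (isn + 1) % MOD32:          # acceptable SYN-ACK: complete the handshake
                return {"src": src, "flags": {ACK}, "seq": (isn + 1) % MOD32,
                        "ack": (seg["seq"] + 1) % MOD32}
            return {"src": src, "flags": {RST}, "seq": seg["ack"], "ack": 0}   # bad ack: RST, seq = SEG.ACK
        if seg["flags"] == {RST, ACK}:
            return {"src": src, "flags": {SYN}, "seq": isn, "ack": 0}          # reset: retry the SYN
        return None
    return respond


def spoofed_source(seg: dict):
    """A spoofed source never sees APS's replies, so it never answers."""
    return None


def run_handshake(aps: SynAuthenticator, src: str, isn: int, respond, max_rounds: int = 6) -> list:
    """Drive one client through the authenticator; returns the sequence of APS actions."""
    seg = {"src": src, "flags": {SYN}, "seq": isn, "ack": 0}
    transcript = []
    for _ in range(max_rounds):
        action, reply = aps.handle(seg)
        transcript.append(action)
        if action == "forward":
            break
        nxt = respond(reply) if reply else None
        if nxt is None:
            if action != "authenticated":                # no answer: nothing more happens for this source
                break
            nxt = {"src": src, "flags": {SYN}, "seq": isn, "ack": 0}   # client retransmits its SYN
        seg = nxt
    return transcript
```

Both modes end with the genuine client's retried SYN being forwarded, while the spoofed source is challenged, never answers, and is simply re-challenged on its next SYN rather than blocked, which is the behaviour the "Spoofed SYN Flood Prevention" slide describes.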
Automating Spoofed SYN Flood Prevention
• To automate Spoofed SYN Flood Prevention:
  • Enable the ”Spoofed SYN Flood Prevention Automation” setting
  • Specify an automation threshold
• If the rate of SYN packets sent to any protected host in a protection group
exceeds the threshold
  • APS performs TCP authentication or HTTP authentication as configured
• If all protected hosts in a protection group are receiving SYN packets below
the threshold
  • APS does not perform the configured authentication
Automation Threshold Example 1 of 2
[Screenshot: Spoofed SYN Flood Prevention settings with the Enable checkbox and
the automation threshold entered as a rate in pps]
Automation Threshold Example 2 of 2
[Diagram: with the automation threshold set to 5000 pps, SYN traffic at 4 Kpps is
passed, while two streams of SYN traffic at 5 Kpps are blocked by Spoofed SYN Prevention]
Note: Automation Threshold set to 5000 pps
TCP Connection Limiting Protection
IPv4
• Limits the number of simultaneous connections from a single host
to a pre-configured value
• A simple per-host connection counter is used instead of a session state table
• TCP SYN packets are dropped for excess connection attempts
TCP Connection Limiting Protection
• TCP connection limiting settings are different for different server types

Default State (by Protection Level)
Server Type        Low       Medium    High
Generic and Web    Disabled  Enabled   Enabled
Mail Server        Enabled   Enabled   Enabled
File Server        Enabled   Enabled   Enabled

Concurrent Connections Allowed (by Protection Level)
Server Type        Low   Medium   High
Generic and Web    100   60       30
Mail Server        16    5        3
File Server        5     3        2
TCP Connection Reset Protection
IPv4
• Any TCP connection from a source is intercepted
• The source host is temporarily blocked for 60 seconds if the host exceeds the
consecutive violations threshold
• By default only works on destination ports 80, 443 and 25
• This Protection protects against the exhaustion of TCP resources when connection
tables on servers are full of idle connections
• TCP Connection Reset can protect against flood, slow HTTP POST and protocol
attacks
TCP Connection Reset Protection
• TCP Connection Reset combines five main detection methods:
  • The minimum amount of data (Initial timeout required data) is not sent within
  a certain length of time (TCP connections initial timeout) after the connection
  was established
  • The HTTP or SSL/TLS request is not sent at a minimal speed (Minimum request
  bit rate); speed is computed using a token bucket with a depth of 60 seconds
  • The HTTP header is not sent within 60 seconds
  • An idle connection is reset or blocked after a configured number of seconds
  (TCP Connection Idle Timeout)
• Enable “Track Connections After Initial State” to keep tracking connections
after they leave the initial state
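Added example (not Arbor code): a Python monitor that applies the four timing checks above to connections in their initial state, including the 60-second-deep token bucket for the minimum request bit rate, and blocks a source whose violations exceed a threshold. The timeout, data and rate values, and the constructed timeline of one normal client and one host holding three slow connections, are assumptions; APS's own defaults are not given on the slide.

```python
from collections import defaultdict

BLOCK_SECONDS = 60


class ConnectionResetMonitor:
    """Tracks connections in their initial state and applies the deck's timing checks.
    The default values below are constructed for the example, not APS settings."""

    def __init__(self, initial_timeout=10.0, required_data=64, min_bps=1000,
                 header_timeout=60.0, idle_timeout=30.0, bucket_depth=60.0,
                 violation_threshold=2):
        self.initial_timeout, self.required_data = initial_timeout, required_data
        self.min_bps, self.header_timeout = min_bps, header_timeout
        self.idle_timeout, self.violation_threshold = idle_timeout, violation_threshold
        self.depth_bits = min_bps * bucket_depth     # token bucket depth: 60 s of the minimum rate
        self.conns = {}
        self.violations = defaultdict(int)
        self.blocked_until = {}

    def open(self, ts, src, cid):
        self.conns[cid] = {"src": src, "opened": ts, "last": ts, "bytes": 0, "header": False,
                           "credit": self.depth_bits, "credit_ts": ts}

    def _drain(self, c, ts):
        # The bucket leaks at the minimum request bit rate; received bits refill it.
        c["credit"] -= self.min_bps * (ts - c["credit_ts"])
        c["credit_ts"] = ts

    def data(self, ts, cid, nbytes, header_complete=False):
        c = self.conns[cid]
        self._drain(c, ts)
        c["credit"] = min(self.depth_bits, c["credit"] + nbytes * 8)
        c["bytes"] += nbytes
        c["last"] = ts
        c["header"] = c["header"] or header_complete

    def is_blocked(self, src, ts):
        return self.blocked_until.get(src, 0) > ts

    def check(self, ts):
        """Evaluate every tracked connection; return [(cid, reason)] for those to be reset."""
        resets = []
        for cid, c in list(self.conns.items()):
            self._drain(c, ts)
            age, idle = ts - c["opened"], ts - c["last"]
            reason = None
            if age >= self.initial_timeout and c["bytes"] < self.required_data:
                reason = "initial timeout required data"
            elif c["credit"] < 0:
                reason = "minimum request bit rate"
            elif not c["header"] and age >= self.header_timeout:
                reason = "HTTP header not sent within 60 seconds"
            elif idle >= self.idle_timeout:
                reason = "idle timeout"
            if reason:
                resets.append((cid, reason))
                del self.conns[cid]
                src = c["src"]
                self.violations[src] += 1
                if self.violations[src] > self.violation_threshold:
                    self.blocked_until[src] = ts + BLOCK_SECONDS
        return resets


def slow_attack_scenario():
    """Constructed timeline: one normal client (A) and one host holding three slow connections."""
    m = ConnectionResetMonitor()
    log = []
    m.open(0.0, "192.0.2.7", "A")
    for cid in ("B", "C", "D"):
        m.open(0.0, "203.0.113.9", cid)
    m.data(0.2, "A", 400, header_complete=True)   # complete request straight away
    m.data(1.0, "C", 100)                          # enough initial data, no header yet
    m.data(1.0, "D", 100)
    m.data(2.0, "B", 10)                           # Slowloris-style trickle, too little data
    log += m.check(5.0)
    m.data(11.0, "C", 10)
    log += m.check(12.0)
    for t in (21.0, 31.0):
        m.data(t, "C", 10)
    log += m.check(40.0)
    for t in (41.0, 51.0, 61.0):
        m.data(t, "C", 10)                         # 10 bytes every 10 s: far below 1000 bit/s
    log += m.check(70.0)
    return m, log
```

In the scenario, B trips the initial-data check at 12 s, D and the finished client A are reset as idle at 40 s, and C, which kept trickling bytes, runs its token bucket dry at 70 s; the slow host's third violation exceeds the threshold and blocks it for 60 seconds, while the normal client's single idle reset does not.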
Traffic Shaping Protection
• When all else fails, get the traffic down to a manageable rate
• Used to limit legitimate traffic like ICMP or to control situations like flash crowds
• All traffic is inspected against the defined filter
• If the packet matches (or no filter is defined) and the packet causes the forwarding
rate to exceed either of the bps/pps thresholds:
  • The packet is dropped
  • The source is not blocked
  • Because the source is not blocked, both attack and normal traffic get through,
  up to the configured rate
PROTECTING WEB SERVERS
Protecting Web Servers
IPv4
• Attack Protections for HTTP traffic
• Malformed HTTP Filtering
• Application Misbehavior
• Botnet Prevention
• Includes AIF signatures
• Spoofed SYN Flood Prevention
• HTTP Authentication option
• HTTP Rate Limiting
• HTTP Header Regular Expression
• Web Crawler Support
Malformed HTTP Filtering Protection
IPv4
• All HTTP requests are inspected and verified:
  • The HTTP header conforms to RFC 2616 Section 2.2 “Basic Rules”
    • Exceptions to the RFC constraints on the space character are allowed
  • The entire request is in a legal and consistent format
• Traffic failing either of the two checks is dropped and the source is
temporarily blocked for 60 seconds
• Malformed HTTP Filtering can be used to protect against attacks that attempt to
exhaust web server resources with invalid or blank HTTP requests
• Botnets commonly use this type of vector
Application Misbehavior Protection
IPv4
• All HTTP traffic from a single source is inspected
• If the request headers are interrupted by a TCP FIN from the source more than
the configured threshold number of times
  • Source is temporarily blocked for 60 seconds
• Application Misbehavior stops botnets from sending multiple small HTTP
requests and terminating the connection before each request is complete,
which causes resource exhaustion on the destination server
Botnet Prevention Protection
IPv4
• All HTTP Traffic from a single source is inspected
• The Botnet Prevention protection settings allow Arbor APS to detect botnet
attacks based on known botnet behaviors
Botnet Prevention Protection Options (1 of 2)
IPv4
• Enable Basic Botnet Prevention
  • Checks whether the request headers are incomplete:
    • On all protection levels the Host header is required for HTTP/1.1
    • On the High protection level the Host, User-Agent and Connection headers are required
  • Source is temporarily blocked for 60 seconds
Botnet Prevention Protection Options (2 of 2)
IPv4
• Prevent Slow Request Attacks
  • Checks whether the HTTP request contains < 500 bytes AND does not end with \n
  (indicative of a slow HTTP attack)
  • Source is temporarily blocked for 60 seconds
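Added example (not Arbor code) for the Malformed HTTP Filtering and Botnet Prevention slides: a Python request inspector that checks the request line and header names against the RFC 2616 token rules (tolerating whitespace around header values), requires the Host header for HTTP/1.1 and additionally User-Agent and Connection at the High level, and flags a request shorter than 500 bytes that does not end with a newline as a slow request. The sample requests are constructed; the Slowloris one mirrors the deck's partial request with its last header line left unterminated.

```python
import re

# RFC 2616 "token": any CHAR except CTLs and separators
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
REQUEST_LINE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+) (\S+) HTTP/(\d)\.(\d)$")


def inspect_http_request(raw: bytes, level: str = "medium") -> list:
    """Return the findings the deck's HTTP checks would raise for one request (empty = clean)."""
    findings = []
    text = raw.decode("latin-1")                         # never fails; bytes map 1:1 to characters
    # Prevent Slow Request Attacks: short request that does not end with a newline
    if len(raw) < 500 and not text.endswith("\n"):
        findings.append("slow request")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:                                        # Malformed HTTP Filtering
        return findings + ["malformed request line"]
    version = f"{match.group(3)}.{match.group(4)}"
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not TOKEN.match(name):             # name must be a token directly followed by ':'
            findings.append("malformed header")
            continue
        headers.setdefault(name.lower(), []).append(value.strip())  # whitespace around values tolerated
    # Basic Botnet Prevention: required headers per protection level
    required = ["host"] if version == "1.1" else []
    if level == "high":
        required += ["user-agent", "connection"]
    findings += [f"missing {h}" for h in required if h not in headers]
    return findings


# Constructed sample requests
GOOD = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
        b"User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n")
SLOWLORIS = (b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n"
             b"Connection: keep-alive\r\nUser-Agent: Mozilla/5.0\r\nX-a: b\r\nX-a: b")
NO_HOST = b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
GARBAGE = b"\x00\x01\x02garbage\r\n\r\n"
BAD_HEADER = b"GET / HTTP/1.1\r\nHost www.example.com\r\n\r\n"
```

The Slowloris sample passes the header checks (all its headers are present and well formed) and is caught only by the slow-request rule, which is why the deck lists that rule separately from Basic Botnet Prevention.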
Application Attacks to Web Servers
• GET Floods
  • Brute-force consumption of the server’s processing capacity – typically done using a botnet
  • Ex: Siege
• Slow GET
  • Creates TCP sessions that never close and hold server resources (TCP table
  space, process table, memory)
  • Ex: Slowloris
• Slow POST
  • Similar to Slow GET, but focused on pages with forms to be completed
  (which can’t be cached by CDNs)
  • Ex: RUDY
Slowloris – Slow HTTP GET DDoS
• HTTP DDoS attack tool
• Allows a single machine to take down a web
server with minimal bandwidth and side effects
on unrelated services and ports
• Designed to hold open as many connections
as possible to the HTTP server.
• Exploits design flaws in the HTTP protocol
Slowloris – Slow HTTP GET DDoS
• Slowloris abuses handling of HTTP request headers ssslooowly…
• Each Slowloris process opens several connections to the target web server
and sends a partial request: one not ending with a “\n” line
• This tells the web server to hold on: the rest of the GET request is on its
way…
• Periodically, each Slowloris process sends subsequent HTTP headers,
but never completes the request
• Affected servers keep these connections open, filling their maximum
concurrent connection pool and eventually denying additional connection
attempts from clients
• Slowloris has high impact and relatively low bandwidth usage
Slowloris – Slow HTTP GET DDoS
GET http://www.google.com/ HTTP/1.1
Host: www.google.com
Connection: keep-alive
User-Agent: Mozilla/5.0
X-a: b
X-a: b
X-a: b
X-a: b
X-a: b
X-a: b
R.U.D.Y. – Slow HTTP POST DDoS
• Uses HTTP POST requests
• The HTTP Header portion is complete
and sent in full to the web server.
• R.U.D.Y.
• Abuses HTTP web form fields
• Iteratively injects one custom byte into a web
application post field and goes to sleep
• Application threads become zombies awaiting
ends of posts…until death lurks upon the
website
R.U.D.Y. – Slow HTTP POST DDoS
POST http://victim.com/
Host: victim.com
Connection: keep-alive
Content-Length: 1000000
User-Agent: Mozilla/5.0
Cookie: __utmz=181569312.1294666144.1.1
username=AAAAAAAAAAAAAAAAAAAAAAAAA…
Spoofed SYN Flood Prevention + HTTP (1 of 5)
• Any TCP connection attempt will be inspected and tested
• Click one of the following buttons to select the method that will be used
to authenticate HTTP traffic on ports 80 and 8080
Spoofed SYN Flood Prevention + HTTP
Authentication Summary (2 of 5)
[Screenshot: the three HTTP authentication options]
• HTTP Redirect Authentication
  • APS replies to the client’s request with a 302 redirect
  • If the client sends the redirected request it is authenticated
• HTTP Soft Reset Authentication (“Simplified Redirect”)
  • APS replies to the client’s request asking it to resend it
  • If the client replies, it is authenticated
• JavaScript Authentication
  • APS replies to the client’s request with a small amount of JavaScript, which
  is executed on the client, causing the client to reply with a redirect
  • If the redirect is received the client is authenticated
Spoofed SYN Flood Prevention + HTTP
HTTP Redirect Authentication (3 of 5)
• If HTTP Redirect Authentication is enabled, after the TCP 3-way
handshake, instead of sending a RST to the client, if the traffic is HTTP, APS responds
to the client with a 302 re-direct message, causing the web browser to retry
the request seamlessly without the disruption of a connection reset:
1. SYN Authentication of client passes
2. Send client 302 re-direct: http://www.example.com/KmfPM
3. Client requests new URL
4. Send client 302 re-direct to the original URL
   http://www.example.com/myPage
5. Client success!
Spoofed SYN Flood Prevention + HTTP
HTTP Soft Reset Authentication (4 of 5)
• If HTTP Soft Reset Authentication is enabled, after the TCP 3-way
handshake, instead of sending a RST to the client, if the traffic is HTTP, APS responds
to the client with a 302 re-direct message to the original destination:
1. SYN Authentication of client passes
2. Send client 302 re-direct to the original
   URL http://www.example.com/myPage
3. Client success!
Spoofed SYN Flood Prevention + HTTP
JavaScript Authentication (5 of 5)
• Arbor APS replies to a client’s HTTP request with a small amount of
JavaScript, which is executed on the client, causing the client to respond by
sending a redirect.
• If the redirect is received, the client is authenticated.
Note: If you select the JavaScript option, legitimate clients that do not have JavaScript enabled
will be unable to connect to protected hosts.
HTTP Rate Limiting Protection
IPv4
• All HTTP requests are inspected and:
  • The number of requests per second is compared to the configured request
  limit threshold
  • The number of unique HTTP objects per second is compared to the
  configured URL limit threshold
• If the rate is higher than the threshold, the requests are blocked and
the host is temporarily blocked for 60 seconds
• HTTP Rate Limiting can be used to protect against flooding attacks that
overwhelm the resources of the HTTP application server
Web Crawlers are a Challenge
• Search Engine web crawlers are a challenge for DDoS mitigation
• Web crawlers act like bots because … they are bots!
• Blocking web crawlers is often unacceptable
• Blocking instantly leads to reduced web site visibility in search results and,
consequently, decrease in search ranking
• It is critical that web crawlers can still reach and index protected resources
even when those are under attack and need protection
Web Crawler Support in Arbor APS
IPv4
• Protection group settings select whether known web crawlers can bypass
some protections for destinations within that protection group
• Enabled – Web crawler protection bypass is allowed
• Disabled – Web crawler traffic has normal protections
• Single enable / disable Web Crawler setting for each protection group
protection level
• Individual search engines can be chosen globally
Web Crawler Support
• Globally enable or disable individual
search engines
• All web crawlers are enabled by default
• Disable search engines that are not
relevant to you
Web Crawler Support – How it works
• Web Crawlers can be exempted from different Protections depending on protection level

Protections                                                   Low          Medium       High
Invalid Packets, TCP SYN Flood Detection                      Checked      Checked      Checked
Filter List, Multicast Blocking, Private Address Blocking     Whitelisted  Checked      Checked
Rate-based Blocking, DNS Rate Limiting, DNS NXDomain Rate
  Limiting, HTTP Rate Limiting, ICMP Flood Detection,
  UDP Flood Detection, Fragment Flood Detection               Whitelisted  Whitelisted  Checked
Payload Regular Expression, DNS Regular Expression,
  HTTP Header Regular Expression, AIF Botnet Signatures       Whitelisted  Checked      Checked
Spoofed SYN Flood Prevention, DNS Authentication              Whitelisted  Whitelisted  Whitelisted
TCP Connection Limiting, TCP Connection Reset                 Whitelisted  Whitelisted  Checked
Block Malformed DNS Traffic                                   Whitelisted  Whitelisted  Checked
Malformed HTTP Filtering, Basic Botnet Prevention             Whitelisted  Checked      Checked
TLS Attack Prevention                                         Whitelisted  Checked      Checked
Traffic Shaping                                               Whitelisted  Whitelisted  Checked
Application Misbehavior                                       Whitelisted  Whitelisted  Checked
Web Crawler Reporting for Protection Groups
• Web Crawlers traffic widget for protection groups of Generic, Web and DNS
Server Types
[Screenshot: hover on the mini-graph to see the expanded graph]
PROTECTING SSL-SECURED SERVICES
SSL Protocol Attack Protection
SSL-Targeted Attacks
[Figure: SSL-targeted attacks reaching an SSL server through Arbor APS]
• SYN floods against SSL protocols
• Malformed SSL attacks
  • Sending garbage packets that force crypto work on the server
  • Examples: Hello Msg DoS (PushDo Botnet)
• SSL re-negotiation attacks
  • Force renegotiation of SSL within a single stream
  • Require crypto work (re-key exchanges) to be done on the server side
  • Can be done using ‘Secure Renegotiation’, which is encrypted
  • Examples: http://orchilles.com/2011/03/ssl-renegotiationdos.html
• SSL exhaustion (single source / distributed sources)
  • Create many requests from a host or many hosts, simply establishing SSL connections
  • Often coupled with the above attacks (SSL renegotiation, etc.)
  • Examples: THC DDoS (http://www.thc.org/thc-ssl-dos/)
SSL Protocol Overview
1. Client opens TCP connection to server
2. SSL Handshake (shown in the figure, not encrypted)
3. Exchange encrypted data
[Figure: SSL handshake message exchange between client and server]
Known Attacks: Pushdo
• Sends garbage packets to port 443
• Can quickly exhaust CPU on HTTPS server
How to Mitigate:
• TLS Attack Prevention protection will flag
and blacklist Pushdo senders
TLS Attack Prevention Operation
IPv4
• Detects malformed and unreasonably extended TLS / SSL protocol headers
• Detects rate-based and connection exhaustion attacks against the TLS / SSL
protocol
• Works on both HTTPS and non-HTTP TLS / SSL
• Is a Host-blocking Protection
In order to mitigate the THC SSL attack you need to disable early whitelisting:
/ services aps protection set tls.earlywhitelist '<server type>' <protection_level> no
TLS Attack Prevention Protection
• Provides protection from common attacks against SSL
  • Attacks that try to force many crypto operations on the targeted server
• Protects SSL servers and SSL accelerators
  • Protects from attacks against the SSL protocol – regardless of port (HTTPS,
  POP3S, SMTPS)
• Focuses on attacks against the protocol directly
  • Attacks that are pre-encryption
  • Does not require handling any private keys or doing SSL offloading
• Enforces correct usage of the SSL protocol / key exchange
  • Blocks malformed SSL attacks such as PushDo Botnet attacks
  • Enforces specific algorithm usage
TLS Attack Prevention - Scope
• What it does:
• SSL Message Validation
• Slow Attack Protection
• Handshake Validation
• Connection Flooding Protection
TLS Attack Prevention – Scope
• What it does not do:
• Decrypt session
• Inspect encrypted traffic
• Check extension semantics
• Enforce acceptable protocol versions
• Although it can parse SSL3/TLS1.1/TLS1.2
TLS Attack Prevention – Settings (1 of 2)
• Protection limits get more severe with higher protection levels

Default TLS Handshake Settings (by Protection Level)
Setting                               Low       Medium    High
Enable State                          Disabled  Enabled   Enabled
Cipher Limit                          512       256       64
Extension Limit                       32        24        16
Compression Limit                     8         4         2
Max Hello Length                      2048      1024      768
Pending connections per source limit  8         8         8
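Added example (not Arbor code): a Python ClientHello parser that counts cipher suites, extensions and compression methods, rejects hellos whose length fields do not add up, and applies the default limits from the table above for each protection level (disabled at Low). The record builder produces constructed sample hellos, not captured client data, and treating "hello length" as the handshake body length is an assumption.

```python
import struct

# Default TLS handshake limits per protection level, taken from the deck's settings table.
LIMITS = {
    "low":    {"enabled": False, "cipher": 512, "extension": 32, "compression": 8, "hello": 2048},
    "medium": {"enabled": True,  "cipher": 256, "extension": 24, "compression": 4, "hello": 1024},
    "high":   {"enabled": True,  "cipher": 64,  "extension": 16, "compression": 2, "hello": 768},
}


class MalformedHello(ValueError):
    """Raised when the bytes cannot be a well-formed TLS ClientHello."""


def parse_client_hello(rec: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello; count the fields the limits apply to."""
    def need(off, n):
        if off + n > len(rec):
            raise MalformedHello("truncated at offset %d" % off)

    need(0, 5)
    if rec[0] != 0x16:
        raise MalformedHello("not a handshake record")
    rec_len = struct.unpack("!H", rec[3:5])[0]
    need(5, rec_len)
    if rec_len < 4 or rec[5] != 0x01:
        raise MalformedHello("not a ClientHello")
    hs_len = int.from_bytes(rec[6:9], "big")
    if hs_len != rec_len - 4:
        raise MalformedHello("handshake length does not match record length")
    end = 9 + hs_len
    p = 9
    need(p, 34)                          # client_version(2) + random(32)
    p += 34
    sid_len = rec[p]
    p += 1
    need(p, sid_len)
    p += sid_len
    need(p, 2)
    cs_len = struct.unpack("!H", rec[p:p + 2])[0]
    p += 2
    if cs_len % 2:
        raise MalformedHello("odd cipher_suites length")
    need(p, cs_len)
    p += cs_len
    need(p, 1)
    comp_len = rec[p]
    p += 1
    need(p, comp_len)
    p += comp_len
    n_ext = 0
    if p < end:                          # the extensions block is optional
        need(p, 2)
        ext_len = struct.unpack("!H", rec[p:p + 2])[0]
        p += 2
        if p + ext_len != end:
            raise MalformedHello("extensions length does not fill the hello")
        while p < end:
            need(p, 4)
            elen = struct.unpack("!H", rec[p + 2:p + 4])[0]
            p += 4
            if p + elen > end:
                raise MalformedHello("extension overruns the extensions block")
            p += elen
            n_ext += 1
    if p != end:
        raise MalformedHello("trailing bytes in ClientHello")
    return {"ciphers": cs_len // 2, "extensions": n_ext, "compressions": comp_len,
            "hello_length": hs_len}      # assumption: "hello length" = handshake body length


def check_client_hello(rec: bytes, level: str) -> list:
    """Apply the level's limits; returns the list of violations (empty = hello accepted)."""
    lim = LIMITS[level]
    if not lim["enabled"]:
        return []
    try:
        info = parse_client_hello(rec)
    except MalformedHello as exc:
        return ["malformed: " + str(exc)]
    violations = []
    for field, name, label in (("ciphers", "cipher", "cipher limit exceeded"),
                               ("extensions", "extension", "extension limit exceeded"),
                               ("compressions", "compression", "compression limit exceeded"),
                               ("hello_length", "hello", "max hello length exceeded")):
        if info[field] > lim[name]:
            violations.append(label)
    return violations


def build_client_hello(n_ciphers: int, n_extensions: int, n_compressions: int = 1,
                       ext_payload: int = 0) -> bytes:
    """Constructed sample ClientHello in TLS 1.2 record framing (not captured client data)."""
    ciphers = b"".join(struct.pack("!H", 0xC000 + i) for i in range(n_ciphers))
    comps = bytes(range(n_compressions))
    exts = b"".join(struct.pack("!HH", i, ext_payload) + b"\x00" * ext_payload
                    for i in range(n_extensions))
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + struct.pack("!H", len(ciphers)) + ciphers
            + bytes([len(comps)]) + comps + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

The parser never reads past the bytes it has been given and insists that every inner length agrees with the outer one, which is what lets a padded or truncated hello be reported as malformed rather than be counted against the limits.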
TLS Attack Prevention – Settings (2 of 2)
• TCP Ports Protected by Default

Port   Description
443    HTTP over TLS (HTTPS)
465    SMTP over TLS - Officially URL Rendezvous Directory for SSM
563    NNTP over TLS
587    SMTP mail submission (may be TLS)
636    LDAP over TLS
989    FTP data over TLS (?) - FTP control over TLS (port 990) is not protected
992    TELNET over TLS
993    IMAP4 over TLS
994    IRC over TLS
995    POP3 over TLS
5061   SIP over TLS
TLS / SSL Protocol Attack Visibility
• Attack details shows breakdown of specific TLS / SSL protocol violations
• Each violation type has more details
PROTECTING DNS SERVERS
DNS Server Protections
• Protect DNS Servers and services with the following Protections:
• Block Malformed DNS Traffic
• DNS Authentication
• DNS Rate Limiting
• DNS NXDomain Rate Limiting
• DNS Regular Expression
Block Malformed DNS Traffic Protection
IPv4
• Traffic with a destination port of UDP/53 is inspected:
  • For compliance with the RFC specification for DNS (RFC 1035)
  • That the payload of the packet could be a valid DNS message
• Packets that fail the checks are dropped
• Hosts are not blocked
• Block Malformed DNS Traffic protects against DNS attacks that attempt to exhaust
the resources of DNS servers
Common DNS Attacks
[Figure: client-side attacks (phishing servers, DNS cache poisoning against DNS
resolvers) and server-side attacks against DNS servers (reflective attacks and
DNS application layer attacks such as "Root Queries", "Random Queries",
"Multiple Queries per Packet" and "NX Domain Reflective")]
• Multiple threat vectors against DNS whose impacts include loss of service
availability, reduced customer satisfaction and hurt profitability
DNS Dictionary Attacks
[Figure: the attacker requests entries that do not exist in the DNS cache; every miss
is looked up on the DB server, which is overwhelmed with lookups]
Query: abcd.somedomain.com    ->  NXDomain: abcd.somedomain.com
Query: efgh.somedomain.com    ->  NXDomain: efgh.somedomain.com
Query: ijkl.somedomain.com    ->  NXDomain: ijkl.somedomain.com
...
DNS Authentication Protection
IPv4
• Any source that sends a UDP DNS request is forced to switch to TCP
• If the source does not change from a UDP to a TCP DNS request, the source
is considered invalid
• Any unverified requests are dropped; source hosts are not blocked
• DNS Authentication protects against DNS attacks that originate from
sources that are not valid hosts
DNS Rate Limiting Protection
IPv4
• Arbor APS inspects all of the DNS traffic that originates from a single source
and records the number of queries per second
• Any traffic that exceeds the thresholds is blocked
• The source host is temporarily blocked for 60 seconds
• DNS Rate Limiting protects against DNS attacks that attempt to flood
DNS servers
DNS Flood
[Figure: the attacker sends a flood of DNS queries to a recursive name server]
DNS NXDomain Rate Limiting Protection
IPv4
• Arbor APS monitors DNS response packets for sources that send requests
that might cause the generation of a non-existent domain (NXDomain)
• Any source that sends more consecutive failed DNS requests than
the threshold is blocked for 60 seconds
• For this Protection to work, Arbor APS MUST be able to see the DNS
response traffic from the DNS server
• DNS NXDomain Rate Limiting protects against DNS cache poisoning
and dictionary attacks on DNS servers only
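Added example (not Arbor code) serving both the Block Malformed DNS Traffic and the DNS NXDomain Rate Limiting slides: a Python RFC 1035 message parser that rejects payloads which cannot be valid DNS (short header, oversized labels, forward or looping compression pointers, lengths that run past the packet), and a per-client counter over the server's response traffic that blocks a client after more consecutive NXDOMAIN answers than a threshold. The message builder, the threshold and the "somedomain.com" names are constructed for the example (the names follow the dictionary attack figure).

```python
import struct
from collections import defaultdict

BLOCK_SECONDS = 60


class MalformedDNS(ValueError):
    """Raised when the payload cannot be a valid RFC 1035 message."""


def read_name(msg: bytes, off: int, depth: int = 0):
    """Parse a domain name (with compression pointers) at `off`; return (name, next_off)."""
    labels = []
    while True:
        if off >= len(msg):
            raise MalformedDNS("name runs past end of message")
        length = msg[off]
        if length == 0:
            off += 1
            break
        if (length & 0xC0) == 0xC0:                     # compression pointer (RFC 1035 4.1.4)
            if depth > 5:
                raise MalformedDNS("compression pointer chain too deep")
            if off + 2 > len(msg):
                raise MalformedDNS("truncated compression pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:                              # only backward pointers are legal
                raise MalformedDNS("forward compression pointer")
            pointed, _ = read_name(msg, ptr, depth + 1)
            labels.append(pointed)
            off += 2
            break
        if length > 63:
            raise MalformedDNS("label longer than 63 octets")
        off += 1
        if off + length > len(msg):
            raise MalformedDNS("label runs past end of message")
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    name = ".".join(labels)
    if len(name) > 253:
        raise MalformedDNS("name longer than 253 characters")
    return name, off


def parse_dns(msg: bytes) -> dict:
    """Validate header, question and resource-record framing of one DNS message."""
    if len(msg) < 12:
        raise MalformedDNS("shorter than 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if qd == 0:
        raise MalformedDNS("no question section")
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise MalformedDNS("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):                        # walk every RR so all lengths must agree
        _, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise MalformedDNS("truncated resource record")
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
        if off > len(msg):
            raise MalformedDNS("RDATA runs past end of message")
    if off != len(msg):
        raise MalformedDNS("trailing bytes after last record")
    return {"id": ident, "response": bool(flags & 0x8000), "rcode": flags & 0x0F,
            "questions": questions}


def classify_query(msg: bytes):
    """Block Malformed DNS Traffic check on an inbound UDP/53 payload: None if it could be
    a valid query, otherwise the reason it would be dropped."""
    try:
        parse_dns(msg)
    except MalformedDNS as exc:
        return str(exc)
    return None


class NXDomainRateLimiter:
    """Counts consecutive NXDOMAIN answers per client in the server's response traffic."""

    def __init__(self, threshold: int = 5):
        self.threshold, self.failures, self.blocked_until = threshold, defaultdict(int), {}

    def observe_response(self, ts: float, client: str, msg: bytes) -> bool:
        """Feed one response sent to `client`; returns True while the client is blocked."""
        info = parse_dns(msg)
        if not info["response"]:
            return False
        self.failures[client] = self.failures[client] + 1 if info["rcode"] == 3 else 0
        if self.failures[client] > self.threshold:
            self.blocked_until[client] = ts + BLOCK_SECONDS
            return True
        return False


def build_dns(ident: int, qname: str, response: bool = False, rcode: int = 0) -> bytes:
    """Constructed minimal DNS message with one A/IN question (sample data, not a capture)."""
    flags = (0x8000 if response else 0) | 0x0100 | rcode
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)


def dictionary_attack_scenario(threshold: int = 5) -> list:
    """Eight NXDOMAIN answers to one client, as in the deck's dictionary attack figure."""
    limiter = NXDomainRateLimiter(threshold)
    labels = ["abcd", "efgh", "ijkl", "mnop", "qrst", "uvwx", "yzab", "cdef"]
    return [limiter.observe_response(100 + i, "203.0.113.9",
                                     build_dns(i, label + ".somedomain.com", response=True, rcode=3))
            for i, label in enumerate(labels)]
```

The rate limiter only ever sees responses, which is the reason for the slide's note that APS must be able to see the DNS server's response traffic; a successful answer in between resets the consecutive-failure count.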
DNS NXDomain Rate Limiting Protection
Basic NXDOMAIN Attack – How the Attack Works
[Figure: the attacker sends DNS queries for non-existent names to a recursive name server;
each lookup fails (NOT FOUND!), the server answers NXDOMAIN and its cache fills up (FULL!)]
• For this Protection to work, Arbor APS MUST be able to see the DNS
response traffic from the DNS server
PROTECTING SIP SERVERS
SIP Server Protections
• Protect VoIP (SIP) Servers and services with the
following Protections:
• Block Malformed SIP Traffic
• SIP Request Rate Limiting
Block Malformed SIP Traffic Protection
IPv4
• All traffic destined to SIP ports is inspected
• If the payload of the packet is empty or is not part of a SIP request, or
• If the headers are not properly formatted and/or do not have reasonable values
  • Traffic is dropped
  • Source is temporarily blocked for 60 seconds
• Block Malformed SIP Traffic prevents attacks against the VoIP infrastructure by blocking
invalid or blank SIP requests
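Added example (not Arbor code): a Python SIP request inspector covering the three conditions above: an empty payload, a payload that is not a SIP request line, and headers that are malformed or carry unreasonable values (the mandatory header set and the CSeq/Max-Forwards/Content-Length rules follow RFC 3261; which "reasonable values" APS enforces is not stated on the slide, so these particular rules are assumptions). The INVITE is a constructed sample using the Alice/Bob addresses from the SIP Flood slide.

```python
import re

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS"}
# RFC 3261 8.1.1: headers every request must carry
MANDATORY = ["via", "from", "to", "call-id", "cseq", "max-forwards"]
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "l": "content-length", "m": "contact"}


def inspect_sip_request(payload: bytes) -> list:
    """Return the findings the Block Malformed SIP Traffic checks would raise (empty = clean)."""
    if not payload.strip():
        return ["empty payload"]
    text = payload.decode("utf-8", "replace")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return ["not a SIP request"]
    method, uri = match.group(1), match.group(2)
    findings = []
    if method not in METHODS:
        findings.append(f"unknown method {method}")
    if not uri.startswith(("sip:", "sips:")):
        findings.append("request-URI is not a SIP URI")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if not sep or not key or " " in key:             # header name must be a single token before ':'
            findings.append("malformed header")
            continue
        headers.setdefault(COMPACT.get(key, key), value.strip())
    findings += [f"missing {h}" for h in MANDATORY if h not in headers]
    # Reasonable values: CSeq must name this method, Max-Forwards must be a small integer,
    # Content-Length must describe the body that is actually present.
    cseq = re.match(r"^(\d+) ([A-Z]+)$", headers.get("cseq", ""))
    if "cseq" in headers and (not cseq or cseq.group(2) != method):
        findings.append("CSeq does not match the request")
    mf = headers.get("max-forwards")
    if mf is not None and not (mf.isdigit() and int(mf) <= 255):
        findings.append("unreasonable Max-Forwards")
    cl = headers.get("content-length")
    if cl is not None and (not cl.isdigit() or int(cl) != len(body.encode("utf-8"))):
        findings.append("Content-Length mismatch")
    return findings


# Constructed sample INVITE (Alice at atlanta.com calling Bob at biloxi.com)
INVITE = (b"INVITE sip:bob@biloxi.com SIP/2.0\r\n"
          b"Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK776asdhds\r\n"
          b"Max-Forwards: 70\r\n"
          b"To: Bob <sip:bob@biloxi.com>\r\n"
          b"From: Alice <sip:alice@atlanta.com>;tag=1928301774\r\n"
          b"Call-ID: a84b4c76e66710@pc33.atlanta.com\r\n"
          b"CSeq: 314159 INVITE\r\n"
          b"Content-Length: 0\r\n\r\n")
```

Because SIP permits compact header names, the inspector normalises them before checking for the mandatory set; without that step a perfectly valid request using "v:" and "i:" would be reported as missing Via and Call-ID.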
SIP Request Rate Limiting Protection
IPv4
• All traffic destined to SIP ports is measured
• If the rate of SIP requests per second exceeds the threshold
  • Traffic is dropped
  • Source is temporarily blocked for 60 seconds
• SIP Request Rate Limiting prevents SIP floods against the VoIP infrastructure
SIP Flood
Session Initiation Protocol (SIP) Flood
• Standard protocol for VoIP telephony
• Text-based protocol with a syntax similar to that of HTTP
• Two types of SIP messages: requests & responses
[Figure: Alice's user agent on LAN 1 sends "INVITE: sip:bob@biloxi.com, From:
sip:alice@atlanta.com" to her proxy server (1); the proxy sends a DNS query for
biloxi.com (2); the DNS server returns the IP address of Bob's proxy server (3); the
INVITE is forwarded across the Internet to Bob's proxy server (4) and on to Bob's user
agent on the wireless network (5)]
• A single SIP INVITE triggers considerable resource consumption on the SIP proxy server
• Numerous INVITEs consume the proxy server’s resources
• Call receivers are flooded with incoming calls
PROTECTING OTHER SERVERS
Protecting Other Server Types
• Arbor APS also has Server Types pre-configured for:
• Mail Server
• VPN Server
• RLogin Server
• File Server
• Generic
• It is recommended that you create a separate Protection Group for each of
the services you want to protect, assigning the corresponding Server Type
that best fits
• Generic Server Type is the “catch-all” providing flexibility to accommodate
specific server types
Inbound Protection Processing Sequence
[Figure: flowchart of the order in which inbound Protections are applied, ending in PASS]
CDN & PROXY SUPPORT
CDN & Proxy Support
• Proxy servers and Content Delivery Network servers have special needs
• Proxy server forwards traffic from many user clients or cached content from
many servers
• CDN server forwards content on behalf of many websites
• Proxies and CDNs may behave like entire multi-host networks and can
overwhelm Protections designed for single hosts
CDN & Proxy Support
IPv4
• Arbor APS has special handling for sources that are proxies and CDN
servers
• The only Arbor APS setting is to enable or disable this handling
  • Its operation is not visible in the Arbor APS GUI
  • The enable setting is the only exposed element
CDN & Proxy Support
• For any source host that is detected to be a CDN or proxy server:
  • All rate limiting Protections are disabled
  • All Host-blocking Protections will not block hosts but will instead block flows
    • A “flow” is traffic matching a five-tuple of IP addresses, IP protocol and TCP/UDP ports
  • All other Protections operate normally
Disabled Protections
• For sources identified as CDN or Proxy, the following Rate Limiting
Protections are disabled:
• Rate-based blocking detection
• HTTP Rate Limiting
• DNS Rate Limiting
• DNS NXDomain Rate Limiting
• SIP Rate Limiting
• TCP Connection Reset
• TCP SYN Flood Detection
• ICMP Flood Detection
Changed Behaviors
• For sources identified as CDN or Proxy, some
Protections change the behavior from Host-blocking to Packet-Blocking:
• DNS malformed
• HTTP malformed
• SIP malformed
• SSL/TLS attack prevention
• HTTP regex
• Botnet Protection
• DNS regex
• Application Misbehavior
Lab Exercise
• Preview Lab 8
• Multi-Vector Attack
• Perform Lab 8
• Estimated Time 30 Minutes
• Review Lab Questions
https://portal.training.arbor.net
Unit Summary
In this unit we have learned how to:
• Use Arbor APS to protect:
• L3 and L4 services
• Web Servers
• SSL secured services
• DNS Servers
• SIP Servers
• Other Servers
Q&A / THANK YOU