Partner Technical Training
Protecting Services: Protection Settings Deep Dive
Partner • Sales • Engineering
APS Release 5.12
©2017 ARBOR® CONFIDENTIAL & PROPRIETARY

Objectives
At the conclusion of this unit you should understand how to use Arbor APS to protect:
• L3 and L4 services
• Web Servers
• SSL secured services
• DNS Servers
• SIP Servers
• Other Servers

PROTECTING FROM L3 & L4 ATTACKS

Invalid Packets Protection
• Non-configurable, always-on Protection designed to drop packets that are unambiguously malformed

Invalid Packets Protection – IPv4
IPv4 Invalid Packets Protection performs the following checks:
• IPv4 header checks
  • Malformed IP header
  • Bad IP checksum
  • Short packet
• Fragmentation checks
  • Incomplete fragment
  • Duplicate fragment
  • Fragment too long
• Layer 4 checks
  • Short TCP/UDP/ICMP packet
  • Bad TCP/UDP checksum
  • Invalid TCP flags
  • Invalid ACK number
• Invalid Packets is a Packet-blocking Protection (the offending packet is dropped; the source host is not blocked)

Invalid Packets Protection – IPv6
IPv6 Invalid Packets Protection performs the following checks:
• IPv6 header checks
  • Malformed IP header
  • Short packet
  • Incorrect order of extension headers
  • Duplicate extension headers
  • Type 0 routing header
  • Incorrect packet length (not a multiple of 8, or wrong size of extension header)
  • Invalid Hop-by-Hop options (jumbo payload option or invalid option length)
• Fragmentation checks
  • Incomplete fragment
  • Duplicate fragment
  • Fragment too long
  • Fragment overlap
• Layer 4 checks
  • Short TCP/UDP/ICMP packet
  • Bad TCP/UDP checksum
  • Invalid TCP flags
  • Invalid ACK number
Note: Invalid Packets is a Packet-blocking Protection

Multicast Blocking Protection (IPv4)
• Drops all inbound and outbound traffic sourced from or destined to multicast address space (224.0.0.0/4)
• Enable only for protection groups that must not receive any multicast traffic
• Make sure not to block routing protocols that use multicast for hello messages (for example OSPF on 224.0.0.5 and 224.0.0.6)
• Whitelist the small multicast address blocks that legitimately pass through Arbor APS

Private Address Blocking (IPv4)
• Drops all inbound and outbound traffic sourced from or destined to:
  • 0.0.0.0/8
  • 10.0.0.0/8
  • 127.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16
• Disabled by default
• Enable if you suspect an attack from spoofed private IP addresses; these ranges should never appear as sources on the Internet side of the APS

UDP Flood Detection Protection (IPv4)
• Blocks excessive amounts of UDP from a single source
• Separate thresholds for bps and pps
• Hosts violating a threshold at the Medium or High protection level are blocked for 60 seconds
• Hosts violating a threshold at the Low protection level are not blocked; their traffic is policed down to the configured threshold
• Disabled by default, except at the Medium and High protection levels of the Web Server server type and its derivatives, where it is enabled by default

DNS Amplification Attack: UDP Flood
[Figure: attacker (a) sends a query to resolver (r) with the source IP spoofed to the victim (v); r sends the response to v]
• The source IP of the victim (v) is spoofed when the query is sent to the resolver (r); the resolver receives it and responds to v
• A 55-byte query elicits a 4200-byte response (roughly 1:76 amplification)
• A botnet of as few as 20 DSL-connected homes (1 Mbps upstream each) can generate 1.5 Gbps of attack traffic with DNS reflective amplification vectors such as those used against the root servers in early 2006 (1:76 amplification factor)
• Most enterprises have little more than 155 Mbps of Internet connectivity
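The per-source UDP Flood Detection behaviour described above (separate pps and bps thresholds, a 60-second block at Medium/High, policing instead of blocking at Low), as an added example that is not Arbor APS code. The one-second bucket counters, the threshold values and all traffic below are constructed for the simulation; the same per-source counting idea underlies the other rate-based Protections in this unit.

```python
"""Per-source UDP flood detection modelled on the APS description above.

Constructed example, not APS code: thresholds, the 60-second block and the
police-instead-of-block behaviour at the Low protection level follow the
slide; the traffic fed through the detector is synthetic.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Tuple

BLOCK_SECONDS = 60          # temporary block length stated on the slide


@dataclass(frozen=True)
class Packet:
    ts: float               # arrival time, seconds
    src: str                # source IPv4 address
    proto: str              # "udp", "tcp", ...
    length: int             # bytes on the wire


class UdpFloodDetector:
    """Counts packets and bits per source in one-second buckets."""

    def __init__(self, pps_limit: int, bps_limit: int, level: str = "medium"):
        if level not in ("low", "medium", "high"):
            raise ValueError(level)
        self.pps_limit, self.bps_limit, self.level = pps_limit, bps_limit, level
        self.buckets: Dict[Tuple[str, int], list] = defaultdict(lambda: [0, 0])
        self.blocked_until: Dict[str, float] = {}

    def inspect(self, pkt: Packet) -> str:
        """Return "pass", "policed" or "blocked" for one packet."""
        if pkt.proto != "udp":
            return "pass"                       # this Protection only looks at UDP
        if self.blocked_until.get(pkt.src, 0.0) > pkt.ts:
            return "blocked"                    # still inside the 60 s block window
        bucket = self.buckets[(pkt.src, int(pkt.ts))]
        bucket[0] += 1                          # packets this second
        bucket[1] += pkt.length * 8             # bits this second
        if bucket[0] <= self.pps_limit and bucket[1] <= self.bps_limit:
            return "pass"
        if self.level == "low":
            return "policed"                    # excess dropped, host not blocked
        self.blocked_until[pkt.src] = pkt.ts + BLOCK_SECONDS
        return "blocked"


def simulate(level: str) -> Dict[Tuple[str, str], int]:
    """Run constructed traffic through the detector; returns (src, verdict) -> count."""
    det = UdpFloodDetector(pps_limit=1000, bps_limit=20_000_000, level=level)
    traffic = []
    # legitimate client: 50 pps of 100-byte datagrams for three seconds
    traffic += [Packet(i / 50, "10.0.0.5", "udp", 100) for i in range(150)]
    # attacker: 2000 pps of 1400-byte datagrams during second 1 (22.4 Mbps)
    traffic += [Packet(1 + i / 2000, "203.0.113.9", "udp", 1400) for i in range(2000)]
    # one more attacker packet well after the 60 s block has expired
    traffic.append(Packet(70.0, "203.0.113.9", "udp", 1400))
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for pkt in sorted(traffic, key=lambda p: p.ts):
        counts[(pkt.src, det.inspect(pkt))] += 1
    return dict(counts)


if __name__ == "__main__":
    for lvl in ("low", "medium"):
        print(lvl, simulate(lvl))
```

At Medium the attacker's 1001st packet in second 1 trips the pps threshold, the remaining 999 packets of that second are blocked, and the packet at t=70 passes again because the block has expired; at Low the same packets are policed and the host is never blocked. The legitimate 50 pps client is untouched at both levels.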
UDP Flood Attacks
• UDP is stateless, making it a common tool for flood attacks
• Generating UDP packets is easy
• Stateless also means source IP addresses can be spoofed
• BPS and PPS: packet sizes may range from 60 to 1500 bytes
• A high volume of small packets can cause forwarding issues for routers, firewalls and other inline devices, which are limited by packets per second rather than bits per second
  • 1 Mpps @ 60 bytes ≈ 480 Mbps
  • 1 Mpps @ 1400 bytes ≈ 11 Gbps
• UDP floods do not generally impact services (unless the service is DNS) but do impact the infrastructure, causing collateral damage
• UDP floods can cause jitter and latency, impacting other services such as VoIP

Mitigating UDP Floods – Filter Lists
• DNS is the primary attack target of UDP floods
• DNS amplification floods generate a high rate of large UDP packets
• A Filter List lets you deal with UDP floods
• Example:
    drop proto udp dst 192.168.2.11
  The above example drops the UDP flood going to the victim (192.168.2.11) but does not drop all UDP packets
• If the victim is a web server this approach is fine; if it is a DNS server it is not, because the filter also drops legitimate queries
• However, specific Protections exist to handle attacks on DNS servers

TCP SYN Flood Detection Protection (IPv4)
• All TCP traffic from a single source is inspected
• Traffic is dropped and the source is temporarily blocked for 60 seconds if either:
  • the number of SYN packets per second exceeds the SYN Rate, or
  • the SYN ACK Delta Rate (number of SYN packets minus number of ACK packets, per second) is exceeded
• TCP SYN Flood Detection detects and stops SYN floods, which can exhaust a server's resources and force it to reject new, legitimate connections

SYN Flood Attacks
• SYN flood attacks attempt to exhaust the server-side resources for TCP connections
• Source(s) continuously send packets with just the SYN bit set
• The victim (server) must allocate a connection and send a SYN-ACK back to the source
• In a legitimate handshake the source ACKs, data is exchanged and the source eventually terminates the connection
• In a flood the handshake is never completed: the half-open connection is kept open, occupying a slot in the connection table, until the server times it out
• SYN packets are typically small

TCP Stack Attack – SYN Flood Attack
[Figure only: the TCP three-way handshake under a SYN flood]

Spoofed SYN Flood Prevention
• Any TCP connection attempt is inspected
• If the destination port is in the “Except on ports” list, the TCP traffic is immediately allowed through
• TCP traffic to other ports is not allowed through until the source has been authenticated by the Protection
• TCP connections from non-authenticated sources are not allowed through, but their sources are not temporarily blocked either

Spoofed SYN Flood Prevention Operation (1/2): Connection Reset Authentication
Participants: Client, APS, Server
1. Client sends the first SYN to establish a connection with the server
   Flags [SYN], seq=4205432417
2. APS intercepts the SYN and sends a SYN-ACK back to the client with a valid ack number and an APS-derived sequence number
   Flags [SYN, ACK], ack=4205432418, seq=4785326538
3.
A valid client responds with an ACK whose acknowledgement number is the received sequence number + 1
   Flags [ACK], ack=4785326539
4. Client is authenticated
5. APS sends the client a RST-ACK to close this connection
   Flags [RST, ACK], ack=4205432418
6. Client re-sends the SYN to establish a connection with the server
   Flags [SYN], seq=4205432417
7. APS allows the subsequent SYN through to the original destination

Spoofed SYN Flood Prevention Operation (2/2): Out of Sequence Authentication
Participants: Client, APS, Server
1. Client sends the first SYN to establish a connection with the server
   Flags [SYN], seq=4205432417
2. APS intercepts the SYN and sends a SYN-ACK back to the client carrying a deliberately invalid, APS-derived ack number (here equal to its own sequence number)
   Flags [SYN, ACK], ack=253118415, seq=253118415
3. A valid client responds to the unacceptable SYN-ACK with a RST whose sequence number equals the bogus ack number (RFC 793 behaviour in the SYN-SENT state); a spoofed source never answers
   Flags [RST], seq=253118415
4. Client re-sends the SYN to establish a connection with the server
   Flags [SYN], seq=4205432417
5. Client is authenticated
6. APS allows the SYN through to the original destination
7. Server responds and the normal TCP handshake completes

Automating Spoofed SYN Flood Prevention
• To automate Spoofed SYN Flood Prevention:
  • Enable the “Spoofed SYN Flood Prevention Automation” setting
  • Specify an automation threshold (SYN packets per second)
• If the rate of SYN packets sent to any protected host in a protection group exceeds the threshold, APS performs TCP authentication or HTTP authentication as configured
• If all protected hosts in a protection group are receiving SYN packets below the threshold, APS does not perform the configured authentication

Automation Threshold Example (1 of 2)
[Screenshot: the automation setting is enabled and the rate is entered in pps]

Automation Threshold Example (2 of 2)
[Figure: automation threshold set to 5000 pps; a host receiving 4 Kpps of SYN traffic is passed without authentication, while hosts receiving 5 Kpps trigger Spoofed SYN Prevention and their unauthenticated SYN traffic is blocked]

TCP Connection Limiting Protection (IPv4)
• Limits the number of simultaneous connections from a single host to a pre-configured value
• A simple per-host connection counter is used, avoiding a full session state table
• TCP SYN packets for excess connection attempts are dropped

TCP Connection Limiting Protection
• TCP connection limiting settings differ by server type

Default State
Server type          Low       Medium    High
Generic and Web      Disabled  Enabled   Enabled
Mail Server          Enabled   Enabled   Enabled
File Server          Enabled   Enabled   Enabled

Concurrent Connections Allowed
Server type          Low   Medium   High
Generic and Web      100   60       30
Mail Server          16    5        3
File Server          5     3        2

TCP Connection Reset Protection (IPv4)
• Any TCP connection from a source is intercepted
• The source host is temporarily blocked for 60 seconds if it exceeds the number-of-consecutive-violations threshold
• By default only works on destination ports 80, 443 and 25
• The Protection protects against the
exhaustion of TCP resources that occurs when server connection tables fill up with idle connections
• TCP Connection Reset can protect against flood, slow HTTP POST and protocol attacks

TCP Connection Reset Protection
• TCP Connection Reset combines five main detection methods:
  • The minimum amount of data (Initial timeout required data) is not sent within a certain time (TCP connections initial timeout) after the connection was established
  • The HTTP or SSL/TLS request is not sent at a minimal speed (Minimum request bit rate); speed is computed using a token bucket with a depth of 60 seconds
  • The HTTP header is not sent within 60 seconds
  • The number of seconds APS waits before an idle connection is reset or blocked (TCP Connection Idle Timeout)
  • Enable “Track Connections After Initial State” to keep tracking a connection after it leaves the initial state

Traffic Shaping Protection
• When all else fails, get the traffic down to a manageable rate
• Used to limit legitimate traffic such as ICMP, or to control situations such as flash crowds
• All traffic is inspected against the defined filter
• If the packet matches (or no filter is defined) and the packet would cause the forwarding rate to exceed either the bps or the pps threshold:
  • The packet is dropped
  • The source is not blocked
• Because drops are rate-based rather than source-based, both attack and normal traffic get through at the shaped rate

PROTECTING WEB SERVERS

Protecting Web Servers (IPv4)
• Attack Protections for HTTP traffic:
  • Malformed HTTP Filtering
  • Application Misbehavior
  • Botnet Prevention (includes AIF signatures)
  • Spoofed SYN Flood Prevention with the HTTP Authentication option
  • HTTP Rate Limiting
  • HTTP Header Regular Expression
  • Web Crawler Support

Malformed HTTP Filtering Protection (IPv4)
• All HTTP requests are inspected and verified:
  • The HTTP header conforms to RFC 2616 Section 2.2 “Basic Rules” (exceptions to the RFC's constraints on the space character are allowed)
  • The entire request is in a legal and consistent format
• Traffic that fails either check is dropped and the source is temporarily blocked for 60 seconds
• Malformed HTTP Filtering protects against attacks that attempt to exhaust web server resources with invalid or blank HTTP requests
• Botnets commonly use this type of vector

Application Misbehavior Protection (IPv4)
• All HTTP traffic from a single source is inspected
• If request headers are interrupted by a TCP FIN from the source more often than the configured threshold, the source is temporarily blocked for 60 seconds
• Application Misbehavior stops botnets that send many small HTTP requests and terminate each connection before the request is complete, causing resource exhaustion on the destination server

Botnet Prevention Protection (IPv4)
• All HTTP traffic from a single source is inspected
• The Botnet Prevention protection settings allow Arbor APS to detect botnet attacks based on known botnet behaviors

Botnet Prevention Protection Options (1 of 2) (IPv4)
• Enable Basic Botnet Prevention
  • Checks whether the request headers are incomplete
  • At all protection levels the Host header is required for HTTP/1.1
  • At the High level the Host, User-Agent and Connection headers are required
  • The source is temporarily blocked for 60 seconds

Botnet Prevention Protection Options (2 of 2) (IPv4)
• Prevent Slow Request Attacks
  • Checks whether an HTTP request contains fewer than 500 bytes AND does not end with \n (indicative of a slow HTTP attack)
  • The source is temporarily blocked for 60 seconds

Application Attacks on Web Servers
• GET floods
  • Brute-force consumption of the server's processing capacity, typically from a botnet
  • Example: Siege
• Slow GET
  • Creates TCP sessions that never close and hold server resources (TCP table space, process table, memory)
  • Example: Slowloris
• Slow POST
  • Similar to Slow GET, but aimed at pages with forms to be completed (which cannot be cached by CDNs)
  • Example: RUDY

Slowloris – Slow HTTP GET DDoS
• HTTP DDoS attack tool
• Allows a single machine to take down a web server with minimal bandwidth and few side effects on unrelated services and ports
• Designed to hold open as many connections as possible to the HTTP server
• Exploits design flaws in the HTTP protocol

Slowloris – Slow HTTP GET DDoS
• Slowloris abuses the handling of HTTP request headers, very slowly
• Each Slowloris process opens several connections to the target web server and sends a partial request: the header block is never terminated by the empty line that ends a request
• This tells the web server to wait: the rest of the GET request is on its way
• Periodically each Slowloris process sends further HTTP headers, but never completes the request
• Affected servers keep these connections open, filling their maximum concurrent connection pool and eventually denying additional connection attempts from clients
• Slowloris has high impact and relatively low bandwidth usage

Slowloris – Slow HTTP GET DDoS (example partial request)
    GET http://www.google.com/ HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0
    X-a: b
    X-a: b
    X-a: b
    X-a: b
    X-a: b
    X-a: b
  (the “X-a: b” headers keep arriving at intervals; the terminating blank line is never sent)

R.U.D.Y. – Slow HTTP POST DDoS
• Uses HTTP POST requests
• The HTTP header portion is complete and sent in full to the web server
• R.U.D.Y. abuses HTTP web form fields
  • Iteratively injects one byte into a web application POST field and goes to sleep
  • Application threads become zombies waiting for the end of the POST, until the website dies

R.U.D.Y. – Slow HTTP POST DDoS (example request)
    POST http://victim.com/ HTTP/1.1
    Host: victim.com
    Connection: keep-alive
    Content-Length: 1000000
    User-Agent: Mozilla/5.0
    Cookie: __utmz=181569312.1294666144.1.1

    username=AAAAAAAAAAAAAAAAAAAAAAAAA…
  (the declared Content-Length is huge; the body trickles in one byte at a time)

Spoofed SYN Flood Prevention + HTTP (1 of 5)
• Any TCP connection attempt is inspected and tested
• Select the method used to authenticate HTTP traffic on ports 80 and 8080

Spoofed SYN Flood Prevention + HTTP: Authentication Summary (2 of 5)
• Any TCP connection attempt is inspected and tested
• Select one of the following methods to authenticate HTTP traffic on ports 80 and 8080:
  • HTTP Redirect: APS replies to the client's request with a 302 redirect; if the client sends the redirected request it is authenticated
  • Soft Reset (“Simplified Redirect”): APS replies to the client's request asking it to resend it; if the client resends, it is authenticated
  • JavaScript: APS replies to the client's request with a small amount of JavaScript, which is executed on the client and causes it to reply with a redirect; if the redirect is received the client is authenticated

Spoofed SYN Flood Prevention + HTTP: HTTP Redirect Authentication (3 of 5)
• If HTTP Redirect Authentication is enabled, then after the TCP 3-way handshake, instead of sending a RST to the client, APS answers HTTP traffic with a 302 redirect, so the web browser retries the request seamlessly without the disruption of a connection reset:
1. SYN authentication of the client passes
2. APS sends the client a 302 redirect to http://www.example.com/KmfPM
3. Client requests the new URL
4. APS sends the client a 302 redirect back to the original URL http://www.example.com/myPage
5. Client success!
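The two TCP-level exchanges from the Spoofed SYN Flood Prevention operation slides (Connection Reset Authentication and Out of Sequence Authentication), simulated end to end with a real client and a spoofed source. This is an added example, not Arbor APS code: the HMAC-based cookie is an assumption about how an “APS derived sequence number” can be computed statelessly, the addresses and ports are constructed, and the HTTP redirect variants above are not modelled.

```python
"""TCP authentication for Spoofed SYN Flood Prevention, modelled on the operation slides.

Added example, not APS code. The cookie derivation (HMAC over the client 4-tuple)
is an assumption about how an "APS derived sequence number" could be computed;
addresses, ports and sequence numbers are constructed for the simulation.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str              # "SYN", "SYN-ACK", "ACK", "RST", "RST-ACK"
    seq: int
    ack: int = 0

    def reply(self, flags: str, seq: int, ack: int = 0) -> "Segment":
        """Segment going back the other way on the same connection."""
        return Segment(self.dst, self.src, self.dport, self.sport, flags, seq & MASK32, ack & MASK32)


class ApsSynAuth:
    """Authenticates sources with either the Connection Reset or the Out of Sequence method."""

    def __init__(self, method: str, key: Optional[bytes] = None):
        assert method in ("reset", "out_of_sequence")
        self.method = method
        self.key = key or os.urandom(16)
        self.authenticated: set = set()

    def _cookie(self, seg: Segment) -> int:
        # APS-derived sequence number bound to the client 4-tuple, so no per-SYN state is kept
        msg = f"{seg.src}:{seg.sport}>{seg.dst}:{seg.dport}".encode()
        return int.from_bytes(hmac.new(self.key, msg, hashlib.sha256).digest()[:4], "big")

    def inbound(self, seg: Segment) -> Tuple[str, Optional[Segment]]:
        """Return (verdict, segment APS sends back to the client, if any)."""
        if seg.src in self.authenticated:
            return "forward", None                      # passed straight to the server
        cookie = self._cookie(seg)
        if seg.flags == "SYN":
            if self.method == "reset":
                # correct ack number, APS-chosen seq: a real stack completes the handshake
                return "challenge", seg.reply("SYN-ACK", seq=cookie, ack=seg.seq + 1)
            # wrong ack number on purpose: a real stack in SYN-SENT answers RST with seq == that ack
            return "challenge", seg.reply("SYN-ACK", seq=cookie, ack=cookie)
        if self.method == "reset" and seg.flags == "ACK" and seg.ack == (cookie + 1) & MASK32:
            self.authenticated.add(seg.src)
            # tear the APS-side connection down; the client will retry its SYN
            return "authenticated", seg.reply("RST-ACK", seq=seg.ack, ack=seg.seq)
        if self.method == "out_of_sequence" and seg.flags == "RST" and seg.seq == cookie:
            self.authenticated.add(seg.src)
            return "authenticated", None
        return "drop", None                             # unverified source: dropped, not blocked


def rfc793_client(seg: Segment, isn: int) -> Optional[Segment]:
    """How a real client stack in SYN-SENT reacts to what APS sent (RFC 793 rules)."""
    if seg.flags == "SYN-ACK" and seg.ack == (isn + 1) & MASK32:
        return seg.reply("ACK", seq=isn + 1, ack=seg.seq + 1)      # acceptable ACK: finish handshake
    if seg.flags == "SYN-ACK":
        return seg.reply("RST", seq=seg.ack)                        # unacceptable ACK: <SEQ=SEG.ACK><CTL=RST>
    return None                                                     # RST-ACK: connection aborted, app retries


def run(method: str) -> Dict[str, List[str]]:
    """Drive one real client and one spoofed source through APS; returns the verdicts seen."""
    aps = ApsSynAuth(method)
    verdicts: Dict[str, List[str]] = {"real": [], "spoofed": []}
    isn = 4205432417                                    # client ISN from the slide
    syn = Segment("10.0.0.5", "192.0.2.10", 51000, 80, "SYN", seq=isn)
    verdict, reply = aps.inbound(syn)
    verdicts["real"].append(verdict)
    verdict, _ = aps.inbound(rfc793_client(reply, isn))
    verdicts["real"].append(verdict)
    verdicts["real"].append(aps.inbound(syn)[0])       # retried SYN now goes to the server
    # spoofed source: the SYN-ACK goes to an address that never replies, so only SYNs arrive
    spoofed = Segment("198.51.100.77", "192.0.2.10", 40000, 80, "SYN", seq=1)
    for _ in range(2):
        verdicts["spoofed"].append(aps.inbound(spoofed)[0])
    return verdicts


if __name__ == "__main__":
    for m in ("reset", "out_of_sequence"):
        print(m, run(m))
```

With either method the real client is challenged once, authenticated by its stack's automatic reply, and its retried SYN is forwarded; the spoofed source is challenged every time and never forwarded, and, as the slide states, it is not blocked either. Because the cookie is recomputed from the 4-tuple, APS needs no per-SYN state, which is what keeps the Protection itself from being exhausted by the flood.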
Spoofed SYN Flood Prevention + HTTP: HTTP Soft Reset Authentication (4 of 5)
• If HTTP Soft Reset Authentication is enabled, then after the TCP 3-way handshake, instead of sending a RST to the client, APS answers HTTP traffic with a 302 redirect to the original destination:
1. SYN authentication of the client passes
2. APS sends the client a 302 redirect to the original URL http://www.example.com/myPage
3. Client success!

Spoofed SYN Flood Prevention + HTTP: JavaScript Authentication (5 of 5)
• Arbor APS replies to a client's HTTP request with a small amount of JavaScript, which is executed on the client and causes it to respond by sending a redirect
• If the redirect is received, the client is authenticated
Note: If you select the JavaScript option, legitimate clients that do not have JavaScript enabled will be unable to connect to protected hosts.

HTTP Rate Limiting Protection (IPv4)
• All HTTP requests are inspected, and per source:
  • The number of requests per second is compared to the configured request limit threshold
  • The number of unique HTTP objects (URLs) requested per second is compared to the configured URL limit threshold
• If either rate is higher than its threshold, the requests are blocked and the host is temporarily blocked for 60 seconds
• HTTP Rate Limiting protects against flooding attacks that overwhelm the HTTP application server's resources

Web Crawlers are a Challenge
• Search engine web crawlers are a challenge for DDoS mitigation
• Web crawlers act like bots because… they are bots!
• Blocking web crawlers is often unacceptable
• Blocking instantly leads to reduced web site visibility in search results and, consequently, a drop in search ranking
• It is critical that web crawlers can still reach and index protected resources even when those are under attack and need protection

Web Crawler Support in Arbor APS (IPv4)
• Protection group settings select whether known web crawlers can bypass some Protections for destinations within that protection group
  • Enabled – web crawler protection bypass is allowed
  • Disabled – web crawler traffic receives the normal Protections
• A single enable/disable Web Crawler setting exists for each protection level of each protection group
• Individual search engines are chosen globally

Web Crawler Support
• Globally enable or disable individual search engines
• All web crawlers are enabled by default
• Disable search engines that are not relevant to you

Web Crawler Support – How it works
• Web crawlers can be exempted from different Protections depending on the protection level (“Whitelisted” = crawler traffic bypasses the Protection; “Checked” = crawler traffic is still subject to it)

Protections                                                        Low          Medium       High
Invalid Packets, TCP SYN Flood Detection                           Checked      Checked      Checked
Filter List, Multicast Blocking, Private Address Blocking          Whitelisted  Checked      Checked
Rate-based Blocking, DNS Rate Limiting, DNS NXDomain Rate Limiting,
  HTTP Rate Limiting, ICMP Flood Detection, UDP Flood Detection,
  Fragment Flood Detection                                         Whitelisted  Whitelisted  Checked
Payload Regular Expression, DNS Regular Expression,
  HTTP Header Regular Expression, AIF Botnet Signatures            Whitelisted  Checked      Checked
Spoofed SYN Flood Prevention, DNS Authentication                   Whitelisted  Whitelisted  Whitelisted
TCP Connection Limiting, TCP Connection Reset                      Whitelisted  Whitelisted  Checked
Block Malformed DNS Traffic                                        Whitelisted  Whitelisted  Checked
Malformed HTTP Filtering, Basic Botnet Prevention                  Whitelisted  Checked      Checked
TLS Attack Prevention                                              Whitelisted  Checked      Checked
Traffic Shaping                                                    Whitelisted  Whitelisted  Checked
Application Misbehavior                                            Whitelisted  Whitelisted  Checked

Web Crawler Reporting for Protection Groups
• A Web Crawlers traffic widget is shown for protection groups of the Generic, Web and DNS server types; hover on the mini-graph to see the expanded graph

PROTECTING SSL-SECURED SERVICES

SSL Protocol Attack Protection
SSL-targeted attacks:
• SYN floods against SSL ports
• Malformed SSL attacks
  • Sending garbage packets that force crypto work on the server
  • Example: Hello message DoS (PushDo botnet)
• SSL renegotiation attacks
  • Force renegotiation of SSL within a single stream
  • Require crypto work (re-keying exchanges) to be done on the server side
  • Can be done using ‘Secure Renegotiation’, which is encrypted
  • Example: http://orchilles.com/2011/03/ssl-renegotiationdos.html
• SSL exhaustion (single source / distributed sources)
  • Create many requests from one host or many hosts that simply establish SSL connections
  • Often coupled with the attacks above (SSL renegotiation, etc.)
  • Example: THC-SSL-DOS (http://www.thc.org/thc-ssl-dos/)

SSL Protocol Overview
1. Client opens a TCP connection to the server
2. SSL handshake (shown at right; not encrypted)
3.
Exchange encrypted data

Known Attacks: PushDo
• Sends garbage packets to port 443
• Can quickly exhaust CPU on an HTTPS server
How to mitigate:
• The TLS Attack Prevention protection flags and blacklists PushDo senders

TLS Attack Prevention Operation (IPv4)
• Detects malformed and unreasonably extended TLS/SSL protocol headers
• Detects rate-based and connection-exhaustion attacks against the TLS/SSL protocol
• Works on both HTTPS and non-HTTP TLS/SSL
• Is a Host-blocking Protection
• In order to mitigate the THC-SSL-DOS attack you need to disable early whitelisting:
    / services aps protection set tls.earlywhitelist '<server type>' <protection_level> no

TLS Attack Prevention Protection
• Provides protection from common attacks against SSL
  • Attacks that try to force many crypto operations on the targeted server
• Protects SSL servers and SSL accelerators
• Protects against attacks on the SSL protocol regardless of port (HTTPS, POP3S, SMTPS)
• Focuses on attacks against the protocol directly
  • Attacks that are pre-encryption
  • Does not require handling any private keys or doing SSL offloading
• Enforces correct usage of the SSL protocol / key exchange
  • Blocks malformed SSL attacks such as PushDo botnet attacks
  • Enforces specific algorithm usage

TLS Attack Prevention – Scope
• What it does:
  • SSL message validation
  • Slow attack protection
  • Handshake validation
  • Connection flooding protection

TLS Attack Prevention – Scope
• What it does not do:
  • Decrypt the session
  • Inspect encrypted traffic
  • Check extension semantics
  • Enforce acceptable protocol versions (although it can parse SSL3/TLS1.1/TLS1.2)

TLS Attack Prevention – Settings (1 of 2)
• Protection limits get more severe at higher protection levels

Default TLS Handshake Settings
Setting                               Low       Medium    High
Enable State                          Disabled  Enabled   Enabled
Cipher Limit                          512       256       64
Extension Limit                       32        24        16
Compression Limit                     8         4         2
Max Hello Length                      2048      1024      768
Pending connections per source limit  8         8         8

TLS Attack Prevention – Settings (2 of 2)
• TCP ports protected by default:

Port   Description
443    HTTP over TLS (HTTPS)
465    SMTP over TLS (officially URL Rendezvous Directory for SSM)
563    NNTP over TLS
587    SMTP mail submission (may be TLS)
636    LDAP over TLS
989    FTP data over TLS (FTP control over TLS, port 990, is not protected (?))
992    TELNET over TLS
993    IMAP4 over TLS
994    IRC over TLS
995    POP3 over TLS
5061   SIP over TLS

TLS / SSL Protocol Attack Visibility
• Attack details show a breakdown of specific TLS/SSL protocol violations
• Each violation type has more details

PROTECTING DNS SERVERS

DNS Server Protections
• Protect DNS servers and services with the following Protections:
  • Block Malformed DNS Traffic
  • DNS Authentication
  • DNS Rate Limiting
  • DNS NXDomain Rate Limiting
  • DNS Regular Expression

Block Malformed DNS Traffic Protection (IPv4)
• Traffic with a destination port of UDP/53 is inspected:
  • For compliance with the DNS specification (RFC 1035)
  • That the payload of the packet could be a valid DNS message
• Non-compliant packets are dropped
• Hosts are not blocked
• Block Malformed DNS Traffic protects against DNS attacks that attempt to exhaust the resources of DNS servers

Common DNS Attacks
[Figure: attack categories against DNS servers and resolvers – server-side reflective attacks; DNS application-layer attacks (“Root Queries”, “Random Queries”, “Multiple Queries per Packet”, “NX Domain Reflective”); DNS cache poisoning; client-side attacks such as phishing]
• Multiple threat
vectors against DNS whose impacts include loss of service availability, reduced customer satisfaction and reduced profitability

DNS Dictionary Attacks
[Figure: attacker → DNS cache → database server; the database server is overwhelmed with lookups]
• The attacker requests entries that do not exist in the DNS cache, so every query misses the cache and is passed to the back end:
    Query: abcd.somedomain.com  →  NXDomain: abcd.somedomain.com
    Query: efgh.somedomain.com  →  NXDomain: efgh.somedomain.com
    Query: ijkl.somedomain.com  →  NXDomain: ijkl.somedomain.com
    ...

DNS Authentication Protection (IPv4)
• Any source that sends a UDP DNS request is forced to retry the request over TCP
• If the source does not switch from a UDP to a TCP DNS request, the source is considered invalid
• Unverified requests are dropped; source hosts are not blocked
• DNS Authentication protects against DNS attacks that originate from sources that are not valid hosts (a spoofed source cannot complete the TCP handshake the retry requires)

DNS Rate Limiting Protection (IPv4)
• Arbor APS inspects all DNS traffic that originates from a single source and records the number of queries per second
• Any traffic that exceeds the threshold is blocked
• The source host is temporarily blocked for 60 seconds
• DNS Rate Limiting protects against DNS attacks that attempt to flood DNS servers

DNS Flood
[Figure: attacker sends a stream of DNS queries at a recursive name server]

DNS NXDomain Rate Limiting Protection (IPv4)
• Arbor APS monitors DNS response packets for sources whose requests result in non-existent domain (NXDomain) responses
• Any source that sends more consecutive failed DNS requests than the threshold is blocked for 60 seconds
• For this Protection to work, Arbor APS MUST be able to see the DNS response traffic from the DNS server (in an asymmetric deployment where responses bypass the APS, this Protection cannot work)
• DNS NXDomain Rate Limiting protects against DNS cache poisoning and dictionary attacks on DNS servers only

DNS NXDomain Rate Limiting Protection
[Figure: basic NXDOMAIN attack – the attacker sends queries for random names to a recursive name server; each lookup fails (“NOT FOUND”), the server returns NXDOMAIN, and its cache fills up]
• For this Protection to work, Arbor APS MUST be able to see the DNS response traffic from the DNS server

PROTECTING SIP SERVERS

SIP Server Protections
• Protect VoIP (SIP) servers and services with the following Protections:
  • Block Malformed SIP Traffic
  • SIP Request Rate Limiting

Block Malformed SIP Traffic Protection (IPv4)
• All traffic destined to SIP ports is inspected
• If the payload of the packet is empty, or is not part of a SIP request, or the headers are not properly formatted and/or do not have reasonable values:
  • Traffic is dropped
  • Source is temporarily blocked for 60 seconds
• Block Malformed SIP Traffic prevents attacks against the VoIP infrastructure by blocking invalid or blank SIP requests

SIP Request Rate Limiting Protection (IPv4)
• All traffic destined to SIP ports is measured
• If the rate of SIP requests per second exceeds the threshold:
  • Traffic is dropped
  • Source is temporarily blocked for 60 seconds
• SIP Request Rate Limiting prevents SIP floods against the VoIP infrastructure

SIP Flood
• Session Initiation Protocol (SIP) is the standard protocol for VoIP telephony
• Text-based protocol with a syntax similar to that of HTTP
• Two types of SIP messages: requests and responses
[Figure: call setup across the Internet – 1. User Agent Alice sends INVITE sip:bob@biloxi.com (From: sip:alice@atlanta.com) to her proxy server on the LAN; 2. the proxy sends a DNS query for biloxi.com; 3. the DNS server returns the IP address of Bob's proxy server; 4. the INVITE is forwarded to Bob's proxy server; 5. the INVITE is delivered to User Agent Bob over the wireless network]
• A single SIP INVITE triggers considerable resource consumption on the SIP proxy server
•
Numerous INVITEs consume the proxy server's resources
• Call receivers are flooded with incoming calls

PROTECTING OTHER SERVERS

Protecting Other Server Types
• Arbor APS also has Server Types pre-configured for:
  • Mail Server
  • VPN Server
  • RLogin Server
  • File Server
  • Generic
• It is recommended that you create a separate Protection Group for each service you want to protect, assigning the Server Type that best fits
• The Generic Server Type is the “catch-all”, providing the flexibility to accommodate services that have no pre-configured Server Type

Inbound Protection Processing Sequence
[Figure: the order in which inbound traffic passes through the Protections, ending in PASS]

CDN & PROXY SUPPORT

CDN & Proxy Support
• Proxy servers and Content Delivery Network servers have special needs
• A proxy server forwards traffic from many user clients, or cached content from many servers
• A CDN server forwards content on behalf of many websites
• Proxies and CDNs may behave like entire multi-host networks and can overwhelm Protections designed for single hosts

CDN & Proxy Support (IPv4)
• Arbor APS has special handling for sources that are proxies and CDN servers
• The only Arbor APS setting is to enable or disable it
• Operation is not visible in the Arbor APS GUI; the enable setting is the only exposed element

CDN & Proxy Support
• For any source host that is detected to be a CDN or proxy server:
  • All rate limiting Protections are disabled
  • All Host-blocking Protections will not block hosts but will instead block flows
  • A “flow” is traffic matching a five-tuple of source and destination IP addresses, IP protocol, and source and destination TCP/UDP ports
  • All other Protections operate normally

Disabled Protections
• For sources identified as CDN or proxy, the following rate limiting Protections are disabled:
  • Rate-based Blocking detection
  • HTTP Rate Limiting
  • DNS Rate Limiting
  • DNS NXDomain Rate Limiting
  • SIP Rate Limiting
  • TCP Connection Reset
  • TCP SYN Flood Detection
  • ICMP Flood Detection

Changed Behaviors
• For sources identified as CDN or proxy, some Protections change behavior from Host-blocking to Packet-blocking:
  • DNS Malformed
  • HTTP Malformed
  • SIP Malformed
  • SSL/TLS Attack Prevention
  • HTTP Regex
  • Botnet Protection
  • DNS Regex
  • Application Misbehavior

Lab Exercise
• Preview Lab 8: Multi-Vector Attack
• Perform Lab 8 (estimated time 30 minutes)
• Review Lab Questions
https://portal.training.arbor.net

Unit Summary
In this unit we have learned how to use Arbor APS to protect:
• L3 and L4 services
• Web Servers
• SSL secured services
• DNS Servers
• SIP Servers
• Other Servers

Q&A / THANK YOU
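Added example for the TLS Attack Prevention handshake settings covered earlier in this unit (Cipher Limit, Extension Limit, Compression Limit, Max Hello Length per protection level): a ClientHello parser that applies those limits. This is not Arbor APS code. The limit table is copied from the settings slide; how APS itself parses the hello, and exactly which length “Max Hello Length” is measured against, are not stated on the page, so this checker applies it to the handshake message length (an assumption). The sample hellos are constructed, not captured traffic.

```python
"""Checks a TLS ClientHello against the TLS Attack Prevention handshake limits.

Added example, not APS code. The limit table comes from the settings slide;
applying "Max Hello Length" to the handshake message length is an assumption.
"""
import struct
from typing import Dict, List

# Default TLS handshake settings per protection level (from the settings slide)
LIMITS: Dict[str, Dict[str, int]] = {
    "low":    {"enabled": 0, "ciphers": 512, "extensions": 32, "compression": 8, "hello": 2048},
    "medium": {"enabled": 1, "ciphers": 256, "extensions": 24, "compression": 4, "hello": 1024},
    "high":   {"enabled": 1, "ciphers": 64,  "extensions": 16, "compression": 2, "hello": 768},
}


class _Reader:
    """Bounds-checked cursor over a byte string; any over-read is a parse error."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, n: int) -> int:
        return int.from_bytes(self.take(n), "big")

    def done(self) -> bool:
        return self.pos == len(self.data)


def parse_client_hello(record: bytes) -> Dict[str, int]:
    """Parse one TLS record holding a ClientHello; return the counts the limits apply to."""
    rec = _Reader(record)
    if rec.uint(1) != 0x16:                      # ContentType handshake
        raise ValueError("not a handshake record")
    rec.take(2)                                  # record-layer version (not enforced, per the scope slide)
    body = _Reader(rec.take(rec.uint(2)))
    if not rec.done():
        raise ValueError("trailing bytes after record")
    if body.uint(1) != 0x01:                     # HandshakeType client_hello
        raise ValueError("not a ClientHello")
    hello_len = body.uint(3)
    h = _Reader(body.take(hello_len))
    if not body.done():
        raise ValueError("handshake length mismatch")
    h.take(2)                                    # client_version
    h.take(32)                                   # random
    h.take(h.uint(1))                            # session_id
    cipher_bytes = h.uint(2)
    if cipher_bytes % 2:
        raise ValueError("odd cipher_suites length")
    h.take(cipher_bytes)
    compression = h.uint(1)
    h.take(compression)
    extensions = 0
    if not h.done():                             # extensions block is optional
        ext = _Reader(h.take(h.uint(2)))
        while not ext.done():
            ext.take(2)                          # extension type
            ext.take(ext.uint(2))                # extension data (semantics not checked)
            extensions += 1
        if not h.done():
            raise ValueError("trailing bytes after extensions")
    return {"hello_len": hello_len, "ciphers": cipher_bytes // 2,
            "compression": compression, "extensions": extensions}


def check_limits(record: bytes, level: str) -> List[str]:
    """Return the names of the limits this ClientHello violates at the given protection level."""
    lim = LIMITS[level]
    if not lim["enabled"]:
        return []                                # Protection disabled at this level
    f = parse_client_hello(record)
    violations = []
    if f["ciphers"] > lim["ciphers"]:
        violations.append("cipher_limit")
    if f["extensions"] > lim["extensions"]:
        violations.append("extension_limit")
    if f["compression"] > lim["compression"]:
        violations.append("compression_limit")
    if f["hello_len"] > lim["hello"]:
        violations.append("max_hello_length")
    return violations


def build_client_hello(n_ciphers: int, n_extensions: int, n_compression: int) -> bytes:
    """Constructed TLS 1.2 ClientHello with the requested list sizes (test input, not captured)."""
    ciphers = b"".join(struct.pack("!H", 0x1301 + i) for i in range(n_ciphers))
    exts = b"".join(struct.pack("!HH", 0xFF00 + i, 0) for i in range(n_extensions))
    hello = (b"\x03\x03" + bytes(32) + b"\x00"                    # version, random, empty session_id
             + struct.pack("!H", len(ciphers)) + ciphers
             + bytes([n_compression]) + bytes(n_compression)       # n null compression methods
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake
```

A browser-sized hello (20 cipher suites, 5 extensions, 1 compression method, 101-byte handshake) passes at High; a padded hello of the kind an attack tool sends (600 suites, 40 extensions, 10 compression methods, 1410 bytes) trips all four limits at Medium, while at Low the Protection is disabled and nothing is reported. A truncated record is rejected as a parse error rather than silently passed, which is the behaviour a practitioner wants from anything sitting in front of a TLS endpoint.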