Silverline DDoS Protection
Filip Verlaeckt, f.verlaeckt@f5.com
The evolution of attackers
- September 1996: First high-profile DDoS attack. NY ISP Panix.com is nearly put out of business.
- January 2008: Anonymous executes a series of high-profile DDoS attacks against the Church of Scientology.
- December 2010: WikiLeaks supporters hit PayPal, Visa, Mastercard, and other financial sites with DDoS attacks.
- April 2011: Attackers use a DDoS attack against Sony to mask the theft of millions of customer records.
- April 2012: Anonymous knocks down the sites of the U.S. Dept. of Justice, the CIA, and the British Secret Intelligence Service.
- September 2012: Syrian Cyber Fighters launch Operation Ababil with DDoS attacks on 13 U.S. banks to protest an anti-Muslim video.
(Timeline 1996-2013; eras: Script kiddies, The rise of hacktivism, Cyber war)
F5 Networks, Inc
The evolution of attackers (2014)
- Feb 05: Bitly - outage as a result of a DDoS attack
- Feb 11: Elance (freelance job site) - NTP reflection attack; temporary website disruption
- Feb 11: oDesk - temporary website disruption as a result of a DDoS attack
- Feb 20: Namecheap - simultaneous attack on 300 websites it registers
- Mar 04: Meetup (event planning) - NTP amplification attack carried out by extortionists
- Mar 11: GitHub (code host) - UDP-based amplification attack
- Mar 17: Royalty Free Stock Images - DDoS attack by extortionists
- Mar 20: Hootsuite - DDoS attack by extortionists
- Mar 24: Basecamp - DDoS attack by extortionists
- Mar 27: SurveyGizmo - DDoS attack; site down 2 days; ISP abandoned recovery
(Timeline eras: Script kiddies, The rise of hacktivism, Cyber war)
New Attack Vectors Emerge: Network Time Protocol (NTP) Attacks
Zero to Huge in 3 months
(Bar chart of peak NTP attack size: Dec 13 - 100 Gbps; Jan 14 - 150 Gbps; Feb 14 - 325 Gbps. Annotation: Derp Trolling attacks against all major game sites where PhantomL0rd was trying to play.)
How have attacks changed recently?
- Instead, compromise 3,000 to 5,000 commercial servers in major data centers
- Not known-bad IP addresses (purchased legitimate resources to launch the attack)
- Big iron with lots of CPUs creates more traffic
- Lots of 10 Gbps pipes are attached to those commercial servers
- Current attacks go beyond overwhelming the site and overwhelm the bandwidth pipe instead
- Largest single-victim attacks: 120 Gbps
- Largest concurrent attacks: 190 Gbps (3 banks attacked simultaneously)
- Average attack size increased 16 times, Q2 2013 over Q2 2012
More sophisticated attacks are multi-layer: Application, SSL, DNS, Network
Current DDoS Solution Market
- Carriers and CDNs: AT&T, Verizon, Akamai, CloudFlare
- Customer on-premises equipment (appliances): F5 Networks, Arbor Networks, Radware, Narus, GenieNRM, Andrisoft, RioRey
- Cloud services, SMB: Neustar, BlackLotus, Corero, Imperva
- Cloud services, Enterprise: Prolexic, Verisign, F5 Silverline DDoS Protection
- Cloud services, Enterprise secondary: F5 Silverline DDoS Protection
F5 cloud-based scrubbing with hybrid defenses
(Architecture diagram: traffic from legitimate users and DDoS attackers (botnets, scanners, anonymous proxies and anonymous requests) passes through the Cloud Scrubbing Service before reaching the customer (Financial Services, E-Commerce, Subscriber) over a multiple-ISP strategy (ISP a/b). On premises: threat intelligence feed, next-generation firewall, IPS, and the strategic point of control.)
Attack classes handled at each layer:
- Cloud scrubbing service: volumetric attacks and floods, operations center experts, L3-7 known signature attacks
- Network attacks: ICMP flood, UDP flood, SYN flood
- DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning
- SSL attacks: SSL renegotiation, SSL flood
- HTTP attacks: Slowloris, slow POST, recursive POST/GET
F5 cloud-based scrubbing with hybrid defenses (continued)
(Same architecture diagram as the previous slide.)
CLOUD KEY FEATURES
- Real-time volumetric DDoS attack detection and mitigation in the cloud
- Multi-layered L3-L7 DDoS attack protection
- 24x7 expert SOC services
- Transparent attack reporting via the F5 customer portal
What is Silverline DDoS?
The Silverline DDoS Protection Story
- Defense.net was founded by the pioneers of the commercial DDoS mitigation industry
- Designed to address customer frustrations with legacy cloud-based DDoS providers
- Acquired by F5 in 2014 to be the first in a series of F5-as-a-Service product offerings, AKA Silverline
- Enhanced through the addition of BIG-IP technology and an increased global footprint
Hearing Challenges with Current Enterprise Options
- Scale per customer
- Concentration risk
- Solution side effects
- Slow mitigation startup
- False positives
- Not enough visibility into attacks
Global Coverage
- 24/7 Support: the F5 Security Operations Center (SOC) is available 24/7 with security experts ready to respond to DDoS attacks within minutes
- Global Coverage: fully redundant and globally distributed data centers worldwide in each geographic region (Seattle, WA US; San Jose, CA US; Ashburn, VA US; Frankfurt, DE; Singapore, SG)
- Industry-Leading Bandwidth: attack mitigation bandwidth capacity over 2.0 Tbps; scrubbing capacity of over 1.0 Tbps; guaranteed bandwidth with Tier 1 carriers
How does F5 Silverline protect against DDoS attacks?
Silverline DDoS Protection
(Architecture diagram repeated from the "F5 cloud-based scrubbing with hybrid defenses" slide: the cloud scrubbing service in front of the customer's multi-ISP edge, with the network, DNS, SSL and HTTP attack classes listed there.)
DDoS Architecture
Scrubbing center components (inspection plane, data plane, management):
- Switching mirrors traffic to the inspection toolsets and the routing layer (copied traffic for inspection)
- Inspection tools provide input on attacks for the Traffic Actioner and the SOC
- Flow collection (NetFlow) aggregates attack data from all sources
- Traffic Actioner injects blackhole routes and steers traffic (route management, BGP signaling, routing/ACL)
- Ingress router applies ACLs and blackholes traffic
- Network mitigation removes advanced L4 attacks
- Proxy mitigation removes L7 application attacks
- Egress routing (customer VRF) returns good traffic to the customer via GRE tunnel, proxy, IP reflection, or X-Connect
- Visibility portal provides real-time reporting and configuration; cloud signaling comes from the customer side
Traffic sources: legitimate users and DDoS attackers (volumetric attacks and floods, operations center experts, L3-7 known signature attacks).
Multiple Ways to Direct Traffic to our Massive Scrubbing Centers
- BGP (Border Gateway Protocol)
- Anycast
- DNS / Anycast
Multiple Ways to Return Clean Traffic
- GRE tunnels
- Proxy
- IP reflection
- L2VPN
Routed Configuration: F5 Silverline DDoS Protection Engaged
(Diagram: client 86.75.30.9 on the Internet -> F5 Silverline DDoS Protection (F5 routers) -> GRE tunnel across the customer/ISP transit network -> ISP router -> customer router -> data center hosts 1.2.3.4, 1.2.3.5, 1.2.3.6, 1.2.3.7.)
- BGP configuration change by the customer admin: withdraw the advertisement for 1.2.3.0/24.
- BGP route advertisement: the F5 route for 1.2.3.0/24 becomes preferred.
- TCP connection, SYN: SRC 86.75.30.9:27182 -> DST 1.2.3.4:80 (now arrives at the F5 scrubbing center).
- TCP connection: SRC 69.86.73.76:4243 -> DST 1.2.3.4:80 (likewise drawn to the scrubbing center).
- Clean traffic is returned via GRE tunnel to the customer's data center.
- TCP connection, SYN-ACK: SRC 1.2.3.4:80 -> DST 86.75.30.9:27182.
Proxy Configuration: F5 Silverline DDoS Protection Engaged
(Diagram: client 86.75.30.9 and host 69.86.73.76 on the Internet; the client's local DNS, public DNS servers and the customer's authoritative DNS; F5 Silverline DDoS Protection at proxy address 5.6.7.8 with proxy NAT pool 6.6.6.0/24; ISP router -> customer router -> origin 1.2.3.4 in the data center.)
- DNS configuration change by the customer admin on the authoritative DNS: "#www.abc.com 1.2.3.4" (commented out) replaced by "www.abc.com 5.6.7.8".
- DNS query for www.abc.com: local DNS -> public DNS servers -> authoritative DNS; DNS response "www.abc.com 5.6.7.8" returned along the same path.
- TCP connection: SRC 86.75.30.9:27182 -> DST 5.6.7.8:80 (client to the Silverline proxy).
- TCP connection: SRC 6.6.6.18:31415 -> DST 1.2.3.4:80 (proxy to origin, sourced from the NAT pool).
- TCP connection: SRC 69.86.73.76:4243 -> DST 5.6.7.8:80 (second client to the proxy).
- TCP connection: SRC 69.86.73.76:4242 -> DST 1.2.3.4:80 (direct to the origin, bypassing the proxy).
- ISP router ACL: permit 6.6.6.0/24 -> 1.2.3.4/32; deny any -> 1.2.3.4/32.
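The ACL on the ISP router is what keeps proxy mode from being bypassed: once DNS points at 5.6.7.8, the only traffic that should still reach 1.2.3.4 is what the scrubbing service opens from its NAT pool 6.6.6.0/24, so the direct 69.86.73.76 -> 1.2.3.4 connection on the slide must be dropped. The Python below is an added example, not F5's code, that models the slide's access list as a first-match rule list, evaluates it over the connections drawn on the slide (re-created here as constructed tuples), and adds a configuration check, origin_exposed(), a hypothetical helper name, that flags any ACL which would let a source outside the NAT pool reach the origin.

```python
# Added example: first-match ACL model for the proxy-mode origin protection on
# the slide. Not F5's code; helper names and the flow tuples are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Addresses from the slide: origin server, Silverline proxy address, proxy NAT pool.
ORIGIN = ip_network("1.2.3.4/32")
PROXY_VIP = ip_network("5.6.7.8/32")
PROXY_NAT_POOL = ip_network("6.6.6.0/24")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


# The ISP router ACL as drawn on the slide; first match wins:
#   permit 6.6.6.0/24 -> 1.2.3.4/32
#   deny   any        -> 1.2.3.4/32
ORIGIN_ACL = [
    Rule("permit", PROXY_NAT_POOL, ORIGIN),
    Rule("deny", ANY, ORIGIN),
]

# Connections drawn on the slide (constructed tuples: src, sport, dst, dport).
SAMPLE_FLOWS = [
    ("86.75.30.9", 27182, "5.6.7.8", 80),   # client -> proxy
    ("6.6.6.18", 31415, "1.2.3.4", 80),     # proxy NAT pool -> origin
    ("69.86.73.76", 4243, "5.6.7.8", 80),   # second client -> proxy
    ("69.86.73.76", 4242, "1.2.3.4", 80),   # direct to origin, bypassing the proxy
]


def evaluate(acl, src, dst, default="permit"):
    """Return the action of the first rule matching src -> dst.

    Flows no rule covers (anything not addressed to the origin, such as
    traffic to the proxy address) get the default, which is "permit" because
    the slide's ACL only constrains the origin address."""
    s, d = ip_address(src), ip_address(dst)
    for rule in acl:
        if s in rule.src and d in rule.dst:
            return rule.action
    return default


def filter_flows(acl, flows):
    """Pair every flow tuple with the ACL decision for it."""
    return [(flow, evaluate(acl, flow[0], flow[2])) for flow in flows]


def origin_exposed(acl, origin=ORIGIN, allowed=PROXY_NAT_POOL):
    """Configuration check (hypothetical helper): can any source outside the
    scrubbing NAT pool reach the origin directly?

    Rules are walked in order. A permit whose source is wider than the NAT
    pool exposes the origin; a catch-all deny to the origin shadows every
    later rule. An ACL with no catch-all deny is reported as exposed, a
    deliberately conservative assumption since implicit-deny behaviour
    differs between router platforms."""
    for rule in acl:
        if not origin.subnet_of(rule.dst):
            continue                      # rule does not cover the origin
        if rule.action == "deny" and rule.src == ANY:
            return False                  # catch-all deny reached: protected
        if rule.action == "permit" and not rule.src.subnet_of(allowed):
            return True                   # permit wider than the NAT pool
    return True


if __name__ == "__main__":
    for flow, decision in filter_flows(ORIGIN_ACL, SAMPLE_FLOWS):
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {decision}")
    print("origin exposed:", origin_exposed(ORIGIN_ACL))
```

Running it lists the three proxy-path connections as permitted and the direct 69.86.73.76 -> 1.2.3.4 connection as denied; origin_exposed() returns False for the slide's ACL and True for an ACL that either permits a wider source or lacks the catch-all deny. The check deliberately ignores the proxy address itself: in proxy mode the scrubbing service, not the ISP router ACL, is what absorbs attack traffic aimed at 5.6.7.8.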
F5 Silverline AttackView Portal: Unprecedented Transparency
- Attack data: instant inspection of the filters and countermeasures used for mitigation; detailed timeline analysis of type, size, origin, and attack vector
- Configuration and provisioning: configure, review and modify settings for both Proxy and GRE mode through the portal
- Detailed communication: real-time attack communications; detailed events showing attack attributes and SOC mitigations applied
Portal: Timeline of Events
(Screenshot: timeline of events with event detail.)
The real-time customer portal shows:
- Type of attack
- IP origin
- Mitigation process
- Flagged annotations of SOC communications
Portal: Real-Time Information
SOC Chat: coordinate directly with the F5 SOC
- Share attack details
- Define the exact mitigations needed
- Chat directly with the F5 SOC
Application Fluency and Detail: application view
- Protocol inspection and statistics
- Mitigation actions
- Flagged annotations of SOC communications
Portal: Configuration and Provisioning
Directly manage configuration via the customer portal:
- Configure Proxy and Routing attributes
- Manage SSL certificates
- Update white-list and black-list information
- Check health status of GRE tunnels
- Administer users and roles
- Download reports and view audit history
Current Integration: Single Vendor, Complete Protection
(Architecture diagram repeated from the "F5 cloud-based scrubbing with hybrid defenses" slide: the cloud scrubbing service in front of the customer's multi-ISP edge with its on-premises threat intelligence feed, next-generation firewall, IPS and strategic point of control, and the network, DNS, SSL and HTTP attack classes listed there.)
F5 Silverline DDoS Protection - Service Options
- Always On: primary protection as the first line of defense. The Always On subscription stops bad traffic from ever reaching your network by continuously processing all traffic through the cloud scrubbing service and returning only legitimate traffic to your network.
- Always Available: primary protection available on demand. The Always Available subscription runs on stand-by and can be initiated when under attack.
Q and A?