
Leveraging the Load Balancer to Fight DDoS



Presentation Transcript


  1. Leveraging the Load Balancer to Fight DDoS
  Brough Davis, September 2010
  GIAC GCIA, GPEN, GCIH, GCFW, GSEC
  SANS Technology Institute - Candidate for Master of Science Degree

  2. Objective
  • DDoS Trends
  • Common Mitigating Methods
  • Load Balancing/ADC Features
  • Conclusion
  • Questions/Comments

  3. DDoS Trends
  (Chart: Arbor Networks World Wide Infrastructure Security Report 2009)

  4. Fear of the Attack Intelligence
  • Bot DDoS options
    • SYN/ICMP floods, frag attacks, invalid header values
    • Application DDoS – HTTP recursive attacks
  • Known bots with DDoS options
    • Agobot, SDBot, UrxBot
  • Agobot DDoS HTTP recursive attack:
    ddos.httpflood [url] [number] [referrer] [recursive = true||false]

  5. Growing Fear is Slow Growing
  (Chart: Arbor Networks World Wide Infrastructure Security Report 2009)

  6. DDoS Vectors/Mitigation

  7. DDoS Mitigation Options
  • DDoS commercial appliances
  • uRPF, RTBH, backscatter analysis
  • RFC1918/bogon ACLs, rate limiting
  • Only allow critical services
  • Cloud scale
  • TCP SYN cookies, TCPCT
  • WAF/reverse proxy - HTTP(S) applications
  • Reverse Turing tests (CAPTCHA, JavaScript, etc.)

  8. The Load Balancing Device
  • Brocade ServerIron
  • Citrix Netscaler
  • Cisco ACE
  • F5 BIG-IP

  9. TCP SYN Cookie/Proxy
  Brocade ServerIron:
    ServerIron(config)# ip tcp syn-proxy
    ServerIron(config)# interface e 3/1
    ServerIron(config-if-3/1)# ip tcp syn-proxy in
    ServerIron(config)# server syn-cookie-check-vport
  Citrix Netscaler: SYN cookies enabled by default
  Cisco ACE:
    host1/C1(config)# interface vlan 100
    host1/C1(config-if)# syn-cookie 4096
  F5 BIG-IP: SYN cookies triggered after 16,384 connections (configurable)
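The commands above switch on each vendor's SYN cookie or SYN proxy feature but say nothing about what the feature does internally. The following Python is an added example, not code from the deck or from any of the listed vendors: a simplified SYN cookie in the style of the classic scheme, where the initial sequence number of the SYN-ACK carries a 5-bit time counter, a 3-bit MSS table index and a 24-bit keyed hash of the 4-tuple, so the device keeps no per-SYN state until a client completes the handshake with an ACK that validates. The secret, the MSS table and the exact bit layout are assumptions for illustration; the addresses and ports in the demo are constructed.

```python
import hashlib
import hmac
import struct

# Constructed example: a simplified SYN cookie modelled on the classic scheme
# (5-bit counter, 3-bit MSS index, 24-bit keyed hash). Not any vendor's code.
SECRET = b"constructed-secret-rotate-this-in-practice"   # assumption
MSS_TABLE = [536, 1024, 1220, 1440, 1460, 4312, 8960, 9000]  # ascending, 8 entries -> 3 bits

COUNTER_BITS = 5      # top 5 bits of the ISN carry the time counter
MSS_BITS = 3          # next 3 bits carry the MSS table index
HASH_MASK = 0xFFFFFF  # low 24 bits carry the keyed hash


def _hash24(src: bytes, dst: bytes, sport: int, dport: int, t: int) -> int:
    """Keyed hash over the 4-tuple and the 5-bit counter, truncated to 24 bits."""
    msg = struct.pack("!4s4sHHB", src, dst, sport, dport, t)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def _mss_index(mss: int) -> int:
    """Largest table entry not exceeding the client's MSS; clamps to index 0 below the table."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def make_syn_cookie(src: bytes, dst: bytes, sport: int, dport: int, mss: int, counter: int) -> int:
    """Build the ISN for the SYN-ACK. Nothing is stored: the cookie itself is the state."""
    t = counter & ((1 << COUNTER_BITS) - 1)
    m = _mss_index(mss)
    return ((t << 27) | (m << 24) | _hash24(src, dst, sport, dport, t)) & 0xFFFFFFFF


def check_syn_cookie(src: bytes, dst: bytes, sport: int, dport: int,
                     ack: int, counter: int, max_age: int = 3):
    """Validate the handshake-completing ACK. Returns the recovered MSS, or None.

    Only after this succeeds does a SYN proxy allocate connection state and
    open the connection to the real server, which is what keeps a SYN flood
    from exhausting the back end.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    t = cookie >> 27
    m = (cookie >> 24) & ((1 << MSS_BITS) - 1)
    if (cookie & HASH_MASK) != _hash24(src, dst, sport, dport, t):
        return None  # forged or corrupted ACK: it does not carry our hash
    age = (counter - t) & ((1 << COUNTER_BITS) - 1)  # tolerates counter wrap
    if age > max_age:
        return None  # stale cookie: the counter has moved on too far
    return MSS_TABLE[m]


if __name__ == "__main__":
    # Constructed client 10.0.0.1:40000 -> VIP 192.168.1.10:80
    src, dst = b"\x0a\x00\x00\x01", b"\xc0\xa8\x01\x0a"
    isn = make_syn_cookie(src, dst, 40000, 80, 1460, counter=7)
    print("SYN-ACK ISN: 0x%08x" % isn)
    print("ACK two ticks later:", check_syn_cookie(src, dst, 40000, 80, isn + 1, counter=9))
    print("ACK five ticks later:", check_syn_cookie(src, dst, 40000, 80, isn + 1, counter=12))
    print("ACK with one bit flipped:", check_syn_cookie(src, dst, 40000, 80, (isn ^ 1) + 1, counter=7))
```

The design point worth noticing is the trade the feature makes: the MSS is squeezed into three bits and most TCP options are lost for the connection, which is why appliances such as the F5 note above only engage cookies past a connection threshold rather than all the time.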

  10. Application Switching
  Search for HTTP 1.0 or 1.1 headers:

    csw-rule "r1" version eq "1.0"
    csw-rule "r2" version eq "1.1"
    csw-rule "r3" nested-rule "r1 || r2"
    !
    csw-policy p1                       (drop by default; matched traffic is sent to group 1)
     match r3 forward 1
     default forward 0
    !
    server virtual-name VIP1 1.1.1.1    (apply the policy to the virtual server service)
     port http
     port http csw-policy p1
     port http csw
     bind http RS1 http RS2 http
    !
    server real RS1 2.2.2.1             (real servers in group 1)
     port http
     port http url "HEAD /"
     port http group-id 1 1
    !
    server real RS2 2.2.2.2
     port http
     port http url "HEAD /"
     port http group-id 1 1

  11. Application Switching: Real World Example
  • Before
    • Mixed traffic (large packets, frags, ICMP/UDP, SYN flood, raw TCP 80 full connects)
    • 260+ Mbps inbound traffic
    • 1 million current connections to ServerIron (100% CPU)
  • Reaction
    • Upstream router filters all non-TCP/80 traffic
    • ServerIron syn-pxy feature enabled
    • Layer 7 content switching: drop all TCP 80 traffic without a valid HTTP 1.0/1.1 header
  • Result
    • ServerIron CPU reduced to 20% with 20,000 current connections in < 5 minutes
    • Inbound traffic dropped to 8 Mbps
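The csw rules on slide 10 and the "drop all TCP 80 traffic without a valid HTTP 1.0/1.1 header" step on slide 11 express one layer-7 test: forward a connection only if its first bytes form an HTTP/1.0 or HTTP/1.1 request line, and drop everything else by default. The Python below is an added example of that test, not Brocade code and not from the deck; it applies the same forward/drop decision to a constructed batch of first-segment payloads so you can see which of the flood components listed on slide 11 (raw TCP 80 full connects, non-HTTP junk) the rule discards and which legitimate requests it passes. The request-line regex and the sample payloads are my own.

```python
import re
from collections import Counter

# Constructed example of the layer-7 check that csw-rule r1/r2/r3 and
# csw-policy p1 express. Not Brocade code; the regex is an assumption.
REQUEST_LINE = re.compile(rb"^([A-Z]{3,8}) ([^ \r\n]{1,2048}) HTTP/(1\.[01])\r\n")
ACCEPTED_VERSIONS = ("1.0", "1.1")   # csw-rule r1 and r2


def http_version(payload: bytes):
    """Version string from a well-formed request line, or None if the bytes
    do not start with '<METHOD> <target> HTTP/1.0|1.1\\r\\n'."""
    m = REQUEST_LINE.match(payload)
    return m.group(3).decode("ascii") if m else None


def csw_decision(payload: bytes) -> str:
    """Mirror csw-policy p1: r3 = r1 || r2 -> forward to group 1; default -> drop."""
    if http_version(payload) in ACCEPTED_VERSIONS:
        return "forward group 1"
    return "drop"


# Constructed samples of what the first data segment of a TCP/80 connection might hold.
SAMPLE_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",  # legitimate 1.1 request
    b"HEAD / HTTP/1.0\r\n\r\n",                                    # legitimate 1.0 request
    b"\x00\x00\x00\x17\x03\x01junk",                               # raw bytes, not HTTP
    b"GET /\r\n",                                                  # HTTP/0.9: no version field
    b"GET / HTTP/2.0\r\n",                                         # version outside r1/r2
    b"get / HTTP/1.1\r\n",                                         # methods are case-sensitive
    b"GET / HTTP/1.1\n",                                           # bare LF: strict rule drops it
]


def tally(payloads) -> Counter:
    """Count decisions over a batch, the way you would summarise a capture mid-incident."""
    return Counter(csw_decision(p) for p in payloads)


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print("%-16s %r" % (csw_decision(p), p[:32]))
    print(dict(tally(SAMPLE_PAYLOADS)))
```

Two caveats the example makes visible. First, a real appliance must hold the connection (or the SYN proxy must complete the handshake) until enough bytes arrive to evaluate the rule, so the check costs memory per connection and is what slide 15 means by overworking the device. Second, the bare-LF case shows that a strict match also drops some sloppy but non-malicious clients; whether that is acceptable is a decision about the traffic you know you serve, not a property of the rule.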

  12. Citrix Netscaler
  • In the navigation pane, expand System, and click Settings. The System Settings Overview page appears in the right pane.
  • Click Advanced Features. The Configure Advanced Features dialog box appears.
  • Select the HTTP DoS Protection check box, click OK, and click Yes on the Enable/Disable Feature(s) dialog box.
  • Cookie Manipulation

  13. Reverse Turing Tests

  14. Feature Summary

  15. Summary
  • Shortfalls
    • Overworking the Load Balancer/ADC
    • Finding legitimate traffic
  • Future Planning
    • Know your traffic trends
    • Involve the developers
    • Use everything (tiered defense)
