Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 SANS Technology Institute - Candidate for Master of Science Degree 1 Leveraging the Load Balancer to Fight DDoS Brough Davis September 2010 GIAC GCIA,

Published byAnna McElroy Modified over 11 years ago

Similar presentations

Presentation on theme: "1 SANS Technology Institute - Candidate for Master of Science Degree 1 Leveraging the Load Balancer to Fight DDoS Brough Davis September 2010 GIAC GCIA,"— Presentation transcript:

1 1 SANS Technology Institute - Candidate for Master of Science Degree 1 Leveraging the Load Balancer to Fight DDoS Brough Davis September 2010 GIAC GCIA, GPEN, GCIH, GCFW, GSEC

2 SANS Technology Institute - Candidate for Master of Science Degree 2 Objective DDoS Trends Common Mitigating Methods Load Balancing/ADC Features Conclusion Questions/Comments

3 SANS Technology Institute - Candidate for Master of Science Degree 3 DDoS Trends Arbor Networks World Wide Infrastructure Security Report 2009

4 SANS Technology Institute - Candidate for Master of Science Degree 4 Fear of the Attack Intelligence Bot DDoS options SYN/ICMP Floods, Frag Attacks, invalid header values Application DDoS – HTTP recursive attacks Known Bots with DDoS options Agobot, SDBot, UrxBot Agobot DDoS HTTP Recursive Attack ddos.httpflood [url] [number] [referrer] [recursive = true||false]

5 SANS Technology Institute - Candidate for Master of Science Degree 5 Growing Fear is Slow Growing Arbor Networks World Wide Infrastructure Security Report 2009

6 SANS Technology Institute - Candidate for Master of Science Degree 6 DDoS Vectors/Mitigation

7 SANS Technology Institute - Candidate for Master of Science Degree 7 DDoS Mitigation Options DDoS Commercial Appliances uRPF, RTBH, Backscatter Analysis RFC1918/Bogon ACLs, Rate Limiting Only Allow Critical Services Cloud Scale TCP SYN Cookies, TCPCT WAF/Reverse Proxy - HTTP(S) Applications Reverse Turing Tests (Captcha, JavaScript, etc.)

8 SANS Technology Institute - Candidate for Master of Science Degree 8 The Load Balancing Device Brocade ServerIron Citrix Netscaler Cisco ACE F5 BIGIP

9 SANS Technology Institute - Candidate for Master of Science Degree 9 TCP SYN Cookie/Proxy Brocade ServerIron ServerIron(config)# ip tcp syn-proxy ServerIron(config)#interface e 3/1 ServerIron(config-if-3/1)# ip tcp syn-proxy in ServerIron(config)# server syn-cookie-check-vport Citrix Netscaler SYN Cookies Enabled by Default Cisco ACE host1/C1(config)# interface vlan 100 host1/C1(config-if)# syn-cookie 4096 F5 BIG-IP SYN Cookies triggered after 16,384 connections (Configurable)

10 SANS Technology Institute - Candidate for Master of Science Degree 10 Application Switching csw-rule "r1" version eq "1.0" csw-rule "r2" version eq "1.1" csw-rule "r3" nested-rule "r1 || r2" ! csw-policy p1 match r3 forward 1 default forward 0 ! server virtual-name VIP1 1.1.1.1 port http csw-policy p1 port http csw bind http RS1 http RS2 http ! server real RS1 2.2.2.1 port http port http url "HEAD /" port http group-id 1 1 ! server real RS2 2.2.2.2 port http port http url "HEAD /" port http group-id 1 1 Search for HTTP 1.0 or 1.1 Headers Drop by default. Matched sent to group 1 Apply policy to virtual server service Real servers in group 1

11 Application Switching Real World Example Before –Mixed traffic (large packets, frags, ICMP/UDP, SYN flood, raw tcp 80 full connects) –260+Mbps inbound traffic –1 million current connections to ServerIron (100% CPU) Reaction –Upstream router filter all non TCP/80 traffic –ServerIron syn-pxy feature enabled –Layer 7 Content switching. Drop all TCP 80 traffic without valid HTTP 1.0/1.1 Header Result –ServerIron CPU reduced to 20% with 20,000 Current Connections < 5 minutes. –Inbound traffic dropped to 8 Mbps SANS Technology Institute - Candidate for Master of Science Degree 11

12 SANS Technology Institute - Candidate for Master of Science Degree 12 Cookie Manipulation Citrix Netscaler In the navigation pane, expand System, and click Settings. The System Settings Overview page appears in the right pane. Click Advanced Features. The Configure Advanced Features dialog box appears. Select HTTP DoS Protection check box, click OK, and click Yes on the Enable/Disable Feature(s) dialog box.

13 SANS Technology Institute - Candidate for Master of Science Degree 13 Reverse Turing Tests

14 SANS Technology Institute - Candidate for Master of Science Degree 14 Feature Summary CiscoBrocadeF5Netscaler TCP SYN CookieYES HTTP inspectionYES HTTP Cookie InjectionYES 'human' JS checkNO YES

15 SANS Technology Institute - Candidate for Master of Science Degree 15 Summary Shortfalls –Overworking the Load Balancer/ADC –Finding Legitimate Traffic Future Planning –Know your traffic trends –Involve the developers –Use Everything (Tiered Defense)

Download ppt "1 SANS Technology Institute - Candidate for Master of Science Degree 1 Leveraging the Load Balancer to Fight DDoS Brough Davis September 2010 GIAC GCIA,"

Similar presentations

What’s New in Fireware XTM v11.3.2

What’s New in Fireware XTM v11.3.2
Ethernet Switch Features Important to EtherNet/IP

Ethernet Switch Features Important to EtherNet/IP
Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
09999/2106 Practical Experiences Overcoming Firewalls and Limited Bandwidth for H.323 Video Conferencing AREN.

09999/2106 Practical Experiences Overcoming Firewalls and Limited Bandwidth for H.323 Video Conferencing AREN.
Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Chapter 1: Introduction to Scaling Networks

Chapter 1: Introduction to Scaling Networks
Access Control List (ACL)

Access Control List (ACL)
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.23-1 Frame-Mode MPLS Implementation on Cisco IOS Platforms Troubleshooting Frame-Mode MPLS on Cisco.

© 2006 Cisco Systems, Inc. All rights reserved. MPLS v Frame-Mode MPLS Implementation on Cisco IOS Platforms Troubleshooting Frame-Mode MPLS on Cisco.
Configuring and Troubleshooting ACLs

Configuring and Troubleshooting ACLs
1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
Chapter 2 Static Routing – Part 2 CIS 82 Routing Protocols and Concepts Rick Graziani Cabrillo College Last Updated: 2/22/2009.

Chapter 2 Static Routing – Part 2 CIS 82 Routing Protocols and Concepts Rick Graziani Cabrillo College Last Updated: 2/22/2009.
Microsoft Internet Security and Acceleration (ISA) Server 2004 Technical Overview

Microsoft Internet Security and Acceleration (ISA) Server 2004 Technical Overview
1 A Study on SYN Flooding Student: Tao-Wei Huang Advisor: Prof. Wen-Nung Tasi 2001/06/13.

1 A Study on SYN Flooding Student: Tao-Wei Huang Advisor: Prof. Wen-Nung Tasi 2001/06/13.
Mitigating Layer 2 Attacks

Mitigating Layer 2 Attacks
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—2-1 Extending Switched Networks with Virtual LANs Introducing VLAN Operations.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—2-1 Extending Switched Networks with Virtual LANs Introducing VLAN Operations.
06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.
© 2011 Infoblox Inc. All Rights Reserved. Infoblox – control, secure & automate Mike Carroll.

© 2011 Infoblox Inc. All Rights Reserved. Infoblox – control, secure & automate Mike Carroll.
Chapter 9: Access Control Lists

Chapter 9: Access Control Lists
 The Citrix Application Firewall prevents security breaches, data loss, and possible unauthorized modifications to Web sites that access sensitive business.

 The Citrix Application Firewall prevents security breaches, data loss, and possible unauthorized modifications to Web sites that access sensitive business.

Similar presentations

Ads by Google