Download presentation
Presentation is loading. Please wait.
Published byAnna McElroy Modified over 11 years ago
1
1 SANS Technology Institute - Candidate for Master of Science Degree 1 Leveraging the Load Balancer to Fight DDoS Brough Davis September 2010 GIAC GCIA, GPEN, GCIH, GCFW, GSEC
2
SANS Technology Institute - Candidate for Master of Science Degree 2 Objective DDoS Trends Common Mitigating Methods Load Balancing/ADC Features Conclusion Questions/Comments
3
SANS Technology Institute - Candidate for Master of Science Degree 3 DDoS Trends Arbor Networks World Wide Infrastructure Security Report 2009
4
SANS Technology Institute - Candidate for Master of Science Degree 4 Fear of the Attack Intelligence Bot DDoS options SYN/ICMP Floods, Frag Attacks, invalid header values Application DDoS – HTTP recursive attacks Known Bots with DDoS options Agobot, SDBot, UrxBot Agobot DDoS HTTP Recursive Attack ddos.httpflood [url] [number] [referrer] [recursive = true||false]
5
SANS Technology Institute - Candidate for Master of Science Degree 5 Growing Fear is Slow Growing Arbor Networks World Wide Infrastructure Security Report 2009
6
SANS Technology Institute - Candidate for Master of Science Degree 6 DDoS Vectors/Mitigation
7
SANS Technology Institute - Candidate for Master of Science Degree 7 DDoS Mitigation Options DDoS Commercial Appliances uRPF, RTBH, Backscatter Analysis RFC1918/Bogon ACLs, Rate Limiting Only Allow Critical Services Cloud Scale TCP SYN Cookies, TCPCT WAF/Reverse Proxy - HTTP(S) Applications Reverse Turing Tests (Captcha, JavaScript, etc.)
8
SANS Technology Institute - Candidate for Master of Science Degree 8 The Load Balancing Device Brocade ServerIron Citrix Netscaler Cisco ACE F5 BIGIP
9
SANS Technology Institute - Candidate for Master of Science Degree 9 TCP SYN Cookie/Proxy Brocade ServerIron ServerIron(config)# ip tcp syn-proxy ServerIron(config)#interface e 3/1 ServerIron(config-if-3/1)# ip tcp syn-proxy in ServerIron(config)# server syn-cookie-check-vport Citrix Netscaler SYN Cookies Enabled by Default Cisco ACE host1/C1(config)# interface vlan 100 host1/C1(config-if)# syn-cookie 4096 F5 BIG-IP SYN Cookies triggered after 16,384 connections (Configurable)
10
SANS Technology Institute - Candidate for Master of Science Degree 10 Application Switching csw-rule "r1" version eq "1.0" csw-rule "r2" version eq "1.1" csw-rule "r3" nested-rule "r1 || r2" ! csw-policy p1 match r3 forward 1 default forward 0 ! server virtual-name VIP1 1.1.1.1 port http csw-policy p1 port http csw bind http RS1 http RS2 http ! server real RS1 2.2.2.1 port http port http url "HEAD /" port http group-id 1 1 ! server real RS2 2.2.2.2 port http port http url "HEAD /" port http group-id 1 1 Search for HTTP 1.0 or 1.1 Headers Drop by default. Matched sent to group 1 Apply policy to virtual server service Real servers in group 1
11
Application Switching Real World Example Before –Mixed traffic (large packets, frags, ICMP/UDP, SYN flood, raw tcp 80 full connects) –260+Mbps inbound traffic –1 million current connections to ServerIron (100% CPU) Reaction –Upstream router filter all non TCP/80 traffic –ServerIron syn-pxy feature enabled –Layer 7 Content switching. Drop all TCP 80 traffic without valid HTTP 1.0/1.1 Header Result –ServerIron CPU reduced to 20% with 20,000 Current Connections < 5 minutes. –Inbound traffic dropped to 8 Mbps SANS Technology Institute - Candidate for Master of Science Degree 11
12
SANS Technology Institute - Candidate for Master of Science Degree 12 Cookie Manipulation Citrix Netscaler In the navigation pane, expand System, and click Settings. The System Settings Overview page appears in the right pane. Click Advanced Features. The Configure Advanced Features dialog box appears. Select HTTP DoS Protection check box, click OK, and click Yes on the Enable/Disable Feature(s) dialog box.
13
SANS Technology Institute - Candidate for Master of Science Degree 13 Reverse Turing Tests
14
SANS Technology Institute - Candidate for Master of Science Degree 14 Feature Summary CiscoBrocadeF5Netscaler TCP SYN CookieYES HTTP inspectionYES HTTP Cookie InjectionYES 'human' JS checkNO YES
15
SANS Technology Institute - Candidate for Master of Science Degree 15 Summary Shortfalls –Overworking the Load Balancer/ADC –Finding Legitimate Traffic Future Planning –Know your traffic trends –Involve the developers –Use Everything (Tiered Defense)
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.