F5 Friday: Multi-Layer Security for Multi-Layer Attacks

Modern DoS attacks are distributed, diverse and cross the chasm that divides network components from application infrastructure. A unified application delivery platform with multi-layer visibility is the best way to detect and mitigate multi-layer attacks.

The WikiLeaks attacks have taught us that information security strategies must evolve to keep up with the ever-changing attack vectors leveraged against web applications and web sites across the Internet. It’s no longer enough to protect against attack X or Y; it’s now necessary to protect against both – simultaneously.

Because of the role F5 BIG-IP solutions play in application delivery (application delivery controllers didn’t go through a phase of wanting to be called “application front-ends” for no reason) they are always “in the line of fire” and as such they are the first line of defense against such attacks. In some architectures they are the only line of defense. Sound crazy? It's not. During this last round of attacks by Anonymous we've seen firewalls unable to handle the load in the field and subsequently they've been replaced entirely with BIG-IPs, thus enabling the protected site to recover availability and go on about its business. We've been the primary defense against Anonymous' attacks at a number of targeted sites and no, you haven't heard about them because they remained available despite the attack.

This is a heady responsibility and means that BIG-IP must not only protect the applications it delivers from the deleterious impact of any denial of service attack, but it must also itself be hardened against such attacks.

BIG-IP systems are designed to bridge the gap that exists between the network and the application, and that means it has visibility into both. As a result, the core BIG-IP platform is capable of detecting and preventing a wide variety of network and application-focused attacks, many of which have been leveraged by Anonymous in its attacks. BIG-IP ASM (Application Security Manager) further detects and prevents many application-specific attacks. And for zero-day attacks or those which have no “industry” solution, the network-side scripting capabilities (iRules) enables security and network professionals to craft one – as fast as they can type.

But enough high-level markety type speak. Let’s get down to nuts and bolts, shall we?

BIG-IP PLATFORM PROTECTIONS

The BIG-IP® platform contains several features and configurations that provide the ability to create a configuration that contributes to the security of your network. In particular, the BIG-IP system is in a unique position to mitigate some types of denial-of-service (DoS) attacks that try to consume system resources in order to deny service to the intended recipients.

The following features of the BIG-IP system help it resist many types of DoS attacks:

Hardened and dedicated kernel
The BIG-IP kernel has a mechanism built in to protect against SYN Flood attacks by limiting simultaneous connections, and tearing down connections that have unacknowledged SYN/ACK packets after some time period as passed. (A SYN/ACK packet is a packet that is sent as part of the TCP three-way handshake).
High performance
BIG-IP platform can handle tens of thousands of Layer 4 (L4) connections per second. It would take a very determined attack to affect either the BIG-IP platform itself, or the site, if sufficient server resources and bandwidth are available.
Large amount of available memory
SYN floods, or denial-of-service (DoS) attacks, can consume all available memory. The BIG-IP platform supports a large amount of
memory to help it resist DoS attacks.

NETWORK AND TRANSPORT LAYER ATTACK PROTECTION

Additionally, BIG-IP is capable of connection reaping, a technique in which connections are removed when the connection load uses enough memory to trigger the start of aggressive reaping. To prevent denial-of-service attacks, a low- and high-water mark threshold can be specified that controls this reaping process. The low-water mark threshold determines at what point adaptive reaping becomes more aggressive while the high-water mark threshold determines when new (unestablished) connections through the BIG-IP will no longer be allowed.

Additional options to assist in defeating DoS attacks include rate classes, which limit the rate at which clients may make requests, and connection limits on the virtual server (which represents the web site/application under attack). To calculate a connection limit for an application you can use the following formula:

Connection Limit = Approximate Amount of RAM in KB * 0.8.

For example, if you have 256 MB of RAM, the calculation looks like this: 256,000 * 0.8 = 204800. In this case, you set the connection limit to 204800.

The reason it is important that BIG-IP protect itself against these attacks is that its position in the data center is such that it acts as an intermediary. As a full-proxy solution its ability to offload TCP connections from servers is often leveraged as a means to improve performance and capacity of web/application servers. This means that BIG-IP bears the brunt of the connection load on a high volume web site/application and must be able to handle high volumes and protect itself as the pools of servers it manages are inherently protected from connection overload.

Customers are encouraged to read more about configuring BIG-IP to mitigate denial of service (and other attacks) in the BIG-IP LTM Implementations manual.

APPLICATION-SPECIFIC ATTACK PREVENTION

One of the reasons Anonymous has been so successful thus far in disrupting service is that its DoS strategy goes beyond the more easily detectable (and preventable) network and transport layer attacks, i.e. SYN flood, ICMP flood, etc…, and into the more hazy area of application-layer attacks such as HTTP GET flooding and SlowLoris. These attacks are more difficult to detect because they make legitimate requests. It is nearly impossible for most network components (and applications) to determine whether a legitimate request is part of an attack or a normal user session. This is because most network components and applications lack the visibility and context required to make such a determination. An application delivery controller, however, has both because it sees all requests and request patterns and monitors communications between clients and the applications.

Because of this especial visibility and awareness, BIG-IP and its security-focused modules – such as ASM (Application Security Manager) – can detect attacks against applications that take the form of legitimate requests. Application Security Manager considers traffic to be a DoS attack based on calculations for transaction rate (TPS-based) or latency (latency-based) as configured by the customer.

DoS attacks are often carried out by scripts, and as such can often be detected using intelligent inspection of requests and, if necessary, by requiring the client to prove it is, in fact, a “real” client. ASM can be configured to determine whether a client is a legal browser or offensive script by injecting JavaScript into responses. Legal browsers process the JavaScript and respond properly, whereas illegal scripts cannot. Such script-based determination of veracity of requests can be triggered by the requests of certain URLs or the behavior of the client.

Additionally, innovative solutions to detecting and preventing attacks may be implemented by customers themselves by leveraging iRules. There are myriad attacks against which such a network-side scripting solution can be – and have been - used. A few examples:

Customers are encouraged to explore the variety of protections and options in the Configuration Guide to ASM.

MULTI-LAYER PROTECTION against MULTI-LAYER ATTACKS

I could go on (and on and on) about all the ways in which BIG-IP products can mitigate multi-layer distributed denial of service attacks but what I want folks to walk away with from this post is that traditional security strategies comprising single points of security, chained together across the infrastructure, are no longer enough to stop the increasingly complex and highly varied attacks that we will see thanks to Anonymous. What’s required is an integrated solution that spans both the network and application layers and has the visibility to detect and the means to subsequently prevent such attacks from negatively impacting the application and network infrastructure.

These attacks are targeting applications, and the implications of a successful attack are profound and, in some cases, potentially expensive. New tactics to protect against these attacks are necessary – one that is as comprehensive in covering the entire network stack from top to bottom as the attacks it must detect and stop. A unified application delivery platform like BIG-IP provides the comprehensive coverage and visibility necessary to assure availability in the face of a multi-layered attack.

Published Dec 17, 2010

Version 1.0