Report
Leveraging the Load Balancer to Fight DDoS
Brough Davis
September 2010
GIAC GCIA, GPEN, GCIH, GCFW, GSEC
SANS Technology Institute - Candidate for Master of Science Degree
Objective
• DDoS Trends
• Common Mitigating Methods
• Load Balancing/ADC Features
• Conclusion
• Questions/Comments
DDoS Trends
(Figure: Arbor Networks World Wide Infrastructure Security Report 2009)
Fear of the Attack Intelligence
• Bot DDoS options
– SYN/ICMP floods, fragmentation attacks, invalid header values
– Application DDoS: HTTP recursive attacks
• Known bots with DDoS options
– Agobot, SDBot, UrxBot
• Agobot DDoS HTTP recursive attack command
ddos.httpflood [url] [number] [referrer] [recursive = true||false]
Growing Fear is Slow Growing
(Figure: Arbor Networks World Wide Infrastructure Security Report 2009)
DDoS Vectors/Mitigation
DDoS Mitigation Options
• DDoS commercial appliances
• uRPF, RTBH, backscatter analysis
• RFC1918/bogon ACLs, rate limiting
• Only allow critical services
• Cloud scale
• TCP SYN cookies, TCPCT
• WAF/reverse proxy for HTTP(S) applications
• Reverse Turing tests (CAPTCHA, JavaScript, etc.)
The Load Balancing Device
• Brocade ServerIron
• Citrix Netscaler
• Cisco ACE
• F5 BIG-IP
TCP SYN Cookie/Proxy
Brocade ServerIron
ServerIron(config)# ip tcp syn-proxy
ServerIron(config)# interface e 3/1
ServerIron(config-if-3/1)# ip tcp syn-proxy in
ServerIron(config)# server syn-cookie-check-vport
Citrix Netscaler
SYN Cookies Enabled by Default
Cisco ACE
host1/C1(config)# interface vlan 100
host1/C1(config-if)# syn-cookie 4096
F5 BIG-IP
SYN Cookies triggered after 16,384 connections (Configurable)
Application Switching
csw-rule "r1" version eq "1.0"
csw-rule "r2" version eq "1.1"
csw-rule "r3" nested-rule "r1 || r2"
!
csw-policy p1
match r3 forward 1
default forward 0
!
server virtual-name VIP1 1.1.1.1
port http csw-policy p1
port http csw
bind http RS1 http RS2 http
!
server real RS1 2.2.2.1
port http
port http url "HEAD /"
port http group-id 1 1
!
server real RS2 2.2.2.2
port http
port http url "HEAD /"
port http group-id 1 1
Callouts:
– csw-rule r1 to r3: search for HTTP 1.0 or 1.1 headers
– csw-policy p1: matched traffic is sent to group 1; drop by default
– server virtual-name VIP1: apply the policy to the virtual server service
– server real RS1/RS2: real servers in group 1
Application Switching
Real World Example
• Before
– Mixed traffic (large packets, fragments, ICMP/UDP, SYN flood, raw TCP/80 full connects)
– 260+ Mbps inbound traffic
– 1 million current connections to the ServerIron (100% CPU)
• Reaction
– Upstream router filters all non-TCP/80 traffic
– ServerIron syn-proxy feature enabled
– Layer 7 content switching: drop all TCP/80 traffic without a valid HTTP 1.0/1.1 header
• Result
– ServerIron CPU reduced to 20% with 20,000 current connections in < 5 minutes
– Inbound traffic dropped to 8 Mbps
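The Layer 7 decision behind the csw-rules and the reaction above, written out as an added Python example (not ServerIron code and not part of the original deck): a TCP/80 payload is forwarded to the real-server group only when its request line carries HTTP version 1.0 or 1.1, and everything else (raw full connects, empty sends, non-HTTP bytes) is dropped. The sample payloads are constructed, not captured traffic.

```python
import re

# Same match set as the csw-rules r1/r2 ("version eq 1.0" || "version eq 1.1").
ALLOWED_VERSIONS = {"1.0", "1.1"}

# A well-formed HTTP request line: METHOD SP target SP HTTP/x.y CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d\.\d)\r?\n")

def classify(payload: bytes) -> str:
    """Return 'forward' (to group 1) or 'drop', like csw-policy p1."""
    m = REQUEST_LINE.match(payload)
    if not m:
        # No parseable request line: raw TCP/80 junk, connect-only
        # sessions, or non-HTTP data hit the policy's default (drop).
        return "drop"
    version = m.group(3).decode("ascii")
    return "forward" if version in ALLOWED_VERSIONS else "drop"

def apply_policy(payloads):
    """Run the decision over a batch and count actions per outcome."""
    counts = {"forward": 0, "drop": 0}
    for p in payloads:
        counts[classify(p)] += 1
    return counts

# Constructed sample payloads (hypothetical hostnames, not real traffic).
SAMPLES = [
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",   # forward
    b"HEAD /index.html HTTP/1.0\r\n\r\n",               # forward
    b"GET /\r\n",                 # no version field: drop
    b"\x00\x01\x02junk data",     # raw TCP/80 full connect, no HTTP: drop
    b"",                          # connect-only, nothing sent: drop
    b"GET / HTTP/9.9\r\n\r\n",    # constructed bogus version: drop
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p[:24]!r:32} -> {classify(p)}")
    print(apply_policy(SAMPLES))
```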
Cookie Manipulation
Citrix Netscaler
• In the navigation pane, expand System and click Settings. The System Settings Overview page appears in the right pane.
• Click Advanced Features. The Configure Advanced Features dialog box appears.
• Select the HTTP DoS Protection check box, click OK, and click Yes in the Enable/Disable Feature(s) dialog box.
Reverse Turing Tests
Feature Summary
Feature                 Cisco   Brocade   F5    Netscaler
TCP SYN Cookie          YES     YES       YES   YES
HTTP inspection         YES     YES       YES   YES
HTTP Cookie Injection   YES     YES       YES   YES
'human' JS check        NO      YES       YES   NO
Summary
• Shortfalls
– Overworking the Load Balancer/ADC
– Finding Legitimate Traffic
• Future Planning
– Know your traffic trends
– Involve the developers
– Use Everything (Tiered Defense)