Service Provider DDoS solutions overview

[Figure: end-to-end service provider topology. Internet peering routers front a cloud scrubbing service (Silverline); edge routers connect to the IP/MPLS backbone; mobile broadband (radio access, PGW, Gi firewall with L4 DDoS), fixed broadband (DSL/FTTH and cable CMTS behind a BNG, CG firewall with L4 DDoS) and enterprise sites with CPE hang off the backbone; the provider data center (control, management, applications) sits behind inline L4-L7 DDoS protection. Numbered protection points shown in the figure:]
1. Protect international transit links
2. Inline L4-L7 DDoS for control plane elements and application servers
3. CG Firewall with L4 DDoS and optional CGNAT, DNS, …
4. Gi Firewall with L4 DDoS (GiFW) and optional CGNAT, DNS, …
DNS Demand

[Chart: average daily query load for DNS (.COM/.NET), in billions, 2011-2015; individual bar values are not recoverable from the extraction apart from the largest, 82]

• AVERAGE DAILY QUERY LOAD FOR DNS (.COM/.NET)
• DNSSEC DEPLOYMENT EXPANDING
• 100+ DNS QUERIES FOR A SINGLE WEB PAGE
• ONE OF THE MOST ATTACKED PROTOCOLS
• GLOBAL MOBILE DATA = DNS GROWTH: 18x growth 2011-2016; 4G LTE 2.4 GB/month versus non-4G LTE 86 MB/month
• DISTRIBUTED, HIGH-PERFORMANCE NEEDS

Supporting points on the slide: reflection/amplification DDoS; cache poisoning attacks; drive for DNSSEC adoption; total app and service availability; geographically dispersed DNS capacity close to clients.
Denial of Service Attacks - DNS
Why is DNS popular for DDoS?
• Widely used protocol, open on firewalls, open recursion
• DNS is based on UDP
• DNS DDoS often uses spoofed sources
• Large amplification factor (100x), using open resolvers or the ANY query type against an authoritative NS
Traditional mitigations are failing
• Using an ACL blocks legitimate clients
• DNS attacks use massive volumes of source addresses, breaking many firewalls
Denial of Service attacks targeting DNS infrastructure are often complex, and standard tools cannot provide an adequate response that mitigates them without inhibiting the ability of DNS to do its job.
DNS Flood
Synopsis: Many attackers or botnets flood an authoritative name server, attempting to exceed its capacity. Dropped responses = reduced or no site availability.
Mitigation – PERFORMANCE, PERFORMANCE, …
• F5 offers exceptional DNS capacity, over 2M RPS for an appliance and over 20M RPS for a chassis. Additionally, Rapid Response Mode can double this during the attack.
• Identify unusually high traffic patterns to specific clients using F5 DNS DDoS Profiles - ICSA-certified FW with support for 30+ DDoS vectors
• Use DNS Anycast to distribute the load between regional DCs
[Figure: DNS requests flooding the target DNS infrastructure, with DNS responses flowing back]
DNS Amplification Attack
[Figure: small DNS requests with a spoofed source address produce large DNS responses aimed at the target site]
Synopsis: By spoofing a UDP source address, attackers can target a common source. By requesting large record types (ANY, DNSSEC, etc.), a 36-byte request can result in a response over 100 times larger.
Mitigation
• DNS request type validation – force TCP in case of type ANY
• BIG-IP supports DNS type ACLs - filters for acceptable DNS query types
• Identify unusually high traffic patterns to specific clients or from specific sources via DNS DoS Profiles and apply mitigations
• Drop all unsolicited responses (BIG-IP’s default behavior)
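The two mitigations above, a query-type ACL and forcing ANY over UDP onto TCP, can be shown on the wire. The following is an added example, not F5 code and not the BIG-IP DNS type ACL implementation: it parses the question section of a raw DNS query, drops types outside an assumed allow-list (ALLOWED_QTYPES is an assumption chosen for the example), and answers a UDP ANY query with an empty reply that has the TC bit set, so a real client retries over TCP while a spoofed-source reflection request gets no amplification. The sample queries are constructed with build_query.

```python
import struct

# DNS query types used below (RFC 1035 / RFC 3596 values)
QTYPE_A, QTYPE_NS, QTYPE_SOA, QTYPE_PTR = 1, 2, 6, 12
QTYPE_MX, QTYPE_TXT, QTYPE_AAAA, QTYPE_ANY = 15, 16, 28, 255

# Assumed allow-list of acceptable query types (an assumption for this
# example; a real DNS type ACL is tuned per zone and per deployment).
ALLOWED_QTYPES = {QTYPE_A, QTYPE_NS, QTYPE_SOA, QTYPE_PTR, QTYPE_MX, QTYPE_TXT, QTYPE_AAAA}

FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100


def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Build a minimal one-question DNS query (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(packet):
    """Return (txid, flags, qname, qtype, end_of_question) for a one-question message."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a query name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, flags, ".".join(labels), qtype, pos + 4


def decide(packet, transport):
    """Policy for one inbound query: 'forward', 'drop' or 'truncate'.

    ANY over UDP is answered with TC=1 so a genuine client retries over TCP,
    which a spoofed-source reflector cannot do; types outside the ACL are dropped.
    """
    _, _, _, qtype, _ = parse_question(packet)
    if qtype == QTYPE_ANY:
        return "truncate" if transport == "udp" else "forward"
    if qtype not in ALLOWED_QTYPES:
        return "drop"
    return "forward"


def truncated_response(packet):
    """Build the empty, truncated reply that forces the TCP retry."""
    txid, _, _, _, qend = parse_question(packet)
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_TC | FLAG_RD, 1, 0, 0, 0)
    return header + packet[12:qend]  # echo the question section only


def is_truncated(response):
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & FLAG_TC)


if __name__ == "__main__":
    for name, qtype, transport in [("example.com", QTYPE_ANY, "udp"),
                                   ("example.com", QTYPE_ANY, "tcp"),
                                   ("example.com", QTYPE_A, "udp"),
                                   ("example.com", 99, "udp")]:
        pkt = build_query(name, qtype)
        print(name, qtype, transport, "->", decide(pkt, transport))
```

The truncated reply is tiny (header plus the echoed question), so even a spoofed ANY query yields less than it cost to send; that is the property the "force TCP for ANY" rule relies on.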
Random Sub-domain / NXDOMAIN
[Figure: attackers and web bots send queries such as <randomstring>.www.example.com and <anotherstring>.www.example.com through open resolvers to the target DNS; each name either does not exist or exists, and the target shows increased outbound NXDOMAIN and SERVFAIL responses]
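A random-subdomain attack leaves a behavioral signature on the authoritative side: one source (or one open resolver) generates a stream of never-repeated leftmost labels under the victim zone, almost all of which return NXDOMAIN or SERVFAIL. The following added example, not F5 code and not how BIG-IP behavioral DNS DoS detection is implemented, runs that heuristic over constructed log lines (the src/qname/rcode format and the addresses are assumptions for the example): per source it counts queries under the zone, the failing share, and distinct failing labels, and flags sources above a ratio threshold once they have sent enough queries to judge.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(r"src=(\S+)\s+qname=(\S+)\s+rcode=(\S+)")

# Constructed sample log lines (not from the page). 198.51.100.7 plays the
# random-subdomain source against example.com; 192.0.2.10 is an ordinary
# client with one typo; 203.0.113.5 has sent too little to judge.
SAMPLE_LOG = """\
src=192.0.2.10 qname=www.example.com rcode=NOERROR
src=192.0.2.10 qname=mail.example.com rcode=NOERROR
src=192.0.2.10 qname=wwww.example.com rcode=NXDOMAIN
src=192.0.2.10 qname=www.example.com rcode=NOERROR
src=192.0.2.10 qname=www.example.com rcode=NOERROR
src=198.51.100.7 qname=a1b2c3.www.example.com rcode=NXDOMAIN
src=198.51.100.7 qname=x9y8z7.www.example.com rcode=NXDOMAIN
src=198.51.100.7 qname=qwe123.www.example.com rcode=NXDOMAIN
src=198.51.100.7 qname=rty456.www.example.com rcode=SERVFAIL
src=198.51.100.7 qname=uio789.www.example.com rcode=NXDOMAIN
src=198.51.100.7 qname=asd012.www.example.com rcode=NXDOMAIN
src=198.51.100.7 qname=fgh345.www.example.com rcode=NXDOMAIN
src=198.51.100.7 qname=jkl678.www.example.com rcode=NXDOMAIN
src=198.51.100.7 qname=zxc901.www.example.com rcode=NXDOMAIN
src=198.51.100.7 qname=vbn234.www.example.com rcode=NXDOMAIN
src=198.51.100.7 qname=www.example.com rcode=NOERROR
src=198.51.100.7 qname=www.example.com rcode=NOERROR
src=203.0.113.5 qname=foo.www.example.com rcode=NXDOMAIN
src=203.0.113.5 qname=bar.www.example.com rcode=NXDOMAIN
"""

FAILED_RCODES = {"NXDOMAIN", "SERVFAIL"}


def parse_log(text):
    """Yield (src, qname, rcode) for every parseable line; qname is normalised."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower().rstrip("."), m.group(3)


def analyse(text, zone, min_queries=5, fail_ratio=0.8):
    """Flag sources whose queries under `zone` are mostly NXDOMAIN/SERVFAIL.

    Returns {src: {"total", "failed", "distinct_labels", "fail_ratio"}} for
    sources with at least `min_queries` queries and a failing share >= fail_ratio.
    """
    zone = zone.lower().rstrip(".")
    suffix = "." + zone
    per_src = defaultdict(lambda: {"total": 0, "failed": 0, "labels": set()})
    for src, qname, rcode in parse_log(text):
        if qname != zone and not qname.endswith(suffix):
            continue  # not our zone, ignore
        s = per_src[src]
        s["total"] += 1
        if rcode in FAILED_RCODES:
            s["failed"] += 1
            # leftmost label of the failing name, e.g. "a1b2c3" from a1b2c3.www.example.com
            leftmost = qname[:-len(suffix)].split(".")[0] if qname != zone else ""
            s["labels"].add(leftmost)
    flagged = {}
    for src, s in per_src.items():
        if s["total"] < min_queries:
            continue
        ratio = s["failed"] / s["total"]
        if ratio >= fail_ratio:
            flagged[src] = {"total": s["total"], "failed": s["failed"],
                            "distinct_labels": len(s["labels"]),
                            "fail_ratio": round(ratio, 3)}
    return flagged


if __name__ == "__main__":
    for src, info in analyse(SAMPLE_LOG, "example.com").items():
        print(src, info)
```

The min_queries floor matters: a client that mistypes one name has a 100% failure ratio after one query, so the ratio alone would produce false positives. The distinct_labels count is what separates a random-subdomain flood from a client retrying the same wrong name.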
NXDOMAIN DDoS: DMARC
• Domain-based message authentication, reporting, and conformance (DMARC) is a mechanism for improving mail handling by mail-receiving organizations.
• The _dmarc DDoS attack vector is interesting in that it makes use of Google’s and Yahoo’s legitimate DNS servers to launch a DDoS attack on another entity’s DNS infrastructure
https://devcentral.f5.com/d/a-new-twist-on-dns-nxdomain-ddos-dmarc-attack-vector-analysis
DNS the F5 Way

Conventional DNS Thinking
[Figure: Internet → external firewall → DMZ with DNS load balancing and an array of DNS servers → internal firewall → hidden master DNS in the datacenter]
• Traditional DNS servers with vulnerabilities
• Adding performance = adding DNS boxes
• Weak DoS/DDoS protection
• Firewall is THE bottleneck

F5 DNS Delivery Reimagined
[Figure: Internet → BIG-IP DNS → master DNS infrastructure. BIG-IP DNS functions shown: DNS Firewall, DNS DDoS Protection, Protocol Validation, Authoritative DNS, Caching Resolver, Transparent Caching, High Performance DNSSEC, DNSSEC Validation, Intelligent GSLB]
BIG-IP DNS
• Massive performance, over 20M RPS!
• Double the maximum query responses in Rapid Response Mode
• Consolidation: LDNS integration for higher scale
• DoS / DDoS protection included
• Less CAPEX and OPEX
Mitigate Malicious Communication
• Prevent malware and sites hosting malicious content from ever communicating with a client
• Inhibit the threat at the earliest opportunity ‒ Internet activity starts with a DNS request
• Mitigate DNS threats by blocking access to malicious IPs
• Reduce malware and virus infections
[Figure: DNS with domain reputation driven by a Response Policy Zone (RPZ) feed, and IP reputation / URL categorisation driven by an IP Intelligence / URL categories feed]
F5 DNS Firewall Services
Complete DNS Protection & Performance with F5
[Figure: devices on the Internet → BIG-IP DNS Firewall (with LDNS) in the DMZ → DNS servers and apps in the data center]
• DNS DDoS mitigation with DNS Express
• Protocol inspection and validation
• DNS record type ACL*
• Block access to malicious IPs
• High performance DNS cache
• RPZ – outbound domain filtering
• Stateful – never accepts unsolicited responses
• ICSA certified - deployment in the DMZ
• Scale across devices – IP Anycast
• Secure responses – DNSSEC
• Complete DNS control – iRules
• DDoS threshold alerting*
• DNS logging and reporting
• Hardened F5 DNS code – NOT BIND
*Requires provisioning only BIG-IP® Advanced Firewall Manager™ to access functionality.
AFM DDoS detection and mitigation
F5 Carrier Class Network Firewall provides multi-layer security protection
• Comprehensive purpose-built & virtual appliances
• Standards & protocol support
• Highly scalable & manageable
• Consolidation of network functions
HIGH PERFORMANCE / SCALABLE / HIGH AVAILABILITY / PROGRAMMABLE / CONSOLIDATION OF NETWORK FUNCTIONS
L2-L4 DoS vectors
• Protects from malformed and malicious traffic at scale
• Malformed/bad, suspicious, and volumetric attack vectors
• Hardware accelerated on many platforms
• Per-endpoint limits (src & dst)
• Also includes protocol-specific DoS detection and mitigation (DNS + SIP)
DoS capabilities throughout the product
• Purpose-built hardware
• SYN cookies in hardware to protect CPS resources
• Per-source CPS limits on virtual servers
• Sweeper to protect the connection table
• Various timer and protocol knobs
IMS & VoLTE Security Threat - Signaling Storm
[Figure: user equipment → eNodeB → SGW → PGW / PE → SGi LAN with security, an Internet APN and an IMS APN (P-CSCF). SIP signaling* from the UEs is marked: high PPS, aggressive retries, multiple UEs]
Legend
Symptom = DoS attack / signaling storm
Impact = Disruption of service
Cause = Fault (PGW down) / bad software / mis-configuration / DDoS using mobiles
Remedy = Per-prefix (/64) rate limiting*
*implement on the SGi Firewall or P-CSCF Firewall (or both) with SIP DDoS capabilities

IMS & VoLTE Security Threat - Unsolicited Scan
[Figure: same topology; IP packets* arrive from the Internet APN toward the UEs, marked: high PPS, incrementing per /64, multiple UEs]
Legend
Symptom = DoS attack / prefix scan / unsolicited packets
Impact = Disruption of service / excessive signaling
Cause = Virus / worm / malicious user
Remedy = Firewall policy with SIP ALG
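The remedy named for the signaling storm, per-prefix (/64) rate limiting, keys the limit on the subscriber prefix rather than the individual address, so that one misbehaving UE (or a batch of addresses inside the same /64) cannot exhaust the P-CSCF no matter how many source addresses it rotates through. The following is an added example, not F5 code and not the SIP DDoS implementation of the SGi or P-CSCF firewall: a token-bucket limiter keyed on the /64 (the /32 for IPv4 sources), run over a constructed arrival trace whose timestamps, addresses and rate/burst values are all assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed SIP arrival trace: (timestamp in seconds, source address).
# 2001:db8:1:1::a and ::b share one /64; 2001:db8:2:2::1 is a different /64.
# Both prefixes and the timing are assumptions for this example.
SAMPLE_TRACE = (
    [(0.0, "2001:db8:1:1::a" if i % 2 == 0 else "2001:db8:1:1::b") for i in range(8)]
    + [(0.0, "2001:db8:2:2::1"), (0.1, "2001:db8:2:2::1")]
    + [(3.0, "2001:db8:1:1::a")] * 4
)


def prefix_key(addr):
    """Rate-limit key: the /64 for IPv6 (one subscriber prefix), the /32 for IPv4."""
    ip = ipaddress.ip_address(addr)
    plen = 64 if ip.version == 6 else 32
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


class PrefixRateLimiter:
    """Token bucket per prefix: `rate` messages/second sustained, `burst` at once."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.buckets = {}  # key -> (tokens, timestamp of last update)

    def allow(self, addr, now):
        key = prefix_key(addr)
        tokens, last = self.buckets.get(key, (self.burst, now))
        # refill proportionally to elapsed time, capped at the burst size
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, now)
            return True
        self.buckets[key] = (tokens, now)
        return False


def simulate(trace, rate=1.0, burst=5):
    """Run a trace through one limiter; return {prefix: (allowed, dropped)}."""
    limiter = PrefixRateLimiter(rate, burst)
    counts = defaultdict(lambda: [0, 0])
    for ts, src in sorted(trace, key=lambda t: t[0]):
        counts[prefix_key(src)][0 if limiter.allow(src, ts) else 1] += 1
    return {k: tuple(v) for k, v in counts.items()}


if __name__ == "__main__":
    for prefix, (allowed, dropped) in simulate(SAMPLE_TRACE).items():
        print(f"{prefix}: allowed={allowed} dropped={dropped}")
```

With burst 5 and 1 message/second, the eight messages that the two addresses in 2001:db8:1:1::/64 send at t=0 get five through and three dropped; three seconds later the bucket has refilled three tokens, so three of the next four pass. The other /64 is unaffected, which is the point of keying on the prefix: the limit isolates the storming subscriber without touching the rest.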
Leveraging the F5 Carrier Class Firewall for High-Scale DDoS Mitigation on the Gi-LAN
DDoS Threats
• Internet or mobile device-based DDoS attacks, such as TCP/ICMP/UDP/SYN floods, impacting network resources and resulting in service outages or degradation
• Internet-based IP port sweeps causing RAN exhaustion and battery drain
• Malware/botnets infecting mobile devices
Solution
• Use a powerful and flexible network firewall with policy rules, DDoS vectors, and scripting to protect AN and device resources
• Use IP intelligence and a dynamically updateable list of (temporarily) blocked IP addresses
[Figure: attacker and web bot on the Internet → AFM in front of PGW/GGSN and BNG]

Leveraging the F5 Carrier Class Firewall for Dynamic Security Enforcement
Dynamically updateable list of blocked IP addresses for a period of time
Sources of “shunned” IPs
• Internal: explicit (CLI/GUI), auto sweep/flood, behavioral DNS DoS, WAF
• External (via API): SIEM, IDS/IPS, other security management system
Sub-second mitigation, thousands of entries
[Figure: same topology; the AFM shun list is populated by an internal shun (sweep/flood, DNS, WAF) and an external shun from a SIEM / IDP]
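The shun list described above has three properties worth getting right: entries expire on their own after a period of time, a re-detection extends an existing entry rather than duplicating it, and entries arrive both from internal detectors and from an external system via an API. The following added example, not F5 code and not the AFM shun-list or its API, models exactly those three properties; the JSON feed shape, the addresses and the TTL values are assumptions constructed for the example.

```python
import ipaddress
import json

# Assumed JSON shape for an external SIEM feed (an assumption for this example;
# the real AFM API format is not on the page). Addresses are documentation ranges.
SAMPLE_EXTERNAL_FEED = json.dumps({
    "source": "siem",
    "entries": [
        {"address": "203.0.113.0/24", "reason": "scanner", "ttl": 600},
        {"address": "198.51.100.9", "reason": "ids-alert", "ttl": 120},
    ],
})


class ShunList:
    """Temporary block list: each entry expires `ttl` seconds after it was (re)added."""

    def __init__(self):
        self.entries = {}  # ip_network -> {"expires", "reason", "source"}

    def add(self, address, reason, source, ttl, now):
        net = ipaddress.ip_network(address, strict=False)  # host or prefix
        cur = self.entries.get(net)
        # Re-adding extends the entry; keep whichever expiry is later.
        expires = now + ttl if cur is None else max(cur["expires"], now + ttl)
        self.entries[net] = {"expires": expires, "reason": reason, "source": source}

    def ingest_external(self, payload, now):
        """Load entries pushed by an external system; returns how many were taken."""
        data = json.loads(payload)
        for e in data["entries"]:
            self.add(e["address"], e["reason"], data["source"], e["ttl"], now)
        return len(data["entries"])

    def expire(self, now):
        """Drop entries whose TTL has elapsed; returns how many were removed."""
        dead = [n for n, e in self.entries.items() if e["expires"] <= now]
        for n in dead:
            del self.entries[n]
        return len(dead)

    def is_shunned(self, address, now):
        ip = ipaddress.ip_address(address)
        return any(ip in net and e["expires"] > now
                   for net, e in self.entries.items() if net.version == ip.version)

    def active(self, now):
        return {str(n): e for n, e in self.entries.items() if e["expires"] > now}


if __name__ == "__main__":
    shun = ShunList()
    shun.add("198.51.100.7", "syn-flood", "internal:sweep", ttl=60, now=0)
    shun.ingest_external(SAMPLE_EXTERNAL_FEED, now=10)
    print(shun.active(now=30))
    print("203.0.113.77 shunned at t=500:", shun.is_shunned("203.0.113.77", 500))
```

Expiry is checked both on lookup and by the periodic expire() sweep, so a packet is never matched against a stale entry even if the sweep has not run yet; the sweep only keeps the table from growing.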
Solving the Full-Pipe Problem (RTBH, RFC 5635)
• A volumetric DDoS attack fills the datacenter’s upstream bandwidth: the “full-pipe problem”
• Availability suffers; attack traffic must be stopped further upstream than the datacenter
• AFM signals the upstream network to drop specific source or destination traffic using BGP
• The specific traffic is dropped at the network edge
• The network can be sectioned into multiple communities, giving the ability to drop traffic in specific parts of the network
[Figure: AFM in the data center signals the ISP router in the customer/ISP transit network to drop the attack traffic toward 1.2.3.4, 1.2.3.5, 1.2.3.6 and 1.2.3.7]
How IPv6 Changes Security
IPv6 traffic does not pass through CGNAT
• Need to avoid unsolicited traffic from the Internet (back to basics)
ICMPv6: essential for network operations
• Neighbour discovery - replaces router advertisement
• Essential for hacking IPv6 networks
Tunneling
• Used as the transition path from v4 to v6
• Hides attack/malware traffic from security devices
Capacities
• Dual-stack IPv4/IPv6 will require higher CPS and higher connection counts
Integrated Firewall + CGNAT on the Gi-LAN
[Figure: PGW / BNG → CGNAT (NAT44, private IPv4 to public IPv4) alongside the Gi-FW (public IPv6) → Internet; a traffic-distribution-over-time plot shows the share shifting from IPv4 CGNAT to IPv6 Gi-FW]
GRADUAL TRANSITION FROM IPV4 CGNAT TO IPV6 GI-FW
NAT44 → NAT64
UNPRECEDENTED SCALE AND PERFORMANCE
INVESTMENT PROTECTION
Consolidating SP’s security
• Protection for networks and applications
• Fewer devices translates to lower latency for subscribers
• Consolidation of firewall, application security, and traffic management
[Figure: BEFORE F5 – separate load balancer, firewall, DNS security, network DDoS, load balancer & SSL, application DDoS, web application firewall and web access management devices; WITH F5 – the same functions consolidated]
Consolidating SP’s service functions
• Protection for mobility and core infrastructure with user awareness
• High scale for the demands of 4G and IPv6 deployments
• Consolidation of security, address, and traffic management
[Figure: BEFORE F5 – PGW/GGSN followed by separate firewall, DPI, parental control, … and CG-NAT devices; WITH F5 – PGW/GGSN followed by firewall, DPI and CG-NAT consolidated]