Leveraging the Load Balancer to Fight DDoS


Page 1: Leveraging the Load Balancer to Fight DDoS

SANS Technology Institute - Candidate for Master of Science Degree

Leveraging the Load Balancer to Fight DDoS

Brough Davis, September 2010

GIAC GCIA, GPEN, GCIH, GCFW, GSEC

Page 2: Leveraging the Load Balancer to Fight DDoS


Objective

• DDoS Trends
• Common Mitigating Methods
• Load Balancing/ADC Features
• Conclusion
• Questions/Comments

Page 3: Leveraging the Load Balancer to Fight DDoS


DDoS Trends

Arbor Networks World Wide Infrastructure Security Report 2009

Page 4: Leveraging the Load Balancer to Fight DDoS


Fear of the Attack Intelligence

• Bot DDoS options
  – SYN/ICMP floods, fragment attacks, invalid header values
  – Application DDoS – HTTP recursive attacks

• Known bots with DDoS options
  – Agobot, SDBot, UrxBot

• Agobot DDoS HTTP recursive attack (command syntax as documented for the bot)

  ddos.httpflood [url] [number] [referrer] [recursive = true||false]

Page 5: Leveraging the Load Balancer to Fight DDoS


Growing Fear is Slow Growing

Arbor Networks World Wide Infrastructure Security Report 2009

Page 6: Leveraging the Load Balancer to Fight DDoS


DDoS Vectors/Mitigation

Page 7: Leveraging the Load Balancer to Fight DDoS


DDoS Mitigation Options

• DDoS Commercial Appliances
• uRPF, RTBH, Backscatter Analysis
• RFC1918/Bogon ACLs, Rate Limiting
• Only Allow Critical Services
• Cloud Scale
• TCP SYN Cookies, TCPCT
• WAF/Reverse Proxy - HTTP(S) Applications
• Reverse Turing Tests (Captcha, JavaScript, etc.)

Page 8: Leveraging the Load Balancer to Fight DDoS


The Load Balancing Device

• Brocade ServerIron
• Citrix Netscaler
• Cisco ACE
• F5 BIG-IP

Page 9: Leveraging the Load Balancer to Fight DDoS


TCP SYN Cookie/Proxy

Brocade ServerIron
  ServerIron(config)# ip tcp syn-proxy
  ServerIron(config)# interface e 3/1
  ServerIron(config-if-3/1)# ip tcp syn-proxy in
  ServerIron(config)# server syn-cookie-check-vport

Citrix Netscaler
  SYN cookies enabled by default

Cisco ACE
  host1/C1(config)# interface vlan 100
  host1/C1(config-if)# syn-cookie 4096

F5 BIG-IP
  SYN cookies triggered after 16,384 connections (configurable)
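Why a SYN cookie lets the device answer a SYN flood without keeping a half-open entry per SYN, as an added Python model that is not vendor code: the secret, the 5/2/25-bit field layout, the MSS table and the SynProxy class are assumptions, and the 16,384 trigger is the F5 figure from the slide.

```python
import hashlib
import hmac
import socket
import struct

# Constructed model of the SYN cookie / SYN proxy behaviour the four vendors expose.
# It is not vendor code; the secret, MSS table and field layout are assumptions.
SECRET = b"constructed-secret-rotate-me"   # per-device secret, would be rotated in practice
MSS_TABLE = [536, 1220, 1440, 1460]        # the only MSS values the 2-bit field can carry
HALF_OPEN_THRESHOLD = 16384                # the F5 default quoted on the slide

def _mac(saddr, sport, daddr, dport, t, mss_idx):
    """25-bit keyed MAC over the 4-tuple, time slot and MSS index."""
    msg = struct.pack("!4sH4sHIB", socket.inet_aton(saddr), sport,
                      socket.inet_aton(daddr), dport, t, mss_idx)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x1FFFFFF

def make_cookie(saddr, sport, daddr, dport, mss, now):
    """ISN for the SYN-ACK: 5-bit 64 s time slot | 2-bit MSS index | 25-bit MAC.
    No per-connection state is stored, which is what makes a SYN flood cheap to absorb."""
    t = (now // 64) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (t << 27) | (mss_idx << 25) | _mac(saddr, sport, daddr, dport, t, mss_idx)

def check_cookie(saddr, sport, daddr, dport, ack, now):
    """Validate the client's final ACK. Returns the MSS to use when the proxy opens
    the back-end connection, or None if the ACK is stale or does not verify."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t, mss_idx = cookie >> 27, (cookie >> 25) & 0x3
    if ((((now // 64) & 0x1F) - t) & 0x1F) > 1:          # older than two slots
        return None
    if (cookie & 0x1FFFFFF) != _mac(saddr, sport, daddr, dport, t, mss_idx):
        return None
    return MSS_TABLE[mss_idx]

class SynProxy:
    """Stateful handshakes until the half-open count hits the threshold, then cookies."""
    def __init__(self, threshold=HALF_OPEN_THRESHOLD):
        self.threshold, self.half_open = threshold, 0

    def on_syn(self, saddr, sport, daddr, dport, mss, now):
        if self.half_open < self.threshold:
            self.half_open += 1                  # normal mode: allocate a connection entry
            return ("stateful", None)
        return ("cookie", make_cookie(saddr, sport, daddr, dport, mss, now))
```

The price of the cookie is visible in the code: only a handful of MSS values survive the round trip and no other SYN options do, which is why the devices keep the feature off or threshold-gated until a flood is under way.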

Page 10: Leveraging the Load Balancer to Fight DDoS


Application Switching

  csw-rule "r1" version eq "1.0"
  csw-rule "r2" version eq "1.1"
  csw-rule "r3" nested-rule "r1 || r2"
  !
  csw-policy p1
   match r3 forward 1
   default forward 0
  !
  server virtual-name VIP1 1.1.1.1
   port http csw-policy p1
   port http csw
   bind http RS1 http RS2 http
  !
  server real RS1 2.2.2.1
   port http
   port http url "HEAD /"
   port http group-id 1 1
  !
  server real RS2 2.2.2.2
   port http
   port http url "HEAD /"
   port http group-id 1 1

Search for HTTP 1.0 or 1.1 Headers

Drop by default. Matched sent to group 1

Apply policy to virtual server service

Real servers in group 1

Page 11: Leveraging the Load Balancer to Fight DDoS

Application Switching: Real World Example

• Before
  – Mixed traffic (large packets, frags, ICMP/UDP, SYN flood, raw TCP 80 full connects)
  – 260+ Mbps inbound traffic
  – 1 million current connections to ServerIron (100% CPU)

• Reaction
  – Upstream router filters all non-TCP/80 traffic
  – ServerIron syn-proxy feature enabled
  – Layer 7 content switching: drop all TCP 80 traffic without a valid HTTP 1.0/1.1 header

• Result
  – ServerIron CPU reduced to 20% with 20,000 current connections in < 5 minutes
  – Inbound traffic dropped to 8 Mbps
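The Layer 7 decision that csw-rules r1/r2/r3 and policy p1 on page 10 express, and that the "drop all TCP 80 traffic without a valid HTTP 1.0/1.1 header" reaction above relies on, as an added Python example that is not ServerIron code; classify, triage, the 8192-byte buffer limit and the sample connection buffers are constructed.

```python
import re
from collections import Counter

# Constructed example, not Brocade code: the decision the csw-rules/policy on the
# slide express, applied to whatever bytes a client has sent so far on TCP/80.
REQUEST_LINE = re.compile(rb"^[A-Z]{3,8} \S{1,8000} HTTP/(1\.[01])\r\n")
MAX_BUFFER = 8192   # assumption: give up on a request line longer than this

def classify(buffered: bytes) -> str:
    """Map the client's bytes so far to the policy action.
    'forward' = match r3 (HTTP/1.0 or 1.1) -> group 1, 'drop' = default forward 0,
    'wait' = request line not complete yet, the device keeps buffering."""
    if b"\r\n" not in buffered:
        # A full-connect flood that never sends data sits here until the idle
        # timeout; that is why the real-world example also enables syn-proxy.
        return "wait" if len(buffered) < MAX_BUFFER else "drop"
    return "forward" if REQUEST_LINE.match(buffered) else "drop"

def triage(connections):
    """Count actions over a batch of connection buffers, as in the page 11 numbers."""
    return Counter(classify(b) for b in connections)

# Constructed sample of what arrived on TCP/80 during the event on the slide.
SAMPLE = [
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",  # legitimate browser
    b"HEAD / HTTP/1.0\r\n\r\n",                            # health-check style request
    b"GET /\r\n",                                          # HTTP/0.9, no version token
    b"GET / HTTP/2.0\r\n",                                 # version matched by neither r1 nor r2
    b"\x16\x03\x01\x00\xa5\x01\x00\x00",                   # non-HTTP bytes, no line end yet
    b"",                                                    # raw full connect, no data sent
    b"get / http/1.1\r\n",                                 # lowercase method/version: invalid
]

if __name__ == "__main__":
    print(dict(triage(SAMPLE)))
```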


Page 12: Leveraging the Load Balancer to Fight DDoS


Cookie Manipulation

Citrix Netscaler

• In the navigation pane, expand System, and click Settings. The System Settings Overview page appears in the right pane.
• Click Advanced Features. The Configure Advanced Features dialog box appears.
• Select the HTTP DoS Protection check box, click OK, and click Yes on the Enable/Disable Feature(s) dialog box.

Page 13: Leveraging the Load Balancer to Fight DDoS


Reverse Turing Tests

Page 14: Leveraging the Load Balancer to Fight DDoS


Feature Summary

Feature                 Cisco   Brocade   F5    Netscaler
TCP SYN Cookie          YES     YES       YES   YES
HTTP inspection         YES     YES       YES   YES
HTTP Cookie Injection   YES     YES       YES   YES
'human' JS check        NO      NO        YES   YES

Page 15: Leveraging the Load Balancer to Fight DDoS


Summary

• Shortfalls
  – Overworking the Load Balancer/ADC
  – Finding Legitimate Traffic

• Future Planning
  – Know your traffic trends
  – Involve the developers
  – Use Everything (Tiered Defense)