Archive for DoS attack

Mitigate L7 DDoS with BIG-IP ASM

Posted in security, f5, big-ip, application security, silva, DoS attack, devcentral, infrastructure, waf, ddos by psilva on November 28th, 2017

Today, let’s look at a couple ways to mitigate an application DDoS attack with BIG-IP ASM.

We’ve logged into a BIG-IP ASM and navigated to Security > DDoS Protection > DDoS Profiles. In the General Settings of Application Security, we’ll activate an application DoS iRule event.


We’ll click TPS-based Detection to see the TPS thresholds, which we’ve temporarily lowered so that an attack is easy to simulate. Often, multiple mitigation methods are applied sequentially, as you can see in the Source IP settings.


We can also record traffic packet captures during attacks for post analysis.


When a user requests a web application proxied by BIG-IP ASM, ASM creates a unique identifier, a Device ID, for the client. ASM injects JavaScript to register each client device; in the screenshot, the X-Device-ID: header is visible at the bottom.


JavaScript-incapable clients never make it through.


Now that the unit is ready, let’s enable packet capture and have a go at that Damn Vulnerable Web Application (DVWA).


The log files live under /var/log/ or /shared/log/. The PCAP folder is empty for now, so let’s see some action.


Attack commences in 3-2-1. A few quick refreshes should do, since our thresholds are low.


The first mitigation is Client-Side Integrity Defense: the system issues a client-side integrity challenge that consumes client computation resources and slows down the attack. Next is the built-in CAPTCHA. The third mitigation is Rate Limiting…


…then, if they’re still not listening, you can instantly transform into a Honeypot.


The logs below show the source IP address and the type of mitigation deployed: first Integrity, then CAPTCHA, then Rate Limiting, then Honeypot if they don’t stop. The traffic you recorded will be found in the now-populated PCAP folders.
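To make the escalation concrete, here is an added example that models TPS-based detection per source IP and walks a noisy source through the same four tiers in the order above (integrity challenge, CAPTCHA, rate limiting, honeypot), emitting one log line per state change much like the ASM log shows IP plus mitigation type. It is not F5 code and not ASM’s actual detection algorithm: the threshold, the one-second sliding window, the hold period, the class and function names and the sample traffic are all constructed assumptions.

```python
from collections import deque

# Constructed lab-style settings (assumptions, not ASM defaults):
TPS_THRESHOLD = 5           # requests per source IP per window before we react
WINDOW_MS = 1000            # sliding window over which TPS is measured
ESCALATION_HOLD_MS = 1000   # how long a tier is held before escalating or releasing

# Escalation order taken from the walkthrough above.
MITIGATIONS = ["client_side_integrity", "captcha", "rate_limit", "honeypot"]


class SourceState:
    """Per-source-IP bookkeeping."""

    def __init__(self):
        self.times = deque()    # request timestamps (ms) still inside the window
        self.tier = -1          # index into MITIGATIONS; -1 means no mitigation
        self.tier_since = None  # timestamp at which the current tier was applied


class L7DosDetector:
    """TPS-based detection with staged mitigation, modelled per source IP."""

    def __init__(self, threshold=TPS_THRESHOLD, window_ms=WINDOW_MS,
                 hold_ms=ESCALATION_HOLD_MS):
        self.threshold = threshold
        self.window_ms = window_ms
        self.hold_ms = hold_ms
        self.sources = {}
        self.log = []  # one line per state change: source IP plus mitigation applied

    def handle(self, ts_ms, ip):
        """Record one request and return the action applied to it."""
        st = self.sources.setdefault(ip, SourceState())
        st.times.append(ts_ms)
        # Drop timestamps that have fallen out of the sliding window.
        while st.times and ts_ms - st.times[0] >= self.window_ms:
            st.times.popleft()
        tps = len(st.times)
        held_long_enough = (st.tier_since is None
                            or ts_ms - st.tier_since >= self.hold_ms)

        if tps > self.threshold:
            # Still over threshold after holding the current tier: escalate one step.
            if held_long_enough and st.tier < len(MITIGATIONS) - 1:
                st.tier += 1
                st.tier_since = ts_ms
                self.log.append(f"t={ts_ms}ms src={ip} tps={tps} "
                                f"mitigation={MITIGATIONS[st.tier]}")
        elif st.tier >= 0 and held_long_enough:
            # Source has stayed under threshold for a full hold period: release it.
            self.log.append(f"t={ts_ms}ms src={ip} tps={tps} mitigation=released")
            st.tier, st.tier_since = -1, None

        return "allow" if st.tier < 0 else MITIGATIONS[st.tier]


def constructed_traffic():
    """Constructed sample, not captured data: one source at 20 req/s for 5 s and
    one legitimate client at 1 req/s for 8 s (RFC 5737 documentation addresses)."""
    events = [(k * 50, "203.0.113.7") for k in range(100)]    # hammering source
    events += [(k * 1000, "192.0.2.10") for k in range(8)]     # ordinary browser
    return sorted(events)


def run(events):
    """Feed events through the detector; return (log lines, per-IP action counts)."""
    det = L7DosDetector()
    counts = {}
    for ts, ip in events:
        action = det.handle(ts, ip)
        counts.setdefault(ip, {}).setdefault(action, 0)
        counts[ip][action] += 1
    return det.log, counts


if __name__ == "__main__":
    log, counts = run(constructed_traffic())
    print("\n".join(log))
    for ip, c in counts.items():
        print(ip, c)
```

Two things worth noticing when you run it: the legitimate client at one request per second never trips the threshold and is never mitigated, while the noisy source spends a full hold period at each tier before moving to the next, so the cheap, low-friction mitigations are tried first and the honeypot is reached only by a source that has ignored everything else. The release branch matters as well: a source that goes quiet for a hold period is un-mitigated rather than blocked forever, which is what keeps a lowered lab threshold from turning a burst of legitimate refreshes into a permanent penalty.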





Lightboard Lessons: What is DDoS?

Posted in security, f5, application security, lightboard, DoS attack, basics, scams, devcentral, 0day, botnet, ddos by psilva on November 1st, 2017

Over the last quarter, there were approximately 500 DDoS attacks daily around the world with some lasting as long as 300 hours. In this Lightboard Lesson I light up some #basics about DoS and DDoS attacks. 

ps


The Top 10, Top 10 Predictions for 2017

It’s the time of year when crystal balls get a viewing and many pundits put out their annual predictions for the coming year. Rather than thinking up my own, I figured I’d regurgitate what many others are expecting to happen.

8 Predictions About How the Security Industry Will Fare in 2017 – An eWeek slideshow looking at areas like IoT, ransomware, automated attacks and the security skills shortage in the industry. Chris Preimesberger (@editingwhiz), who does a monthly #eweekchat on twitter, covers many of the worries facing organizations.

10 IoT Predictions for 2017 – IoT was my number 1 in The Top 10, Top 10 Predictions for 2016 and no doubt, IoT will continue to cause havoc. People focus so much on the ‘things’ themselves rather than the risk of an internet connection. This list discusses how IoT will grow up in 2017, how having a service component will be key, the complete mess of standards and simply, ‘just because you can connect something to the Internet doesn’t mean that you should.’

10 Cloud Computing Trends to Watch in 2017 - Talkin' Cloud posts Forrester’s list of cloud computing predictions for 2017 including how hyperconverged infrastructures will help private clouds get real, ways to make cloud migration easier, the importance (or not) of megaclouds, that hybrid cloud networking will remain the weakest link in the hybrid cloud and that, finally, cloud service providers will design security into their offerings. What a novel idea.

2017 Breach Predictions: The big one is inevitable – While not a list, per se, NetworkWorld talks about how we’ll see more intricate, complex and undetected data integrity attacks and for two main reasons: financial gain and/or political manipulation. Political manipulation? No, that’ll never happen. NW talks about how cyber attacks will get worse due to IoT and gives some ideas on how to protect your data in 2017.

Catastrophic botnet to smash social media networks in 2017 – At the halfway point the Mirai botnet rears its ugly head and ZDNet explains how Mirai is far from the end of social media disruption due to botnets. With botnets-for-hire now available, there will be a significant uptick in social media botnets which aim not only to disrupt but also to earn money for their operators in 2017. Splendid.

Torrid Networks’ Top 10 Cyber Security Predictions For 2017 – Dhruv Soi looks at the overall cyber security industry and shares that many security product companies will add a machine learning twist to their products while, at the same time, next-gen malware will gain the ability to bypass machine learning algorithms. He also talks about the fast adoption of Blockchain, the shift towards mobile exploitation and the increase of cyber insurance in 2017.

Fortinet 2017 Cybersecurity Predictions: Accountability Takes the Stage - Derek Manky goes in depth with this detailed article covering things like how IoT manufacturers will be held accountable for security breaches, how attackers will begin to turn up the heat in smart cities and whether technology can close the gap on the critical cyber skills shortage. Each of his 6 predictions includes a detailed description along with risks and potential solutions.

2017 security predictions – CIO always has a year-end prediction list and this year doesn’t disappoint. Rather than reviewing the obvious, they focus on things like dwell time, the interval between a successful attack and its discovery by the victim. In some cases, dwell times can reach as high as two years! They also detail how passwords will eventually grow up, how the security blame game will heat up and how mobile payments, too, will become a liability. A little different take and a good read.

Predictions for DevOps in 2017 – I’d be remiss if I didn’t include some prognosis about DevOps - one of the most misunderstood terms and functions of late. DevOps teams will start to include security as part of development instead of as an afterthought, we’ll see an increase in the popularity of containerization solutions and DZone sees DevOps principles moving into the mainstream enterprise rather than one-off projects.

10 top holiday phishing scams – While many of the lists are forward-looking into the New Year, this one dives into the risks of the year end. Holiday shopping. A good list of holiday threats to watch out for including fake purchase invoices, scam email deals, fake surveys and shipping status malware messages begging you to click the link. Some advice: Don’t!

Bonus Prediction!

Top 10 Most Popular Robots to Buy in 2017 – All kinds of robots are now entering our homes and appearing in society. From vacuums to automated cars to drones to digital assistants, robots are interacting with us more than ever. While many are for home use, some also help the disabled or those suffering from various ailments like autism, a stroke or even a missing limb. They go by many monikers like Asimo, Spot, Moley, Pepper, Jibo and Milo to name a few.

Are you ready for 2017?

If you want to see if any of the previous year’s prognoses came true, here ya go:

ps




The Roadblock for Malicious Traffic

Posted in security, f5, big-ip, silva, network, DoS attack, infrastructure, risk by psilva on March 8th, 2016


As I am sure you are aware, the business computing environment is evolving: from all of us and the multitude of devices we now carry and interact with, along with the various ways we access information, to all of the applications we request information from and the interdependencies among those applications, to the infrastructure needed to secure those applications and the information being delivered to us. Maintaining security throughout is a challenge.

In a business environment, security is all about risk: Assessment, analysis, management and mitigation. The many IT security trends like IoT, cloud, device proliferation, disappearing perimeter, and so forth are all potential risks to the business. To reduce their risk, organizations need to ensure they can scale to meet the global workforce’s and customer’s data demand; they need to secure their data from targeted attacks, unauthorized access, inadvertent leakage or to comply with regulatory rules; and they need to keep their operational infrastructure simple and efficient.

The BIG-IP platform offers the scale and capacity to meet the deluge, the full proxy security to protect the applications and infrastructure, and the operational efficiency to consolidate functions within an application-centric security model. The BIG-IP platform is a full proxy architecture – establishing one TCP connection between the client and the BIG-IP and a separate TCP connection from the BIG-IP to the resources themselves. It is able to apply policies on both ends, anywhere along the stack. This allows organizations to inspect, manipulate or simply drop traffic – on the way in or on the way out - if it does not adhere to the policy. Plus, iRules extensibility gives you the power to do almost anything with the traffic.

BIG-IP Advanced Firewall Manager (AFM) is a stateful, full-proxy, ICSA-certified firewall and brings additional network firewall capabilities at a fine granular level allowing administrators to easily protect their infrastructure and understand what types of attacks are infiltrating the network. Logging and reporting are built-in. BIG-IP AFM can be added to any BIG-IP platform and can help reduce those business risks.

Bringing together security and deep application fluency, BIG-IP AFM delivers the most effective network-level security for enterprises and service providers alike. Whether on-premises or in the cloud, BIG-IP AFM tracks the state of network sessions, maintains application awareness, and mitigates threats based on attack details that most traditional network firewalls simply do not have. It helps you respond to threats quickly and with a full understanding of your security posture. In addition, AFM protects your organization from the most aggressive DDoS attacks before they ever reach your data center.

F5 DevCentral has a whole AFM series coming your way over the next few weeks! The schedule includes:

  • March 15th: Foundational / Provisioning – This will kick off the series, taking what John tackled in AFM Provisioning and Policy Building and fleshing out more of the finer details in provisioning and basic policy functionality.
  • March 17th: Architectural Context – We’ll dive deep into the architecture to define global and local contexts, work through precedence decision trees, and introduce the programmability entrance points.
  • March 22nd: Policy Building – Harder, stronger, balanced and more flexible policies to combat all those bad actors out there! Lessons learned and best practices will help you wield a more powerful weapon in the battle.
  • March 24th: DDoS Capabilities: AFM shines with DDoS mitigation. You’ll see the many attack vectors handled auto-magically for you, as well as walk through some demos of attack mitigations in action.
  • March 29th: Blacklisting Magic - As the title says...
  • March 31st: IP Intelligence - Blocking bad actors at the core.
  • April 5th: Attack Mitigation Approaches (zero-window / udp flood / Christmas tree / etc.) - We’ll take a look at some of these attacks and show you how to combat them.
  • April 7th: Full stack protection – Where does AFM end and ASM begin? You’ll see how these two modules complement each other and provide synergistic protection for all layers of your application and delivery infrastructure.
  • April 12th: iRules extensions - Programmability to help stop those tricky attacks.
  • April 14th: DNS firewall deployments - We'll show you how to make one mighty powerful firewall for your DNS infrastructure.

Stay tuned for more insight on how to protect your critical infrastructure.

ps




MWC 2015 – Threats to Mobile Carrier Networks (feat George)

Posted in security, f5, silva, video, DoS attack, mobile, malware, infrastructure, dns by psilva on March 2nd, 2015

Jonathan George, Sr. Product Marketing Manager, talks about the various threats that can occur on a carrier network. Mobile devices are becoming a hot target for malicious attacks and users may not be aware that they have potentially become part of a botnet. And it is not just mobile devices, as IoT grows, your refrigerator could potentially participate in a DDoS attack. Jonathan focuses on some of the DNS solutions available that can help mitigate DNS DDoS attacks and malicious communications on a service provider network.

ps




Uncle DDoS’d, Talking TVs and a Hug

Posted in security, f5, application security, silva, privacy, DoS attack, cybercrime, identity theft, RFID, iot by psilva on May 14th, 2014

Information security is one of those areas where a lot is always happening. From breaches to vulnerabilities to scams to anything else that's designed to store, protect or even attack and pilfer our sensitive information, information security encompasses a lot of things. A Three Ring Circus, Three Little Pigs, The Three Stooges and when three different stories grab my attention, well I just gotta share.

SCMagazine.com had an interesting story yesterday talking about how two servers designed to prevent DDoS attacks were, themselves, used in a DDoS attack. Incapsula reported that it had to fend off a sizable DDoS attack that was launched using high-capacity servers hijacked from a DDoS protection services provider. The attack itself was against an online gaming site and the attackers actually hijacked and commandeered two high capacity servers from a DDoS protection service provider to spearhead the attack. The service provider was so focused on incoming traffic, they had to be notified to take a look at the massive outgoing traffic being sent. While the DDoS protection market has grown with many outsourcing solutions, it is still a shared service. Remember the old tiered-hosting-separated-by-a-partition days? Even if you are not the target, you still might be caught up in it if your neighbor is.

Next up, security experts at NCC Group said SmartTVs with built-in microphones and storage can be turned into bugging devices by malware and used to record conversations, not to mention remotely turning on the TV camera at will. They did need physical access to the TV to install the malware, but as more TV apps get developed, it is conceivable that a malicious app could be downloaded to the TV for the same purpose. They demonstrated how they could capture 30 seconds of buffered mic audio but could also have gone further, using internal storage and sending the audio files to an awaiting server. NCC engineers wanted to highlight the security shortcomings on the home front of the Internet of Things. Start to get used to no privacy in the privacy of your home.

And last but certainly not least, thieves steal ID and credit card data with a hug. OK, I'm Hawaiian and we are a bunch of huggers so this is interesting. Apparently a Georgia woman was approached at a gas station by another woman begging for some money so she could put gas in her car. The kind, generous woman gave the crooked lady $20. With a full Oscar-nominated performance, the crooked lady wept with joy and wanted to thank the generous one with a hug. Embrace ensued. So touched by the gesture, the man with the crooked lady got out of the car and also wanted to physically thank the Samaritan. The next morning she realized why they wanted to hug her when she discovered that $3000 was gone from her bank account: $2400 from a grocery store and another $200 plus from ATMs. The thieves got close so they could scan her for RFID-enabled cards. She had her credit cards in her front pocket and was scanned during the not-so-loving embrace. Well that sucks. The cool thing is that the woman is not jaded and will continue to help others. Nice.

And to those I know: if we typically hug when we see each other, I promise I won't be scanning your pockets.

ps




A Decade of Breaches

Posted in security, f5, application security, silva, DoS attack, banking, cybercrime, hackers, breach, data loss, family by psilva on April 24th, 2014

Whales Not Included

Being from the Hawaiian Islands, the annual gathering of the Kohola (humpback whales) is always a spectacular view. They can get over half their body out of the water and administer a cannonball body slam splash like you've never seen before. Most of the internet thinks they breach to either see what's up (so to speak), let other whales know they are around (if the haunting squeal isn't doing it) and, most commonly, to relieve the body of lice, parasites and barnacles.

While nature's breaches are unmatched, many internet security breaches are run of the mill leakages.

The Verizon 2014 Data Breach Investigation Report (DBIR) found that over the last 10 years, 92% of the 100,000 security incidents analyzed can be traced to nine basic attack patterns. The patterns identified are:

  • Miscellaneous errors like sending an email to the wrong person
  • Crimeware (malware aimed at gaining control of systems)
  • Insider/privilege misuse
  • Physical theft or loss
  • Web app attacks
  • Denial of service attacks
  • Cyberespionage
  • Point-of-sale intrusions
  • Payment card skimmers

The really cool thing about the 9 attack patterns is that Verizon has also charted the frequency of incident classification patterns per industry vertical. For instance, in financial services 75% of the incidents come from web application attacks, DDoS and card skimming while retail, restaurants and hotels need to worry about point-of-sale intrusions. Utilities and manufacturing on the other hand get hit with cyber-espionage. Overall across all industries, only three threat patterns cover 72 percent of the security incidents in any industry.

[Figure 19 from the Verizon 2014 DBIR: frequency of incident classification patterns per industry]

Once again, no one is immune from a breach and while media coverage often focuses on the big whales, the bad guys are not targeting organizations because of who they are but because a vulnerability was found and the crooks decided to see if they could get more. This means that companies are not doing some of the basics to stay protected. For the 2014 analysis, there were 1,367 confirmed data breaches and 63,437 security incidents from 50 global companies.

For the most part, the fixes are fairly basic: use strong authentication, patch vulnerabilities quickly and encrypt devices that contain sensitive information. I've barely scratched the surface of the report and highly suggest a thorough reading.

ps


Photo: Protected Resources Division, Southwest Fisheries Science Center, La Jolla, California.




RSA 2014: DDoS Protection (feat Bocchino)

Posted in security, f5, big-ip, application security, silva, video, DoS attack, cybercrime, hackers, rsa, infrastructure, 0day, access by psilva on February 25th, 2014

F5 Sr. Systems Architect Ken Bocchino shows me a live demonstration of how F5 protects the fundamental elements of an application (network, DNS, SSL and HTTP) against aggressively evolving DDoS attacks. Ken is always a fun and interesting guest.

ps




GartnerDC 2013: DDoS Reference Architecture

I meet with Sr. TMM David Holmes to get the scoop on F5’s DDoS Reference Architecture. David has circled the globe talking to customers about their security concerns and shares some of that insight along with explaining how F5 can mitigate those attacks.

 

ps






The Top 10, Top 10 Predictions for 2014

This time of year the crystal balls get a viewing and many pundits put out their annual predictions for the coming year.  Rather than thinking up my own, I figured I’d regurgitate what many others are expecting to happen.


Cybersecurity in 2014: A roundup of predictions: ZDNet might have picked up that I have done this for the past two years and Charles McLellan put together his own collection.  This is a good place to start with lists from Symantec, Websense, FireEye, Fortinet and others.  Mobile malware, zero-days, encryption, 'Internet of Things,' and a personal favorite, The Importance of DNS are amongst many predictions.

Eyes on the cloud: Six predictions for 2014: Kent Landry - Senior Consultant at Windstream focuses on Cloud futures in this Help Net Security piece.  Hybrid cloud, mobility and that pesky Internet of Everything make the list.

5 key information security predictions for 2014: InformationWeek has Tarun Kaura, Director, Technology Sales, Symantec discuss the coming enterprise threats for 2014.  Social Networking, targeted attacks, cloud and yet again, The Internet of Things finds a spot.

Top 10 Security Threat Predictions for 2014: This is essentially a slide show of Fortinet's predictions on Channel Partners Telecom but good to review.  Android malware, increased encryption, and a couple botnet predictions are included.

2014 Cyber Security Forecast: Significant healthcare trends: HealthITSecurity drops some security trends for healthcare IT security professionals in 2014.  Interesting take on areas like standards, audit committees, malicious insiders and supply chain are detailed.

14 IT security predictions for 2014: RealBusiness covers 10 major security threats along with four ways in which defenses will evolve.  Botnets, BYOD, infrastructure attacks and of course, the Internet of Things.

4 Predictions for 2014 Networks: From EETimes, this short list looks at the carrier network concerns.   Mobile AAA, NFV, 5G and once again, the Internet of Things gets exposure.

8 cyber security predictions for 2014: InformationAge goes full cybercriminal with exploits, data destruction, weakest links along with some 'offensive' or retaliatory attack information.

Verizon's 2014 tech predictions for the enterprise: Another ZDNet article covering the key trends Verizon believes will brand technology.  Interest includes the customer experience, IT decentralization, cloud and machine-to-machine solutions. 

Research: 41 percent increasing IT security budget in 2014: While not a list of predictions, this article covers a recent Tech Pro Research survey findings focused on IT security.  The report, IT Security: Concerns, budgets, trends and plans, noted that 41 percent of survey respondents said they will increase their IT security budget next year.  Probably to counter all the dire predictions.

A lot to consider as you toast the new year with the Internet of Things making many lists.  The key is to examine your own business and determine your own risks for 2014 and tackle those first.

ps




