ADF – Increasing the Availability of Applications on the Internet
- Current threat scenarios for applications and data centers
Peter Held
P.Held@F5.com
Advanced threats
SDDC/Cloud
Mobility
“Software defined” everything
Internet of Things
HTTP is the new TCP
© F5 Networks, Inc
Cyber-attacks in the News for 2014
Sampling of 2014 security incidents by attack type, time and impact
[Figure: conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses. Size of circle estimates relative impact of incident in terms of cost to business.]
IBM X-Force Threat Intelligence Quarterly - 1Q 2015
DDoS attacks ….
http://winfuture.de/special/dos-attacken/
Sipgate – DDoS in Germany
How high was the damage?
The damage to our customers was considerable. Almost all customers were briefly unreachable, in some cases even several times. That was certainly unpleasant for private customers, but for some of our business customers it threatened their existence. With sipgate team we offer a web-based telephone system with mobile integration that more than 10,000 companies use in Germany alone. The indirect damage was therefore presumably enormous. A freight forwarder wrote that he was temporarily unable to reach his drivers and had to turn down orders. Another company reported a missed conference call that was supposed to be about a major contract. Unfortunately, it is not possible to put a figure in euros on the total damage, but we assume that it would be quite a high number.
A few days earlier, criminals sent a phishing e-mail to hundreds of thousands of e-mail accounts. This mail claimed to come from sipgate and lured the victims to a prepared website under a pretext. The aim was to steal the login credentials. Whether there is a connection between the two acts, and whether the perpetrators might even be the same, is currently still unclear.
https://medium.com/@sipgate/ddos-attacke-auf-sipgate-a7d18bf08c03
Real-time DDoS attacks in the World !
http://www.digitalattackmap.com
Layer 2-7 DDoS Mitigation
OSI stack: Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7)
Increasing difficulty of attack detection
Network attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
Session attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
Application attacks: OWASP Top 10 (SQL Injection, XSS, CSRF, etc.), Slowloris, Slow Post, HashDos, GET Floods
Firewall Comparison
Introducing F5’s Application Delivery Firewall
Aligning applications with firewall security
One platform: Traffic management, Network firewall, Application security, Access control, DDoS mitigation, SSL inspection, DNS security
EAL2+
EAL4+ (in process)
BIFURCATION OF FIREWALLS
[Diagram labels: Corporate, Internet, Datacenter]
“Next generation” firewall (users)
Characteristics
•  Outbound user inspection
•  UserID and AppID
•  Who is doing what?
•  1K users to 10K web sites
•  Broad but shallow
F5 Application Delivery Firewall (servers)
Characteristics
•  Inbound application protection
•  Application delivery focus
•  1M users to 100 apps
•  Narrow but deep
•  12 protocols (HTTP, SSL, etc.)
PROTECTING THE DATA CENTER
Use case
Before f5: Network DDoS, Application DDoS, Web Access Management, Firewall, Load Balancer & SSL, Load Balancer, DNS Security, Web Application Firewall
with f5
•  Consolidation of firewall, app security, traffic management
•  Protection for data centers and application servers
•  High scale for the most common inbound protocols
One Solution for Hacking Protection
Hack Examples
Stack layers (client / server): Application, Presentation, Session, Protocol, Network, Data Link, Physical
Standard Set of APIs
Programmable Platform
•  Form attack, Parameter change, Data obj. ref.
•  XSS, CSRF, SQL Injection
•  SSL/TLS BEAST
•  DNS Poisoning, DNS Spoof
•  IP spoof
•  MAC spoof, VLAN hopping
Leading Web Attack Protection
BIG-IP Application Security Manager
BIG-IP - Local Traffic Manager
BIG-IP – Application Delivery Firewall
•  Protect from latest web threats
•  Meet PCI compliance
•  Out-of-the-box deployment
•  Quickly resolve vulnerabilities
•  Improve site performance
DNS Flood
DNS Performance
Synopsis
Many attackers or botnets flood an authoritative name server, attempting to exceed its capacity.
Dropped responses = reduced or no site availability.
[Diagram labels: DNS Requests, Target Site, DNS Responses]
Mitigation - DNS Express
BIG-IP offers exceptional capacity, to over 2M RPS per appliance and to over 10M RPS per chassis. BIG-IP can also identify unusually high traffic patterns to specific clients via DNS DoS Profiles.
iRules with Security: Example - HashDos—Post of Doom
- React quickly to zero day threats
“HashDos—Post of Doom” vulnerability affects all major web
servers and application platforms.
VIPRION
11.6: Deliver the strongest and most efficient zero-day attack protection, with richer iRules interaction that enables detection of L2-L4 attacks
Enable Simplified Application Access
with BIG-IP Access Policy Manager (APM)
SaaS resources
Authentication All in One and Fast SSO
F5 BIG-IP Access Policy Manager
Dramatically reduce infrastructure costs; increase productivity
One Access Solution – BIG-IP APM
All Access Use Cases: BIG-IP Access Policy Manager
Remote Access:
•  SSL VPN
–  Network Access
–  App Tunnels
–  Portal Access
–  Edge Client
–  Windows, Mac, Linux
–  SmartPhones
–  Tablets
Application Access Control:
•  Proxy to Non-HTTP apps
–  VDI
–  Citrix (ICA Proxy)
–  VMware View (PCoIP)
–  MS Terminal Services/RDS
–  Exchange
–  ActiveSync
–  Outlook Anywhere
Web Access Management:
•  Proxy to HTTP apps
–  Outlook Web Access
–  SharePoint
–  Custom
–  Single Sign On
–  Internal Applications
–  SaaS Applications (SAML)
Security:
–  Endpoint Scanning
–  Endpoint Cleanup
–  Multi-factor authentication with several directories and methods
IP INTELLIGENCE
IP intelligence service: IP address feed updates every 5 min
Geolocation database
[Diagram labels: Botnet, Restricted region or country, Attacker, Anonymous requests, Anonymous proxies, Scanner, Internally infected devices and servers, Custom application, Financial application]
One Solution for DDoS Protection
DoS, DDoS Examples
Stack layers (client / server): Application, Presentation, Session, Protocol, Network, Data Link, Physical
Standard Set of APIs
Programmable Platform
•  Slowloris, XML DTD, External Ent., JSON
•  SLOW POST/GET, HTTP FLOOD, Large POST
•  SSL Re-negotiation
•  Syn, ICMP, TCP, UDP Fragmentation (LOIC)
•  SynFlood, IP flood
•  ARP, MAC flood
AFM: DoS Detection & Mitigation 11.5
MITIGATE 50+ VECTORS
Flood
•  ARP Flood
•  DNS Response Flood
•  Ethernet Broadcast Packet
•  Ethernet Multicast Packet
•  ICMP Flood
•  IPV6 Fragment Flood
•  IP Fragment Flood
•  Routing Header Type 0
•  TCP ACK Flood
•  TCP RST Flood
•  TCP SYN ACK Flood
•  TCP SYN Flood
Fragmentation
•  ICMP Fragment
•  IPV6 Fragment
•  IPV6 Fragment Overlap
•  IPV6 Fragment Too Small
•  IP Fragment
•  IP Fragment Overlap
•  IP Fragment Too Small
Bad Header – IPv4
•  Bad IP Option
•  Bad IP TTL Value
•  Bad IP Version
•  Header Length > L2 Length
•  Header Length Too Short
•  IP Error Checksum
•  IP Length > L2 Length
•  IP Option Frames
•  IP Source Address == Destination Address
•  L2 Length >> IP Length
•  No L4
•  TTL <= 1
Bad Header – IPv6
•  Bad IPV6 Hop Count
•  Bad IPV6 Version
•  IPV6 Extended Header Frames
•  IPV6 Length > L2 Length
•  IPV6 Source Address == Destination Address
•  Payload Length < L2 Length
•  Too Many Extended Headers
•  No L4 (Extended Headers Go To Or Past End of Frame)
Bad Header – L2
•  Ethernet MAC Source Address == Destination Address
Bad Header – TCP
•  Bad TCP Checksum
•  Bad TCP Flags (All Cleared and SEQ# == 0)
•  Bad TCP Flags (All Flags Set)
•  FIN Only Set
•  Option Present With Illegal Length
•  SYN && FIN Set
•  TCP Header Length > L2 Length
•  TCP Header Length Too Short (Length < 5)
•  TCP LAND
•  TCP Option Overruns TCP Header
•  Unknown TCP Option Type
Bad Header – UDP
•  Bad UDP Checksum
•  UDP LAND
•  Bad UDP Header (UDP Length > IP Length or L2 Length)
Bad Header – ICMP
•  Bad ICMP Frame
•  ICMP Frame Too Large
Other
•  Host Unreachable
•  TIDCMP
11.6: Ensure the most comprehensive, highest-performing DDoS protection: 50 new vectors / 64 HW-based, and a variety of enhancements that improve granularity and provide better context
DDoS protection reference architecture
Tier 1: Network and DNS
•  Network attacks: ICMP flood, UDP flood, SYN flood
•  DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning
Tier 2: Application
•  SSL attacks: SSL renegotiation, SSL flood
•  HTTP attacks: Slowloris, slow POST, recursive POST/GET
Threat Feed Intelligence: Scanner, Anonymous Proxies, Anonymous Requests, Botnet, Attackers
Strategic Point of Control
[Diagram labels: Legitimate Users, DDoS Attacker, Cloud Scrubbing Service, Multiple ISP strategy, ISPa/b, Next-Generation Firewall, Corporate Users, IPS, Financial Services, E-Commerce, Subscriber]
DDoS reference architecture
TIER 1 KEY FEATURES
•  The first tier at the perimeter is layer 3 and 4 network firewall services
•  Simple load balancing to a second tier
•  IP reputation database
•  Mitigates volumetric and DNS DDoS attacks
[Diagram: the DDoS protection reference architecture, with the same labels as on the previous slide]
DDoS reference architecture
TIER 2 KEY FEATURES
•  The second tier is for application-aware, CPU-intensive defense mechanisms
•  SSL termination
•  Web application firewall
•  Mitigate asymmetric and SSL-based DDoS attacks
[Diagram: the DDoS protection reference architecture, with the same labels as on the previous slides]
DDoS Protection - SMB data center deployment
Protecting L3–7 and DNS
Users leverage NGFW for outbound protection
ISP provides volumetric DDoS service
BIG-IP Platform: Network Firewall Services + DNS Services + Web Application Firewall Services + Compliance Control
Simplified Business Models: GOOD, BETTER, BEST
•  BIG-IP Advanced Firewall Manager
•  BIG-IP Local Traffic Manager
•  BIG-IP Global Traffic Manager
•  BIG-IP Access Policy Manager
•  BIG-IP Application Security Manager
[Diagram labels: Customers, Partners, DDoS Attack, ISPa, ISPb, Next-Generation Firewall, Employees]
F5 Offers Comprehensive ‘Hybrid’ DDoS Protection
Cloud: Silverline DDoS Scrubbing (F5 Silverline subscription service)
•  Volumetric attacks and floods, operations center experts, L3-7 known signature attacks
Network: Network and DNS (LTM, AFM, DNS & IP Intelligence subscription service)
•  Network attacks: ICMP flood, UDP flood, SYN flood
•  DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning
Application (LTM, ASM)
•  SSL attacks: SSL renegotiation, SSL flood
•  HTTP attacks: Slowloris, slow POST, recursive POST/GET
Threat Intelligence Feed: Scanner, Anonymous Proxies, Anonymous Requests, Botnet, Attackers
Strategic Point of Control
[Diagram labels: Legitimate Users, DDoS Attackers, Multiple ISP strategy, ISPa/b, Next-Generation Firewall, Corporate Users, IPS, Financial Services, E-Commerce, Subscriber]
Cloud-Based Scrubbing with On-Premises Defenses
CLOUD KEY FEATURES
•  Real-time volumetric DDoS attack detection and mitigation in the cloud
•  Multi-layered L3-L7 DDoS attack protection
•  24x7 expert Security Operations Center services
•  Transparent attack reporting via customer portal
[Diagram: the hybrid DDoS protection architecture (Cloud, Network, Application), with the same labels as on the previous slide]
Cloud-Based Scrubbing with On-Premises Defenses
NETWORK KEY FEATURES
•  The network tier at the perimeter is L3 and L4 network firewall services
•  Simple load balancing to a second tier
•  IP reputation database
•  Mitigation of transient and low-volume attacks
[Diagram: the hybrid DDoS protection architecture (Cloud, Network, Application), with the same labels as on the previous slides]
Cloud-Based Scrubbing with On-Premises Defenses
APPLICATION KEY FEATURES
•  Application-aware, CPU-intensive defense mechanisms
•  SSL termination
•  Web application firewall
•  Mitigation of asymmetric and SSL-based DDoS attacks
[Diagram: the hybrid DDoS protection architecture (Cloud, Network, Application), with the same labels as on the previous slides]
Global Coverage
24/7 Support
F5 Security Operations Center (SOC) is available 24/7 with security experts ready to respond to DDoS attacks within minutes
–  Seattle, WA US
Global Coverage
Fully redundant and globally distributed data centers worldwide in each geographic region
–  San Jose, CA US
–  Ashburn, VA US
–  Frankfurt, DE
–  Singapore, SG
Industry-Leading Bandwidth
•  Attack mitigation bandwidth capacity over 2.0 Tbps
•  Scrubbing capacity of over 1.0 Tbps
•  Guaranteed bandwidth with Tier 1 carriers
Multiple Ways to Direct Traffic to our Massive Scrubbing Centers
BGP (BORDER GATEWAY PROTOCOL)
ANYCAST
DNS / ANYCAST
Multiple Ways to Return Clean Traffic
GRE TUNNELS
PROXY
IP REFLECTION ™
AMAZON (AWS) DIRECT CONNECT
FIBER INTERCONNECT
DDoS Architecture Scrubbing Center
•  Inspection Tools provide input on attacks for Traffic Actioner & SOC
•  Traffic Actioner injects blackhole routes and steers traffic
•  Flow collection aggregates attack data from all sources
•  Portal provides real-time reporting and configuration
•  Switching mirrors traffic to Inspection Toolsets and Routing layer
•  Ingress Router applies ACLs and blackholes traffic
•  Network Mitigation removes advanced L4 attacks
•  Proxy Mitigation removes L7 Application attacks
•  Egress Routing returns good traffic back to customer
Cloud Scrubbing Service: Volumetric attacks and floods, operations center experts, L3-7 known signature attacks
[Diagram labels: Scrubbing Center, Inspection Plane, Inspection Toolsets, Traffic Actioner, Route Management, Flow Collection, Portal, Visibility, Signaling, Cloud Management, Data Plane, Copied traffic for inspection, Netflow, GRE Tunnel, BGP signaling, Proxy, IP Reflection, Switching, Routing/ACL, Network Mitigation, Proxy Mitigation, Routing (Customer VRF), X-Connect, Legitimate Users, DDoS Attackers, Customer]
F5 Silverline DDoS Protection - Service Options
Always On
Primary protection as the first line of defense
The Always On subscription stops bad traffic from ever reaching your network by continuously processing all traffic through the cloud-scrubbing service and returning only legitimate traffic to your network.
Always Available
Primary protection available on-demand
The Always Available subscription runs on stand-by and can be initiated when under attack.
Ready Defense
Secondary protection for additional capacity
The Ready Defense service runs on stand-by and can be initiated when under attack as a secondary line of defense in addition to a primary DDoS mitigation solution.
F5 Silverline AttackView Portal
Unprecedented Transparency
Attack Data
•  Instant inspection on the filters and countermeasures used for mitigation
•  Detailed timeline analysis on type, size, origin, and attack vector
Configuration and Provisioning
•  Configure/review/modify settings for both Proxy and GRE mode through the portal
Detailed Communication
•  Real time attack communications
•  Detailed events showing attack attributes and SOC mitigations applied
Portal Customer Configuration Status
In the portal you can:
•  See current IP configurations
•  Quickly configure new services
•  Manage whitelist and blacklist IPs
•  Etc.
Proxy and GRE configuration and provisioning are available within the portal for ease of management.
Unparalleled Visibility and Reporting Before, During, and After a DDoS Attack
Securely set up and manage SOC services, configure proxy and routing, and receive unparalleled visibility and reporting of attack mitigation in real time with the F5 Customer Portal.
Get Instant Details As An Attack Occurs
•  Type and size of the attack
•  IP origin
•  Attack vectors
•  Mitigation process
•  Yellow-flagged comments of the SOC communications
•  Packet capture reports (PCAPs) available for download
Portal: F5 customer portal™
[Screenshot labels: Timeline of events, Event Detail]
Real time “F5 customer portal” shows:
•  Type of attack
•  IP origin
•  Mitigation process
•  Yellow flagged annotations of SOC communications
Portal: Real-Time Information
SOC Chat:
•  Coordinate directly with the F5 SOC
•  Share attack details
•  Define exact mitigations needed
Application View:
•  Protocol inspection and statistics
•  Mitigation actions
•  Flagged annotations of SOC communications
[Screenshot labels: Directly chat with the F5 SOC; Application Fluency & Detail]
F5 Silverline DDoS Protection Attack Reporting
Downloadable PDFs for internal reporting
Current DDoS Solution Market
http://ddos-protection-services-review.toptenreviews.com/
“The attacks are definitely getting larger and we know that trend will continue as the number of websites we support increases. That is why we are working with F5. When the big attacks come, we’ll be ready.”
-- Chris Fanini, Co-Founder and CTO, Weebly
F5 Silverline DDoS Protection
Key benefits of F5
•  Protection against the largest attacks
•  Advanced and unique DDoS mitigation techniques
•  Team of industry expert DDoS fighters
•  Simple installation process
F5 Reference Architectures
•  DDoS Protection
“We chose F5 Silverline DDoS Protection because of the breakthrough new technology developed by Barrett Lyon and its ability to provide DDoS mitigation without the damaging side effects of legacy mitigation solutions.”
-- Tim Turner, CIO of the Afisha Rambler SUP Holding
F5 Silverline DDoS Protection
Key benefits of F5
•  Simple installation process
•  No upfront investment in on-premise equipment
•  Continuous DDoS mitigation and analysis
•  Advanced and unique DDoS mitigation techniques
F5 Reference Architectures
•  DDoS Protection
Silverline - Web Application Firewall
Silverline Web Application Firewall
Proven security effectiveness as a convenient cloud-based service
Protect web applications and data from layer 7 attacks, and enable compliance, such as PCI DSS, with the Silverline Web Application Firewall service, which is built on BIG-IP Application Security Manager and backed by 24x7x365 support from F5 experts.
L7 Protection: Geolocation attacks, DDoS, SQL injection, OWASP Top Ten attacks, zero-day threats, AJAX applications, JSON payloads
VA/DAST Scans: Policy can be built from 3rd Party DAST
[Diagram labels: Cloud, Legitimate User, Attackers, F5 Silverline Web Application Firewall Services (WAF), Private Cloud Hosted Web App, Physical Hosted Web App, Public Cloud Hosted Web App]
Key benefits
Leverage proven security efficacy
Protect against critical web attacks with an enterprise-grade service built on BIG-IP ASM, which is recommended by NSS Labs with 99.89% overall security effectiveness*.
Reduce operating costs
Rapidly deploy WAF protections and drive operational and cost efficiencies by outsourcing WAF policy management to F5 security experts.
Protect web apps, anywhere
Protect web apps, no matter where they reside, with consistent policies across hybrid environments in conjunction with BIG-IP deployments.
* Source: NSS Labs Web Application Firewall Product Analysis. F5 BIG-IP ASM 10200 V11.4.0. https://interact.f5.com/2015ALLF-NSS-Web-App-Firewall--Analysis-for-BIG-IP-ASM_2---Reg.html
Complete DDoS Protection Solution
On-premises and cloud-based services for comprehensive DDoS Protection
Network firewall
Web application firewall
SSL inspection
DNS security
ON-PREMISES DDOS PROTECTION AND CLOUD SCRUBBING
Networkworld
- F5 Firewall test
http://www.networkworld.com/reviews/2013/072213-firewall-test-271877.html
F5 DDoS Protection – Recommended Practices
https://f5.com/solutions/architectures/ddos-protection/ddos-exclusive
https://f5.com/solutions/architectures/ddos-protection
Application Delivery Firewall
Network firewall, Traffic management, Application security, Access control, DDoS mitigation, SSL inspection, DNS security
Products
Advanced Firewall Manager
•  Stateful full-proxy firewall
•  Flexible logging and reporting
•  Native TCP, SSL and HTTP proxies
•  Network and Session anti-DDoS
Local Traffic Manager
•  #1 application delivery controller
•  Application fluency
•  App-specific health monitoring
Application Security Manager
•  Leading web application firewall
•  PCI compliance
•  Virtual patching for vulnerabilities
•  HTTP anti-DDoS
•  IP protection
Access Policy Manager
•  Dynamic, identity-based access control
•  Simplified authentication infrastructure
•  Endpoint security, secure remote access
Global Traffic Manager & DNSSEC
•  Huge scale DNS solution
•  Global server load balancing
•  Signed DNS responses
•  Offload DNS crypto
IP Intelligence
•  Context-aware security
•  IP address categorization
•  IP address geolocation
iRules extensibility everywhere
We’re built for speed
•  Concurrent user sessions: 100K
•  Concurrent logins: 1,500/second
•  Throughput: 320 Gbps
•  Concurrent connections: 192 million
•  Connections per second: 5.6 million
•  SSL (1K keys): 600,000/second
•  DNS query response: 6 million/second
Hardware-based DDoS Protection
Newest platforms
•  BIG-IP 5000s: 20 Million SYN Cookies per second
•  BIG-IP 5250s: 40 Million SYN Cookies per second
•  BIG-IP 7000s: 20 Million SYN Cookies per second
•  BIG-IP 7250v: 40 Million SYN Cookies per second
•  BIG-IP 10000s: 40 Million SYN Cookies per second
•  BIG-IP 10250v: 80 Million SYN Cookies per second
•  VIPRION 2250 Blade: 60 Million SYN Cookies per second
•  VIPRION 2150 Blade: 40 Million SYN Cookies per second
•  VIPRION 4300 Blade: 80 Million SYN Cookies per second
•  8xVIPRION 4300 Blade: 640 Million SYN Cookies per second!
Key customer benefits
•  Maintain application availability
•  Safeguard your brand reputation
•  Protect network infrastructure
•  Defend against targeted attacks
•  Stay one step ahead
•  Save money for your company
ALL BACKED BY WORLD-CLASS SUPPORT AND PROFESSIONAL SERVICES
DDoS MITIGATION
Use case
OSI stack: Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7)
Increasing difficulty of attack detection
Network attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
Session attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
Application attacks: Slowloris, Slow Post, HashDos, GET Floods
F5 mitigation technologies
BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding.
BIG-IP LTM and GTM: High-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation
BIG-IP ASM: Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection
Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
•  Protect against DDoS at all layers – 38 vectors covered
•  Withstand the largest attacks
•  Gain visibility and detection of SSL encrypted attacks