
Partner Technical Training

Tuning Under Attack

Partner • Sales • Engineering


APS
©2017 ARBOR® CONFIDENTIAL & PROPRIETARY Release 5.12
Objectives
At the conclusion of this unit you should understand how to:
• Change Protection Levels to mitigate more complex attacks
• Block Traffic based on geographic location
• Avoid undesired side effects of higher protection levels



SCENARIO: NEW ATTACK IS NOT BLOCKED BY OUT-OF-THE-BOX OPTIONS


Issue & Context
• Once the previous attack is mitigated, the attacker notices and, the next day, a different attack emerges
• This time the firewall is fine, but the servers stop responding
• Arbor APS is installed inline and active with its out-of-the-box configuration. It sees higher traffic but blocks none of it
• Network/server monitoring is triggering alerts


Issue: A New Attack, Service Down
• Arbor APS sees higher traffic but blocks none of it

[Diagram: ISP 1, ISP 2 … ISP 'n' deliver attack traffic and good traffic into the data center, where Arbor APS sits inline in front of the IPS, firewall, load balancer and the target applications & services]


Solution: Investigate & Mitigate Attack
• Raise Arbor APS' Protection Level, enforcing stricter attack detection rules

[Diagram: same topology as above; Arbor APS inline between the ISPs and the IPS, firewall, load balancer and target applications & services, with attack traffic and good traffic shown separately]


TUNING ATTACK DETECTION & MITIGATION


Attack Identification
• Tasks to complete:
  • Look at the Summary page
    • The Summary page shows no significant changes in traffic
  • Look at the Protection Group details
    • Check for blocked traffic
    • Check the attack categories
  • Raise the Protection Level
  • Check the mitigation effectiveness
  • Check whether valid hosts and services were blocked
  • Whitelist them to reestablish service


Seeing the Attack Traffic

[Screenshot] Arbor APS is Active, but the attack is not being blocked…


Protection Levels
• Protection levels allow easy risk / benefit choices

Protection Level   Use Case
Low                Normal conditions. Low-risk protection and blocking is done. No tolerance for false positives
Medium             Significant attack. Stricter protection settings. Unusual good traffic may be dropped
High               Heavy attack. OK to drop some normal traffic as long as most traffic to hosts is protected

[Screenshot: click the level indicator to change the protection level]


Protection Level - Associated Parameters
• Each "Server Type" has separate settings for each of the three protection levels: Low, Medium and High

[Screenshot: Server Type settings with one column per protection level]


Inbound Protection Settings
• Protection settings are configurable
• Default setting comes from factory and can be reset

• When bps / pps settings are blank they are disabled

• Enable / Disable buttons are set for each protection level (on/off)



Protection Level – Tuning
• For each of the protection settings, you can specify different values for the
low, medium, and high protection levels.
• The current protection level determines which of the settings are used at any
given time.
• For example, you might set conservative thresholds for the low protection level
and more aggressive thresholds for the medium and high protection levels.
• You can also leave protection settings empty or disabled for one or more
of the protection levels.
• For example, you might disable a setting for the low protection level and then
enable it for the medium and high protection levels.



Balancing Protection & Risk
• The risk of blocking legitimate traffic increases with the level of protection
• Generally, you should set the protection level to low
• Reserve the medium and high levels for use during attack conditions
• Arbor recommends that you experiment with different protection levels
during normal operations, so that you can identify any potential problems
before an attack occurs
• When you test the protection levels, be sure to change the protection mode
to inactive to avoid blocking traffic unintentionally



Why Tune Protection Levels
• Proper tuning of protection levels for the individual network is important
• Properly tuned protection levels allow operators to easily increase the level of protection to mitigate bad traffic while limiting the impact on good traffic
• For example, Tier 1 operators can follow a playbook that describes under what circumstances they should move the protection level from low to medium or high, and what the impact of doing so will be
• Designed to allow an easy reaction to an attack during what is normally a chaotic event
• Network tuning is not a one-off task; the process needs to be managed on a continual basis


DETECTION & MITIGATION OPTIONS: INBOUND PROTECTION SETTINGS


Inbound Protections
Arbor APS Protections
• Identify attacks by a specific traffic pattern or behavior
…then…
• Determine how Arbor APS will deal with the traffic or the host that generated the traffic (by source IP)
• Are defined and configurable for each Server Type
• Can be divided into:
  • L3-L4 Protections
  • Application-Level Protections


L3-L4 Protections
• Filter List
• Invalid packets
• ATLAS Threat Categories (AIF categories: Email Threats, Location Based Threats, Targeted Attacks, Command & Control, DDoS Reputation, Malware, Mobile)
• Multicast Blocking
• Private Address Blocking
• Payload Regular Expression
• Rate-based Blocking
• Fragment Flood Detection
• ICMP Flood Detection
• UDP Flood Detection
• TCP SYN Flood Detection
• Spoofed SYN Flood Prevention
• TCP Out-of-Sequence Authentication
• TCP Connection Limiting
• TCP Connection Reset
• Traffic Shaping


Application-Level Protections
Web Servers - HTTP
• Malformed HTTP Filtering
• Application Misbehavior
• HTTP Rate Limiting
• Botnet Prevention
• Spoofed SYN Flood Prevention
• HTTP Authentication option
• JavaScript Authentication option
• HTTP Header Regular Expression

DNS Servers
• ATLAS Threat Categories
• DNS Authentication
• Malformed DNS Traffic
• DNS Rate Limiting
• DNS NXDomain Rate Limiting
• DNS Regular Expression

SSL Secured Services
• TLS Attack Prevention

SIP Servers
• Block Malformed SIP Traffic
• SIP Request Limiting


How Inbound Protections Drop Bad Traffic
• Protection behavior types:
  • Packet-blocking: individual packets are dropped by
    • Service-based Protections that track host behavior and discard packets for unexpected events
    • Signature-based Protections that recognize malicious data in packet contents
    • Additionally, for "TCP Connection Reset" and Layer 7 Protections, the relevant TCP connection is reset on behalf of the host
  • Host-blocking: all packets from a host are dropped
    • Triggered when a Protection detects that the host's actions are part of the attack
    • Additionally, established TCP connections are reset on behalf of the host

Note: In both cases the host is reported on the Blocked Hosts page!


Inbound Host-Blocking Protection Types
• Host-Blocking can be
  • Permanent: created by the administrator (Blacklist)
  • Temporary: created by Protections
• Host-Blocking created by Protections is temporary
  • Initially, the offending host is blocked for 60 seconds
  • If the host repeats the offensive actions, it is blocked for 300 seconds


Inbound Host-Blocking Protections
• Inbound Host-Blocking Protections include:
  • Filter lists
  • ICMP Flood Detection*
  • Fragment Flood Detection*
  • UDP Flood Detection*
  • Rate Based Limiting
  • TCP Connection Reset
  • DNS Query Rate Limiting
  • DNS NXDomain Rate Limiting
  • Malformed HTTP Filtering
  • HTTP Rate Limiting
  • Block Malformed SIP Traffic
  • SIP Request Limiting
  • TLS Negotiation
  • Botnet Prevention
  • Application Misbehavior
• If "CDN and Proxy Detection" is enabled in the Protection Group, some Protections do not block a host that was identified as a CDN or Proxy

* Not always. See the specific Protection information for details


Filter List – Your Flexible Mitigation Option
• Filter Lists provide an easy solution to, for example, ICMP reflection attacks
• A Filter List lets you write an FCAP expression and assign an action (drop, pass) to it

drop proto icmp dst host 71.72.3.4

will drop all ICMP packets going to the IP 71.72.3.4
• You can have a different Filter List for each Protection Level


Filter List Protection
• Packets are tested sequentially against each of the list commands until one of them matches
• The Filter list
  – is a list of fingerprint expression filters that acts on every packet
  – hence, it is NOT Host-Blocking
  – immediately drops any packet that matches a drop statement; no further Protection processing occurs
  – immediately passes any packet that matches a pass statement; no further Protection processing occurs
  – passes all traffic that matches neither a drop nor a pass statement on for further processing
  – can serve as a black/white list specific to one Protection Level (for a Server Type), whereas the host Blacklist and Whitelist apply across Protection Levels (but can be restricted to a set of Protection Groups)


Filter List Protection Examples
drop udp and port 53
drop tcp and port ssh
pass src 198.168.1.0/24
drop dst port 22 or dst port 23 or dst port 25
pass dst 198.168.1.0/24
drop dst 1.2.3.4 and (dst port 22 or dst port 80)
pass udp and not (src 1.2.3.4)

drop !(proto TCP and (dst port 80 or dst port 443))

The last rule helps optimize performance if applied to Web Server PGs: everything that is not TCP to port 80 or 443 is discarded before any further Protection processing


Filter List Protection Examples
• In order to drop all traffic except
  • ICMP
  • TCP to port 80
  • TCP from ports 53, 80 or 443
  • UDP from port 53

use the following simple filter list (protocol numbers: 1 = ICMP, 6 = TCP, 17 = UDP):

drop not (proto 1 or proto 6 or proto 17)
drop proto 6 not (dst port 80 or src port 53 or src port 80 or src port 443)
drop proto 17 not src port 53


Filter List Protection Notes
• Limit of 85k rules per PG and per Master Filter List
• Be very careful with "pass" commands
  • Traffic that is "passed" is considered "safe" and is not subjected to any further inspection
  • Example: suppose you have a DNS server at 1.2.3.4 and want to block all UDP traffic except when it is directed to it. The following rules

pass dst 1.2.3.4
drop udp

mean that we will NOT be able to protect 1.2.3.4 from any attacks, because every packet to it matches the pass rule first and skips all other Protections

Instead use:

drop udp and !(dst 1.2.3.4)

In this case nothing is exempted from inspection, so we can still protect 1.2.3.4 from attacks
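The filter-list semantics described above (sequential first match, drop and pass both ending all processing, anything unmatched continuing to the other Protections) and the pass pitfall can be checked offline with a small evaluator. This is an added example written for this page, not Arbor code: it approximates the FCAP grammar from the slide examples (bare udp/tcp/icmp, proto by name or number, src/dst with an optional host keyword or a CIDR, src port / dst port / port, and, or, not or !, parentheses, and juxtaposition such as "proto icmp dst host X" read as an implicit and), which is an assumption about the real grammar, and the packets it evaluates are constructed.

```python
"""Toy evaluator for APS-style filter lists: added example, not Arbor code. The FCAP
grammar is approximated from the slide examples (assumption); juxtaposition is 'and'."""
import ipaddress
import re

PROTO = {"icmp": 1, "tcp": 6, "udp": 17}
PORTS = {"ssh": 22, "domain": 53, "http": 80, "https": 443}

def port_number(tok):
    return PORTS.get(tok.lower()) or int(tok)

class Parser:
    # Precedence, loosest to tightest: or > and (explicit or implicit) > not / !
    def __init__(self, expr):
        self.toks = re.findall(r"\(|\)|!|[^\s()!]+", expr)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1]

    def parse(self):
        node = self.or_expr()
        assert self.peek() is None, "trailing tokens in expression"
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "or":
            self.take()
            node = (lambda l, r: lambda p: l(p) or r(p))(node, self.and_expr())
        return node

    def and_expr(self):
        node = self.unary()
        while self.peek() not in (None, "or", ")"):
            if self.peek() == "and":
                self.take()
            node = (lambda l, r: lambda p: l(p) and r(p))(node, self.unary())
        return node

    def unary(self):
        tok = self.take()
        if tok in ("not", "!"):
            inner = self.unary()
            return lambda p: not inner(p)
        if tok == "(":
            node = self.or_expr()
            assert self.take() == ")", "missing ')'"
            return node
        return self.primary(tok.lower())

    def primary(self, tok):
        if tok in PROTO or tok == "proto":            # 'udp' / 'proto 17' / 'proto TCP'
            name = tok if tok in PROTO else self.take().lower()
            num = PROTO.get(name) or int(name)
            return lambda p: p["proto"] == num
        if tok in ("src", "dst"):
            nxt = self.take()
            if nxt == "port":                          # 'dst port 80' / 'src port ssh'
                port = port_number(self.take())
                return lambda p: p[tok + "_port"] == port
            if nxt == "host":                          # optional 'host' keyword
                nxt = self.take()
            net = ipaddress.ip_network(nxt, strict=False)   # single host or CIDR
            return lambda p: ipaddress.ip_address(p[tok]) in net
        if tok == "port":                              # either direction
            port = port_number(self.take())
            return lambda p: port in (p["src_port"], p["dst_port"])
        raise ValueError("unknown token %r" % tok)

def compile_filter_list(text):
    """One 'drop <expr>' or 'pass <expr>' rule per line, kept in list order."""
    rules = []
    for line in text.strip().splitlines():
        action, _, expr = line.strip().partition(" ")
        if action not in ("drop", "pass"):
            raise ValueError("bad rule: " + line)
        rules.append((action, Parser(expr).parse()))
    return rules

def apply_filter_list(rules, pkt):
    """First match wins; 'inspect' = no match, go on to the other Protections."""
    for action, match in rules:
        if match(pkt):
            return action
    return "inspect"

# Constructed packet: one UDP flood packet aimed at the DNS server 1.2.3.4.
DNS_FLOOD = {"proto": 17, "src": "203.0.113.9", "dst": "1.2.3.4", "src_port": 40001, "dst_port": 53}
UNSAFE = compile_filter_list("pass dst 1.2.3.4\ndrop udp")      # the slide's pitfall
SAFE = compile_filter_list("drop udp and !(dst 1.2.3.4)")        # the slide's fix

def compare():
    """'pass' exempts the flood from every later Protection; the negated 'drop'
    leaves it for UDP Flood Detection and the other Protections to judge."""
    return {name: apply_filter_list(rules, DNS_FLOOD)
            for name, rules in (("unsafe", UNSAFE), ("safe", SAFE))}
```

compare() returns {'unsafe': 'pass', 'safe': 'inspect'}: the first list hands the flood straight through, the second leaves it to the remaining Protections while still dropping every other UDP packet. The same evaluator accepts the earlier slide examples, so a candidate filter list can be run against a handful of representative packets (your own servers' legitimate traffic included) before it is applied to a Protection Group; an ordering mistake such as a pass rule placed before a drop rule shows up as a wrong verdict instead of as an unprotected host.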


Master Filter Lists for all Protection Groups
Master Filter Lists are drop and pass FCAP expressions
• Two Master Filter Lists
  • IPv4 Protection Groups
  • IPv6 Protection Groups
• APS applies Master Filter Lists to
  • All active protection groups
  • All protection levels
  • Inbound traffic only


Master Filter Lists for all Protection Groups
New Protection Groups inherit Master Filter Lists
• Protection Group filter list processing order:
  • Host Whitelists and Blacklist
  • Master Filter Lists
  • Server-type Filter Lists
  • Blacklists for Countries, URLs, and Domains
• Settings are on the Configure Master Filter List page


Master Filter Lists Edit

[Screenshot: edit page with separate IPv4 FCAP Expressions and IPv6 FCAP Expressions fields]


Master Filter Lists Attack Category
The Master filter list shows as "Filter List" under attack categories, just like any other filter list from individual Protection Groups


Master Filter Lists – APS Console
For APS devices managed by APS Console
• Configure Master Filter Lists in APS Console
• APS Console propagates the lists to all managed APS devices
• Master filter lists on APS Console replace the master filter lists on the APS
Caution: Do not edit a Master Filter List on an APS device that is connected to an APS Console
• Local changes to Master Filter Lists on an APS device are not copied to the APS Console
• Local changes will be lost upon the next update from APS Console


Reputation-based Detection for DDoS Campaigns & Advanced Threats

[Diagram: the ASERT AIF reputation feed is delivered to Arbor APS, which sits inline in front of the IPS, load balancer and target applications & services; attack traffic and good traffic arrive from ISP 1, ISP 2 … ISP 'n']

• Active DDoS Campaigns
  • Reputation feed includes IP address, protocol ranges and port ranges
• Advanced Threats
  • Reputation feed includes IP and DNS information
  • Separate IP reputation for inbound and outbound traffic
  • DNS reputation applied bi-directionally
  • DNS reputation includes hostnames in DNS requests
  • IP & DNS reputation filters are packet-dropping protections

AIF Category - Standard Policies
Arbor Availability Protection System - Standard
• Utilizes IP and DNS reputation data to identify attacks, based on signature matching and Geo-IP data

Category                    Sub-Category of Threats
DDoS Threats                • Identifies DDoS attackers based upon IP address indicators from ATLAS
                            • Identifies DDoS targets based on indicators from ATLAS
                            • HTTP Flooder
IP Geo-Location             • Identify location by country for sources of inbound traffic
                            • Identify location by country for destinations of outbound traffic
Web Crawler Identification  • Identify inbound connections to web services from known search engines
Command & Control           • Peer-to-Peer • HTTP • IRC
Malware                     • Webshell • DDoS Bot • Ransomware • Dropper • RAT • Ad Fraud • Fake Anti Virus • Worm
                            • Banking • Credential Theft • Virtual Currency • Backdoor • Spyware • Drive By
                            • Exploit Kit • Social Network • Point of Sale • Other


AIF Category - Advanced Policies
Arbor Availability Protection System - Advanced
• Block incoming attacks based on the ASERT confidence level
• The confidence level is determined by events and reflects active malware, botnets & campaigns in real time
• NOT based on a one-time analysis of a threat with the only outcome being a signature

Category                 Sub-Category of Threats
Location-Based Threats   • Traffic Anonymization Services • Sinkholes • Scanner • TOR • Proxy • Other
Email Threats            • Spam • Phishing
Targeted Attacks         • APT • Watering Hole • Hacktivism • Rootkit • RAT
Mobile                   • Mobile C&C • Malicious App • Spyware


Confidence Index
• ATLAS threat categories (IP & DNS reputation) block incoming attacks based on ASERT's Confidence Index
• The Confidence Index reflects active malware, botnets & campaigns in real time
• The threshold is a per-Protection Level setting
• When ASERT spots malware and creates a rule, confidence is set to 100
• The value can range from 1 to 100
• It is a measure of ASERT's confidence that traffic matching a particular rule is not a false positive
• If the malware is spotted less frequently over time, the Confidence Index is decreased
• If the malware frequency increases again, the Confidence Index increases


Inbound Reputation-Based Protection
• Inbound protection for DDoS using ATLAS IP and DNS Reputation
• Delivered as part of the ATLAS Intelligence Feed – for all customers

[Screenshot: confidence threshold per protection level; use the AIF default or provide your own custom value]


Threat Categories on Summary Page

[Screenshot: radio button selection of the threat category view]


ATLAS Threat Categories - Summary Page

[Screenshot]


ATLAS Threat Categories - View PG Page

[Screenshot: detail view & statistics]


Drill-down Within Blocked Host log

[Screenshot]


ATTACK DETECTION & MITIGATION


Arbor APS Sees Attack - Partially
[Screenshot] Increase Protection Level to Medium


More of the Attack Is Identified
[Screenshot] Some bad traffic is blocked, but not all of it yet


Still Not Enough, Let's Crank It Up
[Screenshot] Increase Protection Level to High


Attack Is Fully Identified & Mitigated
[Screenshot] More traffic is blocked; the traffic volume passing is now "normal"


Arbor APS Mitigated the Attack
[Screenshot]


Reports Show Attack Details
[Screenshot] Click "Details" on a Protection widget to see how much is being blocked by each type


Attack Is Over, Normal Life Is Back
[Screenshot] Once the attack is over, reset the Protection Level to Low


Really? Check Blocked Hosts
• At higher protection levels there is a chance that valid hosts and services may be flagged as attackers
  • Ex: e-mail servers, DNS servers, database servers, VPNs
• Once identified and confirmed, you should Whitelist those valid hosts

Best Practice: It is highly recommended that you experiment with taking the Protection Level to Medium and High during normal operations (when not under attack) so that you can identify potential issues in advance. When you do this, start in the Inactive sub-mode, review what appears in Blocked Hosts, whitelist or tune based on what you learned, and then repeat later in the Active sub-mode.


Attack Successfully Mitigated
• This attack was blocked with the pre-defined (default) settings of the Protection Levels; no custom tuning was needed
• It was, however, necessary to go to higher Protection Levels
• Pre-defined settings make reaction during an attack easier


SCENARIO: UNKNOWN BOTNET ATTACK


Issue & Context
• A few weeks later the site's service level is reported to be significantly affected
• This time all we see in Arbor APS is that HTTP inbound traffic has gone up from the average 50 Mbps to 150 Mbps
• We can see that the web servers have handled those new requests well, but the outbound link is reporting 300 Mbps, which is its capacity
• More investigation shows that the router is dropping outbound traffic. Other than the higher traffic, nothing is detected by Arbor APS, even when we crank up the protection level to High


A New Attack Takes Down the Service
• HTTP inbound traffic has gone up from the average 50 Mbps to 150 Mbps; the outbound link is reporting 300 Mbps and dropping packets

[Diagram: ISP 1, ISP 2 … ISP 'n' deliver attack traffic and good traffic into the data center, through Arbor APS, the IPS, firewall and load balancer to the target applications & services]


Solution: Investigate & Mitigate Attack
• We need to find out what is happening by looking at the Protection Group page
• We notice that about 100 Mbps of the HTTP traffic is being reported as coming from Iran in the "Top Countries" section of the Protection Group page
• Looking at traffic in the last few weeks shows us that there is normally no traffic from Iran. Chances are this is a new botnet that is not yet defined in the ATLAS database
• We decide to block traffic coming from Iran temporarily. Those 100 Mbps of traffic are dropped and the issue goes away, with service reestablished to normal levels
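The investigation above rests on one comparison: per-country inbound HTTP rate now versus what the same country carried over the preceding weeks. The following added example (written for this page, not Arbor code) performs that comparison offline. The prefix-to-country map, the weekly baseline figures and the 10-second flow sample are constructed stand-ins for the appliance's Geo-IP data and traffic counters, and the min_bps and ratio thresholds are assumptions to be tuned per network.

```python
"""Per-country baseline check behind the 'Top Countries' investigation above.
Added example, not Arbor code; Geo-IP table, baseline and flows are constructed."""
import ipaddress
from collections import defaultdict

# Constructed stand-in for the appliance's Geo-IP database (assumption):
# documentation prefixes mapped to ISO country codes.
GEO_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "IR",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "DE",
}

# Constructed baseline from the preceding weeks: average inbound HTTP bps per country.
BASELINE_BPS = {"US": 35e6, "DE": 15e6}

# Constructed 10-second sample of inbound flows: (src_ip, dst_port, bytes).
WINDOW_SECONDS = 10
SAMPLE_FLOWS = (
    [("203.0.113.%d" % h, 80, 25_000_000) for h in range(10, 15)]    # 5 x 20 Mbps from IR
    + [("198.51.100.%d" % h, 80, 8_750_000) for h in range(20, 25)]  # 5 x 7 Mbps from US
    + [("192.0.2.%d" % h, 80, 3_750_000) for h in range(30, 35)]     # 5 x 3 Mbps from DE
    + [("203.0.113.200", 443, 1_000_000)]                            # HTTPS, outside the HTTP view
)


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_PREFIXES.items():
        if addr in net:
            return cc
    return "??"   # unmapped sources get their own bucket, never silently dropped


def http_bps_by_country(flows, window_seconds, http_port=80):
    """The per-country breakdown the slides read off the Protection Group page."""
    bits = defaultdict(int)
    for src, dport, nbytes in flows:
        if dport == http_port:
            bits[country_of(src)] += nbytes * 8
    return {cc: b / window_seconds for cc, b in bits.items()}


def flag_countries(current, baseline, min_bps=20e6, ratio=3.0):
    """Flag countries carrying at least min_bps that have no baseline at all or
    exceed ratio x their baseline (thresholds are assumptions, tune per network).
    Returns {cc: (current_bps, baseline_bps)}."""
    flagged = {}
    for cc, bps in current.items():
        base = baseline.get(cc, 0.0)
        if bps >= min_bps and (base == 0.0 or bps > ratio * base):
            flagged[cc] = (bps, base)
    return flagged


def investigate():
    current = http_bps_by_country(SAMPLE_FLOWS, WINDOW_SECONDS)
    return current, flag_countries(current, BASELINE_BPS)


if __name__ == "__main__":
    current, flagged = investigate()
    for cc, bps in sorted(current.items(), key=lambda kv: -kv[1]):
        print("%s %6.1f Mbps" % (cc, bps / 1e6))
    print("candidates for a temporary country block:", flagged)
```

With the constructed sample, investigate() reports IR at 100 Mbps, US at 35 Mbps and DE at 15 Mbps (the 150 Mbps of the scenario) and flags only IR, because it has no baseline at all; US and DE are within their normal range. Two caveats carry over to the real blacklist: a country block is coarse, so the "??" bucket and any country with legitimate customers need a look at Blocked Hosts afterwards, and the slides treat the block as temporary, so record it and revisit once the botnet shows up in the ATLAS categories.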


Solution: Block Traffic by Geo Location
• We decide to temporarily block traffic coming from Iran

[Diagram: same topology; Arbor APS now drops the attack traffic from the blocked country while good traffic continues through the IPS, firewall and load balancer to the target applications & services]


LOCATING THE ATTACK


Top Sources / Destinations
• Arbor APS collects information on
  • Top Inbound Sources
  • Top Inbound Destinations
• Yet, if attack sources are well distributed, this does not help much…


Top Countries List in the Summary Page
• Countries ranked by total traffic


Country Traffic Details

[Screenshot: click to expand or collapse the country details; country details are shown by protection group]


Blacklisting Country from Summary Page
• You have a choice of blacklisting a country either for the selected Protection Group or for all Protection Groups


Blacklisting Country from Summary Page
• Once the country is blacklisted, you can unblock it


Protection Group View – IP Location
• Click the buttons to block country sources


IP Location Blocking
• Some countries are now blocked


Lab Exercise
• Preview Lab 4
  • UI Workflow and Protection Settings
• Perform Lab 4
  • Estimated Time 30 Minutes
• Review Lab Questions

https://portal.training.arbor.net


Unit Summary
In this unit we have learned how to:
• Change Protection Levels to mitigate more complex attacks
• Block traffic based on geographic location
• Avoid undesired side effects of higher protection levels


Q&A / THANK YOU
