
Partner Technical Training

Protecting Services: Protection Settings Deep Dive

Partner • Sales • Engineering


APS
©2017 ARBOR® CONFIDENTIAL & PROPRIETARY Release 5.12
Objectives
At the conclusion of this unit you should understand how to:
• Use Arbor APS to protect:
• L3 and L4 services
• Web Servers
• SSL secured services
• DNS Servers
• SIP Servers
• Other Servers



PROTECTING FROM
L3 & L4 ATTACKS



Invalid Packets Protection
• Non-configurable, always-on Protection designed to drop packets that are clearly malformed


Invalid Packets Protection – IPv4
• IPv4 Invalid Packets Protection performs the following checks:
  • IPv4 header checks
    • Malformed IP header
    • Bad IP checksum
    • Short packet
  • Fragmentation checks
    • Incomplete fragment
    • Duplicate fragment
    • Fragment too long
  • Layer 4 checks
    • Short TCP/UDP/ICMP packet
    • Bad TCP/UDP checksum
    • Invalid TCP flags
    • Invalid ACK number
• Invalid Packets is a Packet-blocking Protection
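The IPv4 header and layer 4 checks listed above, implemented over raw packet bytes as an added example. This is not Arbor's code and does not claim to be how APS implements the checks internally; the packet builder, the sample packets and the TCP flag rule used (SYN+FIN together or no flags at all) are constructed for the demonstration.

```python
import socket
import struct

# Minimum layer-4 header sizes used by the "short TCP/UDP/ICMP packet" check.
# Protocol numbers: 1 = ICMP, 6 = TCP, 17 = UDP.
MIN_L4_HEADER = {1: 8, 6: 20, 17: 8}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header's 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def check_ipv4_packet(pkt: bytes) -> str:
    """Return 'ok' or the name of the first failed check, using the slide's check names."""
    if len(pkt) < 20:
        return "short packet"
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20:
        return "malformed IP header"
    if len(pkt) < ihl:
        return "short packet"
    total_length = struct.unpack("!H", pkt[2:4])[0]
    if total_length < ihl:
        return "malformed IP header"
    if total_length > len(pkt):
        return "short packet"
    # A correct header (checksum field included) sums to all ones, so the complement is 0.
    if ipv4_checksum(pkt[:ihl]) != 0:
        return "bad IP checksum"
    proto = pkt[9]
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    l4 = pkt[ihl:total_length]
    if frag_offset == 0:  # only the first fragment carries the layer-4 header
        if len(l4) < MIN_L4_HEADER.get(proto, 0):
            return "short TCP/UDP/ICMP packet"
        if proto == 6:
            flags = l4[13] & 0x3F
            # SYN and FIN together, or no flags at all, never occur in legitimate TCP
            if flags == 0 or (flags & 0x03) == 0x03:
                return "invalid TCP flags"
    return "ok"


def build_ipv4(proto: int, payload: bytes, src="192.0.2.1", dst="192.0.2.2") -> bytes:
    """Assemble a well-formed IPv4 packet (constructed test input)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


# Constructed sample packets
GOOD_UDP = build_ipv4(17, b"\x00\x35\x00\x35\x00\x08\x00\x00")            # 8-byte UDP header
BAD_CHECKSUM = bytes(b ^ 0xFF if i == 10 else b for i, b in enumerate(GOOD_UDP))
TRUNCATED_TCP = build_ipv4(6, b"\x00" * 10)                                 # TCP header cut short
SYN_FIN = build_ipv4(6, b"\x00" * 13 + b"\x03" + b"\x00" * 6)              # TCP flags SYN+FIN
NOT_IPV4 = b"\x65" + b"\x00" * 19                                           # version nibble = 6

if __name__ == "__main__":
    for name, pkt in [("GOOD_UDP", GOOD_UDP), ("BAD_CHECKSUM", BAD_CHECKSUM),
                      ("TRUNCATED_TCP", TRUNCATED_TCP), ("SYN_FIN", SYN_FIN),
                      ("NOT_IPV4", NOT_IPV4)]:
        print(f"{name}: {check_ipv4_packet(pkt)}")
```

Each check is ordered so that a later check never reads bytes an earlier check has not already proven to exist, which is the property a packet-blocking protection needs when it sits inline in front of everything else.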
Invalid Packets Protection – IPv6
IPv6 Invalid Packets Protection performs the following checks:
• IPv6 header checks
  • Malformed IP header
  • Short packet
  • Incorrect order of extension headers
  • Duplicate extension headers
  • Incorrect packet length (not a multiple of 8, or wrong size of extension header)
  • Invalid Hop-by-Hop options (jumbo payload option or invalid option length)
  • Type 0 routing header
• Fragmentation checks
  • Incomplete fragment
  • Duplicate fragment
  • Fragment too long
  • Fragment overlap
• Layer 4 checks
  • Short TCP/UDP/ICMP packet
  • Bad TCP/UDP checksum
  • Invalid TCP flags
  • Invalid ACK number

Note: Invalid Packets is a Packet-blocking Protection


Multicast Blocking Protection
IPv4

• Drops all inbound and outbound traffic sourced from or destined to multicast
address space (224.0.0.0/4)
• Enable only for protection groups that must not receive any multicast traffic
• Make sure not to block routing protocols that use multicast for hello messages
• Whitelist small multicast address blocks that are active through Arbor APS



Private Address Blocking
IPv4

• Drops all inbound and outbound traffic sourced from or destined to:
• 0.0.0.0/8
• 10.0.0.0/8
• 127.0.0.0/8
• 172.16.0.0/12
• 192.168.0.0/16
• Disabled by default
• Enable if you suspect an attack from spoofed private IP addresses



UDP Flood Detection Protection
IPv4

• Blocks excessive amounts of UDP traffic from a single source
• Separate thresholds for bps and pps
• Hosts violating a threshold at the medium or high protection level are blocked for 60 seconds
• Hosts violating a threshold at the low protection level are not blocked; their traffic is policed down to the configured threshold
• Disabled by default, except for the Web Server server type and its derivatives, where it is enabled by default at the medium and high protection levels
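The per-source behaviour described above (separate pps and bps thresholds, a 60-second host block at medium/high, policing instead of blocking at low), as an added simulation in Python. It is not Arbor's code: the one-second measurement window, the threshold values and the two traffic sources are constructed for the example.

```python
from collections import Counter

BLOCK_SECONDS = 60  # temporary host block applied at the medium/high protection levels


class UdpFloodDetection:
    """Per-source UDP rate check with the slide's three outcomes: pass, police (low), block."""

    def __init__(self, level: str, pps_limit: int, bps_limit: int):
        assert level in ("low", "medium", "high")
        self.level, self.pps_limit, self.bps_limit = level, pps_limit, bps_limit
        self.window = {}         # src -> (window_start, packets, bits) over a 1-second window
        self.blocked_until = {}  # src -> time the temporary block expires

    def handle(self, now: float, src: str, size_bytes: int) -> str:
        """Classify one UDP packet: 'pass', 'drop' (policed, source not blocked) or 'blocked'."""
        if self.blocked_until.get(src, 0) > now:
            return "blocked"
        start, pkts, bits = self.window.get(src, (now, 0, 0))
        if now - start >= 1.0:            # start a new one-second measurement window
            start, pkts, bits = now, 0, 0
        pkts, bits = pkts + 1, bits + size_bytes * 8
        self.window[src] = (start, pkts, bits)
        if pkts <= self.pps_limit and bits <= self.bps_limit:
            return "pass"
        if self.level == "low":
            return "drop"                 # excess is policed down to the threshold; no block
        self.blocked_until[src] = now + BLOCK_SECONDS
        return "blocked"


def simulate(level: str) -> dict:
    """Constructed traffic: 198.51.100.7 sends 150 pkt/s of 64-byte UDP for 2 s,
    203.0.113.9 sends 10 pkt/s. Returns a count of outcomes per classification."""
    det = UdpFloodDetection(level, pps_limit=100, bps_limit=1_000_000)
    events = []
    for second in range(2):
        events += [(second + i / 150, "198.51.100.7", 64) for i in range(150)]
        events += [(second + i / 10, "203.0.113.9", 64) for i in range(10)]
    outcomes = Counter()
    for now, src, size in sorted(events):
        outcomes[det.handle(now, src, size)] += 1
    return dict(outcomes)


if __name__ == "__main__":
    for level in ("low", "medium"):
        print(level, simulate(level))
```

At the low level the flooding source loses only its excess packets in each window and keeps sending, which is why the slide describes that level as policing rather than blocking; at medium the first violation blocks every later packet from that source for the block period while the well-behaved source is untouched.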


DNS Amplification Attack: UDP Flood
The attacker (a) sends a query to a resolver (r) with the source IP spoofed to the victim (v); the resolver receives the query and sends its response to v.
A 55-byte query elicits a 4200-byte response.
[Diagram: Attacker (a) sends a query with source v to Resolver (r); Resolver (r) sends the response to Victim (v)]
A botnet with as few as 20 DSL-connected homes (1 Mbps upstream each) can generate 1.5 Gbps of attack traffic with DNS reflective amplification attack vectors such as those employed for the root server attacks in early 2006 (1:76 amplification factor). Most enterprises have little more than 155 Mbps of Internet connectivity.
UDP Flood Attacks
• UDP is stateless, making it a common tool for flood attacks
  • Generation of UDP packets is easy
  • Stateless implies spoofing source IP addresses is possible
• BPS and PPS: packet sizes may range from 60 to 1500 bytes
  • A high volume of small packets can cause forwarding issues for routers, firewalls and other inline devices
  • 1 Mpps @ 60 bytes = 458 Mbps
  • 1 Mpps @ 1400 bytes = 10 Gbps
• UDP floods do not generally impact services (unless DNS) but do impact the infrastructure, causing collateral damage
• UDP floods can cause jitter and latency, impacting other services like VoIP


Mitigating UDP Floods – Filter Lists
• DNS is the primary attack target with UDP floods
• DNS Amplification floods can generate a high rate of large UDP packets
• A Filter List allows you to deal with UDP floods
• Example:
  drop proto udp dst 192.168.2.11
  The above example drops the UDP flood attack going to the victim (192.168.2.11) but does not drop all UDP packets
• If the victim is a web server this approach is fine; if it is a DNS server it is not. However, we have specific Protections to handle attacks on DNS servers


TCP SYN Flood Detection Protection
IPv4

• All TCP traffic from a single source is inspected
  • If the number of SYN packets per second exceeds the SYN Rate, or
  • If the SYN ACK Delta Rate is exceeded (number of SYN packets – number of ACK packets)
  • Traffic is dropped
  • Source is temporarily blocked for 60 seconds
• TCP SYN Flood Detection can be used to detect and stop SYN floods, which can exhaust a server's resources, forcing it to reject new/legitimate connections


SYN Flood Attacks
• SYN flood attacks attempt to exhaust the server-side resources for TCP connections
• Source(s) continuously send packets with just the SYN bit set
• Victim (server) must open a connection and send a SYN-ACK back to the source
• Connection is kept open
• In a normal handshake the source ACKs, data is exchanged and the source terminates the connection
• In a SYN flood the final ACK never arrives, so the server has to time out each half-open connection
• SYN packets are typically small in size


TCP Stack Attack – SYN Flood Attack



Spoofed SYN Flood Prevention

• Any TCP connection attempt will be inspected
  • If the destination port is in the “Except on ports” list, the TCP traffic is immediately allowed through
  • TCP traffic to other ports is not allowed through until the source is authenticated by the protection
  • TCP connections from non-authenticated sources are not allowed through, but their sources are not temporarily blocked either


Spoofed SYN Flood Prevention Operation (1/2)
Connection Reset Authentication
(Client – APS – Server)
1. Client sends first SYN to establish a connection with the server
   Flags [SYN], seq=4205432417
2. APS intercepts the SYN and sends a SYN ACK back to the client with a valid ack number and an APS-derived sequence number
   Flags [SYN ACK], ack=4205432418, seq=4785326538
3. Valid client responds with an ACK, using the received sequence number+1 as the acknowledgement number
   Flags [ACK], ack=4785326539
4. Client is authenticated
5. APS sends the client a RST ACK to close this connection
   Flags [RST ACK], ack=4205432418
6. Client re-sends SYN to establish a connection with the server
   Flags [SYN], seq=4205432417
7. APS allows the subsequent SYN through to the original destination
Spoofed SYN Flood Prevention Operation (2/2)
Out of Sequence Authentication
(Client – APS – Server)
1. Client sends first SYN to establish a connection with the server
   Flags [SYN], seq=4205432417
2. APS intercepts the SYN and sends a SYN ACK back to the client with matching APS-derived invalid ack and sequence numbers
   Flags [SYN ACK], ack=253118415, seq=253118415
3. Valid client responds to the invalid SYN-ACK with a RST
   Flags [RST], seq=253118415
4. Client re-sends SYN to establish a connection with the server
   Flags [SYN], seq=4205432417
5. Client is authenticated
6. APS allows the SYN through to the original destination
7. Server responds and the normal TCP handshake completes
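Both authentication sequences above (Connection Reset and Out of Sequence), together with the "Except on ports" bypass and the rule that unauthenticated sources are dropped but not blocked, modelled as a small state machine in Python. This is an added example, not Arbor's implementation: segments are plain dicts, the sequence numbers are the ones printed on the slides, and the RST ACK's own sequence number (not shown on the slide) is assumed.

```python
CLIENT_SEQ = 4205432417   # the client's initial sequence number shown on the slides
APS_SEQ = 4785326538      # APS-derived sequence number used by Connection Reset Authentication
BOGUS = 253118415         # invalid ack/seq pair used by Out of Sequence Authentication


class SpoofedSynFloodPrevention:
    """Decision logic for the two TCP authentication methods.

    A segment is a dict {"flags": set, "seq": int, "ack": int, "dport": int}.
    on_segment() returns (action, reply): action is 'forward', 'challenge' or 'drop';
    reply is the segment APS sends back to the client, or None.
    """

    def __init__(self, method: str = "reset", except_ports=()):
        assert method in ("reset", "out_of_sequence")
        self.method = method
        self.except_ports = set(except_ports)
        self.state = {}  # src -> {"stage": ...}

    def is_authenticated(self, src: str) -> bool:
        return self.state.get(src, {}).get("stage") == "authenticated"

    def on_segment(self, src: str, seg: dict):
        if seg["dport"] in self.except_ports:          # "Except on ports": passed untouched
            return "forward", None
        st = self.state.get(src, {"stage": "new"})
        flags = seg["flags"]
        if st["stage"] == "authenticated":
            return "forward", None
        if flags == {"SYN"}:
            if st["stage"] == "rst_seen":               # Out of Sequence step 5: re-sent SYN
                self.state[src] = {"stage": "authenticated"}
                return "forward", None
            if self.method == "reset":                  # step 2: SYN ACK, valid ack, APS seq
                self.state[src] = {"stage": "await_ack", "client_seq": seg["seq"]}
                return "challenge", {"flags": {"SYN", "ACK"}, "seq": APS_SEQ, "ack": seg["seq"] + 1}
            self.state[src] = {"stage": "await_rst"}    # step 2: SYN ACK with bogus numbers
            return "challenge", {"flags": {"SYN", "ACK"}, "seq": BOGUS, "ack": BOGUS}
        if st["stage"] == "await_ack" and flags == {"ACK"} and seg["ack"] == APS_SEQ + 1:
            # Steps 4-5: the client proved it received the SYN ACK; close the probe connection.
            # The RST ACK's own seq is not on the slide; APS_SEQ + 1 is an assumption.
            self.state[src] = {"stage": "authenticated"}
            return "drop", {"flags": {"RST", "ACK"}, "seq": APS_SEQ + 1, "ack": st["client_seq"] + 1}
        if st["stage"] == "await_rst" and flags == {"RST"} and seg["seq"] == BOGUS:
            self.state[src] = {"stage": "rst_seen"}     # step 3: RST to the invalid SYN ACK
            return "drop", None
        return "drop", None  # unverified traffic is dropped; the source is not blocked


def run_valid_client(method: str):
    """Replay the slide's sequence for a real TCP stack.
    Returns (actions, APS's first reply, whether the client ended up authenticated)."""
    aps = SpoofedSynFloodPrevention(method)
    syn = {"flags": {"SYN"}, "seq": CLIENT_SEQ, "ack": 0, "dport": 80}
    action, challenge = aps.on_segment("client", syn)
    actions = [action]
    if method == "reset":
        ack = {"flags": {"ACK"}, "seq": CLIENT_SEQ + 1, "ack": challenge["seq"] + 1, "dport": 80}
        actions.append(aps.on_segment("client", ack)[0])
    else:
        rst = {"flags": {"RST"}, "seq": challenge["ack"], "ack": 0, "dport": 80}
        actions.append(aps.on_segment("client", rst)[0])
    actions.append(aps.on_segment("client", syn)[0])   # the client re-sends its SYN
    return actions, challenge, aps.is_authenticated("client")


def run_spoofed_source(method: str):
    """A spoofed source never sees the challenge, so all it can do is repeat SYNs."""
    aps = SpoofedSynFloodPrevention(method)
    syn = {"flags": {"SYN"}, "seq": 1, "ack": 0, "dport": 80}
    actions = [aps.on_segment("spoofed", syn)[0] for _ in range(3)]
    return actions, aps.is_authenticated("spoofed")
```

The spoofed source is never forwarded and never blocked: every SYN it sends is answered with a challenge it cannot see, which is exactly the slide's "not allowed through but not temporarily blocked either". Retransmitted SYNs from a real client before it answers are simply re-challenged.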


Automating Spoofed SYN Flood Prevention

• To automate Spoofed SYN Flood Prevention:
  • Enable the “Spoofed SYN Flood Prevention Automation” setting
  • Specify an automation threshold
• If the rate of SYN packets sent to any protected host in a protection group exceeds the threshold
  • APS performs TCP authentication or HTTP authentication as configured
• If all protected hosts in a protection group are receiving SYN packets below the threshold
  • APS does not perform the configured authentication


Automation Threshold Example 1 of 2

[Screenshot: enable the automation setting and enter the rate in pps]


Automation Threshold Example 1 of 2

[Diagram: with the automation threshold set to 5000 pps, SYN traffic arriving at 5 Kpps is blocked by Spoofed SYN Prevention, while SYN traffic arriving at 4 Kpps is passed]

Note: Automation Threshold set to 5000 pps
TCP Connection Limiting Protection
IPv4

• Limits the number of simultaneous connections from a single host to a pre-configured value
• A simple connection counter is used to avoid a session state table
• TCP SYN packets are dropped for excess connection attempts


TCP Connection Limiting Protection
• TCP connection limiting settings are different for different server types

Default State
Protection Level     Low        Medium     High
Generic and Web      Disabled   Enabled    Enabled
Mail Server          Enabled    Enabled    Enabled
File Server          Enabled    Enabled    Enabled

Concurrent Connections Allowed
Protection Level     Low        Medium     High
Generic and Web      100        60         30
Mail Server          16         5          3
File Server          5          3          2


TCP Connection Reset Protection
IPv4

• Any TCP connection from a source is intercepted
  • The source host is temporarily blocked for 60 seconds if it exceeds the number of consecutive violations threshold
  • By default only works on destination ports 80, 443 and 25
• The Protection protects against the exhaustion of TCP resources when connection tables on servers are full of idle connections
• TCP Connection Reset can protect against flood, slow HTTP POST and protocol attacks
TCP Connection Reset Protection
• TCP Connection Reset combines five main detection methods:
  • If the minimum amount of data (Initial timeout required data) is not sent within a certain length of time (TCP connections initial timeout) after the connection was established
  • If the HTTP or SSL/TLS request is not sent at a minimum speed (Minimum request bit rate). Speed is computed using a token bucket with a depth of 60 seconds
  • If the HTTP header is not sent within 60 seconds
  • Number of seconds APS will wait before an idle connection is reset or blocked (TCP Connection Idle Timeout)
  • Enable “Track Connections After Initial State” to keep tracking connections after they leave the initial state
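The timing checks on the two TCP Connection Reset slides (initial timeout with required data, minimum request bit rate via a 60-second token bucket, idle timeout, and the per-source consecutive-violation count that triggers a 60-second block), run over a constructed timeline in Python. This is an added example rather than Arbor's code; the exact token-bucket semantics APS uses are not on the slide, so the drain/refill interpretation in `_advance` is an assumption, as are the setting values and the 1-byte-every-10-seconds client.

```python
BLOCK_SECONDS = 60


class TcpConnectionReset:
    """Per-connection timing checks plus the per-source consecutive-violation block.

    Settings use the slide's names: initial_timeout / initial_required_data,
    min_request_bps (token bucket with a 60 s depth), idle_timeout, violation_limit.
    Times are in seconds.
    """

    def __init__(self, initial_timeout, initial_required_data, min_request_bps,
                 idle_timeout, violation_limit):
        self.initial_timeout = initial_timeout
        self.initial_required_data = initial_required_data
        self.min_request_bps = min_request_bps
        self.idle_timeout = idle_timeout
        self.violation_limit = violation_limit
        self.bucket_depth = min_request_bps * 60   # bits: "token bucket with a depth of 60 seconds"
        self.conns = {}                            # (src, cid) -> connection state
        self.violations = {}                       # src -> consecutive violations
        self.blocked_until = {}                    # src -> block expiry time

    def is_blocked(self, src, now) -> bool:
        return self.blocked_until.get(src, 0) > now

    def connection_open(self, src, cid, now):
        self.conns[(src, cid)] = {"opened": now, "last": now, "initial_bytes": 0,
                                  "credit": self.bucket_depth, "credit_at": now}

    def _advance(self, c, now):
        # Assumed bucket semantics: credit drains at the minimum rate and is refilled by the
        # bits actually received (capped at the depth); a negative balance means too slow.
        c["credit"] -= self.min_request_bps * (now - c["credit_at"])
        c["credit_at"] = now

    def data_received(self, src, cid, now, nbytes):
        c = self.conns[(src, cid)]
        self._advance(c, now)
        c["credit"] = min(self.bucket_depth, c["credit"] + nbytes * 8)
        c["initial_bytes"] += nbytes
        c["last"] = now

    def check(self, src, cid, now):
        """Return None or the violated check. A violation resets (removes) the connection
        and counts against the source; reaching violation_limit blocks the source for 60 s."""
        c = self.conns[(src, cid)]
        self._advance(c, now)
        violation = None
        if c["initial_bytes"] < self.initial_required_data and now - c["opened"] > self.initial_timeout:
            violation = "initial timeout"
        elif now - c["last"] > self.idle_timeout:
            violation = "idle timeout"
        elif c["credit"] < 0:
            violation = "minimum request bit rate"
        if violation:
            del self.conns[(src, cid)]
            self.violations[src] = self.violations.get(src, 0) + 1
            if self.violations[src] >= self.violation_limit:
                self.blocked_until[src] = now + BLOCK_SECONDS
        return violation


def slow_client_scenario():
    """Constructed timeline for one source: a connection that sends nothing, one that goes
    idle after its data, then a slow POST sending one byte every 10 seconds."""
    p = TcpConnectionReset(initial_timeout=5, initial_required_data=10, min_request_bps=800,
                           idle_timeout=30, violation_limit=3)
    src, results = "198.51.100.7", []
    p.connection_open(src, "c1", 0)                 # never sends anything
    results.append((6, p.check(src, "c1", 6)))
    p.connection_open(src, "c2", 10)                # sends its data, then goes quiet
    p.data_received(src, "c2", 11, 10)
    results.append((12, p.check(src, "c2", 12)))
    results.append((45, p.check(src, "c2", 45)))
    p.connection_open(src, "c3", 50)                # slow POST: 10 bytes, then 1 byte per 10 s
    p.data_received(src, "c3", 51, 10)
    for t in range(61, 112, 10):
        p.data_received(src, "c3", t, 1)
        results.append((t, p.check(src, "c3", t)))
    return results, p.is_blocked(src, 112), p.is_blocked(src, 172)
```

With an 800 bit/s minimum the bucket holds 48000 bits; a client delivering 8 bits every 10 seconds while 8000 bits drain lasts about a minute before the balance goes negative, which is the slow-POST pattern the slide's "Minimum request bit rate" check is there to catch. The third violation from the same source trips the consecutive-violation limit and blocks it for 60 seconds.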


Traffic Shaping Protection
• When all else fails, get the traffic down to a manageable rate
• Used to limit legitimate traffic like ICMP or to control situations like flash crowds
• All traffic is inspected against the defined filter
• If the packet matches (or no filter is defined) and the packet causes the forwarding rate to exceed either of the bps/pps thresholds:
  • The packet is dropped
  • The source is not blocked
  • This means both attack and normal traffic will get through


PROTECTING
WEB SERVERS



Protecting Web Servers
IPv4

• Attack Protections for HTTP traffic
  • Malformed HTTP Filtering
  • Application Misbehavior
  • Botnet Prevention
    • Includes AIF signatures
  • Spoofed SYN Flood Prevention
    • HTTP Authentication option
  • HTTP Rate Limiting
  • HTTP Header Regular Expression
  • Web Crawler Support


Malformed HTTP Filtering Protection
IPv4

• All HTTP requests are inspected and verified:
  • The HTTP header conforms to RFC2616 Section 2.2 “Basic Rules”
    • Exceptions to the RFC constraints on the space character are allowed
  • The entire request is in a legal and consistent format
• Traffic failing either of the two checks is dropped and the source is temporarily blocked for 60 seconds
• Malformed HTTP can be used to protect against attacks that attempt to exhaust web server resources with invalid or blank HTTP requests
  • Botnets commonly use this type of vector


Application Misbehavior Protection
IPv4

• All HTTP traffic from a single source is inspected
  • If the request headers are interrupted by a TCP FIN from the source more often than the configured threshold
  • Source is temporarily blocked for 60 seconds
• Application Misbehavior stops botnets from sending multiple small HTTP requests and terminating the connection before each request is complete, causing resource exhaustion on the destination server


Botnet Prevention Protection
IPv4

• All HTTP Traffic from a single source is inspected

• The Botnet Prevention protection settings allow Arbor APS to detect botnet
attacks based on known botnet behaviors



Botnet Prevention Protection Options (1 of 2)
IPv4

• Enable Basic Botnet Prevention
  • Checks if the packet headers are incomplete
    • On all protection levels the Host header is required for HTTP 1.1
    • On the High level the Host, User-Agent and Connection headers are required
  • Source is temporarily blocked for 60 seconds


Botnet Prevention Protection Options (2 of 2)
IPv4

• Prevent Slow Request Attacks
  • Checks if the HTTP request contains < 500 bytes AND does not end with \n (indicative of a slow HTTP attack)
  • Source is temporarily blocked for 60 seconds
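The three HTTP request checks described on the Malformed HTTP Filtering and Botnet Prevention slides (RFC 2616 basic-rule conformance, required headers per protection level, and the under-500-bytes-without-newline slow-request test), as one added inspection routine in Python. It is not Arbor's parser: the exact form of the slide's "exception for the space character" is not specified, so tolerating whitespace around a header field name is an assumption, and the sample requests are constructed.

```python
import re

BLOCK = "block source 60s"
# RFC 2616 section 2.2: token = 1*<any CHAR except CTLs or separators>
TOKEN = rb"[!#$%&'*+\-.0-9A-Z^_`a-z|~]+"
REQUEST_LINE = re.compile(rb"^(" + TOKEN + rb") (\S+) HTTP/(\d)\.(\d)$")
HEADER_NAME = re.compile(rb"^" + TOKEN + rb"$")


def inspect_http_request(raw: bytes, level: str = "medium"):
    """Return (verdict, action) for one request buffer.

    Checks, in order: slow request (< 500 bytes and not newline-terminated), malformed
    request line or header per the RFC 2616 basic rules, then the Basic Botnet Prevention
    required headers for the given protection level.
    """
    if len(raw) < 500 and not raw.endswith(b"\n"):
        return "slow request", BLOCK
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.splitlines()
    if not lines:
        return "malformed request line", BLOCK
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "malformed request line", BLOCK
    version = (int(m.group(3)), int(m.group(4)))
    headers = {}
    for line in lines[1:]:
        if b":" not in line:
            return "malformed header line", BLOCK
        name, value = line.split(b":", 1)
        # Whitespace around the field name is tolerated here (assumed reading of the
        # slide's exception for the space character); the name itself must be a token.
        name = name.strip()
        if not HEADER_NAME.match(name):
            return "malformed header line", BLOCK
        headers[name.lower().decode("ascii")] = value.strip()
    required = set()
    if version >= (1, 1):
        required.add("host")                          # all levels: Host for HTTP/1.1
    if level == "high":
        required |= {"host", "user-agent", "connection"}
    missing = sorted(h for h in required if h not in headers)
    if missing:
        return "missing header: " + ",".join(missing), BLOCK
    return "ok", "pass"


# Constructed sample requests
GOOD = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
        b"User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n")
NO_HOST = b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
HOST_ONLY = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BAD_LINE = b"GET /\r\nHost: www.example.com\r\n\r\n"
BAD_HEADER = b"GET / HTTP/1.1\r\nHost www.example.com\r\n\r\n"
PARTIAL = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-a: b"   # never finished, no newline

if __name__ == "__main__":
    for name, req in [("GOOD", GOOD), ("NO_HOST", NO_HOST), ("HOST_ONLY", HOST_ONLY),
                      ("BAD_LINE", BAD_LINE), ("BAD_HEADER", BAD_HEADER), ("PARTIAL", PARTIAL)]:
        print(name, inspect_http_request(req, "high"))
```

The slow-request test has to run before parsing, because a request that is still being dribbled in will not parse at all; note that all three checks share the slide's host-blocking outcome, whereas the later CDN/proxy slides change them to packet blocking for proxy sources.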


Application Attacks to Web Servers
• GET Floods
  • Brute-force use of the server’s processing capacity – typically done using a botnet
  • Ex: Siege
• Slow GET
  • Creates TCP sessions that never close and hold server resources (TCP table space, process table, memory)
  • Ex: Slowloris
• Slow POST
  • Similar to Slow GET, focused on pages which have forms to be completed (can’t be cached by CDNs)
  • Ex: RUDY


Slowloris – Slow HTTP GET DDoS
• HTTP DDoS attack tool
• Allows a single machine to take down a web server with minimal bandwidth and side effects on unrelated services and ports
• Designed to hold open as many connections as possible to the HTTP server
• Exploits design flaws in the HTTP protocol


Slowloris – Slow HTTP GET DDoS
• Slowloris abuses handling of HTTP request headers ssslooowly…
• Each Slowloris process opens several connections to the target web server and sends a partial request: one not ending with a “\n” line
• This tells the web server to hold on: the rest of the GET request is on its way…
• Periodically, each Slowloris process sends subsequent HTTP headers, but never completes the request
• Affected servers keep these connections open, filling their maximum concurrent connection pool and eventually denying additional connection attempts from clients
• Slowloris has high impact and relatively low bandwidth usage


Slowloris – Slow HTTP GET DDoS
GET http://www.google.com/ HTTP/1.1
Host: www.google.com
Connection: keep-alive
User-Agent: Mozilla/5.0
X-a: b
X-a: b
X-a: b
X-a: b
X-a: b
X-a: b



R.U.D.Y. – Slow HTTP POST DDoS
• Uses HTTP POST requests
• The HTTP header portion is complete and sent in full to the web server
• R.U.D.Y.
  • Abuses HTTP web form fields
  • Iteratively injects one custom byte into a web application POST field and goes to sleep
  • Application threads become zombies awaiting the ends of posts… until death lurks upon the website


R.U.D.Y. – Slow HTTP POST DDoS

POST http://victim.com/
Host: victim.com
Connection: keep-alive
Content-Length: 1000000
User-Agent: Mozilla/5.0
Cookie: __utmz=181569312.1294666144.1.1

username=AAAAAAAAAAAAAAAAAAAAAAAAA…



Spoofed SYN Flood Prevention + HTTP (1 of 5)

• Any TCP connection attempt will be inspected and tested
• Click one of the following buttons to select the method that will be used to authenticate HTTP traffic on ports 80 and 8080


Spoofed SYN Flood Prevention + HTTP
Authentication Summary (2 of 5)

• Any TCP connection attempt will be inspected and tested
• Click one of the following buttons to select the method that will be used to authenticate HTTP traffic on ports 80 and 8080
  • HTTP Redirect: APS replies to the client’s request with a 302 redirect. If the client sends the redirected request it is authenticated.
  • HTTP Soft Reset (“Simplified Redirect”): APS replies to the client’s request asking it to resend it. If the client replies, it is authenticated.
  • JavaScript: APS replies to the client’s request with a small amount of JavaScript, which is executed on the client, causing the client to reply with a redirect. If the redirect is received the client is authenticated.
Spoofed SYN Flood Prevention + HTTP
HTTP Redirect Authentication (3 of 5)

• If HTTP Redirect Authentication is enabled, then after the TCP 3-way handshake, instead of sending a RST to the client, APS responds to HTTP traffic with a 302 re-direct message, causing the web browser to retry the request seamlessly without the disruption of a connection reset:

1. SYN Authentication of client passes
2. Send client 302 re-direct: http://www.example.com/KmfPM
3. Client requests new URL
4. Send client 302 re-direct of the original URL http://www.example.com/myPage
5. Client success!


Spoofed SYN Flood Prevention + HTTP
HTTP Soft Reset Authentication (4 of 5)

• If HTTP Soft Reset Authentication is enabled, then after the TCP 3-way handshake, instead of sending a RST to the client, APS responds to HTTP traffic with a 302 re-direct message to the original destination:

1. SYN Authentication of client passes
2. Send client 302 re-direct of the original URL http://www.example.com/myPage
3. Client success!
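The HTTP Redirect and HTTP Soft Reset sequences from the two slides above, modelled as an added Python example of the decision an inline device makes per request. This is not Arbor's code: the throw-away redirect path is derived from a constructed secret (the slide shows /KmfPM as its example), the host www.example.com and path /myPage are the slide's, and the request/response shapes are simplified to (status, location) pairs.

```python
import hashlib

ORIGIN = "http://www.example.com"     # host used in the slide's example URLs
SECRET = b"constructed-demo-secret"   # assumed per-deployment secret, not an APS setting


def challenge_path(client: str, path: str) -> str:
    """Per-client, per-request throw-away redirect target (the slide shows /KmfPM)."""
    digest = hashlib.sha256(SECRET + client.encode() + path.encode()).hexdigest()
    return "/" + digest[:5]


class HttpAuthentication:
    """Redirect-style HTTP authentication applied after SYN authentication has passed.

    handle_request(client, path) returns (302, location) while the client is being
    tested, or ("forward", path) once it is authenticated and may reach the server.
    """

    def __init__(self, method: str):
        assert method in ("redirect", "soft_reset")
        self.method = method
        self.authenticated = set()
        self.pending = {}   # client -> (path we told it to fetch, original path)

    def handle_request(self, client: str, path: str):
        if client in self.authenticated:
            return "forward", path
        pending = self.pending.get(client)
        if pending and path == pending[0]:
            # The client followed the redirect: a real HTTP client, not a raw SYN source.
            self.authenticated.add(client)
            del self.pending[client]
            if self.method == "soft_reset":
                return "forward", path                 # soft reset step 3: request goes through
            return 302, ORIGIN + pending[1]            # redirect step 4: back to the original URL
        if self.method == "redirect":
            target = challenge_path(client, path)      # redirect step 2: 302 to a throw-away URL
        else:
            target = path                              # soft reset step 2: 302 to the same URL
        self.pending[client] = (target, path)
        return 302, ORIGIN + target


def run_browser(method: str):
    """A client that follows every 302, as the slide's steps describe.
    Returns (statuses seen, the path finally forwarded)."""
    aps = HttpAuthentication(method)
    client, trace = "198.51.100.7", []
    status, target = aps.handle_request(client, "/myPage")
    trace.append(status)
    while status == 302:
        status, target = aps.handle_request(client, target[len(ORIGIN):])
        trace.append(status)
    return trace, target


def run_raw_requester(method: str):
    """A flooder that repeats the same request and never follows the redirect."""
    aps = HttpAuthentication(method)
    return [aps.handle_request("203.0.113.9", "/myPage")[0] for _ in range(3)]
```

The browser run shows why the slide calls the redirect method seamless for the user: two 302s and the original page loads, with no connection reset. The raw requester under HTTP Redirect never reaches the server because it never asks for the challenge URL; under Soft Reset a client that merely repeats the same request does pass, which is the trade-off behind the slide's "Simplified Redirect" label.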


Spoofed SYN Flood Prevention + HTTP
JavaScript Authentication (5 of 5)

• Arbor APS replies to a client’s HTTP request with a small amount of JavaScript, which is executed on the client, causing the client to respond by sending a redirect.
• If the redirect is received, the client is authenticated.

Note: If you select the JavaScript option, legitimate clients that do not have JavaScript enabled will be unable to connect to protected hosts.


HTTP Rate Limiting Protection
IPv4

• All HTTP requests are inspected:
  • The number of requests per second is compared to the configured request limit threshold
  • The number of unique HTTP objects per second is compared to the configured URL limit threshold
  • If either rate is higher than its threshold, the requests are blocked and the host is temporarily blocked for 60 seconds
• HTTP Rate Limiting can be used to protect against flooding attacks that overwhelm the HTTP application server's resources
Web Crawlers are a Challenge
• Search Engine web crawlers are a challenge for DDoS mitigation
• Web crawlers act like bots because … they are bots!
• Blocking web crawlers is often unacceptable
• Blocking instantly leads to reduced web site visibility in search results and,
consequently, decrease in search ranking
• It is critical that web crawlers can still reach and index protected resources
even when those are under attack and need protection



Web Crawler Support in Arbor APS
IPv4

• Protection group settings select whether known web crawlers can bypass
some protections for destinations within that protection group
• Enabled – Web crawler protection bypass is allowed
• Disabled – Web crawler traffic has normal protections
• Single enable / disable Web Crawler setting for each protection group
protection level
• Individual search engines can be chosen globally



Web Crawler Support
• Globally enable or disable individual
search engines
• All web crawlers are enabled by default
• Disable search engines that are not
relevant to you



Web Crawler Support – How it works
• Web crawlers can be exempted from different Protections depending on protection level:

Protections                                                          Low          Medium       High
Invalid Packets, TCP SYN Flood Detection                             Checked      Checked      Checked
Filter List, Multicast Blocking, Private Address Blocking            Whitelisted  Checked      Checked
Rate-based Blocking, DNS Rate Limiting, DNS NXDomain Rate Limiting,
HTTP Rate Limiting, ICMP Flood Detection, UDP Flood Detection,
Fragment Flood Detection                                             Whitelisted  Whitelisted  Checked
Payload Regular Expression, DNS Regular Expression, HTTP Header
Regular Expression, AIF Botnet Signatures                            Whitelisted  Checked      Checked
Spoofed SYN Flood Prevention, DNS Authentication                     Whitelisted  Whitelisted  Whitelisted
TCP Connection Limiting, TCP Connection Reset                        Whitelisted  Whitelisted  Checked
Block Malformed DNS Traffic                                          Whitelisted  Whitelisted  Checked
Malformed HTTP Filtering, Basic Botnet Prevention                    Whitelisted  Checked      Checked
TLS Attack Prevention                                                Whitelisted  Checked      Checked
Traffic Shaping                                                      Whitelisted  Whitelisted  Checked
Application Misbehavior                                              Whitelisted  Whitelisted  Checked


Web Crawler Reporting for Protection Groups

• Web Crawlers traffic widget for protection groups of the Generic, Web and DNS Server Types
• Hover on the mini-graph to see the expanded graph


PROTECTING SSL-SECURED
SERVICES



SSL Protocol Attack Protection
SSL-Targeted Attacks
• SYN floods against SSL protocols
• Malformed SSL attacks
  • Sending garbage packets that force crypto work on the server
  • Examples: Hello Msg DoS (PushDo botnet)
• SSL renegotiation attacks
  • Force renegotiation of SSL within a single stream
  • Require crypto work (re-key exchanges) to be done on the server side
  • Can be done using ‘Secure Renegotiation’, which is encrypted
  • Examples: http://orchilles.com/2011/03/ssl-renegotiation-dos.html
• SSL exhaustion (single source / distributed sources)
  • Create many requests from a host or many hosts, simply establishing SSL connections
  • Often coupled with the above attacks (SSL renegotiation, etc.)
  • Examples: THC DDoS (http://www.thc.org/thc-ssl-dos/)
[Diagram: Arbor APS deployed in front of the SSL server]
SSL Protocol Overview
1. Client opens TCP connection to server
2. SSL handshake (shown in the diagram, not encrypted)
3. Exchange encrypted data
[Diagram: SSL handshake message flow between client and server]


Known Attacks: Pushdo
• Sends garbage packets to port 443
• Can quickly exhaust CPU on the HTTPS server

How to Mitigate:
• The TLS Attack Prevention protection will flag and blacklist Pushdo senders


TLS Attack Prevention Operation
IPv4

• Detects malformed and unreasonably extended TLS / SSL protocol headers
• Detects rate-based and connection exhaustion attacks against the TLS / SSL protocol
• Works on both HTTPS and non-HTTP TLS / SSL
• Is a Host-blocking Protection

In order to mitigate the THC SSL attack you need to disable early whitelisting:
/ services aps protection set tls.earlywhitelist '<server type>' <protection_level> no


TLS Attack Prevention Protection
• Provides protection from common attacks against SSL
  • Attacks that try to force many crypto operations on the targeted server
• Protects SSL servers and SSL accelerators
• Protects against attacks on the SSL protocol itself, regardless of port (HTTPS, POP3S, SMTPS)
  • Focus on attacks against the protocol directly
  • Attacks that are pre-encryption
  • Does not require handling any private keys or doing SSL offloading
• Enforces correct usage of the SSL protocol / key exchange
  • Blocks malformed SSL attacks such as PushDo botnet attacks
  • Enforces specific algorithm usage


TLS Attack Prevention - Scope
• What it does:
• SSL Message Validation
• Slow Attack Protection
• Handshake Validation
• Connection Flooding Protection



TLS Attack Prevention – Scope
• What it does not do:
• Decrypt session
• Inspect encrypted traffic
• Check extension semantics
• Enforce acceptable protocol versions
• Although it can parse SSL3/TLS1.1/TLS1.2



TLS Attack Prevention – Settings (1 of 2)

• Protection limits get more severe with higher protection levels

Default TLS Handshake Settings
Protection Level                      Low        Medium     High
Enable State                          Disabled   Enabled    Enabled
Cipher Limit                          512        256        64
Extension Limit                       32         24         16
Compression Limit                     8          4          2
Max Hello Length                      2048       1024       768
Pending connections per source limit  8          8          8
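How the handshake limits in the table are applied without decrypting anything: the ClientHello is the first, plaintext message of the handshake, so its cipher-suite, extension and compression-method lists and its total length can be counted directly. The Python below is an added example (not Arbor's parser) that parses a TLS ClientHello record and checks it against the slide's default limits per protection level; the ClientHello builder produces constructed test input with dummy cipher and extension values. The pending-connections-per-source limit is a connection-count check and is not modelled here.

```python
import struct

# Default TLS Handshake Settings from the slide
DEFAULTS = {
    "low":    {"enabled": False, "cipher_limit": 512, "extension_limit": 32,
               "compression_limit": 8, "max_hello_length": 2048},
    "medium": {"enabled": True,  "cipher_limit": 256, "extension_limit": 24,
               "compression_limit": 4, "max_hello_length": 1024},
    "high":   {"enabled": True,  "cipher_limit": 64,  "extension_limit": 16,
               "compression_limit": 2, "max_hello_length": 768},
}


def parse_client_hello(record: bytes) -> dict:
    """Count cipher suites, compression methods and extensions in a TLS ClientHello record.
    Raises ValueError for anything that is not a well-formed ClientHello."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) != rec_len or hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        p = 2 + 32                                 # client_version + random
        p += 1 + body[p]                           # session_id
        cs_len = struct.unpack("!H", body[p:p + 2])[0]
        if cs_len % 2:
            raise ValueError("odd cipher_suites length")
        p += 2 + cs_len
        cm_len = body[p]
        p += 1 + cm_len
        if p > len(body):
            raise ValueError("compression methods overrun")
        n_ext = 0
        if p < len(body):                          # extensions block is optional
            ext_len = struct.unpack("!H", body[p:p + 2])[0]
            p += 2
            end = p + ext_len
            if end != len(body):
                raise ValueError("extensions length mismatch")
            while p < end:
                elen = struct.unpack("!H", body[p + 2:p + 4])[0]   # skip type, read length
                p += 4 + elen
                n_ext += 1
            if p != end:
                raise ValueError("extension overruns its container")
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated field") from exc
    return {"hello_length": hs_len, "ciphers": cs_len // 2,
            "compressions": cm_len, "extensions": n_ext}


def evaluate(record: bytes, level: str) -> str:
    """Apply the level's limits: 'disabled', 'pass' or 'block: <reason>' (host-blocking)."""
    s = DEFAULTS[level]
    if not s["enabled"]:
        return "disabled"
    try:
        h = parse_client_hello(record)
    except ValueError as exc:
        return f"block: malformed ({exc})"
    for key, limit, label in (("hello_length", s["max_hello_length"], "hello length"),
                              ("ciphers", s["cipher_limit"], "cipher suites"),
                              ("extensions", s["extension_limit"], "extensions"),
                              ("compressions", s["compression_limit"], "compression methods")):
        if h[key] > limit:
            return f"block: {label} {h[key]} > {limit}"
    return "pass"


def build_client_hello(n_ciphers: int, n_compressions: int, n_extensions: int) -> bytes:
    """Constructed ClientHello record with the requested list sizes (dummy values)."""
    ciphers = b"".join(struct.pack("!H", 0x1300 + i) for i in range(n_ciphers))
    comps = bytes(range(n_compressions))
    exts = b"".join(struct.pack("!HH", i, 0) for i in range(n_extensions))   # empty extensions
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + struct.pack("!H", len(ciphers)) + ciphers
            + bytes([len(comps)]) + comps + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


NORMAL_HELLO = build_client_hello(30, 1, 8)
```

A hello padded with a hundred cipher suites passes at the medium level but is blocked at high, which is the "limits get more severe with higher protection levels" behaviour; a truncated record is blocked as malformed at any enabled level. Because every length field is validated against its container before it is used, a hostile ClientHello cannot push the parser past the buffer.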


TLS Attack Prevention – Settings (2 of 2)
• TCP Ports Protected by Default
Port   Description
443    HTTP over TLS (HTTPS)
465    SMTP over TLS - Officially URL Rendezvous Directory for SSM
563    NNTP over TLS
587    SMTP mail submission (may be TLS)
636    LDAP over TLS
989    FTP data over TLS - FTP control over TLS (port 990) is not protected (?)
992    TELNET over TLS
993    IMAP4 over TLS
994    IRC over TLS
995    POP3 over TLS
5061   SIP over TLS
TLS / SSL Protocol Attack Visibility
• Attack details shows breakdown of specific TLS / SSL protocol violations

• Each violation type has more details



PROTECTING
DNS SERVERS



DNS Server Protections
• Protect DNS Servers and services with the following Protections:
• Block Malformed DNS Traffic
• DNS Authentication
• DNS Rate Limiting
• DNS NXDomain Rate Limiting
• DNS Regular Expression



Block Malformed DNS Traffic Protection
IPv4

• Traffic with a destination port of UDP/53 is inspected
  • For compliance with the RFC specification for DNS (RFC1035)
  • That the payload of the packet could be a valid DNS message
  • Offending packets are dropped
  • Hosts are not blocked
• DNS Malformed protects against DNS attacks that attempt to exhaust the resources of DNS servers


Common DNS Attacks
[Diagram: client-side attacks (poisoning attack, phishing) against DNS resolvers and the DNS cache; server-side attacks against DNS servers, including reflective attacks and DNS application-layer attacks labelled "Root Queries", "Random Queries", "Multiple Queries per Packet" and "NX Domain Reflective"]

• Multiple threat vectors against DNS whose impacts include loss of service availability, reduced customer satisfaction and hurt profitability


DNS Dictionary Attacks
[Diagram: attacker → DNS cache → DB server]
• Attacker requests entries that do not exist in the DNS cache:
  Query: abcd.somedomain.com
  Query: efgh.somedomain.com
  Query: ijkl.somedomain.com
  ...
• Every lookup misses the cache; the DB server is overwhelmed with lookups and answers:
  NXDomain: abcd.somedomain.com
  NXDomain: efgh.somedomain.com
  NXDomain: ijkl.somedomain.com
  ...


DNS Authentication Protection
IPv4

• Any source that sends a UDP DNS request is forced to switch to TCP
• If the source does not change from a UDP to a TCP DNS request, the source is considered invalid
• Any unverified requests are dropped; source hosts are not blocked
• DNS Authentication protects against DNS attacks that originate from sources that are not valid hosts


DNS Rate Limiting Protection
IPv4

• Arbor APS inspects all of the DNS traffic that originates from a single source
and records the number of queries per second
• Any traffic that exceeds the thresholds is blocked
• The source host is temporarily blocked for 60 seconds

• DNS Rate Limiting protects against DNS attacks that attempt to flood
DNS servers



DNS Flood
[Diagram: attacker sends a flood of DNS queries to a recursive name server]


DNS NXDomain Rate Limiting Protection
IPv4

• Arbor APS monitors DNS response packets for sources that send requests that result in non-existent domain (NXDomain) responses
• Any source that sends more consecutive failed DNS requests than the threshold is blocked for 60 seconds
• For this Protection to work, Arbor APS MUST be able to see the DNS response traffic from the DNS server
• DNS NXDomain Rate Limiting protects against DNS cache poisoning and dictionary attacks on DNS servers only
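One added Python example covering two of the DNS Protections above: the structural validation behind Block Malformed DNS Traffic (does the payload parse as an RFC 1035 header plus question section?) and the per-source consecutive-NXDOMAIN counter behind DNS NXDomain Rate Limiting, which has to run on the response path exactly as the slide's "MUST be able to see the DNS response traffic" note says. This is not Arbor's code: the query/response builders, the names from the dictionary-attack slide and the threshold value are constructed, and answer/authority/additional records are not walked.

```python
import struct

BLOCK_SECONDS = 60


def encode_name(name: str) -> bytes:
    """Wire-format domain name (RFC 1035 section 3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def _skip_name(msg: bytes, p: int) -> int:
    """Validate the name at offset p and return the offset just past it."""
    total = 0
    while True:
        if p >= len(msg):
            raise ValueError("truncated name")
        length = msg[p]
        if length & 0xC0 == 0xC0:            # compression pointer: 2 bytes, ends the name
            if p + 1 >= len(msg):
                raise ValueError("truncated pointer")
            return p + 2
        if length > 63:
            raise ValueError("label too long")
        p += 1 + length
        total += 1 + length
        if total > 255:
            raise ValueError("name too long")
        if length == 0:
            return p


def validate_dns_message(payload: bytes) -> str:
    """'ok' if the payload could be a DNS message whose header and question section
    parse (RFC 1035 section 4); otherwise the first structural problem found."""
    if len(payload) < 12:
        return "short header"
    qdcount = struct.unpack("!H", payload[4:6])[0]
    p = 12
    try:
        for _ in range(qdcount):
            p = _skip_name(payload, p)
            if p + 4 > len(payload):
                raise ValueError("truncated question")
            p += 4                             # QTYPE + QCLASS
    except ValueError as exc:
        return str(exc)
    return "ok"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed standard query (RD=1) for an A record."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + b"\x00\x01\x00\x01")


def build_response(query: bytes, rcode: int) -> bytes:
    """Constructed response echoing the query's id and question: QR=1, RD=1, RA=1, RCODE."""
    flags = 0x8180 | (rcode & 0x0F)
    return query[:2] + struct.pack("!H", flags) + query[4:]


class NxDomainRateLimiting:
    """Counts consecutive NXDOMAIN (RCODE 3) responses per requesting source and blocks
    the source for 60 s once the count exceeds the threshold; any other RCODE resets it."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self.failed = {}
        self.blocked_until = {}

    def on_response(self, now: float, client: str, payload: bytes) -> str:
        if self.blocked_until.get(client, 0) > now:
            return "blocked"
        if validate_dns_message(payload) != "ok":
            return "malformed"
        rcode = struct.unpack("!H", payload[2:4])[0] & 0x0F
        self.failed[client] = self.failed.get(client, 0) + 1 if rcode == 3 else 0
        if self.failed[client] > self.threshold:
            self.blocked_until[client] = now + BLOCK_SECONDS
            return "blocked"
        return "pass"


def dictionary_attack_scenario() -> list:
    """Constructed: one client asks for five names that do not exist (threshold 3)."""
    nx = NxDomainRateLimiting(threshold=3)
    results = []
    for i, label in enumerate(["abcd", "efgh", "ijkl", "mnop", "qrst"]):
        response = build_response(build_query(f"{label}.somedomain.com"), rcode=3)
        results.append(nx.on_response(now=i, client="198.51.100.7", payload=response))
    return results
```

The validator rejects the payload at the first label or length field that cannot be right, which is all a packet-blocking check needs; the NXDOMAIN counter is reset by any successful answer, so a legitimate resolver that occasionally asks for a typo is not blocked, while the dictionary attacker from the earlier slide is blocked on the fourth consecutive miss.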


DNS NXDomain Rate Limiting Protection
Basic NXDOMAIN Attack – How the Attack Works
[Diagram: the attacker sends DNS queries for non-existent names to a recursive name server; each lookup comes back NOT FOUND (NXDOMAIN) and the server's cache fills up]

• For this Protection to work, Arbor APS MUST be able to see the DNS response traffic from the DNS server


PROTECTING
SIP SERVERS



SIP Server Protections

• Protect VoIP (SIP) Servers and services with the following Protections:
  • Block Malformed SIP Traffic
  • SIP Request Rate Limiting


Block Malformed SIP Traffic Protection
IPv4

• All traffic destined to SIP ports is inspected
  • If the payload of the packet is empty or is not part of a SIP request
  • If the headers are not properly formatted and/or do not have reasonable values
  • Traffic is dropped
  • Source is temporarily blocked for 60 seconds
• SIP Malformed prevents attacks against the VoIP infrastructure by blocking invalid or blank SIP requests


SIP Request Rate Limiting Protection
IPv4

• All traffic destined to SIP ports is measured
  • If the rate of SIP requests per second exceeds the threshold
  • Traffic is dropped
  • Source is temporarily blocked for 60 seconds
• SIP Request Rate Limiting prevents SIP floods against the VoIP infrastructure


SIP Flood
• Session Initiation Protocol (SIP): standard protocol for VoIP telephony
• Text-based protocol with a syntax similar to that of HTTP
• Two types of SIP messages: requests and responses
• A single SIP INVITE triggers considerable resource consumption on the SIP proxy server
• Numerous INVITEs consume the proxy server’s resources
• Call receivers are flooded with incoming calls
[Diagram: Alice's user agent sends INVITE: sip:bob@biloxi.com (From: sip:alice@atlanta.com) to her proxy server on LAN 1; the proxy queries DNS for biloxi.com and receives the IP address of Bob's proxy server; the INVITEs are forwarded across the Internet to Bob's proxy server and on to Bob's user agent on the wireless network]


PROTECTING
OTHER SERVERS



Protecting Other Server Types
• Arbor APS also has Server Types pre-configured for:
  • Mail Server
  • VPN Server
  • RLogin Server
  • File Server
  • Generic
• It is recommended that you create a separate Protection Group for each of the services you want to protect, assigning the Server Type that best fits
• The Generic Server Type is the “catch-all”, providing flexibility to accommodate specific server types


Inbound Protection Processing Sequence
[Diagram: the order in which inbound traffic passes through the Protections, ending in PASS]


CDN & PROXY SUPPORT



CDN & Proxy Support
• Proxy servers and Content Delivery Network servers have special needs
• Proxy server forwards traffic from many user clients or cached content from
many servers
• CDN server forwards content on behalf of many websites
• Proxies and CDNs may behave like entire multi-host networks and can
overwhelm Protections designed for single hosts



CDN & Proxy Support
IPv4

• Arbor APS has special handling for sources that are proxies and CDN servers
• The only Arbor APS setting is to enable or disable this handling; the enable setting is the only exposed element
• Its operation is not visible in the Arbor APS GUI


CDN & Proxy Support
• For any source host that is detected to be a CDN or proxy server
• All rate limiting Protections are disabled
• All Host-blocking Protections will not block hosts but will instead block flows
• A “flow” is traffic matching a five-tuple of
IP addresses, IP protocol, and TCP/UDP ports
• All other Protections operate normally



Disabled Protections
• For sources identified as CDN or Proxy, the following Rate Limiting
Protections are disabled:
• Rate-based blocking detection
• HTTP Rate Limiting
• DNS Rate Limiting
• DNS NXDomain Rate Limiting
• SIP Rate Limiting
• TCP Connection Reset
• TCP SYN Flood Detection
• ICMP Flood Detection



Changed Behaviors
• For sources identified as CDN or Proxy, some
Protections change the behavior from Host-blocking to Packet-Blocking:
• DNS malformed
• HTTP malformed
• SIP malformed
• SSL/TLS attack prevention
• HTTP regex
• Botnet Protection
• DNS regex
• Application Misbehavior



Lab Exercise
• Preview Lab 8
• Multi-Vector Attack
• Perform Lab 8
• Estimated Time 30 Minutes
• Review Lab Questions

https://portal.training.arbor.net



Unit Summary
In this unit we have learned how to:
• Use Arbor APS to protect:
• L3 and L4 services
• Web Servers
• SSL secured services
• DNS Servers
• SIP Servers
• Other Servers



Q&A / THANK YOU

