Multicast Blocking
• Drops all inbound and outbound traffic sourced from or destined to multicast
address space (224.0.0.0/4)
• Enable only for protection groups that must not receive any multicast traffic
• Make sure not to block routing protocols that use multicast for hello messages
• Whitelist the small multicast address blocks that are legitimately active through Arbor APS
Private Address Blocking
• Drops all inbound and outbound traffic sourced from or destined to:
• 0.0.0.0/8
• 10.0.0.0/8
• 127.0.0.0/8
• 172.16.0.0/12
• 192.168.0.0/16
• Disabled by default
• Enable if you suspect an attack from spoofed private IP addresses
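The two protections above as a stateless filter, written here as an added example (not Arbor APS code): every packet whose source or destination falls in multicast space or in the listed private ranges is dropped, except for a small multicast whitelist that keeps routing-protocol hellos alive. The whitelist contents (OSPF and RIPv2 hello groups), the sample packets and the function names are assumptions for illustration.

```python
"""Multicast Blocking and Private Address Blocking as a stateless filter.

Added example (not Arbor APS code) modelling the two protections above:
drop any packet sourced from or destined to multicast space (224.0.0.0/4)
or to the private/special ranges, while exempting a small multicast
whitelist so routing-protocol hellos survive.  The whitelist contents,
the sample packets and the function names are assumptions.
"""
import ipaddress

MULTICAST = ipaddress.ip_network("224.0.0.0/4")
PRIVATE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed whitelist: OSPF AllSPFRouters (224.0.0.5), OSPF AllDRouters (224.0.0.6)
# and RIPv2 (224.0.0.9), i.e. the hello groups the slide warns about.
MULTICAST_WHITELIST = [ipaddress.ip_network(n) for n in (
    "224.0.0.5/32", "224.0.0.6/32", "224.0.0.9/32")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def verdict(src, dst, multicast_blocking=True, private_blocking=False):
    """Return 'pass' or a drop reason for one packet given its IPv4 src and dst.

    multicast_blocking: checked on both addresses, whitelist consulted first.
    private_blocking:   disabled by default, as on the slide.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if multicast_blocking:
        for a in (s, d):
            if a in MULTICAST and not _in_any(a, MULTICAST_WHITELIST):
                return "drop:multicast"
    if private_blocking and (_in_any(s, PRIVATE) or _in_any(d, PRIVATE)):
        return "drop:private"
    return "pass"


def filter_batch(packets, **settings):
    """Count verdicts over (src, dst) tuples; useful to check a proposed whitelist."""
    counts = {}
    for src, dst in packets:
        v = verdict(src, dst, **settings)
        counts[v] = counts.get(v, 0) + 1
    return counts


# Constructed sample: an OSPF hello, a multicast flood, a spoofed-private packet, normal traffic.
SAMPLE = [
    ("198.51.100.1", "224.0.0.5"),    # OSPF hello, must survive Multicast Blocking
    ("203.0.113.7", "239.255.1.1"),   # multicast flood toward a protected group
    ("10.0.0.99", "198.51.100.20"),   # spoofed private source
    ("192.0.2.8", "198.51.100.20"),   # ordinary traffic
]

if __name__ == "__main__":
    print(filter_batch(SAMPLE))                          # Private Address Blocking off
    print(filter_batch(SAMPLE, private_blocking=True))   # both protections on
```

Run the batch once with the default settings and once with private blocking enabled: the OSPF hello passes in both cases because of the whitelist, while the spoofed 10.0.0.99 packet is only dropped when the second protection is switched on.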
[Figure: DNS reflective amplification; the attacker (a) sends queries with the victim's spoofed source address to an open resolver (r), whose much larger responses land on the victim (v)]
• A botnet with as few as 20 DSL-connected homes (1 Mbps upstream each) can generate 1.5 Gbps of attack traffic
with DNS reflective amplification attack vectors such as those employed for the root server attacks in early 2006
(1:76 amplification factor). Most enterprises have little more than 155 Mbps of Internet connectivity.
©2017 ARBOR® CONFIDENTIAL & PROPRIETARY 10
UDP Flood Attacks
• UDP is stateless, making it a common tool for flood attacks
• Generation of UDP packets is easy
• Stateless implies spoofing source IP addresses is possible
• BPS and PPS: packet sizes may range from 60 to 1500 bytes
• High volume of small packets can cause forwarding issues for routers and firewalls
and other inline devices
• 1 Mpps @ 60 bytes = 480 Mbps
• 1 Mpps @ 1400 bytes = 11.2 Gbps
• UDP floods do not generally impact the service itself (DNS being the exception) but do impact
the infrastructure, causing collateral damage
• UDP floods can cause jitter and latency, impacting other services such as VoIP
• TCP SYN Flood Detection can be used to detect and stop SYN floods, which
can exhaust a server's resources, forcing it to reject new/legitimate connections
2. APS intercepts the SYN and replies to the client, on the server's behalf, with
a SYN-ACK whose sequence and acknowledgement numbers are derived by APS
3. A valid client responds with an ACK carrying the received sequence number + 1
as the acknowledgement number
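The exchange above, worked through as a SYN cookie, is shown below as an added example (not Arbor APS code). The mitigator answers each SYN with a SYN-ACK whose sequence number is an HMAC over the connection 4-tuple, a coarse time slot and a device secret, so nothing is stored per SYN and a flood cannot exhaust state; a real client returns ACK = seq + 1 and is then passed through, while a spoofed source never sees the SYN-ACK. The secret, slot width and authentication lifetime are assumptions.

```python
"""TCP SYN authentication with a SYN cookie, modelling the exchange above.

Added example, not Arbor APS code.  The mitigator answers each SYN itself
with a SYN-ACK whose sequence number is an HMAC over the connection
4-tuple, a coarse time slot and a device secret (nothing is stored per SYN,
so a flood cannot exhaust state).  A real client returns ACK = seq + 1 and
is then passed through; a spoofed source never sees the SYN-ACK.  Secret,
slot width and authentication lifetime are assumptions.
"""
import hashlib
import hmac
import struct

SECRET = b"per-device-secret-rotate-me"   # assumption
SLOT_SECONDS = 64                         # cookie validity granularity (assumption)
AUTH_SECONDS = 300                        # how long a verified source is passed (assumption)


def _slot(now):
    return int(now) // SLOT_SECONDS


def make_cookie(src_ip, src_port, dst_ip, dst_port, now):
    """32-bit sequence number for the SYN-ACK, reproducible from the 4-tuple and time slot."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}".encode() + struct.pack("!I", _slot(now))
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack("!I", mac[:4])[0]


def check_ack(src_ip, src_port, dst_ip, dst_port, ack_num, now):
    """True if ack_num == cookie + 1 for a cookie issued in the current or previous slot."""
    expected = (ack_num - 1) & 0xFFFFFFFF
    for back in (0, SLOT_SECONDS):
        if make_cookie(src_ip, src_port, dst_ip, dst_port, now - back) == expected:
            return True
    return False


class SynAuth:
    """Per-protected-server SYN authentication: only verified sources get a table entry."""

    def __init__(self, server_ip, server_port):
        self.server = (server_ip, server_port)
        self.verified = {}   # src_ip -> expiry time

    def on_syn(self, src_ip, src_port, now):
        if self.verified.get(src_ip, 0) > now:
            return ("forward", None)                  # known-good source: SYN goes to the server
        seq = make_cookie(src_ip, src_port, *self.server, now)
        return ("syn-ack", seq)                       # step 2: answer on the server's behalf

    def on_ack(self, src_ip, src_port, ack_num, now):
        if check_ack(src_ip, src_port, *self.server, ack_num, now):
            self.verified[src_ip] = now + AUTH_SECONDS  # step 3 succeeded
            return "authenticated"
        return "drop"                                 # bogus or stale ACK, no state consumed


if __name__ == "__main__":
    aps = SynAuth("203.0.113.10", 80)
    action, seq = aps.on_syn("198.51.100.7", 40000, 1000.0)
    print(action, hex(seq))
    print(aps.on_ack("198.51.100.7", 40000, (seq + 1) & 0xFFFFFFFF, 1001.0))
    print(aps.on_syn("198.51.100.7", 40001, 1002.0))
```

A spoofed source can only complete step 3 by guessing a 32-bit value, and an ACK replayed after the previous slot has expired is rejected even when the cookie was once valid.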
• Malformed HTTP can be used to protect against attacks that attempt to exhaust
web server resources with invalid or blank HTTP requests
• Botnets commonly use this type of vector
• The Botnet Prevention protection settings allow Arbor APS to detect botnet
attacks based on known botnet behaviors
POST http://victim.com/
Host: victim.com
Connection: keep-alive
Content-Length: 1000000
User-Agent: Mozilla/5.0
Cookie: __utmz=181569312.1294666144.1.1
username=AAAAAAAAAAAAAAAAAAAAAAAAA…
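An added example (not Arbor APS code) of the kind of check Malformed HTTP performs on a request as read so far from the client: request-line shape, header syntax, presence of Host, sanity of Content-Length, and whether the declared body has actually arrived. The sample request mirrors the one on the slide (no HTTP version on the request line, Content-Length of 1000000 with only a few body bytes sent); the thresholds and the elapsed time are assumptions.

```python
"""Malformed/slow HTTP request inspection, an added example (not Arbor APS code).

It checks one request as read so far from the client: request-line shape,
header syntax, presence of Host, sanity of Content-Length, and whether the
declared body has actually arrived.  SLIDE_REQUEST reproduces the request
on the slide.  Thresholds are assumptions.
"""
import re

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")
METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}
MAX_CONTENT_LENGTH = 1_000_000   # assumed ceiling for a declared body
SLOW_BODY_SECONDS = 30           # assumed time after which an unfinished body is suspicious


def inspect_request(raw, elapsed_s=0.0):
    """Return a list of findings for the bytes received so far, or ['ok']."""
    findings = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        findings.append("incomplete-headers")       # headers still arriving, or trickled on purpose
    lines = head.split(b"\r\n")
    if lines[0] == b"":
        return ["blank-request"]
    m = REQUEST_LINE.match(lines[0])
    if not m:
        findings.append("malformed-request-line")   # e.g. no "HTTP/1.x" at the end
    elif m.group(1) not in METHODS:
        findings.append("unknown-method")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            findings.append("malformed-header")
            continue
        headers[name.strip().lower()] = value.strip()
    if b"host" not in headers:
        findings.append("missing-host")
    declared = headers.get(b"content-length")
    if declared is not None:
        if not declared.isdigit():
            findings.append("bad-content-length")
        else:
            n = int(declared)
            if n > MAX_CONTENT_LENGTH:
                findings.append("oversized-content-length")
            if sep and len(body) < n:
                findings.append(f"body-incomplete:{len(body)}/{n}")
                if elapsed_s > SLOW_BODY_SECONDS:
                    findings.append("slow-body")     # the slow-POST pattern from the slide
    return findings or ["ok"]


# Constructed reproduction of the slide's request, inspected 45 s after the connection opened.
SLIDE_REQUEST = (b"POST http://victim.com/\r\n"
                 b"Host: victim.com\r\n"
                 b"Connection: keep-alive\r\n"
                 b"Content-Length: 1000000\r\n"
                 b"User-Agent: Mozilla/5.0\r\n"
                 b"Cookie: __utmz=181569312.1294666144.1.1\r\n"
                 b"\r\n"
                 b"username=AAAAAAAAAAAAAAAAAAAAAAAAA")

if __name__ == "__main__":
    print(inspect_request(SLIDE_REQUEST, elapsed_s=45))
```

The slide's request trips two independent checks: the request line is malformed, and the connection has been holding a server-side request slot for 45 seconds while delivering a handful of the promised million bytes.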
• Arbor APS replies to a client's HTTP request with a small amount of JavaScript,
which is executed on the client and causes the client to follow a redirect back
to the protected host
• If the redirected request is received, the client is authenticated
Note: If you select the JavaScript option, legitimate clients that do not have JavaScript enabled
will be unable to connect to protected hosts.
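The challenge described above, implemented as an added example (not Arbor APS code): on the first request the mitigator returns a small script instead of the page, a browser executes it and redirects itself to the same path carrying a token, and the mitigator validates the token before passing the client. The token is an HMAC over client IP, path and a time slot, so it cannot be replayed from another address or after expiry. The parameter name, secret and lifetimes are assumptions, and browser_follow() stands in for a JavaScript-capable client; a client without JavaScript simply keeps receiving the challenge, which is the caveat in the note.

```python
"""JavaScript challenge for HTTP client authentication, an added example
(not Arbor APS code).  On the first request the mitigator returns a small
script instead of the page; a browser executes it and redirects itself to
the same path carrying a token; the mitigator validates the token and then
passes the client.  Parameter name, secret and lifetimes are assumptions;
browser_follow() stands in for a JavaScript-capable client.
"""
import hashlib
import hmac
import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"per-device-secret-rotate-me"   # assumption
PARAM = "__apsjs"                         # assumed query parameter carrying the answer
TOKEN_SECONDS = 120                       # challenge answer validity (assumption)
PASS_SECONDS = 600                        # how long an authenticated client is passed (assumption)


def _token(client_ip, path, slot):
    msg = f"{client_ip}|{path}|{slot}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def challenge_page(client_ip, path, now):
    """Small HTML/JS body: a JS-capable client reloads the path with the token attached."""
    token = _token(client_ip, path, int(now) // TOKEN_SECONDS)
    target = f"{path}?{urlencode({PARAM: token})}"
    return ("<html><body><script>"
            f"window.location.replace({json.dumps(target)});"
            "</script></body></html>")


def handle(client_ip, request_target, now, authenticated):
    """Mitigator decision for one request: ('forward', path), ('challenge', html) or ('drop', why).

    authenticated maps client_ip -> expiry and is updated when a token verifies.
    """
    parts = urlsplit(request_target)
    path = parts.path or "/"
    if authenticated.get(client_ip, 0) > now:
        return ("forward", path)
    presented = parse_qs(parts.query).get(PARAM, [None])[0]
    if presented is None:
        return ("challenge", challenge_page(client_ip, path, now))
    slot = int(now) // TOKEN_SECONDS
    for s in (slot, slot - 1):                       # accept the current and previous slot
        if hmac.compare_digest(presented.encode(), _token(client_ip, path, s).encode()):
            authenticated[client_ip] = now + PASS_SECONDS
            return ("forward", path)                 # token is stripped before forwarding
    return ("drop", "bad-token")


def browser_follow(html):
    """What a JavaScript-enabled client does with the challenge: extract the redirect target."""
    m = re.search(r'window\.location\.replace\((".*?")\);', html)
    return json.loads(m.group(1)) if m else None


if __name__ == "__main__":
    table = {}
    action, html = handle("198.51.100.7", "/login", 1000.0, table)
    print(action, html)
    print(handle("198.51.100.7", browser_follow(html), 1001.0, table))
    print(handle("198.51.100.9", browser_follow(html), 1001.0, {}))   # token bound to the IP
```

Binding the token to the client address and a short time slot is what stops a botnet from having one JavaScript-capable node solve the challenge once and distributing the answer to the rest.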
• HTTP Rate Limiting can be used to protect against flooding attacks that
overwhelm the HTTP application server's resources
Web Crawlers are a Challenge
• Search Engine web crawlers are a challenge for DDoS mitigation
• Web crawlers act like bots because … they are bots!
• Blocking web crawlers is often unacceptable
• Blocking quickly leads to reduced web site visibility in search results and,
consequently, a decrease in search ranking
• It is critical that web crawlers can still reach and index protected resources
even when those are under attack and need protection
• Protection group settings select whether known web crawlers can bypass
some protections for destinations within that protection group
• Enabled – Web crawler protection bypass is allowed
• Disabled – Web crawler traffic has normal protections
• Single enable / disable Web Crawler setting for each protection group
protection level
• Individual search engines can be chosen globally
• Web Crawlers can be exempted from different Protections, per protection level (the three columns below follow the original table):
  Invalid Packets, TCP SYN Flood Detection: Checked | Checked | Checked
  Filter List, Multicast Blocking, Private Address Blocking: Whitelisted | Checked | Checked
  Rate-based Blocking, DNS Rate Limiting, DNS NXDomain Rate Limiting, HTTP Rate Limiting, ICMP Flood Detection, UDP Flood Detection, Fragment Flood Detection: Whitelisted | Whitelisted | Checked
• Web Crawlers traffic widget for protection groups of Generic, Web, and DNS
Server Types
How to Mitigate:
To mitigate the THC SSL DoS attack, disable TLS early whitelisting for the affected server type and protection level:
/ services aps protection set tls.earlywhitelist '<server type>' <protection_level> no
[Figure: DNS threat vectors, with DNS servers as the attack target: client-side attacks, reflective attacks, server-side attacks, cache poisoning, phishing, and DNS application-layer attacks]
• Multiple threat vectors against DNS, whose impacts include loss of service
availability, reduced customer satisfaction, and hurt profitability
[Figure: the attacker requests entries that do not exist in the DNS cache (abcd.somedomain.com, efgh.somedomain.com, ijkl.somedomain.com, …); every miss is passed to the back-end, which answers NXDomain for each, and the DB server is overwhelmed with lookups]
• Any source that sends a UDP DNS request is forced to switch to TCP
• If the source does not change from a UDP to a TCP DNS request, the source
is considered invalid
• Any unverified requests are dropped, source hosts are not blocked
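The mechanism behind the bullets above, as an added example (not Arbor APS code): an unverified source's UDP query is answered with an empty truncated (TC=1) response, which makes a real resolver or stub retry over TCP; completing a TCP handshake proves the source address is not spoofed, after which that source's UDP queries are forwarded. Sources that never switch only ever have their requests dropped, not their address blocked. The sample query, verification lifetime and class layout are assumptions.

```python
"""DNS client authentication by forcing UDP sources onto TCP, an added example
(not Arbor APS code).  An unverified source's UDP query is answered with an
empty, truncated (TC=1) response, which makes a real resolver or stub retry
over TCP; completing a TCP handshake proves the source address is real,
after which its UDP queries are forwarded.  Sources that never switch are
only ever dropped, not blocked.  Sample query and lifetime are assumptions.
"""
import struct

HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(txid, name, qtype=1, qclass=1):
    """Standard recursive query for one name (constructed test input)."""
    return HEADER.pack(txid, FLAG_RD, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, qclass)


def parse_header(msg):
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rd": bool(flags & FLAG_RD), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def truncated_reply(query):
    """Echo the question with QR=1 and TC=1 and no answers: the RFC 1035 signal to retry over TCP."""
    txid, flags, qdcount, *_ = HEADER.unpack_from(query)
    name_end = query.index(b"\x00", HEADER.size) + 1   # end of the (uncompressed) QNAME
    question = query[HEADER.size:name_end + 4]          # QNAME + QTYPE + QCLASS
    return HEADER.pack(txid, FLAG_QR | FLAG_TC | (flags & FLAG_RD), qdcount, 0, 0, 0) + question


class DnsAuth:
    VERIFIED_SECONDS = 300   # assumption

    def __init__(self):
        self.verified = {}   # src_ip -> expiry

    def on_udp_query(self, src_ip, query, now):
        if self.verified.get(src_ip, 0) > now:
            return ("forward", query)
        # Unverified: the query is not forwarded; the source is told to come back over TCP.
        return ("truncate", truncated_reply(query))

    def on_tcp_query(self, src_ip, query, now):
        # Reaching here means a TCP handshake completed, so src_ip cannot be spoofed.
        self.verified[src_ip] = now + self.VERIFIED_SECONDS
        return ("forward", query)


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    aps = DnsAuth()
    action, reply = aps.on_udp_query("198.51.100.7", q, 1000.0)
    print(action, parse_header(reply))
    print(aps.on_tcp_query("198.51.100.7", q, 1001.0)[0])
    print(aps.on_udp_query("198.51.100.7", q, 1002.0)[0])
```

A spoofed-source flood costs the mitigator one small reply per query and no state; only the sources that prove themselves over TCP occupy a table entry.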
• DNS Rate Limiting protects against DNS attacks that attempt to flood
DNS servers
• Arbor APS inspects all of the DNS traffic that originates from a single source
and records the number of queries per second
• Any traffic that exceeds the threshold is blocked
• The source host is temporarily blocked for 60 seconds
[Figure: attacker sends a flood of DNS queries to a recursive name server]
• Arbor APS monitors DNS response packets for sources that send requests
that might cause the generation of a non-existent domain (NXDomain)
• Any source that sends more consecutive failed DNS requests than
the threshold is blocked for 60 seconds
• For this Protection to work, Arbor APS MUST be able to see the DNS
response traffic from the DNS server
[Figure: attacker floods a recursive name server with queries for non-existent names; the NXDOMAIN responses fill the server's cache]
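Both DNS Rate Limiting and DNS NXDomain Rate Limiting over a constructed event stream, as an added example (not Arbor APS code) that covers the two slides above. Queries are counted per source over a sliding one-second window; NXDOMAIN responses are counted per source as a consecutive streak, which is exactly why the mitigator has to see the server's responses for the second protection to work. Exceeding either threshold blocks the source for 60 seconds, as on the slides. The thresholds and the sample traffic are assumptions.

```python
"""DNS Rate Limiting and DNS NXDomain Rate Limiting over a constructed event
stream, an added example (not Arbor APS code).  Queries are counted per source
over a sliding one-second window; NXDOMAIN responses are counted per source as
a consecutive streak, so the response side must be visible.  Exceeding either
threshold blocks the source for 60 seconds.  Thresholds are assumptions.
"""
from collections import defaultdict, deque

BLOCK_SECONDS = 60      # from the slide
QPS_LIMIT = 100         # assumed per-source queries per second
NXDOMAIN_LIMIT = 20     # assumed consecutive NXDOMAIN responses
RCODE_NXDOMAIN = 3      # DNS RCODE "Name Error"


class DnsLimiter:
    def __init__(self):
        self.blocked_until = {}                    # src_ip -> expiry
        self.query_times = defaultdict(deque)      # src_ip -> timestamps within the last second
        self.nx_streak = defaultdict(int)          # src_ip -> consecutive NXDOMAINs returned to it

    def is_blocked(self, src_ip, now):
        return self.blocked_until.get(src_ip, 0) > now

    def _block(self, src_ip, now):
        self.blocked_until[src_ip] = now + BLOCK_SECONDS
        self.query_times[src_ip].clear()
        self.nx_streak[src_ip] = 0

    def on_query(self, src_ip, now):
        """Client -> server direction. Returns 'drop', 'block' (threshold just crossed) or 'pass'."""
        if self.is_blocked(src_ip, now):
            return "drop"
        window = self.query_times[src_ip]
        window.append(now)
        while window and window[0] <= now - 1.0:   # slide the one-second window
            window.popleft()
        if len(window) > QPS_LIMIT:
            self._block(src_ip, now)
            return "block"
        return "pass"

    def on_response(self, client_ip, rcode, now):
        """Server -> client direction; client_ip is the query's source. A success resets the streak."""
        if rcode != RCODE_NXDOMAIN:
            self.nx_streak[client_ip] = 0
            return "pass"
        self.nx_streak[client_ip] += 1
        if self.nx_streak[client_ip] > NXDOMAIN_LIMIT:
            self._block(client_ip, now)
            return "block"
        return "pass"


def replay(events):
    """Run (time, direction, ip, rcode) events in time order; return per-IP verdict counts."""
    lim, counts = DnsLimiter(), defaultdict(lambda: defaultdict(int))
    for ts, direction, ip, rcode in sorted(events, key=lambda e: e[0]):
        verdict = lim.on_query(ip, ts) if direction == "query" else lim.on_response(ip, rcode, ts)
        counts[ip][verdict] += 1
    return {ip: dict(c) for ip, c in counts.items()}


# Constructed traffic: a query flood from one host and a random-subdomain attack from another.
EVENTS = [(1000.0 + i / 200, "query", "198.51.100.7", None) for i in range(150)]
EVENTS += [(2000.0 + i, "response", "203.0.113.9", RCODE_NXDOMAIN) for i in range(25)]

if __name__ == "__main__":
    print(replay(EVENTS))
```

Note the asymmetry: a host whose NXDOMAIN streak is broken by an occasional successful lookup is never blocked, which keeps ordinary resolvers with a few typo queries out of the 60-second penalty.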
• SIP Request Limiting prevents SIP floods against the VoIP infrastructure
[Figure: an attacker repeatedly sends "INVITE sip:bob@biloxi.com / From: sip:alice@atlanta.com" through the proxy servers (LAN 1, wireless network); (4) the numerous INVITEs consume the proxy server's resources; (5) call receivers (user agents Alice and Bob) are flooded with incoming calls]
• Arbor APS has special handling for sources that are proxies and CDN
servers
• The only Arbor APS setting is to enable or disable this handling; its operation
is not otherwise visible in the Arbor APS GUI
https://portal.training.arbor.net