ASM DoS profile includes five major mitigations (v13.x).
Each of the mitigation options takes a different approach to identifying the DDoS attack:
Anomaly (TPS based) – identify an RPS increase at the source or the destination and apply a prevention policy to it
Anomaly Behavioral (stress based) – identify a TPS anomaly (typically an increase) at the source or the destination, driven by server stress, and apply a prevention policy to it
Anti bot – classify the attack agent as a valid user with a browser or as a bot, and apply a prevention policy to it
Source IP reputation – decide whether the traffic arrives from an IP with a bad reputation and block it
Signature – identify a pattern of the exploit or of the attack agent in the payload and apply a prevention policy to it
7. [Diagram] Hacktivism / Google Web Bot / Unidentified User / User – Users or Bots behind Source IPs (IP:X.X.X.X, IP:X.Y.Z.A, IP:A.B.C.D) – Web Site – Servers / Database
ASM measures the request increase from source IPs
12. [Diagram] Unidentified User / User / Users or Bots / Web Bot (IP:X.X.X.X) – Web Site – Servers / Database
• Measuring the request increase per Device ID
ASM fingerprints the source and assigns it a Device ID (e.g. ID:LK142, ID:LQ87A; ID:N/A when no fingerprint could be obtained)
15. Measuring the request increase from a specific country
[Diagram] Hacktivism / Google Web Bot / Unidentified User / User – Users or Bots behind Source IPs – Web Site – Servers / Database
21. Source IPs
[Diagram] Hacktivism / Google Web Bot / Unidentified User / User – Users or Bots behind Source IPs – Web Site – Servers / Database – App URLs & objects
• Measuring the request increase on both IPs and URLs
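The slides above describe the same measurement keyed on four different things: source IP, device ID, country and URL. The following is an added example (not F5 ASM code) that runs a TPS-based anomaly check over a constructed access log on each of those keys; the thresholds (an absolute floor plus a ratio to the baseline) and the log layout are assumptions for the example. It also shows the gap the slide's "ID:N/A" hints at: a client that never returns a fingerprint has no device ID, so device-ID detection alone does not see it, while the IP, country and URL keys do.

```python
# Added illustration (not F5 ASM code) of TPS-based detection keyed on the
# dimensions the slides use: source IP, device ID, country (geolocation) and URL.
from collections import defaultdict

# Constructed access log: (second, source_ip, device_id, country, url).
# 20 s of normal traffic from two fingerprinted browsers, then 10 s in which a
# script with no fingerprint (device ID "N/A", as on the slide) floods /login.php.
LOG = []
for t in range(0, 20):
    LOG.append((t, "10.0.0.1", "LK142", "US", "/index.html"))
    LOG.append((t, "10.0.0.2", "LQ87A", "DE", "/index.html"))
for t in range(20, 30):
    LOG.append((t, "10.0.0.1", "LK142", "US", "/index.html"))
    for _ in range(50):
        LOG.append((t, "203.0.113.9", "N/A", "XX", "/login.php"))

# Column index of each detection dimension in a log record.
DIMENSIONS = {"source_ip": 1, "device_id": 2, "country": 3, "url": 4}


def tps_by_key(records, dimension):
    """Return {key: {second: request_count}} for one detection dimension.
    A device ID of "N/A" means no fingerprint was obtained, so it is not a
    key that can be measured (which is why the other dimensions exist)."""
    column = DIMENSIONS[dimension]
    counts = defaultdict(lambda: defaultdict(int))
    for rec in records:
        key = rec[column]
        if dimension == "device_id" and key == "N/A":
            continue
        counts[key][rec[0]] += 1
    return counts


def detect(records, dimension, baseline_window, detect_window,
           min_tps=10, ratio=3.0):
    """Flag keys whose average TPS over detect_window is above an absolute
    floor (min_tps) and at least `ratio` times their baseline average.
    Windows are (start, end) seconds, end exclusive. The thresholds are
    illustrative assumptions, not ASM defaults.
    Returns {key: (baseline_tps, current_tps)}."""
    counts = tps_by_key(records, dimension)
    b0, b1 = baseline_window
    d0, d1 = detect_window
    flagged = {}
    for key, per_sec in counts.items():
        base = sum(per_sec.get(s, 0) for s in range(b0, b1)) / (b1 - b0)
        cur = sum(per_sec.get(s, 0) for s in range(d0, d1)) / (d1 - d0)
        # max(base, 1.0) keeps a key that was silent during the baseline from
        # dividing by zero while min_tps still demands real volume.
        if cur >= min_tps and cur >= ratio * max(base, 1.0):
            flagged[key] = (round(base, 2), round(cur, 2))
    return flagged


def run_all(records, baseline_window=(0, 20), detect_window=(20, 30)):
    """Run the check on every dimension; ASM applies its prevention policy to
    whichever key crossed the threshold."""
    return {dim: detect(records, dim, baseline_window, detect_window)
            for dim in DIMENSIONS}


if __name__ == "__main__":
    for dim, hits in run_all(LOG).items():
        print(dim, hits or "no anomaly")
```

With the constructed log the flood shows up under source IP (203.0.113.9), country (XX) and URL (/login.php) at 50 TPS against a baseline of 0, while the device-ID view is empty because the script never answered the fingerprinting challenge.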
24. [Cartoon: User / Web Bot / Server]
Client: Hey server, can I get the web page?
ASM: First show me that you are a browser.
If a browser: "Yes, I'm a browser" → ASM: OK, you are allowed. Here is the web page you asked for.
If a bot: "*^lkjdfg@#$" → ASM: Bye bye – blocked.
25. Client Side Integrity Defense – Flow (User / Browser / DoS Profile / App)
1. User: first main page access → Browser → DoS Profile: HTTP Request (no cookie)
2. DoS Profile → Browser: computational challenge (send JS test)
3. Browser: solve challenge / set cookie with time stamp
4. Browser → DoS Profile: HTTP Request (cookie); DoS Profile validates the cookie (format & time stamp) and reconstructs the request
5. DoS Profile → App: original HTTP Request; App → DoS Profile → Browser: HTTP Response (main page)
6. Browser → DoS Profile: more object requests (cookie); DoS Profile validates the cookie and forwards them → App: more object requests; App → Browser: more responses; page delivered
Valid source:
• The client supports JavaScript
• The client supports HTTP cookies
• The client calculates the JS challenge
Not valid:
• Didn't pass the above
• Cookie is in the wrong format – Block (RST)
• Time stamp expired – Block (RST)
28. [Cartoon: User / Web Bot / Server]
Client: Hey server, can I get the web page?
ASM: No, first answer a CAPTCHA challenge and show me you're human!
If a user: "OK, I answered" → ASM: OK, you are allowed. Here is the web page you asked for.
If not a user: "Ha? *^lkjdfg@#$" → ASM: Bye bye – block him, dude!
29. CAPTCHA – Flow (User / Browser / DoS Profile / App)
1. User: request login.php → Browser → DoS Profile: GET /mypage.php (no cookie)
2. DoS Profile → Browser: CAPTCHA HTML + JS response, cookie with time stamp (send CAPTCHA)
3. Browser: CAPTCHA rendered; user solves the CAPTCHA; Browser → DoS Profile: submit CAPTCHA solution, GET /mypage.php + CAPTCHA cookie
4. DoS Profile: verify CAPTCHA solution, validate cookie → App: GET /mypage.php
5. App → DoS Profile → Browser: HTML of mypage.php; mypage.php rendered
• While the system is still in a state of attack the offending source will be presented with another CAPTCHA every 5 min.
• As with CSID, the request is held at the ASM until the CAPTCHA is solved
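Both flows (the CSID flow on slide 25 and the CAPTCHA flow on slide 29) end in the DoS profile validating a cookie for format and time stamp and resetting the connection otherwise. The following is an added example, not F5's implementation, that shows the server-side logic such a cookie needs if it is to be worth anything: the profile hands the browser a signed token binding seed, source address and issue time; the browser's JS solves a computational challenge and returns token plus solution in the cookie; the profile checks format, signature, source, time stamp and solution in that order. For the CAPTCHA case the profile verifies the answer itself and issues a cookie whose time stamp expires after 5 minutes, which is what forces the repeated CAPTCHA on the slide. The signing key, the two TTLs, the puzzle (leading zero bits of SHA-256) and the cookie layout are assumptions for this example.

```python
# Added illustration (not F5 ASM code) of the cookie checks behind the CSID
# flow (slide 25) and the CAPTCHA flow (slide 29). Key, TTLs, puzzle
# difficulty and cookie layout are assumptions for this example.
import hashlib
import hmac
import os

SECRET = os.urandom(32)     # per-process signing key (assumption)
CSID_TTL = 120              # seconds a CSID cookie stays valid (assumption)
CAPTCHA_TTL = 300           # slide 29: another CAPTCHA every 5 min while under attack
DIFFICULTY = 12             # leading zero bits the client must find (assumption)


def _sign(payload):
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + mac


def solves(seed, nonce, difficulty=DIFFICULTY):
    """True if sha256(seed:nonce) starts with `difficulty` zero bits."""
    digest = hashlib.sha256(f"{seed}:{nonce}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - difficulty) == 0


def issue_csid_challenge(client_ip, now):
    """DoS profile -> browser: the computational challenge plus a signed token
    binding seed, source IP and issue time, so the client cannot forge it."""
    seed = os.urandom(8).hex()
    return {"seed": seed, "difficulty": DIFFICULTY,
            "token": _sign(f"csid|{client_ip}|{seed}|{now}")}


def solve_csid_challenge(challenge):
    """What the browser's JS does: brute-force a nonce, then build the cookie
    value 'token|nonce' (the 'set cookie with time stamp' step on slide 25)."""
    nonce = 0
    while not solves(challenge["seed"], nonce, challenge["difficulty"]):
        nonce += 1
    return f"{challenge['token']}|{nonce}"


def issue_captcha_cookie(client_ip, now):
    """Issued by the DoS profile only after it verified the CAPTCHA answer
    itself, so no client-computed solution is carried (nonce 0)."""
    return _sign(f"captcha|{client_ip}|{os.urandom(8).hex()}|{now}") + "|0"


def validate_cookie(cookie, client_ip, now):
    """Return 'pass' or the reason the request is blocked (RST on the slide):
    'bad-format', 'bad-mac', 'wrong-source', 'expired' or 'bad-solution'."""
    try:
        token, nonce = cookie.rsplit("|", 1)
        payload, _mac = token.rsplit(".", 1)      # IPs contain dots, so split from the right
        kind, ip, seed, issued = payload.split("|")
        issued, nonce = int(issued), int(nonce)
    except ValueError:
        return "bad-format"                        # slide 25: "cookie is wrong format"
    if not hmac.compare_digest(_sign(payload), token):
        return "bad-mac"
    if ip != client_ip:
        return "wrong-source"                      # cookie replayed from another address
    ttl = CAPTCHA_TTL if kind == "captcha" else CSID_TTL
    if now - issued > ttl:
        return "expired"                           # slide 25: "time stamp expired"
    if kind == "csid" and not solves(seed, nonce):
        return "bad-solution"                      # JS never really ran the challenge
    return "pass"
```

Note that the time stamp is inside the signed payload, so a client cannot extend its own cookie, and the source address is bound too, so a solved cookie cannot be shared across a botnet; both are details the slide's "validate format & time stamp" quietly depends on.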
30. The ultimate solution for identifying human or bot
Send a challenge to every IP that reached the IP detection criteria thresholds
Note: some argue that CAPTCHA is bad for usability… but it works well!
32. [Cartoon: Server]
Client: Hey server, can I get the web page?
ASM: (a) No, I'm limiting your request sending rate.
Client: Just 1 request per minute?
ASM: (b) No, I'm totally blocking your
33. While CSID and CAPTCHA try to understand who the offending source is (bot or human), request limiting is indifferent to the "identity" and simply limits or blocks the offending sources.
Request Blocking:
• Blocking: block all requests from the offending source IPs
• Rate Limit: limit the number of requests allowed from the offending source
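As an added example (not F5 ASM code) of the two actions just listed, the class below keeps a block list and a per-source sliding-window limit, and answers "blocked", "rate-limited" or "allowed" for each arriving request without knowing anything about the client beyond its source key. Time is passed in explicitly so the behaviour can be followed step by step; the source keys and limits are constructed for the example (the cartoon's "1 request per minute").

```python
# Added illustration (not F5 ASM code) of slide 33: block an offending source
# outright, or rate-limit it to N requests per window.
from collections import deque


class RequestLimiter:
    def __init__(self):
        self.blocked = set()    # sources under "Blocking"
        self.limits = {}        # source -> (max_requests, window_seconds)
        self.history = {}       # source -> deque of accepted request times

    def block(self, source):
        self.blocked.add(source)

    def rate_limit(self, source, max_requests, window_seconds):
        self.limits[source] = (max_requests, window_seconds)
        self.history.setdefault(source, deque())

    def check(self, source, now):
        """Return 'blocked', 'rate-limited' or 'allowed' for a request arriving
        at time `now` (seconds). Who the client is does not matter, only the
        source key; that indifference is the point of this mitigation."""
        if source in self.blocked:
            return "blocked"
        if source not in self.limits:
            return "allowed"
        max_requests, window = self.limits[source]
        accepted = self.history[source]
        while accepted and now - accepted[0] >= window:   # slide the window forward
            accepted.popleft()
        if len(accepted) >= max_requests:
            return "rate-limited"
        accepted.append(now)
        return "allowed"


if __name__ == "__main__":
    lim = RequestLimiter()
    lim.rate_limit("203.0.113.9", 1, 60)     # the cartoon's 1 request per minute
    lim.block("198.51.100.7")
    for t in (0, 30, 60, 61):
        print(t, lim.check("203.0.113.9", t))
    print(lim.check("198.51.100.7", 0), lim.check("10.0.0.1", 0))
```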
35. [Cartoon: Server]
Bot: I'm a simple bot.
ASM: Yes, I have your signature. Sorry mate, you are blocked.
A simple bot can be any command line tool such as curl, wget or ab.
40. [Cartoon: Server / DNS Server]
"Gohogle": I'm a Google bot, ha ha ha.
ASM: Let's see if you are. I'm doing a reverse DNS lookup. Hey DNS, who's this guy?
DNS: No one important.
ASM: You are not Googlebot. Bye bye → block this creature!
"Gohogle": Bummer.
Google: I'm a Google bot – Googlebot/2.1 (+http://www.google.com/bot.html)
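The reverse lookup in the cartoon is only half of the check a practitioner should do: a PTR record is controlled by whoever owns the reverse zone of the client's address, so an impostor can make its PTR read like a Google crawler. The added example below (not F5 ASM code) does forward-confirmed reverse DNS: the PTR name must be under one of Google's crawler domains, and the forward lookup of that name must come back to the same address. The DNS answers are a constructed table so the code runs offline; a real check would call socket.gethostbyaddr and socket.gethostbyname. The addresses and host names are made up for the example.

```python
# Added illustration (not F5 ASM code) of the slide 40 check done properly:
# forward-confirmed reverse DNS for a client that claims to be Googlebot.
GOOGLE_CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")   # Google's documented crawler domains

# Constructed DNS data standing in for real lookups.
PTR_RECORDS = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",    # genuine crawler
    "203.0.113.9": "gohogle.example",                    # impostor with an honest PTR
    "198.51.100.7": "crawl-66-249-66-1.googlebot.com",   # impostor whose PTR zone lies
}
A_RECORDS = {
    "crawl-66-249-66-1.googlebot.com": ["66.249.66.1"],
    "gohogle.example": ["203.0.113.9"],
}


def ptr_lookup(ip):
    return PTR_RECORDS[ip]            # KeyError stands in for NXDOMAIN


def a_lookup(name):
    return A_RECORDS.get(name, [])


def verify_googlebot(ip, ptr=ptr_lookup, forward=a_lookup):
    """Forward-confirmed reverse DNS: the PTR must be under a Google crawler
    domain AND the forward lookup of that name must lead back to the same IP.
    The second step is what defeats a spoofed PTR record."""
    try:
        name = ptr(ip).rstrip(".").lower()
    except KeyError:
        return False, "no-ptr"
    if not name.endswith(GOOGLE_CRAWLER_SUFFIXES):
        return False, "ptr-not-google"        # the cartoon's "no one important"
    if ip not in forward(name):
        return False, "forward-mismatch"
    return True, "verified"


def decide(user_agent, ip):
    """Action for one request: only clients claiming Googlebot are checked;
    a failed check is a bot hiding behind a benign name and is blocked."""
    if "Googlebot" not in user_agent:
        return "not-googlebot-claim"
    ok, reason = verify_googlebot(ip)
    return "allow-benign-bot" if ok else "block:" + reason


UA = "Googlebot/2.1 (+http://www.google.com/bot.html)"   # User-Agent string from the slide

if __name__ == "__main__":
    for ip in ("66.249.66.1", "203.0.113.9", "198.51.100.7", "192.0.2.1"):
        print(ip, decide(UA, ip))
```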
43. [Cartoon: Server]
Bot: I'm a bot that simulates a browser.
ASM: OK, what are your capabilities? If you don't answer right you will have to answer a CAPTCHA and/or be blocked.
Bot: Capabilities? CAPTCHA?
ASM: You are not human, byyyye → block this unhuman!
Bot: Bummer.
45. • If Block Suspicious Browsers is unchecked, only the CS (Client Side Integrity) challenge is sent
• If Block Suspicious Browsers is checked and CAPTCHA Challenge is checked, send the Client Capabilities challenge and score the result; if the score is in doubt, send a CAPTCHA for human verification
• If Block Suspicious Browsers is checked but CAPTCHA Challenge is unchecked, do not send a CAPTCHA and block only if the score is above the human range
46. Client Capabilities – Flow (User / Browser / DoS Profile / App)
1. User: first request GET /sell.php → Browser → DoS Profile: GET /sell.php (no cookie)
2. DoS Profile → Browser: Client Capabilities challenge response
3. Browser → DoS Profile: return Client Capabilities verification results
4. DoS Profile: authenticate and decrypt the JS results, compute a browser score from them, determine an action based on the score
5. DoS Profile → Browser: blank page & Set-Cookie
6. Browser → DoS Profile: original HTTP request + cookie; DoS Profile reconstructs the request → App
7. App → DoS Profile: HTTP Response; DoS Profile → Browser: HTTP Response (cookie)
8. Browser → DoS Profile: GET /img.png (cookie); DoS Profile validates the cookie (format & time stamp) → App: GET /img.png (cookie)
47. Capabilities script – evaluating the request
Score 0 – 59: browser
Score 60 – 99: unknown
Score 100: bot
• If the score is from 0 to 59 the client is assumed to be a browser and the request passes through.
• If the score is between 60 and 99 the client is declared unknown and a CAPTCHA is sent. If the CAPTCHA challenge is solved the client is allowed in; a failed CAPTCHA challenge results in a connection reset.
• If the score is 100 the request is reset.
The characteristics by which the score is set are F5 internal intellectual property, but in general a browser should have certain features that are expected from a browser. Missing headers, obsolete User-Agents or badly formed URLs are a few indicators of bot activity.
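Slides 45 and 47 together define a small decision table: score band times the two profile checkboxes. The added example below (not F5 ASM code) encodes that table, and in front of it puts an illustrative scorer built only from the indicators the slide names (missing headers, obsolete User-Agent, badly formed URL, and no answer to the JS challenge at all). The weights, the list of "obsolete" User-Agent markers and the request layout are assumptions for the example; F5's real scoring characteristics are not public.

```python
# Added illustration (not F5 ASM code) of slides 45 and 47: a toy capability
# scorer using only the indicators the slide names, plus the decision table
# that maps score band and profile checkboxes to an action.
import re

OBSOLETE_UA_MARKERS = ("MSIE 6.", "MSIE 7.", "Mozilla/4.0")   # assumption for the example


def capability_score(request):
    """request: dict with 'headers', 'uri' and 'js_results' (None when the
    client never answered the capabilities challenge). 100 = certainly a bot;
    anything a real browser could plausibly do caps at 99 ("unknown")."""
    if request.get("js_results") is None:
        return 100                                   # no JS execution at all
    score = 0
    present = {k.lower() for k in request["headers"]}
    for expected in ("accept", "accept-language", "accept-encoding"):
        if expected not in present:
            score += 25                              # missing browser headers
    ua = request["headers"].get("User-Agent", "")
    if not ua or any(m in ua for m in OBSOLETE_UA_MARKERS):
        score += 30                                  # obsolete or absent User-Agent
    if not re.fullmatch(r"/[\x21-\x7e]*", request["uri"]):
        score += 30                                  # badly formed URL (spaces, controls)
    return min(score, 99)


def classify(score):
    """Slide 47 bands."""
    if score <= 59:
        return "browser"
    if score <= 99:
        return "unknown"
    return "bot"


def action_for(score, block_suspicious_browsers, captcha_challenge):
    """Slide 45/47 decision table. Returns the first action taken."""
    if not block_suspicious_browsers:
        return "cs-challenge-only"      # capabilities scoring is not in use
    band = classify(score)
    if band == "browser":
        return "pass"
    if band == "bot":
        return "reset"
    # unknown: CAPTCHA if enabled; otherwise only the bot band is blocked
    return "captcha" if captcha_challenge else "pass"


def after_captcha(solved):
    """Outcome of the CAPTCHA sent to an 'unknown' client."""
    return "pass" if solved else "reset"


# Constructed requests for the example.
BROWSER = {"headers": {"Accept": "text/html", "Accept-Language": "en",
                       "Accept-Encoding": "gzip",
                       "User-Agent": "Mozilla/5.0 (X11; Linux) Firefox/60.0"},
           "uri": "/sell.php", "js_results": {"canvas": True}}
HEADLESS = {"headers": {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0)"},
            "uri": "/sell.php", "js_results": {}}
CURL = {"headers": {"User-Agent": "curl/7.64.0"}, "uri": "/sell.php",
        "js_results": None}

if __name__ == "__main__":
    for name, req in (("browser", BROWSER), ("headless", HEADLESS), ("curl", CURL)):
        s = capability_score(req)
        print(name, s, classify(s), action_for(s, True, True))
```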
51. iRule examples (BOTDEFENSE_REQUEST event; reference: https://devcentral.f5.com/wiki/iRules.BOTDEFENSE.ashx)
# EXAMPLE: enable client-side challenges on a specific URL
when BOTDEFENSE_REQUEST {
    # let the DoS profile send its client-side (CS) challenge for this URI
    if {[HTTP::uri] eq "/login.php"} {
        BOTDEFENSE::cs_allowed true
    }
}
# EXAMPLE: allow CSID actions on URLs with the .html extension
when BOTDEFENSE_REQUEST {
    if {[HTTP::uri] ends_with ".html"} {
        BOTDEFENSE::cs_allowed true
    }
}
Editor's notes
This training is provided by the F5 Security Incident Response Team (SIRT)
Creator – Lior Rotkovitch https://twitter.com/Rotkovitch
Please e-mail any security related inquiries to f5sirt@f5.com
The second section of the bot defense configuration is the benign categories: bot signatures that are welcome on the web site but can also be blocked if needed.
Benign bot signatures can likewise be set to none, report or block.
The final section of the bot signatures page is the bot signature list, where a specific signature can be disabled and excluded from the configured action.
For any question or feedback please send an e-mail to lior@f5.com or f5sirt@f5.com
https://twitter.com/Rotkovitch