The F5 DDoS Playbook: Ten Steps for Combating DDoS in Real Time


  • Date: 08 Mar 2020
  • Pages: 23
  • Size: 344.03 KB



Transcription:

RECOMMENDED PRACTICES
The F5 DDoS Playbook: Ten Steps for Combating DDoS in Real Time

Contents

  • Introduction
  • Preparing for a DDoS Attack
  • DDoS Mitigation Steps
      • Step 1: Verify the attack
      • Step 2: Confirm the DDoS attack
      • Step 3: Triage applications
      • Step 4: Protect partners with whitelists
      • Step 5: Identify the attack
      • Step 6: Evaluate source address mitigation options
      • Step 7: Mitigate specific application-layer attacks
      • Step 8: Increase application-level security posture
      • Step 9: Constrain resources
      • Step 10: Manage public relations
  • Conclusion
  • Quick Reference 1: Contacts List
  • Quick Reference 2: Whitelists
  • Quick Reference 3: Triage Applications
  • Quick Reference 4: F5 Device Map
  • Quick Reference 5: Attack Log

Introduction

Distributed denial of service (DDoS) attacks are a top concern for many organizations today.
A DDoS attack saturates a website, renders its services inoperable, and prevents legitimate clients from being able to connect to it. For the uninitiated, this attack can be a scary and stressful ordeal.

DDoS attacks are usually coordinated across a large number of client computers, which may have been set up for that purpose. Even more likely, a client computer may have been infected with a virus that allows an attacker to remotely control the computer, making it participate in the attack.

DDoS attack frequency

Both financially and politically motivated DDoS attacks are becoming more prevalent. Although a first attack can happen randomly, it often occurs when an attacker with specific knowledge of your high-value service decides to take it offline. This can cause panic and instigate costly decisions, including the payment of ransom to triage and stop the attack.

Figure 1: Volumetric attacks increased sharply in 2014 (Dec 2013: 100 Gbps; Jan 2014: 150 Gbps; Feb 2014: 325 Gbps).

An objective DDoS combat method

Organizations that have defended against multiple DDoS attacks understand the importance of having a procedural method to assist in combating them.

What is their solution? A DDoS Playbook. This document can be the basis for a procedural document that guides an operations team through DDoS attacks, large or small, frequent or infrequent. The five Quick Reference sheets enclosed, when completed in advance, will assist you in repelling a DDoS attack.
  • Quick Reference 1, Contact List: fill this out as you initiate contacts (page 19).
  • Quick Reference 2, Whitelists: map your partners, users, and services (page 20).
  • Quick Reference 3, Application Triage: know your own applications (page 21).
  • Quick Reference 4, Device Map: create a device map (page 22).
  • Quick Reference 5, Attack Log: note the attack details (page 23).

The completed references can be kept in your data center and used for documentation and attack mitigation. If you have not recorded this information prior to your first attack, record it as you collect it to better prepare for a future attack.

Regulatory compliance

Your organization may be subject to regulatory statutes that require a level of reporting around cyber attacks, breaches, or even DDoS attacks. Quick Reference 5, the Attack Log, can assist you in this situation, as you can track and refer to the log later during the reporting process.

Preparing for a DDoS Attack

If you are fortunate enough to be reading this document prior to being attacked, there are steps that you can take now to make your applications, networks, and processes DDoS resilient.

Study a DDoS resilient architecture

After you have filled out the quick reference sheets in this playbook, obtain the F5 DDoS Recommended Practices document so you can consider how to align your network architecture defenses.

F5 recommends a multi-tiered approach where layer 3 and layer 4 DDoS attacks are mitigated at the network tier with firewalls and IP reputation databases (see Figure 2). The application tier handles high-CPU security functions such as SSL termination and web application firewall functionality.

To combat DDoS, modern organizations need a cloud-based DDoS scrubbing tier.
These service offerings can scrub hundreds of gigabytes per second and return clean traffic to the data center.

DNS is handled in the DMZ and partially protected by the network tier.

Figure 2: F5 recommends a multi-tiered DDoS approach to your architecture. The diagram places attackers, botnets, scanners, and anonymous proxies and requests on the left; a cloud scrubbing tier (multiple ISPs, cloud scrubbing, operations center experts) absorbing volumetric attacks, floods, and L3-7 known-signature attacks; a network tier (next-generation firewall with a threat intelligence feed) handling network attacks (ICMP flood, UDP flood, SYN flood) and DNS attacks (DNS amplification, query flood, dictionary attack, DNS poisoning); and an application tier handling SSL attacks (SSL renegotiation, SSL flood) and HTTP attacks (Slowloris, slow POST, recursive POST/GET) in front of financial services, e-commerce, subscriber, and corporate-user applications. Each tier is labelled a Strategic Point of Control.

This multi-tiered approach can:

  • Defeat TCP connection floods
  • Overcome SNAT port exhaustion
  • Turn back SSL floods

These are just a few of the recommended practices and considerations in the comprehensive F5 DDoS Recommended Practices document.

DDoS Mitigation Steps

If you appear to be suffering a volumetric attack, it can help to have a historical sense of your own traffic patterns. Keep a baseline of normal traffic patterns to compare against.

If you have determined that you are under a DDoS attack, record the estimated start time (see Quick Reference 5, Attack Log).

Monitor volumetric attacks. Remember to keep a monitoring web page open to indicate when the attack may be over or mitigated.

You will need to follow up to 10 steps for your DDoS mitigation:
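One way to keep the traffic baseline recommended above and to derive the estimated start time that the Attack Log asks for, as an added example that is not part of the F5 playbook; the sample rates, the 4-sigma threshold and the three-minute persistence rule are assumptions chosen for illustration:

```python
# Added example (not F5's code): compare live request rates against a
# baseline of normal traffic and estimate the attack start time for the
# Attack Log. All rates and timestamps below are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import List, Optional, Tuple

@dataclass
class Baseline:
    mean_rps: float   # mean requests per second during a normal period
    stdev_rps: float  # spread of the same period

def build_baseline(normal_samples: List[float]) -> Baseline:
    """Summarise per-minute request rates from a known-normal period."""
    if len(normal_samples) < 2:
        raise ValueError("need at least two baseline samples")
    return Baseline(mean(normal_samples), pstdev(normal_samples))

def is_anomalous(rps: float, base: Baseline, k: float = 4.0) -> bool:
    """True when rps exceeds the baseline mean by k deviations (assumed k=4).
    The max() floor stops a very flat baseline from flagging tiny blips."""
    floor = max(base.stdev_rps, 0.05 * base.mean_rps)
    return rps > base.mean_rps + k * floor

def estimate_attack_start(samples: List[Tuple[datetime, float]],
                          base: Baseline, sustained: int = 3) -> Optional[datetime]:
    """First timestamp of `sustained` consecutive anomalous minutes, or None.
    A lone spike is not reported; the playbook wants the start of sustained load."""
    run = 0
    for ts, rps in samples:
        run = run + 1 if is_anomalous(rps, base) else 0
        if run == sustained:
            return ts - timedelta(minutes=sustained - 1)
    return None

# Constructed data: twelve typical per-minute rates, then an hour of live
# samples with a lone spike at minute 5 and a sustained flood from minute 10.
NORMAL = [120, 130, 125, 140, 118, 135, 128, 122, 138, 131, 126, 133]
T0 = datetime(2014, 2, 10, 9, 0)
LIVE = [(T0 + timedelta(minutes=i), 130.0) for i in range(60)]
LIVE[5] = (LIVE[5][0], 900.0)
for i in range(10, 60):
    LIVE[i] = (LIVE[i][0], 2500.0 + 50.0 * i)

if __name__ == "__main__":
    base = build_baseline(NORMAL)
    print("estimated attack start:", estimate_attack_start(LIVE, base))
```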
  • Step 1: Verify the attack
  • Step 2: Contact team leads
  • Step 3: Triage applications
  • Step 4: Identify the attack
  • Step 5: Protect remote users and partners
  • Step 6: Evaluate source address mitigation options
  • Step 7: Mitigate specific application attacks
  • Step 8: Increase application-level security postures
  • Step 9: Constrain resources
  • Step 10: Manage public relations

Step 1: Verify the attack

Not all outages are caused by a DDoS attack. DNS misconfiguration, upstream routing issues, and human error are also common causes of network outages. You must first rule out these types of non-DDoS outages and distinguish the attack from a common outage.

Rule out common outages

The faster you can verify the outage is a DDoS attack, the faster you can respond. Even if the outage was not caused by a misconfiguration or other human error, there may still be other explanations that resemble a DDoS attack.

For instance, the Slashdot Effect occurs when a particular page on your site is featured on a very popular forum or blog. Your investigation must rule out such possibilities.

Check outbound connectivity

Is there outbound connectivity? If not, then the attack is so severe that it is congesting all inbound and outbound traffic. Check with your usual diagnostic tools, such as traceroute, ping, and dig, and rule out all such possibilities.

Rule out global issues

Check the following Internet weather reports to determine if the attack is a global issue:

  • Internet Health Report
  • Internet Traffic Report

Check external network access

Attempt to access your application from an external network. Services and products that can perform this kind of monitoring include:

  • Keynote testing and monitoring
  • HP SiteScope agentless monitoring
  • SolarWinds NetFlow Traffic Analyzer
  • Downforeveryoneorjustme.com

Confirm DNS response

Check to see if DNS is responding for your website. The following UNIX command resolves a name against the OpenDNS project server:

    dig @208.67.222.222 yourdomain.com

Step 2: Confirm the DDoS attack

Contact team leads

Once the attack is verified, contact the leads of the relevant teams. If you have not previously filled out Quick Reference 1, Contacts List, fill it out now.

When an outage occurs, your organization may hold a formal conference call including various operations and applications teams. If your organization has such a process, use the meeting to officially confirm the DDoS attack with team leads.

Contact your bandwidth service provider

One of the most important calls you can make is to the bandwidth service provider. The number for your service provider should be listed in Quick Reference 1, Contacts List. The service provider can likely confirm your attack, provide information about other customers who might be under attack, and sometimes offer remediation.

Contact your fraud team

It is especially important to invoke the fraud team as soon as the attack is verified. DDoS attacks can be used as cover to hide an infiltration. Logs that would normally show a penetration may get lost during a DDoS attack. This is why high-speed, off-box logging is so important.

Step 3: Triage applications

Once the attack is confirmed, triage your applications.

When faced with an intense DDoS attack and limited resources, organizations have to make triage decisions. High-value assets typically generate high-value online revenue. These are the applications you will want to keep alive.

Low-value applications, regardless of the level of legitimate traffic, should be purposefully disabled so their CPU and network resources can be put to the aid of higher-value applications. You may need the input of team leads to do this.

Ultimately, these are financial decisions. Make them appropriately.

Quick Reference 3, Application Triage, takes only a few minutes to fill out, and it will greatly assist you in making tough application decisions while combating an actual DDoS event. If you have not done this yet, now is the time.

Decide which applications are low priority and can be disabled during the attack. This may include internal applications.

Record your choices in Quick Reference 3.
Step 4: Protect partners with whitelists

Whitelist partner addresses

Very likely, you have trusted partners who must have access to your applications or network. If you have not already done so, collect the IP addresses that must always be allowed access and maintain that list. Quick Reference 2, Whitelists, includes a template for your whitelist collection.

You may have to populate the whitelist in several places throughout the network, including at the firewall, the Application Delivery Controller (ADC), and perhaps even with the service provider, to guarantee that traffic to and from those addresses is unhindered.

Protect VPN users

Modern organizations will whitelist or provide quality of service for remote SSL VPN users. Typically this is done at an integrated firewall/VPN server, which can be important if you have a significant number of remote employees.
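Because the Step 4 whitelist has to be pushed to several enforcement points, it helps to validate and collapse it once and render each copy from the same source. The following is an added example that is not part of the F5 playbook; the partner ranges, the prefix-width limits and the iptables rendering are assumptions for illustration:

```python
# Added example (not F5's code): keep the Step 4 partner whitelist as one
# validated list, then render it for each enforcement point so the firewall,
# the ADC and the provider all get identical entries. Ranges are constructed.
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Assumed sanity limits: a partner range broader than this is almost
# certainly a typo that would punch a hole in every DDoS control downstream.
MIN_PREFIX = {4: 16, 6: 32}

def normalise_whitelist(entries: Iterable[str]) -> List[Net]:
    """Parse, validate and collapse whitelist lines into minimal networks.
    Any bad line raises, so a typo stops the push instead of widening it."""
    nets: List[Net] = []
    for raw in entries:
        text = raw.split("#", 1)[0].strip()   # permit trailing comments
        if not text:
            continue
        net = ipaddress.ip_network(text, strict=False)  # host -> /32 or /128
        if net.prefixlen < MIN_PREFIX[net.version]:
            raise ValueError(f"{text}: /{net.prefixlen} is too broad")
        nets.append(net)
    by_ver = [[n for n in nets if n.version == v] for v in (4, 6)]
    return [n for group in by_ver for n in ipaddress.collapse_addresses(group)]

def is_whitelisted(addr: str, nets: List[Net]) -> bool:
    """Quick membership check of one source address against the collapsed list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def to_iptables(nets: List[Net], chain: str = "INPUT") -> List[str]:
    """One ACCEPT rule per network; IPv6 entries are rendered for ip6tables."""
    return [f"{'iptables' if n.version == 4 else 'ip6tables'} -I {chain} "
            f"-s {n.with_prefixlen} -j ACCEPT" for n in nets]

# Constructed Quick Reference 2 sheet: the two /25s merge into one /24 and
# the monitoring host is already inside it, so three networks remain.
PARTNER_SHEET = [
    "203.0.113.0/25   # payment partner, primary",
    "203.0.113.128/25 # payment partner, secondary",
    "203.0.113.10     # partner monitoring host",
    "198.51.100.0/24  # SSL VPN concentrator egress",
    "2001:db8:1::/48  # partner IPv6 range",
]

if __name__ == "__main__":
    for rule in to_iptables(normalise_whitelist(PARTNER_SHEET)):
        print(rule)
```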
Step 5: Identify the attack

Determine the nature of the attack

Now is the time to gather technical intelligence about the attack. The first question you need to answer is: what are the attack vectors?

Four DDoS attack types

You are trying to determine the nature of the attack. Is it:

  • Volumetric: flood-based attacks that can be at layers 3, 4, or 7
  • Asymmetric: designed to invoke timeouts or session state changes
  • Computational: designed to consume CPU and memory
  • Vulnerability-based: designed to exploit software vulnerabilities

By now you should have called your bandwidth service provider with the information on Quick Reference 1, Contacts List. If the attack is solely volumetric in nature, the service provider will have informed you and may have already taken steps at DDoS remediation.

Even though well-equipped organizations use existing monitoring solutions such as NetScout for deep packet captures, you may encounter cases where you have to use packet captures from other devices, such as the ADC, to assist in diagnosing the problem. These cases include:

  • SSL attack vectors: if the attack is launched over SSL, there may be no other way to diagnose it other than at the ADC. Capture the packet streams, either at the ADC or elsewhere, and then use the ssldump utility to decrypt the stream file.
  • FIPS 140: if your ADC is using a FIPS 140 hardware security module (HSM), then you can often still use ssldump to decode the file capture.
  • Use of a mirror port or clone pool: one way to capture packets is to mirror them from the ADC. This high-performance method allows data to flow through the ADC and also to an external device without interruption.
Step 6: Evaluate source address mitigation options

If Step 5 has identified that the ca
