摘自:https://f5.com/resources/white-papers/mitigating-ddos-attacks-with-f5-technology

Mitigating Application Attacks

At the top of the OSI stack is the application layer. This is the area where it's most difficult to detect or defend against malicious behavior, and in particular, conventional firewalls provide little defensive value. Consequently, the application layer is being targeted by most of today's attackers.

Figure 6: Application attacks are the most prevalent today.

An application attack is different from a network attack in that it is specific to the application being targeted. Whereas a SYN flood can be launched against an IP address, an application attack will usually exploit properties specific to the victim, such as the repeated downloading of a single PDF file on the website. To lower-level security devices such as firewalls, the attack connections are indistinguishable from normal traffic.

BIG-IP ASM brings together a variety of anti-attack and DDoS prevention technologies specifically designed to mitigate application layer attacks, including the majority of the OWASP Top 10. BIG-IP ASM learns the expected input for every page in the site it protects and generates a security policy to protect that page. Because BIG-IP ASM is application-aware, it can foil application-layer attacks that abuse the application, the database, or the business logic.

BIG-IP ASM can distinguish between humans and robots as the sources of traffic and use this information during an attack to block non-human visitors. It can also inject JavaScript redirect code into the stream to foil the majority of botnet slaves while allowing access to legitimate browsers. Finally, BIG-IP ASM can also rate-limit traffic to specific application servers when it detects that an attack may be underway.

Mitigating Specific Application Attacks

Today's DDoS attack tools often use multiple attack vectors, mixing flood types. As attacks against the application layer increasingly grow multi-pronged, they've sometimes earned the name diverse distributed denial-of-service (3DoS) attacks. Whether they use high- or low-bandwidth approaches or both, these attacks can be very difficult to identify and defeat.

A solution that can provide early warning about the attack vectors and defend against multiple, simultaneous vectors is therefore the most effective. The combination of BIG-IP LTM, appropriate iRules, and BIG-IP ASM defeats a large number of application-layer attacks.

OSI Layer Attack BIG IP LTM + iRule BIG-IP ASM
Application (Layers 6–7) Slowloris (Nuclear DDoSer, Slowhttptest)
Keep-Dead
Slow POST (R-U-Dead-Yet, Tor Hammer, Nuclear DDoSer, Slowhttptest)
HashDoS
Apache Killer (Slowhttptest)
HTTP GET Flood, Recursive GET Flood (Web Scraping), Dirt Jumper (HTTP Flood)
#RefRef (exploits SQLi / OWASP Top 10 vulnerability as entry)  
XML Bomb (DTD Attack), XML External Entity DoS  

Figure 7: Multiple attack vectors can be defeated by BIG-IP technologies and products working together.

Simple GET floods

One of the most common application layer attacks is a GET flood that simply requests static URLs. BIG-IP LTM can mitigate these attacks with an iRule that filters on the requested URL, and BIG-IP ASM can rate-limit requests based on server performance, client requests per IP address, and increases in requests from specific URIs.

Recursive GET floods

Recursive GET floods are GET flood attacks that iterate through the website, retrieving every object that can be requested. Unlike simple GET floods, recursive floods cannot be filtered with a URL-matching iRule.

BIG-IP ASM can mitigate these attacks from a different angle, however, by monitoring the application's response time (which is by itself the most accurate detection method) and then sequentially applying three different countermeasures:

  1. A smart JavaScript injection that will verify that the user is indeed using a browser. Most attacking tools are not browser-based, since browsers are not designed to send a lot of requests per second. In addition, this countermeasure can deal even with an attacker using a website behind a proxy without affecting the traffic of legitimate users connecting through the same proxy. In either case, the identified attacker's connection is dropped.
  2. If the JavaScript injection doesn't solve the problem, (for example, when it doesn't effect a positive change in latency), then BIG-IP ASM will rate-limit GET requests from even the chattiest IP addresses.
  3. If neither the first nor the second countermeasures solves the issue, BIG-IP ASM escalates to rate-limiting per URL.

Malicious POST floods

POST floods are gaining momentum as attackers have figured out that this technique is a good way to get around various intermediaries, such as content delivery networks (CDNs) and caching services. Typically POST floods bypass these and go straight to the origin servers. Sending a POST, which is nearly as easy for a client as sending a GET, has a much greater chance of tying up valuable resources on the origin server.

BIG-IP ASM can use its techniques for identifying human vs. robotic connections to foil POST attacks. As with recursive GET floods, it can also rate-limit based on the URI, server performance, or the number of requests per client.

Mitigating Low Bandwidth HTTP Attacks

Low-bandwidth attacks are a specific form of application-layer attack that are often undetectable by conventional means because they use very little incoming bandwidth.

Slowloris attacks

The Slowloris and PyLoris attack tools achieve denial of service by feeding an HTTP header to a server in an extremely slow fashion. Slowloris starts by probing the target service to determine its inactivity timeout—usually about five minutes or 300 seconds. Once the interval is known, Slowloris opens connections that emulate a simple browser and sends a bogus HTTP header just ahead of the timeout (for instance, every 299 seconds):

 HTTP/1.1
GET /
X: a <299 second pause> X: a <299 second pause> X: a <299 second pause>

The connections will go on like this forever. When enough of them have engaged a specific web server, that server will no longer have enough connections to accept new requests, resulting in a denial of service.

BIG-IP LTM, as a standard, layer 7, full-proxy virtual server for HTTP, mitigates these attacks in its TMOS high-performance traffic management microkernel or simply dilutes the attack with the PVA. It will never pass along Slowloris and Pyloris requests because it will be waiting for the final double carriage return that marks the end of the headers. Since the attack tools never send that token, BIG-IP LTM does not consider the connections valid. Eventually they will be discarded without ever consuming resources behind the ADC.

For distributed Slowloris attacks, where millions of Slowloris connections may pile up at the BIG-IP device, a Slowloris iRule takes a more proactive approach to dealing with the attack.

Slow POST attacks

The slow POST attack is similar to the Slowloris attack but can only be mitigated with the BIG-IP ASM module. Slow POST works by starting an HTTP POST operation (like an upload) and then feeding the upload data in very slowly:

 HTTP/1.1
POST /target-url
Content-Length: 1048576
Host: a a <pause> b <pause> c <pause>

BIG-IP ASM mitigates this and other low-bandwidth attacks by cataloging the performance of each request and then limiting the number of very slow connections per CPU core.

By establishing and enforcing a limit on these kinds of attacks, BIG-IP ASM allows access to legitimate clients with poor connections while defending the resources from malicious overloading.

HashDoS

All major web services platforms (e.g., Java, ASP.NET, and Apache) use the same fast hash algorithm for the dictionary tables. Their reliance on the same hash function made all of these platforms vulnerable to a clever attack released in late 2011 called the HashDoS attack. It worked by sending a single large POST filled with thousands of tailored form variables that overwhelmed the hashing function of any single target server. A single POST message, pre-computed and sent over a 33 K connection by a client as weak as a handset, could tie up a server for over an hour.

BIG-IP LTM mitigates this HashDoS attack through the application of a public iRule that drops any POST that contains an excessive number of form variables or an excessively large payload. By mitigating the problem at the ADC, organizations protect all back-end web server platforms at the same time. BIG-IP ASM mitigates this attack by using a signature and limiting the total number of parameters that can be sent on a single request.

Figure 8: F5 solutions protect all web service platforms against HashDoS attacks.

f5 ddos cc——Mitigating DDoS Attacks with F5 Technology的更多相关文章

  1. Iptables DDOS/CC 自动屏蔽脚本

    Iptables DDOS/CC 自动屏蔽脚本 May 20, 2013 最近不停地被 CC (DDOS的一种)频繁干扰,分享一个 iptables 屏蔽 DDOS 的脚本.让 crond 每分钟运行 ...

  2. Linux+DDoS deflate 预防DDoS攻击

    使用DDoS脚本防止DDoS攻击   使用DDoS脚本防止DDoS攻击: DDoS概述: 分布式拒绝服务(DDoS:Distributed Denial of Service)攻击,指借助于客户/服务 ...

  3. 网站遭遇CC及DDOS攻击紧急处理方案

    检测访问是否是CC攻击的命令: 80口为网站的访问端口,可以根据实际情况进行修改 # netstat -anlp|grep 80|grep tcp|awk '{print $5}'|awk -F: ' ...

  4. ddos cc攻击简单介绍(转)

    何为syn flood攻击: SYN Flood是一种广为人知的DoS(拒绝服务攻击)是DDoS(分布式拒绝服务攻击)的方式之一,这是一种利用TCP协议缺陷,发送大量伪造的TCP连接请求,从而使得被攻 ...

  5. iptables防护CC和DDos和PPTP穿透脚本

    一.iptables优化脚本案例 #!/bin/bash #脚本下载地址:#wget www.mrliangqi.com/pack/shell/iptables.sh #脚本使用:#bash ipta ...

  6. ddos,cc 攻击特征研究

    a.关于DDos攻击的常见方法 1. SYN Flood:利用TCP协议的原理,这种攻击方法是经典最有效的DDOS方法,可通杀各种系统的网络服务,主要是通过向受害主机发送大量伪造源IP和源端口的SYN ...

  7. https ddos攻击——由于有了认证和加解密 后果更严重 看绿盟的产品目前对于https的ddos cc攻击需要基于内容做检测

    如果web服务器支持HTTPS,那么进行HTTPS洪水攻击是更为有效的一种攻击方式,一方面,在进行HTTPS通信时,web服务器需要消耗更多的资源用来进行认证和加解密,另一方面,一部分的防护设备无法对 ...

  8. 缓解DDoS && cc 的最佳Linux内核设置 (转)

    https://javapipe.com/blog/iptables-ddos-protection/ kernel.printk = 4 4 1 7 kernel.panic = 10 kernel ...

  9. 什么是DDoS攻击?DDoS防御的11种方针详解

    对于遭受DDOS攻击的情况是让人很尴尬的,如果我们有良好的DDoS防御方法,那么很多问题就将迎刃而解,我们来看看我们有哪些常用的有效地方法来做好DDoS防御呢. 对于DDoS防御的理解: 对付DDOS ...

随机推荐

  1. win64系统丢失d3dx9d_40.dll问题

    在Win64系统中,安装了DXSDK.DX9,却一直显示如上对话框,导致程序运行不起来. 于是我在网上找到了一个d3dx9d_40.dll,覆盖到C:\Windows\System32中,但是问题依然 ...

  2. python进程间数据不共享(示例演示)

    import multiprocessing data_list = [] def task(arg): data_list.append(arg) print(data_list) def run( ...

  3. 自定义ActionBar图标

    <style name="Theme.glTheme" parent="android:Theme.Holo"> <item name=&qu ...

  4. jsp创建cookie

    <jsp:include flush="true" page="header.jsp" /> <script type="text/ ...

  5. (转) latch 入门

    原链接:http://www.itpub.net/thread-1424719-1-1.html (入门1)一直想点文章关于Latch的,又一直没写,一是因为懒,二是一直觉得现在关于Latch的书那么 ...

  6. Rare But Powerful Vim Commands.

    @1: We all know about :wq, but we usually ignore :x. :x和:wq都是保存当前文件并退出. 这两个命令实际上并不完全等价,当文件被修改时两个命令时相 ...

  7. webservice -- cxf客户端调用axis2服务端

    背景: 有个项目, 需要由第三方提供用户信息, 实现用户同步操作, 对方给提供webservice接口(axis2实现)并也使用axis2作主客户端调用我方提供的webservice接口 起初, 由于 ...

  8. C++模板专门化与重载

    最近在复习C++有关知识,又重新看<<Effective C++>>,收获颇丰.原来以前看这边书,好多地方都是浅尝辄止.<<Effective C++>> ...

  9. javaEE中的hibernate配置笔记

    0 从web.xml出发 项目中用Spring整合Hibernate,Spring贯穿整个项目,所以先看看Spring在哪一步整合了Hibernate.先看部分web.xml. 在context-pa ...

  10. Spring中的定时调度(Scheduling)和线程池(Thread Pooling)

    使用triggers和SchedulerFactoryBean来包装任务 我们已经创建了job details,jobs.我们同时回顾了允许你调用特定对象上某一个方法的便捷的bean. 当然我们仍需要 ...