australia
8 Topics

Protecting Beyond DNS Flood & DDoS
The recent slate of cyber-attacks involving DNS and NTP systems has again prompted questions about how comprehensive the security protection of DNS infrastructure is. Besides mitigating volumetric attacks such as DNS flood & DDoS, many organizations have realized the need for more comprehensive DNS security protection, which helps prevent DNS-related fraud and non-volumetric attacks such as amplification and cache poisoning attacks.

On DNS Amplification & DNS Reflection Attacks

You might concur that increasing DNS performance with an adequate DNS rate limiting mechanism is probably one of the best approaches to tackle the problem of overwhelming DNS traffic and DNS DoS attacks. However, this does not address the issue of DNS amplification and DNS reflection attacks, which were made popular by the Spamhaus-CyberBunker attack incident. In this incident, CyberBunker took advantage of open DNS resolvers to launch DNS amplification attacks, causing Spamhaus to be unreachable at times.

DNS amplification and reflection attacks are typically sent to DNS servers as legitimate DNS requests, in the hope of receiving large responses. The large responses will eventually use up all the available bandwidth, causing congestion for genuine DNS queries and responses. As such, a DNS query rate limiting mechanism and higher QPS performance will not be able to counter the attack, since the attacks typically come in small numbers of DNS requests.

One of the ways to limit such attacks is to filter requests based on query type. Typically, DNS amplification and reflection attacks will request the ‘TXT’ or ‘ANY’ query type, which tends to return responses of significant size. By applying a bandwidth rate limit to requests of these query types and to large query responses, we will be able to prevent bandwidth congestion caused by these attacks.

Worried about the complexity of the bandwidth rate limiting solution?
Well, it takes fewer than 10 lines of iRules (shown below) on the F5 DNS platform to get this enforced and implemented.

    # Shape TXT queries, a type that tends to return large responses
    when DNS_REQUEST {
        if { [DNS::question type] eq "TXT" } {
            rateclass dns_rate_shape
        }
    }
    # Shape any response larger than 512 bytes
    when DNS_RESPONSE {
        if { [DNS::len] > 512 } {
            rateclass dns_rate_shape
        }
    }

Diagram 1: DNS Reflection attacks blocking genuine users from accessing LDNS server.

Cache Poisoning Attacks

DNSSEC is poised as the eventual and ultimate solution to counter DNS cache poisoning attacks. Though the adoption rate of DNSSEC is encouraging, it takes all parties deploying DNSSEC signing and validation to fully protect against cache poisoning. While waiting for DNSSEC adoption to mature, is there any interim solution to reduce or prevent cache poisoning attacks?

Based on the DNS RFC standards, name servers are required to treat domain names in requests case-insensitively. In other words, the names www.foo.com and WWW.FOO.COM should resolve to the same IP address. However, most name servers will preserve the original case when echoing back the domain name in the response. Hence, by randomly varying the case of the characters in the domain names queried, we are able to add entropy to requests. With this verification mechanism, the name server response must match the exact upper and lower case of every character in the name string (for instance, wWw.f5.CoM or WwW.f5.COm), which significantly reduces the success rate of cache poisoning attacks.

With F5’s DNS solution, this mechanism can be enabled with just a check box on the management pane. The packet capture of the query case randomization process by F5 DNS is shown below. As depicted in the diagram, for queries to www.google.com, F5 Cache DNS will randomize the character case of the query prior to sending the query to Google’s authoritative DNS server. This greatly reduces the chances of unsolicited responses matching the domain name and DNS request transaction ID, which is what causes the poisoning of cached DNS records.
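The case check described above, sketched in Python as an added example (not F5's implementation and not code from the original post): the resolver randomizes the case of the query name, then accepts a response only if both the transaction ID and the exact case of the echoed name match. The function names and the `echo_as_response` stand-in for an authoritative server are assumptions made for illustration.

```python
import secrets
import struct

def randomize_case(name: str) -> str:
    """Pick upper or lower case for every ASCII letter with a CSPRNG."""
    return "".join(
        (c.upper() if secrets.randbits(1) else c.lower())
        if c.isascii() and c.isalpha() else c
        for c in name
    )

def added_entropy_bits(name: str) -> int:
    """One extra bit per letter; digits, dots and hyphens carry none."""
    return sum(c.isascii() and c.isalpha() for c in name)

def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Encode a one-question query (RD set, class IN) with qname's case kept."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def echo_as_response(query: bytes) -> bytes:
    """Constructed stand-in for a server that echoes the question unchanged."""
    return query[:2] + bytes([query[2] | 0x80]) + query[3:]  # set the QR bit

def parse_question(msg: bytes) -> tuple[int, bool, str]:
    """Return (txid, is_response, qname) from the header and first question."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(msg):
            raise ValueError("bad label length")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return txid, bool(flags & 0x8000), ".".join(labels)

def accept_response(sent_txid: int, sent_qname: str, response: bytes) -> bool:
    """Accept only if the ID matches and the name matches byte for byte."""
    try:
        txid, is_response, qname = parse_question(response)
    except (ValueError, UnicodeDecodeError):
        return False
    return is_response and txid == sent_txid and qname == sent_qname

if __name__ == "__main__":
    txid, qname = secrets.randbits(16), randomize_case("www.google.com")
    reply = echo_as_response(build_query(txid, qname))
    spoof = echo_as_response(build_query(txid, qname.swapcase()))
    print(qname, added_entropy_bits(qname), "extra bits")
    print("echoed reply accepted:", accept_response(txid, qname, reply))
    print("wrong-case reply accepted:", accept_response(txid, qname, spoof))
```

For www.google.com the 12 letters add 12 bits on top of the 16-bit transaction ID; short or digit-heavy names gain far less.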
Diagram 2: Character case randomizer in F5 DNS solution dramatically reduces the possibilities of DNS cache poisoning attacks

DNS is among the hoariest of internet services still widely used today. Its usage continues to grow due to its simplicity and the proliferation of smart devices. Hence, it is truly important that a proper solution design and architecture approach is put in place to protect the infrastructure. After all, the protection investment might be only a fraction of what you are paying for during an attack.

F5 opens Support Centre in Auckland
Did you hear about the opening of our latest Support Centre in Auckland?! This is our latest global expansion to provide our customers with the most convenient access to our technical support operations. The decision to launch the support centre in Auckland was driven by the strong demand we have been experiencing for F5’s Application Delivery Networking solutions and services, as well as our growing partner ecosystem in Asia Pacific.

We can’t say how honoured we were to have local dignitaries and ICT representatives in New Zealand gracing our opening! The Hon. Nikki Kaye and the Mayor of Auckland, Len Brown, delivered short addresses to the attendees about the significance of the new support centre for the local market, highlighting Auckland as a strategic business and innovation hub for the APAC region, as well as the opportunities F5’s investment is creating for the local economy. Kaye also tweeted about the opening live from the event. Our very own F5 executives involved in the proceedings included Julian Eames, Executive Vice President of Business Operations, Mark Kramer, Senior Vice President of Global Customer Support, and Tony Bill, Managing Director for Australia & New Zealand.

The establishment of this new Support Centre is critical to our partners and key to being closer to our customers in terms of geography and time zones. For example, being able to offer the convenience of multi-language and regional support means we can be more responsive in ensuring the satisfaction and success of our customers. At the same time, the move has also added to F5’s robust ‘Follow the Sun’ customer support concept, which essentially serves to ensure better coverage, and more efficient and localised support, for our fast-growing customer base across the Asia Pacific region. This is F5’s 5th and newest Support Centre in Asia Pacific and Japan, after Singapore, Beijing, Shanghai and Tokyo, in addition to five other support centres across the globe.
When the formalities of the official ribbon cutting ceremony came to a close, our guests were invited to celebratory refreshments and canapés.

IT security isn’t one size fits all
The security landscape today is highly complex, which can largely be attributed to the increasingly sophisticated nature of cyber attacks, particularly from an execution perspective. For example, DDoS attacks are now reaching speeds of up to 400Gbps, targeting both the network and application layer. Evidently, attackers are progressing towards other methods to bypass traditional security defenses, including the firewall. In this particular scenario, the challenge for organisations with application-layer DDoS attacks is to differentiate human traffic from bot traffic.

In addition, the motivation behind attacks is becoming more complex, especially from a political and economic standpoint. The NSA leaks by Edward Snowden, which revealed classified information from governments including the US, UK, Australia, Canada, and New Zealand, are a recent example of a high-profile hacking incident that certainly reminds us of this fact. Moreover, one of the biggest threats to IT security is now organised cyber theft and fraud, as the smartest criminals in the world are increasingly realising the substantial financial gains that can be made via online crime.

Hence, the need for an enterprise to ensure it is adequately protected against cyber attacks is becoming increasingly critical. An effective security strategy will cover all devices, applications and networks accessed by employees, beyond the enterprise infrastructure itself. Traditional security methods such as next generation firewalls and reactive security measures are losing the fight against the new breed of attacks. Security is now very much about the protection of the application, the enforcement of encryption and the protection of the user’s identity, and less about the supporting network infrastructure. This is because the network has become far less static in recent times and has truly proven to be nothing more than a commodity transport vehicle for the complex applications that run on top of it.
What organisations need is a security strategy that is flexible and comprehensive, with the ability to combine DNS security and DDoS protection, network firewall, access management, and application security with intelligent traffic management. Developments in the market, which have seen the integration of Web Application Firewalls (WAFs) with Application Delivery Controller (ADC) platforms, as recognised by a recent study by Frost & Sullivan (the Frost Industry Quotient), have driven F5 to create a new vision / architecture called F5 Synthesis for the application delivery market. This vision offers a high performance network fabric to protect fundamental elements of an application (network, DNS, SSL, HTTP) against sophisticated DDoS attacks. F5 Synthesis, through the use of tested reference architectures, ensures that applications are kept secure and available as customers make the journey toward software defined data centres (SDDC).

Moreover, F5’s DDoS protection solution delivers the most comprehensive attack protection available on the market to date. While the average DDoS attack reaches 2.64 Gbps, upgrades to F5’s BIG-IP platform allow servers to handle attacks as large as 470 Gbps. Not only is there enough bandwidth to mitigate a DDoS attack, the extra capacity allows online companies to continue normal business, even while under attack.

Security won’t be one size fits all during 2014. End users will expect high performance; however, organisations must ensure they deploy security solutions that don’t become a bottleneck. This year, we can expect to see a rise in multi-dimensional or 'cocktail' style attacks: DDoS attacks combined with application layer attacks and SQL vulnerabilities. As such, the traditional firewall is no longer a viable security defense, and organisations need to have a multi-stack security approach, combined with a process to handle internal control.
With attacks from multiple angles on different devices, single-purpose security machines will be phased out in favour of sophisticated multi-purpose machines.

Tackling Cyber Attacks From Within
An increasing number of organizations face serious security threats that are socially, politically and economically motivated. Conventional firewalls are no longer enough to prevent complex and frequent cyber attacks such as multi-layer distributed denial-of-service (DDoS)/application layer attacks and SQL injection vulnerabilities. In the past year, the number of DDoS attacks targeting vulnerable spots in web applications has risen, and attackers are using increasingly complicated methods to bypass defenses. Meanwhile, 75% of CISOs were aware that external attacks had increased, and 70% of CISOs noticed that web applications represent an area of risk higher than the network infrastructure.

The challenge with application-layer attacks is to differentiate human traffic from bot traffic. DDoS mitigation providers frequently utilize browser fingerprinting techniques like cookie tests and JavaScript tests to verify whether requests are coming from real browsers. However, most recently, it has become apparent that cybercriminals have launched DDoS attacks from hidden, but real, browser instances running on infected computers. This type of complex cyber attack is incredibly hard to detect.

What organizations need is a security strategy that is flexible and comprehensive, much like F5’s web application firewall (WAF) and security solution. F5 recently received the 2013 Frost & Sullivan Asia Pacific Web Application Firewall Market Share Leadership Award. This recognition demonstrates excellence in capturing the highest market share for WAF solutions in the region and its achievement in remarkable year-on-year revenue growth – a true testimony to the execution of F5’s security strategy. Christian Hentschel (SVP, APJ) noted that cyber-attacks often result in the loss or theft of intellectual property, money, sensitive corporate information, and identity.
An effective security strategy encompasses not only the enterprise infrastructure but also the devices, the applications, and even the networks through which users access mobile and web applications. F5’s ICSA-certified WAF and policy-based web application security address cyber-threats at the application level. In September 2013, F5 strengthened its security portfolio with the acquisition of Versafe Ltd. – a web anti-fraud, anti-phishing, and anti-malware solutions provider. The acquisition reinforces F5’s commitment to provide organizations with holistic, secure access to data and applications any time, from any device.

F5’s comprehensive security solutions combine DNS security and DDoS protection, network firewall, access management, and application security with intelligent traffic management. Its flexibility to provide WAF both as a standalone solution and as an integrated offering on its BIG-IP® Application Delivery Controller platform provides customers with options that best suit their businesses. F5’s ability to provide end-to-end application protection, advanced monitoring, and centralized management without compromising performance makes its WAF solutions the number one choice throughout the Asia Pacific region.

APAC market research points to WAF being integrated with application delivery
We entered 2014 on a fillip. Frost & Sullivan had just named us the vendor leading the WAF market in Asia Pacific and Japan. The Frost Industry Quotient put F5 and nine other companies under its analytical magnifying glass, examining our market performance for CY 2012 as well as key business strategies. They left no strategy unturned, it would seem. Product and service strategy, people and skills strategy, business and even the ecosystem strategy were all held up to scrutiny.

But the real scoop wasn’t that we were No 1 but that Frost IQ had discerned developments in the market that point towards WAF being integrated with application delivery. The researchers noted that the convergence would lead to a more intelligent and holistic way for organizations to protect their web applications. The market is validating what we said a year ago when we launched BIG-IP Advanced Firewall Manager, the first in the industry to unify a network firewall with traffic management, application security, user access management and DNS security capabilities within an intelligent services framework.

Every day, publicly known or otherwise, organizations grapple with attacks that target their applications in addition to those that threaten the network. Because F5 solutions occupy strategic points of control within the infrastructure, they are ideally suited to combine traditional application delivery with firewall capabilities and other advanced security services. The bell tolls for the traditional firewall. Eventually it will be replaced by intelligent security.

F5’s integrated approach to security is key in mitigating DDoS attacks, helping to identify malicious actions, prioritize how requests from specific locations are handled and focus on addressing properly qualified requests. Enabling security services on our ADCs makes it possible to consolidate multiple security appliances into one single device.
This consolidation includes a WAF that analyses traffic and can propose rules to automatically protect the enterprise.

I caught up quickly with Christian Hentschel, SVP Asia Pacific and Japan, for his views on the new accolade. Aside from being very proud to be recognized as the leading WAF vendor in APJ, a testimony to our strategy and the team’s focus, he noted that customers view the traditional firewall as less relevant given the sophistication of cyber-attacks on layers 4-7 today.

Hello to the F5 APJ Blog
Thanks for joining us on the F5 Blog! Here’s where you can access the latest news and views on the tech industry in the APJ region – from insights and trends to commentaries. F5’s team of subject matter experts will be explaining, discussing and pondering the issues affecting enterprises across all industries.

We are ready to kick off 2014 with our ‘F5 predictions’ series. This will cover our F5 experts’ perspectives and predictions for the year ahead. With Gartner predicting that IT spending will hit $3.8 trillion in 2014, an increase of 3.6 per cent compared to last year, the question many of us will be asking is: what are the priorities? New devices and technologies will dominate our personal and business lives, and ‘social intelligence’ will become more important. More on this will follow shortly.

So bookmark our F5 blog to keep up with the latest technology trends from across the region. And of course, we encourage you to engage with our posts and share your input. We’d further love to get your feedback on what you want to see discussed in the future. We look forward to hearing from you! For more information on F5, our partners, and technologies, please check out our Twitter page.

Security is a process
A newspaper report recently warned that many IT products and applications, including payment systems, lack adequate security. The reasons cited are, firstly, that security is treated as an afterthought and, secondly, that trained practitioners are not involved in the design and implementation.

F5 views security as a process. It should be managed as such. There’s an important role for the security experts who build the policies that ensure security and compliance within the organization. And there’s an equally important role for the programmers who develop the software. But the two are quite distinct from each other.

Business applications are the critical assets of an enterprise. Their security should not be left just to the software engineers to decide, because they are not security professionals. Therefore, the prudent approach is to offload the burden of coding security policies from the software programmers onto credible security solutions professionals.

Viewed from that perspective, security is an end-to-end process, with policies to govern the various areas wherever there is user interaction with the enterprise – device, access, network, application and storage. Given the complexities of the different moving parts, it sometimes makes sense to combine several of the point security concerns into a converged solution. In short, this is akin to process simplification, not too different from what consultants would call “BPR” in the business world. Whichever way you see it, from a CFO perspective, this represents immense cost savings, both operationally and in capital costs.

For example, when it comes to application security, the trend is to build it into the application delivery controllers. ADCs are designed to natively deliver applications securely to end users.
In today’s context, ADCs act as secured gatekeepers to the applications; they prevent unauthorised access and can add on capabilities to mitigate complex application-level attacks such as those defined by OWASP.

However, the situation is growing more complex. CIOs are increasingly faced with the task of balancing the needs of a younger, empowered and demanding Gen Y workforce who want the freedom to work from their device of choice as well as the ability to switch seamlessly between their social and enterprise networks. The CIO challenge is how to protect the company’s business assets in the face of increasing and more complex threats. Add to this the desire to leverage the cloud for cost control and scale, and the security considerations can potentially spiral out of control.

The situation calls for innovative security solutions that can understand the behaviour of enterprise applications as well as user behaviour, and be able to enforce corporate security policies effectively with minimum impact on user experience.

F5 believes that security is a trust business. Having the right process and policies trumps choosing a vendor. It is the policies and process that determine the required solution, not vice versa.

For a Japanese version of this post, please go here.