WHITE PAPER F5 DDoS Playbook: A Procedural Survival Guide to Combating DDoS Attacks Contents Concept 3 The Five Worksheets 4 Preparing for a DDoS Attack 5 DDos-Resilient Architecture 5 DDoS Mitigation Steps 7 STEP 1–VERIFY THE ATTACK 8 STEP 2–CONFIRM DDOS ATTACK 9 STEP 3–TRIAGE APPLICATIONS 10 STEP 4–PROTECT PARTNERS WITH WHITELISTS 11 STEP 5–IDENTIFY THE ATTACK 12 STEP 6–EVALUATE SOURCE ADDRESSES MITIGATION OPTIONS 13 STEP 7–MITIGATE SPECIFIC APPLICATION LAYER ATTACK 15 STEP 8–INCREASE APPLICATION-LEVEL SECURITY 16 STEP 9–CONSTRAIN RESOURCES 18 STEP 10–MANAGE YOUR PUBLIC RELATIONS 19 Conclusion 20 Worksheet 1: Contacts List 21 Worksheet 2: Whitelists 22 Worksheet 3: Triage Applications 23 Worksheet 4: F5 Device Map 24 Worksheet 5: Attack Log 25 2 WHITE PAPER F5 DDoS Playbook: A Procedural Survival Guide to Combating DDoS Attacks Concept Distributed Denial-of-Service (DDoS) attacks are a top concern for many DDoS organizations today. A DDoS attack creates a security breach with a website, saturates the server’s connections, renders its services inoperable, and prevents legitimate clients from being able to connect to it. For the uninitiated, it can be a scary and stressful ordeal! DDoS attacks are usually coordinated across a large number of client computers (which may have been set up for that purpose), or more likely, have been infected with a virus that allows someone to remotely control the computer, making it participate in the attack. Both financially and politically motivated, DDoS attacks are becoming more 2014 prevalent. Although a first attack can happen randomly, it often occurs when DDoS an attacker with specific knowledge of your high-value service, decides to Attack Frequency take it off-line. This can cause panic, and instigate costly “ransom-like” decisions to triage and stop the attack. Figure 1. Volumetric Attacks Increase in 2014 Organizations that have defended against multiple DDoS attacks understand the importance of having an objective method to assist in combating them. What is their solution? The F5 DDoS Playbook. This document can be the basis for developing that tool for your organization. 3 WHITE PAPER F5 DDoS Playbook: A Procedural Survival Guide to Combating DDoS Attacks The Five Worksheets There are five worksheets to complete that will assist you in repelling a DDoS attack. Once completed, these worksheets can be kept in your data center and used for reference purposes. • Worksheet 1: Contact List–Fill it out as you initiate contacts (page 21). If you have not recorded this information • Worksheet 2: Whitelists–Map your partners, users, and services (page 22). prior to your first attack, record it as you collect it. • Worksheet 3: Application Triage–Know your own applications (page 23). • Worksheet 4: Device Map–Create a device map (page 24). • Worksheet 5: Attack Log–Note the attack details (page 25). Your organization may have regulatory compliance statutes that require a Regulatory level of reporting around cyber-attacks, breaches, or even DDoS attacks. Compliance “Worksheet 5: Attack Log” on page 25 can assist you in this situation, as you can track and refer to the log later during the reporting process. 4 WHITE PAPER F5 DDoS Playbook: A Procedural Survival Guide to Combating DDoS Attacks Preparing for a DDoS Attack DDoS-Resilient Architecture If you are fortunate enough to be reading this document prior to being attacked, then there are steps that you can take now to make your applications, networks, and processes, DDoS-resilient. Network Defense Architecture Considerations After you have filled out the worksheets, obtain the F5 DDos Recommended Practices document so you can consider how to lay out your network architecture defenses. F5 recommends a Multi-Tier Approach DDoS Architecture, where Multi-Tier Approach Layer 3 and Layer 4 DDoS attacks are mitigated at the Network Tier, with DDoS Architecture firewalls and IP reputation databases (see Figure 2. F5 Recommends a Multi-Tier DDoS Approach Architecture). Figure 2. F5 Recommends a Multi-Tier DDoS Approach Architecture The Application Tier handles high-CPU security functions such as SSL Application Tier termination and web-application firewall functionality. 5 WHITE PAPER F5 DDoS Playbook: A Procedural Survival Guide to Combating DDoS Attacks To combat DDoS, a modern organization will need a Cloud-based DDoS Cloud-based DDoS Scrubbing Tier. These service offerings can scrub hundreds of gigabytes Scrubbing Tier per second and return “clean” traffic to the customer data center. DNS is handled in the DMZ and partially protected by the Network Tier. DNS This Multi-Tier Approach can assist in the following attack types and effects: • Defeat TCP connection floods • Overcome SNAT port exhaustion • Turn back SSL floods These are just some of the recommended practices and considerations. You can obtain additional resources in the comprehensive F5 DDos Recommended Practices document. 6 WHITE PAPER F5 DDoS Playbook: A Procedural Survival Guide to Combating DDoS Attacks DDoS Mitigation Steps If you appear to be suffering a volumetric attack, it can help to have a Monitoring historical sense of your own traffic patterns. Keep a baseline of normal traffic Volumetric Attacks: Remember to keep patterns to compare against. a monitoring web page open to indicate when the If you have determined that you are under a DDoS attack, record the attack may be over (or “estimated start time” (see “Worksheet 5: Attack Log” on page 25). mitigate). You will need to follow up to 10 steps for your DDoS Mitigation: • STEP 1–VERIFY THE ATTACK • STEP 2–CONTACT TEAM LEADS • STEP 3–TRIAGE THE APPLICATIONS • STEP 4–IDENTIFY THE ATTACK • STEP 5–PROTECT REMOTE USERS AND PARTNERS • STEP 6–EVALUATE SOURCE ADDRESS MITIGATION OPTIONS • STEP 7–MITIGATE SPECIFIC APPLICATION ATTACKS • STEP 8–INCREASE APPLICATION-LEVEL SECURITY POSTURE • STEP 9–CONSTRAIN RESOURCES • STEP 10–MANAGE YOUR PUBLIC RELATIONS 7 WHITE PAPER F5 DDoS Playbook: A Procedural Survival Guide to Combating DDoS Attacks STEP 1– VERIFY THE ATTACK Most outages are not caused by a DDoS attack DNS misconfiguration. Upstream routing issues and human error are some common causes. You must first rule out these types of non-DDoS attacks, and distinguish them from a common outage. Common Outages The faster that you can verify the attack is a real DDoS attack, the faster you can respond.Even if the outage was not caused by a misconfiguration or other human error, there may still be other explanations that may resemble a DDoS attack. The Slashdot Effect occurs when a particular page on your site is featured on Slashdot Effect a very popular forum or blog. Your investigation must rule out such possibilities. Is there outbound connectivity? If not, then the attack is so severe that it is Outbound Connectivity as congesting all inbound and outbound traffic. Check with your usual diagnostic tools (traceroute, ping, dig, etc.), and rule out all such possibilities. Check the following Internet weather reports to determine if the attack is a Global Issue global issue: •Internet Health Report •Internet Traffic Report Attempt to access your application from an external network. Services that External Network can perform this kind of monitoring are: Access •Keynote Testing and Monitoring •GomezSM –Comprehensive Performance-Monitoring Tool from Compuware® •HP® SiteScope™ – Agentless monitoring •SolarWinds® NetFlow Traffic Analyzer •Down for everyone or just me? Check to see if DNS is responding for your website. The following UNIX command DNS Website Response resolves a name against the OpenDNS project server. % dig @208.67.222.222 yourdomain.co 8 WHITE PAPER F5 DDoS Playbook: A Procedural Survival Guide to Combating DDoS Attacks STEP 2–CONFIRM DDOS ATTACK Contact Team Leads Now it is time to contact the leads of the relevant teams. If you have not filled out “Worksheet 1: Contacts List” on page 21, fill it out now. When an outage occurs, your organization may hold a formal conference call including various operations and applications teams. If your organization has such a process, leverage the meeting to officially confirm the DDoS attack with team leads. Contact Your Bandwidth Service Provider One of the most important calls you can make is to the bandwidth service provider. They can likely confirm your attack, provide information about other customers who might be under attack, and sometimes offer remediation. Contact Your Fraud Team The number for your service provider should It is especially important to invoke the fraud team as soon as the attack is be listed in verified. DDoS attacks can be used as “cover” to hide an infiltration. Logs “Worksheet 1: that would normally show a penetration may get lost during a DDoS attack. Contacts List” on page 21. This is why using high-speed, off-box logging is so important. 9 WHITE PAPER F5 DDoS Playbook: A Procedural Survival Guide to Combating DDoS Attacks STEP 3–TRIAGE APPLICATIONS If you have not done this exercise yet, now is the time to triage your applications. When faced with an intense DDoS attack and limited resources, triage decisions have to be made. High-value assets typically generate high-value on-line revenue. These are the applications that you will want to keep alive. Ultimately, these are financial decisions–make them appropriately. Low-value applications, regardless of the level of legitimate traffic, should be purposefully disabled so that their CPU and network resources can be put to the aid of the higher-value applications. You may need the input of the team leads to do this. • Record your choices in “Worksheet 3: Triage Applications” on Worksheet 3 page 23 for future reference. takes only a few minutes to fill out, and will greatly assist you in combating • Decide which applications are low-priority and can be disabled (and an actual DDoS event. thus protected) during the attack.