Taking the Fear out of WAF

Page 1: Taking the Fear out of WAF
Page 2: Taking the Fear out of WAF

© F5 Networks, Inc 2

Who is this guy?

• Brian A. McHenry, Sr. Security Solutions Architect, F5 Networks

• 9 years at F5, focused on application security solutions

• Regular contributor on DevCentral.f5.com & InformationSecurityBuzz.com

• Follow me on twitter @bamchenry

Page 3: Taking the Fear out of WAF


Who Owns the WAF?

Network Team | App Dev Team | Security Team

Page 4: Taking the Fear out of WAF


Not Us!

Page 5: Taking the Fear out of WAF


My kingdom for a WAF admin!

WAF Administrator

Page 6: Taking the Fear out of WAF


With Great Power…

• Each web application is a snowflake!

• Application deploys can be too frequent for WAF policy tweaks to keep up.

• In DevOps environments, continuous delivery enables rapid vuln fixes in code.

WAF Administrator

Page 7: Taking the Fear out of WAF


Page 8: Taking the Fear out of WAF


Automated Traffic Consumes 50% of Resources

Typical Web Traffic

Humans Good Bots Bad Bots

https://www.incapsula.com/blog/bot-traffic-report-2015.html

• Roughly 50% of traffic is human

• About 20% is good bots

• Remaining 30% is malicious bots

Page 9: Taking the Fear out of WAF


What’s a Heavy URI?

• Any URI inducing greater server load upon request

• Requests that take a long time to complete

• Requests that yield large response sizes
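The two properties the slide uses to define a heavy URI (time to complete and response size) are both present in ordinary access logs, so the defender can rank them before an attacker does. The following is an added example (not F5 or ASM code) that parses constructed sample log lines in a combined-log shape with two extra fields, response bytes and request seconds, aggregates by path with the query string stripped, and flags paths whose average latency or average size crosses assumed thresholds; the thresholds, the log layout and the sample data are all assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real traffic). Shape assumed:
# client - - [time] "METHOD target PROTO" status bytes seconds
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=shoes HTTP/1.1" 200 48213 1.840
10.0.0.6 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 1523 0.004
10.0.0.7 - - [10/Oct/2023:13:55:38 +0000] "GET /report/export.pdf HTTP/1.1" 200 5242880 3.210
10.0.0.5 - - [10/Oct/2023:13:55:39 +0000] "GET /search?q=boots HTTP/1.1" 200 47100 2.110
10.0.0.8 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 302 0 0.120
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /index.html HTTP/1.1" 200 1523 0.005
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<secs>\d+\.\d+)$'
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Drop the query string so /search?q=shoes and /search?q=boots aggregate together
    path = m.group("target").split("?", 1)[0]
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": path,
        "status": int(m.group("status")),
        "bytes": int(m.group("bytes")),
        "secs": float(m.group("secs")),
    }


def aggregate(lines):
    """Sum hits, seconds and bytes per path."""
    stats = defaultdict(lambda: {"hits": 0, "secs": 0.0, "bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["path"]]
        s["hits"] += 1
        s["secs"] += rec["secs"]
        s["bytes"] += rec["bytes"]
    return stats


def heavy_uris(lines, min_avg_secs=1.0, min_avg_bytes=1_000_000):
    """Return (path, avg_secs, avg_bytes, reasons) for paths that are heavy on
    CPU (latency) or bandwidth (size), heaviest first. Thresholds are assumed."""
    result = []
    for path, s in aggregate(lines).items():
        avg_secs = s["secs"] / s["hits"]
        avg_bytes = s["bytes"] / s["hits"]
        reasons = []
        if avg_secs >= min_avg_secs:
            reasons.append("cpu")
        if avg_bytes >= min_avg_bytes:
            reasons.append("bandwidth")
        if reasons:
            result.append((path, round(avg_secs, 3), int(avg_bytes), reasons))
    result.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return result


if __name__ == "__main__":
    for row in heavy_uris(SAMPLE_LOG.splitlines()):
        print(row)
```

The ranked output is the list of URIs to put behind per-URI rate limits or the heavy-URL protection described later in the deck; in production the thresholds should come from the site's own latency and size percentiles rather than fixed numbers.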

Page 10: Taking the Fear out of WAF

Tools and Methods of L7 DoS Attacks

• Attackers are proficient at network reconnaissance

• They obtain a list of site URIs

• Sort by time-to-complete (CPU cost)

• Sort list by megabytes (bandwidth)

• Spiders (bots) available to automate

• Though they are often known by the security community

• Can be executed with a simple wget script, or OWASP HTTP Post tool

Page 11: Taking the Fear out of WAF

Network Reconnaissance Example

Exploiting POST for Fun & DoS

• Determine:

  • URLs accepting POST

  • Max size for POST

• Bypass CDN protections (POST isn’t cache-able)

• Fingerprint both TCP & app at the origin

Attackers work to identify weaknesses in application infrastructure

Page 12: Taking the Fear out of WAF


Detection and Mitigation Challenges

• Source IP address mostly ineffective for detection

• Geo-fencing impractical for most sites

• Recent brute force attack sourced from 1M IP addresses

• Endless supply of IP addresses

• Compromised routers, cable modems, proxies, and more.

Page 13: Taking the Fear out of WAF

DETECTING & STOPPING AUTOMATED TRAFFIC

Page 14: Taking the Fear out of WAF


Classifying the Bad BOTS…

• Most attacks are automated, whether DoS, Brute Force, or data breach

• Many reconnaissance tools available

  • WGET, SQLMap, etc.

  • Headless browsers (e.g. Phantom.js, et al)

• Attackers must automate to find weaknesses for manual probing

Page 15: Taking the Fear out of WAF


…from the Good BOTS

• Search-bots have unique capabilities

  • Reverse lookup should tell you if the IP is from the search provider

• Other bots, such as scrapers and aggregators, may need to be allowed.

  • Determine unique characteristics

  • Signature-based bypass

  • Still may need to throttle benign bots
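The reverse lookup the slide recommends is only trustworthy when it is forward-confirmed: the PTR name must fall in a domain the search provider publishes, and that name must resolve back to the requesting IP, otherwise anyone who controls reverse DNS for their own address range can label it "googlebot". The following is an added example (not F5 or ASM code) of that check. The provider suffix table is an assumption to be checked against each provider's current documentation, and the resolver is injected so the example runs offline against constructed lookup tables; in production the defaults fall back to `socket.gethostbyaddr` and `socket.gethostbyname_ex`.

```python
import socket

# Crawler hostname suffixes assumed for the example; verify against each
# provider's published list before relying on them.
TRUSTED_CRAWLER_SUFFIXES = {
    "googlebot": (".googlebot.com", ".google.com"),
    "bingbot": (".search.msn.com",),
}


def verify_search_bot(ip, claimed_bot, reverse_lookup=None, forward_lookup=None):
    """Forward-confirmed reverse DNS: ip -> PTR hostname -> A/AAAA must include ip,
    and the hostname must end in a suffix the provider publishes.
    Returns (ok, detail)."""
    reverse_lookup = reverse_lookup or (lambda a: socket.gethostbyaddr(a)[0])
    forward_lookup = forward_lookup or (lambda h: socket.gethostbyname_ex(h)[2])
    suffixes = TRUSTED_CRAWLER_SUFFIXES.get(claimed_bot.lower())
    if not suffixes:
        return False, "unknown bot name"
    try:
        host = reverse_lookup(ip).rstrip(".").lower()
    except OSError:
        return False, "no PTR record"
    if not host.endswith(suffixes):
        return False, f"PTR {host} not in provider domain"
    try:
        forward_ips = forward_lookup(host)
    except OSError:
        return False, "forward lookup failed"
    if ip not in forward_ips:
        return False, f"PTR {host} does not resolve back to {ip}"
    return True, host


# Constructed, offline resolver tables standing in for real DNS (TEST-NET addresses).
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",
    "192.0.2.11": "googlebot.com.attacker.example",  # PTR under the wrong domain
    "192.0.2.12": "crawl-192-0-2-12.googlebot.com",  # PTR looks right, forward mismatch
}
FAKE_A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "googlebot.com.attacker.example": ["192.0.2.11"],
    "crawl-192-0-2-12.googlebot.com": ["192.0.2.99"],
}


def fake_ptr(ip):
    if ip not in FAKE_PTR:
        raise OSError("NXDOMAIN")
    return FAKE_PTR[ip]


def fake_a(host):
    if host not in FAKE_A:
        raise OSError("NXDOMAIN")
    return FAKE_A[host]


def classify(ip, user_agent):
    """Decide whether a request claiming to be Googlebot earns the search-bot
    allowance; an unverified claim is treated as an imposter, not as a crawler."""
    if "googlebot" not in user_agent.lower():
        return "not-a-search-bot"
    ok, _ = verify_search_bot(ip, "googlebot", fake_ptr, fake_a)
    return "verified-search-bot" if ok else "search-bot-imposter"


if __name__ == "__main__":
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1)"
    for addr in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.50"):
        print(addr, classify(addr, ua), verify_search_bot(addr, "googlebot", fake_ptr, fake_a))
```

Because every failure path returns `False`, a crawler that cannot be confirmed simply gets the same treatment as any other bot, which is the safe default when the allowance would otherwise exempt it from rate limits or challenges. Cache verified results per IP; doing two DNS lookups per request is itself a load amplifier.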

Page 16: Taking the Fear out of WAF


Bot Signatures

Known malicious bots, blocked by default

Known “safe” bots, no action by default

Page 17: Taking the Fear out of WAF


Behavioral Analysis & Fingerprinting

• Detect GET flood attacks against Heavy URI’s

• Identify non-human surfing patterns

• Fingerprinting to identify beyond IP address

  • Identify fake User Agents

  • Track fingerprinted sessions

  • Assign risk scores to sessions

  • Detect known malicious browser extensions

• https://PanOpticlick.eff.org for a primer on the topic

Page 18: Taking the Fear out of WAF

JavaScript-based Bot Detection

• WAF injects a JS challenge with obfuscated cookie

• Legitimate browsers resend the request with cookie

• WAF checks and validates the cookie

• Requests with valid signed cookie are then passed through to the server

• Invalidated requests are dropped or terminated

• Cookie expiration and client IP address are enforced – no replay attacks

• Prevented attacks will be reported and logged w/o detected attack

Flow diagram (Internet → WAF → Web Application), legitimate browser verification:

1. 1st time request to web server: WAF responds with injected JS challenge. Request is not passed to server.

2. JS challenge placed in browser.

3. Browser responds to challenge & resends request.

4. WAF verifies response authenticity. Cookie is signed, time stamped and fingerprinted.

5. Valid requests are passed to the server. Valid browser requests bypass challenge w/ future requests.

No challenge response from bots: bots are dropped. Continuous invalid bot attempts are blocked.
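The flow above hinges on step 4: the cookie has to be unforgeable, short-lived and bound to the client that solved the challenge, or a bot can harvest one cookie and replay it. The following is an added example (not F5 or ASM code, and not how ASM builds its cookie) of a minimal version of that cookie: an HMAC-SHA256 over a JSON payload holding the client IP, a caller-supplied browser fingerprint and an expiry. The key, the 600-second TTL and the fingerprint string are assumptions for the example; the `now` parameter exists only so the expiry logic can be exercised deterministically.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Per-deployment signing key; load from a secret store in practice. Constructed here.
CHALLENGE_KEY = secrets.token_bytes(32)
COOKIE_TTL = 600  # seconds a solved challenge stays valid (assumed value)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(client_ip, fingerprint, now=None, key=CHALLENGE_KEY):
    """Value set after the browser has run the challenge script. The IP and
    fingerprint live inside the signed payload, so moving the cookie to another
    client invalidates it without the WAF keeping any server-side state."""
    now = int(now if now is not None else time.time())
    payload = json.dumps(
        {"ip": client_ip, "fp": fingerprint, "exp": now + COOKIE_TTL},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def validate_cookie(cookie, client_ip, fingerprint, now=None, key=CHALLENGE_KEY):
    """Return (ok, reason). Any failure means the client gets the challenge again."""
    now = int(now if now is not None else time.time())
    try:
        payload_b64, sig_b64 = cookie.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        return False, "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Verify the signature before trusting any field in the payload
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    fields = json.loads(payload)
    if now > fields["exp"]:
        return False, "expired"
    if fields["ip"] != client_ip:
        return False, "ip mismatch"
    if fields["fp"] != fingerprint:
        return False, "fingerprint mismatch"
    return True, "ok"


def handle_request(cookie, client_ip, fingerprint, now=None):
    """The WAF decision point: forward to the origin, or answer with the JS challenge."""
    if cookie is not None:
        ok, _ = validate_cookie(cookie, client_ip, fingerprint, now)
        if ok:
            return "pass-to-server"
    return "serve-js-challenge"


if __name__ == "__main__":
    c = issue_cookie("203.0.113.7", "fp-abc", now=1000)
    print(handle_request(c, "203.0.113.7", "fp-abc", now=1001))   # pass-to-server
    print(handle_request(c, "203.0.113.8", "fp-abc", now=1001))   # serve-js-challenge (replay from another IP)
```

The IP binding is what the slide's "no replay attacks" bullet relies on, and it is also the usual operational caveat: clients behind a NAT or a mobile carrier gateway can change address mid-session and will be re-challenged, which is a tolerable cost for browsers and a real cost for bots.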

Page 19: Taking the Fear out of WAF

Detecting bots and blocking

• When checked, ASM will fingerprint and score the browser and check multiple variables to determine if it is a bot

Fingerprint → score:

• High score: PASS

• Average score: EVALUATE (CAPTCHA or JS challenge)

• Worst score: BLOCK

Page 20: Taking the Fear out of WAF

Detecting bots and blocking

• If “Block Suspicious Browsers” is unchecked → send CS challenge (like 11.6)

• If “Block Suspicious Browsers” is checked → send Client Capabilities Challenge, and if an average score is returned, send CAPTCHA

• If “CAPTCHA Challenge” is unchecked → Block

Page 21: Taking the Fear out of WAF


ASM’s unique Proactive Bot Defense and L7 DoS: mitigating 30-40% across entire airline booking site


Page 22: Taking the Fear out of WAF

Proactive Bot Detection: consistently protecting applications from another 30% of bot requests across airline booking site

Page 23: Taking the Fear out of WAF


Mitigated over 90% of bot traffic during peak times for target URL. As bot activity rises, server latency decreases with valid requests.

Page 24: Taking the Fear out of WAF


Imagine: an Internet free of Bots.

Page 25: Taking the Fear out of WAF


Deep Thoughts

• Eliminating 30% of web traffic has serious impact

  • Capacity and performance improvements are measurable

  • Budget is always more available than for a security project

• Bot detection requires less per-application customization

  • Increases operational scale for application security

• Reduces threat model by eliminating most opportunistic attackers

  • Focus other defenses on vectors for directed attackers

Page 26: Taking the Fear out of WAF


Greatly Improve App Security Posture, Quickly and Easily…

1. Block Known Bad Requests

2. Stop Talking to (Bad) Bots

3. Stop Talking to Bad IPs

4. Hide Details Nobody Needs

5. Mask Sensitive Data

6. See the Hostile Traffic

7. Defend Against L7 DoS Attacks

Web Application Security can be complicated.

However, a well-designed Web Application Firewall, such as ASM, can provide substantial security benefit “out of the box”.

By making the simple things simple, ASM enables the security team to focus energy on critical tasks.

Page 27: Taking the Fear out of WAF

Block Known Bad Requests

Even with a very simple-to-deploy policy, ASM can block a host of known bad traffic:

• SQL Injection

• CMD Injection

• Cross-Site Scripting

• Known Evasions and Encoded Attacks

• Malformed Requests

• Directory Traversal

• Cookie Manipulation

• Buffer Overflows

• HPP Tampering

• Parameter Tampering

• Security Misconfiguration Attacks

• Cross-Site Request Forgery

• And much, much more….

Page 28: Taking the Fear out of WAF

Stop Talking to (Bad) Bots

Google, Bing, Yahoo, Ask, a couple others are ‘Friendly’… and whitelisted.

You don’t want to talk to any other bots:

• Scrapers

• DDoS Botnets

• Scanners

• Recon Bots

• Malware Droppers & Worms

ASM Identifies Bots and Blocks Them:

• Blocking Malformed Requests

• Blocking ‘Friendly’ Bot Imposters

• Blocking the Exploits that enable Malware Droppers

• Bot Identification

• Proactive Bot Defense

Bots are bad, M’kay?

The vast majority of hits on the average website are bots: >90%

Page 29: Taking the Fear out of WAF

Stop Talking to Bad IPs

There are millions of IP addresses in use on the Internet that produce nothing but hostile requests, all day long:

• Scanners

• Botnets

• Malware Hosts

• Compromised Hosts

• Phishing Sites

• Recent Hacking Activity

• DoS Activity

• Cloud Hosting Networks

• Anonymous Proxies

Additionally, many organizations will have known geo-locations that they have no reason to interact with—or for whom they would like to escalate visibility and inspection.

Block or track these in ASM with built-in Geo-Location enforcement and integration with F5’s IP Intelligence Services subscription.

Page 30: Taking the Fear out of WAF

Hide Details Nobody Needs

Page 31: Taking the Fear out of WAF

Mask Sensitive Data

Using ASM’s DataGuard™, scan and automatically mask or block:

• Credit Card Numbers

• Account Numbers

• Social Security Numbers

• Custom Defined Fields (for example: PHI details)

• Accidental Leakage of Office Documents
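Response-side masking of the kind this slide describes is a pattern match over the outbound body with a plausibility check so that order numbers and timestamps are not clobbered. The following is an added example (not F5 or ASM code, and not DataGuard's logic) that scrubs a constructed response body: candidate 13- to 16-digit runs are masked only if they pass the Luhn check, SSN-shaped values are masked outright, and in both cases the last four digits are kept so the page stays usable. The regexes, the keep-last-four policy and the sample body are assumptions for the example.

```python
import re

# Candidate card numbers: 13-16 digits, optional single space or dash between digits.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
# US SSN shape; adjust for the identifier formats your site actually handles.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum, the usual plausibility test before masking a digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_card(match):
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw  # fails the checksum: an order number or similar, leave it alone
    keep = len(digits) - 4
    out, seen = [], 0
    for ch in raw:  # preserve the original separators, mask all but the last four digits
        if ch.isdigit():
            out.append("*" if seen < keep else ch)
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_ssn(match):
    return "***-**-" + match.group(0)[-4:]


def scrub_response(body):
    """Apply card masking first, then SSN masking, and return the scrubbed body."""
    masked = CARD_RE.sub(mask_card, body)
    return SSN_RE.sub(mask_ssn, masked)


# Constructed sample response body (test card numbers, not real accounts).
SAMPLE_BODY = (
    "Order 20231010123456 for card 4111 1111 1111 1111 "
    "(alt 4012-8888-8888-1881), SSN 123-45-6789."
)

if __name__ == "__main__":
    print(scrub_response(SAMPLE_BODY))
```

Masking rather than blocking keeps the application working while the leak is fixed at the source; the matches themselves are the alerting signal, since a response that contained a full card number is a bug regardless of whether the WAF caught it.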

Page 32: Taking the Fear out of WAF

See the Hostile Traffic

Page 33: Taking the Fear out of WAF

Defend Against L7 DDoS Attacks

Diagram: web bot and user → ASM (application security) → website

These are the hardest attacks to identify and mitigate without blocking the good traffic that drives your business.

• ASM tracks app performance all the time: it knows when you are being attacked.

• It tracks URLs for utilization and resource requirements.

• It can block the bots and let your users through.

• Run the DoS protection continuously, or flip it on during an attack.

Page 34: Taking the Fear out of WAF


Change the Way We Deploy WAF

Traditional WAF

• Signatures (OWASP Top 10)

• DAST Integration

• Site Learning

• File/URL/Parameter/Header/Cookie Enforcement

• Protocol Enforcement

• Login Enforcement / Session Tracking

• Data Leak Prevention

• Flow Enforcement

Advanced WAF

• BOT Detection

• Web scraping Prevention

• Brute Force Mitigation

• L7 DDoS Protection

• Heavy URL Detection & Protection

• Captcha Challenges

• CSRF Token Injection

• Client fingerprinting

Page 35: Taking the Fear out of WAF

Web Firewall on BIG-IP is strong. Because, full proxy… And a fully programmable data plane at all layers with F5 iRules™.

Diagram: full-proxy stack, client side and server side, with the attacks handled at each layer:

• TCP: ICMP flood, SYN flood (Network Firewall)

• SSL: SSL renegotiation (WAF)

• HTTP: Slowloris attack, XSS, data leakage (WAF)

Page 36: Taking the Fear out of WAF

THANK YOU!

@bamchenry

http://www.slideshare.net/bamchenry

https://www.linkedin.com/in/bamchenry