Fastly Altitude - June 25, 2015. Joe Williams, Computer Operator at GitHub discusses using a CDN to mitigate security threats. Video of the talk: http://fastly.us/Altitude2015_Mitigating-Security-Threats-2 Joe's bio: Joe Williams is a Computer Operator at GitHub, and joined their infrastructure team in August 2013. Joe's passion for distributed systems, queuing theory and automation help keep the lights on. When not behind a computer you can generally find him riding a bicycle around Marin, CA.

2. Agenda
● Attack vectors
● Mitigation techniques
● Visibility
● Testing
● Future work and recommendations

3. Attack Vectors
● Javascript injection and Layer 7 (HTTP)
● Bandwidth amplification (SSDP, DNS, NTP)
● SYN flood
o Normal and fat SYNs
● HTTP GET flood to HTTPS
● UDP flood
● Slowloris
● Application saturation
● Attacks on secondary applications (marketing sites, etc)
● Attacks on your providers (DNS, CDN, etc)

4. Mitigation Techniques
“The normal stuff”
● BGP based routing and scrubbing providers
● Security devices at the edge of your network
● Heavy use of haproxy

5. Mitigation Techniques
Fast edge configuration changes
/banhammer base 403 add github.com/some/bad/path
/banhammer ip add 1.1.1.1
/securitydevice-mitigations start github.com_80
/scrubbingprovider enable
/banhammer ua tarpit add bad-ua

6. Mitigation Techniques
Identify specific attacks at the edge
● Example (slowloris):
acl content_present req_len gt 0
tcp-request inspect-delay 10s
tcp-request content accept if content_present
tcp-request content reject

7. Mitigation Techniques
Identify human requests at the edge
acl accept_lang hdr(Accept-Language) -m found
acl timezone_cookie hdr_sub(cookie) tz

8. Mitigation Techniques
Tuned timeouts
timeout http-request 15s
timeout tarpit 30s
timeout client 35s
timeout connect 5s

9. Visibility
Graphs

10. Visibility
Provider Graphs

11. Visibility
Logging
● Various headers
○ user agent, origin, referer, x-requested-with, etc
● Client GeoIP and Autonomous System
● GeoIP based on Fastly-Client-IP header
● Fastly resp.http.X-Served-By header

12. Configuration Testing
Functional integration testing
● Edge devices and services
● Providers

13. Configuration Testing
================ running tests for github.com against 127.0.0.100 ================
test: [github.com] http port ... OK (2s)
test: [github.com] ssh port ... OK (2s)
test: [github.com] https port ... OK (2s)
test: [github.com] git port ... OK (2s)
test: [github.com] www redirects to github.com ... OK (0s)
test: [github.com] fi.github.com redirects to enterprise.github.com ... OK (0s)
test: [github.com] embed.github.com redirects to HTTPS ... OK (0s)
test: [github.com] https embed.github.com redirects to https embed.githubusercontent.com ... OK (0s)
test: [github.com] render.github.com redirects to HTTPS ... OK (0s)
<snip>
================ running tests for github.map.fastly.net against github.map.fastly.net ================
test: [github.map.fastly.net] negotiates http/1.1 with ALPN ... OK (0s)
test: [github.map.fastly.net] doesn't negotiate http/1.0 with ALPN ... FAILED (expected)
test: [github.map.fastly.net] make sure we use good ciphers ... OK (0s)
test: [github.map.fastly.net] github.map.fastly.net make sure we dont use bad ciphers ... OK (0s)
test: [github.map.fastly.net] ssl fingerprint check ... OK (0s)
test: [github.map.fastly.net] make sure we are using the DigiCert High Assurance EV Root CA ... OK (0s)

14. Future Work and Recommendations
● HTTPS traffic authentication
● Multiple CDN providers
● Multiple DNS providers
● Per service configuration/architecture
○ Per service Fastly IP maps
○ Per service load balancer groups