F5 Networks Inc. added three new security mechanisms to the current release of its Big-IP traffic management software designed to shut down some of the most common and destructive hacker attacks.
The traffic management and load balancing supplier created a mechanism to shut down so-called SYN or ACK floods by improving the “SYN cookie” concept put forth in an academic paper several years ago.
SYN floods overwhelm a site with bogus TCP three-way handshake requests that can bring a site to its knees. “We use [the three-way handshake] as a challenge/response mechanism. We look at it, take properties from that packet, meld it together, assign a cryptographic number to it and send it back to the client,” said Raja Mukerji, principal engineer at Seattle-based F5.
“Big-IP doesn't go down that road if it doesn't trust it. With syn cookies, you still have to send replies back. Now Big-IP ignores the attackers,” said early user Brad Fitzpatrick, founder of Danga Interactive Inc., in Portland, Ore., which operates Livejournal.com. “It was the only problem that we couldn't do anything about.”
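The challenge/response Mukerji describes is a SYN cookie: the sequence number in the SYN-ACK is derived from properties of the SYN and a server secret, so nothing is stored until a client returns an ACK that carries a valid cookie, and bogus handshake attempts are simply dropped. The Python below is an added illustration of that idea, not F5's code; the cookie layout, HMAC key, tick size and MSS table are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-secret"     # constructed; a real device rotates this key
MSS_TABLE = (536, 1220, 1440, 1460)     # MSS values encodable in the 3-bit field
TICK = 64                               # seconds per timestamp counter tick
MAX_AGE = 1                             # accept current or previous tick only


def _mac24(src_ip, src_port, dst_ip, dst_port, tick, mss_idx, client_isn):
    """24-bit keyed hash binding the cookie to the 4-tuple, time slot, MSS and client ISN."""
    msg = struct.pack("!4sH4sHBBI",
                      ipaddress.IPv4Address(src_ip).packed, src_port,
                      ipaddress.IPv4Address(dst_ip).packed, dst_port,
                      tick, mss_idx, client_isn & 0xFFFFFFFF)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now):
    """Build the SYN-ACK initial sequence number; no per-connection state is kept."""
    tick = (now // TICK) & 0x1F                                    # 5 bits
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0])  # 3 bits
    mac = _mac24(src_ip, src_port, dst_ip, dst_port, tick, mss_idx, client_isn)
    return (tick << 27) | (mss_idx << 24) | mac


def check_ack(src_ip, src_port, dst_ip, dst_port, seq, ack, now):
    """Validate the handshake's final ACK. Returns the negotiated MSS, or None when the
    ACK does not carry a fresh, correctly keyed cookie (the packet is then ignored)."""
    cookie = (ack - 1) & 0xFFFFFFFF            # client acknowledges our ISN + 1
    client_isn = (seq - 1) & 0xFFFFFFFF        # client's SEQ is its own ISN + 1
    tick, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None                            # malformed cookie
    age = (((now // TICK) & 0x1F) - tick) & 0x1F
    if age > MAX_AGE:
        return None                            # stale or forged timestamp
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, tick, mss_idx, client_isn)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
        return None                            # not keyed by our secret: drop silently
    return MSS_TABLE[mss_idx]
```

Because the MSS and timestamp ride inside the cookie, the server can rebuild the connection from the ACK alone, which is why a flood of SYNs that never complete the handshake costs it no memory.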
F5 combined the Syn Check function with a new Dynamic Reaper function that can effectively discern characteristics of traffic generated by DoS (denial-of-service) attacks.
Dynamic Reaper tracks the idle connection times that are common in network DoS attacks. Those links that show no activity are shut down, while legitimate connections that show activity are maintained.
In the third new security mechanism, F5 implemented support for OCSP (Online Certificate Status Protocol), an extension of Secure Sockets Layer that allows client certificates to be revoked in real time if they are not legitimate.
With its OCSP support, Big-IP links to an external OCSP responder list, checks the client's certificate status against the list to see if it is authorized and allows the connection through if it is authorized. If not, Big-IP can deny access or redirect the client to an allowed site.
The new security mechanisms will be available at the end of the month as a free upgrade to Big-IP 4.5.