f5 technology

Interesting concept

Internal Users should be treated the same as external users

D30 use this product on their Internet project. They have V13; D30 will want to add Popup Capture, I am guessing for login.

D30 have 2 teams for looking after this product.

Hosted on Ooredoo

F5 HW/SW

This uses a custom F5 specification.

OS

FreeBSD based: F5OS. This is the OS at the core of the appliance's BSD.

Hardware

Built in the F5 factory.

Everything F5 ships is delivered as an appliance.

Load Balancing

F5 caches: Squid based for static content; for active (dynamic) content F5 builds the page and then caches it.

F5 also changes the web responses to use zip compression (built into all modern browsers).

It looks at the

- FMODIFY header (i.e. the If-Modified-Since / Last-Modified conditional-request headers)

This header comes back from the server; if it says No Change, F5 renders the cached page instead of fetching it again.
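The revalidation described above, as an added example that is not part of the original notes or F5's code: a front-end cache sends If-Modified-Since, and the origin (a constructed stand-in) answers 304 so the cached page is served without rebuilding it.

```python
from email.utils import formatdate, parsedate_to_datetime


class Origin:
    """Stand-in for the real web server (constructed for this example)."""

    def __init__(self, body, last_modified_ts):
        self.body = body
        self.last_modified = last_modified_ts
        self.full_responses = 0   # how many times the page was actually built and sent

    def get(self, request_headers):
        ims = request_headers.get("If-Modified-Since")
        if ims and parsedate_to_datetime(ims).timestamp() >= self.last_modified:
            return 304, {}, b""   # "no change": nothing rebuilt, no body sent
        self.full_responses += 1
        headers = {"Last-Modified": formatdate(self.last_modified, usegmt=True)}
        return 200, headers, self.body


class RevalidatingCache:
    """Front-end cache that revalidates with a conditional GET before serving a cached page."""

    def __init__(self, origin):
        self.origin = origin
        self.cache = {}   # path -> (Last-Modified header value, body)

    def fetch(self, path):
        """Return (body, source) where source is 'cache' or 'origin'."""
        headers = {}
        cached = self.cache.get(path)
        if cached:
            headers["If-Modified-Since"] = cached[0]
        status, resp_headers, body = self.origin.get(headers)
        if status == 304 and cached:
            return cached[1], "cache"
        self.cache[path] = (resp_headers["Last-Modified"], body)
        return body, "origin"


if __name__ == "__main__":
    origin = Origin(b"<html>v1</html>", 1_700_000_000)   # constructed timestamp
    cache = RevalidatingCache(origin)
    print(cache.fetch("/index.html")[1], cache.fetch("/index.html")[1])  # origin cache
```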

Algorithm

It can use the standard algorithms, but F5 also has its own mechanism, which

- Checks 
  - Speed
  - Errors
  - Quality

Heartbeat

F5 sends a "good morning" (health check) query every 5s; this interval can be altered and customised.

Marked as Down

Typically after 3 failures the F5 flags the server as down and moves the traffic to the other server.

If the server then comes back up, you can optionally tell F5 to send traffic to that machine again only after manual approval.
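The heartbeat bookkeeping from the two sections above, as an added example that is not F5's own code: probes every 5s, a member is marked down after 3 consecutive failures, and a recovered member can be held out of the pool until an operator approves it. Member and state names are assumptions for this example.

```python
from dataclasses import dataclass


@dataclass
class PoolMember:
    """One backend server behind the F5 (constructed model, not F5's own data model)."""
    name: str
    manual_approval: bool = False   # a recovered member waits for an operator to re-enable it
    consecutive_failures: int = 0
    state: str = "up"               # "up", "down" or "pending-approval"


class HealthMonitor:
    """Heartbeat bookkeeping: probe every interval_s, mark down after threshold failures."""

    def __init__(self, interval_s=5, failure_threshold=3):
        self.interval_s = interval_s          # 5s default from the notes, customisable
        self.threshold = failure_threshold    # 3 failures default from the notes

    def record_probe(self, member, probe_ok):
        """Update the member's state from one heartbeat result and return the new state."""
        if probe_ok:
            member.consecutive_failures = 0
            if member.state == "down":
                # Server is back: either return it to service or wait for approval.
                member.state = "pending-approval" if member.manual_approval else "up"
        else:
            member.consecutive_failures += 1
            if member.consecutive_failures >= self.threshold and member.state != "down":
                member.state = "down"
        return member.state

    def approve(self, member):
        """Operator action: re-enable a member that recovered but awaits approval."""
        if member.state == "pending-approval":
            member.state = "up"
        return member.state


def eligible(members):
    """Names of the members that may currently receive traffic."""
    return [m.name for m in members if m.state == "up"]


if __name__ == "__main__":
    mon = HealthMonitor()
    web1, web2 = PoolMember("web1"), PoolMember("web2", manual_approval=True)
    for ok in (False, False, False):      # three missed heartbeats -> down
        mon.record_probe(web1, ok)
    print(eligible([web1, web2]))          # web1 is down, web2 still up
```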

Multiple Data Centres

Apply an F5 DNS feature which links the 2 data centres.

The DNS query then checks which site is available.

This means that the 2 F5 appliances talk amongst themselves on secure port 5334.

All Etisalat traffic is served by 2 F5 appliances (max bandwidth 600 Gb; currently using 175 Gb).

F5 Counterattack

It uses a Browser Identification mechanism. Switch Proxy.

IPS

Intrusion Detection Techniques

Masking

F5 can alter the values returned from the web page, i.e. it alters the database name and the server type. In other words it masks what the real software/hardware behind the F5 is.

Web Page Hacking - 0Day

F5 can be configured to "learn" what values are entered into the URL Requests.

This means that if you have a login page with:

  • Username

    • Length 8
    • Characters A-Za-z
  • Password

    • Length 8
    • Character A-Za-z0-9

So if you manipulate a URL request (when hacking), F5 will drop a request that has a username of $HACKERZ$RUle because it does not match the learned signature.
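The learned-signature check above, as an added example that is not F5's own code: a learning mode derives length and character-class constraints from legitimate values, and an enforcement mode drops a request whose parameters do not fit (the username $HACKERZ$RUle from the notes fails both checks). The profile format and URL are assumptions for this example.

```python
import re
import string
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs


@dataclass(frozen=True)
class ParamSignature:
    """Learned constraints for one request parameter (constructed model, not F5's format)."""
    max_length: int
    charset: str    # body of a regex character class, e.g. "A-Za-z0-9"

    def matches(self, value):
        return (len(value) <= self.max_length
                and re.fullmatch(f"[{self.charset}]*", value) is not None)


def learn_signature(samples):
    """Learning mode: derive length and character classes from legitimate sample values."""
    seen = set("".join(samples))
    parts = []
    if seen & set(string.ascii_uppercase):
        parts.append("A-Z")
    if seen & set(string.ascii_lowercase):
        parts.append("a-z")
    if seen & set(string.digits):
        parts.append("0-9")
    # Any other observed character is allowed literally (escaped for the class).
    parts.extend(re.escape(c) for c in sorted(seen) if not c.isalnum())
    return ParamSignature(max(len(s) for s in samples), "".join(parts))


# Profile for the login page from the notes: username A-Za-z, password A-Za-z0-9, length 8.
LOGIN_PROFILE = {
    "username": ParamSignature(8, "A-Za-z"),
    "password": ParamSignature(8, "A-Za-z0-9"),
}


def decide(url, profile=LOGIN_PROFILE):
    """Enforcement mode: allow the request only if every parameter fits its signature."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, values in params.items():
        sig = profile.get(name)
        if sig is None:
            return "drop", f"unknown parameter {name!r}"
        for v in values:
            if not sig.matches(v):
                return "drop", f"{name!r} violates learned signature"
    return "allow", ""
```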

DDOS

Network

 ping -c 6000000 <Target>

Application

Loop:
  ab -n 1000 -c 100 http://localhost:4567/

F5 absorbs this through its load balancing.

Drops Requests

These requests will be dropped:

- browserless clients
- headless clients

This is how to set the User-Agent header (Python requests):

import requests

url = 'http://www.ichangtou.com/#company:data_000008.html'
# A browser-style User-Agent; requests without one look "browserless" and get dropped
headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}

response = requests.get(url, headers=headers)
print(response.content)

Future Prediction

F5 tracks IP hosts and adds them to a reputation db.

F5 gathers

- Botnets
- Attackers
- Anonymous Addresses
- Scanner
- Geolocation Database

In theory this means a hacker will be blocked due to his IP/signature.

Anonymous Proxy

Check the use of this (a simple TCP port-forward proxy script):

#!/usr/bin/python3
# This is a simple port-forward / proxy, written using only the default python
# library. If you want to make a suggestion or fix something you can contact-me
# at voorloop_at_gmail.com
# Distributed over IDC(I Don't Care) license
import socket
import select
import time
import sys

# Changing the buffer_size and delay, you can improve the speed and bandwidth.
# But when the buffer gets too high or the delay goes too low, you can break things
buffer_size = 4096
delay = 0.0001
forward_to = ('smtp.zaz.ufsk.br', 25)


class Forward:
    """Outbound side of the proxy: the socket to the remote server."""

    def __init__(self):
        self.forward = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    def start(self, host, port):
        try:
            self.forward.connect((host, port))
            return self.forward
        except Exception as e:
            print(e)
            return False


class TheServer:
    """Listening side: accepts clients and relays bytes between each client and its forward socket."""
    input_list = []
    channel = {}

    def __init__(self, host, port):
        self.server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.server.bind((host, port))
        self.server.listen(200)

    def main_loop(self):
        self.input_list.append(self.server)
        while 1:
            time.sleep(delay)
            ss = select.select
            inputready, outputready, exceptready = ss(self.input_list, [], [])
            for self.s in inputready:
                if self.s == self.server:
                    self.on_accept()
                    break

                self.data = self.s.recv(buffer_size)
                if len(self.data) == 0:
                    self.on_close()
                    break
                else:
                    self.on_recv()

    def on_accept(self):
        forward = Forward().start(forward_to[0], forward_to[1])
        clientsock, clientaddr = self.server.accept()
        if forward:
            print(clientaddr, "has connected")
            self.input_list.append(clientsock)
            self.input_list.append(forward)
            # map each side of the connection to its peer
            self.channel[clientsock] = forward
            self.channel[forward] = clientsock
        else:
            print("Can't establish connection with remote server.", end=" ")
            print("Closing connection with client side", clientaddr)
            clientsock.close()

    def on_close(self):
        print(self.s.getpeername(), "has disconnected")
        # remove objects from input_list
        self.input_list.remove(self.s)
        self.input_list.remove(self.channel[self.s])
        out = self.channel[self.s]
        # close the connection with client
        self.channel[out].close()  # equivalent to do self.s.close()
        # close the connection with remote server
        self.channel[self.s].close()
        # delete both objects from channel dict
        del self.channel[out]
        del self.channel[self.s]

    def on_recv(self):
        data = self.data
        # here we can parse and/or modify the data before sending it forward
        print(data)
        self.channel[self.s].send(data)


if __name__ == '__main__':
    server = TheServer('', 9090)
    try:
        server.main_loop()
    except KeyboardInterrupt:
        print("Ctrl C - Stopping server")
        sys.exit(1)

UAE App

Apparently the F5 "defence app"

  • checks the IMEI
  • checks the client key certificate
  • checks that the device is not jailbroken

If this passes, the user enters

    - Username
    - Password

    Then

        - F5 sends an SMS saying please use this one-time code

Virtualisation

F5 will turn the VDI data-channel from the Client to the VDI Server image, into HTTPS data streams.

Then all traffic from the F5 to the virtual servers will be in the native protocol.

This is nice

Lookup - further checks

monkey quest hack

DNS

DNS comes with AD (Active Directory); it is the 2nd most hacked protocol.

Hacks

DNS Amplification
DNS Poisoning

To improve resilience, modify the DNS definitions.

Instead of being an authoritative A record, define the hostname as a reflective entry, i.e. go and check on some other server.

WebSafe

F5 custom application for protection against phishing and malware.

Command and Control

Check out

Thor

Phishing

F5 can provide a service that tracks if your web site has been duplicated and rehosted.

Encryption

When a user types into a web page, F5 can add Layer 7 encryption to that data. When the data is then sent to the server it is encrypted at the

Layer 7 - Application

Layer 5 - Session

Data Obfuscation

F5 obfuscates the fields and the internal classes.

I can see this working on the client data that is submitted; the server response will also be obfuscated!!! THIS MAKES SCRAPING IMPOSSIBLE BY NAME

But ...

WEB SCRAPING by hierarchy is possible