I am become loadbalancer, owner of your network

In the last few years, a slew of high-profile, most severe remote code execution vulnerabilities have been found, disclosed and then promptly exploited en-masse against the category of networking hardware known as load balancers.

These devices primarily serve to distribute traffic across server farms & offload SSL processing; they cost between $40k-$250k per device and are largely viewed as black box systems due to restrictive licensing, proprietary hardware and a lack of transparency from the vendors into the guts of the systems. They run at the borders and cores of most cell carriers, banks, Fortune 500 companies, ISPs and some cloud providers.

Since many of these devices function not only to balance traffic, but as VPN concentrators, WAFs and SSL proxies, they are generally installed in high-access parts of the network. Due to their mission criticality, they also frequently run outdated vendor code and, even worse, the Linux/BSD based operating systems they use are generally numerous versions behind current and due to the proprietary nature of their code, one does not simply ‘apt get upgrade -y’. Since they all run Linux/BSD as the management OS, once you’ve breached one with an ‘exploit that fits in a tweet’ the environment is ripe for lateral movement, persistence and further exploitation using commonly available open source tools.

In this talk, I will lean on a decade of experience working for one of the most prominent load balancing vendors and teach you the architecture, how the devices operate, how they’re deployed, what their management plane looks like and the access it affords you post-breach. You will also learn how to avoid common mistakes which can interrupt traffic processing, trigger device failures and otherwise give away your presence on the system. While this talk will focus on a specific architecture, all vendors use essentially the same design concepts so the information is applicable across most platforms. Additionally, armed with an understanding of the designs you’ll be able to use freely available vendor documentation to hone & tune your post-exploitation shenanigans across other load balancing products.

This talk is primary aimed at offensive operations, however the information provided can also be leveraged by defenders to harden their environments and provide guidance on DFIR operations post-breach. It will include real-world examples of both attack techniques and IOC data from a widely exploited vulnerability disclosed in 2020.

About the Speaker