I am become loadbalancer, owner of your network

Back to the list of Speakers and Sessions
Watch the stream
In the last few years, a slew of remote code execution vulnerabilities have been found, disclosed and then promptly exploited en-masse against networking hardware known as load balancers. These devices primarily serve to distribute traffic across server farms & offload SSL processing are largely viewed as black box systems due to restrictive licensing, proprietary hardware, and a lack of transparency from the vendors into the guts of the systems. They run at the borders and cores of most cell carriers, banks, Fortune 500 companies, ISPs and some cloud providers. Since many of these devices function not only to balance traffic, but as VPN concentrators, WAFs and SSL proxies, they are generally installed in high-access parts of the network. Due to their mission criticality, they also frequently run outdated vendor code and, even worse, the Linux/BSD based operating systems they use are generally numerous versions behind current and due to the proprietary nature of their code, one does not simply 'apt get upgrade -y'. Since most run Linux/BSD as the management OS, the environment is ripe for lateral movement, persistence and further exploitation using commonly available open source tools.

In the last few years, a slew of high-profile, critical remote code execution vulnerabilities have been found, disclosed and then promptly exploited en-masse against the category of networking hardware known as load balancers. These devices primarily serve to distribute traffic across server farms & offload SSL processing; they cost between $40k-$250k per device and are largely viewed as black box systems due to restrictive licensing, proprietary hardware and a lack of transparency from the vendors into the guts of the systems. They run at the borders and cores of most cell carriers, banks, Fortune 500 companies, ISPs and some cloud providers.

Since many of these devices function not only to balance traffic, but as VPN concentrators, WAFs and SSL proxies, they are generally installed in high-access parts of the network. Due to their mission criticality, they also frequently run outdated vendor code and, even worse, the Linux/BSD based operating systems they use are generally numerous versions behind current and due to the proprietary nature of their code, one does not simply 'apt get upgrade -y'. Since they all run Linux/BSD as the management OS, once you've breached one with an 'exploit that fits in a tweet' the environment is ripe for lateral movement, persistence and further exploitation using commonly available open source tools.

In this talk, I will lean on a decade of experience working for one of the most prominent load balancing vendors and teach you the architecture, how the devices operate, how they're deployed, what their management plane looks like and the access it affords you post-breach. You will also learn how to avoid common mistakes which can interrupt traffic processing, trigger device failures and otherwise give away your presence on the system. While this talk will focus on a specific architecture, all vendors use essentially the same design concepts so the information is applicable across most platforms. Additionally, armed with an understanding of the designs you'll be able to use freely available vendor documentation to hone & tune your post-exploitation shenanigans across other load balancing products.

While this talk is primary aimed at offensive operations, the information provided can also be leveraged by defenders to harden their environments and provide guidance on DFIR operations post-breach.


Nate Warfield ,

Nate has been a hacker since he first laid hands on a 2400 baud modem. After his first hack of a dial-up BBS at 12, he was hooked and over the following 25 years he sharpened his skills through jobs in network engineering, vulnerability response, endpoint research and side projects - hacking phones & researching network attack surface. After a record-setting 4.5 years shipping Windows patches for the Microsoft Security Response Center and a brief stint in Windows Defender ATP, he is currently the Chief Technology Officer of Prevailion. He was featured in WIRED magazines’ “25 people doing good in 2020” for his role in starting CTI League, a volunteer group of InfoSec professions who provided threat intelligence to hospitals during COVID-19.