F5 DDoS Protection

MarketingArrowECS_CZ, 132 slides, Mar 14, 2017

F5 DDoS protection
Mariusz Sawczuk –Specialist Systems Engineer North & East EMEA
[2017-03-08]

© F5 Networks, Inc 2
DDoS (Distributed Denial of Service)
[Diagram: many attackers on the Internet, alongside web clients, partners, websites and remote users, reach a data center through routers, next-generation firewalls (act/stby), a DMZ (firewall, VPN, anti-malware proxy, DLP) and multi-layer switches (act/stby) to applications, databases, DNS, email and users; the attack classes shown are volumetric DoS, network DoS, session DoS and application DoS]

© F5 Networks, Inc 3
Agenda: the DDoS world is complex (growing, anyone, global, fun, war tactics, diverse, business)

© F5 Networks, Inc 4
DDoS attacks hide the Real Threat

© F5 Networks, Inc 5
Types of DDoS attacks
• Layer 7 (application): OWASP Top 10 (e.g. XSS), Slowloris, Slow POST/Read, HTTP GET/POST floods, ...
• Layers 5-6 (session, SSL): SSL floods, SSL renegotiation, ...
• DNS, NTP: DNS UDP floods, DNS query floods, DNS NXDOMAIN floods
• Layers 2-4 (network): SYN/UDP/connection floods, PUSH and ACK floods, ICMP/ping floods, Teardrop, Smurf attacks, ...

© F5 Networks, Inc 6
Types of DDoS attacks (the same layer map as on slide 5, with blended volumetric attacks spanning all layers)

© F5 Networks, Inc 7
DDoS attacks are easy to launch
Press button and forget
hping3, nmap, Low Orbit Ion Cannon (LOIC), High Orbit Ion Cannon (HOIC), killapache.pl, slowloris, metasploit, slowhttptest, RussKill, Pandora, Dirt Jumper, PhantomJS, ..., JMeter, Scapy, Httpflooder, SSLyze, THC-SSL-DOS, and many, many more...

© 2016 F5 Networks 8
DDoS attacks are easy to launch
Press button and forget - 2016 tools bundle
Evasion techniques / differentiation:
• Several User-Agents & Referers
• Random URL/UA/Content-Length

© 2016 F5 Networks 9
DDoS attacks are easy to launch
DDoS Coin –crowd funding DDoS

© F5 Networks, Inc 10
DDoS IoT (Internet of Things) - Mirai botnet
Mirai is Japanese for "future"
https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

© F5 Networks, Inc 11
DDoS IoT - Mirai botnet
Known targets of DDoS attacks
[Chart of reported peak attack sizes: 0.54 Tbps, 0.62 Tbps, 1.0 Tbps, 1.2 Tbps]

© F5 Networks, Inc 12
DDoS IoT - Mirai botnet
DDoS attacks
• STOMP attack (non-standard attack)
• Known "VSE" attack, offered by online booters (DDoS as a Service): exploiting online gaming servers for amplification
• A hidden "CFNull" Layer 7 attack: never implemented

© F5 Networks, Inc 13
DDoS IoT –Mirai botnet
DDoS Attacks –HTTP Attacks

© F5 Networks, Inc 14
DDoS IoT –Mirai botnet
Coming Through the Front Door

© F5 Networks, Inc 15
DDoS IoT –Mirai botnet
Change of tactics

© F5 Networks, Inc 16
DDoS IoT - Other botnets
IoT malware families: Mirai, LuaBot, qBot (GayFgt/Torlus/Bashlite), Darlloz, IRCTelnet (Aidra2), Hajime

F5 Networks DDoS Protection

© F5 Networks, Inc 18
F5 Networks DDoS Protection
On-premises and cloud-based services for comprehensive DDoS protection
Protect your business and stay online during a DDoS attack
F5 ON-PREMISES DDOS PROTECTION
• Mitigate mid-volume, SSL, or application-targeted attacks on-premises
• Complete infrastructure control
• Advanced L7 attack protections
F5 SILVERLINE DDOS PROTECTION (when under attack)
• Turn on the cloud-based service to stop volumetric attacks from ever reaching your network
• Multi-layered L3-L7 DDoS attack protection against all attack vectors
• 24/7 attack support from security experts

© F5 Networks, Inc 19
F5 Networks DDoS Protection - Reference Architecture
[Diagram: a threat intelligence feed; scanners, anonymous proxies, anonymous requests, botnet attackers and DDoS attackers mixed with legitimate users; a cloud scrubbing service (volumetric attacks and floods, operations-center experts, L3-7 known signature attacks) and a multiple-ISP strategy (ISP a/b); a network and DNS tier with IPS and next-generation firewall handling network attacks (ICMP flood, UDP flood, SYN flood) and DNS attacks (DNS amplification, query flood, dictionary attack, DNS poisoning); an application tier handling HTTP attacks (Slowloris, slow POST, recursive POST/GET) and SSL attacks (SSL renegotiation, SSL flood) in front of financial services, e-commerce and subscriber applications; corporate users; the "strategic point of control"]

© F5 Networks, Inc 20
F5 Networks DDoS Protection - Why F5 Hybrid is better
• Only single vendor with native, seamlessly integrated on-premises and cloud-based scrubbing services
• Leverages industry-leading application protections to defend against L7 DDoS and vulnerability threats
• Most comprehensive HW-based DDoS protection coverage
• Unsurpassed SSL performance with SSL termination and outbound SSL interception protection
• Ensures app availability and performance while under attack with leading data center scalability and up to 2 Tbps of cloud-based scrubbing capacity
• Gartner on DDoS: Go Hybrid! "Cloud + On-Premises" makes the most sense

F5 On-Premises DDoS Protection - BIG-IP

© F5 Networks, Inc 22
F5 On-premises DDoS protection - Full proxy security
[Diagram: separate client-side and server-side stacks (TCP, SSL, HTTP), each with iRule hooks; the network firewall on the client side handles ICMP flood, SYN flood and SSL renegotiation; the WAF handles the Slowloris attack, XSS and data leakage]

© F5 Networks, Inc 23
F5 On-premises protection - Comprehensive application security
[Diagram of BIG-IP modules: application access, network access, network firewall, network DDoS protection, SSL DDoS protection, DNS DDoS protection, application DDoS protection, web application firewall, fraud protection, virtual patching]

© F5 Networks, Inc 24
F5 On-premises protection - Comprehensive DDoS protection
More than only DDoS protection
• ASM DoS + IPI: L7 DoS profiles, heavy URLs
• AFM DoS + IPI: device DoS, protocol DoS, IP Intelligence, black/white lists, DNS DoS
• DNS: DNS DoS, DNSSEC
• LTM profiles: HTTP/HTTPS, SSL, SIP, SMTP
• BIG-IP system: reaper (75%-90%), iRules

© F5 Networks, Inc 25
F5 On-premises DDoS protection - Performance
Up to 640 Gbps, 7.5M CPS (connections per second) and 576M concurrent connections in the data center, and over 1 Tbps in the cloud
[Chart of platform capacity: 2000 series / 4000 series, 5000 series, 7000 series, 10000 series, 11000 series, VIPRION 2200 (new), VIPRION 2400, VIPRION 4480, VIPRION 4800; axis marks 25M, 200M, 1 Gbps, 3 Gbps, 5 Gbps, 10 Gbps (new)]

© F5 Networks, Inc 26
F5 On-premises DDoS protection - DDoS vectors hardware accelerated
Over 110 L3/4 DDoS vectors, the majority of them mitigated in hardware.

© F5 Networks, Inc 27
F5 On-premises DDoS protection -Recommended by NSS Labs

Network DDoS Mitigation
(section: Network | Application | Session | SSL | DNS, NTP | Blended)

© F5 Networks, Inc 29
Network DDoS Mitigation
[Reference architecture diagram as on slide 19, network tier highlighted]
NETWORK KEY FEATURES
• The network tier at the perimeter provides layer 3 and 4 network firewall services
• Simple load balancing to a second tier
• IP reputation database
• Mitigates transient and low-volume attacks

© F5 Networks, Inc 30
Demo TCP SYN Flood - SYN cookies
[Diagram: flow table] The original SYN is transformed into a cookie and sent back to the client as the sequence number of the SYN-ACK; no flow-table entry exists yet. The flow-table entry is created and inserted only on receipt of the client's ACK, which carries the cookie back, and at that point the connection is established.
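The stateless handshake the slide sketches, as an added example that is not F5 code and not how TMOS derives its cookies: a virtual server answers every SYN with an HMAC-derived cookie as the SYN-ACK sequence number, stores nothing, and inserts a flow-table entry only when an ACK returns a valid, fresh cookie. The secret, the 8-bit counter byte in the cookie, the counter window and the constructed flood are assumptions for the example.

```python
import hashlib
import hmac
import socket
import struct

# Assumptions for this example: a per-device secret that a real implementation
# rotates, and a coarse time counter (say, 64 s ticks) whose low byte is kept in
# the cookie so the validator can tell a stale cookie from a fresh one.
SECRET = b"example-secret-rotate-me"
COUNTER_WINDOW = 2   # cookies older than this many ticks are rejected


def _handshake_bytes(src_ip, src_port, dst_ip, dst_port, client_isn, counter):
    """Canonical byte string over which the cookie MAC is computed."""
    return struct.pack("!4sH4sHII",
                       socket.inet_aton(src_ip), src_port,
                       socket.inet_aton(dst_ip), dst_port,
                       client_isn & 0xFFFFFFFF, counter & 0xFFFFFFFF)


def _mac24(msg):
    """Low 24 bits of the cookie: keyed hash truncated to 3 bytes."""
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, counter):
    """32-bit SYN-ACK sequence number: 8-bit counter || 24-bit keyed hash."""
    mac = _mac24(_handshake_bytes(src_ip, src_port, dst_ip, dst_port, client_isn, counter))
    return ((counter & 0xFF) << 24) | mac


def check_cookie(cookie, src_ip, src_port, dst_ip, dst_port, client_isn, now_counter):
    """True if the cookie was minted for this 4-tuple/ISN within COUNTER_WINDOW ticks."""
    tick = cookie >> 24
    for age in range(COUNTER_WINDOW + 1):
        candidate = now_counter - age
        if candidate < 0 or (candidate & 0xFF) != tick:
            continue
        expected = _mac24(_handshake_bytes(src_ip, src_port, dst_ip, dst_port, client_isn, candidate))
        if hmac.compare_digest(expected.to_bytes(3, "big"), (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return True
    return False


class SynCookieListener:
    """Virtual server that keeps no state for half-open connections."""

    def __init__(self, vs_ip, vs_port):
        self.vs_ip, self.vs_port = vs_ip, vs_port
        self.flow_table = {}   # (src_ip, src_port) -> cookie, established flows only

    def on_syn(self, src_ip, src_port, client_isn, counter):
        """SYN in, SYN-ACK out; nothing is stored, so a SYN flood costs one HMAC per packet."""
        cookie = make_cookie(src_ip, src_port, self.vs_ip, self.vs_port, client_isn, counter)
        return {"seq": cookie, "ack": (client_isn + 1) & 0xFFFFFFFF}

    def on_ack(self, src_ip, src_port, seq, ack, counter):
        """Third packet: seq = client ISN + 1, ack = cookie + 1. Only a valid cookie creates a flow."""
        client_isn = (seq - 1) & 0xFFFFFFFF
        cookie = (ack - 1) & 0xFFFFFFFF
        if not check_cookie(cookie, src_ip, src_port, self.vs_ip, self.vs_port, client_isn, counter):
            return False
        self.flow_table[(src_ip, src_port)] = cookie
        return True


def simulate():
    """Constructed scenario on the demo topology: VS 10.1.10.80:80, attacker .200, user .100."""
    vs = SynCookieListener("10.1.10.80", 80)
    # Spoofed SYN flood: thousands of SYNs from random sources, no ACK ever follows.
    for i in range(5000):
        vs.on_syn(f"198.51.100.{i % 250 + 1}", 1024 + i, client_isn=i * 7919, counter=100)
    half_open = len(vs.flow_table)
    # Legitimate user completes the handshake one tick later.
    synack = vs.on_syn("10.1.10.100", 40000, client_isn=123456, counter=100)
    legit = vs.on_ack("10.1.10.100", 40000, seq=123457, ack=synack["seq"] + 1, counter=101)
    # Attacker forges an ACK with a plausible counter byte but no knowledge of the secret.
    forged = vs.on_ack("10.1.10.200", 50000, seq=1, ack=((101 << 24) | 0x123456) + 1, counter=101)
    # The user's real cookie replayed after its window has closed.
    stale = vs.on_ack("10.1.10.100", 40000, seq=123457, ack=synack["seq"] + 1,
                      counter=100 + COUNTER_WINDOW + 5)
    return {"half_open_after_flood": half_open, "legit": legit, "forged": forged,
            "stale": stale, "flows": len(vs.flow_table)}


if __name__ == "__main__":
    print(simulate())
```

The flood leaves the flow table empty because no per-SYN state is kept; the only cost is one keyed hash per SYN and one per ACK, which is what lets the vector be handled at line rate.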

© F5 Networks, Inc 31
Demo TCP SYN Flood - Topology and initial configuration
• TMOS version 12.1
• Virtual server info:
- Listening on port 80
- Type: Performance L4 (to start with)
- No HTTP profile (to start with)
- Pool members: 3x Apache servers listening on port 80
[Topology diagram: attacker .200 and user .100 on 10.1.10.0/24 in front of the BIG-IP platform; virtual server .80:80; application servers .11, .12 and .13 on 10.1.20.0/24 behind it]

© F5 Networks, Inc 32
Demo TCP SYN Flood -Start the attack

© F5 Networks, Inc 33
Demo TCP SYN Flood -Attack Mitigated

© F5 Networks, Inc 34
Demo TCP SYN Flood -AFM signatures mitigation

© F5 Networks, Inc 35
Network DDoS Mitigation - AFM (Advanced Firewall Manager)
[Diagram: user, app servers and a classic server behind a data center firewall offering application security, access security, DNS security and network DDoS]
• Built on the market-leading Application Delivery Controller (ADC)
• Consolidates multiple appliances to reduce TCO
• Protects against L2-L4 attacks with the most advanced full proxy architecture
• Delivers over 110 vectors and more hardware-based DoS vectors than any other vendor
• Ensures performance while under attack: scales to 7.5M CPS, 576M CC, 640 Gbps
• Offers a foundation for an integrated L2-L7 application delivery firewall platform

© F5 Networks, Inc 36
Network DDoS Mitigation - AFM: Stateless DDoS Mitigation
L2-L4 stateless DoS vectors
[Screenshot: DoS categories and DoS vectors, each with three thresholds]
• Detection threshold, absolute number in PPS: when to report an attack
• Detection threshold, relative percent increase in PPS: when to report an attack
• Mitigation threshold, absolute number in PPS: when to mitigate an attack
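An added example, not AFM's implementation, of the three per-vector thresholds in the screenshot: an absolute detection threshold and a relative (percent over baseline) detection threshold that only report, and an absolute mitigation threshold that rate-limits. The baseline is a moving average of recent samples taken while nothing was reported, so attack traffic does not raise it; the threshold values, the 60-sample history and the SYN-flood time series are assumptions.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class VectorThresholds:
    name: str
    detect_pps: int     # absolute detection threshold (PPS): when to report
    detect_pct: int     # relative detection threshold: % increase in PPS over baseline
    mitigate_pps: int   # absolute mitigation threshold (PPS): rate limit applied above it


@dataclass
class VectorState:
    # Samples seen while the vector was quiet; attack traffic is not learned (assumption).
    history: deque = field(default_factory=lambda: deque(maxlen=60))

    def baseline(self):
        return sum(self.history) / len(self.history) if self.history else None


def evaluate(th, state, pps):
    """Classify one per-second sample for a vector; returns the action taken and why."""
    baseline = state.baseline()
    reasons = []
    if pps >= th.detect_pps:
        reasons.append("absolute")
    if baseline is not None and baseline > 0 and pps >= baseline * (1 + th.detect_pct / 100):
        reasons.append("relative")
    action, dropped = "none", 0
    if pps > th.mitigate_pps:
        # Rate limit: everything above the mitigation threshold is dropped.
        action, dropped = "mitigate", pps - th.mitigate_pps
    elif reasons:
        action = "report"
    if action == "none":
        state.history.append(pps)
    return {"vector": th.name, "pps": pps, "baseline": baseline,
            "action": action, "reasons": reasons, "dropped_pps": dropped}


def run_series(th, samples):
    """Feed a PPS time series through evaluate() with one persistent state."""
    state = VectorState()
    return [evaluate(th, state, pps) for pps in samples]


def syn_flood_demo():
    """Constructed SYN-flood sample rate (packets per second, one sample per second)."""
    th = VectorThresholds("tcp-syn-flood", detect_pps=20000, detect_pct=500, mitigate_pps=30000)
    quiet = [1000, 1100, 950, 1050, 1000]
    ramp = [7000, 20000, 40000, 1000]
    return run_series(th, quiet + ramp)


if __name__ == "__main__":
    for r in syn_flood_demo():
        print(r)
```

With a learned baseline near 1,000 PPS, the 7,000 PPS sample is reported on the relative threshold long before the absolute threshold is reached, which is the point of having both; only the 40,000 PPS sample crosses the mitigation threshold and is rate-limited.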

© F5 Networks, Inc 37
Demo Different Network DDoS Attacks - Topology and initial configuration
• TMOS version 12.1
• Virtual server info:
- Listening on all ports
- Type: Standard
- TCP profile: tcp-lan-optimized on the outside interface
- Pool members: 1x server listening on different ports
[Topology diagram: attacker .200 and user .100 on 10.1.10.0/24 in front of the BIG-IP platform; virtual server .80 on all ports; server .11 on 10.1.20.0/24 behind it]

© F5 Networks, Inc 38
Demo Different Network DDoS Attacks -Start the attack

© F5 Networks, Inc 39
Demo Different Network DDoS Attacks - Attacks mitigated

© F5 Networks, Inc 40
Network DDoS Mitigation - Dynamic Endpoint Visibility & Enforcement
F5 IP Intelligence Service
• Dynamic feed updated every 5 minutes
• Applied at virtual-server level
[Screenshot: 9 pre-defined categories of malicious IPs/subnets; customizable per-category actions (Accept, Warn, Reject); policy name (attachable to a virtual server)]

© F5 Networks, Inc 41
Network DDoS Mitigation - AFM: Dynamically update security logic
Maintain a current IP reputation database that allows you to automatically mitigate traffic from known bad or questionable IP addresses.
F5 IP INTELLIGENCE SERVICES
• Dynamic services feeds updated frequently
• Policy attached to global, route-domain or VS contexts
• Categorize IP/subnet by attack type
• Customizable actions per attack type category (i.e., Accept, Warn, Alert)
• Create multiple customizable IP feeds
DYNAMIC IP BLACK LISTS & WHITE LISTS
• Create IP black lists and white lists that override IP intelligence services
• Merge multiple sources into one feed or enforcement policy
• HTTP/S & FTP polling methods
• User-defined categories
• Support for IPv6 and IPv4

Session (DNS) DDoS Mitigation
(section: Network | Application | Session | SSL | DNS, NTP | Blended)

© F5 Networks, Inc 43
DNS DDoS Attacks
Why is DNS popular for DDoS?
• Widely used protocol, open on firewalls, open recursion
• DNS is based on UDP
• DNS DDoS often uses spoofed sources
• Large amplification factor (around 100x) using open resolvers or ANY-type queries to an authoritative NS
Traditional mitigations are failing
• Using an ACL blocks legitimate clients
• DNS attacks use massive numbers of source addresses, breaking many firewalls
Denial of service attacks targeting DNS infrastructure are often complex, and standard tools cannot provide an adequate response without inhibiting the ability of DNS to do its job.

© F5 Networks, Inc 44
DNS DDoS Attacks - DNS UDP Flood
Synopsis
Many attackers or botnets flood an authoritative name server, attempting to exceed its capacity.
Dropped responses = reduced or no site availability.
[Diagram: DNS requests and DNS responses against the target DNS infrastructure]
Mitigation - PERFORMANCE, PERFORMANCE, ...
• F5 offers exceptional DNS capacity: over 2M RPS for an appliance and over 20M RPS for a chassis, plus Rapid Response Mode to roughly double that during an attack.
• Identify unusually high traffic patterns to specific clients using F5 DNS DDoS profiles (ICSA-certified firewall with support for 30+ DDoS vectors)
• Use DNS Anycast to distribute the load between regional data centers

© F5 Networks, Inc 45
DNS DDoS Attacks - DNS Amplification & NSQUERY
[Diagram: small DNS requests with a spoofed source, large DNS responses delivered to the target site]
Synopsis
By spoofing the UDP source address, many attackers can aim responses at a common victim. By requesting large record types (ANY, DNSSEC, etc.), a 36-byte request can produce a response over 100 times larger.
Mitigation
• DNS request type validation: force TCP for type ANY queries
• BIG-IP supports DNS type ACLs: filters for acceptable DNS query types
• Identify unusually high traffic patterns to specific clients or from specific sources via DNS DoS profiles and apply mitigations
• Drop all unsolicited responses (BIG-IP's default behavior)

© F5 Networks, Inc 46
DNS DDoS Attacks - NXDOMAIN Random Hostname Attack
• Querying for randomly generated non-existent hostnames
• Causes enormous work on the DNS resolver
• Blows out DNS caches
• Easy to generate: a single packet per name
• Easy to spoof the source address (UDP)
• Asymmetric
• Low bandwidth
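An added example covering the mitigations on the two preceding slides (forcing ANY queries to TCP, a DNS type ACL, dropping anything that is not a well-formed single-question query, and rate-limiting sources that hammer a zone with non-existent names); it is not BIG-IP code. It builds and parses DNS queries in wire format so that it runs offline; the zone contents, the permitted type set, the per-source NXDOMAIN limit and the sample traffic are constructed for the example.

```python
import socket
import struct
from collections import defaultdict

QTYPE_A, QTYPE_AXFR, QTYPE_ANY = 1, 252, 255
RCODE_NXDOMAIN = 3
# Hypothetical DNS type ACL: types this site answers over UDP (A, NS, SOA, PTR, MX, TXT, AAAA, SRV).
ALLOWED_QTYPES = {1, 2, 6, 12, 15, 16, 28, 33}


def build_query(qname, qtype, txid=0x1234):
    """Construct a DNS query in wire format (sample traffic for this example)."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(pkt):
    """Decode header and question; anything that is not a single-question query is rejected."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:
        raise ValueError("unsolicited response")
    if qdcount != 1:
        raise ValueError("qdcount != 1")
    off, labels = 12, []
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        n = pkt[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    if off + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"id": txid, "qname": ".".join(labels).lower(), "qtype": qtype}


def response_header(query, rcode=0, tc=False, ancount=0):
    """Response header copying the question; TC=1 makes a resolver retry over TCP,
    which a spoofed-source amplification attack cannot complete."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0100 | (0x0200 if tc else 0) | rcode   # QR | RD | TC | RCODE
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:]


def fake_a_record(ip):
    """Answer RR (pointer to the question name, type A, class IN, TTL 300) for the constructed zone."""
    return b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)


def amplification_factor(request, response):
    return len(response) / len(request)


class DnsDosFilter:
    """Front end for an authoritative server: type ACL, ANY-to-TCP, per-source NXDOMAIN limit."""

    def __init__(self, zone, nxdomain_limit=5):
        self.zone = zone                        # qname -> answer bytes (constructed)
        self.nxdomain_limit = nxdomain_limit    # per source, per window (assumption)
        self.nxdomain_count = defaultdict(int)
        self.blocked = set()

    def handle(self, src_ip, pkt):
        if src_ip in self.blocked:
            return "drop", "source blocked"
        try:
            q = parse_query(pkt)
        except ValueError as err:
            return "drop", f"malformed: {err}"
        if q["qtype"] == QTYPE_ANY:
            return "truncate", response_header(pkt, tc=True)      # come back over TCP
        if q["qtype"] not in ALLOWED_QTYPES:
            return "drop", "qtype not permitted"
        if q["qname"] in self.zone:
            return "answer", response_header(pkt, ancount=1) + self.zone[q["qname"]]
        self.nxdomain_count[src_ip] += 1
        if self.nxdomain_count[src_ip] > self.nxdomain_limit:
            self.blocked.add(src_ip)                                 # random-hostname flood
            return "drop", "NXDOMAIN flood"
        return "nxdomain", response_header(pkt, rcode=RCODE_NXDOMAIN)


def simulate():
    zone = {"example.com": fake_a_record("10.1.20.11"), "www.example.com": fake_a_record("10.1.20.12")}
    f = DnsDosFilter(zone)
    any_action, any_resp = f.handle("203.0.113.9", build_query("example.com", QTYPE_ANY))
    tc_set = bool(struct.unpack("!H", any_resp[2:4])[0] & 0x0200)
    normal, _ = f.handle("203.0.113.9", build_query("WWW.example.com", QTYPE_A))
    axfr, _ = f.handle("203.0.113.9", build_query("example.com", QTYPE_AXFR))
    # Random-subdomain flood from one (spoofed) source: names like x00007k9.example.com.
    flood = [f.handle("198.51.100.7", build_query(f"x{i:05d}k9.example.com", QTYPE_A))[0] for i in range(8)]
    # Amplification an unfiltered ANY answer would give: request bytes vs a 3 KB constructed response.
    req = build_query("example.com", QTYPE_ANY)
    factor = amplification_factor(req, response_header(req, ancount=1) + b"\x00" * 3000)
    return {"any": any_action, "tc": tc_set, "normal": normal, "axfr": axfr, "flood": flood,
            "any_request_bytes": len(req), "amplification": factor}


if __name__ == "__main__":
    print(simulate())
```

The ANY query gets an empty, truncated reply instead of a large one, so a spoofed source earns the victim nothing; a real resolver retries over TCP and is served normally. The NXDOMAIN counter is deliberately keyed on the source, because on an authoritative server the random names themselves are unbounded and cannot be listed.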

© F5 Networks, Inc 47
Demo DNS Flood -Start the attack

© F5 Networks, Inc 48
DNS DDoS Mitigation - AFM: DDoS Signatures
Attack mitigated

© F5 Networks, Inc 49
DNS DDoS Mitigation - AFM: Stateless Application-Layer DoS Detection
Application protocol volumetric attack detection: DNS & SIP
[Screenshot: malformed/protocol-violation detection; DNS DoS detection by query type and SIP DoS detection by method, each with absolute and relative-increase detection thresholds that set when to report an attack]

© F5 Networks, Inc 50
DNS DDoS Mitigation - AFM: Protocol Security
Application protocol compliance & DNS DoS mitigation
Filter by DNS query types (as listed on the slide, row by row): a, m, mg, loc, ixfr, dname, nsec3param; aaaa, px, rp, spf, cert, nsec3, ipseckey; any, md, mr, eid, apl, dhcid, nsap_ptr; cname, mf, null, nxt, axfr, zxfer, nsap; mx, a6, wks, key, sink, rrsig, nimloc; ns, rt, dlv, x25, naptr, sshfp, dnskey; ptr, mb, hip, sig, isdn, maila, mailb; soa, ds, opt, tsig, nsec, afsdb, hinfo; srv, kx, txt, atma, gpos, tkey, minfo

Session (SSL) DDoS Mitigation
(section: Network | Application | Session | SSL | DNS, NTP | Blended)

© F5 Networks, Inc 52
SSL DDoS Mitigation - F5 Reference Architecture
[Reference architecture diagram as on slide 19, application tier highlighted]
APPLICATION KEY FEATURES
• Application-aware, CPU-intensive defense mechanisms
• SSL termination
• Web application firewall
• Mitigate asymmetric and SSL-based DDoS attacks

© F5 Networks, Inc 53
Demo SSL Renegotiation -Start the attack

© F5 Networks, Inc 54
Demo SSL Renegotiation –Attack mitigated
LTM: SSL Profile

Application DDoS Mitigation
(section: Network | Application | Session | SSL | DNS, NTP | Blended)

© F5 Networks, Inc 56
Application DDoS Mitigation - F5 Reference Architecture
[Reference architecture diagram as on slide 19, application tier highlighted]
APPLICATION KEY FEATURES
• Application-aware, CPU-intensive defense mechanisms
• SSL termination
• Web application firewall
• Mitigate asymmetric and SSL-based DDoS attacks

© F5 Networks, Inc 57
Application DDoS Mitigation - ASM (Application Security Manager)
Layer 7 HTTP/S DoS attack protection
▪ Guards against RPS (TPS) and latency-based anomalies
▪ Provides predictive indicators
▪ Supports IP, geolocation, URL and site-wide detection criteria
▪ Provides heavy URL protection
▪ Protects against threats proactively
▪ Simplified reports access and added qkview violations export support
▪ Advanced prevention techniques:
▪ Client Side Integrity Defense
▪ CAPTCHA (HTML or JS response)
▪ Source IP blocking
▪ Geolocation blacklisting

© F5 Networks, Inc 58
Demo Application DDoS Attacks - Topology and initial configuration
• TMOS version 12.1
• Virtual server info:
- Listening on port 80
- Type: Performance L4 (to start with)
- No HTTP profile (to start with)
- Pool members: 3x Apache servers listening on port 80
[Topology diagram: attacker .200 and user .100 on 10.1.10.0/24 in front of the BIG-IP platform; virtual server .80:80; application servers .11, .12 and .13 on 10.1.20.0/24 behind it]

© F5 Networks, Inc 59
Application DDoS Attacks - HTTP Slow (Low Bandwidth)
• Slow HEADERS (Slowloris): opening HTTP connections to a web server and then sending just enough data in an HTTP header (typically 5 bytes or so) every 299 seconds to keep the connections open. Slow headers is an attack that very slowly sends an HTTP request. The request headers are sent so slowly that all available server connections are tied up waiting for the slow request to complete. Slowloris achieves denial of service with just 394 open connections against a typical Apache 2 configuration.

© F5 Networks, Inc 60
Demo Slow HEADERS -Start the attack
• Send the command:
slowhttptest -H -c 3000 -i 10 -r 50 -u http://10.1.10.80/ &
• ... website is down!

© F5 Networks, Inc 61
Demo Slow HEADERS - LTM: Standard Virtual Server with HTTP Profile
• LTM can protect the Apache servers by preventing the Slow Headers attack from ever reaching them. A Standard virtual server with an HTTP profile does not open the server-side connection until the full HTTP request has been received. Since the attack never completes the HTTP request, it is never propagated to the servers.
https://support.f5.com/kb/en-us/solutions/public/8000/000/sol8082.html#standard

© F5 Networks, Inc 62
Demo Slow HEADERS - AFM: Not only Network DDoS protection
DoS enhancements and new vectors
AFM increases the effectiveness of its DoS vectors by enhancing existing vectors for greater coverage, introducing new vectors, providing more hardware-based vectors, and improving overall DoS logging. Version 12.0 also provides sweeper enhancements for Slowloris, bias idle cleanup and reporting.

© F5 Networks, Inc 63
Application DDoS Attacks - HTTP Slow (Low Bandwidth)
• Slow POST (R.U.D.Y.): like Slowloris, Slow POST uses a slow, low-bandwidth approach, but instead of dragging out the HTTP headers it begins an HTTP POST and then feeds in the POST payload very, very slowly. The attack sends a complete initial POST request and then attempts to send each additional piece of POST data in subsequent packets, very slowly. Because the initial POST (the headers) completes, LTM creates the connection to the web server; because the POST data is very slow to complete, all the available connections are tied up again...

© F5 Networks, Inc 64
Demo Slow POST -Start the attack
• Send the command:
slowhttptest -B -c 3000 -i 20 -r 50 -u http://10.1.10.80/ &
• ... website is down!

© F5 Networks, Inc 65
Demo Slow POST - ASM: Deployment Policy
• ASM deployment steps (shortened): you can use Rapid Deployment; then Apply!

© F5 Networks, Inc 66
Demo Slow POST -ASMProtection
•ASM can protect against Slow POST attacks by just being applied to the virtual server.
The policy does NOT need to be in blocking mode. Since ASM must protect itself from
slow connections, it will also protect the virtual server by limiting the number of slow
connections allowed. The number of allowed connections per TMM is configurable.
•Security > Options > Application Security > Advanced Configuration > System Variables
•When this protection kicks in, ASM will log to /var/log/asm:
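An added example, not LTM or ASM code, that models the two defenses described for slow headers (slide 61) and slow POST (slide 66) in one place: the client-side request is assembled in full and the server side is opened only when the whole request has arrived, while a sweeper closes connections whose headers or body stall and caps the number of concurrently incomplete connections, which is what "limiting the number of slow connections allowed" amounts to. The header timeout, the minimum body rate, the cap and the slowhttptest-style timeline are assumptions and constructed input.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ConnState:
    started: float
    buf: bytes = b""
    headers_done_at: Optional[float] = None
    content_length: int = 0
    body_received: int = 0


def _content_length(head):
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip() or b"0")
    return 0


class FullProxyVirtualServer:
    """Client-side request assembly for a Standard virtual server with an HTTP profile.
    A pool member sees a connection only once headers plus Content-Length bytes of body
    have arrived; incomplete requests are swept on timers."""

    def __init__(self, header_timeout=10.0, body_min_bps=64.0, body_grace=5.0, max_slow=100):
        self.header_timeout = header_timeout  # seconds allowed to finish the headers (assumption)
        self.body_min_bps = body_min_bps      # minimum body rate after the grace period (assumption)
        self.body_grace = body_grace
        self.max_slow = max_slow              # cap on concurrently incomplete requests (assumption)
        self.pending = {}                     # conn id -> ConnState
        self.forwarded = []                   # conn ids for which a server-side connection was opened
        self.closed = {}                      # conn id -> reason

    def on_data(self, conn_id, now, data):
        st = self.pending.get(conn_id)
        if st is None:
            if conn_id in self.closed:
                return "closed"
            st = self.pending[conn_id] = ConnState(started=now)
        if st.headers_done_at is None:
            st.buf += data
            end = st.buf.find(b"\r\n\r\n")
            if end < 0:
                return "headers pending"
            st.headers_done_at = now
            st.content_length = _content_length(st.buf[:end])
            st.body_received = len(st.buf) - end - 4
        else:
            st.body_received += len(data)
        if st.body_received >= st.content_length:
            del self.pending[conn_id]
            self.forwarded.append(conn_id)   # only now does a pool member get a connection
            return "forwarded"
        return "body pending"

    def sweep(self, now):
        """Timer-driven cleanup: slow headers, slow POST, then the slow-connection cap."""
        for cid, st in list(self.pending.items()):
            if st.headers_done_at is None:
                if now - st.started > self.header_timeout:
                    self._close(cid, "slow headers")
            else:
                elapsed = now - st.headers_done_at
                if elapsed > self.body_grace and st.body_received / elapsed < self.body_min_bps:
                    self._close(cid, "slow POST")
        excess = len(self.pending) - self.max_slow
        if excess > 0:
            oldest = sorted(self.pending.items(), key=lambda kv: kv[1].started)[:excess]
            for cid, _ in oldest:
                self._close(cid, "slow-connection limit")

    def _close(self, cid, reason):
        self.pending.pop(cid, None)
        self.closed[cid] = reason


def simulate():
    """Constructed timeline: one user, a 3000-connection Slowloris, one R.U.D.Y. client, one real POST."""
    vs = FullProxyVirtualServer(max_slow=50)
    vs.on_data("user", 0.0, b"GET / HTTP/1.1\r\nHost: 10.1.10.80\r\n\r\n")
    for i in range(3000):   # partial headers, then one header line every 10 s
        vs.on_data(f"loris{i}", 0.0, b"GET / HTTP/1.1\r\nHost: 10.1.10.80\r\n")
    vs.sweep(1.0)
    pending_after_cap = len(vs.pending)
    for i in range(3000):
        vs.on_data(f"loris{i}", 10.0, b"X-a: b\r\n")
    vs.sweep(11.0)
    vs.on_data("rudy", 20.0, b"POST /login HTTP/1.1\r\nHost: 10.1.10.80\r\nContent-Length: 1000000\r\n\r\n")
    for t in (30.0, 40.0, 50.0):   # one byte of body every 10 s
        vs.on_data("rudy", t, b"a")
    vs.sweep(60.0)
    vs.on_data("form", 60.0, b"POST /login HTTP/1.1\r\nHost: 10.1.10.80\r\nContent-Length: 5\r\n\r\nab")
    vs.on_data("form", 60.2, b"cde")
    reasons = {}
    for why in vs.closed.values():
        reasons[why] = reasons.get(why, 0) + 1
    return {"forwarded": vs.forwarded, "pending_after_cap": pending_after_cap,
            "closed": reasons, "still_pending": len(vs.pending)}


if __name__ == "__main__":
    print(simulate())
```

Of the 3,001 connections that never finish, the Apache pool members see none; the only server-side connections opened are the two complete requests. Note the slow POST case genuinely needs the rate check, since its headers complete and a proxy that forwarded on headers alone would hand the stalled body to the server.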

© F5 Networks, Inc 67
Application DDoS Attacks - HTTP Slow (Low Bandwidth)
• Slow READ: Slow Read is an attack that sends a normal request for an HTTP page and then accepts the site data with a very small TCP window. Upon receiving the first packet of data, the attacker typically sends back a TCP window size of zero in the acknowledgement. Since the server received a zero window from the client, it waits to send more data, holding the TCP connection open. Once enough zero-window clients have attached to the server, it is unable to accept new clients. Since this behavior is RFC-compliant (although it rarely happens in normally functioning networks), it is difficult for the F5 to distinguish an attacker from a genuinely slow client. There are a few ways to protect against these types of attacks.

© F5 Networks, Inc 68
Demo Slow READ -Start the attack
• Send the command:
slowhttptest -X -c 3000 -i 10 -r 50 -u http://10.1.10.80/ &
• ... website is down!

© F5 Networks, Inc 69
Demo Slow READ - ASM: DDoS Profile Defense for browser applications
• Proactive Bot Defense
• Many DDoS attacks are simple scripts or programs with very little logic. They exploit the known behaviors of the application to prevent normal users from accessing the data. Proactive Bot Defense challenges the client to perform some data manipulation using JavaScript. Since many scripts are unable to parse and perform the JavaScript challenge, they are denied access. Proactive Bot Defense should only be used when you know the normal clients are able to run JavaScript. All modern browsers can pass this challenge.
• Client Side Integrity Defense
• Similar to Proactive Bot Defense, Client Side Integrity Defense challenges the client with JavaScript. It differs in that it only challenges clients that meet the criteria set within a DDoS profile.
• CAPTCHA
• During an attack, clients can be forced to pass a CAPTCHA challenge. The CAPTCHA must be passed before the server data is requested and passed to the client.
• These protections are configured as DDoS profiles and applied to a virtual server.

© F5 Networks, Inc 70
Demo Slow READ -ASM: TPS-Based Detection & Prevention

© F5 Networks, Inc 71
Demo Slow READ -ASM: DDoS Profile Defense for browser applications
• DoS Protection Profile: apply the DDoS profile to the virtual server

© F5 Networks, Inc 72
Demo Slow READ - ASM: Client-side Integrity Defense
[Diagram: the same exchange for a user (browser) and for a web bot]
Client: Hey server, can I get the web page?
ASM: No, you are sending too many requests. Are you a browser?
Browser: Yes, I'm a browser. (passes the JavaScript challenge)
ASM: OK, you are allowed. Here is the web page you asked for.
Bot: *^lkjdfg@#$ (cannot run the challenge)
ASM: Bye bye - blocked.
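The exchange in the diagram, as an added example that is not ASM's challenge mechanism: a per-source TPS counter decides who gets challenged (the "too many requests" criterion), the challenge is a signed token that the injected script would have to transform and return as a cookie, and a client that keeps sending without ever answering is blocked. The signing key, the TPS threshold, the token lifetime, the answer computation and the two constructed clients are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

SECRET = b"example-challenge-key"   # assumption: per-device key used to sign challenges


def expected_answer(nonce):
    """What the injected JavaScript computes in the browser; simple flood scripts never run it."""
    return hashlib.sha256(b"integrity:" + nonce.encode()).hexdigest()[:16]


def browser_solve(challenge):
    """A browser executes the script and sends the result back as a cookie."""
    return ".".join([challenge["nonce"], str(challenge["exp"]), challenge["tag"],
                     expected_answer(challenge["nonce"])])


class ClientSideIntegrityDefense:
    def __init__(self, tps_threshold=10, ttl=60, max_unanswered=3):
        self.tps_threshold = tps_threshold     # per-source requests/second that triggers a challenge
        self.ttl = ttl                         # seconds a solved challenge stays valid
        self.max_unanswered = max_unanswered   # challenges ignored before the source is blocked
        self.recent = defaultdict(deque)       # ip -> request timestamps within the last second
        self.unanswered = defaultdict(int)
        self.blocked = set()

    def _tps(self, ip, now):
        q = self.recent[ip]
        q.append(now)
        while q and now - q[0] >= 1.0:
            q.popleft()
        return len(q)

    def _tag(self, ip, exp, nonce):
        return hmac.new(SECRET, f"{ip}|{exp}|{nonce}".encode(), hashlib.sha256).hexdigest()

    def issue_challenge(self, ip, now):
        nonce = secrets.token_hex(8)
        exp = int(now) + self.ttl
        return {"nonce": nonce, "exp": exp, "tag": self._tag(ip, exp, nonce)}

    def verify_cookie(self, ip, now, cookie):
        """Cookie must be bound to this source, unexpired, signed by us, and carry the script's answer."""
        try:
            nonce, exp, tag, answer = cookie.split(".")
            exp = int(exp)
        except (ValueError, AttributeError):
            return False
        if exp < now:
            return False
        if not hmac.compare_digest(tag, self._tag(ip, exp, nonce)):
            return False
        return hmac.compare_digest(answer, expected_answer(nonce))

    def handle(self, ip, now, cookie=None):
        if ip in self.blocked:
            return "blocked", None
        if cookie is not None and self.verify_cookie(ip, now, cookie):
            self.unanswered[ip] = 0
            return "allowed", None
        if self._tps(ip, now) <= self.tps_threshold:
            return "allowed", None
        self.unanswered[ip] += 1
        if self.unanswered[ip] > self.max_unanswered:
            self.blocked.add(ip)
            return "blocked", None
        return "challenge", self.issue_challenge(ip, now)


def simulate(requests=30):
    """Constructed burst: 30 requests within one second from a browser and from a bot."""
    asm = ClientSideIntegrityDefense()
    outcomes = {"browser": [], "bot": []}
    cookie = None
    for i in range(requests):
        now = i * 0.01
        verdict, challenge = asm.handle("10.1.10.100", now, cookie)
        if verdict == "challenge":
            cookie = browser_solve(challenge)   # the browser runs the script
        outcomes["browser"].append(verdict)
        verdict, _ = asm.handle("10.1.10.200", now)   # the bot ignores every challenge
        outcomes["bot"].append(verdict)
    outcomes["cookie"], outcomes["defense"] = cookie, asm
    return outcomes


if __name__ == "__main__":
    r = simulate()
    print(r["browser"], r["bot"], sep="\n")
```

Binding the tag to the source address is what stops a solved challenge from being harvested once and replayed from a botnet; the expiry bounds how long a single headless-browser solve can be reused from the same address.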

© F5 Networks, Inc 73
Demo Slow READ - ASM: CAPTCHA
• Ultimate solution for telling humans from bots
• Send a challenge to every IP that reached the IP detection criteria thresholds
Note: some argue that CAPTCHA is bad for usability: a user who gets a CAPTCHA from his online shop (or similar) will simply not stay.

© F5 Networks, Inc 74
Application DDoS Attacks - HTTP Flood
• Unlike most simple network attacks, which overwhelm computing resources with invalid packets, HTTP flood attacks look like real HTTP web requests.
• To conventional firewall technology, these requests are indistinguishable from normal traffic.
• Two main variations:
• Basic HTTP flood, which merely repeats the same request over and over again. Easy to detect and mitigate.
• Advanced HTTP flood with a recursive-GET denial of service. Clients using this attack request the main application page, parse the response, and then recursively request every object at the site. Difficult to detect and mitigate.

© F5 Networks, Inc 75
Demo HTTP Flood - Start the attack
• LOIC (Low Orbit Ion Cannon)
• Launch from many sources and ... the website will be down!

© F5 Networks, Inc 76
Demo HTTP Flood -Attack mitigated

© F5 Networks, Inc 77
Application DDoS Mitigation - ASM: Heavy URL Mitigation
When any URL-based mitigation is active, the URLs that were detected as heavy receive this mitigation.

© F5 Networks, Inc 78
Application DDoS Mitigation - ASM: Heavy URL Mitigation
Heavy URL - configuration
Automatically measures latency on URLs for 24 hours and decides which ones are heavy.
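An added example, not ASM's implementation, of the heavy-URL idea on the two preceding slides: per-URL latency samples are kept for a sliding 24-hour window, URLs whose 90th-percentile latency exceeds a threshold are marked heavy, and heavy URLs are mitigated as soon as any URL-based mitigation is active, even if their own request rate is still low. The 24-hour window is from the slide; the percentile, the 1000 ms threshold, the minimum sample count and the latency samples are assumptions and constructed input.

```python
from collections import defaultdict, deque

DAY = 24 * 3600


def percentile(values, p):
    """Nearest-rank percentile over a non-empty list (p in 0..100)."""
    ordered = sorted(values)
    idx = max(0, min(len(ordered) - 1, round(p / 100 * (len(ordered) - 1))))
    return ordered[idx]


class HeavyUrlDetector:
    def __init__(self, window=DAY, threshold_ms=1000.0, min_samples=20, pct=90):
        self.window = window               # 24 h of latency learning, as on the slide
        self.threshold_ms = threshold_ms   # assumption: latency above this makes a URL "heavy"
        self.min_samples = min_samples     # assumption: do not judge a URL on a handful of hits
        self.pct = pct
        self.samples = defaultdict(deque)  # url -> deque of (timestamp, latency_ms)

    def _prune(self, q, now):
        while q and now - q[0][0] > self.window:
            q.popleft()

    def record(self, url, latency_ms, now):
        q = self.samples[url]
        q.append((now, latency_ms))
        self._prune(q, now)

    def is_heavy(self, url, now):
        q = self.samples.get(url)
        if not q:
            return False
        self._prune(q, now)
        if len(q) < self.min_samples:
            return False
        return percentile([lat for _, lat in q], self.pct) > self.threshold_ms

    def heavy_urls(self, now):
        return sorted(u for u in list(self.samples) if self.is_heavy(u, now))

    def decide(self, url, url_tps, url_tps_threshold, url_mitigation_active, now):
        """Per-request decision: a heavy URL is mitigated whenever URL-based mitigation is on;
        any other URL only when its own rate crosses the URL threshold."""
        if url_mitigation_active and self.is_heavy(url, now):
            return "mitigate (heavy URL)"
        if url_tps > url_tps_threshold:
            return "mitigate (URL rate)"
        return "pass"


def simulate():
    """Constructed ~22 h of latency samples: a cheap page, an expensive search, a rarely hit report."""
    det = HeavyUrlDetector()
    for i in range(200):
        t = i * 400.0
        det.record("/", 40 + (i % 7) * 5, t)
        det.record("/search", 1200 + (i % 11) * 50, t)
        if i < 10:                      # only 10 hits: too few to judge
            det.record("/report", 2500, t)
    now = 200 * 400.0
    return {"heavy": det.heavy_urls(now),
            "search_quiet": det.decide("/search", 3, 100, False, now),
            "search_under_attack": det.decide("/search", 3, 100, True, now),
            "root_under_attack": det.decide("/", 3, 100, True, now),
            "root_flooded": det.decide("/", 500, 100, True, now),
            "search_after_a_day": det.is_heavy("/search", now + 2 * DAY)}


if __name__ == "__main__":
    print(simulate())
```

The point of the separate heavy-URL path is asymmetry: a few requests per second to "/search" cost the origin more than hundreds to "/", so a rate threshold tuned for the site as a whole would never fire on the URL an attacker actually picks.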

© F5 Networks, Inc 79
Application DDoS Mitigation -ASM: Heavy URL Reporting

New anti-DDoS features 12.1

© F5 Networks, Inc 81
New DDoS Features in TMOS 12.1
• RTBH: BGP black-hole DoS protection (Remotely Triggered Black-Hole)
• Automatic DDoS vector thresholds
• Behavioral analysis DDoS (BADOS)
• BIG-IP/DHD to Silverline signaling

© F5 Networks, Inc 82
New DDoS Features in TMOS 12.1
RTBH
• RTBH (Remotely Triggered Black-Hole): route injection instructs upstream network devices to drop certain flows at the edge of the network.
• RTBH belongs to AFM, so AFM must be provisioned to configure this feature.
• When you configure settings for DDoS vectors in AFM, you will find a 'Bad actors' column; instead of rate-limiting them you can block them - this is 'IP shunning'.
• On top of this you can configure RTBH and signal this information to upstream routers.
• AFM IP Intelligence (IPI) can now instruct the IP network within the local Autonomous System (AS) to "black-hole" source or destination addresses which have been blacklisted.
• ARM (Advanced Routing) belongs to AFM: whenever you provision AFM you also have the Advanced Routing license enabled. ARM is also included in DHD.

© F5 Networks, Inc 83
New DDoS Features in TMOS 12.1
RTBH

© F5 Networks, Inc 84
New DDoS Features in TMOS 12.1
BADOS - Why?
Today: configuration; tune and maintain; impact leads to mitigation; react to 0-day; static or automatic; impacts the good; uses the wisdom of IT.
BADOS: hands free; unsupervised; predictive; 0-day capable; improves with time (experience); minimal impact on the good guys; uses the wisdom of the crowd.

© F5 Networks, Inc 85
New DDoS Features in TMOS 12.1
BADOS - 3 modes of detection and prevention
• Conservative: slows down and rate-limits (rate-shapes) bad actors
• Standard: like conservative, but may rate-limit all requests based on the server's health
• Aggressive: like standard, but proactively performs all protection actions until health is restored

New anti-DDoS features 13.0

© F5 Networks, Inc 87
New DDoS Features in TMOS 13.0
ASM Auto Thresholding (for TPS-based Detection)

© F5 Networks, Inc 88
New DDoS Features in TMOS 13.0
ASM Auto Thresholding (for TPS-based Detection)

© F5 Networks, Inc 89
New DDoS Features in TMOS 13.0
BADOS Improvements

© F5 Networks, Inc 90
New DDoS Features in TMOS 13.0
Proactive Bot Defense Reporting

© F5 Networks, Inc 91
Security > Reporting > DoS > Visibility > Dashboard
New DDoS Features in TMOS 13.0
DoS Reporting Redesign

DDoS and Application Attacks Mitigation - iRules
(section: Network | Application | Session | SSL | DNS, NTP | Blended)

© F5 Networks, Inc 93
DDoS and Application Attacks Mitigation -iRules
Slow HEADERS (Slowloris) defense

© F5 Networks, Inc 94
DDoS and Application Attacks Mitigation -iRules
Slow POST (R.U.D.Y.) defense

DHD (DDoS Hybrid Defender)

© F5 Networks, Inc 96
DHD –Configure and play

© F5 Networks, Inc 97
DHD - Simplified configuration
[Diagram: a Protected Object (1) is defined by a DDoS profile, a protocol profile and a log profile (2); the DDoS profile carries the VLAN/network info, network and protocol settings, the action and the deployment model; the Protected Object maps to a virtual server (3)]

© F5 Networks, Inc 98
DHD - Out-of-band TAP
[Diagram: edge router and access router, with a tap VLAN mirroring packet data (Rx/Tx) from the access network to the DHD; attack detection and visibility via AVR; apps behind the access network]
• Avoid a single-point-of-failure network scenario
• Identify DDoS attacks (L3/4, SIP, DNS) via mirrored packets
• No need to reconfigure the network
• No single point of failure
• Visibility
• RTBH with the upstream router
• Signal to Silverline
• Simplified and easy POC
• Visibility via AVR

© F5 Networks, Inc 99
DHD - Out-of-band Netflow/IPFIX
[Diagram: edge network and access network; the DDoS platform performs attack detection and inspection from a tap VLAN, attack traffic is steered to the DDoS platform over a scrub VLAN and clean traffic is returned]
• Avoid a single-point-of-failure network scenario
• For when you do not want to inspect/scrub all traffic
• Identify DDoS attacks via NetFlow/IPFIX data
• Ease of deployment
• No single point of failure
• Significant cost efficiencies
• Steer traffic to a local scrubber
• Share attacked IP(s) with Silverline
• Simplified and easy POC
• Visibility via AVR

© F5 Networks, Inc 100
DHD - AFM DoS "Overview" Page: 13.x
[Screenshot walkthrough]
• Choose a context: current attacks, device, a single profile or a VS
• Choose a filter (optional): limit by vector name or protected-object name
• View the status of current attacks
• View current traffic statistics: total packets, dropped packets
• View the current configuration: manual vs. auto mode, aggregate and source-IP limits
• Modify configuration settings without navigating to a new page (same interface as the profile page)

© F5 Networks, Inc 101
DHD
Demo - Slow POST (Application) DDoS attack mitigated by DHD
• TMOS version 12.1
• DHD operates in transparent mode
• BADOS (Behavioral DoS) protection enabled
• Protected Object:
- Listening on port 443 (HTTPS)
[Topology diagram: attacker .200 and user .100 on 10.1.20.0/24, the DHD platform inline in transparent mode, the protected server .11:443 and an unprotected server .12:443 on 10.1.20.0/24]

© F5 Networks, Inc 102
DHD
Demo - Slow POST (Application) DDoS attack mitigated by DHD
• slowhttptest -B -c 3000 -i 20 -r 50 -u https://10.1.20.11/
Slow POST (R.U.D.Y.): like Slowloris, it uses a slow, low-bandwidth approach, but instead of dragging out the HTTP headers it begins an HTTP POST and then feeds in the POST payload very, very slowly. The attack sends a complete initial POST request and then attempts to send each additional piece of POST data in subsequent packets, very slowly. Since the POST data is very slow to complete, all the available connections are tied up again.

F5 Silverline DDoS Protection

© F5 Networks, Inc 104
DDoS attack sizes
[Pie chart: 24%, 38%, 20%, 6%, 12% for the buckets 0.5-1 Gbps, 1-10 Gbps, 10-50 Gbps, over 50 Gbps, unknown, in that order]

© F5 Networks, Inc 105
F5 Silverline-3 Cloud-based Security Services

F5 Silverline - Global Coverage
Global coverage: fully redundant and globally distributed data centers in each geographic region
• San Jose, CA, US
• Ashburn, VA, US
• Frankfurt, DE
• Singapore, SG
Industry-leading bandwidth
• Attack mitigation bandwidth capacity over 2.0 Tbps
• Scrubbing capacity up to 1.0 Tbps (with upstream ACLs)
• Guaranteed bandwidth with Tier 1 carriers
24/7 support
• F5 Security Operations Center (SOC) in Seattle, WA, US: staffed 24x7x365 with security experts for DDoS Protection and WAF
• SOC in Warsaw, Poland: staffed for WebSafe

F5 Silverline - Security Operations Center
Outsourcing DDoS monitoring and mitigation
• Monitoring and mitigating attacks while reducing false positives requires a 24/7 staff of skilled DDoS analysts
Security Operations Center (SOC): Tier II DDoS analysts and above; active DDoS threat monitoring; availability and support
• Full provisioning and configuration
• Proactive alert monitoring
• Identification and inspection of attacks
• Custom and scripted mitigation
• Service level agreements on time to notify, mitigate and escalate

F5 Silverline DDoS Protection - Cloud-based Scrubbing Center
(Diagram: DDoS attackers, botnet attackers, scanners, anonymous proxies and anonymous requests on the Internet alongside legitimate users and corporate users; a threat intelligence feed; the cloud scrubbing service in front of a multiple-ISP (ISP a/b) strategy; on premises, a strategic point of control covering network and DNS, then an IPS and next-generation firewall, then application tiers such as financial services, e-commerce and subscriber services.)
Cloud scrubbing service: volumetric attacks and floods, operations center experts, L3-7 known-signature attacks
Attack classes by layer:
• Network attacks: ICMP flood, UDP flood, SYN flood
• DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning
• HTTP attacks: Slowloris, slow POST, recursive POST/GET
• SSL attacks: SSL renegotiation, SSL flood
CLOUD KEY FEATURES
• Real-time volumetric DDoS attack detection and mitigation in the cloud
• Multi-layered L3-L7 DDoS attack protection
• 24x7 expert SOC services
• Transparent attack reporting via the F5 customer portal

F5 Silverline DDoS Protection - Scrubbing Center Architecture
Planes and components: inspection plane (inspection toolsets, traffic actioner, route management, flow collection, portal); data plane (switching, routing/ACL, network mitigation, routing in a customer VRF, proxy mitigation); return paths to the customer (GRE tunnel, proxy, IP reflection, L2VPN). Signaling and visibility: NetFlow from switching and routing to flow collection, copied traffic to the inspection toolsets, BGP signaling from the traffic actioner, management and visibility via the portal.
Packet walk:
• Ingress router applies ACLs and filters traffic
• Switching mirrors traffic to the inspection toolsets and the routing layer
• Inspection tools provide input on attacks for the traffic actioner and the SOC
• Traffic actioner injects routes and steers traffic
• Network mitigation removes advanced L4 attacks
• Proxy mitigation removes L7 application attacks
• Flow collection aggregates attack data from all sources
• Egress routing returns good traffic back to the customer
• Portal provides real-time reporting and configuration
Silverline cloud services: DDoS (volumetric DDoS protection), WAF (managed application firewall service), zero-day threat mitigation with iRules

F5 Silverline DDoS Protection - Anycast
(Diagram: cloud network scrubbing centers in US West, US East, Europe and Asia, reached via anycast; DDoS attack traffic and legitimate traffic from the Internet land at the nearest center, clean traffic is delivered to the customer DC / customer app over GRE tunnels, and response traffic returns asymmetrically rather than through the scrubbing center.)

F5 Silverline DDoS Protection - Service Options
Always On: primary protection as the first line of defense. The Always On subscription stops bad traffic from ever reaching your network by continuously processing all traffic through the cloud scrubbing service and returning only legitimate traffic to your network.
Always Available: primary protection available on demand. The Always Available subscription runs on standby and can be initiated when under attack. Client router monitoring is optional.
Proactive Hybrid: Silverline is always on and is the first point of detection and mitigation for volumetric attacks before traffic is passed to the datacenter.
Reactive Hybrid: AFM alerts Silverline and diverts traffic for cloud-based mitigation when the datacenter is under volumetric attack.

F5 Silverline DDoS Protection - Traffic Steering to Silverline: Capabilities
Routed mode (BGP, Border Gateway Protocol):
• Asymmetric L3/L4
• Tunnel clean traffic
• Protect entire netblock (/24)
Proxy mode (DNS):
• Full proxy (symmetric)
• L7
• SSL termination
• WAF
• Single application (IP)

F5 Silverline Portal

F5 Silverline Portal
https://portal.f5silverline.com
• Stats, visibility, reporting and intelligence
• Real-time attack view
• Real-time mitigation view
• Real-time scrubbing and clean-traffic view
• Non-attack (regular) traffic reporting capability
• Instant, downloadable PDF reports
• Secure set-up and management of SOC services
• Knowledge base and how-tos

F5 Silverline Portal - Stats, Visibility, Reporting & Intelligence
Customer portal: visibility & compliance, attack reports
• Securely communicate with Silverline SOC experts
• View centralized attack and threat monitoring reports with details including:
  - source geo-IP mapping
  - blocked vs. alerted attacks
  - blocked traffic and attack types
  - alerted attack types
  - threats*
  - bandwidth used
  - hits/sec*
  - type of traffic and visits (bots vs. humans)*

F5 Silverline Portal - Stats: Traffic (Post- and Pre-Scrubbing)
• Dashboard > Netflow: Traffic, Application, Zones

F5 Silverline Portal - Stats: Attack Reporting
• Downloadable PDFs for internal reporting

F5 Silverline Portal - Configuration and Provisioning
Directly manage configuration via the customer portal:
• Configure proxy and routing attributes
• Manage SSL certificates
• Update white-list and black-list information
• Check health status of GRE tunnels
• Administer users and roles
• Download reports and view audit history

F5 Silverline Portal - Configuration: Routed mode (screenshot)

F5 Silverline Portal - Configuration: Proxy mode (four screenshot slides)

F5 Hybrid Signaling: BIG-IP / DHD and Silverline

F5 Networks Hybrid DDoS Protection - Silverline Signalling
• New Hybrid DDoS Signaling iApp available for BIG-IP
• DHD can signal to Silverline natively
https://support.f5silverline.com/hc/en-us/sections/205571867-Hybrid-Signaling

F5 Networks Hybrid DDoS Protection - Silverline Signalling for DHD
• Configure connection to Silverline (screenshot)

Conclusion

Conclusion: F5 Hybrid Security
• BIG-IP platform on premises: Virtual Edition, appliance, chassis
• F5 Silverline cloud security: anti-DDoS managed service, web application firewall managed service
Taglines: high-performance security, simplified security, scalable security

Conclusion: Rethink... Multi-Layer Security with F5
BIG-IP platform (Virtual Edition, appliance, chassis) running TMOS as a full proxy, providing: DDoS protection, app protection, network protection, web fraud protection, SSL visibility & protection, DNS protection, app access.

Conclusion: Key DDoS Mitigation Values
• Performance: minimize business impact from volumetric attacks. Up to 640 Gbps, 7.5M CPS, 576M CCS in the datacenter and over 1 Tbps in the cloud.
• Extensibility: take immediate action on new DDoS threats. 1,000's of iRules have been written to mitigate traffic based on any type of content data.
• Protection: protect against the full spectrum of modern cyber threats. 100+ DDoS vectors; most advanced app security; 98% of the Fortune 1000 trust their traffic to F5.
• Expertise: augment resources with F5 security experts. 24x7x365 DDoS support from Security Operations Centers in the US, APAC and EMEA.

Q & A