For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

dragonflymr's avatar
dragonflymr
Icon for Cirrostratus rankCirrostratus
Nov 02, 2015

Hi,

 

Thanks for hints. If I am not wrong limit for VE ends at 10Gb throughput? I am asking because right now under attack customer is reporting hardware BIG-IP as bottleneck (don't know yet what is HW). Wonder is alternative could be some LB pointing to ASM VE pool to create LB at the attack time in cost effective manner.

 

As far as I know ASM is most resource intensive module on BIG-IP.

 

Piotr

 

Hannes_Rapp's avatar
Hannes_Rapp
Icon for Nimbostratus rankNimbostratus
Nov 02, 2015
10Gbps is indeed the current maximum supported by VE. Your next question is thougher, it's for sure that you can deploy ASM on a separate BigIP, and route requests to it from another AFM/LTM box. What I do not know is if you can implement some sort of balancing from a single AFM/LTM appliance/cluster to multiple ASM boxes. Not even sure if it will help you remedy the effects of a DOS attack significantly. Personally, I would leave out the balancing to multiple ASM appliances since the ASM module is quite costly and the desired solution is not guaranteed, but instead look into possibilities to take down the attack on the AFM/LTM box, and if the attack is huge (i.e the on-site appliance couldn't cope), manually activate the cloud-based DOS attack mitigation (i.e pay to subscribe service from F5 Silverline or Prolexic). Just some ideas.