For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

ukhan20's avatar
ukhan20
Icon for Cirrus rankCirrus
Dec 16, 2024

DDoS Two-Layer Architecture

How to achieve this two-layer with one arm deployment L3/l4 (AFM) and L7 (WAF) for PoC . i have F5 VIPRION 4450 blade with VCMP enable license and others too.
application delivery
security
HarunTuna's avatar
HarunTuna
Icon for Cirrus rankCirrus
Dec 16, 2024

Hi ukhan20

Different approach...

Let me summary what one-arm mode is 

In a one-arm deployment, all traffic flows through the BIG-IP system using a single network interface. The system inspects and processes the traffic but does not perform full routing.

  • Ingress and Egress Traffic: Both incoming and outgoing traffic use the same interface.
  • This simplifies the setup for PoC purposes and allows easy testing of DDoS mitigation at multiple layers (L3/L4 and L7).

Enable and Configure vCMP

Since your VIPRION 4450 supports vCMP (virtualized BIG-IP instances):

  1. Create two guest instances:
    • One for AFM (L3/L4 DDoS protection).
    • One for AWAF (L7 WAF protection).
  2. Assign appropriate resource allocations (CPU, memory, and bandwidth) to each guest.
  3. Configure VLANs or interfaces for traffic flow within the virtual guests.

Deploy L3/L4 DDoS Protection with AFM

Configure AFM (Advanced Firewall Manager) to mitigate DDoS attacks at the network tier (L3/L4):

Steps:

  1. Navigate to Security >> DoS Protection >> Network Protection.
  2. Enable DoS Protection on the Virtual Server handling traffic for the network tier.
  3. Create and apply DoS Profiles:
    • Enable protections like SYN Flood, UDP Flood, ICMP Flood, and DNS Amplification.
    • Set rate limits and thresholds to mitigate volumetric attacks.
  4. Configure IP Intelligence to detect and block malicious IPs automatically.

Key Notes:

  • Attach a DoS Profile to the wildcard or relevant Virtual Server.
  • Use Threshold Settings for traffic baselining.

So, to test...

  • Simulate different DDoS attack vectors:
    • Network Layer (L3/L4): Use tools like hping3, LOIC, or similar for SYN floods, UDP floods, etc.
    • Application Layer (L7): Use tools like slowloris, apache benchmark, or HTTP GET/POST floods.
  • Monitor traffic behavior using Dashboards:
    • AFM → Security >> DoS Protection >> DoS Dashboard.
    • AWAF → Security >> Application Security >> Charts and Reports.
  • Verify:
    • Traffic at the network tier is mitigated by AFM.
    • Legitimate traffic continues to flow through AWAF for L7 protection.

If you need anything, do not hesitate to come to here.

 

Harun