Forum Discussion

buzzkiller
Jan 10, 2025

How is CPU/Memory shared across Virtual Servers?

Greetings,

 

Suppose we have two websites, example1.com and example2.com, both exposed to the internet through an F5 Big-IP.

Now, let’s imagine an attacker launches a DDoS attack targeting example1.com. How does the F5 allocate resources in this scenario? Does it dedicate all available resources to manage the attack, potentially making example2.com unavailable as well, or is there a mechanism to limit resource allocation—for instance, capping at 70%—to ensure the other website remains operational?

This might seem like a straightforward question, but I haven’t been able to find a clear answer.

Thank you!

  • Hello,

     

    Using TMOS on HW as a reference point: TMOS uses/assigns CPU to the TMM process for consistent performance, using features like Hyper-Threading etc. TMOS does use adaptive resource allocation based on traffic patterns etc. While TMOS memory is shared across all sessions and connections served by the TMOS, the VS would consume more or less based on its current load.

     

    BIG-IP will allocate more resources to the more heavily used VS; however, resources are not infinite ☹️. There are a number of mechanisms and features deployed to protect the system:

    For DDoS you really should consider Distributed Cloud DDoS Protection.

    If you don't have a DDoS solution, at the very least you should consider provisioning BIG-IP Advanced Firewall Manager to deal with/manage many different DoS vectors.

     

    System-wise, BIG-IP uses adaptive reaping to protect the system under duress and in possible DoS scenarios: Overview of adaptive connection reaping (11.6.0 and later)

    TCP/UDP profiles can manage and protect against buffer resource exhaustion, keepalives, etc.

    Managing Traffic with Bandwidth Controllers & Managing Traffic with Rate Shaping are features that can help protect against large traffic spikes.

     

    You can also limit the number of connections on the Virtual Server, Pool Member and/or Node: Setting Connection Limits

     

    These are just a few things that come to mind; I didn't even mention iRules, which would open the door for other mitigations as well.

     

     

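The connection-limit, bandwidth-controller and adaptive-reaping mechanisms listed in the reply above, written out as one tmsh configuration for the two sites in the question. This is an added example, not part of the thread or of F5's own documentation; the object names (vs_example1, pool_example1, bwc_example1), the member address 10.0.0.11:80, the link size and the limit values are assumed placeholders.

```tmsh
# Added example: per-object limits so a flood aimed at example1.com hits its
# own caps before it exhausts what example2.com needs. All names, addresses
# and numbers are assumed placeholders; tune them to the real capacity.

# 1. Connection limits apply to each object independently (VS, pool member,
#    node), so the example1 VS saturates before the whole box does.
modify ltm virtual vs_example1 connection-limit 50000
modify ltm virtual vs_example2 connection-limit 50000
modify ltm pool pool_example1 members modify { 10.0.0.11:80 { connection-limit 20000 } }
modify ltm node 10.0.0.11 connection-limit 25000

# 2. Static bandwidth controller: the "cap at 70%" idea from the question,
#    here 700 Mbps (max-rate is in bits per second) on an assumed 1 Gbps link,
#    attached only to the VS most likely to be flooded.
create net bwc policy bwc_example1 max-rate 700000000
modify ltm virtual vs_example1 bwc-policy bwc_example1

# 3. Adaptive connection reaping thresholds, in percent of memory in use.
#    Between low and high, idle connections are reaped early; above high,
#    new connections are refused until usage falls back below low.
#    85/95 are the defaults, set explicitly here so the values are on record.
modify sys db tm.reaper.low value 85
modify sys db tm.reaper.high value 95

# 4. Verify what is in effect, then persist.
list ltm virtual vs_example1
list sys db tm.reaper.low
list sys db tm.reaper.high
show ltm virtual vs_example1
save sys config
```

During an event, `show ltm virtual vs_example1` reporting current connections pinned at the limit while vs_example2 keeps serving is the sign the isolation is working.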
  • Hello buzz,

    It all depends on the HW you have and your license.

    If the F5 device has a license for 100 Mb, traffic will be affected for all devices.

    But in simple words, if there is a lot of traffic in attack conditions, it will have an impact on the correct functioning of all services.

    Best regards

     

  • To be honest, you probably need a 2-tier design, with Tier 1 being F5 with AFM and maybe the DNS/GTM module for protection against layer 3/4 attacks, and then Tier 2 being AWAF/LTM/APM (whatever you need). Your AFM can use BGP FlowSpec to block the DoS attackers at the ISP level so as to remove stress from the system: BIG-IP AFM: Security for Data Center DDoS Protection Solution Overview

     

    Tier 1 can also be a scrubbing center/cloud, like F5 XC Distributed Cloud for example. AWAF will protect against web attacks and layer 7 web DoS, which does not come with the big volume of layer 3/4.