For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

cjunior_138458's avatar
cjunior_138458
Icon for Altostratus rankAltostratus
Sep 30, 2016

Silverline against internet link DDoS

Regarding: how to protect my internet link and not just VIPs.

 

Have someone here setting Silverline DDoS in proxy mode setup?

 

As I understand that an attacker will flood any "backdoor" in my public net link and so make it down.

 

I think the issue is that my internet infra shares the services like ecommerce, mail, vpn, etc, and I think that just setting up ecommerce VIPs in Silverline portal is not enough to guarantee its availability, since I have other known public addresses.

 

Obvious that, if the traffic is not sent to the Silverline, it can't protect against DDoS, thus, an attacker may arrive into IP address instead of name resolution. I understand that an ACL list is needed in ISP and it need to cover all my subnet and not just one or two addresses, So, an ACL white list with Silverline /21, otherwise, I need to be reactive (black list), am I wrong?

 

If I'm right and expecting to be proactive against DDoS attacks, I need to forward all the traffics (web, vpn, mail, etc) to the Silverline, correct? If so, should be a big trouble for me :(

 

Have you experienced this in a similar Silverline deployment?

 

Suggestions are welcome.

 

Best Regards.

 

application delivery
cloud
Silverline

2 Replies

  • IainThomson85_1's avatar
    IainThomson85_1
    Icon for Cumulonimbus rankCumulonimbus
    Oct 03, 2016

    So from understanding - You have 2 modes.

     

    You have BGP Deployment and Proxy Deployment

     

    Both come with their own specific use cases, and indeed limitations on if you can deploy it.

     

    To answer your question, if you're deploying in "Proxy" mode, you'll delegate the DNS result to a Silverline front end IP, therefore any traffic which queries the FQDN will hit Silverline scrubbing centres... HOWEVER... Your "real" public IP will still be exposed, so therefore may still be subject to a DDoS attack. Its less likely.... but still possible. Security through obscurity.

     

  • cjunior's avatar
    cjunior
    Icon for Nacreous rankNacreous
    Oct 03, 2016

    Hi Iain. Exactly, I feel to the mercy of luck.

     

    Look, it's not a product effectiveness question (I have no doubt about the F5 team), but in how this product will protect the link whereas I understand I have a poor infra for that deployment.

     

    It's still worse, when my contract type is "Always Available", so I have to react when the link is under attack, thus, the IP range is exposed for all the time.

     

    The F5 Silverline allows me to be proactive at specific days, but never know when an attack will come and what the attacker is planning for today.

     

    Thanks for your comment.