A Guide to F5 Volumetric (Routed) DDoS Protection in F5 Distributed Cloud
Introduction
F5 Volumetric (Routed) DDoS protection is a service in F5 Distributed Cloud (F5 XC) available for standard deployment and for emergency use. F5 has over 100 engineers on its incident response team and dedicated 24/7 SOC analysts in three security operations centers around the world, which means F5 can help with the quick detection, mitigation, and resolution of Layer 3-4 routed DDoS attacks.
F5 Volumetric DDoS Protection stands out for several key reasons, especially for enterprises needing fully managed, hybrid, and multicloud-based DDoS mitigation with human-led and AI-assisted support.
Here are some of the ways Volumetric DDoS protection with F5 stands out:
- Fully Managed 24/7 Security Operations Center (SOC)
  - F5’s SOC continuously monitors traffic for DDoS attacks in real time.
  - Unlike purely automated solutions, human analysts intervene to fine-tune attack mitigation.
  - The SOC provides expert-led response to mitigate complex or evolving threats.
- Hybrid Deployment Flexibility
  - Cloud-based, always-on, or on-demand models for different use cases.
  - Integrates with on-prem F5 BIG-IP solutions for a hybrid defense strategy.
  - Helps reduce false positives by fine-tuning security policies.
- Advanced Attack Detection & AI-driven Mitigation
  - Uses behavioral analytics to differentiate between legitimate traffic and attacks.
  - Mitigates volumetric, application-layer, and multi-vector attacks.
  - AI-assisted rules dynamically adapt to new attack patterns.
- Large-Scale Scrubbing Capacity
  - Global scrubbing centers prevent volumetric DDoS attacks from overwhelming networks.
  - Reduces the risk of downtime by filtering malicious traffic before it reaches critical infrastructure.
  - Routed protection works at the prefix level: the protected /24 prefixes are advertised via BGP so that traffic destined for them is routed through the Distributed Cloud scrubbing centers, where attack traffic is dropped before clean traffic is returned to the customer network (reference DevCentral).
- API-Driven and Customizable Security Policies
  - Offers API integration for automated DDoS mitigation and security orchestration.
  - Supports custom policies to protect specific applications from targeted attacks.
- Enterprise-Grade Support & Compliance
  - Designed for large enterprises, financial institutions, and high-security industries.
  - Meets compliance standards such as PCI DSS, GDPR, and SOC 2.
  - Backed by F5’s global threat intelligence network.
Logging & Observability
A recently introduced capability is the ability to observe security events with external handlers through the Global Log Receiver (GLR) service. Organizations can send Distributed Cloud events to AWS S3 buckets, HTTP(S) servers, Datadog, Splunk, AWS CloudWatch, Azure Event Hubs and Blob Storage, Google Cloud Platform (GCP), a Kafka receiver, New Relic, IBM QRadar, and Sumo Logic, and then watch DDoS and other security events on whichever platform they prefer.
If you’re curious how Distributed Cloud events look using ELK (Elasticsearch, Logstash, and Kibana), including how to set it up, see this related article in DevCentral.
To configure Distributed Cloud to send events from Global Log Receiver, log in to the Distributed Cloud console and navigate to Shared Configuration > Manage > Global Log Receiver. Add a new item, and ensure the following:
Log Type: Security Events
Log Message Selection: Select logs from all namespaces
For this example, I use Distributed Cloud App Connect to securely deliver events to an instance of ELK Stack running on AWS. To deliver the events locally with internal networking between Distributed Cloud and ELK Stack, I use a Customer Edge (CE) appliance, also in AWS. Having the CE deployed locally provides a secure endpoint with only local routing in the AWS VPC.
➡️ See the following documentation for how to deploy a CE in AWS.
Next is to use App Connect with an HTTP Load Balancer. In this case, the origin pool is my ELK Stack receiver, and I’ve configured ELK to receive events over HTTP.
Because I’ve configured the HTTP Load Balancer to be publicly available on the Internet to accept traffic from the Global Log Receiver, a Service Policy restricts access to specific IP ranges. Although not shown, only traffic from the IP ranges F5 designates for the Global Log Receiver is allowed to reach this load balancer.
➡️ See the following Allowlist reference documentation to learn which IP addresses to allow.
To receive and process events in ELK, I’ve configured the following for logstash:
root@3c99db3fa334:/etc/logstash/conf.d# cat 50-f5xc-logs.conf
# Receive the events that Global Log Receiver pushes over HTTP on port 8080.
input {
  http {
    port => 8080
  }
}
# Parse the JSON event body and keep the parsed fields under "message_parsed",
# which is the hierarchy they are searched in from Kibana.
filter {
  json {
    source => "message"
    target => "message_parsed"
  }
}
# Write events to a daily index (four-digit year, month, day).
output {
  elasticsearch {
    hosts => ["localhost"]
    index => "f5xc-logs-%{+YYYY.MM.dd}"
  }
}
In the ELK console, new messages are visible under Analytics > Discover. With messages arriving from GLR, many of the fields become searchable in the “message_parsed” hierarchy. Volumetric (Routed) DDoS events carry the field “sec_event_type” with the value “routed_ddos_sec_event”.
The following alert and mitigation messages can be classified and searched by the “msg” value together with the presence of the timestamp fields:
- New ongoing alert
  - msg = “alert created”
  - no “alert_ended_at” field present
- New and already-completed alert
  - msg = “alert created”
  - “alert_ended_at” field present
- Completed alert (previously ongoing)
  - msg = “alert completed”
  - “alert_started_at” field present
  - “alert_ended_at” field present
- New ongoing mitigation
  - msg = “mitigation created”
  - mitigation_ongoing = true
  - no “mitigation_stop_time” field present
- New and already-completed mitigation
  - msg = “mitigation created and completed”
  - mitigation_ongoing = false
  - “mitigation_stop_time” field present
- Completed mitigation
  - msg = “mitigation completed”
  - mitigation_ongoing = false
  - “mitigation_stop_time” field present
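The same classification can be applied programmatically to events as they arrive, for example to raise a notification outside Kibana when a mitigation starts. The script below is an added example, not code from this article or from F5: it parses a few constructed GLR-style JSON lines (the field names follow the table above; the timestamp values, the “waf_sec_event” type and the nesting under message_parsed are assumptions), classifies each routed_ddos_sec_event, reports records whose fields contradict their msg value instead of silently placing them in a class, and derives a net count of still-open alerts and mitigations. Because the article names no alert or mitigation identifier, that open count is created-ongoing minus completed rather than a per-ID match.

```python
import json
from collections import Counter

ROUTED_DDOS = "routed_ddos_sec_event"

# Constructed sample lines (not real GLR output). Field names follow the
# article's table; timestamp values and the WAF event type are invented.
SAMPLE_LINES = [
    '{"sec_event_type": "routed_ddos_sec_event", "msg": "alert created", '
    '"alert_started_at": "2025-01-01T10:00:00Z"}',
    '{"sec_event_type": "routed_ddos_sec_event", "msg": "alert created", '
    '"alert_started_at": "2025-01-01T10:00:00Z", "alert_ended_at": "2025-01-01T10:05:00Z"}',
    '{"sec_event_type": "routed_ddos_sec_event", "msg": "alert completed", '
    '"alert_started_at": "2025-01-01T09:00:00Z", "alert_ended_at": "2025-01-01T09:30:00Z"}',
    '{"sec_event_type": "routed_ddos_sec_event", "msg": "alert created", '
    '"alert_started_at": "2025-01-01T11:00:00Z"}',
    '{"sec_event_type": "routed_ddos_sec_event", "msg": "mitigation created", '
    '"mitigation_ongoing": true}',
    '{"sec_event_type": "routed_ddos_sec_event", "msg": "mitigation created and completed", '
    '"mitigation_ongoing": false, "mitigation_stop_time": "2025-01-01T10:05:00Z"}',
    '{"sec_event_type": "routed_ddos_sec_event", "msg": "mitigation completed", '
    '"mitigation_ongoing": false, "mitigation_stop_time": "2025-01-01T10:20:00Z"}',
    # Event nested under message_parsed (as a logstash json filter with a
    # target stores it); its fields contradict the msg value on purpose.
    '{"message_parsed": {"sec_event_type": "routed_ddos_sec_event", '
    '"msg": "mitigation created", "mitigation_ongoing": false}}',
    '{"sec_event_type": "waf_sec_event", "msg": "not a routed DDoS event"}',
    'this line is not JSON',
]


def unwrap(record):
    """Return the event body whether it sits at the root or under message_parsed."""
    body = record.get("message_parsed")
    return body if isinstance(body, dict) else record


def classify(event):
    """Map one event to a class from the article's table.

    Returns None for events that are not routed DDoS events, and
    'inconsistent' when the timestamp/ongoing fields contradict msg."""
    if event.get("sec_event_type") != ROUTED_DDOS:
        return None
    msg = event.get("msg")
    started = "alert_started_at" in event
    ended = "alert_ended_at" in event
    ongoing = event.get("mitigation_ongoing")
    stopped = "mitigation_stop_time" in event
    if msg == "alert created":
        return "alert_completed_on_creation" if ended else "alert_ongoing"
    if msg == "alert completed":
        return "alert_completed" if started and ended else "inconsistent"
    if msg == "mitigation created":
        return "mitigation_ongoing" if ongoing is True and not stopped else "inconsistent"
    if msg == "mitigation created and completed":
        return "mitigation_completed_on_creation" if ongoing is False and stopped else "inconsistent"
    if msg == "mitigation completed":
        return "mitigation_completed" if ongoing is False and stopped else "inconsistent"
    return "unknown_msg"


def summarize(lines):
    """Count event classes over an iterable of JSON lines."""
    counts = Counter()
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            counts["unparseable"] += 1
            continue
        if not isinstance(record, dict):
            counts["unparseable"] += 1
            continue
        cls = classify(unwrap(record))
        counts[cls if cls is not None else "other_sec_event"] += 1
    return counts


def open_counts(counts):
    """Net still-open alerts and mitigations.

    The article names no alert or mitigation identifier, so this is
    created-ongoing minus completed, clamped at zero. Match on an ID
    instead if the events you receive carry one."""
    return {
        "open_alerts": max(0, counts["alert_ongoing"] - counts["alert_completed"]),
        "open_mitigations": max(0, counts["mitigation_ongoing"] - counts["mitigation_completed"]),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for cls, n in sorted(summary.items()):
        print(f"{cls:35s} {n}")
    print(open_counts(summary))
```

The "inconsistent" class is worth keeping on a real feed: a "mitigation created" record with mitigation_ongoing = false would otherwise be counted as an active mitigation, and an unexpected msg value (reported here as "unknown_msg") is the first sign that the event schema has changed and the dashboard filters need revisiting.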
Putting it all together in ELK, each routed_ddos_sec_event can be visualized on a filtered dashboard. The pie visual below lets security admins see which types of attack events have occurred and whether any are still ongoing.
The dashboard visual can be added to other existing security dashboards in Kibana to provide a complete and robust overview of your security posture.
Demo
The following video further illustrates the capabilities of Volumetric (Routed) DDoS protection in Distributed Cloud. In it, I walk through the different ways protection can be activated and what some of the mitigation events and alerts look like in the console.
🎥 YouTube: https://youtu.be/jYiqog_tz2I
Conclusion
F5 Volumetric (Routed) DDoS protection combines integrated services, namely core protection, auto-mitigation, security-analyst-initiated mitigations, and advanced deep packet inspection and filtering, to provide the best protection available for Layer 3 and Layer 4 routed networks. Onboarding a network to routed DDoS protection is a simple process, and F5 also provides emergency DDoS mitigation for customers who are actively under attack. DDoS attacks can be observed not only in the Distributed Cloud console but also directly in your monitoring platform of choice when using Global Log Receiver.