BIG-IP AFM and Flowmon DDoS protection Part II - Attack mitigation


In Part I of the series we covered a typical deployment scenario and the minimum basic configuration of the Flowmon DDoS Defender module and BIG-IP AFM. If protected objects, or “Segments”, are defined correctly, Flowmon will begin a baseline “learning” process to establish common traffic patterns and typical bandwidth utilization. It typically takes several days to define a traffic baseline, after which Flowmon is ready for DDoS detection and mitigation actions.

Figure 1: Protected Segment example



Volumetric attacks can be detected by Flowmon in under 60 seconds, depending on the traffic data source type. NetFlow/sFlow sources have demonstrated detection times of 30-45 seconds in F5 labs.

There are several things that happen upon attack detection when Flowmon is deployed as an integrated solution with BIG-IP AFM:

Figure 2: Attack Detected example


  • Scrubbing center actions
    • DDoS Profile creation
    • Virtual Server provisioning
  • Redirection actions
    • BGP route advertisement

Figure 3: Mitigation Start example



So how does Flowmon create a DDoS profile in AFM? Let’s look at the iControl REST interface:

Figure 4: Wireshark view of HTTP packets

Flowmon sends two HTTP POST requests: one to assign a DDoS profile according to the attack vector(s), and one to create a Virtual Server to listen for incoming traffic.

*Token-based authentication is performed prior to sending the first POST request.

Figure 5: Wireshark view of DDoS Profile JSON

Figure 6: Wireshark view of Virtual Server Creation JSON

Once AFM provisioning is done, Flowmon executes the traffic redirection routine. In the case of BGP re-routing, it sends a BGP UPDATE message to the corresponding router. The UPDATE message (iBGP) contains a NEXT_HOP attribute that points to the BIG-IP AFM External Self-IP where the L4 Forwarding Virtual Server is provisioned. The NLRI prefix corresponds to a “Protected Segment”:

Figure 7: iBGP Update message example
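The UPDATE described above can be verified from a capture taken on the router-facing link. The following Python is an added example, not Flowmon or F5 code: it decodes an IPv4 BGP UPDATE (RFC 4271 layout) and confirms that NEXT_HOP is the AFM external self-IP and that every NLRI prefix falls inside the protected segment. The function names and the documentation-range addresses are assumptions made for the demonstration.

```python
import ipaddress
import struct

def parse_update(msg):
    """Return (NEXT_HOP, [NLRI prefixes]) from one IPv4 BGP UPDATE (RFC 4271)."""
    if len(msg) < 23 or msg[:16] != b"\xff" * 16:
        raise ValueError("bad BGP header")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != 2 or length != len(msg):
        raise ValueError("not a complete UPDATE")
    body = msg[19:]
    wlen = struct.unpack("!H", body[:2])[0]              # withdrawn-routes length
    alen = struct.unpack("!H", body[2 + wlen:4 + wlen])[0]
    attrs, nlri = body[4 + wlen:4 + wlen + alen], body[4 + wlen + alen:]
    next_hop, i = None, 0
    while i + 3 <= len(attrs):                           # walk path attributes
        flags, code = attrs[i], attrs[i + 1]
        if flags & 0x10:                                 # extended-length bit
            vlen, i = struct.unpack("!H", attrs[i + 2:i + 4])[0], i + 4
        else:
            vlen, i = attrs[i + 2], i + 3
        if code == 3 and vlen == 4:                      # NEXT_HOP attribute
            next_hop = ipaddress.IPv4Address(attrs[i:i + 4])
        i += vlen
    prefixes, i = [], 0
    while i < len(nlri):                                 # (bit length, prefix) pairs
        bits, end = nlri[i], i + 1 + (nlri[i] + 7) // 8
        if bits > 32 or end > len(nlri):
            raise ValueError("malformed NLRI")
        raw = nlri[i + 1:end].ljust(4, b"\x00")
        prefixes.append(ipaddress.IPv4Network((raw, bits), strict=False))
        i = end
    return next_hop, prefixes

def diversion_ok(msg, afm_self_ip, segment):
    """True when NEXT_HOP is the AFM self-IP and all NLRI fall in the segment."""
    next_hop, prefixes = parse_update(msg)
    seg = ipaddress.IPv4Network(segment)
    return (next_hop == ipaddress.IPv4Address(afm_self_ip)
            and bool(prefixes) and all(p.subnet_of(seg) for p in prefixes))

def build_sample(next_hop, prefix):  # constructed demo UPDATE, not a capture
    net = ipaddress.IPv4Network(prefix)
    attrs = (b"\x40\x01\x01\x00" + b"\x40\x02\x00"       # ORIGIN=IGP, empty AS_PATH
             + b"\x40\x03\x04" + ipaddress.IPv4Address(next_hop).packed
             + b"\x40\x05\x04" + struct.pack("!I", 100)) # LOCAL_PREF=100
    nlri = bytes([net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]
    body = b"\x00\x00" + struct.pack("!H", len(attrs)) + attrs + nlri
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), 2) + body
```

A `False` result from `diversion_ok` on a real capture means the advertised route either points somewhere other than the scrubbing device or covers address space outside the segment being protected.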


After mitigation starts, Flowmon checks BIG-IP DDoS profile statistics every 30 seconds. It keeps checking the stats until it detects that the attack is no longer active and no traffic is matched against any of the DDoS vectors defined in BIG-IP AFM.



Figure 8: Attack Not Active example

Data is kept flowing through AFM for a minimum of 30 seconds after the attack is identified as inactive (“NOT ACTIVE” in Flowmon DDoS Defender). This “buffer” interval helps prevent false negatives and keeps protection in place if the attack resumes after a short interval.



Figure 9: Attack Ended example

The attack is marked as “ENDED” and traffic is re-routed back to its original path after being inactive (marked as “NOT ACTIVE” in Flowmon DDoS Defender) for a pre-defined, or “buffer”, period of time.

The “Mitigation Stop” step ensures no configuration is left in BIG-IP AFM, and sends a BGP update message to the router so that the original, or “default”, route is used for the data traffic.

Figure 10: Mitigation Stop example

As part of the Mitigation Stop routine, Flowmon requests an F5 Analytics Report before removing the DDoS profile and Virtual Server from BIG-IP AFM.

A detailed report (PDF and UI-based) is available for each attack for analysis and recording purposes:

Figure 11: Attack report example






Published Mar 01, 2018
Version 1.0
