BIG-IP AFM and Flowmon DDoS protection Part II - Attack mitigation
In Part I of the series we covered a typical deployment scenario and the minimum basic configuration of the Flowmon DDoS Defender module and BIG-IP AFM. If protected objects, or “Segments”, are defined correctly, Flowmon will begin a Baseline “learning” process to establish common traffic patterns and typical bandwidth utilization. It typically takes several days to define a traffic baseline, after which Flowmon is ready for DDoS detection and mitigation actions.
Figure 1: Protected Segment example
Volumetric attacks can be detected by Flowmon in under 60 seconds, depending on the traffic data source type. NetFlow/sFlow sources have demonstrated detection times of 30-45 seconds in F5 labs.
There are several things that happen upon attack detection when Flowmon is deployed as an integrated solution with BIG-IP AFM:
Figure 2: Attack Detected example
- Scrubbing center actions
- DDoS Profile creation
- Virtual Server provisioning
- Redirection actions
- BGP route advertisement
Figure 3: Mitigation Start example
So how does Flowmon create a DDoS profile in AFM? Let’s look at the iControl REST interface:
Figure 4: Wireshark view of HTTP packets
Flowmon sends 2 HTTP POST requests to assign a DDoS profile according to the attack vector(s) and to create a Virtual Server that listens for incoming traffic.
*Token-based authentication is performed prior to sending the first POST request.
Figure 5: Wireshark view of DDoS Profile JSON
Figure 6: Wireshark view of Virtual Server Creation JSON
Once AFM provisioning is done, Flowmon executes the traffic redirection routine. In the case of BGP re-routing, it sends a BGP UPDATE message to the corresponding router. The UPDATE message (iBGP) contains a NEXT_HOP attribute that points to the BIG-IP AFM External Self-IP where the L4 Forwarding Virtual Server is provisioned. The NLRI prefix corresponds to a “Protected Segment”:
Figure 7: iBGP Update message example
After mitigation starts, Flowmon checks BIG-IP DDoS profile statistics every 30 seconds. It keeps checking the stats until it detects that the attack is no longer active and no traffic is matched against any of the DDoS vectors defined in BIG-IP AFM.
Figure 8: Attack Not Active example
Data is kept flowing through AFM for a minimum of 30 seconds after the attack is identified as inactive (“NOT ACTIVE” in Flowmon DDoS Defender). This “buffer” interval helps prevent false negatives and keeps protection in place if the attack resumes after a short interval.
Figure 9: Attack Ended example
The attack is marked as “ENDED” and traffic is re-routed back to its original path after being inactive (marked as “NOT ACTIVE” in Flowmon DDoS Defender) for the pre-defined “buffer” period of time.
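The polling and buffer behaviour described above, sketched as a small state machine. This is an added example, not Flowmon or F5 code: the class and function names, the vector names and the counter values are constructed, and the buffer is assumed to be counted from the first poll that finds no matching traffic.

```python
from dataclasses import dataclass

POLL_INTERVAL_S = 30  # page: DDoS profile stats are checked every 30 seconds
BUFFER_S = 30         # page: minimum buffer; counting it from the first quiet poll is assumed

ACTIVE, NOT_ACTIVE, ENDED = "ACTIVE", "NOT ACTIVE", "ENDED"


@dataclass
class MitigationTracker:  # hypothetical name
    buffer_s: int = BUFFER_S
    state: str = ACTIVE
    quiet_s: int = 0  # seconds spent continuously NOT ACTIVE

    def on_poll(self, vector_hits: dict) -> str:
        """Consume one poll of per-vector match counts and return the new state."""
        if self.state == ENDED:
            return self.state  # mitigation already stopped, nothing left to track
        if any(count > 0 for count in vector_hits.values()):
            # Traffic still matches a vector: attack is (again) active, restart the buffer.
            self.state, self.quiet_s = ACTIVE, 0
        elif self.state == ACTIVE:
            # First poll with no matches on any vector.
            self.state, self.quiet_s = NOT_ACTIVE, 0
        else:
            self.quiet_s += POLL_INTERVAL_S
            if self.quiet_s >= self.buffer_s:
                self.state = ENDED  # safe to stop mitigation and restore the route
        return self.state


def replay(polls, buffer_s=BUFFER_S):
    """Run a sequence of polls through a fresh tracker and return each state."""
    tracker = MitigationTracker(buffer_s=buffer_s)
    return [tracker.on_poll(p) for p in polls]


# Constructed sample: the attack pauses for one poll, resumes, then stops for good.
QUIET = {"udp-flood": 0, "tcp-syn-flood": 0}
SAMPLE_POLLS = [
    {"udp-flood": 1200, "tcp-syn-flood": 0},
    QUIET,
    {"udp-flood": 340, "tcp-syn-flood": 0},
    QUIET,
    QUIET,
]

if __name__ == "__main__":
    for i, state in enumerate(replay(SAMPLE_POLLS)):
        print(f"t={i * POLL_INTERVAL_S:>3}s  {state}")
```

In the sample, the single quiet poll in the middle does not end mitigation, which is the case the buffer interval exists for.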
The “Mitigation Stop” step ensures no configuration is left in BIG-IP AFM, and sends a BGP update message to the router so that the original or “default” route is used for the data traffic.
Figure 10: Mitigation Stop example
As part of the Mitigation Stop routine, Flowmon requests an F5 Analytics Report before removing the DDoS profile and Virtual Server from BIG-IP AFM.
A detailed report (PDF and UI-based) is available for each attack for analysis and recording purposes:
Figure 11: Attack report example