BIG-IP AFM and Flowmon DDoS protection Part II - Attack mitigation

In Part I of the series we covered typical deployment scenario and minimum basic configuration of Flowmon DDos Defender module and BIG-IP AFM. If protected objects or “Segments” defined correctly, Flowmon will begin a Baseline “learning” process to establish common traffic patterns and typical bandwidth utilization. It typically takes several days to define a traffic baseline, after which Flowmon is ready for DDoS detection and mitigation actions

Figure 1: Protected Segment example

Volumetric attacks can be detected by Flowmon in under 60 seconds, depending on traffic data source type. NetFlow/sFlow sources have demonstrated detection time of 30-45 seconds in F5 labs.

There are several things that happen upon attack detection when Flowmon is deployed as an integrated solution with BIG-IP AFM:

Figure2: Attack Detected example

Scrubbing center actions
- DDoS Profile creation
- Virtual Server provisioning
Redirection actions
- BGP route advertisement

Figure 3: Mitigation Start example

So how does Flowmon create a DDoS profile in AFM? Let’s look at the iControlREST interface:

Figure 4: Wireshark view of HTTP packets

Flowmon sends 2 POST HTTP requests to assign a DDoS profile according to the attack vector(s) and create a Virtual Server to listen for incoming traffic.

*Token-based authentication is performed prior to sending first POST request

Figure 5: Wireshark view of DDoS Profile JSON

Figure 6: Wireshark view of Virtual Server Creation JSON

Once AFM provisioning is done Flowmon executes traffic redirection routine. In case of BGP re-routing it sends a BGP UPDATE message to the corresponding router. Update message (iBGP) contains a NEXT_HOP attribute which points to BIG-IP AFM External Self-IP where L4 Forwarding Virtual Server is provisioned. NLRI prefix corresponds to a “Protected Segment”:

Figure 7: iBGP Update message example

After mitigation start Flowmon checks BIG-IP DDoS profile statistics every 30 seconds. It keeps checking the stats until it detects that attack is not active anymore, and no traffic is matched against any of DDoS vectors defined in BIG-IP AFM.

Figure 8: Attack Not Active example

Data is kept flowing through AFM for the minimum of 30 seconds beyond after attack is identified as inactive (“NOT ACTIVE” in Flowmon DDoS Defender ). This “buffer” interval helps prevent false negatives and keep protection in place if attacks resumes after a short interval.

Figure 9: Attack Ended example

Attack is marked as “ENDED” and traffic is re-routed back to it’s original path after being inactive (marked as “NOT ACTIVE” in Flowmon DDoS Defender) for pre-defined or “buffer” period of time.

“Mitigation Stop” step ensures no configuration is left in BIG-IP AFM, and sends BGP update message to the router so original or “default” route is used for the data traffic