F5 Distributed Cloud Bot Defense Protecting AWS CloudFront Distributions
In this article, I will show you how to easily protect your AWS CloudFront distributions with F5 Distributed Cloud (XC) Bot Defense. We will take advantage of AWS Lambda@Edge and the AWS Serverless Application Repository (SAR) to integrate with the F5 XC Bot Defense API.
Amazon CloudFront is a content delivery network (CDN) operated by Amazon Web Services. Content delivery networks provide a globally-distributed network of proxy servers that cache content, such as web videos or other bulky media, more locally to consumers, thus improving access speed for downloading the content.
Combining F5 Distributed Cloud Bot Defense with Amazon CloudFront is an effective and robust way to protect your vital applications from malicious traffic.
General Overview of Architecture
Create a new Bot Defense application for AWS CloudFront
- Log in to your F5 Distributed Cloud Console
- Go to the Dashboard page of XC console and click Bot Defense
- Verify you are in the correct Namespace. Click Add Application at the top-left of the page.
- Add a Name for the Application, and a Description.
- Select a region (US, EMEA, or APJC).
- For Connector Type, select AWS CloudFront.
Once AWS CloudFront is selected, options appear to configure AWS reference details.
Add AWS Reference Information
- Enter your AWS 12-digit Account Number.
- Specify your AWS Configuration and add your CloudFront distribution by Distribution ID and/or Distribution Tag. You can add one or more distributions. This information is needed to associate your newly created protected application with your AWS distribution(s).
Add Protected Endpoints
- Click Configure to define your protected endpoints.
- Click Add Item.
- Enter a name and a description for the endpoint.
- Specify the Domain Matcher. You can choose any domain or a specific host value.
- Specify the Path to the endpoint (such as /login).
- Choose the HTTP Methods for which requests will be analyzed by Bot Defense. Multiple methods can be selected.
- Select the Client type that will access this endpoint (Web Client).
- Select the Mitigation action to be taken for this endpoint:
  - Continue (the request continues to the origin).
  - Redirect. Provide the appropriate Status Code and URI.
  - Block. Provide the Status Code, Content Type, and Response message.
- When done configuring the endpoint, click Apply.
- To continue, click Apply at the bottom of the page.
Define Continue Global Mitigation Action
The Header Name for Continue Mitigation Action field names the header that is added to the request when the Continue mitigation action is selected and Add A Header was chosen in the endpoint mitigation configuration screen.
- JS Location - Choose where in the page to insert the JS:
  - Just after the <head> tag.
  - Just after the </title> tag.
  - Right before the <script> tag.
- Under JavaScript Insertions, click Configure.
- Click Add Item.
- Click Apply.
- Click Save & Exit to save your protected application configuration.
Download Config File and AWS Installer Tool
In the Actions column of the table, click the ellipsis (…) on your application. Download both the Config File and the AWS Installer.
Log in to your AWS Console
- Log in to the AWS Console home page.
- Select the AWS Region Northern Virginia (us-east-1).
- Use the search to find Serverless Application Repository and click it.
- Click Available Applications and search for "F5".
- Click the F5BotDefense tile.
This will take you to the Lambda page. Here you will create and deploy a Lambda Function.
- Click Deploy to install the F5 Connector for CloudFront.
Deploying the F5 Connector creates a new Lambda Application in your AWS Account. AWS sets the name of the new Lambda Application to start with serverlessrepo-.
The deployment can take some time. It is complete when you see a resource named serverlessrepo-F5BotDefense-* of type Lambda Function.
You can click on the name to review the contents of the installed Lambda Function.
Switch to AWS CloudShell
Configuration of the F5 Connector in AWS is best done via the F5 CLI tool. It is recommended to use AWS CloudShell in the us-east-1 region to avoid any issues.
- After starting AWS CloudShell, click Actions and Upload file.
- Upload the files you downloaded from the F5 XC Console, config.json and f5tool. (Only one file at a time can be uploaded.)
- Run bash f5tool --install <config.json>. Installation can take up to 5 minutes.
Note: Copy-pasting the command may not work, so type it manually.
The installation tool saves the previous configuration of each CloudFront Distribution in a file. You can use the F5 tool to restore a saved Distribution config (thus removing F5 Bot Defense).
Note: Your F5 XC Bot Defense configuration, such as protected endpoints, is sensitive security information and is stored in AWS Secrets Manager. You should delete config.json after the CLI installation.
Validate CloudFront Distribution Functions
- Navigate to CloudFront > Distributions and select the distribution you are protecting.
- Then go to Behaviors.
Behaviors is where you specify which requests and responses are forwarded to the Lambda@Edge function for processing by F5 XC Bot Defense.
- F5 XC Bot Defense requires us to use the Viewer Request and Origin Request events.
- These events must be free for use (i.e., no other functions are already associated with them).
The AWS Installer tool that we downloaded from Distributed Cloud Console and ran in the AWS CloudShell configured this for us.
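As an added check for this section (example code, not the article's or F5's tooling), the following Python inspects a distribution config in the shape returned by aws cloudfront get-distribution-config (the inner DistributionConfig object) and reports, for each behavior, whether viewer-request and origin-request are associated with the F5 function, unassigned, or already taken by another function. The sample config, account number, function ARNs and the F5_MARKER name fragment are assumptions constructed for the example.

```python
import json

# Events the F5 connector must own on every behavior (from the article).
REQUIRED_EVENTS = ("viewer-request", "origin-request")
# The SAR deployment names its function serverlessrepo-F5BotDefense-*; assumed
# here as the marker that identifies the F5 function inside an association ARN.
F5_MARKER = "serverlessrepo-F5BotDefense"

def _behaviors(dist_config):
    """Yield (label, behavior) for the default and each path-pattern behavior."""
    yield "Default (*)", dist_config["DefaultCacheBehavior"]
    for b in dist_config.get("CacheBehaviors", {}).get("Items", []):
        yield b["PathPattern"], b

def check_behaviors(dist_config):
    """Return {behavior: {event: 'ok' | 'missing' | 'conflict:<arn>'}}."""
    report = {}
    for label, behavior in _behaviors(dist_config):
        items = behavior.get("LambdaFunctionAssociations", {}).get("Items", [])
        by_event = {a["EventType"]: a["LambdaFunctionARN"] for a in items}
        status = {}
        for event in REQUIRED_EVENTS:
            arn = by_event.get(event)
            if arn is None:
                status[event] = "missing"          # installer has not wired it
            elif F5_MARKER in arn:
                status[event] = "ok"
            else:
                status[event] = "conflict:" + arn  # another function holds it
        report[label] = status
    return report

# Constructed sample (account 123456789012 and ARNs are placeholders): the
# default behavior is wired correctly, while /login* is missing origin-request
# and has an unrelated function on viewer-request.
_F5 = "arn:aws:lambda:us-east-1:123456789012:function:serverlessrepo-F5BotDefense-F5BotDefense-ABC123:1"
SAMPLE_CONFIG = {
    "DefaultCacheBehavior": {"LambdaFunctionAssociations": {"Quantity": 2, "Items": [
        {"EventType": "viewer-request", "LambdaFunctionARN": _F5},
        {"EventType": "origin-request", "LambdaFunctionARN": _F5}]}},
    "CacheBehaviors": {"Quantity": 1, "Items": [{"PathPattern": "/login*",
        "LambdaFunctionAssociations": {"Quantity": 1, "Items": [
            {"EventType": "viewer-request",
             "LambdaFunctionARN": "arn:aws:lambda:us-east-1:123456789012:function:legacy-rewrite:3"}]}}]},
}

if __name__ == "__main__":
    print(json.dumps(check_behaviors(SAMPLE_CONFIG), indent=2))
```

To check a live distribution, feed the DistributionConfig from aws cloudfront get-distribution-config --id <DISTRIBUTION_ID> to check_behaviors instead of the sample; any "missing" or "conflict" entry means the installer could not (or did not) take over that event.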
AWS CloudWatch contains the logs for the Lambda function deployed by the F5BotDefense serverless application.
- The Log group name starts with /aws/lambda/us-east-1.serverlessrepo-F5BotDefense-F5BotDefense-*.
- The Lambda function's logs are found in the region closest to the location where the function executed.
For troubleshooting, look for error messages in the links under Log streams.
View Bot Traffic
Now let's return to the F5 XC Console and look at the monitoring page.
- Log in to your F5 Distributed Cloud Console
- Go to the Dashboard page of XC console and click Bot Defense.
- Make sure you are in the correct Namespace.
- Under Overview, click Monitor.
Here you can monitor and respond to events that are identified as Bot traffic.
That is all that is required to deploy F5 XC Bot Defense to protect your AWS CloudFront distributions from malicious bots, protecting yourself from fraud and abuse.
- An overview of F5 Distributed Cloud Bot Defense
- How to easily protect your BIG-IP applications using F5's Distributed Cloud Bot Defense with iApps
- How to easily protect your BIG-IP applications using F5's Distributed Cloud Bot Defense, natively