Mitigate L7 DDoS with BIG-IP ASM

Today, let’s look at a couple ways to mitigate an application DDoS attack with BIG-IP ASM. We’ve logged into a BIG-IP ASM and navigated to Security>DDoS Protection>DDoS Profiles. In the General Se...
Published Nov 28, 2017
Version 1.0
ASM Advanced WAF
BIG-IP
ddos
iRules
mitigation
security
Artiom_Lichtens's avatar
Artiom_Lichtens
Historic F5 Account
Dec 19, 2017

Hi Piotr,

The "Honeypot" in the video is a simple iRule 

ifile
call (for demo purposes only):

when IN_DOSL7_ATTACK {
     log local0.warning "Attacker IP: $DOSL7_ATTACKER_IP, Mitigation: $DOSL7_MITIGATION"
    if { $DOSL7_MITIGATION contains "Rate Limiting" } {
        HTTP::respond 403 content [ifile get ifile_HONEYPOT]
         log local0.warning "Honeypot!"
    }
}

In production - I have a customer that simply redirects traffic to a specific pool / member which forwards traffic to a "real" Honeypot server for analysis etc.