Mitigate L7 DDoS with BIG-IP ASM
Today, let’s look at a couple of ways to mitigate an application DDoS attack with BIG-IP ASM.
We’ve logged into a BIG-IP ASM and navigated to Security>DDoS Protection>DDoS Profiles. In the General Se...
Published Nov 28, 2017
Version 1.0
PSilva
Technical writer, evangelist, speaker, video host, story teller and overall clever guy. Bringing the slightly theatrical and fairly technical together, I train, write, speak, along with overall evangelism. Highly technical information security professional with social media skills who has also been in such plays as The Glass Menagerie, All’s Well That Ends Well, Cinderella and others.
Ret. Employee
Artiom_Lichtens
Dec 19, 2017
Historic F5 Account
Hi Piotr,
The "Honeypot" in the video is a simple iRule ifile call (for demo purposes only):
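when IN_DOSL7_ATTACK {
    # Record the source and the mitigation ASM applied to this request
    log local0.warning "Attacker IP: $DOSL7_ATTACKER_IP, Mitigation: $DOSL7_MITIGATION"
    # Rate-limited requests get the honeypot page stored in the ifile
    if { $DOSL7_MITIGATION contains "Rate Limiting" } {
        HTTP::respond 403 content [ifile get ifile_HONEYPOT]
        log local0.warning "Honeypot!"
    }
}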
In production - I have a customer that simply redirects traffic to a specific pool / member which forwards traffic to a "real" Honeypot server for analysis etc.
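A log-triage sketch for the two messages the iRule above writes, added here as an example and not part of the original comment or of any F5 tooling. It counts mitigations per source address and checks that every "Rate Limiting" event has a matching "Honeypot!" line. The syslog prefix, the rule name dos_honeypot, the addresses and the mitigation strings in the sample are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Body of the iRule's first log statement: "Attacker IP: <ip>, Mitigation: <text>"
ATTACK_RE = re.compile(r"Attacker IP: (?P<ip>[^,\s]+), Mitigation: (?P<mitigation>.+?)\s*$")

# Constructed sample lines (hypothetical host, rule name, addresses, mitigation names).
SAMPLE_LOG = """\
Dec 19 10:15:01 bigip1 warning tmm[11234]: Rule /Common/dos_honeypot <IN_DOSL7_ATTACK>: Attacker IP: 203.0.113.7, Mitigation: Source IP-Based Rate Limiting
Dec 19 10:15:01 bigip1 warning tmm[11234]: Rule /Common/dos_honeypot <IN_DOSL7_ATTACK>: Honeypot!
Dec 19 10:15:02 bigip1 warning tmm[11234]: Rule /Common/dos_honeypot <IN_DOSL7_ATTACK>: Attacker IP: 203.0.113.7, Mitigation: Source IP-Based Rate Limiting
Dec 19 10:15:02 bigip1 warning tmm[11234]: Rule /Common/dos_honeypot <IN_DOSL7_ATTACK>: Honeypot!
Dec 19 10:15:03 bigip1 warning tmm[11234]: Rule /Common/dos_honeypot <IN_DOSL7_ATTACK>: Attacker IP: 198.51.100.23, Mitigation: Client Side Integrity Defense
Dec 19 10:15:04 bigip1 warning tmm[11235]: Rule /Common/dos_honeypot <IN_DOSL7_ATTACK>: Attacker IP: 2001:db8::5, Mitigation: URL-Based Rate Limiting
Dec 19 10:15:04 bigip1 warning tmm[11235]: Rule /Common/dos_honeypot <IN_DOSL7_ATTACK>: Honeypot!
Dec 19 10:15:05 bigip1 notice mcpd[4321]: unrelated configuration message
"""


def summarize(lines):
    """Aggregate the iRule's log output into per-source mitigation counts."""
    per_ip = defaultdict(Counter)
    honeypot_logged = 0
    for line in lines:
        match = ATTACK_RE.search(line)
        if match:
            per_ip[match["ip"]][match["mitigation"]] += 1
        elif line.rstrip().endswith("Honeypot!"):
            honeypot_logged += 1
    # Same condition as the iRule: the honeypot is served only when the
    # mitigation string contains "Rate Limiting" (case-sensitive substring).
    honeypot_expected = sum(
        count
        for mitigations in per_ip.values()
        for name, count in mitigations.items()
        if "Rate Limiting" in name
    )
    return {
        "per_ip": {ip: dict(c) for ip, c in per_ip.items()},
        "honeypot_expected": honeypot_expected,
        "honeypot_logged": honeypot_logged,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for ip, mitigations in sorted(report["per_ip"].items()):
        print(ip, mitigations)
    if report["honeypot_expected"] != report["honeypot_logged"]:
        print("warning: honeypot responses and rate-limiting events do not match")
```

A mismatch between the two counters points at dropped log lines or at an iRule whose condition no longer matches the mitigation names in use.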