Sergey_Starzhi1
F5 Employee

F5’s dedicated security portfolio is impressive: with WAF, DDoS Hybrid Defender and the cloud-based Silverline service, it provides solid network and application protection for many customers around the world. Every Service Provider and Enterprise is now trying to implement a comprehensive DDoS detection and mitigation system to protect its customers, network infrastructure and critical applications. With DDoS risk rising daily, new attack vectors and bot-driven coordinated attacks, it is crucial for every company to have an automatic and dependable DDoS protection framework in place.

There are various deployment scenarios for DDoS protection solutions:

  • In-line ("Always-ON"), on-premise or cloud-based
  • Hybrid of “Always-ON” and “Always-available”, i.e. F5 DDoS Hybrid Defender
  • Out-of-path, using port mirroring (SPAN) for unidirectional traffic analysis and DDoS detection
  • "Always-available” with 3rd-party DDoS detection

[Figure 1]
For most, the in-line “Always-ON” option combined with an “Always-available” cloud-based scrubbing center works best: it allows quick threat detection, protects against Layer 7 attacks and usually copes well with large volumetric attacks. Some companies (ISPs in particular) decide not to deploy in-line systems, opting instead for an out-of-band solution that provides an on-premise “Always-available” option.

Through a close partnership with Flowmon, F5 has created a fully automated DDoS protection system of this out-of-path kind: Flowmon detects the attack from flow data and BIG-IP AFM scrubs the redirected traffic. Today we focus on the deployment aspects and a configuration example for this solution.

[Figure 2]
Bill of Materials

  • F5 BIG-IP AFM (appliance or VE)

Flowmon has been tested with BIG-IP v13.1 (13.1.0.1 and 13.1.0.2)

  • Flowmon Collector (appliance or VE)
  • Flowmon DDoS Defender module

Flowmon v8 and DDoS Defender v3.01.00 are the minimum required versions.

*Flowmon v9.x has a fully integrated BIG-IP AFM interface. If installing Flowmon v9.x with DDoS Defender v4.x, some of the configuration steps below are skipped.

Configuration

The BIG-IP platform should be licensed, provisioned and configured with the necessary VLANs, trunks and Self-IPs. For more information on initial configuration see https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-system-initial-configurati...

Application configuration, i.e. the Virtual Server and DoS profile, is created dynamically by Flowmon via iControl REST. Details of this integration will be covered in Part II of the series.

The Flowmon appliance (or VE) requires data sources: it can use NetFlow/sFlow/IPFIX exported by network devices, or Flowmon Probes (wiretaps), to collect, analyze and store network traffic data. Integrated L4 DDoS protection requires at least one such source connected to Flowmon, and that source must see the traffic destined for the subnets you intend to protect; what is not exported cannot be detected.

Flowmon DDoS Defender must be configured to detect a DDoS attack and perform the corresponding action(s). In the integrated F5/Flowmon solution this means traffic is redirected to F5 AFM and a valid configuration is created on AFM so that it can scrub the traffic effectively:

 - The F5 Client for Flowmon DDoS Defender has to be installed. For download and installation instructions refer to the Flowmon Support portal

*The F5 Client installation step should be skipped if installing Flowmon v9.x with DDoS Defender v4.x

 - Create a new Scrubbing Center, selecting “F5 BIG-IP/VIPRION” as the OSCI and providing the IP address and credentials for the F5 iControl REST interface. Flowmon stores these credentials and uses them to create objects on BIG-IP, so use a dedicated BIG-IP account with the minimum role required for those objects rather than a shared administrator login.

Figure 3: Scrubbing Center details

 - Add the IP router(s) Flowmon will use to redirect network traffic. Various options are available, including eBGP, iBGP, ACL and BGP Flowspec

Figure 4: Router details

 - Create a new alert of type “Run Script” and upload “f5mitigation.sh”

Figure 5: Alert definition

* If installing Flowmon v9.x with DDoS Defender v4.x, the alert should be configured according to requirements without the custom script

 - Create a new Rule for DDoS detection. Enter the values for minimal traffic and the baseline learning period according to the environment. The learning period must cover representative normal traffic: a baseline learned while an attack is in progress will hide that attack

Figure 6: Rule definition

 - Finally, create a new Segment listing the protected subnets and the corresponding actions

Figure 7: Protected object definition
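As an added worked example (it is neither Flowmon DDoS Defender code nor F5’s f5mitigation.sh, which Part II covers), the following Python models the pieces configured in the steps above: a Segment of protected subnets, a Rule with minimal traffic and a baseline learning period, detection over flow records bucketed by time, and the kind of iControl REST calls a Scrubbing Center action issues to provision a forwarding virtual server with a DoS profile on AFM. The flow records, prefixes, thresholds and the sigma multiplier `k` are constructed for the demo. The iControl REST paths (`/mgmt/shared/authn/login`, `/mgmt/tm/security/dos/profile`, `/mgmt/tm/ltm/virtual`) are real collections, but the property set of the virtual-server body is an assumed minimal shape that must be checked against your BIG-IP version.

```python
"""Added example, not Flowmon's or F5's code: a simplified model of the
detect -> redirect/provision loop this article configures in the Flowmon GUI.
Flow records, prefixes and thresholds are constructed for the demo."""
import json
import ssl
import urllib.request
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

BUCKET_S = 10  # aggregate flows into 10-second buckets

# Constructed NetFlow-style records (time_s, dst_ip, bytes): two hosts at
# ~60 kB/s and ~40 kB/s for 60 s, then a flood to 192.0.2.10 from second 60.
FLOWS = ([(t, "192.0.2.10", 120_000) for t in range(0, 60, 2)]
         + [(t, "192.0.2.20", 80_000) for t in range(0, 60, 2)]
         + [(t, "192.0.2.10", 5_000_000) for t in range(60, 90)])
PROTECTED = ["192.0.2.0/24"]  # the "Segment": subnets Flowmon protects

@dataclass
class Rule:            # mirrors the "Rule definition" step
    min_bps: float     # minimal traffic: never alert below this rate
    learning_s: int    # baseline learning period in seconds
    k: float = 3.0     # assumed: alert above baseline + k * stddev

RULE = Rule(min_bps=1_000_000, learning_s=60)

def bucket_traffic(flows, protected, bucket_s=BUCKET_S):
    """Bytes per destination host per bucket, for destinations in the segment."""
    nets = [ip_network(p) for p in protected]
    buckets = {}
    for t, dst, nbytes in flows:
        if any(ip_address(dst) in n for n in nets):
            b = buckets.setdefault(t // bucket_s * bucket_s, {})
            b[dst] = b.get(dst, 0) + nbytes
    return buckets

def bucket_bps(bucket, bucket_s=BUCKET_S):
    return sum(bucket.values()) * 8 / bucket_s

def learn_baseline(buckets, rule, bucket_s=BUCKET_S):
    """Mean/stddev of segment traffic in the learning window. The window must
    hold normal traffic: a baseline learned during an attack hides that attack."""
    series = [bucket_bps(b, bucket_s) for t, b in sorted(buckets.items())
              if t < rule.learning_s]
    if len(series) < 3:
        raise ValueError("learning period too short to build a baseline")
    return mean(series), pstdev(series)

def detect(buckets, rule, baseline, bucket_s=BUCKET_S):
    """(bucket_start, bps, target_prefix) for every bucket over threshold; the
    most-hit host is the /32 the scrubbing-center action will redirect."""
    base_mean, base_std = baseline
    threshold = max(rule.min_bps, base_mean + rule.k * base_std)
    alerts = []
    for t, b in sorted(buckets.items()):
        if t >= rule.learning_s:  # no alerts while still learning
            bps = bucket_bps(b, bucket_s)
            if bps > threshold:
                alerts.append((t, bps, f"{max(b, key=b.get)}/32"))
    return alerts

def afm_provisioning_calls(target_prefix, name="flowmon_mitigation"):
    """iControl REST calls of the kind a Scrubbing Center action issues: a DoS
    profile plus a forwarding virtual server for the attacked host. The paths
    are real collections; the body shape is assumed, verify on your version."""
    ip = target_prefix.split("/")[0]
    return [
        ("POST", "/mgmt/tm/security/dos/profile", {"name": name}),
        ("POST", "/mgmt/tm/ltm/virtual", {
            "name": f"{name}_{ip.replace('.', '_')}",
            "destination": f"{ip}:0",          # all ports of the attacked host
            "mask": "255.255.255.255",
            "ipForward": True,                 # AFM scrubs, then forwards
            "profiles": [{"name": "fastL4"}, {"name": name}],  # assumed
        }),
    ]

def send_calls(host, user, password, calls, cafile):
    """Issue the calls with an iControl REST token. TLS verification stays on;
    cafile is the CA behind the BIG-IP management certificate. Not run here."""
    ctx = ssl.create_default_context(cafile=cafile)
    def post(path, body, headers):
        req = urllib.request.Request(
            f"https://{host}{path}", data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json", **headers}, method="POST")
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)
    token = post("/mgmt/shared/authn/login", {"username": user, "password":
                 password, "loginProviderName": "tmos"}, {})["token"]["token"]
    return [post(p, b, {"X-F5-Auth-Token": token}) for _, p, b in calls]

def run_demo():
    buckets = bucket_traffic(FLOWS, PROTECTED)
    alerts = detect(buckets, RULE, learn_baseline(buckets, RULE))
    return alerts, (afm_provisioning_calls(alerts[0][2]) if alerts else [])

if __name__ == "__main__":
    for t, bps, target in run_demo()[0]:
        print(f"t={t:>3}s {bps / 1e6:8.1f} Mbps -> redirect {target} to AFM")
```

Running it alerts on the three flood buckets (t = 60, 70, 80 s at 40 Mbps against a 1 Mbps threshold, the minimal-traffic floor winning over a flat 0.8 Mbps baseline) and names 192.0.2.10/32 as the prefix to pull towards the scrubbing center. `send_calls` is deliberately not invoked by the demo; when you wire it to a real BIG-IP, use the dedicated, least-privileged account described above and keep certificate verification on rather than disabling it for a self-signed management certificate.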

What’s next?

In Part II of the series we will see how Flowmon triggers traffic rerouting and what it provisions on BIG-IP AFM platform to enforce DDoS attack scrubbing. 

Last update: 27-Feb-2018 03:00