BIG-IP AFM and Flowmon DDoS protection Part II - Attack mitigation

 

In Part I of the series we covered typical deployment scenario and minimum basic configuration of Flowmon DDos Defender module and BIG-IP AFM. If protected objects or “Segments” defined correctly, Flowmon will begin a Baseline “learning” process to establish common traffic patterns and typical bandwidth utilization. It typically takes several days to define a traffic baseline, after which Flowmon is ready for DDoS detection and mitigation actions

Figure 1: Protected Segment example

 

 

Volumetric attacks can be detected by Flowmon in under 60 seconds, depending on traffic data source type. NetFlow/sFlow sources have demonstrated detection time of 30-45 seconds in F5 labs.

There are several things that happen upon attack detection when Flowmon is deployed as an integrated solution with BIG-IP AFM:

Figure2: Attack Detected example

 

  • Scrubbing center actions
    • DDoS Profile creation
    • Virtual Server provisioning
  • Redirection actions
    • BGP route advertisement

Figure 3: Mitigation Start example

 

 

So how does Flowmon create a DDoS profile in AFM? Let’s look at the iControlREST interface:

Figure 4: Wireshark view of HTTP packets

Flowmon sends 2 POST HTTP requests to assign a DDoS profile according to the attack vector(s) and create a Virtual Server to listen for incoming traffic.

*Token-based authentication is performed prior to sending first POST request

Figure 5: Wireshark view of DDoS Profile JSON
 

Figure 6: Wireshark view of Virtual Server Creation JSON

Once AFM provisioning is done Flowmon executes traffic redirection routine. In case of BGP re-routing it sends a BGP UPDATE message to the corresponding router. Update message (iBGP) contains a NEXT_HOP attribute which points to BIG-IP AFM External Self-IP where L4 Forwarding Virtual Server is provisioned. NLRI prefix corresponds to a “Protected Segment”: 

Figure 7: iBGP Update message example

 

After mitigation start Flowmon checks BIG-IP DDoS profile statistics every 30 seconds. It keeps checking the stats until it detects that attack is not active anymore, and no traffic is matched against any of DDoS vectors defined in BIG-IP AFM.

 

 

Figure 8: Attack Not Active example

Data is kept flowing through AFM for the minimum of 30 seconds beyond after attack is identified as inactive (“NOT ACTIVE” in Flowmon DDoS Defender ). This “buffer” interval helps prevent false negatives and keep protection in place if attacks resumes after a short interval.

 

 

Figure 9: Attack Ended example

Attack is marked as “ENDED” and traffic is re-routed back to it’s original path after being inactive (marked as “NOT ACTIVE” in Flowmon DDoS Defender) for pre-defined or “buffer” period of time. 

“Mitigation Stop” step ensures no configuration is left in BIG-IP AFM, and sends BGP update message to the router so original or “default” route is used for the data traffic

Figure 10: Mitigation Stop example

As part of Mitigation Stop routine, Flowmon requests an F5 Analytics Report before removing DDoS profile and Virtual Server from BIG-IP AFM. 

Detailed report (PDF and UI-based) is available for each attack for analysis and recording purposes:

Figure 11: Attack report example

 

 

 

 

 

Published Mar 01, 2018
Version 1.0
AFM
BIG-IP
security

Was this article helpful?

No CommentsBe the first to comment