Sergey_Starzhi1 (F5 Employee)

In Part I of the series we covered the typical deployment scenario and the minimum basic configuration of the Flowmon DDoS Defender module and BIG-IP AFM. Once protected objects, or “Segments”, are defined correctly, Flowmon begins a baseline “learning” process to establish common traffic patterns and typical bandwidth utilization. It typically takes several days to define a traffic baseline, after which Flowmon is ready for DDoS detection and mitigation actions.

Figure 1: Protected Segment example


Volumetric attacks can be detected by Flowmon in under 60 seconds, depending on the traffic data source type. NetFlow/sFlow sources have demonstrated detection times of 30-45 seconds in F5 labs.

There are several things that happen upon attack detection when Flowmon is deployed as an integrated solution with BIG-IP AFM:

Figure 2: Attack Detected example

  • Scrubbing center actions
    • DDoS Profile creation
    • Virtual Server provisioning
  • Redirection actions
    • BGP route advertisement

Figure 3: Mitigation Start example

So how does Flowmon create a DDoS profile in AFM? Let’s look at the iControl REST interface:

Figure 4: Wireshark view of HTTP packets

Flowmon sends two HTTP POST requests: one to create a DDoS profile matching the detected attack vector(s), and one to create a Virtual Server that listens for the incoming traffic.

*Token-based authentication is performed before the first POST request is sent.

Figure 5: Wireshark view of DDoS Profile JSON

Figure 6: Wireshark view of Virtual Server Creation JSON

Once AFM provisioning is done, Flowmon executes the traffic redirection routine. In the case of BGP re-routing it sends a BGP UPDATE message to the corresponding router. The (iBGP) UPDATE message contains a NEXT_HOP attribute that points to the BIG-IP AFM external Self-IP on which the L4 forwarding Virtual Server is provisioned. The NLRI prefix corresponds to a “Protected Segment”:

Figure 7: iBGP Update message example
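The following is an added example (not Flowmon code) that builds and parses the iBGP UPDATE just described using the RFC 4271 wire format: ORIGIN, an empty AS_PATH (the route is originated inside the local AS), NEXT_HOP set to the scrubbing Self-IP, LOCAL_PREF, and a single NLRI prefix for the protected segment. It goes slightly beyond the figure by also producing the withdrawal form of the message, which is what returns traffic to the original route at Mitigation Stop. The addresses and prefix are constructed documentation values; the parser is included so the encoding can be verified round-trip.

```python
"""Build and parse the iBGP UPDATE shape described above (RFC 4271 encoding).
Constructed example; the addresses are documentation ranges, not a real capture."""
import ipaddress
import struct
from typing import Dict, List

BGP_MARKER = b"\xff" * 16          # all-ones marker, 16 bytes
BGP_UPDATE = 2                      # message type code for UPDATE
ORIGIN, AS_PATH, NEXT_HOP, LOCAL_PREF = 1, 2, 3, 5
FLAG_TRANSITIVE = 0x40              # well-known transitive attribute flags
FLAG_EXT_LEN = 0x10                 # extended (2-byte) length flag


def _attr(type_code: int, value: bytes) -> bytes:
    """Encode one path attribute; all values here are short, so 1-byte length."""
    return struct.pack("!BBB", FLAG_TRANSITIVE, type_code, len(value)) + value


def _nlri(prefix: str) -> bytes:
    """NLRI encoding: prefix length in bits followed by only the significant octets."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:nbytes]


def _message(body: bytes) -> bytes:
    return BGP_MARKER + struct.pack("!HB", 19 + len(body), BGP_UPDATE) + body


def build_update(next_hop: str, prefix: str, local_pref: int = 100) -> bytes:
    """iBGP UPDATE announcing `prefix` with NEXT_HOP = the AFM external Self-IP."""
    attrs = (
        _attr(ORIGIN, b"\x00")                                    # 0 = IGP
        + _attr(AS_PATH, b"")                                     # empty: locally originated
        + _attr(NEXT_HOP, ipaddress.IPv4Address(next_hop).packed)
        + _attr(LOCAL_PREF, struct.pack("!I", local_pref))        # mandatory on iBGP
    )
    body = struct.pack("!H", 0) + struct.pack("!H", len(attrs)) + attrs + _nlri(prefix)
    return _message(body)


def build_withdraw(prefix: str) -> bytes:
    """UPDATE withdrawing `prefix`, so the router reverts to its original route."""
    withdrawn = _nlri(prefix)
    return _message(struct.pack("!H", len(withdrawn)) + withdrawn + struct.pack("!H", 0))


def _parse_prefixes(data: bytes) -> List[str]:
    out, pos = [], 0
    while pos < len(data):
        plen = data[pos]; pos += 1
        nbytes = (plen + 7) // 8
        raw = data[pos:pos + nbytes].ljust(4, b"\x00"); pos += nbytes
        out.append(f"{ipaddress.IPv4Address(raw)}/{plen}")
    return out


def parse_update(msg: bytes) -> Dict:
    """Decode an UPDATE back into its withdrawn prefixes, key attributes and NLRI."""
    if msg[:16] != BGP_MARKER:
        raise ValueError("bad BGP marker")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != BGP_UPDATE or length != len(msg):
        raise ValueError("not a well-formed UPDATE")
    pos = 19
    wlen = struct.unpack("!H", msg[pos:pos + 2])[0]; pos += 2
    withdrawn = _parse_prefixes(msg[pos:pos + wlen]); pos += wlen
    alen = struct.unpack("!H", msg[pos:pos + 2])[0]; pos += 2
    attrs, end = {}, pos + alen
    while pos < end:
        flags, code = msg[pos], msg[pos + 1]; pos += 2
        if flags & FLAG_EXT_LEN:
            vlen = struct.unpack("!H", msg[pos:pos + 2])[0]; pos += 2
        else:
            vlen = msg[pos]; pos += 1
        attrs[code] = msg[pos:pos + vlen]; pos += vlen
    return {
        "withdrawn": withdrawn,
        "origin": attrs[ORIGIN][0] if ORIGIN in attrs else None,
        "as_path_empty": attrs.get(AS_PATH) == b"",
        "next_hop": str(ipaddress.IPv4Address(attrs[NEXT_HOP])) if NEXT_HOP in attrs else None,
        "local_pref": struct.unpack("!I", attrs[LOCAL_PREF])[0] if LOCAL_PREF in attrs else None,
        "nlri": _parse_prefixes(msg[pos:]),
    }


if __name__ == "__main__":
    # Constructed values: scrubbing Self-IP 203.0.113.10, protected segment 192.0.2.0/24
    print(parse_update(build_update("203.0.113.10", "192.0.2.0/24")))
    print(parse_update(build_withdraw("192.0.2.0/24")))
```

When validating a deployment, the two fields to confirm in the capture are the NEXT_HOP (it must be the AFM external Self-IP, not the router’s own address) and that the NLRI is exactly the protected segment, so that only that segment is pulled through the scrubbing path.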


After mitigation start, Flowmon checks the BIG-IP DDoS profile statistics every 30 seconds. It keeps checking the stats until it detects that the attack is no longer active and no traffic is matched against any of the DDoS vectors defined in BIG-IP AFM.

Figure 8: Attack Not Active example

Data keeps flowing through AFM for a minimum of 30 seconds after the attack is identified as inactive (“NOT ACTIVE” in Flowmon DDoS Defender). This “buffer” interval helps prevent false negatives and keeps protection in place if the attack resumes after a short interval.

Figure 9: Attack Ended example

The attack is marked as “ENDED” and traffic is re-routed back to its original path after it has been inactive (marked as “NOT ACTIVE” in Flowmon DDoS Defender) for the pre-defined “buffer” period of time.

The “Mitigation Stop” step ensures no configuration is left behind in BIG-IP AFM, and sends a BGP UPDATE message to the router so that the original or “default” route is used for the data traffic again.
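The monitoring loop from “Attack Not Active” through “Mitigation Stop”, as an added simulation (mine, not Flowmon’s implementation): each stats sample is polled at the article’s 30-second cadence, a sample with no vector matching traffic moves the attack to NOT ACTIVE, and the scrubbing path is only torn down once the buffer interval has passed without traffic returning. The buffer length is set to the article’s stated minimum of 30 seconds, the stats sample format and the exact order of the clean-up steps are assumptions, and the sample sequence is constructed to include the edge case the text cares about: an attack that resumes inside the buffer.

```python
"""Simulation of the post-mitigation monitoring loop: poll DoS profile statistics
every 30 s, mark the attack NOT ACTIVE when no vector matches traffic, keep the
scrubbing path for a buffer interval, then mark it ENDED and run Mitigation Stop.
Constructed example, not Flowmon code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

POLL_INTERVAL_S = 30   # Flowmon checks DDoS profile stats every 30 seconds
BUFFER_S = 30          # assumed: the article's stated minimum; deployments may use longer


@dataclass
class MitigationMonitor:
    """Tracks one attack's state from Mitigation Start until Mitigation Stop."""
    state: str = "ACTIVE"
    inactive_since: Optional[int] = None          # simulated time NOT ACTIVE was first seen
    transitions: List[Tuple[int, str]] = field(default_factory=list)

    def observe(self, t: int, vector_stats: Dict[str, int]) -> str:
        """Feed one stats sample taken at simulated time t (seconds).
        vector_stats maps DoS vector name -> packets matched in the interval (assumed
        format); any non-zero count means traffic still matches a vector."""
        if self.state == "ENDED":
            return self.state                     # Mitigation Stop already ran
        live = any(count > 0 for count in vector_stats.values())
        if live:
            # Traffic matched a vector again: stay on the scrubbing path and reset
            # the buffer, so a short lull cannot end mitigation early.
            self.state, self.inactive_since = "ACTIVE", None
        elif self.inactive_since is None:
            self.state, self.inactive_since = "NOT ACTIVE", t
        elif t - self.inactive_since >= BUFFER_S:
            self.state = "ENDED"
        self.transitions.append((t, self.state))
        return self.state


def mitigation_stop_steps(segment: str, dos_profile: str, virtual: str) -> List[str]:
    """Ordered clean-up at Mitigation Stop as the article describes it: fetch the
    analytics report before removing anything, restore routing, then remove the
    AFM objects. The relative order of the last three steps is an assumption."""
    return [
        f"GET analytics report for {dos_profile}",
        f"BGP UPDATE: withdraw {segment} (router reverts to its default route)",
        f"DELETE virtual server {virtual}",
        f"DELETE DoS profile {dos_profile}",
    ]


def run_simulation(samples: List[Tuple[int, Dict[str, int]]]) -> List[str]:
    """Replay (time, stats) samples and return the state after each one."""
    mon = MitigationMonitor()
    return [mon.observe(t, stats) for t, stats in samples]


# Constructed samples: the attack stops, resumes inside the buffer, then stops for good.
SAMPLES = [
    (0,   {"udp-flood": 5000, "icmp-frag": 0}),
    (30,  {"udp-flood": 0,    "icmp-frag": 0}),   # no vector matched -> NOT ACTIVE
    (60,  {"udp-flood": 800,  "icmp-frag": 0}),   # resumed inside the buffer -> ACTIVE again
    (90,  {"udp-flood": 0,    "icmp-frag": 0}),   # NOT ACTIVE again, buffer restarts
    (120, {"udp-flood": 0,    "icmp-frag": 0}),   # buffer elapsed -> ENDED
]

if __name__ == "__main__":
    for (t, _), state in zip(SAMPLES, run_simulation(SAMPLES)):
        print(f"t={t:>3}s  {state}")
    for step in mitigation_stop_steps("192.0.2.0/24", "flowmon_dos_192_0_2_0_24",
                                      "vs_flowmon_dos_192_0_2_0_24"):
        print(step)
```

The resumed-attack sample at t=60 is the reason the buffer exists: without it, the route would have been withdrawn at t=30 and re-announced at t=60, flapping the segment in and out of the scrubbing path.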

Figure 10: Mitigation Stop example

As part of the Mitigation Stop routine, Flowmon requests an F5 Analytics Report before removing the DDoS profile and Virtual Server from BIG-IP AFM.

A detailed report (PDF and UI-based) is available for each attack for analysis and record-keeping purposes:

Figure 11: Attack report example

Last update: 01-Mar-2018 03:00