KevinGallaugher
F5 Employee

Introduction

In this article you will learn how simple it is to use F5 Distributed Cloud to protect your application from DDoS attacks.  Some of the benefits of using F5 Distributed Cloud DDoS Mitigation are:

  • Ensure application and network availability during DDoS attacks
  • Block the malicious traffic while allowing the good, ensuring a good user experience for applications and services
  • Identify and mitigate sophisticated Layer 7 DoS attacks that exploit application & infrastructure weaknesses
  • Block the attack where it originates with a global backbone and distributed DoS mitigation technology
  • Protect small facility and cloud-based applications and services with DNS-based redirection

Layer 3/4 DDoS Mitigation is enabled by default and requires no configuration. 

DDoS Mitigation is included with the F5 Distributed Cloud service.

Configuring F5 Distributed Cloud DDoS Mitigation

From the F5 Distributed Cloud Console select Load Balancers to begin.

For this article let’s assume you have configured a very basic HTTP Load Balancer named “my-web-app”.  On the right under Actions click the 3 dots and select Manage Configuration.

The Basic Configuration shows the Domain name, “mydomain.com” in this example.  The Load Balancer is configured as HTTPS with Automatic Certificate and an HTTP redirect to HTTPS.  TLS security is set to High.

Under Security Configuration you may need to scroll down and toggle the Show Advanced Fields button to On to view the DDoS configuration.

Scroll down to ML Config and select Single Load Balancer Application.

Disable API Discovery.

Scroll to the bottom and click Save and Exit.

The application is now protected from Layer 7 DDoS attacks.

How to know when a DDoS attack occurs?

Security Events will be generated when a DDoS attack occurs.  This can be viewed from the Security Monitoring Dashboard.

Select the DDoS Dashboard to view a geographical map that shows the location of the affected application.

Expand the DDoS Events for more detail.  Under Metric we can see that Error Rate and Request Rate were triggered.  Make a note of the Suspicious Users IP address so it can be blocked.

How to mitigate attacks?

Go back to Manage > Load Balancers.  Click the 3 dots under Actions and select Manage Configuration.

Click Edit Configuration on the top right.

Scroll down under Security Configuration.  Find the DDoS Mitigation Rules and click Configure.

Click Add item.

Give it a name, “block-by-ip” in this example.

Under Mitigation Choice > IP Source enter the IP prefixes you want to block.

Note: IP address 1.2.3.4 is only being used as an example.  1.2.3.0/24 notations can be used to block entire subnets.

Click Add item at the bottom.

Then click Apply.

Scroll to the bottom and click Save and Exit.

The attacking client has been blocked and will no longer trigger DDoS Events.
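
When several Suspicious Users addresses have been noted, it helps to normalize them before typing them into the IP Source field. The following is an added example, not part of the original article and not F5 code: it turns noted addresses into /32 or /24 prefixes without blocking ranges you depend on. The function name, the `never_block` allowlist, the threshold of 3 and every sample address other than 1.2.3.4 are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: 1.2.3.4 is the article's example address; the rest
# are documentation-range addresses standing in for noted Suspicious Users.
SAMPLE_SUSPICIOUS = ["1.2.3.4", "203.0.113.10", "203.0.113.77",
                     "203.0.113.200", "198.51.100.7", "192.0.2.15"]
SAMPLE_NEVER_BLOCK = ["192.0.2.0/28"]  # assumed: your own monitoring range


def build_block_prefixes(suspicious_ips, never_block=(), subnet_threshold=3):
    """Return (prefixes_to_block, skipped_addresses) for the IP Source field.

    A whole /24 is emitted only when at least `subnet_threshold` distinct
    addresses from it were seen and it does not overlap `never_block`;
    otherwise each address is listed as a /32. Addresses inside a
    `never_block` range are never emitted and are reported as skipped.
    """
    protected = [ipaddress.ip_network(n) for n in never_block]
    by_subnet = defaultdict(set)
    for raw in suspicious_ips:
        addr = ipaddress.IPv4Address(raw.strip())  # rejects typos and IPv6
        by_subnet[ipaddress.ip_network(f"{addr}/24", strict=False)].add(addr)

    blocked, skipped = [], []
    for subnet, addrs in by_subnet.items():
        dense = len(addrs) >= subnet_threshold
        if dense and not any(subnet.overlaps(p) for p in protected):
            blocked.append(subnet)
            continue
        for addr in addrs:
            if any(addr in p for p in protected):
                skipped.append(str(addr))
            else:
                blocked.append(ipaddress.ip_network(f"{addr}/32"))
    # collapse_addresses de-duplicates, merges adjacent networks and sorts.
    merged = ipaddress.collapse_addresses(blocked)
    return [str(n) for n in merged], sorted(skipped)


if __name__ == "__main__":
    prefixes, skipped = build_block_prefixes(SAMPLE_SUSPICIOUS, SAMPLE_NEVER_BLOCK)
    print("Enter under IP Source:", prefixes)
    print("Not blocked (protected):", skipped)
```

Review the skipped list by hand: an address there matched a DDoS event but sits inside a range you marked as protected.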

Conclusion

In this article you learned how to enable and configure L7 DDoS Mitigation with the F5 Distributed Cloud.  We also went over the monitoring of Security Events and what to do if a DDoS attack is detected. 

For further information or to get started:

  • F5 Distributed Cloud WAAP YouTube series (Link)
  • F5 Distributed Cloud WAAP Services (Link)
  • F5 Distributed Cloud WAAP Get Started (Link)

Tag: F5 XC DDoS Mitigation

Last update: 24-Feb-2022 09:15