F5 Silverline DDoS Protection

At F5 we’ve been talking about providing security services from the cloud for years. Three primary factors have been pushing us in this direction. The first factor is customers. Customers today have a cloud-first strategy; they make an effort to deploy into the cloud all applications that don’t directly support their own intellectual property. Second, the shortage of information security personnel continues to add to the difficulty of administering on-premises security devices. According to The Foote Research Group, individuals with skill in Security Architecture were the second highest paid IT professionals in 2014. Only the most marquee industry names seem to be able to consistently hire and retain high-demand security personnel. Last, the sheer size of recent denial-of-service attacks requires a cloud-based response. The graph below shows how, in just the past year, the largest recorded DDoS attacks have grown from 100 Gbs to over 300 Gbs. Attacks of this size are simply too big for anyone but carrier service providers to mitigate solely with on-premises equipment.

Traditionally our customers have known F5 as the strategic point of control, directing traffic in the datacenter. We are now adding services from the cloud to complement the value of the customers’ F5 investment. So this week, we’re officially announcing Silverline, F5’s new cloud-based services delivery platform.

The first security service we’re rolling out under the Silverline umbrella is the DDoS Protection service. This cloud-based service mitigates volumetric DDoS attacks on behalf of F5 customers. We are launching the Silverline DDoS Protection service as a global, tier one service with enough capacity for even the most demanding enterprise customers. To accomplish this, F5 acquired the Defense.net DDoS service and then doubled the number of its datacenters to ensure the service has a global reach when it is launched as the Silverline DDoS Protection service.

Benefits of global reach

That global reach is important for two main reasons.

The first has to do with the mechanics of a DDoS campaign. When a major campaign is launched against a target, there will be devices attacking from all over the world. IP Anycast diffuses the attack across multiple Silverline DDoS Protection datacenters around the globe so that the campaign can never focus all its firepower on a single site, even if the attacking devices are all targeting the same IP address.

The second benefit of having datacenters around the globe is to reduce the latency of the return traffic to the customer. Customers have expressed that availability and performance are crucial factors for any cloud service they purchase. This means that datacenters in North America, Europe and Asia Pacific are a requirement to keep latency at a minimum.

Inside Silverline DDoS Protection

When a customer is targeted by a volumetric DDoS attack, it can shift all (or some) of the incoming Internet traffic to the Silverline DDoS Protection service. The traffic is intercepted and delivered across the global datacenters. Each connection is categorized into a spectrum of suspicion, which includes:

  • Known good traffic.
  • Embryonic (SYN) traffic.
  • Accumulated connections.
  • Application traffic.
  • DNS traffic.
  • Known bad traffic.

Ultimately the traffic is “scrubbed clean” as bad traffic is identified and removed. Most customers would rather that some junk traffic get through the scrubber than too many legitimate requests get mis-identified as bad and discarded. The customer can review the ongoing campaign through a dashboard set up by the veteran staff.

Modes of operation

The F5 Silverline DDoS Protection service has two modes of operation.

Always On™ - First line of defense. This subscription continuously stops bad traffic from ever reaching your network.

Always Available™ - Available on demand. This subscription runs on standby and can be initiated when you’re under attack.

Most customers will choose the Always Available mode, which follows the traditional model of a per-engagement DDoS scrubbing center, but there are some who like the analytics and portal experience so much that they put all their traffic through Always On.

F5 in the Cloud

F5 Silverline DDoS Protection is our first cloud-based security service. We are expecting fast adoption because customer interest in DDoS remains very high. And in our experience, customers' satisfaction with their current DDoS mitigation providers is suboptimal. We expect DDoS attacks to continue evolving, and the F5 security operations center staff will stay current to extend protection to F5 customers.

DDoS Protection won’t be the only F5 security service for long – watch for more Silverline services to be rolled out from F5 in the Cloud.

Published Nov 04, 2014
Version 1.0