Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Mitigate L7 DDoS with BIG-IP ASM

PSilva
Legacy Employee
Legacy Employee

on ‎28-Nov-2017 04:00

Today, let’s look at a couple ways to mitigate an application DDoS attack with BIG-IP ASM.

We’ve logged into a BIG-IP ASM and navigated to Security>DDoS Protection>DDoS Profiles. In the General Settings of Application Security, we’ll activate an application DoS iRule event.

0151T000003d777QAA.png

We’ll click TPS-based Detection to see the temporarily lowered TPS thresholds to easily simulate an attack. Often, there are multiple mitigation methods that are sequentially applied as you can see with the Source IP settings.

0151T000003d778QAA.png

We can also record traffic packet captures during attacks for post analysis.

0151T000003d779QAA.png

When the user requests a web application proxied by BIG-IP ASM, ASM will create a unique identifier or a Device ID. ASM will inject JavaScript to register each client device. You can see X-Device-ID: at the bottom.

0151T000003d77AQAQ.png

And JavaScript incapable clients never make it through.

0151T000003d77BQAQ.png

Now that the unit is ready, let’s enable some packet capture and take a go at that damn vulnerable web application.

0151T000003d77CQAQ.png

Path for the log files is /var/log/ or /shared/log/…the PCAP folder is empty so let’s see the action.

0151T000003d77DQAQ.png

Attack commence in 3-2-1. Some quick refreshes should do as our thresholds are low.

0151T000003d77EQAQ.png

The first mitigation is Client Side Integrity Defense. The system issues a client-side integrity challenge that consumes client computation resources and slows down the attack. Next is Built-in Captcha. The third mitigation is Rate Limiting…

0151T000003d77FQAQ.png

..then if they’re still not listening, you can instantly transform into a Honeypot.

0151T000003d77GQAQ.png

The logs below show the IP address and the type of mitigation technique deployed. First Integrity, then Captcha, then Rate Limiting, then Honeypot if they don't stop. The traffic you recorded will be found in the, now populated, PCAP folders.

0151T000003d77HQAQ.png

Thanks to F5 SE Artiom Lichtenstein for the demo video.

ps

Related:

Labels:
Comments
dragonflymr
Cirrostratus
Cirrostratus
‎18-Dec-2017 03:05

Hi,

 

Nice article. I wonder how Honeypot protection is implemented here? Is that part of DVWA or some config in ASM?

 

Piotr

 

0 Kudos
Artiom_Lichtens
Historic F5 Account
‎19-Dec-2017 01:02

Hi Piotr,

The "Honeypot" in the video is a simple iRule 

ifile
call (for demo purposes only):

when IN_DOSL7_ATTACK {
     log local0.warning "Attacker IP: $DOSL7_ATTACKER_IP, Mitigation: $DOSL7_MITIGATION"
    if { $DOSL7_MITIGATION contains "Rate Limiting" } {
        HTTP::respond 403 content [ifile get ifile_HONEYPOT]
         log local0.warning "Honeypot!"
    }
}

In production - I have a customer that simply redirects traffic to a specific pool / member which forwards traffic to a "real" Honeypot server for analysis etc.

0 Kudos
dragonflymr
Cirrostratus
Cirrostratus
‎19-Dec-2017 01:08

Hi,

 

Thanks a lot for explanation. Funny part is that I was watching your iRule LX (great one BTW) video on YouTube when you posted answer 🙂

 

Piotr

 

0 Kudos
Artiom_Lichtens
Historic F5 Account
‎21-Dec-2017 17:12

Thank you Piotr!

 

v13.1 which is out now, has a new built-in "Honeypot" enforcement.

 

I need to record a new video 🙂

 

0 Kudos
dragonflymr
Cirrostratus
Cirrostratus
‎22-Dec-2017 01:31

Hi,

 

Would be great to see video about new features in 13.1.0!

 

Piotr

 

0 Kudos
Version history
Last update:
‎28-Nov-2017 04:00
Updated by:
Legacy Employee
Contributors
Copyright © 2023 Khoros, LLC