Protect your applications using F5’s Distributed Cloud and Fast ACL’s

Introduction

In this article I will show you how to easily create Fast ACL’s to protect your applications from DDoS attacks. Layer 3-4 DDoS Mitigation is included with the F5 Distributed Cloud service.

When planning your DDoS strategy, you must plan at many layers. This means organizations need multiple tools and capabilities to protect themselves and keep their infrastructure and applications running. This layered approach uses network firewalls for Layer 3-4 DDoS protection, Web Application Firewalls (WAF) for Layer 7 protections, and as I’ll cover here Access Control Lists (ACLs) or as we call them Fast ACLs that can include rate-limiting.

These ACL rules are applied at very early stages in datapath ingress processing and form a first line of defense against attack.

Typical Use case(s) are:

Rate-limiting traffic to destination
Accepting traffic from certain source IPs to destination
Rate-limiting or dropping traffic from source IPs to destination

These rules are evaluated for each packet coming into the system (ingress), unlike session-based ACL’s where action is calculated only on first packet in the session.

It is specified in terms of five tuple of the packet {destination ip, destination port, source ip, source port, protocol}.

This gives you the ability to fine tune your DDoS strategy based on your network infrastructure and application performance.

Getting Started

Select the Cloud and Edge Sites Tile.

Navigate to Manage >> Firewall >> Fast ACL’s.

We will also be discussing and using Policers and Protocol Policers. They can be added from this screen or as we build out our DDoS protection. We will show how during the build out.

Click Add Fast ACL

Give your Fast ACL a Name, add a Label and Description to help identify later.

Next is what sets F5 XC Services apart.

Under Fast ACL Type you have 2 options.

This can be at the F5 XC Services regional edge (RE) or your own customer edge (CE) for apps deployed locally with F5 Distributed Cloud Service nodes. For this article I will cover the Customer Edge (CE).

Select Configure.

Here you have the option to select which network to apply this to at the CE, Inside or Outside, I will use the Outside Network. Next select the Destination IP, where you have three options to protect. I will use All Interface IP(s) as VIP.

Finally, under Source, we will configure the Rules we wish to apply. Click Configure

Under the Rules Section. Click Add Item

Give your Rule a Name and a Description.

Under Action you have 3 options, Simple Action, Policer Action and Protocol Policer Action.

First, we will cover the Simple Action. You have two options, allow or deny.

Under Source Port, click Add Item.

You have the option to select All Ports, A User Defined Port or DNS.

I will select User defined and add the value of 443.

Under Source I'll allow all from 0.0.0.0./0 and click Add Item.

Now you can go back in Rules and any additional rules that reflect your architecture. Click Add Item.

This time I'll select Deny as the Action and ALL as Source Ports and Source Prefix as 0.0.0.0/0

When complete click Apply, this takes you back a Screen, Click Apply again.

Protocol Policer

Finally, we will configure a FAST ACL Protocol Policer.

Give your Protocol Policer a Name, Labels and Description.

Select a pre-configured Protocol Policer if one is already configured or you have system wide one you wish to apply. For this demonstration we will click Create new Protocol Policer.

Click Add Item

This will give you the option of Packet Type. The options are TCP, ICMP, UDP and DNS. For this we will select TCP.

Then you select the appropriate TCP Flags, we will select SYN.

Policer

Dropping to the Policer section, we either need to select a preconfigured policer that might be used system wide or Create a new one. We will select Create New Policer.

Creating a Policer is straightforward. Give it a Name, Labels and Description. Select If the Policer is to be Shared or Not Shared System wide.

Here is where creating Fast ACLs helps you fine tune your DDoS protection for your application.

You will enter both a Committed Information Rate in pps and a Burst Size in pps.

Click Continue

Add item and then Continue.

Finally Save and Exit.

These are all the steps necessary to get started using Fast ACL's.

Two additional steps are needed and beyond the scope of this article. Most builds will already have the necessary configurations required.

You need to have a Network Firewall designated and what F5 Distributed Cloud calls a Fleet. The Firewall will reference the ACL and the Firewall and Fleet Tag will be asisgned to your Customer Edge (CE).

Conclusion

In this article you learned how to configure Fast ACLs DDoS protection quickly and easily with the F5's Distributed Cloud. We included Rate Limiting as a viable option to tune your DDoS settings. In a few short minutes you would be able to react to an attack on your network by going into the F5 Distributed Cloud Console and adjusting or adding DDoS protections.