Silverline DDoS capabilities are now available in F5 Distributed Cloud

The purpose of this article is to highlight the major enhancements of Silverline Routed and Proxy DDoS Protection capabilities as they are now available on the F5 Distributed Cloud platform. More capabilities of the service are on the roadmap and in development.

F5 Silverline is a managed service comprised of three core offerings: DDoS Protection, Bot Defense, and Web Application Firewall. Silverline services can be used as individual services or in combination to provide customers with a truly robust managed security solution.

Silverline DDoS Protection is a cloud-based managed service which detects and mitigates Layer 3/Layer 4 volumetric DDoS attacks as well as Layer 7 application-layer attacks in real time. Launched in 2014 with five primary scrubbing centers and 1.8Tbps of bandwidth capacity, it ultimately grew to 13 Points of Presence, three SOC locations, and 3Tbps of attack traffic mitigation capability.

F5 Distributed Cloud was launched in early 2020 with the acquisition of Shape Security to be a holistic SaaS platform with security, networking, and application management services capable of being deployed in customer facilities or in the cloud. In January 2021, F5 acquired Volterra to enhance edge capability concerns.  Volterra allows for enterprise-grade security and scale on the customer edge where traditionally there has been limited security features. 

Distributed Cloud builds upon Big-IP Advanced WAF, legacy Shape and Volterra technologies offering WAAP (Web Application and API Protection) composed of Web Application Firewall, DDoS Mitigation, API Security and Bot Defense.  It also offers App Infrastructure Protection as well as fraud and abuse security services like Client-Side Defense, Bot Defense, Account Protection and Authentication Intelligence. The flexibility of F5 Distributed cloud is that it consolidates the management and operation of these security services with high availability and simplicity provided by a single UX interface. Beyond the self-service option that protects apps and APIs offered on Distributed Cloud, the addition of Managed Services expands security functionality onto this integrated platform with greater global presence, capacity, and network capabilities supported by 24x7 SOC (Security Operations Center) experts. The core Silverline DDoS Protection features remain largely the same with a few important exceptions: the infrastructure, mitigation capability and capacity, Service Level Agreements, and updated customer dashboard views within the Distributed Cloud console.

The question now is “why move these Silverline services to F5 Distributed Cloud?

F5 Distributed Cloud provides 24 Regional Edges around the globe within 22 Metro Regions, featuring peering relationships with Tier 1 service providers creating a multi-terabit resilient private backbone.  

Figure 1 shows the locations of the global presence of Distributed Cloud

  

New edge mitigation options are automated through the speed and use of analytics, as well as SOC-generated and customer managed fast ACLs. Distributed Cloud allows for improved mitigation options which efficiently utilize traffic scrubbing resources while thwarting the DDoS attack’s malicious intent. Traffic scrubbing capacity has quadrupled by leveraging the distributed cloud’s vast global presence.

This is key to withstanding the overwhelming amount of traffic generated by the ever-growing number of toolkits. These kits are used by attackers to create volumetric attacks using protocols at the Internet, Transport and Application layers. The tools construct attack profiles that aim a high volume of burstable or sustained packet traffic at the target, typically using unsecured IOT (Internet of Things) devices. 

The F5 Distributed Cloud Mitigation service will continue to offer “Always Available/On Demand” and “Always On” service subscription options. With the “Always Available/On Demand” option, customers will have the ability to log into the Distributed Cloud console to announce or suppress the route announcement of their networks/prefixes or work with a SOC engineer for any route changes.

Figure 2 shows the mitigation process and the existing mitigation features

 

Due to the global reach of Distributed Cloud, all Silverline DDoS customers will have updated SLAs (Service Level Agreements). The legacy Silverline SLA offered 1 hour response time with 99.999% uptime and no mitigation SLA. The new standard tier SLAs include the initial support response being 15 minutes, with standard mitigation SLAs set to 0s for 60% of the attacks, 6 minutes for 95% of the attacks and 12 minutes for 100% of the attacks. The new enhanced tier further reduces the SLA time to mitigation by offering 0s for 60% of the attacks, 2 minutes for 95% of the attacks and 4 mins for 100% of the attacks.

Customers can view attacks in real-time by logging into the Distributed Cloud console. Due to the inherently vast security services overlay structure, a data rich console showing all subscribed services is available for analysis and report generation. Additionally, the SOC will have the ability to create customized reports and upload those to the customer’s view within their tenant.

The Distributed Cloud console displays normal and attack activity for DDoS events and uses an enhanced view that will differ from the Silverline management console. The two main UI menus that customers will want to focus on are the DDoS traffic, event/mitigation screens and the tunnel status visibility screens. 

Customers can see the alert details, targeted IP address, start/end time, bandwidth (size of attack) and type of attack. For clarity, events can also be assigned to an alert for correlation.

Figure 3 shows where the alerts and events are detailed.

 

Figure 4 shows a snapshot of how the traffic for a particular network has been affected, its breakdown by application and region

 

As part of the roadmap, F5 Distributed Cloud customers will have the ability to monitor the status of their tunnels. The screenshots below depict the possible future console layout of what may be displayed.  Giving customers the ability to view their tunnel connectivity is invaluable. Knowing which tunnels are down, exhibiting high use or flapping may cause delays in the delivery of post-scrubbed traffic to the origin.

Figure 5 shows the state of the tunnels

 

Figure 6 shows the details of a tunnel including type, location, status, the end points and its history

F5 Distributed Cloud offers a modern SDN architecture that will allow customers to deploy and protect applications rapidly, with a larger global footprint, additional mitigation options, enhanced reporting, and expanded dashboard views. 

Additional features will be continuously released to further enhance the offering.