03-May-2021 09:28
Dear All
I am not good with networking terms, so please forgive me if I am wrong.
I am an application owner. For the last couple of days my application has been under a DDoS attack (as per my network team). But the problem is they can't block it on the F5 BIG-IP, because when they try to find the source IP they are getting 10.x.x.x, 172.16.x.x, 172.31.x.x, 192.168.x.x, which are private IPs.
So my query is how to find the source where the original request is generated, or how I can block this type of attack.
Thanks in advance.
04-May-2021 01:40
Hi RockBD,
I think it's a tricky one to give a simple answer to, but here's my two cents on how I would investigate;
Hope this helps.
04-May-2021 03:43
Sorry to inform you that I didn't understand most of your technical terms properly. But when the sysadmin imposes a geolocation policy so that this site can only be viewed/accessed from within the native country, not from around the world, then I think the WAF stops the DDoS attack. So I don't think it is being generated from internal IPs.
Can you tell me how to check the XFF header, or is there any other solution?
04-May-2021 05:40 - last edited on 24-Mar-2022 01:28 by li-migration
Hi RockBD,
I agree with ; check whether these IP addresses aren't some real internal systems that are misconfigured. Maybe your application is an API or something like a reporting service, and some systems are configured to query it regularly?
Second, IP addresses can be spoofed. The Wikipedia article on IP address spoofing will explain to you what that is. If this is a DDoS attack, attackers usually retool and use different source IP addresses throughout the attack. They do this in order to bypass rate limiting or blocking. Also, if those are real internal IPs, you might block benign traffic / users from accessing your application.
Check with your network team whether they are running an up-to-date version of BIG-IP and you have an ASM/AdvWAF license; then they can use techniques such as client fingerprinting.
Take a look here: K19556739: Overview of BIG-IP ASM client fingerprinting
This should give you some understanding of how the BIG-IP will identify devices (attackers) with more advanced techniques than "block by source IP".
Also read this DevCentral article: What is Shape Security?
It will give you a better understanding of the whole concept behind identifying attackers properly.
Best of luck
Daniel
04-May-2021 10:40
Can you please guide me on how to block a DDoS attack on BIG-IP? I don't know which article will be more appropriate for blocking DDoS. Is the following a possible way to protect against DDoS on F5 BIG-IP?
https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/preventing-dos-attacks-on-applications.html
04-May-2021 12:04
Look, there is no one-size-fits-all solution for DDoS. It depends a lot on the BIG-IP device you have, the TMOS version you run, the license you own and the kind of attack you see.
From the link you have shared, I would configure Behavioral & Stress-based Detection only. Do not combine Behavioral & Stress-based Detection with TPS-based detection.
Additionally, I would add a Bot Defense profile. https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/configuring-bot-defense.html