F5 Distributed Cloud L7 DDoS Mitigation
Distributed-denial-of-service (DDoS) attacks are a type of denial-of-service (DoS) attack. DDoS attacks entail the deployment of a botnet -- a collection of connected online devices used to flood a target website with bogus traffic.
In a DDoS attack, attackers abuse the normal behavior of network devices and servers, frequently targeting the devices that provide the internet connection. Rather than compromising individual servers, they aim at edge network equipment such as routers and switches. The result is that the network's pipe (its bandwidth), or the devices that provide that bandwidth, become overburdened.
Years ago, DDoS attacks were considered an easily mitigated nuisance. Today, they're viewed as much more sophisticated and threatening.
In this article, we review how F5 Distributed Cloud can help. You'll learn how to enable and configure Layer 7 DDoS Mitigation with F5 Distributed Cloud. Plus, we review how to monitor Security Events and what to do if a DDoS attack is detected.
Some benefits of F5 Distributed Cloud DDoS Mitigation include:
- Ensuring application and network availability during DDoS attacks.
- Blocking malicious traffic while allowing good traffic through, preserving the user experience for apps and services.
- Identifying and mitigating sophisticated application-layer DDoS attacks that exploit application and infrastructure weaknesses.
- Blocking attacks using a global backbone and DDoS mitigation technology.
- Protecting small facilities and cloud-based applications and services with DNS-based redirection.
Let's dive in!
DDoS attack classification
When thinking about effective DDoS attack mitigation techniques, it's useful to group attacks into two buckets: attacks at the Infrastructure layer (Layers 3 and 4) and attacks at the Application layer (Layers 6 and 7).
DDoS attacks on layers 3 and 4 are often characterized as Infrastructure-layer attacks. These are the most frequent form of DDoS attack. Such attacks are often high-volume and try to overwhelm the capacity of the network or the application servers. However, Infrastructure-layer attacks have distinct signatures and are thus easier to detect. Examples include synchronize (SYN) floods and various reflection attacks such as User Datagram Protocol (UDP) reflection floods.
With F5 Distributed Cloud, Layer 3/4 DDoS mitigation is enabled by default and requires no configuration in the F5 Distributed Cloud service.
Application-layer attacks are commonly classified as attacks on layers 6 and 7. While less widespread, Application-layer attacks are more complex. Though they often feature lower volumes than Infrastructure-layer attacks, they tend to specifically target expensive areas of an application, rendering it unavailable to real users. Examples include a flood of HTTP requests to a login page, an expensive search API, or even WordPress XML-RPC floods (also known as WordPress pingback attacks).
Configuring F5 Distributed Cloud DDoS Mitigation
So how do you configure F5 Distributed Cloud to protect against DDoS attacks? From the F5 Distributed Cloud Console, select "Load Balancers" to begin.
For this article, let's assume you have configured a very basic HTTP Load Balancer named "my-web-app." On the right under Actions, click the three dots ("…") and select "Manage Configuration."
The Basic Configuration shows the Domain name, "mydomain.com" in this example. The Load Balancer is configured as HTTPS with Automatic Certificate and an HTTP redirect to HTTPS. TLS security is set to High.
Under Security Configuration, you may need to scroll down and toggle the Show Advanced Fields button to On to view the DDoS configuration.
Scroll down to ML Config and select "Single Load Balancer Application."
Disable API Discovery.
Scroll to the bottom and click "Save and Exit."
The application is now protected from Layer 7 DDoS attacks.
How to know when a DDoS attack occurs
Security Events are generated when a DDoS attack occurs. Click "HTTP Load Balancers" under Virtual Hosts on the left. You should see your Load Balancer, and the Security Monitoring dashboard for it in the load balancer's sections, as shown in the image below. The events are viewed from this Security Monitoring dashboard.
Select the DDoS Dashboard to view a geographical map that shows the location of the affected application.
Expand the DDoS Events for more detail. Under the Metric field, we can see that both Error Rate and Request Rate were triggered. Make a note of the IP address listed under Suspicious Users so it can be blocked.
How to mitigate attacks
Go back to Manage > Load Balancers. Click the three dots ("…") under Actions and select "Manage Configuration."
Click "Edit Configuration" on the top right.
Scroll down under Security Configuration. Find the DDoS Mitigation Rules and click "Configure."
Click "Add Item."
Give it a name ("block-by-ip" in this example).
Under Mitigation Choice > IP Source, enter the IP prefixes you want to block.
Note: IP address 126.96.36.199 is only being used as an example. CIDR notation can be used to block an entire subnet; for example, 188.8.131.0/24 covers every address from 188.8.131.0 through 188.8.131.255. Write the prefix with its host bits zeroed (188.8.131.0/24 rather than 188.8.131.52/24) so the rule matches the whole subnet you intend.
Click "Add Item" at the bottom.
Then click "Apply."
Scroll to the bottom and click "Save and Exit."
Requests from the blocked prefix are now dropped at the load balancer, so the attacking client no longer reaches the application and will no longer trigger DDoS Events. Re-check the DDoS Dashboard after applying the rule to confirm the Request Rate and Error Rate metrics have returned to normal.
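The two steps above, reading which sources tripped the Request Rate and Error Rate metrics and turning them into IP Source prefixes for a DDoS Mitigation Rule, can be illustrated offline. The following Python script is an added example written for this article; it is not code from F5 or from the Distributed Cloud product, and it does not talk to the console. The log format, the thresholds and the client addresses are constructed for illustration; the real dashboard computes its metrics on the platform's own telemetry.

```python
"""Per-source request-rate / error-rate triage, then CIDR prefixes for an IP block rule.

Added illustration for this article; not F5 Distributed Cloud code.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not captured from a real system). Each line is
# "<ISO-8601 timestamp> <client IP> <method> <path> <HTTP status>".
# 203.0.113.7 hammers /login and mostly gets 401s; the other two clients browse normally.
SAMPLE_LOG = """\
2024-05-01T12:00:00Z 203.0.113.7 POST /login 401
2024-05-01T12:00:00Z 203.0.113.7 POST /login 401
2024-05-01T12:00:01Z 198.51.100.20 GET / 200
2024-05-01T12:00:01Z 203.0.113.7 POST /login 401
2024-05-01T12:00:01Z 203.0.113.7 POST /login 401
2024-05-01T12:00:02Z 203.0.113.7 POST /login 429
2024-05-01T12:00:02Z 192.0.2.55 GET /api/search?q=shoes 200
2024-05-01T12:00:02Z 203.0.113.7 POST /login 401
2024-05-01T12:00:03Z 203.0.113.7 POST /login 401
2024-05-01T12:00:03Z 198.51.100.20 GET /static/app.js 200
2024-05-01T12:00:03Z 203.0.113.7 POST /login 200
2024-05-01T12:00:04Z 203.0.113.7 POST /login 401
"""

# Illustrative thresholds chosen for the sample above; these are assumptions for
# the example, not values taken from the F5 Distributed Cloud product.
REQUEST_RATE_THRESHOLD = 1.5   # requests per second from a single source
ERROR_RATE_THRESHOLD = 0.5     # fraction of 4xx/5xx responses from a single source


def parse_log(text):
    """Return (timestamp, ip, status) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
            ip = ipaddress.ip_address(parts[1])
            status = int(parts[4])
        except ValueError:
            continue
        events.append((ts, ip, status))
    return events


def per_source_metrics(events):
    """Request rate (req/s) and error rate (fraction) per client IP."""
    by_ip = defaultdict(list)
    for ts, ip, status in events:
        by_ip[ip].append((ts, status))
    metrics = {}
    for ip, rows in by_ip.items():
        first = min(ts for ts, _ in rows)
        last = max(ts for ts, _ in rows)
        # A burst that fits inside one second is measured over a one-second window.
        window = max((last - first).total_seconds(), 1.0)
        errors = sum(1 for _, status in rows if status >= 400)
        metrics[ip] = {
            "requests": len(rows),
            "request_rate": len(rows) / window,
            "error_rate": errors / len(rows),
        }
    return metrics


def suspicious_sources(metrics, rate_threshold=REQUEST_RATE_THRESHOLD,
                       error_threshold=ERROR_RATE_THRESHOLD):
    """IPs that trip both the Request Rate and the Error Rate metric."""
    flagged = [
        ip for ip, m in metrics.items()
        if m["request_rate"] > rate_threshold and m["error_rate"] > error_threshold
    ]
    return sorted(flagged, key=lambda ip: (ip.version, int(ip)))


def block_prefixes(ips, prefixlen=32):
    """Normalise suspicious IPs into CIDR prefixes for an IP Source block rule.

    strict=False tells ipaddress to zero the host bits, so 203.0.113.7 with
    prefixlen=24 becomes 203.0.113.0/24 instead of an ill-formed 203.0.113.7/24.
    """
    nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips}
    return sorted(str(n) for n in nets)


if __name__ == "__main__":
    metrics = per_source_metrics(parse_log(SAMPLE_LOG))
    bad = suspicious_sources(metrics)
    print("suspicious sources:", [str(ip) for ip in bad])
    print("block single hosts:", block_prefixes(bad))
    print("block whole /24s:  ", block_prefixes(bad, 24))
```

Only the source that exceeds both thresholds is flagged; a client that browses normally, or one that errors a lot but slowly, stays out of the block list. Start with the /32 prefixes and widen to a /24 only when the Suspicious Users list shows many neighbours in the same subnet, since a wide prefix also blocks legitimate users behind the same provider.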
In this article, you've learned how to enable and configure L7 DDoS Mitigation with the F5 Distributed Cloud. We also went over the monitoring of Security Events and what to do if a DDoS attack is detected. Below are a few references that expand on the power of F5 Distributed Cloud. One example touches on Web Application & API Protection (WAAP).
Reach out to your WWT account team for further information and a possible test drive of F5 Distributed Cloud in our Advanced Technology Center.
F5 Distributed Cloud WAAP:
- F5 Distributed Cloud WAAP YouTube series
- F5 Distributed Cloud WAAP Articles
- Blog: F5 Introduces Comprehensive SaaS-based Security for Web Apps and APIs
- Blog: How to Combat Complexity and Elevate Modern App Security
F5 deployment basic articles: