
Introduction

DDoS (distributed denial of service) attacks are a type of DoS (denial of service) attack. A DDoS attack entails the deployment of a botnet, a collection of compromised internet-connected devices that are used to flood a target website with bogus traffic.

In a DDoS attack, cybercriminals take advantage of the normal behavior of network devices and servers, frequently targeting the network devices that provide the internet connection. As a result, rather than compromising individual servers, attackers target edge network equipment (e.g., routers, switches). A DDoS attack overburdens the network's pipe (bandwidth) or the devices that provide that bandwidth. Years ago these attacks were considered a nuisance that could be mitigated easily; today they are sophisticated and a serious threat. So let us see how F5 Distributed Cloud can be used to protect your applications from DDoS attacks.

DDoS attack classification

When thinking about mitigation techniques against these attacks, it is useful to group them into Infrastructure layer (Layers 3 and 4) and Application layer (Layers 6 and 7) attacks.

Infrastructure layer attacks

Attacks at Layers 3 and 4 are often characterized as Infrastructure layer attacks. These are the most frequent sort of DDoS attack, with vectors such as SYN (synchronize) floods and various reflection attacks such as User Datagram Protocol (UDP) floods. These attacks are often high-volume and try to overwhelm the capacity of the network or the application servers. However, they have distinct signatures and are therefore easier to detect. Layer 3/4 DDoS Mitigation is enabled by default in F5 Distributed Cloud and requires no configuration.

Application layer attacks

Application layer attacks are commonly classified as attacks on Layers 6 and 7. These attacks are less widespread but more complex. They are usually smaller in scale than Infrastructure layer attacks, but they target specific expensive parts of the application, rendering it unavailable to real users. Examples include a flood of HTTP requests to a login page or an expensive search API, and WordPress XML-RPC floods (also known as WordPress pingback attacks).

In this article, you will learn how simple it is to use F5 Distributed Cloud to protect your application from application-layer attacks. Some of the benefits of using F5 Distributed Cloud DDoS Mitigation are:

  • Ensure application and network availability during DDoS attacks
  • Block the malicious traffic while allowing the good, ensuring a good user experience for applications and services
  • Identify and mitigate sophisticated application layer (L6-L7) DDoS attacks that exploit application and infrastructure weaknesses
  • Block the attack where it originates with a global backbone and DDoS mitigation technology
  • Protect small facility and cloud-based applications and services with DNS-based redirection

Configuring F5 Distributed Cloud DDoS Mitigation

From the F5 Distributed Cloud Console select Load Balancers to begin.

For this article, let's assume you have configured a very basic HTTP Load Balancer named "my-web-app". On the right, under Actions, click the 3 dots and select Manage Configuration.

The Basic Configuration shows the Domain name, "mydomain.com" in this example. The Load Balancer is configured as HTTPS with Automatic Certificate and an HTTP redirect to HTTPS. TLS security is set to High.

Under Security Configuration, you may need to scroll down and toggle the Show Advanced Fields button to On to view the DDoS configuration.

Scroll down to ML Config and select Single Load Balancer Application.

Disable API Discovery.

Scroll to the bottom and click Save and Exit.

The application is now protected from Layer 7 DDoS attacks.

How to know when a DDoS attack occurs

Security Events are generated when a DDoS attack occurs. Click HTTP Load Balancers under Virtual Hosts on the left; the load balancer's page includes a Security Monitoring dashboard where these events can be viewed.

Select the DDoS Dashboard to view a geographical map that shows the location of the affected application.

Expand the DDoS Events for more detail. Under Metric, you can see that Error Rate and Request Rate were triggered. Make a note of the IP address listed under Suspicious Users so it can be blocked.

How to mitigate attacks

Go back to Manage > Load Balancers. Click the 3 dots under Actions and select Manage Configuration.

Click Edit Configuration on the top right.

Scroll down to Security Configuration. Find DDoS Mitigation Rules and click Configure.

Click Add item.

Give it a name ("block-by-ip" in this example).

Under Mitigation Choice > IP Source, enter the IP prefixes you want to block.

Note: IP address 1.2.3.4 is only used as an example. CIDR notation such as 1.2.3.0/24 can be used to block an entire subnet.

Click Add item at the bottom.

Then click Apply.

Scroll to the bottom and click Save and Exit.

The attacking client has been blocked and will no longer trigger DDoS Events.
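As an added example (not F5 Distributed Cloud code or configuration), here is a small Python model of the two metrics the DDoS Events panel reported, Request Rate and Error Rate, together with the kind of CIDR-prefix block list an IP Source mitigation rule takes. The log lines and thresholds are constructed; the real service derives its baselines from the ML Config set earlier.

```python
# Added illustration (not F5 Distributed Cloud code): a toy model of the two
# signals the DDoS Events panel reported, Request Rate and Error Rate, plus an
# IP Source block list of CIDR prefixes. Thresholds and log lines are constructed.
import ipaddress
from collections import defaultdict

# Constructed access-log lines, "<client-ip> <status>", all in one time window.
SAMPLE_LOG = """203.0.113.7 200
203.0.113.7 200
198.51.100.22 404
198.51.100.22 503
198.51.100.22 404
198.51.100.22 503
198.51.100.22 404
198.51.100.22 200
198.51.100.23 404
198.51.100.23 404
198.51.100.23 200
192.0.2.10 200""".splitlines()

REQUEST_RATE_LIMIT = 5    # constructed: max requests per client per window
ERROR_RATE_LIMIT = 0.5    # constructed: max share of 4xx/5xx per client

def suspicious_clients(lines, req_limit=REQUEST_RATE_LIMIT, err_limit=ERROR_RATE_LIMIT):
    """Map each client IP that crosses a threshold to the metrics it triggered."""
    requests, errors = defaultdict(int), defaultdict(int)
    for line in lines:
        ip, status = line.split()
        requests[ip] += 1
        errors[ip] += int(status) >= 400
    flagged = {}
    for ip, count in requests.items():
        metrics = [name for name, hit in (
            ("Request Rate", count > req_limit),
            ("Error Rate", errors[ip] / count > err_limit)) if hit]
        if metrics:
            flagged[ip] = metrics
    return flagged

def to_prefixes(ips, prefix_len=24):
    """Collapse flagged addresses into /24 networks for an IP Source rule."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in ips}
    return sorted(str(n) for n in nets)

def is_blocked(ip, prefixes):
    """Mitigation check: is the client inside any blocked prefix?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)
```

Running `to_prefixes(suspicious_clients(SAMPLE_LOG))` collapses the two flagged neighbours into a single `198.51.100.0/24` entry, which is the trade-off of blocking by subnet: other hosts in that /24 are blocked as well.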

Summary

In this article, you learned how to enable and configure L7 DDoS Mitigation with F5 Distributed Cloud. We also went over monitoring Security Events and what to do when a DDoS attack is detected. Below are a few references that expand on the capabilities of F5 Distributed Cloud, including WAAP (Web Application & API Protection).

Reach out to your WWT account for further information and a possible test drive in the Advanced Technology Center.

References

F5 Distributed Cloud WAAP:

F5 Distributed Cloud WAAP YouTube series

F5 deployment basic articles:

F5 SSLO Deployment Guides

Start your Journey of F5 + WWT

Labs:

Service Chain Management Process with SSLO