
Distributed-denial-of-service (DDoS) attacks are a type of denial-of-service (DoS) attack. DDoS attacks entail the deployment of a botnet — a collection of connected online devices used to flood a target website with bogus traffic.

In a DDoS attack, cybercriminals abuse the normal behaviour of network devices and servers, frequently targeting the network devices that provide the internet connection itself. As a result, rather than compromising individual servers, attackers go after edge network equipment such as routers and switches. DDoS attacks overburden the network's pipe (its bandwidth) or the devices that provide that bandwidth.

Years ago, DDoS attacks were considered an easily mitigated nuisance. Today, they're viewed as much more sophisticated and threatening.

In this article, we review how F5 Distributed Cloud can help. You'll learn how to enable and configure Layer 7 DDoS Mitigation with F5 Distributed Cloud. Plus, we review how to monitor Security Events and what to do if a DDoS attack is detected.

Some benefits of F5 Distributed Cloud DDoS Mitigation include:

  • Ensuring application and network availability during DDoS attacks.
  • Blocking malicious traffic while allowing good traffic through (while ensuring a good user experience for apps and services).
  • Identifying and mitigating sophisticated application-layer DDoS attacks that exploit application and infrastructure weaknesses.
  • Blocking attacks using a global backbone and DDoS mitigation technology.
  • Protecting small facilities and cloud-based applications and services with DNS-based redirection.

Let's dive in!

DDoS attack classification

When thinking about effective DDoS attack mitigation techniques, it's useful to group attacks into two buckets: attacks at the Infrastructure layer (Layers 3 and 4) and attacks at the Application layer (Layers 6 and 7).

Infrastructure-layer attacks

DDoS attacks on layers 3 and 4 are often characterized as Infrastructure-layer attacks. These are the most frequent form of DDoS attack. Such attacks are often high-volume and try to overwhelm the capacity of the network or the application servers. However, Infrastructure-layer attacks have distinct signatures and are thus easier to detect. Examples include attack vectors that leverage TCP synchronize (SYN) floods and various reflection attacks such as User Datagram Protocol (UDP) floods.

With F5 Distributed Cloud, Layer 3/4 DDoS Mitigation is enabled by default and requires no configuration of the F5 Distributed Cloud service.

Application-layer attacks

Application-layer attacks are commonly classified as attacks on layers 6 and 7. While less widespread, Application-layer attacks are more complex. Though they often feature lower volumes than Infrastructure-layer attacks, they tend to specifically target expensive areas of an application, rendering it unavailable to real users. Examples include a flood of HTTP requests to a login page, an expensive search API, or even WordPress XML-RPC floods (also known as WordPress pingback attacks).

Configuring F5 Distributed Cloud DDoS Mitigation

So how do you configure F5 Distributed Cloud to protect against DDoS attacks? From the F5 Distributed Cloud Console, select "Load Balancers" to begin.

View of F5 Distributed Cloud Console, highlighting the Load Balancer option

For this article, let's assume you have configured a very basic HTTP Load Balancer named "my-web-app." On the right under Actions, click the three dots ("…") and select "Manage Configuration."

F5 Cloud Console view with an arrow pointing to the Manage Configuration option.

The Basic Configuration shows the Domain name, "mydomain.com" in this example. The Load Balancer is configured as HTTPS with Automatic Certificate and an HTTP redirect to HTTPS. TLS security is set to High.

Visualization of the basic configuration steps

Under Security Configuration, you may need to scroll down and toggle the Show Advanced Fields button to On to view the DDoS configuration.

Visualization of the "Show Advanced Fields" toggled to "ON"

Scroll down to ML Config and select "Single Load Balancer Application."

Visualization of the Single Load Balancer Application Section

Disable API Discovery.

Visualization of Disabling API Discovery

Scroll to the bottom and click "Save and Exit."

Visualization of where to save your changes

The application is now protected from Layer 7 DDoS attacks.

How to know when a DDoS attack occurs

Security Events will be generated when a DDoS attack occurs. Click on "HTTP Load Balancers" under Virtual Hosts on the left. You should see your Load Balancer, and the Security Monitoring dashboard within the load balancer's sections, as in the image below.

Visualization of HTTP Load Balancer location and Security Monitoring location on dashboard.

The Security Events can be viewed from the Security Monitoring Dashboard.

View of Security Monitoring Dashboard

Select the DDoS Dashboard to view a geographical map that shows the location of the affected application.

View of the DDoS dashboard

Expand the DDoS Events for more detail. Under the Metric field, we can see that the Error Rate and Request Rate thresholds were triggered. Make a note of the Suspicious Users' IP address so it can be blocked.

Where to expand your view on the Dashboard, including the location of the Metric field.

How to mitigate attacks

Go back to Manage > Load Balancers. Click the three dots ("…") under Actions and select "Manage Configuration."

Manage Configuration Option

Click "Edit Configuration" on the top right.

Edit Configuration Option

Scroll down under Security Configuration. Find the DDoS Mitigation Rules and click "Configure."

Configure Option for DDoS Mitigation rules

Click "Add Item."

Add Mitigation Rule

Give it a name ("block-by-ip" in this example).

Naming Mitigation rule

Under Mitigation Choice > IP Source, enter the IP prefixes you want to block.

IP Source that needs to be blocked

Note: IP address 1.2.3.4 is only being used as an example. CIDR notation such as 1.2.3.0/24 can be used to block an entire subnet.

Click "Add Item" at the bottom.

Add Item option

Then click "Apply."

Apply Button Option

Scroll to the bottom and click "Save and Exit."

Save and Exit option

The attacking client has been blocked and will no longer trigger DDoS Events.
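To make the two halves of this workflow concrete, here is a small added example (not code from the original article or from F5): it computes the per-client Request Rate and Error Rate signals the DDoS Events reported, flags suspicious clients, and models a "block-by-ip" rule as a list of IP prefixes so that a /24 covers the whole subnet. The log format, thresholds and rule structure are assumptions, not the F5 Distributed Cloud API.

```python
import ipaddress
from collections import defaultdict

def constructed_log():
    """Constructed sample access log, one record per line: '<unix_ts> <client_ip> <status>'.
    One legitimate client, and one client hammering a login page with 30 failed
    requests in five seconds (the kind of application-layer flood the article describes)."""
    lines = [f"{1700000000 + i * 3} 198.51.100.7 200" for i in range(3)]
    lines += [f"{1700000000 + i // 6} 203.0.113.9 401" for i in range(30)]
    return "\n".join(lines)

def parse_log(text):
    """Return a list of (timestamp, client_ip, status) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, status = line.split()
            events.append((int(ts), ip, int(status)))
    return events

def client_stats(events):
    """Per client: (requests per second over the seconds observed, share of 4xx/5xx responses)."""
    by_ip = defaultdict(list)
    for ts, ip, status in events:
        by_ip[ip].append((ts, status))
    stats = {}
    for ip, hits in by_ip.items():
        span = max(t for t, _ in hits) - min(t for t, _ in hits) + 1  # inclusive seconds
        errors = sum(1 for _, s in hits if s >= 400)
        stats[ip] = (len(hits) / span, errors / len(hits))
    return stats

def suspicious_clients(events, max_rps=5.0, max_error_rate=0.5, min_requests=10):
    """Clients exceeding either threshold (assumed values). min_requests avoids flagging a
    quiet client whose single 404 would otherwise give a 100% error rate."""
    return sorted(ip for ip, (rps, err) in client_stats(events).items()
                  if len([e for e in events if e[1] == ip]) >= min_requests
                  and (rps > max_rps or err > max_error_rate))

def build_block_rule(name, prefixes):
    """Model of a mitigation rule keyed by IP Source: a name plus IP prefixes (hypothetical shape)."""
    return {"name": name, "ip_prefixes": [ipaddress.ip_network(p, strict=False) for p in prefixes]}

def is_blocked(rule, client_ip):
    """True when the client address falls inside any prefix of the rule."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in rule["ip_prefixes"])
```

Running `suspicious_clients(parse_log(constructed_log()))` flags only the 203.0.113.9 client, and a rule built with `203.0.113.0/24` then blocks every address in that subnet.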

Summary

In this article, you've learned how to enable and configure L7 DDoS Mitigation with the F5 Distributed Cloud. We also went over the monitoring of Security Events and what to do if a DDoS attack is detected. Below are a few references that expand on the power of F5 Distributed Cloud. One example touches on Web Application & API Protection (WAAP).

Reach out to your WWT account team for further information and a possible test drive of F5 Distributed Cloud in our Advanced Technology Center.

References

F5 Distributed Cloud WAAP:

F5 deployment basic articles:
