
Psilva's Prophecies

Peter Silva


Mitigate L7 DDoS with BIG-IP ASM

Today, let’s look at a couple of ways to mitigate an application DDoS attack with BIG-IP ASM.

We’ve logged into a BIG-IP ASM and navigated to Security > DDoS Protection > DDoS Profiles. In the General Settings of Application Security, we’ll activate an application DoS iRule event.


We’ll click TPS-based Detection to see the TPS thresholds, which have been temporarily lowered so that an attack is easy to simulate. Often, multiple mitigation methods are applied sequentially, as you can see in the Source IP settings.


We can also record packet captures of the traffic during attacks for post-attack analysis.


When the user requests a web application proxied by BIG-IP ASM, ASM will create a unique identifier or a Device ID. ASM will inject JavaScript to register each client device. You can see X-Device-ID: at the bottom.


And JavaScript-incapable clients never make it through.


Now that the unit is ready, let’s enable some packet capture and have a go at that Damn Vulnerable Web Application (DVWA).


The path for the log files is /var/log/ or /shared/log/… The PCAP folder is empty, so let’s see the action.


Attack commences in 3-2-1. Some quick refreshes should do, as our thresholds are low.


The first mitigation is Client Side Integrity Defense. The system issues a client-side integrity challenge that consumes client computation resources and slows down the attack. Next is Built-in Captcha. The third mitigation is Rate Limiting…


…then, if they’re still not listening, you can instantly transform into a Honeypot.


The logs below show the IP address and the type of mitigation technique deployed: first Integrity, then Captcha, then Rate Limiting, then Honeypot if they don’t stop. The traffic you recorded will be found in the now-populated PCAP folders.
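To make the sequence concrete, here is a simplified model of per-source-IP TPS detection with sequential mitigations. It is an example added here, not F5's code or ASM's actual algorithm. The threshold, window, escalation interval, release rule and the two documentation-range IP addresses are all assumptions chosen for the demo.

```python
from collections import defaultdict, deque

# Mitigation order as the post describes it.
LADDER = ["client-side integrity defense", "captcha", "rate limiting", "honeypot"]

class SourceIpTpsDetector:
    """Toy model of TPS-based detection per source IP (not ASM's algorithm)."""

    def __init__(self, tps_threshold=5, window_ms=1000, escalate_after_ms=2000):
        # All three values are assumptions chosen for the demo.
        self.tps_threshold = tps_threshold
        self.window_ms = window_ms
        self.escalate_after_ms = escalate_after_ms
        self.seen = defaultdict(deque)   # ip -> request timestamps in window
        self.state = {}                  # ip -> (ladder index, time applied)

    def observe(self, ip, ts_ms):
        """Record one request; return the mitigation in force, or None."""
        q = self.seen[ip]
        q.append(ts_ms)
        while q[0] <= ts_ms - self.window_ms:
            q.popleft()
        tps = len(q) * 1000 / self.window_ms
        if tps <= self.tps_threshold:
            self.state.pop(ip, None)     # assumed rule: calm source is released
            return None
        level, since = self.state.get(ip, (-1, None))
        if level < 0 or (ts_ms - since >= self.escalate_after_ms
                         and level < len(LADDER) - 1):
            level, since = level + 1, ts_ms
            self.state[ip] = (level, since)
        return LADDER[level]

def replay(requests, **settings):
    """Return (ts_ms, ip, mitigation) each time a source moves up the ladder."""
    det, current, log = SourceIpTpsDetector(**settings), {}, []
    for ts_ms, ip in sorted(requests):
        mitigation = det.observe(ip, ts_ms)
        if mitigation != current.get(ip):
            current[ip] = mitigation
            if mitigation:
                log.append((ts_ms, ip, mitigation))
    return log

# Constructed traffic: one source at 10 requests/s, one at 1 request/s.
FLOOD = [(i * 100, "203.0.113.10") for i in range(80)]
NORMAL = [(i * 1000, "198.51.100.7") for i in range(8)]

if __name__ == "__main__":
    for entry in replay(FLOOD + NORMAL):
        print(entry)
```

The replay log has the same shape as the log described above: source IP plus the mitigation applied, in escalation order, while the low-rate source never appears.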


Thanks to F5 SE Artiom Lichtenstein for the demo video.

ps
