F5 Agility Labs - Index¶

Task 1 – Initial Set-up¶

• Open a web browser and access supplied link.(Given at Location)
• Login to the BIG-IP Configuration Utility via your preferred browser?

Note

When you first power up a F5 DHD device you would go through the steps of Licensing and Provisioning. We have assigned the management IP, hostname, NTP and DNS servers. You will be re-activating the license using a new license key.

• On the System > Platform page configure the following, and then click Update.

  Host Name	<your name>.f5demo.com
  Root Account (Password and Confirm)	f5DEMOs4u
  Admin Account (Password and Confirm)	f5DEMOs4u

• This will log you out. Log back in

• On Device Management->Devices select the device and then click “Change Device Name…”. Update the device name to match the hostname you have chosen. Retain Current Authority

• Click Update to save changes

• Review and Verify the following: System -> Configuration -> Device -> NTP page add pool.ntp.org to the Time Server List, and then click Update.

• Review and Verify the following: System -> Configuration -> Device ->DNS page add 8.8.8.8 to the DNS Lookup Server List, and then click Update.

• Open the System > License page and re-activate the BIG-IP system using the new development license key using Manual mode. Copy and Paste License file.

  

• Click Next and explore Resource Provisioning page

• When done click Submit.

• Access the Jumbox via RDP. PuTTY into the Hybrid Defender. Login with root and restart services

  bigstart restart

Take a break, ask questions, talk to your neighbor ..it will take several minutes to restart

Task 2 – DDoS Hybrid Defender iApp and Base Configuration¶

• In the BIG-IP Configuration Utility, open DoS Protection > Quick Configuration page.

• Select Install RPM method of Onboard

• Click Install

  

• Open the About page

  

• This page displays the current version of DDoS Hybrid Defender (DHD). You use this page to install and update the iApp LX version for DHD when newer versions are released.

  

• In the BIG-IP Configuration Utility, click iApps, Templates and Import, importing the two templates located on the jumpbox documents folder.

  

• Use the Browse and Upload buttons. (You will do this once for each template)

• In the BIG-IP Configuration Utility, open iApps > Application Services and select Create

  

• You will be creating two services based on the two Silverline Templates:

  • F5.silverline_connector
  • F5.silverline_dos_monitor

  

• Use the default settings for the Silverline connector

• Use the Silverline username and password supplied

• Create the 2^nd service for the Silverline DOS Monitor (f5.silverline_dos_monitor)

  

• Use the default settings for the dos_connector except for Volumetric Attack Event Monitoring, switch the network object from interface to VLAN.

  

• Open the DoS Protection > Quick Configuration Network Configuration page.

  

• In the Default Network section click default VLAN.

• Configure the VLANs using following information, and then click Done Editing.

  Internal: VLAN Tag	20
  Internal: Interfaces	1.2 Untagged
  Internal: IP Address / Mask	10.1.20.240/21 (Click Add)
  External: VLAN Tag	10
  External: Interfaces	1.1 Untagged (Click Add)

  

• At the bottom of the page click Update to create the default network.

• Open the Network > VLANs > VLAN Groups page and click defaultVLAN.

• A Bridged (VLAN Group) L2 configuration consistent recommended practices for most deployments was automatically created

• Open the Network > DNS Resolvers > DNS Resolver list page and click Create.

• Enter default_DNS_resolver and then click Finished.

• A DNS resolver is required by bot signatures to allow for proper detection of benign search engines such as Google and Bing.

• On the Jumpbox desktop, PuTTY to the BIG-IP

• Login as root

• Verify DNS by typing the following

  nslookup api.f5silverline.com

• Type the following to verify the correct date setting:

  date

• If the BIG-IP system date is not accurate, correct it using the following commands:

  bigstart stop ntpd
  ntpdate 10.1.1.254
  bigstart start ntpd
  

Task 3 – Configure Silverline Signaling¶

• In the BIG-IP Configuration Utility, open the DoS Protection > Quick Configuration page.

• Open the Silverline page.

  

• Configure using following information, and then click Update.

  Username	dhd2017us@f5agility.com
  Password	HybridDefense!Wins!
  Service Address	https://api.f5silverline.com

• Register the device with the Silverline iApp, to provide bandwidth utilization updates in iApps->Application Services->Applications->silverline_connector. In the iApp, select Reconfigure and then click Finished. This will cause the iApp to register under the new device name.

• Use a web browser and access https://portal.f5silverline.com.

• Log in with the above credentials

• In the Silverline browser, open the Config->Hybrid Configuration->Hybrid Device Management page.

  

• Locate your DHD device by searching for (<your name prefix>.f5demo.com) .

• Click the Approve button to approve device registration.

  

Task 4 – Configure DHD Device Bandwidth Thresholds¶

• In the DoS Protection > Quick Configuration page, open the

  Protected Objects page.

• In the Network Protection section click Create.

• Configure using following information, and then click Save.

  Maximum Bandwidth: Specify	500
  Scrubbing Threshold: Type	Percentage
  1.20Scrubbing Threshold: Value	75
  Advertisement Method	Silverline
  Scrubber Details: Type	Advertise All

  

• That completes the setup for BIG-IP DDoS Hybrid Defender with Silverline integration.

Task 1 – Create Protected Objects that the baseline traffic will be targeting¶

• In the BIG-IP Configuration Utility, open the DoS Protection>>Quick Configuration page and in the Protected Objects section click Create.

• Configure a protected object using the following information, and then click Create.

  Name	Server5
  IP Address	10.1.20.15
  Port	*
  Protocol	All Protocols
  VLAN	Any
  Protection Settings: Action	Log and Mitigate
  Protection Settings: Silverline	Yes (selected)
  Protection Settings: DDoS Settings	IPv4, TCP,

  

• This protected object will be used for Auto-Threshold

  

Task 2 – Run Scripts to start L4 traffic generation – Good Traffic¶

• Putty SSH (use the shortcut) to open a shell to the good client system.

• Login as user : ubuntu. The session is preconfigured to authenticate with a certificate.

• Start the auto-threshold baselining script with:

  # sudo bash
  # cd ~/scripts
  # ./baseline_l4.sh
  

Task 1 – Disable Device-Level DHD DoS Protection¶

In this lab you will disable device-level DoS flood protection, and then issue an ICMPv4 flood and review the results.

• PuTTY to the BIG-IP CLI (10.1.1.245) and resize window by making it wider. Login with root/f5DEMOs4u.

• At the config prompt, type (or copy and paste) the following command:

  tcpdump -i 0.0

• Open a second PuTTY window and Load the Attacker Saved Session at 10.1.1.7 and log in as ubuntu. I’t will use a pre-loaded public key as the credentials.

  

• At the config prompt, type (or copy and paste) the following command:

  ping 10.1.20.12

The attacker can successfully communicate with a back-end resource behind the BIG-IP DHD.

• Examine the tcpdump window and verify ICMP packets are flowing through the BIG-IP DHD.

• Cancel the ping command, then verify the tcpdump stops receiving ICMP packets, and then press Enter several times to clear the recent log entries.

• In the Configuration Utility, in the DoS Protection, Quick Configuration, Device Protection section click Device Configuration.

  

• In the Bad Headers row click the + icon, and then click Bad Source.

• On the right-side of the page select the drop-down to “Don’t Enforce”

  

• In the Flood row click the + icon, and then click ICMPv4 flood.

• On the right-side of the page select the drop-down to “Don’t Enforce”

  

  • Apply the settings above for TCP SYN flood and UDP Flood., and then click Update.

• On the Jumpbox in the Attacker PuTTY window type (or copy and paste) the following:

  # sudo su
  # cd scripts
  # ls
  

These are the different scripts we’ll be using during the exercises to simulate DoS attacks.

• Type (or copy and paste) the following commands:

  for i in {1..10}; do ./icmpflood.sh; done

This script launches 1,000,000 ICMP requests and then repeats for a total of ten occurrences.

• View the tcpdump window and verify that ICMP attack traffic is reaching the back-end server.

• Let the attack run for about 15 seconds before moving on.

• In the Configuration Utility, open the Statistics > Performance > Performance page.

• View the Active Connections and Total New Connections charts.

• There is a drastic spike in active connections.

  

• View the Throughput (bits) and Throughput (packets) charts.

There is also a drastic spike in both bits per second and packets per second.

• Open the Security > Event Logs > DoS > Network > Events page.

The log file is empty as we disabled device-level flood protection on BIG-IP DHD.

• On the Jumpbox Attacker shell slowly type Ctrl + C several times until back at the scripts prompt.

Task 2 – Re-enable Device-Level DHD DoS Protection¶

In this task you will re-configure device-level DoS protection, and then issue an ICMPv4 flood and review the results.

• In the Configuration Utility, in the Device Protection section click Device Configuration.

  

• In the Bad Headers row click the + icon, and then click Bad Source.

• On the right-side of the page select the drop-down to “Enforce”

  

• In the Flood row click the + icon, and then click ICMPv4 flood.

• On the right-side of the page select the drop-down to “Enforce”

  

• Click Update.

• On the Jumpbox in the Attacker A PuTTY window re-run the following command:

  for i in {1..10}; do ./icmpflood.sh; done

• Let the attack run for about 15 seconds before moving on.

• In the Configuration Utility, open the Security > Dos Protection > DoS Overview > page

• You should see the attacks and statistics. Explore the sections

  

• In the Configuration Utility, open the Security > Event Logs > DoS > Network > Events page.

• Sort the event by Time in descending order.

There are now log entries showing dropped packets.

• The DoS Source is Volumetric, Aggregated across all SrcIP’s, Device-Wide attack, metric:PPS.
• The type is ICMPv4 flood.
• The action is Drop.
• On the Jumpbox Attacker shell slowly type Ctrl + C several times until back at the scripts prompt.

Task 3 – Configure Protected Object-Level IPv4 Flood DHD DoS Protection¶

In this task you will configure object-level DoS IPv4 flood protection, and

then issue an ICMPv4 flood and review the results.

• On the Protect Objects page, in the Protected Objects section click Create.

• Configure a protected object using the following information, and then click Create.

  Name	ServerNet
  IP Address	10.1.20.0/22
  Port	*
  Protocol	All Protocols
  Protection Settings: Action	Log and Mitigate
  Protection Settings: DDoS Settings	IPv4

• In the IPv4 row click the + icon, and then click ICMPv4 flood.

• On the right-side of the page configure using the following information, and then click Create at the bottom of the page.

  Detection Threshold PPS	Specify: 1000
  Detection Threshold Percent	Infinite
  Rate/Leak Limit	Specify: 1000

• On the Jumpbox in the Attacker A PuTTY window re-run the following command:

  for i in {1..10}; do ./icmpflood.sh; done

• Examine the tcpdump window to see if there are any ICMP packets hitting the back-end server.

• Let the attack run for about 30 seconds before moving on.

• In the Configuration Utility, click DoS Protection > Quick Configuration > ServerNet, and then in the IPv4 row click the + icon.

  

• Open the Security > Event Logs > DoS > Network > Events page.

• The DoS Source is Volumetric, Aggregated across all SrcIP’s, VS-Specific attack, metric:PPS.

• The context column displays /Common/ServerNet, identifying this is protected object-level protection.

• The action is Drop.

• The difference between packets in per second and dropped packets is roughly 1000.

• On the Jumpbox slowly type Ctrl + C several times until back at the scripts prompt.

• In the BIG-IP PuTTY window type Ctrl + C to stop the tcpdump.

Task 4 – View the DoS Visibility Page¶

You can now use the new DoS Visibility page to view statistics about the

DoS attacks you submitted during this exercise.

• Open the Statistics > DoS Visibility page.

  Note

  It may take a couple of minutes for the correct data to display.

• In the Attack Duration window there are several attacks.

  

• Mouse over several of the attacks to get additional details of each attack.

• Scroll down in the left-side of the page to view the Attacks section.

• You can see the number of high, moderate, and low attacks in addition to the types of attacks (HTTP, DNS, Network) and the severity levels.

• View the details at the bottom of the Attacks section.

  

This table displays details of each attack that has occurred.

• Sort this table by Vector.

  

• Scroll down in the left-side of the page to view the Virtual Servers section.

You can see the details of device-wide attacks (Device Level) and protected object-level attacks (/Common/ServerNet).

• Scroll down in the left-side of the page to view the Countries section.
• View the details at the bottom of the Countries section.

This table displays the attack details from each country.

• View the various widgets in the panel on the right-side of the page.

• Click Network to filter out only the network-level attacks (all the attacks so far have been network-level).

  

• If it’s not already expanded, expand the Virtual Servers widget, and then select /Common/ServerNet.

• This filters the results to only attacks at this protected object-level. Notice the changes to the map on in the Countries section.

• Click /Common/ServerNet to remove the filter.

• Drag the resize handle on the right-side of the main window as far to the left as possible.

  

• Expand the Vectors widget, and then select ICMPv4 flood.

• Expand the Client IP Addresses widget.

  Question: How many client IP addresses contributed to this attack?

• Expand the Countries widget.

• Sort the countries by Dropped Requests.

  

• Select China, and then view the changes to both the Client IP Addresses widget and the map.

• At the top of the page open the Analysis page.

• Drag the resize handle on the as far to the right as possible.

• Examine the Avg Throughput (Bits per second) graph.

• Place your mouse over the peak in the graph.

  Question: What is the Average client in throughput during the attack?

• Feel free to examine more of the Dashboard page and the Analysis page.

Task 1 - Access DoS Quick Configuration and display the ServerNet protected object¶

This protected object is defending all ports/protocols for 10.1.20.0/24, which is the network behind the Hybrid Defender. Attacks will be launched at 10.1.20.12, which is an interface on the LAMP server. Verify that the following vectors are configured:

Launch the attacks and show the behavior

• Open the following tabs in the DHD UI:

• DoS Protection->Quick Configuration->ServerNet

• Security->DoS Protection->DoS Overview (leave the filter at default: ’DoS Attack’)

• Statistics->DoS Visibility

• Access the Attacker System CLI and run the attack

  # cd ~/scripts
  # sudo bash
  # ./multivector.sh
  

  • Click Refresh on the DoS Overview page. You will see some attacks mitigated by Device Configuration and some mitigated by the more specific settings on the ServerNet Protected Object.

  

Navigate to Security->Event Logs->DoS->Network->Events.

• Click on “custom search…” link.

• Drag one of the values from the “Attack Type” column into the custom search builder. From the Action column, drag Drop into the search builder. Click “Search”.

  

• Further explore the DoS Event logs as needed for your demo. For example, clear the search and identify the “Stop” and “Start” times for an attack, etc.

• In the Hybrid Defender WebUI, access the DoS Visibility reporting tool at Statistics->DoS Visibility.

• You should see the attacks in the timeline and a variety of details in the windows. Use the slider to shorten the timeframe if needed, and click the Network filter, to focus on L4 activities.

  

  Note

  that you can select events from the timeline and see details about the attacks

  

• Log in to Silverline at https://portal.f5silverline.com.

• Navigate to Monitor and Analyze > Stats > Hybrid Device. Locate your device and explore the interface.

Task 1 - Open the following tabs in the DHD UI:¶

• DoS Protection->Quick Configuration->ServerNet
• Security->DoS Protection->DoS Overview (leave filter at default: “DoS Attack”)
• Statistics->DoS Visibility
• Security->Event Logs->Network->IP Intelligence

Task 2 – Configure the following UDP Flood vectors for ServerNet:¶

• DoS Protection->Quick Configuration->ServerNet

  

• Access the Attacker system CLI and run the UDP flood attack:

  # sudo bash
  # cd ~/scripts
  # ./udp_flood.sh
  

  From the menu, select ‘1’ to start the attack

  root@attacker-a:~/scripts# ./udp_flood.sh
  
  1)Attack start
  2)Attack end
  3)Quit
  
  # ?
  

• In the Hybrid Defender UI, show the Security > DoS >DoS Overview page. Note the blocks by Bad Actor.

  

• In the Hybrid Defender UI, show the Security > Events > Network > IP Intelligence Event Logs. Note the IP addresses that are being added to the denial_of_service blacklist.

  

• In the Hybrid Defender WebUI, show the Statistics > DoS Visibility. Expand the Vectors inspector and select UDP Flood. When it updates, select a flood from the timeline. Note in the Attacks panel the #IPs blocked is 10.

  

From the menu, select ‘2’ to end the attack

or

# sudo bash
# killall -9 hping3

Task 1 – BIG-IP Herculon Hybrid Defender Licensing and Provisioning¶

Use a web browser (Chrome in incognito mode) to log into the WebUI of your DHD at https://10.1.1.245 . or use the bookmarked shortcut. Accept the SSL warning and proceed to connect.

• Username : admin

• Password : f5DEMOs4u

• Click System>>License and Click Re-activate

  

• Click Edit button, replace the existing key by entering your student license key. Select the “Manual” radio button and Click Next.

  

• Select all in the Dossier frame and copy. Click on “Click here to access F5 Licensing Server”

  

• You will be taken to the F5 Activation Site. Enter your Dossier that you copied in the step above and click next. Accept User Legal Agreement - Check box to agree to terms of license and click next.

  

• Select Everything the License frame and copy it.

  

• Go back to your F5 DHD management and paste the contents copied from above into Step 3: License and Click Next.

  

• The bigip will restart daemons and a window will pop up indicating system configuration has changed. Please wait for it to reconnect and click Continue. Your device is now licensed. Click Next.

  

• On the Resource Provisioning page validate that Management and DDOS Protection are provisioned.

• Click Submit once.

  

Task 2 – BIG-IP Herculon Hybrid Defender Initial Setup¶

• Click System>>Platform

• Change the hostname to <yourfirstinitiallastname>.hybriddefender.f5agility.com. For example, John Smith would register as jsmith.hybriddefender.f5agility.com. This is needed so that we can register your DHD to Silverline and uniquely identify it. Click Update.

  

• Click Device Management>>Devices select the device and then click “Change Device Name…”. Update the device name to match the hostname you have chosen and click Update

  

• Use Putty Shortcut to ssh to the F5 DHD and login as: root password: f5DEMOs4u

  

• From the Hybrid Defender shell, restart services with:

# bigstart restart

• Click System>>Configuration>>Device>>NTP and review that NTP server is configured
• Click System>>Configuration>>Device>>DNS and review that DNS server lookup is configured

Task 1 – Create Protected Objects that the baseline traffic will be targeting¶

• In the BIG-IP Configuration Utility, open the DoS Protection>>Quick Configuration page and in the Protected Objects section click Create.

• Configure a protected object using the following information, and then click Create.

  Name	Server5
  IP Address	10.1.20.15
  Port	*
  Protocol	All Protocols
  VLAN	Any
  Protection Settings: Action	Log and Mitigate
  Protection Settings: Silverline	Yes (selected)
  Protection Settings: DDoS Settings	IPv4, TCP,

  

• This protected object will be used for Auto-Threshold

  

Task 2 – Run Scripts to start L4 traffic generation – Good Traffic¶

• Putty SSH (use the shortcut) to open a shell to the good client system.

• Login as user : ubuntu. The session is preconfigured to authenticate with a certificate.

• Start the auto-threshold baselining script with:

  # sudo bash
  # cd ~/scripts
  # ./baseline_l4.sh
  

Task 1 – Disable Device-Level DHD DoS Protection¶

Disable device-level DoS flood protection, and then issue an ICMPv4 flood and review the results.

• Ssh (putty) into the BIG-IP DHD using the shortcut provided. Resize the BIG-IP putty ssh window by making it wider.

• At the config prompt, type (or copy and paste) the following command:

  tcpdump -i 0.0 host 10.1.20.12

• Open a second putty window and ssh to the Attacker (use shortcut on the desktop) and log in as ubuntu. It will authenticate using the ssh key provided automatically.

• At the attacker config prompt, type (or copy and paste) the following command:

  ping 10.1.20.12

The attacker can successfully communicate with a back-end resource behind the BIG-IP DHD

• Examine the tcpdump window and verify ICMP packets are flowing through the BIG-IP DHD.

• Cancel the ping command (Ctrl+C), then verify the tcpdump stops receiving ICMP packets, and then press Enter several times to clear the recent log entries.

• In the Configuration Utility, in the Device Protection section click Device Configuration.

  

• In the Bad Headers row click the + icon, and then click Bad Source.

• On the right-side of the page select the drop-down to “Don’t Enforce”

  

• In the Flood row click the + icon, and then click ICMPv4 flood.

• On the right-side of the page select the drop-down to “Don’t Enforce”

  

• Click Update.

• In the Attacker putty window type (or copy and paste) the following:

  # sudo bash
  # cd ~/scripts
  # for i in {1..10}; do ./icmpflood.sh; done
  

  This script launches 1,000,000 ICMP requests and then repeats for a total of ten occurrences.

• View the tcpdump window and verify that ICMP attack traffic is reaching the back-end server.

• Let the attack run for about 15 seconds before moving on.

• In the Configuration Utility, open the Statistics >> Performance >> Performance page.

• View the Active Connections and Total New Connections charts.

  There is a drastic spike in active connections.

  

• View the Throughput (bits) and Throughput (packets) charts.

  There is also a drastic spike in both bits per second and packets per second.

• Open the Security >> Event Logs >> DoS >> Network >> Events page.

  The log file is empty as we disabled device-level flood protection vector on BIG-IP DHD.

• In the Attacker putty ssh shell slowly hit Ctrl + C several times until the prompt is back at the /scripts.

Task 2 – Re-enable Device-Level DHD DoS Protection¶

• In the Configuration Utility, in the Device Protection section click Device Configuration.

  

• In the Bad Headers row click the + icon, and then click Bad Source.

• On the right-side of the page select the drop-down to “Enforce”

  

• In the Flood row click the + icon, and then click ICMPv4 flood.

• On the right-side of the page select the drop-down to “Enforce”

  

• Click Update.

  This returns the configuration back to factory supplied device level enforcement.

Task 3 – Configure Protected Object-Level Network DoS Protection¶

With the DHD device wide protection provides a line of defense and is enforced for all traffic flowing through the device. For more granular control, we use protected objects and configure mitigation settings for those objects to be enforced. In this task we will configure object-level DoS network multi-vector protection, and then issue an attack and review the results in the next task.

• Go to Dos Protection>>Quick Configuration

• On the Protect Objects page, in the Protected Objects section click Create.

• Configure a protected object using the following information, and then click Create.

  Name	ServerNet
  IP Address	10.1.20.0/24
  Port	*
  Protocol	All Protocols
  Protection Settings: Action	Log and Mitigate
  Protection Settings: DDoS Settings	IPv4,TCP,UDP, Sweep
  Maximum Bandwidth: Specify	200
  Enable External Redirection	Checked
  Scrubbing Threshold: Percentage	90%
  Scrubbing	Silverline
  Silverline	Checked

  

• Verify the newly created protected object:

  

• Click on the “ServerNet” object and configure the following vectors and click Update.

  Vector	Detection Thresh. PPS	Detection Thresh %	Rate Limit
  ICMP Fragment	100	500	200
  ICMPv4 Flood	100	500	200
  IP Fragment Flood	100	500	200
  TCP SYN Flood	100	500	200
  TCP SYN Oversize	100	500	200

  

  

Task 4 – Launch the attack and view the results¶

• Click DoS Protection>>Quick Configuration->ServerNet

• Open the following as new tabs (right click and select open link in a new tab) in the DHD UI (Google Chrome Window):

• Security>>DoS Protection>>DoS Overview (leave the filter at default: ‘DoS Attack’ and change auto refresh to 20 seconds)

• Statistics>>DoS Visibility

• Access the Attacker System CLI/shell and launch the attack:

  # sudo bash
  # cd ~/scripts
  # ./multivector.sh
  

  The attacks will be detected immediately. Let the attacks run for a couple of minutes. Click Refresh on the DoS Overview page and it will start to populate. You will see some attacks mitigated by Device Configuration and some mitigated by the more specific settings on the ServerNet Protected Object:

  

• Navigate to Security>>Event Logs>>DoS->Network>>Events.

• Click on “custom search…” link.

• Drag one of the values from the “Attack Type” column into the custom search builder. From the Action column, drag Drop into the search builder. Click “Search”

  

  Further explore the DoS Event logs. For example, clear the search and identify the “Stop” and “Start” times for an attack, etc.

• In the Hybrid Defender WebUI, access the DoS Visibility reporting tool at Statistics>>DoS Visibility. If you get a time-skew warning, then please ignore it as it’s the Windows PC that can’t keep the clock right.

  Note

  The DoS Visibility is a reporting tool, not a real-time monitoring tool. Events are displayed, much like other AVR-based reporting, in 5 minute windows. Do not expect events to be shown here immediately after running an attack. Quicker/real-time monitoring of on-going DoS attacks is best accomplished in the DoS Event Logs and DoS Overview areas of the WebUI.**

• You should see the attacks in the timeline and a variety of details in the windows. Use the slider to shorten the timeframe if needed, and click the Network filter, to focus on L4 attacks and mitigation.

  

  

• Stop the attack (Ctrl+C) in the Attacker CLI (ssh window).

Task 5 – Configure Bad Actor Detection¶

Add bad actor detection for a for the UDP flood protection.

• In the Configuration Utility, open the DoS Protection >> Quick Configuration page and in the Protected Objects section click ServerNet.

• In the UDP row click the + icon, and then click UDP Flood.

• On the right-side of the page configure using the following information in the table, and then click Update.

• Set the UDP Flood vector settings:

  Setting	Value
  Enforce	selected
  Manual Configuration	selected
  Detection Threshold PPS	100
  Detection Threshold Percent	500
  Rate Limit	200
  Bad Actor Detection	selected
  Per Source IP Detection	100 PPS
  Per Source IP Rate Limit	30 PPS
  Blacklist Attacking Addresses	selected
  Detection Time	15 seconds
  Duration	120 seconds

  

• Open the following in new tabs (Google Chrome - right click and select open link in new tab) in the DHD UI:

• DoS Protection>>Quick Configuration>>ServerNet

• Security>>DoS Protection>>DoS Overview (leave filter at default: “DoS Attack” and set refresh rate to 20s)

• Statistics>>DoS Visibility

• Security>>Event Logs>>Network->IP Intelligence

• Access the Attacker system CLI (putty ssh) and run the UDP flood attack:

  # sudo bash
  # cd ~/scripts
  # ./udp\_flood.sh
  
  From the menu, select ‘1’ to start the attack
  
  root@attacker-a:~/scripts# ./udp\_flood.sh
  1) Attack start
  2) Attack end
  3) Quit
  
  #?
  

  Note

  This attack is relatively short-lived. You can launch it again if the attack ends and you are not finished showing the various reports. Simply type ‘1’ again, to re-run the attack. You may have to run the attack multiple times using ‘1’.

• In the DoS Overview page observe the blocks by Bad Actor

  

  

• In the IP Intelligence Event Logs observe the IP addresses that are being added to the denial_of_service blacklist.

  

• In the DoS Visibility tab expand the Vectors inspector and select UDP Flood. When it updates, select a flood from the timeline. Note in the Attacks panel the #IPs blocked is 10

  

• End the UDP_Flood attack script by typing ‘2’ to kill any still running processes and then ‘3’ to exit the script.

• Clean-Up : Be sure to stop all hping3 processes by using the following command:

  # sudo bash
  # killall -9 hping3
  

Task 1 – Configure Auto Thresholding¶

• On the Good Client, if you have not already done so, start the network baselining. This step is needed if you didn’t start the good traffic generation in Exercise 2 or accidently stopped it.

  # sudo bash
  # cd ~/scripts
  # ./baseline_l4.sh
  

• In the Hybrid Defender UI, in Quick Configuration, select the Server5 Protected Object and verify that the IP and TCP vectors are all at default thresholds with auto-threshold disabled:

  Setting	Value
  All Detection Thresholds	30000 pps
  All Rate Limits	Infinite
  Auto Thresholding	Disabled

  

• In the Hybrid Defender CLI (BIGIP ssh window), restart auto-thresholding:

  # tmsh run security dos device-config auto-threshold-relearn
  # tmsh run security dos virtual name Server5 auto-threshold-relearn
  

In the Hybrid Defender WebUI, in the Server5 Protected Object configuration, enable auto-thresholding for the following vectors: ICMPv4 Flood, TCP SYN Flood, TCP Push Flood, TCP RST Flood, TCP SYN ACK Flood by selecting each vector and clicking the Auto-Threshold Configuration radio button. When all vectors are configured, click Update at the bottom of the screen.

• In the Hybrid Defender WebUI, view the Auto Threshold event log by navigation to Security>>Event Logs>>DoS>>Network>>Auto Threshold.

  

The system is updating the detection thresholds. With auto-thresholding, the system adjust the detection thresholds based on observed traffic patterns. However, mitigation rate limits are always dynamic based on detected system or protected object stress. If anomalous levels of traffic are running, but there is no stress, the Hybrid Defender will generate alerts but will not block traffic. Under stress, the rate limits are automatically created and adjusted dynamically.

Task 2 – Create Stress to trigger Auto Thresholding and view Reports.¶

• Let’s create some stress with a Flood attack. In the Attacker CLI start the auto-threshold flood:

  # sudo bash
  # cd ~/scripts
  # ./autot_flood.sh
  

  This is a long duration attack. You can terminate it with Ctrl+C when finished.

• In the Hybrid Defender WebUI, review the Auto Threshold event log. You will see that Rate limits are being automatically set and adjusted to mitigate the flood attack.

  

• In the Hybrid Defender WebUI, view the DoS Overview. Note that the ICMP Flood attack is being mitigated and the rate limit thresholds for each of the auto-threshold vectors have been adjusted based on stress, including vectors that are not detecting or blocking an attack.

  

  

• Select the filter type to Virtual Server (DoS protected) and Server5 and view how various Thresholds are dynamically adjusted based on the stress

  

• Terminate the attack in the Attacker CLI with Ctrl+C.

• After the attack has ended, in the Hybrid Defender WebUI, navigate to the DoS Visibility page. Under Vectors, select ICMPv4 Flood. View various details.

  

• Clean-up: On the Attacker CLI, if the attack is still running be certain to end it with Ctrl-C.

• Clean-up: For repeatability, it is necessary to disable the auto-thresholding for the ICMPv4 Flood, TCP RST Flood, TCP Push Flood, TCP SYN ACK Flood and TCP SYN Flood vectors on the Server5 protected object. Switch them back to Manual Configuration.

  

• Clean-up: After disabling auto-thresholding, clear the learning on the Hybrid Defender CLI with:

  # tmsh run security dos device-config auto-threshold-relearn
  # tmsh run security dos virtual name Server5 auto-threshold-relearn
  

• Clean-up: Stop the baseline traffic generation from the good-client if still running using CTRL+C

DNS Query Flood¶

This type of DoS of service attack has a couple possible resource impacts.

• Overwhelm the DNS server’s ability to respond by sending too many requests

This can be done just by asking for more requests than the server can reply with and prevent the server from servicing legitimate requests. It doesn’t really matter if the clients are spoofed or not, it only matters that the DNS server just can’t keep up.

Mitigation Options¶

DNS DoS mitigation generally requires an awareness of what you’re trying to protect. This allows you to apply the appropriate mitigations and push the problem upstream until the next step is to force it off premises and in to a cloud solution. Load balancing is one remedy to this solution (anycast). Spreading the requests across pools of servers can help mitigate against these types of attacks. DNS Express is another option to increase the capacity of your DNS infrastructure. Layering in DHD DNS DoS vector mitigation also stops common DNS attacks.

DNS Reverse flood¶

Sometimes DNS responses are used in flooding network resources. A small request has a disproportionately larger response and since the transport protocol is UDP it can easily be spoofed. The outbound pipe can easily get congested responding to a smaller number of requests with large responses.

Task 1 – Create Protected Object and Launch Attack¶

• In the BIG-IP Configuration Utility, open the DoS Protection > Quick Configuration page and in the Protected Objects section click Create.

• Configure a protected object using the following information, and then click Create.

  Name	Server1
  IP Address	10.1.20.11
  Port	443
  VLAN (Selected)	defaultVLAN (uncheck ANY)
  Protection Settings: Action	Log and Mitigate
  Protection Settings: Silverline	Yes (selected)
  Protection Settings: DDoS Settings	IPv4, TCP

  

• Launch attacks without any layer 7 protection configured

• Open the following in separate tabs in the Hybrid Defender WebUI:

• DoS Protection>>Quick Configuration

• Security>>Reporting>>DoS>>Analysis

• From a firefox browser go to https://10.1.20.11. Ignore SSL warning and Add Exception. Note that this bypasses the Hybrid Defender and accesses the server directly, showing the availability and/or performance of the site directly. Click around a few links. This is the site we will launch an attack against and mitigate.

• Verify that the configuration is providing no L7 protections by taking the server offline with a slowloris attack. Note that apache will try to clean up the slow flows, but they will do so inefficiently and the server is impacted (which will show as an outage, missing objects and/or slower responsiveness). Run the slowloris attack from the Attacker CLI:

  # sudo bash
  # cd ~/scripts
  # ./slowloris.sh
  

  The tool will rapidly show the site offline (10-15 seconds, with trivial traffic load):

  

• Refresh https://10.1.20.11 to show the effects of the attack. [Note that since we are running locally from the Win7 system in a virtualized environment, you may be able to access the site, however it will be slower and often the GIFs will not load. An internet user would not be able to “fight through” the attack to get to the server as often as a system on the local LAN.]

• Stop the slowloris attack by using CTRL+C.

• Start a more effective Slow Read attack.

  This attack is harder for DoS mitigation tools to mitigate and can be very effective even with a tiny number of concurrent connections trickling in very slowly to the server to fly below the radar of network detections. In our example we will open 10 connections per second and read the response data at 1 byte / sec. The attack would be effective even at 1 cps, it would just take a bit longer to build up the connections.

• From the Attacker CLI/shell start the slowread attack:

  # sudo bash
  # cd ~/scripts
  # ./slowread.sh
  

  

As soon as the site is down (service available: NO), refresh https://10.1.20.11 to show that it is down/slow/intermittent.

Task 2 – Configure Protection/Mitigation, launch attack and view reports¶

• In the Hybrid Defender WebUI, access the Server1 Protected Object.

• Enable SSL.

• Select the default certificate and key. In your environment you would select a valid/cert key for your application.

• Enable ‘Encrypt Session to Server’ to avoid any server reconfiguration.

• Enable the HTTPS mitigation family.

• Click Update.

  

• View the Attacker CLI/shell. The slow read attack is now no longer showing the site as down (service available: YES) because Proactive Bot Detection has mitigated the attack.

  

• Refresh https://10.1.20.11 to see that the site behavior has returned to normal.

• You were able to mitigate an encrypted layer 7 attack quickly and with only a few simple steps.

• In the Hybrid Defender WebUI, view various reports in the Security>>Reporting>>DoS>>Analysis

• HTTP Report (Scroll towards the bottom) shows Proactive Mitigation.

  

• Stop the Slow Read attack by using CTRL+C.

This concludes your hands on labs. In this class you learned how to mitigated various DDoS attacks using F5 BIGIP Hybrid Defender (DHD).

Task 1 – Initial Set-up¶

• Login to the BIG-IP Configuration Utility via the desktop shortcut (DHD WEB GUI). You will land on the welcome page.

• Review and Verify the following: System -> Configuration -> Device -> NTP page. This should be already populated with pool.ntp.org

• Review and Verify the following: System -> Configuration -> Device ->DNS page. This should be already populated with 8.8.8.8

• Click System and explore Resource Provisioning page.

  

Task 2 – DDoS Hybrid Defender iApp and Base Configuration¶

• In the BIG-IP Configuration Utility, open DoS Protection > Quick Configuration page.

• If not already installed, Select Install RPM method of Onboard.

• Click Install.

  

• After the RPM is installed you will see the following:

• Open the About page.

  

• This page displays the current version of DDoS Hybrid Defender (DHD). You use this page to install and update the iApp LX version for DHD when newer versions are released.

  

• Open the DoS Protection > Quick Configuration Network Configuration page.

  

• In the Default Network section click default VLAN.

• Configure the VLANs using following information, and then click Done Editing.

  Internal: VLAN Tag	20
  Internal: Interfaces	1.2 Untagged
  Internal: IP Address / Mask	10.1.20.240/21 (Click Add)
  External: VLAN Tag	10
  External: Interfaces	1.1 Untagged (Click Add)

  

• At the bottom of the page click Update to create the default network.

• Open the Network > VLANs > VLAN Groups page and click defaultVLAN.

• Open the Network > DNS Resolvers > DNS Resolver list page and click Create.

• Enter default_DNS_resolver and then click Finished.

• A DNS resolver is required by bot signatures to allow for proper detection of benign search engines such as Google and Bing.

• On the Jumpbox desktop, SSH to the BIG-IP, it will log you in automatically as user root, using the shortcut.

• Verify DNS by typing the following:

  nslookup api.f5silverline.com

• Verify the Date by typing the following:

  date

• If the BIG-IP system date is not accurate, correct it using the following commands:

  bigstart stop ntpd
  ntpdate 10.1.1.254
  bigstart start ntpd
  

Task 3 – Explore DHD Device Bandwidth Thresholds¶

• In the DoS Protection > Quick Configuration page, open the Protected Objects page.

• In the Network Protection section click Create.

• This page is where you would supply values to protect your bandwidth and integrate with Silverline or use BGP to change your routing to go through a scrubbing center.

• Click Cancel when done exploring the available settings.

  

• That completes the initial setup for BIG-IP DDoS Hybrid Defender.

Task 1 – Disable Device-Level DHD DoS Protection¶

In this lab you will disable Device-level DoS flood protection, and then issue an ICMPv4 flood and review the results.

• PuTTY to the BIG-IP CLI (10.1.1.245) from your jumpbox desktop shortcut and resize window by making it wider. You will be logged on as root.

• At the config prompt, type (or copy and paste) the following command:

  tcpdump -i 0.0 host 10.1.20.12

• PuTTY to the Attacker host from your jumpbox desktop shortcut. You will be logged in as root. I’t will use a pre-loaded public key as the credentials. Accept the warning.

• At the config prompt, type (or copy and paste) the following command:

  ping 10.1.20.12

The attacker can successfully communicate with a back-end resource behind the BIG-IP DHD.

• Examine the tcpdump window and verify ICMP packets are flowing through the BIG-IP DHD.

• Cancel the ping command, then verify the tcpdump stops receiving ICMP packets, and then press Enter several times to clear the recent log entries.

• In the Configuration Utility, in the DoS Protection, Quick Configuration, Device Protection section click Device Configuration.

  

• In the Bad Headers row click the + icon, and then click Bad Source.

• On the right-side of the page select the drop-down to “Don’t Enforce”

  

• In the Flood row click the + icon, and then click ICMPv4 flood.

  Note

  If you minimize by clicking the + icon, it will make seeing the other sections easier.

• On the right-side of the page select the drop-down to “Don’t Enforce”

  

• Apply the settings above for TCP SYN flood and UDP Flood and then click Update.

• On the Jumpbox in the Attacker PuTTY window type (or copy and paste) the following:

  # cd scripts
  # ls
  

These are the different scripts we’ll be using during the exercises to simulate DoS attacks.

• Type (or copy and paste) the following commands:

  for i in {1..10}; do ./icmpflood.sh; done

This script launches 1,000,000 ICMP requests and then repeats for a total of ten occurrences.

• View the tcpdump window and verify that ICMP attack traffic is reaching the back-end server.

• Let the attack run for about 15 seconds before moving on.

• In the Configuration Utility, open the Statistics > Performance > Performance page.

• View the Active Connections and Total New Connections charts.

• There is a drastic spike in active connections.

  

• View the Throughput (bits) and Throughput (packets) charts.

There is also a drastic spike in both bits per second and packets per second.

• Open the Security > Event Logs > DoS > Network > Events page.

The log file is empty as we disabled device-level flood protection on BIG-IP DHD.

• On the Jumpbox Attacker shell slowly type Ctrl + C several times until back at the scripts prompt.

Task 2 – Re-enable Device-Level DHD DoS Protection¶

In this task you will re-configure device-level DoS protection, and then issue an ICMPv4 flood and review the results.

• In the Configuration Utility, in the Device Protection section click Device Configuration.

  

• In the Bad Headers row click the + icon, and then click Bad Source.

• On the right-side of the page select the drop-down to “Enforce”

  

• In the Flood row click the + icon, and then click ICMPv4 flood.

• On the right-side of the page select the drop-down to “Enforce”

  

• Apply the settings above for TCP SYN flood and UDP Flood and then click Update.

Task 3 – Configure Protected Object-Level IPv4 Flood DHD DoS Protection¶

The DHD device wide protection is enforced for all traffic flowing through the device. For more granular control, we use protected objects and configure mitigation settings for those objects to be enforced. In this task you will configure object-level DoS IPv4 flood protection, and then issue an ICMPv4 flood and review the results.

• On the Protect Objects page, in the Protected Objects section click Create.

• Configure a protected object using the following information, and then click Create.

  Name	ServerNet
  IP Address	10.1.20.0/24
  Port	*
  Protocol	All Protocols
  Protection Settings: Action	Log and Mitigate
  Protection Settings: DDoS Settings	IPv4

• In the IPv4 row click the + icon, and then click ICMPv4 flood.

• On the right-side of the page configure using the following information, and then click Create at the bottom of the page.

  Detection Threshold PPS	Specify: 1000
  Detection Threshold Percent	Infinite
  Rate/Leak Limit	Specify: 1000

• On the Jumpbox in the Attacker PuTTY window re-run the following command:

  for i in {1..10}; do ./icmpflood.sh; done

• Examine the tcpdump window to see if there are any ICMP packets hitting the back-end server.

• Let the attack run for about 30 seconds before moving on.

• In the Configuration Utility, click DoS Protection > Quick Configuration > ServerNet, and then in the IPv4 row click the + icon.

  

• Open the Security > Event Logs > DoS > Network > Events page.

• The DoS Source is Volumetric, Aggregated across all SrcIP’s, VS-Specific attack, metric:PPS.

• The context column displays /Common/ServerNet, identifying this is protected object-level protection.

• The action is Drop.

• On the Jumpbox Attacker shell slowly type Ctrl + C several times until back at the scripts prompt.

• In the BIG-IP CLI type Ctrl + C to stop the tcpdump.

Task 1 – Create Protected Objects that the baseline traffic will be targeting¶

• In the BIG-IP Configuration Utility, open the DoS Protection>>Quick Configuration page and in the Protected Objects section click Create.

• Configure a protected object using the following information, and then click Create.

  Name	Server5
  IP Address	10.1.20.15
  Port	*
  Protocol	All Protocols
  VLAN	Any
  Protection Settings: Action	Log and Mitigate
  Protection Settings: Silverline	(un-selected)
  Protection Settings: DDoS Settings	IPv4, TCP

  

• This protected object will be used for the Auto-Thresholding lab.

  

Task 2 – Run Scripts to start L4 traffic generation – Good Traffic¶

• Putty SSH (use the desktop shortcut) to open a shell to the good client system.

• Accept the SSH Warning.

• You will be logged in as user : root. The session is preconfigured to authenticate with a certificate.

• Start the auto-threshold baselining script with:

  # cd ~/scripts
  # ./baseline_l4.sh
  

Task 1 - Access DoS Quick Configuration and display the ServerNet protected object¶

This protected object is defending all ports/protocols for 10.1.20.0/24, which is the network behind the Hybrid Defender. Attacks will be launched at 10.1.20.12, which is an interface on the LAMP server. Verify that the following vectors are configured:

• Add the TCP vectors under DDoS Settings.

• Click Update when finished.

You will now launch the attacks and show the behavior

• Open the following tabs in the DHD UI:

• DoS Protection->Quick Configuration->ServerNet

• Security->DoS Protection->DoS Overview (leave the filter at default: ’DoS Attack’)

• Statistics->DoS Visibility

• Access the Attacker shell and run the following commands/attack

  # cd ~/scripts
  # ./multivector.sh
  

• Click Refresh on the DoS Overview page. You will see some attacks mitigated by Device Configuration and some mitigated by the more specific settings on the ServerNet Protected Object.

  

Navigate to Security->Event Logs->DoS->Network->Events.

• Click on “custom search…” link.

• Drag one of the values from the “Attack Type” column into the custom search builder. From the Action column, drag Drop into the search builder. Click “Search”.

  

• Further explore the DoS Event logs. For example, clear the search and identify the “Stop” and “Start” times for an attack, etc.

Task 2 – View the DoS Visibility Page¶

You can now use the new DoS Visibility page to view statistics about the DoS attacks you submitted during this exercise.

• In the Hybrid Defender WebUI, access the DoS Visibility reporting tool at Statistics->DoS Visibility.

• You should see the attacks in the timeline and a variety of details in the windows. Use the slider to shorten the timeframe if needed. You might have to hit refresh several times.

  

• You can select events from the timeline and see details about the attacks.

  

• In the Attack Duration window view the attack.

  • Scroll down in the left-side of the page to view the Attacks section.

• View the details at the bottom of the Attacks section.

  

  This table displays details of each attack that has occurred.

• Sort this table by Vector.

  

• Scroll down in the left-side of the page to view the Virtual Servers section.

  You can see the details of device-wide attacks (Device Level) and protected object-level attacks (/Common/ServerNet).

• Scroll down in the left-side of the page to view the Countries section.

• View the details at the bottom of the Countries section. This table displays the attack details from each country.

• View the various widgets in the panel on the right-side of the page.

• Click Network to filter out only the network-level attacks (all the attacks so far have been network-level).

  

• If it’s not already expanded, expand the Virtual Servers widget, and then select /Common/ServerNet.

• This filters the results to only attacks at this protected object-level. Notice the changes to the map on in the Countries section.

• Click /Common/ServerNet to remove the filter.

• Drag the resize handle on the right-side of the main window as far to the left as possible.

  

• Expand the Vectors widget, and then select ICMPv4 flood.

• Expand the Client IP Addresses widget.

Question: How many client IP addresses contributed to this attack?

• Expand the Countries widget.

• Sort the countries by Dropped Requests.

  

• Select China, and then view the changes to both the Client IP Addresses widget and the map.

• At the top of the page open the Analysis page.

• Drag the resize handle on the as far to the right as possible.
• Examine the Avg Throughput (Bits per second) graph.
• Place your mouse over the peak in the graph.

Question: What is the Average client in throughput during the attack?

• Feel free to examine more of the Dashboard page and the Analysis page.
• Type Ctrl + C to stop the attack.

Task 1 - Open the following tabs in the DHD UI¶

• DoS Protection->Quick Configuration->ServerNet
• Security->DoS Protection->DoS Overview (leave filter at default: “DoS Attack”)
• Statistics->DoS Visibility
• Security->Event Logs->Network->IP Intelligence

Task 2 – Configure the following UDP Flood vectors for ServerNet¶

• DoS Protection->Quick Configuration->ServerNet

Set the following:

DDoS Settings: UDP, Sweep

• Click UDP Flood
  • Detection Threshold PPS: 1000
  • Detection Threshold Percent: 500
  • Rate Limit: 2000
• Bad Actor Detection - Check
  • Per Source IP Detection PPS: 100
  • Per Source IP Rate Limit PPS: 2000
• Blacklist Attacking Address
  • Detection Time: 15
  • Duration: 120

• Click Update when finished.

• Access the Attacker system CLI and run the UDP flood attack:

  # cd ~/scripts
  # ./udp_flood.sh
  

  From the menu, select ‘1’ to start the attack

  root@attacker-a:~/scripts# ./udp_flood.sh
  
  1)Attack start
  2)Attack end
  3)Quit
  
  # ?
  

• In the Hybrid Defender UI, show the Security > DoS Protection >DoS Overview page. Note the blocks by Bad Actor.

  

• In the Hybrid Defender UI, show the Security > Event Logs > Network > IP Intelligence Event Logs. Note the IP addresses that are being added to the denial_of_service blacklist.

  

• In the Hybrid Defender WebUI, show the Statistics > DoS Visibility. Expand the Vectors inspector and select UDP Flood. When it updates, select a flood from the timeline. Note in the Attacks panel the #IPs blocked is 10.

  

From the menu, select ‘2’ to end the attack

or

# sudo bash
# killall -9 hping3

Task 1 – Configure Auto Thresholding¶

• On the Good Client, if you have not already done so, start the network baselining. This step is needed if you didn’t start the good traffic generation in Exercise 3 or accidently stopped it.

  # cd ~/scripts
  # ./baseline_l4.sh
  

• In the Hybrid Defender UI, in Quick Configuration, select the Server5 Protected Object and verify that the IPv4 and TCP vectors are all at default thresholds with auto-threshold disabled:

  Setting	Value
  All Detection Thresholds	30000 pps
  All Rate Limits	Infinite
  Auto Thresholding	Disabled

  

• In the Hybrid Defender CLI (BIGIP ssh window), restart auto-thresholding:

  # tmsh run security dos device-config auto-threshold-relearn
  # tmsh run security dos virtual name Server5 auto-threshold-relearn
  

In the Hybrid Defender WebUI, in the Server5 Protected Object configuration, enable auto-thresholding for the following vectors: ICMPv4 Flood, TCP SYN Flood, TCP Push Flood, TCP RST Flood, TCP SYN ACK Flood by selecting each vector and clicking the Auto-Threshold Configuration radio button. When all vectors are configured, click Update at the bottom of the screen.

• In the Hybrid Defender WebUI, view the Auto Threshold event log by navigating to Security>>Event Logs>>DoS>>Network>>Auto Threshold.

  

The system is updating the detection thresholds. With auto-thresholding, the system adjusts the detection thresholds based on observed traffic patterns. However, mitigation rate limits are always dynamic based on detected system or protected object stress. If anomalous levels of traffic are running, but there is no stress, the Hybrid Defender will generate alerts but will not block traffic. Under stress, the rate limits are automatically created and adjusted dynamically.

Task 2 – Create Stress to trigger Auto Thresholding and view Reports¶

• Let’s create some stress with a Flood attack. In the Attacker CLI start the auto-threshold flood:

  # cd ~/scripts
  # ./autot_flood.sh
  

  This is a long duration attack. You can terminate it with Ctrl+C when finished.

• In the Hybrid Defender WebUI, review the Auto Threshold event log. You will see that Rate limits are being automatically set and adjusted to mitigate the flood attack.

  

• In the Hybrid Defender WebUI, view the DoS Overview. Note that the ICMP Flood attack is being mitigated and the rate limit thresholds for each of the auto-threshold vectors have been adjusted based on stress, including vectors that are not detecting or blocking an attack.

  

  

• Select the filter type to Virtual Server (DoS protected) and Server5 and view how various thresholds are dynamically adjusted based on the stress.

  

• Terminate the attack in the Attacker CLI with Ctrl+C.

• After the attack has ended, in the Hybrid Defender WebUI, navigate to the DoS Visibility page. Under Vectors, select ICMPv4 Flood. View various details.

  

• Clean-up: On the Attacker CLI, if the attack is still running be certain to end it with Ctrl-C.

• Clean-up: For repeatability, it is necessary to disable the auto-thresholding for the ICMPv4 Flood, TCP RST Flood, TCP Push Flood, TCP SYN ACK Flood and TCP SYN Flood vectors on the Server5 protected object. Switch them back to Manual Configuration.

  

• Clean-up: After disabling auto-thresholding, clear the learning on the Hybrid Defender CLI with:

  # tmsh run security dos device-config auto-threshold-relearn
  # tmsh run security dos virtual name Server5 auto-threshold-relearn
  

• Clean-up: Stop the baseline traffic generation from the good-client if still running using CTRL+C

DNS Query Flood¶

This type of DoS of service attack has a couple possible resource impacts.

• Overwhelm the DNS server’s ability to respond by sending too many requests.

This can be done just by asking for more requests than the server can reply with and prevent the server from servicing legitimate requests. It doesn’t really matter if the clients are spoofed or not, it only matters that the DNS server just can’t keep up.

Mitigation Options¶

DNS DoS mitigation generally requires an awareness of what you’re trying to protect. This allows you to apply the appropriate mitigations and push the problem upstream until the next step is to force it off premises and in to a cloud solution. Load balancing is one remedy to this solution (anycast). Spreading the requests across pools of servers can help mitigate against these types of attacks. DNS Express is another option to increase the capacity of your DNS infrastructure. Layering in DHD DNS DoS vector mitigation also stops common DNS attacks.

DNS Reverse flood¶

Sometimes DNS responses are used in flooding network resources. A small request has a disproportionately larger response and since the transport protocol is UDP it can easily be spoofed. The outbound pipe can easily get congested responding to a smaller number of requests with large responses.

Task 1 – Create Protected Object and Launch Attack¶

• In the BIG-IP Configuration Utility, open the DoS Protection > Quick Configuration page and in the Protected Objects section click Create.

• Configure a protected object using the following information, and then click Create.

  Name	Server1
  IP Address	10.1.20.11
  Port	443
  VLAN (Selected)	defaultVLAN (uncheck ANY)
  Protection Settings: Action	Log and Mitigate
  Protection Settings: Silverline	Yes (selected)
  Protection Settings: DDoS Settings	IPv4, TCP

  

• Launch attacks without any layer 7 protection configured

• Open the following in separate tabs in the Hybrid Defender WebUI:

• DoS Protection>>Quick Configuration

• Security>>Reporting>>DoS>>Analysis

• From a Firefox browser go to https://10.1.20.11. Ignore SSL warning and Add Exception.

• Verify that the configuration is providing no L7 protections by taking the server offline with a slowloris attack. Note that apache will try to clean up the slow flows, but they will do so inefficiently and the server is impacted (which will show as an outage, missing objects and/or slower responsiveness). Run the slowloris attack from the Attacker CLI:

  # cd ~/scripts
  # ./slowloris.sh
  

  The tool will rapidly show the site offline (10-15 seconds, with trivial traffic load):

  

• Refresh https://10.1.20.11 to show the effects of the attack. [Note that since we are running locally from the Win7 system in a virtualized environment, you may be able to access the site, however it will be slower and often the GIFs will not load. An internet user would not be able to “fight through” the attack to get to the server as often as a system on the local LAN.]

• Stop the slowloris attack by using CTRL+C.

• Start a more effective Slow Read attack.

  This attack is harder for DoS mitigation tools to mitigate and can be very effective even with a tiny number of concurrent connections trickling in very slowly to the server to fly below the radar of network detections. In our example we will open 10 connections per second and read the response data at 1 byte / sec. The attack would be effective even at 1 cps, it would just take a bit longer to build up the connections.

• From the Attacker CLI/shell start the slowread attack:

  # cd ~/scripts
  # ./slowread.sh
  

  

As soon as the site is down (service available: NO), refresh https://10.1.20.11 to show that it is down/slow/intermittent.

Task 2 – Configure Protection/Mitigation, launch attack and view reports¶

• In the Hybrid Defender WebUI, access the Server1 Protected Object.

• Enable SSL.

• Select the default certificate and key. In your environment you would select a valid/cert key for your application.

• Enable ‘Encrypt Session to Server’ to avoid any server reconfiguration.

• Enable the HTTPS mitigation family.

• Click Update.

  

• View the Attacker CLI/shell. The slow read attack is now no longer showing the site as down (service available: YES) because Proactive Bot Detection has mitigated the attack.

  

• Refresh https://10.1.20.11 to see that the site behavior has returned to normal.

• You were able to mitigate an encrypted layer 7 attack quickly and with only a few simple steps.

• In the Hybrid Defender WebUI, view various reports in the Security>>Reporting>>DoS>>Analysis

• HTTP Report (Scroll towards the bottom) shows Proactive Mitigation.

  

• Stop the Slow Read attack by using CTRL+C.

Task 1 – Create Protected Object and Launch Attack¶

• In the BIG-IP Configuration Utility, open the DoS Protection > Quick Configuration page and in the Protected Objects section click Create.

• Configure a protected object using the following information, and then click Create.

  Name	Auction
  IP Address	10.1.20.101
  Port / Protocol	80 TCP
  VLAN (Selected)	defaultVLAN (uncheck ANY)
  Protection Settings: Action	Log and Mitigate
  Protection Settings: DDoS Settings	HTTP

• Make sure Auction is with a capital “A”.

• Under the HTTP section make the following adjustments:

  • Set Behavioral to Standard Protection.
  • Make sure you check “Request Signature Detection”
  • Set Proactive Bot Defense to “Disabled”
  • Set DOS tool to “Report”

  

• When finished click Create

• From the Good Client CLI, issue the following command.

  ~/scripts/generate_clean_traffic.sh
  

  Note

  This will need to run for approximately 10 minutes.

• From the DHD CLI issue the following commands:

  #/root/scripts/l7bdos-reset.sh
  #/root/scripts/l7-mon.sh
  

• Monitor the window. When you see the following number go to 100, you will move on.

  

• The health of the Protected Object will be shown. In general, a healthy system will show a value around .45. If the value is .5 consistently, then for some reason no learning is occurring and you should check your configuration and verify that baselining traffic is hitting the protected object in question.

• If the system has detected and is mitigating and attack, or not. This will show in the output of ‘info.attack’ signal. The two numbers in brackets indicate if there is an attack (1 = yes, 0 = no) and if the system is mitigating that attack (1 = yes, 0 = no).

• The output will also include the ‘info.learning’ signal, which includes 4 comma-separated values that show the status of the admd behavioral dos learning:

  

  • signal values: [baseline_learning_confidence, learned_bins_count , good_table_size , good_table_confidence]
  • baseline learning_confidence in % - How confident the system is in the baseline learning.
    • This should be between 80% - 90%
  • learned_bins_count - number of learned bins
    • This should be > 0
  • good_table_size - number of learned requests
    • This should be > 4000
  • good_table_confidence - how confident, as a percentage, the system is in the good table.
    • It must be 100% for behavioral signatures.

• From the Attacker CLI issue the following command:

  ~/scripts/http_flood.sh
  

  

• Choose option 1, “Attack Auction”

• You will see the attack start in the DHD SSH window:

  

• In addition you will see the good client start returning a status of 000 as it is unresponsive. It no longer returns a Status 200. Until the DHD starts mitigation.

  

• Once the DHD has enough data a Stable Signature is detected.

  

• Let this run for 2 minutes. Stop the attack by pressing “Enter”” a couple of times in the Attacker window the choosing option “3” to stop the “Attack”

  Note

  The DHD does not record the end of the attack right away, it is very conservative, therefore you may have to wait 5 minutes to see the results.

  

• You can see in the top-left that a Behavioral Signature was created.

• Click on this link, then click on the Signature to see it.

  

• This concludes the DHD Hands on Labs.

Configure DHD Device Bandwidth Thresholds¶

1. In the Configuration Utility, open the Protected Objects page.

2. In the Network Protection section click Create.

3. Configure as follows then click Save.

   Maximum Bandwidth: Specify	100
   Scrubbing Threshold: Type	Percentage
   Scrubbing Threshold: Value	60
   Advertisement Method	Silveline
   Scrubber Details: Type	Advertise All

   

Turning Device-Level Protection off¶

1. In the Configuration Utility, in the Device Protection section click Device Configuration.

   

2. In the Bad Headers row click the + icon, and then click Bad Source.

3. On the right-side of the page configure using the following information.

   Detection Threshold PPS	Infinite
   Detection Threshold Percent	Infinite
   Rate/Leak Limit	Infinite

   

4. Now In the Flood row, click the + icon, and then click ICMPv4 flood.

5. On the right-side of the page configure using the following information.

   Detection Threshold PPS	Infinite
   Detection Threshold Percent	Infinite
   Rate/Leak Limit	Infinite

   

6. Apply the settings above for TCP SYN flood and UDP Flood.

7. In the Behavioral row click on Learn Only, then click Update.

   

8. On the goodclient, start the network baselining (Let it running for the entire lab)

   sudo ~/tools_agility_183/baseline_l4.sh

   Important

   In order to assure best performance and good lab results, always use the management network ip addresses/hostnames for remote access (goodclient-mgmt, attacker-mgmt and lamp-mgmt)

   f5student@goodclient:~$ cd ~/tools_agility_183/
   f5student@goodclient:~/tools_agility_183$ ./baseline_l4.sh
   /   status: 200     bytes: 3952     time: 0.016
   /   status: 200     bytes: 3952     time: 0.019
   /   status: 200     bytes: 3952     time: 0.014
   /   status: 200     bytes: 3952     time: 0.014
   /   status: 200     bytes: 3952     time: 0.018
   /   status: 200     bytes: 3952     time: 0.221
   /httprequest.php    status: 200     bytes: 699      time: 0.014
   /httprequest.php    status: 200     bytes: 699      time: 0.014
   

Launch an ICMP flood Attack on the LAMP Server¶

Hint

The pentest tool can be used to send several types of DoS Attacks for the most part of the lab, few free to try it out. For some specific exercises there will be custom shell scrtips though.

sudo ~/tools_agility_183/pentest

________ _______  _       _________ _______  ________  _
|  ____  ||  ____ \| \    /|\__   __/|       ||  ____ \| \    /||\     /|
| |    | || |    \/|  \  | |   | |   | || || || |    \/|  \  | || |   | |
| |____| || |__    |   \ | |   | |   | || || || |__    |   \ | || |   | |
|  ______||  __)   | |\ \| |   | |   | ||_|| ||  __)   | |\ \| || |   | |
| |       | |      | | \   |   | |   | |   | || |      | | \   || |   | |
| |       | |____/\| |  \  |   | |   | |   | || |____/\| |  \  || |___| |
|/        (_______/|/    \_|   |_|   |/     \||_______/|/    \_||_______|

Welcome to pentmenu!
Please report all bugs, improvements and suggestions to https://github.com/GinjaChris/pentmenu/issues
This software is only for responsible, authorised use.
YOU are responsible for your own actions!
Please review the readme at https://raw.githubusercontent.com/GinjaChris/pentmenu/master/README.md before proceeding

1) Recon
2) DOS
3) Extraction
4) View Readme
5) Quit
Pentmenu>

1. Hit option 2 (DOS), then 1 (ICMP Echo Flood)

2. Use Attack options as follows:

   Enter target IP/hostname:	server1
   Enter Source IP:	r (random)

3. Now open two more terminal sessions with attacker and lamp servers respectively. On each screen open the bmon util for instant traffic stats.

   eth1
   Interfaces                   │ RX bps       pps     %│ TX bps       pps     %
   lo                           │      0         0      │      0         0
   eth0                         │     66B        1      │    545B        1
       qdisc none (pfifo_fast)  │      0         0      │    525B        1
   ->eth1                       │     77B        1      │   1.59MiB  39.63K
       qdisc none (pfifo_fast)  │      0         0      │   1.59MiB  39.63K
   ───────────────────────────────┴───────────────────────┴────────────────────────────────────────────────────────────
                               (RX Packtes/second)
       5.00 ....|..|.........|......|........................|..........
       4.17 ...|||||||...|...|.||.|||...........|||.......|..||.|.|...||
       3.33 ...||||||||..|..||||||||||..||.....|||||.....|||||||||||.|||
       2.50 ...||||||||..|..||||||||||..||.....|||||.....|||||||||||.|||
       1.67 .|||||||||||||.|||||||||||||||....|||||||...||||||||||||||||
       0.83 ||||||||||||||||||||||||||||||||.|||||||||..||||||||||||||||
           1   5   10   15   20   25   30   35   40   45   50   55   60
       K                     (TX Packtes/second)
       52.32 ..............||||....|.||..................................
       43.60 ||.|||||||||||||||||||||||||||||||||..||||||||.|||||||||||||
       34.88 ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
       26.16 ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
       17.44 ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
           8.72 ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
               1   5   10   15   20   25   30   35   40   45   50   55   60
   

   Hint

   Use either the RIGHT and LEFT arrow keys to move between Bps and pps metrics. Don’t forget selecting the right inteface using the UP/DOWN arrow keys. Attacker uses eth1 and Lamp uses eth4 for data traffic.

4. Open a terminal session with the DHD and use the tcpdump util to verify that ICMP attack traffic is passing through the device.

   [root@dhd:Active:Standalone] config # tcpdump -i defaultVLAN

5. Observe the baseline running on goodclient. Since the flood attack is hitting the server hard, the legitimate client sessions are being degraded. Look at the statude code 000 for most requests.

6. In the Configuration Utility, open the Statistics-> Performance-> Performance page. As you can see, there is a drastic spike in the traffic.

   

7. Open the Security-> DoS Protection-> DoS Overview page.

8. In the Filter Type field select Device DoS. Then on the left corner search for ICMP.

   

9. Review the statistics for Current, 1 min. Average, and 1 hr Average.

10. Open the Security-> Event Logs-> DoS-> Network-> Events page.

    The log file is empty as we disabled device-level flood protection on BIG-IP DHD.

11. From the attacker terminal session type Ctrl + C to stop the ICMP flood.

Configure Protected Object-Level IPv4 Flood DHD DoS Protection¶

Configure object-level IPv4 ICMP flood protection, and then issue an ICMP DoS flood and review the results.

1. On the Protect Objects page, in the Protected Objects section click Create.

2. Configure a protected object using the following information, and then click Create:

   Name:	ServerNet
   IP Address:	10.1.20.0/24
   Port:	any
   Protocol	All Protocols
   Protec. Settings Action:	Advertise All
   Protec. Settings DDoS:	IPv4

3. In the IPv4 row click the + icon, and then click ICMPv4 flood

4. On the right-side of the page configure using the following information, and then click Create.

   Detection Threshold PPS:	Specify: 1000
   Detection Threshold Percent:	Infinite
   Rate/Leak Limit:	Specify: 1000

   Important

   From now on, make sure you have an always-on terminal session with both the attacker and LAMP servers. Let them running the bmon utility, or a tcpdump. Those will provide instant and detailed visibility of the ammount of packets comming in/out of both virtual machines.

5. From the attacker terminal session launch an ICMPv4 DoS attack using the Pentmenu tool (Options 2, 1) as follows:

   target IP/hostname:	server1
   source IP:	r[random]

6. Check out the LAMP terminal session and observe how many ICMP packets are hitting this server.

7. Before moving on, wait the attack to run for about 30 seconds or so

8. In the Configuration Utility go to Security-> DoS Protection-> DoS Overview. You should be able to see the DHD stopping the Attack.

   

9. Now stop the Attack with Ctrl + C.

10. Open the Security-> Event Logs-> DoS-> Network-> Events page.

    The DoS Source is Volumetric, Aggregated across all SrcIP’s, VS-Specific attack, metric:PPS.

    • The virtual server column displays /Common/ServerNet, identifying this is a protected object.
    • The type is ICMPv4 flood.
    • The action is Drop.

11. Now check out the Security-> Event Logs-> DoS-> Network-> Events Page.

    

12. The DHD was able to detect the moment the attack started and stopped, along with all volumetric info.

Configure Protected Object-Level UDP Flood Attack Protection¶

Configure object-level DoS UDP flood protection, and then issue an UPD flood and review the results.

1. From the attacker terminal session launch an UDP flood attack using the Pentmenu tool (Options 2, 7) as follows:

   target IP/hostname:	server2
   target port (defaults to 80):	default [ENTER]
   random string (data to send):	F5Agility2018
   source IP:	r[random]

2. Let the attack run for about 30 seconds before moving on.

3. In the Configuration Utility, open the Statistics-> Performance-> Performance page. There is a spike in connections and throughput. The BIG-IP system is being hit with the UDP flood attack.

   

4. Open the DoS Protection-> Quick Configuration page and in the Protected Objects section click ServerNet.

5. In the DDoS Settings row click the UDP checkbox. In the UDP row click the + icon, and then click UDP Flood.

6. On the right-side of the page configure using the following information, and then click Update.

   Detection Threshold PPS:	Specify: 1000
   Detection Threshold Percent:	Infinite
   Rate/Leak Limit:	Specify: 3000

7. From the Attacker terminal session launch a new UDP flood attack using the same options and values as previously in this task.

8. Let the attack run for about 30 seconds before moving on.

9. In the Configuration Utility, click Security-> DoS Protection-> DoS Overview. You should be able to see the DHD stopping the DNS Attack.

   

10. Now stop the Attack with Ctrl + C.

11. Open the Security-> Event Logs-> DoS-> Network-> Events page.

    • In one minute or so, the virtual server column displays /Common/ServerNet, identifying this is protected object.
    • The type is UDP flood.
    • The action is Drop.

    

Configure Bad Actor Detection¶

Add bad actor detection for the UDP flood protection

1. In the Configuration Utility, open the DoS Protection-> Quick Configuration page and in the Protected Objects section click ServerNet.

2. In the UDP row click the + icon, and then click UDP Flood.

3. On the right-side of the page configure using the following information, and then click Update.

   Bad Actor Detection:	Yes (selected)
   Per Source IP Detection (PPS):	Specify: 100
   Per Source IP Rate Limit (PPS):	Specify: 30
   Blacklist Attacking Address:	Yes (selected)
   Detection Time:	30
   Duration:	60

4. From the attacker virtual machine launch an UDP flood attack using a single IP address [Pentmenu tool - Options 2, 7]:

   target IP/hostname:	server4
   target port (defaults to 80):	53
   random string (data to send):	F5Agility2018
   source IP:	i[interface]

5. Let the attack run for like 30s seconds before moving on.

6. Stop the attack with Ctrl + C.

7. Now try to ping the server4. Try to ping the same address from the goodclient virtual machine. Does it work ???

8. Stop the Attack with Ctrl + C and move to the next exercise.

Configure Protected Object-Based Sweep Protection¶

1. In the Configuration Utility, open the DoS Protection-> Quick Configuration page and in the Protected Objects section click ServerNet.

2. In the DDoS Settings row click the Sweep checkbox.

3. In the Sweep row click the + icon, and then click Sweep.

4. On the right-side of the page configure using the following information, and then click Update.

   Detection Threshold PPS:	Specify: 1000
   Rate/Leak Limit:	Specify: 3000
   Packet Types:	Move All IPv4 to the Selected field

5. On the attacker machine type (or copy and paste) the following command:

   sudo ./sweep.sh

6. Let the attack run for like 30s seconds before moving on.

7. Stop the attack with Ctrl + C.

8. In the Configuration Utility, click Security-> DoS Protection-> DoS Overview. You should be able to see the DHD stopping the Sweep attack.

   

Check out the DoS Visibility Page¶

1. Use the DoS Visibility page to view statistics about the DoS attacks you submitted during this exercise.

   

2. Mouse over several of the attacks to get additional details of each attack.

3. Scroll down in the left-side of the page to view the Attacks section.

4. You can see the number of high, moderate, and low attacks in addition to the types of attacks (HTTP, ICMP, etc.) and the severity levels.

Check out the Silverline Portal¶

Use the Silverline portal to view details about the attacks launched in this exercise.

1. Access the Silverline Portal https://portal.f5silverline.com

2. Open the Audit-> API Activity log page.

3. Enter the hostname of your DHD device in the Search field and then check out the activity your Hybrid Defender device has reported back to the Silverline Scrubing Center.

   

Use a Protected Object to Mitigate a DNS Query Flood¶

1. In the Protected Objects section click Create.

2. Configure a protected object using the following information, and then click Create.

   Name:	DNS_Server
   IP Address:	10.1.20.14/32
   Port:	53
   Protocol	UDP
   Protec. Settings Action:	Log and Mitigate
   Protec. Settings DDoS:	DNS

3. In the DNS row click the + icon, and then click DNS A Query.

4. On the right-side of the page configure using the following information, and then click Create.

   Detection Threshold PPS:	Specify: 75
   Rate Limit	Specify: 100

Establish a DNS Baseline¶

Use a script to establish a DNS baseline on the BIG-IP DHD.

1. From the goodclient terminal session run the following commands:

   sudo ~/tools_agility_183/dnsbaseline.sh

2. Let the baseline run until you get the following results:

   [Status] Testing complete (time limit)
   
   Statistics:
   
   Queries sent:         6000
   Queries completed:    6000 (100.00%)
   Queries lost:         0 (0.00%)
   
   Response codes:       NXDOMAIN 6000 (100.00%)
   Average packet size:  request 41, response 116
   Run time (s):         120.000552
   Queries per second:   49.999770
   
   Average Latency (s):  0.005793 (min 0.003970, max 0.020681)
   Latency StdDev (s):   0.001383
   

3. In the Configuration Utility, go to Security-> DoS Protection-> DoS Overview.

4. In the Filter Type select Virtual Server with DNS_Server protected object, then examine the a statistics for DNS A Query.

   

Initiate a DNS Attack¶

Run a script to generate a DNS DoS alert. This script will send 80 pps of “A” queries just above our detection threshold PPS setting of 75. This is just the threshold that we are alerting at. It has not reached a high enough threshold to determine that we should do something about it.

1. From the attacker terminal session run the following commands:

   sudo ~/tools_agility_183/dnsdosattack.sh

2. Wait for the attack to run for about 30 seconds before moving on.

3. In the Configuration Utility, open the Security-> DoS Protection-> DoS Overview page.

4. In the Filter Type select DoS Attack.

   

   Note

   The A query DOS attack vector will be detected, but not yet blocked. It will take up to a couple minutes to display as Detected.

5. Wait for the attack to complete (if not done yet). Verify the results of the DNS attack from the attacker terminal session:

   [Status] Testing complete (time limit)
   
   Statistics:
   
   Queries sent:         28800
   Queries completed:    27217 (94.50%)
   Queries lost:         1583 (5.50%)
   
   Response codes:       NXDOMAIN 27217 (100.00%)
   Average packet size:  request 41, response 116
   Run time (s):         360.000538
   Queries per second:   75.602665
   
   Average Latency (s):  0.004487 (min 0.002909, max 0.036921)
   Latency StdDev (s):   0.001372
   

Initiate a DNS Attack that Exceeds the Rate Limit¶

Run another script that initiates a DNS DoS attack that exceeds the rate limit we set earlier.

1. From the attacker terminal session run the following commands:

   sudo ~/tools_agility_183/dnsdosrate.sh

2. Wait for the attack to run for about 30 seconds before moving on.

3. In the Configuration Utility Review the DoS Overview page -> Security-> DoS Protection-> DoS Overview.

   

   Note

   The A query DOS attack vector is now dropping attack traffic.

   Also take a look at the script which will record the number of drops if any as a result of the attack rate limit being hit. You should be able to correlate the drops registered with the script with the drops recorded by the Hybrid Defender.

   Statistics:
   
   Queries sent:         5899
   Queries completed:    3504 (59.40%)
   Queries lost:         2395 (40.60%)
   
   Response codes:       NXDOMAIN 3504 (100.00%)
   Average packet size:  request 41, response 116
   Run time (s):         120.000642
   Queries per second:   29.199844
   
   Average Latency (s):  0.006696 (min 0.002080, max 0.087619)
   Latency StdDev (s):   0.003606
   

4. In the Configuration Utility open the Statistics-> DoS Visibility page.

5. View the attack details in the Attacks section.

Create Protected Object for Behavioral DoS Protection¶

1. In the BIG-IP Configuration Utility, open the DoS Protection-> Quick Configuration page and in the Protected Objects section click Create.

2. Configure the protected object Server1-http using the following information:

   Name:	Server1-http
   IP Address:	10.1.20.11/32
   Port:	80
   VLAN:	defaultVLAN
   Protec. Settings Action:	Log and Mitigate
   Protec. Settings Silverline:	Yes (selected)
   Protec. Settings DDoS:	IPv4, TCP, HTTP

3. In the HTTP row click the + icon, and then click Behavioral, then from the Mitigation list select Standard Protection.

4. In the HTTP section click Proactive Bot Defense, then from the Mitigate Action list select Disabled, finally click Create

   Note

   Both the good and bad (attack) traffic are generated with tools that would be blocked by Proactive Bot Defense. Please note that by default, the Hybrid Defender will set Proactive Bot Defense to always’. That’s the reason why we’re disabling it, only to allow the scripts to work and generate sample traffic.

5. In the Protected Objects section click Create.

6. Open the Security-> DoS Protection-> DoS Profiles page and click Server1-http.

   

7. Open the Application Security page.

   

8. Click Behavioral & Stress-based Detection, and then for Behavioral Detection and Mitigation click Edit.

9. Select the Request signatures detection checkbox, and then click Update.

   

Generate L7 Behavioral baseline for Server1-http¶

Use a script to generate an L7 behavioral DoS baseline for the Hybrid Defender.

1. In the goodclient terminal session, type (or copy and paste) the following command:

   sudo ~/tools_agility_183/generate_clean_traffic.sh

Note

This will generate traffic. Please note that it will take at least 15 minutes.

f5student@goodclient:~/tools_agility_183$ ./generate_clean_traffic.sh
welcome.php     status: 200     bytes: 1045     time: 0.017
welcome.php     status: 200     bytes: 1045     time: 0.014
welcome.php     status: 200     bytes: 1045     time: 0.014
welcome.php     status: 200     bytes: 1045     time: 0.015
headers.php     status: 200     bytes: 1847     time: 0.014
headers.php     status: 200     bytes: 1847     time: 0.014
httprequest.php status: 200     bytes: 710      time: 0.013
httprequest.php status: 200     bytes: 710      time: 0.014
httprequest.php status: 200     bytes: 710      time: 0.014
httprequest.php status: 200     bytes: 710      time: 0.013
badlinks.html   status: 200     bytes: 1270     time: 0.014
badlinks.html   status: 200     bytes: 1270     time: 0.014
F5_building.jpg status: 200     bytes: 33447    time: 0.019
F5_building.jpg status: 200     bytes: 33447    time: 0.021
bigip4200.jpg   status: 200     bytes: 9753     time: 0.016
bigip4200.jpg   status: 200     bytes: 9753     time: 0.017
viprion2400.jpg status: 200     bytes: 13009    time: 0.016
viprion4800.jpg status: 200     bytes: 10078    time: 0.018
viprion4800.jpg status: 200     bytes: 10078    time: 0.017

1. Move on in the exercises while the baseline is being generated.

2. Open a terminal session with the DHD and run the following command:

   admd -s vs./Common/Server1-http.info -s vs./Common/Server1-http.sig.health

[root@dhd-01:Active:Standalone]# admd -s vs./Common/Server1-http.info -s vs./Common/Server1-http.sig.health
vs./Common/Server2-http.sig.health:[0.452373]
vs./Common/Server2-http.sig.health:[0.453407]
vs./Common/Server2-http.sig.health:[0.451726]
vs./Common/Server2-http.sig.health:[0.45372]
vs./Common/Server2-http.sig.health:[0.452021]
vs./Common/Server2-http.sig.health:[0.45349]

Important

The results for each health check should not be 0.5, otherwise the system ins’t learning. Let both terminal sessions opened for the rest of this lab.

Configure DoS Protection for L7 Encrypted Traffic¶

Launch an encrypted Slowloris attack to the web server and view the results, then configure proper mitigation on the Hybrid Defender.

1. Go to DoS Protection-> Quick Configuration page and in the Protected Objects section click Create.

2. Configure another Protected Object using the following information, and then click Create.

   Name:	Server2-http
   IP Address:	10.1.20.12/32
   Port:	80
   VLAN:	defaultVLAN
   Protec. Settings Action:	Log and Mitigate
   Protec. Settings Silverline:	Yes (selected)
   Protec. Settings DDoS:	IPv4, TCP, HTTP

3. Now repeat the steps for disabling the Proactive Bot Defense which allows the HTTP request scripts to work.

4. Go to the HTTP section and click Proactive Bot Defense, then from the Mitigate Action list select Disabled.

5. In the HTTP section click DoS Tool, then from the Mitigate Action list select Report, and then click Create.

6. Now run the monitor script on server2 as follows. It will be usefull for server health monitoring.

   ~/tools_agility_183/server2_monitor.sh

7. Before launching the application layer attack, observe server2 is currently healthy.

   welcome.php     status: 200 bytes: 1045     time: 0.018
   bigtext.html    status: 200 bytes: 634965   time: 0.136
   httprequest.php status: 200 bytes: 710      time: 0.017
   

   Note

   The system is healthy since the web server returns HTTP Status Code 200 for every request.

8. Now from the attacker terminal session run the following command:

   ~/tools_agility_183/slowloris.sh

   Mon Aug 13 11:26:54 2018:
   slowhttptest version 1.6
   - https://code.google.com/p/slowhttptest/ -
   test type:                        SLOW HEADERS
   number of connections:            4090
   URL:                              https://server2.f5demo.com/
   verb:                             GET
   Content-Length header value:      4096
   follow up data max size:          68
   interval between follow up data:  10 seconds
   connections per seconds:          200
   probe connection timeout:         5 seconds
   test duration:                    240 seconds
   using proxy:                      no proxy
   
   Mon Aug 13 11:26:54 2018:
   slow HTTP test status on 30th second:
   initializing:        0
   pending:             1790
   connected:           150
   error:               0
   closed:              2092
   service available:   **NO**
   

9. Observe how the service is impacted as the slowloris attack hits the server2.f5demo.com.

   welcome.php     status: 000 bytes: 0    time: 1.002
   bigtext.html    status: 000 bytes: 0    time: 1.002
   httprequest.php status: 000 bytes: 0    time: 1.002
   

   Note

   Since the slowloris attack is being encrypted (https://server2.f5demo.com) we need to setup the certificate and private keys so the traffic can be inspected by the Hybrid Defender..

10. Configure SSL on the protected object to in order to inspect HTTPS traffic.

11. Go to DDoS Protection-> Quick Configuration-> Protected Objects, then click Server2-http. Configure the SSL as follows:

    Port:	443
    SSL:	Enabled
    SSL Certificate:	default
    Key:	default
    Encrypt Connection to Server:	Yes (selected)

12. Disable bot protections so the scripts can be used for testing the server health.

13. On the Server2-http Protected Object section go to the HTTP row, click the + icon, click Behavioral

14. Now from the Mitigation list select Standard Protection.

15. In the HTTPS section click Proactive Bot Defense, then from the Mitigate Action list select Disabled.

16. Now that SSL is also being inspected for this Protected Object, let’s run the slowloris script once again and verify if the attack still works.

– Behavioral L7 DoS Mitigation¶

Once the L7 behavioral baseline has been established, launch an L7 DoS attack and view the results.

1. Now get back to the DHD terminal session.

2. You will need to observe the info.learning signature to ensure that the system has accumulated enough learning details.

3. This signature has 4 comma-separated values for monitoring the learning progress:

   • Value #1: baseline-learning_confidence

     This should be between 80 - 90%

   • Value #2: learned_bins_count (the number of learned bins)

     This should be > 0

   • Value #3: good_table_size (the number of learned requests)

     This should be > 4000

   • Value #4: good_table_confidence (how confident, as a percentage, the system is)

     It must be 100% for behavioral signatures

     vs./Common/Server1-http.info.learning:[96.3163, 78, 5355, 100]
     

4. If you see the pattern such as that described, it indicates the traffic baseline was already established, then you can move forward with the lab.

5. Once the info.learning values are acceptable based on the details above, from the attacker terminal session run the following command:

   ~/tools_agility_183/http_flood.sh

6. Select option “1”

7. Now take a look at the goodclient terminal session, you should start seeing the effects of the HTTP DoS attack, as requests are starting to fail (HTTP Status Code 000). If you were to examine the Lamp server at this time, you would see that it is under severe stress.

   welcome.php status: 200     bytes: 1045     time: 0.017
   welcome.php status: 200     bytes: 1045     time: 0.029
   welcome.php status: 000     bytes: 0        time: 1.000
   headers.php status: 000     bytes: 0        time: 1.001
   headers.php status: 200     bytes: 1847     time: 0.204
   headers.php status: 200     bytes: 1847     time: 0.258
   headers.php status: 200     bytes: 1847     time: 0.218
   badlinks.html       status: 000     bytes: 0        time: 1.001
   badlinks.html       status: 200     bytes: 1270     time: 0.242
   badlinks.html       status: 200     bytes: 1270     time: 0.272
   badlinks.html       status: 000     bytes: 0        time: 1.002
   bigip4200.jpg       status: 200     bytes: 9318     time: 0.247
   

8. Also from the DHD terminal session watch the health signal feed. You should see it climb from ~.5, which is optimal health, to values over 1, indicating an increase in server stress. You will also be able to watch as the system responds and mitigations are engaged.

9. When the system has analyzed the attack traffic, dynamic signatures are created and engaged:

   vs./Common/Server1-http.sig.health:[0.768427]
   vs./Common/Server1-http.info.attack:[1, 1]
   vs./Common/Server1-http.sig.health:[0.746648]
   vs./Common/Server1-http.info.signature:["Stable signature detected: (http.f5_filename_bin == 21) and (http.request.method eq \"GET\") and (!(http.user_agent matches \"(MSIE|Chrome|Firefox|Opera|Safari|Maxthon|Seamonkey)\")) and (!http.content_type) and ((http.hdr_len->= 128) and (http.hdr_len < 256)) and (http.request.uri matches \"^[^\\\\?]*$\") and (http.f5_headers_count == 5) and (http.f5_cache_control_bin == 0) and (http.accept) and (http.request.line matches \"Accept-Charset:.*\") and (http.f5_host_bin == 4) and (http.f5_referer_bin == 0) and (http.f5_uri_len_bin == 0) and (!(http.accept matches \"(application|audio|message|text|image|multipart)\")) and (http.connection) and (http.host) and (!(http.request.line matches \"Accept-Charset\")) and (http.user_agent)"]
   vs./Common/Server1-http.info.attack:[1, 1]
   vs./Common/Server1-http.sig.health:[0.726608]
   vs./Common/Server1-http.info.attack:[1, 1]
   vs./Common/Server1-http.sig.health:[0.709827]
   vs./Common/Server1-http.info.attack:[1, 1]
   vs./Common/Server1-http.sig.health:[0.691779]
   

10. In the Configuration Utility, notice the indicator at the top-left side of the page.

    

11. As you watch the feed, you should see HTTP requests being served again after the dynamic signature kicks in.

12. In the Configuration Utility open the Security-> DoS Protection-> Behavioral Signatures page.

    

    You will see a signature that was created (as seen in the output of the admd command earlier). Note the system reports metrics such as Accuracy (an estimate of the percentage of traffic that will be blocked that is definitely hostile) and Efficiency (a measure of how much of the observed DoS traffic is mitigated by that signature). In our lab these values are both at or near 100%. In a real environment the Accuracy should be very high, but sometimes Efficiency will be lower (in a mutating attack) and the system may have to create additional signatures or refine the current one based on effectiveness.

13. Click the new signature.

    Note the Wireshark filter at the bottom which can be used in conjunction with the Record Traffic feature of F5’s L7 DoS to identify exactly which requests the signature matches/will match. This can be helpful if using the “Approved Only” in the DoS profile setting to allow a risk-averse administrator to approve signatures before they begin to filter traffic.

14. Change the Alias value to Agility2018, and then click Finished.