Lab – Configure Application Layer DoS Defenses

Check out how to detect and mitigate application layer attacks, not matter if it’s encrypted or behavioral based.

Create Protected Object for Behavioral DoS Protection

  1. In the BIG-IP Configuration Utility, open the DoS Protection-> Quick Configuration page and in the Protected Objects section click Create.

  2. Configure the protected object Server1-http using the following information:

    Name: Server1-http
    IP Address: 10.1.20.11/32
    Port: 80
    VLAN: defaultVLAN
    Protec. Settings Action: Log and Mitigate
    Protec. Settings Silverline: Yes (selected)
    Protec. Settings DDoS: IPv4, TCP, HTTP

  3. In the HTTP row click the + icon, and then click Behavioral, then from the Mitigation list select Standard Protection.

  4. In the HTTP section click Proactive Bot Defense, then from the Mitigate Action list select Disabled, finally click Create

    Note

    Both the good and bad (attack) traffic are generated with tools that would be blocked by Proactive Bot Defense. Please note that by default, the Hybrid Defender will set Proactive Bot Defense to always’. That’s the reason why we’re disabling it, only to allow the scripts to work and generate sample traffic.

  5. In the Protected Objects section click Create.

  6. Open the Security-> DoS Protection-> DoS Profiles page and click Server1-http.

    image34

  7. Open the Application Security page.

    image35

  8. Click Behavioral & Stress-based Detection, and then for Behavioral Detection and Mitigation click Edit.

  9. Select the Request signatures detection checkbox, and then click Update.

    image36

Generate L7 Behavioral baseline for Server1-http

Use a script to generate an L7 behavioral DoS baseline for the Hybrid Defender.

  1. In the goodclient terminal session, type (or copy and paste) the following command:

    sudo ~/tools_agility_183/generate_clean_traffic.sh

Note

This will generate traffic. Please note that it will take at least 15 minutes.

f5student@goodclient:~/tools_agility_183$ ./generate_clean_traffic.sh
welcome.php     status: 200     bytes: 1045     time: 0.017
welcome.php     status: 200     bytes: 1045     time: 0.014
welcome.php     status: 200     bytes: 1045     time: 0.014
welcome.php     status: 200     bytes: 1045     time: 0.015
headers.php     status: 200     bytes: 1847     time: 0.014
headers.php     status: 200     bytes: 1847     time: 0.014
httprequest.php status: 200     bytes: 710      time: 0.013
httprequest.php status: 200     bytes: 710      time: 0.014
httprequest.php status: 200     bytes: 710      time: 0.014
httprequest.php status: 200     bytes: 710      time: 0.013
badlinks.html   status: 200     bytes: 1270     time: 0.014
badlinks.html   status: 200     bytes: 1270     time: 0.014
F5_building.jpg status: 200     bytes: 33447    time: 0.019
F5_building.jpg status: 200     bytes: 33447    time: 0.021
bigip4200.jpg   status: 200     bytes: 9753     time: 0.016
bigip4200.jpg   status: 200     bytes: 9753     time: 0.017
viprion2400.jpg status: 200     bytes: 13009    time: 0.016
viprion4800.jpg status: 200     bytes: 10078    time: 0.018
viprion4800.jpg status: 200     bytes: 10078    time: 0.017

  1. Move on in the exercises while the baseline is being generated.

  2. Open a terminal session with the DHD and run the following command:

    admd -s vs./Common/Server1-http.info -s vs./Common/Server1-http.sig.health

[root@dhd-01:Active:Standalone]# admd -s vs./Common/Server1-http.info -s vs./Common/Server1-http.sig.health
vs./Common/Server2-http.sig.health:[0.452373]
vs./Common/Server2-http.sig.health:[0.453407]
vs./Common/Server2-http.sig.health:[0.451726]
vs./Common/Server2-http.sig.health:[0.45372]
vs./Common/Server2-http.sig.health:[0.452021]
vs./Common/Server2-http.sig.health:[0.45349]

Important

The results for each health check should not be 0.5, otherwise the system ins’t learning. Let both terminal sessions opened for the rest of this lab.

Configure DoS Protection for L7 Encrypted Traffic

Launch an encrypted Slowloris attack to the web server and view the results, then configure proper mitigation on the Hybrid Defender.

  1. Go to DoS Protection-> Quick Configuration page and in the Protected Objects section click Create.

  2. Configure another Protected Object using the following information, and then click Create.

    Name: Server2-http
    IP Address: 10.1.20.12/32
    Port: 80
    VLAN: defaultVLAN
    Protec. Settings Action: Log and Mitigate
    Protec. Settings Silverline: Yes (selected)
    Protec. Settings DDoS: IPv4, TCP, HTTP

  3. Now repeat the steps for disabling the Proactive Bot Defense which allows the HTTP request scripts to work.

  4. Go to the HTTP section and click Proactive Bot Defense, then from the Mitigate Action list select Disabled.

  5. In the HTTP section click DoS Tool, then from the Mitigate Action list select Report, and then click Create.

  6. Now run the monitor script on server2 as follows. It will be usefull for server health monitoring.

    ~/tools_agility_183/server2_monitor.sh

  7. Before launching the application layer attack, observe server2 is currently healthy.

    welcome.php     status: 200 bytes: 1045     time: 0.018
bigtext.html    status: 200 bytes: 634965   time: 0.136
httprequest.php status: 200 bytes: 710      time: 0.017

    Note

    The system is healthy since the web server returns HTTP Status Code 200 for every request.

  8. Now from the attacker terminal session run the following command:

    ~/tools_agility_183/slowloris.sh

    Mon Aug 13 11:26:54 2018:
slowhttptest version 1.6
- https://code.google.com/p/slowhttptest/ -
test type:                        SLOW HEADERS
number of connections:            4090
URL:                              https://server2.f5demo.com/
verb:                             GET
Content-Length header value:      4096
follow up data max size:          68
interval between follow up data:  10 seconds
connections per seconds:          200
probe connection timeout:         5 seconds
test duration:                    240 seconds
using proxy:                      no proxy

Mon Aug 13 11:26:54 2018:
slow HTTP test status on 30th second:
initializing:        0
pending:             1790
connected:           150
error:               0
closed:              2092
service available:   **NO**

  9. Observe how the service is impacted as the slowloris attack hits the server2.f5demo.com.

    welcome.php     status: 000 bytes: 0    time: 1.002
bigtext.html    status: 000 bytes: 0    time: 1.002
httprequest.php status: 000 bytes: 0    time: 1.002

    Note

    Since the slowloris attack is being encrypted (https://server2.f5demo.com) we need to setup the certificate and private keys so the traffic can be inspected by the Hybrid Defender..

  10. Configure SSL on the protected object to in order to inspect HTTPS traffic.

  11. Go to DDoS Protection-> Quick Configuration-> Protected Objects, then click Server2-http. Configure the SSL as follows:

    Port: 443
    SSL: Enabled
    SSL Certificate: default
    Key: default
    Encrypt Connection to Server: Yes (selected)

  12. Disable bot protections so the scripts can be used for testing the server health.

  13. On the Server2-http Protected Object section go to the HTTP row, click the + icon, click Behavioral

  14. Now from the Mitigation list select Standard Protection.

  15. In the HTTPS section click Proactive Bot Defense, then from the Mitigate Action list select Disabled.

  16. Now that SSL is also being inspected for this Protected Object, let’s run the slowloris script once again and verify if the attack still works.

– Behavioral L7 DoS Mitigation

Once the L7 behavioral baseline has been established, launch an L7 DoS attack and view the results.

  1. Now get back to the DHD terminal session.

  2. You will need to observe the info.learning signature to ensure that the system has accumulated enough learning details.

  3. This signature has 4 comma-separated values for monitoring the learning progress:

    • Value #1: baseline-learning_confidence

      This should be between 80 - 90%

    • Value #2: learned_bins_count (the number of learned bins)

      This should be > 0

    • Value #3: good_table_size (the number of learned requests)

      This should be > 4000

    • Value #4: good_table_confidence (how confident, as a percentage, the system is)

      It must be 100% for behavioral signatures

      vs./Common/Server1-http.info.learning:[96.3163, 78, 5355, 100]

  4. If you see the pattern such as that described, it indicates the traffic baseline was already established, then you can move forward with the lab.

  5. Once the info.learning values are acceptable based on the details above, from the attacker terminal session run the following command:

    ~/tools_agility_183/http_flood.sh

  6. Select option “1”

  7. Now take a look at the goodclient terminal session, you should start seeing the effects of the HTTP DoS attack, as requests are starting to fail (HTTP Status Code 000). If you were to examine the Lamp server at this time, you would see that it is under severe stress.

    welcome.php status: 200     bytes: 1045     time: 0.017
welcome.php status: 200     bytes: 1045     time: 0.029
welcome.php status: 000     bytes: 0        time: 1.000
headers.php status: 000     bytes: 0        time: 1.001
headers.php status: 200     bytes: 1847     time: 0.204
headers.php status: 200     bytes: 1847     time: 0.258
headers.php status: 200     bytes: 1847     time: 0.218
badlinks.html       status: 000     bytes: 0        time: 1.001
badlinks.html       status: 200     bytes: 1270     time: 0.242
badlinks.html       status: 200     bytes: 1270     time: 0.272
badlinks.html       status: 000     bytes: 0        time: 1.002
bigip4200.jpg       status: 200     bytes: 9318     time: 0.247

  8. Also from the DHD terminal session watch the health signal feed. You should see it climb from ~.5, which is optimal health, to values over 1, indicating an increase in server stress. You will also be able to watch as the system responds and mitigations are engaged.

  9. When the system has analyzed the attack traffic, dynamic signatures are created and engaged:

    vs./Common/Server1-http.sig.health:[0.768427]
vs./Common/Server1-http.info.attack:[1, 1]
vs./Common/Server1-http.sig.health:[0.746648]
vs./Common/Server1-http.info.signature:["Stable signature detected: (http.f5_filename_bin == 21) and (http.request.method eq \"GET\") and (!(http.user_agent matches \"(MSIE|Chrome|Firefox|Opera|Safari|Maxthon|Seamonkey)\")) and (!http.content_type) and ((http.hdr_len->= 128) and (http.hdr_len < 256)) and (http.request.uri matches \"^[^\\\\?]*$\") and (http.f5_headers_count == 5) and (http.f5_cache_control_bin == 0) and (http.accept) and (http.request.line matches \"Accept-Charset:.*\") and (http.f5_host_bin == 4) and (http.f5_referer_bin == 0) and (http.f5_uri_len_bin == 0) and (!(http.accept matches \"(application|audio|message|text|image|multipart)\")) and (http.connection) and (http.host) and (!(http.request.line matches \"Accept-Charset\")) and (http.user_agent)"]
vs./Common/Server1-http.info.attack:[1, 1]
vs./Common/Server1-http.sig.health:[0.726608]
vs./Common/Server1-http.info.attack:[1, 1]
vs./Common/Server1-http.sig.health:[0.709827]
vs./Common/Server1-http.info.attack:[1, 1]
vs./Common/Server1-http.sig.health:[0.691779]

  10. In the Configuration Utility, notice the indicator at the top-left side of the page.

    image37

  11. As you watch the feed, you should see HTTP requests being served again after the dynamic signature kicks in.

  12. In the Configuration Utility open the Security-> DoS Protection-> Behavioral Signatures page.

    image39

    You will see a signature that was created (as seen in the output of the admd command earlier). Note the system reports metrics such as Accuracy (an estimate of the percentage of traffic that will be blocked that is definitely hostile) and Efficiency (a measure of how much of the observed DoS traffic is mitigated by that signature). In our lab these values are both at or near 100%. In a real environment the Accuracy should be very high, but sometimes Efficiency will be lower (in a mutating attack) and the system may have to create additional signatures or refine the current one based on effectiveness.

  13. Click the new signature.

    Note the Wireshark filter at the bottom which can be used in conjunction with the Record Traffic feature of F5’s L7 DoS to identify exactly which requests the signature matches/will match. This can be helpful if using the “Approved Only” in the DoS profile setting to allow a risk-averse administrator to approve signatures before they begin to filter traffic.

  14. Change the Alias value to Agility2018, and then click Finished.

– View Silverline Signals

Use the Silverline portal to view details about the L7 DoS attacks that were launched in this exercise.

  1. Click Alerts for Hybrid Defender.

  2. Open the Audit-> API Activity Log page.

    image41

  3. Click the + icon to expand one of the entries to view additional attack details.

    That completes the hands-on exercise for BIG-IP DDoS Hybrid Defender.

Previous Next