F5 Customer Demo: BIG-IP AFM - Use Network DoS Protection
The purpose of this demo is to show how to use BIG-IP AFM to protect the BIG-IP system against network DoS
attacks and DoS floods. In this demo you will:
1. Launch a single network denial-of-service attack against the BIG-IP system, and then show how BIG-IP
AFM blocks the malicious packets using the DoS overview page, the network events page, and the
DoS analysis page.
2. Launch an ICMP flood attack and show it being blocked using the same pages.
3. Run several network DoS attacks and floods simultaneously, showing them being identified on the
DoS overview page and blocked on the network events page.
4. View the custom DoS reports page and the DoS dashboard.
Contact Chris Manly (c.manly@f5.com) with any questions or feedback for this demo.
©2019 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.
Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.
These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.
The F5 vLab (virtual lab environment) is an F5-community supported tool. Please DO NOT contact F5 Support for assistance with the vLab.
For help with the setup of the vLab or running a demonstration, you should contact your F5 Channel Account Manager (CAM).
Part 1 – Prepare the BIG-IP Demo Environment
→NOTE: If you do not have the BIGIPA_v14.1 image or the clean_install_bigipA_v14.1.ucs archive file, complete
the F5 vLab Setup (contained within the SE_vLab_Package or Partner_vLab_Package directories).
− Once the clean_install archive file has loaded, open Chrome or Firefox, click the BIGIP_A bookmark,
and log into the BIG-IP system as admin / admin.F5demo.com
− Open the System > Resource Provisioning page and set the following, and then click Submit.
o Leave Local Traffic (LTM) set to Nominal
o Set Advanced Firewall (AFM) to Nominal
WWFE Lab Guides –BIG-IP AFM 05 Demo – Use Network DoS Protection; v14.1.A Page | 1
Part 2 – Deliver the BIG-IP Customer Demo
− In the VMware library start up the BIGIPA_v14.1, LAMP_v7, DoS_Tool_v5, and Windows_7_External
images.
− Log into the Windows workstation as external_user / P@ssw0rd!
− From the desktop open PuTTY, then in the Saved Sessions section double-click BIGIP_A, and then log in
as root / default.F5demo.com
− At the CLI prompt copy and paste the following:
tmsh load sys ucs demo_afm_network-dos_v14.1.ucs no-license
→NOTE: If you do not have the demo_afm_network-dos_v14.1.ucs archive file, complete part 1 of this
document.
− Open Chrome and click the BIGIP_A bookmark and log into the BIG-IP system
as admin / admin.F5demo.com.
− Open a new Chrome window and click the DoS Tool bookmark, and then open three more tabs and click
the DoS Tool bookmark in each tab.
− In the first tab enter the following (do not click Submit).
Destination IP 10.1.10.20
Source IP 179.51.96.10
Packets 10000
Packets/second 500
Network Attacks Select all attacks from Bad IP TTL Value to No L4
− In the second tab enter the following (do not click Submit).
Destination IP 10.1.10.20
Source IP 115.84.224.40
Packets 15000
Packets/second 500
Network Attacks Select all attacks from Bad TCP Checksum to No L4
− In the third tab enter the following (do not click Submit).
Destination IP 10.1.10.20
Source IP 188.160.59.40
Packets 20000
Packets/second 500
Network Attacks Select all attacks from IP Length > L2 Length to No L4
− In the fourth tab enter the following (do not click Submit).
Destination IP 10.1.10.20
Source IP 175.45.176.50
Packets 30000
Packets/second 500
Network Attacks Select both IP SA == DA and No L4
→NOTE: Press Ctrl+Alt to release the mouse from the DoS_Tool desktop.
This attack sends 25,000 IP packets that carry no layer 4 header (the No L4 vector). The attack
takes about 50 seconds to complete.
− In the Configuration Utility, on the DoS Overview (non-HTTP) tab click Refresh.
BIG-IP AFM identifies that a network DoS attack is underway and is dropping packets.
The Aggregate > Dropped icon indicates that an attack ID has been assigned to the attack and that
rate limiting has been applied. You can also see the average aggregate packets per second currently, for
the past minute, and for the past hour, and the number of dropped packets per second for the same
durations.
− Reload the DoS > Network > Events tab.
− Sort the list in descending order by the Time column.
AFM first identified the No L4 DoS attack when traffic crossed the configured threshold values (Attack
Started). It then began dropping packets, logging one Attack Sampled entry for each second the attack
continued.
− On the DoS Analysis tab view the Max Number of Attacks chart.
You can see that one attack was identified.
− Examine the Distinct Count of IPs chart.
There was only one IP address in this attack.
− Place your mouse over the red area of the Network Events chart.
You can view the number of dropped requests per second during the attack.
− On the DoS Overview (non-HTTP) tab click Refresh.
EITHER: The No L4 attack is now listed as Aggregate > Detected, which means the attack is still in the
detected state but is no longer being rate limited, or
the network DoS attack is no longer on the overview page, which means it has ended.
− Reload the DoS > Network > Events tab and examine the most recent Attack Stopped log entry.
AFM adds an Attack Stopped entry when it identifies that the network DoS attack has ended.
− Close the Chrome window that has only a single Denial of Service Demo Tool tab (keep the window
with four tabs open for later).
− On the DoS_Tool desktop, in one of the Terminal windows type the following:
./icmpflood-m.sh
This script launches an ICMP flood against the virtual server on the BIG-IP system.
− In the Configuration Utility on the DoS Overview (non-HTTP) tab click Refresh.
Again, AFM immediately identifies this attack, assigns an attack ID, and begins rate limiting the
malicious requests.
− On the DoS Analysis tab place your mouse over the red area of the Distinct Count of IPs chart.
There are thousands of IP addresses involved in this attack.
− Reload the DoS > Network > Events tab and scroll to the bottom of the page to view the number of
pages of log entries.
This ICMP flood attack lasted for several seconds, accumulating several pages of log entries.
− At the top of the page in the filter field type Started (be sure to remove the asterisk * character), and
then note what time the ICMPv4 flood attack started.
− Replace the filter text with Stopped, then note what time the ICMPv4 flood attack stopped, and then
calculate the total duration of the ICMPv4 flood.
→NOTE: The ICMPv4 flood attack may not have an Attack Stopped log entry yet. If not, just
reload the DoS > Network > Events tab and note what time the last log entry occurred.
We can use the network event log to identify the total duration of each network DoS attack.
− Open the Chrome window with four Denial of Service Demo Tool web page tabs.
We have four DoS attacks ready to go, each from a different source IP address, each with a different
set of attack vectors selected, and each with a different packet count. We'll run all of these
attacks simultaneously.
− Click Submit on all four tabs.
− After about 15 seconds, on the DoS Overview (non-HTTP) tab click Refresh a few times, about five
seconds apart.
There are several simultaneous attacks in progress, some that are aggregate and one that is
configured with bad actor detection.
− On the DoS_Tool desktop, in the first Terminal window type the following.
./1_ddos_attack.sh
This script launches several DoS flood attacks against the virtual server on the BIG-IP system.
− In the Configuration Utility on the DoS Overview (non-HTTP) tab click Refresh a few times, about five
seconds apart.
The BIG-IP system is under a massive DDoS attack.
− On the DoS Analysis tab, reload the page and view the Max Number of Attacks chart.
There are now multiple concurrent DoS attacks.
− In the Attack IDs widget select the newest attack ID.
− View the Number of IPs Participating in an Attack and the Attack Severity charts.
− Close the DoS Analysis tab, then reload the DoS > Network > Events tab, and then use the filter field to
search for Started.
You can see every new network DoS attack that has occurred this past hour. Notice that some are
aggregated across all source IPs, and some are per source IP.
− For any of the listed attacks, copy the Attack ID, and then paste the value in the filter field to search for all
log entries with that attack ID.
We can see all network event log entries for a specific attack, starting with the Attack Started entry,
then each Attack Sampled entry (one for each second of the attack), and finally the Attack Stopped entry.
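The two event log steps above (timing the ICMPv4 flood from its Attack Started and Attack Stopped entries, and filtering every entry for one attack ID) can be scripted once the log is exported, for example from a remote syslog collector. The following Python is an added example written for this guide, not an F5 tool: it parses a constructed, simplified CSV layout of DoS network events (the field order in FIELDS is an assumption, not the exact BIG-IP AFM log format, so adjust it to match your logging profile), groups entries by attack ID, computes each attack's duration and distinct source count, and treats an attack without an Attack Stopped entry as still in progress, as the note above describes.

```python
"""Summarise BIG-IP AFM style network DoS event log lines by attack ID.

Added example for this demo guide; not an F5 tool. The log layout below is a
constructed, simplified CSV and NOT the exact AFM field order: check FIELDS
against your own DoS logging profile before pointing this at real logs.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample: time, vector, action, attack ID, scope, source IP, dropped pps.
# Attack IDs and addresses are made up for the example.
SAMPLE_LOG = """\
2019-06-11 11:03:06,No L4,Attack Started,3255811562,Aggregated,179.51.96.10,0
2019-06-11 11:03:07,No L4,Attack Sampled,3255811562,Aggregated,179.51.96.10,480
2019-06-11 11:03:08,No L4,Attack Sampled,3255811562,Aggregated,179.51.96.10,495
2019-06-11 11:03:56,No L4,Attack Stopped,3255811562,Aggregated,179.51.96.10,0
2019-06-11 11:05:10,ICMPv4 flood,Attack Started,3255811563,Aggregated,10.0.77.3,0
2019-06-11 11:05:11,ICMPv4 flood,Attack Sampled,3255811563,Aggregated,10.0.77.3,12000
2019-06-11 11:05:12,ICMPv4 flood,Attack Sampled,3255811563,Aggregated,10.0.91.200,11800
2019-06-11 11:05:13,ICMPv4 flood,Attack Sampled,3255811563,Aggregated,172.16.4.9,11950
2019-06-11 11:07:00,IP SA == DA,Attack Started,3255811570,Per Source IP,175.45.176.50,0
2019-06-11 11:07:01,IP SA == DA,Attack Sampled,3255811570,Per Source IP,175.45.176.50,300
2019-06-11 11:07:02,IP SA == DA,Attack Stopped,3255811570,Per Source IP,175.45.176.50,0
"""

# Assumed field order for the constructed layout above (adjust for real exports).
FIELDS = ["time", "vector", "action", "attack_id", "scope", "source_ip", "dropped"]
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_events(text):
    """Parse log text into a list of event dicts, skipping malformed lines."""
    events = []
    for row in csv.reader(StringIO(text)):
        if len(row) != len(FIELDS):
            continue  # blank, truncated or foreign line: ignore rather than crash
        event = dict(zip(FIELDS, (field.strip() for field in row)))
        try:
            event["time"] = datetime.strptime(event["time"], TIME_FORMAT)
            event["dropped"] = int(event["dropped"])
        except ValueError:
            continue  # unparsable timestamp or counter
        events.append(event)
    return events


def filter_by_attack_id(events, attack_id):
    """Same result as pasting the Attack ID into the GUI filter field."""
    return [e for e in events if e["attack_id"] == attack_id]


def summarize_attacks(events):
    """Group by attack ID: start/stop, duration, scope, distinct sources, drops."""
    by_id = defaultdict(list)
    for ev in events:
        by_id[ev["attack_id"]].append(ev)
    summary = {}
    for attack_id, evs in by_id.items():
        evs.sort(key=lambda e: e["time"])
        started = next((e["time"] for e in evs if e["action"] == "Attack Started"), None)
        stopped = next((e["time"] for e in evs if e["action"] == "Attack Stopped"), None)
        # No Attack Stopped entry yet: the attack is still in progress (or the entry
        # has not been logged), so measure up to the last entry seen, as the guide does.
        end = stopped if stopped is not None else evs[-1]["time"]
        summary[attack_id] = {
            "vector": evs[0]["vector"],
            "scope": evs[0]["scope"],
            "started": started,
            "stopped": stopped,
            "ongoing": stopped is None,
            "duration_s": (end - started).total_seconds() if started else None,
            "distinct_sources": len({e["source_ip"] for e in evs}),
            "dropped_total": sum(e["dropped"] for e in evs if e["action"] == "Attack Sampled"),
        }
    return summary


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for attack_id, s in summarize_attacks(events).items():
        state = "ongoing" if s["ongoing"] else "ended"
        duration = f"{s['duration_s']:.0f}s" if s["duration_s"] is not None else "n/a"
        print(f"{attack_id} {s['vector']:<13} {s['scope']:<14} {state:<8} {duration:>5} "
              f"sources={s['distinct_sources']} dropped={s['dropped_total']}")
```

Run as-is to summarise the constructed sample; the No L4 attack shows the 50-second duration the demo describes, the ICMPv4 flood is reported as ongoing with its duration measured to the last sampled entry, and the per-source (bad actor) attack is distinguished from the aggregate ones by its scope field.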
− Open the Security > Reporting > DoS > Custom Page page.
This page enables an administrator to create customized DoS reports and graphs. If we wanted, we
could delete the default reports that are displayed on the page.
− At the bottom of the page (on the left column, not the right column) click Add Widget.
− Use the following for the new widget, then click Done, and then view the new graph.
Reporting Module DoS Network
View by Countries
Date range Last Hour
Select Measurements Dropped Requests
Data visualization Pie chart
− Right below the new chart click Add Widget, then use the following for the new widget, then click Done,
and then view the new graph.
Reporting Module DoS Network
View by Vectors
Date range Last Hour
Show details Top 15
Select Measurements Dropped Requests and Total Requests
Data visualization Details Table
This customized page will retain these changes for the current BIG-IP administrator.
− Open the Security > Reporting > DoS > Dashboard page.
You use this page to see an overview of your organization’s DoS activity. The default view shows the
DoS activity in the past hour.
− Place your mouse over one of the attack indicators.
This table shows each attack type, when it started and stopped (and in some cases if it’s ongoing),
how many IP addresses were involved, and how many malicious transactions were blocked.
− Scroll down and examine the Countries section.
You can see both a graphical map and a table of the source of the DoS attacks.
− Use your mouse to zoom into a red country in the map, then select the red country, and then scroll up to
view the other areas of the DoS visibility page.
You can zoom in and select a specific country, and then view specific attack details from that location.
That concludes this demonstration on using BIG-IP AFM to protect the BIG-IP system against network
DoS attacks and DoS floods.