
F5 Customer Demo

BIG-IP AFM – Use Network DoS Protection


F5 vLab document version 14.1.A
Written for: TMOS® Architecture v14.1
Virtual images:
BIGIPA_v14.1, LAMP_v7
Windows_7_External (v9), DoS_Tool_v5

Estimated Completion Time: 25 minutes

The purpose of this demo is to show how to use BIG-IP AFM to protect the BIG-IP system against network DoS
attacks and DoS floods. In this demo you will:

1. Launch a single network denial-of-service attack against the BIG-IP system, and then show how BIG-IP
AFM blocks the malicious requests using the DoS overview page, the network events page, and the
DoS analysis page.
2. Launch an ICMP flood attack and show it being blocked using the same pages.
3. Run several network DoS attacks and floods simultaneously, showing them being identified on the
DoS overview page and blocked on the network events page.
4. View the custom DoS reports page and the DoS dashboard.

NOTE: The F5 vLab (virtual lab environment) is an F5-community supported tool.


Please DO NOT contact F5 Support for assistance with the vLab. For help with the setup of the vLab
or running a demonstration, you should contact your F5 Channel Account Manager (CAM).

F5 Worldwide Field Enablement Last Updated: 5/8/2019


Learn More, Sell More, Sell Faster

Contact Chris Manly (c.manly@f5.com) with any questions or feedback for this demo.
©2019 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.

Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.

These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.

Part 1 – Prepare the BIG-IP Demo Environment


• Required virtual images: BIGIPA_v14.1, Windows_7_External (v9)
• Estimated completion time: 10 minutes

Prep Task 1 – Provision AFM


Provision BIG-IP AFM on the BIG-IP system.

− In the VMware library start up the BIGIPA_v14.1 and Windows_7_External images.


− Log into the Windows workstation as external_user / P@ssw0rd!
− From the desktop open putty, then in the Saved Sessions section double-click BIGIP_A, and then log in
as root / default.F5demo.com
− At the CLI prompt copy and paste the following. (NOTE: Use the copy and paste guide in
the My Documents > Demo setup copy and paste guides directory.)
tmsh load sys ucs clean_install_bigipA_v14.1.ucs no-license

→NOTE: If you do not have the BIGIPA_v14.1 image or the clean_install_bigipA_v14.1.ucs archive file, complete
the F5 vLab Setup (contained within the SE_vLab_Package or Partner_vLab_Package directories).

− Once the clean_install archive file has loaded, open Chrome or Firefox, click the BIGIP_A bookmark,
and log into the BIG-IP system as admin / admin.F5demo.com
− Open the System > Resource Provisioning page and set the following, and then click Submit.
o Leave Local Traffic (LTM) set to Nominal
o Set Advanced Firewall (AFM) to Nominal

Prep Task 2 – Create an Application and Configure DoS Settings


Use TMSH commands to create an application to use during the demo and update the default network
DoS settings.

− In putty copy and paste the following lines together:


tmsh create ltm pool lorax_pool members add { 10.1.20.11:0 { address 10.1.20.11 } }
tmsh create ltm virtual lorax_virtual destination 10.1.10.20:0 ip-protocol tcp profiles add { tcp { } } translate-address enabled translate-port enabled source-address-translation { type automap } pool lorax_pool
tmsh modify security dos device-config dos-device-config log-publisher local-db-publisher
tmsh modify security dos device-config dos-device-config dos-device-vector { bad-ttl-val { detection-threshold-pps 25 detection-threshold-percent 100 default-internal-rate-limit 25 }}
tmsh modify security dos device-config dos-device-config dos-device-vector { bad-ver { detection-threshold-pps 25 detection-threshold-percent 100 default-internal-rate-limit 25 }}
tmsh modify security dos device-config dos-device-config dos-device-vector { ip-err-chksum { detection-threshold-pps 25 detection-threshold-percent 100 default-internal-rate-limit 25 }}
tmsh modify security dos device-config dos-device-config dos-device-vector { ip-len-gt-l2-len { detection-threshold-pps 25 detection-threshold-percent 100 default-internal-rate-limit 25 }}
tmsh modify security dos device-config dos-device-config dos-device-vector { no-l4 { detection-threshold-pps 25 detection-threshold-percent 100 default-internal-rate-limit 25 }}
tmsh modify security dos device-config dos-device-config dos-device-vector { bad-tcp-chksum { detection-threshold-pps 25 detection-threshold-percent 100 default-internal-rate-limit 25 }}
tmsh modify security dos device-config dos-device-config dos-device-vector { land-attack { detection-threshold-pps 25 detection-threshold-percent 100 default-internal-rate-limit 25 }}
tmsh modify security dos device-config dos-device-config dos-device-vector { l2-len-ggt-ip-len { detection-threshold-pps 25 detection-threshold-percent 100 default-internal-rate-limit 25 }}
tmsh modify security dos device-config dos-device-config dos-device-vector { tcp-syn-flood { detection-threshold-pps 50 detection-threshold-percent 200 default-internal-rate-limit 50 }}
tmsh modify security dos device-config dos-device-config dos-device-vector { tcp-syn-oversize { detection-threshold-pps 50 detection-threshold-percent 200 default-internal-rate-limit 50 }}
tmsh modify security dos device-config dos-device-config dos-device-vector { icmp-frag { detection-threshold-pps 25 detection-threshold-percent 100 default-internal-rate-limit 25 }}
tmsh modify security dos device-config dos-device-config dos-device-vector { ip-frag-flood { detection-threshold-pps 50 detection-threshold-percent 200 default-internal-rate-limit 50 }}
tmsh modify security dos device-config dos-device-config dos-device-vector { icmpv4-flood { detection-threshold-pps 50 detection-threshold-percent 200 default-internal-rate-limit 50 }}
tmsh save sys ucs demo_afm_network-dos_v14.1.ucs
exit

WWFE Lab Guides –BIG-IP AFM 05 Demo – Use Network DoS Protection; v14.1.A Page | 1
Part 2 – Deliver the BIG-IP Customer Demo


• Required virtual images: BIGIPA_v14.1, LAMP_v7, DoS_Tool_v5, Windows_7_External (v9)
• Estimated completion time: 20 minutes

BEFORE THE DEMO – Restore an Archive File


Use TMSH to restore the archive file you created in Part 1.

− In the VMware library start up the BIGIPA_v14.1, LAMP_v7, DoS_Tool_v5, and Windows_7_External
images.
− Log into the Windows workstation as external_user / P@ssw0rd!
− From the desktop open putty, then in the Saved Sessions section double-click BIGIP_A, and then log in
as root / default.F5demo.com
− At the CLI prompt copy and paste the following:
tmsh load sys ucs demo_afm_network-dos_v14.1.ucs no-license

→NOTE: If you do not have the demo_afm_network-dos_v14.1.ucs archive file, complete part 1 of this
document.

− Open Chrome and click the BIGIP_A bookmark and log into the BIG-IP system
as admin / admin.F5demo.com.
− Open a new Chrome window and click the DoS Tool bookmark, and then open three more tabs and click
the DoS Tool bookmark in each tab.
− In the first tab enter the following (do not click Submit).
Destination IP 10.1.10.20
Source IP 179.51.96.10
Packets 10000
Packets/second 500
Network Attacks Select all attacks from Bad IP TTL Value to No L4

− In the second tab enter the following (do not click Submit).
Destination IP 10.1.10.20
Source IP 115.84.224.40
Packets 15000
Packets/second 500
Network Attacks Select all attacks from Bad TCP Checksum to No L4

− In the third tab enter the following (do not click Submit).
Destination IP 10.1.10.20
Source IP 188.160.59.40
Packets 20000
Packets/second 500
Network Attacks Select all attacks from IP Length > L2 Length to No L4

− In the fourth tab enter the following (do not click Submit).
Destination IP 10.1.10.20
Source IP 175.45.176.50
Packets 30000
Packets/second 500
Network Attacks Select both IP SA == DA and No L4

− Log into the DoS_Tool workstation as root / default


− Click the Terminal icon on the top-left side of the desktop to open a Terminal window and then open a
second Terminal window.

→NOTE: Press Ctrl+Alt to release the mouse pointer from the DoS_Tool desktop.

Demo Task 1 – Launch a Network DoS Attack


Launch a network DoS attack against the BIG-IP system.

− In the Configuration Utility open the Virtual Server List page.


We have one server listening on IP address 10.1.10.11 and on all ports.
− Open the Security > DoS Protection > DoS Overview (non-HTTP) page.
There is no data on this page now, as we’re not currently under a network DoS attack.
− Navigate to Security > Event Logs > DoS > Network and right-click on Events and
select Open link in new tab, and then examine the new tab.
There are no network DoS events on this page yet.
− Navigate to Security > Reporting > DoS and right-click on Analysis and select Open link in new tab, and
then in the new tab for Real Time select On.
− For BIG-IP Health click the – icon to collapse the section.
− Under Virtual Servers collapse the Average Throughput in bits/s, Average Throughput in packets/s,
and Total Health charts.
− Open a new Chrome window and click the DoS Tool bookmark.
− On the Denial of Service Demo Tool web page enter the following information, and then click Submit.
Destination IP 10.1.10.20
Source IP 86.104.32.50
Packets 25000
Packets/second 500
Network Attacks No L4

The tool sends 25,000 IP packets that carry no layer 4 header (the No L4 vector). At 500 packets per
second the attack takes about 50 seconds to complete.

− In the Configuration Utility on the DoS Overview (non-HTTP) tab click Refresh.

BIG-IP AFM identifies that a network DoS attack is underway and is dropping requests.
The Aggregate > Dropped icon identifies that an attack ID has been assigned to the attack and that
rate limiting has been applied. You can also see the average aggregate packets per second currently, for
the past minute, and for the past hour, and the number of dropped packets per second for the same
durations.
− Reload the DoS > Network > Events tab.
− Sort the list in descending order by the Time column.

AFM first identified the No L4 DoS attack based on the threshold values (Attack Started). It then
began dropping packets every second while the attack continued (Attack Sampled).
− On the DoS Analysis tab view the Max Number of Attacks chart.
You can see that one attack was identified.
− Examine the Distinct Count of IPs chart.
There was only one IP address in this attack.
− Place your mouse over the red area of the Network Events chart.
You can view the number of dropped requests per second during the attack.
− On the DoS Overview (non-HTTP) tab click Refresh.
EITHER: The No L4 attack is now listed as Aggregate > Detected, which means the attack is still in the
detected state but it’s no longer being rate limited, or
The network DoS attack is no longer on the overview page, identifying that it has ended.
− Reload the DoS > Network > Events tab and examine the most recent Attack Stopped log entry.
AFM adds a log entry when it identifies that the network DoS attack has ended.
− Close the Denial of Service Demo Tool window that has only a single tab.
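The detection thresholds set in Prep Task 2 and the Attack Started / Attack Sampled / Attack Stopped sequence seen in this task, as an added simplified model that is not F5's code: a vector trips when the per-second packet count exceeds both detection-threshold-pps and detection-threshold-percent of the recent quiet-time average (that "both" rule, the five-second baseline window and the event tuple layout are assumptions of this example), and the duration calculation is the one Demo Task 2 asks you to do by hand from the Events page.

```python
from statistics import mean

# Constructed traffic for the No L4 vector (thresholds 25 pps / 100 % / limit 25 from Prep Task 2):
# five quiet seconds, four seconds of the 500 pps attack from the demo tool, then quiet again.
SAMPLE_NO_L4 = [2, 2, 2, 2, 2, 500, 500, 500, 500, 3, 3]


def run_vector(pps_samples, threshold_pps, threshold_percent, rate_limit,
               baseline_window=5, attack_id=1):
    """Return (second, attack_id, event, dropped) tuples for a series of per-second packet counts."""
    events, history, in_attack = [], [], False
    for second, pps in enumerate(pps_samples):
        # Baseline is the average of recent non-attack seconds (assumed window of five).
        baseline = mean(history[-baseline_window:]) if history else 0.0
        above = pps > threshold_pps and pps > baseline * threshold_percent / 100
        if above and not in_attack:
            in_attack = True
            events.append((second, attack_id, "Attack Started", 0))
        elif above:
            # Rate limiting: everything over default-internal-rate-limit is dropped this second.
            events.append((second, attack_id, "Attack Sampled", max(0, pps - rate_limit)))
        elif in_attack:
            in_attack = False
            events.append((second, attack_id, "Attack Stopped", 0))
        if not above:
            history.append(pps)  # attack seconds do not inflate the baseline
    return events


def attack_summary(events):
    """Per attack ID: start second, stop second, duration and total dropped packets."""
    summary = {}
    for second, aid, kind, dropped in events:
        s = summary.setdefault(aid, {"started": None, "stopped": None, "dropped": 0})
        if kind == "Attack Started":
            s["started"] = second
        elif kind == "Attack Stopped":
            s["stopped"] = second
        s["dropped"] += dropped
    for s in summary.values():
        s["duration"] = None if s["stopped"] is None else s["stopped"] - s["started"]
    return summary


if __name__ == "__main__":
    log = run_vector(SAMPLE_NO_L4, threshold_pps=25, threshold_percent=100, rate_limit=25)
    for entry in log:
        print(entry)
    print(attack_summary(log))
```

With the tcp-syn-flood settings (50 pps / 200 %) a rise from 40 pps to 70 pps exceeds the pps threshold but not twice the baseline, so no attack is logged; that is why the percent threshold exists alongside the absolute one.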

Demo Task 2 – Launch a Network DoS Flood


Launch a network DoS flood attack against the virtual server on the BIG-IP system.

− On the DoS_Tool desktop, in one of the Terminal windows type the following:
./icmpflood-m.sh

This script submits an ICMP flood against the virtual server on the BIG-IP system.
− In the Configuration Utility on the DoS Overview (non-HTTP) tab click Refresh.

Again, AFM immediately identifies this attack, assigns an attack ID, and begins rate limiting the
malicious requests.

− On the DoS Analysis tab place your mouse over the red area of the Distinct Count of IPs chart.
There are thousands of IP addresses involved in this attack.
− Reload the DoS > Network > Events tab and scroll to the bottom of the page to view the number of
pages of log entries.
This ICMP flood attack lasted for several seconds, accumulating several pages of log entries.
− At the top of the page in the filter field type Started (be sure to remove the asterisk * character), and
then note what time the ICMPv4 flood attack started.
− Replace the filter text with Stopped, then note what time the ICMPv4 flood attack stopped, and then
calculate the total duration of the ICMPv4 flood.

→NOTE: The ICMPv4 flood attack may not have an Attack Stopped log entry yet. If not, just
reload the DoS > Network > Events tab and note what time the last log entry occurred.

We can use the network event log to identify the total duration of each network DoS attack.

Demo Task 3 – Launch Multiple Network DoS Attacks


Launch several denial-of-service attacks directed at lorax_virtual.

− Open the Chrome window with four Denial of Service Demo Tool web page tabs.
We have several DoS attacks ready to go, each one from a different source IP address, each configured
with a different set of attack vectors and a different number of packets. We’ll run all these attacks
simultaneously.
− Click Submit on all four tabs.
− After about 15 seconds, on the DoS Overview (non-HTTP) tab click Refresh a few times, about five
seconds apart.

There are several simultaneous attacks in progress, some that are aggregate and one that is
configured with bad actor detection.
− On the DoS_Tool desktop, in the first Terminal window type the following.
./1_ddos_attack.sh

− In the second Terminal window type the following.


./1_ddos_attack.sh

These scripts submit several DoS flood attacks against the virtual server on the BIG-IP system.
− In the Configuration Utility on the DoS Overview (non-HTTP) tab click Refresh a few times, about five
seconds apart.
The BIG-IP system is under a massive DDoS attack.
− Close the DoS Analysis tab, then on the DoS Analysis tab view the Max Number of Attacks chart.
There are now multiple concurrent DoS attacks.

− In the Attack IDs widget select the newest attack ID.

− View the Number of IPs Participating in an Attack and the Attack Severity charts.
− Close the DoS Analysis tab, then reload the DoS > Network > Events tab, and then use the filter field to
search for Started.
You can see every new network DoS attack that has occurred this past hour. Notice that some are
aggregated across all source IPs, and some are per source IP.
− For any of the listed attacks, copy the Attack ID, and then paste the value in the filter field to search for all
log entries of that attack ID.
We can see all network event log entries for a specific attack, starting with the Attack Started entry,
then each Attack Sampled entry (one for each second of the attack), and finally the Attack Ended entry.

Demo Task 4 – View DoS Reports


Use the Configuration Utility to view the custom and built-in DoS reports.

− Open the Security > Reporting > DoS > Custom Page page.
This page enables an administrator to create customized DoS reports and graphs. If we wanted, we
could delete the default reports that are displayed on the page.
− At the bottom of the page (on the left column, not the right column) click Add Widget.
− Use the following for the new widget, then click Done, and then view the new graph.
Reporting Module DoS Network
View by Countries
Date range Last Hour
Select Measurements Dropped Requests
Data visualization Pie chart

− Right below the new chart click Add Widget, then use the following for the new widget, then click Done,
and then view the new graph.
Reporting Module DoS Network
View by Vectors
Date range Last Hour
Show details Top 15
Select Measurements Dropped Requests, Total Requests
Data visualization Details Table
This customized page will retain these changes for the current BIG-IP administrator.
− Open the Security > Reporting > DoS > Dashboard page.
You use this page to see an overview of your organization’s DoS activity. The default view shows the
DoS activity in the past hour.

− Place your mouse over one of the attack indicators.

You can view several details of the attack.


− Scroll down to the Attacks table, and on the top-right side of the table click the icon and remove the
Trigger and Virtual Server fields from the table.

This table shows each attack type, when it started and stopped (and in some cases if it’s ongoing),
how many IP addresses were involved, and how many malicious transactions were blocked.
− Scroll down and examine the Countries section.
You can see both a graphical map and a table of the source of the DoS attacks.
− Use your mouse to zoom into a red country in the map, then select the red country, and then scroll up to
view the other areas of the DoS visibility page.
You can zoom in and select a specific country, and then view specific attack details from that location.

That concludes this demonstration on using BIG-IP AFM to protect the BIG-IP system against network
DoS attacks and DoS floods.

AFTER THE DEMO – Reset the VMware Environment


− Click Log out, and then close the Configuration Utility.
− From the desktop open putty, then in the Saved Sessions section double-click BIGIP_A, and then log in
as root / default.F5demo.com
− At the CLI prompt copy and paste the following:
tmsh load sys ucs clean_install_bigipA_v14.1.ucs no-license
reboot
