Tuesday, November 28, 2017

Mitigate L7 DDoS with BIG-IP ASM

Today, let’s look at a couple ways to mitigate an application DDoS attack with BIG-IP ASM.

We’ve logged into a BIG-IP ASM and navigated to Security>DDoS Protection>DDoS Profiles. In the General Settings of Application Security, we’ll activate an application DoS iRule event.

We’ll click TPS-based Detection to see the temporarily lowered TPS thresholds to easily simulate an attack. Often, there are multiple mitigation methods that are sequentially applied as you can see with the Source IP settings.

We can also record traffic packet captures during attacks for post analysis.
When a user requests a web application proxied by BIG-IP ASM, ASM creates a unique identifier, a Device ID, for that client. ASM injects JavaScript to register each client device. You can see the X-Device-ID: header at the bottom.

And JavaScript incapable clients never make it through.

Now that the unit is ready, let’s enable some packet capture and take a go at that damn vulnerable web application.

The path for the log files is /var/log/ or /shared/log/. The PCAP folder is empty, so let’s see the action.

Attack commences in 3-2-1. Some quick refreshes should do, as our thresholds are low.

The first mitigation is Client Side Integrity Defense. The system issues a client-side integrity challenge that consumes client computation resources and slows down the attack. Next is Built-in Captcha. The third mitigation is Rate Limiting, and if they’re still not listening, you can instantly transform into a Honeypot.

The logs below show the IP address and the type of mitigation technique deployed: first Integrity, then Captcha, then Rate Limiting, then Honeypot if they don't stop. The traffic you recorded will be found in the now-populated PCAP folders.
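To make the escalation sequence concrete, here is a small added model of a TPS-based, per-source-IP detector that walks a misbehaving client through the same four stages and emits log lines of the kind shown above. This is illustration code written for this post, not F5's implementation or an ASM iRule: the threshold, the one-second window, the number of violations before each escalation, and the two IP addresses are all constructed assumptions, and the real product also keys on the injected Device ID rather than source IP alone.

```python
"""Toy model of an escalating L7 DoS mitigation chain keyed on source IP.

Added example, not BIG-IP ASM code. It reproduces the *shape* of the
sequence described in the post (integrity challenge -> CAPTCHA ->
rate limiting -> honeypot) driven by a transactions-per-second check.
All numbers below are constructed for the demo.
"""
from collections import defaultdict, deque

# Stage order as described in the post, lowest-friction first.
MITIGATIONS = (
    "Client Side Integrity Defense",
    "Captcha",
    "Rate Limiting",
    "Honeypot",
)


class EscalatingDosMitigator:
    def __init__(self, tps_threshold=5, window_s=1.0, violations_per_stage=4):
        # assumed parameters: requests/second that counts as an attack,
        # sliding-window length, and how many over-threshold requests a
        # source may make before we move it to the next stage
        self.tps_threshold = tps_threshold
        self.window_s = window_s
        self.violations_per_stage = violations_per_stage
        self._window = defaultdict(deque)   # ip -> request timestamps in window
        self._violations = defaultdict(int) # ip -> over-threshold request count
        self._stage = {}                    # ip -> current MITIGATIONS index
        self.log = []                       # human-readable escalation log

    def handle(self, ip, ts):
        """Record one request from `ip` at time `ts` (seconds).

        Returns "allow" or the name of the mitigation applied.
        """
        q = self._window[ip]
        q.append(ts)
        while ts - q[0] > self.window_s:    # drop timestamps outside the window
            q.popleft()
        tps = len(q) / self.window_s
        if tps <= self.tps_threshold:
            return "allow"

        # Over threshold: count the violation and pick the stage for it.
        self._violations[ip] += 1
        stage = min((self._violations[ip] - 1) // self.violations_per_stage,
                    len(MITIGATIONS) - 1)
        if self._stage.get(ip) != stage:
            # Log only on escalation, mirroring "IP + mitigation type" entries.
            self._stage[ip] = stage
            self.log.append(f"{ip} tps={tps:.0f} mitigation={MITIGATIONS[stage]}")
        return MITIGATIONS[stage]


def simulate():
    """Constructed traffic: one attacker at 20 req/s, one normal client at 2 req/s."""
    m = EscalatingDosMitigator(tps_threshold=5, window_s=1.0, violations_per_stage=4)
    results = []
    for i in range(20):                       # attacker: 20 requests in one second
        results.append(m.handle("203.0.113.7", i * 0.05))
    for i in range(2):                        # normal client: 2 requests in one second
        results.append(m.handle("198.51.100.9", i * 0.5))
    return m, results


if __name__ == "__main__":
    mitigator, verdicts = simulate()
    print("\n".join(mitigator.log))
    print(verdicts)
```

With these numbers the attacker's first five requests pass, the next four each receive the integrity challenge, then four get the CAPTCHA, four are rate limited, and the remainder land in the honeypot; the normal client is never touched. Tuning `violations_per_stage` and `tps_threshold` is the analogue of the profile settings the post lowers for the demo.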

Thanks to F5 SE Artiom Lichtenstein for the demo video.

ps
