Global DDoS Custom Resource¶
The GlobalDDoS Custom Resource (CR) configures the Traffic Management Microkernel (TMM) Proxy Pod to protect applications, and the TMM Pod itself, from Denial of Service / Distributed Denial of Service (DoS/DDoS) attacks. Using custom packet signatures, the Global DDoS inspects all application traffic processed by the TMM Proxy Pod to detect, report and/or mitigate DoS/DDoS events.
This document helps you understand, configure, and install a simple GlobalDDoS CR.
Hardware Acceleration for DDoS protection¶
The BIG-IP Next for Kubernetes Hardware Acceleration offloads only certain DoS vectors and the address list to the DPU, reducing the DDoS mitigation workload on the CPU so it can perform other functions. To use Hardware Acceleration for DDoS mitigation, set dosGlobalOptions.common.forceSwDos to false in the GlobalDDoS CR and back-reference the CR from the GatewayClass using spec.targetRef; see Ingress DDoS Protection in Gateway API. Only a few DoS vectors and the address list support Hardware Acceleration; see the F5BigDdosGlobal CRD. Users cannot selectively enable Hardware Acceleration for a subset of the supported DoS vectors.
Ensuring Unique Attack-IDs with dSSM Database¶
When DoS/DDoS attacks are detected, each is assigned a unique attack identifier (attack-ID). To prevent duplicate attack-IDs and to share them among multiple TMM Proxy Pods, the dSSM Database must be installed. The first TMM Proxy Pod that detects an attack stores its attack-ID in the dSSM database, and any subsequent TMM Proxy Pod replicas check the database before generating new attack-IDs.
CR shortName¶
The CR shortName provides an easy way to view installed CRs and their configuration parameters. The CR shortName can also be used to delete a CR instance. The Global DDoS CR shortName is ddos.
View CR instance:
kubectl get ddos -n <namespace>
View CR configuration:
kubectl get ddos -n <namespace> -o yaml
List of parameters used in the CR example¶
The tables below describe the Global DDoS CR parameters and sections used in this document. For the full list of parameters, refer to the GlobalDDoS Reference.
hslPublisher¶
| Parameter | Description |
|---|---|
| | Specifies the endpoint logging server to send logging messages. References the F5BigLogHslpub CR by |
allowList¶
Allows you to exclude specific types of traffic from DDoS mitigations.
| Parameter | Description |
|---|---|
| | Specifies the F5BigCneAddresslist by |
vectors¶
DDoS attack vectors are the methods or techniques used by attackers to carry out a Distributed Denial of Service (DDoS) attack.
| Parameter | Description |
|---|---|
| | Specifies the type of Vector to detect and mitigate. Refer to the F5BigDdosGlobal CRD for a full list. |
Global DDoS CR example¶
Note: The rateLimit and detectionThresholdEps values provided in the example CR are per-pod limits.
apiVersion: "k8s.f5net.com/v1"
kind: F5BigDdosGlobal
metadata:
  name: gateway-global-ddos
spec:
  hslPublisher: "hsl-pub"
  dosGlobalOptions:
    common:
      forceSwDos: false
  vectors:
    arpFlood:
      state: "detection-only"
      rateLimit: 320
      detectionThresholdEps: 160
      #detectionThresholdPercentage: 1
Requirements¶
Ensure you have:
Installed the CNE Controller.
Installed the dSSM Database when scaling TMM Proxy Pods.
A Linux based workstation.
Installation¶
Use these steps to install the example Global DDoS CR, and the optional CRs. Each step offers a brief description of the example CR.
Optional: The example F5BigLogHslpub CR specifies a remote server with IP/port [2002::10:30:2:220]:514 and the udp protocol. Copy and paste the example into a YAML file:
Note: The F5BigLogHslpub CR will be referenced by the Global DDoS.
apiVersion: k8s.f5net.com/v1
kind: F5BigLogHslpub
metadata:
  name: "hsl-pub"
  namespace: alpha
spec:
  pool:
  - name: "pub_pool"
    endpoint:
    - "11.16.10.100:514"
  syslog:
  - name: "syslog"
    format: "rfc5424"
    protocol: "udp"
    pool: "pub_pool"
Apply the F5BigLogHslpub CR:
kubectl apply -f cnf-hsl-cr.yaml
The example F5BigCneAddresslist specifies the IP addresses 2002::192:168:10:1 and 192.168.10.1. Copy and paste the example into a YAML file:
Note: The F5BigCneAddresslist CR defines lists of IP addresses that can be referenced by the Global DDoS CR. The Global DDoS supports individual IP addresses only; it does not work on IP ranges or prefixes.
apiVersion: "k8s.f5net.com/v1"
kind: F5BigCneAddresslist
metadata:
  name: "outbound-nat"
  namespace: "cnf-gateway"
spec:
  addresses:
  - "2002::192:168:10:1"
  - "192.168.10.1"
Apply the F5BigCneAddresslist CR:
kubectl apply -f cnf-address-list.yaml
The example mitigates ipv6-frag-flood and dns-aaaa-query attacks, and excludes the F5BigCneAddresslist IPs from the policy. Copy and paste the example into a YAML file:
apiVersion: "k8s.f5net.com/v1"
kind: F5BigCneAddresslist
metadata:
  name: wlist1
spec:
  addresses:
  - 10.10.10.10
  - 11.11.11.11
---
apiVersion: "k8s.f5net.com/v1"
kind: F5BigDdosGlobal
metadata:
  name: test-ddos
spec:
  allowList:
    srcAddressList: wlist1
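As an added pre-apply check (example code written for this page, not part of the F5 documentation or product), the following Python validates the Global DDoS CR and the address list it references: it confirms that hslPublisher and allowList.srcAddressList name CRs that exist, and that every allow-list entry is an individual IP address, since the Global DDoS does not work on ranges or prefixes. The CR contents are constructed as plain dicts mirroring the examples above.

```python
import ipaddress

# Constructed stand-ins for the CRs shown above (plain dicts rather than YAML so
# this runs without PyYAML); the address-list and publisher names match the page.
ADDRESS_LISTS = {
    "wlist1": {"kind": "F5BigCneAddresslist",
               "spec": {"addresses": ["10.10.10.10", "11.11.11.11"]}},
}
HSL_PUBLISHERS = {"hsl-pub"}   # names of installed F5BigLogHslpub CRs
DDOS_CR = {
    "kind": "F5BigDdosGlobal",
    "metadata": {"name": "test-ddos"},
    "spec": {
        "hslPublisher": "hsl-pub",
        "dosGlobalOptions": {"common": {"forceSwDos": False}},
        "allowList": {"srcAddressList": "wlist1"},
    },
}


def is_single_address(value):
    """True only for one IPv4/IPv6 host address; 'a.b.c.d/24' and 'x-y' ranges are rejected."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_ddos_cr(cr, address_lists, publishers):
    """Return a list of findings for an F5BigDdosGlobal CR; an empty list means it passes."""
    findings = []
    spec = cr["spec"]
    pub = spec.get("hslPublisher")
    if pub and pub not in publishers:
        findings.append(f"hslPublisher '{pub}' does not name an installed F5BigLogHslpub")
    src = spec.get("allowList", {}).get("srcAddressList")
    if src:
        alist = address_lists.get(src)
        if alist is None:
            findings.append(f"allowList.srcAddressList '{src}' names no F5BigCneAddresslist")
        else:
            for addr in alist["spec"]["addresses"]:
                if not is_single_address(addr):
                    findings.append(f"allow-list entry '{addr}' is not an individual IP "
                                    "(the Global DDoS does not work on ranges or prefixes)")
    return findings


if __name__ == "__main__":
    print(check_ddos_cr(DDOS_CR, ADDRESS_LISTS, HSL_PUBLISHERS) or "CR passes all checks")
```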
Apply the Global DDoS CR:
kubectl apply -f cnf-ddos-cr.yaml -n cnf-gateway
In this example, the BIG-IP Controller logs indicate the Global DDoS CR was added/updated:
I0208 12:00:00:12345 1 event.go:282] Event(v1.ObjectReference{Kind:"F5Dos", F5Dos cnf-gateway/cnf-dns-ddos was added/updated
Verify the Global DDoS status.
kubectl get f5-big-ddos-globals.k8s.f5net.com
The Global DDoS will inspect all application traffic processed by the TMM Proxy Pod. Continue to the Additional CRs and DoS/DDoS Statistics sections.
DoS/DDoS Statistics¶
Use the steps below to verify the Global DDoS CR DoS/DDoS statistics:
Connect to the debug sidecar:
kubectl exec -it deploy/f5-tmm -c debug -n <namespace> -- bash
In this example, the debug sidecar is in the cnf-gateway Namespace:
kubectl exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
Verify the DoS/DDoS statistics:
tmctl -f /var/tmstat/blade dos_stat -s context_name,vector_name,profile_name,protocol_type,status,attack_detected,attack_count,drops
context_name vector_name         profile_name        protocol_type status
------------ ------------------- ------------------- ------------- --------
Device       L3/4 BDoS           L4 BDoS                           Ready
Device       DNS AAAA Query      cnf-dns-ddos-global Device        Learning
Device       IPv6 fragment flood cnf-dns-ddos-global Device        Learning

attack_detected attack_count drops
--------------- ------------ -----
              0            0     0
              0            0     0
              0            0     0
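An added example (written for this page, not from the F5 documentation or the tmctl tool) that parses the dos_stat table and flags vectors reporting an attack or dropped packets, which is the check an operator would script over the output above. The sample output is constructed to match tmctl's fixed-width layout; the non-zero DNS AAAA Query counters are invented for the demonstration.

```python
# Constructed sample of the tmctl dos_stat table (one header block; the copy on
# the page wraps into two). The DNS AAAA Query counters are invented for the demo.
SAMPLE_OUTPUT = "\n".join([
    "context_name vector_name         profile_name        protocol_type status   attack_detected attack_count drops",
    "------------ ------------------- ------------------- ------------- -------- --------------- ------------ -----",
    "Device       L3/4 BDoS           L4 BDoS                           Ready                  0            0     0",
    "Device       DNS AAAA Query      cnf-dns-ddos-global Device        Learning               1            3  1240",
    "Device       IPv6 fragment flood cnf-dns-ddos-global Device        Learning               0            0     0",
])


def parse_dos_stat(text):
    """Split tmctl's fixed-width table into dicts, using the dash ruler to find column spans."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    names = lines[0].split()              # column names contain no spaces
    spans, start = [], 0
    for dashes in lines[1].split():       # one dash run per column, one space between
        spans.append((start, start + len(dashes)))
        start += len(dashes) + 1
    return [{n: row[a:b].strip() for n, (a, b) in zip(names, spans)} for row in lines[2:]]


def flag_vectors(rows):
    """Return (vector, profile, status, drops) for every vector reporting an attack or drops."""
    hits = []
    for r in rows:
        drops = int(r["drops"] or 0)
        if r["attack_detected"] != "0" or drops > 0:
            hits.append((r["vector_name"], r["profile_name"], r["status"], drops))
    return hits


if __name__ == "__main__":
    for vec, prof, status, drops in flag_vectors(parse_dos_stat(SAMPLE_OUTPUT)):
        print(f"{vec} ({prof}, {status}): {drops} drops")
```

Pipe the real output in with `tmctl ... | python3 this_script.py` after replacing SAMPLE_OUTPUT with sys.stdin.read().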