F5BigDdosPolicy

Overview

The F5BigDdosPolicy Custom Resource (CR) configures the Traffic Management Microkernel (TMM) Proxy Pod to protect applications and the TMM Pod from Denial of Service / Distributed Denial of Service (DoS/DDoS) attacks. Using custom packet signatures, the F5BigDdosPolicy inspects all application traffic processed by the TMM Proxy Pod to detect, report and/or mitigate DoS/DDoS events.

This document guides you through understanding, configuring and installing a simple F5BigDdosPolicy CR.

CR Parameters

The tables below describe the F5BigDdosPolicy CR parameters used in this document. For the full list of parameters, refer to the F5BigDdosPolicy Reference.

allowList

Parameter Description
sourceAddressList Specifies the F5BigCneAddresslist by metadata.name containing the source IP addresses to exclude from DDoS detection/mitigation.

vectors.floodVectors.commonConfigVectors

Parameter Description
vectorType Specifies the type of DoS Flood Vector to detect and mitigate: ipv6-frag-flood. Refer to F5BigDdosPolicy Reference for a full list.
state Specifies the response to a vector match: detection-only (default) or mitigation. To disable the vector, delete the custom resource.
detectionThresholdEps Specifies the attack detection threshold in PPS for the configured attack type. The default value is 4294967295.
detectionThresholdPercentage Specifies the attack detection percentage increase for the configured attack type. The default value is 4294967295.
rateLimit Specifies the rate limit in PPS for the configured attack. The default value is 4294967295.

vectors.dnsFloodVectors.commonConfigVectors

Parameter Description
vectorType The type of DNS Flood Vector: dns-aaaa-query. Refer to F5BigDdosPolicy Reference for a full list.
state Specifies the response to a vector match: detection-only (default) or mitigation. To disable the vector, delete the custom resource.
detectionThresholdEps Specifies the attack detection threshold in EPS for the configured attack type. The default value is 4294967295.
rateLimit Specifies the rate limit in EPS for the configured attack. The default value is 4294967295.

CR Example

apiVersion: "dos.k8s.f5net.com/v1"
kind: F5BigDdosPolicy
metadata:
  name: "cnf-dns-ddos"
  namespace: "cnf-gateway"
hslPublisher: "cnf-hsl-pub"
vectors:
  floodVectors:
    commonConfigVectors:
    - vectorType: "ipv6-frag-flood"
      state: "detection-only"
      detectionThresholdEps: 1111
      detectionThresholdPercentage: 11
      rateLimit: 10
  dnsFloodVectors:
    commonConfigVectors:
    - vectorType: "dns-aaaa-query"
      state: "detection-only"
      rateLimit: 111
      perDstIpLimitEps: 111111
allowList:
  sourceAddressList: "outbound-nat"
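The tables above define the vector parameters individually; the following model, added here as an illustration and not part of this document's CR or of TMM's own detection code, shows how state, detectionThresholdEps, detectionThresholdPercentage and rateLimit fit together for the ipv6-frag-flood vector of the example. Two points are assumptions of the model rather than documented TMM behaviour: the percentage test is measured against the mean rate of earlier seconds that were not flagged, and the rate limit is applied only while an attack is detected. The default value 4294967295 is taken from the tables and is effectively "never reached".

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import List, Optional

# Documented default for the threshold and rateLimit parameters; in practice it means
# "never reached", so a vector left at the defaults detects nothing.
UNSET = 4294967295


@dataclass
class Vector:
    """One commonConfigVectors entry; attribute names mirror the CR fields."""
    vector_type: str
    state: str = "detection-only"                # "detection-only" or "mitigation"
    detection_threshold_eps: int = UNSET         # detectionThresholdEps (PPS/EPS)
    detection_threshold_percentage: int = UNSET  # detectionThresholdPercentage
    rate_limit: int = UNSET                      # rateLimit (PPS/EPS)


@dataclass
class Verdict:
    second: int
    observed_eps: int
    baseline_eps: Optional[float]
    attack_detected: bool
    reasons: List[str] = field(default_factory=list)
    dropped: int = 0


def evaluate_second(vector: Vector, observed_eps: int,
                    baseline_eps: Optional[float], second: int) -> Verdict:
    """Apply the two detection tests, then (model assumption) the rate limit only
    while an attack is in progress and only if the vector is in 'mitigation' state."""
    reasons = []
    if observed_eps > vector.detection_threshold_eps:
        reasons.append(f"{observed_eps} > detectionThresholdEps {vector.detection_threshold_eps}")
    if vector.detection_threshold_percentage != UNSET and baseline_eps is not None:
        ceiling = baseline_eps * (1 + vector.detection_threshold_percentage / 100)
        if observed_eps > ceiling:
            reasons.append(f"{observed_eps} > baseline {baseline_eps:.0f} "
                           f"+{vector.detection_threshold_percentage}%")
    detected = bool(reasons)
    dropped = 0
    if detected and vector.state == "mitigation" and observed_eps > vector.rate_limit:
        dropped = observed_eps - vector.rate_limit   # detection-only never drops
    return Verdict(second, observed_eps, baseline_eps, detected, reasons, dropped)


def simulate(vector: Vector, per_second_counts: List[int]) -> List[Verdict]:
    """Run a vector over per-second event counts. The baseline for the percentage
    test is the mean of earlier seconds that were not flagged (model assumption)."""
    verdicts, clean = [], []
    for second, count in enumerate(per_second_counts):
        baseline = mean(clean) if clean else None
        verdict = evaluate_second(vector, count, baseline, second)
        verdicts.append(verdict)
        if not verdict.attack_detected:
            clean.append(count)
    return verdicts


# Constructed traffic: three quiet seconds, a small bump, then a flood.
FRAG_FLOOD_TRAFFIC = [100, 100, 100, 120, 2000]

# The example's ipv6-frag-flood vector, once as configured and once switched to mitigation.
FRAG_DETECT = Vector("ipv6-frag-flood", "detection-only", 1111, 11, 10)
FRAG_MITIGATE = Vector("ipv6-frag-flood", "mitigation", 1111, 11, 10)

if __name__ == "__main__":
    for vec in (FRAG_DETECT, FRAG_MITIGATE):
        print(f"--- {vec.vector_type} ({vec.state})")
        for v in simulate(vec, FRAG_FLOOD_TRAFFIC):
            flag = "ATTACK" if v.attack_detected else "ok"
            print(f"t={v.second} eps={v.observed_eps:>5} {flag:6} "
                  f"dropped={v.dropped:>5} {'; '.join(v.reasons)}")
```

Running the model shows why the example is safe to deploy first: with state set to detection-only the bump at t=3 (120 eps, above the 11% margin over the 100 eps baseline) and the flood at t=4 (above both thresholds) are reported but nothing is dropped; the same vector in mitigation state would enforce the rateLimit of 10 and drop 1990 of the 2000 flood packets. A vector left at the default 4294967295 values never triggers at all.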

CR shortName

CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigDdosPolicy CR shortName is ddos.

View CR instance:

oc get ddos -n <namespace>

View CR configuration:

oc get ddos -n <namespace> -o yaml

Address lists

The F5BigCneAddresslist CR defines lists of IP addresses that can be referenced by the F5BigDdosPolicy CR.

Example:

apiVersion: "k8s.f5net.com/v1"
kind: F5BigCneAddresslist
metadata:
  name: "outbound-nat"
  namespace: "cnf-gateway"
spec:
  addresses:
  - "2002::33:22-2002::33:50"
  - "2003::/64"
  - "2004::1"
  - "192.168.1.0-192.168.1.10"
  - "10.10.10.0/24"
  - "192.168.2.1"

Multiple TMM Proxy Pods

When DoS/DDoS attacks are detected, each attack is identified by a unique attack identifier (attack-ID). To share attack-IDs across multiple TMM Proxy Pods and avoid duplicate attack-ID entries, the dSSM Database must be installed. The first TMM Proxy Pod to detect an attack stores the attack-ID in the dSSM database, and the TMM Proxy Pod replicas then check the dSSM database before creating any new attack-IDs.

Requirements

Ensure you have:

Installation

Use these steps to install the example F5BigDdosPolicy CR, and the optional CNFs CRs. Each step offers a brief description of the example CR.

Tip: Open a second shell to view the CNFs Event Logs while installing.

  1. Optional: The example F5BigLogHslpub CR specifies a remote server with IP/port [2002::10:30:2:220]:514 and the udp protocol. Copy and paste the example into a YAML file:

    Note: The F5BigLogHslpub CR will be referenced by the F5BigDdosPolicy.

    apiVersion: k8s.f5net.com/v1
    kind: F5BigLogHslpub
    metadata:
      name: "cnf-hsl-pub"
      namespace: "cnf-gateway"
    spec:
      pool:
      - name: "cnf-hslpool"
        endpoint:
        - "[2002::10:30:2:220]:514"
      syslog:
      - name: "syslog-dest"
        format: "rfc5424"
        protocol: "udp"
        pool: "cnf-hslpool"
    
  2. Install the F5BigLogHslpub CR:

    oc apply -f cnf-hsl-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigLogHslpub CR was added/updated:

    I0202 12:00:00.12347   1 event.go:282 Event(v1.ObjectReference{Kind:"F5Hslpub",
    F5Hslpub cnf-gateway/cnf-hsl-pub was added/updated
    
  3. The example F5BigCneAddresslist specifies a range 2002::33:22-2002::33:50, and a subnet 2003::/64 of IPv6 addresses. Copy and paste the example into a YAML file:

    Note: The F5BigCneAddresslist CR will be referenced by the F5BigDdosPolicy CR.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigCneAddresslist
    metadata:
      name: "outbound-nat"
      namespace: "cnf-gateway"
    spec:
      addresses:
       - "2002::33:22-2002::33:50"
       - "2003::/64"
       - "2004::1"
       - "192.168.1.0-192.168.1.10"
       - "10.10.10.0/24"
       - "192.168.2.1"
    
  4. Install the F5BigCneAddresslist CR:

    oc apply -f cnf-address-list.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigCneAddresslist CR was added/updated:

    I0208 12:00:00:12345   1 event.go:282] Event(v1.ObjectReference{Kind:"F5AddressList", 
    F5AddressListProfile cnf-gateway/outbound-nat was added/updated
    
  5. The example F5BigDdosPolicy targets ipv6-frag-flood and dns-aaaa-query attacks with state: detection-only (events are detected and reported; set state: mitigation to enforce the rate limits), and excludes the F5BigCneAddresslist IPs from the policy. Copy and paste the example into a YAML file:

    apiVersion: "dos.k8s.f5net.com/v1"
    kind: F5BigDdosPolicy
    metadata:
      name: "cnf-dns-ddos"
      namespace: "cnf-gateway"
    hslPublisher: "cnf-hsl-pub"
    vectors:
      floodVectors:
        commonConfigVectors:
        - vectorType: "ipv6-frag-flood"
          state: "detection-only"
          detectionThresholdEps: 1111
          detectionThresholdPercentage: 11
          rateLimit: 10
      dnsFloodVectors:
        commonConfigVectors:
        - vectorType: "dns-aaaa-query"
          state: "detection-only"
          rateLimit: 111
          perDstIpLimitEps: 111111
    allowList:
      sourceAddressList: "outbound-nat"
    
  6. Install the F5BigDdosPolicy CR:

    oc apply -f cnf-ddos-cr.yaml -n cnf-gateway
    

    In this example, the BIG-IP Controller logs indicate the F5BigDdosPolicy CR was added/updated:

    I0208 12:00:00:12345   1 event.go:282] Event(v1.ObjectReference{Kind:"F5Dos", 
    F5Dos cnf-gateway/cnf-dns-ddos was added/updated
    
  7. The F5BigDdosPolicy will inspect all application traffic processed by the TMM Proxy Pod. Continue to the Additional CRs and DoS/DDoS Statistics sections.

Additional CRs

To begin DoS/DDoS detection and mitigation, install one of the Traffic Management CNFs CRs.

DoS/DDoS Statistics

Use the steps below to verify the F5BigDdosPolicy CR DoS/DDoS statistics:

  1. Connect to the debug sidecar:

    oc exec -it deploy/f5-tmm -c debug -n <namespace> -- bash
    

    In this example, the debug sidecar is in the cnf-gateway Namespace:

    oc exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
    
  2. Verify the DoS/DDoS statistics:

    tmctl -d /var/tmstat/blade dos_stat -s context_name,vector_name,profile_name,protocol_type,status,attack_detected,attack_count,drops
    
    context_name vector_name profile_name              protocol_type status
    ------------ ----------- ------------------------- ------------- ------
    Device       L3/4 BDoS                             L4 BDoS       Ready
    Device       UDP flood   /Common/dos-device-config Device        Ready
    
    attack_detected attack_count drops
    --------------- ------------ -----
                  0            0     0
                  1            2  8523
    
    context_name vector_name                     profile_name
    ------------ ------------------------------- -------------------------
    Device       L3/4 BDoS
    Device       DNS A Query                     /Common/dos-device-config
    Device       IPv6 fragment flood             /Common/dos-device-config
    Device       IPv6 too many extension headers /Common/dos-device-config
    Device       DNS AAAA Query                  /Common/dos-device-config
    
    protocol_type status attack_detected attack_count  drops
    ------------- ------ --------------- ------------- -----
    L4 BDoS       Ready                0            0      0
    Device        Ready                0            0      0
    Device        Ready                3            4  18523
    Device        Ready                0            0      0
    Device        Ready                0            0      0
    
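tmctl wraps a wide dos_stat table into several column groups separated by a blank line, as the output above shows, so row N of every group describes the same vector. The parser below, added here as an illustration and not part of this document or of tmctl, rebuilds one record per vector from that wrapped layout and lists the vectors that currently have attack_detected or drops above zero, which is the check to run after installing the policy. The embedded sample is constructed to mirror the page's second output (same vectors and counters); column boundaries are taken from the dash ruler line rather than from whitespace, because vector names such as "L3/4 BDoS" contain spaces and profile_name may be empty.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the page's
#   tmctl -d /var/tmstat/blade dos_stat -s context_name,vector_name,profile_name,...
# output: two column groups, five vectors, one of them under attack.
SAMPLE_DOS_STAT = """\
context_name vector_name                     profile_name
------------ ------------------------------- -------------------------
Device       L3/4 BDoS
Device       DNS A Query                     /Common/dos-device-config
Device       IPv6 fragment flood             /Common/dos-device-config
Device       IPv6 too many extension headers /Common/dos-device-config
Device       DNS AAAA Query                  /Common/dos-device-config

protocol_type status attack_detected attack_count  drops
------------- ------ --------------- ------------- -----
L4 BDoS       Ready                0            0      0
Device        Ready                0            0      0
Device        Ready                3            4  18523
Device        Ready                0            0      0
Device        Ready                0            0      0
"""

COUNTERS = ("attack_detected", "attack_count", "drops")


def _column_spans(ruler: str):
    """Each run of dashes in the ruler line starts a column; a column ends where the next begins."""
    starts = [m.start() for m in re.finditer(r"-+", ruler)]
    return list(zip(starts, starts[1:] + [None]))


def parse_dos_stat(text: str) -> List[Dict]:
    """Merge the wrapped column groups of one tmctl table into one dict per row."""
    groups = [g for g in re.split(r"\n[ \t]*\n", text.strip("\n")) if g.strip()]
    records = None
    for group in groups:
        lines = group.splitlines()
        header, ruler, rows = lines[0], lines[1], lines[2:]
        spans = _column_spans(ruler)
        names = [header[s:e].strip() for s, e in spans]
        parsed = [{n: row[s:e].strip() for n, (s, e) in zip(names, spans)} for row in rows]
        if records is None:
            records = parsed
        elif len(parsed) != len(records):
            raise ValueError("column groups have different row counts; not one wrapped table")
        else:
            for rec, more in zip(records, parsed):
                rec.update(more)
    records = records or []
    for rec in records:  # counters become ints; anything non-numeric is left as text
        for key in COUNTERS:
            if key in rec and rec[key].isdigit():
                rec[key] = int(rec[key])
    return records


def _counter(rec: Dict, key: str) -> int:
    value = rec.get(key, 0)
    return value if isinstance(value, int) else 0


def active_attacks(records: List[Dict]) -> List[Dict]:
    """Vectors worth an operator's attention: an attack is flagged or packets are being dropped."""
    return [r for r in records if _counter(r, "attack_detected") > 0 or _counter(r, "drops") > 0]


if __name__ == "__main__":
    recs = parse_dos_stat(SAMPLE_DOS_STAT)
    for r in active_attacks(recs):
        print(f"{r['vector_name']!r}: attack_detected={r['attack_detected']} "
              f"attack_count={r['attack_count']} drops={r['drops']} profile={r['profile_name']}")
```

In a live deployment the text would come from running the page's tmctl command inside the debug sidecar; the same function can be fed the captured output on a schedule to turn the statistics into an alert rather than something read by eye. With the example F5BigDdosPolicy in detection-only state, a non-zero attack_detected with drops staying at zero is the expected shape of a detected-but-not-mitigated event.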

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.