Global DDoS

Overview

The GlobalDDoS Custom Resource Definition (CRD) configures the Traffic Management Microkernel (TMM) Proxy Pod to protect applications and the TMM Pod itself from Denial of Service / Distributed Denial of Service (DoS/DDoS) attacks. Using custom packet signatures, the Global DDoS inspects all application traffic processed by the TMM Proxy Pod to detect, report and/or mitigate DoS/DDoS events.

This document guides you through understanding, configuring and installing a simple GlobalDDoS CRD.

CR Parameters

The tables below describe the Global DDoS parameters and sections used in this document. For the full list of parameters, refer to the GlobalDDoS Reference.

hslPublisher

Parameter     Description
hslPublisher  Specifies the endpoint logging server that receives logging messages. References the F5BigLogHslpub CR by its metadata.name parameter.

allowList

Allows you to exclude specific types of traffic from DDoS mitigations.

Parameter  Description
allowList  Specifies the F5BigCneAddresslist, by metadata.name, containing the source IP addresses to exclude from DDoS detection/mitigation.

vectors

DDoS attack vectors are the methods or techniques used by attackers to carry out a Distributed Denial of Service (DDoS) attack.

Parameter  Description
vectors    Specifies the type of vector to detect and mitigate. Refer to the GlobalDDoS Reference for a full list.

CR Example for Global DDoS

apiVersion: "k8s.f5net.com/v1"
kind: F5BigDdosGlobal
metadata:
  name: "cnf-dns-ddos"
  namespace: "cnf-gateway"
spec:
  hslPublisher: "cnf-hsl-pub"
  allowList:
    srcAddressList: "outbound-nat"

CR shortName

CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The Global DDoS CR shortName is ddos.

View CR instance:

kubectl get ddos -n <namespace>

View CR configuration:

kubectl get ddos -n <namespace> -o yaml

Multiple TMM Proxy Pods

When DoS/DDoS attacks are detected, each attack is identified by a unique attack identifier (attack-ID). To share the attack-ID across multiple TMM Proxy Pods and avoid duplicate attack-ID entries, the dSSM Database must be installed. The first TMM Proxy Pod to detect an attack stores the attack-ID in the dSSM database, and the TMM Proxy Pod replicas then check the dSSM database before creating any new attack-IDs.

Requirements

Ensure you have:

Installation

Use these steps to install the example Global DDoS CR, and the optional CNFs CRs. Each step offers a brief description of the example CR.

Tip: Open a second shell to view the CNFs Event Logs while installing.

  1. Optional: The example F5BigLogHslpub CR specifies a remote server with IP/port [2002::10:30:2:220]:514 and the udp protocol. Copy and paste the example into a YAML file:

    Note: The F5BigLogHslpub CR will be referenced by the Global DDoS.

    apiVersion: k8s.f5net.com/v1
    kind: F5BigLogHslpub
    metadata:
      name: "cnf-hsl-pub"
      namespace: "cnf-gateway"
    spec:
      pool:
      - name: "cnf-hslpool"
        endpoint:
        - "[2002::10:30:2:220]:514"
      syslog:
      - name: "syslog-dest"
        format: "rfc5424"
        protocol: "udp"
        pool: "cnf-hslpool"
    
  2. Install the F5BigLogHslpub CR:

    kubectl apply -f cnf-hsl-cr.yaml
    
  3. Install the F5BigCneAddresslist CR:

    kubectl apply -f cnf-address-list.yaml
    
  4. The example F5BigCneAddresslist specifies the IP addresses 2002::192:168:10:1 and 192.168.10.1. Copy and paste the example into a YAML file:

    Note: The F5BigCneAddresslist CR defines lists of IP addresses that can be referenced by the Global DDoS CR. The Global DDoS supports individual IP addresses only; IP ranges and prefixes are not supported.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigCneAddresslist
    metadata:
      name: "outbound-nat"
      namespace: "cnf-gateway"
    spec:
      addresses:
      - "2002::192:168:10:1"
      - "192.168.10.1"
    
  5. The example mitigates ipv6-frag-flood and dns-aaaa-query attacks, and excludes the F5BigCneAddresslist IPs from the policy. Copy and paste the example into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigDdosGlobal
    metadata:
      name: "cnf-dns-ddos"
      namespace: "cnf-gateway"
    spec:
      hslPublisher: "cnf-hsl-pub"
      vectors:
        ipv6FragFlood:
          state: "mitigation"
          rateLimit: 200
          perSrcIpDetectionEps: 100
        dnsAaaaQuery:
          state: "detection-only"
          detectionThresholdEps: 100
      allowList:
        srcAddressList: "outbound-nat"
    
  6. Install the Global DDoS CR:

    kubectl apply -f cnf-ddos-cr.yaml -n cnf-gateway
    

    In this example, the BIG-IP Controller logs indicate the Global DDoS CR was added/updated:

    I0208 12:00:00:12345   1 event.go:282] Event(v1.ObjectReference{Kind:"F5Dos", 
    F5Dos cnf-gateway/cnf-dns-ddos was added/updated
    
  7. Verify the Global DDoS status.

    kubectl get f5-big-ddos-globals.k8s.f5net.com
    
  8. The Global DDoS will inspect all application traffic processed by the TMM Proxy Pod. Continue to the Additional CRs and DoS/DDoS Statistics sections.
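
The Global DDoS CR above only works if its hslPublisher and allowList.srcAddressList references resolve to a F5BigLogHslpub and a F5BigCneAddresslist in the same namespace, and the address list must contain single IP addresses rather than ranges or prefixes. The following Python pre-apply check is added here as an example and is not part of the CNFs product or its documentation; the sample CRs are the page's examples rendered as the dictionaries yaml.safe_load() would return, and check_ddos_cr and _by_name are names chosen for this example.

```python
import ipaddress

# Constructed sample CRs in the shape yaml.safe_load() gives for the YAML
# above; names and namespaces follow the page's example (assumed values).
HSLPUB = {"kind": "F5BigLogHslpub",
          "metadata": {"name": "cnf-hsl-pub", "namespace": "cnf-gateway"}}
ADDRLIST = {"kind": "F5BigCneAddresslist",
            "metadata": {"name": "outbound-nat", "namespace": "cnf-gateway"},
            "spec": {"addresses": ["2002::192:168:10:1", "192.168.10.1"]}}
DDOS = {"kind": "F5BigDdosGlobal",
        "metadata": {"name": "cnf-dns-ddos", "namespace": "cnf-gateway"},
        "spec": {"hslPublisher": "cnf-hsl-pub",
                 "allowList": {"srcAddressList": "outbound-nat"}}}


def _by_name(crs, kind, namespace):
    """Index the CRs of one kind in one namespace by metadata.name."""
    return {cr["metadata"]["name"]: cr for cr in crs
            if cr.get("kind") == kind
            and cr.get("metadata", {}).get("namespace") == namespace}


def check_ddos_cr(ddos, other_crs):
    """Return the problems found in a GlobalDDoS CR (empty list means OK).

    Checks that name/namespace sit under metadata (not spec), that the
    hslPublisher and allowList.srcAddressList references resolve to CRs of
    the right kind in the same namespace, and that the referenced address
    list holds single IP addresses only (ranges/prefixes are unsupported).
    """
    problems = []
    meta = ddos.get("metadata") or {}
    spec = ddos.get("spec") or {}
    ns = meta.get("namespace")
    if not meta.get("name") or not ns:
        return ["metadata.name and metadata.namespace are required"]
    hsl = spec.get("hslPublisher")
    if hsl and hsl not in _by_name(other_crs, "F5BigLogHslpub", ns):
        problems.append(f"hslPublisher {hsl!r} not found in {ns}")
    src = (spec.get("allowList") or {}).get("srcAddressList")
    if src:
        lists = _by_name(other_crs, "F5BigCneAddresslist", ns)
        if src not in lists:
            problems.append(f"allowList.srcAddressList {src!r} not found in {ns}")
        for addr in lists.get(src, {}).get("spec", {}).get("addresses", []):
            try:
                ipaddress.ip_address(addr)  # rejects "10.0.0.0/24" or "a-b" ranges
            except ValueError:
                problems.append(f"{src}: {addr!r} is not a single IP address")
    return problems
```

Run it over the parsed YAML of all three CRs before kubectl apply; an empty list means the references and addresses are consistent.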

Additional CRs

To begin DoS/DDoS detection and mitigation, install one of the Traffic Management CNFs CRs.

DoS/DDoS Statistics

Use the steps below to verify the Global DDoS CR DoS/DDoS statistics:

  1. Connect to the debug sidecar:

    kubectl exec -it deploy/f5-tmm -c debug -n <namespace> -- bash
    

    In this example, the debug sidecar is in the cnf-gateway Namespace:

    kubectl exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
    
  2. Verify the DoS/DDoS statistics:

    tmctl -f /var/tmstat/blade dos_stat -s context_name,vector_name,profile_name,protocol_type,status,attack_detected,attack_count,drops
    
    context_name vector_name         profile_name        protocol_type status   attack_detected attack_count drops
    ------------ ------------------- ------------------- ------------- -------- --------------- ------------ -----
    Device       L3/4 BDoS                               L4 BDoS       Ready                  0            0     0
    Device       DNS AAAA Query      cnf-dns-ddos-global Device        Learning               0            0     0
    Device       IPv6 fragment flood cnf-dns-ddos-global Device        Learning               0            0     0
    
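
The dos_stat table is fixed-width, with vector names that contain spaces and an empty profile_name for the built-in BDoS vector, so splitting on whitespace misparses it. The Python parser below is an added example, not part of the CNFs product or the page: it takes the column boundaries from the dash ruler and reports vectors whose attack_detected flag or drop counter is non-zero. The sample output is constructed here in the same column layout as the command above; the non-zero DNS AAAA Query counters are invented to show a vector that has fired.

```python
# Constructed sample of `tmctl ... dos_stat` output, one wide row per vector,
# in the column layout of the command above (counters for DNS AAAA Query
# are invented for this example).
SAMPLE = """\
context_name vector_name         profile_name        protocol_type status   attack_detected attack_count drops
------------ ------------------- ------------------- ------------- -------- --------------- ------------ -----
Device       L3/4 BDoS                               L4 BDoS       Ready                  0            0     0
Device       DNS AAAA Query      cnf-dns-ddos-global Device        Learning               1            3  1520
Device       IPv6 fragment flood cnf-dns-ddos-global Device        Learning               0            0     0
"""


def parse_dos_stat(text):
    """Parse tmctl's fixed-width table into a list of {column: value} dicts.

    Column boundaries are read from the dash ruler under the header, so
    values containing spaces (vector names) and empty cells (profile_name
    for the built-in BDoS vector) land in the right column.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, ruler, rows = lines[0], lines[1], lines[2:]
    spans, start = [], None
    for i, ch in enumerate(ruler + " "):  # trailing space closes the last run
        if ch == "-" and start is None:
            start = i
        elif ch != "-" and start is not None:
            spans.append((start, i))
            start = None
    names = [header[a:b].strip() for a, b in spans]
    parsed = []
    for row in rows:
        # Slice every column by its ruler span; the last column runs to end of line.
        cells = [row[a:b].strip() for a, b in spans[:-1]]
        cells.append(row[spans[-1][0]:].strip())
        parsed.append(dict(zip(names, cells)))
    return parsed


def firing_vectors(text):
    """Names of vectors whose attack_detected flag or drop counter is non-zero."""
    return [r["vector_name"] for r in parse_dos_stat(text)
            if r["attack_detected"] != "0" or r["drops"] != "0"]
```

Feeding the live tmctl output from the debug sidecar into firing_vectors gives a quick list of which configured vectors (here dnsAaaaQuery and ipv6FragFlood) are currently seeing attack traffic.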

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.