Lab 4 - Multi-vector Demo

In this simple demo you will launch a small number of network attacks and show the configuration, logging and reporting capabilities of the Hybrid Defender. The point of this demo is to provide context for a UI walkthrough with some live data.

Task 1 - Access DoS Quick Configuration and display the ServerNet protected object

This protected object is defending all ports/protocols for 10.1.20.0/24, which is the network behind the Hybrid Defender. Attacks will be launched at 10.1.20.12, which is an interface on the LAMP server. Verify that the following vectors are configured:

image35

Launch the attacks and show the behavior

  • Open the following tabs in the DHD UI:

  • DoS Protection->Quick Configuration->ServerNet

  • Security->DoS Protection->DoS Overview (leave the filter at default: ’DoS Attack’)

  • Statistics->DoS Visibility

  • Access the Attacker System CLI and run the attack

    # cd ~/scripts
    # sudo bash
    # ./multivector.sh
    
    • Click Refresh on the DoS Overview page. You will see some attacks mitigated by Device Configuration and some mitigated by the more specific settings on the ServerNet Protected Object.

    image36

Navigate to Security->Event Logs->DoS->Network->Events.

  • Click on “custom search…” link.

  • Drag one of the values from the “Attack Type” column into the custom search builder. From the Action column, drag Drop into the search builder. Click “Search”.

    image37

  • Further explore the DoS Event logs as needed for your demo. For example, clear the search and identify the “Stop” and “Start” times for an attack, etc.

  • In the Hybrid Defender WebUI, access the DoS Visibility reporting tool at Statistics->DoS Visibility.

Note

DoS Visibility is a reporting tool, not a real-time monitoring tool. Events are displayed, much like other AVR-based reporting, in 5 minute windows. Do not expect events to be shown here immediately after running an attack. Be aware of this timing when doing a demo. Quicker/real-time monitoring of on-going DoS attacks is best accomplished in the DoS Event Logs and DoS Overview areas of the WebUI

  • You should see the attacks in the timeline and a variety of details in the windows. Use the slider to shorten the timeframe if needed, and click the Network filter, to focus on L4 activities.

    image38

    Note

    that you can select events from the timeline and see details about the attacks

    image39

  • Log in to Silverline at https://portal.f5silverline.com.

  • Navigate to Monitor and Analyze > Stats > Hybrid Device. Locate your device and explore the interface.