Lab - Configure Hybrid Defender Flood Protections

This lab teachs you on how to configure DoS protection for common network-level DoS vectors.

Configure Protected Object-Level IPv4 Flood DHD DoS Protection

Configure object-level IPv4 ICMP flood protection, and then issue an ICMP DoS flood and review the results.

1. On the Protect Objects page, in the Protected Objects section click Create.

2. Configure a protected object using the following information, and then click Create:

   Name:	ServerNet
   IP Address:	10.1.20.0/24
   Port:	any
   Protocol	All Protocols
   Protec. Settings Action:	Advertise All
   Protec. Settings DDoS:	IPv4

3. In the IPv4 row click the + icon, and then click ICMPv4 flood

4. On the right-side of the page configure using the following information, and then click Create.

   Detection Threshold PPS:	Specify: 1000
   Detection Threshold Percent:	Infinite
   Rate/Leak Limit:	Specify: 1000

   Important

   From now on, make sure you have an always-on terminal session with both the attacker and LAMP servers. Let them running the bmon utility, or a tcpdump. Those will provide instant and detailed visibility of the ammount of packets comming in/out of both virtual machines.

5. From the attacker terminal session launch an ICMPv4 DoS attack using the Pentmenu tool (Options 2, 1) as follows:

   target IP/hostname:	server1
   source IP:	r[random]

6. Check out the LAMP terminal session and observe how many ICMP packets are hitting this server.

7. Before moving on, wait the attack to run for about 30 seconds or so

8. In the Configuration Utility go to Security-> DoS Protection-> DoS Overview. You should be able to see the DHD stopping the Attack.

   

9. Now stop the Attack with Ctrl + C.

10. Open the Security-> Event Logs-> DoS-> Network-> Events page.

    The DoS Source is Volumetric, Aggregated across all SrcIP’s, VS-Specific attack, metric:PPS.

    • The virtual server column displays /Common/ServerNet, identifying this is a protected object.
    • The type is ICMPv4 flood.
    • The action is Drop.

11. Now check out the Security-> Event Logs-> DoS-> Network-> Events Page.

    

12. The DHD was able to detect the moment the attack started and stopped, along with all volumetric info.

Configure Protected Object-Level UDP Flood Attack Protection

Configure object-level DoS UDP flood protection, and then issue an UPD flood and review the results.

1. From the attacker terminal session launch an UDP flood attack using the Pentmenu tool (Options 2, 7) as follows:

   target IP/hostname:	server2
   target port (defaults to 80):	default [ENTER]
   random string (data to send):	F5Agility2018
   source IP:	r[random]

2. Let the attack run for about 30 seconds before moving on.

3. In the Configuration Utility, open the Statistics-> Performance-> Performance page. There is a spike in connections and throughput. The BIG-IP system is being hit with the UDP flood attack.

   

4. Open the DoS Protection-> Quick Configuration page and in the Protected Objects section click ServerNet.

5. In the DDoS Settings row click the UDP checkbox. In the UDP row click the + icon, and then click UDP Flood.

6. On the right-side of the page configure using the following information, and then click Update.

   Detection Threshold PPS:	Specify: 1000
   Detection Threshold Percent:	Infinite
   Rate/Leak Limit:	Specify: 3000

7. From the Attacker terminal session launch a new UDP flood attack using the same options and values as previously in this task.

8. Let the attack run for about 30 seconds before moving on.

9. In the Configuration Utility, click Security-> DoS Protection-> DoS Overview. You should be able to see the DHD stopping the DNS Attack.

   

10. Now stop the Attack with Ctrl + C.

11. Open the Security-> Event Logs-> DoS-> Network-> Events page.

    • In one minute or so, the virtual server column displays /Common/ServerNet, identifying this is protected object.
    • The type is UDP flood.
    • The action is Drop.

    

Configure Bad Actor Detection

Add bad actor detection for the UDP flood protection

1. In the Configuration Utility, open the DoS Protection-> Quick Configuration page and in the Protected Objects section click ServerNet.

2. In the UDP row click the + icon, and then click UDP Flood.

3. On the right-side of the page configure using the following information, and then click Update.

   Bad Actor Detection:	Yes (selected)
   Per Source IP Detection (PPS):	Specify: 100
   Per Source IP Rate Limit (PPS):	Specify: 30
   Blacklist Attacking Address:	Yes (selected)
   Detection Time:	30
   Duration:	60

4. From the attacker virtual machine launch an UDP flood attack using a single IP address [Pentmenu tool - Options 2, 7]:

   target IP/hostname:	server4
   target port (defaults to 80):	53
   random string (data to send):	F5Agility2018
   source IP:	i[interface]

5. Let the attack run for like 30s seconds before moving on.

6. Stop the attack with Ctrl + C.

7. Now try to ping the server4. Try to ping the same address from the goodclient virtual machine. Does it work ???

8. Stop the Attack with Ctrl + C and move to the next exercise.

Configure Protected Object-Based Sweep Protection

1. In the Configuration Utility, open the DoS Protection-> Quick Configuration page and in the Protected Objects section click ServerNet.

2. In the DDoS Settings row click the Sweep checkbox.

3. In the Sweep row click the + icon, and then click Sweep.

4. On the right-side of the page configure using the following information, and then click Update.

   Detection Threshold PPS:	Specify: 1000
   Rate/Leak Limit:	Specify: 3000
   Packet Types:	Move All IPv4 to the Selected field

5. On the attacker machine type (or copy and paste) the following command:

   sudo ./sweep.sh

6. Let the attack run for like 30s seconds before moving on.

7. Stop the attack with Ctrl + C.

8. In the Configuration Utility, click Security-> DoS Protection-> DoS Overview. You should be able to see the DHD stopping the Sweep attack.

   

Check out the DoS Visibility Page

1. Use the DoS Visibility page to view statistics about the DoS attacks you submitted during this exercise.

   

2. Mouse over several of the attacks to get additional details of each attack.

3. Scroll down in the left-side of the page to view the Attacks section.

4. You can see the number of high, moderate, and low attacks in addition to the types of attacks (HTTP, ICMP, etc.) and the severity levels.

Check out the Silverline Portal

Use the Silverline portal to view details about the attacks launched in this exercise.

1. Access the Silverline Portal https://portal.f5silverline.com

2. Open the Audit-> API Activity log page.

3. Enter the hostname of your DHD device in the Search field and then check out the activity your Hybrid Defender device has reported back to the Silverline Scrubing Center.