Follow

What is Filtering and Mitigation Order for Incoming Routed Traffic for DDoS Customers?

 

Description

  • What is DDoS Routed Customer Traffic Filtering Order?
  • What is the order of filters and mitigations that DDoS Routed incoming traffic hits?

For customers using Proxy Services, refer to What is Filtering and Mitigation Order for Incoming Proxy Traffic?

 

Environment

  • Silverline DDoS
  • Routed DDoS

 

Answer

For DDoS Routed incoming traffic, this is the order that the traffic hits filters and mitigations:

 

1. Predefined Perimeter Filtering

  • Predefined firewall rules in place to sift through customer inbound traffic in scrubbing centers.
  • Firewall rules are enforced at the perimeter layer before traffic is allowed for further inspection.
    • Picture1.png
  • By default, configuration rules are crafted for each customer. 

For more details on this, refer to these KB articles:

 

2. Customer Defined Perimeter Filtering

In the portal, customers can choose to either block traffic (Denylist) or completely bypass inspection (Allowlist) based on source IP. These customer defined rules are also enforced at the perimeter.

For more details on this, refer to these KB articles:

 

3. F5 Silverline Mitigation Process

Traffic then passed through the mitigation layer before it is handed to Customer VRF.

  • Attack traffic is scrutinized and countermeasures are applied
  • Depending on the attack, cleaning the traffic can be performed by a specific device or can be a combination of multiple devices
  • Traffic is mitigated in F5 Silverline Scrubbing Center
    • Picture7.png
  • Examples of countermeasures used:
    • Countermeasure

      Description

      Invalid Packets

      Packets that are not RFC compliant.

      IPv4 Black/White Lists

      List of IPs to drop or pass traffic without further inspection.

      TCP SYN Authentication

      Intercepts and authenticates inbound TCP connections to the protected hosts.

      DNS Authentication

      Authenticates DNS requests and drops the requests that cannot be authenticated

      Payload Regular Expression

      Allows mitigation to drop malicious TCP or UDP traffic in any packet type.

      HTTP Malformed

      Drops HTTP traffic that does not conform to the RFC standards.

 

 

4. Customer Attachment Point Default filter:

F5 Silverline Routed Service make use of GRE or direct connection via L2VPN which serves as customer attachment point (CAP).

  • This is where we hand over clean traffic back to the customer. 
  • By default, we have a crafted filter in the CAP facing the customer as a last line of blocking (Figure 8).
    • Figure 8: Customer VRF Filtering PointPicture8.png

Default filtering applied at CAP

  • Allows GRE communication for customer’s endpoints
  • Allows BGP communication for customer’s endpoints
  • Allows ICMP
  • Sets Rate-limit to contracted value
  • Allow all communication

 

 

 

 

5. Customer Attachment Point Customer Defined Filter:

Using the portal, customers have the option to enforce firewall rules at the CAP.

 

Customer Attachment Point Customer Defined Filter – IP Denylist

IP Denylists feature takes the customer defined source IP and drops it at the Customer VRF (diagram below).

 

Picture10.png

 

Customer Attachment Point Customer Defined Filter – Firewall Filter

This feature gives customer a granular control to craft a customer filter to fit their need using different parameters such as Source/Destination IP, Protocols, Ports and Action.

For more details on this, refer to these KB articles:

 

Related Content

Related Silverline Order of Protection Articles:

Additional

 

 

Was this article helpful?
5 out of 6 found this helpful
Have more questions? Submit a request