
Article 3 - How to Configure Hybrid Signaling DoS Monitor iApp for Volumetric and L3/L4 DDoS Event Monitoring

This article is a part of Hybrid Signaling Series Articles:

 

Description

This article covers:

  • how an on-prem BIG-IP is configured via an iApp to detect possible volumetric attacks and other L3/L4 attacks
  • how the signal is sent and received by Silverline
  • the F5 Silverline SOC actions
  • some common troubleshooting steps. 

What is Hybrid Signaling DoS Monitor iApp?

The Hybrid Signaling DoS Monitor iApp can leverage detection mechanisms in several different BIG-IP modules. The iApp is also module-aware, and will present configuration options based on the modules that are provisioned.

There are 4 main configuration sections in the DoS Monitor iApp:

| DoS Monitor iApp Configuration Section | Requirements | Configuration KB Article |
|---|---|---|
| 1. Volumetric Attack Event Monitoring | Module-agnostic; only TMOS is required, any module will do | Discussed below |
| 2. AFM Attack Event Monitoring | Advanced Firewall Manager (AFM) | Discussed below |
| 3. ASM Violation Event Monitoring | Application Security Manager (ASM) | Article 4 - How to Configure Hybrid Signaling DoS Monitor iApp - ASM Bad Actors & Layer 7 DoS |
| 4. Layer 7 DoS Event Monitoring | Application Security Manager (ASM) | Article 4 - How to Configure Hybrid Signaling DoS Monitor iApp - ASM Bad Actors & Layer 7 DoS |

 

Volumetric Attack Event Monitoring

  1. The Hybrid Signaling DoS Monitor iApp builds components that monitor bits-per-second, on either an interface, VLAN, or Route Domain, and compares that bps value to the user-defined threshold.
  2. Once that threshold (a combination of a defined aggregate ingress bandwidth and a defined percentage) is exceeded, an "Attack Started / Rate Above Threshold" signal is sent to the F5 Silverline Cloud Platform.
  3. That signal (API Call) triggers action for the F5 SOC if the attack is longer than 5 minutes.
  4. Also, once the bits-per-second value falls below the configured threshold for 60 consecutive seconds, an "Attack Stopped / Rate Below Threshold" signal is sent to Silverline as well.
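The threshold and signaling logic described in the four steps above, as an added illustration (not the iApp's own iCall/Tcl code): a per-second bps sample is compared to aggregate bandwidth times percentage, an "Attack Started" signal fires on the first sample above it, and "Attack Stopped" fires only after 60 consecutive seconds below it. The bandwidth, percentage and traffic samples are constructed values.

```python
from dataclasses import dataclass

# Constructed example values: the iApp asks for an aggregate ingress bandwidth
# (Mbps) and, under Advanced options, a percentage of it that sets the threshold.
AGGREGATE_INGRESS_MBPS = 1000
THRESHOLD_PERCENT = 80
QUIET_SECONDS = 60  # consecutive seconds below threshold before "Attack Stopped"

def threshold_bps(aggregate_mbps, percent):
    """Signal threshold in bits per second = aggregate bandwidth * percentage."""
    return aggregate_mbps * 1_000_000 * percent / 100

@dataclass
class VolumetricMonitor:
    threshold: float
    quiet_seconds: int = QUIET_SECONDS
    in_attack: bool = False
    below_for: int = 0  # consecutive seconds at or below threshold during an attack

    def observe(self, bps):
        """Feed one per-second bps sample; return the signal to send, if any."""
        if not self.in_attack:
            if bps > self.threshold:
                self.in_attack, self.below_for = True, 0
                return "Attack Started / Rate Above Threshold"
            return None
        if bps > self.threshold:
            self.below_for = 0  # any re-spike restarts the 60 s quiet period
            return None
        self.below_for += 1
        if self.below_for >= self.quiet_seconds:
            self.in_attack, self.below_for = False, 0
            return "Attack Stopped / Rate Below Threshold"
        return None

def run_monitor(samples, threshold, quiet_seconds=QUIET_SECONDS):
    """Return [(second, signal), ...] for a sequence of per-second bps samples."""
    monitor = VolumetricMonitor(threshold, quiet_seconds)
    return [(t, sig) for t, bps in enumerate(samples) if (sig := monitor.observe(bps))]

# Constructed per-second samples (bps): 100 s idle, 30 s flood, 20 s quiet,
# a 5 s re-spike that resets the quiet timer, then 70 s idle.
MBPS = 1_000_000
SAMPLES = ([200 * MBPS] * 100 + [950 * MBPS] * 30 + [300 * MBPS] * 20
           + [900 * MBPS] * 5 + [200 * MBPS] * 70)

if __name__ == "__main__":
    for second, signal in run_monitor(SAMPLES, threshold_bps(AGGREGATE_INGRESS_MBPS, THRESHOLD_PERCENT)):
        print(f"t={second}s: {signal}")
```

With these samples the start signal fires at second 100 and the stop signal at second 214, because the 5-second re-spike at seconds 150 to 154 restarts the 60-second quiet period.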

AFM Attack Event Monitoring

  1. The Hybrid Signaling DoS Monitor iApp leverages the AFM module's configuration to detect and report attacks to F5 Silverline.
  2. Once an attack has been detected, the iApp signals to Silverline indicating that an attack is underway and includes the detected attack vector (e.g. UDP Flood).
  3. Once AFM reports that the attack has ceased, an "Attack Stopped" signal is sent to Silverline as well.

 

Requirements for DoS Monitor iApp

To utilize the F5 Silverline DoS Monitor iApp you must meet the following criteria:

  1. F5 BIG-IP running TMOS 11.5.4+ with the latest HF applied
    • NOTE: 11.6.1+ latest HF applied is required for ASM-based functionality (Bad Actor and Layer 7 DoS Detections)
  2. Valid F5 Silverline User Credentials with user type of Customer Admin 
  3. DNS configured properly to resolve external DNS records (api.f5silverline.com)
  4. Outbound access from the on-prem BIG-IP, destined for port 443 (HTTPS) to api.f5silverline.com.  API calls (aka Signaling), are sent to: https://api.f5silverline.com/api/
  5. Sufficient resources available on the BIG-IP to periodically execute iCall scripts to generate Signals to Silverline (API calls)
  6. Successful deployment of the Hybrid Connector iApp -- See Article 1 - How to Configure Hybrid Connector iApp
  7. RECOMMENDED: NTP Properly Configured on each BIG-IP to ensure correct signal timestamps

 

Environment

  • Silverline DDoS
  • Hybrid Signaling
  • Hybrid Connector
  • F5 BIG-IP

 

Procedure

Download the F5 Silverline DoS Monitor iApp Template

  1. Click this link (HERE), which is a repository of the current F5 Silverline Hybrid Signaling iApps.
  2. Download the iApp: Hybrid Signaling DoS Monitor iApp Template (f5.silverline_dos_monitor.tmpl).
  3. Note where the browser saves the file, so it can be retrieved later.

Install the F5 Silverline DoS Monitor iApp Template

  1. Log in to the BIG-IP (the currently Active device, if in a DSC setup) on which you previously deployed the F5 Silverline Hybrid Connector iApp, and navigate to the iApp Templates section
  2. Click on the "Import..." button on the right hand side of the screen
  3. Check the "Overwrite Existing Templates" checkbox to update the template if the F5 Silverline DoS Monitor iApp template is being updated.
  4. Click on the "Choose File" button and find the "f5.silverline_dos_monitor.tmpl" file that was downloaded previously
  5. Click the "Upload" button
  6. iApp Templates are synchronized between devices in a DSC, so if the BIG-IP is not a standalone device and Automatic Sync is not enabled, uploading the template will trigger the 'Changes Required' notification in the BIG-IP GUI.

 

INITIAL CONFIGURATION

The Silverline DoS Monitor iApp will configure the necessary components and sync those items to each of the members of the Sync-Failover Device Service Cluster (DSC).

Initial iApp Configuration

  1. Press the + button to the right of Application Services.
  2. Enter a name for the DoS Monitor iApp deployment.
  3. From the Template dropdown, select: f5.silverline_dos_monitor.tmpl

 

iApp Section 1: Volumetric Attack Event Monitoring

  1. Select "Yes" to enable monitoring for Volumetric Attack Events
  2. Select either: Interface, VLAN, or Route Domain
    1. IMPORTANT: The interface, VLAN, or Route Domain that will be monitored must be consistent across DSC members.
    2. For example: if selecting Interface "1.1" in the iApp, then Interface 1.1 will be monitored on each DSC member. DSC member #2 cannot be monitored on 1.2 or 1.3, etc.
    3. Similarly, the VLAN (or Route Domain) name that needs to be monitored must be consistent across DSC members.
    4. NOTE: if utilizing the DoS Monitor iApp on vCMP Guests, it is strongly recommended to utilize VLAN monitoring instead of Interface monitoring as interface values are not configurable when they are presented from the vCMP Host to the vCMP Guest.
  3. Select the Interface name, VLAN name, or Route Domain Name
  4. Define the Aggregate Ingress Bandwidth in Megabits Per Second
  5. Define the Prefix(es) that should be included in the API call to Silverline.
    1. This information assists the F5 SOC to know what traffic would need to be diverted to F5 Silverline via BGP.
  6. OPTIONAL: Select 'Advanced' in the Template Options section.  This will expose additional configuration options:
    1. The ability to define the percentage (%) of Aggregate Internet Traffic that determines the threshold for signaling to Silverline.
    2. The ability to enable or disable sending of network statistics for the monitored network element to Silverline. This data is used to populate several reports and charts in the customer portal.

 

iApp Section 2: AFM Attack Event Monitoring

  1. Select "Yes" to enable monitoring for AFM Attack Events
  2. This portion of the DoS Monitor iApp leverages the AFM configuration, which is done outside of the iApp.
  3. Configure AFM as needed for the environment.

 

iApp Section 3: ASM Violation Event Monitoring

  1. These configurations are covered in Article 4.

 

iApp Section 4: Layer 7 DoS Event Monitoring

  1. These configurations are covered in Article 4.

 

iApp Section 5: Advanced Configuration

  1. Enabling verbose iApp logging (Disabled by default) will log activity from the iApp deployment to: /var/tmp/scriptd.out
  2. Disabling API calls to F5 Silverline (Enabled by default) will prevent signals from being sent to Silverline.  This will allow the local logging of attack detection events, but will not attempt to contact Silverline.

DoS Monitor iApp Deployment

  1. Example of DoS Monitor iApp Deployment:

NOTE: iApp Deployments are synchronized between devices in a DSC, so if the BIG-IP is not a standalone device and Automatic Sync is not enabled, deploying the iApp will trigger the 'Changes Required' notification in the BIG-IP GUI.

 

SOC ACTION / WORKFLOW

In order to prevent a flood of alerts and SOC tickets, there is a timer in place to aggregate Hybrid Signaling alerts for action by the F5 SOC:

  1. First, when F5 Silverline receives a signal from a Hybrid BIG-IP for an attack that has started, a five minute timer begins. If, within those 5 minutes, Silverline does NOT receive an "Attack Stopped" signal, a ticket will be created and the SOC is notified.
  2. If an "Attack Stopped" message is received within 30 minutes, that update is appended to the ticket that was created as part of step 1.
  3. It is highly recommended that local logging, SNMP traps, and any other local notifications be configured on the on-prem BIG-IP for redundant alerting purposes. Due to the nature of volumetric DDoS attacks, it is not guaranteed that API calls will successfully egress the customer's facilities, for example when the upstream pipe is saturated.
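The aggregation timer in steps 1 and 2 above, replayed over constructed signals as an added example (this is not Silverline's code). It assumes one open ticket per device and, because the article does not describe that case, leaves a stop signal arriving more than 30 minutes after the start uncorrelated.

```python
TICKET_DELAY_MIN = 5      # "Attack Started" must persist this long before a ticket opens
APPEND_WINDOW_MIN = 30    # "Attack Stopped" within this window is appended to the ticket

def correlate(signals, now):
    """Replay time-ordered (minute, device, kind) signals; kind is 'started' or 'stopped'.

    Returns (tickets, suppressed): tickets opened for the SOC, and the attacks whose
    stop signal arrived inside the 5-minute timer and therefore never became tickets.
    """
    pending = {}    # device -> start minute of an attack whose timer is still running
    tickets = {}    # device -> open ticket (assumption: one open ticket per device)
    suppressed = []

    def fire_timers(t):
        # Open a ticket for every pending attack whose 5-minute timer has elapsed by t.
        for device, started in list(pending.items()):
            if t >= started + TICKET_DELAY_MIN:
                tickets[device] = {"device": device, "started": started,
                                   "created": started + TICKET_DELAY_MIN, "updates": []}
                del pending[device]

    for t, device, kind in sorted(signals):
        fire_timers(t)
        if kind == "started":
            pending[device] = t
        elif kind == "stopped":
            if device in pending:  # stopped before the timer elapsed: no ticket
                suppressed.append((device, pending.pop(device), t))
            elif device in tickets and t - tickets[device]["started"] <= APPEND_WINDOW_MIN:
                tickets[device]["updates"].append((t, "Attack Stopped"))
            # Assumption: a stop signal later than 30 minutes is left uncorrelated;
            # the article does not describe that case.
    fire_timers(now)
    return list(tickets.values()), suppressed

# Constructed signals (minutes since an arbitrary epoch, hypothetical device names):
SIGNALS = [
    (0, "bigip-a", "started"), (3, "bigip-a", "stopped"),    # short blip, no ticket
    (10, "bigip-b", "started"), (22, "bigip-b", "stopped"),  # ticket at 15, stop appended
    (20, "bigip-c", "started"),                              # still ongoing at 'now'
]

if __name__ == "__main__":
    tickets, suppressed = correlate(SIGNALS, now=40)
    for ticket in tickets:
        print(ticket)
    print("suppressed:", suppressed)
```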

The default F5 SOC workflow is as follows:

  1. Once the 5 minute counter has elapsed and the attack is deemed actionable, the F5 SOC will receive a ticket with data from the on-premises BIG-IP
    • Example Ticket:
  2. An F5 Silverline SOC Analyst will triage the ticket and then follow the Emergency Procedures as defined in the Portal to initiate contact with the customer.
  3. Also, upon SOC ticket creation, an automated e-mail containing the signal contents (attack detection info) & Silverline Support Ticket Number will be generated and sent to the customer's users who have elected to receive notification alerts from Hybrid BIG-IP devices (configurable under each user's profile).
  4. Example E-mail:
  5. The F5 SOC Analyst will then work with the customer to determine if routing traffic through F5 Silverline for mitigation is appropriate for the scenario.

 

PORTAL VIEWS AND REPORTS

API Activity Log

In F5 Silverline Portal, signals can be viewed in the API Activity Log:  Audit -> API Activity Log

All API activity is logged here, but the results can be filtered:

Example:

In addition to Attack Event Signals, there are several other types of API calls that are shown on the API Activity Log page, including Health Checks, Inventory Check-Ins, SOC Alerts (when tickets get opened), etc.

 

 

DDoS Activity

In the F5 Silverline Portal, signals can also be viewed under DDoS Activity: Monitor & Analyze -> DDoS Activity -> Alerts for Hybrid BIG-IP (tab)

 

Hybrid BIG-IP Stats

In the F5 Silverline Portal, bits-per-second values can be viewed, if enabled in the DoS Monitor iApp config: Monitor & Analyze -> Stats -> Hybrid BIG-IP

 

 

By default, one BIG-IP's stats are displayed, but multiple devices can be shown by selecting 'All' from the 'Device' dropdown:

The chart also has these features:

  1. The red bands indicate an attack's duration. If the bands overlap, signifying multiple concurrent attacks, the red shading becomes darker.
  2. Hovering over an alert flag will provide additional detail on that alert.
  3. Clicking on a device's color indicator in the legend will toggle that device's data on/off and re-draw the chart.

And finally, you can click and drag on the graph to zoom into a particular time frame with greater detail:

Result:

 

TROUBLESHOOTING

IMPORTANT: Configuring verbose logging for the iApp or debugging for API calls is only meant for brief troubleshooting periods.  It is important to reconfigure these options to "No" once troubleshooting is completed.

VERBOSE iAPP LOGGING

Log messages are sent to /var/log/ltm as standard practice.  If verbose logging is enabled, more detailed log messages are sent to /var/tmp/scriptd.out. This file is not managed, and thus does not survive reboots or upgrades.  It is also not rolled or truncated, so verbose logging should not be left enabled for longer than necessary.

From the on-premises BIG-IP CLI, to see the log messages execute the command:

cat /var/log/ltm

To see the log messages in realtime (which can be helpful when deploying the iApp template or testing), execute this command from the on-prem BIG-IP CLI:

tail -f /var/log/ltm

Example of /var/log/ltm:

From the on-premises BIG-IP CLI, to see the verbose log messages execute the command:

cat /var/tmp/scriptd.out

To see the verbose log messages in realtime (which can be helpful when deploying the iApp template), execute this command from the on-prem BIG-IP CLI:

tail -f /var/tmp/scriptd.out

Example of /var/tmp/scriptd.out:

 

DEBUGGING for API CALLS

When enabling debugging for API calls, there will be several new /var/tmp/scriptd.out log entries showing the filenames where the API call contents are listed.

Example within /var/tmp/scriptd.out:

In order to view the contents of the API debugging file, execute this command (replace the filename with the filename from the log) from the on-premises BIG-IP CLI:

cat /tmp/.ag_Post.-1525430266.dat

Example of an API debugging file:

 

Related Content

Getting Started with Hybrid Signaling Series

Additional Info
