
Article 4 - How to Configure Hybrid Signaling DoS Monitor iApp for ASM Violation & Layer 7 DoS Event Monitoring

This article is part of the Hybrid Signaling series of articles:

 

Description

This article covers:

  • how an on-prem BIG-IP is configured via the Hybrid Signaling DoS Monitor iApp to determine when a Source IP address should be classified as a Bad Actor and a Signal should be sent to the F5 Silverline Cloud Platform to block that IP upstream
  • how to configure ASM Violation Event Monitoring in Hybrid Signaling DoS Monitor iApp
  • how to configure Layer 7 DoS Event Monitoring in Hybrid Signaling DoS Monitor iApp

 

What is Hybrid Signaling DoS Monitor iApp?

The Hybrid Signaling DoS Monitor iApp can leverage detection mechanisms in several different BIG-IP modules. The iApp is also module aware, and presents configuration options based on the modules that are provisioned.

There are 4 main configuration sections in the DoS Monitor iApp:

  DoS Monitor iApp Configuration Section | Requirements                                             | Configuration KB Article
  1. Volumetric Attack Event Monitoring  | Module-agnostic; only TMOS is needed, any module will do | Article 3 - How to Configure Hybrid Signaling DoS Monitor iApp - Volumetric and L3/L4 DDoS Event Monitoring
  2. AFM Attack Event Monitoring         | Advanced Firewall Manager (AFM)                          | Article 3 - How to Configure Hybrid Signaling DoS Monitor iApp - Volumetric and L3/L4 DDoS Event Monitoring
  3. ASM Violation Event Monitoring      | Application Security Manager (ASM)                       | Discussed below
  4. Layer 7 DoS Event Monitoring        | Application Security Manager (ASM)                       | Discussed below

 

Requirements for DoS Monitor iApp

To utilize the F5 Silverline DoS Monitor iApp you must meet the following criteria:

  1. F5 BIG-IP running TMOS 11.5.4+ with the latest HF applied
    • NOTE: 11.6.1+ latest HF applied is required for ASM-based functionality (Bad Actor and Layer 7 DoS Detections)
  2. DNS configured properly to resolve external DNS records (api.f5silverline.com)
  3. Outbound access from the on-prem BIG-IP to api.f5silverline.com on port 443 (HTTPS). API calls (aka Signaling) are sent to: https://api.f5silverline.com/api/
  4. Sufficient resources available on the BIG-IP to periodically execute iCall scripts to generate Signals to Silverline (API calls)
  5. Successful deployment of the Hybrid Connector iApp -- See Article 1 - How to Configure Hybrid Connector iApp
  6. RECOMMENDED: NTP Properly Configured on each BIG-IP to ensure correct signal timestamps

 

Environment

  • Silverline DDoS
  • Hybrid Signaling
  • Hybrid Connector
  • F5 BIG-IP

 

Procedure

INSTALLATION

IMPORTANT: If the DoS Monitor iApp template has already been uploaded to the BIG-IP (as detailed in Article 3), skip this INSTALLATION section and start with the INITIAL CONFIGURATION section below.

Download the F5 Silverline DoS Monitor iApp Template

  1. Click this link (HERE), which is a repository of the current F5 Silverline Hybrid Signaling iApps.
  2. Download the iApp: Hybrid Signaling DoS Monitor iApp Template (f5.silverline_dos_monitor.tmpl).
  3. Note where the browser saves the file, so it can be retrieved later.

Install the F5 Silverline DoS Monitor iApp Template

  1. Log in to the BIG-IP (the currently Active device, if in a DSC setup) on which you previously deployed the F5 Silverline Connector iApp, and navigate to the iApp Templates section
  2. Click on the "Import..." button on the right hand side of the screen
  3. Check the "Overwrite Existing Templates" checkbox to update the template if the F5 Silverline DoS Monitor iApp template is being updated.
  4. Click on the "Choose File" button and find the "f5.silverline_dos_monitor.tmpl" file that was downloaded previously
  5. Click the "Upload" button
  6. iApp Templates are synchronized between devices in a DSC, so if the BIG-IP is not a standalone device and Automatic Sync is not enabled, uploading the template will trigger the 'Changes Required' notification in the BIG-IP GUI.

 

INITIAL CONFIGURATION

IMPORTANT:  If the DoS Monitor iApp has already been deployed:

  1. In the BIG-IP GUI: Navigate to iApp -> Application Services
  2. Click on the existing Dos Monitor iApp Deployment
  3. Click the 'Reconfigure' Tab
  4. Skip this INITIAL CONFIGURATION SECTION and begin with the section below, titled: iApp Section 3: ASM Violation Event Monitoring

The Silverline DoS Monitor iApp will configure the necessary components and sync those items to each of the members of the Sync-Failover Device Service Cluster (DSC).

Initial iApp Configuration

  1. Press the + button to the right of Application Services.
  2. Enter a name for the DoS Monitor iApp deployment.
  3. From the Template dropdown, select: f5.silverline_dos_monitor.tmpl

 

iApp Section 1: Volumetric Attack Event Monitoring

  1. These configurations are covered in Article 3.

 

iApp Section 2: AFM Attack Event Monitoring

  1. These configurations are covered in Article 3.

 

iApp Section 3: ASM Violation Event Monitoring

!!! WARNING !!! - It is highly recommended to configure the necessary addresses into the DoS Protection White List before enabling this capability. In the BIG-IP GUI, navigate to: Security -> DoS Protection -> White List. This will prevent IPs from being denylisted incorrectly both locally and in Silverline.

[Screenshot: article-4-iApp-GUI-ASM-Section-v2.jpg]

  1. Select "Yes" to enable monitoring for ASM Violation Events
  2. Provide a set of administrator credentials for iControl; the iApp uses these to query the ASM database
  3. ASM policies that are defined on the BIG-IP will initially show in the 'Options' box
  4. ASM policies that are in the 'Selected' box will be used to determine Bad Actors
  5. Using the arrow buttons, move the ASM policies as desired for the deployment
  6. Select the desired Violation Rating that will be used to determine Bad Actors (default is 4)
  7. Define the number of violations that will trigger denylisting for an offending Src IP (default is 10)
  8. Define the length that an offending Src IP should be denylisted (default is 15 min)
  9. OPTIONAL: Select 'Advanced' in the Template Options section.  This will expose additional configuration options:
    1. Select how often the iApp should query ASM to determine Bad Actors (default is 1 min)
    2. Select how many minutes of data the query should search (default is 1 min)
    3. These settings work together.  Here is an EXAMPLE:
      1. Query ASM: Every 5 minutes
      2. Minutes of Data to Search: 1 minute
    4. This may not be an ideal configuration, because the iApp is searching only the last minute of data, so if an offending IP has 8 violations in minutes 1-4, and then only 2 in the last minute, it will not be flagged as a Bad Actor.
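The following is an added illustration of the Bad Actor decision described in steps 6 through 9 (selected policies, Violation Rating, violation count, query interval and search window); it is example code written for this article, not the iApp's own iCall script, and the sample violation records, the record shape and the signal shape are all assumptions. It reproduces the EXAMPLE above: querying every 5 minutes while searching only 1 minute of data misses an IP with 8 earlier violations and 2 recent ones.

```python
from collections import Counter

# Constructed sample of ASM violation records as (minute, src_ip, violation_rating, policy).
# This is an assumed, simplified shape, not real rows from the ASM database.
SAMPLE_VIOLATIONS = (
    [(m, "203.0.113.10", 4, "/Common/policy_a") for m in (0, 1, 1, 2, 2, 3, 3, 3)]  # 8 hits, minutes 0-3
    + [(4, "203.0.113.10", 5, "/Common/policy_a")] * 2                               # 2 hits in the last minute
    + [(4, "198.51.100.7", 2, "/Common/policy_a")] * 20                              # rating too low to count
    + [(4, "192.0.2.9", 5, "/Common/policy_b")] * 12                                 # policy not in 'Selected'
)


def find_bad_actors(violations, now_minute, search_minutes=1, min_rating=4,
                    violation_threshold=10, selected_policies=("/Common/policy_a",)):
    """Return {src_ip: violation_count} for every IP that meets the Bad Actor criteria.

    Only violations from policies in the 'Selected' box, with a rating of at least
    min_rating, and that fall inside the last search_minutes of data are counted."""
    window_start = now_minute - search_minutes
    counts = Counter()
    for minute, src_ip, rating, policy in violations:
        if policy not in selected_policies or rating < min_rating:
            continue
        if window_start <= minute < now_minute:
            counts[src_ip] += 1
    return {ip: n for ip, n in counts.items() if n >= violation_threshold}


def build_signals(bad_actors, duration_minutes=15, prefix_len=32):
    """Assumed shape of one denylist signal per Bad Actor (offending IP, subnet mask, duration).
    The real Silverline API request format is not reproduced here."""
    return [{"ip": ip, "mask": prefix_len, "duration_minutes": duration_minutes, "violations": n}
            for ip, n in sorted(bad_actors.items())]


if __name__ == "__main__":
    # The query fires at minute 5 (Query ASM: every 5 minutes).
    narrow = find_bad_actors(SAMPLE_VIOLATIONS, now_minute=5, search_minutes=1)
    wide = find_bad_actors(SAMPLE_VIOLATIONS, now_minute=5, search_minutes=5)
    print("search 1 min:", narrow)  # {} because the 8 earlier violations fall outside the window
    print("search 5 min:", wide)    # {'203.0.113.10': 10}
    print(build_signals(wide))
```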

 

iApp Section 4: Layer 7 DoS Event Monitoring

!!! WARNING !!! - It is highly recommended to configure the necessary addresses into the DoS Protection White List before enabling this capability. In the BIG-IP GUI, navigate to: Security -> DoS Protection -> White List. This will prevent IPs from being denylisted incorrectly both locally and in Silverline.

[Screenshot: article-4-GUI-L7DoS-Config-v3.jpg]

  1. Select "Yes" to enable monitoring for Layer 7 DoS events
  2. Define the length that an offending Src IP should be denylisted (default is 15 min)
  3. This portion of the DoS Monitor iApp relies on the L7 DoS configuration that is done outside of the iApp:
  4. Configure L7 DoS as needed for the environment

 

iApp Section 5: Advanced Configuration

  1. Enabling verbose iApp logging (Disabled by default) will log activity from the iApp deployment to: /var/tmp/scriptd.out
  2. Disabling API calls to F5 Silverline (Enabled by default) will prevent signals from being sent to Silverline.  This will allow the local logging of attack detection events, but will not attempt to contact Silverline.

 

DoS Monitor iApp Deployment

  1. Example of DoS Monitor iApp Deployment:

NOTE: iApp Deployments are synchronized between devices in a DSC, so if the BIG-IP is not a standalone device and Automatic Sync is not enabled, deploying the iApp will trigger the 'Changes Required' notification in the BIG-IP GUI.

 

SOC ACTION / WORKFLOW

The outcome of ASM Event Monitoring and L7 DoS Event Monitoring is to determine Bad Actors and denylist them upstream in Silverline. Because of this, the SOC is not involved in the signaling process.

  1. Once the iApp determines that a Bad Actor (or multiple Bad Actors) has been identified, a signal is sent to Silverline with the offending Src IP & subnet mask.
  2. Silverline receives the signal and incorporates the denylist requests into the denylist policy for the requested duration
  3. By default, the denylist entry is added to both the Proxy and Routed Denylist (see each tab):
  4. Once the denylist duration has expired, the denylist entry is automatically removed
  5. If the denylist entry needs to be removed before the automatic expiry, that can be done using the 'Delete Selected' button:

 

PORTAL VIEWS AND REPORTS

API Activity Log

In F5 Silverline Portal, signals can be viewed in the API Activity Log:  Audit -> API Activity Log

All API activity is logged here, including denylist entries:

 

Related Content

Getting Started with Hybrid Signaling
