Important: Silverline has temporarily suspended in-house initiated DDoS simulations to our proxy infrastructure.
Description
This article outlines:
- What is a Silverline-initiated test?
- Terms & Conditions
- Procedure to schedule the test with Silverline SOC
- What happens on the test day
- After-test report
NOTE: This refers to Silverline-initiated tests.
For customer-initiated tests see Q&A: What is F5 Silverline's Policy on Customer-Initiated Pen Test/Application Scan/DDoS/Load Test?
What is the Silverline-Initiated DDoS Test?
Silverline provides the capability to generate realistic DDoS attacks for Silverline customers. The main goal of DDoS testing is to evaluate the resiliency of the customer's systems and processes, in addition to demonstrating F5 Silverline scrubbing capabilities.
Terms & Conditions
- Silverline customers are eligible for 2 DDoS tests per year of contracted service.
- This attack simulation is free of charge for Silverline customers.
- This attack simulation tool is also available for potential customers; however, they're allowed only 1 simulation free of charge for the duration of the Proof of Concept (POC).
- Attacks can only be launched on prefixes protected by F5 Silverline.
- Silverline customers can only select 2 different attack vectors:
  - TCP SYN Flood
  - UDP Flood
  - UDP Fragmentation Flood
  - ICMP Flood
- Customers can select up to 2 target IPs (proxy and/or routed).
- The attack bandwidth MUST NOT exceed 70% of the customer's internet link capacity. Silverline can generate up to 3Gbps of attack traffic.
- The attack-test duration MUST NOT exceed 60 minutes.
- The minimum time to submit the request is 6 business days prior to the desired test date (leaving enough room for information gathering and approvals).
Pre-conditions
- Ensure that prior to scheduling the DDoS test with Silverline, the routing through Silverline is verified and tested. For guidance review our article Testing DDoS Services: Is there a mechanism to test moving Routed traffic over? Can we schedule that for a particular maintenance window?
- No route leaks should exist on customer prefixes; if any are observed, the test cannot be performed.
- More recommendations and best practices can be found in the article Q&A: Silverline-Initated DDoS test attack
Environment
- Silverline DDoS (Routed or Proxy)
- Always On
- Always Available
Procedure
- How to schedule the Silverline-initiated DDoS test?
- What happens on the attack-test day?
- Will I receive a report after the attack-test?
How to schedule the Silverline-initiated DDoS test?
- Submit a support ticket to the SOC requesting a DDoS test initiated by Silverline. The request should be submitted at least 6 business days prior to the desired test date and include the following information:
  - [Target] What Destination IPs/Ports/URLs should be targeted (max 2)?
  - [Vector] What type of attacks (max 2)?
    - Current attack offerings are UDP Flood, ICMP Flood, SYN Flood, Fragmentation Flood, HTTP / HTTPS attack
  - [Time] What are the desired time slots for this test?
    - Please provide the 1 hour time slots of your preference following this format → [ dd-mmm-yyyy HH:MM UTC] ← Include timezone
    - Minimum lead time of 6 business days after the request was submitted.
  - [Bandwidth] What is the internet link capacity?
    - Confirm if the internet link is dedicated or shared
  - [Volume] What is the expected attack size in Gbps/pps?
    - Maximum attack size can’t exceed 70% of the total internet link capacity
    - Maximum attack size that Silverline can generate is 3Gbps
    - NOTE: If the requested attack bandwidth is greater than the customer internet link capacity, a written authorization from the ISP(s) allowing the bursts of traffic during the test is mandatory.
  - [Acknowledgement] While this test is performed there is a possibility of attack traffic reaching the destination while mitigations are implemented and tuned.
    - Please confirm that you are aware of this by stating “Yes, I am aware” next to this line.
  - (non-silverline IP) [Authorize] An authorization form signed by the customer is required by our DDoS generator vendor in order to prepare the test. Please fill in the attached form and return it to us signed.
| Attack Parameter | Description | Additional Information |
| --- | --- | --- |
| Target | What Destination IPs/Ports/URLs should be targeted? | Select max 2<br>Attacks on Silverline Proxy front-end IPs do not require an authorization form<br>Attacks on non-Silverline owned IP addresses require an authorization form (See attachment) |
| Vector | What type of attack vectors would you like to test? | Select max 2<br>Current attack offerings are UDP Flood, ICMP Flood, SYN Flood, Fragmentation Flood, HTTP / HTTPS attack<br>NOTE: For routed customers HTTP/S attacks can't be performed as Silverline does not have visibility over the encrypted traffic |
| Time | What are the desired time slots for this test? | Please provide the 1 hour time slots of your preference following this format → [ dd-mmm-yyyy HH:MM UTC] ← Include timezone<br>Minimum lead time of 6 business days after the request was submitted. |
| Bandwidth | What is the internet link capacity? | Confirm if the internet link is dedicated or shared |
| Volume | What is the expected attack size in Gbps/pps? | Maximum attack size can’t exceed 70% of the total internet link capacity<br>Maximum attack size that Silverline can generate is 3Gbps<br>NOTE: If the requested attack bandwidth is greater than 70% of the customer internet link capacity, a written authorization from the ISP(s) allowing the bursts of traffic during the test is mandatory. |
| Acknowledgement | While this test is performed there is a possibility of attack traffic reaching the destination while mitigations are implemented and tuned. | Please confirm that you are aware of this by stating “Yes, I am aware” next to this line. |
- Silverline will submit the authorization to conduct the attack to the 3rd party vendor. It can take up to 5 business days for the authorization to be processed.
- Silverline SOC will schedule the test upon receiving authorization from the 3rd party vendor (customer-owned IPs) or once the initial set of questions has been validated as completed by the SOC (proxy front-end IPs).
- If required, prior to the attack-test day, the customer should ask the SOC to set up a Zoom session during the DDoS test.
What happens on the attack-test day?
- On the attack-test day, if the target is a routed IP, Silverline SOC will perform one last check to verify that no route leaks exist.
- Silverline SOC will confirm with the customer before launching the attack.
- The attack starts and the SOC will mitigate the attack by implementing countermeasures to scrub the malicious traffic.
- An attack notification will be sent to the customer following the RTIP specified by the customer.
- If issues are observed at any point during the test, inform the SOC immediately so the attack can be ceased.
- The SOC reserves the right to stop the attack at any point during the test.
Will I receive a report after the attack-test?
- Yes, 24-48 hours after the attack-test is completed, Silverline SOC will generate a report that will be shared with the customer.
- The report will include the following:
  - How much bandwidth was generated by the attack tool
  - How effective the DDoS protection is
  - Snippet of traffic observed during the attack test(s)
  - Areas for improvement, recommendations
Related Content
- Authorization Form
- Q&A: Silverline-Initated DDoS test attack
- Q&A: What is F5 Silverline's Policy on Customer-Initiated Pen Test/Application Scan/DDoS/Load Test?
- Q&A: What are route leaks?
- How to Set Up Real-Time Incident Procedures (RTIP) for DDoS Attacks
- Testing DDoS Services: Is there a mechanism to test moving Routed traffic over? Can we schedule that for a particular maintenance window?