Agenda - Veracomp

Post on 29-Jun-2022

Agenda

DDoS Hybrid Defender / Silverline

DDoS Challenges

DDoS Attack Trends

DDoS attacks are easy to launch

Tools: hping3, nmap, Low Orbit ION, High Orbit ION, killapache.pl, slowloris, metasploit, slowhttptest, RussKill, Pandora, Dirt Jumper, PhantomJS

Multiple Vulnerable Points: Attacks target the network, WAN bandwidth, and applications.

Sophisticated and Targeted: Multi-vector attacks can hide within encrypted payloads.

Good Versus Bad Traffic: Difficult to distinguish the good from the bad.

DDoS Hybrid Defender

Accurate Detection

Ultra-Fast Mitigation

Full Protection on All Fronts

Accurate Detection

Comprehensive DDoS protection, tightly integrated on-premises and in the cloud.

1. Machine Learning: Learns normal traffic baselines.

2. Stress Monitoring: Detects abnormal server stress.

3. Dynamic Signatures: Identifies bad traffic and bad actors.

4. Attack Mitigation: Shuns bad traffic automatically.

DDHD Configuration Options

• Device protection

• Protected objects

• Protection profiles

• Auto discover

• Eviction Policy

• Attack vectors

(D)DoS Attack Vectors

• Manual Configuration

• Detection / Reporting only

• Auto-Threshold (Learning)

• Dynamic Attack Signatures

• Bad Actor and Attacked Destination Detection

• Ability to initiate BGP Blackhole, Redirect, Flowspec

Ultra-Fast Mitigation

Intelligent Mitigation: Intelligent techniques determine good versus bad traffic, automatically blocking the bad without impacting the good.

Application Inspection: Low and slow, application-specific attacks need deep application layer analysis.

Real-Time Decryption: Provides high-performance, scalable SSL/TLS decryption services to give visibility into encrypted attacks.

Full Protection on All Fronts

Application Protection: Leverages SSL/TLS inspection to defend against L7 DoS with behavioral analysis.

Network Protection: Multiple techniques: statistical method to baseline 3000+ L3/4 metrics and auto-threshold IP reputation feeds.

Bandwidth Saturation: Sends excessive network traffic to F5 Silverline for cloud-based scrubbing.

Layer 7 Defenses

• Bot detection

• SSL/TLS inspection

• Low and slow attack discovery

• Heavy URL detection

Application Protection

Zero-Day Protection

Behavior Analysis: Machine Learning algorithms to profile normal traffic.

Auto Threshold: Machine Learning algorithms to generate thresholds for static vectors.

No Touch Defenses

DoS Prediction

Stress Computation

• Accurate assessment of DoS condition significantly reduces false positives

• Take action before the attack can disrupt services

Flexible Deployment Models

• Cloud-delivered

• On-premises, in-line, or out-of-band

• Hybrid with appliances and F5 Silverline

[Figure: deployment diagrams. BIG-IP modes shown: Netflow, SPAN Port on a switch, VLAN Group (VLAN 1, VLAN 2), Routed Mode (Subnet 1, Subnet 2), Virtual Wire (VLAN 1, VLAN 1). Network placement labels: Telco Router, Silverline, Enterprise Router, Core, Internet Edge, Data Center, DDoS Hybrid Defender.]

F5 Silverline

F5 Security Operations Center (SOC) is available 24x7x365 with security experts ready to respond to DDoS attacks and build WAF policies within minutes

• Seattle, WA, U.S.

• Warsaw, PL

Fully redundant and globally distributed data centers

• San Jose, CA, U.S.

• Ashburn, VA, U.S.

• Frankfurt, DE

• Singapore, SG

• London, UK

• Scrubbing capacity of over 2.0 Tbps

• Guaranteed bandwidth with Tier 1 carriers

Always On: Primary protection as the first line of defense

Always Available: Primary protection available on-demand

Two Ways to Direct Traffic to Silverline Scrubbing Centers

• BGP (BORDER GATEWAY PROTOCOL) ROUTED MODE

• DNS PROXY MODE

Multiple Ways to Return Clean Traffic

• L2VPN / VIRTUAL ETHERNET

• GRE TUNNELS

• PROXY

F5 Silverline – Routed Mode

[Figure: traffic flow in routed mode. Labels: Internet, ISP Router, Customer/ISP Transit Network, F5 Router, F5 Silverline DDoS Protection, GRE Tunnel, Customer Router, Customer Admin, Data Center (hosts 1.2.3.4, 1.2.3.5, 1.2.3.6, 1.2.3.7).]

• BGP Configuration Change: withdraw advertisement for 1.2.3.0/24

• BGP Route Advertisement: F5 route for 1.2.3.0/24 becomes preferred

• TCP Connection: SYN, SRC: 86.75.30.9:27182, DST: 1.2.3.4:80

• TCP Connection: SRC: 69.86.73.76:4243, DST: 1.2.3.4:80

• Clean traffic is returned via GRE Tunnel to customer’s data center

• TCP Connection: SYN-ACK, SRC: 1.2.3.4:80, DST: 86.75.30.9:27182

DDHD Testing POC

Attack vector | Target | Rate

DNS Garbage flood | DNS Srv | 200 Mbps and higher

SYN Flood | WEB Srv | 100K PPS

ICMP Flood | SMTP Srv | 400 Mbps

HTTP GET Flood | WEB Srv | 100K RPS

• Realistically assess your DDoS protection readiness

• Identify weak points and improve your protection level

• Increase your confidence level for the day of a real attack

• Application floods vs Network Floods

DNS Garbage Flood

TCP SYN/ICMP/HTTP GET Flood

Silverline redirection

Network Protection: Multiple techniques - statistical method to baseline 3000+ L3/4 metrics & auto thresholds IP reputation feeds

Application Protection: Leverages SSL inspection to defend against L7 DDoS with behavioral analysis

WAN Bandwidth Saturation: Silverline protection, including signaling from on-premises devices

With F5 you get Full Protection on All Fronts

F5 DDoS Hybrid Defender

(6) Virtual switch, (8) Routed mode, (2) ERSPAN