L3/L4 DDoS Mitigation

• Log into the Console with your credentials, and select DDoS Service.

• Select Manage in left column menu, and then select Tunnels.

• Click Add Tunnel and this opens the new object creation form.

• Enter a name for your tunnel, and optionally set labels and description.

Do the following in the Tunnel Location section:

• Click on the Location Name drop-down and select a destination location from the displayed list of locations.

• Click on the Availability Zone drop-down and select a zone from the displayed list of zones. The Zone 1 is selected by default.

• Enter Bandwidth Speed Configuration in Bandwidth Max in MB box.

• Click on the Tunnel Type drop-down, select one of the tunnel types and perform configuration as per the guidelines provided in the following steps:

• Select GRE Over IPv4 and set the following fields for the GRE tunnel configuration:

  • Enter the IPv4 address for your endpoint in the Customer Endpoint IP field.
  • Optionally, select Enable for the IPv6 Interconnect field.
  • Optionally, select Enable for the Fragmentation field.
  • Optionally, select Enable for the Keepalive field.

Note: The IPv6 Interconnect, Fragmentation, and Keepalive options are disabled by default.

• Select GRE Over IPv6 and set the following fields for the GRE tunnel configuration:

  • Enter the IPv6 address for your endpoint in the Customer Endpoint IP field.
  • Optionally, select Enable for the IPv4 Interconnect field. This is disabled by default.

• Select IP Over IP enable IPv4 encapsulation within IPv4 address for the tunnel.

• Select IPv6 Over IPv6 enable IPv6 encapsulation within IPv6 address for the tunnel.

Go to Tunnel BGP Information section and perform configuration as per the following guidelines:

• Click on the ASN drop-down and select an ASN from the list of displayed ASN objects.

• Click on the Customer Peer Secret Override field, select one of the options from the drop-down as per the following guidelines:

• Select Use Default Secret to use the secret set during tenant provisioning, for establishing tunnel session. This is also the default selection.

• Select BGP Password Override to set a secret for the session. Click Configure and do the following:

  • Select Blindfolded Secret or Clear Secret for the secret type. If it is clear type, enter the secret in plain text format or Base64 format, and select Apply.
  • In case of Blindfolded Secret, enter the secret in the Secret to Blindfold, and select Apply.

• Select No Secret to disable using secret for the sessions.

• Enter a hold time value in seconds in the Holddown Timer field.

Figure: Tunnel Configuration

Click Save and Exit to complete creating the tunnel.

• Select Manage in left column menu, and then select ASNs.

• Click Add ASN and this opens the new object creation form.

• Enter a name for your ASN object, and optionally set labels and description.

• Enter a number in the ASN field. The allowed range is 0-4294967295.

Figure: ASN Configuration

• Click on the Use a BGP Neighbor drop-down and select whether BGP sessions are to be enabled or disabled. The Enable option is selected by default.

Click Save and Exit to complete creating the ASN object.

• Select Manage in left column menu, and then select Prefixes.

• Click Add Prefix and this opens the new object creation form.

• Enter a name for your prefix mapping, and optionally set labels and description.

• Enter an IP prefix in the Prefix field in the IP address/prefix-length format.

Figure: Prefix Configuration

• Click on the ASN drop-down and select ASN to be associated with this prefix.

Click Save and Exit to complete creating the prefix mapping.

• Select Manage in left column menu, and then select Route Advertisement.

• Click Add Route Advertisement and this opens the new object creation form.

• Enter a name for your route advertisement object, and optionally set labels and description.

• Enter an internet prefix in the Prefix field in the IP address/prefix-length format.

• Click on the Activation Selection drop-down and select whether this prefix is to be actively advertised or not. Active advertisement is selected by default.

In the Advanced configuration section, click on the Expiration drop-down and do as per the following guidelines:

• Select Expiration Time (UTC) and enter an expiration timestamp in the UTC format in the Expiration Time (UTC) field. After the expiration of this time, mitigation for this route will be deactivated.

Figure: Route Advertisement Configuration

• Select Never to always keep mitigation active for this route. This is also set by default.

Click Save and Exit to complete creating the route advertisement.

• Select Manage in left column menu, and then select Firewall Rules.

• Select All Firewall Rules.

• Select + Add Infraprotect Firewall Rules and this opens the new object creation form.

• Enter a name for your firewall rule object, and optionally set labels and description.

• Select Version.

• Select Source Prefix, enter Prefix, default option, if All Prefixes is not selected.

• Select Destination Prefix, enter Prefix, default option, if All Prefixes is not selected.

• Select Protocol.

  • Select Source Port.

  • Select Port Range.

• Select Destination Port, enter Port Range, default option, if All is not selected.

• Enter Description.

Figure: Firewall Rules Configuration

• Select Action in Options box. Deny is default.

• Select State, Off is default.

Note: To enable firewall rule options State needs to be On.

• Select Fragments, Deny is default.

Note: Set Allow in Fragments option to allow fragments in destination.

• Click Save and Exit to complete creating the route advertisement.

• Select Firewall Rules > IPv4 & IPv6 Firewall Rules to view and edit firewall rules.

• Select Manage in left column menu, select Deny List Rules.

• Select Add Infraprotect Deny List Rule to open new object creation form.

• Enter a name for your deny list object, and optionally set labels and description.

• Enter an internet prefix in the Prefix field in the IP address/prefix-length format.

• Click on the Expiration drop-down and select when this prefix is to expire. Never is selected by default.

Figure: Deny List Rules Configuration

Click Save and Exit to complete creating the deny list rules.

• Select Manage in left column menu, and then select Fast ACLs for Internet VIPs.

• Click Select Fast ACLs for Internet VIPs and this opens the new object creation form.

• In the Select Fast ACLs for Internet VIPs form, click on the drop-down in the Fast ACLs column, and select a Fast ACL object.

Note: You can use the Add Item button to add more than one Fast ACL object.

• Click Save and Exit to complete creating the Fast ACLs for Internet VIPs.

In the DDoS and Transit Services page, select DDoS Protection > Visibility. The DDoS protection dashboard page opens. The following list provides information on the various sections in the dashboard.

Figure: DDoS Dashboard

Click on the Events tab to open the events page and explore the functionality using the following guidelines:

• The events are displayed in a table view with each row having event name, creator, source IP, start time, end time, and actions. There is also a Chart tab to view the events in a bar chart.

• Click on any event to open the event's specific monitoring page. The Alerts tab is displayed by default.

  • Click on the Mitigation Annotations tab to view the annotation details related to the event. These details include creator, description of event, and created time.
  • Click on the Pcap tab to view the packet capture information. You can also add a capture using the Add Pcap option.
  • Click on the Event Details tab to view the details related to event such as creator, title, created time, attachments, and actions. Actions include editing the information and deleting it. You can also add an event detail using the Add Event Detail option to add a specific event information.

Figure: DDoS Events View

• Click ... in the Actions column against any event to view detail of the event, add detail to it, or add a packet capture. The View Details option will load the Event Details page of monitoring view specific to that event.

Note: Similar to dashboard filters, events view also has the network traffic filter, time interval selector, and refresh options located on the top of the page. You can use these filters to adjust the view as per your need.

Click on the Alerts tab to open the alerts page and explore the functionality using the following guidelines:

• The alerts are displayed in a table view with each row having alert number, source IP, start time, end time, bandwidth, alert type, and associated event.

• Click on any alert number to view the prefixes and ports related to that alert in a modeless window.

• Click Edit button in the Events column for any alert to change the event assignment to that alert.

Note: Similar to dashboard filters, alerts view also has the network traffic filter, time interval selector, and refresh options located on the top of the page. You can use these filters to adjust the view as per your need.

Click on the Mitigations tab to open the mitigations page and explore the functionality using the following guidelines:

• Mitigations are displayed in a table view with each row having mitigation, source IP, network, status (ongoing or not), and start time.

• Click on a mitigation to open its specific monitoring page. The Dashboard tab is displayed by default.

• Dashboard shows the mitigation breakdown in terms of total and invalid packets in a graph. Place mouse pointer anywhere on the graph to view total and invalid packets in bits per second on that date. Use the controls on top right for switching measurement unit, time interval, refresh, and sort filter. Using the sort filter, you can adjust the graph to display based on maximum (peak) traffic, average traffic, or ignore short spikes in traffic.

• Click on the Blocked IPs tab to view the blocked IPs and their log count.

• Click on the Annotations tab to view the announcement or notification in the form of an annotation.

• Click on the Details tab to view the details related to the mitigation such as description, prefixes, etc.

Figure: DDoS Mitigations Monitoring View

Note: Similar to dashboard filters, events view also has the network traffic filter, time interval selector, and refresh options located on the top of the page. You can use these filters to adjust the view as per your need.

Click on the Top Talkers tab. Top talkers are the sources from which most traffic is sent and identified by source IP addresses. Top talkers are displayed in a table view with each row having source IP, incoming traffic, and outgoing traffic columns. The incoming and outgoing traffic are displayed in bits per second (bps).

Figure: Top Talkers View

Note: Similar to dashboard filters, events view also has the network traffic filter, internal vs external traffic filter, time interval selector, and refresh options located on the top of the page. You can use these filters to adjust the view as per your need.

Note: The reports are enabled and made available only upon requesting the F5 Distributed Cloud SOC team.

Click on the Reports tab to view reports that you can analyze to gain more insights on your network protection. The reports are displayed in a table view with each row having report name, report type, date of report generation, and attachment of the report itself.

Note: The reports view has the time interval selector and refresh options located on the top of the page. You can use these filters to adjust the view as per your need.

• The Traffic Usage monitoring view loads the Interface List page by default and shows traffic usage for backbone interfaces utilized for your DDoS mitigation protection. The interface list is a table showing interfaces with each row having interface name, outbound traffic, and inbound traffic columns.

• The inbound and outbound traffic are shown as graphs. Place the mouse pointer on anywhere on the graph of an interface to view the traffic in bits per second (bps) on the date of mouse pointer placement for that interface.

Figure: Traffic Usage by Interfaces

• Click anywhere on the inbound or outbound traffic graph of a specific interface to switch to their respective pages filtered to display data for that interface.

• Click on the Outbound Traffic monitoring view to view the outbound traffic graph for all the interfaces. Switch between the BPS and PPS tabs to display the graph in bits per second or packets per second measurements.

• Switch between Area Chart or Line Chart drop-down located on the top right of the graph to change the chart accordingly.

• Place the mouse pointer on anywhere on the graph to view the traffic in bits per second (bps) on the date of mouse pointer placement.

Figure: Traffic Usage by Outbound Interfaces

• Select or unselect interfaces on the right side of the graph to filter the graph to show information for specific interface(s).

• Click on the Inbound Traffic monitoring view to view the inbound traffic graph for all the interfaces. Switch between the BPS and PPS tabs to display the graph in bits per second or packets per second measurements.

• Switch between Area Chart or Line Chart drop-down located on the top right of the graph to change the chart accordingly.

• Place the mouse pointer on anywhere on the graph to view the traffic in bits per second (bps) on the date of mouse pointer placement.

• Select or unselect interfaces on the right side of the graph to filter the graph to show information for specific interface(s).