DDoS Protection

Distributed Denial of Service (DDoS) attacks threaten businesses with downtime that can damage their brand and even lead to financial losses. With the many IoT device-powered botnets and for-hire DDoS services, the threat of an attack is greater than ever. F5 provides DDoS protection that makes sense for your architecture.

Under Attack? Call (866) 329-4253 or +1 (206) 272-7969

Volumetric

Attacks that consume all available bandwidth across the network link that connects an application to the Internet or other networks. 

Application

Attacks that mimic legitimate application requests but attempt to overload web server resources such as CPU or memory. 

Computational

Attacks that attempt to exhaust infrastructure resources, such as firewall state tables, leading to crashing or degraded performance.

DDOS ATTACKS

Explore the different app tiers to find out how different DDoS attacks target each part of the app.

App Services

HTTP Flood

In an HTTP flood, the attacker exploits seemingly legitimate HTTP GET or POST requests to attack a web server or application. These attacks typically consume less bandwidth than others but focus on triggering complex server-side processing to bring down the targeted site or app. HTTP floods can sometimes trigger responses from web servers that turn the flood into a pipe-saturating volumetric attack.

Slowloris

Slowloris works by opening multiple connections to a web server and sending HTTP requests, none of which are ever completed. Periodically, the attacker sends subsequent HTTP headers for each request, but never actually completes the request. Ultimately, the target server’s maximum concurrent connection pool is filled and legitimate connections are denied.

Heavy URL

During the reconnaissance phase, an attacker will map out the most computationally expensive URLs on a site or application, also known as heavy URLs. Heavy URLs include any URL causing greater server load upon request. The initial HTTP request is relatively small but can take a long time to complete or yield large response sizes. These requests can require the server to load multiple large files or run resource-intensive database queries.

Slow Post

An attacker begins by sending a legitimate HTTP POST request to a web server, in which the header specifies the exact size of the message body that will follow. However, that message body is then sent at an extremely slow rate. Because the message is technically correct and complete, the targeted server attempts to follow all specified rules. If an attacker establishes enough of these POST attacks simultaneously, they consume server resources to the extent that legitimate requests are denied.
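The Slowloris and Slow Post patterns described above can both be recognized from per-connection timing. The following is an added detection sketch, not F5 code; the `Conn` fields, thresholds and sample connections are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Conn:
    """Snapshot of one in-flight HTTP connection (constructed fields)."""
    client: str
    age_s: float          # seconds since the TCP connection was accepted
    headers_done: bool    # the blank line ending the header block has arrived
    content_length: int   # declared body size, 0 if none
    body_received: int    # body bytes received so far

# Assumed thresholds; tune them to the slowest legitimate clients you serve.
HEADER_DEADLINE_S = 10.0   # the full header block must arrive within this time
BODY_GRACE_S = 5.0         # do not judge the body rate before this age
MIN_BODY_RATE_BPS = 500.0  # minimum average body rate, bytes per second

def classify(c):
    """Return 'slowloris', 'slow_post' or 'ok' for one connection."""
    if not c.headers_done:
        # Headers still trickling in long after a normal client would finish.
        return "slowloris" if c.age_s > HEADER_DEADLINE_S else "ok"
    remaining = c.content_length - c.body_received
    if remaining > 0 and c.age_s > BODY_GRACE_S:
        # Average rate over the connection lifetime (header time included).
        if c.body_received / c.age_s < MIN_BODY_RATE_BPS:
            return "slow_post"
    return "ok"

def offenders(conns, per_client_limit=2):
    """Clients holding more than per_client_limit slow connections."""
    counts = {}
    for c in conns:
        verdict = classify(c)
        if verdict != "ok":
            per_client = counts.setdefault(c.client, {})
            per_client[verdict] = per_client.get(verdict, 0) + 1
    return {ip: v for ip, v in counts.items()
            if sum(v.values()) > per_client_limit}

# Constructed sample: one client never finishes its headers, one trickles
# POST bodies, and one is an ordinary fast upload plus a fresh connection.
SAMPLE = (
    [Conn("198.51.100.7", 45.0, False, 0, 0) for _ in range(4)]
    + [Conn("203.0.113.9", 60.0, True, 100_000, 120) for _ in range(3)]
    + [Conn("192.0.2.10", 8.0, True, 2_000_000, 1_500_000),
       Conn("192.0.2.10", 2.0, False, 0, 0)]
)

if __name__ == "__main__":
    print(offenders(SAMPLE))
```

The same two deadlines, enforced by the server as header and body read timeouts, free the connection slot instead of only reporting it.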

Access

Brute-Force Login Attack

An attacker tries multiple username and password combinations, often using a dictionary of words or commonly used passwords to gain unauthorized access to an application or website.

A common mitigation is to temporarily lock out user accounts with multiple failed login attempts. However, this can result in a denial of service for those affected accounts.
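One way to avoid the lockout side effect noted above is to back off per (account, source) pair rather than lock the account for everyone. This is an added example, not F5 code; the class name, parameters and the simulated attempts are constructed assumptions.

```python
class LoginThrottle:
    """Back off per (account, source) instead of locking the whole account."""

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=300.0):
        self.free_attempts = free_attempts  # failures allowed with no delay
        self.base_delay = base_delay        # first delay, doubled per failure
        self.max_delay = max_delay          # upper bound on any single delay
        self._state = {}  # (account, source) -> (failures, blocked_until)

    def attempt(self, account, source, password_ok, now):
        """Return 'throttled', 'ok' or 'failed' for one login attempt."""
        key = (account, source)
        failures, blocked_until = self._state.get(key, (0, 0.0))
        if now < blocked_until:
            return "throttled"              # refused before any password check
        if password_ok:
            self._state.pop(key, None)      # success clears only this pair
            return "ok"
        failures += 1
        over = failures - self.free_attempts
        delay = 0.0
        if over > 0:
            delay = min(self.max_delay, self.base_delay * 2 ** (over - 1))
        self._state[key] = (failures, now + delay)
        return "failed"

def simulate():
    """Constructed scenario: one source fails once per second for a minute
    against 'alice' while the account owner signs in from another address."""
    throttle = LoginThrottle()
    results = [throttle.attempt("alice", "198.51.100.7", False, float(t))
               for t in range(60)]
    owner = throttle.attempt("alice", "192.0.2.10", True, 30.0)
    return results.count("failed"), results.count("throttled"), owner

if __name__ == "__main__":
    print(simulate())
```

Per-source state needs an account-wide companion signal (for example a step-up challenge, not a lock) to cover guessing that is distributed across many sources.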
 

TLS

SSL Renegotiation

This attack takes advantage of an asymmetric workload by requesting a secure connection, and then continuously renegotiating it. This requires a lot of CPU power from the server and can slow current or new connections or even take down the server.

SSL Flood

Attackers send numerous TLS/SSL connection requests with the client never closing the connection. Once the concurrent connection limit is reached, the TLS termination point stops processing traffic, including legitimate requests.

SSL Squeeze

A variant of an SSL renegotiation attack, the squeeze attack continuously attempts to renegotiate the connection handshake, forcing the server to decrypt “junk” requests.

Typical renegotiation attacks multiplex SSL handshakes, which can be mitigated by disabling renegotiation on the server. However, SSL squeeze opens new TCP connections for each request, eventually consuming I/O.

DNS

DNS Flood

DNS servers rely on UDP for name resolution, which, unlike TCP, is connectionless. Because UDP does not require confirmation that packets have been received, spoofing is easily accomplished.

This scripted botnet attack attempts to overwhelm server resources, ultimately affecting the DNS servers’ ability to direct legitimate requests. The attack can consist of valid UDP traffic from multiple sources or randomized packet data. This helps the attack evade basic DDoS protection techniques like IP filtering.
 

NXDomain Flood

In this variant of the DNS flood, an attacker floods the DNS server with requests for invalid or nonexistent records. The DNS server then spends its resources looking for something that doesn't exist instead of serving legitimate requests. The result is that the cache on the DNS server gets filled with bad requests and clients can't find the servers they’re looking for.
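Because source addresses in a DNS flood can be spoofed, an NXDomain flood is easier to spot per zone than per client. The following added example (not F5 code) scores a query log by NXDOMAIN ratio per zone and time window; the log format, thresholds and sample traffic are constructed assumptions.

```python
from collections import defaultdict

WINDOW_S = 10          # assumed bucket width in seconds
MIN_QUERIES = 20       # ignore buckets too small to judge
NX_RATIO_ALERT = 0.75  # assumed alert threshold

def parse(line):
    """Parse 'epoch client qname rcode' (a constructed log format)."""
    ts, client, qname, rcode = line.split()
    return int(ts), client, qname.rstrip(".").lower(), rcode

def zone_of(qname):
    """Naive parent zone: last two labels (assumption, no public-suffix list)."""
    return ".".join(qname.split(".")[-2:])

def nx_alerts(lines):
    """Return (window_start, zone, queries, nx_ratio, unique_names) tuples
    for every bucket whose NXDOMAIN ratio reaches the alert threshold."""
    buckets = defaultdict(lambda: {"total": 0, "nx": 0, "names": set()})
    for line in lines:
        ts, _client, qname, rcode = parse(line)
        # Key on the zone, not the client: flood sources may be spoofed.
        b = buckets[(ts - ts % WINDOW_S, zone_of(qname))]
        b["total"] += 1
        b["names"].add(qname)
        if rcode == "NXDOMAIN":
            b["nx"] += 1
    alerts = []
    for (start, zone), b in sorted(buckets.items()):
        ratio = b["nx"] / b["total"]
        if b["total"] >= MIN_QUERIES and ratio >= NX_RATIO_ALERT:
            alerts.append((start, zone, b["total"], round(ratio, 2),
                           len(b["names"])))
    return alerts

def sample_log():
    """Constructed traffic: steady valid lookups plus a burst of
    never-repeating names in the second window."""
    lines = []
    for i in range(30):
        lines.append(f"{1700000000 + i} 192.0.2.{i % 5 + 1} "
                     "www.example.com NOERROR")
    for i in range(40):
        lines.append(f"{1700000010 + i % 10} 198.51.100.{i % 50} "
                     f"x{i:04d}.example.com NXDOMAIN")
    return lines

if __name__ == "__main__":
    for alert in nx_alerts(sample_log()):
        print(alert)
```

A high count of unique names in the alerting bucket indicates that the resolver cache cannot absorb the load, which matches the cache-filling effect described above.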

DNS Amplification

DNS amplification is a type of reflection attack that manipulates vulnerable internet-facing DNS servers, causing them to flood an internet resource with an influx of large UDP packets.

An attacker-controlled botnet is scripted to send small, but specially formed, DNS queries to any publicly available DNS resolver. This elicits a disproportionate response from the DNS resolver. The packet headers also include a spoofed IP address, the IP address of the DDoS target. Upon receiving the query, the open DNS resolvers provide an extremely large response to the target of the attack, which eventually consumes the bandwidth of the internet resource.
 

Network

SYN Flood

Every client-server conversation begins with a standard three-way handshake. The client sends a SYN packet, the server responds with a SYN-ACK, and the TCP connection is established with a final client ACK. In a SYN flood attack the client sends massive numbers of SYN requests, and never responds to the SYN-ACK messages from the server.

This leaves the server with open connections waiting for responses from the client. Each of these half-open connections is tracked in the TCP connection table, eventually filling the table and blocking additional connection attempts, legitimate or otherwise.
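The table exhaustion described above is what SYN cookies avoid: the server encodes the handshake state in its own initial sequence number and stores nothing until a valid ACK returns. The following is an added, simplified model, not F5 code and not the exact kernel bit layout; the key, backlog size and addresses are constructed.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: a random per-boot key in practice
BACKLOG = 8                       # constructed, tiny half-open table for the demo

def cookie(src, sport, dst, dport, client_isn, epoch):
    """Server ISN derived from the 4-tuple, client ISN and a coarse time epoch."""
    msg = f"{src}|{sport}|{dst}|{dport}|{client_isn}|{epoch}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")

def ack_valid(src, sport, dst, dport, client_isn, ack, epoch):
    """Stateless check of the final ACK: ack - 1 must equal a recent cookie.
    The ACK segment carries client_isn + 1, so client_isn is recoverable."""
    echoed = (ack - 1) % 2**32
    return any(echoed == cookie(src, sport, dst, dport, client_isn, e)
               for e in (epoch, epoch - 1))

def run(flood_size=100, epoch=7):
    """Compare a fixed backlog with cookie validation on constructed traffic."""
    server = ("203.0.113.5", 443)
    spoofed = [(f"198.51.100.{i % 250}", 1024 + i, 1000 + i)
               for i in range(flood_size)]
    legit = ("192.0.2.10", 50000, 424242)

    # 1) Stateful backlog: spoofed SYNs arrive first and never complete,
    #    so the legitimate SYN finds no free slot.
    half_open = []
    for src, sport, _isn in spoofed + [legit]:
        if len(half_open) < BACKLOG:
            half_open.append((src, sport))
    legit_in_backlog = (legit[0], legit[1]) in half_open

    # 2) Cookies: every SYN gets a SYN-ACK, but no entry is stored.
    src, sport, isn = legit
    server_isn = cookie(src, sport, *server, isn, epoch)
    legit_ok = ack_valid(src, sport, *server, isn,
                         (server_isn + 1) % 2**32, epoch)
    forged_ok = ack_valid(src, sport, *server, isn, 12345, epoch)
    return legit_in_backlog, len(half_open), legit_ok, forged_ok

if __name__ == "__main__":
    print(run())
```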
 

Memcached Amplification

An amplification attack is a type of reflection attack that takes advantage of the ability to send small spoofed packets to services that, as part of their normal operation, will reply to the target with a much larger response.

Memcached is a database caching system for speeding up websites and networks. Attackers can spoof requests to a vulnerable internet-facing memcached server, which then floods a target with traffic, potentially overwhelming their resources. While the target’s infrastructure is overloaded, new requests can’t be processed and regular traffic can’t access the Internet resource, resulting in denial-of-service.

Other types of amplification attacks include NTP, SSDP, SNMPv2, CharGEN, QOTD, and more.
 

UDP Flood

UDP is a standard communication protocol across IP networks. Because UDP packets are stateless, they require less error checking and validation in contrast to TCP. A UDP flood attack attempts to overload a server with requests by saturating the connection tables on every accessible server port.

Filling the connection table with these requests prevents legitimate requests from being processed.
 

IP Fragmentation

IP fragmentation is a process established by design of the IP protocol that breaks packets or datagrams into smaller fragments, so they can pass through network links that have a smaller maximum transmission unit (MTU) limit. The host or stateful security device receiving the fragments reassembles them into the original datagram. The IP header of each fragment tells the receiver how to reassemble the datagram.

These attacks come in various forms, but all variations attempt to use fragmentation to overwhelm the target server or network node.
 

WHAT DEFENSE MAKES SENSE?

When considering what protection model is best for your business, think about ease of deployment based on where your applications are hosted—in the cloud, on-premises, or a mix of both. Also consider your number of in-house experts and the level of hands-on management you prefer. Your solution can evolve over time as Application Infrastructure Protection needs change.

ON-PREMISES

Maintain direct control of DDoS mitigation by owned and operated devices but remain vulnerable to large attacks that overwhelm bandwidth capacity.

CLOUD-BASED

All traffic flows through F5 Silverline with 24x7 expert monitoring and mitigation of attacks.

HYBRID

Retain control of mitigation timing and techniques but have automated on-demand help from F5 Silverline for the large, bandwidth-consuming attacks. 

DDoS Solutions

F5 provides seamless, flexible, and easy-to-deploy solutions that enable a fast response, no matter what type of DDoS attack you’re under.

PROTECT APP INFRASTRUCTURE

Protect the network, DNS, and TLS

Your network, DNS, and TLS aren’t often thought of as a part of an application. But DoS or DDoS attacks against these tiers can render your networks, applications, or other supporting infrastructure inaccessible. Our DDoS protection solutions will ensure attacks against these tiers won’t introduce performance degradation or downtime.

DDoS Protection Products

F5’s suite of DDoS products offers comprehensive protection and easily fits into the environment that makes sense for your organization.

DDoS Hybrid Defender (DHD)

A hardware solution that protects against blended network attacks and sophisticated application attacks, while enabling full SSL decryption, anti-bot capabilities, and advanced detection methods—all in one appliance. DDoS Hybrid Defender also provides an option for automated upstream signaling to scrub bad traffic before it reaches your data center.

Silverline DDoS Protection

Silverline DDoS Protection is a fully managed, cloud-based protection service that detects and mitigates large-scale, SSL/TLS, or application-targeted attacks in real time.
 

Managing your solution

F5 offers several options for managing your DDoS solution. Several factors, like where the app is hosted and the number of in-house technical experts you have, can help you decide what’s right for your organization.
 

CLOUD-BASED MANAGED SERVICE

A cloud-based scrubbing service, managed by F5 DDoS experts. This service detects and mitigates large-scale attacks targeted at layers 3-7, returning clean traffic to your site or application.

ON-PREMISES HARDWARE

An appliance for your on-premises or colocated data center that gives you direct control over DDoS attack mitigation.

HYBRID

An on-premises appliance, giving you control over DDoS attack mitigation. For bandwidth-saturating volumetric attacks that can’t be handled by an on-premises solution, the appliance automatically signals our fully managed upstream cloud-based scrubbing service to take over mitigation.
 

Deploying your solution

F5 DDoS solutions are available in several deployment options, so architecture changes aren’t required to mitigate DDoS attacks.

Need help deploying your F5 solution?

Contact F5: 1-888-882-7535

CLOUD-BASED: ALWAYS ON

A managed service that continuously processes all traffic through Silverline cloud-scrubbing services, returning only clean traffic to your site or application.

CLOUD-BASED: ALWAYS AVAILABLE

A cloud-based managed service that’s pre-configured for your systems and runs on standby. Mitigation can be initiated when under attack.

ON-PREMISES: INLINE

Deploy your on-premises DDoS mitigation appliance inline to all traffic, so that it’s positioned to immediately analyze anomalous traffic and block it if necessary.

ON-PREMISES: OUT OF PATH

Deploy your DDoS mitigation appliance out of path of traffic to ensure traffic traverses the fewest devices possible. When an attack is recognized, your appliance signals your router to re-route traffic through the DDoS mitigation appliance to prevent any service degradation. As the attack subsides, traffic flow will return to its normal path.

 

How To Buy

SUBSCRIPTION

Specify the number of instances you need and sign up for a 1-, 2-, or 3-year term that includes maintenance and support for updates.

PERPETUAL

Determine the number of instances you need and set up a licensing agreement. Perpetual licenses extend for the lifetime of the product and are available by individual service or in bundles.

ENTERPRISE LICENSE AGREEMENT (ELA)

Available in 1-, 2-, or 3-year terms, ELAs offer flexibility for large organizations to spin virtual instances up or down as needed. Product maintenance and support are included.

PROTECT APPLICATIONS

Layer 7 attacks are much more common in today’s threat landscape. Attackers are increasingly using low-and-slow attacks that target an application’s compute power to degrade performance or bring down an application. These attacks avoid network-level detection and are often unique to a particular application.
