DDoS Protection
Distributed Denial of Service (DDoS) attacks threaten businesses with downtime that can damage their brand and even lead to financial losses. With the many IoT device-powered botnets and for-hire DDoS services, the threat of an attack is greater than ever. F5 provides DDoS protection that makes sense for your architecture.
Under Attack? Call (866) 329-4253 or +1 (206) 272-7969
Volumetric
Attacks that consume all available bandwidth across the network link that connects an application to the Internet or other networks.
Application
Attacks that mimic legitimate application requests but attempt to overload web server resources such as CPU or memory.
Computational
Attacks that attempt to exhaust infrastructure resources, such as firewall state tables, leading to crashing or degraded performance.
DDOS ATTACKS
Explore the different app tiers to find out how different DDoS attacks target each part of the app.
HTTP Flood
In an HTTP flood, the attacker exploits seemingly legitimate HTTP GET or POST requests to attack a web server or application. These attacks typically consume less bandwidth than others but focus on triggering complex server-side processing to bring down the targeted site or app. HTTP floods can sometimes trigger responses from web servers that can turn it into a pipe-saturating volumetric attack.
Slowloris
Slowloris works by opening multiple connections to a web server and sending HTTP requests, none of which are ever completed. Periodically, the attacker sends subsequent HTTP headers for each request, but never actually completes the request. Ultimately, the target server’s maximum concurrent connection pool is filled and legitimate connections are denied.
Heavy URL
During the reconnaissance phase, an attacker will map out the most computationally expensive URLs on a site or application, also known as heavy URLs. Heavy URLs include any URL causing greater server load upon request. The initial HTTP request is relatively small but can take a long time to complete or yield large response sizes. These requests can require the server to load multiple large files or run resource-intensive database queries.
Slow Post
An attacker begins by sending a legitimate HTTP POST request to a web server, in which the header specifies the exact size of the message body that will follow. However, that message body is then sent at an extremely slow rate. Because the message is technically correct and complete, the targeted server attempts to follow all specified rules. If an attacker establishes enough of these POST attacks simultaneously, they consume server resources to the extent legitimate requests are denied.
Brute-Force Login Attack
An attacker tries multiple username and password combinations, often using a dictionary of words or commonly used passwords to gain unauthorized access to an application or website.
A common mitigation is to temporarily lock out user accounts with multiple failed login attempts. However, this can result in a denial of service for those affected accounts.
SSL Renegotiation
This attack takes advantage of an asymmetric workload by requesting a secure connection, and then continuously renegotiating it. This requires a lot of CPU power from the server and can slow current or new connections or even take down the server.
SSL Flood
Attackers send numerous TLS/SSL connection requests with the client never closing the connection. Once the concurrent connection limit is reached, the TLS termination point stops processing traffic, including legitimate requests.
SSL Squeeze
A variant of an SSL renegotiation attack, the squeeze attack continuously attempts to renegotiate the connection handshake, forcing the server to decrypt “junk” requests.
Typical renegotiation attacks multiplex SSL handshakes, which can be mitigated by disabling renegotiation on the server. However, SSL squeeze opens new TCP connections for each request, eventually consuming I/O.
DNS Flood
DNS servers rely on the UDP protocol for name resolution, which (unlike TCP queries) is connectionless. Because confirmation that UDP packets have been received isn’t required, spoofing is easily accomplished.
This scripted botnet attack attempts to overwhelm server resources, ultimately affecting the DNS servers’ ability to direct legitimate requests. The attack can consist of valid UDP traffic from multiple sources or randomized packet data. This helps this attack type evade basic DDoS protection techniques like IP filtering.
NXDomain Flood
A variant of the DNS flood, an attacker floods the DNS server with requests for invalid or nonexistent records. Then, the DNS server spends its resources looking for something that doesn't exist instead of serving legitimate requests. The result is that the cache on the DNS server gets filled with bad requests and clients can't find the servers they’re looking for.
DNS Amplification
DNS amplification is a type of reflection attack that manipulates vulnerable internet facing DNS servers, causing them to flood an internet resource with an influx of large UDP packets.
An attacker-controlled botnet is scripted to send small, but specially formed, DNS queries to any publicly available DNS resolver. This elicits a disproportionate response from the DNS resolver. The packet headers also include a spoofed IP address, the IP address of the DDoS target. Upon receiving the query, the open DNS resolvers provide an extremely large response to the target of the attack, which eventually consumes the bandwidth of the internet resource.
SYN Flood
Every client-server conversation begins with a standard three-way handshake. The client sends a SYN packet, the server responds with a SYN-ACK, and the TCP connection is established with a final client ACK. In a SYN flood attack the client sends massive numbers of SYN requests, and never responds to the SYN-ACK messages from the server.
This leaves the server with open connections waiting for responses from the client. Each of these half-open connections is tracked in the TCP connection table, eventually filling the table and blocking additional connection attempts, legitimate or otherwise.
Memcached Amplification
An amplification attack is a type of reflection attack that takes advantage of the ability to send small spoofed packets to services that, as part of their normal operation, will reply back to the target with a much larger response.
Memcached is a database caching system for speeding up websites and networks. Attackers can spoof requests to a vulnerable internet-facing memcached server, which then floods a target with traffic, potentially overwhelming their resources. While the target’s infrastructure is overloaded, new requests can’t be processed and regular traffic can’t access the Internet resource, resulting in denial-of-service.
Other types of amplification attacks include NTP, SSDP, SNMPv2, CharGEN, QOTD, and more.
UDP Flood
UDP is a standard communication protocol across IP networks. Because UDP packets are stateless, they require less error checking and validation in contrast to TCP. A UDP flood attack attempts to overload a server with requests by saturating the connection tables on every accessible server port.
Filling the connection table with these requests prevents legitimate requests from being processed.
IP Fragmentation
IP fragmentation is a process established by design of the IP protocol that breaks packets or datagrams into smaller fragments, so they can pass through network links that have a smaller maximum transmission unit (MTU) limit. The host or stateful security devices receiving the fragments reassembles them into the original datagram. The packets’ or datagrams’ IP header tells the receiver how to reassemble the datagram.
These attacks come in various forms, but all variations attempt to use fragmentation to overwhelm the target server or network node.
WHAT DEFENSE MAKES SENSE?
When considering what protection model is best for your business think about ease of deployment based on where your applications are hosted—in the cloud, on-premises, or a mix of both. Also consider your number of in-house experts and the level of hands-on management you prefer. Your solution can evolve over time as Application Infrastructure Protection needs change.
ON-PREMISES
Maintain direct control of DDoS mitigation by owned and operated devices but remain vulnerable to large attacks that overwhelm bandwidth capacity.
CLOUD-BASED
All traffic flows through F5 Silverline with 24x7 expert monitoring and mitigation of attacks.
HYBRID
Retain control of mitigation timing and techniques but have automated on-demand help from F5 Silverline for the large, bandwidth-consuming attacks.
DDoS Solutions
F5 provides seamless, flexible, and easy-to-deploy solutions that enable a fast response, no matter what type of DDoS attack you’re under.
PROTECT APP INFRASTRUCTURE
Protect the network, DNS, and TLS
Your network, DNS, and TLS aren’t often thought of as a part of an application. But DoS or DDoS attacks against these tiers can render your networks, applications, or other supporting infrastructure inaccessible. Our DDoS protection solutions will ensure attacks against these tiers won’t introduce performance degradation or downtime.
DDoS Protection Products
F5’s suite of DDoS products offers comprehensive protection and easily fits into the environment that makes sense for your organization.
DDoS Hybrid Defender (DHD) >
A hardware solution that protects against blended network attacks and sophisticated application attacks, while enabling full SSL decryption, anti-bot capabilities, and advanced detection methods—all in one appliance. DDoS Hybrid Defender also provides an option for automated upstream signaling to scrub bad traffic before it reaches your data center.
Silverline DDoS Protection >
Silverline DDoS Protection is a fully managed, cloud-based protection service that detects and mitigates large-scale, SSL/TLS, or application-targeted attacks in real time.
Managing your solution
F5 offers several options for managing your DDoS solution. Several factors, like where the app is hosted and the number of in-house technical experts you have, can help you decide what’s right for your organization.
CLOUD-BASED MANAGED SERVICE
A cloud-based scrubbing service, managed by F5 DDoS experts. This service detects and mitigates large-scale attacks targeted at layers 3-7, returning clean traffic to your site or application.
ON-PREMISES HARDWARE
An appliance for your on-premises or collocated data-center that gives you direct control over DDoS attack mitigation.
HYBRID
An on-premises appliance, giving you control over DDoS attack mitigation. For bandwidth saturating volumetric attacks that can’t be handled by an on-premises solution, the appliance automatically signals our fully managed upstream cloud-based scrubbing service to take over mitigation.
Deploying your solution
F5 DDoS solutions are available in several deployment options, so architecture changes aren’t required to mitigate DDoS attacks.
Need help deploying your F5 solution?
Contact F5: 1-888-882-7535
CLOUD-BASED: ALWAYS ON
A managed service that continuously processes all traffic through Silverline cloud-scrubbing services, returning only clean traffic to your site or application.
CLOUD-BASED: ALWAYS AVAILABLE
A cloud-based. managed service that’s pre-configured for your systems and runs on standby. Mitigation can be initiated when under attack.
ON-PREMISES: INLINE
Deploy your on-premises DDoS mitigation appliance inline to all traffic, so that it’s positioned to immediately analyze anomalous traffic and block it if necessary.
ON-PREMISES: OUT OF PATH
Deploy your DDoS mitigation appliance out of path of traffic to ensure traffic traverses the fewest devices possible. When an attack is recognized, your appliance signals your router to re-route traffic through the DDoS mitigation appliance to prevent any service degradation. As the attack subsides, traffic flow will return to its normal path.
How To Buy
SUBSCRIPTION
Specify the number of instances you need and sign up for a 1-, 2-, or 3-year term that includes maintenance and support for updates.
PERPETUAL
Determine the number of instances you need and set up a licensing agreement. Perpetual licenses extend for the lifetime of the product and are available by individual service or in bundles.
ENTERPRISE LICENSE AGREEMENT (ELA)
Available in 1-, 2-, or 3-year terms, ELAs offer flexibility for large organizations to spin virtual instances up or down as needed. Product maintenance and support are included.
PROTECT APPLICATIONS
Layer 7 attacks are much more common in today’s threat landscape. Attackers are increasingly using low-and-slow attacks that target an application’s compute power to degrade performance or bring down an application. These attacks avoid network-level detection and are often unique to a particular application.
DDoS Protection Products
F5’s suite of DDoS products offers comprehensive protection and easily fits into the environment that makes sense for your organization.
DDoS Hybrid Defender (DHD) >
A hardware solution that protects against blended network attacks and sophisticated application attacks, while enabling full SSL decryption, anti-bot capabilities, and advanced detection methods—all in one appliance. DDoS Hybrid Defender also provides an option for automated upstream signaling to scrub bad traffic before it reaches your data center.
Silverline DDoS Protection >
Silverline DDoS Protection is a fully managed, cloud-based protection service that detects and mitigates large-scale, SSL/TLS, or application-targeted attacks in real time.
Managing your solution
F5 offers several options for managing your DDoS solution. Several factors, like where the app is hosted and the number of in-house technical experts you have, can help you decide what’s right for your organization.
CLOUD-BASED MANAGED SERVICE
A cloud-based scrubbing service, managed by F5 DDoS experts. This service detects and mitigates large-scale attacks targeted at layers 3-7, returning clean traffic to your site or application.
ON-PREMISES HARDWARE
An appliance for your on-premises or collocated data-center that gives you direct control over DDoS attack mitigation.
HYBRID
An on-premises appliance, giving you control over DDoS attack mitigation. For bandwidth saturating volumetric attacks that can’t be handled by an on-premises solution, the appliance automatically signals our fully managed upstream cloud-based scrubbing service.
Deploying your Solution
F5 DDoS solutions are available in several deployment options, so architecture changes aren’t required to mitigate DDoS attacks.
Need help deploying your F5 solution?
Contact F5: 1-888-882-7535
CLOUD-BASED: ALWAYS ON
A cloud-based managed service that continuously processes all traffic through Silverline cloud-scrubbing services, returning only clean traffic to your site or application.
CLOUD-BASED: ALWAYS AVAILABLE
A cloud-based managed service that’s pre-configured for your systems and runs on standby. Mitigation can be initiated when under attack.
ON-PREMISES: INLINE
Deploy your on-premises DDoS mitigation appliance inline to all traffic, so that it’s positioned to immediately analyze anomalous traffic and block it if necessary.
ON-PREMISES: OUT OF PATH
Deploy your DDoS mitigation appliance out of path of traffic to ensure traffic traverses the fewest devices possible. When an attack is recognized, your appliance signals your router to re-route traffic through the DDoS mitigation appliance to prevent any service degradation. As the attack subsides, traffic flow will return to its normal path.
How To Buy
SUBSCRIPTION
Specify the number of instances you need and sign up for a 1-, 2-, or 3-year term that includes maintenance and support for updates.
PERPETUAL
Determine the number of instances you need and set up a licensing agreement. Perpetual licenses extend for the lifetime of the product and are available by individual service or in bundles.
ENTERPRISE LICENSE AGREEMENT (ELA)
Available in 1-, 2-, or 3-year terms, ELAs offer flexibility for large organizations to spin virtual instances up or down as needed. Product maintenance and support are included.
