Written by Tim Cullen, CISSP, F5-CTS
Senior Security Architect at ADAPTURE

Many of our clients have expressed interest in learning more about the latest F5 offering: F5 iSeries. I gave a high-level overview of the new product line in a recent post, and reviewed the associated solution F5 Herculon: SSL Orchestrator in Part 1 of this series. This post will review the second Herculon release—Hybrid DDoS protection.

Elimination of Manual Intervention

Usually DDoS protection from F5 is by way of its Silverline solution.  This is a cloud-based solution.  A company needs to route traffic to the Silverline SOC for protection against a DDoS attack.  With Herculon, the company can protect its system locally and use the Silverline cloud protection as the load increases beyond the device’s capacity.  The Herculon directs and protects traffic dynamically without the need of manual intervention.

What is a DDoS Attack?

But I am getting ahead of myself here.  To understand the advantages, let’s quickly discuss a DDoS attack and its purpose.  A Distributed Denial of Service attack is taking a Denial of Service attack and making it come from many other places all at the same time.  The goal is to not bring down a service, per se’.  The goal is to completely block anyone from being able to visit your site.  Your services could still be running and be minimally impacted by the attack, but your inbound link would be saturated and therefore unpassable.

Attack types vary and can be difficult to catch until it is too late.  Valid connection requests, SSL communications, and application or service vulnerabilities are all methods by which attackers attempt to disrupt your service.   You need a DDoS device that can inspect traffic and automatically trigger protections when an attack begins, while still allowing valid traffic to continue through.

F5’s DDoS Hybrid Defender: Decrypting SSL Requests

All F5 appliances can conduct SSL offload. It is part of the base code architecture. Adding this to a DDoS solution means you can now intelligently and contextually determine what is an attack and what is not.  For example, I had a customer that had an attack coming in and they had no idea.  The reason no one knew the attack was going on was because the attack was formatted as a flood of HTTP /GET requests.  This is a valid request to a webserver and would not normally trigger a protection device.  It was also to an SSL website, so even the firewall and IPD devices did not catch what was happening.  The only way the customer knew what was happening was the fact that the webserver traffic increased dramatically, and their internet connection became extremely slow.  While looking at the website’s log files I noticed a lot of /GET requests but nothing further.  Unfortunately, there was not a device that would enable the inspection or blocking of bad requests while letting good requests come in.  We ended up having to block everyone until the attack passed.

With F5’s DDoS Hybrid Defender, we would have been able to decrypt the SSL requests and identify/limit the attack locally, while allowing the good requests to connect.  If the attack had grown to a volumetric attack, then the onsite DDoS Hybrid defender appliance could have redirected the traffic to the Silverline cloud for scrubbing bad requests and releasing good requests.  This move also alleviates the attack load on the local inbound connection to the internet, because the traffic has to traverse the Silverline Cloud service before being routed to the webserver.

By introducing an appliance locally on the network that can accept and process large amounts of data, decrypt at wirespeed, throttle DoS attacks and redirect volumetric attacks away from your site, you have created a truly scalable and automated DDoS protection profile.

If you missed part 1 of this two-part post, click here to read: Part 1 – F5 Herculon: SSL Orchestrator

Categories: Cloud, DDoS, Security