Initial commit of class 4 - Flowmon Integrated Out-of-path DDoS (#6)
Showing 36 changed files with 363 additions and 0 deletions.
@@ -0,0 +1,11 @@ | ||
Flowmon Integrated Out-of-path DDoS Solution | ||
============================================ | ||
|
||
.. toctree:: | ||
:maxdepth: 2 | ||
:numbered: | ||
:caption: Contents: | ||
:glob: | ||
|
||
intro* | ||
module*/module* |
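Review bot: the ``:numbered:`` option combined with ``:glob:`` on ``module*/module*`` means section numbers follow the alphabetical sort of the matched paths, so a future ``module10`` directory would be numbered before ``module2``; if more modules are planned, either list the module index files explicitly or zero-pad the directory names. The ``intro*`` pattern has the same ordering dependency if more than one intro file is added.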
@@ -0,0 +1,69 @@ | ||
Getting Started | ||
--------------- | ||
|
||
Please follow the instructions provided by the instructor to start your | ||
lab and access your jump host. | ||
|
||
.. NOTE:: | ||
All work for this lab will be performed exclusively from the Windows | ||
jumphost. No installation or interaction with your local system is | ||
required. | ||
|
||
Lab Topology | ||
~~~~~~~~~~~~ | ||
|
||
The following components have been included in your lab environment: | ||
|
||
- 1 x F5 BIG-IP AFM VE (v13.1.0.6) | ||
- 2 x vyOS routers (v1.1.8) | ||
- 1 x Flowmon Collector (v9.01.04)/DDoS Defender (v4.01.00) | ||
- 1 x Webserver (Ubuntu 16.04) | ||
- 1 x Jumphost (Windows 7) | ||
- 1 x Attacker (Ubuntu 16.04) | ||
|
||
Lab Components | ||
^^^^^^^^^^^^^^ | ||
|
||
The following table lists VLANS, IP Addresses and Credentials for all | ||
components: | ||
|
||
.. list-table:: | ||
:widths: 20 40 40 | ||
:header-rows: 1 | ||
:stub-columns: 1 | ||
|
||
* - **Component** | ||
- **VLAN/IP Address(es)** | ||
- **Connection Type, Credentials** | ||
* - Jumphost | ||
- - **Management:** 10.1.1.199 | ||
- **Users:** 10.1.10.30 | ||
- **Internal:** 10.1.20.30 | ||
- **Servers:** 10.1.30.30 | ||
- RDP ``external_user``/``P@ssw0rd!`` | ||
* - BIG-IP AFM | ||
- - **Management:** 10.1.1.7 | ||
- **Internal:** 10.1.20.245 | ||
- TMUI ``admin``/``admin`` | ||
* - Flowmon Collector/DDoS Defender | ||
- - **Management:** 10.1.1.9 | ||
- **Internal:** 10.1.20.10 | ||
- TMUI ``admin``/``admin`` | ||
* - Router 1 | ||
- - **Management:** 10.1.1.10 | ||
- **Users:** 10.1.10.243 | ||
- **Internal:** 10.1.20.243 | ||
- ssh ``vyos``/``vyos`` | ||
* - Router 2 | ||
- - **Management:** 10.1.1.11 | ||
- **Users:** 10.1.10.244 | ||
- **Internal:** 10.1.20.244 | ||
- ssh ``vyos``/``vyos`` | ||
* - Attacker | ||
- - **Management:** 10.1.1.4 | ||
- **Users:** 10.1.10.100 | ||
- ssh ``f5admin``/``f5admin`` | ||
* - Webserver | ||
- - **Management:** 10.1.1.6 | ||
- **Servers:** 10.1.30.252 | ||
- ssh ``f5admin``/``f5admin`` |
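Review bot: the Flowmon Collector/DDoS Defender row gives ``TMUI`` as the connection type, but TMUI is the BIG-IP management UI; the later lab files refer to the "Flowmon Web interface"/"WebUI", so this row should say WebUI (HTTPS). Two documentation points on the same table: state explicitly that the ``admin``/``admin``, ``vyos``/``vyos`` and ``f5admin``/``f5admin`` logins are throwaway lab defaults that exist only inside the isolated blueprint, and fix "VLANS" to "VLANs" in the sentence introducing the table. Style nit: the "Connection Type, Credentials" header would read better as "Connection Type / Credentials".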
@@ -0,0 +1,50 @@ | ||
Deployment use case | ||
=================== | ||
|
||
A Joint F5 + Flowmon solution is deployed “out-of-path” and provides an | ||
out-of-band DDoS mitigation of L3-4 volumetric DDoS attacks. It’s a | ||
simple and convenient solution that leverages the existing IT | ||
infrastructure to provide traffic flow information. | ||
|
||
Flowmon Collector appliance receives NetFlow/sFlow/IPFIX from edge | ||
routers while Flowmon DDoS Defender uses i/eBGP/Flowspec to route the | ||
traffic to F5 DHD/AFM appliance. F5 DHD/AFM DDoS profile, VS and other | ||
parameters provisioned dynamically through iControl REST. | ||
|
||
|image1| | ||
|
||
`Pic.1 Solution Diagram` | ||
|
||
Lab blueprint setup | ||
=================== | ||
|
||
Lab blueprint is deployed in Oracle Ravello cloud with access from F5 | ||
UDF portal. All Flowmon elements are pre-configured, F5 AFM VE resources | ||
are provisioned and network is configured. | ||
|
||
|image2| | ||
|
||
`Pic.2 Lab blueprint` | ||
|
||
|
||
Licensing | ||
========= | ||
|
||
BIG-IP is licensed automatically. | ||
|
||
Evaluation license has been applied to Flowmon Collector/DDoS Defender. | ||
Please contact Lab admin if there are issues with any lab elements. | ||
|
||
Other considerations | ||
==================== | ||
|
||
.. NOTE:: Router1 is configured to export sFlow with sampling rate of 1 | ||
|
||
.. NOTE:: Learn about sFlow: | ||
|
||
https://sflow.org | ||
|
||
.. |image1| image:: images/image1.png | ||
:scale: 75% | ||
.. |image2| image:: images/image2.png | ||
:scale: 85% |
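Review bot: the second paragraph of "Deployment use case" is missing its verb: "F5 DHD/AFM DDoS profile, VS and other parameters provisioned dynamically through iControl REST" should read "... are provisioned dynamically through iControl REST". In the same paragraph "i/eBGP/Flowspec" would be clearer as "iBGP/eBGP or BGP Flowspec". The sFlow note in "Other considerations" deserves one more sentence: a sampling rate of 1 means Router1 exports every packet (1:1), which is why detection in this lab triggers within seconds; production routers use sampled rates (1:1000 and higher), and the DDoS Defender thresholds must be scaled to the configured rate or attacks are under-counted. Minor: there is a doubled blank line before the "Licensing" heading, and "A Joint F5 + Flowmon solution" should be "The joint F5 + Flowmon solution".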
@@ -0,0 +1,12 @@ | ||
.. _module1: | ||
|
||
Module – Deployment use case and Lab diagram | ||
============================================ | ||
|
||
In this module you will learn about common use-case for AFM/DHD + Flowmon out-of-path DDoS protection solution and explore Lab diagram. | ||
|
||
.. toctree:: | ||
:maxdepth: 1 | ||
:glob: | ||
|
||
lab* |
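Review bot: the intro sentence needs articles and a hyphen check: "learn about common use-case for AFM/DHD + Flowmon out-of-path DDoS protection solution and explore Lab diagram" should read "learn about the common use case for the AFM/DHD + Flowmon out-of-path DDoS protection solution and explore the lab diagram". The en dash in "Module – Deployment use case" is fine in rST but make sure the same character is used in the module2 title for consistency.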
@@ -0,0 +1,51 @@ | ||
Prepare traffic visualization and monitoring | ||
============================================ | ||
|
||
- Connect to Windows jumphost using RDP | ||
|
||
- Open SSH connections to Router1 and Router2 | ||
|
||
- Verify Router1 BGP configuration. Protected subnet ``10.1.30.0/24`` should have a Next Hop defined as Router2 ``10.1.20.244`` | ||
``show ip bgp`` | ||
|
||
|image3| | ||
|
||
- Start interface monitoring in Router1 and Router2 | ||
``monitor interfaces ethernet`` | ||
|
||
|image5| | ||
|image6| | ||
|image4| | ||
|image7| | ||
|
||
- Select *eth1* and press ``g`` to enable graphical statistics | ||
.. NOTE:: You may need to expand terminal window for graphs to appear | ||
|
||
- Open Web Browser and click on `BIG-IP AFM` bookmark, then login into BIG-IP TMUI using ``admin`` credentials | ||
|
||
- Open **DoS Visibility Dashboard** in AFM TMUI | ||
|
||
|image8| | ||
|
||
- In a new Browser tab click on `Flowmon Web interface` bookmark. Once Flowmon main menu opens, click on `Flowmon DDoS Defender` icon and login using ``admin`` credentials | ||
|
||
- Open **Attack List** in Flowmon DDoS Defender WebUI | ||
|
||
|image9| | ||
|
||
.. NOTE:: Disregard any active alarms Flowmon may show in the upper right screen corner. These are artifcts of this lab environment | ||
|
||
.. |image3| image:: images/image3.png | ||
:scale: 60% | ||
.. |image4| image:: images/image4.png | ||
:scale: 55% | ||
.. |image5| image:: images/image5.png | ||
:scale: 55% | ||
.. |image6| image:: images/image6.png | ||
:scale: 55% | ||
.. |image7| image:: images/image7.png | ||
:scale: 55% | ||
.. |image8| image:: images/image8.png | ||
:scale: 60% | ||
.. |image9| image:: images/image9.png | ||
:scale: 50% |
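Review bot: the ``.. NOTE::`` directive placed directly under the "Select *eth1* and press ``g``" bullet has no blank line separating it from the bullet text, so docutils treats it as a continuation of the paragraph and the admonition will not render; insert a blank line before the directive and indent it to the bullet body. The same applies to the ``show ip bgp`` and ``monitor interfaces ethernet`` lines that follow their bullets without a blank line: they render inline rather than as the command the reader is meant to type, so either separate them with a blank line or use a ``::`` literal block. Typo in the last NOTE: "artifcts" should be "artifacts", and "login into BIG-IP TMUI" should be "log in to BIG-IP TMUI".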
@@ -0,0 +1,92 @@ | ||
Initiate DDoS attack | ||
==================== | ||
|
||
Run SYN flood (hping3) from Attacker VM | ||
--------------------------------------- | ||
|
||
- Click on **Attacker SSH** icon to open ``Attacker VM`` ssh session | ||
|
||
- From Attacker VM run SYN flood towards Web server | ||
|
||
``./syn_flood`` | ||
|
||
|image10| | ||
|
||
- Observe traffic growth in both Router1 and Router2. After **15-45 | ||
seconds** traffic will drop in Router2 due to DDoS detection and | ||
mitigation start | ||
|
||
|image11| | ||
|
||
DDoS mitigation start | ||
--------------------- | ||
|
||
An *ACTIVE* attack with the new ID will appear in Flowmon DDoS defender | ||
‘Active attacks’ screen. Flowmon dynamically provisions AFM DDoS profile | ||
and VS, and initiates traffic diversion to AFM using BGP advertisement | ||
|
||
|image12| | ||
|
||
|image13| | ||
|
||
BGP route change and traffic drop | ||
--------------------------------- | ||
|
||
- Router1 shows new route to protected ``10.1.30.0/24`` subnet | ||
|
||
``show ip bgp`` | ||
|
||
|image14| | ||
|
||
- As traffic is being routed through AFM, Router2 shows no significant | ||
network activity while Router1 still experiences high traffic load | ||
|
||
|image15| | ||
|
||
AFM DDoS profile and virtual server | ||
----------------------------------- | ||
|
||
.. NOTE:: Flowmon uses iControl REST interface to provision necessary parameters in AFM | ||
|
||
- In AFM TMUI Navigate to **Security --> DoS protection --> DoS profiles** and confirm that | ||
the DoS profile has been provisioned for the protected subnet | ||
|
||
|image16| | ||
|
||
- In **Local Traffic --> Virtual Servers --> Virtual Server List** confirm that | ||
VS with corresponding Attack ID has been created | ||
|
||
|image17| | ||
|
||
AFM DDoS mitigation | ||
------------------- | ||
|
||
In AFM TMUI navigate to **Security --> DoS Protection --> DoS Overview** and | ||
confirm that AFM is performing DoS mitigation using the provisioned DoS | ||
profile | ||
|
||
|image18| | ||
|
||
.. NOTE:: `Statistics -> DoS Visibility` TMUI menu provides graphical attack data | ||
It may take up to ~5 minutes for DoS Visibility Dashboard to show our simulated DDoS attack. You may need to click `Refresh` for data to appear | ||
|
||
|image26| | ||
|
||
.. |image10| image:: images/image10.png | ||
:scale: 75% | ||
.. |image11| image:: images/image11.png | ||
:scale: 35% | ||
.. |image12| image:: images/image12.png | ||
:scale: 60% | ||
.. |image13| image:: images/image13.png | ||
.. |image14| image:: images/image14.png | ||
.. |image15| image:: images/image15.png | ||
:scale: 60% | ||
.. |image16| image:: images/image16.png | ||
:scale: 50% | ||
.. |image17| image:: images/image17.png | ||
:scale: 50% | ||
.. |image18| image:: images/image18.png | ||
:scale: 60% | ||
.. |image26| image:: images/image26.png | ||
:scale: 85% |
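Review bot: the final ``.. NOTE::`` under "AFM DDoS mitigation" spans two lines, and the second line ("It may take up to ~5 minutes ...") must be indented to the admonition body or docutils will close the directive and emit it as a separate paragraph; as shown it is not. The menu path is written inconsistently ("Security --> DoS protection --> DoS profiles" versus "Security --> DoS Protection --> DoS Overview"); the TMUI labels are capitalized, so use "DoS Protection" and "DoS Profiles" throughout. Documentation point: the section heading says "SYN flood (hping3)" but the step runs an opaque ``./syn_flood`` wrapper; one sentence stating that the script sends hping3 SYN traffic only at the lab webserver on the Servers VLAN (10.1.30.252) would make the expected router graphs understandable. Minor: ``|image13|`` and ``|image14|`` are the only substitutions without a ``:scale:`` option, which is probably unintentional.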
@@ -0,0 +1,66 @@ | ||
Attack stop | ||
=========== | ||
|
||
Stop SYN flood | ||
-------------- | ||
|
||
Press (``Ctrl-C``) to finish the attack. Traffic will drop on Router1 | ||
|
||
|image19| | ||
|
||
.. NOTE:: STOP HERE. It will take 5-10 minutes for Flowmon to mark the attack as `NOT ACTIVE`. This is done in order to avoid 'flip-flop' effect in repeated attack situation | ||
|
||
Mitigation stop | ||
--------------- | ||
|
||
Flowmon DDoS Defender Attack List screen shows the current attack with | ||
status *NOT ACTIVE*. Attack will transition to *ENDED* state when | ||
Flowmon performs *Mitigation Stop* routine | ||
|
||
|image20| | ||
|
||
|image21| | ||
|
||
|image22| | ||
|
||
`\*It typically takes ~ 5min for Flowmon DDoS Defender to update attack | ||
status` | ||
|
||
AFM configuration, BGP route removal | ||
------------------------------------ | ||
|
||
As part of *Mitigation Stop* routine Flowmon removes BGP route from | ||
Router1 and Virtual Server and DDoS Profile from AFM | ||
|
||
``show ip bgp`` | ||
|
||
|image23| | ||
|
||
**In AFM TMUI navigate to Security --> DoS Protection --> DoS Profiles** | ||
|
||
Verify that only default “dos” profile present | ||
|
||
|image24| | ||
|
||
**In AFM TMUI navigate to Local Traffic --> Virtual Servers --> Virtual Server | ||
List** | ||
|
||
Verify that Virtual Server matching Attack ID has been removed | ||
|
||
|image25| | ||
|
||
Congratulations! You have successfully completed the lab! | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
.. |image19| image:: images/image19.png | ||
:scale: 50% | ||
.. |image20| image:: images/image20.png | ||
:scale: 60% | ||
.. |image21| image:: images/image21.png | ||
:scale: 60% | ||
.. |image22| image:: images/image22.png | ||
.. |image23| image:: images/image23.png | ||
.. |image24| image:: images/image24.png | ||
:scale: 60% | ||
.. |image25| image:: images/image25.png | ||
:scale: 60% |
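Review bot: the timing guidance is inconsistent within the file: the NOTE says "It will take 5-10 minutes for Flowmon to mark the attack as NOT ACTIVE", while the italic line below the images says "It typically takes ~ 5min ... to update attack status"; pick one figure (or state both stages explicitly: NOT ACTIVE after the hold-down, ENDED after Mitigation Stop). That italic line is also written as "`\*It typically ...`", an escaped asterisk inside interpreted text that renders as a literal backslash-asterisk; drop the ``\*`` and use a plain paragraph or a ``.. NOTE::``. Grammar: "Verify that only default "dos" profile present" should read "Verify that only the default "dos" profile is present". Content nit: "Attack stop" and the "Congratulations!" heading use different underline characters (``=`` and ``~``), so the congratulation renders as a subsection of "AFM configuration, BGP route removal" rather than a closing section.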
@@ -0,0 +1,12 @@ | ||
.. _module2: | ||
|
||
Module – DDoS Attack | ||
==================== | ||
|
||
In this module you will prepare for and launch a SYN flood DoS attack. You will need an active RDP connection to a Linux Jumphost to perform all necessary prerequisites | ||
|
||
.. toctree:: | ||
:maxdepth: 1 | ||
:glob: | ||
|
||
lab* |
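Review bot: the module intro says "You will need an active RDP connection to a Linux Jumphost", which contradicts the Getting Started file in this same commit ("1 x Jumphost (Windows 7)" and the note that all work is performed from the Windows jumphost); change it to "Windows Jumphost". Also "SYN flood DoS attack" should match the rest of the lab, which calls it a DDoS attack, and the sentence is missing its terminating period.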