Initial commit of class 4 - Flowmon Integrated Out-of-path DDoS (#6)

docs/class4/class4.rst

@@ -0,0 +1,11 @@
+Flowmon Integrated Out-of-path DDoS Solution
+============================================
+
+.. toctree::
+   :maxdepth: 2
+   :numbered:
+   :caption: Contents:
+   :glob:
+
+   intro*
+   module*/module*

docs/class4/intro.rst

@@ -0,0 +1,69 @@
+Getting Started
+---------------
+
+Please follow the instructions provided by the instructor to start your
+lab and access your jump host.
+
+.. NOTE::
+	 All work for this lab will be performed exclusively from the Windows
+	 jumphost. No installation or interaction with your local system is
+	 required.
+
+Lab Topology
+~~~~~~~~~~~~
+
+The following components have been included in your lab environment:
+
+- 1 x F5 BIG-IP AFM VE (v13.1.0.6)
+- 2 x vyOS routers (v1.1.8)
+- 1 x Flowmon Collector (v9.01.04)/DDoS Defender (v4.01.00)
+- 1 x Webserver (Ubuntu 16.04)
+- 1 x Jumphost (Windows 7)
+- 1 x Attacker (Ubuntu 16.04)
+
+Lab Components
+^^^^^^^^^^^^^^
+
+The following table lists VLANS, IP Addresses and Credentials for all
+components:
+
+.. list-table::
+    :widths: 20 40 40
+    :header-rows: 1
+    :stub-columns: 1
+
+    * - **Component**
+      - **VLAN/IP Address(es)**
+      - **Connection Type, Credentials**
+    * - Jumphost
+      - - **Management:** 10.1.1.199
+        - **Users:** 10.1.10.30
+        - **Internal:** 10.1.20.30 
+        - **Servers:** 10.1.30.30
+      - RDP ``external_user``/``P@ssw0rd!``
+    * - BIG-IP AFM
+      - - **Management:** 10.1.1.7
+        - **Internal:** 10.1.20.245
+      - TMUI ``admin``/``admin``
+    * - Flowmon Collector/DDoS Defender
+      - - **Management:** 10.1.1.9
+        - **Internal:** 10.1.20.10
+      - TMUI ``admin``/``admin``
+    * - Router 1
+      - - **Management:** 10.1.1.10
+        - **Users:** 10.1.10.243
+        - **Internal:** 10.1.20.243
+      - ssh ``vyos``/``vyos``
+    * - Router 2
+      - - **Management:** 10.1.1.11
+        - **Users:** 10.1.10.244
+        - **Internal:** 10.1.20.244
+      - ssh ``vyos``/``vyos``
+    * - Attacker
+      - - **Management:** 10.1.1.4
+        - **Users:** 10.1.10.100
+      - ssh ``f5admin``/``f5admin``
+    * - Webserver
+      - - **Management:** 10.1.1.6
+        - **Servers:** 10.1.30.252
+      - ssh ``f5admin``/``f5admin``

docs/class4/module1/lab1.rst

@@ -0,0 +1,50 @@
+Deployment use case
+===================
+
+A Joint F5 + Flowmon solution is deployed “out-of-path” and provides an
+out-of-band DDoS mitigation of L3-4 volumetric DDoS attacks. It’s a
+simple and convenient solution that leverages the existing IT
+infrastructure to provide traffic flow information.
+
+Flowmon Collector appliance receives NetFlow/sFlow/IPFIX from edge
+routers while Flowmon DDoS Defender uses i/eBGP/Flowspec to route the
+traffic to F5 DHD/AFM appliance. F5 DHD/AFM DDoS profile, VS and other
+parameters provisioned dynamically through iControl REST.
+
+|image1|
+
+                `Pic.1 Solution Diagram`
+
+Lab blueprint setup
+===================
+
+Lab blueprint is deployed in Oracle Ravello cloud with access from F5
+UDF portal. All Flowmon elements are pre-configured, F5 AFM VE resources
+are provisioned and network is configured.
+
+|image2|
+
+             `Pic.2 Lab blueprint`
+
+
+Licensing
+=========
+
+BIG-IP is licensed automatically.
+
+Evaluation license has been applied to Flowmon Collector/DDoS Defender.
+Please contact Lab admin if there are issues with any lab elements.
+
+Other considerations
+====================
+
+.. NOTE:: Router1 is configured to export sFlow with sampling rate of 1
+
+.. NOTE:: Learn about sFlow:
+
+    https://sflow.org
+
+.. |image1| image:: images/image1.png
+   :scale: 75%
+.. |image2| image:: images/image2.png
+   :scale: 85%

docs/class4/module1/module1.rst

@@ -0,0 +1,12 @@
+.. _module1:
+
+Module – Deployment use case and Lab diagram
+============================================
+
+In this module you will learn about common use-case for AFM/DHD + Flowmon out-of-path DDoS protection solution and explore Lab diagram.
+
+.. toctree::
+   :maxdepth: 1
+   :glob:
+
+   lab*

docs/class4/module2/lab1.rst

@@ -0,0 +1,51 @@
+Prepare traffic visualization and monitoring
+============================================
+
+- Connect to Windows jumphost using RDP
+
+- Open SSH connections to Router1 and Router2
+
+-  Verify Router1 BGP configuration. Protected subnet ``10.1.30.0/24`` should have a Next Hop defined as Router2 ``10.1.20.244``
+    ``show ip bgp``
+
+        |image3|
+
+-  Start interface monitoring in Router1 and Router2
+``monitor interfaces ethernet``
+
+    |image5|
+    |image6|
+    |image4|
+    |image7|
+
+-  Select *eth1* and press ``g`` to enable graphical statistics
+.. NOTE:: You may need to expand terminal window for graphs to appear
+
+-  Open Web Browser and click on `BIG-IP AFM` bookmark, then login into BIG-IP TMUI using ``admin`` credentials
+
+-  Open **DoS Visibility Dashboard** in AFM TMUI
+
+    |image8|
+
+-  In a new Browser tab click on `Flowmon Web interface` bookmark. Once Flowmon main menu opens, click on `Flowmon DDoS Defender` icon and login using ``admin`` credentials
+
+-  Open **Attack List** in Flowmon DDoS Defender WebUI
+
+    |image9|
+
+.. NOTE:: Disregard any active alarms Flowmon may show in the upper right screen corner. These are artifcts of this lab environment
+
+.. |image3| image:: images/image3.png
+   :scale: 60%
+.. |image4| image:: images/image4.png
+   :scale: 55%
+.. |image5| image:: images/image5.png
+   :scale: 55%
+.. |image6| image:: images/image6.png
+   :scale: 55%
+.. |image7| image:: images/image7.png
+   :scale: 55%
+.. |image8| image:: images/image8.png
+   :scale: 60%
+.. |image9| image:: images/image9.png
+   :scale: 50%

docs/class4/module2/lab2.rst

@@ -0,0 +1,92 @@
+Initiate DDoS attack
+====================
+
+Run SYN flood (hping3) from Attacker VM
+---------------------------------------
+
+- Click on **Attacker SSH** icon to open ``Attacker VM`` ssh session
+
+- From Attacker VM run SYN flood towards Web server
+
+    ``./syn_flood``
+
+    |image10|
+
+-  Observe traffic growth in both Router1 and Router2. After **15-45
+   seconds** traffic will drop in Router2 due to DDoS detection and
+   mitigation start
+
+    |image11|
+
+DDoS mitigation start
+---------------------
+
+An *ACTIVE* attack with the new ID will appear in Flowmon DDoS defender
+‘Active attacks’ screen. Flowmon dynamically provisions AFM DDoS profile
+and VS, and initiates traffic diversion to AFM using BGP advertisement
+
+|image12|
+
+|image13|
+
+BGP route change and traffic drop
+---------------------------------
+
+-  Router1 shows new route to protected ``10.1.30.0/24`` subnet
+
+    ``show ip bgp``
+
+    |image14|
+
+-  As traffic is being routed through AFM, Router2 shows no significant
+   network activity while Router1 still experiences high traffic load
+
+    |image15|
+
+AFM DDoS profile and virtual server
+-----------------------------------
+
+.. NOTE:: Flowmon uses iControl REST interface to provision necessary parameters in AFM
+
+-  In AFM TMUI Navigate to **Security --> DoS protection --> DoS profiles** and confirm that
+   the DoS profile has been provisioned for the protected subnet
+
+    |image16|
+
+-  In **Local Traffic --> Virtual Servers --> Virtual Server List** confirm that
+   VS with corresponding Attack ID has been created
+
+    |image17|
+
+AFM DDoS mitigation
+-------------------
+
+In AFM TMUI navigate to **Security --> DoS Protection --> DoS Overview** and
+confirm that AFM is performing DoS mitigation using the provisioned DoS
+profile
+
+|image18|
+
+.. NOTE:: `Statistics -> DoS Visibility` TMUI menu provides graphical attack data
+It may take up to ~5 minutes for DoS Visibility Dashboard to show our simulated DDoS attack. You may need to click `Refresh` for data to appear
+
+|image26|
+
+.. |image10| image:: images/image10.png
+   :scale: 75%
+.. |image11| image:: images/image11.png
+   :scale: 35%
+.. |image12| image:: images/image12.png
+   :scale: 60%
+.. |image13| image:: images/image13.png
+.. |image14| image:: images/image14.png
+.. |image15| image:: images/image15.png
+   :scale: 60%
+.. |image16| image:: images/image16.png
+   :scale: 50%
+.. |image17| image:: images/image17.png
+   :scale: 50%
+.. |image18| image:: images/image18.png
+   :scale: 60%
+.. |image26| image:: images/image26.png
+   :scale: 85%

docs/class4/module2/lab3.rst

@@ -0,0 +1,66 @@
+Attack stop
+===========
+
+Stop SYN flood
+--------------
+
+Press (``Ctrl-C``) to finish the attack. Traffic will drop on Router1
+
+|image19|
+
+.. NOTE:: STOP HERE. It will take 5-10 minutes for Flowmon to mark the attack as `NOT ACTIVE`. This is done in order to avoid 'flip-flop' effect in repeated attack situation
+
+Mitigation stop
+---------------
+
+Flowmon DDoS Defender Attack List screen shows the current attack with
+status *NOT ACTIVE*. Attack will transition to *ENDED* state when
+Flowmon performs *Mitigation Stop* routine
+
+|image20|
+
+|image21|
+
+|image22|
+
+`\*It typically takes ~ 5min for Flowmon DDoS Defender to update attack
+status`
+
+AFM configuration, BGP route removal
+------------------------------------
+
+As part of *Mitigation Stop* routine Flowmon removes BGP route from
+Router1 and Virtual Server and DDoS Profile from AFM
+
+``show ip bgp``
+
+|image23|
+
+**In AFM TMUI navigate to Security --> DoS Protection --> DoS Profiles**
+
+Verify that only default “dos” profile present
+
+|image24|
+
+**In AFM TMUI navigate to Local Traffic --> Virtual Servers --> Virtual Server
+List**
+
+Verify that Virtual Server matching Attack ID has been removed
+
+|image25|
+
+Congratulations! You have successfully completed the lab!
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. |image19| image:: images/image19.png
+   :scale: 50%
+.. |image20| image:: images/image20.png
+   :scale: 60%
+.. |image21| image:: images/image21.png
+   :scale: 60%
+.. |image22| image:: images/image22.png
+.. |image23| image:: images/image23.png
+.. |image24| image:: images/image24.png
+   :scale: 60%
+.. |image25| image:: images/image25.png
+   :scale: 60%

docs/class4/module2/module2.rst

@@ -0,0 +1,12 @@
+.. _module2:
+
+Module – DDoS Attack
+====================
+
+In this module you will prepare for and launch a SYN flood DoS attack. You will need an active RDP connection to a Linux Jumphost to perform all necessary prerequisites
+
+.. toctree::
+   :maxdepth: 1
+   :glob:
+
+   lab*