
© F5 Networks, Inc 2

Multiple Layers of Protection

Attack stages: Start of Attack, Identify Attackers, Advanced Attacks, Persistent Attacks

Rate Limit to Protect the Server

Detect and Block Bots and Bad Actors

Create and Enforce Dynamic Signatures

Analyze Application Stress and Continually Tune Mitigations

Even basic attacks can take an unprotected server down quickly.

Persistent attackers will adjust tools, targets, sources and attack volume to defeat static DoS defenses.

The F5 approach protects the server from the first moment of the attack and then analyzes the attack tools, sources and patterns to refine mitigations.

These sophisticated protections maximize application availability while minimizing false positives.


statistical site model

service impact / service health

anomaly detection

bad actors

attack signatures

multilayer defense from DDoS Attack


[Figure: mitigation pipeline diagram. Traffic sources: Legitimate Users, DDoS Attackers. Protected services: Financial Services, E-Commerce, Subscriber, Application. Components: Signal metering, Stress Evaluator, Stress Triggers, Signature Generation (and enters “Attack” state), Signature, Bad Actor Detection (Per SrcIP), Mitigations. Mitigation labels: Signature-based Mitigation, Selective Drops, Rate Limit, Bad Actor Mitigation, Global Mitigation. Data paths: Good Data, Attack Data. Numbered callouts 1 to 5.]

Example signature shown in the figure:

( http.request.method eq GET ) and ( http.uri_file hashes like / ) and ( http.referer hashes like http://10.0.2.1/none.html ) and ( http.accept contains application ) and ( http.accept_encoding_header_exists eq true ) and ( http.headers_count eq 10 ) and ( http.browser_type eq chrome ) …


[Figure: Frequency (PPS) histograms at time t0, one panel per predicate: Browser Types (Chrome, Firefox, IE / Cortana, Safari, Opera), TTL, SRC-IP lower, DstPort, Other L3/L4 Predicates, URI, Referrer, # Headers, Other L7 Predicates. Server Health is shown alongside.]


[Figure: the same set of Frequency (PPS) panels repeated for successive time steps from t0 to tN. Each step shows Browser Types (Chrome, Firefox, IE / Cortana, Safari, Opera), TTL, SRC-IP lower, DstPort, Other L3/L4 Predicates, URI, Referrer, # Headers, Other L7 Predicates, and Server Health.]


[Figure: Frequency (PPS) panels for Browser Types (Chrome, Firefox, IE / Cortana, Safari, Opera), TTL, SRC-IP lower, DstPort, Other L3/L4 Predicates, URI, Referrer, # Headers, Other L7 Predicates, with Server Health. Beside them, Load (EPS) charts per value, each marked with Max (Chrome), Threshold and Min (Chrome); further charts are labelled VR-N, VR-A, VR-B, VR-C, VR-D.]


[Figure: sequence of frames at t0, t1, t2, tN and tN+1. Each frame shows Frequency (PPS) by Browser Types (Chrome, Firefox, IE / Cortana, Safari, Opera) next to Load (PPS) per browser type, marked with Max (Chrome), Threshold, Min (Chrome) and Current Value, together with Server Health. In the tN+1 frame the threshold is labelled "Threshold Fixed during attack".]


[Figure: frame labelled tN>t. Frequency (PPS) by Browser Types (Chrome, Firefox, IE / Cortana, Safari, Opera) next to Load (PPS) per browser type, marked with Max (Chrome), Threshold Fixed during attack, Min (Chrome) and Current Value. Additional Load (EPS) charts for URI, Referrer, # Headers and Other L7 Predicates, each marked with Max (Chrome), Threshold and Min (Chrome) and values labelled VR-N, VR-A, VR-B, VR-C, VR-D. Server Health is shown alongside.]



www.f5.com