
Customer Presentation - F5 Distributed Cloud Web App and API Protection (WAAP)

The document outlines F5's Distributed Cloud Web App and API Protection (WAAP) services, emphasizing the importance of securing complex applications and APIs in a multi-cloud environment. It highlights the company's capabilities in application security, including automated discovery, monitoring, and enforcement of security policies, as well as the benefits of their SaaS-managed service model. Additionally, it discusses the integration of AI/ML for anomaly detection and risk scoring, providing a comprehensive approach to application security management.

Uploaded by

vishalg5125586

F5 Distributed Cloud

Web App and API Protection (WAAP)


PRESENTER NAME

Position/Title

Date
Speaker Bios

[Insert Name] [Insert Name]


[Insert Title] [Insert Title]
Brief bio or bullet points with key credential or accomplishment Brief bio or bullet points with key credential or accomplishment
• Key credential or major accomplishment • Key credential or major accomplishment
• Key credential or major accomplishment • Key credential or major accomplishment
• Key credential or major accomplishment • Key credential or major accomplishment
• Social media link • Social media link

​ 2 © 2022 F5
Speaker Bios

[Insert Name]
[Insert Title]
Brief bio or bullet points with key credential or accomplishment
• Key credential or major accomplishment
• Key credential or major accomplishment
• Key credential or major accomplishment
• Social media link

​ 4 © 2022 F5
Company Profile

Secure and Deliver Extraordinary Digital Experiences

F5’s portfolio of automation, security, performance, and insight capabilities empowers our customers to create, secure, and operate adaptive applications that reduce costs, improve operations, and better protect users.

[Insert Partner Name]

Brief company description or bullet points with key credentials and offerings.
• Key highlight, offering, or service
• Key highlight, offering, or service
• Key highlight, offering, or service

How company supports F5 as a partner
• Key highlight, offering, or service
• Key highlight, offering, or service
• Key highlight, offering, or service

​ 5 © 2022 F5
Apps are evolving and becoming increasingly complex
API first architectures for apps are now table stakes

[Diagram: a simple application with back-end server, compared with increased back-end API services and connectivity]

​ 6 © 2022 F5
Increasing complexity and risk

[Diagram labels: APPDEV, DEVOPS, NETOPS, SECOPS; Users; CDN; Public Cloud (x3); Private Cloud / Data Center; Branch/Customer Edge]

• Multiple configurations and security policies that need to be deployed and maintained across distributed environments
• Increased vulnerabilities due to misconfigurations and inconsistent policies
​ 7 © 2022 F5
Lack of end-to-end visibility
Multiple toolsets used by different teams, across
different environments for monitoring and visibility

[Diagram labels: APPDEV, DEVOPS, NETOPS, SECOPS; Users; CDN; Public Cloud (x3); Private Cloud / Data Center; Branch/Customer Edge]

​ 8 © 2022 F5
Security enforcement impacts agility

[Diagram labels: APPDEV, DEVOPS, NETOPS, SECOPS (shown twice); Users; CDN; Public Cloud (x3); Private Cloud / Data Center; Branch/Customer Edge]

​ 9 © 2022 F5
Simplifying App Services – Generic Architecture
A framework for organizing and optimizing critical app services

Management & Operational Services Tier
• System Source of Truth
• Integration and Testing
• Automated Delivery
• Operational Observability and Insights
• Business Workflow Management

Global Shared Services Tier
• Scalable App Delivery
• Anti-Abuse
• Global Connectivity Services
• Global App Health
• Global App Protection

Site Shared Services Tier
• Scalable App Delivery
• Site Security
• Site Connectivity
• Site App Health

App Services Tier
• Scalable App Delivery
• App Instance Security
• Instance Connectivity
• Instance App Health

[Diagram labels: Internet; Secure Network Backbone; Region (x4); Public Cloud, Private Datacenter, Colocation, SaaS Provider Edge]
​ 10 © 2022 F5
The F5 portfolio of best-in-class application services
Application security and delivery

• Global Services Tier – Provider Edge
• Site Services Tier – Organizational Edge
• App Services Tier – Embedded with App

[Diagram labels: Client-Side Defense (protection against client-side security vulnerabilities); Scalable App Delivery & Global Connectivity (CDN, Load Balancing, Network Firewall, Secondary DNS); Global Anti-Abuse / App Protection (Layer 3-4 DDoS Mitigation, API Security, Bot Defense etc.); Global App Health (DNS + DNSSEC); Web app firewall; API Security; L7 DDoS Mitigation; Anti-fraud & Bot; App Delivery; API Gateway; App/web Server; K8s Management; App Sec Stack (Web App Firewall, Layer 7 DDoS Mitigation, API Security); End user; Application; App Infrastructure Protection; business logic]

ACROSS ANY INFRASTRUCTURE

MULTI-CLOUD

Physical systems | Virtual machines | Containers | Public cloud | Software-as-a-Service | Managed services
​ 11 © 2022 F5
Multi-Level Application Security
Enforce critical app security policy and implement controls at the appropriate level

App Services Tier
• Closest to the application
• Integrated security controls and policy into automation and CI/CD pipelines (agile with apps)
• Workload specific security policy definitions and enforcement across containers/microservices
• Application and cloud infrastructure security

Global Services Tier
• Keep unwanted traffic off your infrastructure
• Broad spectrum volumetric DDoS mitigation (layers 3-4)
• Anti-abuse including bot/fraud detection and mitigation at scale
• Standard company app security policy/policies used by all apps

Site Services Tier
• Localized, site level security policy, definition and enforcement with more specific, granular controls

​ 12 © 2022 F5
SaaS-delivered Application Security
A differentiated approach to application and API security

• More than just WAF, protect apps and APIs against bots, automation and fraud
• Easily scale and deploy in any cloud
• Simplify management and policy enforcement – deploy secure apps faster
• Advanced monitoring and visualization
• Securely and efficiently handle increasing request traffic
​ 13 © 2022 F5 © 2020 F5 Networks
F5 App Security-as-a-Service
Multi-layered, highly effective modern app security bringing together the best of F5 application security

Categories: WAAP | Fraud and Abuse | Caching

Services: API Security | Bot Defense | Web App Firewall | DDoS Mitigation | Client-Side Defense | CDN

Distributed Cloud Console (SaaS)

Multi-Cloud | On-prem | Edge

​ 14 © 2022 F5
It's much more than just WAAP...

​ 17 © 2022 F5 Note: All aspects of flow not represented


AI/ML Powered Anomaly Detection and Risk Scoring

Comprehensive client analysis with suspicion scoring for rapid decision making

19 © 2022 F5
Centralized control and flexible deployments

APPDEV | DEVOPS | NETOPS | SECOPS

• Integration with Critical Automation, Git Ops and Dev Tools
• Integration with SIEM, Logging and Alerting Platforms

F5 Distributed Cloud Console – Centralized control plane

API Security | Bot Defense | Web App Firewall | DDoS Mitigation

[Diagram labels: CDN; Public Cloud; F5 Global Network; Private Cloud / Data Center; Branch/Customer Edge]

​ 20 © 2022 F5
Multi-App Dashboards
Rich observability with a 360-degree view of performance and security posture for all apps together

[Illustrative dashboard panels: Security, Performance]
​ 21 © 2022 F5
Flexible Deployment Models

Regional Edge (RE)
• Only leverages the F5 global network
• Provides L3/L4 DDoS via network
• Advertises via Anycast
• Origins accessed via Public NAT/FQDN
• Global network can be access controlled (ACL) at origin sites
• SaaS managed Load balancing/WAF endpoints

Customer Edge (CE)
• Does not leverage the F5 global network
• Site includes WAAP security services except L3/L4 DDoS
• Self-managed advertisement based on deployed locations

Hybrid (RE + CE)
• Requires deployment at customer edge
• Provides for private address/FQDN access of origins
• WAF and additional security services at both the customer site and global network
• L3/L4 DDoS is provided via network

[Diagram labels: F5 Global Network; Public/Private Cloud; Branch; Datacenter]

​ 22 © 2022 F5
Flexible Service Options
Increasingly, F5 Distributed Cloud Services are being offered as a SaaS Managed Service. Offering critical app
security as a Managed Service enables F5 to deliver unique customer value in terms of service onboarding
and configuration, technical engineering support, 24x7 monitoring and phone support, uptime and specific
service SLAs etc.

Service tiers:
• Self Service
• Standard Managed Service – Supported by SOC
• Enhanced Managed Service – Supported by Named Resource
• Premium Managed Service – Supported by Dedicated Resources

WAF X X X

DDoS Mitigation X X

Bot Defense X X X

Increased benefits, varies by service

​ 23 © 2022 F5

Awards and Recognition
"What I most liked about the product [is] the ease of deployment. Second is protecting against the OWASP top 10 which WAF does protect against. Overall impressed with the ease of use and level of security [of] the product."

"When Log4j was announced, F5 immediately updated their signatures, and we could apply them to a web application firewall. That gave us immediate protection...And then we could see requests instantly getting blocked for that Log4j piece."

F5 Distributed Cloud WAF (Web Application Firewall) Reviews & Ratings 2023 ([Link])
​ 24 © 2022 F5
Awards and Recognition (cont.)

“The API offering from F5 aims to simplify the deployment and management of critical app and API security controls.”

“F5’s products strives to deliver a cost-effective solution, requiring no hardware or software maintenance, which lowers the total cost of ownership (TCO).”

10 vendors that are a “must see”. These “visionaries” provide products and solutions that are some of the best in the industry.
[Link]

​ 25 © 2022 F5
API Security
Continuous API discovery, enforcement and observability

API Security | Bot Defense | Web App Firewall | DDoS Mitigation

• Discover – detection of API endpoints and request/response schemas, sensitive data, authentication state
• Monitor – traffic inspection, analysis, ML-based anomaly detection and risk scoring
• Secure – enforcement of schemas, rate limiting, and blocking of undesirable and malicious traffic
​ 26 © 2022 F5
Automated API Protection
Our API Security breaks new ground for operational simplification with automated discovery & policy management

OWASP API Coverage
Broad and expanding coverage for the OWASP API Top 10 vulnerability exploits that updates automatically as new exploits are identified.

Automated Discovery and Inventory
APIs change frequently. As APIs are used, the system determines normal behavior, usage, methods, sensitive data and detects outliers helping you detect shadow APIs, shadow parameters and Zombie APIs.

Importing Swagger and OpenAPI Spec Enforcement
Allows for positive security, enabling users to allowlist endpoints based on valid schema characteristics such as parameters, methods, authentication types and payloads, tightening security against abuse.

Monitoring and Anomaly Detection
Analyzes what endpoints are used, in what order and the frequency, identifying bad actors not obeying normal behavior.

Response Analysis
The WAAP will analyze how the server responds to queries, identifying persistent outliers that receive bad response codes, but persist in sending bad requests.

Visualize API Usage
Identify usage patterns for APIs and show the most used and attacked APIs, plus correlate good and bad actor activity to optimize APIs for a better client experience.

Risk Scoring and Insights
API endpoints are tagged with a comprehensive risk score and operators can track the activity history and vulnerabilities of all endpoints.

Determine the Response
Allow, rate limit or deny a client using the API based on the threat level that it poses. Delivered via in-depth forensics on suspicious and malicious traffic.

[Diagram labels: Malicious Client; Legitimate Client; Requests; Metadata; Static & Behavioral Analysis Engine; API Sec; F5 Distributed Cloud WAAP (F5 Global Network); Origin Server(s)]
​ 27 © 2022 F5
API Endpoint Discovery

• Automatically learns the app API surface
• Using AI/ML, models are built to baseline and track API behavior
• For each API leaf, a model is built for errors, latency, and request metrics
• Detect outliers and shadow APIs
• Export swagger to improve API definitions/update inventory

​ 28 © 2023 F5
Behavioral Analysis of API Endpoints

• Monitor and baseline API behavior continuously with machine learning (ML) engine
• Easily identify anomalies (e.g., spikes in request rates, latency, response size, etc.)
• Identify any PII in API communications

​ 29 © 2023 F5
Discovery and Validation of API Authentication

• Discover and view authentication status, details and risk scoring for all API endpoints
• Easily create protection rules (e.g. blocking, rate limiting etc.)

​ 30 © 2023 F5
Discovery and Monitoring for PII Data in APIs

• Detection and flagging of PII that is being exposed via APIs
• Including custom sensitive data detection (names, addresses, phone numbers and unique social security numbers)
• With masking capabilities to hide sensitive data

​ 31 © 2023 F5
API Endpoint Risk Scoring

• Scores based on variety of factors including vulnerabilities discovered, attack impact, attack likelihood and mitigating controls
• Includes guidance with instructions and evidence to aid in remediation efforts

​ 32 © 2023 F5
OpenAPI Spec Import and Enforcement
Automatically enforce API schema and a Positive Security Model

• Upload existing API schema for enforcement of appropriate API behavior
• No wasted time spent configuring and deploying APIs
• Easily allow valid requests and block any method that the schema doesn’t support
• Import via UI or the API and integrate into a CI/CD Pipeline

Source: [Link]
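
A positive security model derived from an API schema, as an added example that is not part of the presentation and is not F5's implementation: the request is allowed only if its path, method, parameters and JSON body are all described by the spec. The `SPEC` fragment, the endpoint names and the helper functions are constructed for illustration, and only flat object bodies and path/query parameters are handled.

```python
import re

# Constructed OpenAPI 3 fragment for a hypothetical API (not from the slides).
SPEC = {"paths": {
    "/accounts/{accountId}": {"get": {"parameters": [
        {"name": "accountId", "in": "path", "required": True,
         "schema": {"type": "integer"}},
        {"name": "fields", "in": "query", "required": False,
         "schema": {"type": "string"}},
    ]}},
    "/transfers": {"post": {"requestBody": {"content": {"application/json": {
        "schema": {
            "type": "object",
            "required": ["from", "to", "amount"],
            "additionalProperties": False,
            "properties": {"from": {"type": "integer"},
                           "to": {"type": "integer"},
                           "amount": {"type": "number"}},
        }}}}}},
}}

JSON_TYPES = {"string": str, "integer": int, "number": (int, float),
              "boolean": bool, "object": dict, "array": list}


def type_ok(value, schema):
    """Check a decoded JSON value against the declared schema type."""
    expected = JSON_TYPES.get(schema.get("type"))
    if expected is None:
        return True
    if isinstance(value, bool) and schema["type"] != "boolean":
        return False  # bool is an int subclass in Python; never accept it as a number
    return isinstance(value, expected)


def text_ok(text, schema):
    """Path and query values arrive as text; check they parse as the declared type."""
    patterns = {"integer": r"-?\d+", "number": r"-?\d+(\.\d+)?"}
    pattern = patterns.get(schema.get("type"))
    return pattern is None or re.fullmatch(pattern, text) is not None


def compile_paths(spec):
    """Turn each path template into a regex with one named group per {parameter}."""
    compiled = []
    for template, operations in spec["paths"].items():
        parts = re.split(r"\{(\w+)\}", template)  # odd indexes are parameter names
        regex = "".join(re.escape(p) if i % 2 == 0 else "(?P<%s>[^/]+)" % p
                        for i, p in enumerate(parts))
        compiled.append((re.compile(regex), operations))
    return compiled


def check_body(op, body):
    """Validate a decoded JSON body against the operation's flat object schema."""
    content = op.get("requestBody", {}).get("content", {})
    schema = content.get("application/json", {}).get("schema")
    if schema is None:
        return (True, "ok") if body is None else (False, "unexpected body")
    if not isinstance(body, dict):
        return False, "body must be a JSON object"
    props = schema.get("properties", {})
    for name in schema.get("required", []):
        if name not in body:
            return False, "missing property " + name
    for name, value in body.items():
        if name not in props:
            if schema.get("additionalProperties") is False:
                return False, "undeclared property " + name
            continue
        if not type_ok(value, props[name]):
            return False, "bad type for property " + name
    return True, "ok"


def check_request(compiled, method, path, query=None, body=None):
    """Return (allowed, reason); anything the schema does not describe is denied."""
    query = query or {}
    for regex, operations in compiled:
        match = regex.fullmatch(path)
        if match is None:
            continue
        op = operations.get(method.lower())
        if op is None:
            return False, "method not in schema"
        declared = op.get("parameters", [])
        for param in declared:
            if param["in"] not in ("path", "query"):
                continue  # header and cookie parameters are out of scope here
            source = match.groupdict() if param["in"] == "path" else query
            value = source.get(param["name"])
            if value is None and param.get("required"):
                return False, "missing parameter " + param["name"]
            if value is not None and not text_ok(value, param.get("schema", {})):
                return False, "bad type for parameter " + param["name"]
        known = {p["name"] for p in declared if p["in"] == "query"}
        extra = sorted(set(query) - known)
        if extra:
            return False, "undeclared parameter " + extra[0]
        return check_body(op, body)
    return False, "path not in schema"
```

The "undeclared parameter" and "path not in schema" denials are the enforcement-side counterpart of the shadow parameters and shadow APIs that discovery reports.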

​ 33 © 2022 F5
Rich Inline Enforcement Capabilities
Comprehensive app and API security controls to block/allow, limit or control connections and activity

• API Protection Rules – allow/deny list, rate limit, Geo IP filter and custom rule creation
to act on incoming requests including match and request constraint criteria for specific
API endpoints or groups

• Layer 7 DoS – anomaly detection and alerting on abnormal traffic patterns and trends in
API endpoints with the ability to deny with auto mitigation

• IP reputation - client access can be allowed/denied based on IP reputation categories

• Masking Sensitive Data – prevents HTTP/HTTPS responses from exposing sensitive information

• WAF Signatures and Enforcement – F5's core WAF technology, supports the
inspection of various API protocols against nearly 8,000 signatures identified by F5 labs

​ 34 © 2023 F5
F5 Distributed Cloud Bot Defense
Enhanced AI/ML driven bot detection and mitigation

API Security | Bot Defense | Web App Firewall | DDoS Mitigation

Bot Defense mitigates malicious automation to prevent sophisticated, human-emulating attacks–bringing together unified telemetry, network intelligence, and AI/ML with human analysis to identify and defend against automated threats.

Mitigate malicious automation that impairs the user experience, imposes high financial costs, and impacts the user experience:
• Credential stuffing bots lead to account takeover
• Loyalty point bots steal value from customers
• Carding bots that validate stolen credit card data result in charge backs and fees
• Scraping bots slow performance, increase infrastructure costs, and can bring down sites
• Scalping bots that take advantage of limited time offers frustrate loyal customers
• Inventory hoarding bots prevent customers from buying goods and services available in inventory
35 © 2022 F5
Delivering a Multi-layer Defense Against Bots and Unwanted Automation

Basic Bot Defense (Good)
• Included in base plan with WAF service
• Signature based bot detection – identifies bots by matching signatures

Standard Bot Defense (Best)
• Necessary to mitigate advanced, persistent bots
• Constant ML analysis of signal data to rapidly respond to bot retooling, dynamic updates of real-time detection models
• Designed to protect against all bot use cases e.g. credential stuffing, account takeover, fake accounts etc.
​​ 36 | ©2021
36 © 2022 F5
Standard Bot Defense
Highly effective real-time detection informs mitigation actions

XC Cloud Bot Defense:
1. Collect telemetry & transaction metadata
2. Analysis
3. Real-time Mitigation Action

Signals: Browser Fingerprint | User Behavior Pattern | Header Pattern | Timing | IP/ASN

Checks, from less complex to more complex:
• Are the headers in the right order?
• Did the client execute JavaScript?
• Is the client what it claims to be?
• Is the client reusing payloads?
• Is the client exhibiting human behavior?
• Are there signs of reverse engineered responses?
​ 37 © 2022 F5
Standard Bot Defense
Globalized network of signals & ML used to catch retooling

Billions of signals analyzed daily
• 8/10 Top Banking
• 2/3 Top Hospitality
• 2/10 Top Retail
• 5/10 Top Credit Cards
• 5/10 Top Airlines
• 2/5 Top Insurance

Rapid intelligent analysis at scale
[Diagram labels: Real-time Mitigation; Unsupervised ML; Supervised ML; Monitoring; Machine Learning model usage and training; Expert Review of FPs [humans in the loop]; Expert Review of Pattern [humans in the loop]; Expert Review of Model [humans in the loop]]

Dynamically updated mitigation
​ 38 © 2022 F5
Bot Reporting and Insights

• Easily view and drill down into malicious traffic
• Clearly understand the type of automated traffic being directed towards specific apps
• Quickly drill down and narrow the potential threats by app, date and time
​ 39 © 2022 F5
Use Cases

Streamline Security for Apps Eliminate Bots, Fraud, and Manage and Secure APIs Simplify Security for Agile
Across Multi-Cloud/Hybrid Abuse App Development
Environments

• Managing web app vulnerabilities • Malicious automated traffic • Identity and access management • Lack of programmability/automation
• Limited visibility across • Increasing bandwidth costs • API abuse • Limited or difficult Integrations with
environments • • Identifying shadow APIs development tools
Denial of service (DoS)
• Scaling security globally • Information leakage • Slowing development cycles and
• Inefficient app performance
• Information leakage releases
• Payment fraud • Maintaining compliance
• Maintaining compliance • Inefficient app performance
• Account takeover
• Inefficient app performance • Limits to scalability
• Scraping
• False positive suppression • Token cracking
• Inventory hoarding
• Ad fraud

​ 40 © 2022 F5
F5 Distributed Cloud WAF - Identifying new threat actors
Moving beyond signature-based detection

API Security | Bot Defense | Web App Firewall | DDoS Mitigation

Signature based identification
Identifies a bad request based on a match to one or more signatures in a database
• Protection against known attack signatures
• Live signature feed so you’re always up to date with the changing threat landscape
• Threat campaigns that help you reduce false positives based on actor intent
• Evasion detection support finds potentially malicious requests that signatures alone don’t find

Behavior based to identify threat actors and false positives
Identifies a client and follows their behavior
• Identifies anomalous user behavior and blocks malicious attacks
• Recognizes non-human, automated requests that can potentially be harmful
• Reduces the time spent resolving false positives

​ 42 © 2022 F5
A Next Gen WAF
Streamlined set up and management with
self-service or managed service options

• Robust Signature Engine including Threat Campaigns

• IP Reputation Service

• Advanced Behavior Engine

• Powerful Service Policy engine

• Automatic Attack Signature Tuning


Better visibility for security events and traffic with drilldown
​ 43 © 2022 F5
User Behavioral Analysis
Visualize suspicion scores of suspected malicious clients

Scoring is based on:
• Number of WAF rules hit
• Forbidden access attempts per Layer 7 policy deny rates
• Number of login failures
• Request rates
• Error rates

​ 44 © 2022 F5
L7 Policy Enforcement – Service Policy Engine
Enabling micro segmentation and support for advanced security at the application layer

• Define Allow/Deny lists based on IP, Countries, ASN and TLS fingerprints
• Create custom rules, specific match criteria on a variety of parameters to act on incoming requests between servers and clients
  - HTTP Method, Source, Domain, Path, Query Parameters, Headers, Cookie, Argument Match, Request Body, Arguments, and Labels
• Possible actions are allow/deny
• Policies can be shared across multiple load balancers and namespaces

*Shows configuration workflow for policy rule, policy/policies and policy set. A Service Policy set consists of many Service Policies and each Service Policy is comprised of many Policy Rules.

​ 45 © 2022 F5
Layer 7 DoS
• Detection and alerting on abnormal traffic patterns & trends
• Advanced machine learning (ML) to detect spikes, sudden drops and more
• Analyzes request rate, error rate, latency, and throughput of app and API endpoints
• Deny with auto mitigation or Rate limit endpoints

[Illustrative screenshot]
​ 46 © 2022 F5
IP Reputation
F5 database of known
malicious IP addresses
categorized into easily
applied threat categories
• Spam sources

• Mobile threats

• Windows exploits

• Web attacks

• Botnets

• Scanners

• Denial of Service (DoS)

• Phishing

​ 47 © 2022 F5
Threat Campaigns
Correlates singular attack incidents as extensive and sophisticated attack campaigns

​ 48 © 2022 F5
Security Events Dashboard
Visualize all app security events in one place

Security Forensics
Event Logs

Event
Log Details

​ 49 © 2022 F5
Managed WAF Onboarding
F5 experts help you with the creation, provisioning, deployment and tuning of best-in-class WAF policies

1. Platform Setup – Getting Connected to the F5 Global Network
   ✓ SRE Provisions customer portal for administrator
   ✓ ASN Entry and Submit Prefixes
   ✓ Authoritative IRR

2. Technical Onboarding – Setting Expectations
   ✓ WAF Questionnaire
   ✓ Letter of Authorization
   ✓ SSL Cert and Key Upload
   ✓ LB setup and configuration
   ✓ Update DNS to direct Live Traffic to LB
   ✓ LB Testing

3. Configure WAF
   ✓ Configure WAF policies in transparent mode
   ✓ Review false positives and false negatives with customer
   ✓ Configure exceptions and tune policy

4. Configure L7 DDoS
   ✓ Configure Rate Limiting Policies
   ✓ Configure Signature Based Bot Detection

5. Set WAF to Blocking
   ✓ Move policy from transparent to blocking mode

​ 50 © 2022 F5
F5 Distributed Cloud DDoS Mitigation

API Security | Bot Defense | Web App Firewall | DDoS Mitigation

L3-L7 DDoS mitigation
Ensure the availability of critical application and network resources.

• Block the malicious traffic while allowing the good, ensuring good user
experience for applications and services
• Identify and mitigate sophisticated Layer 7 DoS attacks that exploit
application & infrastructure weaknesses
• Block attacks closer to where they originate with a global backbone and
distributed DoS mitigation technology
• Protect customer networks and services with Always On or Always
Available routed and proxy DDoS Mitigation service

​ 51 © 2022 F5
F5 Distributed Cloud DDoS Mitigation - Layers of Protection
Advanced Mitigation
Full packet analysis, custom filtering and advanced counter measures (scrubbing) for the most advanced attacks

CoreProtect
Pre-set rules that mitigate known-bad/known-useless traffic types that are always filtered immediately for all customers

Layer 7 and Proxy DDoS Protection
Protects apps and services from protocol attacks, L7 DoS and encrypted threats

Custom Mitigations
SOC analysis of traffic and implementation of any additional rules necessary to improve efficacy or reduce false positives of attack mitigation

Auto-Mitigation
Machine learning profiles traffic and automatically creates and deploys counter-measures for volumetric DDoS attacks

​ 52 © 2022 F5
Mitigate Large, Sophisticated DDoS Attacks
Mitigate closer to the origin away from critical apps and infrastructure

• World Class Global Security Operations Center responds to DDoS attacks in < 2 minutes on average.*
• Top BGP peering
• Global DDoS Protection Network with 13 Tb of scrubbing capacity.
• Flexible Service Options including Always Available or Always On deployments
• Connect how and where you need with BGP or Proxy-based traffic redirection and direct connections, peering or GRE tunnels for clean traffic return.

July ‘21 F5 Mitigated large scale, multi-vector DDoS attack(s) that totaled 1.2 terabits per second (Tbps) – the largest single attack peaked at 1.15Tbps.
Source: [Link] silverline-mitigates-record-breaking-ddos-attacks

Standard DDoS Service offering MSA specifies a 15 Minute Response SLA.

​ 53 © 2022 F5
Routed DDoS Mitigation Service Options
Choose from two DDoS Mitigation configurations

ALWAYS ON: Primary protection as the first line of defence
Configured to continuously route and process your traffic through the F5 network, allowing only legitimate traffic to reach your apps.
• Lowest “Time to Mitigate”
• Maximum visibility for attack trends and detected threats
• Consistent, reliable service delivery metrics and awareness
• Zero activation tasks when under attack

ALWAYS AVAILABLE: Protection available on-demand
Pre-configured for your systems, runs on standby, and can be initiated when under attack.
• On-Demand Service Activation by BGP or Proxy (DNS redirection)
• Actions required by customer and/or SOC to initiate mitigation when under attack
• No limit to the number of mitigation events or service activations
• Can be combined with Router Monitoring to provide accelerated attack detection and notification

​ 54 © 2022 F5
DDoS Mitigation Architecture

Edge Mitigation
CoreProtect – Global Rules
Auto Mitigation

Advanced Mitigation
Custom Filters/Countermeasures
Deep Packet Inspection

Inbound Traffic
Always-on or Always Available

Traffic Management
Deny Lists
Circuit Visibility

Connectivity Options
Layer 2 / Direct / 3rd Party

​ 57 © 2022 F5
Integrated View
with DDoS Attacks

• Automatically base-lines the application behavior in terms of URL usage and request rates.
• Flags unusual behavior in real-time and shows the source of the attack.
• Take action (or not) to block these requests.

​ 59 © 2022 F5
Robust DDoS Attack Mitigation Reporting
Gain attack insights and threat intelligence

• Type and size of the attack

• Mitigation techniques

• Countermeasures applied to suppress attacks

• Attack protocols

• IP address range and ports being attacked

• Inbound attack traffic and outbound clean traffic

• Daily DDoS attack report

​ 60 © 2022 F5
DDoS Mitigation Onboarding
F5 experts help you provision critical network components, configure protections and establish incident procedures

1. Platform Set – Getting Connected to the F5 Global Network
   ✓ Portal Tenant Account
   ✓ ASN Entry and Submit Prefixes
   ✓ Authoritative IRR

2. Technical Onboarding – Setting Expectations
   ✓ DDoS Questionnaire
   ✓ Letter of Authorization
   ✓ Review AS-PATH Prepends
   ✓ Upstream Carrier Announcements Review
   ✓ Router Preference Values
   ✓ Project Timeline
   ✓ Q&A with F5 SOC DDoS Team

3. Traffic Routing – Setup of Traffic Flows
   ✓ Selection of RE for Tunnel Termination
   ✓ SOC provisions /31 to customer
   ✓ Peer Secret to SOC
   ✓ SOC activates tunnel endpoints
   ✓ Testing/Integrity of tunnels
   ✓ Private Links

4. BGP Activation
   ✓ Router Configuration
   ✓ SOC: Enabling BGP Adjacency
   ✓ SOC: Controlling Route Origination
   ✓ Router Change Scheduling
   ✓ Commit to Router Changes/Test
   ✓ Tuning and Resolutions

5. PREFIX Route Change
   ✓ SOC Confirms Route Controls
   ✓ SOC Enables Route Announcement
   ✓ Analyze and Resolve Route Leaks
   ✓ SOC shows DDoS Alerts, events, dashboard, log exporting
   ✓ Transition to CSM

​ 61 © 2022 F5
Distributed Denial of Service (DDoS) Attacks Hit an all-time High in 2022
DDOS ATTACKS CONTINUE TO GROW IN SIZE AND COMPLEXITY YoY

DDoS attacks larger than 250 Gbps grew by 1300% in 2021¹

1 Attack, multiple vectors

This graph shows an ISP/hosting customer experiencing a DDoS multi-vector attack of a 1.4 Tbps Volumetric Attack and a 100 Mbps Application Attack at the same time.¹

¹ F5 Labs: 2022 Application Protection Report: DDoS Attack Trends, March 16, 2022
​ 62 © 2022 F5 CONFIDENTIAL - ISMC FY23
Distributed Denial of Service (DDoS) Summary
[Diagram labels: DDoS Attackers; Scanner; Anonymous Proxies; Anonymous Requests; Botnet; Attackers; ISP; Routers; Firewalls; Firewall; DNS; Load Balancers; Applications; Vulnerabilities; Network; Application]

Attack types shown:
• Network attacks: ICMP flood, UDP flood, SYN flood
• DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning
• SSL attacks: SSL renegotiation
• HTTP attacks: Slowloris, Slow POST, recursive POST/GET

Attack categories:
• Volumetric Attacks – consume network bandwidth (Most common)
• Protocol Attacks – overwhelm network devices (Layers 3 and 4)
• Application Layer Attacks – consume application resources (Layer 7)
​ 63 © 2022 F5
Global Log Receiver
Integration with SIEM, Logging and Alerting Platforms

Simple UI Configuration

F5 Distributed Cloud Console – Centralized control plane

DDoS Mitigation | Web App Firewall | Bot Defense | API Security

• Includes request and security event logs (e.g. WAF, Bot Defense, API security, L7 DDoS, service policy and malicious user events)
• Support for multiple delivery streams e.g. vendor specific, public cloud storage and generic HTTP(s) delivery options
• Logs are exported in common JSON format
• Export from regional edges (REs) and customer edge (CE) locations

​ 64 © 2022 F5
F5 Global Network
Secure Application Delivery
F5 Distributed Cloud CDN integrated with app and API security

Secure CDN, multi-cloud, and edge app delivery leveraging integrated app security services within the same platform.

Rich observability via a single dashboard with a 360-degree view of general app performance and security events:
• Security events and severity
• Protection status of each app
• App availability and traffic
• Violation/alert type

View all applications together and identify critical security issues by importance

Drill down into apps that exhibit anomalies quickly – go into a single app view to get more detail

​ 65 © 2022 F5
Simplified Cloud Migration with Improved Resiliency and Robust Security

USE CASE: Application Security and Performance
Industry: Online Gaming

B2C GAMING
Online gaming and poker technology company experienced a large DDoS attack of their private data center which had a major impact on their business. Needing a quick solution to resolve the attack they turned to F5.

MULTI-CLOUD ADOPTION
After the DDoS attack had been mitigated, they realized they needed to think more critically about security and redundancy – how they would prevent such events in the future with back-up/duplication of key business functions to reduce risk.

F5 SOLUTION: DISTRIBUTED CLOUD
Following the initial engagement, they expanded use of Distributed Cloud Mesh to connect, load balance and secure newly migrated workloads across multiple cloud environments.

CUSTOMER OUTCOMES
F5 Distributed Cloud WAAP allowed this customer to reduce their reliance on a private data center and seamlessly move to the cloud. Giving them virtually unlimited capacity to scale and more resiliency while simplifying their operations. With a centralized view and common services platform across their data center, clouds and edge locations; collaboration across teams improved while a robust security stack enhanced their overall app security posture with WAF, DDoS Mitigation, API security:
• Increased collaboration across siloed technical functions
• End-to-end security – reduced risk across their ever-expanding application ecosystem
• Vendor consolidation – replaced multiple app services, standardizing across multiple clouds

Reduced number of vendors from 6+ to 2
Reduced time to service from 8+ weeks to 1

​ 66 © 2022 F5
Key Differentiators

Efficacy + agility
Top-tier security controls provide higher efficacy, while SaaS model + unified management increase agility

Deploy anywhere
Operate on F5 Global Network, public / private clouds or edge sites – wherever apps are located

Common platform
WAAP combined with multi-cloud networking, edge computing and a global network in a single offering

​ 67 © 2022 F5
Appendix – Bot and Fraud Solutions
within F5 Distributed Cloud

​ 70 © 2022 F5
F5 Distributed Cloud Security and Fraud Solutions

Security Protection: Bot Defense | Client-Side Defense | Aggregator Management

Fraud Protection: Account Protection | Authentication Intelligence

Secure Telemetry | AI and ML | Threat Management Center | Network Intelligence

Account Opening Protection | Transaction Protection | Account Takeover Protection | Continuous Authentication

​ 71 © 2022 F5
Bot Defense - Stop bots with unmatched accuracy and ongoing
efficacy

• Real-time, telemetry-based bot mitigation
• Global collective threat intelligence and AI prevents retooling
• Sophisticated obfuscation architecture thwarts reverse engineering
• Improve customer experience by minimizing user friction of CAPTCHA and MFA
• Pre-built connectors and cloud, on-prem or hybrid configuration for flexible deployments
• Managed service offering to augment security staff

​ 72 © 2022 F5
Distributed Cloud Client-Side Defense fills the gap with real-
time monitoring in the browser

Stop Magecart and Formjacking Attacks
Receive alerts when malicious JavaScripts attempt to read or exfiltrate data

Prevent PII Harvesting
Protect against credentials, financial data, and all forms of PII theft

Protect Against Account Takeover (ATO)
Block account takeover attempts at source by preventing credentials from being stolen on client side

​ 73 © 2022 F5 CONFIDENTIAL - ISMC FY23


Client-Side Defense Architecture

MITIGATE JAVASCRIPT SUPPLY CHAIN ATTACKS


​ 74 © 2022 F5
