#ddos Did you ever see that movie with George Clooney – Up in the Air? His life consists mostly of travel and somehow he logs 10 million miles (domestically!). I remember a line from the movie where he is giving a talk and he says that he travels 350,000 miles per year. Compare that to the moon, which is 250,000 miles away. I love that movie because that’s basically been my life, too. I’ve flown nearly 300,000 miles over two years.DIAG-SOL-SEC-ddos-v3

Most of that travel has been visit to high-profile global financial services institutions (FSIs) about their challenges around distributed denial-of-service (DDoS) attacks. One of the great things to come out of working with all these banks is the F5 DDoS Reference Architecture. This is what these customers have built, are building or want to build as soon as possible. It is a segmented network architecture optimized to be resistant to both volumetric and asymmetric DDoS attacks.

 

DIAG-PMAP-SEC-10807-ddos-protection-large-fsi-dc

The DDoS Reference Architecture – Global FSI Case

I do a lot of my best writing on airplanes where there is little distraction beyond the occasional comely stewardess. With all that time in the air, I’ve been able to document the reference architecture at the new F5 reference architecture site.

The essence of the reference architecture is that it diffuses the mitigation work across two tiers:

Tier 1 – Network Defense

The first tier is built around the network firewall. It is designed to mitigate computational attacks such as SYN floods and ICMP fragmentation floods. This tier also mitigates volumetric attacks up to the congestion of the ingress point (typically 80 to 90 percent of the rated pipe size). Many customers integrate their IP reputation databases at this tier and have controls to IP addresses by source during a DDoS attack.

The reference architecture allows that network firewall may or may not be the F5 firewall. Let me say straight out though, that no other firewall is as DDoS-aware as ours.

Tier 2 – Application Defense

The second tier is where F5 recommends deploying application-aware, CPU-intensive defense mechanisms like login walls, web application firewall policies, and dynamic security context using F5® iRules®. Often these components will share rack space with targeted IDS/IPS devices at this tier. Tier 2 is also where SSL termination typically takes place.

After the debut of the reference architecture, there were several inquiries asking if it was possible to terminate SSL at tier 1 instead. Yes, it is, and we have some customers who do that. But those customers are not global financial institutions. Global FSIs keep their keys as far behind the perimeter firewall as they can. I can’t and don’t argue with that. Their assets (our money) include the highest-value targets on the Internet.

image

If you’re into details like this then here is good news. The F5 Synthesis reference architecture site elucidates, explains and expands not just DDoS but Cloud Migration, LTE Roaming and Security for Service Providers and more.

Reaction to the reference architecture has been positive. Customers confirm that they they want to see more of this kind of technical depth in their collateral. So all those hours writing on airplanes were well spent. Certainly they were spent better than George Clooney spent his. That reminds me, my all-time favorite Clooney movie is The American. Check it out. Maybe you can stream it while you are reading through all the DDoS reference architecture collateral.