Forum Discussion

Wasfi_Bounni's avatar
Wasfi_Bounni
Icon for Cirrocumulus rankCirrocumulus
Dec 05, 2019

Can DDOS Hybrid Defender be used with Akamai cloud?

Can DDOS Hybrid Defender be used with Akamai cloud? In the same way it can be used with the Silverline Cloud? I mean I want the Hybrid Defender on the BIG-IP to do the signalling to Akamai? is this possible?

 

Kindly

Wasfi

  • > Ok. In this case, if the protection is only "volumetric" based on a bandwidth-based threshold, and if this is the only protection needed, I guess the BIG-IP with Hybrid defender does not need to decrypt any traffic, right?

     

    If it is just Volumetric protection, then yes. But the DHD can do layer 7 traffic analysis as well, if encrypted traffic terminates on the DHD.

     

    > Hybrid defender on the BIG-IP signals the maximum threshold to the BGP router or to Silverline and that's it I am guessing?

     

    No - For BGP signalling, Hybrid Defender identifies the attacking IPs, and uses BGP to publish a blackhole route for the attacking /32 (or larger subnet). Basically the volumetric attack is then dropped at the upstream router (preferably prior to any congested links). This relies on the upstream router trusting the BGP advertisements from the DHD, and being able to accept /32 subnet routes (some routers don't, or may not have table-space for a large number of /32 routes).

    Silverline signalling is completely different and more complex - when the threshold is reached, Silverline makes a combination of BGP routing updates and/or Global DNS updates which are used to rapidly direct all the traffic targeted at the DHD directly to the Silverline scrubbing center, and only scrubbed traffic is sent from Silverline back to the DHD.

  • Does Akamai support BGP scrubbing via BGP blackhole route advertisement?

     

    As detailed in

    AskF5 Home / Knowledge Centers / F5 DDoS Hybrid Defender / F5 DDoS Hybrid Defender 13.1.0.3: Setup / Protecting Against DDoS Attacks

     

    • Configuring network bandwidth and scrubbing
    • You can configure general network protections, such as maximum bandwidth and scrubbing details, for all traffic on DDoS Hybrid Defender. When the maximum bandwidth and scrubbing thresholds are reached, you can configure the system so that traffic is scrubbed by sending it to a BGP router or, if you have an account, to Silverline.

     

     

    • Wasfi_Bounni's avatar
      Wasfi_Bounni
      Icon for Cirrocumulus rankCirrocumulus

      Thank you for your answer.

       

      Ok. In this case, if the protection is only "volumetric" based on a bandwidth-based threshold, and if this is the only protection needed, I guess the BIG-IP with Hybrid defender does not need to decrypt any traffic, right?

       

      Hybrid defender on the BIG-IP signals the maximum threshold to the BGP router or to Silverline and that's it I am guessing?

       

      Kindly

      Wasfi

      • Simon_Blakely's avatar
        Simon_Blakely
        Icon for Employee rankEmployee

        > Ok. In this case, if the protection is only "volumetric" based on a bandwidth-based threshold, and if this is the only protection needed, I guess the BIG-IP with Hybrid defender does not need to decrypt any traffic, right?

         

        If it is just Volumetric protection, then yes. But the DHD can do layer 7 traffic analysis as well, if encrypted traffic terminates on the DHD.

         

        > Hybrid defender on the BIG-IP signals the maximum threshold to the BGP router or to Silverline and that's it I am guessing?

         

        No - For BGP signalling, Hybrid Defender identifies the attacking IPs, and uses BGP to publish a blackhole route for the attacking /32 (or larger subnet). Basically the volumetric attack is then dropped at the upstream router (preferably prior to any congested links). This relies on the upstream router trusting the BGP advertisements from the DHD, and being able to accept /32 subnet routes (some routers don't, or may not have table-space for a large number of /32 routes).

        Silverline signalling is completely different and more complex - when the threshold is reached, Silverline makes a combination of BGP routing updates and/or Global DNS updates which are used to rapidly direct all the traffic targeted at the DHD directly to the Silverline scrubbing center, and only scrubbed traffic is sent from Silverline back to the DHD.