Applies To:

Show Versions Show Versions

Release Note: F5 DDoS Hybrid Defender 13.0.0 version 2.0
Release Note

Original Publication Date: 09/10/2018


This release note documents the 13.0.0 release of F5 DDoS Hybrid Defender.


- Platform support
- Browser support
- User documentation for this release
- New in 13.0.0
- Known issues
- Fixes in 13.0.0
- Contacting F5 Networks
- Legal notices

Platform support

This version of F5 DDoS Hybrid Defender runs on the following platforms.

Platform name Platform ID
F5-BIG-DDOS Virtual Edition (VE):
  • VE‑DDOS‑1G‑V13
  • VE‑DDOS‑3G‑V13
  • VE‑DDOS‑10G‑V13

DDoS Hybrid Defender requires the appropriate DDoS license. It enables one module flag mod_dos. That is the only module that can be active on the system.

Browser support

DDoS Hybrid Defender supports these browsers and versions:

  • Microsoft Internet Explorer 11.x
  • Mozilla Firefox 27.x
  • Google Chrome 32.x

User documentation for this release

For installation and setup instructions, refer to F5 DDoS Hybrid Defender: Setup. You can find this, and additional documentation that is relevant to this release, on the F5  DDoS Hybrid Defender 13.0.0 Knowledge Center page.

New in 13.0.0

F5 DDoS Hybrid Defender

This release introduces a new version of DDoS Hybrid Defender, a hybrid DDoS solution that offers comprehensive protection, high availability, and is easy to deploy and manage. It guards against aggressive volumetric and targeted DDoS attacks, includes hardware-assisted DDoS mitigation, and optionally, connects with Silverline, a cloud-based scrubbing service. DDoS Hybrid Defender defends the application infrastructure with a multi-layered defense that combines DDoS protection for Layer 3 and Layer 7, hardware-accelerated DDoS attack mitigation (with TurboFlex features), and SSL decryption capabilities.

Quick Configuration

DDoS Hybrid Defender provides quick configuration, which makes it easy to deploy. The initial setup wizard is fast, and takes you to the quick configuration screens where you can customize DDoS protection as needed for your environment. You establish networking support by creating VLANs, and static routes if necessary. DDoS Hybrid Defender completes the setup required. The networking configuration includes options for out-of-band deployment using span ports or NetFlow messaging.

High Availability

DDoS Hybrid Defender can be installed onto a dedicated system with a failover system that automatically takes over in case of system failure. Data is synchronized between the two systems ensuring high availability and consistent protection against DDoS attacks. To set up the two systems, follow the instructions in Installing DDoS Hybrid Defender for High Availability in the documentation because F5 recommends installing in a specific order.

Device-level protections

DDoS Hybrid Defender includes device-level protections that prevent DDoS attacks, including those caused by bad headers, DNS queries, flood and sweep attacks, and other attacks designed to exhaust your resources. Basic device-level protections are enabled by default.

Granular protections: Protected objects

DDoS Hybrid Defender lets you protect different types of network devices on the back end, such as application servers, network hosts, DNS servers, routers, and so on, against DDoS attacks. These network devices are called protected objects. You create objects that represent the different types, and select the DoS protections that are applicable to that device.

Logging and reporting

You can view event logs and reports showing DDoS attacks on DDoS Hybrid Defender. If you want to send the logs to a centralized location, remote logging is available.

F5 Silverline DDoS Protection Service

DDoS Hybrid Defender can be integrated with F5 Silverline DDoS Protection Services to enable both an on-premises and cloud DDoS mitigation architecture.

With a current subscription to F5 Silverline DDoS Protection in an Always Available configuration, you can set up DDoS Hybrid Defender to alert the F5 Silverline Cloud-based platform when an attack is underway that approaches customer Internet pipe saturation. The system provides volumetric attack mitigation with Silverline cloud scrubbing.

Signaling from DDoS Hybrid Defender to F5 Silverline alerts the F5 Silverline Security Operations Center (SOC) that an attack is underway. The SOC then works with you to migrate traffic to F5 Silverline for mitigation and then traffic normalization.

Known issues

The following known issues apply to the current release of DDoS Hybrid Defender.

ID number Description
592819 On the 5250 platform, DDoS protection in hardware prevents configuration of a whitelist for a protected object.
Workaround: Disable hardware support for DDoS protection using the command: modify sys db dos.forceswdos value true.
Note: Disabling DDoS hardware support may impact the performance of the device because then all DoS protection mechanisms are managed in software.
599520 If the Help tab in the left pane is open when you edit a protected object, the help does not display.

Workaround: Click the Main tab, then return to the Help tab to display the help.

600028 When configuring Bad Actor Detection in Device Configuration, the number of packets per second (PPS) is per core (TMM).

Workaround: When specifying PPS for system-wide Bad Actor Detection, multiply by the number of cores (TMMs) on your system.

600031 Hardware accelerated DoS protection drops packets based only on source IP address. A sampling of packets is "leaked" to the DoS software to provide visibility for logging and reporting. For this reason, the system provides the total packets dropped based on source IP address.
600039 The Detection Threshold setting for a DoS attack is per core (TMM), not per device. Since the system has multiple cores (TMMs), the total traffic may be greater than the configured threshold if each core (TMM) sees traffic below the threshold. In this case, the attack is not detected.

Set a configured value reflecting the overall total required value divided by the number of cores (TMMs). The number of cores (TMMs) varies by platform. For example, For VE, there are two, by default. The 5250 platform has 8 cores (TMMs). Note that if traffic is unevenly distributed, one core (TMM) may reach the detection threshold while the other cores (TMMs) are still relatively idle. As a result, the device may detect an attack while processing traffic at fairly low levels overall.

611752 The maximum number of protected objects that you can create on DDoS Hybrid Defender is 40.

Workaround: If you need support for creating more than that, follow these steps:

  1. After installing DDoS Hybrid Defender, log in to the device console.
  2. Execute the command tmsh modify sys db provision.extramb value 2048. This causes some daemons to restart. Wait 2-3 minutes for the daemons to restart.
  3. Edit the /etc/ file and change 10M to 100M
  4. Run the command bigstart restart restjavad.
You can then create up to 200 protected objects.
622838 DDoS Hybrid Defender does not support deleting the high availability configuration. Call F5 Support if you need to unconfigure high availability.
624614 If you attempt to delete more than 10 protected objects at once, DDoS Hybrid Defender may not complete the deletion process successfully. Therefore, F5 recommends deleting fewer than 10 protected objects at a time. Otherwise, if you need to clean up configuration objects left-over from deleting more than 10, F5 support can help you resolve configuration inconsistencies.
626578 If the connection to Silverline does not succeed when the configuration is entered for the first time, the Silverline configuration may have been lost. Workaround: Click the Silverline tab and re-enter the configuration data.
638708 For a Protected Object, when updating the Maximum Bandwidth to Infinite and Scrubbing Threshold to Absolute (Enable External Redirection), the update fails with the following error message: Following Errors were found transaction failed:01071b08:3: Scrubber percentage threshold property requires throughput capacity to be configured on Virtual Server protected_obj.
Workaround: Edit the protected object in two steps.
  1. Set Maximum Bandwidth to Infinite and click Update.
  2. Set Scrubbing Threshold to Absolute and click Update.

Fixes in 13.0.0

ID Number Description
617314 If a GUI timeout occurs while using DDoS Hybrid Defender, log in again to continue your work.
624184 If login credentials are specified incorrectly when configuring High Availability, you receive an error message.
624907 You can use underscores in the names of VLANs and routes.
633115 The DDoS Hybrid Defender installation completes successfully, or it provides an error message if the RPM download was not successful.

Contacting F5 Networks

For additional information, please visit

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.


AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 Publication Preference Center

To subscribe, click AskF5 Publication Preference Center, enter your email address, select the publications you want, and click the Submit button. You will receive a confirmation email. You can unsubscribe at any time by clicking the Unsubscribe link at the bottom of the email, or on the AskF5 Publication Preference Center screen.

  • TechNews Weekly eNewsletters: Up-to-date information about product and hotfix releases, new and updated articles, and new feature notices.
  • TechNews Notifications: Periodic plain text TechNews, sent any time F5 releases a product or hotfix. (This information is always included in the next weekly HTML TechNews email.)
  • Security Alerts: Timely security updates and ASM attack signature updates from F5.

Legal notices

Was this resource helpful in solving your issue?

NOTE: Please do not provide personal information.

Additional Comments (optional)