Applies To:
Show Versions
F5 DDoS Hybrid Defender
- 14.0.0
Summary:
This release note covers F5 DDoS Hybrid Defender 14.0.0-4.0.
Contents:
- Platform support
- Browser support
- User documentation for this release
- New in 14.0.0
- Known issues
- Installation overview
- Upgrade info
- Contacting F5 Networks
- Legal notices
Platform support
This version of F5 DDoS Hybrid Defender runs on the following platforms.
DDoS Hybrid Defender requires the appropriate DDoS license. It enables one module flag mod_dos. That is the only module that can be active on the system.
Browser support
DDoS Hybrid Defender supports these browsers and versions:
- Microsoft Internet Explorer 11.x
- Mozilla Firefox v40, or later
- Google Chrome v44, or later
User documentation for this release
For installation and setup instructions, refer to F5 DDoS Hybrid Defender: Setup. You can find this, and additional documentation that is relevant to this release, in the F5 DDoS Hybrid Defender 14.0.0 Knowledge Center.
New in 14.0.0
F5 DDoS Hybrid Defender
This release introduces a new version of DDoS Hybrid Defender, a hybrid DDoS solution that offers comprehensive protection, high availability, and is easy to deploy and manage. It guards against aggressive volumetric and targeted DDoS attacks, includes hardware-assisted DDoS mitigation, and optionally, connects with Silverline, a cloud-based scrubbing service. DDoS Hybrid Defender protects the application infrastructure with a multi-layered defense that combines DDoS protection for Layers 2-4 and Layer 7, hardware-accelerated DDoS attack mitigation (with TurboFlex features), and SSL decryption capabilities.
Hardware enhancements to DoS protection
This release includes three compatibility levels that enable different levels of DoS protection and several types of whitelists, depending on the hardware platform of your system.
- Compatibility level 0 provides basic hardware DoS capabilities with device protection and rich whitelists.
- Compatibility level 1 applies to either a VE system with no hardwareoffload or a system with hardware DoS and sPVA capabilities. In addition to level 0 features, provides hardware DoS protection per protected object, whitelist address list, IP intelligence, and bad actor/attacked destination discovery.
- Comnpatibility level 2 applies to a system with hardware DoS, sPVA, and Neuron capabilities (in addition to level 1 features provides extended whitelist).
Simplified user interface
The 14.0.0-4 release has a new, simplified user interface that is easy to use. The DoS menu provides access to all the primary features needed to set up DDoS Hybrid Defender including DoS Configuration, DoS Setup, Network. In addition, an Advanced menu is accessible from a link at the bottom of the DoS menu, and it includes advanced configuration that may be needed in complex networking environments.
Visual network configuration
Network topology includes visual aids to help determine the appropriate way to configure DDoS Hybrid Defender in your network. You can select different methods for inline and out-of-band deployments, and are prompted for information needed for quick configuration of common network topologies.
DoS protection enhancements
Several enhancements improve DoS protection in DDoS Hybrid Defender. New vectors protect against attacks for NXdomain, SSL (renegotiation, flood, and incomplete handshake), non-TCP connection rate limit, and listener mismatch. You can associate a DNS profile with a protection profile.
Protocol Inspection improvements
Protocol inspection functionality now includes additional compliance checks for DNS, FTP, and HTTP protocols. The system provides learning and staging suggestions as a result of examining protocol to detect real attack attempts and reduce false positives. Protocol inspection analytics, charts and event logs allow users to filter information for events of interest, identify top inspections, attacking IP addresses, and applications under attack.
Netflow changes
You can now define Netflow Protected Server objects that represent subsets of traffic for use in developing distinct scrubbing policies.
Dynamic Signature support
Dynamic signature creation is supported in this release.
Advertisement of Flowspec routes
The system allows for advertisement of flowspec routes using flowspec route injector profiles. The flowspec route injector profile lets you deploy filtering rules among BGP peer routers to mitigate DDoS attacks.
Known issues
The following known issues apply to the current release of DDoS Hybrid Defender.
| ID number | Description |
|---|---|
| 599520 | If the Help tab in the left pane is open when you edit a protected object, the help does not display. Workaround: Click the Main tab, then return to the Help tab to display the help. |
| 600028 | When configuring Bad Actor Detection in Device Protection, the number of events per second (EPS) is per core (TMM). Workaround: When specifying EPS for system-wide Bad Actor Detection, multiply by the number of cores (TMMs) on your system. |
| 600031 | Hardware accelerated DoS protection drops packets based only on source IP address. A sampling of packets is "leaked" to the DoS software to provide visibility for logging and reporting. For this reason, the system provides the total packets dropped based on source IP address. |
| 600039 | The Detection Threshold setting for a DoS attack is per core (TMM), not per device. Since the system has multiple cores (TMMs), the total traffic may be greater than the configured threshold if each core (TMM) sees traffic below the threshold. In this case, the attack is not detected. Set a configured value reflecting the overall total required value divided by the number of cores (TMMs). The number of cores (TMMs) varies by platform. For example, for VE, there are two, by default. The 5250 platform has 8 cores (TMMs). Note that if traffic is unevenly distributed, one core (TMM) may reach the detection threshold while the other cores (TMMs) are still relatively idle. As a result, the device may detect an attack while processing traffic at fairly low levels overall. |
| 622838 | DDoS Hybrid Defender does not support deleting the high availability configuration. Call F5 Support if you need to remove the high availability configuration. |
| 624614 | If you attempt to delete more than 10 protected objects at once, DDoS Hybrid Defender may not complete the deletion process successfully. Therefore, F5 recommends deleting fewer than 10 protected objects at a time. Otherwise, if you need to clean up configuration objects left-over from deleting more than 10, F5 support can help you resolve configuration inconsistencies. |
| 626578 | If the connection to Silverline does not succeed when the configuration is entered for the first time, the Silverline configuration may have been lost. Workaround: Re-enter the Silverline Authentication Credentials on the Silverline screen. |
| 638708 | For a Protected Object, when changing the Maximum Bandwidth to Infinite and Scrubbing Threshold to Absolute (Enable External Redirection), the update fails with the following error message: Following Errors were found transaction failed:01071b08:3: Scrubber percentage threshold property requires throughput capacity to be configured on Virtual Server protected_obj. |
| 679661-1 | When changing the logging destination from Splunk to Arcsight in the Log Destination type, the logging destination does not get updated to the correct remote logging format. Workaround: To change the logging format, first set the remote logging format to Disabled, click Update, then change it to Arcsight, and click Update again. |
| 680730 | The system cannot successfully create an HA pair if the device name and hostname are different. Workaround: In an HA pair, use the same names for both the device name and hostname. |
Installation overview
This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.
Installation checklist
Before you begin:
- Use BIG-IP iHealth to verify your configuration file. For more information, see K12878: Generating BIG-IP diagnostic data using the qkview utility.
- Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see K7727: License activation may be required prior to a software upgrade for the BIG-IP or Enterprise Manager system.
- Ensure that your system is running version 11.x or later.
- Download the .iso file from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
- Configure a management port.
- Set the console and system baud rate to 19200, if it is not already.
- Log on as an administrator using the management port of the system you want to upgrade.
- Check all DNSSEC Key generation's 'expiration' and 'rollover' date:time fields before performing a GTM sync group upgrade. If any of the DNSSEC Key generations are set to rollover or expire during the planned upgrade window, modify the date:time of the 'expiration' and/or 'rollover' fields to extend past the anticipated upgrade window, to a date:time when all units in the sync group will again have GTM config sync enabled.
- Boot into an installation location other than the target for the installation.
- Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
- Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
- Turn off mirroring.
- If you are running Application Acceleration Manager, set provisioning to Minimum.
- If you are running Policy Enforcement Manager, set provisioning to Nominal.
- If you are running Advanced Firewall Manager, set provisioning to Nominal.
Installing the software
| Installation method | Command |
|---|---|
| Install to existing volume, migrate source configuration to destination | tmsh install sys software image [image name] volume [volume name] |
| Install from the browser-based Configuration utility | Use the Software Management screens in a web browser. |
Sample installation command
The following command installs version 13.0.0 to volume 3 of the main hard drive.
tmsh install sys software image BIGIP-13.0.0.0.0.1645.iso volume HD1.3
Post-installation tasks
This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.
- Ensure the system rebooted to the new installation location.
- Use BIG-IP iHealth to verify your configuration file. For more information, see K12878: Generating diagnostic data using the qkview utility.
- Log on to the browser-based Configuration utility.
- Run the Setup utility.
- Provision the modules.
Installation tips
- The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
- You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
- If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.
Upgrade info
Upgrading DDoS Hybrid Defender to 14.0.0-4 is a two-step process. First, you need to upgrade the system image to 14.0.0. Then you need to install the latest DDoS Hybrid Defender 14.0.0-4 rpm.
Following are the steps to upgrade DDoS Hybrid Defender to 14.0.0-4 :
- Upgrade the system to BIG-IP version 14.0.0 as described in the installation information section of these release notes.
- Download the 14.0.0-4 rpm from the F5 downloads site at https://downloads.f5.com.
- Log onto DDoS Hybrid Defender.
- Click , and install the rpm you downloaded.
- If using Silverline, click , and type the username and password for your account.
That completes the upgrade process.
Contacting F5 Networks
| Phone - North America: | 1-888-882-7535 or (206) 272-6500 |
| Phone - Outside North America, Universal Toll-Free: | +800 11 ASK 4 F5 or (800 11275 435) |
| Fax: | See Regional Support for your area. |
| Web: | https://support.f5.com/csp/home |
| Email: | support@f5.com |
For additional information, please visit http://www.f5.com.
How to Contact F5 Support or the Anti-Fraud SOC
- By phone in the U.S. (accessible 24x7): 888-88askf5 (888-882-7535).
- International contact numbers: http://www.f5.com/training-support/customer-support/contact/.
- The Support Coordinator can contact the SOC as needed.
You can manage cases online at F5 WebSupport (registration required). To register email CSP@F5.com with your F5 hardware serial numbers and contact information.
You can contact the Anti-Fraud SOC as follows:
- By phone in the U.S. (accessible 24x7): 866-329-4253 (Option #3 for Anti-Fraud)
- International contact numbers: https://f5.com/products/platforms/silverline/f5-silverline-ddos-protection
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
- The F5 Networks Technical Support web site: https://f5.com/support
- The AskF5 web site: https://support.f5.com/csp/home
- The F5 DevCentral web site: https://devcentral.f5.com/
- AskF5 Publication Preference Center: https://interact.f5.com/AskF5-SubscriptionCenter.html
F5 Networks Technical Support
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5
AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
F5 DevCentral
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
AskF5 Publication Preference Center
To subscribe, click AskF5 Publication Preference Center, enter your email address, select the publications you want, and click the Submit button. You will receive a confirmation email. You can unsubscribe at any time by clicking the Unsubscribe link at the bottom of the email, or on the AskF5 Publication Preference Center screen.
- TechNews Weekly eNewsletters: Up-to-date information about product and hotfix releases, new and updated articles, and new feature notices.
- TechNews Notifications: Periodic plain text TechNews, sent any time F5 releases a product or hotfix. (This information is always included in the next weekly HTML TechNews email.)
- Security Alerts: Timely security updates and ASM attack signature updates from F5.
