F5®DDoS Hybrid Defender™ protects your organization against a wide range of
DDoS attacks using a multi-pronged approach. By combining on-premises and cloud technologies,
analytics, and advanced methods, DDoS Hybrid Defender is a hybrid solution that detects
network and application layer attacks, and is easy to deploy and manage.
DDoS Hybrid Defender mitigates against the full spectrum of DDoS attacks including:
Network capacity attacks
DNS and SIP protocol volumetric
HTTP and HTTPS volumetric attacks
HTTP and HTTPS CPU-based (heavy URL)
You can specify which objects to protect on the network, assigning the appropriate
protections to network devices and application servers, and prevent attackers from exhausting
network resources and impacting application availability. DDoS Hybrid Defender can be
installed for high availability (two systems) or as a stand-alone system.
The deployment you use for DDoS Hybrid
Defender depends on the needs of your organization. For maximum DDoS protection, it is
recommended that you deploy DDoS Hybrid Defender inline. However, it can also be deployed out
of band, or in locations where symmetric data flows are not guaranteed. Typical locations for
the placement of DDoS Hybrid Defender are at the edge of the network or at the edge of the
data center as shown in the figure.
DDoS Hybrid Defender provides maximum protection
when deployed inline in one of two ways:
Bridged mode with
For bridged mode, you can place DDoS Hybrid Defender in transparent
mode on a link between two Layer 3 devices. This way, the IP addresses on each end of the
link do not have to change. You do this by creating VLAN groups on DDoS Hybrid Defender. The
VLANs and the VLAN group configured are purely internal, and are used to bridge traffic from
one port to another within DDoS Hybrid Defender.
For routed mode,
you can insert DDoS Hybrid Defender at the edge of the network without disturbing the
current configuration. It is possible to pick and choose the networks whose traffic goes
through the DDoS Hybrid Defender, and let the rest continue to follow the path it was
Step by step instructions are provided in the
Out of band
You can deploy DDoS Hybrid Defender out of band in
Set up a Layer 2
switch with span ports so that it mirrors traffic onto DDoS Hybrid Defender.
devices so that they send Netflow data to DDoS Hybrid Defender.
If using span ports, you can configure DDoS Hybrid Defender to
perform DDoS detection by listening to traffic that is mirrored from a Layer 2 switch. Of
the various ports that can be mirrored on the DDoS Hybrid Defender, it is usually best to
mirror the Layer 2 switch ports that connect to the firewall. Since firewalls are stateful
devices, traffic typically flows through them in a symmetric fashion. Thus, mirroring the
ports connected to the firewalls is a good way to send all the packets in a session directed
through the firewall and on to DDoS Hybrid Defender. Using span ports, DDoS Hybrid Defender
can use all L2 to L7 DDoS detection mechanisms.
can configure DDoS Hybrid Defender to detect DDoS attacks by examining Netflow traffic sent
to it. In this case, you can deploy DDoS Hybrid Defender anywhere in the network and
configure it to receive Netflow streams on a Netflow listener IP address and port. Netflow
traffic should be allowed through any firewalls that are in the path from devices sending
Netflow data to the DDoS Hybrid Defender.
Step by step
instructions are provided in the installation chapter.
Example DDoS Hybrid Defender deployment
DDoS Hybrid Defender guards against multiple types of attacks including
protection for the device, protection for the data center, networks, and, optionally,
offloading using F5 Silverline cloud-based services.
Here is how it works: A DDoS Hybrid Defender system that is deployed in
your network defends against DDoS Layer 3 through Layer 7 attacks as long the upstream
Internet pipe is not saturated. When the upstream pipe is flooded, DDoS Hybrid Defender can
signal the F5 Silverline Cloud Platform to help mitigate the attack. DDoS Hybrid Defender
sends Silverline Cloud Platform the information that an attack was detected, and provides the
application or CIDR definition, destination subnet, attack type, and the attack size.
The Hybrid Signaling feature enables enterprises with DDoS Hybrid Defender to integrate with
F5 Silverline to divert traffic during large attacks. The F5 Silverline Cloud Platform scrubs
the volumetric attack traffic and forwards the clean traffic to the customer’s networks. The
clean traffic is sent through GRE tunnels that were set up between the Silverline scrubbing
centers and the customer’s networks.