F5 Distributed Cloud Bot Defense Protecting AWS CloudFront Distributions

In this article, I will show you how to easily protect your AWS CloudFront distributions with F5 Distributed Cloud (XC) Bot Defense. We will take advantage of AWS Lambda@Edge and the AWS Serverless Application Repository (SAR) to integrate with the F5 XC Bot Defense API.

Amazon CloudFront is a content delivery network (CDN) operated by Amazon Web Services. Content delivery networks provide a globally-distributed network of proxy servers that cache content, such as web videos or other bulky media, more locally to consumers, thus improving access speed for downloading the content.

F5's Distributed Cloud Bot Defense combined with Amazon's CloudFront to protect your vital applications from malicious traffic is an effective and robust solution.

General Overview of Architecture

Create a new Bot Defense application for AWS CloudFront

Log in to your F5 Distributed Cloud Console
Go to the Dashboard page of XC console and click Bot Defense
Fig 1: Image showing available features

Verify you are in the correct Namespace. Click Add Application at the top-left of the page.

Fig 2: Image showing Bot Defense Applications

Add a Name for the Application, and a Description.
Select a region (US, EMEA, or APJC).
For Connector Type, select AWS CloudFront.

Fig 3: Image showing connector options

Once AWS CloudFront is selected, options appear to configure AWS reference details.

Add AWS Reference Information

Enter your AWS 12-digit Account Number.
Specify your AWS Configuration and add your CloudFront distribution; a Distribution ID and/or a Distribution Tag. You can add one or more distributions. This information is needed to associate your newly created protected application to your AWS distribution(s).

Fig 4: Image showing location to add distribution ID's

Add Protected Endpoints

Click Configure to define your protected endpoints.

Fig 5: Image showing endpoint menu

Click Add Item
Enter a name and a description to the specific endpoint.
Specify the Domain Matcher. You can choose any domain or specify a specific host value.
Specify the Path to the endpoint (such as /login).
Choose the HTTP Methods for which request will be analyzed by Bot Defense. Multiple methods can be selected.
Select the Client type that will access this endpoint (Web Client).
Select the Mitigation action to be taken for this endpoint:
- Continue (request continues to origin)
- Redirect. Provide the appropriate Status Code and URI
- Block. Provide the Status Code, Content Type, and Response message
  Fig 6: Image showing endpoint configs
When done configuring the endpoint, click Apply.
To continue, click Apply at the bottom of the page.

Define Continue Global Mitigation Action

The Header Name for Continue Mitigation Action field is the header that is added to the request when the Continue mitigation action is selected and Add A Header was selected in the endpoint mitigation configuration screen.

Define Web Client JavaScript Insertion Settings

JS Location - Choose the location where to insert the JS in the code:

Just After <head> tag.
Just After </title> tag.
Right Before <script> tag.

Under Java Script Insertions. Select Configure.

Fig 7: Image showing Javascript insertion menu

Click Add Item
Add the Web Client JavaScript Path. You should select paths to HTML pages that end users are likely to visit before they browse to any protected endpoint.
Click Apply
Click Save & Exit to save your protected application configuration.

Fig 8: Image showing Javascript insertion config

Download Config File and AWS Installer Tool

In the Actions column of the table, click the 3 ellipses (…) on your application. Download both the Config File and the AWS Installer.

Fig 9: Image showing download options

Log in to your AWS Console

Login to AWS Console home page.
Select AWS Region Northern Virginia (US-EAST-1).

Use the search to find Serverless Application Repository and click it
Click Available Applications and search with "F5"
Fig 11: Image showing F5 Bot Defense application
Click the F5BotDefense tile

This will take you to the Lambda page. Here you will be creating and deploying a Lambda Function

Click Deploy to install the F5 Connector for CloudFront
Deploying the F5 Connector creates a new Lambda Application in your AWS Account. AWS sets the name of the new Lambda Application to start with serverlessrepo-.
The deployment can take some time. It is complete when you see the serverlessrepo-F5BotDefense-* of type Lambda Function.

You can click on the name to review contents of the installed Lambda Function.

Fig 13: Image showing lambda function details

Switch to AWS CloudShell

Configuration of the F5 Connector in AWS is best done via the F5 CLI tool. It is recommended to use the AWS CloudShell in us-east-1 region to avoid any issues.

After starting AWS CloudShell, click Actions and Upload file.

Upload the files you downloaded from the F5 XC Console, config.json and f5tool. (Only one file at a time can be uploaded)

Run bash f5tool --install <config.json>. Installation can take up to 5 minutes.
Note: Copy pasting the command may not work and so type it manually.

The installation tool saves the previous configuration of each CloudFront Distribution in a file. You can use the F5 tool to restore a saved Distribution config (thus removing F5 Bot Defense).

Note: Your F5 XC Bot Defense configuration, such as protected endpoints, is sensitive security info and is stored in AWS Secrets Manager. You should delete config.json after CLI installation.

Validate CloudFront Distribution Functions

Navigate to CloudFront > Distributions and select the distribution you are protecting.
Then go to Behaviors

Here under Behaviors are where you specify which request/response is forwarded to the Lambda@Edge Function to process with F5 XC Bot Defense.

F5 XC Bot Defense requires us to leverage Viewer Request and Origin Request events.
These events need to be available for user to use (IE they have not assigned other Functions)

The AWS Installer tool that we downloaded from Distributed Cloud Console and ran in the AWS CloudShell configured this for us.

AWS CloudWatch

AWS CloudWatch contains logs for Lambda function deployed by F5BotDefense serverless application.

The Log group name starts with /aws/lambda/us-east-1.serverlessrepo-F5BotDefense-F5BotDefense-*.
The logs of lambda function can be found in the region closest to the location where the function executed.

For troubleshooting, look for error messages contained in the links under Log steams.

View Bot Traffic

Now let’s return to F5 XC Console and show the monitoring page.

Log in to your F5 Distributed Cloud Console
Go to the Dashboard page of XC console and click Bot Defense.

Make sure you are in the correct Namespace

Under Overview click Monitor

Fig 19: Image showing Bot Defense monitoring dashboard

Here you can monitor and respond to events that are identified as Bot traffic.

Conclusion

That is all that is required to deploy F5 XC Bot Defense to protect your AWS Cloud Front distributions from mailicious bots protecting yourself from fraud and abuse.