F5 Distributed Cloud L3-L7 DDoS Mitigation


In this article you will learn how simple it is to use F5 Distributed Cloud to protect your application from DDoS attacks.  Some of the benefits of using F5 Distributed Cloud DDoS Mitigation are:

  • Ensure application and network availability during DDoS attacks​
  • Block the malicious traffic while allowing the good, ensuring a good user experience for applications and services​
  • Identify and mitigate sophisticated Layer 7 DoS attacks that exploit application & infrastructure weaknesses​
  • Block the attack where it originates with a global backbone and distributed DoS mitigation technology​
  • Protect small facility and cloud-based applications and services with DNS-based redirection

Layer 3/4 DDoS Mitigation is enabled by default and requires no configuration. 

DDoS Mitigation is included with the F5 Distributed Cloud service.

Configuring F5 Distributed Cloud DDoS Mitigation

From the F5 Distributed Cloud Console select Load Balancers to begin.

 For this article let’s assume you have configured a very basic HTTP Load Balancer named “my-web-app”.  On the right under Actions click the 3 dots and select Manage Configuration.

The Basic Configuration shows the Domain name, “mydomain.com” in this example.  The Load Balancer is configured as HTTPS with Automatic Certificate and an HTTP redirect to HTTPS.  TLS security is set to High.

Under Security Configuration you may need to scroll down and toggle the Show Advanced Fields button to On to view the DDoS configuration.

Scroll down to ML Config and select Single Load Balancer Application.

Disable API Discovery.

Scroll to the bottom and click Save and Exit.

The application is now protected from Layer 7 DDoS attacks.

How to know when a DDoS attack occurs?

Security Events will be generated when a DDoS attack occurs.  This can be viewed from the Security Monitoring Dashboard.

Select the DDoS Dashboard to view a geographical map that shows the location off the affected application.

Expand the DDoS Events for more detail.  Under Metric we can see that Error Rate and Request Rate were triggered.  Make a note of the Suspicious Users IP address so it can be blocked.

How to mitigate attacks?

Go back to Manage > Load Balancers.  Click the 3 dots under Actions and select Manage Configuration.

Click Edit Configuration on the top right.

Scroll down under Security Configuration.  Find the DDoS Mitigation Rules and click Configure.

 Click Add item.

Give it a name, “block-by-ip” in this example.

 Under Mitigation Choice > IP Source enter the IP prefixes you want to block.

Note: IP address is only being used as an example. notations can be used to block entire subnets.

Click Add item at the bottom.

Then click Apply.

Scroll to the bottom and click Save and Exit.

The attacking client has been blocked and will no longer trigger DDoS Events.


In this article you learned how to enable and configure L7 DDoS Mitigation with the F5 Distributed Cloud.  We also went over the monitoring of Security Events and what to do if a DDoS attack is detected. 

For further information or to get started:

  • F5 Distributed Cloud WAAP YouTube series (Link)
  • F5 Distributed Cloud WAAP Services (Link)
  • F5 Distributed Cloud WAAP Get Started (Link)

Tag: F5 XC DDoS Mitigation

Updated Apr 10, 2023
Version 3.0

Was this article helpful?

No CommentsBe the first to comment