Case Studies

F5 Uses CloudShark in the Fight Against DDoS

3 min read

One of f5 networks key solutions is its Silverline DDoS protection. The task of capturing, detecting, and filtering such massive attacks means they often go directly to raw packet data to root out customer problems. CloudShark’s collaboration tools have changed the way they deal with packet captures, saving them valuable time in an industry where seconds matter.

f5

The Challenge: Using Packet Captures to Stop Escalating and Complex Cyberattacks

Distributed Denial of Service (DDoS) attacks on networks and systems are on the rise, and attackers have better tools and techniques than ever before. Mitigating this danger is a challenge that f5’s Silverline team proudly accepts. With tools built by the most experienced DDoS fighting veterans, their scrubbing service takes customer network traffic, removes the bad traffic causing the attack, and passes on what is needed to keep operating.

“DDoS services of today are very different from what they were even 5 years ago,” said Dan Murphy, Director of Systems Architecture for f5 Silverline. “Customers demand greater and greater visibility not only into traffic and application statistics, but also raw captures. This is for a variety of purposes, including being able to replay them in their own lab environment or as a means to track back the attackers with law enforcement.”

“While doing analysis on some of the more complicated attacks it became apparent that the engineers and Security Operations Center (SOC) folks were all looking at slightly different pcap data,” said Dan. “This was due to time frame differences and/or different capture parameters, and that everyone was using different tools.”

The Solution: Using CloudShark to Simplify Collaboration

“We wanted a way of sharing pcaps between the engineers and SOC in a way that would allow them to collaborate with one another and ensure we’re all looking at the same data set,” said Dan. “We also wanted a way to annotate and point to key places in the capture that could be focused on.”

That’s where CloudShark came in. “Cloudshark gives us an interface to exchange that data with our customers complete with annotation and analysis,” said Dan. “The greatest benefit overall is the ability to collaborate and work on the same dataset and have it securely stored in one place.”

“It also means we’re all using the same tools, looking directly at the same view, and don’t need to install Wireshark on systems that don’t support it quite so well. We threw a party because we don’t have to install/run XQuartz anymore: I’m sure that will resonate with all the OSX users out there. 

Seamless Integration Through the CloudShark API

“One of the largest reasons for the success of Silverline has been our seamless integration with our vendors and the degree to which we’ve automated things,” said Dan. “It would be easy to pick some shiny widget in the CloudShark GUI and say ‘Oh! That’s shiny and wonderful’, but by far my favorite feature of CloudShark is the REST API.”

“Being able to automatically send in pcaps for analysis directly from our remote sensors, or sharing more and more with our customers via our portal, without having to copy, email or scp things around has been a huge time saver,” said Dan. “That’s important because in the DDoS business, seconds really do matter.”