F5 technology

Interesting concept

Internal Users should be treated the same as external users

D30 use this product on their Internet project. They have V13. D30 will want to add Popup Capacture, I am guessing for login.

D30 have 2 teams for looking after this product.

Hosted on Ooredoo


This uses a custom F5 specification.


FreeBSD based, F5OS. This is the OS at the core of the BSD.


Built in the F5 factory.

All F5 is totally an Appliance

Load Balancing

F5 caches - Squid based for static content; for active content, F5 builds and then caches.

F5 also changes the Web queries to use zip (built into all modern browsers).

It looks at the

- FMODIFY header

This header comes back from the Server - if the header says No Change, then F5 Renders the cached page.


It can use the standard algorithm - but F5 has its own mechanism

- Checks 
  - Speed
  - Errors
  - Quality


F5 sends a good morning query every 5s... this can be altered and customised.

Marked as Down

Typically after 3 failures F5 will flag the server as down and will then move the traffic to the other service.

If the server then starts again, you can optionally tell F5 that it should only send data to the machine on a manual approval basis.
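
The monitor behaviour described above (probe every 5 s, mark down after 3 failures, optional manual approval before a recovered server rejoins), as an added Python example that is not F5 code or configuration. The member names, the `manual_resume` flag and the probe results are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import cycle

PROBE_INTERVAL_S = 5  # the notes' "every 5s"; configurable on a real device

@dataclass
class Member:
    name: str
    fail_threshold: int = 3       # "typically 3 failures"
    manual_resume: bool = False   # hypothetical name for the manual-approval option
    state: str = "up"             # up | down | awaiting_approval
    failures: int = 0

    def record_probe(self, ok: bool) -> str:
        """Feed one health-check result and return the resulting state."""
        if not ok:
            self.failures += 1
            if self.failures >= self.fail_threshold:
                self.state = "down"
        else:
            self.failures = 0
            if self.state == "down":
                # Recovered: rejoin at once, or wait for an operator.
                self.state = "awaiting_approval" if self.manual_resume else "up"
        return self.state

    def approve(self) -> None:
        """Operator action: put a recovered member back into rotation."""
        if self.state == "awaiting_approval":
            self.state = "up"

def simulate(probes_a, manual_resume):
    """Replay constructed probe results for web-a while web-b stays healthy.

    Returns a list of (seconds, state of web-a, member that gets the request).
    """
    a = Member("web-a", manual_resume=manual_resume)
    b = Member("web-b")
    rr = cycle([a, b])  # round-robin over the pool
    timeline = []
    for tick, ok in enumerate(probes_a):
        a.record_probe(ok)
        b.record_probe(True)
        target = next(m for m in rr if m.state == "up")  # skip non-up members
        timeline.append((tick * PROBE_INTERVAL_S, a.state, target.name))
    return timeline
```

Note that between the first failed probe and the third, web-a is still "up" and can still receive requests; the threshold trades faster failover against flapping on a single lost probe.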

Multiple Data Centres

Apply a F5 DNS feature - which links the 2 data Centres.

The DNS Query then checks which Site is available.

This means that the 2 Appliances (F5) talk amongst themselves on a secure port 5334

All Etisalat traffic is served by 2 F5 appliances (Max Bandwidth 600Gb - currently using 175 Gb)

F5 Counterattack

It uses a Browser Identification mechanism. Switch Proxy.


Intrusion Detection Techniques


F5 can alter the return values from the Web page. I.e. it alters the database name, the Server type. In other words it masks what the real software/hardware is behind the F5.

Web Page Hacking - 0Day

F5 can be configured to "learn" what values are entered into the URL Requests.

This means if you have a login page....

  • Username
    • Length 8
    • Characters A-Za-z
  • Password
    • Length 8
    • Characters A-Za-z0-9

So if you manipulate a URL Request (when hacking), F5 will drop a request that has a username of $HACKERZ$RUle because it does not match the signature.
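
The learned-profile check described above, as an added Python example that is not F5 code: it derives a maximum length and character class per parameter from constructed known-good login requests, then reports why a request would be dropped. The function names, the two character classes and the training data are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl

# Character classes tried from narrowest to widest (illustrative set).
CLASSES = [("A-Za-z", re.compile(r"[A-Za-z]*")),
           ("A-Za-z0-9", re.compile(r"[A-Za-z0-9]*"))]

def learn(samples):
    """Build {param: (max_len, class_name)} from known-good form bodies."""
    seen = {}
    for body in samples:
        for name, value in parse_qsl(body, keep_blank_values=True):
            seen.setdefault(name, []).append(value)
    profile = {}
    for name, values in seen.items():
        # Narrowest class that covers every observed value, or None.
        cls = next((c for c, rx in CLASSES
                    if all(rx.fullmatch(v) for v in values)), None)
        profile[name] = (max(map(len, values)), cls)
    return profile

def check(profile, body):
    """Return a list of violations; an empty list means the request passes."""
    rx_by_name = dict(CLASSES)
    problems = []
    # parse_qsl percent-decodes, so %24 is checked as the '$' it encodes.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name not in profile:
            problems.append(f"{name}: unexpected parameter")
            continue
        max_len, cls = profile[name]
        if len(value) > max_len:
            problems.append(f"{name}: length {len(value)} > {max_len}")
        if cls and not rx_by_name[cls].fullmatch(value):
            problems.append(f"{name}: characters outside {cls}")
    return problems

# Constructed training traffic for a login form.
TRAINING = ["username=alicebob&password=Passw0rd",
            "username=CarolDan&password=hunter22",
            "username=eve&password=abc123XY"]
```

A profile is only as good as the traffic it learned from: a legitimate 9-character username would be dropped here until the profile is relearned or widened.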



 ping -c 6000000 <Target>


  ab -n 1000 -c 100 http://localhost:4567/

F5 does this due to load balancing.

Drops Requests

These requests will be dropped

- Browser less
- headless

This is how to create the header

import requests

url = 'http://www.ichangtou.com/#company:data_000008.html'
headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}

response = requests.get(url, headers=headers)

Future Prediction

F5 tracks IP hosts and adds them to a reputation db.

F5 gathers

- Botnets
- Attackers
- Anonymous Addresses
- Scanner
- Geolocation Database

In theory this means a hacker will be blocked due to his IP/signature.

Anonymous Proxy

Check the use of this

# This is a simple port-forward / proxy, written using only the default python
# library. If you want to make a suggestion or fix something you can contact-me
# at voorloop_at_gmail.com
# Distributed over IDC(I Don't Care) license
import socket
import select
import time
import sys

# Changing the buffer_size and delay, you can improve the speed and bandwidth.
# But when buffer get to high or delay go too down, you can broke things
buffer_size = 4096
delay = 0.0001
forward_to = ('smtp.zaz.ufsk.br', 25)


class Forward:
    def __init__(self):
        self.forward = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    def start(self, host, port):
        # Returns the connected upstream socket, or False on failure.
        try:
            self.forward.connect((host, port))
            return self.forward
        except Exception as e:
            print(e)
            return False


class TheServer:
    input_list = []
    channel = {}

    def __init__(self, host, port):
        self.server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.server.bind((host, port))
        self.server.listen(200)

    def main_loop(self):
        self.input_list.append(self.server)
        while 1:
            time.sleep(delay)
            ss = select.select
            inputready, outputready, exceptready = ss(self.input_list, [], [])
            for self.s in inputready:
                if self.s == self.server:
                    self.on_accept()
                    break
                self.data = self.s.recv(buffer_size)
                if len(self.data) == 0:
                    self.on_close()
                    break
                else:
                    self.on_recv()

    def on_accept(self):
        forward = Forward().start(forward_to[0], forward_to[1])
        clientsock, clientaddr = self.server.accept()
        if forward:
            print(clientaddr, "has connected")
            self.input_list.append(clientsock)
            self.input_list.append(forward)
            self.channel[clientsock] = forward
            self.channel[forward] = clientsock
        else:
            print("Can't establish connection with remote server.", end=" ")
            print("Closing connection with client side", clientaddr)
            clientsock.close()

    def on_close(self):
        print(self.s.getpeername(), "has disconnected")
        # remove objects from input_list
        self.input_list.remove(self.s)
        self.input_list.remove(self.channel[self.s])
        out = self.channel[self.s]
        # close the connection with client
        self.channel[out].close()  # equivalent to do self.s.close()
        # close the connection with remote server
        self.channel[self.s].close()
        # delete both objects from channel dict
        del self.channel[out]
        del self.channel[self.s]

    def on_recv(self):
        data = self.data
        # here we can parse and/or modify the data before send forward
        print(data)
        self.channel[self.s].sendall(data)


if __name__ == '__main__':
    server = TheServer('', 9090)
    try:
        server.main_loop()
    except KeyboardInterrupt:
        print("Ctrl C - Stopping server")
        sys.exit(1)


Apparently the F5 "defence app"

  • checks the IMEI
  • checks the Client Key certificate
  • checks it is not jailbroken

If this passes....

    - Username
    - Password


        - Sends an SMS saying please use this 1 time pad


F5 will turn the VDI data-channel from the Client to the VDI Server image, into HTTPS data streams.

Then all traffic from the F5 to the Virtual Servers will be in native protocol.

This is nice

Lookup - further checks

monkey quest hack


DNS comes with AD, it is the 2nd most hacked protocol.


DNS Amplification
DNS Poisoning

To improve resilience, modify the DNS definitions.

Instead of being an A Record - Authority - put the hostname as being Reflective, i.e. go and check on some other server.


F5 custom application, for protection against Phishing & Malware.

Command and Control

Check out



F5 can provide a service that tracks if your web site has been duplicated and rehosted.


typing onto a web page - F5 can add a Layer 7 encryption to this data. This data then when it is sent to the Server is encrypted at the

Layer 7 - Application

Layer 5 - Session

Data Obfuscation

F5, obfuscates the fields and the internal classes.

I can see this working on the Client Data that is submitted - The server response will also be obfuscated !!! THIS MAKES SCRAPING IMPOSSIBLE BY NAME

But ...

WEB SCRAPING By Hierarchy is Possible