Traffic Generator
Deploy a traffic generation VM with 50+ security tools, 19 organized attack suites, and headless Chrome automation for comprehensive F5 XC demo validation.
What This Provides
Section titled “What This Provides”The Traffic Generator is a purpose-built Azure VM that produces realistic attack traffic, reconnaissance scans, bot simulation, and API abuse patterns against an F5 Distributed Cloud HTTP load balancer. It validates that WAF policies, Bot Defense, API Security, and Client-Side Defense are correctly configured by generating the exact traffic those features are designed to detect and block.
All tools are pre-installed via cloud-init during Terraform provisioning. Traffic is organized into suites that can be run individually or in sequence using the included runner.sh orchestrator.
Traffic Suite Categories
Section titled “Traffic Suite Categories”| Suite | Description | F5 XC Feature Validated |
|---|---|---|
| api-attacks | OWASP API Top 10, SQLMap API mode, parameter discovery, endpoint fuzzing | API Security |
| bot-simulation | Headless Chrome, Puppeteer stealth, Playwright automation, rapid crawling | Bot Defense |
| cdn-load-testing | Cache behavior, thundering herd, connection pool, HTTP/2 multiplexing | CDN Integration |
| crapi-exploits | BOLA, OTP bruteforce, JWT manipulation, SSRF, NoSQL injection, IDOR | API Security |
| csd-demo-attacks | Card skimmer, formjacker, keylogger, cryptominer, DOM hijack | Client-Side Defense |
| dvga-exploits | Batch query DoS, deep recursion, SQL injection, introspection abuse | API Security (GraphQL) |
| dvwa-exploits | Brute force, command injection, CSRF, file inclusion, SQLi, XSS | WAF |
| javascript-exploits | DOM manipulation, inline script injection, Magecart-style skimming payloads | Client-Side Defense |
| juice-shop-exploits | SQLi login bypass, XSS, IDOR, admin access, null byte file access | WAF, Bot Defense |
| mitre-attack | ATT&CK tactics: recon, initial access, credential access, exfiltration | WAF, Bot Defense, API Security |
| owasp-scanning | ZAP, Nikto, Nuclei, Nmap vulnerability scanning, combined OWASP report | WAF, Web App Scanning |
| performance-testing | Concurrency ramp, sustained load, spike testing, breakpoint discovery | DDoS, Rate Limiting |
| reconnaissance | Nmap, Masscan, Gobuster, Subfinder, directory brute-forcing | WAF / Bot Defense |
| restaurant-exploits | BOLA, BOPLA, BFLA, rate limiting bypass, JWT weak secret | API Security |
| ssl-scanning | SSLScan, sslyze, testssl.sh TLS configuration analysis | WAF |
| traffic-generation | High-volume legitimate HTTP traffic for baseline and load testing | All |
| waf-encoding-evasion | Multi-layer URL/HTML/Unicode encoding, mixed nested encoding, chunked TE, header injection | WAF |
| web-app-attacks | SQL injection, XSS, command injection, path traversal, Nikto, Nuclei | WAF |
| demoapp-attacks | SQLi, XSS, path traversal against F5 DemoApp WAF testing endpoints | WAF |
Architecture VM layout, tool categories, tiered installation, and integration points with origin-server and F5 XC.
Deploy Complete Terraform walkthrough: clone, configure, apply, and verify all tools are operational.
Tool Catalog Every installed tool organized by category with install method, example commands, and suite mappings.
Suite Reference Detailed description of each traffic suite, scripts, tools used, and expected F5 XC detection results.