
Architecture

This component provides an automated traffic generation platform that produces attack traffic, reconnaissance scans, bot simulation, and API abuse against an F5 Distributed Cloud HTTP load balancer. It is the “attacker” in a typical demo architecture — the source of malicious and suspicious traffic that F5 XC security features are designed to detect and block.

In the demo architecture:

Traffic Generator VM -> F5 XC HTTP LB (WAF/Bot/API/CSD) -> Origin Server VM

The Traffic Generator sends requests to the F5 XC load balancer’s public FQDN. The F5 XC platform inspects and filters the traffic before forwarding legitimate requests to the origin server. The operator then reviews the F5 XC security event logs to demonstrate detection and enforcement.

```mermaid
graph LR
    TG[Traffic Generator VM<br/>Ubuntu 24.04<br/>Standard_F16s_v2] -->|Attack Traffic<br/>HTTPS| XCHLB[F5 XC HTTP LB<br/>WAF / Bot Defense<br/>API Security / CSD]
    XCHLB -->|Filtered Traffic<br/>HTTP| ORIGIN[Origin Server VM<br/>nginx + Docker Apps]
    TG -->|Direct Baseline<br/>HTTP optional| ORIGIN
    RUNNER[runner.sh] --> SUITES[19 Traffic Suites]
    SUITES --> TG
```

The Traffic Generator VM runs on Azure with:

  • Ubuntu 24.04 LTS as the base image
  • 50+ security tools installed via cloud-init during provisioning
  • 19 organized traffic suites with numbered scripts executed in order
  • runner.sh orchestrator for suite execution with results logging
  • config.env for target configuration (FQDN, origin IP)

| Category | Tools | Purpose |
|---|---|---|
| Web Application Testing | nikto, sqlmap, nuclei, dalfox, ffuf, gobuster, feroxbuster, dirb, whatweb | WAF attack payload generation |
| Network Analysis | nmap, masscan, tshark, hping3, tcpdump, netcat, ngrep, iperf3, mtr | Reconnaissance and network probing |
| MITM and Proxy | mitmproxy, socat | Traffic interception and manipulation |
| SSL/TLS Testing | sslscan, sslyze, testssl.sh | TLS configuration scanning |
| Browser Automation | playwright, puppeteer, puppeteer-extra-plugin-stealth | Bot simulation with headless Chrome |
| Subdomain and DNS | subfinder, httpx, amass, dnsrecon, fierce, whois, dnsutils | Reconnaissance and enumeration |
| Credential Testing | hydra, medusa, ncrack | Authentication attack simulation |
| WAF Evasion Testing | gotestwaf, waf-bypass, wfuzz | Multi-layer encoding evasion and WAF bypass assessment |
| Exploit Frameworks | ZAP, Metasploit (full tier only) | Comprehensive vulnerability scanning |

The Traffic Generator supports two installation tiers controlled by the tool_tier Terraform variable:

The standard tier installs all tools listed in the tool catalog except ZAP and Metasploit. Provisioning completes in 15-20 minutes. This tier covers all 19 traffic suites and is sufficient for most demo scenarios.

The full tier adds OWASP ZAP and Metasploit Framework on top of the standard tier. Provisioning takes approximately 25 minutes. These tools are large (ZAP ~500 MiB, Metasploit ~1 GiB) and are only needed for advanced vulnerability scanning demos.

See the Azure pricing calculator for current VM costs. The default Standard_F16s_v2 is a compute-optimized instance suitable for sustained traffic generation.

This component integrates with two other demo components:

  • Origin Server — The target backend that hosts Juice Shop, DVWA, VAmPI, httpbin, and whoami. The Traffic Generator sends attack traffic through F5 XC to reach these applications. See Integration for full architecture details.

  • CSD Demo — The Client-Side Defense demo application on the origin server. The javascript-exploits traffic suite generates Magecart-style script injection payloads that F5 XC Client-Side Defense detects. This validates CSD Phase 2 functionality.

Each lab component is self-contained and deployed independently:

  • Traffic Generator (this component) provides the attack source
  • Origin Server provides the vulnerable application targets
  • CDN Simulator provides the CDN edge caching layer (optional)
  • F5 XC configuration provides WAF, Bot Defense, API Security, and CSD policies

The human operator or AI assistant adds components one at a time. Deploy the origin server first, configure F5 XC in front of it, then deploy the traffic generator targeting the F5 XC load balancer FQDN.