Manual Chapter: Common elements for DoS and DNS tasks

Applies To:


BIG-IP ASM

  • 15.0.0, 14.1.0

Common elements for DoS and DNS tasks

Use these common elements in your DoS tasks.
  1. Select the Threshold Sensitivity. Select Low, Medium, or High. A lower setting means the automatic threshold algorithm is less sensitive to changes in traffic and CPU usage, but will also trigger fewer false positives.
  2. On the Main tab, click DoS Configuration > Device Protection.
  3. On the Main tab, click Security > DoS Protection > Device Protection.
  4. On the Main tab, click DoS Configuration > Protection Profiles.
  5. On the Main tab, click Security > DoS Protection > Protection Profiles.
    The Protection Profiles list screen opens.
  6. Click the name of the protection profile to edit, or create a new one.
  7. For Families, select the types of vectors to include in the protection profile.
  8. In the Vector Name column, click the name of any vector to edit the settings.
    The vector settings appear on the right, in the Properties pane.
  9. To fully enforce the DoS vector, make sure the State is set to Mitigate (watch, learn, alert, and mitigate).
    Other options allow you to Detect Only (watch, learn, and alert) or Learn Only (collect stats, no mitigation).
    If you have enforced most of the vectors at the device level using Device Protection, you can focus on adjusting the vector thresholds that vary for specific protected objects.
  10. By default, the system enforces all of the vectors at some level. To enforce the DoS vector, make sure the State is set to Mitigate (watch, learn, alert, and mitigate).
    Other options allow you to Detect Only (watch, learn, and alert) or Learn Only (collect stats, no mitigation).
    For most DoS vectors, you want to enforce the vector. Set a vector to Disabled (no stat collection, no mitigation) only when you find that enforcement of the vector is disrupting legitimate traffic. For example, if you test a legitimate packet with the packet tester and find a DoS vector is preventing packet transmission, you can adjust the thresholds or disable the vector to remedy the issue.
  11. On the Main tab, click Security > DoS Protection > Device Protection.
    The DoS Device Protection screen opens.
  12. On the Main tab, click Security > DoS Protection > Device Protection.
    The DoS Device Protection screen opens.
  13. On the Main tab, click DoS Configuration > Device Protection.
    The DoS Protection Device Configuration screen opens.
  14. On the Main tab, click Security > DoS Protection > Device Protection.
    The DoS Protection Device Configuration screen opens.
  15. On the Main tab, click Security > DoS Protection > Device Protection.
    The Device Protection screen opens.
  16. On the Main tab, click Security > DoS Protection > Device Protection.
    The Device Protection screen opens.
  17. From the Log Publisher list, select a destination to which the BIG-IP system sends DoS and DDoS log entries.
    You can review, create, and update log publishers in System > Logs > Configuration > Log Publishers.
  18. Click Whitelist.
    The DoS Protection Whitelist screen opens.
  19. Click Create.
    The New Protection Profile screen opens.
  20. Click Create.
    The New Protection Profile screen opens.
  21. Expand Whitelists and, in the Whitelist Address List field, begin typing the name of the address list to use as the whitelist, and select the address list when the name appears.
  22. If you have created a whitelist on the system, from the Default Whitelist list, select the list.
    You can also click Manage Address Lists to jump to the Address Lists screen, where you can create or edit address lists.
  23. Type a Name for the address list.
  24. Optionally, type a Description for the address list.
  25. In the Contents field, type an address, and click Add. Repeat this step to add all items you want on the whitelist.
    You can type an IP address, a geographic location, or the name of another address list. Begin typing, and select the object when the name appears.
  26. Click Create.
    The New Whitelist Configuration screen opens.
  27. In the Name field, type the name for the profile.
  28. Click Finished.
    The DoS Protection: Protection Profiles screen opens.
  29. Click the name of the protection profile you want to modify.
  30. In the Name field, type a name for the whitelist entry.
  31. In the Description field, type a description for the whitelist entry.
  32. From the Protocol list, select the protocol for the whitelist entry.
    The options are Any, TCP, UDP, ICMP, or IGMP.
  33. To allow the DoS vector thresholds to be automatically adjusted, for Threshold Mode, select Fully Automatic (available only for DNS, Flood, SIP, some Fragmentation, and a few other vectors).
    Automatic thresholding is not available for every DoS vector. In particular, error packets that are broken by their nature, such as those listed under Bad Headers, must be configured manually.
    1. In the Attack Floor EPS field, type the minimum number of events per second of the vector type to allow before automatically calculated thresholds are determined.
      Because automatic thresholds take time to be reliably established, this setting defines the minimum packets allowed before automatic thresholds are calculated.
    2. In the Attack Ceiling EPS field, specify the absolute maximum allowable for packets of this type before automatically calculated thresholds are determined.
      Because automatic thresholds take time to be reliably established, this setting rate limits packets to the events per second setting, when specified. To set no hard limit, set this to Infinite.
      Unless set to Infinite, if the packet rate exceeds the ceiling value, the system considers it to be an attack.
  34. If you use automatic threshold configuration, in the Attack Floor EPS field, specify the minimum number of events per second of the vector type to allow before automatically calculated thresholds are determined.
    Because automatic thresholds take time to be reliably established, this setting defines the minimum packets allowed before automatic thresholds are calculated.
  35. If you use automatic threshold configuration, in the Attack Ceiling EPS field, specify the absolute maximum allowable for packets of this type before automatically calculated thresholds are determined.
    Because automatic thresholds take time to be reliably established, this setting rate limits packets to the events per second setting, when specified. To set no hard limit, set this to Infinite.
  36. To configure DoS vector thresholds manually, for Threshold Mode, select Fully Manual.
    1. From the Detection Threshold EPS list, select Specify or Infinite.
      Use Specify to set a value (in events per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack as long as the threshold is exceeded.
      Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
    2. From the Detection Threshold Percent list, select Specify or Infinite.
      Use Specify to set a value (in percentage of traffic) for the attack detection threshold. Use Infinite to set no value for the threshold.
    3. From the Mitigation Threshold EPS list, select Specify or Infinite.
      Use Specify to set a value (in events per second) which cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
      Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  37. In the Source area, specify the IP address and VLAN combination that serves as the source of traffic that the system recognizes as acceptable to pass the DoS checks.
    You can also use Any to specify any address or VLAN.
  38. For the Destination setting, specify the IP address and port combination that serves as the intended destination for traffic that the system recognizes as acceptable to pass DoS checks.
    You can also use Any to specify any address or port.
  39. To configure DNS security settings, for Families, select DNS.
  40. To configure SIP security settings, for Families, select SIP.
  41. To configure network security settings, click Network Security.
  42. In the Category column, expand the Single-Endpoint category.
  43. In the Category column, expand the Flood category.
  44. Click UDP Flood.
    The UDP Flood Properties pane opens on the right side of the screen.
  45. Click Single Endpoint Flood.
    The Single Endpoint Flood Properties pane opens on the right side of the screen.
  46. Click Single Endpoint Sweep.
    The Single Endpoint Sweep Properties pane opens on the right side of the screen.
  47. In the Packet Type area, select the packet types you want to detect for this attack type in the Available list, and move them to the Selected list.
  48. To enable attack detection based on the rate of protocol errors, next to Protocol Errors Attack Detection, click Edit in the far right column, then select Enabled.
  49. To enable Behavior Analysis, next to Behavior Analysis, click Edit in the far right column, then select Enabled.
    Behavior analysis detects and reports suspicious behavior that might indicate a DoS attack.
  50. Under Dynamic Signatures, from the Enforcement list, select Learn-Only.
  51. In the Properties pane, for Dynamic Signature Enforcement, from the list, select Enabled.
    At first, you may want to select Learn Only to track dynamic signatures without enforcing any thresholds or limits. Once you see that the system is accurately detecting attacks, select Enabled.
  52. From the Mitigation Sensitivity list, select the sensitivity level for dropping packets.
    • Select None to generate and log dynamic signatures without dropping packets.
    • To drop packets, set the mitigation level from Low to High. A setting of Low is least aggressive, but will also trigger fewer false positives. A setting of High is most aggressive, and the system may drop more false positive packets.
  53. For Network vectors only: To have dynamic signatures handled by an IP Intelligence category, from the Redirection/Scrubbing list, select Enabled.
  54. If using Redirection/Scrubbing to redirect traffic identified by dynamic signatures, from the Scrubbing Category list, select the IP Intelligence category to assign to the scrubbed packets.
  55. In the Scrubbing Advertisement Time field, specify the amount of time during which an IP address remains in the blacklist category (the default is 300 seconds).
  56. To configure settings for a specific network DoS attack type, click the name of the attack in the Attack Type column.
    Settings for the attack open in the Properties pane on the right of the screen.
  57. To change the threshold, rate increase, rate limit, and blacklist settings for a sweep attack, in the Network Attack Types area, click Edit in the far right column, select Sweep, and select the Enabled check box. Change the values for Threshold, Rate Increase, and Rate Limit in the associated fields.
    For example, to change the detection threshold for IP fragments to 9,999 per second, or an increase of 250% over the average, in Attack Types, click IP Fragment Flood, select the Enabled check box next to IP Fragment Flood, then set the Threshold field to 9999 and the Rate Increase field to 250. To rate limit such requests to 33,000 events per second, set the Rate Limit field to 33000.
    The Rate Increase compares the average rate over the last minute to the average rate over the last hour. For example, a 500% base rate would indicate an attack if the average rate for the previous hour was 100000 packets/second, and over the last minute the rate increased to 500000 packets/second.
    The Attack Types area allows you to configure the thresholds at which the firewall registers an attack. However, packets are dropped at the Rate Limit setting, not at the attack detection threshold.
  58. For Threshold Sensitivity, select Low, Medium, or High.
    Low means the automatic threshold calculations are less sensitive to changes in traffic and CPU usage. A lower setting causes the system to adjust the thresholds more slowly over time, but will also trigger fewer false positives. If traffic rates are consistent over time, set this to Medium or High, because even a small variation in generally consistent traffic could signal an attack. If traffic patterns vary, set this to Low to get fewer false positives.
  59. In the IP Intelligence area, select Categorize address as Black list category and configure the settings. You can select a black list category from the list, and specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
  60. In the Rate threshold field, type the rate of packets with errors per second to detect.
    This threshold sets an absolute limit which, when exceeded, registers an attack.
  61. In the Rate limit field, type the absolute limit for events per second with protocol errors. Packets that exceed this limit are dropped.
  62. From the Detection Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  63. From the Detection Threshold % list, select Specify or Infinite.
    • Use Specify to set a value (in percentage of traffic) for the attack detection threshold. If packets of the specified types cross the threshold, expressed as a percentage of the 1-hour average, an attack is logged and reported. The system continues to check every second and registers an attack as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  64. From the Mitigation Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second) which cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
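The following is an added example, not F5 code from this chapter: a per-second model of the Fully Manual thresholds from steps 36 and 62-64 together with the Rate Increase check from step 57, showing that detection thresholds only log an attack while the Mitigation Threshold EPS (the Rate Limit) is the only setting that drops traffic. The traffic samples are constructed and reuse the chapter's own numbers (9999 / 250% / 33000 and 100000 to 500000); treating a missing 1-hour baseline as "no relative comparison" is an assumption.

```python
"""Per-second model of manual DoS vector thresholds (added example, not F5 code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class VectorThresholds:
    # None stands for the UI choice "Infinite": no value is set for that threshold.
    detection_eps: Optional[int] = None        # Detection Threshold EPS
    detection_percent: Optional[int] = None    # Detection Threshold %, relative to the 1-hour average
    mitigation_eps: Optional[int] = None       # Mitigation Threshold EPS (the Rate Limit)


@dataclass
class SecondResult:
    second: int
    events: int
    detected: bool        # an attack is logged and reported for this second
    reasons: List[str]    # which detection thresholds fired
    passed: int           # events forwarded
    dropped: int          # excess events above the mitigation threshold


def rate_increase_attack(minute_avg: float, hour_avg: float, rate_increase_percent: float) -> bool:
    """Rate Increase: the last-minute average reaches the given percentage of the
    last-hour average (500% with 100000 pps over the hour means 500000 pps)."""
    if hour_avg <= 0:
        return False  # assumption: no baseline yet, so no relative comparison
    return minute_avg >= hour_avg * rate_increase_percent / 100.0


def evaluate_second(second: int, events: int, hour_avg: float, t: VectorThresholds) -> SecondResult:
    """Evaluate one second of events for a vector in Fully Manual mode."""
    reasons: List[str] = []
    # Detection Threshold EPS: logged and reported while the rate exceeds the value.
    if t.detection_eps is not None and events > t.detection_eps:
        reasons.append("detection_eps")
    # Detection Threshold %: the rate reaches the percentage of the 1-hour average.
    if (t.detection_percent is not None and hour_avg > 0
            and events >= hour_avg * t.detection_percent / 100.0):
        reasons.append("detection_percent")
    # Mitigation Threshold EPS: only the excess above the value is dropped.
    if t.mitigation_eps is not None and events > t.mitigation_eps:
        passed = t.mitigation_eps
    else:
        passed = events
    return SecondResult(second, events, bool(reasons), reasons, passed, events - passed)


def run_vector(per_second_events: List[int], hour_avg: float, t: VectorThresholds) -> List[SecondResult]:
    """Check every second, as the system does, and return the per-second results."""
    return [evaluate_second(i, e, hour_avg, t) for i, e in enumerate(per_second_events)]


if __name__ == "__main__":
    # Step 57's example: Threshold 9999, Rate Increase 250, Rate Limit 33000.
    sample = [5000, 12000, 40000]  # constructed per-second IP fragment counts
    for r in run_vector(sample, hour_avg=4000, t=VectorThresholds(9999, None, 33000)):
        print(r)
    print(rate_increase_attack(sum(sample) / len(sample), 4000, 250))
    print(rate_increase_attack(500000, 100000, 500))  # the chapter's 500% example
```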
  65. Click Simulate Auto Threshold to log a simulated attack event that the system identifies as a DoS attack according to the automatic thresholds, while still enforcing the manual thresholds.
    This setting allows you to see the results of auto thresholds on the selected DoS vector without actually affecting traffic. The system displays the current computed thresholds for automatic thresholds for this vector. Automatic thresholds are computed and enforced only when you select Fully Automatic for a vector.
  66. In the Additional Actions area, select Categorize address and configure the settings. You can select a black list category from the list, specify the detection time in seconds after which the attacking endpoint is blacklisted, and specify the duration for which the address remains assigned to the category. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds), and the IP address is blacklisted for 4 hours (14400 seconds).
  67. Select the Add Destination Address to Category check box to enable automatic blacklisting.
  68. In the Sustained Attack Detection Time field, specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
  69. In the Category Duration Time field, specify the length of time in seconds that the address will remain on the blacklist. The default is 14400 seconds (4 hours).
  70. From the Category Name list, select a black list category to apply to automatically blacklisted addresses.
  71. To detect IP address sources from which possible attacks originate, enable Bad Actor Detection.
    Bad Actor Detection is not available for every vector.
  72. In the Per Source IP Detection Threshold EPS field, specify the number of events of this type per second from one IP address that identifies the IP source as a bad actor, for purposes of attack detection and logging.
  73. In the Per Source IP Mitigation Threshold EPS field, specify the number of events of this type per second from one IP address, above which rate limiting or leak limiting occurs.
  74. To automatically blacklist bad actor IP addresses, select Add Source Address to Category.
    For this to work, you need to assign an IP Intelligence policy to the appropriate context (device, virtual server, or route domain). For the device, assign a global policy at Security > Network Firewall > IP Intelligence > Policies. For the virtual server or route domain, assign the IP Intelligence policy on the Security tab.
  75. Under Profile Information, click General Settings.
  76. From the list of Source IP Address Whitelist items, select the address list to apply as whitelisted addresses to the DoS profile.
  77. From the Category Name list, select the blacklist category to which to add blacklist entries generated by Bad Actor Detection.
  78. Specify the Sustained Attack Detection Time, in seconds, after which an IP address is blacklisted.
  79. To change the duration for which the address is blacklisted, specify the duration in seconds in the Category Duration Time field. The default duration for an automatically blacklisted item is 4 hours (14400 seconds).
    After this time period, the IP address is removed from the blacklist.
  80. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement.
    To advertise to edge routers, you must configure a Blacklist Publisher and Publisher Profile at Security > Options > External Redirection > Blacklist Publisher.
  81. To change the duration for which the address is blacklisted, specify the duration in seconds in the Category Duration Time field. The default duration for an automatically blacklisted item is 4 hours (14400 seconds).
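As an added example (not F5 code), the following simulates the Bad Actor Detection lifecycle from steps 71-81: a source is detected once it exceeds the Per Source IP Detection Threshold EPS, rate limited to the Per Source IP Mitigation Threshold EPS, added to the category after the Sustained Attack Detection Time (60 s by default) and removed after the Category Duration Time (14400 s by default). Two assumptions are made: each call covers one second, and a second below the detection threshold resets the sustained-attack counter; the category name and addresses are constructed placeholders.

```python
"""Bad Actor Detection with automatic blacklisting (added example, not F5 code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class BadActorConfig:
    detection_eps: int                 # Per Source IP Detection Threshold EPS
    mitigation_eps: int                # Per Source IP Mitigation Threshold EPS
    sustained_seconds: int = 60        # Sustained Attack Detection Time (default 60 s)
    category_seconds: int = 14400      # Category Duration Time (default 14400 s)
    category_name: str = "example_blacklist"  # Category Name (placeholder value)


@dataclass
class BadActorState:
    sustained: Dict[str, int] = field(default_factory=dict)   # ip -> consecutive seconds over detection EPS
    blacklist: Dict[str, int] = field(default_factory=dict)   # ip -> second at which the entry expires
    log: List[str] = field(default_factory=list)


def expire_entries(state: BadActorState, now: int) -> None:
    """Remove addresses whose Category Duration Time has elapsed."""
    for ip in [ip for ip, expiry in state.blacklist.items() if now >= expiry]:
        del state.blacklist[ip]
        state.log.append(f"{now}: {ip} removed from blacklist")


def process_second(now: int, per_ip_events: Dict[str, int], cfg: BadActorConfig,
                   state: BadActorState) -> Dict[str, Tuple[int, int]]:
    """Apply one second of per-source event counts; returns ip -> (passed, dropped)."""
    expire_entries(state, now)
    result: Dict[str, Tuple[int, int]] = {}
    for ip, events in per_ip_events.items():
        # Mitigation: this source is rate limited to the per-source mitigation EPS.
        passed = min(events, cfg.mitigation_eps)
        result[ip] = (passed, events - passed)
        # Detection: count consecutive seconds above the per-source detection EPS.
        if events > cfg.detection_eps:
            state.sustained[ip] = state.sustained.get(ip, 0) + 1
            if state.sustained[ip] == 1:
                state.log.append(f"{now}: {ip} detected as bad actor ({events} eps)")
            if state.sustained[ip] >= cfg.sustained_seconds and ip not in state.blacklist:
                expiry = now + cfg.category_seconds
                state.blacklist[ip] = expiry
                state.log.append(f"{now}: {ip} added to {cfg.category_name} until {expiry}")
        else:
            state.sustained[ip] = 0  # assumption: a quiet second resets the sustained counter
    return result


def simulate(samples: List[Tuple[int, Dict[str, int]]], cfg: BadActorConfig) -> BadActorState:
    """Run a constructed list of (second, {ip: events}) samples and return the final state."""
    state = BadActorState()
    for now, per_ip in samples:
        process_second(now, per_ip, cfg, state)
    return state


if __name__ == "__main__":
    # Compressed timings so the whole lifecycle is visible in a few seconds.
    cfg = BadActorConfig(detection_eps=100, mitigation_eps=150, sustained_seconds=3, category_seconds=10)
    samples = [(t, {"203.0.113.9": 400, "198.51.100.4": 50}) for t in range(3)] + [(12, {})]
    for line in simulate(samples, cfg).log:
        print(line)
```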
  82. From the Port List Type list, select Include All Ports or Exclude All Ports.
    An Include list checks all the ports you specify in the Port List, using the specified threshold criteria, and ignores all others.
    An Exclude list excludes all the ports you specify in the Port List from checking, using the specified threshold criteria, and checks all others. To check all UDP ports, specify an empty exclude list.
  83. In the UDP Port List area, type a port number to add to an exclude or include UDP port list.
  84. In the UDP Port List area, select the mode for each port number you want to add to an exclude or include UDP port list.
    • None does not include or exclude the port.
    • Source only includes or excludes the source port.
    • Destination only includes or excludes the destination port.
    • Both Source and Destination includes or excludes both the source and destination ports.
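An added example (not F5 code) of the UDP Port List semantics from steps 82-84 as a filter: an Include list checks only the listed ports, an Exclude list checks everything except them (so an empty exclude list checks every UDP port), and each entry's mode decides whether it matches the source port, the destination port, or either. Treating Both Source and Destination as a match on either port is an assumption; the port numbers and packets are constructed.

```python
"""UDP Port List include/exclude filter with per-port modes (added example, not F5 code)."""
from enum import Enum
from typing import Dict, List, Tuple


class PortListType(Enum):
    INCLUDE_ALL_PORTS = "include"   # check listed ports, ignore all others
    EXCLUDE_ALL_PORTS = "exclude"   # skip listed ports, check all others


class PortMode(Enum):
    NONE = "none"                          # entry neither includes nor excludes the port
    SOURCE_ONLY = "source"
    DESTINATION_ONLY = "destination"
    BOTH_SOURCE_AND_DESTINATION = "both"   # assumption: matches if either port equals the entry


def entry_matches(mode: PortMode, port: int, src_port: int, dst_port: int) -> bool:
    """Does one port-list entry apply to this packet, given the entry's mode?"""
    if mode is PortMode.SOURCE_ONLY:
        return port == src_port
    if mode is PortMode.DESTINATION_ONLY:
        return port == dst_port
    if mode is PortMode.BOTH_SOURCE_AND_DESTINATION:
        return port in (src_port, dst_port)
    return False  # PortMode.NONE


def udp_vector_checks_packet(list_type: PortListType, port_list: Dict[int, PortMode],
                             src_port: int, dst_port: int) -> bool:
    """True if the UDP Flood vector applies its threshold criteria to this packet."""
    listed = any(entry_matches(mode, port, src_port, dst_port) for port, mode in port_list.items())
    if list_type is PortListType.INCLUDE_ALL_PORTS:
        return listed
    return not listed  # an empty exclude list therefore checks every UDP packet


def partition_packets(list_type: PortListType, port_list: Dict[int, PortMode],
                      packets: List[Tuple[int, int]]):
    """Split (src_port, dst_port) pairs into those the vector counts and those it ignores."""
    checked: List[Tuple[int, int]] = []
    ignored: List[Tuple[int, int]] = []
    for src, dst in packets:
        (checked if udp_vector_checks_packet(list_type, port_list, src, dst) else ignored).append((src, dst))
    return checked, ignored


if __name__ == "__main__":
    # Constructed list: DNS replies by destination, NTP on either side, SIP entry left at None.
    ports = {53: PortMode.DESTINATION_ONLY, 123: PortMode.BOTH_SOURCE_AND_DESTINATION, 5060: PortMode.NONE}
    sample = [(40000, 53), (53, 40000), (123, 40000), (40000, 5060), (40000, 80)]
    for list_type in PortListType:
        print(list_type.name, partition_packets(list_type, ports, sample))
```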
  85. In the Rate Increased by % field, type the rate of change in protocol errors to detect as anomalous.
    The rate of detection compares the average rate over the last minute to the average rate over the last hour. For example, a 500% base rate would indicate an attack if the average rate for the previous hour was 100000 packets/second, and over the last minute the rate increased to 500000 packets/second.
  86. To change the threshold or rate increase for a particular network attack, in the Attack Type column, click the name of the attack.
    The DoS attack Properties pane appears on the right side of the screen.
  87. In the Properties pane, from the State list, choose the appropriate enforcement option.
    • Select Mitigate to enforce the configured DoS vector by examining packets, logging the results of the vector, learning patterns, alerting to trouble, and mitigating the attack (watch, learn, alert, and mitigate).
    • Select Detect Only to configure the vector, log the results of the vector without applying rate limits or other actions, and alert to trouble (watch, learn, and alert).
    • Select Learn Only to configure the vector and log the results of the vector, without applying rate limits or other actions (watch and learn).
    • Select Disabled to disable logging and enforcement of the DoS vector (no stat collection, no mitigation).
  88. To configure enforcement and settings for a DNS vector, in the Vector Name column, click the name.
    The vector properties pane opens on the right.
  89. To change the threshold or rate increase for a particular SIP vector, in the Attack Type column, click the vector name.
    The vector Properties pane opens on the right.
  90. On the Main tab, click Security > DoS Protection > Device Configuration.
    The Device Configuration screen opens.
  91. On the Main tab, click Security > Protocol Security > Security Profiles > DNS.
    The DNS Security Profiles list screen opens.
  92. From the Query Type list, select how to handle query types you add to the Active list.
    • Select Inclusion to allow packets with the DNS query types and header opcodes you add to the Active list, and drop all others.
    • Select Exclusion to deny packets with the DNS query types and header opcodes you add to the Active list, and allow all others.
  93. In the Query Type Filter setting, move query types to filter for inclusion or exclusion from the Available list to the Active list.
  94. In the Header Opcode Exclusion setting, move header types to filter for exclusion from the Available list to the Active list.
    Only the query opcode is available for header exclusion.
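As an added example (not F5 code), the following parses the opcode and first QTYPE out of a DNS message and applies the Query Type filter from steps 92-94 in Inclusion or Exclusion mode, with the Header Opcode Exclusion applied as a separate drop of listed opcodes (a modelling simplification). Query messages are constructed inline with a small builder; names are placeholders.

```python
"""DNS Query Type inclusion/exclusion filter over real message bytes (added example, not F5 code)."""
import struct
from typing import Iterable, Tuple

# Subset of RFC 1035 / 3596 / 2782 names as the UI lists them (lower-cased here).
QTYPE_NAMES = {1: "a", 2: "ns", 6: "soa", 12: "ptr", 15: "mx", 16: "txt", 28: "aaaa", 33: "srv", 255: "any"}
OPCODE_NAMES = {0: "query", 1: "iquery", 2: "status", 4: "notify", 5: "update"}


def parse_query(msg: bytes) -> Tuple[str, str]:
    """Return (opcode_name, qtype_name) for the first question in a DNS message."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    opcode = (flags >> 11) & 0xF          # OPCODE occupies bits 11-14 of the flags word
    if qdcount < 1:
        raise ValueError("no question section")
    pos = 12
    while True:                            # walk the QNAME labels to find QTYPE
        if pos >= len(msg):
            raise ValueError("truncated question name")
        length = msg[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1 + length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return OPCODE_NAMES.get(opcode, f"opcode{opcode}"), QTYPE_NAMES.get(qtype, f"type{qtype}")


def dns_filter_allows(msg: bytes, query_type_mode: str, active_qtypes: Iterable[str],
                      excluded_opcodes: Iterable[str] = ()) -> bool:
    """Apply Header Opcode Exclusion, then the Query Type filter (inclusion or exclusion)."""
    opcode, qtype = parse_query(msg)
    if opcode in set(excluded_opcodes):    # only "query" is offered for exclusion in the UI
        return False
    in_active = qtype in set(active_qtypes)
    if query_type_mode == "inclusion":
        return in_active                   # allow Active list types, drop all others
    if query_type_mode == "exclusion":
        return not in_active               # deny Active list types, allow all others
    raise ValueError("query_type_mode must be 'inclusion' or 'exclusion'")


def build_query(name: str, qtype: int, opcode: int = 0, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS query message (constructed test input)."""
    flags = ((opcode & 0xF) << 11) | 0x0100          # RD set, QR clear
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    any_query = build_query("example.com", 255)
    print(parse_query(any_query))
    print(dns_filter_allows(any_query, "exclusion", {"any"}))   # ANY denied by an exclusion list
    print(dns_filter_allows(any_query, "inclusion", {"a", "aaaa"}))
```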
  95. Click the name of an existing protection profile (or create a new one).
    The Protection Profile Properties screen for that profile opens.
  96. Click the name of an existing DoS profile (or create a new one, then open it), and click the Application Security tab.
  97. On the left, under Application Security, click General Settings, and ensure that Application Security is enabled.
    The screen displays additional settings.
  98. If you have written an application DoS iRule to specify how the system recovers after a DoS attack, select the Trigger iRule setting.
    For complete iRules information, visit https://devcentral.f5.com.
  99. In the Latency-based Anomaly area, for Operation Mode, select an operation mode to determine how the system reacts when it detects a DoS attack.
    • Transparent: Displays data about DoS attacks on the DoS: Application reporting screen but does not block requests.
    • Blocking: Applies the necessary mitigation steps to suspicious IP addresses, URLs, geolocations, or site-wide. Also displays information about DoS attacks on the DoS: Application reporting screen.
    The screen displays additional configuration settings when you select an operation mode.
  100. On the left, under Application Security, click TPS-based Detection.
    The screen displays TPS-based DoS Detection settings.
  101. On the left, under Application Security, click Behavioral & Stress-based Detection.
    The screen displays Behavioral & Stress-based DoS Detection settings.
  102. Click Edit All.
    You can also edit each setting separately instead of editing them all at once.
    The screen opens the settings for editing.
  103. For Operation Mode, select the option to determine how the system reacts when it detects a DoS attack.
    • Transparent: Displays data about DoS attacks on the DoS reporting screens, but does not block requests or perform any of the mitigations.
    • Blocking: Applies the necessary mitigation steps to suspicious IP addresses, geolocations, URLs, or the entire site. Also displays information about DoS attacks on the DoS reporting screens.
    • Off: Turns this type of DoS detection off.
    The screen displays additional configuration settings when you select an operation mode.
  104. For Stress-based Detection and Mitigation, specify how to identify and stop DoS attacks. By default, source IP addresses and URLs are enabled to detect DoS attacks. You can specify other detection methods, and, if setting thresholds manually, adjust the thresholds for each of the settings as needed.
    • By Source IP: Specifies conditions for when to treat an IP address as an attacker. The system calculates one automatic threshold for the most accessed source IP addresses, and another threshold for the rest.
    • By Device ID: Specifies conditions for when to treat a device as an attacker. For automatic thresholds, one threshold is calculated for highly accessed device IDs, and another for the rest.
    • By Geolocation: Specifies when to treat a particular country as an attacker. If using automatic thresholds, the system calculates thresholds for the top 20 geolocations, setting different thresholds for every hour of the day. Thus, thresholds calculated at 9:00 AM are based on data from 8:00-9:00 AM, and are used at 8:00 AM the next day.
    • By URL: Specifies when the system treats a URL as under attack. For automatic thresholds, one threshold is calculated for highly accessed URLs, and another for the rest. (Heavy URLs are not included in the calculations.)
    • Site Wide: Specifies conditions for how to determine when the entire web site is under attack. For automatic thresholds, one threshold is used sitewide.
    At least one mitigation method must be selected before you can edit the detection settings. If the specified thresholds in the settings are reached, the system limits the number of requests per second to the history interval and uses the selected mitigation methods described here. These methods do not apply to Behavioral DoS.
    • Client Side Integrity Defense: Sends a JavaScript challenge to determine whether the client is a legal browser or an illegal script. Only used when the Operation Mode is set to Blocking.
    • CAPTCHA Challenge: Issues a CAPTCHA challenge to the traffic identified as suspicious by source IP address, geolocation, URL, or site wide.
    • Request Blocking: Specifies how and when to block (if the operation mode is set to Blocking) or report (if the operation mode is set to Transparent) suspicious requests. Select Block All to block all suspicious requests or Rate Limit to reduce the number of suspicious requests.
  105. On the Properties pane, for
    State
    , select
    Mitigate
    .
  106. For
    Threshold Mode
    , select
    Fully Manual
    .
  107. For
    IP Detection Criteria
    , modify the threshold values as needed.
    This setting appears if at least one of these
    Prevention Policy
    settings is selected:
    Source IP-Based
    in Client Side Integrity Defense,
    Source IP-Based
    in the CAPTCHA challenge, or
    Source IP-Based Rate Limit
    in Request Blocking.
    If any of these criteria is met, the system handles the attack according to the
    Prevention Policy
    settings.
    TPS increased by
    Specifies that the system considers an IP address to be that of an attacker if the transactions sent per second have increased by this percentage, and the detected TPS is greater than the
    Minimum TPS Threshold for detection
    . The default value is
    500%
    .
    TPS reached
    Specifies that the system considers an IP address to be suspicious if the number of transactions sent per second from an IP address equals, or is greater than, this value. This setting provides an absolute value, so, for example, if an attack increases the number of transactions gradually, the increase might not exceed the
    TPS increased by
    threshold and would not be detected. If the TPS reaches the
    TPS reached
    value, the system considers traffic to be an attack even if it did not meet the
    TPS increased by
    value. The default value is
    200
    requests per second.
    Minimum TPS Threshold for detection
    Specifies that the system considers an IP address to be an attacker if the detected TPS for a specific IP address equals, or is greater than, this number, and the
    TPS increased by
    number was reached. The default setting is
    40
    transactions per second.
    If these thresholds are reached the system treats the IP address as an attacker, and prevents further attacks by limiting the number of requests per second to the history interval.
  108. For
    Geolocation Detection Criteria
    , modify the threshold values as needed.
    This setting appears only if one of the
    Geolocation-based
    options is selected in the
    Prevention Policy
    .
    Geolocation traffic share increased by
    Specifies that a country should be considered suspicious if the number of requests from that country has increased by this percentage. The default value is
    500%
    .
    Geolocation traffic share is at least
    Specifies that a country should be considered suspicious if, of all the requests to the web application, the number of requests from that country is at least this percentage. The default value is
    10%
    .
    If both of these criteria are met, the system treats traffic from the country as an attack, and limits requests from that country to the rate observed during the history interval.
  109. For
    Detection Criteria
    , modify the threshold values as needed.
    If any of these criteria is met, the system handles the attack according to the
    Prevention Policy
    settings.
    Latency increased by
    Specifies that the system considers traffic to be an attack if the latency has increased by this percentage, and the minimum latency threshold has been reached. The default value is
    500%
    .
    Latency reached
    Specifies that the system considers traffic to be an attack if the latency is greater than this value. This setting provides an absolute value, so, for example, if an attack increases latency gradually, the increase might not exceed the
    Latency increased by
    threshold and would not be detected. If server latency reaches the
    Latency reached
    value, the system considers traffic to be an attack even if it did not meet the
    Latency increased by
    value. The default value is
    10000
    ms.
    Minimum Latency Threshold for detection
    Specifies that the system considers traffic to be an attack if the latency measured for a specific URL during the detection interval equals, or is greater than, this number, and the
    Latency increased by
    threshold was also reached. The default setting is
    200
    ms.
    Click the
    Set default criteria
    link to reset these settings to their default values.
  110. For the
    Prevention Duration
    setting, specify the time spent in each mitigation step until deciding to move to the next mitigation step.
    Option
    Description
    Escalation Period
    Specifies the minimum time spent in each mitigation step before the system moves to the next step when preventing attacks against an attacker IP address or attacked URL. During a DoS attack, the system performs attack prevention for the amount of time configured here for the mitigation methods that are enabled. If after this period the attack is not stopped, the system enforces the next enabled prevention step. Type a number between
    1
    and
    3600
    . The default is
    120
    seconds.
    De-escalation Period
    Specifies the time spent in the final escalation step before the system retries the steps, using the mitigation methods that are enabled. Type a number between
    0
    (meaning the steps are never retried) and
    86400
    seconds; any nonzero value must be greater than the escalation period. The default value is
    7200
    seconds (2 hours).
    DoS mitigation is reset after 2 hours, even if the detection criteria still hold, regardless of the value set for the
    De-escalation Period
    . If the attack is still taking place, the system detects a new attack and mitigation starts over, retrying all the mitigation methods. If you set the
    De-escalation Period
    to less than 2 hours, the reset occurs more frequently.
  111. For
    Suspicious IP Criteria
    , modify the threshold values as needed.
    This setting appears if at least one of these
    Prevention Policy
    settings is selected:
    Source IP-Based
    for Client Side Integrity Defense or the CAPTCHA challenge, or
    Source IP-Based Rate Limit
    for Request Blocking.
    TPS increased by
    Specifies that the system considers an IP address to be that of an attacker if the transactions sent per second have increased by this percentage, and the detected TPS for a specific IP address is equal to or greater than the
    Minimum TPS Threshold
    . The default value is
    500%
    .
    TPS reached
    Specifies that the system considers an IP address to be suspicious if the number of transactions sent per second from an IP address equals, or is greater than, this value. This setting provides an absolute value, so, for example, if an attack increases the number of transactions gradually, the increase might not exceed the
    TPS increased by
    threshold and would not be detected. If the TPS reaches the
    TPS reached
    value, the system considers traffic to be an attack even if it did not meet the
    TPS increased by
    value. The default value is
    200
    TPS.
    Minimum TPS Threshold for detection
    Specifies that the system considers an IP address to be an attacker if the detected TPS for a specific IP address equals, or is greater than, this number, and the
    TPS increased by
    number was reached. The default setting is
    40
    transactions per second.
    If any of these criteria is met, the system handles the attack according to the
    Prevention Policy
    settings.
  112. For
    Suspicious Geolocation Criteria
    , modify the threshold values as needed.
    This setting appears only if one of the
    Geolocation-Based
    options is selected in the
    Prevention Policy
    .
    Geolocation traffic share increased by
    Specifies that the system considers a country to be suspicious if the number of requests from a country has increased by this percentage. The default value is
    500%
    .
    Geolocation traffic share is at least
    Specifies that a country should be considered suspicious if, of all the requests to the web application, the number of requests from that country is at least this percentage. The default value is
    10%
    .
    If both of these criteria are met, the system treats traffic from the country as an attack, and limits requests from that country to the rate observed during the history interval.
  113. For
    Suspicious Site-Wide Criteria
    , modify the threshold values as needed.
    This setting appears only if using site-wide prevention policies.
    TPS increased by
    Specifies that the system considers a whole site to be under attack if the transactions sent per second to the site have increased by this percentage, and the detected site-wide TPS is equal to or greater than the
    Minimum TPS Threshold
    . The default value is
    500%
    .
    TPS reached
    Specifies that the system considers a whole site to be under attack if the number of requests sent per second is equal to or greater than this number. The default value is
    10000
    TPS.
    Minimum TPS Threshold for detection
    Specifies that the system considers a whole site to be under attack if the detected TPS is equal to or greater than this number, and the
    TPS increased by
    number was reached. The default setting is
    2000
    TPS.
    If any of these criteria is met, the system handles the attack according to the
    Prevention Policy
    settings.
  114. For
    Suspicious URL Criteria
    , modify the threshold values as needed.
    This setting appears if at least one of these
    Prevention Policy
    settings is selected:
    URL-Based
    for Client Side Integrity Defense or CAPTCHA Challenge, or
    URL-Based Rate Limit
    for Request Blocking.
    TPS increased by
    Specifies that the system considers a URL to be under attack if the transactions sent per second to the URL have increased by this percentage, and the detected TPS for that URL is equal to or greater than the
    Minimum TPS Threshold
    . The default value is
    500%
    .
    TPS reached
    Specifies that the system considers a URL to be suspicious if the number of transactions sent per second to the URL is equal to or greater than this value. This setting provides an absolute value, so, for example, if an attack increases the number of transactions gradually, the increase might not exceed the
    TPS increased by
    threshold and would not be detected. If the TPS reaches the
    TPS reached
    value, the system considers traffic to be an attack even if it did not meet the
    TPS increased by
    value. The default value is
    1000
    TPS.
    Minimum TPS Threshold for detection
    Specifies that the system considers a URL to be under attack if the detected TPS for a specific URL equals, or is greater than, this number, and the
    TPS increased by
    number was reached. The default setting is
    40
    transactions per second.
    If any of these criteria is met, the system handles the attack according to the
    Prevention Policy
    settings.
  115. For
    URL Detection Criteria
    , modify the threshold values for when the system treats a URL to be under attack.
    This setting appears only if
    Prevention Policy
    is set to
    URL-Based
    for Client Side Integrity Defense or CAPTCHA Challenge, or
    URL-Based Rate Limit
    for Request Blocking.
    TPS increased by
    Specifies that the system considers a URL to be under attack if the transactions sent per second to the URL have increased by this percentage, and the detected TPS for that URL is equal to or greater than the
    Minimum TPS Threshold for detection
    . The default value is
    500%
    .
    TPS reached
    Specifies that the system considers a URL to be suspicious if the number of transactions sent per second to the URL is equal to or greater than this value. This setting provides an absolute value, so, for example, if an attack increases the number of transactions gradually, the increase might not exceed the
    TPS increased by
    threshold and would not be detected. If the TPS reaches the
    TPS reached
    value, the system considers traffic to be an attack even if it did not meet the
    TPS increased by
    value. The default value is
    1000
    TPS.
    Minimum TPS Threshold for detection
    Specifies that the system considers a URL to be under attack if the detected TPS for a specific URL equals, or is greater than, this number, and the
    TPS increased by
    number was reached. The default setting is
    200
    transactions per second.
    If any of these criteria is met, the system handles the attack according to the
    Prevention Policy
    settings.
  116. For
    Site-Wide Detection Criteria
    , modify the threshold values for when the system treats a website as being under attack.
    This setting appears only if using site-wide prevention policies.
    TPS increased by
    Specifies that the system considers a whole site to be under attack if the transactions sent per second have increased by this percentage, and the detected TPS is greater than the
    Minimum TPS Threshold for detection
    . The default value is
    500%
    .
    TPS reached
    Specifies that the system considers a whole site to be under attack if the number of requests sent per second is equal to or greater than this number. The default value is
    10000
    TPS.
    Minimum TPS Threshold for detection
    Specifies that the system considers a whole site to be under attack if the detected TPS is equal to or greater than this number, and the
    TPS increased by
    number was reached. The default setting is
    2000
    TPS.
    If any of these criteria is met, the system handles the attack according to the
    Prevention Policy
    settings. This mitigation method is used last because it may drop some legitimate requests.
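    The TPS criteria in steps 108 through 116 and the latency criteria in step 109 all share one shape: a relative "increased by" rise that only counts once the "Minimum ... Threshold for detection" floor is also met, plus an absolute "reached" ceiling that is sufficient on its own. The geolocation criteria differ in that both of their conditions must hold. The following Python is an added example, not F5 code, that models those rules with the page's default values and runs them over constructed measurements. It assumes the baseline is the history-interval average and that the percentage increase is computed as (current - baseline) / baseline; the page does not state how BIG-IP computes either, and the sample numbers are invented for illustration.

```python
# Added example (not F5 code): models the detection criteria described in
# steps 108 through 116 as a function over (baseline, current) measurements,
# using the defaults the page gives. Assumption: "baseline" is the
# history-interval average; the page does not define how it is computed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Criteria:
    """One 'increased by / reached / minimum' triple, for TPS or latency."""
    increase_pct: float   # "... increased by": relative rise over the baseline
    reached: float        # "... reached": absolute ceiling, checked on its own
    minimum: float        # "Minimum ... Threshold for detection": floor that
                          # must also hold before the relative rise counts


# Page defaults per scope (steps 111, 113, 114, 115, 116, and the latency
# criteria of step 109). Units are TPS, except "latency" which is milliseconds.
DEFAULTS = {
    "ip":             Criteria(increase_pct=500, reached=200,   minimum=40),
    "suspicious_url": Criteria(increase_pct=500, reached=1000,  minimum=40),
    "url":            Criteria(increase_pct=500, reached=1000,  minimum=200),
    "site":           Criteria(increase_pct=500, reached=10000, minimum=2000),
    "latency":        Criteria(increase_pct=500, reached=10000, minimum=200),
}


def percent_increase(baseline: float, current: float) -> float:
    """Relative rise in percent. Assumption: (current - baseline) / baseline."""
    if baseline <= 0:
        return float("inf") if current > 0 else 0.0
    return (current - baseline) / baseline * 100.0


def detect(scope: str, baseline: float, current: float):
    """Return (attack, reason) for one scope.

    The absolute 'reached' value is sufficient alone, so a slow ramp that never
    shows a 500% jump is still caught; the relative 'increased by' value only
    counts once the 'minimum' floor is met, so a quiet source going from
    5 TPS to 35 TPS is not flagged even though that is a 600% rise.
    """
    c = DEFAULTS[scope]
    if current >= c.reached:
        return True, "reached"
    if percent_increase(baseline, current) >= c.increase_pct and current >= c.minimum:
        return True, "increased by"
    return False, ""


def detect_geolocation(baseline_share_pct: float, current_share_pct: float,
                       increase_pct: float = 500, min_share_pct: float = 10):
    """Geolocation criteria (steps 108 and 112): BOTH conditions must hold."""
    rose = percent_increase(baseline_share_pct, current_share_pct) >= increase_pct
    return rose and current_share_pct >= min_share_pct


def run_constructed_samples():
    """Constructed measurements (not real traffic) exercising each branch."""
    samples = [
        # (label, scope, baseline, current)
        ("slow ramp, caught by absolute ceiling",    "ip",      100,   200),
        ("quiet source, 600% jump but under floor",  "ip",        5,    35),
        ("quiet source, 800% jump over floor",       "ip",        5,    45),
        ("normal variation",                         "ip",      100,   120),
        ("site-wide flood, relative",                "site",   1500,  9500),
        ("site-wide high but flat",                  "site",   9000,  9900),
        ("latency jump on a URL",                    "latency",  50,   350),
        ("latency saturating",                       "latency", 3000, 10000),
    ]
    return {label: detect(scope, b, cur) for label, scope, b, cur in samples}


if __name__ == "__main__":
    for label, (attack, reason) in run_constructed_samples().items():
        print(f"{'ATTACK' if attack else 'ok    '} {reason:12} {label}")
    print("geo share 2% -> 15%:", detect_geolocation(2, 15))
    print("geo share 20% -> 40%:", detect_geolocation(20, 40))
```

    The "quiet source" pair is the case worth keeping in mind when tuning: lowering the minimum threshold below the natural per-client rate of your application turns ordinary bursts into detections, while raising the "reached" ceiling too high means a patient attacker who ramps slowly is never caught by the relative criterion at all.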
  117. Click
    Update
    to save the DoS profile.
  118. Click
    Update
    to save the device configuration.
  119. For automatic blacklisting, click
    Attacked Destination Detection
    , and configure the additional settings as for Bad Actor Detection.
  120. Set the
    Threshold Mode
    for the vector.
    • If the attack allows automatic threshold configuration, you can select
      Fully Automatic
      or
      Manual Detection/Auto Mitigation
      to configure automatic or partially automatic thresholds.
    • To configure thresholds manually, click
      Fully Manual
      .
  121. To set the mitigation state for one or more attack types, select the check box next to the vector name or names, and from the
    Set State
    list at the bottom of the screen, select
    Mitigate
    ,
    Detect Only
    , or
    Disable
    .
    The selected state is applied to all selected vectors.
  122. If desired, you can configure threshold settings for multiple DDoS vectors.
    1. Select the check box next to the vector names.
    2. At the bottom of the screen, click
      Set Threshold Mode
      , and choose the threshold setting.
      Select
      Fully-automatic
      for the system to set the thresholds for the vectors that use auto-thresholding. See
      Automatically setting DDoS thresholds for Protected Objects
      for details.
      To work accurately, using fully automatic thresholds requires some amount of historical data on the system gathered through observing normal traffic. Therefore, it is recommended that you not enforce auto thresholds directly after installation.
      To configure thresholds manually, click
      Manual
      . See
      Manually setting DDoS thresholds for protected objects
      for details.
      Choose
      Manual Detection/Auto-Mitigation
      to configure thresholds manually but have the system automatically mitigate system stress.
  123. Click a family (
    Network
    ,
    DNS
    , or
    SIP
    ) to display the associated attack vectors.
    A table opens listing the attack vectors, the properties, and the current device statistics, if available.
  124. Click a family (
    Network
    ,
    DNS
    ,
    SIP
    , or
    HTTP
    ) to display the associated attack vectors.
    A table opens listing the attack vectors, the properties, and the current device statistics, if available.
  125. In the
    Attack Type
    column, click the name of any attack type to edit the settings.
    The attack type settings appear on the right, in the Properties pane.
  126. When you finish adjusting the settings, click
    Commit Changes to System
    .
  127. On the Main tab, click
    Security
    DoS Protection
    Protection Profiles
    .
    The Protection Profiles list screen opens.
  128. If the vector includes other settings, such as Bad Actor Detection and Attacked Destination Detection, configure them as needed. If using automatic blacklisting with Bad Actor Detection, be sure to assign a global IP intelligence policy to the device (
    Security
    Network Firewall
    IP Intelligence
    Policies
    ).