Manual Chapter : Preventing Attacks with Eviction Policies and Connection Limits

Applies To:

BIG-IP AFM

  • 14.1.3, 14.1.2, 14.1.0

What are eviction policies and connection limits?

An eviction policy provides the system with guidelines for how aggressively it discards flows from the flow table. You can customize the eviction policy to prevent flow table attacks, in which a large number of slow flows is used to exhaust system resources. An eviction policy also sets how the system responds to such flow problems, and you can attach eviction policies globally, to route domains, and to virtual servers, protecting the system, applications, and network segments with a high level of customization.

A connection limit provides a hard limit on the number of connections allowed on a virtual server or on a route domain. If you set such a limit, connection attempts that exceed it are refused.

Task list

Creating an eviction policy

You can create eviction policies to control the granularity and aggressiveness with which the system discards flows.
  1. On the Main tab, click DoS Configuration > Eviction Policy.
  2. Click Create.
    The New Eviction Policy screen opens.
  3. In the Name field, type a name for the eviction policy.
  4. In the Trigger fields, type a high and low water mark for the eviction policy.
    These values specify the percentage of the flow quota for this context at which flow eviction starts (high water mark) and stops (low water mark).
  5. Enable Slow Flow Monitoring to monitor flows that the system considers slow, and specify the slow flow threshold in bytes per second.
    With these settings, the system monitors for flows that stay below the slow flow threshold for more than 30 seconds.
  6. In the Grace Period field, you can set a grace period, in seconds, between the detection of slow flows that meet the threshold requirement and the purging of those flows according to the Slow Flow Throttling settings.
  7. In the Slow Flow Throttling area, set the slow flow throttling options.
    Disabled: Slow flows are monitored, but are not removed from the system when the threshold requirement is met for 30 seconds.
    Absolute: Slow flows are removed from the system when the threshold requirement is met for 30 seconds. An absolute limit removes all slow flows beyond the specified absolute number of flows.
    Percent: Slow flows are removed from the system when the threshold requirement is met for 30 seconds. A percentage limit removes that percentage of the slow flows that exceed the slow flow threshold, so the default value of 100% removes all slow flows that exceed the slow flow threshold, after the grace period.
  8. For Strategies, configure the strategies that the eviction policy uses to remove flows by moving algorithms from the Available list to the Selected list.
  9. Click Finished.
The eviction policy appears in the Eviction Policy List.
To use an eviction policy, associate it with a protected object or a route domain. You can configure a global eviction policy at System > Configuration > Local Traffic > General.
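The trigger, slow flow monitoring, grace period and throttling settings above interact in a way that is easier to see in code. The following is an added illustrative model, not BIG-IP code and not a description of the product's internal algorithm: the class names, fields, sample flows and rates are constructed for this example. It shows the hysteresis between the high and low water marks, the 30-second slow flow window, the grace period, and the difference between Absolute and Percent throttling.

```python
"""Toy model of an eviction policy's triggers: high/low water marks, slow
flow monitoring and slow flow throttling.  Constructed for this example;
the class names, fields and sample numbers are assumptions, not BIG-IP
code or the product's internal algorithm."""
from dataclasses import dataclass
from typing import List, Optional

SLOW_FLOW_WINDOW = 30.0  # seconds below threshold before a flow counts as slow


@dataclass
class Flow:
    flow_id: str
    last_rate_bps: float = 0.0
    slow_since: Optional[float] = None  # time the flow first fell below threshold


@dataclass
class EvictionPolicy:
    quota: int                      # flow-table capacity for this context
    high_water: float               # percent of quota at which eviction starts
    low_water: float                # percent of quota at which eviction stops
    slow_flow_threshold_bps: Optional[float] = None  # None = monitoring off
    grace_period: float = 0.0       # seconds between detection and purge
    throttling: str = "disabled"    # "disabled", "absolute" or "percent"
    throttle_value: float = 100.0   # flow count (absolute) or percent (percent)
    evicting: bool = False

    def update_trigger(self, flows_in_table: int) -> bool:
        """Hysteresis between the two water marks: eviction starts once
        occupancy reaches the high mark and stops only at the low mark."""
        pct = 100.0 * flows_in_table / self.quota
        if not self.evicting and pct >= self.high_water:
            self.evicting = True
        elif self.evicting and pct <= self.low_water:
            self.evicting = False
        return self.evicting

    def observe(self, flow: Flow, now: float, rate_bps: float) -> None:
        """Record a flow's current rate and when it first became slow."""
        flow.last_rate_bps = rate_bps
        if self.slow_flow_threshold_bps is None:
            return
        if rate_bps < self.slow_flow_threshold_bps:
            if flow.slow_since is None:
                flow.slow_since = now
        else:
            flow.slow_since = None  # recovered; the 30 s clock restarts later

    def detected_slow_flows(self, flows: List[Flow], now: float) -> List[Flow]:
        """Flows that have stayed below the threshold for more than 30 s."""
        return [f for f in flows
                if f.slow_since is not None and now - f.slow_since > SLOW_FLOW_WINDOW]

    def flows_to_purge(self, flows: List[Flow], now: float) -> List[Flow]:
        """Apply the grace period and the throttling mode to detected slow
        flows.  Returns the flows to remove, slowest first."""
        if self.slow_flow_threshold_bps is None or self.throttling == "disabled":
            return []
        eligible = [f for f in self.detected_slow_flows(flows, now)
                    if now - f.slow_since > SLOW_FLOW_WINDOW + self.grace_period]
        eligible.sort(key=lambda f: f.last_rate_bps)
        if self.throttling == "absolute":
            # Keep up to throttle_value slow flows; everything beyond that goes.
            keep = int(self.throttle_value)
            return eligible[:max(0, len(eligible) - keep)]
        if self.throttling == "percent":
            count = round(len(eligible) * self.throttle_value / 100.0)
            return eligible[:count]
        raise ValueError(f"unknown throttling mode {self.throttling!r}")


def demo() -> dict:
    """Walk a small constructed scenario through the model."""
    policy = EvictionPolicy(quota=1000, high_water=90, low_water=70,
                            slow_flow_threshold_bps=100, grace_period=10,
                            throttling="percent", throttle_value=100)
    # Water-mark hysteresis: 85% does nothing, 90% starts eviction,
    # 80% keeps evicting, 70% stops.
    marks = [policy.update_trigger(n) for n in (850, 900, 800, 700)]
    flows = [Flow("a"), Flow("b"), Flow("c")]
    for f, rate in zip(flows, (50, 5000, 10)):   # a and c are slow, b is not
        policy.observe(f, now=0.0, rate_bps=rate)
    detected_at_35 = [f.flow_id for f in policy.detected_slow_flows(flows, 35.0)]
    purge_at_35 = [f.flow_id for f in policy.flows_to_purge(flows, 35.0)]  # grace not over
    purge_at_45 = [f.flow_id for f in policy.flows_to_purge(flows, 45.0)]
    return {"marks": marks, "detected_at_35": detected_at_35,
            "purge_at_35": purge_at_35, "purge_at_45": purge_at_45}


if __name__ == "__main__":
    print(demo())
```

In the scenario, flows a and c are detected as slow at 35 seconds (below threshold for more than 30 seconds), but nothing is purged until the 10-second grace period has also elapsed; at 45 seconds, Percent throttling at 100% removes both, slowest first. Note how the trigger stays active between the water marks: once occupancy reaches 90% of quota, eviction continues at 80% and only stops at the 70% low water mark.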

Eviction policy strategy algorithms

This table lists the BIG-IP eviction policy algorithms and associated configuration information.
In an eviction policy, you specify one or more algorithms, or any combination of algorithms, to determine how traffic flows are dropped when the eviction policy threshold limits are reached. Selected algorithms are processed at the same time as a combined strategy, not in a specific order, so the combination of algorithms determines the final strategy used to remove flows. This strategy biases or weights the final algorithm toward the outcomes you have selected, though these choices are not absolute.
You must specify at least one algorithm to determine how traffic is dropped by an eviction policy; otherwise, flows are removed at random when the eviction policy threshold is reached.

Bias Idle
    Biases flow removal toward the existing flows that have been idle, with no payload bytes, for the longest.
Bias Oldest
    Biases flow removal toward the oldest existing flows.
Bias Bytes
    Biases flow removal toward the flows with the fewest bytes. When this algorithm is selected, add a value to the Minimum Time Delay field in the Strategy Configuration area. This value determines the minimum period of time for which a flow is allowed to exist before it is subject to removal through the Bias Bytes algorithm.
Bias Fast
    Biases flow removal toward the fastest existing flows.
Bias Slow
    Biases flow removal toward the slowest existing flows.
Low Priority Route Domains
    Biases flow removal toward flows on low priority route domains. When this algorithm is selected, use the Low Priority Route Domains setting in the Strategy Configuration area to move low priority route domains from the Available list to the Selected list.
Low Priority Virtual Servers
    Biases flow removal toward flows on low priority virtual servers. When this algorithm is selected, use the Low Priority Virtual Servers setting in the Strategy Configuration area to move low priority virtual servers from the Available list to the Selected list.
Low Priority Countries
    Biases flow removal toward flows from lower priority countries. When this algorithm is selected, in the Low Priority Countries setting in the Strategy Configuration area, select low priority countries from the list and click Add to add them to the low priority list.
Low Priority Ports and Protocols
    Biases flow removal toward flows on low priority ports and protocols. When this algorithm is selected, use the Low Priority Ports and Protocols setting in the Strategy Configuration area to add ports, protocols, and combinations to the low priority ports and protocols list (you must also specify a name).
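The text above says that selected algorithms are processed together as a combined strategy that biases, but does not absolutely decide, which flows are removed. The following added model makes that concrete by giving each selected algorithm a normalized 0-to-1 vote per flow and summing the votes. It is an illustration constructed for this page, not BIG-IP code or the product's actual weighting; the algorithm names, the Flow fields and the four sample flows are assumptions, and only a subset of the algorithms in the table is modelled (Bias Idle, Bias Oldest, Bias Bytes with Minimum Time Delay, Bias Fast, Bias Slow, Low Priority Virtual Servers and Low Priority Route Domains).

```python
"""Toy model of how selected eviction strategy algorithms combine into one
weighted ranking.  Constructed for this example; not BIG-IP code and not
the product's real scoring.  Names, fields and sample flows are assumptions."""
import random
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class Flow:
    flow_id: str
    age: float            # seconds since the flow was created
    idle: float           # seconds since the last payload byte
    bytes_seen: int
    rate_bps: float
    virtual_server: str
    route_domain: int = 0


def _normalize(values: List[float]) -> List[float]:
    """Scale a list of values to 0..1 (all zeros if they are identical)."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0.0 for _ in values]
    return [(v - lo) / (hi - lo) for v in values]


def strategy_scores(flows: List[Flow], selected: Iterable[str], *,
                    min_time_delay: float = 0.0,
                    low_priority_vs: Iterable[str] = (),
                    low_priority_rd: Iterable[int] = ()) -> Dict[str, float]:
    """Return {flow_id: combined score}; higher means more likely to be evicted.
    Each selected algorithm adds a 0..1 bias per flow; the biases are summed,
    so a flow favoured by several algorithms ranks first, but no single
    algorithm is absolute."""
    selected = set(selected)
    low_priority_vs, low_priority_rd = set(low_priority_vs), set(low_priority_rd)
    scores = {f.flow_id: 0.0 for f in flows}

    def add(vals: List[float]) -> None:
        for f, v in zip(flows, vals):
            scores[f.flow_id] += v

    if "bias-idle" in selected:
        add(_normalize([f.idle for f in flows]))
    if "bias-oldest" in selected:
        add(_normalize([f.age for f in flows]))
    if "bias-bytes" in selected:
        # Fewest bytes first, but flows younger than Minimum Time Delay are exempt.
        norm = _normalize([f.bytes_seen for f in flows])
        add([0.0 if f.age < min_time_delay else 1.0 - v for f, v in zip(flows, norm)])
    if "bias-fast" in selected:
        add(_normalize([f.rate_bps for f in flows]))
    if "bias-slow" in selected:
        add([1.0 - v for v in _normalize([f.rate_bps for f in flows])])
    if "low-priority-virtual-servers" in selected:
        add([1.0 if f.virtual_server in low_priority_vs else 0.0 for f in flows])
    if "low-priority-route-domains" in selected:
        add([1.0 if f.route_domain in low_priority_rd else 0.0 for f in flows])
    return scores


def eviction_order(flows: List[Flow], selected: Iterable[str],
                   seed: Optional[int] = None, **kw) -> List[str]:
    """Flow ids in the order they would be removed.  With no algorithm
    selected, flows are removed at random, as the text describes."""
    ids = [f.flow_id for f in flows]
    if not set(selected):
        return random.Random(seed).sample(ids, len(ids))
    scores = strategy_scores(flows, selected, **kw)
    return sorted(ids, key=lambda fid: -scores[fid])


def sample_flows() -> List[Flow]:
    """Four constructed flows with deliberately different profiles."""
    return [
        Flow("f1", age=600, idle=120, bytes_seen=200, rate_bps=5, virtual_server="vs-public"),
        Flow("f2", age=30, idle=0, bytes_seen=50000, rate_bps=90000, virtual_server="vs-api"),
        Flow("f3", age=300, idle=5, bytes_seen=8000, rate_bps=2000,
             virtual_server="vs-internal", route_domain=1),
        Flow("f4", age=10, idle=0, bytes_seen=10, rate_bps=20, virtual_server="vs-public"),
    ]


if __name__ == "__main__":
    flows = sample_flows()
    print("bias-bytes, no delay:      ", eviction_order(flows, {"bias-bytes"}))
    print("bias-bytes, 60 s delay:    ", eviction_order(flows, {"bias-bytes"}, min_time_delay=60))
    print("oldest + low-priority VS:  ", eviction_order(
        flows, {"bias-oldest", "low-priority-virtual-servers"}, low_priority_vs=("vs-internal",)))
```

Two effects in the sample are worth noticing. With Bias Bytes alone, the brand-new 10-byte flow f4 is first in line; with a 60-second Minimum Time Delay it is exempt and the old, small flow f1 moves to the front instead. Combining Bias Oldest with Low Priority Virtual Servers lets the flow on the low-priority virtual server (f3) outrank the oldest flow (f1), even though Bias Oldest alone would have removed f1 first: the combination biases the outcome rather than applying either algorithm absolutely.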

Limiting global connections and flows

You must first create an eviction policy before you can assign one globally. The system includes a global eviction policy, by default.
Assign global connection limits and an eviction policy to prevent possible attacks or overflows on system flows.
  1. On the Main tab, click System > Configuration > Local Traffic > General.
    The Local Traffic General settings screen opens.
  2. From the Eviction Policy list, select the eviction policy to apply globally.
    The global context requires an eviction policy. If you do not apply a custom eviction policy, the system default policy, default-eviction-policy, is applied and selected in this field.
  3. Click Update to apply the changes.
    The eviction policy is applied to the context.

Limiting connections and flows on a virtual server

You must first create an eviction policy before you can assign one to a virtual server.
Assign connection limits and an eviction policy to a virtual server to enact granular control over possible attacks or overflows on system flows.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. From the Configuration list, select Advanced.
  4. In the Connection Limit field, type a number that specifies the maximum number of concurrent open connections.
  5. From the Eviction Policy list, select an eviction policy to apply to the virtual server.
  6. Click Update to apply the changes.
    The eviction policy is applied to the context.

Limiting connections and flows on a route domain

Before performing this task, confirm that you have a configured route domain, or use the common route domain 0. You must add VLANs to a route domain for the route domain to affect traffic.
Assign connection limits and an eviction policy to a route domain to enact granular control over possible attacks or overflows on system flows.
  1. On the Main tab, click Network > Route Domains.
    The Route Domain List screen opens.
  2. In the Name column, click the name of the relevant route domain.
  3. In the Connection Limit field, type the maximum number of concurrent connections allowed for the route domain. Setting this to 0 turns off connection limits. The default is 0.
  4. From the Eviction Policy list, select an eviction policy to apply to this route domain.
  5. Click Update.
    The system displays the list of route domains on the BIG-IP system.
The route domain now applies the connection limit and eviction policy to flows and connections.