Manual Chapter: AFM DoS/DDoS Protection
Applies To: BIG-IP AFM 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
Overview: DoS/DDoS Protection
BIG-IP AFM DoS Protection protects your data center from denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks by detecting and mitigating a wide variety of malicious traffic patterns and packet types. These malicious traffic patterns and packets are also referred to as attack vectors or attack signatures. With BIG-IP AFM, you can either manually or automatically configure DoS/DDoS detection and mitigation. An effective DoS solution blocks attack traffic while allowing legitimate traffic.
Manual DoS configuration
An effective DoS/DDoS protection solution requires an in-depth traffic analysis to determine the baseline traffic patterns and thresholds, as well as attack patterns and thresholds. Once a traffic analysis is complete, you can determine the appropriate DoS/DDoS attack vectors, and manually configure the detection and mitigation thresholds for each.
Automatic DoS configuration
You can configure BIG-IP AFM to automatically detect and mitigate DoS/DDoS attacks using a wide variety of custom and default attack vectors. You can also enable the BIG-IP AFM Dynamic Signature feature to create signatures for, and mitigate, attacks based on traffic patterns that change over time.
DoS/DDoS attack vector categories
BIG-IP AFM has a large number of attack vectors that fall within three categories. This table lists the categories and a sample of the available DoS vectors from each category.

| Network | DNS | SIP |
|---|---|---|
| TCP SYN Flood | DNS NXDOMAIN Query | |
Applying AFM DoS/DDoS protection
You can apply DoS/DDoS protection to the entire BIG-IP system or to individual virtual servers, also known as protected objects. In the following scenario, we enable TCP SYN Flood attack protection at the device level and apply DNS NXDOMAIN Query attack protection to a protected object. We configure each of the DoS protections for automatic detection and mitigation.
Enabling and applying DoS protection involves several tasks.
Task list
- Enable Device Protection.
- Create a Protection Profile.
- Apply a Protection Profile.
Enable device level DoS protection
Device protection applies to the entire BIG-IP system. When the system detects an attack, it can apply mitigation to all ingress traffic. In this task, you configure the TCP SYN Flood DoS vector to automatically detect and mitigate TCP SYN Flood attacks, and you enable the Network Dynamic Signature feature.
- On the Main tab, click.
- For Log Publisher, for this scenario, select local-db-publisher. When the system detects an attack, it sends messages to the /var/log/ltm file indicating the begin and end times of each DoS attack.
- For the Threshold Sensitivity list, ensure that Medium is selected. A lower setting means the threshold algorithm is less sensitive to changes in traffic and CPU usage.
- Click Network in the middle of the page. The area expands to display the attack vectors list.
- Under Attack Type, click the TCP SYN Flood link. You might find it easier to locate this link if you have the list sorted by name.
- In the properties pane to the right, change the State setting to Mitigate.
- Click Fully Automatic.
- Ensure that Bad Actor Detection is selected to blacklist any IP addresses that are the source of an attack.
- In the main screen area, scroll up to the Network Family settings, and click the Configure link. The Properties pane on the right changes to show Network Properties.
- From the Dynamic Signature Detection list, select Enabled. A dynamic DoS attack is a DoS attack that doesn't fit predefined DoS vector criteria. Using dynamic signature enforcement, such attacks can be detected and mitigated automatically by AFM.
- From the Mitigation Sensitivity list, select Medium.
- At the upper left of the main screen, click Commit Changes to System.
The BIG-IP system is now configured to automatically detect and protect against TCP SYN Flood attacks, and dynamically create and mitigate attack vectors not in the predefined Network attack vector family.
Create a DoS protection profile
You can apply protection profiles to specific virtual servers, selecting the DoS vectors and thresholds appropriate to that specific application. In this task example, you create a protection profile to protect a DNS virtual server from DNS NXDOMAIN Query attacks.
- On the Main tab, click.
- On the far right, click Create.
- Type a Name for the new protection profile. For this example, type nxdomain_ddos.
- For the Threshold Sensitivity list, ensure that Medium is selected. A lower setting means the threshold algorithm is less sensitive to changes in traffic and CPU usage.
- In the Families setting, select DNS. The DNS area displays below the Filter Attack Vectors filter.
- Click DNS.
- In the Vector Name column, click the DNS NXDOMAIN Query link. The properties pane opens on the right, showing the DNS NXDOMAIN Query vector.
- From the State list, select Mitigate.
- Click Fully Automatic.
- Ensure that Bad Actor Detection is selected.
- At the upper left of the main screen, click Commit Changes to System.
You have now created a medium threshold protection profile to protect a DNS virtual server from DNS NXDOMAIN Query attacks. DoS protection does not occur until the protection profile is applied to the protected object.
Next, you need to apply the DoS protection profile to the protected object.
Apply the DoS protection profile
As the last task in applying the DDoS protection, you apply the new Protection Profile to your DNS virtual server. The Protection Profile prevents attackers from filling the BIG-IP system cache with bad requests and significantly impacting DNS resolution performance.
- On the Main tab, click.
- In the Name column, click the name of the virtual server. The Properties pane opens at the right of the page.
- From the Service Profile list, ensure that the virtual server has an associated profile.
- Click Protection Settings at the bottom of the pane. The Protection Settings options display.
- From the Protection Profile list, select the name of the protection profile. For this example task, select nxdomain_ddos.
- Click Save.
You have now configured the virtual server to automatically detect and protect against DNS NXDOMAIN Query attacks.
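As an added example (not F5's code or documentation), a small Python audit that checks an exported configuration for the settings these three tasks enable: vector State set to Mitigate, Fully Automatic, Bad Actor Detection on, Dynamic Signature Detection enabled at device level, and a protection profile actually applied to each protected object. The dictionary keys are assumed names that mirror the GUI labels rather than F5's tmsh or REST schema, and the sample data is constructed.

```python
"""Audit an exported BIG-IP AFM DoS configuration against the settings this chapter
enables. Key names are an ASSUMPTION (GUI labels, not F5's tmsh/REST schema)."""

# Constructed sample data: device-level config, one profile, two DNS virtual servers.
DEVICE_CONFIG = {
    "dynamic_signature_detection": "enabled",
    "vectors": {"tcp-syn-flood": {"state": "mitigate", "mode": "fully-automatic", "bad_actor": True}},
}
PROFILES = {
    "nxdomain_ddos": {"dns": {"dns-nxdomain-query": {"state": "mitigate", "mode": "fully-automatic", "bad_actor": True}}},
}
VIRTUAL_SERVERS = {
    "dns_vs": {"service_profile": "dns", "protection_profile": "nxdomain_ddos"},
    "dns_vs_staging": {"service_profile": "dns", "protection_profile": None},  # constructed drift
}


def audit_vector(label, vector):
    # One vector must be in Mitigate state, Fully Automatic, with Bad Actor Detection on.
    findings = []
    if vector.get("state") != "mitigate":
        findings.append(f"{label}: state is {vector.get('state')!r}, expected 'mitigate'")
    if vector.get("mode") != "fully-automatic":
        findings.append(f"{label}: detection/mitigation is not fully automatic")
    if not vector.get("bad_actor"):
        findings.append(f"{label}: bad actor detection is off")
    return findings


def audit(device, profiles, virtuals):
    # Device-level settings, then every profile vector, then every virtual server.
    findings = []
    if device.get("dynamic_signature_detection") != "enabled":
        findings.append("device: dynamic signature detection is not enabled")
    for name, vec in device.get("vectors", {}).items():
        findings += audit_vector(f"device/{name}", vec)
    for pname, families in profiles.items():
        for family, vectors in families.items():
            for vname, vec in vectors.items():
                findings += audit_vector(f"{pname}/{family}/{vname}", vec)
    for vs_name, vs in virtuals.items():
        prof = vs.get("protection_profile")
        if prof is None:  # a profile that is never applied protects nothing
            findings.append(f"{vs_name}: no protection profile applied; DoS protection is not active")
        elif prof not in profiles:
            findings.append(f"{vs_name}: references unknown protection profile {prof!r}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(DEVICE_CONFIG, PROFILES, VIRTUAL_SERVERS)) or "no findings")
```

Run against the constructed sample, the only finding is the staging virtual server that has no protection profile applied, which is exactly the state the chapter warns gives no protection.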
You might now want to view DoS attack reports.