Manual Chapter : AFM DoS/DDoS Protection

Applies To:

BIG-IP AFM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

Overview: DoS/DDoS Protection

BIG-IP AFM DoS Protection protects your data center from denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks by detecting and mitigating a wide variety of malicious traffic patterns and packet types. These malicious traffic patterns and packets are also referred to as attack vectors or attack signatures. With BIG-IP AFM, you can either manually or automatically configure DoS/DDoS detection and mitigation.
An effective DoS solution blocks attack traffic while allowing legitimate traffic.

Manual DoS configuration

An effective DoS/DDoS protection solution requires an in-depth traffic analysis to determine the baseline traffic patterns and thresholds, as well as attack patterns and thresholds. Once a traffic analysis is complete, you can determine the appropriate DoS/DDoS attack vectors, and manually configure the detection and mitigation thresholds for each.

Automatic DoS configuration

You can configure BIG-IP AFM to automatically detect and mitigate DoS/DDoS attacks using a wide variety of custom and default attack vectors. You can also enable the BIG-IP AFM Dynamic Signature feature to dynamically create attack vectors and mitigate attacks based on traffic patterns that change over time.

DoS/DDoS attack vector categories

BIG-IP AFM has a large number of attack vectors that fall within three categories. This table lists the categories and a sample of the available DoS vectors from each category.
Network
  • ARP Flood
  • ICMP Flood
  • IP Fragment Flood
  • LAND attack
  • TCP SYN Flood
DNS
  • DNS AAAA Query
  • DNS Malformed
  • DNS NXDOMAIN Query
  • DNS Oversize
  • DNS Response Flood
SIP
  • SIP ACK Method
  • SIP OPTIONS Method
  • SIP Malformed
  • SIP REGISTER Method
  • SIP URI Limit

Applying AFM DoS/DDoS protection

You can apply DoS/DDoS protection to the entire BIG-IP system or to individual virtual servers, also known as protected objects.
In the following scenario, we enable TCP SYN Flood attack protection at the device level and apply DNS NXDOMAIN Query attack protection to a protected object. We configure each of the DoS protections for automatic detection and mitigation.
Enabling and applying DoS protection involves several tasks.

Task list

  1. Enable Device Protection.
  2. Create a Protection Profile.
  3. Apply a Protection Profile.

Enable device level DoS protection

Device protection applies to the entire BIG-IP system. When the system detects an attack, it can apply mitigation to all ingress traffic. In this task, you configure the TCP SYN Flood DoS vector to automatically detect and mitigate TCP SYN Flood attacks, and you enable the Network Dynamic Signature feature.
  1. On the Main tab, click Security > DoS Protection > Device Protection.
  2. For Log Publisher, for this scenario, select local-db-publisher.
    When the system detects an attack, it sends messages to the /var/log/ltm file indicating the begin and end times of each DoS attack.
  3. For the Threshold Sensitivity list, ensure that Medium is selected.
    A lower setting means the threshold algorithm is less sensitive to changes in traffic and CPU usage.
  4. Click Network in the middle of the page.
    The area expands to display the attack vectors list.
  5. Under Attack Type, click the TCP SYN Flood link.
    You might find it easier to locate this link if you have the list sorted by name.
  6. In the properties pane to the right, change the State setting to Mitigate.
  7. Click Fully Automatic.
  8. Ensure that Bad Actor Detection is selected to blacklist any IP addresses that are the source of an attack.
  9. In the main screen area, scroll up to the Network Family settings, and click the Configure link.
    The Properties pane on the right changes to show Network Properties.
  10. From the Dynamic Signature Detection list, select Enabled.
    A dynamic DoS attack is a DoS attack that doesn't fit predefined DoS vector criteria. Using dynamic signature enforcement, such attacks can be detected and mitigated automatically by AFM.
  11. From the Mitigation Sensitivity list, select Medium.
  12. At the upper left of the main screen, click Commit Changes to System.
The BIG-IP system is now configured to automatically detect and protect against TCP SYN Flood attacks, and dynamically create and mitigate attack vectors not in the predefined Network attack vector family.

Create a DoS protection profile

You can apply protection profiles to specific virtual servers, applying the type of DoS vectors and thresholds for that specific application. In this task example, you create a protection profile to protect a DNS virtual server from DNS NXDOMAIN Query attacks.
  1. On the Main tab, click Security > DoS Protection > Protection Profiles.
  2. On the far right, click Create.
  3. Type a Name for the new protection profile.
    For this example, type nxdomain_ddos.
  4. For the Threshold Sensitivity list, ensure that Medium is selected.
    A lower setting means the threshold algorithm is less sensitive to changes in traffic and CPU usage.
  5. In the Families setting, select DNS.
    The DNS area displays below the Filter Attack Vectors filter.
  6. Click DNS.
  7. In the Vector Name column, click the DNS NXDOMAIN Query link.
    The properties pane opens on the right, showing the DNS NXDOMAIN Query.
  8. From the State list, select Mitigate.
  9. Click Fully Automatic.
  10. Ensure that Bad Actor Detection is selected.
  11. At the upper left of the main screen, click Commit Changes to System.
You have now created a medium threshold protection profile to protect a DNS virtual server from DNS NXDOMAIN Query attacks. DoS protection does not occur until the protection profile is applied to the protected object.
Next, you need to apply the DoS protection profile to the protected object.

Apply the DoS protection profile

As the last task in applying the DDoS protection, you apply the new Protection Profile to our DNS virtual server. The Protection Profile will prevent attackers from filling the BIG-IP system cache with bad requests and significantly impacting DNS resolution performance.
  1. On the Main tab, click Security > DoS Protection > Protected Objects.
  2. In the Name column, click the name of the virtual server.
    The Properties pane opens at the right of the page.
  3. From the Service Profile list, ensure that the virtual server has an associated profile.
  4. Click Protection Settings at the bottom of the pane.
    The Protection Settings options display.
  5. From the Protection Profile list, select the name of the network firewall policy. For this example task, select nxdomain_ddos.
  6. Click Save.
You have now configured the virtual server to automatically detect and protect against DNS NXDOMAIN Query attacks.
You might now want to view DoS attack reports.