Manual Chapter :
Using Shun with Layer 7 DoS
Applies To:
Show VersionsBIG-IP ASM
- 16.0.1, 16.0.0, 15.1.0, 15.0.1, 15.0.0
Using Shun with Layer 7 DoS
Overview: Using Shun with Layer 7 DoS
Layer 7 DoS in Application Security Manager™ (ASM) is set up to
automatically add IP addresses to a shun list (also called
auto-blacklisting
). The
BIG-IP system stops traffic that is thought to be causing a DoS attack, by
adding it to a shun list for a limited time. L7 DoS maintains the shun list and auto-blacklisting
works at Layer 7 when you configure an L7 DoS profile and attach it to a virtual server. Furthermore, by integrating L7 DoS shun with an IP intelligence policy, the auto-blacklisting
stops traffic at Layer 3 saving system resources. The auto-blacklisting works at Layer 3 when:
- You configure an L7 DoS profile and an IP intelligence policy, and then associate both with a virtual server, and
- You are using mitigations other than device ID or URL in the DoS profile.
The DoS profile you create should include all of the DoS mitigations you want to use for the
application. For example, you could enable these protections:
- Proactive Bot Defense with CAPTCHA challenge
- Stress-based Detection with Request Blocking and Rate Limiting
- Heavy URL Protection set to automatic detection
Source IP addresses that are thought to be causing a DoS attack based on the mitigations you
configured fall into the category of application denial of service blacklist, for which the IP
intelligence policy is configured to drop. Together, and using fewer resources, the DoS profile
and IP intelligence policy protect the web application from DoS attacks.
Task Summary
About the DoS shun list
A
shun list
is a temporary list of IP addresses that have been sending lots of
traffic that is failing 90%, or more, of the time. The failures occur as a result of any of the
mitigation methods in use in the DoS profile, including CAPTCHA, request blocking, client-side
integrity defense, proactive bot defense, and so on. The system creates a shun list of clients
that repeatedly fail to respond to DoS JavaScript challenges, undergo high block ratios in rate
limiting, or have been repeatedly handled by any of the other DoS mitigations. While these
clients are on the shun list, all traffic they send is blocked. Shun list features are set up using system variables. By default, the shun list is enabled, and
clients remain on the list and are blocked for 120 seconds. The default value for the minimum
ratio of successful responses to JavaScript challenges is 10% (to keep clients off the shun
list). A client being considered for the shun list must be sending a minimum of 10 requests per
second. Advanced users can change the default values, if necessary, by adjusting the system
variables from the command line.
Shun List system variables
The shun list is automatically managed with predefined conditions and thresholds set
using system variables. These system variables are set to reasonable values by default. Do not
change these variables unless you are an advanced BIG-IP system
user.
Variable |
Default Value |
What It Specifies |
---|---|---|
dosl7d.shun_list |
enable |
Whether to use the shun list to block IP addresses. |
dosl7d.min_challenge_success_ratio |
10% |
The minimum percentage of good transactions per IP address (or else the system
adds it to the shun list). |
dosl7d.min_challenge_rps |
10 |
The minimum requests per second before the system can apply shun
mitigation. |
dosl7d.shun_prevention_time |
120 |
The time in seconds (from 1-1000) to keep the IP address on the shun
list. |
For example, to disable the shun list, on the command line,
type:
(tmos)# modify sys db dosl7d.shun_list value disable
Configuring DoS protection for applications
You can configure Application Security
Manager to protect against and mitigate DoS attacks, and increase system
security.
- On the Main tab, click.The Protection Profiles list screen opens.
- ClickCreate.The Create New DoS Profile screen opens.
- In theNamefield, type the name for the profile, then clickFinished.
- In the list of DoS profiles, click the name of the profile you just created, and click theApplication Securitytab.This is where you set up application-level DoS protection.
- In theGeneral Settings, forApplication Security, clickEditand select theEnabledcheck box.General settings that you can configure are displayed.
- To configureHeavy URL Protection, edit the setting for which URLs to include or exclude, or use automatic detection.Another task describes heavy URL protection in more detail.
- To set up DoS protection based on the country where a request originates, edit theGeolocationssetting, selecting countries to allow or disallow.
- ClickEdit.
- Move the countries for which you want the system to block traffic during a DoS attack into theGeolocation Blacklist.
- Move the countries that you want the system to allow (unless the requests have other problems) into theGeolocation Whitelist.
- Use the Stress-based or TPS-based Detection settings to select appropriate mitigations by geolocation in theHow to detect attackers and which mitigation to usesettings.
- When done, clickClose.
- If you have written an iRule to specify how the system handles a DoS attack and recovers afterwards, enable theTrigger iRulesetting.
- To better protect an applications consisting of one page that dynamically loads new content, enableSingle Page Application.
- If your application uses many URLs, inURL Patterns, you can create logical sets of similar URLs with the varying part of the URL acting like a parameter. ClickNot Configuredand type one or more URL patterns, for example,/product/*.php.The system then looks at the URL patterns that combine several URLs into one and can more easily recognize DoS attacks, for example, on URLs that might be less frequently accessed by aggregating the statistics from other similar URLs.
- If you want to use performance acceleration, inPerformance acceleration, select the TCP fastL4 profile to use as the fast-path for acceleration.The profiles listed are those created in.
- ClickUpdateto save the DoS profile.
You have created a DoS profile that provides basic DoS protection including TPS-based
detection and heavy URL detection (automatically enabled).
Next, consider configuring additional levels of
DoS protection such as stress-based protection, single page applications, and geolocations. Look at the other options available under Application Security and adjust as
needed. Also, you need to associate the DoS profile
with a virtual server before it protects against DoS attacks.
Using an IP Intelligence policy with L7 DoS
You can create an IP intelligence policy that blocks traffic from IP addresses that
are on the shun list because they are in a specific blacklist category. For IP addresses
that were blocked originally as a result of DoS Layer 7 protections, this IP
intelligence policy causes traffic from those IP addresses to be dropped temporarily.
- On the Main tab, click.The IP Intelligence Policies screen opens.
- ClickCreateto create a new IP Intelligence policy.
- In theNamefield, type a name for the IP intelligence profile, such asip-intell-l7.
- Leave theDefault Actionlist set toDrop.
- ForBlacklist Matching Policy, specify the action for the application DoS category.
- ForBlacklist Category, selectapplication_denial_of_service.L7 DoS classifies bad IP addresses in the shun list asapplication_denial_of_serviceby default. Other categories are for use if you purchased an IPI subscription (or IP intelligence database). Refer to information on IP intelligence blocking.
- ForAction, selectDrop.
- ForLog Blacklist Category Matches, selectYes.
- ClickAdd.
- ClickFinished.
The IP intelligence policy now connects using the shun list at the IP level to
problems discovered originally at the application level. This allows the system to
slow down DoS attacks using fewer system resources.
The IP intelligence policy needs to be associated with a virtual server, or you can
assign a global IP intelligence policy to all virtual servers.
Associating a DoS
profile and IP intelligence policy with a virtual server
Before
you can accomplish this task, you must first create a DoS profile in Application Security Manager
(ASM) to protect your application. You also need an IP intelligence policy that tells the shun
list to temporarily drop traffic from IP addresses that have been sending suspicious
traffic.
You
can add DoS protection and an IP intelligence policy to a virtual server to provide enhanced
protection from DoS attacks, and use the shun list to recognize attackers.
- On the Main tab, click.The Virtual Server List screen opens.
- Click the virtual server that you want to have DoS protection and use the shun list.
- On the menu bar, from the Security menu, choose Policies.
- To specify the shun list action for Layer 7 DoS, from theIP Intelligencelist, selectEnabled, and then, from thePolicylist, select the IP intelligence policy (for example,ip-intelligence) to associate with the virtual server.You can also apply one IP intelligence policy at the global level that applies to all virtual servers on the system ().
- To enable denial-of-service protection, from theDoS Protection Profilelist, selectEnabled, and then, from theProfilelist, select the DoS profile to associate with the virtual server.
- ClickUpdateto save the changes.
The
application represented by the virtual server now has DoS protection, and uses the shun list. If
ASM discovers lots of malicious traffic coming from one IP address, that IP address is added to
the shun list. Traffic from that IP address is blocked immediately for two minutes (using the
default value). After that, traffic from the IP address is allowed through to ASM and, if
necessary, is handled by other DoS mitigations specified in the DoS profile. If problems still
exist, the IP address is added back onto the shun list.
Result of using shun list with Layer 7 DoS
Now you have associated both a DoS profile and an IP intelligence policy with the virtual
server representing the application. Here's a general idea of what happens next:
- A client is sending lots of traffic from one IP address to the web application.
- Layer 7 DoS first inspects the traffic even before it gets to Application Security Manager™.
- If the client is blocked more than 90% of the time and it is sending at least 10 requests per second, the client IP address is put on the shun list.
- Traffic from the IP address on the shun list is blocked at the IP level (Layer 3) for two minutes.
- After that, the IP address is removed from the shun list.
- Traffic from the IP address is allowed through to L7 DoS where it is inspected according to the protections in the DoS profile.
- If the traffic is successful more than 10% of the time, it is allowed and handled by L7 DoS. Otherwise, that IP address is added back onto the shun list.
If DoS mitigation is performed by URL or device ID, the IP addresses are not shunned at the IP
level, but are shunned at Layer 7.