Configure a DoS/DDoS protection profile
- On the Main tab, click. The Protection Profiles list screen opens.
- Click Create. The New Protection Profile screen opens.
- In the Name field, type the name for the profile.
- For Threshold Sensitivity, select Low, Medium, or High. Low means the automatic threshold calculations are less sensitive to changes in traffic and CPU usage. A lower setting causes the system to adjust the thresholds more slowly over time, but also triggers fewer false positives. If traffic rates are consistent over time, set this to Medium or High, because even a small variation in generally consistent traffic could signal an attack. If traffic patterns vary, set this to Low to get fewer false positives.
- If you have created a whitelist on the system, select it from the Default Whitelist list. You can also click Manage Address Lists to jump to the Address Lists screen, where you can create or edit address lists.
- From Families, select Network, DNS, or SIP.
- At the bottom of the screen, click the selected family. The screen displays the attack vectors for that family.
- Click a specific Vector Name to change the state, threshold, or rate increase of the attack vector. The Properties pane for the attack vector opens on the right of the page.
- In the Properties pane, from the State list, choose the appropriate enforcement option.
- Select Mitigate to enforce the configured DoS vector by examining packets, logging the results of the vector, learning patterns, alerting to trouble, and mitigating the attack (watch, learn, alert, and mitigate).
- Select Detect Only to configure the vector, log its results without applying rate limits or other actions, and alert to trouble (watch, learn, and alert).
- Select Learn Only to configure the vector and log its results without applying rate limits or other actions (watch and learn).
- Select Disabled to disable logging and enforcement of the DoS vector (no stat collection, no mitigation).
- For Threshold Mode, select whether the system determines thresholds for the vector (Fully Automatic), uses partially automatic settings (Manual Detection / Auto Mitigation), or leaves the settings under your control (Fully Manual). The settings differ depending on the option you select. Here, we describe the settings for automatic threshold configuration. If you want to set thresholds manually, select one of the manual options and refer to the online Help for details on the settings.
- To allow the DoS vector thresholds to be adjusted automatically, for Threshold Mode, select Fully Automatic (available only for DNS, Flood, SIP, some Fragmentation, and a few other vectors). Automatic thresholding is not available for every DoS vector. In particular, error packets that are broken by their nature, such as those listed under Bad Headers, must be configured manually.
- In the Attack Floor EPS field, type the minimum number of events per second of the vector type to allow before automatically calculated thresholds are determined. Because automatic thresholds take time to be reliably established, this setting defines the minimum packet rate allowed before automatic thresholds are calculated.
- In the Attack Ceiling EPS field, specify the absolute maximum allowable rate for packets of this type before automatically calculated thresholds are determined. Because automatic thresholds take time to be reliably established, this setting rate-limits packets to the specified events-per-second value. To set no hard limit, set this to Infinite. Unless set to Infinite, if the packet rate exceeds the ceiling value, the system considers it to be an attack.
- To detect the IP address sources from which possible attacks originate, enable Bad Actor Detection. Bad Actor Detection is not available for every vector.
- To automatically blacklist bad actor IP addresses, select Add Source Address to Category. For this to work, you need to assign an IP Intelligence policy to the appropriate context (device, virtual server, or route domain). For the device, assign a global policy:. For the virtual server or route domain, assign the IP Intelligence policy on the Security tab.
- From the Category Name list, select the blacklist category to which blacklist entries generated by Bad Actor Detection are added.
- In the Sustained Attack Detection Time field, specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
- In the Category Duration Time field, specify the length of time in seconds that the address remains on the blacklist. The default is 14400 seconds (4 hours).
- To allow IP source blacklist entries to be advertised to edge routers so that they null-route the traffic, select Allow External Advertisement. To advertise to edge routers, you must configure a Blacklist Publisher and Publisher Profile at.
- Click Commit Changes to System at the top of the page.
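The following Python model is an added illustration of how the settings above interact, written for this page; it is not F5 code and does not reproduce the BIG-IP threshold-learning algorithm. It assumes event rates are sampled once per second, takes the "learned" automatic threshold as a plain input value, and treats a source as offending whenever the rate attributed to it is flagged. The defaults mirror the documented ones (a 60-second Sustained Attack Detection Time and a 14400-second Category Duration Time); the category name and the sample addresses are constructed for the example.

```python
"""Illustrative model of DoS-vector state, attack floor/ceiling gating and
bad-actor blacklisting (added example, not F5's implementation)."""

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class State(Enum):
    MITIGATE = "mitigate"        # watch, learn, alert, mitigate
    DETECT_ONLY = "detect-only"  # watch, learn, alert
    LEARN_ONLY = "learn-only"    # watch, learn
    DISABLED = "disabled"        # no stat collection, no mitigation


INFINITE = None  # an "Infinite" Attack Ceiling EPS: no hard upper limit


def rate_is_attack(eps: int, floor_eps: int, ceiling_eps: Optional[int],
                   learned_threshold: Optional[int]) -> bool:
    """Decide whether one events-per-second sample looks like an attack.

    Below the attack floor the rate is always allowed.  Above a finite ceiling
    it is always an attack.  In between, the automatically learned threshold
    decides; until one exists (None) the traffic is allowed."""
    if eps < floor_eps:
        return False
    if ceiling_eps is not INFINITE and eps > ceiling_eps:
        return True
    return learned_threshold is not None and eps > learned_threshold


def actions_for(state: State, is_attack: bool) -> dict:
    """Map a vector State to what happens with one sample."""
    if state is State.DISABLED:
        return {"collect_stats": False, "log": False, "alert": False, "mitigate": False}
    return {
        "collect_stats": True,
        "log": True,
        "alert": is_attack and state in (State.MITIGATE, State.DETECT_ONLY),
        "mitigate": is_attack and state is State.MITIGATE,
    }


@dataclass
class BadActorTracker:
    sustained_seconds: int = 60        # Sustained Attack Detection Time
    category_seconds: int = 14400      # Category Duration Time (4 hours)
    category: str = "example_category"  # hypothetical blacklist category name
    _first_seen: dict = field(default_factory=dict)  # ip -> first offending second
    _expiry: dict = field(default_factory=dict)      # ip -> blacklist expiry time

    def observe(self, ip: str, now: int, is_attack: bool) -> bool:
        """Record one per-second observation; return True if `ip` is on the
        blacklist category at time `now`."""
        if ip in self._expiry and now >= self._expiry[ip]:
            del self._expiry[ip]                      # entry has aged out
        if not is_attack:
            self._first_seen.pop(ip, None)            # attack must be sustained
        else:
            start = self._first_seen.setdefault(ip, now)
            if now - start >= self.sustained_seconds and ip not in self._expiry:
                self._expiry[ip] = now + self.category_seconds
        return ip in self._expiry

    def blacklisted(self, now: int) -> list:
        return sorted(ip for ip, exp in self._expiry.items() if now < exp)


def simulate(samples, floor_eps=100, ceiling_eps=5000, learned=1000,
             state=State.MITIGATE) -> dict:
    """Run (ip, second, eps) samples through the model and summarise."""
    tracker = BadActorTracker()
    mitigated = 0
    for ip, sec, eps in samples:
        attack = rate_is_attack(eps, floor_eps, ceiling_eps, learned)
        if actions_for(state, attack)["mitigate"]:
            mitigated += 1
        tracker.observe(ip, sec, attack)
    last = samples[-1][1] if samples else 0
    return {"mitigated_samples": mitigated, "blacklisted": tracker.blacklisted(last)}


if __name__ == "__main__":
    # Constructed traffic: one source at 3000 eps for 90 s, another at 50 eps.
    flood = [("203.0.113.7", t, 3000) for t in range(90)]
    quiet = [("198.51.100.9", t, 50) for t in range(90)]
    print(simulate(flood + quiet))
```

The flooding source is mitigated from its first flagged second, but it only lands on the blacklist category once it has offended for the full 60-second detection window, and the entry drops out again after 14400 seconds; a quiet second resets the window, which is what keeps brief bursts from being blacklisted.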