Manual Chapter : Common elements for DoS, DNS, DDoS Hybrid Defender tasks

Applies To:


F5 DDoS Hybrid Defender

  • 15.0.0

Use these common elements in your DoS tasks.
  1. On the Main tab, click Security > DoS Protection > Protection Profiles.
    The Protection Profiles list screen opens.
  2. On the Main tab, click Security > DoS Protection > White List.
    The DoS Protection White List screen opens.
  3. On the Main tab, click Security > DoS Protection > Device Configuration.
    The DoS Protection Device Configuration screen opens.
  4. To log DoS events to a log publisher, from the Log Publisher list, select a destination to which the BIG-IP system sends DoS and DDoS log entries, and click Update.
  5. Click Whitelist.
    The DoS Protection White List screen opens.
  6. Click Create.
    The Create New Protection Profile screen opens.
  7. To use an address list as a source whitelist, select the address list from Source Address List.
  8. Click Create.
    The New White List Configuration screen opens.
  9. Under Profile Information, click General Settings, and in the Profile Name field, type the name for the profile.
  10. In the Name field, type a name.
  11. In the Description field, optionally type a description.
  12. From the Protocol list, select the protocol.
    The options are Any, TCP, UDP, ICMP, or IGMP.
  13. In the Source area, specify the IP address and VLAN combination that serves as the source of traffic that the system recognizes as acceptable to pass the DoS checks.
    You can also use Any to specify any address or VLAN.
  14. In the Destination area, specify the IP address and port combination that serves as the intended destination for traffic that the system recognizes as acceptable to pass DoS checks.
    You can also use Any to specify any address or port.
  15. To configure DNS security settings, click Protocol DNS, click Edit in the far right column, then select Enabled.
  16. To configure SIP security settings, click Protocol SIP Protection, click Edit in the far right column, then select Enabled.
  17. To configure network security settings, under Network, click General Settings, click Edit in the far right column, then select Enabled.
  18. In the Category column, expand the Single Endpoint category.
  19. In the Category column, expand the Flood category.
  20. Click UDP Flood.
    The UDP Flood screen opens.
  21. Click Single Endpoint Flood.
    The Single Endpoint Flood screen opens.
  22. Click Single Endpoint Sweep.
    The Single Endpoint Sweep screen opens.
  23. In the Packet Type area, select the packet types you want to detect for this attack type in the Available list, and click << to move them to the Selected list.
  24. To enable attack detection based on the rate of protocol errors, next to Protocol Errors Attack Detection, click Edit in the far right column, then select Enabled.
  25. To enable Behavior Analysis, next to Behavior Analysis, click Edit in the far right column, then select Enabled.
    Behavior analysis detects and reports suspicious behavior that might indicate a DoS attack.
  26. To configure reporting and rate limits for specific network DoS attack types, next to Attack Types, click Edit in the far right column, click the name of an attack, then click Enabled.
    Configure the settings for each enabled attack.
  27. To change the threshold, rate increase, rate limit, and blacklist settings for a sweep attack, in the Network Attack Types area, click Edit in the far right column, select Sweep, and select the Enabled check box. Change the values for Threshold, Rate Increase, and Rate Limit in the associated fields.
    For example, to change the detection threshold for IP fragments to 9,999 per second, or an increase of 250% over the average, in Attack Types, click IP Fragment Flood, select the Enabled check box next to IP Fragment Flood, then set the Threshold field to 9999 and the Rate Increase field to 250. To rate limit such requests to 33,000 packets per second, set the Rate Limit field to 33000.
    The Rate Increase compares the average rate over the last minute to the average rate over the last hour. For example, a 500% base rate would indicate an attack if the average rate for the previous hour was 100000 packets/second, and over the last minute the rate increased to 500000 packets/second.
    The Attack Types area allows you to configure the thresholds at which the firewall registers an attack. However, packets are dropped at the Rate Limit setting, not at the attack detection threshold.
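To make the three settings concrete, here is an added Python model (not F5 code) of how Threshold, Rate Increase and Rate Limit interact for one second of traffic, using the IP Fragment Flood values from the text. The exact comparison the BIG-IP system performs for Rate Increase is an assumption, chosen to match the 500% example above (100000 to 500000 packets/second).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AttackTypeSettings:
    """The three per-attack-type settings from the Attack Types screen.
    None stands for the Infinite choice (no value set)."""
    threshold_pps: Optional[float]       # Threshold (Detection Threshold EPS)
    rate_increase_pct: Optional[float]   # Rate Increase, in percent
    rate_limit_pps: Optional[float]      # Rate Limit


def rate_increase_pct(last_minute_pps: float, last_hour_pps: float) -> float:
    """Last-minute average expressed as a percentage of the last-hour average.

    Assumption: the setting is compared against minute_avg / hour_avg * 100, so
    100% means no change and the page's 100000 -> 500000 example is 500%.
    An idle hour followed by any traffic counts as an infinite increase.
    """
    if last_hour_pps <= 0:
        return float("inf") if last_minute_pps > 0 else 0.0
    return 100.0 * last_minute_pps / last_hour_pps


def detection_reasons(cfg: AttackTypeSettings,
                      last_minute_pps: float,
                      last_hour_pps: float) -> List[str]:
    """Reasons the firewall would register an attack this second (empty = no attack).

    Either criterion on its own is enough: the absolute Threshold, or the relative
    Rate Increase over the hourly average.
    """
    reasons = []
    if cfg.threshold_pps is not None and last_minute_pps >= cfg.threshold_pps:
        reasons.append("threshold")
    if (cfg.rate_increase_pct is not None
            and rate_increase_pct(last_minute_pps, last_hour_pps) >= cfg.rate_increase_pct):
        reasons.append("rate_increase")
    return reasons


def apply_rate_limit(cfg: AttackTypeSettings, offered_pps: float) -> Tuple[float, float]:
    """(forwarded_pps, dropped_pps) for one second of packets of this attack type.

    Drops happen only at the Rate Limit, never at the detection threshold: a rate
    that is logged as an attack but stays under the Rate Limit passes untouched.
    """
    if cfg.rate_limit_pps is None or offered_pps <= cfg.rate_limit_pps:
        return offered_pps, 0.0
    return cfg.rate_limit_pps, offered_pps - cfg.rate_limit_pps


# The IP Fragment Flood values from the text: Threshold 9999, Rate Increase 250, Rate Limit 33000.
IP_FRAGMENT_FLOOD = AttackTypeSettings(threshold_pps=9999, rate_increase_pct=250, rate_limit_pps=33000)


def walk_through(cfg: AttackTypeSettings, last_minute_pps: float, last_hour_pps: float) -> dict:
    """Detection and enforcement for one observed second, side by side."""
    forwarded, dropped = apply_rate_limit(cfg, last_minute_pps)
    return {
        "attack": detection_reasons(cfg, last_minute_pps, last_hour_pps),
        "forwarded_pps": forwarded,
        "dropped_pps": dropped,
    }


if __name__ == "__main__":
    # Constructed sample rates: a flood that trips both criteria and is rate limited ...
    print(walk_through(IP_FRAGMENT_FLOOD, last_minute_pps=50000, last_hour_pps=4000))
    # ... and a rate that is reported as an attack but, being below 33000 pps, is not dropped.
    print(walk_through(IP_FRAGMENT_FLOOD, last_minute_pps=20000, last_hour_pps=15000))
```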
  28. In the IP Intelligence area, select Categorize address as Black list category and configure the settings. You can select a black list category from the list, and specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
  29. In the Rate threshold field, type the rate of packets with errors per second to detect.
    This threshold sets an absolute limit which, when exceeded, registers an attack.
  30. In the Rate limit field, type the absolute limit for packets per second with protocol errors. Packets that exceed this limit are dropped.
  31. From the Detection Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in packets per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for the duration that the threshold is exceeded.
    • Use Infinite to set no value for the threshold.
  32. From the Detection Threshold % list, select Specify or Infinite.
    • Use Specify to set a value (in percentage of traffic) for the attack detection threshold. If packets of the specified types cross the percentage threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for the duration that the threshold is exceeded.
    • Use Infinite to set no value for the threshold.
  33. From the Rate/Leak Limit list, select Specify or Infinite.
    • Use Specify to set a value (in packets per second) that packets of this type cannot exceed. All packets of this type over the limit are dropped. Rate limiting continues until the rate no longer exceeds the limit.
    • Use Infinite to set no value for the threshold.
  34. In the Additional Actions area, select Categorize address and configure the settings. You can select a black list category from the list, specify the detection time in seconds after which the attacking endpoint is blacklisted, and specify the duration for which the address remains assigned to the category. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds), and the IP address is blacklisted for 4 hours (14400 seconds).
  35. Next to Auto-blacklisting, select Enabled.
  36. In the Blacklist Detection Period field, specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
  37. In the Blacklist Duration field, specify the amount of time in seconds that the address will remain on the blacklist. The default is 14400 (4 hours).
  38. From the Blacklist Category list, select a black list category to apply to automatically blacklisted addresses.
  39. To detect IP address sources from which possible attacks originate, enable Bad Actor Detection.
  40. In the Per Source IP Detection Threshold EPS field, specify the number of packets of this type per second from one IP address that identifies the IP source as a bad actor, for purposes of attack detection and logging.
  41. In the Per Source IP Mitigation Threshold EPS field, specify the number of packets of this type per second from one IP address, above which rate limiting or leak limiting occurs.
  42. To automatically blacklist bad actor IP addresses, select Add Source Address to Category.
  43. Under Profile Information, click General Settings.
  44. From the list of Source IP Address Whitelist items, select the address list to apply as whitelisted addresses to the DoS profile.
  45. Select the Category Name to which blacklist entries generated by Bad Actor Detection are added.
  46. Specify the Sustained Attack Detection Time, in seconds, after which an IP address is blacklisted.
  47. To change the duration for which the address is blacklisted, specify the duration in seconds in the Category Duration Time field. The default duration for an automatically blacklisted item is 4 hours (14400 seconds).
    After this time period, the IP address is removed from the blacklist.
  48. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement.
    To advertise to edge routers, you must configure a Blacklist Publisher at Security > Options > Blacklist Publisher for the blacklist category.
  49. To change the duration for which the address is blacklisted, specify the duration in seconds in the Duration field. The default duration for an automatically blacklisted item is 4 hours (14400 seconds).
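The bad actor and auto-blacklisting settings of steps 39 to 49 form one per-source state machine: detection threshold, mitigation threshold, sustained detection time (60 seconds by default) and category duration (14400 seconds by default). The following added Python model, not F5 code, walks a source through that life cycle; the source addresses, the category name and the assumption that a blacklisted source is dropped are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class BadActorSettings:
    detection_threshold_eps: int          # Per Source IP Detection Threshold EPS
    mitigation_threshold_eps: int         # Per Source IP Mitigation Threshold EPS
    detection_period_s: int = 60          # Sustained Attack Detection Time / Blacklist Detection Period
    blacklist_duration_s: int = 14400     # Category Duration Time / Blacklist Duration
    category: str = "example_dos_actors"  # Blacklist Category; hypothetical name


@dataclass
class SourceState:
    sustained_s: int = 0                      # consecutive seconds at or above the detection threshold
    blacklisted_until: Optional[int] = None   # second at which the category entry expires


class BadActorTracker:
    """Per-source state for one DoS profile, fed one second of traffic at a time."""

    def __init__(self, cfg: BadActorSettings) -> None:
        self.cfg = cfg
        self.sources: Dict[str, SourceState] = {}

    def observe(self, now: int, src: str, pps: int) -> dict:
        """Return the model's decision for src in second `now`.

        'action' is ok, rate_limited, bad_actor, blacklist (entry created this second)
        or blacklisted (entry still live); 'forwarded' is the pps let through.
        """
        cfg = self.cfg
        st = self.sources.setdefault(src, SourceState())

        # Category Duration Time elapsed: the address leaves the blacklist.
        if st.blacklisted_until is not None and now >= st.blacklisted_until:
            st.blacklisted_until = None
            st.sustained_s = 0

        if st.blacklisted_until is not None:
            # Assumption: the category is enforced with a drop action, so nothing from
            # the address is forwarded while its entry is live.
            return {"action": "blacklisted", "forwarded": 0, "until": st.blacklisted_until}

        above_detection = pps >= cfg.detection_threshold_eps
        st.sustained_s = st.sustained_s + 1 if above_detection else 0

        # Mitigation threshold: anything above it is rate limited down to the threshold.
        forwarded = min(pps, cfg.mitigation_threshold_eps)

        if st.sustained_s >= cfg.detection_period_s:
            st.blacklisted_until = now + cfg.blacklist_duration_s
            return {"action": "blacklist", "forwarded": forwarded,
                    "until": st.blacklisted_until, "category": cfg.category}
        if above_detection:
            return {"action": "bad_actor", "forwarded": forwarded}
        if forwarded < pps:
            return {"action": "rate_limited", "forwarded": forwarded}
        return {"action": "ok", "forwarded": forwarded}


def seconds_until_blacklist(cfg: BadActorSettings, pps: int, src: str = "198.51.100.7",
                            max_s: int = 600) -> Optional[int]:
    """Consecutive seconds at `pps` before src is blacklisted (None if it never is)."""
    tracker = BadActorTracker(cfg)
    for t in range(max_s):
        if tracker.observe(t, src, pps)["action"] == "blacklist":
            return t + 1
    return None


if __name__ == "__main__":
    # Constructed settings: 1000 pps marks a bad actor, 500 pps is the per-source rate limit.
    settings = BadActorSettings(detection_threshold_eps=1000, mitigation_threshold_eps=500)
    print(seconds_until_blacklist(settings, pps=2000))   # 60, the default detection period
    print(seconds_until_blacklist(settings, pps=900))    # None: rate limited, never a bad actor
```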
  50. From the UDP Port List Type list, select Include All Ports or Exclude All Ports.
    An Include list checks all the ports you specify in the UDP Port List, using the specified threshold criteria, and ignores all others.
    An Exclude list excludes all the ports you specify in the UDP Port List from checking, using the specified threshold criteria, and checks all others. To check all UDP ports, specify an empty exclude list.
  51. In the UDP Port List area, type a port number to add to an exclude or include UDP port list.
  52. In the UDP Port List area, select the mode for each port number you want to add to an exclude or include UDP port list.
    • None does not include or exclude the port.
    • Source only includes or excludes the port for source packets only.
    • Destination only includes or excludes the port for destination packets only.
    • Both Source and Destination includes or excludes the port in both source and destination packets.
  53. In the Rate Increased by % field, type the rate of change in protocol errors to detect as anomalous.
    The rate of detection compares the average rate over the last minute to the average rate over the last hour. For example, a 500% base rate would indicate an attack if the average rate for the previous hour was 100000 packets/second, and over the last minute the rate increased to 500000 packets/second.
  54. To change the threshold or rate increase for a particular network attack, in the Network Attack Types area, click Edit in the far right column, select the Enabled check box for each attack type that you want to configure, then change the values for Threshold, Rate Increase, and Rate Limit in the associated fields.
    For example, to change the detection threshold for IP fragments to 9,999 per second, or an increase of 250% over the average, in Attack Types, click IP Fragment Flood, select the Enabled check box next to IP Fragment Flood, then set the Threshold field to 9999 and the Rate Increase field to 250. To rate limit such requests to 33,000 packets per second, set the Rate Limit field to 33000.
    The Rate Increase compares the average rate over the last minute to the average rate over the last hour. For example, a 500% base rate would indicate an attack if the average rate for the previous hour was 100000 packets/second, and over the last minute the rate increased to 500000 packets/second.
    The Attack Types area allows you to configure the thresholds at which the firewall registers an attack. However, packets are dropped at the Rate Limit setting, not at the attack detection threshold.
  55. To change the threshold or rate increase for a particular DNS record, in the DNS Query Attack Detection area, click Edit in the far right column, select the Enabled check box for each record type that you want to configure, then change the values for Threshold, Rate Increase, and Rate Limit in the associated fields.
    For example, to change the detection threshold for IPv6 address requests to 9,999 per second, or an increase of 250% over the average, select the Enabled check box next to aaaa, then set the Threshold field to 9999 and the Rate Increase field to 250. To rate limit such requests to 33,000 packets per second, set the Rate Limit field to 33000.
    The Rate Increase compares the average rate over the last minute to the average rate over the last hour. For example, a 500% base rate would indicate an attack if the average rate for the previous hour was 100000 packets/second, and over the last minute the rate increased to 500000 packets/second.
    DNS Query Attack Detection allows you to configure the thresholds at which the firewall registers an attack. However, packets are dropped at the Rate Limit setting, not at the attack detection threshold.
  56. To change the threshold or rate increase for a particular SIP method, in the SIP Method Attack Detection settings, click Edit in the far right column, select the Enabled check box for each request type that you want to change, then change the values for Threshold, Rate Increase, and Rate Limit in the associated fields.
    For example, to change the threshold for NOTIFY requests to 9,999 per second, or an increase of 250% over the average, select the Enabled check box next to notify, then set the Threshold field to 9999 and the Rate Increase field to 250. To rate limit such requests to 33,000 packets per second, set the Rate Limit field to 33000.
    The Rate Increase compares the average rate over the last minute to the average rate over the last hour. For example, a 500% base rate would indicate an attack if the average rate for the previous hour was 100000 packets/second, and over the last minute the rate increased to 500000 packets/second.
    SIP request detection allows you to configure the thresholds at which the firewall registers an attack. However, packets are dropped at the Rate Limit setting, not at the attack detection threshold.
  57. On the Main tab, click Security > DoS Protection > Device Configuration.
    The Device Configuration screen opens.
  58. On the Main tab, click Security > Protocol Security > Security Profiles > DNS.
    The DNS Security Profiles list screen opens.
  59. From the Query Type list, select how to handle query types you add to the Active list.
    • Select Inclusion to allow packets with the DNS query types you add to the Active list, and drop all others.
    • Select Exclusion to deny packets with the DNS query types you add to the Active list, and allow all others.
  60. Click the name of an existing DoS profile (or create a new one).
    The DoS Profile Properties screen for that profile opens.
  61. On the left, under Application Security, click General Settings, and ensure that Application Security is enabled.
    If Application Security is disabled, click Enabled.
    The screen displays additional settings.
  62. If you have written an application DoS iRule to specify how the system recovers after a DoS attack, select the Trigger iRule setting.
    For complete iRules information, visit https://devcentral.f5.com.
  63. In the Latency-based Anomaly area, for Operation Mode, select an operation mode to determine how the system reacts when it detects a DoS attack.
    • Transparent: Displays data about DoS attacks on the DoS: Application reporting screen but does not block requests.
    • Blocking: Applies the necessary mitigation steps to suspicious IP addresses, URLs, geolocations, or site-wide. Also displays information about DoS attacks on the DoS: Application reporting screen.
    The screen displays additional configuration settings when you select an operation mode.
  64. On the left, under Application Security, click TPS-based Detection.
    The screen displays TPS-based DoS Detection settings.
  65. On the left, under Application Security, click Stress-based Detection.
    The screen displays Stress-based DoS Detection settings.
  66. Click Edit All.
    You can also edit each setting separately instead of editing them all at once.
    The screen opens the settings for editing.
  67. For Operation Mode, select the option to determine how the system reacts when it detects a DoS attack.
    • Transparent: Displays data about DoS attacks on the DoS reporting screens, but does not block requests, or perform any of the mitigations.
    • Blocking: Applies the necessary mitigation steps to suspicious IP addresses, geolocations, URLs, or the entire site. Also displays information about DoS attacks on the DoS reporting screens.
    The screen displays additional configuration settings when you select an operation mode.
  68. For How to detect attackers and which mitigation to use, specify how to identify and stop DoS attacks. By default, source IP addresses and URLs are used to detect DoS attacks. You can specify other detection methods and adjust the thresholds for each of the settings as needed.
    • By Source IP: Specifies conditions for when to treat an IP address as an attacker.
    • By Device ID: Specifies conditions for when to treat a device as an attacker.
    • By Geolocation: Specifies when to treat a particular country as an attacker.
    • By URL: Specifies when the system treats a URL as under attack.
    • Site Wide: Specifies conditions for how to determine when the entire website is under attack.
    • Behavioral: Analyzes traffic behavior to detect DoS attacks, and mitigates the attacks more or less aggressively, depending on the protection level you select.
    At least one mitigation method must be selected before you can edit the detection settings. If the specified thresholds in the settings are reached, the system limits the number of requests per second to the history interval and uses the selected mitigation methods described here. These methods do not apply to Behavioral DoS.
    • Client Side Integrity Defense: Sends a JavaScript challenge to determine whether the client is a legal browser or an illegal script. Only used when the Operation Mode is set to Blocking.
    • CAPTCHA Challenge: Issues a CAPTCHA challenge to the traffic identified as suspicious by source IP address, geolocation, URL, or site wide.
    • Request Blocking: Specifies how and when to block (if the operation mode is set to Blocking) or report (if the operation mode is set to Transparent) suspicious requests. Select Block All to block all suspicious requests or Rate Limit to reduce the number of suspicious requests.
  69. For How to detect attackers and which mitigation to use, specify how to identify and stop DoS attacks. By default, source IP addresses and URLs are used to detect DoS attacks. You can specify other detection methods and adjust the thresholds for each of the settings as needed.
    • By Source IP: Specifies conditions for when to treat an IP address as an attacker.
    • By Device ID: Specifies conditions for when to treat a device as an attacker.
    • By Geolocation: Specifies when to treat a particular country as an attacker.
    • By URL: Specifies when the system treats a URL as under attack.
    • Site Wide: Specifies conditions for how to determine when the entire web site is under attack.
    At least one mitigation method must be selected before you can edit the detection settings. If the specified thresholds in the settings are reached, the system limits the number of requests per second to the history interval and uses the selected mitigation methods described below.
    • Client Side Integrity Defense: Sends a JavaScript challenge to determine whether the client is a legal browser or an illegal script. Only used when the Operation Mode is set to Blocking.
    • CAPTCHA Challenge: Issues a CAPTCHA challenge to the traffic identified as suspicious by source IP address, geolocation, URL, or site wide.
    • Request Blocking: Specifies how and when to block (if the operation mode is set to Blocking) or report (if the operation mode is set to Transparent) suspicious requests. Select Block All to block all suspicious requests or Rate Limit to reduce the number of suspicious requests.
  70. For IP Detection Criteria, modify the threshold values as needed.
    This setting appears if at least one of these Prevention Policy settings is selected: Source IP-Based in Client Side Integrity Defense, Source IP-Based in the CAPTCHA challenge, or Source IP-Based Rate Limit in Request Blocking.
    If any of these criteria is met, the system handles the attack according to the Prevention Policy settings.
    • TPS increased by: Specifies that the system considers an IP address to be that of an attacker if the transactions sent per second have increased by this percentage, and the detected TPS is greater than the Minimum TPS Threshold for detection. The default value is 500%.
    • TPS reached: Specifies that the system considers an IP address to be suspicious if the number of transactions sent per second from an IP address equals, or is greater than, this value. This setting provides an absolute value, so, for example, if an attack increases the number of transactions gradually, the increase might not exceed the TPS increased by threshold and would not be detected. If the TPS reaches the TPS reached value, the system considers traffic to be an attack even if it did not meet the TPS increased by value. The default value is 200 requests per second.
    • Minimum TPS Threshold for detection: Specifies that the system considers an IP address to be an attacker if the detected TPS for a specific IP address equals, or is greater than, this number, and the TPS increased by number was reached. The default setting is 40 transactions per second.
    If these thresholds are reached, the system treats the IP address as an attacker, and prevents further attacks by limiting the number of requests per second to the history interval.
  71. For Geolocation Detection Criteria, modify the threshold values as needed.
    This setting appears only if one of the Geolocation-based options is selected in the Prevention Policy.
    • Geolocation traffic share increased by: Specifies that a country should be considered suspicious if the number of requests from that country has increased by this percentage. The default value is 500%.
    • Geolocation traffic share is at least: Specifies that a country should be considered suspicious if, of all the requests to the web application, the number of requests from that country is at least this percentage. The default value is 10%.
    If both of these criteria are met, the system treats traffic from the country as an attack, and limits the number of requests per second to the history interval.
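The IP criteria of step 70 and the geolocation criteria of step 71 combine differently: any one IP criterion is enough, while both geolocation criteria must hold. The following added Python example (not F5 code) encodes both rules with the default values from the text; the percentage comparison, the use of "equal to or greater than" for the minimum threshold, and the per-country request counts are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List


def increase_pct(current: float, baseline: float) -> float:
    """current expressed as a percentage of baseline (100 = unchanged).

    Assumption: this is the comparison behind the 'increased by' settings, matching
    the page's network example where 100000 -> 500000 packets/second is 500%.
    A zero baseline with any current traffic counts as an infinite increase.
    """
    if baseline <= 0:
        return float("inf") if current > 0 else 0.0
    return 100.0 * current / baseline


@dataclass(frozen=True)
class IpDetectionCriteria:
    tps_increased_by_pct: float = 500.0    # TPS increased by (default 500%)
    tps_reached: float = 200.0             # TPS reached (default 200)
    minimum_tps_threshold: float = 40.0    # Minimum TPS Threshold for detection (default 40)


def ip_is_attacker(crit: IpDetectionCriteria, current_tps: float, baseline_tps: float) -> bool:
    """Any single criterion suffices ('If any of these criteria is met').

    The relative criterion only counts once the Minimum TPS Threshold is reached, so a
    source that goes from 1 to 30 TPS (a 3000% jump) is ignored, while the absolute
    TPS reached value catches a slow ramp that never trips the relative one.
    """
    if current_tps >= crit.tps_reached:
        return True
    return (current_tps >= crit.minimum_tps_threshold
            and increase_pct(current_tps, baseline_tps) >= crit.tps_increased_by_pct)


@dataclass(frozen=True)
class GeoDetectionCriteria:
    share_increased_by_pct: float = 500.0  # Geolocation traffic share increased by (default 500%)
    share_at_least_pct: float = 10.0       # Geolocation traffic share is at least (default 10%)


def traffic_share_pct(counts: Dict[str, int], country: str) -> float:
    """Share of all requests that came from `country`, in percent."""
    total = sum(counts.values())
    return 100.0 * counts.get(country, 0) / total if total else 0.0


def country_is_attacker(crit: GeoDetectionCriteria, current_share: float, baseline_share: float) -> bool:
    """Both criteria must hold ('If both of these criteria are met'): a country whose
    share jumped but is still tiny, or one that is large but stable, is not flagged."""
    return (current_share >= crit.share_at_least_pct
            and increase_pct(current_share, baseline_share) >= crit.share_increased_by_pct)


def suspicious_countries(crit: GeoDetectionCriteria,
                         current_counts: Dict[str, int],
                         baseline_counts: Dict[str, int]) -> List[str]:
    """Countries whose current share of requests meets both geolocation criteria."""
    return sorted(c for c in current_counts
                  if country_is_attacker(crit,
                                         traffic_share_pct(current_counts, c),
                                         traffic_share_pct(baseline_counts, c)))


if __name__ == "__main__":
    # Constructed per-country request counts for a historical interval and the current one.
    baseline = {"US": 900, "DE": 80, "XX": 20}
    current = {"US": 900, "DE": 80, "XX": 300}
    print(suspicious_countries(GeoDetectionCriteria(), current, baseline))          # ['XX']
    print(ip_is_attacker(IpDetectionCriteria(), current_tps=30, baseline_tps=1))    # False
```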
  72. For Detection Criteria, modify the threshold values as needed.
    If any of these criteria is met, the system handles the attack according to the Prevention Policy settings.
    • Latency increased by: Specifies that the system considers traffic to be an attack if the latency has increased by this percentage, and the minimum latency threshold has been reached. The default value is 500%.
    • Latency reached: Specifies that the system considers traffic to be an attack if the latency is greater than this value. This setting provides an absolute value, so, for example, if an attack increases latency gradually, the increase might not exceed the Latency increased by threshold and would not be detected. If server latency reaches the Latency reached value, the system considers traffic to be an attack even if it did not meet the Latency increased by value. The default value is 10000 ms.
    • Minimum Latency Threshold for detection: Specifies that the system considers traffic to be an attack if the detection interval for a specific URL equals, or is greater than, this number, and at least one of the Latency increased by numbers was reached. The default setting is 200 ms.
    Click the Set default criteria link to reset these settings to their default values.
  73. For the Prevention Duration setting, specify the time spent in each mitigation step until deciding to move to the next mitigation step.
    • Escalation Period: Specifies the minimum time spent in each mitigation step before the system moves to the next step when preventing attacks against an attacker IP address or attacked URL. During a DoS attack, the system performs attack prevention for the amount of time configured here for the mitigation methods that are enabled. If after this period the attack is not stopped, the system enforces the next enabled prevention step. Type a number between 1 and 3600. The default is 120 seconds.
    • De-escalation Period: Specifies the time spent in the final escalation step until retrying the steps using the mitigation methods that are enabled. Type a number (greater than the escalation period) between 0 (meaning the steps are never retried) and 86400 seconds. The default value is 7200 seconds (2 hours).
    DoS mitigation is reset after 2 hours, even if the detection criteria still hold, regardless of the value set for the De-escalation Period. If the attack is still taking place, a new attack occurs and mitigation starts over, retrying all the mitigation methods. If you set the De-escalation Period to less than 2 hours, the reset occurs more frequently.
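The Prevention Duration rules above describe a schedule: each enabled mitigation step runs for the Escalation Period, the final step runs for the De-escalation Period, and everything resets after 2 hours no matter what. This added Python model (not F5 code) computes which step is in force at a given second of an ongoing attack; the order of the mitigation methods and the choice of attack detection as the reference time are assumptions.

```python
from typing import List, Tuple

HARD_RESET_S = 7200   # DoS mitigation is reset after 2 hours regardless of the De-escalation Period

# Assumed order of the enabled mitigation methods (the page lists them in this order).
DEFAULT_STEPS = ["Client Side Integrity Defense", "CAPTCHA Challenge", "Request Blocking"]


def validate_prevention_duration(escalation_s: int, de_escalation_s: int) -> None:
    """Enforce the ranges the page gives for the two Prevention Duration fields."""
    if not 1 <= escalation_s <= 3600:
        raise ValueError("Escalation Period must be between 1 and 3600 seconds")
    if not 0 <= de_escalation_s <= 86400:
        raise ValueError("De-escalation Period must be between 0 and 86400 seconds")
    if de_escalation_s != 0 and de_escalation_s <= escalation_s:
        raise ValueError("De-escalation Period must be greater than the Escalation Period")


def prevention_duration_is_valid(escalation_s: int, de_escalation_s: int) -> bool:
    """True when the pair would be accepted by the validation above."""
    try:
        validate_prevention_duration(escalation_s, de_escalation_s)
    except ValueError:
        return False
    return True


def cycle_length_s(n_steps: int, escalation_s: int, de_escalation_s: int) -> int:
    """Seconds from the start of the first step until all steps are retried.

    The final step lasts for the De-escalation Period (or, with 0, until the 2-hour
    reset); the cycle can never run longer than HARD_RESET_S.
    """
    if de_escalation_s == 0:
        return HARD_RESET_S
    return min((n_steps - 1) * escalation_s + de_escalation_s, HARD_RESET_S)


def active_step(steps: List[str], t_since_attack_s: int,
                escalation_s: int = 120, de_escalation_s: int = 7200) -> str:
    """The mitigation step in force t seconds into an attack that is still ongoing.

    Assumption: the clock starts when the attack is detected and the cycle repeats
    unchanged while the detection criteria keep holding.
    """
    if not steps:
        raise ValueError("at least one mitigation method must be selected")
    validate_prevention_duration(escalation_s, de_escalation_s)
    t = t_since_attack_s % cycle_length_s(len(steps), escalation_s, de_escalation_s)
    return steps[min(t // escalation_s, len(steps) - 1)]


def timeline(steps: List[str], total_s: int,
             escalation_s: int = 120, de_escalation_s: int = 7200) -> List[Tuple[int, str]]:
    """(second, step) at each transition, including the reset back to the first step."""
    cycle = cycle_length_s(len(steps), escalation_s, de_escalation_s)
    out: List[Tuple[int, str]] = []
    for t in range(total_s):
        step = active_step(steps, t, escalation_s, de_escalation_s)
        if t == 0 or step != out[-1][1] or t % cycle == 0:
            out.append((t, step))
    return out


if __name__ == "__main__":
    # Defaults: 120 s per step, 7200 s de-escalation, so the reset comes at 2 hours.
    print(timeline(DEFAULT_STEPS, 7201))
    # A 600 s De-escalation Period makes the reset come round every 840 s instead.
    print(timeline(DEFAULT_STEPS, 841, de_escalation_s=600))
```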
  74. For
    Suspicious IP Criteria
    , modify the threshold values as needed.
    This setting appears if at least one of these
    Prevention Policy
    settings is selected:
    Source IP-Based
    for Client Side Integrity Defense or the CAPTCHA challenge,
    Source IP-Based Rate Limit
    for Request Blocking.
    TPS increased by
    Specifies that the system considers an IP address to be that of an attacker if the transactions sent per second have increased by this percentage, and the detected TPS for a specific IP address is equal to or greater than the
    Minimum TPS Threshold
    . The default value is
    500%
    .
    TPS reached
    Specifies that the system considers an IP address to be suspicious if the number of transactions sent per second from an IP address equals, or is greater than, this value. This setting provides an absolute value, so, for example, if an attack increases the number of transactions gradually, the increase might not exceed the
    TPS increased by
    threshold and would not be detected. If the TPS reaches the
    TPS reached
    value, the system considers traffic to be an attack even if it did not meet the
    TPS increased by
    value. The default value is
    200
    TPS.
    Minimum TPS Threshold for detection
    Specifies that the system considers an IP address to be an attacker if the detected TPS for a specific IP address equals, or is greater than, this number, and the
    TPS increased by
    number was reached. The default setting is
    40
    transactions per second.
    If any of these criteria is met, the system handles the attack according to the
    Prevention Policy
    settings.
  75. For
    Suspicious Geolocation Criteria
    , modify the threshold values as needed.
    This setting appears only if one of the
    Geolocation-Based
    options is selected in the
    Prevention Policy
    .
    Geolocation traffic share increased by
    Specifies that the system considers a country to be suspicious if the number of requests from a country has increased by this percentage. The default value is
    500%
    .
    Geolocation traffic share is at least
    Specifies that a country should be considered suspicious if, of all the requests to the web application, the number of requests from that country is at least this percentage. The default value is
    10%
    .
    If both of these criteria are met, the system treats traffic from the country as an attack, and limits the number of requests per second to the history interval.
  76. For
    Suspicious Site-Wide Criteria
    , modify the threshold values as needed.
    This setting appears only if you are using site-wide prevention policies.
    TPS increased by
    Specifies that the system considers a whole site to be under attack if the transactions sent per second have increased by this percentage, and the detected TPS for a specific IP address is equal to or greater than the
    Minimum TPS Threshold
    . The default value is
    500%
    .
    TPS reached
    Specifies that the system considers a whole site to be under attack if the number of requests sent per second is equal to or greater than this number. The default value is
    10000
    TPS.
    Minimum TPS Threshold for detection
    Specifies that the system considers a whole site to be under attack if the detected TPS is equal to or greater than this number, and the
    TPS increased by
    number was reached. The default setting is
    2000
    TPS.
    If any of these criteria is met, the system handles the attack according to the
    Prevention Policy
    settings.
  77. For Suspicious URL Criteria, modify the threshold values as needed.
    This setting appears if at least one of these Prevention Policy settings is selected: URL-Based for Client Side Integrity Defense or CAPTCHA Challenge, or Source IP-Based Rate Limit for Request Blocking.
    TPS increased by
    Specifies that the system considers a URL to be an attacker if the transactions sent per second to the URL have increased by this percentage, and the detected TPS for a specific IP address is equal to or greater than the Minimum TPS Threshold. The default value is 500%.
    TPS reached
    Specifies that the system considers a URL to be suspicious if the number of transactions sent per second to the URL is equal to or greater than this value. This setting provides an absolute value, so, for example, if an attack increases the number of transactions gradually, the increase might not exceed the TPS increased by threshold and would not be detected. If the TPS reaches the TPS reached value, the system considers traffic to be an attack even if it did not meet the TPS increased by value. The default value is 1000 TPS.
    Minimum TPS Threshold for detection
    Specifies that the system considers a URL to be an attacker if the detected TPS for a specific URL equals, or is greater than, this number, and the TPS increased by number was reached. The default setting is 40 transactions per second.
    If any of these criteria is met, the system handles the attack according to the Prevention Policy settings.
  78. For URL Detection Criteria, modify the threshold values for when the system treats a URL to be under attack.
    This setting appears only if Prevention Policy is set to URL-Based for Client Side Integrity Defense or CAPTCHA Challenge, or URL-Based Rate Limit for Request Blocking.
    TPS increased by
    Specifies that the system considers a URL to be that of an attacker if the transactions sent per second to the URL have increased by this percentage, and the detected TPS is greater than the Minimum TPS Threshold for detection. The default value is 500%.
    TPS reached
    Specifies that the system considers a URL to be suspicious if the number of transactions sent per second to the URL is equal to or greater than this value. This setting provides an absolute value, so, for example, if an attack increases the number of transactions gradually, the increase might not exceed the TPS increased by threshold and would not be detected. If the TPS reaches the TPS reached value, the system considers traffic to be an attack even if it did not meet the TPS increased by value. The default value is 1000 TPS.
    Minimum TPS Threshold for detection
    Specifies that the system considers a URL to be an attacker if the detected TPS for a specific URL equals, or is greater than, this number, and the TPS increased by number was reached. The default setting is 200 transactions per second.
    If any of these criteria is met, the system handles the attack according to the Prevention Policy settings.
  79. For Site-Wide Detection Criteria, modify the threshold values for when the system treats a website as being under attack.
    This setting appears only if you are using site-wide prevention policies.
    TPS increased by
    Specifies that the system considers a whole site to be under attack if the transactions sent per second have increased by this percentage, and the detected TPS is greater than the Minimum TPS Threshold for detection. The default value is 500%.
    TPS reached
    Specifies that the system considers a whole site to be under attack if the number of requests sent per second is equal to or greater than this number. The default value is 10000 TPS.
    Minimum TPS Threshold for detection
    Specifies that the system considers a whole site to be under attack if the detected TPS is equal to or greater than this number, and the TPS increased by number was reached. The default setting is 2000 TPS.
    If any of these criteria is met, the system handles the attack according to the Prevention Policy settings. This mitigation method is used last because it may drop some legitimate requests.
  80. Click Update to save the DoS profile.
  81. On the Main tab, click DoS Configuration > Protected Objects.
    The Protected Objects screen is displayed showing the configured protected objects.
  82. On the menu bar, click Network Configuration.
  83. If your system is configured using routed mode and connects to other networks through additional routers, add the required routes so the traffic can reach its destination:
    1. Next to Routes, click Create.
    2. Type a name, destination IP address, netmask, and gateway IP address (this is the next hop router address).
    3. Click Done Editing to save the route.
  84. To detect attacks by passively observing mirrored traffic, configure Span Ports:
    1. Next to Span Ports, click Create.
    2. Select the interface from which to listen to traffic.
    3. Click Done Editing to save the span port configuration.
    For port mirroring to work, the TCP Half Open vector must not be enforced. Click Protected Objects > Device Configuration > Other > TCP Half Open and set it to Don't Enforce.
    The Span Ports that you configure have Span Mode (also called Tap Mode) enabled. The switch or router sends a copy of all network packets to DDoS Hybrid Defender for analysis. That's all you have to do. Click Update to finish.
  85. To detect attacks by examining traffic metadata in NetFlow messages, create a NetFlow configuration:
    1. Next to Netflow, click Create.
    2. Type a name for the configuration.
    3. Type the IP Address/Mask and Port for the NetFlow traffic.
    4. Specify the VLAN on which to listen for NetFlow messages.
    5. Select the NetFlow Version to listen for.
    6. Click Done Editing to save the NetFlow configuration.
  86. Click Update to save the network configuration.
  87. Click Commit Changes to System to save the changes.
  88. In the Device Protection area, click Device Configuration.
    The DoS Device Configuration screen opens.
  89. Click the + sign next to a category to display the attack vectors for any of the enabled DDoS settings.
    A table opens listing the associated attack vectors, the properties, and the current device statistics, if available.
  90. Click the name of any vector to edit the settings.
    The configuration settings appear on the right side of the screen.
  91. If you are using Silverline DDoS Protection Services, select the Silverline check box.
    The system reports DDoS attacks to F5 Silverline. For severe attacks, you can work with the F5 Silverline Security Operations Center (SOC) to migrate traffic to the F5 Silverline Cloud Platform for mitigation.
  92. For the Action, select what you want to happen in case of a DDoS attack:
    • To have the system detect, log, and mitigate DDoS attacks, select Log And Mitigate. The mitigating action rate-limits the attack. You can also select to detect bad actors, blacklist the bad actors, and advertise the bad actors.
    • To have the system detect and log attacks only, select Log Only. To ensure that no mitigation takes place, you must set the rate-limit thresholds for all enabled vectors to Infinite.
    • To disable system-level device protection and take no action, select None.
    The selected action occurs when a DoS vector exceeds the detection (log) or rate-limit (mitigate) threshold.
  93. Specify the Auto Threshold Sensitivity.
    A lower number means the automatic threshold algorithm is less sensitive to changes in traffic and CPU usage.
  94. In the Source area, specify the IP address and VLAN combination that serves as the source of traffic that the system recognizes as acceptable to pass the DoS checks.
    The VLANs you can select from are specified on the Network Configuration screen. Use Any to specify any address or VLAN.
    Be careful not to allow all traffic.
  95. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement.
    To advertise to edge routers, you must configure a Blacklist Publisher for the Advertisement Next-Hop in the Global Settings.
  96. To operate DDoS Hybrid Defender as an inline L2 transparent mode device (the ingress and egress VLANs are the same), create a Virtual Wire configuration. Click Virtual Wire and on the Virtual Wire Properties screen, configure it as follows:
    1. For Name, type a name for the Virtual Wire configuration, then for Member 1 and Member 2, select unique interfaces (or trunks) for the ingress and egress ports on the system.
    2. In the VLAN Traffic Management Configuration area, for Define VLANs, select Add to create a VLAN group.
    3. For Name, type a name for the VLAN group.
    4. If using tagged VLANs, type a tag number for the VLANs (an integer from 1 to 4095), and select the Tagged check box.
    5. Click Add to add the VLAN group.
    6. If using other VLAN tags, create additional VLANs following the same steps.
    7. In the Actions area, for Propagate Virtual Wire Link Status, select Enabled if you want to propagate link status.
    8. Click Finished.
    The system creates a Virtual Wire configuration.
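Steps 76 through 79 all describe the same pair of detection rules with different defaults: a relative rule (TPS increased by a percentage while the detected TPS is at or above the Minimum TPS Threshold) and an absolute rule (TPS reached), the second existing to catch a slow ramp that never trips the percentage check. The following Python model is an added worked example of that logic, not code from F5 or from DDoS Hybrid Defender; the real system derives the rates from its own history interval, whereas here a baseline TPS and a current TPS are passed in as constructed inputs, and all function and constant names are my own.

```python
"""Model of the TPS-based detection criteria from the DoS profile steps.

Added illustration only (not F5 code). The system measures TPS itself;
this model takes a baseline rate and a current rate as inputs.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TpsCriteria:
    """The three thresholds shown for each criteria group on the profile screen."""
    tps_increased_by_pct: float  # relative rule, e.g. 500 means 500%
    tps_reached: float           # absolute rule, in TPS
    min_tps_threshold: float     # floor the relative rule must also meet


# Defaults as stated in steps 76-79 of the page.
SUSPICIOUS_SITE_WIDE = TpsCriteria(500, 10_000, 2_000)   # step 76
SUSPICIOUS_URL = TpsCriteria(500, 1_000, 40)             # step 77
URL_DETECTION = TpsCriteria(500, 1_000, 200)             # step 78
SITE_WIDE_DETECTION = TpsCriteria(500, 10_000, 2_000)    # step 79


def percent_increase(baseline_tps: float, current_tps: float) -> float:
    """Percentage by which the current rate exceeds the baseline.

    With no baseline traffic, any positive current rate is treated as an
    unbounded increase (a modelling assumption, not documented behaviour).
    """
    if baseline_tps <= 0:
        return float("inf") if current_tps > 0 else 0.0
    return (current_tps - baseline_tps) / baseline_tps * 100.0


def detect(criteria: TpsCriteria, baseline_tps: float, current_tps: float) -> Optional[str]:
    """Return the name of the criterion that fired, or None if traffic is normal.

    Absolute rule:  current_tps >= tps_reached
    Relative rule:  current_tps >= min_tps_threshold
                    AND percent_increase >= tps_increased_by_pct
    The absolute rule is checked first because, as the page notes, it is what
    catches a gradual ramp whose percentage increase stays under the threshold.
    """
    if current_tps >= criteria.tps_reached:
        return "TPS reached"
    if (current_tps >= criteria.min_tps_threshold
            and percent_increase(baseline_tps, current_tps) >= criteria.tps_increased_by_pct):
        return "TPS increased by"
    return None


def first_detection(criteria: TpsCriteria, baseline_tps: float,
                    samples: List[float]) -> Optional[Tuple[int, str]]:
    """Scan constructed per-second request counts and return (index, reason)
    for the first second at which a criterion fires, or None."""
    for i, tps in enumerate(samples):
        reason = detect(criteria, baseline_tps, tps)
        if reason is not None:
            return i, reason
    return None


if __name__ == "__main__":
    # Constructed scenario: a URL normally serving 800 TPS ramps up slowly.
    # Each step is well under a 500% increase, so only "TPS reached" fires.
    ramp = [820, 860, 900, 950, 1010]
    print(first_detection(URL_DETECTION, 800, ramp))        # (4, 'TPS reached')
    # A burst from a quiet URL: 10 -> 250 TPS is +2400% and above the
    # 200 TPS floor, so the relative rule fires.
    print(detect(URL_DETECTION, 10, 250))                   # TPS increased by
    # The same burst to only 100 TPS is below the floor: no detection.
    print(detect(URL_DETECTION, 10, 100))                   # None
```

The floor on the relative rule is what keeps a tiny, normally idle URL from being flagged on its first handful of requests; the absolute rule is what stops an attacker from staying under the percentage check by ramping slowly. Tuning either threshold changes a different side of that trade-off, which is why the page lists both for every criteria group.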