Manual Chapter :
Preventing DDoS Flood and Sweep Attacks
Applies To:
Show Versions
F5 DDoS Hybrid Defender
- 17.0.0, 16.1.0, 16.0.1, 16.0.0, 15.1.1, 15.1.0, 15.0.0
Preventing DDoS Flood and Sweep Attacks
About DoS sweep and flood attack prevention
A
sweep attack
is a network scanning technique that typically sweeps your network
by sending packets, and using the packet responses to determine live hosts. Typical attacks use
ICMP to accomplish this.The Sweep vector tracks packets by source address. Packets from a specific source that meet the
defined single endpoint Sweep criteria, and exceed the rate limit, are dropped. You can also
configure the Sweep vector to automatically blacklist an IP address from which the Sweep attack
originates.
The sweep mechanism protects against a flood attack
from a single source, whether that attack is to a single destination host or
multiple hosts.
A
flood attack
is a an attack technique that floods your network with packets of a
certain type, in an attempt to overwhelm the system. A typical attack might flood the system with
SYN packets without then sending corresponding ACK responses. UDP flood attacks flood your
network with a large number of UDP packets, requiring the system to verify applications and send
responses. The Flood vector tracks packets per destination address. Packets to a specific destination that
meet the defined Single Endpoint Flood criteria, and exceed the rate limit, are dropped. The
system can detect such attacks with a configurable detection threshold, and can rate limit
packets from a source when the detection threshold is reached.
You can configure DoS sweep and flood prevention to detect and prevent floods and sweeps of
ICMP, UDP, TCP SYN without ACK, or any IP packets that originate from a single source address,
according to the threshold setting. Both IPv4 and IPv6 are supported. The sweep vector acts
first, so a packet flood from a single source address to a single destination address is handled
by the sweep vector.
Sweep and flood is the first prevention that is limited to the affected hosts. For example, the
Flood TCP SYN flood vector rate limits all TCP SYNs, good and bad, once the rate limit threshold
is reached. Sweep protection detects and rate limits just the bad guys. Flood detects and limits
just the traffic to the targeted host. Collateral damage is much lower by mitigating these
vectors. You can set the limits lower than would be reasonable for the indiscriminate
vectors.
You can configure DoS sweep and flood prevention at the system
level using Device Protection, or at the protected object level in the Protection
Profile.
Protecting against single-endpoint flood and sweep attacks
You can protect against DDoS single-endpoint
attacks to protect traffic from flood and sweep attacks.
- On the Main tab, click .
- From theLog Publisherlist, select a destination to which the BIG-IP system sends DoS and DDoS log entries. You can review, create, and update log publishers inSystem>Logs>Configuration>Log Publishers.
- Select theThreshold Sensitivity.SelectLow,Medium, orHigh. A lower setting means the automatic threshold algorithm is less sensitive to changes in traffic and CPU usage, but will also trigger fewer false positives.
- Expand theNetworkfamily, and clickSingle Endpoint Floodnear the bottom of the list.The settings appear on the right.
- By default, the system enforces all of the vectors at some level. To enforce the DoS vector, make sure theStateis set toMitigate(watch, learn, alert, and mitigate).Other options allow you toDetect Only(watch, learn, and alert) orLearn Only(collect stats, no mitigation).For most DoS vectors, you want to enforce the vector. Set a vector toDisabled(no stat collection, no mitigation) only when you find that enforcement of the vector is disrupting legitimate traffic. For example, if you test a legitimate packet with the packet tester and find a DoS vector is preventing packet transmission, you can adjust the thresholds or disable the vector to remedy the issue.
- From theDetection Threshold EPSlist, selectSpecifyorInfinite.
- UseSpecifyto set a value (in packets per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for the duration that the threshold is exceeded.
- UseInfiniteto set no value for the threshold.
- From theMitigation Threshold EPSlist, selectSpecifyorInfinite.
- UseSpecifyto set a value (in events per second), which cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
- UseInfiniteto set no value for the threshold. This specifies that this type of attack is not rate-limited.
- In thePacket Typearea, select the packet types you want to detect for this attack type in theAvailablelist, and move them to theSelectedlist.
- In the Attack Type list, clickSingle Endpoint Sweep.The settings appear on the right, and are the same as for the flood, so you complete them the same way. Additional blacklist settings are available.
- To automatically blacklist bad actor IP addresses, selectAdd Source Address to Category.
- Select theCategory Nameto which blacklist entries generated byBad Actor Detectionare added.
- Specify theSustained Attack Detection Time, in seconds, after which an IP address is blacklisted.
- To change the duration for which the address is blacklisted, specify the duration in seconds in theCategory Duration Timefield. The default duration for an automatically blacklisted item is 4 hours (14400seconds).After this time period, the IP address is removed from the blacklist.
- To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, selectAllow External Advertisement.To advertise to edge routers, you must configure a Blacklist Publisher for theAdvertisement Next-Hopin the Global Settings.
- When you finish adjusting the settings of the attack types, clickCommit Changes to System.The device protection configuration is updated.
Now you have configured the system to provide protection against single-endpoint DoS
flood and sweep attacks at the system level for all traffic passing through, and to
allow such attacks to be identified in system logs and reports. You can similarly
protect against sweep and specific flood attacks in protection profiles that more
narrowly guard specific backend servers
Protecting objects
from specific flood attacks
You can use DDoS Hybrid Defender™ to guard protected objects from specific flood
attacks.
- On the Main tab, click .
- Click the name of the protection profile to edit, or create a new one.
- ForFamilies, make sureNetworkis selected.
- Expand theNetworkcategory.
- In the Search text filter, typefloodto show only the flood vectors.
- Click the type of flood for which you want to change the settings.The settings appear on the right.
- Adjust the settings as needed.For Threshold Mode, clickFully Automaticto allow the system to determine the thresholds based on traffic.
- When you finish adjusting the settings of the vectors, clickCommit Changes to System.The protection profile is updated.
Now you have configured the system to prevent DDoS flood attacks on the protected
objects that use the updated protection profile.
