Manual Chapter : Preventing DDoS Flood and Sweep Attacks

Applies To:

Show Versions Show Versions

F5 DDoS Hybrid Defender

  • 15.0.0
Manual Chapter

Preventing DDoS Flood and Sweep Attacks

About DoS sweep and flood attack prevention

A
sweep attack
is a network scanning technique that typically sweeps your network by sending packets, and using the packet responses to determine live hosts. Typical attacks use ICMP to accomplish this.
The Sweep vector tracks packets by source address. Packets from a specific source that meet the defined single endpoint Sweep criteria, and exceed the rate limit, are dropped. You can also configure the Sweep vector to automatically blacklist an IP address from which the Sweep attack originates.
The sweep mechanism protects against a flood attack from a single source, whether that attack is to a single destination host or multiple hosts.
A
flood attack
is a an attack technique that floods your network with packets of a certain type, in an attempt to overwhelm the system. A typical attack might flood the system with SYN packets without then sending corresponding ACK responses. UDP flood attacks flood your network with a large number of UDP packets, requiring the system to verify applications and send responses.
The Flood vector tracks packets per destination address. Packets to a specific destination that meet the defined Single Endpoint Flood criteria, and exceed the rate limit, are dropped. The system can detect such attacks with a configurable detection threshold, and can rate limit packets from a source when the detection threshold is reached.
You can configure DoS sweep and flood prevention to detect and prevent floods and sweeps of ICMP, UDP, TCP SYN without ACK, or any IP packets that originate from a single source address, according to the threshold setting. Both IPv4 and IPv6 are supported. The sweep vector acts first, so a packet flood from a single source address to a single destination address is handled by the sweep vector.
Sweep and flood is the first prevention that is limited to the affected hosts. For example, the Flood TCP SYN flood vector rate limits all TCP SYNs, good and bad, once the rate limit threshold is reached. Sweep protection detects and rate limits just the bad guys. Flood detects and limits just the traffic to the targeted host. Collateral damage is much lower by mitigating these vectors. You can set the limits lower than would be reasonable for the indiscriminate vectors.
You can configure DoS sweep and flood prevention at the system level using Device Protection, or at the protected object level in the Protection Profile.

Protecting against single-endpoint flood and sweep attacks

You can protect against DDoS single-endpoint attacks to protect traffic from flood and sweep attacks.
  1. On the Main tab, click
    DoS Configuration
    Device Protection
    .
  2. From the
    Log Publisher
    list, select a destination to which the BIG-IP system sends DoS and DDoS log entries. You can review, create, and update log publishers in
    System
    >
    Logs
    >
    Configuration
    >
    Log Publishers
    .
  3. Select the
    Threshold Sensitivity
    .
    Select
    Low
    ,
    Medium
    , or
    High
    . A lower setting means the automatic threshold algorithm is less sensitive to changes in traffic and CPU usage, but will also trigger fewer false positives.
  4. Expand the
    Network
    family, and click
    Single Endpoint Flood
    near the bottom of the list.
    The settings appear on the right.
  5. By default, the system enforces all of the vectors at some level. To enforce the DoS vector, make sure the
    State
    is set to
    Mitigate
    (watch, learn, alert, and mitigate).
    Other options allow you to
    Detect Only
    (watch, learn, and alert) or
    Learn Only
    (collect stats, no mitigation).
    For most DoS vectors, you want to enforce the vector. Set a vector to
    Disabled
    (no stat collection, no mitigation) only when you find that enforcement of the vector is disrupting legitimate traffic. For example, if you test a legitimate packet with the packet tester and find a DoS vector is preventing packet transmission, you can adjust the thresholds or disable the vector to remedy the issue.
  6. From the
    Detection Threshold EPS
    list, select
    Specify
    or
    Infinite
    .
    • Use
      Specify
      to set a value (in packets per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for the duration that the threshold is exceeded.
    • Use
      Infinite
      to set no value for the threshold.
  7. From the
    Mitigation Threshold EPS
    list, select
    Specify
    or
    Infinite
    .
    • Use
      Specify
      to set a value (in events per second), which cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
    • Use
      Infinite
      to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  8. In the
    Packet Type
    area, select the packet types you want to detect for this attack type in the
    Available
    list, and move them to the
    Selected
    list.
  9. In the Attack Type list, click
    Single Endpoint Sweep
    .
    The settings appear on the right, and are the same as for the flood, so you complete them the same way. Additional blacklist settings are available.
  10. To automatically blacklist bad actor IP addresses, select
    Add Source Address to Category
    .
  11. Select the
    Category Name
    to which blacklist entries generated by
    Bad Actor Detection
    are added.
  12. Specify the
    Sustained Attack Detection Time
    , in seconds, after which an IP address is blacklisted.
  13. To change the duration for which the address is blacklisted, specify the duration in seconds in the
    Category Duration Time
    field. The default duration for an automatically blacklisted item is 4 hours (
    14400
    seconds).
    After this time period, the IP address is removed from the blacklist.
  14. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select
    Allow External Advertisement
    .
    To advertise to edge routers, you must configure a Blacklist Publisher for the
    Advertisement Next-Hop
    in the Global Settings.
  15. When you finish adjusting the settings of the attack types, click
    Commit Changes to System
    .
    The device protection configuration is updated.
Now you have configured the system to provide protection against single-endpoint DoS flood and sweep attacks at the system level for all traffic passing through, and to allow such attacks to be identified in system logs and reports. You can similarly protect against sweep and specific flood attacks in protection profiles that more narrowly guard specific backend servers

Protecting objects from specific flood attacks

You can use DDoS Hybrid Defender to guard protected objects from specific flood attacks.
  1. On the Main tab, click
    DoS Configuration
    Protection Profiles
    .
  2. Click the name of the protection profile to edit, or create a new one.
  3. For
    Families
    , make sure
    Network
    is selected.
  4. Expand the
    Network
    category.
  5. In the Search text filter, type
    flood
    to show only the flood vectors.
  6. Click the type of flood for which you want to change the settings.
    The settings appear on the right.
  7. Adjust the settings as needed.
    For Threshold Mode, click
    Fully Automatic
    to allow the system to determine the thresholds based on traffic.
  8. When you finish adjusting the settings of the vectors, click
    Commit Changes to System
    .
    The protection profile is updated.
Now you have configured the system to prevent DDoS flood attacks on the protected objects that use the updated protection profile.