Manual Chapter:
Detecting and Mitigating DoS/DDoS Attacks on Protected Objects
Applies To:
BIG-IP AFM
- 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Overview: Mitigating DoS/DDoS Attacks on Protected Objects
When you create virtual servers using BIG-IP Local Traffic Manager (LTM), AFM discovers them as protected objects. This discovery makes it easy for you to locate and apply DoS/DDoS protection profiles, and to view the current attack status of each protected object.
DoS/DDoS Protection Profiles
DoS/DDoS protection profiles define the strategies used to detect and mitigate DoS/DDoS attacks on protected objects. A protection profile lets you enable and configure a wide variety of attack vectors for the Network, DNS, and SIP families. For most attack vectors, you can let AFM manage the detection and mitigation thresholds automatically, or you can configure the thresholds manually.
Protection Settings
You can apply the following protection settings to protected objects:
- Throughput Capacity: the maximum allowable throughput, in megabits per second, for the protected object. Infinite means no limit.
- Protection Profile: a DoS protection profile configured to detect and mitigate DoS/DDoS attacks based on known and discovered attack signatures.
- Eviction Policy: an eviction policy that controls the number of allowable connections, based on specified high and low water marks. Once the high water mark is reached, one or more eviction strategies can be selected to control how connections are dropped.
- IP Intelligence: an IP Intelligence policy used to control network access based on client source IP addresses.
For SIP DoS protection, you must also create a SIP profile with SIP Firewall enabled, and attach it to the protected object being protected from SIP DoS attacks.
Configure a DoS/DDoS protection profile
You can create a new DoS protection profile and configure settings to identify, and rate limit, possible Network, DNS, and SIP DoS attacks.
- On the Main tab, click . The Protection Profiles list screen opens.
- Click Create. The New Protection Profile screen opens.
- In the Name field, type the name for the profile.
- For Threshold Sensitivity, select Low, Medium, or High. Low means the automatic threshold calculations are less sensitive to changes in traffic and CPU usage: the system adjusts the thresholds more slowly over time, but also triggers fewer false positives. If traffic rates are consistent over time, set this to Medium or High, because even a small variation in generally consistent traffic could signal an attack. If traffic patterns vary, set this to Low to get fewer false positives.
- If you have created a whitelist on the system, from the Default Whitelist list, select the list. You can also click Manage Address Lists to jump to the Address Lists screen, where you can create or edit address lists.
- From Families, select Network, DNS, or SIP.
- At the bottom of the screen, click the selected family. The screen displays the attack vectors for the selected family.
- Click a specific Vector Name to change the state, threshold, or rate increase of the attack vector. The Properties pane for the attack vector opens on the right of the page.
- In the Properties pane, from the State list, choose the appropriate enforcement option.
- Select Mitigate to enforce the configured DoS vector by examining packets, logging the results of the vector, learning patterns, alerting to trouble, and mitigating the attack (watch, learn, alert, and mitigate).
- Select Detect Only to configure the vector, log its results, and alert to trouble, without applying rate limits or other actions (watch, learn, and alert).
- Select Learn Only to configure the vector and log its results, without alerting, rate limiting, or other actions (watch and learn).
- Select Disabled to disable logging and enforcement of the DoS vector (no stat collection, no mitigation).
- For Threshold Mode, select whether to have the system determine thresholds for the vector (Fully Automatic), use partially automatic settings (Manual Detection / Auto Mitigation), or control the settings yourself (Fully Manual). The settings differ depending on the option you select. Here, we describe the settings for automatic threshold configuration. If you want to set thresholds manually, select one of the manual options and refer to the online Help for details on the settings.
- To allow the DoS vector thresholds to be adjusted automatically, for Threshold Mode, select Fully Automatic (available only for DNS, Flood, SIP, some Fragmentation, and a few other vectors). Automatic thresholding is not available for every DoS vector. In particular, vectors for packets that are broken by their nature, such as those listed under Bad Headers, must be configured manually.
- In the Attack Floor EPS field, type the minimum number of events per second of this vector type to allow before the automatically calculated thresholds apply. Because automatic thresholds take time to be reliably established, this setting defines the minimum rate that is always allowed, below which the automatic thresholds are not applied.
- In the Attack Ceiling EPS field, specify the absolute maximum allowable rate for packets of this type, regardless of the automatically calculated thresholds. Because automatic thresholds take time to be reliably established, this setting rate limits packets to the specified events per second. To set no hard limit, set this to Infinite. Unless set to Infinite, if the packet rate exceeds the ceiling value, the system considers it an attack.
- To detect the IP address sources from which possible attacks originate, enable Bad Actor Detection. Bad Actor Detection is not available for every vector.
- To automatically blacklist bad actor IP addresses, select Add Source Address to Category. For this to work, you must assign an IP Intelligence policy to the appropriate context (device, virtual server, or route domain). For the device, assign a global policy at . For a virtual server or route domain, assign the IP Intelligence policy on the Security tab.
- From the Category Name list, select the blacklist category to which to add the blacklist entries generated by Bad Actor Detection.
- In the Sustained Attack Detection Time field, specify the duration in seconds after which an attacking endpoint is blacklisted. By default, the address is added to the blacklist after one minute (60 seconds).
- In the Category Duration Time field, specify the length of time in seconds that the address remains on the blacklist. The default is 14400 seconds (4 hours).
- To allow IP source blacklist entries to be advertised to edge routers so that they null route the traffic, select Allow External Advertisement. To advertise to edge routers, you must configure a Blacklist Publisher and Publisher Profile at .
- Click Commit Changes to System at the top of the page.
You have now configured a protection profile that provides custom responses to the attack vectors you enabled (for example, malformed SIP attacks and SIP flood attacks), and that allows such attacks to be identified in system logs and reports.
Now associate the protection profile with a protected object to apply the settings in the profile to traffic on that protected object.
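The following Python is an added illustration, not F5 code and not AFM's actual algorithm: it models how the vector settings described above interact on constructed per-second traffic, so that the effect of Attack Floor EPS, Attack Ceiling EPS, State, Sustained Attack Detection Time and Category Duration Time can be traced end to end. The per-source detection rate, the Low/Medium/High multipliers, the moving-average baseline, and the choice to enforce the blacklist only in Mitigate state are assumptions of this model, not settings documented on this page.

```python
"""Simplified model of one AFM DoS vector with Bad Actor Detection.

Added illustration, not F5 code: it shows how Attack Floor EPS, Attack
Ceiling EPS, Sustained Attack Detection Time and Category Duration Time
interact on constructed per-second traffic. The per-source detection
rate, the sensitivity multipliers, the moving-average baseline and the
choice to blacklist only in Mitigate state are this model's assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed: High tolerates less deviation from the learned baseline than Low.
SENSITIVITY_MULTIPLIER = {"low": 3.0, "medium": 2.0, "high": 1.5}


@dataclass
class VectorConfig:
    name: str
    state: str = "mitigate"            # mitigate | detect-only | learn-only | disabled
    sensitivity: str = "medium"        # Threshold Sensitivity: low | medium | high
    attack_floor_eps: int = 100        # Attack Floor EPS: below this, never an attack
    attack_ceiling_eps: Optional[int] = None  # Attack Ceiling EPS; None means Infinite
    bad_actor_detection: bool = False
    per_source_detection_eps: int = 1000      # assumed per-source rate marking a bad actor
    sustained_attack_detection_time: int = 60  # seconds before the source is blacklisted
    category_duration_time: int = 14400        # seconds the source stays blacklisted
    category_name: str = "denial_of_service"


@dataclass
class VectorState:
    baseline_eps: Optional[float] = None                           # learned from clean seconds
    attacking_since: Dict[str, int] = field(default_factory=dict)  # src -> first loud second
    blacklist: Dict[str, int] = field(default_factory=dict)        # src -> expiry second
    log: List[str] = field(default_factory=list)


def is_attack(cfg: VectorConfig, baseline: Optional[float], total_eps: int) -> bool:
    """Floor and ceiling are absolute; the auto threshold needs an established baseline."""
    if total_eps < cfg.attack_floor_eps:
        return False
    if cfg.attack_ceiling_eps is not None and total_eps > cfg.attack_ceiling_eps:
        return True
    if baseline is None:
        return False
    return total_eps > baseline * SENSITIVITY_MULTIPLIER[cfg.sensitivity]


def process_second(cfg: VectorConfig, st: VectorState, now: int, sample: Dict[str, int]) -> dict:
    """One second of traffic (source IP -> events per second); returns attack flag and dropped sources."""
    if cfg.state == "disabled":                      # no stats, no mitigation
        return {"attack": False, "dropped": set()}
    for src, until in list(st.blacklist.items()):    # Category Duration Time elapsed
        if now >= until:
            del st.blacklist[src]
            st.log.append(f"t={now} {cfg.name}: {src} removed from {cfg.category_name}")
    # only Mitigate enforces the blacklist; Detect Only and Learn Only observe
    dropped = set(st.blacklist) if cfg.state == "mitigate" else set()
    total = sum(eps for src, eps in sample.items() if src not in dropped)
    attack = is_attack(cfg, st.baseline_eps, total)
    if not attack:
        # learn the baseline from clean seconds only (moving average)
        st.baseline_eps = total if st.baseline_eps is None else 0.9 * st.baseline_eps + 0.1 * total
        st.attacking_since.clear()
        return {"attack": False, "dropped": dropped}
    if cfg.state in ("detect-only", "mitigate"):
        st.log.append(f"t={now} {cfg.name}: attack detected, {total} eps")
    if cfg.bad_actor_detection:
        loud = {s for s, eps in sample.items() if eps > cfg.per_source_detection_eps and s not in dropped}
        for s in [s for s in st.attacking_since if s not in loud]:
            del st.attacking_since[s]                # timer resets when the source calms down
        for s in loud:
            first = st.attacking_since.setdefault(s, now)
            if (cfg.state == "mitigate" and s not in st.blacklist
                    and now - first >= cfg.sustained_attack_detection_time):
                st.blacklist[s] = now + cfg.category_duration_time
                st.log.append(f"t={now} {cfg.name}: {s} added to {cfg.category_name} "
                              f"until t={now + cfg.category_duration_time}")
    return {"attack": True, "dropped": dropped}


def build_sample_traffic() -> List[Dict[str, int]]:
    """Constructed traffic, one dict per second: 10 s clean, 10 s with a flood from one source, 10 s clean."""
    clean = {"10.0.0.5": 200, "10.0.0.6": 150}
    flood = dict(clean, **{"198.51.100.7": 5000})
    return [dict(clean) for _ in range(10)] + [dict(flood) for _ in range(10)] + [dict(clean) for _ in range(10)]


def run(cfg: VectorConfig, traffic: List[Dict[str, int]]) -> VectorState:
    st = VectorState()
    for now, sample in enumerate(traffic):
        process_second(cfg, st, now, sample)
    return st


if __name__ == "__main__":
    cfg = VectorConfig("tcp-syn-flood", bad_actor_detection=True,
                       sustained_attack_detection_time=5, category_duration_time=10)
    print("\n".join(run(cfg, build_sample_traffic()).log))
```

With a 5 second Sustained Attack Detection Time and a 10 second Category Duration Time, the flooding source is added to the category at t=15 (five seconds after it first exceeds the per-source rate), its packets are dropped from t=16, and the entry expires at t=25; the two legitimate sources are never blacklisted. The same traffic under Detect Only produces attack log entries but no blacklist entries, and under Learn Only produces no log entries at all.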
Modify multiple attack vectors at once
You can modify the State and Threshold Mode of multiple attack vectors protecting the device at one time.
- On the Main tab, click .
- Click the Network, DNS, or SIP area at the bottom of the page. All of the attack vectors for that family appear in the Attack Type list.
- To modify the state of one or more attack vectors, select the check box next to each attack vector name.
- From the Set State list at the bottom of the page, select Disabled, Learn Only, Detect Only, or Mitigate.
- Click Commit Changes to System at the top of the page.
- To modify the threshold mode of one or more attack vectors, select the check box next to each attack vector name.
- From the Set Threshold Mode list at the bottom of the page, select Fully Automatic, Manual Detection / Auto Mitigation, or Fully Manual. To work accurately, fully automatic thresholds require historical data gathered by observing normal traffic on the system. Therefore, it is recommended that you do not enforce automatic thresholds directly after installation.
- Click Commit Changes to System at the top of the page.
You have modified the State and Threshold Mode of multiple attack vectors.
About AFM auto discovered services
AFM auto discovered services are connection flows that have been processed by an existing protected object. For example, when a forwarding virtual server processes an HTTP connection, the AFM system creates a discovered service for that connection. You can promote an auto discovered service to a protected object, and apply security policies and profiles to process traffic for that service.
Protected object configuration
For auto discovery, a protected object must either have the Service Port option set to * All Ports, or have more than one Destination Address with a specific Service Port. For example:
ltm virtual internal_web { destination 192.168.10.0:http mask 255.255.255.0 ip-protocol tcp }
ltm virtual internal_net { destination 192.168.10.10:any mask 255.255.255.255 ip-protocol tcp }
Discovered service auto-naming convention
When a remote client creates a new connection through one of these protected objects, AFM creates a new discovered service object that is eligible for promotion. The AFM system also creates a name for the service by combining the parent protected object name with the destination IP address and port of the connection. For example, a connection to 192.168.10.100 on port 80 through internal_web produces:
ltm virtual internal_web_192.168.10.100_80 { destination 192.168.10.100:http mask 255.255.255.255 ip-protocol tcp }
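As an added example (not F5 code), the following Python applies the two rules from the sections above: it parses `ltm virtual` stanzas like the ones shown, decides whether each one qualifies as an auto-discovery parent, and derives the discovered-service name for connections that pass through a qualifying parent. It assumes IPv4 destinations, a small table of tmsh service names (with `any` standing for * All Ports), a simplified model of LTM virtual server precedence (longest destination prefix, then a specific port over a wildcard), and that a promoted object is rendered with a host mask and numeric port; the sample config and connections are constructed for the example.

```python
"""Added example (not F5 code): which LTM virtual servers qualify as
auto-discovery parents, and what AFM names the services it discovers.

Assumptions: IPv4 only; stanzas carry destination/mask/ip-protocol keys;
a small service-name table; simplified LTM precedence (longest prefix,
then specific port over 'any'); promoted objects rendered with host mask.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed mapping of tmsh service names; 'any' (port 0) is the GUI's '* All Ports'.
SERVICE_PORTS = {"any": 0, "http": 80, "https": 443, "domain": 53, "sip": 5060}

STANZA = re.compile(r"ltm virtual (\S+)\s*\{(.*?)\}", re.DOTALL)


@dataclass(frozen=True)
class VirtualServer:
    name: str
    address: str
    mask: str
    port: int          # 0 means all ports
    protocol: str

    def network(self):
        return ip_network(f"{self.address}/{self.mask}", strict=False)


def parse_port(text: str) -> int:
    return SERVICE_PORTS[text] if text in SERVICE_PORTS else int(text)


def parse_virtuals(config: str) -> List[VirtualServer]:
    """Parse 'ltm virtual NAME { destination A:P mask M ip-protocol X }' stanzas (one or many lines)."""
    result = []
    for name, body in STANZA.findall(config):
        keys = dict(re.findall(r"(destination|mask|ip-protocol)\s+(\S+)", body))
        addr, _, port = keys["destination"].rpartition(":")
        result.append(VirtualServer(name, addr, keys.get("mask", "255.255.255.255"),
                                    parse_port(port), keys.get("ip-protocol", "any")))
    return result


def auto_discovery_eligible(vs: VirtualServer) -> Tuple[bool, str]:
    """A parent must listen on all ports, or on a specific port for more than one address."""
    if vs.port == 0:
        return True, "service port is all ports"
    count = vs.network().num_addresses
    if count > 1:
        return True, f"{count} destination addresses with a specific service port"
    return False, "single host address with a specific service port"


def matching_parent(virtuals: Iterable[VirtualServer], dst_ip: str, dst_port: int) -> Optional[VirtualServer]:
    """The virtual server that would process the connection, if it is an eligible parent."""
    hits = [v for v in virtuals if ip_address(dst_ip) in v.network() and v.port in (0, dst_port)]
    if not hits:
        return None
    best = max(hits, key=lambda v: (v.network().prefixlen, v.port != 0))   # assumed LTM precedence
    return best if auto_discovery_eligible(best)[0] else None


def discovered_service_name(parent: VirtualServer, dst_ip: str, dst_port: int) -> str:
    """AFM naming: parent name, destination IP and port joined with underscores."""
    return f"{parent.name}_{dst_ip}_{dst_port}"


def discover(virtuals: List[VirtualServer], connections: Iterable[Tuple[str, int]]) -> Dict[str, str]:
    """Map discovered-service name -> stanza the promoted object would get (host mask assumed)."""
    found = {}
    for dst_ip, dst_port in connections:
        parent = matching_parent(virtuals, dst_ip, dst_port)
        if parent is None:
            continue
        name = discovered_service_name(parent, dst_ip, dst_port)
        found[name] = (f"ltm virtual {name} {{ destination {dst_ip}:{dst_port} "
                       f"mask 255.255.255.255 ip-protocol {parent.protocol} }}")
    return found


# constructed config: a network virtual, an all-ports host virtual, and a plain host virtual
SAMPLE_CONFIG = """\
ltm virtual internal_web { destination 192.168.10.0:http mask 255.255.255.0 ip-protocol tcp }
ltm virtual internal_net { destination 192.168.10.10:any mask 255.255.255.255 ip-protocol tcp }
ltm virtual web_host { destination 192.168.10.20:http mask 255.255.255.255 ip-protocol tcp }
"""
# constructed connections seen through the BIG-IP: (destination IP, destination port)
SAMPLE_CONNECTIONS = [("192.168.10.100", 80), ("192.168.10.10", 443),
                      ("192.168.10.20", 80), ("192.168.10.100", 443)]

if __name__ == "__main__":
    vs = parse_virtuals(SAMPLE_CONFIG)
    for v in vs:
        print(v.name, auto_discovery_eligible(v))
    for stanza in discover(vs, SAMPLE_CONNECTIONS).values():
        print(stanza)
```

Of the four constructed connections, only two yield discovered services: 192.168.10.100:80 through internal_web and 192.168.10.10:443 through internal_net. The connection to 192.168.10.20:80 is processed by the more specific web_host, which is a single host with a specific port and therefore not an auto-discovery parent, and 192.168.10.100:443 matches no virtual server at all.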
Enable AFM auto discovery of services
To allow auto discovery, a protected object must either have the Service Port option set to * All Ports, or have more than one Destination Address with a specific Service Port (for example, 10.10.10.0/24 port 80).
You can enable AFM service auto discovery on a protected object, allowing you to view, promote, and secure connections being processed by the BIG-IP system.
- On the Main tab, click .
- Click a protected object under the Name column. The protected object Properties pane opens on the right side of the page.
- Select the Auto Discover Contained Services check box.
- Click Save at the bottom of the page.
You have enabled auto discovery of services on a protected object.
You can promote a discovered service to protected object status and apply a protection profile.
Promote an AFM discovered service
You can promote a discovered service to protected object status.
- On the Main tab, click .
- From the Parent Protected Object list, select a protected object. The auto discovered services, and connection-related information for each service, are displayed.
- Select the check box next to a discovered service.
- Click the Promote button. The discovered service Properties pane opens on the right side of the page.
- Optionally, modify discovered service properties such as Name, Destination Address, Service Port, and Protocol.
- Click Protection Settings to set a Throughput Capacity, or to apply a Protection Profile, Eviction Policy, or IP Intelligence Policy.
- Click Save.
Apply a protection profile to a protected object
You must add the DoS protection profile to the protected object to provide enhanced protection from DoS attacks, and to track anomalous activity on the BIG-IP system.
- On the Main tab, click .
- Click the name of the protected object (virtual server) to which you want to assign a protection profile. The Properties pane opens on the right.
- In the Protection Settings area, from the Protection Profile list, select the name of the protection profile to assign. Ensure that a Service Profile is selected, so that the protected object can process application traffic.
- Click Save.
The DoS protection profile is associated with the protected object, and DoS protection is now enabled.
Create a DoS/DDoS logging profile
Create a custom logging profile to log DoS Protection events and send the log messages to a specific location.
- On the Main tab, click . The Logging Profiles list screen opens.
- Click Create. The Create New Logging Profile screen opens.
- In the Logging Profile Properties, select the DoS Protection check box. The DoS Protection tab opens.
- In the DoS Protection area, from the Publisher list, select the publisher that the BIG-IP system will use to log DoS events.
- Click Create.
Assign this DoS Protection logging profile to a protected object.
Logging DoS/DDoS Events for a Protected Object
Assign a logging profile to a protected object when you want the system to log DoS events.
- On the Main tab, click .
- Click the name of the protected object for which you want to log DoS events. The Properties pane opens on the right.
- In the Network & General area, for Logging Profiles, move the logging profile to assign from the Available list into the Selected list. You can create and modify log publishers in .
- Click Save.
The system logs DoS events for the protected object.
You can review DoS event logs at , and select the type of DoS event log to view.