Manual Chapter : Preventing DDoS Flood and Sweep Attacks
About DoS sweep and flood attack prevention
A sweep attack is a network scanning technique that typically sweeps your network by sending packets and using the packet responses to determine which hosts are live. Typical attacks use ICMP to accomplish this.
The Sweep vector tracks packets by source address. Packets from a specific source that meet the defined single endpoint Sweep criteria, and exceed the rate limit, are dropped. You can also configure the Sweep vector to automatically blacklist an IP address from which the Sweep attack originates.
The sweep mechanism protects against a flood attack from a single source, whether that attack is to a single destination host or multiple hosts.
A flood attack is an attack technique that floods your network with packets of a certain type, in an attempt to overwhelm the system. A typical attack might flood the system with SYN packets without then sending the corresponding ACK responses. UDP flood attacks flood your network with a large number of UDP packets, requiring the system to verify applications and send responses.
The Flood vector tracks packets per destination address. Packets to a specific destination that meet the defined Single Endpoint Flood criteria, and exceed the rate limit, are dropped. The system can detect such attacks with a configurable detection threshold, and can rate limit packets from a source when the detection threshold is reached.
You can configure DoS sweep and flood prevention to detect and prevent floods and sweeps of ICMP, UDP, TCP SYN without ACK, or any IP packets that originate from a single source address, according to the threshold setting. Both IPv4 and IPv6 are supported. The sweep vector acts first, so a packet flood from a single source address to a single destination address is handled by the sweep vector.
Sweep and flood are the first prevention vectors whose effect is limited to the affected hosts. For example, the TCP SYN flood vector rate limits all TCP SYNs, good and bad, once the rate limit threshold is reached. Sweep protection detects and rate limits just the bad actors, and Flood protection detects and limits just the traffic to the targeted host. Collateral damage is much lower when you mitigate with these vectors, so you can set their limits lower than would be reasonable for the indiscriminate vectors.
You can configure DoS sweep and flood prevention at the system level using Device Protection, or at the protected object level in the Protection Profile.
Protecting against single-endpoint flood and sweep attacks
You can configure single-endpoint protection to guard traffic against DDoS flood and sweep attacks.
- On the Main tab, click.
- From the Log Publisher list, select a destination to which the BIG-IP system sends DoS and DDoS log entries. You can review, create, and update log publishers in System > Logs > Configuration > Log Publishers.
- Select the Threshold Sensitivity: Low, Medium, or High. A lower setting means the automatic threshold algorithm is less sensitive to changes in traffic and CPU usage, and so triggers fewer false positives.
- Expand the Network family, and click Single Endpoint Flood near the bottom of the list. The settings appear on the right.
- By default, the system enforces all of the vectors at some level. To enforce the DoS vector, make sure the State is set to Mitigate (watch, learn, alert, and mitigate). Other options allow you to Detect Only (watch, learn, and alert) or Learn Only (collect stats, no mitigation). For most DoS vectors, you want to enforce the vector. Set a vector to Disabled (no stat collection, no mitigation) only when you find that enforcement of the vector is disrupting legitimate traffic. For example, if you test a legitimate packet with the packet tester and find that a DoS vector is preventing packet transmission, you can adjust the thresholds or disable the vector to remedy the issue.
- From the Detection Threshold EPS list, select Specify or Infinite.
- Use Specify to set a value (in packets per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for the duration that the threshold is exceeded.
- Use Infinite to set no value for the threshold.
- From the Mitigation Threshold EPS list, select Specify or Infinite.
- Use Specify to set a value (in events per second) that cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
- Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
- In the Packet Type area, select the packet types you want to detect for this attack type in the Available list, and move them to the Selected list.
- In the Attack Type list, click Single Endpoint Sweep. The settings appear on the right and are the same as for the flood, so you complete them the same way. Additional blacklist settings are available.
- To automatically blacklist bad actor IP addresses, select Add Source Address to Category.
- Select the Category Name to which blacklist entries generated by Bad Actor Detection are added.
- Specify the Sustained Attack Detection Time, in seconds, after which an IP address is blacklisted.
- To change the duration for which the address is blacklisted, specify the duration in seconds in the Category Duration Time field. The default duration for an automatically blacklisted item is 4 hours (14400 seconds). After this time period, the IP address is removed from the blacklist.
- To allow IP source blacklist entries to be advertised to edge routers so that they null route the traffic, select Allow External Advertisement. To advertise to edge routers, you must configure a Blacklist Publisher for the Advertisement Next-Hop in the Global Settings.
- When you finish adjusting the settings of the attack types, click Commit Changes to System. The device protection configuration is updated.
Now you have configured the system to provide protection against single-endpoint DoS flood and sweep attacks at the system level for all traffic passing through, and to allow such attacks to be identified in system logs and reports. You can similarly protect against sweep and specific flood attacks in protection profiles that more narrowly guard specific backend servers.
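The sweep and flood semantics described above (per-source versus per-destination tracking, a detection threshold that logs versus a mitigation threshold that drops, and bad-actor blacklisting after the Sustained Attack Detection Time) as an added Python model; this is not F5 code, it reduces the vectors to per-second packet counts, and the names Vector, SingleEndpointPolicy, over and demo, like the traffic in demo, are constructed here.

```python
from collections import Counter, defaultdict, namedtuple
from dataclasses import dataclass, field
from typing import Optional

# Vector thresholds: Detection Threshold EPS (attack logged) and Mitigation Threshold EPS (excess dropped); None = Infinite
Vector = namedtuple("Vector", "detect_eps mitigate_eps")

def over(eps: Optional[float], n: int) -> bool:
    return eps is not None and n > eps   # an Infinite (None) threshold is never exceeded

@dataclass
class SingleEndpointPolicy:
    sweep: Vector                   # tracked per source address
    flood: Vector                   # tracked per destination address
    sustained_secs: int = 3         # Sustained Attack Detection Time (seconds)
    category_duration: int = 14400  # Category Duration Time, default 4 hours
    blacklist: dict = field(default_factory=dict)  # src -> second at which the entry expires
    streak: dict = field(default_factory=lambda: defaultdict(int))  # consecutive attack seconds per src

    def process_second(self, now, packets):
        """packets: (src, dst) pairs seen in one second -> (fwd, dropped, events)."""
        by_src, by_dst, fwd, dropped, events = Counter(), Counter(), [], [], []
        for src, dst in packets:
            if self.blacklist.get(src, -1) > now:  # category hit: dropped before the vectors run
                dropped.append((src, dst)); continue
            by_src[src] += 1                       # the sweep vector is evaluated first
            if over(self.sweep.mitigate_eps, by_src[src]):
                dropped.append((src, dst)); continue
            by_dst[dst] += 1                       # then the flood vector, per destination
            if over(self.flood.mitigate_eps, by_dst[dst]):
                dropped.append((src, dst)); continue
            fwd.append((src, dst))
        for src in set(self.streak) | set(by_src):  # detection and bad-actor tracking
            if over(self.sweep.detect_eps, by_src[src]):
                events.append(f"sweep from {src}: {by_src[src]} pps")
                self.streak[src] += 1
                if self.streak[src] >= self.sustained_secs:
                    self.blacklist[src] = now + self.category_duration
                    events.append(f"blacklist {src} until t={now + self.category_duration}")
            else:
                self.streak[src] = 0               # the attack must be sustained, not intermittent
        for dst, n in by_dst.items():
            if over(self.flood.detect_eps, n):
                events.append(f"flood to {dst}: {n} pps")
        return fwd, dropped, events

def demo():
    """Constructed traffic: 10.0.0.9 sweeps 250 hosts at 300 pps for 4 s beside a quiet host."""
    pol = SingleEndpointPolicy(sweep=Vector(100, 150), flood=Vector(500, 1000))
    pkts = [("10.0.0.9", f"192.0.2.{i % 250}") for i in range(300)] + [("10.0.0.1", "192.0.2.1")] * 5
    return [pol.process_second(t, pkts) for t in range(4)]
```

In the demo the sweeping source is rate limited to 150 pps from the first second, logged every second, and added to the blacklist category after three sustained seconds, while the quiet host's traffic is never touched.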
from specific flood attacks
You can use DDoS Hybrid Defender™ to guard protected objects from specific flood attacks.
- On the Main tab, click.
- Click the name of the protection profile to edit, or create a new one.
- For Families, make sure Network is selected.
- Expand the Network category.
- In the Search text filter, type flood to show only the flood vectors.
- Click the type of flood for which you want to change the settings. The settings appear on the right.
- Adjust the settings as needed. For Threshold Mode, click Fully Automatic to allow the system to determine the thresholds based on traffic.
- When you finish adjusting the settings of the vectors, click Commit Changes to System. The protection profile is updated.
Now you have configured the system to prevent DDoS flood attacks on the protected objects that use the updated protection profile.