Preventing DDoS Flood and Sweep Attacks
About DoS sweep and flood attack prevention
Protecting against single-endpoint flood and sweep attacks
- On the Main tab, click.
- From the Log Publisher list, select a destination to which the BIG-IP system sends DoS and DDoS log entries. You can review, create, and update log publishers in System > Logs > Configuration > Log Publishers.
- Select the Threshold Sensitivity. Select Low, Medium, or High. A lower setting means the automatic threshold algorithm is less sensitive to changes in traffic and CPU usage, and therefore also triggers fewer false positives.
- Expand the Network family, and click Single Endpoint Flood near the bottom of the list. The settings appear on the right.
- By default, the system enforces all of the vectors at some level. To enforce the DoS vector, make sure the State is set to Mitigate (watch, learn, alert, and mitigate). Other options allow you to Detect Only (watch, learn, and alert) or Learn Only (collect stats, no mitigation). For most DoS vectors, you want to enforce the vector. Set a vector to Disabled (no stat collection, no mitigation) only when you find that enforcement of the vector is disrupting legitimate traffic. For example, if you test a legitimate packet with the packet tester and find that a DoS vector is preventing packet transmission, you can adjust the thresholds or disable the vector to remedy the issue.
- From the Detection Threshold EPS list, select Specify or Infinite.
- Use Specify to set a value (in packets per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for the duration that the threshold is exceeded.
- Use Infinite to set no value for the threshold.
- From the Mitigation Threshold EPS list, select Specify or Infinite.
- Use Specify to set a value (in events per second), which cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
- Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
- In the Packet Type area, select the packet types you want to detect for this attack type in the Available list, and move them to the Selected list.
- In the Attack Type list, click Single Endpoint Sweep. The settings appear on the right, and are the same as for the flood, so you complete them the same way. Additional blacklist settings are available.
- To automatically blacklist bad actor IP addresses, select Add Source Address to Category.
- Select the Category Name to which blacklist entries generated by Bad Actor Detection are added.
- Specify the Sustained Attack Detection Time, in seconds, after which an IP address is blacklisted.
- To change the duration for which the address is blacklisted, specify the duration in seconds in the Category Duration Time field. The default duration for an automatically blacklisted item is 4 hours (14400 seconds). After this time period, the IP address is removed from the blacklist.
- To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement. To advertise to edge routers, you must configure a Blacklist Publisher for the Advertisement Next-Hop in the Global Settings.
- When you finish adjusting the settings of the attack types, click Commit Changes to System. The device protection configuration is updated.
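The following is an added example, not F5 code or BIG-IP behaviour verified against the product: it models the per-second semantics the steps above describe (Detection Threshold EPS logs an attack while exceeded, Mitigation Threshold EPS drops the excess, Infinite disables the check, Sustained Attack Detection Time blacklists a source for Category Duration Time) so you can reason about how a given set of thresholds behaves before committing it. All class and field names, and the 192.0.2.10 source address, are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class VectorConfig:
    # Hypothetical names; values mirror the UI settings described above.
    detection_eps: Optional[int]      # Detection Threshold EPS; None == Infinite
    mitigation_eps: Optional[int]     # Mitigation Threshold EPS; None == Infinite (no rate limit)
    sustained_seconds: int            # Sustained Attack Detection Time
    category_duration: int = 14400    # Category Duration Time; default 4 hours

@dataclass
class Decision:
    forwarded: int
    dropped: int
    attack_logged: bool
    blacklisted: bool

@dataclass
class SweepVector:
    cfg: VectorConfig
    blacklist: Dict[str, int] = field(default_factory=dict)     # source -> expiry second
    attack_since: Dict[str, int] = field(default_factory=dict)  # source -> first second over threshold

    def tick(self, now: int, src: str, events: int) -> Decision:
        """Apply one second's worth of events from src; the check runs once per second."""
        # An entry leaves the blacklist once Category Duration Time has elapsed.
        if src in self.blacklist and self.blacklist[src] <= now:
            del self.blacklist[src]
        if src in self.blacklist:
            return Decision(0, events, False, True)  # blacklisted source: everything dropped
        # Detection: with Specify, an attack is logged for as long as the rate stays above it.
        logged = self.cfg.detection_eps is not None and events > self.cfg.detection_eps
        if logged:
            self.attack_since.setdefault(src, now)
            if now - self.attack_since[src] + 1 >= self.cfg.sustained_seconds:
                self.blacklist[src] = now + self.cfg.category_duration  # Bad Actor Detection
                del self.attack_since[src]
        else:
            self.attack_since.pop(src, None)
        # Mitigation: with Specify, excess events are dropped; Infinite means not rate-limited.
        forwarded = events if self.cfg.mitigation_eps is None else min(events, self.cfg.mitigation_eps)
        return Decision(forwarded, events - forwarded, logged, False)

def run_constructed_scenario():
    """Constructed sample: one source exceeds detection for three seconds and is blacklisted."""
    v = SweepVector(VectorConfig(detection_eps=100, mitigation_eps=150, sustained_seconds=3))
    timeline = [(0, 50), (1, 200), (2, 200), (3, 200), (4, 10), (14403, 10)]
    return [v.tick(t, "192.0.2.10", n) for t, n in timeline]
```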
from specific flood attacks
- On the Main tab, click.
- Click the name of the protection profile to edit, or create a new one.
- For Families, make sure Network is selected.
- Expand the Network category.
- In the Search text filter, type flood to show only the flood vectors.
- Click the type of flood for which you want to change the settings. The settings appear on the right.
- Adjust the settings as needed. For Threshold Mode, click Fully Automatic to allow the system to determine the thresholds based on traffic.
- When you finish adjusting the settings of the vectors, click Commit Changes to System. The protection profile is updated.