Manual Chapter : Protecting Against DDoS Attacks

Overview: Protecting against DDoS attacks

You can easily set up DDoS Hybrid Defender to protect your networks and applications from DoS attacks. Once it is all set up, you can monitor the system to see whether there have been any attacks, and whether they are being handled properly.
You configure DDoS Hybrid Defender by using the settings in the DoS Configuration menu. F5 does not generally recommend making changes using the Advanced Menu.

Protecting the network from DDoS attacks

DDoS Hybrid Defender detects and handles DDoS attacks using preconfigured responses. Here you can adjust the device configuration settings that apply to the DDoS Hybrid Defender device as a whole so that it protects the network.
  1. On the Main tab, click DoS Configuration > Device Protection.
  2. From the Log Publisher list, select a destination to which the BIG-IP system sends DoS and DDoS log entries.
    You can review, create, and update log publishers in System > Logs > Configuration > Log Publishers.
  3. For Threshold Sensitivity, select Low, Medium, or High.
    Low means the automatic threshold calculations are less sensitive to changes in traffic and CPU usage. A lower setting causes the system to adjust the thresholds more slowly over time, but will also trigger fewer false positives. If traffic rates are consistent over time, set this to Medium or High, because even a small variation in generally consistent traffic could signal an attack. If traffic patterns vary, set this to Low to get fewer false positives.
  4. From the Eviction Policy list, select the eviction policy to apply globally.
    The global context requires an eviction policy. If you do not apply a custom eviction policy, the system default policy, default-eviction-policy, is applied and selected in this field.
  5. In the AutoThreshold area, for Relearn, click Start Relearning to start relearning auto-thresholds by analyzing current traffic.
    Auto-thresholds are calculated from the system start. If you have made changes to the system since then, and want the system to adjust automatic DoS thresholds because of these changes, use this option.
  6. In the Dynamic Signatures area, for Relearn, click Start Relearning to delete existing dynamic signatures and start learning new ones by analyzing current traffic. The default learning period is two hours.
    Dynamic DoS detection creates dynamic signatures for attacks based on changing traffic patterns over time.
    The Learning Phase End Time displays the time and date the last learning period ended.
  7. Optionally, set up appropriate whitelists for addresses that can bypass DDoS checks.
    1. To specify a system-wide DoS address list containing addresses that do not need to be checked for DoS attacks, type the name of a previously configured list in the Whitelist Address List field (see Creating a whitelist address list for details). The system must be compatibility level 1 or 2.
      Whitelist address lists are simply lists of addresses.
    2. For Rich Whitelists (all compatibility levels), click the Add Whitelist button, type the name, source VLAN, source or destination address, port, and protocol, then click Done Editing.
      You can create up to eight rich whitelists, which allow further delineation of the whitelist.
    3. If the system is compatibility level 2, for Extended Whitelists, click the Add Whitelist button, type the name, source VLAN, source address, destination address, port, and protocol, then click Done Editing.
      Extended whitelists can include both the source and destination addresses on systems that support Neuron capabilities.
  8. Click the edit icon on the right of Network or DNS to open a properties pane where you can configure settings for the family of vectors.
    You can specify settings for dynamic signatures, mitigation, or scrubbing.
  9. Click a family (Network, DNS, or SIP) to display the associated attack vectors.
    A table opens listing the attack vectors, the properties, and the current device statistics, if available.
  10. In the Attack Type column, click the name of any attack type to edit the settings.
    The attack settings appear on the right, in the Properties pane.
  11. By default, the system enforces all of the vectors at some level. To enforce the DoS vector, make sure the State is set to Mitigate (watch, learn, alert, and mitigate).
    Other options allow you to Detect Only (watch, learn, and alert) or Learn Only (collect stats, no mitigation).
    For most DoS vectors, you want to enforce the vector. Set a vector to Disabled (no stat collection, no mitigation) only when you find that enforcement of the vector is disrupting legitimate traffic. For example, if you test a legitimate packet with the packet tester and find a DoS vector is preventing packet transmission, you can adjust the thresholds or disable the vector to remedy the issue.
  12. Set the Threshold Mode for the vector.
    • If the attack allows automatic threshold configuration, you can select Fully Automatic or Manual Detection/Auto Mitigation to configure automatic or partially automatic thresholds.
    • To configure thresholds manually, click Fully Manual.
  13. To set the mitigation state for one or more attack types, select the check box next to the vector name or names, and from the Set State list at the bottom of the screen, select Mitigate, Detect Only, or Disable.
    The state you click is set for all selected vectors.
  14. If desired, you can configure threshold settings for multiple DDoS vectors.
    1. Select the check box next to the vector names.
    2. At the bottom of the screen, click Set Threshold Mode, and choose the threshold setting.
      Select Fully-automatic for the system to set the thresholds for the vectors that use auto-thresholding. See Automatically setting system-wide DDoS thresholds for details.
      To work accurately, using fully-automatic thresholds requires some amount of historical data on the system gathered through observing normal traffic. Therefore, it is recommended that you not enforce auto thresholds directly after installation.
      To configure thresholds manually, click Manual. See Manually setting system-wide DDoS thresholds for details.
      Choose Manual Detection/Auto-Mitigation to configure thresholds manually but have the system automatically mitigate system stress.
  15. When you finish adjusting the settings, click Commit Changes to System.
Now you have configured the device to respond to DoS and DDoS attacks, and to allow such attacks to be identified in system logs and reports.
Refer to the sections on automatically and manually setting system-wide DDoS vector thresholds if you need more details about adjusting the DDoS Hybrid Defender device configuration.

Automatically setting system-wide DDoS vector thresholds

DDoS Hybrid Defender handles DDoS attacks at the system level using preconfigured responses, but you might need to adjust the values for your environment. You can configure system-wide device protections that examine all the traffic coming through DDoS Hybrid Defender. For some DDoS attack vectors available in the device protection, you can have the system automatically set detection thresholds and internal rate or leak limits. Use this task to configure individual DoS vectors that include the automatic configuration.
Not all settings apply to all DoS vectors. For example, some vectors do not have automatic thresholds.
  1. On the Main tab, click DoS Configuration > Device Protection.
  2. Click a family (Network, DNS, or SIP) to display the associated attack vectors.
    A table opens listing the attack vectors, the properties, and the current device statistics, if available.
  3. In the Attack Type column, click the name of any attack type to edit the settings.
    The attack type settings appear on the right, in the Properties pane.
  4. By default, the system enforces all of the vectors at some level. To enforce the DoS vector, make sure the State is set to Mitigate (watch, learn, alert, and mitigate).
    Other options allow you to Detect Only (watch, learn, and alert) or Learn Only (collect stats, no mitigation).
    For most DoS vectors, you want to enforce the vector. Set a vector to Disabled (no stat collection, no mitigation) only when you find that enforcement of the vector is disrupting legitimate traffic. For example, if you test a legitimate packet with the packet tester and find a DoS vector is preventing packet transmission, you can adjust the thresholds or disable the vector to remedy the issue.
  5. To allow the DoS vector thresholds to be automatically adjusted, for Threshold Mode, select Fully Automatic (available only for DNS, Flood, SIP, some Fragmentation, and a few other vectors).
    Automatic thresholding is not available for every DoS vector. In particular, error packets that are broken by their nature, such as those listed under Bad Headers, must be configured manually.
    1. In the Attack Floor EPS field, type the number of events per second of the vector type to allow at a minimum, before automatically calculated thresholds are determined.
      Because automatic thresholds take time to be reliably established, this setting defines the minimum packets allowed before automatic thresholds are calculated.
    2. In the Attack Ceiling EPS field, specify the absolute maximum allowable for packets of this type before automatically calculated thresholds are determined.
      Because automatic thresholds take time to be reliably established, this setting rate limits packets to the events per second setting, when specified. To set no hard limit, set this to Infinite.
      Unless set to Infinite, if the maximum number of packets exceeds the ceiling value, the system considers it to be an attack.
  6. To detect IP address sources from which possible attacks originate, enable Bad Actor Detection.
  7. To automatically blacklist bad actor IP addresses, select Add Source Address to Category.
  8. Select the Category Name to which blacklist entries generated by Bad Actor Detection are added.
  9. Specify the Sustained Attack Detection Time, in seconds, after which an IP address is blacklisted.
  10. To change the duration for which the address is blacklisted, specify the duration in seconds in the Category Duration Time field. The default duration for an automatically blacklisted item is 4 hours (14400 seconds).
    After this time period, the IP address is removed from the blacklist.
  11. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement.
    To advertise to edge routers, you must configure a Blacklist Publisher for the Advertisement Next-Hop in the Global Settings.
  12. For automatic blacklisting, click Attacked Destination Detection, and configure the additional settings as for Bad Actor Detection.
  13. When you finish adjusting the settings, click Commit Changes to System.
Now you have configured the device to automatically determine DoS attack thresholds based on the characteristics of traffic at the network level. The thresholds assigned are usually between the attack floor and attack ceiling values.

Manually setting system-wide DDoS vector thresholds

You manually configure thresholds for a DDoS vector when you want to configure specific settings, or when the vector does not allow for automatic threshold configuration.
Not all settings apply to all DoS vectors.
  1. On the Main tab, click DoS Configuration > Device Protection.
  2. Click a family (Network, DNS, or SIP) to display the associated attack vectors.
    A table opens listing the attack vectors, the properties, and the current device statistics, if available.
  3. In the Attack Type column, click the name of any attack type to edit the settings.
    The attack type settings appear on the right, in the Properties pane.
  4. By default, the system enforces all of the attack types at some level. If you do not want to enforce a particular attack type, in the properties set the State to Disabled.
  5. In the Properties pane, set Threshold Mode to Fully Manual.
  6. From the Detection Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in packets per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for the duration that the threshold is exceeded.
    • Use Infinite to set no value for the threshold.
  7. From the Detection Threshold % list, select Specify or Infinite.
    • Use Specify to set a value (as a percentage of traffic) for the attack detection threshold. If packets of the specified types cross the percentage threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for the duration that the threshold is exceeded.
    • Use Infinite to set no value for the threshold.
  8. From the Mitigation Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second) which cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  9. Click Simulate Auto Threshold to log a simulated attack event that the system identifies as a DoS attack according to the automatic thresholds, while still enforcing the manual thresholds.
    This setting allows you to see the results of auto thresholds on the selected DoS vector without actually affecting traffic. The system displays the current computed thresholds for automatic thresholds for this vector. Automatic thresholds are computed and enforced only when you select Fully Automatic for a vector.
  10. To detect IP address sources from which possible attacks originate, enable Bad Actor Detection.
  11. In the Per Source IP Detection Threshold EPS field, specify the number of packets of this type per second from one IP address that identifies the IP source as a bad actor, for purposes of attack detection and logging.
  12. In the Per Source IP Mitigation Threshold EPS field, specify the number of packets of this type per second from one IP address, above which rate limiting or leak limiting occurs.
  13. To automatically blacklist bad actor IP addresses, select Add Source Address to Category.
  14. Select the Category Name to which blacklist entries generated by Bad Actor Detection are added.
  15. Specify the Sustained Attack Detection Time, in seconds, after which an IP address is blacklisted.
  16. To change the duration for which the address is blacklisted, specify the duration in seconds in the Category Duration Time field. The default duration for an automatically blacklisted item is 4 hours (14400 seconds).
    After this time period, the IP address is removed from the blacklist.
  17. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement.
    To advertise to edge routers, you must configure a Blacklist Publisher for the Advertisement Next-Hop in the Global Settings.
  18. For automatic blacklisting, click Attacked Destination Detection, and configure the additional settings as for Bad Actor Detection.
  19. When you finish adjusting the settings, click Commit Changes to System.
  20. Repeat the previous steps for any other attack types for which you want to manually configure thresholds.
Now you have configured the system to provide custom responses to possible DDoS attacks at the device level, and to allow such attacks to be identified in system logs and reports, rate-limited, and blacklisted when specified.
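The threshold semantics described in the two procedures above can be made concrete with a small model: the Attack Floor EPS and Attack Ceiling EPS bounds from Automatically setting system-wide DDoS vector thresholds, and the Detection Threshold EPS, Mitigation Threshold EPS, per-source thresholds, Sustained Attack Detection Time and Category Duration Time from the manual procedure. The Python below is an added example, not DDoS Hybrid Defender code: the product's internal ordering of per-source and vector-wide checks is not documented on this page, so the order used here (blacklist drop, per-source detection, per-source leak limit, vector-wide detection, vector-wide rate limit) is an assumption, and every traffic rate and threshold value is constructed for the demonstration.

```python
# Added example: a model of the documented threshold behaviour, not
# DDoS Hybrid Defender code. Check ordering and sample values are assumptions.
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Optional

INFINITE = None  # the UI's "Infinite": no threshold is enforced


@dataclass
class VectorThresholds:
    detection_eps: Optional[int] = INFINITE           # Detection Threshold EPS
    mitigation_eps: Optional[int] = INFINITE          # Mitigation Threshold EPS
    per_src_detection_eps: Optional[int] = INFINITE   # Per Source IP Detection Threshold EPS
    per_src_mitigation_eps: Optional[int] = INFINITE  # Per Source IP Mitigation Threshold EPS
    sustained_attack_seconds: int = 10                # Sustained Attack Detection Time
    category_duration_seconds: int = 14400            # Category Duration Time (default 4 hours)


@dataclass
class VectorState:
    thresholds: VectorThresholds
    attack_active: bool = False
    over_since: dict = field(default_factory=dict)  # source -> first second over threshold
    blacklist: dict = field(default_factory=dict)   # source -> second the entry expires
    log: list = field(default_factory=list)


def resolve_auto_threshold(learned_eps, floor_eps, ceiling_eps):
    """Keep an automatically learned threshold between Attack Floor EPS and
    Attack Ceiling EPS; a ceiling of Infinite imposes no upper bound."""
    value = max(learned_eps, floor_eps)
    if ceiling_eps is not INFINITE:
        value = min(value, ceiling_eps)
    return value


def process_second(state, now, packets):
    """Evaluate one second of traffic for a vector. `packets` lists the source
    IP of every packet seen in that second. Returns the packets forwarded."""
    t = state.thresholds
    # Category Duration Time elapsed: release the address from the blacklist.
    for src in [s for s, exp in state.blacklist.items() if exp <= now]:
        del state.blacklist[src]
        state.log.append((now, "blacklist-expired", src))
    forwarded = [p for p in packets if p not in state.blacklist]

    # Bad Actor Detection: a source over its per-source detection threshold for
    # the sustained attack time is added to the blacklist category.
    for src, n in Counter(forwarded).items():
        if t.per_src_detection_eps is not INFINITE and n > t.per_src_detection_eps:
            first = state.over_since.setdefault(src, now)
            if now - first + 1 >= t.sustained_attack_seconds and src not in state.blacklist:
                state.blacklist[src] = now + t.category_duration_seconds
                state.over_since.pop(src)
                state.log.append((now, "blacklisted", src))
        else:
            state.over_since.pop(src, None)

    # Per-source mitigation: leak-limit each source to its mitigation EPS.
    if t.per_src_mitigation_eps is not INFINITE:
        budget = defaultdict(lambda: t.per_src_mitigation_eps)
        kept = []
        for p in forwarded:
            if budget[p] > 0:
                budget[p] -= 1
                kept.append(p)
        forwarded = kept

    # Vector-wide detection: an attack is registered for as long as the rate
    # exceeds the detection threshold, so log only the start and the end.
    rate = len(forwarded)
    over = t.detection_eps is not INFINITE and rate > t.detection_eps
    if over and not state.attack_active:
        state.log.append((now, "attack-start", rate))
    elif state.attack_active and not over:
        state.log.append((now, "attack-end", rate))
    state.attack_active = over

    # Vector-wide mitigation: events above the mitigation EPS are dropped.
    if t.mitigation_eps is not INFINITE and rate > t.mitigation_eps:
        forwarded = forwarded[: t.mitigation_eps]
    return forwarded


def run_sample():
    """Constructed traffic: 10.0.0.5 floods at 120 packets/s while 10.0.0.7
    sends a normal 20 packets/s, for 13 seconds. Returns (log, forwarded counts)."""
    state = VectorState(VectorThresholds(
        detection_eps=90, mitigation_eps=95,
        per_src_detection_eps=50, per_src_mitigation_eps=80,
        sustained_attack_seconds=3, category_duration_seconds=10))
    counts = []
    for second in range(13):
        packets = ["10.0.0.5"] * 120 + ["10.0.0.7"] * 20
        counts.append(len(process_second(state, second, packets)))
    return state.log, counts


if __name__ == "__main__":
    log, counts = run_sample()
    for entry in log:
        print(entry)
    print("forwarded per second:", counts)
```

Running the sample shows the interplay the procedures describe: the flooding source is leak-limited per source, the vector-wide detection threshold registers one attack from the first second until the rate drops, the source is blacklisted after three consecutive seconds over its per-source threshold, and it is released again once the category duration has elapsed, at which point detection starts over.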

Configuring dynamic signatures at the device level

Dynamic DoS detection creates dynamic signatures for attacks based on changing traffic patterns over time. When an attack is detected, a dynamic signature is created and added to the dynamic signatures list. All packets are then checked against the dynamic signature, and mitigated according to internal logic. You can enable dynamic signatures to dynamically detect and mitigate DoS attacks at the device level for Network or DNS device protection.
  1. On the Main tab, click DoS Configuration > Device Protection.
    The DoS Protection Device Configuration screen opens.
  2. To enable dynamic signatures for Network (Layer 3 or 4) or DNS traffic, point to Network or DNS, then select the Edit icon (pencil) that appears on the right side.
    The Properties pane opens on the right with the settings for that traffic.
  3. In the Properties pane, for Dynamic Signature Enforcement, from the list, select Enabled.
    At first, you may want to select Learn Only to track dynamic signatures without enforcing any thresholds or limits. Once you see that the system is accurately detecting attacks, select Enabled.
  4. From the Mitigation Sensitivity list, select the sensitivity level for dropping packets.
    • Select None to generate and log dynamic signatures, without dropping packets.
    • To drop packets, set the mitigation level from Low to High. A setting of Low is least aggressive, but will also trigger fewer false positives. A setting of High is most aggressive, and the system may drop more false positive packets.
  5. For Network vectors only: To have dynamic signatures handled by an IP Intelligence category, from the Redirection/Scrubbing list, select Enabled.
  6. If using Redirection/Scrubbing to redirect traffic identified by dynamic signatures, from the Scrubbing Category list, select the IP Intelligence category to assign to the scrubbed packets.
  7. In the Scrubbing Advertisement Time field, specify the amount of time during which an IP address remains in the blacklist category (default is 300 seconds).
  8. When you finish adjusting the settings, click Commit Changes to System.
  9. If at any point you want to delete existing dynamic signatures and restart learning new ones, on the Device Protection screen, click Start Relearning.
With dynamic signatures enabled, the system examines traffic in a learning mode to create a baseline of normal traffic coming to the device. Learning lasts for a couple of hours until sufficient traffic and server stress is analyzed. Then, the system begins anomaly detection and if an attack is detected, it develops dynamic signatures that characterize and mitigate the attack. The system continues to examine traffic patterns in an adaptive mode and constantly updates traffic information and creates dynamic signatures as needed.
To view and edit dynamic signatures, go to the Signatures screen, and click the signature name. You can edit the state and threshold mode, and view predicates in the Properties pane on the right. Click the name in the list again to review details about recent attacks for this signature.
You can also enable dynamic signatures on a protection profile for the protected objects associated with the protection profile.

Custom DDoS attack types

You can create custom HTTP, Network, DNS and TLS DoS attack types if the default attack types do not match a specific type of DoS traffic. Familiarize yourself with the following options prior to creating a new DoS signature. The HTTP and TLS attack signatures share the same HTTP family.
Signature options and their descriptions:
Name
  A unique name identifying the signature object.
Tags
  Tags are used to classify signatures. You can use tags to filter signature lists. For example, use a tag like Flood to group all flood attack signatures.
Description
  Describe the purpose of the signature.
Alias
  An alternate name for the signature.
Approved
  Select the check box to indicate that the signature has been reviewed and approved.
Shareable
  Indicates that the signature can be used by other protected objects (virtual servers) and protection profiles. All shareable signatures are accepted on any profile for which signatures are enabled.
Predicates List
  One or more match expressions, joined by logical operators, which the system uses to match traffic that is causing a DoS attack. You can edit the predicates (and all properties) of persistent signatures, and view the predicates of dynamic signatures. To add predicates when creating a persistent signature, click Add, select a predicate, then specify the match expression and the value.
Creating a custom DDoS attack signature
You can create a custom HTTP, TLS, Network or DNS DoS attack signature for traffic patterns not matching one of the default attack signatures.
  1. On the Main tab, click Security > DoS Protection > Signatures.
  2. Click Add Signature within the Persistent area.
    The Properties pane opens on the right.
  3. Select an attack family from the family list.
  4. Enter a unique Signature Name for the attack signature.
  5. Click the Tags icon to define one or more optional search tags.
    Be sure to press Enter after each tag and click Done to associate all of the tags with the signature.
  6. Enter an optional Description and Alias.
  7. Click Add in the Predicates List area.
  8. Scroll through the Predicates List and select a predicate.
  9. Select the predicate match expression and value.
  10. Repeat steps 7 through 9 to add additional predicates.
  11. Click Create.
The new attack signature can now be viewed and modified when you click the Persistent area.
Use the new attack signature when creating or modifying a new protection profile or when enabling device protection.

Creating a whitelist address list

You can specify IP addresses on a whitelist that the system does not check for DDoS attacks. Addresses on the whitelist are trusted IP addresses that are never blocked.
Different types of whitelists are available depending on the hardware compatibility level of your system: whitelists (Level 1 or 2), rich whitelists (all levels), or extended whitelists (Level 2 only). You can create rich and extended whitelists when configuring Device Protection or creating a Protection Profile.
This task describes how to create a whitelist address list, which is configurable only if your system compatibility level is set to Level 1 or 2. You can check the compatibility level from the Advanced Menu at System > Configuration > Device > General.
  1. On the Main tab, click DoS Configuration > Whitelist.
  2. Click Create.
  3. In the Name field, type a name.
  4. In the Addresses field, type each address, then click Add to add it to the whitelist. Addresses can be in the following forms:
    • An IPv4 or IPv6 address, optionally specifying a network with CIDR slash notation
    • An IPv4 or IPv6 address range
    • A fully qualified domain name
    • A geographic location
    • Another address list or whitelist
  5. Click Finished to add the whitelist to the configuration.
At the device level, you can use the whitelist in DoS Configuration > Device Protection to specify traffic that is allowed to pass through DDoS Hybrid Defender without undergoing DoS checks. You can also use the whitelist at the profile level in DoS Configuration > Protection Profiles to specify the default or HTTP whitelist.
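The address forms a whitelist address list accepts, as listed in the task above, parsed and matched in Python with the standard ipaddress module. This is an added example, not DDoS Hybrid Defender code or its matching logic: the sample lists are constructed; an FQDN entry is matched against a hostname the caller supplies, because the example performs no DNS lookups; and geographic-location entries are recognised by an assumed two-letter uppercase code but never match, since evaluating them needs a geolocation database the example does not have. Nested lists are followed, with a guard against lists that reference each other.

```python
# Added example (not product code): matching an address against the entry
# forms of a whitelist address list. Sample lists and the geo-code heuristic
# are assumptions made for the demonstration.
import ipaddress

# Constructed sample whitelists; "trusted-core" nests "monitoring".
WHITELISTS = {
    "monitoring": ["203.0.113.10", "2001:db8:1::/64", "probe.example.net"],
    "trusted-core": ["198.51.100.0/24", "192.0.2.50-192.0.2.60", "monitoring", "US"],
}


def _parse_entry(entry):
    """Classify one whitelist entry by the forms the page lists."""
    if entry in WHITELISTS:
        return ("list", entry)
    if "/" in entry:
        return ("net", ipaddress.ip_network(entry, strict=False))
    try:
        return ("addr", ipaddress.ip_address(entry))
    except ValueError:
        pass
    if "-" in entry:
        try:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        except ValueError:
            pass  # hostnames may contain "-" too; fall through
        else:
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad address range: {entry}")
            return ("range", (lo, hi))
    if entry.isalpha() and entry.isupper():  # assumption: geo codes look like "US"
        return ("geo", entry)
    return ("fqdn", entry.lower())


def is_whitelisted(list_name, address, hostname=None, _seen=None):
    """Return True if `address` (a string) matches any entry of the named list.
    `hostname` is the name the caller has already resolved for the address."""
    _seen = _seen or set()
    if list_name in _seen:  # reference cycle between lists: stop here
        return False
    _seen.add(list_name)
    addr = ipaddress.ip_address(address)
    for entry in WHITELISTS[list_name]:
        kind, value = _parse_entry(entry)
        if kind == "addr" and value == addr:
            return True
        if kind == "net" and addr.version == value.version and addr in value:
            return True
        if kind == "range" and addr.version == value[0].version and value[0] <= addr <= value[1]:
            return True
        if kind == "fqdn" and hostname and hostname.lower() == value:
            return True
        if kind == "list" and is_whitelisted(value, address, hostname, _seen):
            return True
        # "geo" entries need a geolocation database, which this example lacks.
    return False


if __name__ == "__main__":
    for probe in ["198.51.100.77", "192.0.2.55", "192.0.2.61", "2001:db8:1::abcd"]:
        print(probe, "->", is_whitelisted("trusted-core", probe))
```

Keeping version checks explicit (an IPv6 address is never compared against an IPv4 network or range) avoids the comparison errors the ipaddress module raises for mixed-version ordering, which is the kind of edge case a whitelist containing both families will hit.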

Adjust the device compatibility level

BIG-IP devices are divided into three categories based on hardware capability, and each category allows the use of specific compatibility levels. When you modify the compatibility level of the system, you enable different levels of DoS/DDoS protection and whitelists that are available for use.
Level 0
  Systems with basic hardware DoS capabilities. Provides device protection and Rich Whitelists. Valid for all systems, and is the default value.
Level 1
  Virtual Edition (VE) systems or systems with hardware DoS and sPVA capabilities. Provides Level 0 features, per-virtual-server DoS, whitelist host address lists, IP Intelligence, and bad actor detection.
Level 2
  Systems with hardware DoS, sPVA, and Neuron capabilities. Provides Level 1 features, and whitelist subnet address lists.
If using DDoS Hybrid Defender, adjusting the compatibility level must be done from the Advanced Menu.
  1. On the Main tab, click System > Configuration > Device.
  2. From the Compatibility Level list, select the appropriate compatibility level for your hardware.
    You will receive a message if you select a level that is not applicable to your hardware.
  3. Click Update.

Creating a protection profile

You need to create a DoS protection profile to define which protection mechanisms to apply to specific protected objects in your network. You can apply one protection profile to multiple protected objects, if they have similar characteristics.
For example, if securing a DNS server and several application servers, you could create two protection profiles: one that enforces DNS vectors and the other for enforcing HTTP vectors on two application servers. Then, you can create three protected objects and associate the DNS protection profile with the protected object representing the DNS server, and associate the HTTP protection profile with the protected objects created for the application servers.
  1. On the Main tab, click DoS Configuration > Protection Profiles.
  2. On the Main tab, click Security > DoS Protection > Protection Profiles.
    The Protection Profiles list screen opens.
  3. Click Create.
    The Create New Protection Profile screen opens.
  4. In the Name field, type a name.
  5. In the Description field, optionally type a description.
  6. Select the Threshold Sensitivity.
    Select Low, Medium, or High. A lower setting means the automatic threshold algorithm is less sensitive to changes in traffic and CPU usage, but will also trigger fewer false positives.
  7. If you have created a whitelist on the system, from the Default Whitelist list, select the list.
    You can also click Manage Address Lists to jump to the Address Lists screen where you can create or edit address lists.
  8. For HTTP Whitelist, you can use the default HTTP whitelist or Override Default to specify another list.
  9. For Families, select the types of vectors to include in the protection profile.
  10. Click the edit icon on the right of Network or DNS to open a properties pane where you can configure settings for the family of vectors.
    You can specify settings for dynamic signatures, mitigation, or scrubbing.
  11. Click a family (Network, DNS, SIP, or HTTP) to display the associated attack vectors.
    A table opens listing the attack vectors, the properties, and the current device statistics, if available.
  12. In the Vector Name column, click the name of any vector to edit the settings.
    The vector settings appear on the right, in the Properties pane.
  13. To fully enforce the DoS vector, make sure the State is set to Mitigate (watch, learn, alert, and mitigate).
    Other options allow you to Detect Only (watch, learn, and alert) or Learn Only (collect stats, no mitigation).
    If you have enforced most of the vectors at the device level using Device Protection, you can focus on adjusting the vector thresholds that vary for specific protected objects.
  14. Set the Threshold Mode for the vector.
    • If the attack allows automatic threshold configuration, you can select Fully Automatic or Manual Detection/Auto Mitigation to configure automatic or partially automatic thresholds.
    • To configure thresholds manually, click Fully Manual.
  15. To set the mitigation state for one or more attack types, select the check box next to the vector name or names, and from the Set State list at the bottom of the screen, select Mitigate, Detect Only, or Disable.
    The state you click is set for all selected vectors.
  16. If desired, you can configure threshold settings for multiple DDoS vectors.
    1. Select the check box next to the vector names.
    2. At the bottom of the screen, click Set Threshold Mode, and choose the threshold setting.
      Select Fully-automatic for the system to set the thresholds for the vectors that use auto-thresholding. See Automatically setting DDoS thresholds for Protected Objects for details.
      To work accurately, using fully automatic thresholds requires some amount of historical data on the system gathered through observing normal traffic. Therefore, it is recommended that you not enforce auto thresholds directly after installation.
      To configure thresholds manually, click Manual. See Manually setting DDoS thresholds for protected objects for details.
      Choose Manual Detection/Auto-Mitigation to configure thresholds manually but have the system automatically mitigate system stress.
  17. When you finish adjusting the settings of the vectors, click Commit Changes to System.
    The protection profile is created.
You have created a protection profile that implements specific DoS protections.
Next, you need to attach the protection profile to one or more protected objects.

Automatically setting Network, DNS or SIP DDoS vector thresholds for protected objects

DDoS Hybrid Defender protects network objects from DoS attacks by using a protection profile that you assign to protected objects. The protection profile is where you define thresholds for DDoS attack vectors. For some attack vectors in the protection profile, the system can automatically set detection thresholds and internal rate or leak limits by examining traffic patterns. Use this task to configure individual DoS vectors that include the automatic configuration.
Not all settings apply to all DoS vectors. For example, some vectors do not have automatic thresholds.
  1. On the Main tab, click DoS Configuration > Protection Profiles.
  2. Click the name of the protection profile to edit, or create a new one.
  3. For Families, select the types of vectors to include in the protection profile.
  4. Click a family (Network, DNS, or SIP) to display the associated attack vectors.
    A table opens listing the attack vectors, the properties, and the current device statistics, if available.
  5. In the Vector Name column, click the name of any vector to edit the settings.
    The vector settings appear on the right, in the Properties pane.
  6. To fully enforce the DoS vector, make sure the State is set to Mitigate (watch, learn, alert, and mitigate).
    Other options allow you to Detect Only (watch, learn, and alert) or Learn Only (collect stats, no mitigation).
    If you have enforced most of the vectors at the device level using Device Protection, you can focus on adjusting the vector thresholds that vary for specific protected objects.
  7. To allow the DoS vector thresholds to be automatically adjusted, for Threshold Mode, select Fully Automatic (available only for DNS, Flood, SIP, some Fragmentation, and a few other vectors).
    Automatic thresholding is not available for every DoS vector. In particular, error packets that are broken by their nature, such as those listed under Bad Headers, must be configured manually.
    1. In the Attack Floor EPS field, type the number of events per second of the vector type to allow at a minimum, before automatically calculated thresholds are determined.
      Because automatic thresholds take time to be reliably established, this setting defines the minimum packets allowed before automatic thresholds are calculated.
    2. In the Attack Ceiling EPS field, specify the absolute maximum allowable for packets of this type before automatically calculated thresholds are determined.
      Because automatic thresholds take time to be reliably established, this setting rate limits packets to the events per second setting, when specified. To set no hard limit, set this to Infinite.
      Unless set to Infinite, if the maximum number of packets exceeds the ceiling value, the system considers it to be an attack.
  8. To detect IP address sources from which possible attacks originate, enable
    Bad Actor Detection
    .
  9. To automatically blacklist bad actor IP addresses, select
    Add Source Address to Category
    .
  10. Select the
    Category Name
    to which blacklist entries generated by
    Bad Actor Detection
    are added.
  11. Specify the
    Sustained Attack Detection Time
    , in seconds, after which an IP address is blacklisted.
  12. To change the duration for which the address is blacklisted, specify the duration in seconds in the
    Category Duration Time
    field. The default duration for an automatically blacklisted item is 4 hours (
    14400
    seconds).
    After this time period, the IP address is removed from the blacklist.
  13. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select
    Allow External Advertisement
    .
    To advertise to edge routers, you must configure a Blacklist Publisher for the
    Advertisement Next-Hop
    in the Global Settings.
  14. For automatic blacklisting, click
    Attacked Destination Detection
    , and configure the additional settings as for Bad Actor Detection.
  15. When you finish adjusting the settings, click
    Commit Changes to System
    .
Now you have configured the protection profile to automatically determine DoS attack thresholds based on the characteristics of traffic. The thresholds assigned are usually between the attack floor and attack ceiling values.
Next, you need to attach the protection profile to one or more protected objects.
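To make the Attack Floor/Ceiling EPS clamp and the Bad Actor Detection timing from steps 7 through 12 concrete, here is an added Python model. It is not DDoS Hybrid Defender code: the class names, the clamp rule and the per-source EPS samples are constructed for illustration.

```python
"""Model of the Attack Floor/Ceiling EPS clamp and Bad Actor Detection timing
described in the steps above. Added illustration only, not DDoS Hybrid
Defender code; the per-source EPS samples in the tests are constructed."""
import math
from dataclasses import dataclass, field
from typing import Dict, Optional

INFINITE = math.inf                     # the "Infinite" ceiling choice: no hard limit
DEFAULT_CATEGORY_DURATION_S = 14400     # 4 hours, the default Category Duration Time


@dataclass
class VectorThresholds:
    attack_floor_eps: float                   # rates at or below this are never an attack
    attack_ceiling_eps: float = INFINITE      # rates above this are always an attack
    learned_eps: Optional[float] = None       # auto-calculated threshold once history exists

    def effective_threshold(self) -> float:
        """Auto thresholds land between floor and ceiling; before one has been
        learned only the ceiling limits traffic."""
        if self.learned_eps is None:
            return self.attack_ceiling_eps
        return min(max(self.learned_eps, self.attack_floor_eps), self.attack_ceiling_eps)

    def is_attack(self, observed_eps: float) -> bool:
        if observed_eps <= self.attack_floor_eps:
            return False
        return observed_eps > self.effective_threshold()


@dataclass
class BadActorDetector:
    thresholds: VectorThresholds
    sustained_detection_time_s: float          # Sustained Attack Detection Time
    category_duration_s: float = DEFAULT_CATEGORY_DURATION_S
    attacking_since: Dict[str, float] = field(default_factory=dict)
    blacklisted_until: Dict[str, float] = field(default_factory=dict)

    def observe(self, now: float, source_ip: str, eps: float) -> bool:
        """Feed one per-source rate sample; returns True while the source is blacklisted."""
        if not self.thresholds.is_attack(eps):
            # the attack must be sustained: a dip below threshold resets the timer
            self.attacking_since.pop(source_ip, None)
            return self.is_blacklisted(now, source_ip)
        started = self.attacking_since.setdefault(source_ip, now)
        if (now - started >= self.sustained_detection_time_s
                and not self.is_blacklisted(now, source_ip)):
            self.blacklisted_until[source_ip] = now + self.category_duration_s
        return self.is_blacklisted(now, source_ip)

    def is_blacklisted(self, now: float, source_ip: str) -> bool:
        until = self.blacklisted_until.get(source_ip)
        if until is None:
            return False
        if now >= until:                       # Category Duration Time elapsed: entry removed
            del self.blacklisted_until[source_ip]
            self.attacking_since.pop(source_ip, None)
            return False
        return True
```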

Configuring dynamic signatures in the protection profile

Dynamic DoS detection creates dynamic signatures that define attacks based on changing traffic patterns over time. When an attack is detected, a dynamic signature is created and added to the dynamic signatures list. All packets are then checked against the dynamic signature, and mitigated according to internal logic. You enable dynamic signatures in a protection profile to dynamically detect and mitigate DoS attacks for protected objects that are associated with the profile.
  1. On the Main tab, click
    DoS Configuration
    Protection Profiles
    .
  2. On the Main tab, click
    Security
    DoS Protection
    Protection Profiles
    .
    The Protection Profiles list screen opens.
  3. To enable dynamic signatures for Network (Layer 3 or 4) or DNS traffic, point to
    Network
    or
    DNS
    , then select the Edit icon (pencil) that appears on the right side.
    The Properties pane opens on the right.
  4. In the Properties pane, for
    Dynamic Signature Enforcement
    , from the list, select
    Enabled
    .
    At first, you may want to select
    Learn Only
    to track dynamic signatures, without enforcing any thresholds or limits. Once you see that the system is accurately detecting attacks, then select
    Enabled
    .
  5. From the
    Mitigation Sensitivity
    list, select the sensitivity level for dropping packets.
    • Select
      None
      to generate and log dynamic signatures, without dropping packets.
    • To drop packets, set the mitigation level from
      Low
      to
      High
      . A setting of
      Low
      is least aggressive, but will also trigger fewer false positives. A setting of
      High
      is most aggressive, and the system may drop more false positive packets.
  6. For Network vectors only: To have dynamic signatures handled by an IP Intelligence category, from the
    Redirection/Scrubbing
    list, select
    Enabled
    .
  7. If using Redirection/Scrubbing to redirect traffic identified by dynamic signatures, from the
    Scrubbing Category
    list, select the IP Intelligence category to assign to the scrubbed packets.
  8. In the
    Scrubbing Advertisement Time
    field, specify the amount of time during which an IP address remains in the blacklist category (default is 300 seconds).
  9. When you finish adjusting the settings, click
    Commit Changes to System
    .
  10. If at any point, you want to delete existing dynamic signatures for this protected object and restart learning new ones:
    1. On the Main tab, click
      Local Traffic
      Virtual Servers
      . (For DDoS, use the Advanced Menu.)
    2. Click the name of the protected object for which you want to remove dynamic signatures.
    3. Select
      Security
      Policies
      .
    4. In the
      Dynamic Signatures
      field, click
      Relearn
      .
With dynamic signatures enabled, the system examines traffic in learning mode to create a baseline of normal traffic coming to the device. Learning lasts for a couple of hours, until sufficient traffic and server stress have been analyzed. Then the system begins anomaly detection, and if an attack is detected, it develops dynamic signatures that characterize and mitigate the attack. The system continues to examine traffic patterns in an adaptive mode, constantly updating traffic information and developing dynamic signatures as needed.
To view and edit dynamic signatures, go to the Signatures screen, and click the signature name. You can edit the state and threshold mode, and view predicates in the Properties pane on the right. Click the name in the list again to review details about recent attacks for this signature.
You can also enable dynamic signatures for network or DNS traffic at the device level.

Viewing and persisting dynamic signatures

DDoS Hybrid Defender must have completed the traffic learning period, two hours by default, and detected one or more traffic pattern anomalies in order to create a dynamic signature.
Dynamic signatures cannot be modified and do not remain in the configuration by default. You can view dynamic signature details and, if the signature is considered useful, make it permanent, or persistent, in the configuration. Persistent signatures can also be modified.
  1. On the Main tab, click
    DoS Configuration
    Signatures
    .
  2. Click
    Dynamic
    to expand the list of dynamic signatures.
  3. Review the relevant signature statistics such as
    Creation Info
    and
    Threshold EPS
    .
  4. Click the name of the signature to view the signature
    Predicate List
    .
  5. To make the dynamic signature a permanent, or persistent, signature, check the box next to the signature and click
    Make Persistent
    .
  6. To modify the signature, click
    Persistent
    .
  7. Click the name of the signature.
  8. The
    Properties
    page will appear to the right, allowing you to modify the signature.

Protecting network objects from DDoS attacks

With DDoS Hybrid Defender, you can protect different types of network devices such as application servers, network hosts, DNS servers, routers, and so on against DDoS attacks. These network devices are called
protected objects
.
You need to create protected objects that represent the different devices, and attach a protection profile that defines the DoS protections to apply to that device.
  1. On the Main tab, click
    DoS Configuration
    Protected Objects
    .
    The Protected Objects screen is displayed showing the configured protected objects.
  2. On the far right, click
    Create
    Protected Object
    .
    The Properties pane opens on the right, where you create the protected object. The Shared Objects pane also appears; it is where you develop traffic matching criteria for Netflow Protected Servers, and it does not apply to Protected Objects.
  3. In the Properties pane, for
    Name
    , type a name for the protected object.
  4. In the
    Destination Address
    field, type the IP address or network to which the protected object can send traffic (same format as source address).
  5. In the
    Service Port
    field, specify the service port used by the protected object (0-65535, wildcard * All Ports for all, or select a service from the list).
  6. Check
    Auto Discover Contained Services
    to enable auto discovery of services.
    For more information about auto discovery of services, refer to
    About DDhD auto discovered services
    in the next section.
  7. From the
    Protocol
    list, select the network protocol that the protected object uses. Options are:
    TCP
    ,
    UDP
    , or
    All Protocols
    .
  8. For
    Standard
    type protected objects in the
    Service Profile
    list, select the appropriate DNS, SIP, or HTTP service profile to associate with the protected object.
    In most cases, the default
    DHD_dns
    ,
    DHD_sip
    , or
    DHD_http
    profile is sufficient. To adjust the profile settings, from the Advanced Menu, select
    Local Traffic
    Profiles
    Services
    and select
    DNS
    ,
    SIP (legacy)
    , or
    HTTP
    . From there, you can edit the default profiles or create new ones.
  9. In the
    Source Address
    field, type the IP address or network from which the protected object accepts traffic.
    Specify the IP address in CIDR format:
    address/prefix
    , where the prefix length is in bits: for example, for IPv4:
    10.0.0.1/32
    or
    10.0.0.0/24
    , and for IPv6:
    ffe1::0020/64
    or
    2001:ed8:77b5:2:10:10:100:42/64
    .
  10. Click
    Network & General
    to expand the configuration area.
  11. From the
    VLANs
    list, move one or more VLANs available to this protected object into the
    Selected
    list.
    You can view and create VLANs by clicking
    View VLAN Profiles
    .
  12. From the
    Transparent Nexthop
    list, select the egress VLAN for traffic for which you want to preserve Layer 2 (MAC) address information. Layer 2 address preservation disables Layer 3 (IP/IPv6) address translation.
  13. From the
    Logging Profiles
    list, move one or more log profiles to use for this protected object into the
    Selected
    list.
    You can view and create Logging Profiles by clicking
    View Log Profiles
    .
  14. Click
    Protection Settings
    to expand the configuration area.
  15. In the
    Throughput Capacity (Mbps)
    field, type the maximum allowable throughput in megabits per second for the protected object. Infinite means no limit.
  16. From the
    Protection Profile
    list, select the protection profile that defines the protections and thresholds to associate with the protected object.
  17. From the
    Bot Defense Profile
    list, select the bot defense profile that defines the protections and thresholds to associate with the protected object.
  18. From the
    Eviction Policy
    list, select the eviction policy to associate with the protected object.
    The eviction policy provides guidelines for how aggressively the system discards flows from the flow table.
  19. From the
    IP Intelligence
    list, select the IP intelligence policy to associate with the protected object.
    The IP intelligence policy checks traffic against an IP intelligence database that contains known bad or questionable IP addresses.
  20. Click the
    Save
    button.
    The system creates the protected object.
Now you have configured the system to protect a network object from DDoS attacks, and to allow such attacks to be identified in system logs and reports.

Create an eviction policy

You can create eviction policies to control the granularity and aggressiveness with which the system discards flows.
  1. On the Main tab, click
    DoS Configuration
    Eviction Policy
    .
  2. Click
    Create
    .
    The
    New Eviction Policy
    screen opens.
  3. In the
    Name
    field, type a name for the eviction policy.
  4. In the
    Trigger
    fields, type a high and low water mark for the eviction policy.
    This measure specifies the percentage of the quota, for this context, before flow eviction starts (high water mark) and ends (low water mark).
  5. Enable
    Slow Flow Monitoring
    to monitor flows that are considered slow by the system, and specify the slow flow threshold in bytes per second.
    This combination of settings monitors the system for flows that fall below the slow flow threshold for more than 30 seconds.
  6. In the
    Grace Period
    field you can set a grace period, in seconds, between the detection of slow flows that meet the threshold requirement, and purging of slow flows according to the
    Slow Flow Throttling
    settings.
  7. In the Slow Flow Throttling area, set the slow flow throttling options.
    Disabled
    Slow flows are monitored, but not removed from the system when the threshold requirement is met for 30 seconds.
    Absolute
    Slow flows are removed from the system when the threshold requirement is met for 30 seconds. Setting an absolute limit removes all slow flows beyond the specified absolute number of flows.
    Percent
    Slow flows are removed from the system when the threshold requirement is met for 30 seconds. Setting a percentage limit removes that percentage of slow flows that exceed the specified monitoring setting, so the default value of 100% removes all slow flows that exceed the slow flow threshold, after the grace period.
  8. For
    Strategies
    , configure the strategies that the eviction policy uses to remove flows by moving algorithms from the
    Available
    list to the
    Selected
    list.
  9. Click
    Finished
    .
The eviction policy appears in the Eviction Policy List.
To use an eviction policy, associate it with a protected object or a route domain. You can configure a global eviction policy at
System
Configuration
Local Traffic
General
.
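As an added example (not DDoS Hybrid Defender code), the following Python model shows how the Trigger water marks, Slow Flow Monitoring, Grace Period and Slow Flow Throttling settings above interact. The quota, flows and rates are constructed, and evicting the slowest flows first is an assumed strategy.

```python
"""Added model of the eviction-policy settings described above: quota with
high/low water marks, Slow Flow Monitoring with its 30-second window and
grace period, and Disabled/Absolute/Percent throttling. Illustration only, not
DDoS Hybrid Defender code; the flows and rates are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

SLOW_OBSERVE_S = 30.0     # a flow must sit below the slow threshold this long before it counts


@dataclass
class Flow:
    flow_id: str
    bytes_per_second: float
    slow_since: Optional[float] = None   # when the flow first dropped below the slow threshold


@dataclass
class EvictionPolicy:
    quota: int                        # flow quota for the context (protected object, route domain, global)
    high_water_pct: float             # Trigger: eviction starts above this percentage of the quota
    low_water_pct: float              # Trigger: eviction stops once usage is back at this percentage
    slow_flow_threshold_bps: float    # Slow Flow Monitoring threshold, bytes per second
    grace_period_s: float             # Grace Period between slow-flow detection and purging
    throttling: str = "disabled"      # Slow Flow Throttling: "disabled", "absolute" or "percent"
    throttle_value: float = 100.0     # Absolute: slow flows to keep; Percent: share of slow flows to purge


class FlowTable:
    def __init__(self, policy: EvictionPolicy) -> None:
        self.policy = policy
        self.flows: Dict[str, Flow] = {}
        self.evicting = False

    def add(self, flow: Flow) -> None:
        self.flows[flow.flow_id] = flow

    def usage_pct(self) -> float:
        return 100.0 * len(self.flows) / self.policy.quota

    def enforce_watermarks(self) -> List[str]:
        """Hysteresis between the two water marks: once usage crosses the high mark,
        evict until it is back at the low mark. Evicting the slowest flows first is an
        assumed strategy; the product lets you pick strategies from a list."""
        if self.usage_pct() >= self.policy.high_water_pct:
            self.evicting = True
        evicted: List[str] = []
        if self.evicting:
            for flow in sorted(self.flows.values(), key=lambda f: f.bytes_per_second):
                if self.usage_pct() <= self.policy.low_water_pct:
                    break
                del self.flows[flow.flow_id]
                evicted.append(flow.flow_id)
            self.evicting = False
        return evicted

    def observe(self, now: float, rates: Dict[str, float]) -> List[str]:
        """Record one rate sample per flow (unchanged flows keep their last rate) and purge
        the slow flows that have been below the threshold for 30 s plus the grace period."""
        p = self.policy
        for fid, flow in self.flows.items():
            flow.bytes_per_second = rates.get(fid, flow.bytes_per_second)
            if flow.bytes_per_second < p.slow_flow_threshold_bps:
                if flow.slow_since is None:
                    flow.slow_since = now
            else:
                flow.slow_since = None           # recovered: the 30-second clock restarts
        wait = SLOW_OBSERVE_S + p.grace_period_s
        eligible = sorted((f for f in self.flows.values()
                           if f.slow_since is not None and now - f.slow_since >= wait),
                          key=lambda f: f.bytes_per_second)
        purged = self._throttle(eligible)
        for flow in purged:
            del self.flows[flow.flow_id]
        return [f.flow_id for f in purged]

    def _throttle(self, eligible: List[Flow]) -> List[Flow]:
        p = self.policy
        if p.throttling == "disabled" or not eligible:
            return []                            # Disabled: monitored, never removed
        if p.throttling == "absolute":           # keep up to N slow flows, purge the slowest beyond N
            return eligible[:max(0, len(eligible) - int(p.throttle_value))]
        if p.throttling == "percent":            # purge that share of the slow flows (100% = all)
            return eligible[:round(len(eligible) * p.throttle_value / 100.0)]
        raise ValueError(f"unknown Slow Flow Throttling mode {p.throttling!r}")
```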

Create a policy to check addresses against IP Intelligence

You can verify IP addresses against the preconfigured IP Intelligence database, and against IPs from your own feed lists, by creating an IP Intelligence policy.
  1. On the Main tab, click
    DoS Setup
    IP Intelligence
    Policies
    .
    The IP Intelligence Policies screen opens.
  2. Click
    Create
    to create a new IP Intelligence policy.
  3. In the
    Name
    field, type a name for the IP intelligence policy.
  4. To add feed lists to the policy, click the name of an
    Available
    feed list, and then add it to the
    Selected
    list.
  5. For
    Default Action
    , set the default action for the IP intelligence policy as a whole.
    • Select
      Accept
      to allow packets from categorized addresses that have no action applied on the feed list.
    • Select
      Drop
      to drop packets from categorized addresses that have no action applied on the feed list.
    The default action applies to addresses that are not assigned a blacklist category in the feed list. The IP Intelligence feature uses the action specified in a feed list entry, when available.
  6. Set
    Default Log Actions
    for the IP intelligence policy as a whole.
    • Log Whitelist Overrides
      logs only whitelist matches that override blacklist matches.
    • Log Blacklist Category Matches
      logs IP addresses that match blacklist categories.
    • Select both
      Log Blacklist Category Matches
      and
      Log Whitelist Overrides
      to log all blacklist matches, and all whitelist matches that override blacklist matches.
    Whitelist matches always override blacklist matches.
  7. To customize default actions and logging for any of the blacklist categories, specify default actions in the
    Blacklist Matching Policy
    setting.
    The default action for a blacklist category is always
    Reject
    .
    For each category that you want to customize:
    1. From the
      Blacklist Category
      list, select a category.
    2. For
      Action
      , select
      Use Policy Default
      to use the default action for this policy; select
      Drop
      to drop packets from sources of the specified type, as identified by the IP address intelligence database; or select
      Accept
      to allow packets in this category.
    3. For
      Log Blacklist Category Matches
      , select
      Use Policy Default
      to use the default log action for blacklist matches;
      Yes
      affords visibility into blacklist matches and logs all packets, but provides no hardware acceleration data;
      Limited
      logs statistics every 256 packets and includes hardware acceleration;
      No
      does not log blacklist matches but provides the highest performance with hardware acceleration.
    4. For
      Log Whitelist Overrides
      , select
      Use Policy Default
      to use the default log action for whitelist overrides; select
      Yes
      or
      No
      to override the default action.
    5. For
      Match Override
      , select the matching criteria that overrides a blacklist match. You can require a source match, a destination match, or both a source and destination match to override a blacklist match with a whitelist.
    6. Click
      Add
      to add the custom defaults for the category.
      You can also select
      Replace
      to replace the defaults for a category.
    7. Repeat these steps for any category for which you want to customize default actions.
    The custom categories are listed at the bottom. You can select and delete them if things change.
  8. Click
    Finished
    .
You created an IP intelligence policy. Next, it needs to be assigned globally to the BIG-IP system, to a specific virtual server, or a route domain so that it is applied to the correct traffic.
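The following added Python model (not BIG-IP code) shows how the settings from this procedure combine for one packet: the policy Default Action, a per-category Action, the whitelist override governed by Match Override, and the Yes/Limited/No logging modes. The feed entries, category names and addresses (RFC 5737 documentation ranges) are constructed, and matching blacklist categories on the source address is an assumption of the model.

```python
"""Added model of how the IP Intelligence policy settings above combine
(default action, per-category action, whitelist override with Match Override,
and Yes/Limited/No logging). Illustration only, not BIG-IP code; the feed
entries and addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

WHITELIST = "whitelist"
USE_POLICY_DEFAULT = "use-policy-default"
LIMITED_LOG_INTERVAL = 256            # Limited: statistics every 256 packets


@dataclass
class FeedEntry:
    network: str                      # CIDR from a feed list
    category: str                     # blacklist category, or WHITELIST
    action: Optional[str] = None      # optional action carried by the feed entry


@dataclass
class CategoryPolicy:
    action: str = USE_POLICY_DEFAULT                     # "accept", "drop" or policy default
    log_matches: str = USE_POLICY_DEFAULT                # "yes", "limited", "no" or policy default
    log_whitelist_overrides: str = USE_POLICY_DEFAULT    # "yes", "no" or policy default
    match_override: str = "source"                       # "source", "destination" or "both"


@dataclass
class IPIntelligencePolicy:
    default_action: str = "accept"               # Default Action for the policy as a whole
    log_blacklist_matches: bool = False          # Default Log Actions
    log_whitelist_overrides: bool = False
    feed: List[FeedEntry] = field(default_factory=list)
    categories: Dict[str, CategoryPolicy] = field(default_factory=dict)
    counters: Dict[str, int] = field(default_factory=dict)   # per-category packet counts for Limited logging

    def _matches(self, ip: str) -> List[FeedEntry]:
        addr = ipaddress.ip_address(ip)
        return [e for e in self.feed if addr in ipaddress.ip_network(e.network)]

    def evaluate(self, src: str, dst: str) -> Tuple[str, List[str]]:
        """Return (action, log lines) for one packet. Blacklist categories are
        matched on the source address here (an assumption of this model)."""
        logs: List[str] = []
        src_entries = self._matches(src)
        hit = next((e for e in src_entries if e.category != WHITELIST), None)
        if hit is None:
            return "accept", logs                   # uncategorized address: nothing to do
        cat = self.categories.get(hit.category, CategoryPolicy())
        src_white = any(e.category == WHITELIST for e in src_entries)
        dst_white = any(e.category == WHITELIST for e in self._matches(dst))
        overridden = {"source": src_white, "destination": dst_white,
                      "both": src_white and dst_white}[cat.match_override]
        if overridden:                              # whitelist matches always override blacklist matches
            log_it = (self.log_whitelist_overrides
                      if cat.log_whitelist_overrides == USE_POLICY_DEFAULT
                      else cat.log_whitelist_overrides == "yes")
            if log_it:
                logs.append(f"whitelist override {src}->{dst} ({hit.category})")
            return "accept", logs
        # action precedence: feed entry action, then category action, then policy default
        if hit.action is not None:
            action = hit.action
        elif cat.action != USE_POLICY_DEFAULT:
            action = cat.action
        else:
            action = self.default_action
        mode = cat.log_matches
        if mode == USE_POLICY_DEFAULT:
            mode = "yes" if self.log_blacklist_matches else "no"
        count = self.counters[hit.category] = self.counters.get(hit.category, 0) + 1
        if mode == "yes" or (mode == "limited" and count % LIMITED_LOG_INTERVAL == 0):
            logs.append(f"blacklist match {src} category={hit.category} action={action} count={count}")
        return action, logs
```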

How to protect different network objects from DDoS attacks

Administrators often want to protect against a specific type of DDoS attack or to protect a particular type of protected object from attacks. This table gives you an idea of the types of protections you can set up.
To protect this:
Use these settings:
DNS Servers
  • Create a protection profile for all DNS Servers.
  • In
    Families
    , click
    DNS
    .
  • Expand
    DNS
    , check threshold settings.
  • Create a protected object for each DNS Server.
  • Set
    Service Port
    to the DNS port.
  • Set
    Protocol
    to
    UDP
    .
  • In
    Protection Profile
    , select the profile you created.
SIP Servers
  • Create a protection profile for all SIP Servers.
  • In
    Families
    , click
    SIP
    .
  • Expand
    SIP
    , check threshold settings.
  • Create a protected object for each SIP Server.
  • Set
    Service Port
    to the SIP port.
  • Set
    Protocol
    to
    TCP
    .
  • In
    Protection Profile
    , select the profile you created.
Web applications
  • Create a protection profile for one or more application servers.
  • In
    Families
    , click
    HTTP
    .
  • Expand
    HTTP
    , check threshold settings.
  • Create a protected object for each application server.
  • Set
    Service Port
    to
    80
    for HTTP.
  • Set
    Protocol
    to
    TCP
    .
  • In
    Protection Profile
    , select the profile you created.
Backend servers from SYN Floods
  • Create a protection profile for all backend servers.
  • In
    Families
    , click
    Network
    .
  • Expand
    Network
    , check the settings for
    TCP SYN Flood
    .
  • Create a protected object for each backend server.
  • Set
    Destination Address
    to
    *
    for all addresses.
  • Set
    Service Port
    to
    *
    for all ports.
  • Set
    Protocol
    to
    TCP
    .
  • In
    Protection Profile
    , select the profile you created.
Backend servers from Sweep Attacks
  • Create a protection profile for all backend servers.
  • In
    Families
    , click
    Network
    .
  • Expand
    Network
    , for
    Sweep
    select the packet types to check for sweep attacks.
  • Create a protected object for each backend server.
  • Set
    Destination Address
    to
    *
    for all addresses.
  • Set
    Port
    to
    *
    for all ports.
  • Set
    VLAN
    to
    defaultVLAN
    .
  • Set
    Protocol
    to
    TCP
    .
  • In
    Protection Profile
    , select the profile you created.

DDoS protected object attack types

For each protected object, you can specify specific threshold, rate increase, rate limit, and other parameters for supported DoS attack types, to more accurately detect, track, and rate limit attacks.

IPv4 Attack Vectors

Vector: Information
Host Unreachable: The host cannot be reached.
ICMP Fragment: ICMP fragment flood.
ICMPv4 Flood: Flood with ICMPv4 packets.
IP Fragment Flood: Fragmented packet flood with IPv4.
IP Option Frames: IPv4 address packets that are part of an IP option frame flood. On the command line, the sys db variable tm.acceptipsourceroute must be enabled to receive IP options.
TIDCMP: ICMP type 4 error; can't accept queries.
TTL <= <tunable>: An IP packet whose destination is not multicast has a Time to Live (TTL) value less than or equal to the configured value. To tune this value, in tmsh run modify sys db dos.iplowttl value <value>, where <value> is 1-4 (1 is the default).

IPv6 Attack Vectors

Vector: Information
Host Unreachable: The host cannot be reached.
ICMP Fragment: ICMP fragment flood.
ICMPv6 Flood: Flood with ICMPv6 packets.
IPV6 Extended Header Frames: IPv6 address contains extended header frames.
IPv6 extension header too large: An IPv6 extension header exceeds the limit in bytes set at DoS Protection > Quick Configuration > Global Settings, in the Too Large IPv6 Extension Header field.
IPV6 Fragment Flood: The IPv6 extended header hop count is less than or equal to the hop count limit set at DoS Protection > Quick Configuration > Global Settings, in the IPv6 Low Hop Count field.
IPv6 hop count <= <tunable>: The IPv6 extended header hop count is less than or equal to the hop count limit set at DoS Protection > Quick Configuration > Global Settings, in the IPv6 Low Hop Count field.
Too Many Extended Headers: For an IPv6 address, the extension headers exceed the limit set at DoS Protection > Quick Configuration > Global Settings, in the Too Many IPv6 Extension Header field.

TCP Attack Vectors

Vector: Information
Non TCP Connection: Sets a connection rate limit for non-TCP flows that takes into account all other connections per second.
Option Present With Illegal Length: Packets contain an option with an illegal length.
TCP Bad URG: The TCP header has a bad URG flag; this is likely malicious (the flag is set and the urgent pointer is 0).
TCP Option Overruns TCP Header: The TCP option bits overrun the TCP header.
TCP PSH Flood: Attackers send spoofed PUSH packets at very high rates; the packets do not belong to any current session.
TCP RST Flood: A TCP reset attack, also known as "forged TCP resets", "spoofed TCP reset packets" or "TCP reset attacks", is a method of tampering with Internet communications.
TCP SYN ACK Flood: An attack method that involves sending a target server spoofed SYN-ACK packets at a high rate.
TCP SYN Flood: Attackers send a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
TCP SYN Oversize: Detects TCP data SYN packets larger than the maximum specified in the limit set at DoS Protection > Quick Configuration > Global Settings, in the Too Large TCP SYN Packet field. The default size in bytes is 64 and the maximum allowable value is 9216.
TCP Window Size: The TCP window size in packets is above the maximum size. To tune this setting, change the setting at DoS Protection > Quick Configuration > Global Settings, in the Too Low TCP Window Size field.
Unknown TCP Option Type: The TCP option type is not standard.

UDP Attack Vector

Vector: Information
UDP Flood: The attacker sends UDP packets, typically large ones, to a single destination or to random ports.

Sweep Attack Vector

Vector: Information
Sweep: The attacker uses a network scanning technique that typically sweeps your network by sending packets, and using the packet responses to determine live hosts.

DNS Attack Vectors

Vector: How to identify it
For each vector below, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Protection > Quick Configuration > Global Settings to the DNS VLAN (0-4094).
a: UDP packet, DNS Qtype is A_QRY, VLAN is <tunable>.
aaaa: UDP packet, DNS Qtype is AAAA, VLAN is <tunable>.
any: UDP packet, DNS Qtype is ANY_QRY, VLAN is <tunable>.
axfr: UDP packet, DNS Qtype is AXFR, VLAN is <tunable>.
cname: UDP DNS query, DNS Qtype is CNAME, VLAN is <tunable>.
dns-malformed: Malformed DNS packets.
ixfr: UDP DNS query, DNS Qtype is IXFR, VLAN is <tunable>.
mx: UDP DNS query, DNS Qtype is MX, VLAN is <tunable>.
ns: UDP DNS query, DNS Qtype is NS, VLAN is <tunable>.
other: UDP DNS query, DNS Qtype is OTHER, VLAN is <tunable>.
ptr: UDP DNS query, DNS Qtype is PTR, VLAN is <tunable>.
qdcount: DNS QDCount limit. UDP packet, DNS qdcount neq 1, VLAN is <tunable>.
soa: UDP packet, DNS Qtype is SOA_QRY, VLAN is <tunable>.
srv: UDP packet, DNS Qtype is SRV, VLAN is <tunable>.
txt: UDP packet, DNS Qtype is TXT, VLAN is <tunable>.
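As an added example of how the DNS vectors above are identified from a packet (not DDoS Hybrid Defender code), the following Python classifier parses a UDP DNS query, gates on the DNS VLAN, checks qdcount, and maps the Qtype to a vector name; the QTYPE_VECTORS table, the helper names and the query payloads built by build_query are constructed for the example.

```python
"""Added classifier that maps a UDP DNS query to the vector names in the
table above (a, aaaa, any, ..., qdcount, dns-malformed), gated on the DNS
VLAN. Illustration only, not DDoS Hybrid Defender code; the payloads are
constructed with build_query, not captured traffic."""
import struct
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Qtype code -> vector name; any other Qtype counts as "other"
QTYPE_VECTORS = {1: "a", 2: "ns", 5: "cname", 6: "soa", 12: "ptr", 15: "mx", 16: "txt",
                 28: "aaaa", 33: "srv", 251: "ixfr", 252: "axfr", 255: "any"}
DNS_HEADER = struct.Struct("!HHHHHH")    # id, flags, qdcount, ancount, nscount, arcount


def build_query(name: str, qtype: int, qdcount: int = 1, txid: int = 0x1234) -> bytes:
    """Construct a minimal standard query (sample input for the classifier)."""
    header = DNS_HEADER.pack(txid, 0x0100, qdcount, 0, 0, 0)
    labels = [label.encode() for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)       # qclass IN


def classify_dns_query(payload: bytes, vlan: int, dns_vlan: int) -> Optional[str]:
    """Return the DNS vector name for one UDP payload, or None when the packet did
    not arrive on the configured DNS VLAN (the <tunable> in the table)."""
    if vlan != dns_vlan:
        return None
    if len(payload) < DNS_HEADER.size:
        return "dns-malformed"
    _txid, _flags, qdcount, _an, _ns, _ar = DNS_HEADER.unpack_from(payload)
    if qdcount != 1:
        return "qdcount"                        # "DNS qdcount neq 1"
    pos = DNS_HEADER.size
    while True:                                 # walk the question name labels
        if pos >= len(payload):
            return "dns-malformed"              # name runs past the end of the packet
        length = payload[pos]
        if length == 0:
            pos += 1
            break
        if length > 63:
            return "dns-malformed"              # label too long, or a compression pointer where a label is expected
        pos += 1 + length
    if pos + 4 > len(payload):
        return "dns-malformed"                  # qtype/qclass missing
    qtype, _qclass = struct.unpack_from("!HH", payload, pos)
    return QTYPE_VECTORS.get(qtype, "other")


def tally_vectors(packets: Iterable[Tuple[int, bytes]], dns_vlan: int) -> Dict[str, int]:
    """Count vector hits over (vlan, payload) pairs; comparing such counts per second
    with the vector thresholds is what the protection profile does."""
    counts: Counter = Counter()
    for vlan, payload in packets:
        vector = classify_dns_query(payload, vlan, dns_vlan)
        if vector is not None:
            counts[vector] += 1
    return dict(counts)
```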

SIP Attack Vectors

Vector: Information
ack: SIP ACK packets. Used with an INVITE request when establishing a call.
bye: SIP BYE packets. The attacker tries to terminate a communication session prematurely.
cancel: SIP CANCEL packets. Attackers prevent callers from establishing a session.
invite: SIP INVITE packets. Attackers send multiple INVITE packets to initiate call sessions.
message: SIP MESSAGE packets. Attackers send instant messages.
notify: SIP NOTIFY packets. Attackers send notifications, such as of voice mails.
options: SIP OPTIONS packets. Attackers send probes to determine the capabilities of servers.
other: Other SIP method packets.
prack: SIP PRACK packets. Attackers send PRACK packets for provisional acknowledgements.
publish: SIP PUBLISH packets. Attackers publish messages to the server.
register: SIP REGISTER packets. Attackers register or unregister a phone address listed in the To header field with a SIP server.
subscribe: SIP SUBSCRIBE packets. Attackers send subscriber notification messages.
URI Limit: The SIP URI exceeds the limit set at DoS Protection > Quick Configuration > Global Settings, in the Too Long SIP URI field. This setting should be less than 1024, the maximum length in bytes for a SIP URI.

Layer 7 HTTP and HTTPS Attack Vectors

Protection: Description
Behavioral: Attack indicates bad actors by their anomalous behavior, based on deviation from baseline behavior.
Detection by Device: Attack indicates suspicious client devices tracked by fingerprinting and a high number of transactions per second.
Detection by Geolocation: Attack indicates suspicious geographical locations identified by their IP range and an unusual traffic share.
Detection by Site: Attack indicates that the global traffic on the site (the whole application) signifies an attack, based on a high number of transactions per second.
Detection by Source-IP: Attack indicates suspicious clients identified by their IP address and a high number of transactions per second.
Detection by URL: Attack targets specific URLs in the web application by sending a high number of transactions per second to them.
Heavy URL: Attack focuses on URLs that consume considerable server resources and thus can become tipping points in DoS attacks. The system automatically detects heavy URLs.

HTTP and HTTPS Proactive Bot Defense Categories

Category: Description/Category
Proactive Bot Defense: Attacks caused by web robots. The system uses JavaScript evaluations and bot signatures to ensure that browsers are legitimate and not automated.
Crawler: Benign
HTTP Library: Benign
Search Bot: Benign
Search Engine: Benign
Service Agent: Benign
Site Monitor: Benign
Social Media Agent: Benign
Web Downloader: Benign
DoS Tool: Malicious
E-Mail Collector: Malicious
Exploit Tool: Malicious
Network Scanner: Malicious
Spam Bot: Malicious
Vulnerability Scanner: Malicious
Web Spider: Malicious

DDoS device protection attack types

In Device Protection, you can specify thresholds, rate increase, rate limit, and other parameters for device-level DDoS attack types, to more accurately detect, track, and rate limit attacks. Broken packets, such as those with bad headers, should be severely rate limited.
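Several of the device-level network vectors listed below are pure header sanity checks (Bad IP Version, Bad IP TTL Value, Bad Source, the Header Length checks, Bad ICMP Frame, Bad IGMP Frame and the TCP flag vectors). The following added Python code (not DDoS Hybrid Defender code) applies those rules exactly as the table states them to constructed sample headers; the 8-byte minimum ICMP size and reading "all flags set" as the six classic TCP flags are assumptions, and the helper names are made up for the example.

```python
"""Added sanity checks mirroring several device-level vectors from the network
attack types table (Bad IP Version, Bad IP TTL Value, Bad Source, Header Length
checks, Bad ICMP Frame, Bad IGMP Frame, TCP flag vectors). Illustration only,
not DDoS Hybrid Defender code; the sample headers are built by the helpers."""
import ipaddress
import struct
from typing import List

VALID_ICMPV4_TYPES = {0, 3, 4, 5, 8, 11, 12, 13, 14, 15, 16, 17, 18}
VALID_ICMPV6_TYPES = {1, 2, 3, 4, 128, 129, 130, 131, 132}
VALID_IGMP_TYPES = {0x11, 0x12, 0x16, 0x22, 0x17}
BAD_IPV4_SOURCES = {bytes.fromhex("ffffffff"), bytes.fromhex("e0000000")}   # 255.255.255.255, 0xe0000000


def check_ipv4_header(frame_payload: bytes) -> List[str]:
    """Return the vector names an IPv4 header trips; frame_payload is the Layer 2 payload."""
    findings: List[str] = []
    if len(frame_payload) < 20:
        return ["Header Length Too Short"]
    version, ihl = frame_payload[0] >> 4, (frame_payload[0] & 0x0F) * 4
    if version != 4:
        findings.append("Bad IP Version")
    if ihl < 20:
        findings.append("Header Length Too Short")
    elif ihl > len(frame_payload):
        findings.append("Header Length > L2 Length")    # no room for header plus options
    if frame_payload[8] == 0:
        findings.append("Bad IP TTL Value")
    if frame_payload[12:16] in BAD_IPV4_SOURCES:
        findings.append("Bad Source")
    return findings


def check_icmp(payload: bytes, ipv6: bool) -> List[str]:
    """Bad ICMP Frame: wrong size or a type outside the valid IPv4/IPv6 lists.
    An 8-byte minimum is assumed for 'wrong size'."""
    if len(payload) < 8:
        return ["Bad ICMP Frame"]
    valid = VALID_ICMPV6_TYPES if ipv6 else VALID_ICMPV4_TYPES
    return [] if payload[0] in valid else ["Bad ICMP Frame"]


def check_igmp(payload: bytes) -> List[str]:
    """Bad IGMP Frame: header >= 8 bytes, type (bits 7:0) in the allowed set, and
    bits 15:8 non-zero only for a 0x11 membership query."""
    if len(payload) < 8 or payload[0] not in VALID_IGMP_TYPES:
        return ["Bad IGMP Frame"]
    if payload[1] != 0 and payload[0] != 0x11:
        return ["Bad IGMP Frame"]
    return []


def check_tcp_flags(tcp_header: bytes) -> List[str]:
    """The three flag-combination vectors. 'All flags set' is taken to mean the six
    classic flags URG/ACK/PSH/RST/SYN/FIN (an assumption of this example)."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    seq = struct.unpack_from("!I", tcp_header, 4)[0]
    flags = tcp_header[13] & 0x3F
    findings: List[str] = []
    if flags == 0 and seq == 0:
        findings.append("Bad TCP Flags (All Cleared)")
    if flags == 0x3F:
        findings.append("Bad TCP Flags (All Flags Set)")
    if flags == 0x01:
        findings.append("FIN Only Set")
    return findings


def ipv4_header(ttl: int = 64, src: str = "192.0.2.1", version: int = 4, ihl: int = 5) -> bytes:
    """Constructed 20-byte IPv4 header (no options) for the checks above."""
    return struct.pack("!BBHHHBBH4s4s", (version << 4) | ihl, 0, 20, 0, 0, ttl, 6, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address("192.0.2.2").packed)


def tcp_header(flags: int, seq: int = 1) -> bytes:
    """Constructed 20-byte TCP header with the given flag byte."""
    return struct.pack("!HHIIBBHHH", 1234, 80, seq, 0, 5 << 4, flags, 65535, 0, 0)
```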

Network attack types

Vector | Information | Hardware accelerated
ARP Flood | ARP packet flood | Yes
Bad ICMP Checksum | An ICMP frame checksum is bad. The check reuses the TCP or UDP checksum bits in the packet. | Yes
Bad ICMP Frame | The ICMP frame is either the wrong size or not one of the valid IPv4 or IPv6 types. Valid IPv4 types: 0 Echo Reply, 3 Destination Unreachable, 4 Source Quench, 5 Redirect, 8 Echo, 11 Time Exceeded, 12 Parameter Problem, 13 Timestamp, 14 Timestamp Reply, 15 Information Request, 16 Information Reply, 17 Address Mask Request, 18 Address Mask Reply. Valid IPv6 types: 1 Destination Unreachable, 2 Packet Too Big, 3 Time Exceeded, 4 Parameter Problem, 128 Echo Request, 129 Echo Reply, 130 Membership Query, 131 Membership Report, 132 Membership Reduction. | Yes
Bad IGMP Frame | IPv4 IGMP packets should have a header >= 8 bytes. Bits 7:0 should be one of 0x11, 0x12, 0x16, 0x22 or 0x17, or else the header is bad. Bits 15:8 should be non-zero only if bits 7:0 are 0x11, or else the header is bad. | Yes
Bad IP TTL Value | Time-to-live equals zero for an IPv4 packet. | Yes
Bad IP Version | The IP version in the IPv4 header is not 4. | Yes
Bad IPv6 Addr | IPv6 source IP = 0xff00:: | Yes
Bad IPV6 Hop Count | Both the terminated (cnt=0) and forwarding packet (cnt=1) counts are bad. | Yes
Bad IPV6 Version | The IP version in the IPv6 header is not 6. | Yes
Bad SCTP Checksum | Bad SCTP packet checksum. | No
Bad Source | The IPv4 source IP = 255.255.255.255 or 0xe0000000U. | Yes
Bad TCP Checksum | The TCP checksum does not match. | Yes
Bad TCP Flags (All Cleared) | Bad TCP flags (all cleared and SEQ#=0). | Yes
Bad TCP Flags (All Flags Set) | Bad TCP flags (all flags set). | Yes
Bad UDP Checksum | The UDP checksum is not correct. | Yes
Bad UDP Header (UDP Length > IP Length or L2 Length) | UDP length is greater than IP length or Layer 2 length. | Yes
Ethernet MAC Source Address == Destination Address | Ethernet MAC source address equals the destination address. | Yes
FIN Only Set | Bad TCP flags (only FIN is set). | Yes
Header Length > L2 Length | No room in the Layer 2 packet for the IPv4 header (including options). | Yes
Header Length Too Short | IPv4 header length is less than 20 bytes. | Yes
Host Unreachable | Host unreachable error | Yes
ICMP Fragment | ICMP fragment flood | Yes
ICMP Frame Too Large | The ICMP frame exceeds the declared IP data length or the maximum datagram length set at DoS Setup > Global, in the Too Large IPv6 Extension Header field. To tune this value, in tmsh: modify sys db dos.maxicmpframesize value <value>, where <value> is <= 65515. | Yes
ICMPv4 Flood | Flood with ICMPv4 packets | Yes
ICMPv6 Flood | Flood with ICMPv6 packets | Yes
IGMP Flood | Flood with IGMP packets (IPv4 packets with IP protocol number 2) | Yes
IGMP Fragment Flood | Fragmented packet flood with IGMP protocol | Yes
IP Error Checksum | The header checksum is not correct. | Yes
IP Fragment Error | Other IPv4 fragment error | Yes
IP Fragment Flood | Fragmented packet flood with IPv4 | Yes
IP Fragment Overlap | IPv4 overlapping fragment error | No
IP Fragment Too Small | IPv4 short fragment error | Yes
IP Length > L2 Length | The total length in the IPv4 header or the payload length in the IPv6 header is greater than the Layer 3 length in a Layer 2 packet. | Yes
IP Option Frames | IPv4 packets that are part of an IP option frame flood. On the command line, the db variable tm.acceptipsourceroute must be enabled to receive IP options. | Yes
IP Option Illegal Length | Option present with illegal length. | No
IP uncommon proto | Sets thresholds for and tracks packets containing IP protocols considered to be uncommon. By default, all IP protocols other than TCP, UDP, ICMP, IPV6-ICMP, and SCTP are on the IP uncommon protocol list. | Yes
IP Unknown protocol | Unknown IP protocol | No
IPv4 mapped IPv6 | The IPv6 stack is receiving IPv4 packets. | Yes
IPV6 Atomic Fragment | IPv6 Fragment header present with M=0 and FragOffset=0 | Yes
IPv6 duplicate extension headers | An extension header should occur only once in an IPv6 packet, except for the Destination Options extension header. | Yes
IPv6 Extended Header Frames | IPv6 packet contains extended header frames. | Yes
IPv6 extended headers wrong order | Extension headers in the IPv6 header are in the wrong order. | Yes
IPv6 extension header too large | An IPv6 extension header exceeds the limit in bytes set at DoS Setup > Global, in the Too Large IPv6 Extension Header field. | Yes
IPv6 Fragment Error | Other IPv6 fragment error | Yes
IPv6 Fragment Flood | Fragmented packet flood with IPv6 | Yes
IPv6 Fragment Overlap | IPv6 overlapping fragment error | No
IPv6 Fragment Too Small | IPv6 short fragment error | Yes
IPv6 hop count <= <tunable> | The IPv6 extended header hop count is less than or equal to the hop count limit set at DoS Setup > Global, in the IPv6 Low Hop Count field. | Yes
IPv6 Length > L2 Length | IPv6 length is greater than the Layer 2 length. | Yes
L2 Length >> IP Length | Layer 2 packet length is much greater than the payload length in the IPv4 header, and the Layer 2 length is greater than the minimum packet size. | Yes
LAND Attack | Source IP equals destination IP address | Yes
No L4 | No Layer 4 payload for an IPv4 packet. | Yes
No L4 (Extended Headers Go To Or Past End of Frame) | Extended headers go to the end or past the end of the L4 frame. | Yes
No Listener Match | This can occur if the listener is down as it attempts to make a connection, or if it was not started or was configured improperly. It may also be caused by a network connectivity problem. | 
Non TCP Connection | Sets a connection rate limit for non-TCP flows that takes into account all other connections per second. | 
Option Present With Illegal Length | Packets contain an option with an illegal length. | Yes
Payload Length < L2 Length | Specified IPv6 payload length is less than the L2 packet length. | Yes
Routing Header Type 0 | Identifies flood packets containing type 0 routing headers, which can be used to amplify traffic to initiate a DoS attack. | Yes
Single Endpoint Flood | Flood to a single endpoint, which can come from many sources. You can configure packet types to check for, and packets per second for both detection and rate limiting. | No
Single Endpoint Sweep | Sweep on a single endpoint. You can configure packet types to check for, and packets per second for both detection and rate limiting. | No
SYN && FIN Set | Bad TCP flags (SYN and FIN set). | Yes
TCP BADACK Flood | TCP ACK packet flood | No
TCP Flags - Bad URG | Packet contains a bad URG flag; this is likely malicious. | Yes
TCP Half Open | TCP connection whose state is out of synchronization between the two communicating hosts | Yes
TCP Header Length > L2 Length | The TCP header length exceeds the Layer 2 length. | Yes
TCP Header Length Too Short (Length < 5) | The Data Offset value in the TCP header is less than five 32-bit words. | Yes
TCP Option Overruns TCP Header | The TCP option bits overrun the TCP header. | Yes
TCP PUSH Flood | TCP PUSH flood | Yes
TCP RST Flood | TCP RST flood | Yes
TCP SYN ACK Flood | TCP SYN/ACK flood | Yes
TCP SYN Flood | TCP SYN flood | Yes
TCP SYN Oversize | Detects TCP data SYN packets larger than the maximum specified in the limit set at DoS Setup > Global, in the Too Large TCP SYN Packet field. The default size in bytes is 64 and the maximum allowable value is 9216. | Yes
TCP Window Size | The TCP window size in packets is above the maximum size. To tune this setting, change the setting at DoS Setup > Global, in the Too Low TCP Window Size field. | Yes
TIDCMP | ICMP source quench attack | Yes
Too Many Extension Headers | For an IPv6 packet, the extension headers exceed the limit set at DoS Setup > Global, in the Too Many IPv6 Extension Header field. | Yes
TTL <= <tunable> | An IP packet with a destination that is not multicast has a TTL greater than 0 and less than the value set at DoS Setup > Global, in the IPv4 Low TTL field. The range for this setting is 1-4. | Yes
UDP Flood | UDP flood attack | Yes
Unknown Option Type | Unknown IP option type. | No
Unknown TCP Option Type | Unknown TCP option type. | Yes

DNS attack vectors

Vector | Information | Hardware accelerated
DNS A Query | UDP packet, DNS Qtype is A_QRY, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Setup > Global to the DNS VLAN (0-4094). | Yes
DNS AAAA Query | UDP packet, DNS Qtype is AAAA, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Setup > Global to the DNS VLAN (0-4094). | Yes
DNS AXFR Query | UDP packet, DNS Qtype is AXFR, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Setup > Global to the DNS VLAN (0-4094). | Yes
DNS Any Query | UDP packet, DNS Qtype is ANY_QRY, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Setup > Global to the DNS VLAN (0-4094). | Yes
DNS CNAME Query | UDP DNS query, DNS Qtype is CNAME, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Setup > Global to the DNS VLAN (0-4094). | Yes
DNS IXFR Query | UDP DNS query, DNS Qtype is IXFR, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Setup > Global to the DNS VLAN (0-4094). | Yes
DNS MX Query | UDP DNS query, DNS Qtype is MX, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Setup > Global to the DNS VLAN (0-4094). | Yes
DNS Malformed | Malformed DNS packet | Yes
DNS NS Query | UDP DNS query, DNS Qtype is NS, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Setup > Global to the DNS VLAN (0-4094). | Yes
DNS NXDOMAIN Query | DNS query. Queried domain name does not exist. | Yes
DNS OTHER Query | UDP DNS query, DNS Qtype is OTHER, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Setup > Global to the DNS VLAN (0-4094). | Yes
DNS Oversize | Detects oversized DNS headers. To tune this value, set the Too Large DNS Packet setting at DoS Setup > Global to the maximum value for a DNS header, from 256-8192 bytes. | Yes
DNS PTR Query | UDP DNS query, DNS Qtype is PTR, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Setup > Global to the DNS VLAN (0-4094). | Yes
DNS Question Items != 1 | UDP packet, DNS qdcount neq 1, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Setup > Global to the DNS VLAN (0-4094). | Yes
DNS Response Flood | UDP DNS Port=53 packet, and DNS header flags bit 15 is 1 (response), VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Setup > Global to the DNS VLAN (0-4094). | Yes
DNS SOA Query | UDP packet, DNS Qtype is SOA_QRY, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Setup > Global to the DNS VLAN (0-4094). | Yes
DNS SRV Query | UDP packet, DNS Qtype is SRV, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Setup > Global to the DNS VLAN (0-4094). | Yes
DNS TXT Query | UDP packet, DNS Qtype is TXT, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Setup > Global to the DNS VLAN (0-4094). | Yes
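The DNS vectors above are keyed on header fields of one UDP/53 payload: the Qtype of the question, qdcount, header flags bit 15 (response), and total size. As an added example that is not F5 code, this Python function parses one payload and names the vectors it would count toward; the function name, the default size limit, and the use of RCODE 3 to recognise NXDOMAIN responses are my assumptions.

```python
import struct

# QTYPE codes for the query vectors in the table; anything else maps to "DNS OTHER Query".
QTYPE_VECTORS = {1: "DNS A Query", 2: "DNS NS Query", 5: "DNS CNAME Query",
                 6: "DNS SOA Query", 12: "DNS PTR Query", 15: "DNS MX Query",
                 16: "DNS TXT Query", 28: "DNS AAAA Query", 33: "DNS SRV Query",
                 251: "DNS IXFR Query", 252: "DNS AXFR Query", 255: "DNS Any Query"}

def classify_dns(payload: bytes, max_size: int = 512) -> list:
    """Vector names from the DNS table matched by one UDP/53 payload.
    max_size stands in for the Too Large DNS Packet setting (256-8192 bytes)."""
    hits = ["DNS Oversize"] if len(payload) > max_size else []
    if len(payload) < 12:                       # no complete 12-byte DNS header
        return hits + ["DNS Malformed"]
    _ident, flags, qdcount = struct.unpack("!3H", payload[:6])
    is_response = bool(flags & 0x8000)          # header flags bit 15 (QR)
    if is_response:
        hits.append("DNS Response Flood")
        if (flags & 0x000F) == 3:               # RCODE 3 = NXDOMAIN (assumed detection rule)
            hits.append("DNS NXDOMAIN Query")
    if qdcount != 1:
        hits.append("DNS Question Items != 1")
        return hits
    # Walk the question's QNAME labels; QTYPE follows the terminating zero-length label.
    pos = 12
    while True:
        if pos >= len(payload):
            return hits + ["DNS Malformed"]     # name runs past the end of the packet
        label_len = payload[pos]
        if label_len == 0:
            pos += 1
            break
        if label_len & 0xC0:                    # compression pointers are invalid in a question
            return hits + ["DNS Malformed"]
        pos += 1 + label_len
    if pos + 4 > len(payload):                  # QTYPE and QCLASS must follow the name
        return hits + ["DNS Malformed"]
    qtype = struct.unpack("!H", payload[pos:pos + 2])[0]
    if not is_response:
        hits.append(QTYPE_VECTORS.get(qtype, "DNS OTHER Query"))
    return hits
```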

SIP attack vectors

Vector | Information | Hardware accelerated
SIP ACK Method | SIP ACK packets | Yes
SIP BYE Method | SIP BYE packets | Yes
SIP CANCEL Method | SIP CANCEL packets | Yes
SIP INVITE Method | SIP INVITE packets | Yes
SIP Malformed | Malformed SIP packets | Yes
SIP MESSAGE Method | SIP MESSAGE packets | Yes
SIP NOTIFY Method | SIP NOTIFY packets | Yes
SIP OPTIONS Method | SIP OPTIONS packets | Yes
SIP OTHER Method | Other SIP method packets | Yes
SIP PRACK Method | SIP PRACK packets | Yes
SIP PUBLISH Method | SIP PUBLISH packets | Yes
SIP REGISTER Method | SIP REGISTER packets | Yes
SIP SUBSCRIBE Method | SIP SUBSCRIBE packets | Yes
SIP URI Limit | The SIP URI exceeds the limit set at DoS Setup > Global, in the Too Long SIP URI field. This setting should be less than 1024, the maximum length for a SIP URI in bytes. | Yes

Behavioral

Behavioral DDoS protection is enabled by default, and all thresholds and threshold actions are applied. You can initiate learning or relearning of dynamic signatures, adjust mitigation sensitivity, and enable redirection and scrubbing of IP addresses identified by the dynamic signatures. You also have the option of selecting Learn Only to track dynamic vector statistics without enforcing any thresholds or limits.
In the case of an attack, the system dynamically creates signatures that characterize the attack. During the attack, you see them listed as behavioral vectors (starting with Sig). They are removed when the attack is over.