Manual Chapter :
Protecting Against DDoS Attacks
Overview: Protecting against DDoS attacks
You can easily set up DDoS Hybrid Defender™ to protect your networks and applications from DoS attacks. Once it is all set up, you can monitor the system to see whether there have been any attacks, and whether they are being handled properly.
You configure DDoS Hybrid Defender by using the settings in the DoS Configuration menu. F5 does not generally recommend making changes using the Advanced Menu.
Protecting the network from DDoS attacks
DDoS Hybrid Defender™ detects and handles DDoS attacks using preconfigured responses. Here you can adjust the device configuration settings that apply to the DDoS Hybrid Defender device as a whole so that it protects the network.
- On the Main tab, click.
- From the Log Publisher list, select a destination to which the BIG-IP system sends DoS and DDoS log entries. You can review, create, and update log publishers in.
- For Threshold Sensitivity, select Low, Medium, or High. Low means the automatic threshold calculations are less sensitive to changes in traffic and CPU usage. A lower setting causes the system to adjust the thresholds more slowly over time, but will also trigger fewer false positives. If traffic rates are consistent over time, set this to Medium or High because even a small variation in generally consistent traffic could signal an attack. If traffic patterns vary, set this to Low to get fewer false positives.
- From the Eviction Policy list, select the eviction policy to apply globally. The global context requires an eviction policy. If you do not apply a custom eviction policy, the system default policy, default-eviction-policy, is applied and selected in this field.
- In the Auto Threshold area, for Relearn, click Start Relearning to start relearning auto-thresholds by analyzing current traffic. Auto-thresholds are calculated from the system start. If you have made changes to the system since then, and want the system to adjust automatic DoS thresholds because of these changes, use this option.
- In the Dynamic Signatures area, for Relearn, click Start Relearning to delete existing dynamic signatures and start learning new ones by analyzing current traffic. The default learning period is two hours. Dynamic DoS detection creates dynamic signatures for attacks based on changing traffic patterns over time. The Learning Phase End Time displays the time and date the last learning period ended.
- Optionally, set up appropriate whitelists for addresses that can bypass DDoS checks.
- To specify a system-wide DoS address list containing addresses that do not need to be checked for DoS attacks, type the name of a previously configured list in the Whitelist Address List field (see Creating a whitelist address list for details). The system must be compatibility level 1 or 2. Whitelist address lists are simply lists of addresses.
- For Rich Whitelists (all compatibility levels), click the Add Whitelist button, type the name, source VLAN, source or destination address, port, and protocol, then click Done Editing. You can create up to eight rich whitelists, which allow further delineation of the whitelist.
- If the system is compatibility level 2, for Extended Whitelists, click the Add Whitelist button, type the name, source VLAN, source address, destination address, port, and protocol, then click Done Editing. Extended whitelists can include both the source and destination addresses on systems that support Neuron capabilities.
- Click the edit icon on the right of Network or DNS to open a properties pane where you can configure settings for the family of vectors. You can specify settings for dynamic signatures, mitigation, or scrubbing.
- Click a family (Network, DNS, or SIP) to display the associated attack vectors. A table opens listing the attack vectors, the properties, and the current device statistics, if available.
- In the Attack Type column, click the name of any attack type to edit the settings. The attack settings appear on the right, in the Properties pane.
- By default, the system enforces all of the vectors at some level. To enforce the DoS vector, make sure the State is set to Mitigate (watch, learn, alert, and mitigate). Other options allow you to Detect Only (watch, learn, and alert) or Learn Only (collect stats, no mitigation). For most DoS vectors, you want to enforce the vector. Set a vector to Disabled (no stat collection, no mitigation) only when you find that enforcement of the vector is disrupting legitimate traffic. For example, if you test a legitimate packet with the packet tester and find a DoS vector is preventing packet transmission, you can adjust the thresholds or disable the vector to remedy the issue.
- Set the Threshold Mode for the vector.
- If the attack allows automatic threshold configuration, you can select Fully Automatic or Manual Detection/Auto Mitigation to configure automatic or partially automatic thresholds.
- To configure thresholds manually, click Fully Manual.
- To set the mitigation state for one or more attack types, select the check box next to the vector name or names, and from the Set State list at the bottom of the screen, select Mitigate, Detect Only, or Disable. The state you click is set for all selected vectors.
- If desired, you can configure threshold settings for multiple DDoS vectors.
- Select the check box next to the vector names.
- At the bottom of the screen, click Set Threshold Mode, and choose the threshold setting. Select Fully-automatic for the system to set the thresholds for the vectors that use auto-thresholding. See Automatically setting system-wide DDoS thresholds for details. To work accurately, using fully-automatic thresholds requires some amount of historical data on the system gathered through observing normal traffic. Therefore, it is recommended that you not enforce auto thresholds directly after installation. To configure thresholds manually, click Manual. See Manually setting system-wide DDoS thresholds for details. Choose Manual Detection/Auto-Mitigation to configure thresholds manually but have the system automatically mitigate system stress.
- When you finish adjusting the settings, click Commit Changes to System.
Now you have configured the device to respond to DoS and DDoS attacks, and to allow such attacks to be identified in system logs and reports.
Refer to the sections on automatically and manually setting system-wide DDoS vector thresholds if you need more details about adjusting the DDoS Hybrid Defender device configuration.
Automatically setting system-wide DDoS vector thresholds
DDoS Hybrid Defender™ handles DDoS attacks at the system level using preconfigured responses, but you might need to adjust the values for your environment. You can configure system-wide device protections that examine all the traffic coming through DDoS Hybrid Defender. For some DDoS attack vectors available in the device protection, you can have the system automatically set detection thresholds and internal rate or leak limits. Use this task to configure individual DoS vectors that include the automatic configuration.
Not all settings apply to all DoS vectors. For example, some vectors do not have automatic thresholds.
- On the Main tab, click.
- Click a family (Network, DNS, or SIP) to display the associated attack vectors. A table opens listing the attack vectors, the properties, and the current device statistics, if available.
- In the Attack Type column, click the name of any attack type to edit the settings. The attack type settings appear on the right, in the Properties pane.
- By default, the system enforces all of the vectors at some level. To enforce the DoS vector, make sure the State is set to Mitigate (watch, learn, alert, and mitigate). Other options allow you to Detect Only (watch, learn, and alert) or Learn Only (collect stats, no mitigation). For most DoS vectors, you want to enforce the vector. Set a vector to Disabled (no stat collection, no mitigation) only when you find that enforcement of the vector is disrupting legitimate traffic. For example, if you test a legitimate packet with the packet tester and find a DoS vector is preventing packet transmission, you can adjust the thresholds or disable the vector to remedy the issue.
- To allow the DoS vector thresholds to be automatically adjusted, for Threshold Mode, select Fully Automatic (available only for DNS, Flood, SIP, some Fragmentation, and a few other vectors). Automatic thresholding is not available for every DoS vector. In particular, for error packets that are broken by their nature, such as those listed under Bad Headers, you must configure them manually.
- In the Attack Floor EPS field, type the number of events per second of the vector type to allow at a minimum, before automatically calculated thresholds are determined. Because automatic thresholds take time to be reliably established, this setting defines the minimum packets allowed before automatic thresholds are calculated.
- In the Attack Ceiling EPS field, specify the absolute maximum allowable for packets of this type before automatically calculated thresholds are determined. Because automatic thresholds take time to be reliably established, this setting rate limits packets to the events per second setting, when specified. To set no hard limit, set this to Infinite. Unless set to Infinite, if the maximum number of packets exceeds the ceiling value, the system considers it to be an attack.
- To detect IP address sources from which possible attacks originate, enable Bad Actor Detection.
- To automatically blacklist bad actor IP addresses, select Add Source Address to Category.
- Select the Category Name to which blacklist entries generated by Bad Actor Detection are added.
- Specify the Sustained Attack Detection Time, in seconds, after which an IP address is blacklisted.
- To change the duration for which the address is blacklisted, specify the duration in seconds in the Category Duration Time field. The default duration for an automatically blacklisted item is 4 hours (14400 seconds). After this time period, the IP address is removed from the blacklist.
- To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement. To advertise to edge routers, you must configure a Blacklist Publisher for the Advertisement Next-Hop in the Global Settings.
- For automatic blacklisting, click Attacked Destination Detection, and configure the additional settings as for Bad Actor Detection.
- When you finish adjusting the settings, click Commit Changes to System.
Now you have configured the device to automatically determine DoS attack thresholds based on the characteristics of traffic at the network level. The thresholds assigned are usually between the attack floor and attack ceiling values.
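The following is an added example, not part of this manual and not DDoS Hybrid Defender's own algorithm, showing how an automatically learned threshold interacts with the Attack Floor EPS and Attack Ceiling EPS settings described above: traffic at or below the floor is always allowed, traffic above a finite ceiling is always treated as an attack, and in between the learned value (here a baseline mean plus a sensitivity-dependent number of standard deviations, an assumed formula) is clamped to the floor/ceiling band. The sensitivity multipliers, function names and traffic history are constructed for the illustration.

```python
"""Added illustration of automatic DoS threshold calculation bounded by an attack
floor and ceiling. Constructed model; not DDoS Hybrid Defender's algorithm.
The per-sensitivity multipliers are assumptions."""
from statistics import mean, pstdev
from typing import Optional, Sequence

INFINITE = None  # stands in for the "Infinite" setting of Attack Ceiling EPS

# Assumed multipliers modelling Threshold Sensitivity: Low reacts least to
# variance in normal traffic (fewer false positives), High reacts most.
SENSITIVITY_K = {"low": 6.0, "medium": 4.0, "high": 2.0}


def learned_threshold(samples_eps: Sequence[float], sensitivity: str) -> float:
    """Derive a detection threshold (events per second) from observed
    normal-traffic rates: baseline mean plus k standard deviations.
    A fraction of the mean is the minimum band so that perfectly flat traffic
    does not yield a threshold equal to the mean itself."""
    k = SENSITIVITY_K[sensitivity.lower()]
    mu = mean(samples_eps)
    sigma = pstdev(samples_eps)
    return mu + k * max(sigma, 0.05 * mu)


def effective_threshold(learned: float, floor_eps: float,
                        ceiling_eps: Optional[float]) -> float:
    """Clamp the learned threshold between Attack Floor EPS and Attack Ceiling
    EPS, so the assigned threshold lies between the floor and ceiling values."""
    t = max(learned, floor_eps)
    if ceiling_eps is not INFINITE:
        t = min(t, ceiling_eps)
    return t


def classify(eps: float, floor_eps: float, ceiling_eps: Optional[float],
             learned: Optional[float]) -> str:
    """Classify one second of traffic for a vector. learned=None models the
    period before enough history exists: only floor and ceiling are enforced."""
    if eps <= floor_eps:
        return "allow"          # at or below the floor is always permitted
    if ceiling_eps is not INFINITE and eps > ceiling_eps:
        return "attack"         # above the hard ceiling is always an attack
    if learned is None:
        return "allow"          # no reliable automatic threshold yet
    threshold = effective_threshold(learned, floor_eps, ceiling_eps)
    return "attack" if eps > threshold else "allow"


if __name__ == "__main__":
    # Constructed history of per-second event counts during normal operation.
    history = [90, 110, 90, 110]
    learned = learned_threshold(history, "medium")   # 140.0
    for rate in (30, 100, 130, 150):
        print(rate,
              classify(rate, floor_eps=50, ceiling_eps=120, learned=learned),
              classify(rate, floor_eps=50, ceiling_eps=INFINITE, learned=learned))
```

The run shows why the manual recommends not enforcing auto thresholds directly after installation: with `learned=None` only the floor and ceiling protect the vector, and a ceiling of Infinite leaves nothing above the floor enforced until history has accumulated.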
Manually setting system-wide DDoS vector thresholds
You manually configure thresholds for a DDoS vector when you want to configure specific settings, or when the vector does not allow for automatic threshold configuration.
Not all settings apply to all DoS vectors.
- On the Main tab, click.
- Click a family (Network, DNS, or SIP) to display the associated attack vectors. A table opens listing the attack vectors, the properties, and the current device statistics, if available.
- In the Attack Type column, click the name of any attack type to edit the settings. The attack type settings appear on the right, in the Properties pane.
- By default, the system enforces all of the attack types at some level. If you do not want to enforce a particular attack type, in the properties set the State to Disabled.
- In the Properties pane, set Threshold Mode to Fully Manual.
- From the Detection Threshold EPS list, select Specify or Infinite.
- Use Specify to set a value (in packets per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for the duration that the threshold is exceeded.
- Use Infinite to set no value for the threshold.
- From the Detection Threshold % list, select Specify or Infinite.
- Use Specify to set a value (in percentage of traffic) for the attack detection threshold. If packets of the specified types cross the percentage threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for the duration that the threshold is exceeded.
- Use Infinite to set no value for the threshold.
- From the Mitigation Threshold EPS list, select Specify or Infinite.
- Use Specify to set a value (in events per second), which cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
- Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
- Click Simulate Auto Threshold to log a simulated attack event that the system identifies as a DoS attack according to the automatic thresholds, while still enforcing the manual thresholds. This setting allows you to see the results of auto thresholds on the selected DoS vector without actually affecting traffic. The system displays the current computed thresholds for automatic thresholds for this vector. Automatic thresholds are computed and enforced only when you select Fully Automatic for a vector.
- To detect IP address sources from which possible attacks originate, enable Bad Actor Detection.
- In the Per Source IP Detection Threshold EPS field, specify the number of packets of this type per second from one IP address that identifies the IP source as a bad actor, for purposes of attack detection and logging.
- In the Per Source IP Mitigation Threshold EPS field, specify the number of packets of this type per second from one IP address, above which rate limiting or leak limiting occurs.
- To automatically blacklist bad actor IP addresses, select Add Source Address to Category.
- Select the Category Name to which blacklist entries generated by Bad Actor Detection are added.
- Specify the Sustained Attack Detection Time, in seconds, after which an IP address is blacklisted.
- To change the duration for which the address is blacklisted, specify the duration in seconds in the Category Duration Time field. The default duration for an automatically blacklisted item is 4 hours (14400 seconds). After this time period, the IP address is removed from the blacklist.
- To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement. To advertise to edge routers, you must configure a Blacklist Publisher for the Advertisement Next-Hop in the Global Settings.
- For automatic blacklisting, click Attacked Destination Detection, and configure the additional settings as for Bad Actor Detection.
- When you finish adjusting the settings, click Commit Changes to System.
- Repeat the previous steps for any other attack types for which you want to manually configure thresholds.
Now you have configured the system to provide custom responses to possible DDoS attacks at the device level, and to allow such attacks to be identified in system logs and reports, rate-limited, and blacklisted when specified.
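As an added worked example (constructed for this page, not DDoS Hybrid Defender's internal logic), the per-second model below ties together the manual settings from the task above: the vector-wide Detection Threshold EPS (log an attack), Mitigation Threshold EPS (drop the excess), the Per Source IP detection and mitigation thresholds of Bad Actor Detection, the Sustained Attack Detection Time after which a source is added to the blacklist category, and the Category Duration Time after which it is removed again. The policy of trimming the largest senders first when the vector-wide mitigation threshold is exceeded, the dataclass names and the traffic counts are all assumptions; the 14400-second default comes from the text.

```python
"""Added per-second model of manual DoS vector thresholds with Bad Actor
Detection, sustained-attack blacklisting and category expiry.
Constructed illustration; not DDoS Hybrid Defender's internal logic."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

INFINITE = None  # stands in for the "Infinite" list choice (threshold disabled)


@dataclass
class VectorThresholds:
    detection_eps: Optional[int] = INFINITE         # Detection Threshold EPS
    mitigation_eps: Optional[int] = INFINITE        # Mitigation Threshold EPS
    per_src_detect_eps: Optional[int] = INFINITE    # Per Source IP Detection Threshold EPS
    per_src_mitigate_eps: Optional[int] = INFINITE  # Per Source IP Mitigation Threshold EPS
    sustained_attack_s: int = 10                    # Sustained Attack Detection Time (assumed default)
    category_duration_s: int = 14400                # Category Duration Time (4 hours, per the text)


@dataclass
class VectorState:
    thresholds: VectorThresholds
    blacklist: Dict[str, int] = field(default_factory=dict)  # src -> expiry second
    sustained: Dict[str, int] = field(default_factory=dict)  # src -> consecutive seconds over threshold
    log: List[str] = field(default_factory=list)


def _over(value: int, threshold: Optional[int]) -> bool:
    return threshold is not INFINITE and value > threshold


def process_second(state: VectorState, now: int, packets_by_src: Dict[str, int]) -> dict:
    """Evaluate one second of events for one vector. The system re-checks every
    second, so the caller invokes this once per second with per-source counts."""
    t = state.thresholds
    forwarded: Dict[str, int] = {}
    dropped = 0

    # Category expiry: entries leave the blacklist after Category Duration Time.
    for src, expiry in list(state.blacklist.items()):
        if now >= expiry:
            del state.blacklist[src]
            state.log.append(f"{now}: {src} removed from blacklist")

    for src, count in packets_by_src.items():
        if src in state.blacklist:
            dropped += count
            forwarded[src] = 0
            continue
        if _over(count, t.per_src_detect_eps):
            state.sustained[src] = state.sustained.get(src, 0) + 1
            if state.sustained[src] == 1:
                state.log.append(f"{now}: bad actor {src} at {count} eps")
            if state.sustained[src] >= t.sustained_attack_s:
                # Add Source Address to Category once the attack is sustained.
                state.blacklist[src] = now + t.category_duration_s
                state.sustained.pop(src)
                state.log.append(f"{now}: {src} blacklisted for {t.category_duration_s}s")
                dropped += count
                forwarded[src] = 0
                continue
        else:
            state.sustained.pop(src, None)   # streak broken: start counting again
        allowed = count
        if _over(count, t.per_src_mitigate_eps):
            allowed = t.per_src_mitigate_eps  # per-source rate limit
        dropped += count - allowed
        forwarded[src] = allowed

    total = sum(forwarded.values())
    attack = _over(total, t.detection_eps)
    if attack:
        state.log.append(f"{now}: attack detected at {total} eps")
    if _over(total, t.mitigation_eps):
        # Excess events are dropped. Trimming the largest senders first is a
        # constructed policy for this example, not documented behaviour.
        excess = total - t.mitigation_eps
        for src in sorted(forwarded, key=lambda s: -forwarded[s]):
            cut = min(excess, forwarded[src])
            forwarded[src] -= cut
            excess -= cut
            dropped += cut
            if excess == 0:
                break
    return {"forwarded": forwarded, "dropped": dropped, "attack": attack}


def run_scenario() -> VectorState:
    """Constructed scenario: one source exceeds the per-source thresholds for
    three consecutive seconds and is blacklisted; the entry later expires."""
    state = VectorState(VectorThresholds(detection_eps=1000, mitigation_eps=1500,
                                         per_src_detect_eps=300, per_src_mitigate_eps=400,
                                         sustained_attack_s=3))
    traffic = {"10.0.0.1": 50, "203.0.113.9": 500}   # constructed per-second counts
    for second in (0, 1, 2, 3):
        process_second(state, second, traffic)
    process_second(state, 3 + 14400, traffic)          # after Category Duration Time
    return state
```

Running `run_scenario()` logs the bad actor at second 0, blacklists it at second 2 (the third consecutive second over the per-source detection threshold), and removes it again 14400 seconds later; because its traffic is still above the per-source detection threshold at that point, the sustained counter restarts from one rather than re-blacklisting immediately.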
Configuring dynamic signatures at the device level
Dynamic DoS detection creates dynamic signatures for attacks based on changing traffic patterns over time. When an attack is detected, a dynamic signature is created and added to the dynamic signatures list. All packets are then checked against the dynamic signature, and mitigated according to internal logic. You can enable dynamic signatures to dynamically detect and mitigate DoS attacks at the device level for Network or DNS device protection.
- On the Main tab, click. The DoS Protection Device Configuration screen opens.
- To enable dynamic signatures for Network (Layer 3 or 4) or DNS traffic, point to Network or DNS, then select the Edit icon (pencil) that appears on the right side. The Properties pane opens on the right with the settings for that traffic.
- In the Properties pane, for Dynamic Signature Enforcement, from the list, select Enabled. At first, you may want to select Learn Only to track dynamic signatures, without enforcing any thresholds or limits. Once you see that the system is accurately detecting attacks, then select Enabled.
- From the Mitigation Sensitivity list, select the sensitivity level for dropping packets.
- Select None to generate and log dynamic signatures, without dropping packets.
- To drop packets, set the mitigation level from Low to High. A setting of Low is least aggressive, but will also trigger fewer false positives. A setting of High is most aggressive, and the system may drop more false positive packets.
- For Network vectors only: To have dynamic signatures handled by an IP Intelligence category, from the Redirection/Scrubbing list, select Enabled.
- If using Redirection/Scrubbing to redirect traffic identified by dynamic signatures, from the Scrubbing Category list, select the IP Intelligence category to assign to the scrubbed packets.
- In the Scrubbing Advertisement Time field, specify the amount of time during which an IP address remains in the blacklist category (default is 300 seconds).
- When you finish adjusting the settings, click Commit Changes to System.
- If at any point you want to delete existing dynamic signatures and restart learning new ones, on the Device Protection screen, click Start Relearning.
With dynamic signatures enabled, the system examines traffic in a learning mode to create a baseline of normal traffic coming to the device. Learning lasts for a couple of hours until sufficient traffic and server stress is analyzed. Then, the system begins anomaly detection and, if an attack is detected, it develops dynamic signatures that characterize and mitigate the attack. The system continues to examine traffic patterns in an adaptive mode and constantly updates traffic information and creates dynamic signatures as needed.
To view and edit dynamic signatures, go to the Signatures screen, and click the signature name. You can edit the state and threshold mode, and view predicates in the Properties pane on the right. Click the name in the list again to review details about recent attacks for this signature.
You can also enable dynamic signatures on a protection profile for the protected objects associated with the protection profile.
Custom DDoS attack types
You can create custom HTTP, Network, DNS and TLS DoS attack types if the default attack types do not match a specific type of DoS traffic. Familiarize yourself with the following options prior to creating a new DoS signature.
The HTTP and TLS attack signatures share the same HTTP family.
Signature option | Description |
---|---|
Name | A unique name identifying the signature object. |
Tags | Tags are used to classify signatures. You can use tags to filter signature lists. For example, use a tag like Flood to group all flood attack signatures. |
Description | Describe the purpose of the signature. |
Alias | An alternate name for the signature. |
Approved | Select the check box to indicate that the signature has been reviewed and approved. |
Shareable | Indicates that the signature can be used by other protected objects (virtual servers) and protection profiles. All shareable signatures are accepted on any profile for which signatures are enabled. |
Predicates List | One or more match expressions, joined by logical operators, which the system uses to match traffic that is causing a DoS attack. You can edit the predicates (and all properties) of persistent signatures, and view the predicates of dynamic signatures. To add predicates when creating a persistent signature, click Add, select a predicate, specify the match expression, and the value. |
Creating a custom DDoS attack signature
You can create a custom HTTP, TLS, Network or DNS DoS attack signature for traffic patterns not matching one of the default attack signatures.
- On the Main tab, click.
- Click Add Signature within the Persistent area. The Properties pane opens on the right.
- Select an attack family from the family list.
- Enter a unique Signature Name for the attack signature.
- Click the Tags icon to define one or more optional search tags. Be sure to press Enter after each tag and click Done to associate all of the tags with the signature.
- Enter an optional Description and Alias.
- Click Add in the Predicates List area.
- Scroll through the Predicates List and select a predicate.
- Select the predicate match expression and value.
- Repeat steps 7 through 9 to add additional predicates.
- Click Create.
The new attack signature can now be viewed and modified when you click the Persistent area.
Use the new attack signature when creating or modifying a new protection profile or when enabling device protection.
Creating a whitelist address list
You can specify IP addresses on a whitelist that the system does not check for DDoS attacks. Addresses on the whitelist are trusted IP addresses that are never blocked.
Different types of whitelists are available depending on the hardware compatibility level of your system: whitelists (Level 1 or 2), rich whitelists (all levels), or extended whitelists (Level 2 only). You can create rich and extended whitelists when configuring Device Protection or creating a Protection Profile.
This task describes how to create a whitelist address list, which is configurable only if your system compatibility level is set to Level 1 or 2. You can check the compatibility level from the Advanced Menu at .
- On the Main tab, click.
- Click Create.
- In the Name field, type a name.
- In the Addresses field, type each address then click Add to add it to the whitelist. Addresses can be in the following forms:
- An IPv4 or IPv6 address, optionally specifying a network with CIDR slash notation
- An IPv4 or IPv6 address range
- A fully qualified domain name
- A geographic location
- Another address list or whitelist
- Click Finished to add the whitelist to the configuration.
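Because a whitelisted address bypasses DoS checks entirely, it is worth being precise about which of the address forms above a given source actually matches. The following is an added example, not the product's own code, that resolves a source address against whitelist address lists containing single IPv4/IPv6 addresses, CIDR networks, address ranges and references to other lists (the `@name` reference syntax is a constructed convention). Fully qualified domain names and geographic locations are left out because they need name resolution or a geolocation database. The list names and addresses are constructed sample data.

```python
"""Added example: match a source address against whitelist address lists made of
single addresses, CIDR networks, address ranges and references to other lists.
Constructed code, not DDoS Hybrid Defender's implementation."""
import ipaddress
from typing import Dict, Iterable, Set

# Entry forms: ("net", network), ("range", low, high) or ("ref", list_name).
# "@name" refers to another list; that syntax is a convention for this example.


def parse_entry(entry: str):
    entry = entry.strip()
    if entry.startswith("@"):
        return ("ref", entry[1:])
    if "-" in entry:
        low, high = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if low.version != high.version or low > high:
            raise ValueError(f"invalid address range {entry!r}")
        return ("range", low, high)
    # A bare address becomes a /32 or /128; strict=False accepts host bits set.
    return ("net", ipaddress.ip_network(entry, strict=False))


class Whitelists:
    def __init__(self, lists: Dict[str, Iterable[str]]):
        self.lists = {name: [parse_entry(e) for e in entries]
                      for name, entries in lists.items()}

    def contains(self, address: str, list_name: str) -> bool:
        return self._contains(ipaddress.ip_address(address), list_name, set())

    def _contains(self, addr, list_name: str, seen: Set[str]) -> bool:
        if list_name in seen:
            return False                  # guard against circular references
        seen.add(list_name)
        for entry in self.lists.get(list_name, []):   # unknown list: no match
            kind = entry[0]
            if kind == "ref":
                if self._contains(addr, entry[1], seen):
                    return True
            elif kind == "range":
                _, low, high = entry
                # Version check first: comparing IPv4 with IPv6 raises TypeError.
                if addr.version == low.version and low <= addr <= high:
                    return True
            else:
                net = entry[1]
                if addr.version == net.version and addr in net:
                    return True
        return False


def dos_check_required(wl: Whitelists, address: str, list_name: str) -> bool:
    """Whitelisted addresses are never checked; everything else is inspected."""
    return not wl.contains(address, list_name)


# Constructed sample lists using documentation address ranges.
SAMPLE_WHITELISTS = Whitelists({
    "mgmt": ["192.0.2.10", "2001:db8::/48"],
    "trusted": ["198.51.100.0/24", "203.0.113.5-203.0.113.9", "@mgmt"],
})

if __name__ == "__main__":
    for src in ("198.51.100.77", "203.0.113.7", "203.0.113.10", "2001:db8:0:1::5", "192.0.2.11"):
        print(src, "bypass" if not dos_check_required(SAMPLE_WHITELISTS, src, "trusted") else "inspect")
```

Note that an unknown list name matches nothing and a circular reference between lists is cut off rather than looping, both of which fail closed (the address is inspected rather than trusted).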
At the device level, you can use the whitelist in to specify traffic that is allowed to pass through DDoS Hybrid Defender without undergoing DoS checks. You can also use the whitelist at the profile level in to specify the default or HTTP whitelist.
Adjust the device compatibility level
BIG-IP devices are divided into three categories based on hardware capability, and each category allows the use of specific compatibility levels. When you modify the compatibility level of the system, you enable different levels of DoS/DDoS protection and whitelists that are available for use.
- Level 0: Systems with basic hardware DoS capabilities. Provides device protection and Rich Whitelists. Valid for all systems, and is the default value.
- Level 1: Virtual Edition (VE) systems or systems with hardware DoS and sPVA capabilities. Provides Level 0 features, per-virtual server DoS, whitelist host address lists, IP Intelligence, and bad actor detection.
- Level 2: Systems with hardware DoS, sPVA and Neuron capabilities. Provides Level 1 features, and whitelist subnet address lists.
If using DDoS Hybrid Defender, adjusting the compatibility level must be done from the Advanced Menu.
- On the Main tab, click.
- From the Compatibility Level list, select the appropriate compatibility level for your hardware. You will receive a message if you select a level that is not applicable to your hardware.
- Click Update.
Creating a protection profile
You need to create a DoS protection profile to define which protection mechanisms to apply to specific protected objects in your network. You can apply one protection profile to multiple protected objects, if they have similar characteristics.
For example, if securing a DNS server and several application servers, you could create two protection profiles: one that enforces DNS vectors and the other for enforcing HTTP vectors on two application servers. Then, you can create three protected objects and associate the DNS protection profile with the protected object representing the DNS server, and associate the HTTP protection profile with the protected objects created for the application servers.
- On the Main tab, click.
- On the Main tab, click. The Protection Profiles list screen opens.
- Click Create. The Create New Protection Profile screen opens.
- In the Name field, type a name.
- In the Description field, optionally type a description.
- Select the Threshold Sensitivity. Select Low, Medium, or High. A lower setting means the automatic threshold algorithm is less sensitive to changes in traffic and CPU usage, but will also trigger fewer false positives.
- If you have created a whitelist on the system, from the Default Whitelist list, select the list. You can also click Manage Address Lists to jump to the Address Lists screen where you can create or edit address lists.
- For HTTP Whitelist, you can use the default HTTP whitelist or Override Default to specify another list.
- For Families, select the types of vectors to include in the protection profile.
- Click the edit icon on the right of Network or DNS to open a properties pane where you can configure settings for the family of vectors. You can specify settings for dynamic signatures, mitigation, or scrubbing.
- Click a family (Network, DNS, SIP, or HTTP) to display the associated attack vectors. A table opens listing the attack vectors, the properties, and the current device statistics, if available.
- In the Vector Name column, click the name of any vector to edit the settings. The vector settings appear on the right, in the Properties pane.
- To fully enforce the DoS vector, make sure the State is set to Mitigate (watch, learn, alert, and mitigate). Other options allow you to Detect Only (watch, learn, and alert) or Learn Only (collect stats, no mitigation). If you have enforced most of the vectors at the device level using Device Protection, you can focus on adjusting the vector thresholds that vary for specific protected objects.
- Set the Threshold Mode for the vector.
- If the attack allows automatic threshold configuration, you can select Fully Automatic or Manual Detection/Auto Mitigation to configure automatic or partially automatic thresholds.
- To configure thresholds manually, click Fully Manual.
- To set the mitigation state for one or more attack types, select the check box next to the vector name or names, and from the Set State list at the bottom of the screen, select Mitigate, Detect Only, or Disable. The state you click is set for all selected vectors.
- If desired, you can configure threshold settings for multiple DDoS vectors.
- Select the check box next to the vector names.
- At the bottom of the screen, click Set Threshold Mode, and choose the threshold setting. Select Fully-automatic for the system to set the thresholds for the vectors that use auto-thresholding. See Automatically setting DDoS thresholds for Protected Objects for details. To work accurately, using fully automatic thresholds requires some amount of historical data on the system gathered through observing normal traffic. Therefore, it is recommended that you not enforce auto thresholds directly after installation. To configure thresholds manually, click Manual. See Manually setting DDoS thresholds for protected objects for details. Choose Manual Detection/Auto-Mitigation to configure thresholds manually but have the system automatically mitigate system stress.
- When you finish adjusting the settings of the vectors, click Commit Changes to System. The protection profile is created.
You have created a protection profile that implements specific DoS protections.
Next, you need to attach the protection profile to one or more protected objects.
Automatically setting Network, DNS or SIP DDoS vector thresholds for protected objects
DDoS Hybrid Defender™ protects network objects from DoS attacks by using a protection profile that you assign to protected objects. The protection profile is where you define thresholds for DDoS attack vectors. For some attack vectors in the protection profile, the system can automatically set detection thresholds and internal rate or leak limits by examining traffic patterns. Use this task to configure individual DoS vectors that include the automatic configuration.
Not all settings apply to all DoS vectors. For example, some vectors do not have automatic thresholds.
- On the Main tab, click.
- Click the name of the protection profile to edit, or create a new one.
- For Families, select the types of vectors to include in the protection profile.
- Click a family (Network, DNS, or SIP) to display the associated attack vectors. A table opens listing the attack vectors, the properties, and the current device statistics, if available.
- In the Vector Name column, click the name of any vector to edit the settings. The vector settings appear on the right, in the Properties pane.
- To fully enforce the DoS vector, make sure the State is set to Mitigate (watch, learn, alert, and mitigate). Other options allow you to Detect Only (watch, learn, and alert) or Learn Only (collect stats, no mitigation). If you have enforced most of the vectors at the device level using Device Protection, you can focus on adjusting the vector thresholds that vary for specific protected objects.
- To allow the DoS vector thresholds to be automatically adjusted, for Threshold Mode, select Fully Automatic (available only for DNS, Flood, SIP, some Fragmentation, and a few other vectors). Automatic thresholding is not available for every DoS vector. In particular, for error packets that are broken by their nature, such as those listed under Bad Headers, you must configure them manually.
- In the Attack Floor EPS field, type the number of events per second of the vector type to allow at a minimum, before automatically calculated thresholds are determined. Because automatic thresholds take time to be reliably established, this setting defines the minimum packets allowed before automatic thresholds are calculated.
- In the Attack Ceiling EPS field, specify the absolute maximum allowable for packets of this type before automatically calculated thresholds are determined. Because automatic thresholds take time to be reliably established, this setting rate limits packets to the events per second setting, when specified. To set no hard limit, set this to Infinite. Unless set to Infinite, if the maximum number of packets exceeds the ceiling value, the system considers it to be an attack.
- To detect IP address sources from which possible attacks originate, enable Bad Actor Detection.
- To automatically blacklist bad actor IP addresses, select Add Source Address to Category.
- Select the Category Name to which blacklist entries generated by Bad Actor Detection are added.
- Specify the Sustained Attack Detection Time, in seconds, after which an IP address is blacklisted.
- To change the duration for which the address is blacklisted, specify the duration in seconds in the Category Duration Time field. The default duration for an automatically blacklisted item is 4 hours (14400 seconds). After this time period, the IP address is removed from the blacklist.
- To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement. To advertise to edge routers, you must configure a Blacklist Publisher for the Advertisement Next-Hop in the Global Settings.
- For automatic blacklisting, click Attacked Destination Detection, and configure the additional settings as for Bad Actor Detection.
- When you finish adjusting the settings, click Commit Changes to System.
Now you have configured the protection profile to automatically determine DoS attack thresholds based on the characteristics of traffic. The thresholds assigned are usually between the attack floor and attack ceiling values.
Next, you need to attach the protection profile to one or more protected objects.
Configuring dynamic signatures in the protection profile
Dynamic DoS detection creates dynamic signatures that define attacks based on changing traffic patterns over time. When an attack is detected, a dynamic signature is created and added to the dynamic signatures list. All packets are then checked against the dynamic signature, and mitigated according to internal logic. You enable dynamic signatures in a protection profile to dynamically detect and mitigate DoS attacks for protected objects that are associated with the profile.
- On the Main tab, click.
- On the Main tab, click. The Protection Profiles list screen opens.
- To enable dynamic signatures for Network (Layer 3 or 4) or DNS traffic, point to Network or DNS, then select the Edit icon (pencil) that appears on the right side. The Properties pane opens on the right.
- In the Properties pane, for Dynamic Signature Enforcement, from the list, select Enabled. At first, you may want to select Learn Only to track dynamic signatures, without enforcing any thresholds or limits. Once you see that the system is accurately detecting attacks, then select Enabled.
- From the Mitigation Sensitivity list, select the sensitivity level for dropping packets.
- Select None to generate and log dynamic signatures, without dropping packets.
- To drop packets, set the mitigation level from Low to High. A setting of Low is least aggressive, but will also trigger fewer false positives. A setting of High is most aggressive, and the system may drop more false positive packets.
- For Network vectors only: To have dynamic signatures handled by an IP Intelligence category, from the Redirection/Scrubbing list, select Enabled.
- If using Redirection/Scrubbing to redirect traffic identified by dynamic signatures, from the Scrubbing Category list, select the IP Intelligence category to assign to the scrubbed packets.
- In the Scrubbing Advertisement Time field, specify the amount of time during which an IP address remains in the blacklist category (default is 300 seconds).
- When you finish adjusting the settings, click Commit Changes to System.
- If at any point, you want to delete existing dynamic signatures for this protected object and restart learning new ones:
- On the Main tab, click. (For DDoS, use the Advanced Menu.)
- Click the name of the protected object for which you want to remove dynamic signatures.
- Select.
- In the Dynamic Signatures field, click Relearn.
With dynamic signatures enabled, the system examines traffic in learning mode to create a baseline of normal traffic coming to the device. Learning lasts for a couple of hours, until sufficient traffic and server stress has been analyzed. Then the system begins anomaly detection and, if an attack is detected, it develops dynamic signatures that characterize and mitigate the attack. The system continues to examine traffic patterns in an adaptive mode, constantly updating traffic information and developing dynamic signatures as needed.
To view and edit dynamic signatures, go to the Signatures screen, and
click the signature name. You can edit the state and threshold mode, and view
predicates in the Properties pane on the right. Click the name in the list again to
review details about recent attacks for this signature.
You can also enable
dynamic signatures for network or DNS traffic at the device level.
Viewing and persisting dynamic signatures
DDoS Hybrid Defender™ must have completed the traffic learning period, two hours by default, and detected one or more traffic pattern anomalies in order to create a dynamic signature.
Dynamic signatures cannot be modified and do not remain in the configuration by default. You can view dynamic signature details and, if the signature is considered useful, make it permanent, or persistent, in the configuration. Persistent signatures can also be modified.
- On the Main tab, click.
- Click Dynamic to expand the list of dynamic signatures.
- Review the relevant signature statistics such as Creation Info and Threshold EPS.
- Click the name of the signature to view the signature Predicate List.
- To make the dynamic signature a permanent, or Persistent, signature, check the box next to the signature and click Make Persistent.
- To modify the signature, click Persistent.
- Click the name of the signature.
- The Properties page will appear to the right, allowing you to modify the signature.
Protecting network objects from DDoS attacks
With DDoS Hybrid Defender™, you can protect different types of network devices such as application servers, network hosts, DNS servers, routers, and so on against DDoS attacks. These network devices are called protected objects. You need to create protected objects that represent the different devices, and attach a protection profile that defines the DoS protections to apply to that device.
- On the Main tab, click. The Protected Objects screen is displayed showing the configured protected objects.
- On the far right, click. The Properties pane opens on the right where you create the protected object. The Shared Objects pane also appears; that is where you can develop traffic matching criteria for Netflow Protected Servers. It does not apply to Protected Objects.
- In the Properties pane, for Name, type a name for the protected object.
- In the Destination Address field, type the IP address or network to which the protected object can send traffic (same format as source address).
- In the Service Port field, specify the service port used by the protected object (0-65535, wildcard * All Ports for all, or select a service from the list).
- Check Auto Discover Contained Services to enable auto discovery of services. For more information about auto discovery of services, refer to About DDhD auto discovered services in the next section.
- From the Protocol list, select the network protocol that the protected object uses. Options are: TCP, UDP, or All Protocols.
- For Standard type protected objects, in the Service Profile list, select the appropriate DNS, SIP, or HTTP service profile to associate with the protected object. In most cases, the default DHD_dns, DHD_sip, or DHD_http profile is sufficient. To adjust the profile settings, from the Advanced Menu, select and select DNS, SIP (legacy), or HTTP. From there, you can edit the default profiles or create new ones.
- In the Source Address field, type the IP address or network from which the protected object accepts traffic. Specify the IP address in CIDR format: address/prefix, where the prefix length is in bits: for example, for IPv4: 10.0.0.1/32 or 10.0.0.0/24, and for IPv6: ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64.
- Click Network & General to expand the configuration area.
- From the VLANs list, move one or more VLANs available to this protected object into the Selected list. You can view and create VLANs by clicking View VLAN Profiles.
- From the Transparent Nexthop list, select the egress VLAN for traffic for which you want to preserve layer 2 (MAC) address information. Layer 2 address preservation disables layer 3 (IP/IPv6) address translation.
- From the Logging Profiles list, move one or more log profiles to use for this protected object into the Selected list. You can view and create Logging Profiles by clicking View Log Profiles.
- Click Protection Settings to expand the configuration area.
- In the Throughput Capacity (Mbps) field, type the maximum allowable throughput in megabits per second for the protected object. Infinite means no limit.
- From the Protection Profile list, select the protection profile that defines the protections and thresholds to associate with the protected object.
- From the Bot Defense Profile list, select the bot defense profile that defines the protections and thresholds to associate with the protected object.
- From the Eviction Policy list, select the eviction policy to associate with the protected object. The eviction policy provides guidelines for how aggressively the system discards flows from the flow table.
- From the IP Intelligence list, select the IP intelligence policy to associate with the protected object. The IP intelligence policy checks traffic against an IP intelligence database that contains known bad or questionable IP addresses.
- Click the Save button. The system creates the protected object.
Now you have configured the system to protect a network object from DDoS attacks, and
to allow such attacks to be identified in system logs and reports.
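The Destination Address, Service Port, Protocol and Source Address fields above together decide which protected object a given flow belongs to. The following is an added example, written for this page rather than taken from DDoS Hybrid Defender, that models that matching with Python's `ipaddress` module. It accepts the CIDR forms the procedure shows (including a host address with a prefix such as 2001:ed8:77b5:2:10:10:100:42/64, which is normalised to its network), the `*` port wildcard and port ranges; choosing the most specific destination prefix when objects overlap, the `lookup()` helper and the default source of 0.0.0.0/0 are assumptions, and the inventory is constructed.

```python
"""Protected-object matching modelled in code (added example, not F5's code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProtectedObject:
    name: str
    destination: str                 # Destination Address, CIDR
    service_port: str                # "*" (All Ports), "low-high", or a single port
    protocol: str = "All Protocols"  # TCP | UDP | All Protocols
    source: str = "0.0.0.0/0"        # Source Address, CIDR (assumed default: any IPv4)
    protection_profile: str = ""

    def _ports(self) -> Tuple[int, int]:
        if self.service_port.strip() == "*":
            return 0, 65535
        lo, _, hi = self.service_port.partition("-")
        return int(lo), int(hi or lo)

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        # strict=False accepts a host address with a prefix, e.g. 2001:ed8:77b5:2:10:10:100:42/64
        dst_net = ipaddress.ip_network(self.destination, strict=False)
        src_net = ipaddress.ip_network(self.source, strict=False)
        lo, hi = self._ports()
        # membership across IP versions is simply False, so IPv4 flows never hit IPv6 objects
        return (ipaddress.ip_address(dst) in dst_net
                and ipaddress.ip_address(src) in src_net
                and (self.protocol == "All Protocols" or self.protocol == proto)
                and lo <= dport <= hi)


def lookup(objects: List[ProtectedObject], src: str, dst: str, proto: str, dport: int) -> Optional[str]:
    """Name of the most specific protected object covering the flow (assumed ordering rule)."""
    ordered = sorted(objects,
                     key=lambda o: ipaddress.ip_network(o.destination, strict=False).prefixlen,
                     reverse=True)
    for obj in ordered:
        if obj.matches(src, dst, proto, dport):
            return obj.name
    return None


# constructed inventory; addresses are private and documentation ranges
SAMPLE_OBJECTS = [
    ProtectedObject("dns-servers", "10.0.0.0/24", "53", "UDP"),
    ProtectedObject("web-front", "10.0.0.10/32", "443", "TCP"),
    ProtectedObject("partner-api", "10.0.0.30/32", "8443", "TCP", source="203.0.113.0/24"),
    ProtectedObject("v6-app", "2001:ed8:77b5:2:10:10:100:42/64", "443", "TCP", source="::/0"),
    ProtectedObject("catch-all", "10.0.0.0/16", "*"),
]
```

A flow that fails an object's protocol or source restriction falls through to the next, broader object, which is why a TCP packet to a DNS server's port 53 lands on the catch-all object here rather than on the UDP-only DNS object.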
Create an eviction policy
You can create eviction policies to control the granularity and aggressiveness with
which the system discards flows.
- On the Main tab, click.
- Click Create. The New Eviction Policy screen opens.
- In the Name field, type a name for the eviction policy.
- In the Trigger fields, type a high and low water mark for the eviction policy. This measure specifies the percentage of the quota, for this context, at which flow eviction starts (high water mark) and ends (low water mark).
- Enable Slow Flow Monitoring to monitor flows that are considered slow by the system, and specify the slow flow threshold in bytes per second. This combination of settings monitors the system for flows that fall below the slow flow threshold for more than 30 seconds.
- In the Grace Period field you can set a grace period, in seconds, between the detection of slow flows that meet the threshold requirement, and purging of slow flows according to the Slow Flow Throttling settings.
- In the Slow Flow Throttling area, set the slow flow throttling options.
- Disabled: Slow flows are monitored, but not removed from the system when the threshold requirement is met for 30 seconds.
- Absolute: Slow flows are removed from the system when the threshold requirement is met for 30 seconds. Setting an absolute limit removes all slow flows beyond the specified absolute number of flows.
- Percent: Slow flows are removed from the system when the threshold requirement is met for 30 seconds. Setting a percentage limit removes that percentage of slow flows that exceed the specified monitoring setting, so the default value of 100% removes all slow flows that exceed the slow flow threshold, after the grace period.
- For Strategies, configure the strategies that the eviction policy uses to remove flows by moving algorithms from the Available list to the Selected list.
- Click Finished.
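The interaction between the Trigger water marks, the 30-second slow-flow window, the Grace Period and the three Slow Flow Throttling modes is the part of this procedure that is easiest to misconfigure. The following is an added example written for this page, not DDoS Hybrid Defender code: it models a flow table driven by those settings. The flow quota for the context, the number of flows evicted per tick and the oldest-first eviction order are assumptions (the page does not name the strategy algorithms), and the flows are constructed.

```python
"""Eviction policy behaviour modelled in code (added example, not F5's code)."""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional

SLOW_WINDOW = 30  # a flow must stay under the threshold this long to count as slow


@dataclass
class EvictionPolicy:
    quota: int                        # assumed: flow-table quota for this context
    high_water: int                   # Trigger: % of quota at which eviction starts
    low_water: int                    # Trigger: % of quota at which eviction ends
    slow_flow_bps: int = 0            # Slow Flow Monitoring threshold; 0 = off
    grace_period: int = 0             # seconds between slow-flow detection and purge
    throttling: str = "disabled"      # Slow Flow Throttling: disabled | absolute | percent
    throttle_value: int = 100         # flow count (absolute) or percentage (percent)
    max_evictions_per_tick: int = 1   # assumed: eviction is spread over ticks


@dataclass
class Flow:
    created: int
    bps: int
    slow_since: Optional[int] = None  # second at which bps first fell under the threshold


class FlowTable:
    def __init__(self, policy: EvictionPolicy):
        self.policy = policy
        self.flows: Dict[str, Flow] = {}
        self.evicting = False
        self.evicted: List[str] = []

    def add(self, fid: str, now: int, bps: int) -> None:
        self.flows[fid] = Flow(created=now, bps=bps)

    def utilisation(self) -> float:
        return 100.0 * len(self.flows) / self.policy.quota

    def _evict(self, fid: str) -> None:
        del self.flows[fid]
        self.evicted.append(fid)

    def _throttle(self, slow: List[str]) -> List[str]:
        """Apply the Slow Flow Throttling mode to the purge candidates."""
        p = self.policy
        if p.throttling == "absolute":      # keep up to N slow flows, purge the rest
            return slow[p.throttle_value:]
        if p.throttling == "percent":       # purge that percentage of the slow flows
            return slow[:math.ceil(len(slow) * p.throttle_value / 100)]
        return []                           # disabled: monitor only

    def tick(self, now: int) -> None:
        p = self.policy
        if p.slow_flow_bps:
            candidates = []
            for fid, f in self.flows.items():
                if f.bps >= p.slow_flow_bps:
                    f.slow_since = None
                    continue
                if f.slow_since is None:
                    f.slow_since = now
                # 30 s under the threshold, then the grace period, then purge
                if now - f.slow_since >= SLOW_WINDOW + p.grace_period:
                    candidates.append(fid)
            for fid in self._throttle(candidates):
                self._evict(fid)
        # hysteresis: start at the high water mark, stop only at the low water mark
        if not self.evicting and self.utilisation() >= p.high_water:
            self.evicting = True
        if self.evicting:
            oldest_first = sorted(self.flows, key=lambda k: self.flows[k].created)
            for fid in oldest_first[:p.max_evictions_per_tick]:
                if self.utilisation() <= p.low_water:
                    break
                self._evict(fid)
            if self.utilisation() <= p.low_water:
                self.evicting = False


def demo() -> dict:
    """Constructed scenarios: a burst over the high water mark, then one slow flow per mode."""
    burst = FlowTable(EvictionPolicy(quota=10, high_water=80, low_water=50, max_evictions_per_tick=2))
    for i in range(9):
        burst.add(f"f{i}", now=i, bps=1000)
    burst.tick(9)
    after_first = (len(burst.flows), burst.evicting)
    burst.tick(10)
    after_second = (len(burst.flows), burst.evicting)
    slow = {}
    for mode in ("disabled", "absolute", "percent"):
        value = 0 if mode == "absolute" else 100
        t = FlowTable(EvictionPolicy(quota=100, high_water=80, low_water=50, slow_flow_bps=100,
                                     grace_period=10, throttling=mode, throttle_value=value))
        t.add("slow", now=0, bps=10)
        t.add("fast", now=0, bps=5000)
        for now in (0, 39, 40):
            t.tick(now)
            slow.setdefault(mode, {})[now] = list(t.evicted)
    return {"after_first": after_first, "after_second": after_second, "slow": slow}
```

With nine flows against a quota of ten the table crosses the 80% mark, evicts two flows per tick, and keeps evicting at 70% because eviction ends only at the 50% low water mark; the slow flow survives the 30-second window and the 10-second grace period and is purged at second 40 under Absolute (limit 0) and Percent (100%), but never under Disabled.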
The eviction policy appears in the Eviction Policy List.
To use an eviction policy, associate it with a protected object or a route domain. You can configure a global eviction policy at .
Create a policy to check addresses against IP Intelligence
You can verify IP addresses against the
preconfigured IP Intelligence database, and against IPs from your own feed lists, by
creating an IP Intelligence policy.
- On the Main tab, click. The IP Intelligence Policies screen opens.
- Click Create to create a new IP Intelligence policy.
- In the Name field, type a name for the IP intelligence policy.
- To add feed lists to the policy, click the name of an Available feed list, and then add it to the Selected list.
- For Default Action, set the default action for the IP intelligence policy as a whole.
- Select Accept to allow packets from categorized addresses that have no action applied on the feed list.
- Select Drop to drop packets from categorized addresses that have no action applied on the feed list.
The default action applies to addresses that are not assigned a blacklist category in the feed list. The IP Intelligence feature uses the action specified in a feed list entry, when available.
- Set Default Log Actions for the IP intelligence policy as a whole.
- Log Whitelist Overrides logs only whitelist matches that override blacklist matches.
- Log Blacklist Category Matches logs IP addresses that match blacklist categories.
- Select both Log Blacklist Category Matches and Log Whitelist Overrides to log all blacklist matches, and all whitelist matches that override blacklist matches.
Whitelist matches always override blacklist matches.
- To customize default actions and logging for any of the blacklist categories, specify default actions in the Blacklist Matching Policy setting. The default action for a blacklist category is always Reject. For each category that you want to customize:
- From the Blacklist Category list, select a category.
- For Action, select Use Policy Default to use the default action for this policy; select Drop to drop packets from sources of the specified type, as identified by the IP address intelligence database; or select Accept to allow packets in this category.
- For Log Blacklist Category Matches, select Use Policy Default to use the default log action for blacklist matches; Yes affords visibility into blacklist matches and logs all packets, but provides no hardware acceleration data; Limited logs statistics every 256 packets and includes hardware acceleration; No does not log blacklist matches but provides the highest performance with hardware acceleration.
- For Log Whitelist Overrides, select Use Policy Default to use the default log action for whitelist overrides; select Yes or No to override the default action.
- For Match Override, select the matching criteria that overrides a blacklist match. You can require a source match, a destination match, or both a source and destination match to override a blacklist match with a whitelist.
- Click Add to add the custom defaults for the category. You can also select Replace to replace the defaults for a category.
- Repeat these steps for any category for which you want to customize default actions.
The custom categories are listed at the bottom. You can select and delete them if things change.
- Click Finished.
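The precedence rules in this procedure (feed-list entry action first, then the category's custom Action, then the policy Default Action; whitelist matches overriding blacklist matches subject to the category's Match Override; the Yes/Limited/No logging choices) are shown below as an added example written for this page. It is not DDoS Hybrid Defender code: feed lists are in-memory lists of constructed entries using documentation address ranges, `Use Policy Default` is resolved to the policy-level setting, and the `Verdict` record is an assumed shape for the result.

```python
"""IP Intelligence policy evaluation modelled in code (added example, not F5's code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FeedEntry:
    network: str
    category: str
    whitelist: bool = False          # whitelist feed entries override blacklist matches
    action: Optional[str] = None     # "accept"/"drop" set on the entry itself, else None


@dataclass
class CategoryPolicy:
    """Custom defaults for one blacklist category (Use Policy Default unless set)."""
    action: str = "use_policy_default"         # use_policy_default | drop | accept
    log_matches: str = "use_policy_default"    # use_policy_default | yes | limited | no
    log_overrides: str = "use_policy_default"  # use_policy_default | yes | no
    match_override: str = "source"             # source | destination | both


@dataclass
class Verdict:
    action: str
    category: Optional[str]
    logs: List[str]


@dataclass
class IPIntelligencePolicy:
    feed: List[FeedEntry]
    default_action: str = "drop"               # Default Action: accept | drop
    log_blacklist_matches: bool = True         # Default Log Actions
    log_whitelist_overrides: bool = False
    categories: Dict[str, CategoryPolicy] = field(default_factory=dict)

    def _lookup(self, ip: str) -> List[FeedEntry]:
        addr = ipaddress.ip_address(ip)
        return [e for e in self.feed if addr in ipaddress.ip_network(e.network, strict=False)]

    def evaluate(self, src: str, dst: str) -> Verdict:
        src_hits, dst_hits = self._lookup(src), self._lookup(dst)
        black = [e for e in src_hits + dst_hits if not e.whitelist]
        if not black:
            return Verdict("accept", None, [])     # uncategorised traffic is not touched
        entry = black[0]
        cat = self.categories.get(entry.category, CategoryPolicy())
        # whitelist matches override blacklist matches, per the category's Match Override
        white_src = any(e.whitelist for e in src_hits)
        white_dst = any(e.whitelist for e in dst_hits)
        overridden = {"source": white_src, "destination": white_dst,
                      "both": white_src and white_dst}[cat.match_override]
        if overridden:
            log = (self.log_whitelist_overrides if cat.log_overrides == "use_policy_default"
                   else cat.log_overrides == "yes")
            return Verdict("accept", entry.category, ["whitelist_override"] if log else [])
        # precedence: feed-list entry action, then category custom action, then policy default
        action = entry.action or (self.default_action if cat.action == "use_policy_default"
                                  else cat.action)
        if cat.log_matches == "use_policy_default":
            log_mode = "yes" if self.log_blacklist_matches else "no"
        else:
            log_mode = cat.log_matches
        logs = [] if log_mode == "no" else [f"blacklist_match:{log_mode}"]
        return Verdict(action, entry.category, logs)


def build_sample_policy() -> IPIntelligencePolicy:
    """Constructed feed: a spam category, a scanner category and one partner whitelist."""
    feed = [
        FeedEntry("198.51.100.0/24", "spam_sources"),
        FeedEntry("203.0.113.0/24", "spam_sources"),
        FeedEntry("203.0.113.7/32", "partners", whitelist=True),
        FeedEntry("192.0.2.0/24", "scanners", action="accept"),  # entry action wins
    ]
    return IPIntelligencePolicy(
        feed=feed,
        default_action="drop",
        log_whitelist_overrides=True,
        categories={"scanners": CategoryPolicy(action="drop", log_matches="limited")},
    )
```

The last assertion in the test below is the case worth noticing: once the category's Match Override is set to `both`, a whitelisted source alone no longer rescues a packet whose destination is not also whitelisted.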
You created an IP
intelligence policy. Next, it needs to be assigned globally to the BIG-IP system, to a
specific virtual server, or a route domain so that it is applied to the correct
traffic.
How to protect different network objects from DDoS attacks
Administrators often want to protect against a specific type of DDoS attack or to protect
a particular type of protected object from attacks. This table gives you an idea of the types of
protections you can set up.
To protect this: | Use these settings: |
---|---|
DNS Servers | |
SIP Servers | |
Web applications | |
Backend servers from Syn Floods | |
Backend servers from Sweep Attacks | |
DDoS protected object attack types
For each protected object, you can specify specific threshold, rate increase, rate
limit, and other parameters for supported DoS attack types, to more accurately detect, track,
and rate limit attacks.
IPv4 Attack Vectors
Vector | Information |
---|---|
Host Unreachable | The host cannot be reached. |
ICMP Fragment | ICMP fragment flood. |
ICMPv4 Flood | Flood with ICMPv4 packets. |
IP Fragment Flood | Fragmented packet flood with IPv4. |
IP Option Frames | IPv4 address packets that are part of an IP option frame flood. On the command line, the db variable tm.acceptipsourceroute must be enabled to receive IP options. |
TIDCMP | ICMP type 4 error; can't accept queries. |
TTL <= tunable | An IP packet with a destination that is not multicast has a Time to live (TTL) value less than or equal to the configured value. To tune this value, in tmsh: modify sys db dos.iplowttl value <value>, where value is 1-4. 1 is the default. |
IPv6 Attack Vectors
Vector | Information |
---|---|
Host Unreachable | The host cannot be reached. |
ICMP Fragment | ICMP fragment flood. |
ICMPv6 Flood | Flood with ICMPv6 packets. |
IPV6 Extended Header Frames | IPv6 address contains extended header frames. |
IPv6 extension header too large | An IPv6 extension header exceeds the limit in bytes set at , in the Too Large IPv6 Extension Header field. |
IPV6 Fragment Flood | The IPv6 extended header hop count is less than or equal to the hop count limit set at DoS Protection Quick Configuration Global Settings, in the IPv6 Low Hop Count field. |
IPv6 hop count <= <tunable> | The IPv6 extended header hop count is less than or equal to the hop count limit set at DoS Protection Quick Configuration Global Settings, in the IPv6 Low Hop Count field. |
Too Many Extended Headers | For an IPv6 address, the extension headers exceed the limit set at , in the Too Many IPv6 Extension Header field. |
TCP Attack Vectors
Vector | Information |
---|---|
Non TCP Connection | Sets a connection rate limit for non-TCP flows that takes into account all other connections per second. |
Option Present With Illegal Length | Packets contain an option with an illegal length. |
TCP Bad URG | TCP header has a bad URG flag; this is likely malicious (flag is set and urgent pointer is 0). |
TCP Option Overruns TCP Header | The TCP option bits overrun the TCP header. |
TCP PSH Flood | Attackers send spoofed PUSH packets at very high rates; packets do not belong to any current session. |
TCP RST Flood | TCP reset attack, also known as "forged TCP resets", "spoofed TCP reset packets" or "TCP reset attacks", is a method of tampering with Internet communications. |
TCP SYN ACK Flood | An attack method that involves sending a target server spoofed SYN-ACK packets at a high rate. |
TCP SYN Flood | Attackers send a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. |
TCP SYN Oversize | Detects TCP data SYN packets larger than the maximum specified in the limit set at , in the Too Large TCP SYN Packet field. The default size in bytes is 64 and the maximum allowable value is 9216. |
TCP Window Size | The TCP window size in packets is above the maximum size. To tune this setting, change the setting at , in the Too Low TCP Window Size field. |
Unknown TCP Option Type | TCP option type is not standard. |
UDP Attack Vector
Vector | Information |
---|---|
UDP Flood | The attacker sends UDP packets, typically large ones, to a single destination or to random ports. |
Sweep Attack Vector
Vector | Information |
---|---|
Sweep | The attacker uses a network scanning technique that typically sweeps your network by sending packets, and using the packet responses to determine live hosts. |
DNS Attack Vectors
Vector | How to identify it |
---|---|
a | UDP packet, DNS Qtype is A_QRY, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). |
aaaa | UDP packet, DNS Qtype is AAAA, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). |
any | UDP packet, DNS Qtype is ANY_QRY, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). |
axfr | UDP packet, DNS Qtype is AXFR, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). |
cname | UDP DNS query, DNS Qtype is CNAME, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). |
dns-malformed | Malformed DNS packets. |
ixfr | UDP DNS query, DNS Qtype is IXFR, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). |
mx | UDP DNS query, DNS Qtype is MX, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). |
ns | UDP DNS query, DNS Qtype is NS, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). |
other | UDP DNS query, DNS Qtype is OTHER, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). |
ptr | UDP DNS query, DNS Qtype is PTR, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). |
qdcount | DNS QDCount limit. UDP packet, DNS qdcount neq 1, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). |
soa | UDP packet, DNS Qtype is SOA_QRY, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS V LAN (0-4094). |
srv | UDP packet, DNS Qtype is SRV, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). |
txt | UDP packet, DNS Qtype is TXT, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). |
SIP Attack Vectors
Vector | Information |
---|---|
ack | SIP ACK packets. Used with invite request when establishing a call. |
bye | SIP BYE packets. The attacker tries to terminate a communication session prematurely. |
cancel | SIP CANCEL packets. Attackers prevent callers from establishing a session. |
invite | SIP INVITE packets. Attackers send multiple invite packets to initiate call sessions. |
message | SIP MESSAGE packets. Attackers send instant messages. |
notify | SIP NOTIFY packets. Attackers send notifications, such as of voice mails. |
options | SIP OPTIONS packets. Attackers send probes to determine capabilities of servers. |
other | Other SIP method packets. |
prack | SIP PRACK packets. Attackers send prack packets for provisional acknowledgements. |
publish | SIP PUBLISH packets. Attackers publish messages to the server. |
register | SIP REGISTER packets. Attackers register or unregister a phone address listed in the To header field with a SIP server. |
subscribe | SIP SUBSCRIBE packets. Attackers send subscriber notification messages. |
URI Limit | The SIP URI exceeds the limit set at , in the Too Long SIP URI field. This setting should be less than 1024, the maximum length for a SIP URI in bytes. |
Layer 7 HTTP and HTTPS Attack Vectors
Protection | Description |
---|---|
Behavioral | Attack indicates bad actors by their anomalous behavior based on deviation from baseline behavior. |
Detection by Device | Attack indicates suspicious client devices tracked by fingerprinting and a high number of transactions per second. |
Detection by Geolocation | Attack indicates suspicious geographical locations identified by their IP range and an unusual traffic share. |
Detection by Site | Attack indicates that the global traffic on the site (whole application) signifies an attack based on a high number of transactions per second. |
Detection by Source-IP | Attack indicates suspicious clients identified by their IP address and a high number of transactions per second. |
Detection by URL | Attack targets specific URLs in the web application by sending a high number of transactions per second to them. |
Heavy URL | Attack focuses on URLs that consume considerable server resources and thus can become tipping points in DoS attacks. The system automatically detects heavy URLs. |
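Detection by Source-IP, by URL and by Site in the table above all reduce to the same primitive: counting transactions per second under a different key. The following is an added example written for this page, not DDoS Hybrid Defender code, that runs such a sliding-window counter over constructed access-log lines. The thresholds, the one-second window and the simplified log format (an epoch-second timestamp in place of the usual date) are assumptions for the example.

```python
"""Detection by Source-IP, URL and Site over constructed access-log lines (added example, not F5's code)."""
import re
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

# constructed, simplified format: "<ip> - - [<epoch second>] "<method> <url> HTTP/1.x" <status>"
LOG_RE = re.compile(r'^(?P<ip>\S+) - - \[(?P<ts>\d+)\] "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/1\.[01]" (?P<status>\d{3})$')


class TpsDetector:
    def __init__(self, thresholds: Dict[str, int], window: int = 1):
        self.thresholds = thresholds          # transactions per window, per dimension
        self.window = window                  # seconds
        self.events = {dim: defaultdict(deque) for dim in thresholds}
        self.alerts: Set[Tuple[str, str]] = set()

    def observe(self, line: str) -> Set[Tuple[str, str]]:
        """Record one request; return the (dimension, key) alerts it newly triggered."""
        m = LOG_RE.match(line)
        if not m:
            return set()                      # assumption: unparsable lines are skipped
        ts = int(m["ts"])
        keys = {"source_ip": m["ip"], "url": m["url"], "site": "*"}
        new = set()
        for dim, key in keys.items():
            if dim not in self.thresholds:
                continue
            q = self.events[dim][key]
            q.append(ts)
            while q and q[0] <= ts - self.window:   # drop events outside the window
                q.popleft()
            if len(q) > self.thresholds[dim] and (dim, key) not in self.alerts:
                self.alerts.add((dim, key))
                new.add((dim, key))
        return new


def sample_log() -> List[str]:
    """Constructed: one client hammers /login while ten others browse normally."""
    lines = ['198.51.100.7 - - [100] "POST /login HTTP/1.1" 200' for _ in range(70)]
    lines += [f'10.0.0.{i} - - [100] "GET /index HTTP/1.1" 200' for i in range(1, 11)]
    return lines


def run_detection(lines: List[str]) -> Set[Tuple[str, str]]:
    det = TpsDetector({"source_ip": 50, "url": 60, "site": 65})
    for line in lines:
        det.observe(line)
    return det.alerts
```

The same 70 requests trip all three dimensions here, but with different keys: the attacking address under Detection by Source-IP, `/login` under Detection by URL, and the whole site once the total crosses the site threshold. A client that spreads the same volume across many addresses would only show up on the URL and site counters, which is why the product offers all three.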
HTTP and HTTPS Proactive Bot Defense Categories
Category | Description/Category |
---|---|
Proactive Bot Defense | Attacks caused by web robots. The system uses JavaScript evaluations and bot signatures to ensure that browsers are legitimate, not automated. |
Crawler | Benign |
HTTP Library | Benign |
Search Bot | Benign |
Search Engine | Benign |
Service Agent | Benign |
Site Monitor | Benign |
Social Media Agent | Benign |
Web Downloader | Benign |
DoS Tool | Malicious |
E-Mail Collector | Malicious |
Exploit Tool | Malicious |
Network Scanner | Malicious |
Spam Bot | Malicious |
Vulnerability Scanner | Malicious |
Web Spider | Malicious |
DDoS device protection attack types
In Device Protection, you can specify thresholds, rate increase, rate limit, and other parameters for device-level DDoS attack types, to more accurately detect, track, and rate limit attacks. Broken packets, such as those with bad headers, should be severely rate limited.
Network attack types
Vector | Information | Hardware accelerated |
---|---|---|
ARP Flood | ARP packet flood | Yes |
Bad ICMP Checksum | An ICMP frame checksum is bad. Reuse the TCP or UDP checksum bits in the packet. | Yes |
Bad ICMP Frame | The ICMP frame is either the wrong size or not one of the valid IPv4 or IPv6 types. Valid IPv4 types: | Yes |
Bad IGMP Frame | IPv4 IGMP packets should have a header >= 8 bytes. Bits 7:0 should be either 0x11, 0x12, 0x16, 0x22 or 0x17, or else the header is bad. Bits 15:8 should be non-zero only if bits 7:0 are 0x11, or else the header is bad. | Yes |
Bad IP TTL Value | Time-to-live equals zero for an IPv4 address. | Yes |
Bad IP Version | The IPv4 address version in the IP header is not 4. | Yes |
Bad IPv6 Addr | IPv6 source IP = 0xff00:: | Yes |
Bad IPV6 Hop Count | Both the terminated (cnt=0) and forwarding packet (cnt=1) counts are bad. | Yes |
Bad IPV6 Version | The IPv6 address version in the IP header is not 6. | Yes |
Bad SCTP Checksum | Bad SCTP packet checksum. | No |
Bad Source | The IPv4 source IP = 255.255.255.255 or 0xe0000000U. | Yes |
Bad TCP Checksum | The TCP checksum does not match. | Yes |
Bad TCP Flags (All Cleared) | Bad TCP flags (all cleared and SEQ#=0). | Yes |
Bad TCP Flags (All Flags Set) | Bad TCP flags (all flags set). | Yes |
Bad UDP Checksum | The UDP checksum is not correct. | Yes |
Bad UDP Header (UDP Length > IP Length or L2 Length) | UDP length is greater than IP length or Layer 2 length. | Yes |
Ethernet MAC Source Address == Destination Address | Ethernet MAC source address equals the destination address. | Yes |
FIN Only Set | Bad TCP flags (only FIN is set). | Yes |
Header Length > L2 Length | No room in Layer 2 packet for IP header (including options) for IPv4 address | Yes |
Header Length Too Short | IPv4 header length is less than 20 bytes. | Yes |
Host Unreachable | Host unreachable error | Yes |
ICMP Fragment | ICMP fragment flood | Yes |
ICMP Frame Too Large | The ICMP frame exceeds the declared IP data length or the maximum datagram length set at , in the Too Large IPv6 Extension Header field. To tune this value, in tmsh: modify sys db dos.maxicmpframesize value <value>, where value is <=65515. | Yes |
ICMPv4 Flood | Flood with ICMPv4 packets | Yes |
ICMPv6 Flood | Flood with ICMPv6 packets | Yes |
IGMP Flood | Flood with IGMP packets (IPv4 packets with IP protocol number 2) | Yes |
IGMP Fragment Flood | Fragmented packet flood with IGMP protocol | Yes |
IP Error Checksum | The header checksum is not correct. | Yes |
IP Fragment Error | Other IPv4 fragment error | Yes |
IP Fragment Flood | Fragmented packet flood with IPv4 | Yes |
IP Fragment Overlap | IPv4 overlapping fragment error | No |
IP Fragment Too Small | IPv4 short fragment error | Yes |
IP Length > L2 Length | The total length in the IPv4 address header or payload length in the IPv6 address header is greater than the Layer 3 length in a Layer 2 packet. | Yes |
IP Option Frames | IPv4 address packets that are part of an IP option frame flood. On the command line, the db variable tm.acceptipsourceroute must be enabled to receive IP options. | Yes |
IP Option Illegal Length | Option present with illegal length. | No |
IP uncommon proto | Sets thresholds for and tracks packets containing IP protocols considered to be uncommon. By default, all IP protocols other than TCP, UDP, ICMP, IPV6-ICMP, and SCTP are on the IP uncommon protocol list. | Yes |
IP Unknown protocol | Unknown IP protocol | No |
IPv4 mapped IPv6 | The IPv6 stack is receiving IPv4 address packets. | Yes |
IPV6 Atomic Fragment | IPv6 Frag header present with M=0 and FragOffset =0 | Yes |
IPv6 duplicate extension headers | An extension header should occur only once in an IPv6 packet, except for the Destination Options extension header. | Yes |
IPv6 Extended Header Frames | IPv6 address contains extended header frames. | Yes |
IPv6 extended headers wrong order | Extension headers in the IPv6 header are in the wrong order. | Yes |
IPv6 extension header too large | An IPv6 extension header exceeds the limit in bytes set at , in the Too Large IPv6 Extension Header field. | Yes |
IPv6 Fragment Error | Other IPv6 fragment error | Yes |
IPv6 Fragment Flood | Fragmented packet flood with IPv6 | Yes |
IPv6 Fragment Overlap | IPv6 overlapping fragment error | No |
IPv6 Fragment Too Small | IPv6 short fragment error | Yes |
IPv6 hop count <= <tunable> | The IPv6 extended header hop count is less than or equal to the hop count limit set at , in the IPv6 Low Hop Count field. | Yes |
IPv6 Length > L2 Length | IPv6 address length is greater than the Layer 2 length. | Yes |
L2 Length >> IP Length | Layer 2 packet length is much greater than the payload length in an IPv4 address header, and the Layer 2 length is greater than the minimum packet size. | Yes |
LAND Attack | Source IP equals destination IP address | Yes |
No L4 | No Layer 4 payload for IPv4 address. | Yes |
No L4 (Extended Headers Go To Or Past End of Frame) | Extended headers go to the end or past the end of the L4 frame. | Yes |
No Listener Match | This can occur if the listener is down as it attempts to make a connection, or if it was not started or was configured improperly. It may also be caused by a network connectivity problem. | |
Non TCP Connection | Sets a connection rate limit for non-TCP flows that takes into account all other connections per second. | |
Option Present With Illegal Length | Packets contain an option with an illegal length. | Yes |
Payload Length < L2 Length | Specified IPv6 payload length is less than the L2 packet length. | Yes |
Routing Header Type 0 | Identifies flood packets containing type 0 routing headers, which can be used to amplify traffic to initiate a DoS attack. | Yes |
Single Endpoint Flood | Flood to a single endpoint; can come from many sources. You can configure packet types to check for, and packets per second for both detection and rate limiting. | No |
Single Endpoint Sweep | Sweep on a single endpoint. You can configure packet types to check for, and packets per second for both detection and rate limiting. | No |
SYN && FIN Set | Bad TCP flags (SYN and FIN set). | Yes |
TCP BADACK Flood | TCP ACK packet flood | No |
TCP Flags - Bad URG | Packet contains a bad URG flag; this is likely malicious. | Yes |
TCP Half Open | TCP connection whose state is out of synchronization between the two communicating hosts | Yes |
TCP Header Length > L2 Length | The TCP header length exceeds the Layer 2 length. | Yes |
TCP Header Length Too Short (Length < 5) | The Data Offset value in the TCP header is less than five 32-bit words. | Yes |
TCP Option Overruns TCP Header | The TCP option bits overrun the TCP header. | Yes |
TCP PUSH Flood | TCP PUSH flood | Yes |
TCP RST Flood | TCP RST flood | Yes |
TCP SYN ACK Flood | TCP SYN/ACK flood | Yes |
TCP SYN Flood | TCP SYN flood | Yes |
TCP SYN Oversize | Detects TCP data SYN packets larger than the maximum specified in the limit set at , in the Too Large TCP SYN Packet field. The default size in bytes is 64 and the maximum allowable value is 9216. | Yes |
TCP Window Size | The TCP window size in packets is above the maximum size. To tune this setting, change the setting at , in the Too Low TCP Window Size field. | Yes |
TIDCMP | ICMP source quench attack | Yes |
Too Many Extension Headers | For an IPv6 address, the extension headers exceed the limit set at , in the Too Many IPv6 Extension Header field. | Yes |
TTL <= <tunable> | An IP packet with a destination that is not multicast has a TTL greater than 0 and less than the value set at , in the IPv4 Low TTL field. The range for this setting is 1-4. | Yes |
UDP Flood | UDP flood attack | Yes |
Unknown Option Type | Unknown IP option type. | No |
Unknown TCP Option Type | Unknown TCP option type. | Yes |
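Many of the "Bad ..." rows in the table above are plain header-consistency checks, and it is worth seeing exactly what each one tests on the wire. The following is an added example written for this page, not DDoS Hybrid Defender code: it parses a constructed Ethernet/IPv4 frame carrying TCP or UDP and reports which of a subset of those vectors it would count against (Bad IP Version, Header Length Too Short, Header Length > L2 Length, IP Length > L2 Length, Bad IP TTL Value, IP Error Checksum, LAND Attack, Bad Source, the TCP flag combinations, TCP Flags - Bad URG, TCP Header Length Too Short, TCP Header Length > L2 Length, Bad UDP Header and the MAC source == destination check). `build_frame()`, `tcp()` and `udp()` are constructed helpers whose arguments deliberately violate one check at a time; the sample addresses are documentation ranges.

```python
"""Header sanity checks from the table above, run over constructed frames (added example, not F5's code)."""
import struct
from ipaddress import ip_address
from typing import List, Optional


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp(flags: int, seq: int = 1, data_offset: int = 5, urg_ptr: int = 0) -> bytes:
    return struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, data_offset << 4, flags, 65535, 0, urg_ptr)


def udp(length: int) -> bytes:
    return struct.pack("!HHHH", 40000, 53, length, 0)


def build_frame(src: str, dst: str, proto: int, l4: bytes, ttl: int = 64, version: int = 4,
                ihl: int = 5, total_len: Optional[int] = None, bad_checksum: bool = False,
                src_mac: bytes = b"\x02" * 6, dst_mac: bytes = b"\x04" * 6) -> bytes:
    """Constructed Ethernet + IPv4 frame; the knobs let a sample violate one check at a time."""
    header_len = ihl * 4
    total = header_len + len(l4) if total_len is None else total_len
    head = struct.pack("!BBHHHBBH4s4s", (version << 4) | ihl, 0, total, 0, 0, ttl, proto, 0,
                       ip_address(src).packed, ip_address(dst).packed)
    head += b"\0" * max(0, header_len - 20)            # option padding when IHL > 5
    csum = 0 if bad_checksum else ip_checksum(head)
    head = head[:10] + struct.pack("!H", csum) + head[12:]
    return dst_mac + src_mac + b"\x08\x00" + head + l4


def classify_ipv4_frame(frame: bytes) -> List[str]:
    hits = []
    if frame[6:12] == frame[:6]:
        hits.append("Ethernet MAC Source Address == Destination Address")
    pkt = frame[14:]
    if len(pkt) < 20:
        return hits + ["Header Length > L2 Length"]
    vhl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vhl >> 4, (vhl & 0x0F) * 4
    if version != 4:
        hits.append("Bad IP Version")
    if ihl < 20:
        hits.append("Header Length Too Short")
    if ihl > len(pkt):
        hits.append("Header Length > L2 Length")
    if total > len(pkt):
        hits.append("IP Length > L2 Length")
    if ttl == 0:
        hits.append("Bad IP TTL Value")
    if src == dst:
        hits.append("LAND Attack")
    if src in (b"\xff\xff\xff\xff", b"\xe0\x00\x00\x00"):   # 255.255.255.255 or 0xe0000000
        hits.append("Bad Source")
    if ihl < 20 or ihl > len(pkt):
        return hits                                        # cannot locate the L4 header
    if ip_checksum(pkt[:ihl]) != 0:
        hits.append("IP Error Checksum")
    l4 = pkt[ihl:]
    if proto == 6 and len(l4) >= 20:
        _, _, seq, _, off, flags, _, _, urg = struct.unpack("!HHIIBBHHH", l4[:20])
        doff, f = off >> 4, flags & 0x3F                   # FIN SYN RST PSH ACK URG bits
        if doff < 5:
            hits.append("TCP Header Length Too Short (Length < 5)")
        if doff * 4 > len(l4):
            hits.append("TCP Header Length > L2 Length")
        if f == 0 and seq == 0:
            hits.append("Bad TCP Flags (All Cleared)")
        if f == 0x3F:
            hits.append("Bad TCP Flags (All Flags Set)")
        if f & 0x03 == 0x03:
            hits.append("SYN && FIN Set")
        if f == 0x01:
            hits.append("FIN Only Set")
        if f & 0x20 and urg == 0:                          # URG set with a zero urgent pointer
            hits.append("TCP Flags - Bad URG")
    elif proto == 17 and len(l4) >= 8:
        _, _, ulen, _ = struct.unpack("!HHHH", l4[:8])
        if ulen > total - ihl or ulen > len(l4):
            hits.append("Bad UDP Header (UDP Length > IP Length or L2 Length)")
    return hits


def sample_verdicts() -> dict:
    """Constructed frames, one per check; addresses are documentation ranges."""
    a, b = "198.51.100.7", "192.0.2.10"
    return {
        "clean_syn": classify_ipv4_frame(build_frame(a, b, 6, tcp(0x02))),
        "land": classify_ipv4_frame(build_frame(b, b, 6, tcp(0x02))),
        "syn_fin": classify_ipv4_frame(build_frame(a, b, 6, tcp(0x03))),
        "null_scan": classify_ipv4_frame(build_frame(a, b, 6, tcp(0x00, seq=0))),
        "bad_urg": classify_ipv4_frame(build_frame(a, b, 6, tcp(0x30))),
        "ttl_zero": classify_ipv4_frame(build_frame(a, b, 6, tcp(0x02), ttl=0)),
        "bad_checksum": classify_ipv4_frame(build_frame(a, b, 6, tcp(0x02), bad_checksum=True)),
        "udp_length": classify_ipv4_frame(build_frame(a, b, 17, udp(2000))),
        "ip_len_gt_l2": classify_ipv4_frame(build_frame(a, b, 6, tcp(0x02), total_len=1500)),
        "bad_source": classify_ipv4_frame(build_frame("255.255.255.255", b, 6, tcp(0x02))),
    }
```

Each of these checks is cheap and stateless, which is why the table marks nearly all of them as hardware accelerated and why the text recommends rate limiting such packets severely: a packet that fails them can never belong to a legitimate session, so dropping it early costs nothing.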
DNS attack vectors
Vector | Information | Hardware accelerated |
---|---|---|
DNS A Query | UDP packet, DNS Qtype is A_QRY, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). | Yes |
DNS AAAA Query | UDP packet, DNS Qtype is AAAA, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). | Yes |
DNS AXFR Query | UDP packet, DNS Qtype is AXFR, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). | Yes |
DNS Any Query | UDP packet, DNS Qtype is ANY_QRY, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). | Yes |
DNS CNAME Query | UDP DNS query, DNS Qtype is CNAME, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). | Yes |
DNS IXFR Query | UDP DNS query, DNS Qtype is IXFR, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). | Yes |
DNS MX Query | UDP DNS query, DNS Qtype is MX, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). | Yes |
DNS Malformed | Malformed DNS packet | Yes |
DNS NS Query | UDP DNS query, DNS Qtype is NS, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). | Yes |
DNS NXDOMAIN Query | DNS query. Queried domain name does not exist. | Yes |
DNS OTHER Query | UDP DNS query, DNS Qtype is OTHER, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). | Yes |
DNS Oversize | Detects oversized DNS headers. To tune this value, set the Too Large DNS Packet setting at to the maximum value for a DNS header, from 256-8192 bytes. | Yes |
DNS PTR Query | UDP DNS query, DNS Qtype is PTR, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). | Yes |
DNS Question Items != 1 | UDP packet, DNS qdcount neq 1, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). | Yes |
DNS Response Flood | UDP DNS Port=53, packet and DNS header flags bit 15 is 1 (response), VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). | Yes |
DNS SOA Query | UDP packet, DNS Qtype is SOA_QRY, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). | Yes |
DNS SRV Query | UDP packet, DNS Qtype is SRV, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). | Yes |
DNS TXT Query | UDP packet, DNS Qtype is TXT, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at to the DNS VLAN (0-4094). | Yes |
SIP attack vectors
Vector | Information | Hardware accelerated |
---|---|---|
SIP ACK Method | SIP ACK packets | Yes |
SIP BYE Method | SIP BYE packets | Yes |
SIP CANCEL Method | SIP CANCEL packets | Yes |
SIP INVITE Method | SIP INVITE packets | Yes |
SIP Malformed | Malformed SIP packets | Yes |
SIP MESSAGE Method | SIP MESSAGE packets | Yes |
SIP NOTIFY Method | SIP NOTIFY packets | Yes |
SIP OPTIONS Method | SIP OPTIONS packets | Yes |
SIP OTHER Method | Other SIP method packets | Yes |
SIP PRACK Method | SIP PRACK packets | Yes |
SIP PUBLISH Method | SIP PUBLISH packets | Yes |
SIP REGISTER Method | SIP REGISTER packets | Yes |
SIP SUBSCRIBE Method | SIP SUBSCRIBE packets | Yes |
SIP URI Limit | The SIP URI exceeds the limit set at , in the Too Long SIP URI field. This setting should be less than 1024, the maximum length for a SIP URI in bytes. | Yes |
Behavioral
Behavioral DDoS protection is enabled by default, and all thresholds and threshold actions are applied. You can initiate learning or relearning of dynamic signatures, adjust mitigation sensitivity, and enable redirection and scrubbing of IP addresses identified by the dynamic signatures. You also have the option of selecting Learn Only to track dynamic vector statistics without enforcing any thresholds or limits. In the case of an attack, the system dynamically creates signatures that characterize the attack. During the attack, you see them listed as behavioral vectors (starting with Sig). They are removed when the attack is over.