Updated Date: 07/07/2026
Detecting and Mitigating DoS/DDoS Attacks on Protected Zones
A zone is a collection of VLANs. Users are allowed to configure ACL policy rules to control network access between zones. For example, a rule can be configured to enforce traffic belonging to a Zone IT-Network to allow traffic access to only Zone IT-Network and Zone Public-Network, and block access to Zone Developer-Network.
The DoS capabilities are extended to include zones as a context by allowing to attach a DoS protection profile to the zones object. A zone that has an associated DoS protection profile is called a protected zone.
The zone-based DoS protection is implemented by associating the specific VLANs requiring protection to a DoS protected catch-all protected zone.
The DoS protections specified in the profile will be applied to the VLANs specified in the zone collectively. The attack traffic destined to any VLAN in the zone is counted towards the threshold for all the VLANs. A VLAN cannot be protected by multiple DoS protection profiles, a VLAN can only be a member of one zone protected by a DoS protection profile.
The following limitations are enforced during configuration of a zone:
- Protected zones that have DoS protection profiles attached cannot have overlapping VLANs, that is, a specific VLAN can be part of only one protected zone.
- A total of 16 protected zones can have DoS protection profiles attached to them.
- Only one DoS protection profile can be attached to a protected zone.
- A DoS profile being attached to a protected zone cannot have DNS DoS or SIP DoS enabled, only a Network DoS should be enabled.
The BIG-IP system DB variable dos.protectedzone must be enabled to configure the protected zones. Use the following TMSH command to enable the variable:
#modify sys db dos.protectedzone value enable# list sys db dos.protectedzone
sys db dos.protectedzone {
value "enable"
}Note: The DB variable dos.protectedzone must be enabled manually in BIG-IP 15.1.8, in all other versions this variable is enabled by default.
To enable the Zone Based DDoS feature on HW based platforms, the dos.allvlans DB variable must be set to false.
# modify sys db dos.allvlans { value false }# list sys db dos.allvlans
sys db dos.allvlans {
value "false"
}You can create a new zone using this task.
-
On the Main tab, click Security > Zones.
-
Click Create.
The New Zone screen opens.
-
In the Name field, type a name for the zone.
-
In the Description field, type a description for the zone.
-
In the VLANs field, select the VLANs for the system to associate with the zone.
Note: Zones that have DoS profiles attached cannot have overlapping VLANs, that is a specific VLAN can be part of only one protected zone.
-
Click Finished.
You can create a new DoS protection profile and configure settings to identify, and rate limit possible DNS DoS attacks.
-
On the Main tab, click Security > DoS Protection > Protection Profiles.
The Protection Profiles list screen opens.
-
Click Create.
The New Protection Profile screen opens.
-
In the Name field, type the name for the profile.
-
For Threshold Sensitivity, select Low, Medium, or High.
Low means the automatic threshold calculations are less sensitive to changes in traffic and CPU usage. A lower setting causes the system to adjust the thresholds more slowly over time, but will also trigger fewer false positives. If traffic rates are consistent over time, set this to Medium or High because even a small variation in generally consistent traffic could signal an attack. If traffic patterns vary, set this to Low to get fewer false positives.
-
If you have created a whitelist on the system, from the Default Whitelist list, select the list.
You can also click Manage Address Lists to jump to the Address Lists screen where you can create or edit address lists.
-
From Families, select Network, DNS, or SIP.
Note: Select Network, if the DoS protection profile is assigned to a protected zone.
-
At the bottom of the screen, click the selected family.
The screen displays the attack vectors for the selected family.
-
Click a specific Vector Name, to change the state, threshold or rate increase of the attack vector.
The Properties page for the attack vector opens to the right of the page.
-
In the Properties pane, from the State list, choose the appropriate enforcement option.
- Select Mitigate to enforce the configured DoS vector by examining packets, logging the results of the vector, learning patterns, alerting to trouble, and mitigating the attack (watch, learn, alert, and mitigate).
- Select Detect Only to configure the vector, log the results of the vector without applying rate limits or other actions, and alerting to trouble (watch, learn, and alert).
- Select Learn Only to configure the vector, log the results of the vector, without applying rate limits or other actions (watch and learn).
- Select Disabled to disable logging and enforcement of the DoS vector (no stat collection, no mitigation).
-
For Threshold Mode, select whether to have the system determine thresholds for the vector (Fully Automatic), have partially automatic settings (Manual Detection /Auto Mitigation), or, you can control the settings (Fully Manual).
The settings differ depending on the option you select. Here, we describe the settings for automatic threshold configuration. If you want to set thresholds manually, select one of the manual options and refer to online Help for details on the settings.
-
To allow the DoS vector thresholds to be automatically adjusted, for Threshold Mode, select Fully Automatic (available only for DNS, Flood, SIP, some Fragmentation, and a few other vectors).
Note: Automatic thresholding is not available for every DoS vector. In particular, for error packets that are broken by their nature, such as those listed under Bad Headers, you must configure them manually.
-
In the Attack Floor EPS field, type the number of events per second of the vector type to allow at a minimum, before automatically calculated thresholds are determined.
Because automatic thresholds take time to be reliably established, this setting defines the minimum packets allowed before automatic thresholds are calculated.
-
In the Attack Ceiling EPS field, specify the absolute maximum allowable for packets of this type before automatically calculated thresholds are determined.
Because automatic thresholds take time to be reliably established, this setting rate limits packets to the events per second setting, when specified. To set no hard limit, set this to Infinite.
Unless set to infinite, if the maximum number of packets exceeds the ceiling value, the system considers it to be an attack.
-
-
To detect IP address sources from which possible attacks originate, enable Bad Actor Detection.
Note: Bad Actor Detection is not available for every vector.
-
To automatically blacklist bad actor IP addresses, select Add Source Address to Category.
Important: For this to work, you need to assign an IP Intelligence policy to the appropriate context (device, virtual server, or route domain). For the device, assign a global policy: Security > Network Firewall > IP Intelligence > Policies. For the virtual server or route domain, assign the IP Intelligence policy on the Security tab.
-
From the Category Name list, select the blacklist category to which to add blacklist entries generated by Bad Actor Detection.
-
In the Sustained Attack Detection Time field, specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
-
In the Category Duration Time field, specify the length of time in seconds that the address will remain on the blacklist. The default is
14400seconds (4 hours). -
To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement.
Note: To advertise to edge routers, you must configure a Blacklist Publisher and Publisher Profile at Security > Options > External Redirection > Blacklist Publisher.
-
Click Commit Changes to System at the top of the page.
You have now configured a protection profile to provide custom responses to malformed SIP attacks, SIP flood attacks, and to allow such attacks to be identified in system logs and reports.
Now you need to associate the protection profile with a protected object or a protected zone to apply the settings in the profile to traffic on that protected object or protected zone.
You can modify the State and Threshold Mode of multiple attack vectors protecting the device at one time.
-
On the Main tab, click Security > Dos Protection > Device Protection.
-
Click the Network, DNS, or SIP area at the bottom of the page.
All of the attack vectors for that family appear in the Attack Type list.
-
To modify the state of one or more attack vectors, click the check box next to each attack vector name.
-
From the Set State list at the bottom of the page, select Disable, Learn Only, Mitigate, Detect Only, or Mitigate.
-
Click Commit Changes to System at the top of the page.
-
To modify the threshold mode of one or more attack vectors, click the check box next to each attack vector name.
-
From the Set Threshold Mode list at the bottom of the page, select Fully Automatic, Manual Detection / Auto Mitigation, or Manual.
Note: To work accurately, using fully-automatic thresholds requires some amount of historical data on the system gathered through observing normal traffic. Therefore, it is recommended that you not enforce auto thresholds directly after installation.
-
Click Commit Changes to System at the top of the page.
You have modified the attack vector State and Threshold Mode of multiple attack vectors.
Create a custom logging profile to log DoS Protection events and send the log messages to a specific location.
-
On the Main tab, click Security > Event Logs > Logging Profiles.
The Logging Profiles list screen opens.
-
Click Create.
The Create New Logging Profile screen opens.
-
In the Logging Profile Properties, select the DoS Protection check box.
The DoS Protection tab opens.
-
In The DoS Protection area, from the Publisher list, select the publisher that the BIG-IP system will use to log DoS events.
-
Click Create.
Assign this DoS Protection logging profile to a protected object or zones.
Ensure that the BIG-IP system DB variable dos.protectedzone is enabled.
You can create a new protected zone profile using this task. You can associate a zone and DoS protection profile while you create a protected zone.
-
On the Main tab, click Security > DoS Protection > Protected Zones.
-
Click Create.
-
In the Name field, type a name for the protected zone profile.
-
In the Description field, type a description for the protected zone profile.
-
In the Zone field, select the zone to associate with the protected zones profile.
-
In the DoS Protection Profile field, select the DoS protection profile to associate with the protected zones profile.
-
In the Logging Profile field, select the logging profile for the system to associate with the protected zones profile.
-
Click Finished.
The DoS protection profile, zone, and logging profile are associated with the protected zone and DoS protection is now enabled.