Manual Chapter : Preventing Device DoS/DDoS Attacks

Applies To:

BIG-IP AFM

  • 15.1.9, 15.1.8

Preventing Device DoS/DDoS Attacks

Adjust the device compatibility level

BIG-IP devices are divided into three categories based on hardware capability, and each category allows the use of specific compatibility levels. When you modify the compatibility level of the system, you enable different levels of DoS/DDoS protection and whitelists that are available for use.
Level 0
Systems with basic hardware DoS capabilities. Provides device protection and Rich Whitelists. Valid for all systems, and is the default value.
Level 1
Virtual Edition (VE) systems or systems with hardware DoS and sPVA capabilities. Provides Level 0 features, per-virtual server DOS, whitelist hostaddress lists, IP Intelligence, and bad actor detection.
Level 2
Systems with hardware DoS, sPVA and Neuron capabilities. Provides Level 1 features, and whitelist subnet address lists.
If using DDoS Hybrid Defender, adjusting the compatibility level must be done from the Advanced Menu.
  1. On the Main tab, click System > Configuration > Device.
  2. From the Compatibility Level list, select the appropriate compatibility level for your hardware.
    You will receive a message if you select a level that is not applicable to your hardware.
  3. Click Update.

Default Device DoS/DDoS attack signatures

The following tables, organized by DoS category, list AFM default device DoS attacks, and provide a short description and relevant information. You can adjust the thresholds in device protection by clicking the attack types and adjusting the properties.

Network attack types

Vector | Information | Hardware accelerated
--- | --- | ---
ARP Flood | ARP packet flood | Yes
Bad ICMP Checksum | An ICMP frame checksum is bad. Reuse the TCP or UDP checksum bits in the packet. | Yes
Bad ICMP Frame | The ICMP frame is either the wrong size or not one of the valid IPv4 or IPv6 types. | Yes
Bad IGMP Frame | IPv4 IGMP packets should have a header >= 8 bytes. Bits 7:0 should be either 0x11, 0x12, 0x16, 0x22 or 0x17, or else the header is bad. Bits 15:8 should be non-zero only if bits 7:0 are 0x11, or else the header is bad. | Yes
Bad IP TTL Value | Time-to-live equals zero for an IPv4 address. | Yes
Bad IP Version | The IPv4 address version in the IP header is not 4. | Yes
Bad IPv6 Addr | IPv6 source IP = 0xff00:: | Yes
Bad IPV6 Hop Count | Both the terminated (cnt=0) and forwarding packet (cnt=1) counts are bad. | Yes
Bad IPV6 Version | The IPv6 address version in the IP header is not 6. | Yes
Bad SCTP Checksum | Bad SCTP packet checksum. | No
Bad Source | The IPv4 source IP = 255.255.255.255 or 0xe0000000U. | Yes
Bad TCP Checksum | The TCP checksum does not match. | Yes
Bad TCP Flags (All Cleared) | Bad TCP flags (all cleared and SEQ#=0). | Yes
Bad TCP Flags (All Flags Set) | Bad TCP flags (all flags set). | Yes
Bad UDP Checksum | The UDP checksum is not correct. | Yes
Bad UDP Header (UDP Length > IP Length or L2 Length) | UDP length is greater than IP length or Layer 2 length. | Yes
Ethernet Broadcast Packet | Ethernet broadcast packet flood | Yes
Ethernet MAC Source Address == Destination Address | Ethernet MAC source address equals the destination address. | Yes
Ethernet Multicast Packet | Ethernet multicast packet flood | Yes
FIN Only Set | Bad TCP flags (only FIN is set). | Yes
Header Length > L2 Length | No room in the Layer 2 packet for the IPv4 header (including options). | Yes
Header Length Too Short | IPv4 header length is less than 20 bytes. | Yes
Host Unreachable | Host unreachable error | Yes
ICMP Fragment | ICMP fragment flood | Yes
ICMP Frame Too Large | The ICMP frame exceeds the declared IP data length or the maximum datagram length. To tune this value, in tmsh: modify sys db dos.maxicmpframesize value, where value is <= 65515. | Yes
ICMPv4 Flood | Flood with ICMPv4 packets | Yes
ICMPv6 Flood | Flood with ICMPv6 packets | Yes
IGMP Flood | Flood with IGMP packets (IPv4 packets with IP protocol number 2) | Yes
IGMP Fragment Flood | Fragmented packet flood with IGMP protocol | Yes
IP Error Checksum | The header checksum is not correct. | Yes
IP Fragment Error | Other IPv4 fragment error | Yes
IP Fragment Flood | Fragmented packet flood with IPv4 | Yes
IP Fragment Overlap | IPv4 overlapping fragment error | No
IP Fragment Too Small | IPv4 short fragment error | Yes
IP Length > L2 Length | The total length in the IPv4 header or the payload length in the IPv6 header is greater than the Layer 3 length in a Layer 2 packet. | Yes
IP Option Frames | IPv4 packets that are part of an IP option frame flood. On the command line, the db variable tm.acceptipsourceroute must be enabled to receive IP options. | Yes
IP Option Illegal Length | Option present with illegal length. | No
IP uncommon proto | Sets thresholds for and tracks packets containing IP protocols considered to be uncommon. By default, all IP protocols other than TCP, UDP, ICMP, IPV6-ICMP, and SCTP are on the IP uncommon protocol list. | Yes
IP Unknown protocol | Unknown IP protocol | No
IPv4 mapped IPv6 | The IPv6 stack is receiving IPv4 packets. | Yes
IPV6 Atomic Fragment | IPv6 Fragment header present with M=0 and FragOffset=0. | Yes
IPv6 duplicate extension headers | An extension header should occur only once in an IPv6 packet, except for the Destination Options extension header. | Yes
IPv6 Extended Header Frames | IPv6 packet contains extended header frames. | Yes
IPv6 extended headers wrong order | Extension headers in the IPv6 header are in the wrong order. | Yes
IPv6 extension header too large | An extension header is too large. To tune this value, in tmsh: modify sys db dos.maxipv6extsize value, where value is 0-1024. | Yes
IPv6 Fragment Error | Other IPv6 fragment error | Yes
IPv6 Fragment Flood | Fragmented packet flood with IPv6 | Yes
IPv6 Fragment Overlap | IPv6 overlapping fragment error | No
IPv6 Fragment Too Small | IPv6 short fragment error | Yes
IPv6 hop count <= <tunable> | The IPv6 extended header hop count is less than or equal to <tunable>. To tune this value, in tmsh: modify sys db dos.ipv6lowhopcnt value, where value is 1-4. | Yes
IPv6 Length > L2 Length | IPv6 packet length is greater than the Layer 2 length. | Yes
L2 Length >> IP Length | Layer 2 packet length is much greater than the payload length in the IPv4 header, and the Layer 2 length is greater than the minimum packet size. | Yes
LAND Attack | Source IP equals destination IP address | Yes
No L4 | No Layer 4 payload for an IPv4 packet. | Yes
No L4 (Extended Headers Go To Or Past End of Frame) | Extended headers go to the end or past the end of the L4 frame. | Yes
No Listener Match | This can occur if the listener is down as it attempts to make a connection, or if it was not started or was configured improperly. It may also be caused by a network connectivity problem. | 
Non TCP Connection | Sets a connection rate limit for non-TCP flows that takes into account all other connections per second. | 
Option Present With Illegal Length | Packets contain an option with an illegal length. | Yes
Payload Length < L2 Length | Specified IPv6 payload length is less than the L2 packet length. | Yes
Routing Header Type 0 | Identifies flood packets containing type 0 routing headers, which can be used to amplify traffic to initiate a DoS attack. | Yes
Single Endpoint Flood | Flood to a single endpoint, which can come from many sources. You can configure the packet types to check for, and packets per second for both detection and rate limiting. | No
Single Endpoint Sweep | Sweep on a single endpoint. You can configure the packet types to check for, and packets per second for both detection and rate limiting. | No
SYN && FIN Set | Bad TCP flags (SYN and FIN set). | Yes
TCP BADACK Flood | TCP ACK packet flood | No
TCP Flags - Bad URG | Packet contains a bad URG flag; this is likely malicious. | Yes
TCP Half Open | TCP connection whose state is out of synchronization between the two communicating hosts | Yes
TCP Header Length > L2 Length | The TCP header length exceeds the Layer 2 length. | Yes
TCP Header Length Too Short (Length < 5) | The Data Offset value in the TCP header is less than five 32-bit words. | Yes
TCP Option Overruns TCP Header | The TCP option bits overrun the TCP header. | Yes
TCP PUSH Flood | TCP PUSH flood | Yes
TCP RST Flood | TCP RST flood | Yes
TCP SYN ACK Flood | TCP SYN/ACK flood | Yes
TCP SYN Flood | TCP SYN flood | Yes
TCP SYN Oversize | Detects TCP SYN packets with data larger than the maximum specified by the dos.maxsynsize parameter. To tune this value, in tmsh: modify sys db dos.maxsynsize value. The default size in bytes is 64 and the maximum allowable value is 9216. | Yes
TCP Window Size | The TCP window size in packets is above the maximum size. To tune this value, in tmsh: modify sys db dos.tcplowwindowsize value, where value is <= 128. | Yes
TIDCMP | ICMP source quench attack | Yes
Too Many Extension Headers | For an IPv6 packet, there are too many extended headers (the default is 4). To tune this value, in tmsh: modify sys db dos.maxipv6exthdrs value, where value is 0-15. | Yes
TTL <= <tunable> | An IP packet with a destination that is not multicast and that has a TTL greater than 0 and less than or equal to a tunable value, which is 1 by default. To tune this value, in tmsh: modify sys db dos.iplowttl value, where value is 1-4. | Yes
UDP Flood | UDP flood attack | Yes
Unknown Option Type | Unknown IP option type. | No
Unknown TCP Option Type | Unknown TCP option type. | Yes

DNS attack vectors

For the DNS query and response vectors, the VLAN is tunable. To tune this value, in tmsh: modify sys db dos.dnsvlan value, where value is 0-4094.

Vector | Information | Hardware accelerated
--- | --- | ---
DNS A Query | UDP packet, DNS Qtype is A_QRY, VLAN is <tunable>. | Yes
DNS AAAA Query | UDP packet, DNS Qtype is AAAA, VLAN is <tunable>. | Yes
DNS AXFR Query | UDP packet, DNS Qtype is AXFR, VLAN is <tunable>. | Yes
DNS Any Query | UDP packet, DNS Qtype is ANY_QRY, VLAN is <tunable>. | Yes
DNS CNAME Query | UDP DNS query, DNS Qtype is CNAME, VLAN is <tunable>. | Yes
DNS IXFR Query | UDP DNS query, DNS Qtype is IXFR, VLAN is <tunable>. | Yes
DNS MX Query | UDP DNS query, DNS Qtype is MX, VLAN is <tunable>. | Yes
DNS Malformed | Malformed DNS packet | Yes
DNS NS Query | UDP DNS query, DNS Qtype is NS, VLAN is <tunable>. | Yes
DNS NXDOMAIN Query | DNS query. Queried domain name does not exist. | Yes
DNS OTHER Query | UDP DNS query, DNS Qtype is OTHER, VLAN is <tunable>. | Yes
DNS Oversize | Detects oversized DNS headers. To tune this value, in tmsh: modify sys db dos.maxdnssize value, where value is 256-8192. | Yes
DNS PTR Query | UDP DNS query, DNS Qtype is PTR, VLAN is <tunable>. | Yes
DNS Question Items != 1 | DNS query, DNS Qtype is ANY_QRY, the DNS query has more than one question. | Yes
DNS Response Flood | UDP DNS port=53 packet, and DNS header flags bit 15 is 1 (response), VLAN is <tunable>. | Yes
DNS SOA Query | UDP packet, DNS Qtype is SOA_QRY, VLAN is <tunable>. | Yes
DNS SRV Query | UDP packet, DNS Qtype is SRV, VLAN is <tunable>. | Yes
DNS TXT Query | UDP packet, DNS Qtype is TXT, VLAN is <tunable>. | Yes

SIP attack vectors

Vector | Information | Hardware accelerated
--- | --- | ---
SIP ACK Method | SIP ACK packets | Yes
SIP BYE Method | SIP BYE packets | Yes
SIP CANCEL Method | SIP CANCEL packets | Yes
SIP INVITE Method | SIP INVITE packets | Yes
SIP Malformed | Malformed SIP packets | Yes
SIP MESSAGE Method | SIP MESSAGE packets | Yes
SIP NOTIFY Method | SIP NOTIFY packets | Yes
SIP OPTIONS Method | SIP OPTIONS packets | Yes
SIP OTHER Method | Other SIP method packets | Yes
SIP PRACK Method | SIP PRACK packets | Yes
SIP PUBLISH Method | SIP PUBLISH packets | Yes
SIP REGISTER Method | SIP REGISTER packets | Yes
SIP SUBSCRIBE Method | SIP SUBSCRIBE packets | Yes
SIP URI Limit | The SIP URI exceeds the limit. | Yes

Detect and mitigate device DoS/DDoS attacks automatically

Device Protection is used to protect the entire BIG-IP system. You can configure the AFM system to automatically detect and mitigate a wide range of DoS/DDoS attacks.
Not all settings apply to all DoS vectors. For example, some vectors cannot use automatic thresholds, and some vectors cannot be automatically blacklisted.
  1. On the Main tab, click Security > DoS Protection > Device Protection.
    The DoS Device Protection screen opens.
  2. From the Log Publisher list, select a destination to which the BIG-IP system sends DoS and DDoS log entries.
    You can review, create, and update log publishers in System > Logs > Configuration > Log Publishers.
  3. For Threshold Sensitivity, select Low, Medium, or High.
    Low means the automatic threshold calculations are less sensitive to changes in traffic and CPU usage. A lower setting causes the system to adjust the thresholds more slowly over time, but also triggers fewer false positives. If traffic rates are consistent over time, set this to Medium or High, because even a small variation in generally consistent traffic could signal an attack. If traffic patterns vary, set this to Low to get fewer false positives.
  4. From the Eviction Policy list, select the eviction policy to apply globally.
    The global context requires an eviction policy. If you do not apply a custom eviction policy, the system default policy, default-eviction-policy, is applied and selected in this field.
  5. Optionally, click the Whitelists area to set whitelists for addresses that can bypass DDoS checks.
    1. To specify a system-wide DoS address list containing source IP addresses that do not need to be checked for DoS attacks, type the name of a previously configured list in the Whitelist Address List field (see Creating a whitelist address list for details). The system must be at compatibility level 1 or 2.
      Available address lists appear on the right side of the screen, in the Shared Objects pane. You can view, edit, and add address lists there.
    2. For Rich Whitelists (all compatibility levels), click the Add Whitelist button, type the name, source VLAN, source or destination address, port, and protocol, then click Done Editing.
      You can create up to eight rich whitelists, which allow further delineation of the whitelist.
    3. If the system is at compatibility level 2, for Extended Whitelists, click the Add Whitelist button, type the name, source VLAN, source address, destination address, port, and protocol, then click Done Editing.
      You can create 256 source and destination whitelist addresses by default, and can extend this to 1024 by using Extended Whitelists.
  6. At the bottom of the screen, click the Network, DNS, or SIP area to configure detection and mitigation thresholds for a specific attack vector.
    The screen displays all the available attack vectors for the given type.
  7. In the Attack Type column, click the name of any attack type to edit the settings.
    The attack settings appear in the Properties pane on the right side of the page.
  8. To enforce DoS protection for the attack vector, make sure the State is set to Mitigate (watch, learn, alert, and mitigate).
    The other options are Detect Only (collect stats, watch, learn, alert, and no mitigation) and Learn Only (collect stats, watch, learn, and no mitigation).
    If you test a legitimate packet with a packet tester and find a DoS vector is preventing packet transmission, you can adjust the thresholds or disable the vector to remedy the issue.
  9. Set the Threshold Mode to Fully Automatic.
    To configure thresholds manually, refer to the next section, Detect and mitigate device DoS/DDoS attacks manually.
  10. If the vector includes other settings, such as Bad Actor Detection and Attacked Destination Detection, configure them as needed. If using automatic blacklisting with Bad Actor Detection, be sure to assign a global IP Intelligence policy to the device (Security > Network Firewall > IP Intelligence > Policies).
  11. Click Commit Changes to System to save the changes.
    The configuration is updated, and the Device Protection screen opens again.
  12. Repeat the previous steps for any other attack types for which you want to change the configuration.
You have now configured the system to provide custom responses to DoS and DDoS attacks, and to allow such attacks to be identified in system logs and reports.

Detect and mitigate device DoS/DDoS attacks manually

Device Protection is used to protect the entire BIG-IP system. You can manually configure the AFM system's detection and mitigation thresholds for a wide range of DoS and DDoS attacks.
Not all settings apply to all DoS vectors. For example, some vectors cannot be automatically blacklisted.
  1. On the Main tab, click Security > DoS Protection > Device Protection.
    The DoS Device Protection screen opens.
  2. From the Log Publisher list, select a destination to which the BIG-IP system sends DoS and DDoS log entries.
    You can review, create, and update log publishers in System > Logs > Configuration > Log Publishers.
  3. For Threshold Sensitivity, select Low, Medium, or High.
    Low means the automatic threshold calculations are less sensitive to changes in traffic and CPU usage. A lower setting causes the system to adjust the thresholds more slowly over time, but also triggers fewer false positives. If traffic rates are consistent over time, set this to Medium or High, because even a small variation in generally consistent traffic could signal an attack. If traffic patterns vary, set this to Low to get fewer false positives.
  4. From the Eviction Policy list, select the eviction policy to apply globally.
    The global context requires an eviction policy. If you do not apply a custom eviction policy, the system default policy, default-eviction-policy, is applied and selected in this field.
  5. Optionally, click the Whitelists area to set whitelists for addresses that can bypass DDoS checks.
    1. To specify a system-wide DoS address list containing source IP addresses that do not need to be checked for DoS attacks, type the name of a previously configured list in the Whitelist Address List field (see Creating a whitelist address list for details). The system must be at compatibility level 1 or 2.
      Available address lists appear on the right side of the screen, in the Shared Objects pane. You can view, edit, and add address lists there.
    2. For Rich Whitelists (all compatibility levels), click the Add Whitelist button, type the name, source VLAN with VLAN mask, source or destination address (with prefix), port, and protocol, then click Done Editing.
      You can define up to eight rich whitelists.
    3. If the system is at compatibility level 2, for Extended Whitelists, click the Add Whitelist button, type the name, source VLAN with VLAN mask, source address (with prefix), destination address (with prefix), port, and protocol, then click Done Editing.
      Extended whitelists can include both the source and destination addresses, and you can create 256 of them by default. (The maximum number can be extended to 1024, if needed.)
  6. At the bottom of the screen, click the Network, DNS, or SIP area to configure detection and mitigation thresholds for a specific attack vector.
    The screen displays all the available attack vectors for the given type.
  7. In the Attack Type column, click the name of an attack type to edit the settings.
    The attack settings appear in the Properties pane on the right side of the page.
  8. To enforce DoS protection for the attack vector, make sure the State is set to Mitigate (watch, learn, alert, and mitigate).
    The other options are Detect Only (collect stats, watch, learn, alert, and no mitigation) and Learn Only (collect stats, watch, learn, and no mitigation).
    If you test a legitimate packet with the packet tester and find a DoS vector is preventing packet transmission, you can adjust the thresholds or disable the vector to remedy the issue.
  9. For Threshold Mode, select Fully Manual or Manual Detection / Auto Mitigation.
    When calculating the Events Per Second (EPS) value, the value is applied to a single Traffic Management Microkernel (TMM). Ensure that you multiply the EPS value by the number of TMMs your device has. Two exceptions are the Single Endpoint Sweep and Single Endpoint Flood vectors; the EPS value for these vectors is not multiplied by the number of TMMs.
  10. From the Detection Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  11. From the Detection Threshold % list, select Specify or Infinite.
    • Use Specify to set a value (as a percentage of traffic) for the attack detection threshold. If packets of the specified types cross the percentage threshold of the 1-hour average, an attack is logged and reported. The system continues to check every second, and registers an attack as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  12. From the Mitigation Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second) that cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  13. To log traffic that the system identifies as a DoS attack according to the automatic thresholds, enable Simulate Auto Threshold.
    This setting applies only to vectors that can be configured for automatic thresholds. It allows you to see the results of automatic thresholds on the selected DoS vector without actually affecting traffic. When you enable this setting, the current system-computed automatic thresholds are displayed for this vector. Automatic thresholds are not applied to packets unless the Threshold Mode is changed for the vector.
  14. To detect IP address sources from which possible attacks originate, enable Bad Actor Detection.
    Bad Actor Detection is not available for every vector.
  15. In the Per Source IP Detection Threshold EPS field, specify the number of events of this type per second from one IP address that identifies the IP source as a bad actor, for purposes of attack detection and logging.
  16. In the Per Source IP Mitigation Threshold EPS field, specify the number of events of this type per second from one IP address, above which rate limiting or leak limiting occurs.
  17. To automatically blacklist bad actor IP addresses, select Add Source Address to Category.
    For this to work, you need to assign an IP Intelligence policy to the appropriate context (device, virtual server, or route domain). For the device, assign a global policy at Security > Network Firewall > IP Intelligence > Policies. For the virtual server or route domain, assign the IP Intelligence policy on the Security tab.
  18. From the Category Name list, select a blacklist category to apply to automatically blacklisted addresses.
  19. Specify the Sustained Attack Detection Time, in seconds, after which an IP address is blacklisted.
  20. To change the duration for which the address is blacklisted, specify the duration in seconds in the Category Duration Time field. The default duration for an automatically blacklisted item is 4 hours (14400 seconds).
    After this time period, the IP address is removed from the blacklist.
  21. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement.
    To advertise to edge routers, you must configure a Blacklist Publisher and Publisher Profile at Security > Options > External Redirection > Blacklist Publisher.
  22. To set thresholds for attacked destinations, select Attacked Destination Detection.
    1. In the Per Destination IP Detection Threshold EPS field, specify the number of events per second from one IP address that identifies the IP destination as an attacked destination, for purposes of attack detection and logging.
    2. In the Per Destination IP Mitigation Threshold EPS field, specify the number of events per second headed to one IP address, above which rate limiting occurs.
    3. To automatically blacklist bad actor IP addresses, select Add Destination Address to Category.
      For DoS protection, the blacklist category is set to denial_of_service automatically.
    4. Specify the Sustained Attack Detection Time, in seconds, after which an IP address is blacklisted.
    5. To set the duration the destination address remains blacklisted, specify the Category Duration Time in seconds. The default is 900 seconds.
    6. To allow destination IP blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement.
  23. Click the Commit Changes to System button at the top of the page.
    The configuration is updated, and the Device Protection screen opens again.
  24. Repeat the previous steps for any other attack types for which you want to manually configure thresholds.
Now you have configured the system to provide custom responses to possible DoS and DDoS attacks, and to allow such attacks to be identified in system logs and reports, rate-limited, and blacklisted when specified.
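As an added example, not F5's implementation, the following Python model shows how the manual settings in this procedure interact for one vector over a series of one-second intervals: Detection Threshold EPS and % (an attack is logged when crossed), Mitigation Threshold EPS (the excess is dropped), Bad Actor Detection with the per-source thresholds, the Sustained Attack Detection Time that leads to blacklisting, Category Duration Time expiry, and the per-TMM EPS scaling from step 9. Assumptions, because the page does not state them: the % threshold is read as a percentage of the 1-hour average, traffic from a blacklisted source is dropped (as the assigned IP Intelligence policy would do), the sample device has one TMM, and all traffic figures and addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

INFINITE = None   # the GUI's "Infinite" choice: no threshold on that measure
SINGLE_ENDPOINT = {"Single Endpoint Sweep", "Single Endpoint Flood"}


def device_wide_eps(configured: Optional[int], tmm_count: int, vector: str):
    """Device-wide rate of a per-TMM EPS value (not multiplied for single-endpoint vectors)."""
    if configured is INFINITE or vector in SINGLE_ENDPOINT:
        return configured
    return configured * tmm_count


@dataclass
class VectorConfig:
    detection_eps: Optional[int]            # Detection Threshold EPS
    detection_pct: Optional[int]            # Detection Threshold % (of 1-hour average)
    mitigation_eps: Optional[int]           # Mitigation Threshold EPS
    bad_actor: bool = False                 # Bad Actor Detection
    per_source_detection_eps: Optional[int] = INFINITE
    per_source_mitigation_eps: Optional[int] = INFINITE
    sustained_attack_seconds: int = 0       # Sustained Attack Detection Time
    category_duration_seconds: int = 14400  # Category Duration Time (4-hour default)


@dataclass
class SecondResult:
    detected: bool          # attack logged and reported this second
    passed: int             # events forwarded
    dropped: int            # events rate-limited or dropped as blacklisted
    bad_actors: List[str]   # sources over Per Source IP Detection Threshold
    newly_blacklisted: List[str]


@dataclass
class VectorState:
    cfg: VectorConfig
    hour_avg_eps: float
    sustained: Dict[str, int] = field(default_factory=dict)  # src -> seconds over
    blacklist: Dict[str, int] = field(default_factory=dict)  # src -> expiry second

    def process_second(self, second: int, events: Dict[str, int]) -> SecondResult:
        """Apply the configured thresholds to one second of traffic."""
        cfg = self.cfg
        self.blacklist = {s: t for s, t in self.blacklist.items() if t > second}
        total = sum(events.values())
        over_eps = cfg.detection_eps is not INFINITE and total > cfg.detection_eps
        # Assumption: the % threshold is read as a percentage of the 1-hour average
        over_pct = (cfg.detection_pct is not INFINITE
                    and total > self.hour_avg_eps * cfg.detection_pct / 100)
        remaining, dropped, bad_actors, newly = dict(events), 0, [], []
        for src, n in events.items():
            if src in self.blacklist:   # assumption: the IP Intelligence policy drops it
                dropped, remaining[src] = dropped + n, 0
                continue
            if not cfg.bad_actor:
                continue
            if cfg.per_source_detection_eps is not INFINITE and n > cfg.per_source_detection_eps:
                bad_actors.append(src)
                self.sustained[src] = self.sustained.get(src, 0) + 1
                if self.sustained[src] >= cfg.sustained_attack_seconds:
                    self.blacklist[src] = second + cfg.category_duration_seconds
                    newly.append(src)
            else:
                self.sustained.pop(src, None)
            if cfg.per_source_mitigation_eps is not INFINITE and n > cfg.per_source_mitigation_eps:
                dropped += n - cfg.per_source_mitigation_eps
                remaining[src] = cfg.per_source_mitigation_eps
        passed = sum(remaining.values())
        if cfg.mitigation_eps is not INFINITE and passed > cfg.mitigation_eps:
            dropped, passed = dropped + passed - cfg.mitigation_eps, cfg.mitigation_eps
        return SecondResult(over_eps or over_pct, passed, dropped, bad_actors, newly)


def run_demo() -> List[SecondResult]:
    """Constructed traffic: one source floods for three seconds on a one-TMM device."""
    cfg = VectorConfig(detection_eps=1000, detection_pct=500, mitigation_eps=1500,
                       bad_actor=True, per_source_detection_eps=200,
                       per_source_mitigation_eps=300, sustained_attack_seconds=2,
                       category_duration_seconds=900)
    state = VectorState(cfg, hour_avg_eps=120.0)
    quiet = {"203.0.113.5": 40, "192.0.2.9": 30}
    traffic = [{"198.51.100.7": n, **quiet} for n in (900, 2500, 2500)]
    return [state.process_second(sec, t) for sec, t in enumerate(traffic)]


if __name__ == "__main__":
    print(*run_demo(), sep="\n")
```

In the demo, second 0 is detected only by the % threshold (970 events against a 600-event 500% line), second 1 crosses the EPS line and completes the two-second sustained window that blacklists the flooding source, and in second 2 that source's traffic is dropped outright.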

Modify multiple attack vectors at once

You can modify the State and Threshold Mode of multiple attack vectors protecting the device at one time.
  1. On the Main tab, click Security > DoS Protection > Device Protection.
  2. Click the Network, DNS, or SIP area at the bottom of the page.
    All of the attack vectors for that family appear in the Attack Type list.
  3. To modify the state of one or more attack vectors, select the check box next to each attack vector name.
  4. From the Set State list at the bottom of the page, select Disable, Learn Only, Detect Only, or Mitigate.
  5. Click Commit Changes to System at the top of the page.
  6. To modify the threshold mode of one or more attack vectors, select the check box next to each attack vector name.
  7. From the Set Threshold Mode list at the bottom of the page, select Fully Automatic, Manual Detection / Auto Mitigation, or Manual.
    To work accurately, fully automatic thresholds require some amount of historical data on the system, gathered by observing normal traffic. Therefore, it is recommended that you not enforce auto thresholds directly after installation.
  8. Click Commit Changes to System at the top of the page.
You have modified the attack vector State and Threshold Mode of multiple attack vectors.